From VLSM.Lib Require Import Itauto.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
[Loading ML file coq-itauto.plugin ... done]
From Coq Require Import FunctionalExtensionality Reals.
From stdpp Require Import prelude finite.
From VLSM.Lib Require Import Preamble Measurable FinSetExtras RealsExtras ListExtras.
From VLSM.Core Require Import VLSM VLSMProjections Composition Equivocation.
From VLSM.Core Require Import ReachableThreshold Validator ProjectionTraces MessageDependencies.
From VLSM.Core Require Import TraceableVLSM MinimalEquivocationTrace.[Loading ML file extraction_plugin.cmxs (using legacy method) ... done]
[Loading ML file equations_plugin.cmxs (using legacy method) ... done]
From VLSM.Core Require Import AnnotatedVLSM MsgDepLimitedEquivocation.
From VLSM.Examples Require Import BaseELMO UMO MO.

Create HintDb ELMO_hints.

#[local] Hint Resolve submseteq_tail_l : ELMO_hints.

ELMO: Protocol Definitions and Properties for ELMO

This module contains definitions and properties of ELMO components and the ELMO protocol.

Section sec_ELMO.

Context
  {Address : Type}
  `{EqDecision Address}
  `{Measurable Address}
  (State := @State Address)
  (Observation := @Observation Address)
  (Message := @Message Address)
  (threshold : R)
  `{finite.Finite index}
  (idx : index -> Address)
  `{!Inj (=) (=) idx}
  `{!ReachableThreshold (Message_validator idx) (listset (Message_validator idx)) threshold}.

#[export] Instance ReachableThreshold_Address :
  ReachableThreshold Address (listset Address) threshold.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ReachableThreshold Address (listset Address) threshold
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ReachableThreshold Address (listset Address) threshold
  destruct ReachableThreshold0 as (Hgt0 & vs & Hvs).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
vs: listset (Message_validator idx)
Hvs: (sum_weights vs > threshold)%R
ReachableThreshold Address (listset Address) threshold
  split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
vs: listset (Message_validator idx)
Hvs: (sum_weights vs > threshold)%R
∃ vs : listset Address, (sum_weights vs > threshold)%R
  exists (set_map proj1_sig vs).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
vs: listset (Message_validator idx)
Hvs: (sum_weights vs > threshold)%R
(sum_weights (set_map proj1_sig vs) > threshold)%R
  replace (sum_weights _) with (sum_weights vs); [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
vs: listset (Message_validator idx)
Hvs: (sum_weights vs > threshold)%R
sum_weights vs = sum_weights (set_map proj1_sig vs)
  clear Hvs; revert vs; apply set_ind.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
Proper (equiv ==> impl)
  (λ X : listset (Message_validator idx),
     sum_weights X = sum_weights (set_map proj1_sig X))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
sum_weights ∅ = sum_weights (set_map proj1_sig ∅)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
∀ (x : Message_validator idx) 
  (X : listset (Message_validator idx)),
  x ∉ X
  → sum_weights X = sum_weights (set_map proj1_sig X)
    → sum_weights ({[x]} ∪ X) =
      sum_weights (set_map proj1_sig ({[x]} ∪ X))
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
Proper (equiv ==> impl)
  (λ X : listset (Message_validator idx),
     sum_weights X = sum_weights (set_map proj1_sig X)) intros vs1 vs2 Heqv Hvs1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
vs1, vs2: listset (Message_validator idx)
Heqv: vs1 ≡ vs2
Hvs1: sum_weights vs1 =
sum_weights (set_map proj1_sig vs1)
sum_weights vs2 = sum_weights (set_map proj1_sig vs2)
    replace (sum_weights vs2) with (sum_weights vs1)
      by (apply sum_weights_proper; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
vs1, vs2: listset (Message_validator idx)
Heqv: vs1 ≡ vs2
Hvs1: sum_weights vs1 =
sum_weights (set_map proj1_sig vs1)
sum_weights vs1 = sum_weights (set_map proj1_sig vs2)
    by rewrite Hvs1; apply sum_weights_proper; rewrite Heqv.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
sum_weights ∅ = sum_weights (set_map proj1_sig ∅) by rewrite !sum_weights_empty.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
∀ (x : Message_validator idx) (X : listset
                                     (Message_validator
                                        idx)),
  x ∉ X
  → sum_weights X = sum_weights (set_map proj1_sig X)
    → sum_weights ({[x]} ∪ X) =
      sum_weights (set_map proj1_sig ({[x]} ∪ X)) intros v vs Hv Hvs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
sum_weights ({[v]} ∪ vs) =
sum_weights (set_map proj1_sig ({[v]} ∪ vs))
    rewrite sum_weights_disj_union, Hvs by set_solver.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
(sum_weights {[v]} +
 sum_weights (set_map proj1_sig vs))%R =
sum_weights (set_map proj1_sig ({[v]} ∪ vs))
    replace (sum_weights (set_map _ ({[v]} ∪ _)))
      with (sum_weights (set_map (C := listset (Message_validator idx))
        (D := listset Address) proj1_sig {[v]} ∪ set_map (D := listset Address) proj1_sig vs))
      by (apply sum_weights_proper; rewrite set_map_union; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
(sum_weights {[v]} +
 sum_weights (set_map proj1_sig vs))%R =
sum_weights
  (set_map proj1_sig {[v]} ∪ set_map proj1_sig vs)
    rewrite sum_weights_disj_union; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
set_map proj1_sig {[v]} ## set_map proj1_sig vs
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
(sum_weights {[v]} +
 sum_weights (set_map proj1_sig vs))%R =
(sum_weights (set_map proj1_sig {[v]}) +
 sum_weights (set_map proj1_sig vs))%R
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
set_map proj1_sig {[v]} ## set_map proj1_sig vs rewrite set_map_singleton.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
{[`v]} ## set_map proj1_sig vs
      cut (`v ∉ set_map (D := listset Address) proj1_sig vs); [by set_solver |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
`v ∉ set_map proj1_sig vs
      contradict Hv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
Hv: `v ∈ set_map proj1_sig vs
v ∈ vs
      apply elem_of_map in Hv as (v' & Hv' & Hv).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
v': {x : Address
| bool_decide ((is_Some ∘ adr2idx idx) x)}
Hv': `v = `v'
Hv: v' ∈ vs
v ∈ vs
      by apply dsig_eq in Hv' as ->.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
(sum_weights {[v]} +
 sum_weights (set_map proj1_sig vs))%R =
(sum_weights (set_map proj1_sig {[v]}) +
 sum_weights (set_map proj1_sig vs))%R replace (sum_weights (set_map _ {[v]}))
        with (sum_weights (Cv := listset Address) {[` v]}).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
(sum_weights {[v]} +
 sum_weights (set_map proj1_sig vs))%R =
(sum_weights {[`v]} +
 sum_weights (set_map proj1_sig vs))%R
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
sum_weights {[`v]} =
sum_weights (set_map proj1_sig {[v]})
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
(sum_weights {[v]} +
 sum_weights (set_map proj1_sig vs))%R =
(sum_weights {[`v]} +
 sum_weights (set_map proj1_sig vs))%R by rewrite !sum_weights_singleton.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hgt0: (0 <= threshold)%R
v: Message_validator idx
vs: listset (Message_validator idx)
Hv: v ∉ vs
Hvs: sum_weights vs =
sum_weights (set_map proj1_sig vs)
sum_weights {[`v]} =
sum_weights (set_map proj1_sig {[v]}) by apply sum_weights_proper; rewrite set_map_singleton.
Qed.

Definition immediate_dependency (m1 m2 : Message) : Prop :=
  m1 ∈ messages (state m2).

Lemma immediate_dependency_msg_dep_rel :
  forall dm m : Message,
    immediate_dependency dm m <-> msg_dep_rel Message_dependencies dm m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ dm m : Message,
  immediate_dependency dm m
  ↔ msg_dep_rel Message_dependencies dm m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ dm m : Message,
  immediate_dependency dm m
  ↔ msg_dep_rel Message_dependencies dm m
  unfold immediate_dependency, messages, messages',
    msg_dep_rel, Message_dependencies; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ dm m : Message,
  dm ∈ map message (obs (state m))
  ↔ dm ∈ list_to_set (map message (obs (state m)))
  by setoid_rewrite elem_of_list_to_set.
Qed.

#[local] Notation happensBefore := (tc immediate_dependency).

#[local] Infix "<hb" := happensBefore (at level 70).

Lemma happensBefore_msg_dep :
  forall dm m : Message,
    dm <hb m <-> msg_dep_happens_before Message_dependencies dm m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ dm m : Message,
  dm <hb m
  ↔ msg_dep_happens_before Message_dependencies dm m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ dm m : Message,
  dm <hb m
  ↔ msg_dep_happens_before Message_dependencies dm m
  by split;
    (induction 1; [by constructor 1; apply immediate_dependency_msg_dep_rel |]);
    (etransitivity; [| done]);
    constructor 1; apply immediate_dependency_msg_dep_rel.
Qed.

The full node condition says that a node can receive a message only if the direct observations of that node already include all messages from the direct observations of the state inside the message (not necessarily with the same Send/Receive label).

This will let us define validity predicates without needing to recurse into the states inside observations in a state, because a correctly-operating node would have checked the shallow condition for those messages when their observations were added to the state.

Definition full_node (s : State) (m : Message) : Prop :=
  messages (state m) ⊆+ messages s.

Lemma full_node_reachable_messages_ind
  (P : State -> Message -> Prop)
  (Hnew : forall s l msg
                 (Hfull : full_node s msg)
                 (IH : forall m, m ∈ messages s -> P s m),
    P (s <+> MkObservation l msg) msg)
  (Hprev : forall s ob m (IH : P s m), P (s <+> ob) m)
  :
  forall s, UMO_reachable full_node s ->
  forall m, m ∈ messages s -> P s m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
P: State → Message → Prop
Hnew: ∀ (s : State) (l : Label) (msg : Message),
  full_node s msg
  → (∀ m : Message, m ∈ messages s → P s m)
    → P (s <+> MkObservation l msg) msg
Hprev: ∀ (s : State) (ob : BaseELMO.Observation) 
  (m : Message), P s m → P (s <+> ob) m
∀ s : BaseELMO.State,
  UMO_reachable full_node s
  → ∀ m : Message, m ∈ messages s → P s m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
P: State → Message → Prop
Hnew: ∀ (s : State) (l : Label) (msg : Message),
  full_node s msg
  → (∀ m : Message, m ∈ messages s → P s m)
    → P (s <+> MkObservation l msg) msg
Hprev: ∀ (s : State) (ob : BaseELMO.Observation) 
  (m : Message), P s m → P (s <+> ob) m
∀ s : BaseELMO.State,
  UMO_reachable full_node s
  → ∀ m : Message, m ∈ messages s → P s m
  unfold full_node in Hnew.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
P: State → Message → Prop
Hnew: ∀ (s : State) (l : Label) (msg : Message),
  messages (state msg) ⊆+ messages s
  → (∀ m : Message, m ∈ messages s → P s m)
    → P (s <+> MkObservation l msg) msg
Hprev: ∀ (s : State) (ob : BaseELMO.Observation) 
  (m : Message), P s m → P (s <+> ob) m
∀ s : BaseELMO.State,
  UMO_reachable full_node s
  → ∀ m : Message, m ∈ messages s → P s m
  by apply UMO_reachable_elem_of_messages_ind; auto.
Qed.

Lemma messages_hb_transitive :
  forall s,
    UMO_reachable full_node s ->
  forall m,
    m ∈ messages s ->
  forall m',
    m' <hb m ->
    m' ∈ messages s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ s : BaseELMO.State,
  UMO_reachable full_node s
  → ∀ m : Message,
      m ∈ messages s
      → ∀ m' : Message, m' <hb m → m' ∈ messages s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ s : BaseELMO.State,
  UMO_reachable full_node s
  → ∀ m : Message,
      m ∈ messages s
      → ∀ m' : Message, m' <hb m → m' ∈ messages s
  refine (UMO_reachable_elem_of_messages_ind _ _ _ _ _);
    [intros | intros s Hs IH m' Hm'%tc_r_iff
    | intros s Hs mr Hmr%submseteq_list_subseteq IH m' Hm'%tc_r_iff];
    apply elem_of_messages_addObservation; right.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: BaseELMO.State
Hs: UMO_reachable full_node s
m: BaseELMO.Message
ob: BaseELMO.Observation
H1: m ∈ messages s
H2: ∀ m' : Message, m' <hb m → m' ∈ messages s
m': Message
H3: m' <hb m
m' ∈ messages s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: BaseELMO.State
Hs: UMO_reachable full_node s
IH: ∀ m' : BaseELMO.Message,
  m' ∈ messages s
  → ∀ m'0 : Message,
      m'0 <hb m' → m'0 ∈ messages s
m': Message
Hm': immediate_dependency m' (MkMessage s)
∨ (∃ y : Message,
     m' <hb y
     ∧ immediate_dependency y (MkMessage s))
m' ∈ messages s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: BaseELMO.State
Hs: UMO_reachable full_node s
mr: BaseELMO.Message
Hmr: messages (state mr) ⊆ messages s
IH: ∀ m' : BaseELMO.Message,
  m' ∈ messages s
  → ∀ m'0 : Message,
      m'0 <hb m' → m'0 ∈ messages s
m': Message
Hm': immediate_dependency m' mr
∨ (∃ y : Message,
     m' <hb y ∧ immediate_dependency y mr)
m' ∈ messages s
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: BaseELMO.State
Hs: UMO_reachable full_node s
m: BaseELMO.Message
ob: BaseELMO.Observation
H1: m ∈ messages s
H2: ∀ m' : Message, m' <hb m → m' ∈ messages s
m': Message
H3: m' <hb m
m' ∈ messages s by itauto.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: BaseELMO.State
Hs: UMO_reachable full_node s
IH: ∀ m' : BaseELMO.Message,
  m' ∈ messages s
  → ∀ m'0 : Message,
      m'0 <hb m' → m'0 ∈ messages s
m': Message
Hm': immediate_dependency m' (MkMessage s)
∨ (∃ y : Message,
     m' <hb y
     ∧ immediate_dependency y (MkMessage s))
m' ∈ messages s by destruct Hm' as [| (m & ? & ?)]; [| eapply IH].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: BaseELMO.State
Hs: UMO_reachable full_node s
mr: BaseELMO.Message
Hmr: messages (state mr) ⊆ messages s
IH: ∀ m' : BaseELMO.Message,
  m' ∈ messages s
  → ∀ m'0 : Message,
      m'0 <hb m' → m'0 ∈ messages s
m': Message
Hm': immediate_dependency m' mr
∨ (∃ y : Message,
     m' <hb y ∧ immediate_dependency y mr)
m' ∈ messages s destruct Hm' as [| (m & ? & ?)]; [by apply Hmr |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: BaseELMO.State
Hs: UMO_reachable full_node s
mr: BaseELMO.Message
Hmr: messages (state mr) ⊆ messages s
IH: ∀ m' : BaseELMO.Message,
  m' ∈ messages s
  → ∀ m'0 : Message,
      m'0 <hb m' → m'0 ∈ messages s
m', m: Message
H1: m' <hb m
H2: immediate_dependency m mr
m' ∈ messages s
    by eapply IH; [apply Hmr |].
Qed.

Some claims about the full node condition hold for any UMO-based VLSM whose validity predicate implies the full node condition. By UMO-based we mean a VLSM built over the ELMO_component_type which also has the same transition function as UMO/MO, an initial state predicate that ensures obs of an initial state is empty, and a validity predicate that implies UMO_component_valid. If that's all we know about the VLSM, knowing that a State is reachable in that VLSM is only as informative as knowing that the state is UMO_reachable full_node. (This lemma needs no assumption about UMO_component_valid because reachability is the same anyway, because UMO_component_valid returns the state unchanged on invalid input.)

Lemma full_node_VLSM_reachable
  (VM : VLSMMachine ELMO_component_type)
  (V := mk_vlsm VM)
  (VM_transition_is_UMO :
    forall (l : Label) (s : State) (om : option Message),
      transition V l (s, om) = UMO_component_transition l s om)
  (VM_init_empty :
    forall s : State, initial_state_prop V s -> obs s = [])
  (VM_enforces_full_node :
    forall (l : Label) (s : State) (m : Message),
      valid V l (s, Some m) -> full_node s m) :
  forall (s : State),
    constrained_state_prop V s ->
    UMO_reachable full_node s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
∀ s : State,
  constrained_state_prop V s
  → UMO_reachable full_node s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
∀ s : State,
  constrained_state_prop V s
  → UMO_reachable full_node s
  intro s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s: State
constrained_state_prop V s → UMO_reachable full_node s
  induction 1 using valid_state_prop_ind.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hs: initial_state_prop s
UMO_reachable full_node s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option BaseELMO.Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm V) l (
  s, om) (s', om')
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node s'
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hs: initial_state_prop s
UMO_reachable full_node s destruct s as [obs adr].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s
  → BaseELMO.obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
obs: list BaseELMO.Observation
adr: Address
Hs: initial_state_prop (MkState obs adr)
UMO_reachable full_node (MkState obs adr)
    apply VM_init_empty in Hs; cbn in Hs; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
adr: Address
UMO_reachable full_node (MkState [] adr)
    by apply reach_init.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option BaseELMO.Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm V) l (
  s, om) (s', om')
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node s' destruct Ht as [(_ & _ & Hvalid) Ht]; cbn in Ht, Hvalid.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option BaseELMO.Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid l (s, om)
Ht: transition l (s, om) = (s', om')
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node s'
    rewrite VM_transition_is_UMO in Ht.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option BaseELMO.Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid l (s, om)
Ht: UMO_component_transition l s om = (s', om')
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node s'
    destruct l, om; injection Ht as [= <- <-]; [| done.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
m: BaseELMO.Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid Receive (s, Some m)
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node
  (s <+> MkObservation Receive m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid Send (s, None)
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node
  (s <+> MkObservation Send (MkMessage s))
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
m: BaseELMO.Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid Receive (s, Some m)
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node
  (s <+> MkObservation Receive m) apply VM_enforces_full_node in Hvalid.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
m: BaseELMO.Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: full_node s m
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node
  (s <+> MkObservation Receive m)
      by apply reach_recv.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
VM: VLSMMachine ELMO_component_type
V:= {|
  vlsm_type := ELMO_component_type;
  vlsm_machine := VM
|}: VLSM BaseELMO.Message
VM_transition_is_UMO: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s
    om
VM_init_empty: ∀ s : State,
  initial_state_prop s → obs s = []
VM_enforces_full_node: ∀ (l : Label) (s : State) 
  (m : Message),
  valid l (s, Some m)
  → full_node s m
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid Send (s, None)
IHvalid_state_prop: UMO_reachable full_node s
UMO_reachable full_node
  (s <+> MkObservation Send (MkMessage s)) by apply reach_send.
Qed.

A simplified version of local_equivocators that only checks for incompatible messages among the immediate observations of the state. This relies on the full node condition.

Set Warnings "-cannot-define-projection".
Record local_equivocators_simple (s : State) (i : Address) : Prop :=
{
  les_m1 : Message;
  les_m2 : Message;
  les_adr1 : adr (state les_m1) = i;
  les_adr2 : adr (state les_m2) = i;
  les_obs_m1 : les_m1 ∈ messages s;
  les_obs_m2 : les_m2 ∈ messages s;
  les_incomparable : incomparable les_m1 les_m2;
}.
Set Warnings "cannot-define-projection".

A variant of local equivocators that relies more on the full node condition and directly shows how the set of equivocators can grow.

Only a newly received message needs to be checked against previous messages, other addresses are equivocating if they are equivocating in the previous state.

Inductive local_equivocators_full_obs : list Observation -> Address -> Prop :=
| lefo_last :
    forall (ol : list Observation) (m1 m2 : Message),
      m2 ∈ receivedMessages' ol ->
      incomparable m1 m2 ->
      local_equivocators_full_obs (addObservation' (MkObservation Receive m1) ol) (adr (state m1))
| lefo_prev :
    forall (ol : list Observation) (l : Label) (m : Message) (i : Address),
      local_equivocators_full_obs ol i ->
      local_equivocators_full_obs (addObservation' (MkObservation l m) ol) i.

Lemma lefo_alt (ol : list Observation) (o : Observation) (a : Address) :
  local_equivocators_full_obs (addObservation' o ol) a <->
    (a = adr (state (message o))
      /\ label o = Receive
      /\ exists m2, m2 ∈ receivedMessages' ol
      /\ incomparable (message o) m2)
    \/ local_equivocators_full_obs ol a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ol: list Observation
o: Observation
a: Address
local_equivocators_full_obs (addObservation' o ol) a
↔ a = adr (state (message o))
  ∧ label o = Receive
    ∧ (∃ m2 : BaseELMO.Message,
         m2 ∈ receivedMessages' ol
         ∧ incomparable (message o) m2)
  ∨ local_equivocators_full_obs ol a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ol: list Observation
o: Observation
a: Address
local_equivocators_full_obs (addObservation' o ol) a
↔ a = adr (state (message o))
  ∧ label o = Receive
    ∧ (∃ m2 : BaseELMO.Message,
         m2 ∈ receivedMessages' ol
         ∧ incomparable (message o) m2)
  ∨ local_equivocators_full_obs ol a
  split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ol: list Observation
o: Observation
a: Address
local_equivocators_full_obs (addObservation' o ol) a
→ a = adr (state (message o))
  ∧ label o = Receive
    ∧ (∃ m2 : BaseELMO.Message,
         m2 ∈ receivedMessages' ol
         ∧ incomparable (message o) m2)
  ∨ local_equivocators_full_obs ol a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ol: list Observation
o: Observation
a: Address
a = adr (state (message o))
∧ label o = Receive
  ∧ (∃ m2 : BaseELMO.Message,
       m2 ∈ receivedMessages' ol
       ∧ incomparable (message o) m2)
∨ local_equivocators_full_obs ol a
→ local_equivocators_full_obs (addObservation' o ol) a
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ol: list Observation
o: Observation
a: Address
local_equivocators_full_obs (addObservation' o ol) a
→ a = adr (state (message o))
  ∧ label o = Receive
    ∧ (∃ m2 : BaseELMO.Message,
         m2 ∈ receivedMessages' ol
         ∧ incomparable (message o) m2)
  ∨ local_equivocators_full_obs ol a by inversion 1; subst; [left; split_and!; [.. | eexists] | right].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ol: list Observation
o: Observation
a: Address
a = adr (state (message o))
∧ label o = Receive
  ∧ (∃ m2 : BaseELMO.Message,
       m2 ∈ receivedMessages' ol
       ∧ incomparable (message o) m2)
∨ local_equivocators_full_obs ol a
→ local_equivocators_full_obs (addObservation' o ol) a destruct o as [l m1]; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ol: list Observation
l: Label
m1: BaseELMO.Message
a: Address
a = adr (state m1)
∧ l = Receive
  ∧ (∃ m2 : BaseELMO.Message,
       m2 ∈ receivedMessages' ol ∧ incomparable m1 m2)
∨ local_equivocators_full_obs ol a
→ local_equivocators_full_obs
    (addObservation' (MkObservation l m1) ol) a
    by intros [(-> & -> & m2 & Hrecv & Hadr & Hincomp) |]; econstructor.
Qed.

#[export] Instance local_equivocators_full_obs_dec : RelDecision local_equivocators_full_obs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
RelDecision local_equivocators_full_obs
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
RelDecision local_equivocators_full_obs
  intros ol a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
ol: list Observation
a: Address
Decision (local_equivocators_full_obs ol a)
  induction ol using addObservation'_rec.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
a: Address
Decision (local_equivocators_full_obs [] a)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
a: Address
ob: BaseELMO.Observation
ol: list BaseELMO.Observation
IHol: Decision (local_equivocators_full_obs ol a)
Decision
  (local_equivocators_full_obs 
     (addObservation' ob ol) a)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
a: Address
Decision (local_equivocators_full_obs [] a) by right; inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
a: Address
ob: BaseELMO.Observation
ol: list BaseELMO.Observation
IHol: Decision (local_equivocators_full_obs ol a)
Decision
  (local_equivocators_full_obs (addObservation' ob ol)
     a) apply (Decision_iff (iff_Symmetric _ _ (lefo_alt _ _ _))).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
a: Address
ob: BaseELMO.Observation
ol: list BaseELMO.Observation
IHol: Decision (local_equivocators_full_obs ol a)
Decision
  (a = adr (state (message ob))
   ∧ label ob = Receive
     ∧ (∃ m2 : BaseELMO.Message,
          m2 ∈ receivedMessages' ol
          ∧ incomparable (message ob) m2)
   ∨ local_equivocators_full_obs ol a)
    by pose proof @list_exist_dec; typeclasses eauto.
Defined.

Definition local_equivocators_full (s : State) : Address -> Prop :=
  local_equivocators_full_obs (obs s).

#[export] Instance local_equivocators_full_dec : RelDecision local_equivocators_full :=
  fun s a => local_equivocators_full_obs_dec (obs s) a.

An ELMO component has the same elements as a MO component except for the validity predicate, which:

checks message validity
enforces the full-node condition
only allows receiving a message if it will not bring the total weight of the locally-visible equivocation above equivocation_threshold

Definition no_self_equiv (s : State) (m : Message) : Prop :=
  adr s = adr (state m) -> m ∈ sentMessages s.

Inductive MessageHasSender (m : Message) : Prop :=
| message_has_sender : forall i, adr (state m) = idx i -> MessageHasSender m.

Inductive ELMO_msg_valid_full : Message -> Prop :=
| MVF_nil :
    forall m : Message,
      obs (state m) = [] -> MessageHasSender m -> ELMO_msg_valid_full m
| MVF_send :
    forall m,
      ELMO_msg_valid_full m ->
      ELMO_msg_valid_full (m <*> MkObservation Send m)
| MVF_recv :
    forall m mo,
      full_node (state m) mo ->
      no_self_equiv (state m) mo ->
      ELMO_msg_valid_full m ->
      ELMO_msg_valid_full (m <*> MkObservation Receive mo).

Lemma ELMO_msg_valid_full_to_reach (m : Message) :
  ELMO_msg_valid_full m ->
  UMO_reachable (fun s m => full_node s m /\ no_self_equiv s m) (state m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
m: Message
ELMO_msg_valid_full m
→ UMO_reachable
    (λ (s : BaseELMO.State) (m : BaseELMO.Message),
       full_node s m ∧ no_self_equiv s m) (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
m: Message
ELMO_msg_valid_full m
→ UMO_reachable
    (λ (s : BaseELMO.State) (m : BaseELMO.Message),
       full_node s m ∧ no_self_equiv s m) (state m)
  by induction 1; destruct m as [ms]; cbn in *;
    [replace ms with (MkState [] (adr ms)) by (apply eq_State; done) | ..];
    constructor.
Qed.

Lemma ELMO_msg_valid_full_has_sender (m : Message) :
  ELMO_msg_valid_full m -> MessageHasSender m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
m: Message
ELMO_msg_valid_full m → MessageHasSender m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
m: Message
ELMO_msg_valid_full m → MessageHasSender m
  by induction 1; [done | ..]; destruct IHELMO_msg_valid_full; econstructor.
Qed.

#[local] Instance ELMO_local_equivocation : BasicEquivocation State Address (listset Address) threshold :=
{
  is_equivocating := local_equivocators_full;
  is_equivocating_dec := local_equivocators_full_dec;
  state_validators := const (list_to_set (map idx (enum index)));
}.

Definition local_equivocation_limit_ok (s : State) : Prop := not_heavy s.

Record ELMO_recv_valid (s : State) (m : Message) : Prop :=
{
  ELMO_mv_full_node : full_node s m;
  ELMO_mv_no_self_equiv : no_self_equiv  s m;
  ELMO_mv_msg_valid_full : ELMO_msg_valid_full m;
  ELMO_mv_local_equivocation_limit_ok :
    local_equivocation_limit_ok (s <+> MkObservation Receive m);
}.

Inductive ELMO_component_valid : Label -> State -> option Message -> Prop :=
| ELMOCV_Receive :
    forall (s : State) (m : Message),
      ELMO_recv_valid s m ->
      ELMO_component_valid Receive s (Some m)
| ELMOCV_Send :
    forall s : State,
      ELMO_component_valid Send s None.

This definition is closer to the way the validity condition might be defined by hand, but is probably less convenient than the inductive definition of ELMO_component_valid. So we prove that they are equivalent.

Definition ELMO_component_valid_alt (l : Label) (s : State) (om : option Message) : Prop :=
  UMO_component_valid l s om /\ (l = Receive -> from_option (ELMO_recv_valid s) False om).

Definition ELMO_component_valid_alt_iff :
  forall (l : Label) (s : State) (om : option Message),
    ELMO_component_valid l s om <-> ELMO_component_valid_alt l s om.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ (l : Label) (s : State) (om : option Message),
  ELMO_component_valid l s om
  ↔ ELMO_component_valid_alt l s om
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ (l : Label) (s : State) (om : option Message),
  ELMO_component_valid l s om
  ↔ ELMO_component_valid_alt l s om
  split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
l: Label
s: State
om: option Message
ELMO_component_valid l s om
→ ELMO_component_valid_alt l s om
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
l: Label
s: State
om: option Message
ELMO_component_valid_alt l s om
→ ELMO_component_valid l s om
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
l: Label
s: State
om: option Message
ELMO_component_valid l s om
→ ELMO_component_valid_alt l s om by destruct 1; split; [constructor | auto | constructor | auto].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
l: Label
s: State
om: option Message
ELMO_component_valid_alt l s om
→ ELMO_component_valid l s om by intros [[] Hfo]; constructor; apply Hfo.
Qed.

Definition ELMO_component_machine (i : index) : VLSMMachine ELMO_component_type :=
{|
  initial_state_prop := UMO_component_initial_state_prop (idx i);
  initial_message_prop := const False;
  s0 := Inhabited_UMO_component_initial_state_type (idx i);
  transition := fun l '(st, om) => UMO_component_transition l st om;
  valid := fun l '(st, om) => ELMO_component_valid l st om;
|}.

Definition ELMO_component (i : index) : VLSM Message :=
{|
  vlsm_type := ELMO_component_type;
  vlsm_machine := ELMO_component_machine i;
|}.

#[export] Instance ComputableSentMessages_ELMO_component
  (i : index) : ComputableSentMessages (ELMO_component i).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ComputableSentMessages (ELMO_component i)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ComputableSentMessages (ELMO_component i)
  constructor 1 with sentMessages; constructor.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
∀ s : VLSM.state (ELMO_component i),
  initial_state_prop s
  → ∀ m : Message, m ∉ sentMessages s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (ELMO_component i))) 
  (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            (ELMO_component i))) 
  (im : option Message) 
  (s' : VLSM.state
          (preloaded_with_all_messages_vlsm
             (ELMO_component i))) 
  (om : option Message),
  input_constrained_transition 
    (ELMO_component i) l (
    s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ sentMessages s'
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ sentMessages s
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
∀ s : VLSM.state (ELMO_component i),
  initial_state_prop s
  → ∀ m : Message, m ∉ sentMessages s by intros [] []; cbn in *; subst; cbn; apply not_elem_of_nil.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (ELMO_component i))) (s : VLSM.state
                                        (preloaded_with_all_messages_vlsm
                                           (ELMO_component
                                              i))) 
  (im : option Message) (s' : VLSM.state
                                (preloaded_with_all_messages_vlsm
                                   (ELMO_component i))) 
  (om : option Message),
  input_constrained_transition (ELMO_component i) l
    (s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ sentMessages s'
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ sentMessages s intros l s im s' om [(Hvsp & Hovmp & Hv) Ht] m; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
l: Label
s: BaseELMO.State
im: option Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) im
Hv: ELMO_component_valid l s im
Ht: UMO_component_transition l s im = (s', om)
m: Message
m ∈ sentMessages s' ↔ om = Some m ∨ m ∈ sentMessages s
    destruct l, im; cbn in *; [| by exfalso; inversion Hv.. |];
    inversion_clear Ht; destruct s; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
m0: Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (Some m0)
Hv: ELMO_component_valid Receive 
  (MkState obs adr) (Some m0)
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Receive m0 :: filter isSend obs
     else filter isSend obs)
↔ None = Some m ∨ m ∈ map message (filter isSend obs)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) None
Hv: ELMO_component_valid Send (MkState obs adr) None
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Send (MkMessage (MkState obs adr))
      :: filter isSend obs
     else filter isSend obs)
↔ Some (MkMessage (MkState obs adr)) = Some m
  ∨ m ∈ map message (filter isSend obs)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
m0: Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (Some m0)
Hv: ELMO_component_valid Receive 
  (MkState obs adr) (Some m0)
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Receive m0 :: filter isSend obs
     else filter isSend obs)
↔ None = Some m ∨ m ∈ map message (filter isSend obs) by rewrite decide_False; cbn; firstorder congruence.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) None
Hv: ELMO_component_valid Send (MkState obs adr) None
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Send (MkMessage (MkState obs adr))
      :: filter isSend obs
     else filter isSend obs)
↔ Some (MkMessage (MkState obs adr)) = Some m
  ∨ m ∈ map message (filter isSend obs) rewrite decide_True by done; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) None
Hv: ELMO_component_valid Send (MkState obs adr) None
m: Message
m
∈ MkMessage (MkState obs adr)
  :: map message (filter isSend obs)
↔ Some (MkMessage (MkState obs adr)) = Some m
  ∨ m ∈ map message (filter isSend obs)
      unfold Message; rewrite elem_of_cons.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) None
Hv: ELMO_component_valid Send (MkState obs adr) None
m: Message
m = MkMessage (MkState obs adr)
∨ m ∈ map message (filter isSend obs)
↔ Some (MkMessage (MkState obs adr)) = Some m
  ∨ m ∈ map message (filter isSend obs)
      by firstorder congruence.
Defined.

#[export] Instance ComputableReceivedMessages_ELMO_component
  (i : index) : ComputableReceivedMessages (ELMO_component i).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ComputableReceivedMessages (ELMO_component i)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ComputableReceivedMessages (ELMO_component i)
  constructor 1 with receivedMessages; constructor.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
∀ s : VLSM.state (ELMO_component i),
  initial_state_prop s
  → ∀ m : Message, m ∉ receivedMessages s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (ELMO_component i))) 
  (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            (ELMO_component i))) 
  (im : option Message) 
  (s' : VLSM.state
          (preloaded_with_all_messages_vlsm
             (ELMO_component i))) 
  (om : option Message),
  input_constrained_transition 
    (ELMO_component i) l (
    s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ receivedMessages s'
      ↔ field_selector input msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ receivedMessages s
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
∀ s : VLSM.state (ELMO_component i),
  initial_state_prop s
  → ∀ m : Message, m ∉ receivedMessages s by intros [] []; cbn in *; subst; cbn; apply not_elem_of_nil.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (ELMO_component i))) (s : VLSM.state
                                        (preloaded_with_all_messages_vlsm
                                           (ELMO_component
                                              i))) 
  (im : option Message) (s' : VLSM.state
                                (preloaded_with_all_messages_vlsm
                                   (ELMO_component i))) 
  (om : option Message),
  input_constrained_transition (ELMO_component i) l
    (s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ receivedMessages s'
      ↔ field_selector input msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ receivedMessages s intros l s im s' om [(Hvsp & Hovmp & Hv) Ht] m; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
l: Label
s: BaseELMO.State
im: option Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) im
Hv: ELMO_component_valid l s im
Ht: UMO_component_transition l s im = (s', om)
m: Message
m ∈ receivedMessages s'
↔ im = Some m ∨ m ∈ receivedMessages s
    destruct l, im; cbn in *; [| by exfalso; inversion Hv.. |];
    inversion_clear Ht; destruct s; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
m0: Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (Some m0)
Hv: ELMO_component_valid Receive 
  (MkState obs adr) (Some m0)
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Receive m0 :: filter isReceive obs
     else filter isReceive obs)
↔ Some m0 = Some m
  ∨ m ∈ map message (filter isReceive obs)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) None
Hv: ELMO_component_valid Send (MkState obs adr) None
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Send (MkMessage (MkState obs adr))
      :: filter isReceive obs
     else filter isReceive obs)
↔ None = Some m
  ∨ m ∈ map message (filter isReceive obs)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
m0: Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (Some m0)
Hv: ELMO_component_valid Receive 
  (MkState obs adr) (Some m0)
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Receive m0 :: filter isReceive obs
     else filter isReceive obs)
↔ Some m0 = Some m
  ∨ m ∈ map message (filter isReceive obs) rewrite decide_True by done; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
m0: Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (Some m0)
Hv: ELMO_component_valid Receive 
  (MkState obs adr) (Some m0)
m: Message
m ∈ m0 :: map message (filter isReceive obs)
↔ Some m0 = Some m
  ∨ m ∈ map message (filter isReceive obs)
      unfold Message; rewrite elem_of_cons.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
m0: Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (Some m0)
Hv: ELMO_component_valid Receive 
  (MkState obs adr) (Some m0)
m: Message
m = m0 ∨ m ∈ map message (filter isReceive obs)
↔ Some m0 = Some m
  ∨ m ∈ map message (filter isReceive obs)
      by firstorder congruence.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
obs: list BaseELMO.Observation
adr: Address
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (MkState obs adr)
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) None
Hv: ELMO_component_valid Send (MkState obs adr) None
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Send (MkMessage (MkState obs adr))
      :: filter isReceive obs
     else filter isReceive obs)
↔ None = Some m
  ∨ m ∈ map message (filter isReceive obs) by rewrite decide_False; cbn; firstorder congruence.
Defined.

#[export] Instance HasBeenDirectlyObservedCapability_ELMO_component
  (i : index) : HasBeenDirectlyObservedCapability (ELMO_component i) :=
    HasBeenDirectlyObservedCapability_from_sent_received (ELMO_component i).

Lemma ELMO_reachable_view (s : State) i :
  constrained_state_prop (ELMO_component i) s
    <->
  UMO_reachable ELMO_recv_valid s /\ adr s = idx i.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
constrained_state_prop (ELMO_component i) s
↔ UMO_reachable ELMO_recv_valid s ∧ adr s = idx i
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
constrained_state_prop (ELMO_component i) s
↔ UMO_reachable ELMO_recv_valid s ∧ adr s = idx i
  eapply iff_trans.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
constrained_state_prop (ELMO_component i) s ↔ ?B
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
?B ↔ UMO_reachable ELMO_recv_valid s ∧ adr s = idx i
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
constrained_state_prop (ELMO_component i) s ↔ ?B apply UMO_based_valid_reachable; [| | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
∀ si : VLSM.state
         {|
           vlsm_type :=
             {|
               VLSM.state := BaseELMO.State;
               VLSM.label := Label
             |};
           vlsm_machine := ELMO_component_machine i
         |}, initial_state_prop si → obs si = []
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            {|
              vlsm_type :=
                {|
                  VLSM.state := BaseELMO.State;
                  VLSM.label := Label
                |};
              vlsm_machine := ELMO_component_machine i
            |})) (om : option BaseELMO.Message),
  constrained_state_prop
    {|
      vlsm_type :=
        {|
          VLSM.state := BaseELMO.State;
          VLSM.label := Label
        |};
      vlsm_machine := ELMO_component_machine i
    |} s → valid Send (s, om) ↔ om = None
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
∀ si : VLSM.state
         {|
           vlsm_type :=
             {|
               VLSM.state := BaseELMO.State;
               VLSM.label := Label
             |};
           vlsm_machine := ELMO_component_machine i
         |}, initial_state_prop si → obs si = [] by inversion 1.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            {|
              vlsm_type :=
                {|
                  VLSM.state := BaseELMO.State;
                  VLSM.label := Label
                |};
              vlsm_machine := ELMO_component_machine i
            |})) (om : option BaseELMO.Message),
  constrained_state_prop
    {|
      vlsm_type :=
        {|
          VLSM.state := BaseELMO.State;
          VLSM.label := Label
        |};
      vlsm_machine := ELMO_component_machine i
    |} s → valid Send (s, om) ↔ om = None by cbn; split; inversion 1; [| constructor].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
UMO_reachable
  (λ (s : BaseELMO.State) (m : BaseELMO.Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
↔ UMO_reachable ELMO_recv_valid s ∧ adr s = idx i apply Morphisms_Prop.and_iff_morphism.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
UMO_reachable
  (λ (s : BaseELMO.State) (m : BaseELMO.Message),
     valid Receive (s, Some m)) s
↔ UMO_reachable ELMO_recv_valid s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
initial_state_prop (MkState [] (adr s))
↔ adr s = idx i
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
UMO_reachable
  (λ (s : BaseELMO.State) (m : BaseELMO.Message),
     valid Receive (s, Some m)) s
↔ UMO_reachable ELMO_recv_valid s by split; apply UMO_reachable_impl; inversion 1; subst; [| constructor].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: State
i: index
initial_state_prop (MkState [] (adr s))
↔ adr s = idx i by cbn; firstorder.
Qed.

Lemma ELMO_component_message_dependencies_full_node_condition :
  forall i : index,
    message_dependencies_full_node_condition_prop
      (ELMO_component i) Message_dependencies.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ i : index,
  message_dependencies_full_node_condition_prop
    (ELMO_component i) Message_dependencies
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
∀ i : index,
  message_dependencies_full_node_condition_prop
    (ELMO_component i) Message_dependencies
  intros i [] s m Hv; inversion Hv as [? ? [Hfull] |]; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state (ELMO_component i)
m: Message
Hv: valid Receive (s, Some m)
Hfull: full_node s m
ELMO_mv_no_self_equiv0: no_self_equiv s m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s <+>
   MkObservation
     Receive m)
message_dependencies_full_node_condition
  (ELMO_component i) Message_dependencies s m
  intros dm Hdm; cbn in Hdm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state (ELMO_component i)
m: Message
Hv: valid Receive (s, Some m)
Hfull: full_node s m
ELMO_mv_no_self_equiv0: no_self_equiv s m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s <+>
   MkObservation
     Receive m)
dm: Message
Hdm: dm ∈ Message_dependencies m
has_been_directly_observed (ELMO_component i) s dm
  apply elem_of_list_to_set in Hdm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state (ELMO_component i)
m: Message
Hv: valid Receive (s, Some m)
Hfull: full_node s m
ELMO_mv_no_self_equiv0: no_self_equiv s m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s <+>
   MkObservation
     Receive m)
dm: Message
Hdm: dm ∈ map message (obs (state m))
has_been_directly_observed (ELMO_component i) s dm
  eapply elem_of_submseteq, elem_of_messages in Hdm; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state (ELMO_component i)
m: Message
Hv: valid Receive (s, Some m)
Hfull: full_node s m
ELMO_mv_no_self_equiv0: no_self_equiv s m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s <+>
   MkObservation
     Receive m)
dm: Message
Hdm: dm ∈ sentMessages s ∨ dm ∈ receivedMessages s
has_been_directly_observed (ELMO_component i) s dm
  by destruct Hdm as []; [left | right].
Qed.

Lemma ELMO_full_node_reachable i s :
  constrained_state_prop (ELMO_component i) s -> UMO_reachable full_node s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
constrained_state_prop (ELMO_component i) s
→ UMO_reachable full_node s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
constrained_state_prop (ELMO_component i) s
→ UMO_reachable full_node s
  intro Hs; apply ELMO_reachable_view in Hs as [? _].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
H1: UMO_reachable ELMO_recv_valid s
UMO_reachable full_node s
  eapply UMO_reachable_impl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
H1: UMO_reachable ELMO_recv_valid s
∀ (s : BaseELMO.State) (m : BaseELMO.Message),
  ELMO_recv_valid s m → full_node s m
  by inversion 1.
Qed.

Lemma ELMO_no_self_equiv_reachable i s :
  constrained_state_prop (ELMO_component i) s -> UMO_reachable no_self_equiv s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
constrained_state_prop (ELMO_component i) s
→ UMO_reachable no_self_equiv s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
constrained_state_prop (ELMO_component i) s
→ UMO_reachable no_self_equiv s
  intro Hs; apply ELMO_reachable_view in Hs as [? _].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
H1: UMO_reachable ELMO_recv_valid s
UMO_reachable no_self_equiv s
  eapply UMO_reachable_impl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
H1: UMO_reachable ELMO_recv_valid s
∀ (s : BaseELMO.State) (m : BaseELMO.Message),
  ELMO_recv_valid s m → no_self_equiv s m
  by inversion 1.
Qed.

Section sec_ELMO_component_lemmas.

Component lemmas

Context
  (i : index)
  (Ei : VLSM Message := ELMO_component i)
  .

Lemma ELMO_reachable_adr (s : State) :
  constrained_state_prop Ei s -> adr s = idx i.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
constrained_state_prop Ei s → adr s = idx i
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
constrained_state_prop Ei s → adr s = idx i
  by intros [_ Hadr]%ELMO_reachable_view.
Qed.

Lemma ELMO_constrained_transition_output_not_initial :
  forall l (s : State) (om : option Message) (s' : State) (om' : option Message),
    input_constrained_transition Ei l (s, om) (s', om') ->
    ~ initial_state_prop Ei s'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm Ei)) (s : State) 
  (om : option Message) (s' : State) (om' : option
                                              Message),
  input_constrained_transition Ei l (s, om) (s', om')
  → ¬ initial_state_prop s'
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm Ei)) (s : State) 
  (om : option Message) (s' : State) (om' : option
                                              Message),
  input_constrained_transition Ei l (s, om) (s', om')
  → ¬ initial_state_prop s'
  intros l s om [ol a] om' [(_ & _ & Hv) Ht]; compute; intros [-> _].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
s: State
om: option Message
a: Address
om': option Message
Hv: valid l (s, om)
Ht: transition l (s, om) = (MkState [] a, om')
False
  by inversion Hv; subst; inversion Ht.
Qed.

Lemma ELMO_input_constrained_transition_inj :
  forall l (s : State) (om : option Message) (s' : State) (om' : option Message),
    input_constrained_transition Ei l (s, om) (s', om') ->
  forall l0 s0 om0 om'0,
    input_constrained_transition Ei l0 (s0, om0) (s', om'0) ->
      l0 = l /\ s0 = s /\ om0 = om /\ om'0 = om'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm Ei)) (s : State) 
  (om : option Message) (s' : State) (om' : option
                                              Message),
  input_constrained_transition Ei l (s, om) (s', om')
  → ∀ (l0 : VLSM.label
              (preloaded_with_all_messages_vlsm Ei)) 
      (s0 : VLSM.state
              (preloaded_with_all_messages_vlsm Ei)) 
      (om0 om'0 : option Message),
      input_constrained_transition Ei l0 (s0, om0)
        (s', om'0)
      → l0 = l ∧ s0 = s ∧ om0 = om ∧ om'0 = om'
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm Ei)) (s : State) 
  (om : option Message) (s' : State) (om' : option
                                              Message),
  input_constrained_transition Ei l (s, om) (s', om')
  → ∀ (l0 : VLSM.label
              (preloaded_with_all_messages_vlsm Ei)) 
      (s0 : VLSM.state
              (preloaded_with_all_messages_vlsm Ei)) 
      (om0 om'0 : option Message),
      input_constrained_transition Ei l0 (s0, om0)
        (s', om'0)
      → l0 = l ∧ s0 = s ∧ om0 = om ∧ om'0 = om'
  intros l s om s' om' [(_ & _ & Hvalid) Ht] l0 s0 om0 om'0 [(_ & _ & Hvalid0) Ht0].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
s: State
om: option Message
s': State
om': option Message
Hvalid: valid l (s, om)
Ht: transition l (s, om) = (s', om')
l0: VLSM.label (preloaded_with_all_messages_vlsm Ei)
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
om0, om'0: option Message
Hvalid0: valid l0 (s0, om0)
Ht0: transition l0 (s0, om0) = (s', om'0)
l0 = l ∧ s0 = s ∧ om0 = om ∧ om'0 = om'
  inversion Hvalid; subst; cbn in Ht; injection Ht as [= <- <-];
    inversion Hvalid0; subst; inversion Ht0; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hvalid: valid Receive (s, Some m)
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
om'0: option Message
m0: Message
Hvalid0: valid Receive (s0, Some m0)
Ht0: transition Receive (s0, Some m0) =
(s <+> MkObservation Receive m, om'0)
H1: ELMO_recv_valid s m
H2: ELMO_recv_valid s0 m0
H4: m0 = m
H5: obs s0 = obs s
H6: adr s0 = adr s
H7: None = om'0
Receive = Receive
∧ s0 = s ∧ Some m = Some m ∧ None = None
  by replace s0 with s by (apply eq_State; done).
Qed.

Lemma ELMO_component_valid_transition_size :
  forall (s1 s2 : State) (iom oom : option Message) (lbl : Label),
    ELMO_component_valid lbl s1 iom ->
    UMO_component_transition lbl s1 iom = (s2, oom) ->
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  ELMO_component_valid lbl s1 iom
  → UMO_component_transition lbl s1 iom = (s2, oom)
    → sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  ELMO_component_valid lbl s1 iom
  → UMO_component_transition lbl s1 iom = (s2, oom)
    → sizeState s1 < sizeState s2 by intros [] s2 [im |] oom []; do 2 inversion_clear 1; cbn; lia. Qed.

#[export] Instance ELMOTransitionMonotoneVLSM : TransitionMonotoneVLSM Ei sizeState.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
TransitionMonotoneVLSM Ei sizeState
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
TransitionMonotoneVLSM Ei sizeState
  constructor; intros s1 s2 [? ? ? [Hv Ht]].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s1, s2: VLSM.state Ei
l: VLSM.label Ei
iom, oom: option Message
Hv: valid l (s1, iom)
Ht: transition l (s1, iom) = (s2, oom)
sizeState s1 < sizeState s2
  by eapply ELMO_component_valid_transition_size; cbn in *.
Qed.

Lemma state_suffix_addObservation_inv :
  forall (s1 s2 : State) (ob : Observation),
    state_suffix s1 (s2 <+> ob) ->
      s1 = s2 \/ state_suffix s1 s2.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s1 s2 : State) (ob : Observation),
  state_suffix s1 (s2 <+> ob)
  → s1 = s2 ∨ state_suffix s1 s2
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s1 s2 : State) (ob : Observation),
  state_suffix s1 (s2 <+> ob)
  → s1 = s2 ∨ state_suffix s1 s2
  intros s1 s2 ob (Hadr & [[| _o os] Hsuf] & Hstrict);
    [by contradict Hstrict; exists [] |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s1, s2: State
ob: Observation
Hadr: adr s1 = adr (s2 <+> ob)
_o: BaseELMO.Observation
os: list BaseELMO.Observation
Hsuf: obs (s2 <+> ob) = (_o :: os) ++ obs s1
Hstrict: ¬ obs (s2 <+> ob) `suffix_of` obs s1
s1 = s2 ∨ state_suffix s1 s2
  destruct s2; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s1: State
obs: list BaseELMO.Observation
adr: Address
ob: Observation
Hadr: BaseELMO.adr s1 = adr
_o: BaseELMO.Observation
os: list BaseELMO.Observation
Hsuf: addObservation' ob obs =
_o :: os ++ BaseELMO.obs s1
Hstrict: ¬ addObservation' ob obs
  `suffix_of` BaseELMO.obs s1
s1 = MkState obs adr
∨ state_suffix s1 (MkState obs adr)
  inversion Hsuf; subst _o obs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s1: State
adr: Address
ob: Observation
Hadr: BaseELMO.adr s1 = adr
os: list BaseELMO.Observation
Hstrict: ¬ addObservation' ob (os ++ obs s1)
  `suffix_of` obs s1
Hsuf: addObservation' ob (os ++ obs s1) =
ob :: os ++ obs s1
s1 = MkState (os ++ obs s1) adr
∨ state_suffix s1 (MkState (os ++ obs s1) adr)
  destruct os; [left; apply eq_State; cbn in *; congruence |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s1: State
adr: Address
ob: Observation
Hadr: BaseELMO.adr s1 = adr
o: BaseELMO.Observation
os: list BaseELMO.Observation
Hstrict: ¬ addObservation' ob ((o :: os) ++ obs s1)
  `suffix_of` obs s1
Hsuf: addObservation' ob ((o :: os) ++ obs s1) =
ob :: (o :: os) ++ obs s1
s1 = MkState ((o :: os) ++ obs s1) adr
∨ state_suffix s1 (MkState ((o :: os) ++ obs s1) adr)
  right; constructor; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s1: State
adr: Address
ob: Observation
Hadr: BaseELMO.adr s1 = adr
o: BaseELMO.Observation
os: list BaseELMO.Observation
Hstrict: ¬ addObservation' ob ((o :: os) ++ obs s1)
  `suffix_of` obs s1
Hsuf: addObservation' ob ((o :: os) ++ obs s1) =
ob :: (o :: os) ++ obs s1
strict suffix (obs s1)
  (obs (MkState ((o :: os) ++ obs s1) adr))
  split; [by eexists | destruct s1; cbn; clear].Address: Type
obs: list BaseELMO.Observation
o: BaseELMO.Observation
os: list BaseELMO.Observation
¬ o :: os ++ obs `suffix_of` obs
  intros [os' Heqos].Address: Type
obs: list BaseELMO.Observation
o: BaseELMO.Observation
os, os': list BaseELMO.Observation
Heqos: obs = os' ++ o :: os ++ obs
False
  apply f_equal with (f := length) in Heqos.Address: Type
obs: list BaseELMO.Observation
o: BaseELMO.Observation
os, os': list BaseELMO.Observation
Heqos: length obs = length (os' ++ o :: os ++ obs)
False
  rewrite app_length in Heqos; cbn in Heqos; rewrite app_length in Heqos.Address: Type
obs: list BaseELMO.Observation
o: BaseELMO.Observation
os, os': list BaseELMO.Observation
Heqos: length obs =
length os' + S (length os + length obs)
False
  by lia.
Qed.

There is a unique trace from any prefix of a reachable state to that state.

Lemma ELMO_unique_trace_segments (s sf : State) :
  constrained_state_prop Ei sf -> (s = sf \/ state_suffix s sf) ->
  exists! (tr : list transition_item),
    finite_constrained_trace_from_to Ei s sf tr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, sf: State
constrained_state_prop Ei sf
→ s = sf ∨ state_suffix s sf
  → ∃ y,
      unique
        (λ tr : list transition_item,
           finite_constrained_trace_from_to Ei s sf tr)
        y
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, sf: State
constrained_state_prop Ei sf
→ s = sf ∨ state_suffix s sf
  → ∃ y,
      unique
        (λ tr : list transition_item,
           finite_constrained_trace_from_to Ei s sf tr)
        y
  intros Hsf [-> | Hsuf];
    [by exists []; split; [by constructor |]; intros;
      symmetry; eapply transition_monotone_empty_trace; [typeclasses eauto |]
    |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, sf: State
Hsf: constrained_state_prop Ei sf
Hsuf: state_suffix s sf
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s sf tr) y
  induction Hsf using valid_state_prop_ind.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hs: initial_state_prop s0
Hsuf: state_suffix s s0
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s0 tr) y
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s' tr) y
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hs: initial_state_prop s0
Hsuf: state_suffix s s0
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s0 tr) y unfold initial_state_prop in Hs; cbn in Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hs: UMO_component_initial_state_prop (idx i) s0
Hsuf: state_suffix s s0
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s0 tr) y
    eapply UMO_component_initial_state_spec in Hs as ->.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hsuf: state_suffix s (MkState [] (idx i))
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s
         (MkState [] (idx i)) tr) y
    by contradict Hsuf; apply state_suffix_empty_minimal.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s' tr) y assert (s = s0 \/ state_suffix s s0) as [-> | Hss0].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
s = s0 ∨ state_suffix s s0
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
IHHsf: state_suffix s0 s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           s0 s0 tr) y
Hsuf: state_suffix s0 s'
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s0 s' tr) y
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
Hss0: state_suffix s s0
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s' tr) y
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
s = s0 ∨ state_suffix s s0
      assert (exists o, s' = s0 <+> o) as [o ->]
        by (destruct Ht as [(_ & _ & Hv) Ht]; inversion Hv; subst;
            inversion Ht; eexists; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
o: BaseELMO.Observation
Hsuf: state_suffix s (s0 <+> o)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s0 <+> o, om')
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
s = s0 ∨ state_suffix s s0
      by apply state_suffix_addObservation_inv in Hsuf.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
IHHsf: state_suffix s0 s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           s0 s0 tr) y
Hsuf: state_suffix s0 s'
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s0 s' tr) y
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
Hss0: state_suffix s s0
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s' tr) y
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
IHHsf: state_suffix s0 s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           s0 s0 tr) y
Hsuf: state_suffix s0 s'
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s0 s' tr) y exists [Build_transition_item l om s' om'].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
IHHsf: state_suffix s0 s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           s0 s0 tr) y
Hsuf: state_suffix s0 s'
unique
  (λ tr : list transition_item,
     finite_constrained_trace_from_to Ei s0 s' tr)
  [{|
     l := l;
     input := om;
     destination := s';
     output := om'
   |}]
      split; [by apply finite_valid_trace_from_to_singleton |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
IHHsf: state_suffix s0 s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           s0 s0 tr) y
Hsuf: state_suffix s0 s'
∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei s0 s' x'
  → [{|
       l := l;
       input := om;
       destination := s';
       output := om'
     |}] = x'
      intros tr' Htr'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
IHHsf: state_suffix s0 s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           s0 s0 tr) y
Hsuf: state_suffix s0 s'
tr': list transition_item
Htr': finite_constrained_trace_from_to Ei s0 s' tr'
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}] = tr'
      induction Htr' using finite_valid_trace_from_to_rev_ind;
        [by contradict Hsuf; apply Irreflexive_state_suffix | clear IHHtr'].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
si, sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (si, om) (sf, om')
IHHsf: state_suffix si si
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           si si tr) y
Hsuf: state_suffix si sf
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
iom, oom: option Message
l0: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l0
  (s, iom) (sf, oom)
[{|
   l := l;
   input := om;
   destination := sf;
   output := om'
 |}] =
tr ++
[{|
   l := l0;
   input := iom;
   destination := sf;
   output := oom
 |}]
      destruct (ELMO_input_constrained_transition_inj _ _ _ _ _ Ht _ _ _ _ Ht0)
        as (-> & -> & -> & ->).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
si, sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (si, om) (sf, om')
IHHsf: state_suffix si si
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           si si tr) y
Hsuf: state_suffix si sf
tr: list transition_item
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si si
  tr
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (si, om) (sf, om')
[{|
   l := l;
   input := om;
   destination := sf;
   output := om'
 |}] =
tr ++
[{|
   l := l;
   input := om;
   destination := sf;
   output := om'
 |}]
      eapply transition_monotone_empty_trace in Htr'; [| typeclasses eauto].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
si, sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (si, om) (sf, om')
IHHsf: state_suffix si si
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           si si tr) y
Hsuf: state_suffix si sf
tr: list transition_item
Htr': tr = []
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (si, om) (sf, om')
[{|
   l := l;
   input := om;
   destination := sf;
   output := om'
 |}] =
tr ++
[{|
   l := l;
   input := om;
   destination := sf;
   output := om'
 |}]
      by subst.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
Hss0: state_suffix s s0
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s' tr) y destruct (IHHsf Hss0) as (tr & Htr & Htr_unique).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
Hss0: state_suffix s s0
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s0 tr
Htr_unique: ∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei s
    s0 x' → tr = x'
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei s s' tr) y
      exists (tr ++ [Build_transition_item l om s' om']).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
Hss0: state_suffix s s0
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s0 tr
Htr_unique: ∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei s
    s0 x' → tr = x'
unique
  (λ tr : list transition_item,
     finite_constrained_trace_from_to Ei s s' tr)
  (tr ++
   [{|
      l := l;
      input := om;
      destination := s';
      output := om'
    |}])
      split; [by apply extend_right_finite_trace_from_to with (s2 := s0) |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
Hss0: state_suffix s s0
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s0 tr
Htr_unique: ∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei s
    s0 x' → tr = x'
∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei s s' x'
  → tr ++
    [{|
       l := l;
       input := om;
       destination := s';
       output := om'
     |}] = x'
      intros tr' Htr'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (s', om')
Hsuf: state_suffix s s'
IHHsf: state_suffix s s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei s
           s0 tr) y
Hss0: state_suffix s s0
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s0 tr
Htr_unique: ∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei s
    s0 x' → tr = x'
tr': list transition_item
Htr': finite_constrained_trace_from_to Ei s s' tr'
tr ++
[{|
   l := l;
   input := om;
   destination := s';
   output := om'
 |}] = tr'
      induction Htr' using finite_valid_trace_from_to_rev_ind;
        [by contradict Hsuf; apply Irreflexive_state_suffix | clear IHHtr'].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0, sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (sf, om')
si: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hsuf: state_suffix si sf
IHHsf: state_suffix si s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           si s0 tr) y
Hss0: state_suffix si s0
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei si s0 tr
Htr_unique: ∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei si
    s0 x' → tr = x'
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr0: list transition_item
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s
  tr0
iom, oom: option Message
l0: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l0
  (s, iom) (sf, oom)
tr ++
[{|
   l := l;
   input := om;
   destination := sf;
   output := om'
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom;
   destination := sf;
   output := oom
 |}]
      destruct (ELMO_input_constrained_transition_inj _ _ _ _ _ Ht _ _ _ _ Ht0)
        as (-> & -> & -> & ->).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
s0, sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (sf, om')
si: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hsuf: state_suffix si sf
IHHsf: state_suffix si s0
→ ∃ y,
    unique
      (λ tr : list transition_item,
         finite_constrained_trace_from_to Ei
           si s0 tr) y
Hss0: state_suffix si s0
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei si s0 tr
Htr_unique: ∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei si
    s0 x' → tr = x'
tr0: list transition_item
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s0
  tr0
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s0, om) (sf, om')
tr ++
[{|
   l := l;
   input := om;
   destination := sf;
   output := om'
 |}] =
tr0 ++
[{|
   l := l;
   input := om;
   destination := sf;
   output := om'
 |}]
      by f_equal; apply Htr_unique.
Qed.

From every reachable state of an ELMO_component we can extract a unique trace reaching that state from the initial state.

Lemma ELMO_unique_traces (sf : State) :
  constrained_state_prop Ei sf ->
    exists! tr : list transition_item, exists si : State,
      finite_constrained_trace_init_to Ei si sf tr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
constrained_state_prop Ei sf
→ ∃ y,
    unique
      (λ tr : list transition_item,
         ∃ si : State,
           finite_constrained_trace_init_to Ei si sf
             tr) y
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
constrained_state_prop Ei sf
→ ∃ y,
    unique
      (λ tr : list transition_item,
         ∃ si : State,
           finite_constrained_trace_init_to Ei si sf
             tr) y
  intros Hsf.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
∃ y,
  unique
    (λ tr : list transition_item,
       ∃ si : State,
         finite_constrained_trace_init_to Ei si sf tr)
    y
  pose (si := MkState [] (idx i)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
∃ y,
  unique
    (λ tr : list transition_item,
       ∃ si : State,
         finite_constrained_trace_init_to Ei si sf tr)
    y
  cut (exists! (tr : list transition_item), finite_constrained_trace_from_to Ei si sf tr).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
(∃ y,
   unique
     (λ tr : list transition_item,
        finite_constrained_trace_from_to Ei si sf tr)
     y)
→ ∃ y,
    unique
      (λ tr : list transition_item,
         ∃ si : State,
           finite_constrained_trace_init_to Ei si sf
             tr) y
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei si sf tr) y
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
(∃ y,
   unique
     (λ tr : list transition_item,
        finite_constrained_trace_from_to Ei si sf tr)
     y)
→ ∃ y,
    unique
      (λ tr : list transition_item,
         ∃ si : State,
           finite_constrained_trace_init_to Ei si sf
             tr) y
    intros (tr & Htr & Htr_unique).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei si sf tr
Htr_unique: ∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei si
    sf x' → tr = x'
∃ y,
  unique
    (λ tr : list transition_item,
       ∃ si : State,
         finite_constrained_trace_init_to Ei si sf tr)
    y
    exists tr; split; [by exists si; split |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei si sf tr
Htr_unique: ∀ x' : list transition_item,
  finite_constrained_trace_from_to Ei si
    sf x' → tr = x'
∀ x' : list transition_item,
  (∃ si : State,
     finite_constrained_trace_init_to Ei si sf x')
  → tr = x'
    by intros _tr [[] [H_tr []]]; cbn in *; subst; apply Htr_unique.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
∃ y,
  unique
    (λ tr : list transition_item,
       finite_constrained_trace_from_to Ei si sf tr) y
  apply ELMO_unique_trace_segments; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
si = sf ∨ state_suffix si sf
  destruct (decide (si = sf)) as [| Hneq]; [by left | right].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
si:= MkState [] (idx i): BaseELMO.State
Hneq: si ≠ sf
state_suffix si sf
  subst si; constructor; cbn; [by rewrite ELMO_reachable_adr |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
Hneq: MkState [] (idx i) ≠ sf
strict suffix [] (obs sf)
  split; [by eexists; rewrite app_nil_r |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
Hneq: MkState [] (idx i) ≠ sf
¬ obs sf `suffix_of` []
  intros [os Hos].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
Hneq: MkState [] (idx i) ≠ sf
os: list BaseELMO.Observation
Hos: [] = os ++ obs sf
False
  symmetry in Hos; apply app_nil in Hos as [_ Hosf].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
sf: State
Hsf: constrained_state_prop Ei sf
Hneq: MkState [] (idx i) ≠ sf
os: list BaseELMO.Observation
Hosf: obs sf = []
False
  by contradict Hneq; apply eq_State; [| symmetry; apply ELMO_reachable_adr].
Qed.

Lemma full_node_rebase_rec_obs :
  forall (s s' : State) (m : Message),
    UMO_reachable full_node s ->
    full_node s (MkMessage s') ->
    forall l, rec_obs s' (MkObservation l m) ->
      exists l, rec_obs s (MkObservation l m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s s' : State) (m : Message),
  UMO_reachable full_node s
  → full_node s (MkMessage s')
    → ∀ l : Label,
        rec_obs s' (MkObservation l m)
        → ∃ l0 : Label, rec_obs s (MkObservation l0 m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s s' : State) (m : Message),
  UMO_reachable full_node s
  → full_node s (MkMessage s')
    → ∀ l : Label,
        rec_obs s' (MkObservation l m)
        → ∃ l0 : Label, rec_obs s (MkObservation l0 m)
  intros s s' m Hs Hfull l Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': State
m: Message
Hs: UMO_reachable full_node s
Hfull: full_node s (MkMessage s')
l: Label
Hm: rec_obs s' (MkObservation l m)
∃ l : Label, rec_obs s (MkObservation l m)
  remember (MkObservation l m) as ob eqn: Heq_ob.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': State
m: Message
Hs: UMO_reachable full_node s
Hfull: full_node s (MkMessage s')
l: Label
ob: BaseELMO.Observation
Heq_ob: ob = MkObservation l m
Hm: rec_obs s' ob
∃ l : Label, rec_obs s (MkObservation l m)
  revert l m Heq_ob; induction Hm; intros l0 m0 ->.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
l0: Label
m0: Message
Hfull: full_node s
  (MkMessage (s0 <+> MkObservation l0 m0))
∃ l : Label, rec_obs s (MkObservation l m0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
ob': BaseELMO.Observation
Hfull: full_node s (MkMessage (s0 <+> ob'))
l0: Label
m0: Message
IHHm: full_node s (MkMessage s0)
→ ∀ (l : Label) (m : Message),
    MkObservation l0 m0 = MkObservation l m
    → ∃ l0 : Label,
        rec_obs s (MkObservation l0 m)
Hm: rec_obs s0 (MkObservation l0 m0)
∃ l : Label, rec_obs s (MkObservation l m0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
m: BaseELMO.Message
Hfull: full_node s
  (MkMessage (s0 <+> MkObservation Receive m))
l0: Label
m0: Message
IHHm: full_node s (MkMessage (state m))
→ ∀ (l : Label) (m : Message),
    MkObservation l0 m0 = MkObservation l m
    → ∃ l0 : Label,
        rec_obs s (MkObservation l0 m)
Hm: rec_obs (state m) (MkObservation l0 m0)
∃ l : Label, rec_obs s (MkObservation l m0)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
l0: Label
m0: Message
Hfull: full_node s
  (MkMessage (s0 <+> MkObservation l0 m0))
∃ l : Label, rec_obs s (MkObservation l m0) assert (Hm : m0 ∈ messages s) by (revert Hfull; apply elem_of_submseteq; constructor).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
l0: Label
m0: Message
Hfull: full_node s
  (MkMessage (s0 <+> MkObservation l0 m0))
Hm: m0 ∈ messages s
∃ l : Label, rec_obs s (MkObservation l m0)
    by apply elem_of_list_fmap in Hm as [[l' m'] [-> Hm]]; exists l'; apply obs_rec_obs.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
ob': BaseELMO.Observation
Hfull: full_node s (MkMessage (s0 <+> ob'))
l0: Label
m0: Message
IHHm: full_node s (MkMessage s0)
→ ∀ (l : Label) (m : Message),
    MkObservation l0 m0 = MkObservation l m
    → ∃ l0 : Label,
        rec_obs s (MkObservation l0 m)
Hm: rec_obs s0 (MkObservation l0 m0)
∃ l : Label, rec_obs s (MkObservation l m0) eapply IHHm; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
ob': BaseELMO.Observation
Hfull: full_node s (MkMessage (s0 <+> ob'))
l0: Label
m0: Message
IHHm: full_node s (MkMessage s0)
→ ∀ (l : Label) (m : Message),
    MkObservation l0 m0 = MkObservation l m
    → ∃ l0 : Label,
        rec_obs s (MkObservation l0 m)
Hm: rec_obs s0 (MkObservation l0 m0)
full_node s (MkMessage s0)
    by revert Hfull; apply submseteq_tail_l.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
m: BaseELMO.Message
Hfull: full_node s
  (MkMessage (s0 <+> MkObservation Receive m))
l0: Label
m0: Message
IHHm: full_node s (MkMessage (state m))
→ ∀ (l : Label) (m : Message),
    MkObservation l0 m0 = MkObservation l m
    → ∃ l0 : Label,
        rec_obs s (MkObservation l0 m)
Hm: rec_obs (state m) (MkObservation l0 m0)
∃ l : Label, rec_obs s (MkObservation l m0) assert (m ∈ messages s) by (revert Hfull; apply elem_of_submseteq; constructor).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
s0: BaseELMO.State
m: BaseELMO.Message
Hfull: full_node s
  (MkMessage (s0 <+> MkObservation Receive m))
l0: Label
m0: Message
IHHm: full_node s (MkMessage (state m))
→ ∀ (l : Label) (m : Message),
    MkObservation l0 m0 = MkObservation l m
    → ∃ l0 : Label,
        rec_obs s (MkObservation l0 m)
Hm: rec_obs (state m) (MkObservation l0 m0)
H1: m ∈ messages s
∃ l : Label, rec_obs s (MkObservation l m0)
    by exists l0; apply (unfold_robs _ _ Hs); right; exists m.
Qed.

Lemma full_node_messages_iff_rec_obs :
  forall (s : State), UMO_reachable full_node s ->
  forall (m : Message),
    m ∈ messages s <-> (exists l, rec_obs s (MkObservation l m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : State,
  UMO_reachable full_node s
  → ∀ m : Message,
      m ∈ messages s
      ↔ (∃ l : Label, rec_obs s (MkObservation l m))
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : State,
  UMO_reachable full_node s
  → ∀ m : Message,
      m ∈ messages s
      ↔ (∃ l : Label, rec_obs s (MkObservation l m))
  intros s Hs; induction Hs using UMO_reachable_ind'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a: Address
∀ m : Message,
  m ∈ messages (MkState [] a)
  ↔ (∃ l : Label,
       rec_obs (MkState [] a) (MkObservation l m))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
l: Label
msg: BaseELMO.Message
Hs: UMO_reachable full_node s
H1: match l with
| Receive => full_node s msg
| Send => msg = MkMessage s
end
IHHs: ∀ m : Message,
  m ∈ messages s
  ↔ (∃ l : Label, rec_obs s (MkObservation l m))
∀ m : Message,
  m ∈ messages (s <+> MkObservation l msg)
  ↔ (∃ l0 : Label,
       rec_obs (s <+> MkObservation l msg)
         (MkObservation l0 m))
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a: Address
∀ m : Message,
  m ∈ messages (MkState [] a)
  ↔ (∃ l : Label,
       rec_obs (MkState [] a) (MkObservation l m)) by split; [intros Hm | intros [? Hm]]; inversion Hm.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
l: Label
msg: BaseELMO.Message
Hs: UMO_reachable full_node s
H1: match l with
| Receive => full_node s msg
| Send => msg = MkMessage s
end
IHHs: ∀ m : Message,
  m ∈ messages s
  ↔ (∃ l : Label, rec_obs s (MkObservation l m))
∀ m : Message,
  m ∈ messages (s <+> MkObservation l msg)
  ↔ (∃ l0 : Label,
       rec_obs (s <+> MkObservation l msg)
         (MkObservation l0 m)) intros m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
l: Label
msg: BaseELMO.Message
Hs: UMO_reachable full_node s
H1: match l with
| Receive => full_node s msg
| Send => msg = MkMessage s
end
IHHs: ∀ m : Message,
  m ∈ messages s
  ↔ (∃ l : Label, rec_obs s (MkObservation l m))
m: Message
m ∈ messages (s <+> MkObservation l msg)
↔ (∃ l0 : Label,
     rec_obs (s <+> MkObservation l msg)
       (MkObservation l0 m))
    setoid_rewrite elem_of_messages_addObservation; rewrite (IHHs m);
      setoid_rewrite rec_obs_addObservation_iff; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
l: Label
msg: BaseELMO.Message
Hs: UMO_reachable full_node s
H1: match l with
| Receive => full_node s msg
| Send => msg = MkMessage s
end
IHHs: ∀ m : Message,
  m ∈ messages s
  ↔ (∃ l : Label, rec_obs s (MkObservation l m))
m: Message
m = msg ∨ (∃ l : Label, rec_obs s (MkObservation l m))
↔ (∃ l0 : Label,
     rec_obs s (MkObservation l0 m)
     ∨ MkObservation l0 m = MkObservation l msg
       ∨ l = Receive
         ∧ rec_obs (state msg) (MkObservation l0 m))
    split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
l: Label
msg: BaseELMO.Message
Hs: UMO_reachable full_node s
H1: match l with
| Receive => full_node s msg
| Send => msg = MkMessage s
end
IHHs: ∀ m : Message,
  m ∈ messages s
  ↔ (∃ l : Label, rec_obs s (MkObservation l m))
m: Message
m = msg ∨ (∃ l : Label, rec_obs s (MkObservation l m))
→ ∃ l0 : Label,
    rec_obs s (MkObservation l0 m)
    ∨ MkObservation l0 m = MkObservation l msg
      ∨ l = Receive
        ∧ rec_obs (state msg) (MkObservation l0 m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
l: Label
msg: BaseELMO.Message
Hs: UMO_reachable full_node s
H1: match l with
| Receive => full_node s msg
| Send => msg = MkMessage s
end
IHHs: ∀ m : Message,
  m ∈ messages s
  ↔ (∃ l : Label, rec_obs s (MkObservation l m))
m: Message
(∃ l0 : Label,
   rec_obs s (MkObservation l0 m)
   ∨ MkObservation l0 m = MkObservation l msg
     ∨ l = Receive
       ∧ rec_obs (state msg) (MkObservation l0 m))
→ m = msg
  ∨ (∃ l : Label, rec_obs s (MkObservation l m))
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
l: Label
msg: BaseELMO.Message
Hs: UMO_reachable full_node s
H1: match l with
| Receive => full_node s msg
| Send => msg = MkMessage s
end
IHHs: ∀ m : Message,
  m ∈ messages s
  ↔ (∃ l : Label, rec_obs s (MkObservation l m))
m: Message
m = msg ∨ (∃ l : Label, rec_obs s (MkObservation l m))
→ ∃ l0 : Label,
    rec_obs s (MkObservation l0 m)
    ∨ MkObservation l0 m = MkObservation l msg
      ∨ l = Receive
        ∧ rec_obs (state msg) (MkObservation l0 m) by intros [<- | [l0]]; eauto.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
l: Label
msg: BaseELMO.Message
Hs: UMO_reachable full_node s
H1: match l with
| Receive => full_node s msg
| Send => msg = MkMessage s
end
IHHs: ∀ m : Message,
  m ∈ messages s
  ↔ (∃ l : Label, rec_obs s (MkObservation l m))
m: Message
(∃ l0 : Label,
   rec_obs s (MkObservation l0 m)
   ∨ MkObservation l0 m = MkObservation l msg
     ∨ l = Receive
       ∧ rec_obs (state msg) (MkObservation l0 m))
→ m = msg
  ∨ (∃ l : Label, rec_obs s (MkObservation l m)) by intros [l0 [| [[= _] | [->]]]]; eauto using full_node_rebase_rec_obs.
Qed.

Because of the no_self_equiv assumption, a component might have received its own messages, but only messages it also sent.

Lemma self_messages_sent (s : State) :
  UMO_reachable no_self_equiv s ->
  forall m, adr (state m) = adr s -> m ∈ messages s -> m ∈ sentMessages s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ∀ m : BaseELMO.Message,
    adr (state m) = adr s
    → m ∈ messages s → m ∈ sentMessages s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ∀ m : BaseELMO.Message,
    adr (state m) = adr s
    → m ∈ messages s → m ∈ sentMessages s
  intros Hs m Hadr Hm; revert s Hs m Hm Hadr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : State,
  UMO_reachable no_self_equiv s
  → ∀ m : BaseELMO.Message,
      m ∈ messages s
      → adr (state m) = adr s → m ∈ sentMessages s
  by apply (UMO_reachable_elem_of_messages_ind no_self_equiv
    (fun s m => adr (state m) = adr s -> m ∈ sentMessages s));
    intros; apply elem_of_sentMessages_addObservation; constructor; auto.
Qed.

Lemma local_equivocators_simple_addObservation :
  forall (s : State) (ob : Observation) (a : Address),
    local_equivocators_simple (s <+> ob) a ->
      local_equivocators_simple s a
        \/
      adr (state (message ob)) = a /\
      message ob ∉ messages s /\
      exists m, m ∈ messages s /\ incomparable (message ob) m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s : State) (ob : Observation) (a : Address),
  local_equivocators_simple (s <+> ob) a
  → local_equivocators_simple s a
    ∨ adr (state (message ob)) = a
      ∧ (message ob ∉ messages s)
        ∧ (∃ m : BaseELMO.Message,
             m ∈ messages s
             ∧ incomparable (message ob) m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s : State) (ob : Observation) (a : Address),
  local_equivocators_simple (s <+> ob) a
  → local_equivocators_simple s a
    ∨ adr (state (message ob)) = a
      ∧ (message ob ∉ messages s)
        ∧ (∃ m : BaseELMO.Message,
             m ∈ messages s
             ∧ incomparable (message ob) m)
  intros s ob a [].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state les_m2) = a
les_obs_m1: les_m1 ∈ messages (s <+> ob)
les_obs_m2: les_m2 ∈ messages (s <+> ob)
les_incomparable: incomparable les_m1 les_m2
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
  apply elem_of_messages_addObservation in les_obs_m1 as [-> | Hm1], les_obs_m2 as [-> | Hm2].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_adr1, les_adr2: adr (state (message ob)) = a
les_incomparable: incomparable (message ob)
  (message ob)
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m2: Message
les_adr1: adr (state (message ob)) = a
les_adr2: adr (state les_m2) = a
Hm2: les_m2 ∈ messages s
les_incomparable: incomparable (message ob) les_m2
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state (message ob)) = a
Hm1: les_m1 ∈ messages s
les_incomparable: incomparable les_m1 (message ob)
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state les_m2) = a
Hm1: les_m1 ∈ messages s
Hm2: les_m2 ∈ messages s
les_incomparable: incomparable les_m1 les_m2
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_adr1, les_adr2: adr (state (message ob)) = a
les_incomparable: incomparable (message ob)
  (message ob)
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m) by destruct les_incomparable as [? []]; constructor.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m2: Message
les_adr1: adr (state (message ob)) = a
les_adr2: adr (state les_m2) = a
Hm2: les_m2 ∈ messages s
les_incomparable: incomparable (message ob) les_m2
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m) destruct (decide (message ob ∈ messages s)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m2: Message
les_adr1: adr (state (message ob)) = a
les_adr2: adr (state les_m2) = a
Hm2: les_m2 ∈ messages s
les_incomparable: incomparable (message ob) les_m2
e: message ob ∈ messages s
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m2: Message
les_adr1: adr (state (message ob)) = a
les_adr2: adr (state les_m2) = a
Hm2: les_m2 ∈ messages s
les_incomparable: incomparable (message ob) les_m2
n: message ob ∉ messages s
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m2: Message
les_adr1: adr (state (message ob)) = a
les_adr2: adr (state les_m2) = a
Hm2: les_m2 ∈ messages s
les_incomparable: incomparable (message ob) les_m2
e: message ob ∈ messages s
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m) by left; exists (message ob) les_m2.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m2: Message
les_adr1: adr (state (message ob)) = a
les_adr2: adr (state les_m2) = a
Hm2: les_m2 ∈ messages s
les_incomparable: incomparable (message ob) les_m2
n: message ob ∉ messages s
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m) by firstorder.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state (message ob)) = a
Hm1: les_m1 ∈ messages s
les_incomparable: incomparable les_m1 (message ob)
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m) symmetry in les_incomparable.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state (message ob)) = a
Hm1: les_m1 ∈ messages s
les_incomparable: incomparable (message ob) les_m1
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
    destruct (decide (message ob ∈ messages s)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state (message ob)) = a
Hm1: les_m1 ∈ messages s
les_incomparable: incomparable (message ob) les_m1
e: message ob ∈ messages s
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state (message ob)) = a
Hm1: les_m1 ∈ messages s
les_incomparable: incomparable (message ob) les_m1
n: message ob ∉ messages s
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state (message ob)) = a
Hm1: les_m1 ∈ messages s
les_incomparable: incomparable (message ob) les_m1
e: message ob ∈ messages s
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m) by left; exists les_m1 (message ob).
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state (message ob)) = a
Hm1: les_m1 ∈ messages s
les_incomparable: incomparable (message ob) les_m1
n: message ob ∉ messages s
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m) by firstorder.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state les_m2) = a
Hm1: les_m1 ∈ messages s
Hm2: les_m2 ∈ messages s
les_incomparable: incomparable les_m1 les_m2
local_equivocators_simple s a
∨ adr (state (message ob)) = a
  ∧ (message ob ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable (message ob) m) by left; eauto using local_equivocators_simple.
Qed.

Lemma local_equivocators_simple_add_Send (s : State) :
  UMO_reachable no_self_equiv s ->
  forall a, local_equivocators_simple (s <+> MkObservation Send (MkMessage s)) a ->
            local_equivocators_simple s a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ∀ a : Address,
    local_equivocators_simple
      (s <+> MkObservation Send (MkMessage s)) a
    → local_equivocators_simple s a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ∀ a : Address,
    local_equivocators_simple
      (s <+> MkObservation Send (MkMessage s)) a
    → local_equivocators_simple s a
  intros Hs a Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable no_self_equiv s
a: Address
Ha: local_equivocators_simple
  (s <+> MkObservation Send (MkMessage s)) a
local_equivocators_simple s a
  apply local_equivocators_simple_addObservation
    in Ha as [| (<- & _ & m & Hm & Hincomp)]; [done |]; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable no_self_equiv s
m: BaseELMO.Message
Hm: m ∈ messages s
Hincomp: incomparable (MkMessage s) m
local_equivocators_simple s (adr s)
  destruct Hincomp as [Hadr []].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable no_self_equiv s
m: BaseELMO.Message
Hm: m ∈ messages s
Hadr: adr (state (MkMessage s)) = adr (state m)
sent_comparable (MkMessage s) m
  by apply self_messages_sent in Hm; [constructor | ..].
Qed.

This lemma is convenient to prove for local_equivocators_simple, and our assumption is slightly weaker than constrained_state_prop Ei.

Lemma local_equivocators_simple_no_self (s : State) :
  UMO_reachable no_self_equiv s ->
    ~ local_equivocators_simple s (adr s).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ¬ local_equivocators_simple s (adr s)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ¬ local_equivocators_simple s (adr s)
  intros Hs; induction Hs as [| | ? ? Hno_self_eqv].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a: Address
¬ local_equivocators_simple (MkState [] a)
    (adr (MkState [] a))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable no_self_equiv s
IHHs: ¬ local_equivocators_simple s (adr s)
¬ local_equivocators_simple
    (s <+> MkObservation Send (MkMessage s))
    (adr (s <+> MkObservation Send (MkMessage s)))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
IHHs: ¬ local_equivocators_simple s (adr s)
¬ local_equivocators_simple
    (s <+> MkObservation Receive msg)
    (adr (s <+> MkObservation Receive msg))
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a: Address
¬ local_equivocators_simple (MkState [] a)
    (adr (MkState [] a)) by destruct 1; inversion les_obs_m1.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable no_self_equiv s
IHHs: ¬ local_equivocators_simple s (adr s)
¬ local_equivocators_simple
    (s <+> MkObservation Send (MkMessage s))
    (adr (s <+> MkObservation Send (MkMessage s))) by contradict IHHs; apply local_equivocators_simple_add_Send in IHHs.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
IHHs: ¬ local_equivocators_simple s (adr s)
¬ local_equivocators_simple
    (s <+> MkObservation Receive msg)
    (adr (s <+> MkObservation Receive msg)) contradict IHHs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
IHHs: local_equivocators_simple
  (s <+> MkObservation Receive msg)
  (adr (s <+> MkObservation Receive msg))
local_equivocators_simple s (adr s)
    unfold no_self_equiv in Hno_self_eqv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
IHHs: local_equivocators_simple
  (s <+> MkObservation Receive msg)
  (adr (s <+> MkObservation Receive msg))
local_equivocators_simple s (adr s)
    cbn in IHHs; destruct IHHs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
local_equivocators_simple s (adr s)
    assert (adr (state msg) = adr s -> msg ∈ messages s).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
adr (state msg) = adr s → msg ∈ messages s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
H1: adr (state msg) = adr s → msg ∈ messages s
local_equivocators_simple s (adr s)
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
adr (state msg) = adr s → msg ∈ messages s
      intro Hmsg; symmetry in Hmsg.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
Hmsg: adr s = adr (state msg)
msg ∈ messages s
      apply Hno_self_eqv, elem_of_list_fmap in Hmsg as (ob & Hmsg & Hob).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
ob: BaseELMO.Observation
Hmsg: msg = message ob
Hob: ob ∈ filter isSend (obs s)
msg ∈ messages s
      apply elem_of_list_fmap.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
ob: BaseELMO.Observation
Hmsg: msg = message ob
Hob: ob ∈ filter isSend (obs s)
∃ y : BaseELMO.Observation,
  msg = message y ∧ y ∈ obs s
      exists ob.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
ob: BaseELMO.Observation
Hmsg: msg = message ob
Hob: ob ∈ filter isSend (obs s)
msg = message ob ∧ ob ∈ obs s
      by apply list_filter_subseteq in Hob.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
H1: adr (state msg) = adr s → msg ∈ messages s
local_equivocators_simple s (adr s)
    assert (les_m1 ∈ messages s)
      by (apply elem_of_messages_addObservation in les_obs_m1 as [-> | l]; auto).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
H1: adr (state msg) = adr s → msg ∈ messages s
H2: les_m1 ∈ messages s
local_equivocators_simple s (adr s)
    assert (les_m2 ∈ messages s)
      by (apply elem_of_messages_addObservation in les_obs_m2 as [-> | l]; auto).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hno_self_eqv: adr s = adr (state msg)
→ msg ∈ sentMessages s
Hs: UMO_reachable no_self_equiv s
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = adr s
les_adr2: adr (state les_m2) = adr s
les_obs_m1: les_m1
∈ messages
    (s <+> MkObservation Receive msg)
les_obs_m2: les_m2
∈ messages
    (s <+> MkObservation Receive msg)
les_incomparable: incomparable les_m1 les_m2
H1: adr (state msg) = adr s → msg ∈ messages s
H2: les_m1 ∈ messages s
H3: les_m2 ∈ messages s
local_equivocators_simple s (adr s)
    by exists les_m1 les_m2.
Qed.

Lemma local_equivocators_full_nondecreasing (s : State) l om s' om' :
  transition Ei l (s, om) = (s', om') ->
  (forall a, local_equivocators_full s a ->
             local_equivocators_full s' a).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
l: VLSM.label Ei
om: option Message
s': VLSM.state Ei
om': option Message
transition l (s, om) = (s', om')
→ ∀ a : Address,
    local_equivocators_full s a
    → local_equivocators_full s' a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
l: VLSM.label Ei
om: option Message
s': VLSM.state Ei
om': option Message
transition l (s, om) = (s', om')
→ ∀ a : Address,
    local_equivocators_full s a
    → local_equivocators_full s' a
  by destruct l, om; cbn; injection 1; intros; subst; try constructor.
Qed.

Lemma local_equivocators_full_increase_only_received_adr (s : State) m s' om' :
  transition Ei Receive (s, Some m) = (s', om') ->
  forall a, local_equivocators_full s' a ->
            local_equivocators_full s a \/ a = adr (state m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
s': VLSM.state Ei
om': option Message
transition Receive (s, Some m) = (s', om')
→ ∀ a : Address,
    local_equivocators_full s' a
    → local_equivocators_full s a ∨ a = adr (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
s': VLSM.state Ei
om': option Message
transition Receive (s, Some m) = (s', om')
→ ∀ a : Address,
    local_equivocators_full s' a
    → local_equivocators_full s a ∨ a = adr (state m)
  by inversion 1; subst; inversion 1; subst; [right | left].
Qed.

Lemma local_equivocators_simple_add_Receive (s : State) (msg : Message) :
  UMO_reachable no_self_equiv s -> no_self_equiv s msg ->
  forall i, local_equivocators_simple (s <+> MkObservation Receive msg) i ->
            local_equivocators_simple s i
     \/ adr (state msg) = i /\ i <> adr s /\
          exists m, m ∈ messages s /\ incomparable msg m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: Message
UMO_reachable no_self_equiv s
→ no_self_equiv s msg
  → ∀ i : Address,
      local_equivocators_simple
        (s <+> MkObservation Receive msg) i
      → local_equivocators_simple s i
        ∨ adr (state msg) = i
          ∧ i ≠ adr s
            ∧ (∃ m : BaseELMO.Message,
                 m ∈ messages s ∧ incomparable msg m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: Message
UMO_reachable no_self_equiv s
→ no_self_equiv s msg
  → ∀ i : Address,
      local_equivocators_simple
        (s <+> MkObservation Receive msg) i
      → local_equivocators_simple s i
        ∨ adr (state msg) = i
          ∧ i ≠ adr s
            ∧ (∃ m : BaseELMO.Message,
                 m ∈ messages s ∧ incomparable msg m)
  intros Hs Hno_equiv a Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: Message
Hs: UMO_reachable no_self_equiv s
Hno_equiv: no_self_equiv s msg
a: Address
Ha: local_equivocators_simple
  (s <+> MkObservation Receive msg) a
local_equivocators_simple s a
∨ adr (state msg) = a
  ∧ a ≠ adr s
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable msg m)
  assert (a <> adr (s <+> MkObservation Receive msg))
    by (contradict Ha; subst; apply local_equivocators_simple_no_self; constructor; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: Message
Hs: UMO_reachable no_self_equiv s
Hno_equiv: no_self_equiv s msg
a: Address
Ha: local_equivocators_simple
  (s <+> MkObservation Receive msg) a
H1: a ≠ adr (s <+> MkObservation Receive msg)
local_equivocators_simple s a
∨ adr (state msg) = a
  ∧ a ≠ adr s
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable msg m)
  apply local_equivocators_simple_addObservation in Ha; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: Message
Hs: UMO_reachable no_self_equiv s
Hno_equiv: no_self_equiv s msg
a: Address
Ha: local_equivocators_simple s a
∨ adr (state msg) = a
  ∧ (msg ∉ messages s)
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable msg m)
H1: a ≠ adr s
local_equivocators_simple s a
∨ adr (state msg) = a
  ∧ a ≠ adr s
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable msg m)
  by itauto.
Qed.

Any message in messages s which does not have the same address as s must be found in receivedMessages.

Lemma not_adr_received (s : State) :
  UMO_reachable no_self_equiv s ->
  forall msg,
    adr (state msg) <> adr s ->
      msg ∈ messages s -> msg ∈ receivedMessages s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ∀ msg : BaseELMO.Message,
    adr (state msg) ≠ adr s
    → msg ∈ messages s → msg ∈ receivedMessages s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ∀ msg : BaseELMO.Message,
    adr (state msg) ≠ adr s
    → msg ∈ messages s → msg ∈ receivedMessages s
  intros Hs msg Hadr Hmsg; revert s Hs msg Hmsg Hadr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : State,
  UMO_reachable no_self_equiv s
  → ∀ msg : BaseELMO.Message,
      msg ∈ messages s
      → adr (state msg) ≠ adr s
        → msg ∈ receivedMessages s
  by apply (UMO_reachable_elem_of_messages_ind _
    (fun s m => adr (state m) <> adr s -> m ∈ receivedMessages s));
    simpl; intros; apply elem_of_receivedMessages_addObservation; constructor; auto.
Qed.

Little lemmas used while proving equivalence between local_equivocators, local_equivocators_simple, and local_equivocators_full.

Lemma received_in_messages (s : State) :
  forall msg, msg ∈ receivedMessages s -> msg ∈ messages s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
∀ msg : BaseELMO.Message,
  msg ∈ receivedMessages s → msg ∈ messages s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
∀ msg : BaseELMO.Message,
  msg ∈ receivedMessages s → msg ∈ messages s
  intros msg Hmsg.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: BaseELMO.Message
Hmsg: msg ∈ receivedMessages s
msg ∈ messages s
  apply elem_of_list_fmap in Hmsg as (ob & Hmsg & Hob).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: BaseELMO.Message
ob: BaseELMO.Observation
Hmsg: msg = message ob
Hob: ob ∈ filter isReceive (obs s)
msg ∈ messages s
  apply elem_of_list_fmap.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: BaseELMO.Message
ob: BaseELMO.Observation
Hmsg: msg = message ob
Hob: ob ∈ filter isReceive (obs s)
∃ y : BaseELMO.Observation,
  msg = message y ∧ y ∈ obs s
  exists ob; split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
msg: BaseELMO.Message
ob: BaseELMO.Observation
Hmsg: msg = message ob
Hob: ob ∈ filter isReceive (obs s)
ob ∈ obs s
  by eapply list_filter_subseteq.
Qed.

Lemma local_equivocators_simple_prev (s : State) (ob : Observation) (a : Address) :
  local_equivocators_simple s a ->
  local_equivocators_simple (s <+> ob) a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
local_equivocators_simple s a
→ local_equivocators_simple (s <+> ob) a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ob: Observation
a: Address
local_equivocators_simple s a
→ local_equivocators_simple (s <+> ob) a
  by destruct 1; exists les_m1 les_m2; try (apply elem_of_messages_addObservation; right).
Qed.

Lemma reachable_msg_obs :
  forall P (s : State),
    UMO_reachable P s ->
  forall (m : Message) (ob : Observation),
    rec_obs (state m) ob ->
    m ∈ messages s ->
    rec_obs s ob.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (P : BaseELMO.State → BaseELMO.Message → Prop) (s : State),
  UMO_reachable P s
  → ∀ (m : Message) (ob : Observation),
      rec_obs (state m) ob
      → m ∈ messages s → rec_obs s ob
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (P : BaseELMO.State → BaseELMO.Message → Prop) (s : State),
  UMO_reachable P s
  → ∀ (m : Message) (ob : Observation),
      rec_obs (state m) ob
      → m ∈ messages s → rec_obs s ob
  intros P s Hs m ob Hob Hm;
  revert s Hs m Hm ob Hob.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
P: BaseELMO.State → BaseELMO.Message → Prop
∀ s : State,
  UMO_reachable P s
  → ∀ m : Message,
      m ∈ messages s
      → ∀ ob : Observation,
          rec_obs (state m) ob → rec_obs s ob
  by refine (UMO_reachable_elem_of_messages_ind _ _ _ _ _); auto using @rec_obs.
Qed.

Lemma reachable_obs_msg (s : State) :
  UMO_reachable full_node s ->
  forall ob, rec_obs s ob -> message ob ∈ messages s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable full_node s
→ ∀ ob : BaseELMO.Observation,
    rec_obs s ob → message ob ∈ messages s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable full_node s
→ ∀ ob : BaseELMO.Observation,
    rec_obs s ob → message ob ∈ messages s
  intros Hs ob; induction Hs as [| | ? ? Hfull]; intros Hob.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a: Address
ob: BaseELMO.Observation
Hob: rec_obs (MkState [] a) ob
message ob ∈ messages (MkState [] a)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Send (MkMessage s))
  ob
message ob
∈ messages (s <+> MkObservation Send (MkMessage s))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
message ob
∈ messages (s <+> MkObservation Receive msg)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a: Address
ob: BaseELMO.Observation
Hob: rec_obs (MkState [] a) ob
message ob ∈ messages (MkState [] a) by inversion Hob.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Send (MkMessage s))
  ob
message ob
∈ messages (s <+> MkObservation Send (MkMessage s)) by inversion Hob using rec_obs_send_inv; intros; apply elem_of_messages_addObservation; auto.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
message ob
∈ messages (s <+> MkObservation Receive msg) apply elem_of_messages_addObservation; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
message ob = msg ∨ message ob ∈ messages s
    inversion Hob using rec_obs_recv_inv; [by auto.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
rec_obs (state msg) ob
→ message ob = msg ∨ message ob ∈ messages s
    pose proof (fun m H => elem_of_submseteq _ _ m H Hfull) as Hmsg.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
Hmsg: ∀ m : BaseELMO.Message,
  m ∈ messages (state msg) → m ∈ messages s
rec_obs (state msg) ob
→ message ob = msg ∨ message ob ∈ messages s
    intros [Hm | (m & Hm & Hob')]%unfold_rec_obs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
Hmsg: ∀ m : BaseELMO.Message,
  m ∈ messages (state msg) → m ∈ messages s
Hm: ob ∈ obs (state msg)
message ob = msg ∨ message ob ∈ messages s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
Hmsg: ∀ m : BaseELMO.Message,
  m ∈ messages (state msg) → m ∈ messages s
m: BaseELMO.Message
Hm: MkObservation Receive m ∈ obs (state msg)
Hob': rec_obs (state m) ob
message ob = msg ∨ message ob ∈ messages s
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
Hmsg: ∀ m : BaseELMO.Message,
  m ∈ messages (state msg) → m ∈ messages s
Hm: ob ∈ obs (state msg)
message ob = msg ∨ message ob ∈ messages s by right; apply Hmsg, elem_of_list_fmap_1.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
Hmsg: ∀ m : BaseELMO.Message,
  m ∈ messages (state msg) → m ∈ messages s
m: BaseELMO.Message
Hm: MkObservation Receive m ∈ obs (state msg)
Hob': rec_obs (state m) ob
message ob = msg ∨ message ob ∈ messages s apply (elem_of_list_fmap_1 message) in Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hfull: full_node s msg
Hs: UMO_reachable full_node s
ob: BaseELMO.Observation
IHHs: rec_obs s ob → message ob ∈ messages s
Hob: rec_obs (s <+> MkObservation Receive msg) ob
Hmsg: ∀ m : BaseELMO.Message,
  m ∈ messages (state msg) → m ∈ messages s
m: BaseELMO.Message
Hm: message (MkObservation Receive m)
∈ message <$> obs (state msg)
Hob': rec_obs (state m) ob
message ob = msg ∨ message ob ∈ messages s
      by right; apply IHHs, (unfold_robs full_node); eauto.
Qed.

Lemma local_equivocators_simple_iff_full (s : State) :
  UMO_reachable no_self_equiv s ->
  forall a, local_equivocators_simple s a <-> local_equivocators_full s a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ∀ a : Address,
    local_equivocators_simple s a
    ↔ local_equivocators_full s a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable no_self_equiv s
→ ∀ a : Address,
    local_equivocators_simple s a
    ↔ local_equivocators_full s a
  intros Hs a; split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable no_self_equiv s
a: Address
local_equivocators_simple s a
→ local_equivocators_full s a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable no_self_equiv s
a: Address
local_equivocators_full s a
→ local_equivocators_simple s a
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable no_self_equiv s
a: Address
local_equivocators_simple s a
→ local_equivocators_full s a induction Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a0, a: Address
local_equivocators_simple (MkState [] a0) a
→ local_equivocators_full (MkState [] a0) a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
local_equivocators_simple
  (s <+> MkObservation Send (MkMessage s)) a
→ local_equivocators_full
    (s <+> MkObservation Send (MkMessage s)) a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
H1: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
local_equivocators_simple
  (s <+> MkObservation Receive msg) a
→ local_equivocators_full
    (s <+> MkObservation Receive msg) a
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a0, a: Address
local_equivocators_simple (MkState [] a0) a
→ local_equivocators_full (MkState [] a0) a by destruct 1; inversion les_obs_m1.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
local_equivocators_simple
  (s <+> MkObservation Send (MkMessage s)) a
→ local_equivocators_full
    (s <+> MkObservation Send (MkMessage s)) a intros Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
Ha: local_equivocators_simple
  (s <+> MkObservation Send (MkMessage s)) a
local_equivocators_full
  (s <+> MkObservation Send (MkMessage s)) a
      apply lefo_prev, IHHs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
Ha: local_equivocators_simple
  (s <+> MkObservation Send (MkMessage s)) a
local_equivocators_simple s a
      revert Ha; apply local_equivocators_simple_add_Send.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
UMO_reachable no_self_equiv s
      by eapply UMO_reachable_impl.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
H1: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
local_equivocators_simple
  (s <+> MkObservation Receive msg) a
→ local_equivocators_full
    (s <+> MkObservation Receive msg) a intros Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
H1: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
Ha: local_equivocators_simple
  (s <+> MkObservation Receive msg) a
local_equivocators_full
  (s <+> MkObservation Receive msg) a
      apply local_equivocators_simple_add_Receive in Ha; [| done..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
H1: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
a: Address
IHHs: local_equivocators_simple s a
→ local_equivocators_full s a
Ha: local_equivocators_simple s a
∨ adr (state msg) = a
  ∧ a ≠ adr s
    ∧ (∃ m : BaseELMO.Message,
         m ∈ messages s ∧ incomparable msg m)
local_equivocators_full
  (s <+> MkObservation Receive msg) a
      destruct Ha as [| (<- & Hnot_s & m & Hm & Hincomp)]; [by apply lefo_prev, IHHs |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
H1: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
IHHs: local_equivocators_simple s (adr (state msg))
→ local_equivocators_full s (adr (state msg))
Hnot_s: adr (state msg) ≠ adr s
m: BaseELMO.Message
Hm: m ∈ messages s
Hincomp: incomparable msg m
local_equivocators_full
  (s <+> MkObservation Receive msg) (adr (state msg))
      assert (adr (state m) <> adr s) by (destruct Hincomp; congruence).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
H1: no_self_equiv s msg
Hs: UMO_reachable no_self_equiv s
IHHs: local_equivocators_simple s (adr (state msg))
→ local_equivocators_full s (adr (state msg))
Hnot_s: adr (state msg) ≠ adr s
m: BaseELMO.Message
Hm: m ∈ messages s
Hincomp: incomparable msg m
H2: adr (state m) ≠ adr s
local_equivocators_full
  (s <+> MkObservation Receive msg) (adr (state msg))
      by revert Hincomp; apply lefo_last, not_adr_received.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable no_self_equiv s
a: Address
local_equivocators_full s a
→ local_equivocators_simple s a destruct s as [s_obs s_a].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_obs: list BaseELMO.Observation
s_a: Address
Hs: UMO_reachable no_self_equiv (MkState s_obs s_a)
a: Address
local_equivocators_full (MkState s_obs s_a) a
→ local_equivocators_simple (MkState s_obs s_a) a
    unfold local_equivocators_full; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_obs: list BaseELMO.Observation
s_a: Address
Hs: UMO_reachable no_self_equiv (MkState s_obs s_a)
a: Address
local_equivocators_full_obs s_obs a
→ local_equivocators_simple (MkState s_obs s_a) a
    intro Hlefo; induction Hlefo as [? ? ? ? Hm12 |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
local_equivocators_simple
  (MkState
     (addObservation' (MkObservation Receive m1) ol)
     s_a) (adr (state m1))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
l: Label
m: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation l m) ol) s_a)
i0: Address
Hlefo: local_equivocators_full_obs ol i0
IHHlefo: UMO_reachable no_self_equiv (MkState ol s_a)
→ local_equivocators_simple 
    (MkState ol s_a) i0
local_equivocators_simple
  (MkState (addObservation' (MkObservation l m) ol)
     s_a) i0
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
local_equivocators_simple
  (MkState
     (addObservation' (MkObservation Receive m1) ol)
     s_a) (adr (state m1)) exists m1 m2; [done | .. | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
adr (state m2) = adr (state m1)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
m1
∈ messages
    (MkState
       (addObservation' (MkObservation Receive m1) ol)
       s_a)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
m2
∈ messages
    (MkState
       (addObservation' (MkObservation Receive m1) ol)
       s_a)
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
adr (state m2) = adr (state m1) by symmetry; apply Hm12.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
m1
∈ messages
    (MkState
       (addObservation' (MkObservation Receive m1) ol)
       s_a) by apply elem_of_cons; left.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
m2
∈ messages
    (MkState
       (addObservation' (MkObservation Receive m1) ol)
       s_a) apply elem_of_cons; right; change (m2 ∈ messages (MkState ol s_a)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
m1: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation Receive m1)
        ol) s_a)
m2: Message
H1: m2 ∈ receivedMessages' ol
Hm12: incomparable m1 m2
m2 ∈ messages (MkState ol s_a)
        by apply received_in_messages.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
l: Label
m: Message
Hs: UMO_reachable no_self_equiv
  (MkState
     (addObservation' (MkObservation l m) ol) s_a)
i0: Address
Hlefo: local_equivocators_full_obs ol i0
IHHlefo: UMO_reachable no_self_equiv (MkState ol s_a)
→ local_equivocators_simple 
    (MkState ol s_a) i0
local_equivocators_simple
  (MkState (addObservation' (MkObservation l m) ol)
     s_a) i0 change (MkState _ _) with (MkState ol s_a <+> MkObservation l m) in Hs |- *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
l: Label
m: Message
Hs: UMO_reachable no_self_equiv
  (MkState ol s_a <+> MkObservation l m)
i0: Address
Hlefo: local_equivocators_full_obs ol i0
IHHlefo: UMO_reachable no_self_equiv (MkState ol s_a)
→ local_equivocators_simple 
    (MkState ol s_a) i0
local_equivocators_simple
  (MkState ol s_a <+> MkObservation l m) i0
      apply local_equivocators_simple_prev, IHHlefo.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s_a: Address
ol: list Observation
l: Label
m: Message
Hs: UMO_reachable no_self_equiv
  (MkState ol s_a <+> MkObservation l m)
i0: Address
Hlefo: local_equivocators_full_obs ol i0
IHHlefo: UMO_reachable no_self_equiv (MkState ol s_a)
→ local_equivocators_simple 
    (MkState ol s_a) i0
UMO_reachable no_self_equiv (MkState ol s_a)
      by inversion Hs; destruct s.
Qed.

Lemma local_equivocators_iff_simple (s : State) :
  UMO_reachable full_node s ->
  forall a, local_equivocators s a <-> local_equivocators_simple s a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable full_node s
→ ∀ a : Address,
    local_equivocators s a
    ↔ local_equivocators_simple s a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable full_node s
→ ∀ a : Address,
    local_equivocators s a
    ↔ local_equivocators_simple s a
  intro Hs; split; destruct 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
a: Address
lceqv_ob1, lceqv_ob2: BaseELMO.Observation
lceqv_adr1: adr (state (message lceqv_ob1)) = a
lceqv_adr2: adr (state (message lceqv_ob2)) = a
lceqv_rec_obs1: rec_obs s lceqv_ob1
lceqv_rec_obs2: rec_obs s lceqv_ob2
lceqv_incomparable: incomparable (message lceqv_ob1)
  (message lceqv_ob2)
local_equivocators_simple s a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
a: Address
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state les_m2) = a
les_obs_m1: les_m1 ∈ messages s
les_obs_m2: les_m2 ∈ messages s
les_incomparable: incomparable les_m1 les_m2
local_equivocators s a
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
a: Address
lceqv_ob1, lceqv_ob2: BaseELMO.Observation
lceqv_adr1: adr (state (message lceqv_ob1)) = a
lceqv_adr2: adr (state (message lceqv_ob2)) = a
lceqv_rec_obs1: rec_obs s lceqv_ob1
lceqv_rec_obs2: rec_obs s lceqv_ob2
lceqv_incomparable: incomparable (message lceqv_ob1)
  (message lceqv_ob2)
local_equivocators_simple s a by exists (message lceqv_ob1) (message lceqv_ob2); auto using reachable_obs_msg.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
a: Address
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state les_m2) = a
les_obs_m1: les_m1 ∈ messages s
les_obs_m2: les_m2 ∈ messages s
les_incomparable: incomparable les_m1 les_m2
local_equivocators s a apply (full_node_messages_iff_rec_obs s Hs) in les_obs_m1 as [l1 Hm1], les_obs_m2 as [l2 Hm2].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable full_node s
a: Address
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state les_m2) = a
l1: Label
Hm1: rec_obs s (MkObservation l1 les_m1)
l2: Label
Hm2: rec_obs s (MkObservation l2 les_m2)
les_incomparable: incomparable les_m1 les_m2
local_equivocators s a
    by exists (MkObservation l1 les_m1) (MkObservation l2 les_m2); auto using reachable_obs_msg.
Qed.

Lemma local_equivocators_iff_full (s : State) :
  UMO_reachable (fun s m => full_node s m /\ no_self_equiv s m) s ->
  forall a, local_equivocators s a <-> local_equivocators_full s a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable
  (λ (s : BaseELMO.State) (m : BaseELMO.Message),
     full_node s m ∧ no_self_equiv s m) s
→ ∀ a : Address,
    local_equivocators s a
    ↔ local_equivocators_full s a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
UMO_reachable
  (λ (s : BaseELMO.State) (m : BaseELMO.Message),
     full_node s m ∧ no_self_equiv s m) s
→ ∀ a : Address,
    local_equivocators s a
    ↔ local_equivocators_full s a
  intros Hs a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable
  (λ (s : BaseELMO.State) (m : BaseELMO.Message),
     full_node s m ∧ no_self_equiv s m) s
a: Address
local_equivocators s a ↔ local_equivocators_full s a
  by rewrite local_equivocators_iff_simple;
    [apply local_equivocators_simple_iff_full |];
    revert Hs; apply UMO_reachable_impl; itauto.
Qed.

The msg_valid_full predicate holds for any reachable state, even though it is only explicitly checked when receiving messages.

Lemma ELMO_reachable_msg_valid_full :
  forall s : State,
    constrained_state_prop Ei s -> ELMO_msg_valid_full (MkMessage s).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : State,
  constrained_state_prop Ei s
  → ELMO_msg_valid_full (MkMessage s)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : State,
  constrained_state_prop Ei s
  → ELMO_msg_valid_full (MkMessage s)
  intros s [Hs Hi]%ELMO_reachable_view.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable ELMO_recv_valid s
Hi: adr s = idx i
ELMO_msg_valid_full (MkMessage s)
  induction Hs as [| | ? ? Hvalid]; [| specialize (IHHs Hi)..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a: Address
Hi: adr (MkState [] a) = idx i
ELMO_msg_valid_full (MkMessage (MkState [] a))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hi: adr (s <+> MkObservation Send (MkMessage s)) =
idx i
IHHs: ELMO_msg_valid_full (MkMessage s)
ELMO_msg_valid_full
  (MkMessage (s <+> MkObservation Send (MkMessage s)))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hi: adr (s <+> MkObservation Receive msg) = idx i
IHHs: ELMO_msg_valid_full (MkMessage s)
ELMO_msg_valid_full
  (MkMessage (s <+> MkObservation Receive msg))
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
a: Address
Hi: adr (MkState [] a) = idx i
ELMO_msg_valid_full (MkMessage (MkState [] a)) by constructor; [| eexists].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hi: adr (s <+> MkObservation Send (MkMessage s)) =
idx i
IHHs: ELMO_msg_valid_full (MkMessage s)
ELMO_msg_valid_full
  (MkMessage (s <+> MkObservation Send (MkMessage s))) by constructor.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hi: adr (s <+> MkObservation Receive msg) = idx i
IHHs: ELMO_msg_valid_full (MkMessage s)
ELMO_msg_valid_full
  (MkMessage (s <+> MkObservation Receive msg)) by eapply MVF_recv in IHHs; [| apply Hvalid..].
Qed.

Lemma reachable_full_node_for_all_messages i' (s : State) :
  constrained_state_prop (ELMO_component i') s ->
  forall m, m ∈ messages s -> full_node s m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: State
constrained_state_prop (ELMO_component i') s
→ ∀ m : Message, m ∈ messages s → full_node s m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: State
constrained_state_prop (ELMO_component i') s
→ ∀ m : Message, m ∈ messages s → full_node s m
  intros [Hs _]%ELMO_reachable_view.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: State
Hs: UMO_reachable ELMO_recv_valid s
∀ m : Message, m ∈ messages s → full_node s m
  induction Hs as [| | ? ? Hvalid].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
a: Address
∀ m : Message,
  m ∈ messages (MkState [] a)
  → full_node (MkState [] a) m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
∀ m : Message,
  m
  ∈ messages (s <+> MkObservation Send (MkMessage s))
  → full_node (s <+> MkObservation Send (MkMessage s))
      m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
∀ m : Message,
  m ∈ messages (s <+> MkObservation Receive msg)
  → full_node (s <+> MkObservation Receive msg) m
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
a: Address
∀ m : Message,
  m ∈ messages (MkState [] a)
  → full_node (MkState [] a) m by inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
∀ m : Message,
  m
  ∈ messages (s <+> MkObservation Send (MkMessage s))
  → full_node (s <+> MkObservation Send (MkMessage s))
      m by intros m [-> | Hm%IHHs]%elem_of_messages_addObservation; apply submseteq_cons.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
∀ m : Message,
  m ∈ messages (s <+> MkObservation Receive msg)
  → full_node (s <+> MkObservation Receive msg) m intros m Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
m: Message
Hm: m ∈ messages (s <+> MkObservation Receive msg)
full_node (s <+> MkObservation Receive msg) m
    apply submseteq_cons; change (full_node s m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
m: Message
Hm: m ∈ messages (s <+> MkObservation Receive msg)
full_node s m
    apply elem_of_messages_addObservation in Hm as [-> | Hm].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
full_node s (message (MkObservation Receive msg))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
m: Message
Hm: m ∈ messages s
full_node s m
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
full_node s (message (MkObservation Receive msg)) by apply Hvalid.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
IHHs: ∀ m : Message, m ∈ messages s → full_node s m
m: Message
Hm: m ∈ messages s
full_node s m by apply IHHs in Hm.
Qed.

Lemma reachable_sent_messages_reachable i' (s ms : State) :
  constrained_state_prop (ELMO_component i') s ->
  MkMessage ms ∈ sentMessages s ->
  constrained_state_prop (ELMO_component i') ms.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s, ms: State
constrained_state_prop (ELMO_component i') s
→ MkMessage ms ∈ sentMessages s
  → constrained_state_prop (ELMO_component i') ms
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s, ms: State
constrained_state_prop (ELMO_component i') s
→ MkMessage ms ∈ sentMessages s
  → constrained_state_prop (ELMO_component i') ms
  intros [Hs Hadr]%ELMO_reachable_view Hms.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s, ms: State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i'
Hms: MkMessage ms ∈ sentMessages s
constrained_state_prop (ELMO_component i') ms
  apply ELMO_reachable_view.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
s, ms: State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i'
Hms: MkMessage ms ∈ sentMessages s
UMO_reachable ELMO_recv_valid ms ∧ adr ms = idx i'
  induction Hs; [| | by auto].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
ms: State
a: Address
Hadr: adr (MkState [] a) = idx i'
Hms: MkMessage ms ∈ sentMessages (MkState [] a)
UMO_reachable ELMO_recv_valid ms ∧ adr ms = idx i'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
ms: State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr (s <+> MkObservation Send (MkMessage s)) =
idx i'
Hms: MkMessage ms
∈ sentMessages
    (s <+> MkObservation Send (MkMessage s))
IHHs: adr s = idx i'
→ MkMessage ms ∈ sentMessages s
  → UMO_reachable ELMO_recv_valid ms
    ∧ adr ms = idx i'
UMO_reachable ELMO_recv_valid ms ∧ adr ms = idx i'
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
ms: State
a: Address
Hadr: adr (MkState [] a) = idx i'
Hms: MkMessage ms ∈ sentMessages (MkState [] a)
UMO_reachable ELMO_recv_valid ms ∧ adr ms = idx i' by apply not_elem_of_nil in Hms.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
i': index
ms: State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr (s <+> MkObservation Send (MkMessage s)) =
idx i'
Hms: MkMessage ms
∈ sentMessages
    (s <+> MkObservation Send (MkMessage s))
IHHs: adr s = idx i'
→ MkMessage ms ∈ sentMessages s
  → UMO_reachable ELMO_recv_valid ms
    ∧ adr ms = idx i'
UMO_reachable ELMO_recv_valid ms ∧ adr ms = idx i' by apply elem_of_sentMessages_addObservation in Hms as [[[= ->] _] | Hms]; auto.
Qed.

Lemma reachable_sent_messages_adr (s : State) (m : Message) :
  constrained_state_prop Ei s ->
  m ∈ sentMessages s ->
  adr (state m) = idx i.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
constrained_state_prop Ei s
→ m ∈ sentMessages s → adr (state m) = idx i
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
constrained_state_prop Ei s
→ m ∈ sentMessages s → adr (state m) = idx i
  intros Hs Hm; destruct m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
state: BaseELMO.State
Hs: constrained_state_prop Ei s
Hm: MkMessage state ∈ sentMessages s
adr (BaseELMO.state (MkMessage state)) = idx i
  by eapply ELMO_reachable_adr, reachable_sent_messages_reachable.
Qed.

Lemma reachable_messages_are_msg_valid (s : State) (m : Message) :
  constrained_state_prop Ei s ->
  m ∈ messages s ->
  ELMO_msg_valid_full m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
constrained_state_prop Ei s
→ m ∈ messages s → ELMO_msg_valid_full m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
constrained_state_prop Ei s
→ m ∈ messages s → ELMO_msg_valid_full m
  intros [Hs Hadr]%ELMO_reachable_view Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hm: m ∈ messages s
ELMO_msg_valid_full m
  revert s Hs m Hm Hadr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : State,
  UMO_reachable ELMO_recv_valid s
  → ∀ m : Message,
      m ∈ messages s
      → adr s = idx i → ELMO_msg_valid_full m
  refine (UMO_reachable_elem_of_messages_ind _ _ _ _ _); [done | | by destruct 2].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → (∀ m' : BaseELMO.Message,
       m' ∈ messages s
       → adr s = idx i → ELMO_msg_valid_full m')
    → adr (s <+> MkObservation Send (MkMessage s)) =
      idx i → ELMO_msg_valid_full (MkMessage s)
  by intros; apply ELMO_reachable_msg_valid_full, ELMO_reachable_view.
Qed.

Lemma equivocators_of_msg_subset_of_recv (s : State) (m : Message) :
  full_node s m ->
  forall a,
    local_equivocators_simple (state m) a
    -> local_equivocators_simple (s <+> MkObservation Receive m) a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
full_node s m
→ ∀ a : Address,
    local_equivocators_simple (state m) a
    → local_equivocators_simple
        (s <+> MkObservation Receive m) a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
full_node s m
→ ∀ a : Address,
    local_equivocators_simple (state m) a
    → local_equivocators_simple
        (s <+> MkObservation Receive m) a
  intros Hfull a []; destruct m as [ms]; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ms: BaseELMO.State
Hfull: full_node s (MkMessage ms)
a: Address
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state les_m2) = a
les_obs_m1: les_m1 ∈ messages ms
les_obs_m2: les_m2 ∈ messages ms
les_incomparable: incomparable les_m1 les_m2
local_equivocators_simple
  (s <+> MkObservation Receive (MkMessage ms)) a
  assert (forall x, x ∈ messages ms -> x ∈ messages (s <+> MkObservation Receive (MkMessage ms)))
    by (intros; apply elem_of_messages_addObservation; right; eapply elem_of_submseteq; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
ms: BaseELMO.State
Hfull: full_node s (MkMessage ms)
a: Address
les_m1, les_m2: Message
les_adr1: adr (state les_m1) = a
les_adr2: adr (state les_m2) = a
les_obs_m1: les_m1 ∈ messages ms
les_obs_m2: les_m2 ∈ messages ms
les_incomparable: incomparable les_m1 les_m2
H1: ∀ x : BaseELMO.Message,
  x ∈ messages ms
  → x
    ∈ messages
        (s <+>
         MkObservation Receive (MkMessage ms))
local_equivocators_simple
  (s <+> MkObservation Receive (MkMessage ms)) a
  by eauto using local_equivocators_simple.
Qed.

Lemma equivocation_limit_recv_ok_msg_ok (s : State) (m : Message) :
  full_node s m ->
  no_self_equiv s m ->
  UMO_reachable no_self_equiv s ->
  UMO_reachable no_self_equiv (state m) ->
  local_equivocation_limit_ok (s <+> MkObservation Receive m) ->
  local_equivocation_limit_ok (state m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
full_node s m
→ no_self_equiv s m
  → UMO_reachable no_self_equiv s
    → UMO_reachable no_self_equiv (state m)
      → local_equivocation_limit_ok
          (s <+> MkObservation Receive m)
        → local_equivocation_limit_ok (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
full_node s m
→ no_self_equiv s m
  → UMO_reachable no_self_equiv s
    → UMO_reachable no_self_equiv (state m)
      → local_equivocation_limit_ok
          (s <+> MkObservation Receive m)
        → local_equivocation_limit_ok (state m)
  intros Hfull Hno_self Hs Hms Hs'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hfull: full_node s m
Hno_self: no_self_equiv s m
Hs: UMO_reachable no_self_equiv s
Hms: UMO_reachable no_self_equiv (state m)
Hs': local_equivocation_limit_ok
  (s <+> MkObservation Receive m)
local_equivocation_limit_ok (state m)
  eapply Rle_trans; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hfull: full_node s m
Hno_self: no_self_equiv s m
Hs: UMO_reachable no_self_equiv s
Hms: UMO_reachable no_self_equiv (state m)
Hs': local_equivocation_limit_ok
  (s <+> MkObservation Receive m)
(equivocation_fault (state m) <=
 equivocation_fault (s <+> MkObservation Receive m))%R
  apply incl_equivocating_validators_equivocation_fault, filter_subprop; cbn; intros a Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hfull: full_node s m
Hno_self: no_self_equiv s m
Hs: UMO_reachable no_self_equiv s
Hms: UMO_reachable no_self_equiv (state m)
Hs': local_equivocation_limit_ok
  (s <+> MkObservation Receive m)
a: Address
Ha: local_equivocators_full (state m) a
local_equivocators_full
  (s <+> MkObservation Receive m) a
  rewrite <- local_equivocators_simple_iff_full in Ha by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hfull: full_node s m
Hno_self: no_self_equiv s m
Hs: UMO_reachable no_self_equiv s
Hms: UMO_reachable no_self_equiv (state m)
Hs': local_equivocation_limit_ok
  (s <+> MkObservation Receive m)
a: Address
Ha: local_equivocators_simple (state m) a
local_equivocators_full
  (s <+> MkObservation Receive m) a
  rewrite <- local_equivocators_simple_iff_full by (constructor; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hfull: full_node s m
Hno_self: no_self_equiv s m
Hs: UMO_reachable no_self_equiv s
Hms: UMO_reachable no_self_equiv (state m)
Hs': local_equivocation_limit_ok
  (s <+> MkObservation Receive m)
a: Address
Ha: local_equivocators_simple (state m) a
local_equivocators_simple
  (s <+> MkObservation Receive m) a
  by apply equivocators_of_msg_subset_of_recv.
Qed.

Lemma ELMO_msg_valid_prefix (m : Message) (ob : Observation) :
  ELMO_msg_valid_full (m <*> ob) ->
  ELMO_msg_valid_full m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
ob: Observation
ELMO_msg_valid_full (m <*> ob) → ELMO_msg_valid_full m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
ob: Observation
ELMO_msg_valid_full (m <*> ob) → ELMO_msg_valid_full m
  inversion 1 as [? Hobs | |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
ob: Observation
H1: ELMO_msg_valid_full (m <*> ob)
m0: Message
Hobs: obs (state (m <*> ob)) = []
H2: MessageHasSender (m <*> ob)
H3: m0 = m <*> ob
ELMO_msg_valid_full m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
ob: Observation
H1: ELMO_msg_valid_full (m <*> ob)
m0: Message
H2: ELMO_msg_valid_full m0
H3: MkObservation Send m0 = ob
H4: obs (state m0) = obs (state m)
H5: adr (state m0) = adr (state m)
ELMO_msg_valid_full m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
ob: Observation
H1: ELMO_msg_valid_full (m <*> ob)
m0: BaseELMO.Message
mo: Message
H2: full_node (state m0) mo
H3: no_self_equiv (state m0) mo
H4: ELMO_msg_valid_full m0
H5: MkObservation Receive mo = ob
H6: obs (state m0) = obs (state m)
H7: adr (state m0) = adr (state m)
ELMO_msg_valid_full m
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
ob: Observation
H1: ELMO_msg_valid_full (m <*> ob)
m0: Message
Hobs: obs (state (m <*> ob)) = []
H2: MessageHasSender (m <*> ob)
H3: m0 = m <*> ob
ELMO_msg_valid_full m by inversion Hobs.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
ob: Observation
H1: ELMO_msg_valid_full (m <*> ob)
m0: Message
H2: ELMO_msg_valid_full m0
H3: MkObservation Send m0 = ob
H4: obs (state m0) = obs (state m)
H5: adr (state m0) = adr (state m)
ELMO_msg_valid_full m by replace m with m0 by (apply eq_Message; done).
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
ob: Observation
H1: ELMO_msg_valid_full (m <*> ob)
m0: BaseELMO.Message
mo: Message
H2: full_node (state m0) mo
H3: no_self_equiv (state m0) mo
H4: ELMO_msg_valid_full m0
H5: MkObservation Receive mo = ob
H6: obs (state m0) = obs (state m)
H7: adr (state m0) = adr (state m)
ELMO_msg_valid_full m by replace m with m0 by (apply eq_Message; done).
Qed.

Lemma adr_neq_no_self_equiv (s : State) (m : Message) :
  adr s <> adr (state m) ->
  no_self_equiv s m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
adr s ≠ adr (state m) → no_self_equiv s m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
adr s ≠ adr (state m) → no_self_equiv s m by unfold no_self_equiv. Qed.

Lemma full_node_prefix s m ob :
  full_node s (m <*> ob) ->
  full_node s m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: BaseELMO.Message
ob: BaseELMO.Observation
full_node s (m <*> ob) → full_node s m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: BaseELMO.Message
ob: BaseELMO.Observation
full_node s (m <*> ob) → full_node s m by apply submseteq_tail_l. Qed.

Lemma ELMO_msg_valid_full_Send_inv
  (P : Message -> Message -> Prop) :
  (forall m om, m = om -> P m om) ->
  forall (m om : Message),
  ELMO_msg_valid_full (m <*> MkObservation Send om) ->
  P m om.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
P: Message → Message → Prop
(∀ m om : Message, m = om → P m om)
→ ∀ m om : Message,
    ELMO_msg_valid_full (m <*> MkObservation Send om)
    → P m om
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
P: Message → Message → Prop
(∀ m om : Message, m = om → P m om)
→ ∀ m om : Message,
    ELMO_msg_valid_full (m <*> MkObservation Send om)
    → P m om
  intros Hm m om.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
P: Message → Message → Prop
Hm: ∀ m om : Message, m = om → P m om
m, om: Message
ELMO_msg_valid_full (m <*> MkObservation Send om)
→ P m om
  inversion 1 as [? Hobs | |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
P: Message → Message → Prop
Hm: ∀ m om : Message, m = om → P m om
m, om: Message
H1: ELMO_msg_valid_full (m <*> MkObservation Send om)
m0: Message
Hobs: obs (state (m <*> MkObservation Send om)) = []
H2: MessageHasSender (m <*> MkObservation Send om)
H3: m0 = m <*> MkObservation Send om
P m om
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
P: Message → Message → Prop
Hm: ∀ m om : Message, m = om → P m om
m, om: Message
H1: ELMO_msg_valid_full (m <*> MkObservation Send om)
m0: Message
H2: ELMO_msg_valid_full om
H3: m0 = om
H4: obs (state om) = obs (state m)
H5: adr (state om) = adr (state m)
P m om
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
P: Message → Message → Prop
Hm: ∀ m om : Message, m = om → P m om
m, om: Message
H1: ELMO_msg_valid_full (m <*> MkObservation Send om)
m0: Message
Hobs: obs (state (m <*> MkObservation Send om)) = []
H2: MessageHasSender (m <*> MkObservation Send om)
H3: m0 = m <*> MkObservation Send om
P m om by inversion Hobs.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
P: Message → Message → Prop
Hm: ∀ m om : Message, m = om → P m om
m, om: Message
H1: ELMO_msg_valid_full (m <*> MkObservation Send om)
m0: Message
H2: ELMO_msg_valid_full om
H3: m0 = om
H4: obs (state om) = obs (state m)
H5: adr (state om) = adr (state m)
P m om by apply Hm, eq_Message.
Qed.

Lemma incomparable_iff (m1 m2 : Message) :
  incomparable m1 m2
    <->
  adr (state m1) = adr (state m2)
  /\ m1 <> m2
  /\ m1 ∉ sentMessages (state m2)
  /\ m2 ∉ sentMessages (state m1).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
incomparable m1 m2
↔ adr (state m1) = adr (state m2)
  ∧ m1 ≠ m2
    ∧ (m1 ∉ sentMessages (state m2))
      ∧ m2 ∉ sentMessages (state m1)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
incomparable m1 m2
↔ adr (state m1) = adr (state m2)
  ∧ m1 ≠ m2
    ∧ (m1 ∉ sentMessages (state m2))
      ∧ m2 ∉ sentMessages (state m1)
  split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
incomparable m1 m2
→ adr (state m1) = adr (state m2)
  ∧ m1 ≠ m2
    ∧ (m1 ∉ sentMessages (state m2))
      ∧ m2 ∉ sentMessages (state m1)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
adr (state m1) = adr (state m2)
∧ m1 ≠ m2
  ∧ (m1 ∉ sentMessages (state m2))
    ∧ m2 ∉ sentMessages (state m1)
→ incomparable m1 m2
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
incomparable m1 m2
→ adr (state m1) = adr (state m2)
  ∧ m1 ≠ m2
    ∧ (m1 ∉ sentMessages (state m2))
      ∧ m2 ∉ sentMessages (state m1) intros [Hadr Hnot]; split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
Hadr: adr (state m1) = adr (state m2)
Hnot: ¬ sent_comparable m1 m2
m1 ≠ m2
∧ (m1 ∉ sentMessages (state m2))
  ∧ m2 ∉ sentMessages (state m1)
    by repeat split; contradict Hnot; subst; constructor.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
adr (state m1) = adr (state m2)
∧ m1 ≠ m2
  ∧ (m1 ∉ sentMessages (state m2))
    ∧ m2 ∉ sentMessages (state m1)
→ incomparable m1 m2 intros (Hadr & Hneq & Hnot_m12 & Hnot_m21).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
Hadr: adr (state m1) = adr (state m2)
Hneq: m1 ≠ m2
Hnot_m12: m1 ∉ sentMessages (state m2)
Hnot_m21: m2 ∉ sentMessages (state m1)
incomparable m1 m2
    split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m1, m2: Message
Hadr: adr (state m1) = adr (state m2)
Hneq: m1 ≠ m2
Hnot_m12: m1 ∉ sentMessages (state m2)
Hnot_m21: m2 ∉ sentMessages (state m1)
¬ sent_comparable m1 m2
    by destruct 1 as [| m1 m2 [] | m1 m2 []].
Qed.

Lemma equivocation_limit_recv_msg_prefix_ok (v : State) (m : Message) ob
  (m' := m <*> ob)
  (v' := v <+> MkObservation Receive m')
  (v'' := v <+> MkObservation Receive m)
  :
  adr (state m) <> adr v ->
  constrained_state_prop Ei v ->
  m' ∉ receivedMessages v ->
  m ∉ receivedMessages v ->
  ELMO_recv_valid v m' ->
  local_equivocation_limit_ok (v <+> MkObservation Receive (m <*> ob)) ->
  local_equivocation_limit_ok (v <+> MkObservation Receive m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
adr (state m) ≠ adr v
→ constrained_state_prop Ei v
  → m' ∉ receivedMessages v
    → m ∉ receivedMessages v
      → ELMO_recv_valid v m'
        → local_equivocation_limit_ok
            (v <+> MkObservation Receive (m <*> ob))
          → local_equivocation_limit_ok
              (v <+> MkObservation Receive m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
adr (state m) ≠ adr v
→ constrained_state_prop Ei v
  → m' ∉ receivedMessages v
    → m ∉ receivedMessages v
      → ELMO_recv_valid v m'
        → local_equivocation_limit_ok
            (v <+> MkObservation Receive (m <*> ob))
          → local_equivocation_limit_ok
              (v <+> MkObservation Receive m)
  intros Hadrs Hv Hfresh_m' Hfresh_m Hvalid Hs'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
local_equivocation_limit_ok
  (v <+> MkObservation Receive m)
  eapply Rle_trans; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
(equivocation_fault (v <+> MkObservation Receive m) <=
 equivocation_fault
   (v <+> MkObservation Receive (m <*> ob)))%R
  apply incl_equivocating_validators_equivocation_fault, filter_subprop; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
∀ a : Address,
  local_equivocators_full
    (v <+> MkObservation Receive m) a
  → local_equivocators_full
      (v <+> MkObservation Receive (m <*> ob)) a
  fold v'' m' v'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
∀ a : Address,
  local_equivocators_full v'' a
  → local_equivocators_full v' a
  intros k Hk; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
k: Address
Hk: local_equivocators_full v'' k
local_equivocators_full v' k
  apply lefo_alt in Hk as [(-> & _ & u & Hu & Hincomp) |]; [| by apply lefo_prev].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hincomp: incomparable
  (message (MkObservation Receive m)) u
local_equivocators_full v'
  (adr (state (message (MkObservation Receive m))))
  apply (lefo_last _ m' u Hu).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hincomp: incomparable
  (message (MkObservation Receive m)) u
incomparable m' u
  apply incomparable_iff in Hincomp as (Hadr & Hneq & H_m1_m2 & H_m2_m1).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
incomparable m' u
  apply incomparable_iff; repeat split; [done | by intros <- | |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
m' ∉ sentMessages (state u)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
u ∉ sentMessages (state m')
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
m' ∉ sentMessages (state u) intro Hm'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
False
    contradict Hfresh_m'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
m' ∈ receivedMessages v
    apply not_adr_received; [| done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
UMO_reachable no_self_equiv v
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
m' ∈ messages v
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
UMO_reachable no_self_equiv v apply UMO_reachable_impl with (1 := ELMO_mv_no_self_equiv).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
UMO_reachable ELMO_recv_valid v
      by apply ELMO_reachable_view in Hv as [].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
m' ∈ messages v eapply elem_of_submseteq.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
m' ∈ ?l
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
?l ⊆+ messages v
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
m' ∈ ?l by apply elem_of_messages; left.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
messages (state u) ⊆+ messages v apply reachable_full_node_for_all_messages with (1 := Hv).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
Hm': m' ∈ sentMessages (state u)
u ∈ messages v
        by apply elem_of_messages; right.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
u: BaseELMO.Message
Hu: u ∈ receivedMessages' (obs v)
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state u)
Hneq: message (MkObservation Receive m) ≠ u
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state u)
H_m2_m1: u
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
u ∉ sentMessages (state m') intros [[-> Hob] |]%elem_of_sentMessages_addObservation; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
ob: BaseELMO.Observation
m':= m <*> ob: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+> MkObservation Receive (m <*> ob))
H_m2_m1: message ob
∉ sentMessages
    (state
       (message (MkObservation Receive m)))
H_m1_m2: message (MkObservation Receive m)
∉ sentMessages (state (message ob))
Hneq: message (MkObservation Receive m) ≠ message ob
Hadr: adr (state (message (MkObservation Receive m))) =
adr (state (message ob))
Hu: message ob ∈ receivedMessages' (obs v)
Hob: isSend ob
False
    destruct ob as [[] om], Hob, Hneq; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
om: BaseELMO.Message
m':= m <*> MkObservation Send om: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+>
   MkObservation Receive
     (m <*> MkObservation Send om))
H_m2_m1: om ∉ sentMessages (state m)
H_m1_m2: m ∉ sentMessages (state om)
Hadr: adr (state m) = adr (state om)
Hu: om ∈ receivedMessages' (obs v)
m = om
    assert (ELMO_msg_valid_full m') as Hmv by apply Hvalid.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
v: State
m: Message
om: BaseELMO.Message
m':= m <*> MkObservation Send om: BaseELMO.Message
v':= v <+> MkObservation Receive m': BaseELMO.State
v'':= v <+> MkObservation Receive m: BaseELMO.State
Hadrs: adr (state m) ≠ adr v
Hv: constrained_state_prop Ei v
Hfresh_m': m' ∉ receivedMessages v
Hfresh_m: m ∉ receivedMessages v
Hvalid: ELMO_recv_valid v m'
Hs': local_equivocation_limit_ok
  (v <+>
   MkObservation Receive
     (m <*> MkObservation Send om))
H_m2_m1: om ∉ sentMessages (state m)
H_m1_m2: m ∉ sentMessages (state om)
Hadr: adr (state m) = adr (state om)
Hu: om ∈ receivedMessages' (obs v)
Hmv: ELMO_msg_valid_full m'
m = om
    by inversion Hmv; [| apply eq_Message].
Qed.

Hint Resolve
  equivocation_limit_recv_msg_prefix_ok
  : ELMO_hints.

Hint Resolve
  full_node_prefix
  adr_neq_no_self_equiv
  ELMO_msg_valid_prefix
  : ELMO_hints.

Lemma ELMO_recv_valid_prefix s (m : Message) (ob : Observation) :
  constrained_state_prop Ei s ->
  m <*> ob ∉ receivedMessages s ->
  m ∉ receivedMessages s ->
  adr s <> adr (state m) ->
  ELMO_recv_valid s (m <*> ob) ->
  ELMO_recv_valid s m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
m: Message
ob: Observation
constrained_state_prop Ei s
→ m <*> ob ∉ receivedMessages s
  → m ∉ receivedMessages s
    → adr s ≠ adr (state m)
      → ELMO_recv_valid s (m <*> ob)
        → ELMO_recv_valid s m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
m: Message
ob: Observation
constrained_state_prop Ei s
→ m <*> ob ∉ receivedMessages s
  → m ∉ receivedMessages s
    → adr s ≠ adr (state m)
      → ELMO_recv_valid s (m <*> ob)
        → ELMO_recv_valid s m
  intros until 4; intros Hrecv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
m: Message
ob: Observation
H1: constrained_state_prop Ei s
H2: m <*> ob ∉ receivedMessages s
H3: m ∉ receivedMessages s
H4: adr s ≠ adr (state m)
Hrecv: ELMO_recv_valid s (m <*> ob)
ELMO_recv_valid s m
  destruct (Hrecv) as [Hfull Hno_self Hmsg Hlimit].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
m: Message
ob: Observation
H1: constrained_state_prop Ei s
H2: m <*> ob ∉ receivedMessages s
H3: m ∉ receivedMessages s
H4: adr s ≠ adr (state m)
Hrecv: ELMO_recv_valid s (m <*> ob)
Hfull: full_node s (m <*> ob)
Hno_self: no_self_equiv s (m <*> ob)
Hmsg: ELMO_msg_valid_full (m <*> ob)
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (m <*> ob))
ELMO_recv_valid s m
  by constructor; eauto with ELMO_hints.
Qed.

Hint Resolve ELMO_recv_valid_prefix : ELMO_hints.

Lemma reachable_received_messages_reachable (s : State) :
  constrained_state_prop Ei s ->
  forall m,
    m ∈ receivedMessages s ->
  forall i',
    adr (state m) = idx i' ->
    constrained_state_prop (ELMO_component i') (state m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
constrained_state_prop Ei s
→ ∀ m : BaseELMO.Message,
    m ∈ receivedMessages s
    → ∀ i' : index,
        adr (state m) = idx i'
        → constrained_state_prop (ELMO_component i')
            (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
constrained_state_prop Ei s
→ ∀ m : BaseELMO.Message,
    m ∈ receivedMessages s
    → ∀ i' : index,
        adr (state m) = idx i'
        → constrained_state_prop (ELMO_component i')
            (state m)
  intros Hs m Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
∀ i' : index,
  adr (state m) = idx i'
  → constrained_state_prop (ELMO_component i')
      (state m)
  destruct (decide (adr (state m) = adr s)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
∀ i' : index,
  adr (state m) = idx i'
  → constrained_state_prop (ELMO_component i')
      (state m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
n: adr (state m) ≠ adr s
∀ i' : index,
  adr (state m) = idx i'
  → constrained_state_prop 
      (ELMO_component i') 
      (state m)
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
∀ i' : index,
  adr (state m) = idx i'
  → constrained_state_prop (ELMO_component i')
      (state m)
    intros i' Hi'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
i': index
Hi': adr (state m) = idx i'
constrained_state_prop (ELMO_component i') (state m)
    cut (m ∈ sentMessages s).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
i': index
Hi': adr (state m) = idx i'
m ∈ sentMessages s
→ constrained_state_prop (ELMO_component i') (state m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
i': index
Hi': adr (state m) = idx i'
m ∈ sentMessages s
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
i': index
Hi': adr (state m) = idx i'
m ∈ sentMessages s
→ constrained_state_prop (ELMO_component i') (state m) destruct m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
state: BaseELMO.State
Hm: MkMessage state ∈ receivedMessages s
e: adr (BaseELMO.state (MkMessage state)) = adr s
i': index
Hi': adr (BaseELMO.state (MkMessage state)) = idx i'
MkMessage state ∈ sentMessages s
→ constrained_state_prop (ELMO_component i')
    (BaseELMO.state (MkMessage state))
      apply reachable_sent_messages_reachable.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
state: BaseELMO.State
Hm: MkMessage state ∈ receivedMessages s
e: adr (BaseELMO.state (MkMessage state)) = adr s
i': index
Hi': adr (BaseELMO.state (MkMessage state)) = idx i'
constrained_state_prop (ELMO_component i') s
      assert (i = i') as ->; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
state: BaseELMO.State
Hm: MkMessage state ∈ receivedMessages s
e: adr (BaseELMO.state (MkMessage state)) = adr s
i': index
Hi': adr (BaseELMO.state (MkMessage state)) = idx i'
i = i'
      by (apply ELMO_reachable_view in Hs as []; apply (inj idx); congruence).
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
i': index
Hi': adr (state m) = idx i'
m ∈ sentMessages s apply self_messages_sent; [| done | by apply elem_of_messages; auto].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
i': index
Hi': adr (state m) = idx i'
UMO_reachable no_self_equiv s
      apply ELMO_reachable_view in Hs as [Hs ?].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable ELMO_recv_valid s
H1: adr s = idx i
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
i': index
Hi': adr (state m) = idx i'
UMO_reachable no_self_equiv s
      revert Hs; apply UMO_reachable_impl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
H1: adr s = idx i
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
e: adr (state m) = adr s
i': index
Hi': adr (state m) = idx i'
∀ (s : BaseELMO.State) (m : BaseELMO.Message),
  ELMO_recv_valid s m → no_self_equiv s m
      by intros ? ? [].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
m: BaseELMO.Message
Hm: m ∈ receivedMessages s
n: adr (state m) ≠ adr s
∀ i' : index,
  adr (state m) = idx i'
  → constrained_state_prop (ELMO_component i')
      (state m)
  revert m Hm n.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ei s
∀ m : BaseELMO.Message,
  m ∈ receivedMessages s
  → adr (state m) ≠ adr s
    → ∀ i' : index,
        adr (state m) = idx i'
        → constrained_state_prop (ELMO_component i')
            (state m)
  apply ELMO_reachable_view in Hs as [Hs Hadr].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
∀ m : BaseELMO.Message,
  m ∈ receivedMessages s
  → adr (state m) ≠ adr s
    → ∀ i' : index,
        adr (state m) = idx i'
        → constrained_state_prop (ELMO_component i')
            (state m)
  induction Hs as [| | ? ? Hvalid]; [by inversion 1 | by apply IHHs |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr (s <+> MkObservation Receive msg) = idx i
IHHs: adr s = idx i
→ ∀ m : BaseELMO.Message,
    m ∈ receivedMessages s
    → adr (state m) ≠ adr s
      → ∀ i' : index,
          adr (state m) = idx i'
          → constrained_state_prop
              (ELMO_component i') 
              (state m)
∀ m : BaseELMO.Message,
  m
  ∈ receivedMessages (s <+> MkObservation Receive msg)
  → adr (state m)
    ≠ adr (s <+> MkObservation Receive msg)
    → ∀ i' : index,
        adr (state m) = idx i'
        → constrained_state_prop (ELMO_component i')
            (state m)
  intros m Hm%elem_of_receivedMessages_addObservation; cbn in Hm, Hadr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
msg: BaseELMO.Message
Hvalid: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
IHHs: adr s = idx i
→ ∀ m : BaseELMO.Message,
    m ∈ receivedMessages s
    → adr (state m) ≠ adr s
      → ∀ i' : index,
          adr (state m) = idx i'
          → constrained_state_prop
              (ELMO_component i') 
              (state m)
m: BaseELMO.Message
Hm: m = msg ∧ True ∨ m ∈ receivedMessages s
adr (state m) ≠ adr (s <+> MkObservation Receive msg)
→ ∀ i' : index,
    adr (state m) = idx i'
    → constrained_state_prop (ELMO_component i')
        (state m)
  destruct Hm as [[<- []] |]; [| by eauto].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
m: BaseELMO.Message
Hvalid: ELMO_recv_valid s m
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
IHHs: adr s = idx i
→ ∀ m : BaseELMO.Message,
    m ∈ receivedMessages s
    → adr (state m) ≠ adr s
      → ∀ i' : index,
          adr (state m) = idx i'
          → constrained_state_prop
              (ELMO_component i') 
              (state m)
adr (state m) ≠ adr (s <+> MkObservation Receive m)
→ ∀ i' : index,
    adr (state m) = idx i'
    → constrained_state_prop (ELMO_component i')
        (state m)
  destruct (decide (m ∈ receivedMessages s)); [by eauto |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
m: BaseELMO.Message
Hvalid: ELMO_recv_valid s m
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
IHHs: adr s = idx i
→ ∀ m : BaseELMO.Message,
    m ∈ receivedMessages s
    → adr (state m) ≠ adr s
      → ∀ i' : index,
          adr (state m) = idx i'
          → constrained_state_prop
              (ELMO_component i') 
              (state m)
n: m ∉ receivedMessages s
adr (state m) ≠ adr (s <+> MkObservation Receive m)
→ ∀ i' : index,
    adr (state m) = idx i'
    → constrained_state_prop (ELMO_component i')
        (state m)
  clear IHHs; revert s Hs Hadr Hvalid n.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: BaseELMO.Message
∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s m
      → m ∉ receivedMessages s
        → adr (state m)
          ≠ adr (s <+> MkObservation Receive m)
          → ∀ i' : index,
              adr (state m) = idx i'
              → constrained_state_prop
                  (ELMO_component i') (state m)
  destruct m as [ms]; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ms: BaseELMO.State
∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
  induction ms using addObservation_ind;
    [by intros; apply initial_state_is_valid; constructor |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage (ms <+> ob))
      → MkMessage (ms <+> ob) ∉ receivedMessages s
        → adr (ms <+> ob) ≠ adr s
          → ∀ i' : index,
              adr (ms <+> ob) = idx i'
              → constrained_state_prop
                  (ELMO_component i') (ms <+> ob)
  set (m' := ms <+> ob); cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage m')
      → MkMessage m' ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') m'
  intros s Hs Hadr Hrecv_m' Hfresh' Hadr_neq i' Hadr_ms.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
constrained_state_prop (ELMO_component i') m'
  assert (Hrecv_if_fresh : MkMessage ms ∉ receivedMessages s -> ELMO_recv_valid s (MkMessage ms)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
constrained_state_prop (ELMO_component i') m'
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
    by intro; apply (ELMO_recv_valid_prefix s (MkMessage ms) ob); [apply ELMO_reachable_view | ..].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
constrained_state_prop (ELMO_component i') m'
  assert (Hms : constrained_state_prop (ELMO_component i') ms).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
constrained_state_prop (ELMO_component i') ms
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: constrained_state_prop (ELMO_component i') ms
constrained_state_prop (ELMO_component i') m'
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
constrained_state_prop (ELMO_component i') ms
    destruct (decide (MkMessage ms ∈ receivedMessages s)); [| by eauto].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
e: MkMessage ms ∈ receivedMessages s
constrained_state_prop (ELMO_component i') ms
    revert e; clear -Hs IHms Hadr Hadr_ms Hadr_neq.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
MkMessage ms ∈ receivedMessages s
→ constrained_state_prop (ELMO_component i') ms
    induction Hs; [by inversion 1 | by eapply IHHs |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
s: BaseELMO.State
msg: BaseELMO.Message
H1: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr (s <+> MkObservation Receive msg) = idx i
Hadr_neq: adr ms
≠ adr (s <+> MkObservation Receive msg)
i': index
Hadr_ms: adr ms = idx i'
IHHs: adr s = idx i
→ adr ms ≠ adr s
  → MkMessage ms ∈ receivedMessages s
    → constrained_state_prop
        (ELMO_component i') ms
MkMessage ms
∈ receivedMessages (s <+> MkObservation Receive msg)
→ constrained_state_prop (ELMO_component i') ms
    destruct (decide (MkMessage ms ∈ receivedMessages s)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
s: BaseELMO.State
msg: BaseELMO.Message
H1: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr (s <+> MkObservation Receive msg) = idx i
Hadr_neq: adr ms
≠ adr (s <+> MkObservation Receive msg)
i': index
Hadr_ms: adr ms = idx i'
IHHs: adr s = idx i
→ adr ms ≠ adr s
  → MkMessage ms ∈ receivedMessages s
    → constrained_state_prop
        (ELMO_component i') ms
e: MkMessage ms ∈ receivedMessages s
MkMessage ms
∈ receivedMessages (s <+> MkObservation Receive msg)
→ constrained_state_prop (ELMO_component i') ms
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
s: BaseELMO.State
msg: BaseELMO.Message
H1: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr (s <+> MkObservation Receive msg) = idx i
Hadr_neq: adr ms
≠ adr (s <+> MkObservation Receive msg)
i': index
Hadr_ms: adr ms = idx i'
IHHs: adr s = idx i
→ adr ms ≠ adr s
  → MkMessage ms ∈ receivedMessages s
    → constrained_state_prop
        (ELMO_component i') ms
n: MkMessage ms ∉ receivedMessages s
MkMessage ms
∈ receivedMessages (s <+> MkObservation Receive msg)
→ constrained_state_prop (ELMO_component i') ms
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
s: BaseELMO.State
msg: BaseELMO.Message
H1: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr (s <+> MkObservation Receive msg) = idx i
Hadr_neq: adr ms
≠ adr (s <+> MkObservation Receive msg)
i': index
Hadr_ms: adr ms = idx i'
IHHs: adr s = idx i
→ adr ms ≠ adr s
  → MkMessage ms ∈ receivedMessages s
    → constrained_state_prop
        (ELMO_component i') ms
e: MkMessage ms ∈ receivedMessages s
MkMessage ms
∈ receivedMessages (s <+> MkObservation Receive msg)
→ constrained_state_prop (ELMO_component i') ms by intros; eapply IHHs.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
s: BaseELMO.State
msg: BaseELMO.Message
H1: ELMO_recv_valid s msg
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr (s <+> MkObservation Receive msg) = idx i
Hadr_neq: adr ms
≠ adr (s <+> MkObservation Receive msg)
i': index
Hadr_ms: adr ms = idx i'
IHHs: adr s = idx i
→ adr ms ≠ adr s
  → MkMessage ms ∈ receivedMessages s
    → constrained_state_prop
        (ELMO_component i') ms
n: MkMessage ms ∉ receivedMessages s
MkMessage ms
∈ receivedMessages (s <+> MkObservation Receive msg)
→ constrained_state_prop (ELMO_component i') ms intros [[Hms _] |]%elem_of_receivedMessages_addObservation; cbn in *; subst; eauto.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: constrained_state_prop (ELMO_component i') ms
constrained_state_prop (ELMO_component i') m'
  apply ELMO_reachable_view; split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: constrained_state_prop (ELMO_component i') ms
UMO_reachable ELMO_recv_valid m'
  apply ELMO_reachable_view in Hms as [Hms _].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ob: BaseELMO.Observation
ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> ob: BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
UMO_reachable ELMO_recv_valid m'
  destruct ob as [[] [os]].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
UMO_reachable ELMO_recv_valid m'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Send (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
UMO_reachable ELMO_recv_valid m'
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
UMO_reachable ELMO_recv_valid m' apply reach_recv; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
ELMO_recv_valid ms (MkMessage os)
    destruct Hrecv_m' as [Hfull_s_m' Hself Hmvf_m' Hlimit].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
ELMO_recv_valid ms (MkMessage os)
    inversion Hmvf_m' as [| | ? ? Hfull_m_os Hself_os Hvalid Heqmo]; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
m: BaseELMO.Message
mo: Message
Hfull_m_os: full_node (state m) (MkMessage os)
Hself_os: no_self_equiv (state m) (MkMessage os)
Hvalid: ELMO_msg_valid_full m
Heqmo: mo = MkMessage os
H1: obs (state m) = obs ms
H2: adr (state m) = adr ms
ELMO_recv_valid ms (MkMessage os)
    assert (m = MkMessage ms)
      by (destruct m; f_equal; apply eq_State; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
m: BaseELMO.Message
mo: Message
Hfull_m_os: full_node (state m) (MkMessage os)
Hself_os: no_self_equiv (state m) (MkMessage os)
Hvalid: ELMO_msg_valid_full m
Heqmo: mo = MkMessage os
H1: obs (state m) = obs ms
H2: adr (state m) = adr ms
H3: m = MkMessage ms
ELMO_recv_valid ms (MkMessage os)
    subst m; clear mo Heqmo; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
ELMO_recv_valid ms (MkMessage os)
    constructor; [done | done | |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
ELMO_msg_valid_full (MkMessage os)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
local_equivocation_limit_ok
  (ms <+> MkObservation Receive (MkMessage os))
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
ELMO_msg_valid_full (MkMessage os) apply reachable_messages_are_msg_valid with (s := s).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
constrained_state_prop Ei s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
MkMessage os ∈ messages s
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
constrained_state_prop Ei s by apply ELMO_reachable_view.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
MkMessage os ∈ messages s by revert Hfull_s_m'; apply elem_of_submseteq, elem_of_list_here.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
local_equivocation_limit_ok
  (ms <+> MkObservation Receive (MkMessage os)) apply equivocation_limit_recv_ok_msg_ok in Hlimit; try done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
UMO_reachable no_self_equiv s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
UMO_reachable no_self_equiv (state (MkMessage m'))
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
UMO_reachable no_self_equiv s by revert Hs; apply UMO_reachable_impl; intros ? ? [].
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
UMO_reachable no_self_equiv (state (MkMessage m')) apply reach_recv; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Receive (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hfull_s_m': full_node s (MkMessage m')
Hself: no_self_equiv s (MkMessage m')
Hmvf_m': ELMO_msg_valid_full (MkMessage m')
Hlimit: local_equivocation_limit_ok
  (s <+> MkObservation Receive (MkMessage m'))
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
Hvalid: ELMO_msg_valid_full (MkMessage ms)
Hself_os: no_self_equiv ms (MkMessage os)
Hfull_m_os: full_node ms (MkMessage os)
H2: adr ms = adr ms
H1: obs ms = obs ms
UMO_reachable no_self_equiv ms
        by revert Hms; apply UMO_reachable_impl; intros ? ? [].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Send (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hrecv_m': ELMO_recv_valid s (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
UMO_reachable ELMO_recv_valid m' destruct Hrecv_m' as [_ _ Hmvf _]; inversion Hmvf; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Send (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hmvf: ELMO_msg_valid_full (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
m: Message
H2: ELMO_msg_valid_full (MkMessage os)
H1: m = MkMessage os
H3: obs (state (MkMessage os)) = obs ms
H4: adr (state (MkMessage os)) = adr ms
UMO_reachable ELMO_recv_valid m'
    unfold m'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Send (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hmvf: ELMO_msg_valid_full (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
m: Message
H2: ELMO_msg_valid_full (MkMessage os)
H1: m = MkMessage os
H3: obs (state (MkMessage os)) = obs ms
H4: adr (state (MkMessage os)) = adr ms
UMO_reachable ELMO_recv_valid
  (ms <+> MkObservation Send (MkMessage os))
    replace os with ms by (apply eq_State; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
os, ms: BaseELMO.State
IHms: ∀ s : BaseELMO.State,
  UMO_reachable ELMO_recv_valid s
  → adr s = idx i
    → ELMO_recv_valid s (MkMessage ms)
      → MkMessage ms ∉ receivedMessages s
        → adr ms ≠ adr s
          → ∀ i' : index,
              adr ms = idx i'
              → constrained_state_prop
                  (ELMO_component i') ms
m':= ms <+> MkObservation Send (MkMessage os): BaseELMO.State
s: BaseELMO.State
Hs: UMO_reachable ELMO_recv_valid s
Hadr: adr s = idx i
Hmvf: ELMO_msg_valid_full (MkMessage m')
Hfresh': MkMessage m' ∉ receivedMessages s
Hadr_neq: adr ms ≠ adr s
i': index
Hadr_ms: adr ms = idx i'
Hrecv_if_fresh: MkMessage ms ∉ receivedMessages s
→ ELMO_recv_valid s (MkMessage ms)
Hms: UMO_reachable ELMO_recv_valid ms
m: Message
H2: ELMO_msg_valid_full (MkMessage os)
H1: m = MkMessage os
H3: obs (state (MkMessage os)) = obs ms
H4: adr (state (MkMessage os)) = adr ms
UMO_reachable ELMO_recv_valid
  (ms <+> MkObservation Send (MkMessage ms))
    by apply reach_send.
Qed.

Lemma receivable_messages_reachable (ms s : State) i' :
  adr ms = idx i' ->
  constrained_state_prop Ei s ->
  ELMO_recv_valid s (MkMessage ms) ->
  constrained_state_prop (ELMO_component i') ms.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ms, s: State
i': index
adr ms = idx i'
→ constrained_state_prop Ei s
  → ELMO_recv_valid s (MkMessage ms)
    → constrained_state_prop (ELMO_component i') ms
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ms, s: State
i': index
adr ms = idx i'
→ constrained_state_prop Ei s
  → ELMO_recv_valid s (MkMessage ms)
    → constrained_state_prop (ELMO_component i') ms
  intros Heq Hcsp Hrv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ms, s: State
i': index
Heq: adr ms = idx i'
Hcsp: constrained_state_prop Ei s
Hrv: ELMO_recv_valid s (MkMessage ms)
constrained_state_prop (ELMO_component i') ms
  change ms with (state (MkMessage ms)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ms, s: State
i': index
Heq: adr ms = idx i'
Hcsp: constrained_state_prop Ei s
Hrv: ELMO_recv_valid s (MkMessage ms)
constrained_state_prop (ELMO_component i')
  (state (MkMessage ms))
  apply reachable_received_messages_reachable
    with (s := s <+> MkObservation Receive (MkMessage ms))
  ; [| constructor | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ms, s: State
i': index
Heq: adr ms = idx i'
Hcsp: constrained_state_prop Ei s
Hrv: ELMO_recv_valid s (MkMessage ms)
constrained_state_prop Ei
  (s <+> MkObservation Receive (MkMessage ms))
  apply ELMO_reachable_view in Hcsp as [].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ms, s: State
i': index
Heq: adr ms = idx i'
H1: UMO_reachable ELMO_recv_valid s
H2: adr s = idx i
Hrv: ELMO_recv_valid s (MkMessage ms)
constrained_state_prop Ei
  (s <+> MkObservation Receive (MkMessage ms))
  apply ELMO_reachable_view; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
ms, s: State
i': index
Heq: adr ms = idx i'
H1: UMO_reachable ELMO_recv_valid s
H2: adr s = idx i
Hrv: ELMO_recv_valid s (MkMessage ms)
UMO_reachable ELMO_recv_valid
  (s <+> MkObservation Receive (MkMessage ms))
∧ adr s = idx i
  by split; [apply reach_recv |].
Qed.

Inductive ELMO_component_RAM_transition : Label -> State -> State -> Message -> Prop :=
| ecr_valid_receive : forall (s1 s2 : State) (m : Message),
    input_constrained_transition Ei Receive (s1, Some m) (s2, None) ->
    ELMO_component_RAM_transition Receive s1 s2 m
| ecr_valid_send : forall (s1 s2 : State) (m : Message),
    input_constrained_transition Ei Send (s1, None) (s2, Some m) ->
    ELMO_component_RAM_transition Send s1 s2 m.

Lemma ELMO_component_input_constrained_transition_iff
  (l : Label) (s : State) (om : option Message) (s' : State) (om' : option Message) :
  input_constrained_transition Ei l (s, om) (s', om')
    <->
  (l = Receive /\ exists m, om = Some m /\ om' = None /\ ELMO_component_RAM_transition l s s' m)
    \/
  (l = Send /\ exists m, om' = Some m /\ om = None /\ ELMO_component_RAM_transition Send s s' m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: Label
s: State
om: option Message
s': State
om': option Message
input_constrained_transition Ei l (s, om) (s', om')
↔ l = Receive
  ∧ (∃ m : Message,
       om = Some m
       ∧ om' = None
         ∧ ELMO_component_RAM_transition l s s' m)
  ∨ l = Send
    ∧ (∃ m : Message,
         om' = Some m
         ∧ om = None
           ∧ ELMO_component_RAM_transition Send s s' m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: Label
s: State
om: option Message
s': State
om': option Message
input_constrained_transition Ei l (s, om) (s', om')
↔ l = Receive
  ∧ (∃ m : Message,
       om = Some m
       ∧ om' = None
         ∧ ELMO_component_RAM_transition l s s' m)
  ∨ l = Send
    ∧ (∃ m : Message,
         om' = Some m
         ∧ om = None
           ∧ ELMO_component_RAM_transition Send s s' m)
  split; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: Label
s: State
om: option Message
s': State
om': option Message
l = Receive
∧ (∃ m : Message,
     om = Some m
     ∧ om' = None
       ∧ ELMO_component_RAM_transition l s s' m)
∨ l = Send
  ∧ (∃ m : Message,
       om' = Some m
       ∧ om = None
         ∧ ELMO_component_RAM_transition Send s s' m)
→ input_constrained_transition Ei l (s, om) (s', om')
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: Label
s: State
om: option Message
s': State
om': option Message
input_constrained_transition Ei l (s, om) (s', om')
→ l = Receive
  ∧ (∃ m : Message,
       om = Some m
       ∧ om' = None
         ∧ ELMO_component_RAM_transition l s s' m)
  ∨ l = Send
    ∧ (∃ m : Message,
         om' = Some m
         ∧ om = None
           ∧ ELMO_component_RAM_transition Send s s' m)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: Label
s: State
om: option Message
s': State
om': option Message
l = Receive
∧ (∃ m : Message,
     om = Some m
     ∧ om' = None
       ∧ ELMO_component_RAM_transition l s s' m)
∨ l = Send
  ∧ (∃ m : Message,
       om' = Some m
       ∧ om = None
         ∧ ELMO_component_RAM_transition Send s s' m)
→ input_constrained_transition Ei l (s, om) (s', om') by intros [(-> & ? & -> & -> & Hm) | (-> & ? & -> & -> & Hm)]; inversion Hm.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
l: Label
s: State
om: option Message
s': State
om': option Message
input_constrained_transition Ei l (s, om) (s', om')
→ l = Receive
  ∧ (∃ m : Message,
       om = Some m
       ∧ om' = None
         ∧ ELMO_component_RAM_transition l s s' m)
  ∨ l = Send
    ∧ (∃ m : Message,
         om' = Some m
         ∧ om = None
           ∧ ELMO_component_RAM_transition Send s s' m) intros Ht; pose (Hti := Ht);  destruct Hti as [(_ & _ & Hvi) Hti];
      inversion Hvi; subst; inversion Hti; subst; [left | right].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Ht: input_constrained_transition Ei Receive
  (s, Some m)
  (s <+> MkObservation Receive m, None)
Hvi: valid Receive (s, Some m)
Hti: transition Receive (s, Some m) =
(s <+> MkObservation Receive m, None)
H1: ELMO_recv_valid s m
Receive = Receive
∧ (∃ m0 : Message,
     Some m = Some m0
     ∧ None = None
       ∧ ELMO_component_RAM_transition Receive s
           (s <+> MkObservation Receive m) m0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Ht: input_constrained_transition Ei Send (
  s, None)
  (s <+> MkObservation Send (MkMessage s),
   Some (MkMessage s))
Hvi: valid Send (s, None)
Hti: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Send = Send
∧ (∃ m : Message,
     Some (MkMessage s) = Some m
     ∧ None = None
       ∧ ELMO_component_RAM_transition Send s
           (s <+> MkObservation Send (MkMessage s)) m)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Ht: input_constrained_transition Ei Receive
  (s, Some m)
  (s <+> MkObservation Receive m, None)
Hvi: valid Receive (s, Some m)
Hti: transition Receive (s, Some m) =
(s <+> MkObservation Receive m, None)
H1: ELMO_recv_valid s m
Receive = Receive
∧ (∃ m0 : Message,
     Some m = Some m0
     ∧ None = None
       ∧ ELMO_component_RAM_transition Receive s
           (s <+> MkObservation Receive m) m0) by split; [done |]; eexists; split_and!; [done.. |]; constructor.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
Ht: input_constrained_transition Ei Send (
  s, None)
  (s <+> MkObservation Send (MkMessage s),
   Some (MkMessage s))
Hvi: valid Send (s, None)
Hti: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Send = Send
∧ (∃ m : Message,
     Some (MkMessage s) = Some m
     ∧ None = None
       ∧ ELMO_component_RAM_transition Send s
           (s <+> MkObservation Send (MkMessage s)) m) by split; [done |]; eexists; split_and!; [done.. |]; constructor.
Qed.

Lemma ELMO_component_elem_of_constrained_trace
  [s tr] (Htr : finite_constrained_trace_from Ei s tr) :
  forall item, item ∈ tr ->
    exists (s : State) (m : Message),
      destination item = s <+> MkObservation (l item) m /\
      input_constrained_transition_item Ei s item.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from Ei s tr
∀ item : transition_item,
  item ∈ tr
  → ∃ (s : State) (m : Message),
      destination item =
      s <+> MkObservation (l item) m
      ∧ input_constrained_transition_item Ei s item
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from Ei s tr
∀ item : transition_item,
  item ∈ tr
  → ∃ (s : State) (m : Message),
      destination item =
      s <+> MkObservation (l item) m
      ∧ input_constrained_transition_item Ei s item
  induction Htr; [by inversion 1 |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s', iom) (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∃ (s : State) (m : Message),
      destination item =
      s <+> MkObservation (VLSM.l item) m
      ∧ input_constrained_transition_item Ei s
          item
∀ item : transition_item,
  item
  ∈ {|
      l := l;
      input := iom;
      destination := s;
      output := oom
    |} :: tl
  → ∃ (s : State) (m : Message),
      destination item =
      s <+> MkObservation (VLSM.l item) m
      ∧ input_constrained_transition_item Ei s item
  intro item; rewrite elem_of_cons; intros [-> | Hitem]; [| by apply IHHtr].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s', iom) (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∃ (s : State) (m : Message),
      destination item =
      s <+> MkObservation (VLSM.l item) m
      ∧ input_constrained_transition_item Ei s
          item
∃ (s0 : State) (m : Message),
  destination
    {|
      l := l;
      input := iom;
      destination := s;
      output := oom
    |} =
  s0 <+>
  MkObservation
    (VLSM.l
       {|
         l := l;
         input := iom;
         destination := s;
         output := oom
       |}) m
  ∧ input_constrained_transition_item Ei s0
      {|
        l := l;
        input := iom;
        destination := s;
        output := oom
      |}
  by pose (Hti := Ht); destruct Hti as [(_ & _ & Hvi) Hti];
    inversion Hvi; subst; inversion Hti; subst; eexists _, _; split.
Qed.

Lemma ELMO_component_receivedMessages_of_constrained_trace
  [s s' tr] (Htr : finite_constrained_trace_from_to Ei s s' tr) :
  forall item, item ∈ tr ->
  forall m, (field_selector input) m item -> m ∈ receivedMessages s'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector input m item
      → m ∈ receivedMessages s'
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector input m item
      → m ∈ receivedMessages s'
  induction Htr using finite_valid_trace_from_to_rev_ind; [by inversion 1 |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector input m item
      → m ∈ receivedMessages s
∀ item : transition_item,
  item
  ∈ tr ++
    [{|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}]
  → ∀ m : Message,
      field_selector input m item
      → m ∈ receivedMessages sf
  intros item Hitem m Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector input m item
      → m ∈ receivedMessages s
item: transition_item
Hitem: item
∈ tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
m: Message
Hm: field_selector input m item
m ∈ receivedMessages sf
  change (has_been_received Ei sf m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector input m item
      → m ∈ receivedMessages s
item: transition_item
Hitem: item
∈ tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
m: Message
Hm: field_selector input m item
has_been_received Ei sf m
  eapply has_been_received_step_update; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector input m item
      → m ∈ receivedMessages s
item: transition_item
Hitem: item
∈ tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
m: Message
Hm: field_selector input m item
iom = Some m ∨ has_been_received Ei s m
  rewrite elem_of_app, elem_of_list_singleton in Hitem.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector input m item
      → m ∈ receivedMessages s
item: transition_item
Hitem: item ∈ tr
∨ item =
  {|
    l := l;
    input := iom;
    destination := sf;
    output := oom
  |}
m: Message
Hm: field_selector input m item
iom = Some m ∨ has_been_received Ei s m
  by destruct Hitem as [Hitem | ->]; [right; cbn; eapply IHHtr | left].
Qed.

Lemma ELMO_component_sentMessages_of_constrained_trace
  [s s' tr] (Htr : finite_constrained_trace_from_to Ei s s' tr) :
  forall item, item ∈ tr ->
  forall m, (field_selector output) m item -> m ∈ sentMessages s'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector output m item
      → m ∈ sentMessages s'
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector output m item
      → m ∈ sentMessages s'
  induction Htr using finite_valid_trace_from_to_rev_ind; [by inversion 1 |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector output m item
      → m ∈ sentMessages s
∀ item : transition_item,
  item
  ∈ tr ++
    [{|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}]
  → ∀ m : Message,
      field_selector output m item
      → m ∈ sentMessages sf
  intros item Hitem m Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector output m item
      → m ∈ sentMessages s
item: transition_item
Hitem: item
∈ tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
m: Message
Hm: field_selector output m item
m ∈ sentMessages sf
  change (has_been_sent Ei sf m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector output m item
      → m ∈ sentMessages s
item: transition_item
Hitem: item
∈ tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
m: Message
Hm: field_selector output m item
has_been_sent Ei sf m
  eapply has_been_sent_step_update; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector output m item
      → m ∈ sentMessages s
item: transition_item
Hitem: item
∈ tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
m: Message
Hm: field_selector output m item
oom = Some m ∨ has_been_sent Ei s m
  rewrite elem_of_app, elem_of_list_singleton in Hitem.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, iom) (sf, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      field_selector output m item
      → m ∈ sentMessages s
item: transition_item
Hitem: item ∈ tr
∨ item =
  {|
    l := l;
    input := iom;
    destination := sf;
    output := oom
  |}
m: Message
Hm: field_selector output m item
oom = Some m ∨ has_been_sent Ei s m
  by destruct Hitem as [Hitem | ->]; [right; cbn; eapply IHHtr | left].
Qed.

Lemma ELMO_component_sizeState_of_constrained_trace_output
  [s tr] (Htr : finite_constrained_trace_from Ei s tr) :
  forall item, item ∈ tr ->
  forall m, (field_selector output) m item ->
  sizeState s <= sizeState (state m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from Ei s tr
∀ item : transition_item,
  item ∈ tr
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from Ei s tr
∀ item : transition_item,
  item ∈ tr
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
  induction Htr; [by inversion 1 |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s', iom) (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
∀ item : transition_item,
  item
  ∈ {|
      l := l;
      input := iom;
      destination := s;
      output := oom
    |} :: tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s' ≤ sizeState (state m)
  intros item Hitem m Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s', iom) (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
item: transition_item
Hitem: item
∈ {|
    l := l;
    input := iom;
    destination := s;
    output := oom
  |} :: tl
m: BaseELMO.Message
Hm: field_selector output m item
sizeState s' ≤ sizeState (state m)
  destruct Ht as [(_ & _ & Hv) Ht].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Hv: valid l (s', iom)
Ht: transition l (s', iom) = (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
item: transition_item
Hitem: item
∈ {|
    l := l;
    input := iom;
    destination := s;
    output := oom
  |} :: tl
m: BaseELMO.Message
Hm: field_selector output m item
sizeState s' ≤ sizeState (state m)
  apply elem_of_cons in Hitem as [-> | Hitem]; cbn in Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Hv: valid l (s', iom)
Ht: transition l (s', iom) = (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
m: BaseELMO.Message
Hm: oom = Some m
sizeState s' ≤ sizeState (state m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Hv: valid l (s', iom)
Ht: transition l (s', iom) = (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
item: transition_item
Hitem: item ∈ tl
m: BaseELMO.Message
Hm: output item = Some m
sizeState s' ≤ sizeState (state m)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Hv: valid l (s', iom)
Ht: transition l (s', iom) = (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
m: BaseELMO.Message
Hm: oom = Some m
sizeState s' ≤ sizeState (state m) by inversion Hv; subst; inversion Ht.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Hv: valid l (s', iom)
Ht: transition l (s', iom) = (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
item: transition_item
Hitem: item ∈ tl
m: BaseELMO.Message
Hm: output item = Some m
sizeState s' ≤ sizeState (state m) transitivity (sizeState s); [| by eapply IHHtr].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tl: list transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) s tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
Hv: valid l (s', iom)
Ht: transition l (s', iom) = (s, oom)
IHHtr: ∀ item : transition_item,
  item ∈ tl
  → ∀ m : BaseELMO.Message,
      field_selector output m item
      → sizeState s ≤ sizeState (state m)
item: transition_item
Hitem: item ∈ tl
m: BaseELMO.Message
Hm: output item = Some m
sizeState s' ≤ sizeState s
    by eapply Nat.lt_le_incl, ELMO_component_valid_transition_size; cbn in Hv, Ht.
Qed.

Lemma ELMO_component_messages_of_constrained_trace
  [s s' tr] (Htr : finite_constrained_trace_from_to Ei s s' tr) :
  forall item, item ∈ tr ->
  forall m, item_sends_or_receives m item -> m ∈ messages s'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      item_sends_or_receives m item → m ∈ messages s'
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
∀ item : transition_item,
  item ∈ tr
  → ∀ m : Message,
      item_sends_or_receives m item → m ∈ messages s'
  intros ? ? ? [|]; apply elem_of_messages.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
item: transition_item
H1: item ∈ tr
m: Message
H2: input item = Some m
m ∈ sentMessages s' ∨ m ∈ receivedMessages s'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
item: transition_item
H1: item ∈ tr
m: Message
H2: output item = Some m
m ∈ sentMessages s' ∨ m ∈ receivedMessages s'
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
item: transition_item
H1: item ∈ tr
m: Message
H2: input item = Some m
m ∈ sentMessages s' ∨ m ∈ receivedMessages s' by right; eapply ELMO_component_receivedMessages_of_constrained_trace.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s, s': VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
Htr: finite_constrained_trace_from_to Ei s s' tr
item: transition_item
H1: item ∈ tr
m: Message
H2: output item = Some m
m ∈ sentMessages s' ∨ m ∈ receivedMessages s' by left; eapply ELMO_component_sentMessages_of_constrained_trace.
Qed.

End sec_ELMO_component_lemmas.

Section sec_TraceableVLSM_ELMO_component.

Context
  (i : index)
  (Ei : VLSM Message := ELMO_component i)
  .

Definition ELMO_component_state_destructor (s : State)
  : list (transition_item ELMO_component_type * State) :=
  let adr := adr s in
  match obs s with
  | [] => []
  | MkObservation Send msg as ob :: obs =>
      let source := MkState obs adr in
        [(Build_transition_item ELMO_component_type Send None s (Some msg), source)]
  | MkObservation Receive msg as ob :: obs =>
      let source := MkState obs adr in
        [(Build_transition_item ELMO_component_type Receive (Some msg) s None, source)]
  end.

Lemma ELMO_component_state_destructor_initial :
  forall (s' : VLSM.state Ei), constrained_state_prop Ei s' ->
    initial_state_prop Ei s' <-> ELMO_component_state_destructor s' = [].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s' : VLSM.state Ei,
  constrained_state_prop Ei s'
  → initial_state_prop s'
    ↔ ELMO_component_state_destructor s' = []
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s' : VLSM.state Ei,
  constrained_state_prop Ei s'
  → initial_state_prop s'
    ↔ ELMO_component_state_destructor s' = []
  intros s' Hs'; split; intro Hs''.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state Ei
Hs': constrained_state_prop Ei s'
Hs'': initial_state_prop s'
ELMO_component_state_destructor s' = []
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state Ei
Hs': constrained_state_prop Ei s'
Hs'': ELMO_component_state_destructor s' = []
initial_state_prop s'
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state Ei
Hs': constrained_state_prop Ei s'
Hs'': initial_state_prop s'
ELMO_component_state_destructor s' = [] by cbn in Hs''; apply UMO_component_initial_state_spec in Hs'' as ->.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state Ei
Hs': constrained_state_prop Ei s'
Hs'': ELMO_component_state_destructor s' = []
initial_state_prop s' apply ELMO_reachable_adr in Hs'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state Ei
Hs': adr s' = idx i
Hs'': ELMO_component_state_destructor s' = []
initial_state_prop s'
    by destruct s' as [[| [[]]] adr]; cbn in *; [| done..].
Qed.

Lemma ELMO_component_state_destructor_input_constrained_transition_item :
  forall (s' : VLSM.state Ei), constrained_state_prop Ei s' ->
  forall (s : VLSM.state Ei) (item : transition_item Ei),
    (item, s) ∈ ELMO_component_state_destructor s' ->
    input_constrained_transition_item Ei s item.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s' : VLSM.state Ei,
  constrained_state_prop Ei s'
  → ∀ (s : VLSM.state Ei) (item : transition_item),
      (item, s) ∈ ELMO_component_state_destructor s'
      → input_constrained_transition_item Ei s item
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s' : VLSM.state Ei,
  constrained_state_prop Ei s'
  → ∀ (s : VLSM.state Ei) (item : transition_item),
      (item, s) ∈ ELMO_component_state_destructor s'
      → input_constrained_transition_item Ei s item
  intros s' Hs'; apply valid_state_prop_iff in Hs' as [[[is His] ->] | (l & (s, om) & om' & Hpt)].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
His: initial_state_prop is
∀ (s : VLSM.state Ei) (item : transition_item),
  (item, s)
  ∈ ELMO_component_state_destructor (`(is ↾ His))
  → input_constrained_transition_item Ei s item
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state Ei
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
Hpt: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, om) (s', om')
∀ (s : VLSM.state Ei) (item : transition_item),
  (item, s) ∈ ELMO_component_state_destructor s'
  → input_constrained_transition_item Ei s item
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
His: initial_state_prop is
∀ (s : VLSM.state Ei) (item : transition_item),
  (item, s)
  ∈ ELMO_component_state_destructor (`(is ↾ His))
  → input_constrained_transition_item Ei s item by cbn in *; apply UMO_component_initial_state_spec in His as ->; inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s': VLSM.state Ei
l: VLSM.label (preloaded_with_all_messages_vlsm Ei)
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
om, om': option Message
Hpt: input_valid_transition
  (preloaded_with_all_messages_vlsm Ei) l
  (s, om) (s', om')
∀ (s : VLSM.state Ei) (item : transition_item),
  (item, s) ∈ ELMO_component_state_destructor s'
  → input_constrained_transition_item Ei s item by pose (Hpt' := Hpt); destruct l, s, om, Hpt' as [(_ & _ & Hv) Ht];
      inversion Hv; subst; inversion Ht; subst;
      intros _s item Hitem; apply elem_of_list_singleton in Hitem; inversion Hitem.
Qed.

#[export] Instance TraceableVLSM_ELMO_component :
  TraceableVLSM Ei ELMO_component_state_destructor sizeState.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
TraceableVLSM Ei ELMO_component_state_destructor
  sizeState
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
TraceableVLSM Ei ELMO_component_state_destructor
  sizeState
  constructor.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
TransitionMonotoneVLSM Ei sizeState
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s' s : VLSM.state Ei) (item : transition_item),
  (item, s) ∈ ELMO_component_state_destructor s'
  → destination item = s'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s' : VLSM.state Ei,
  constrained_state_prop Ei s'
  → ∀ (s : VLSM.state Ei) (item : transition_item),
      (item, s) ∈ ELMO_component_state_destructor s'
      → input_constrained_transition_item Ei s item
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : VLSM.state Ei,
  constrained_state_prop Ei s
  → initial_state_prop s
    ↔ ELMO_component_state_destructor s = []
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
TransitionMonotoneVLSM Ei sizeState by typeclasses eauto.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (s' s : VLSM.state Ei) (item : transition_item),
  (item, s) ∈ ELMO_component_state_destructor s'
  → destination item = s' by intros [[| [[] ?] ?] ?] *; [inversion 1 | ..];
      intro Hitem; apply elem_of_list_singleton in Hitem;
      inversion_clear Hitem.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s' : VLSM.state Ei,
  constrained_state_prop Ei s'
  → ∀ (s : VLSM.state Ei) (item : transition_item),
      (item, s) ∈ ELMO_component_state_destructor s'
      → input_constrained_transition_item Ei s item by apply ELMO_component_state_destructor_input_constrained_transition_item.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s : VLSM.state Ei,
  constrained_state_prop Ei s
  → initial_state_prop s
    ↔ ELMO_component_state_destructor s = [] by apply ELMO_component_state_destructor_initial.
Qed.

Lemma ELMO_latest_observation_Send_state :
  forall s' : State, constrained_state_prop Ei s' ->
  forall (s : State) (m : Message), s' = s <+> MkObservation Send m ->
    s = state m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s' : State,
  constrained_state_prop Ei s'
  → ∀ (s : State) (m : Message),
      s' = s <+> MkObservation Send m → s = state m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ s' : State,
  constrained_state_prop Ei s'
  → ∀ (s : State) (m : Message),
      s' = s <+> MkObservation Send m → s = state m
  intros s' Hs' s m ->.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hs': constrained_state_prop Ei
  (s <+> MkObservation Send m)
s = state m
  edestruct (ELMO_component_state_destructor_input_constrained_transition_item _ Hs')
    as [(_ & _ & Hv) Ht]; [by apply elem_of_list_singleton |]; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: State
m: Message
Hs': constrained_state_prop Ei
  (s <+> MkObservation Send m)
Hv: ELMO_component_valid Send
  (MkState (obs s) (adr s)) None
Ht: (MkState (obs s) (adr s) <+>
 MkObservation Send
   (MkMessage (MkState (obs s) (adr s))),
 Some (MkMessage (MkState (obs s) (adr s)))) =
(s <+> MkObservation Send m, Some m)
s = state m
  by inversion Hv; subst; inversion Ht; subst; destruct s.
Qed.

End sec_TraceableVLSM_ELMO_component.

Section sec_MessageDependencies_ELMO_component.

Context
  (i : index)
  (Ei : VLSM Message := ELMO_component i)
  .

Lemma cannot_resend_message_stepwise_ELMO_component :
  cannot_resend_message_stepwise_prop Ei.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
cannot_resend_message_stepwise_prop Ei
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
cannot_resend_message_stepwise_prop Ei
  intros ? * [(Hs & _ & Hv) Ht];
    inversion Hv; subst; inversion Ht; subst;
    simpl; split; intro Hobs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm Ei) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s ∈ sentMessages s
False
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm Ei) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s
∈ receivedMessages
    (s <+> MkObservation Send (MkMessage s))
False
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm Ei) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s ∈ sentMessages s
False by apply elem_of_sentMessages, obs_sizeState in Hobs; cbn in Hobs; lia.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm Ei) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s
∈ receivedMessages
    (s <+> MkObservation Send (MkMessage s))
False rewrite receivedMessages_addObservation, decide_False in Hobs by (intro; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ei)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm Ei) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s ∈ receivedMessages s
False
    by apply elem_of_receivedMessages, obs_sizeState in Hobs; cbn in Hobs; lia.
Qed.

#[export] Instance MessageDependencies_ELMO_component :
  MessageDependencies Ei Message_dependencies.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
MessageDependencies Ei Message_dependencies
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
MessageDependencies Ei Message_dependencies
  constructor.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (m : Message) (s' : VLSM.state
                        (preloaded_with_all_messages_vlsm
                           Ei)),
  can_produce (preloaded_with_all_messages_vlsm Ei) s'
    m
  → message_dependencies_full_node_condition Ei
      Message_dependencies s' m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ m : Message,
  can_emit (preloaded_with_all_messages_vlsm Ei) m
  → can_emit
      (preloaded_vlsm Ei
         (λ msg : Message,
            msg ∈ Message_dependencies m)) m
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ (m : Message) (s' : VLSM.state
                        (preloaded_with_all_messages_vlsm
                           Ei)),
  can_produce (preloaded_with_all_messages_vlsm Ei) s'
    m
  → message_dependencies_full_node_condition Ei
      Message_dependencies s' m intros m s' ((s, iom) & l & [(_ & _ & Hv) Ht]) dm Hdm; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
s', s: BaseELMO.State
iom: option Message
l: Label
Hv: ELMO_component_valid l s iom
Ht: UMO_component_transition l s iom = (s', Some m)
dm: Message
Hdm: dm ∈ Message_dependencies m
has_been_directly_observed_from_sent_received Ei s' dm
    apply elem_of_list_to_set, elem_of_list_fmap in Hdm
      as (o & -> & Hy).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
s', s: BaseELMO.State
iom: option Message
l: Label
Hv: ELMO_component_valid l s iom
Ht: UMO_component_transition l s iom = (s', Some m)
o: BaseELMO.Observation
Hy: o ∈ obs (state m)
has_been_directly_observed_from_sent_received Ei s'
  (message o)
    inversion Hv; subst; inversion Ht; subst; cbn in *; clear Ht.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hv: ELMO_component_valid Send s None
o: BaseELMO.Observation
Hy: o ∈ obs s
has_been_directly_observed_from_sent_received Ei
  (s <+> MkObservation Send (MkMessage s)) (message o)
    red; unfold Message; simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hv: ELMO_component_valid Send s None
o: BaseELMO.Observation
Hy: o ∈ obs s
message o
∈ sentMessages
    (s <+> MkObservation Send (MkMessage s))
∨ message o
  ∈ receivedMessages
      (s <+> MkObservation Send (MkMessage s))
    rewrite elem_of_sentMessages_addObservation, elem_of_receivedMessages_addObservation,
      elem_of_sentMessages, elem_of_receivedMessages; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
s: BaseELMO.State
Hv: ELMO_component_valid Send s None
o: BaseELMO.Observation
Hy: o ∈ obs s
(message o = MkMessage s ∧ True
 ∨ MkObservation Send (message o) ∈ obs s)
∨ message o = MkMessage s ∧ False
  ∨ MkObservation Receive (message o) ∈ obs s
    by destruct o as [[] ?]; cbn; firstorder.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
∀ m : Message,
  can_emit (preloaded_with_all_messages_vlsm Ei) m
  → can_emit
      (preloaded_vlsm Ei
         (λ msg : Message,
            msg ∈ Message_dependencies m)) m intros m Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
Hm: can_emit (preloaded_with_all_messages_vlsm Ei) m
can_emit
  (preloaded_vlsm Ei
     (λ msg : Message, msg ∈ Message_dependencies m))
  m
    apply can_emit_has_trace in Hm as (is & tr & item & Htr & Houtput).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
can_emit
  (preloaded_vlsm Ei
     (λ msg : Message, msg ∈ Message_dependencies m))
  m
    apply (can_emit_from_valid_trace
            (preloaded_vlsm Ei (fun msg : Message => msg ∈ Message_dependencies m)))
      with is (tr ++ [item]); cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
trace_has_message (field_selector output) m
  (tr ++ [item])
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
finite_valid_trace
  (preloaded_vlsm Ei
     (λ msg : Message, msg ∈ Message_dependencies m))
  is (tr ++ [item])
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
trace_has_message (field_selector output) m
  (tr ++ [item]) apply Exists_exists; eexists.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
?x ∈ tr ++ [item] ∧ field_selector output m ?x
      by split; [apply elem_of_app; right; left |].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
finite_valid_trace
  (preloaded_vlsm Ei
     (λ msg : Message, msg ∈ Message_dependencies m))
  is (tr ++ [item]) eapply lift_preloaded_trace_to_seeded;
        [by apply cannot_resend_message_stepwise_ELMO_component | | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
trace_received_not_sent_before_or_after_invariant
  (tr ++ [item])
  (λ msg : Message, msg ∈ Message_dependencies m)
      intros dm [Hrcv Hnsnd].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ Message_dependencies m
      apply elem_of_list_to_set, elem_of_list_fmap.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
∃ y : BaseELMO.Observation,
  dm = message y ∧ y ∈ obs (state m)
      exists (MkObservation Receive dm); split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
MkObservation Receive dm ∈ obs (state m)
      apply elem_of_receivedMessages.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      destruct Htr as [Htr His].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) is
  (tr ++ [item])
His: initial_state_prop is
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      apply finite_valid_trace_from_app_iff in Htr as [Htr Hitem].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei) is tr
Hitem: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei)
  (finite_trace_last is tr) [item]
His: initial_state_prop is
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      apply valid_trace_add_default_last in Htr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
Hitem: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm Ei)
  (finite_trace_last is tr) [item]
His: initial_state_prop is
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      apply first_transition_valid in Hitem as [(_ & _ & Hv) Ht].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
m: Message
is: VLSM.state (preloaded_with_all_messages_vlsm Ei)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
Hv: valid (l item)
  (finite_trace_last is tr, input item)
Ht: transition (l item)
  (finite_trace_last is tr, input item) =
(destination item, output item)
His: initial_state_prop is
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      destruct item, l, input; cbn in *; inversion Hv; subst; inversion Ht; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
Hv: ELMO_component_valid Send
  (finite_trace_last is tr) None
Ht: (finite_trace_last is tr <+>
 MkObservation Send
   (MkMessage (finite_trace_last is tr)),
 Some (MkMessage (finite_trace_last is tr))) =
(finite_trace_last is tr <+>
 MkObservation Send
   (MkMessage (finite_trace_last is tr)),
 Some (MkMessage (finite_trace_last is tr)))
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++
     [{|
        l := Send;
        input := None;
        destination :=
          finite_trace_last is tr <+>
          MkObservation Send
            (MkMessage
               (finite_trace_last is tr));
        output :=
          Some
            (MkMessage
               (finite_trace_last is tr))
      |}])
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
dm
∈ receivedMessages
    (state (MkMessage (finite_trace_last is tr)))
      clear Hv Ht Hnsnd; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
dm ∈ receivedMessages (finite_trace_last is tr)
      assert (Hrcv' : trace_has_message (field_selector input) dm tr).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
trace_has_message (field_selector input) dm tr
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
Hrcv': trace_has_message (field_selector input) dm tr
dm ∈ receivedMessages (finite_trace_last is tr)
      {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
trace_has_message (field_selector input) dm tr
        apply Exists_exists in Hrcv as (dm_item & Hdm_item & Hdm).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
dm_item: transition_item
Hdm_item: dm_item
∈ tr ++
  [{|
     l := Send;
     input := None;
     destination :=
       finite_trace_last is tr <+>
       MkObservation Send
         (MkMessage
            (finite_trace_last is tr));
     output :=
       Some
         (MkMessage
            (finite_trace_last is tr))
   |}]
Hdm: field_selector input dm dm_item
trace_has_message (field_selector input) dm tr
        rewrite elem_of_app, elem_of_list_singleton in Hdm_item.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
dm_item: transition_item
Hdm_item: dm_item ∈ tr
∨ dm_item =
  {|
    l := Send;
    input := None;
    destination :=
      finite_trace_last is tr <+>
      MkObservation Send
        (MkMessage
           (finite_trace_last is tr));
    output :=
      Some
        (MkMessage
           (finite_trace_last is tr))
  |}
Hdm: field_selector input dm dm_item
trace_has_message (field_selector input) dm tr
        destruct Hdm_item as [Hdm_item | ->]; cbn in Hdm; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
dm_item: transition_item
Hdm_item: dm_item ∈ tr
Hdm: input dm_item = Some dm
trace_has_message (field_selector input) dm tr
        by apply Exists_exists; eexists.
      }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
i: index
Ei:= ELMO_component i: VLSM Message
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ei) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
Hrcv': trace_has_message (field_selector input) dm tr
dm ∈ receivedMessages (finite_trace_last is tr)
      by eapply @has_been_received_examine_one_trace with (vlsm := Ei) in Hrcv'; cycle 1.
Qed.

End sec_MessageDependencies_ELMO_component.

Section sec_ELMOProtocol.

Context
  `{Inhabited index}
  .

Protocol

An ELMO protocol is defined as the constrained composition of a collection of ELMO components, under a composition constraint that checks that the weight of the globally-detectable equivocation is under the threshold.

Equivocators

Definition ELMO_global_equivocators (s : composite_state ELMO_component) (a : Address) : Prop :=
  exists m : Message,
    adr (state m) = a /\
    (exists (k : index) (l : Label), rec_obs (s k) (MkObservation l m)) /\
    ~ composite_has_been_sent ELMO_component s m.

Definition rec_obs_exists_dec
  (P : Observation -> Prop)
  (P_dec : forall o, Decision (P o))
  (s : State)
  : Decision (exists o, rec_obs s o /\ P o).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
s: State
Decision
  (∃ o : BaseELMO.Observation, rec_obs s o ∧ P o)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
s: State
Decision
  (∃ o : BaseELMO.Observation, rec_obs s o ∧ P o)
  revert s; fix rec 1; destruct s as [ol a].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
rec: ∀ s : State,
  Decision
    (∃ o : BaseELMO.Observation,
       rec_obs s o ∧ P o)
ol: list BaseELMO.Observation
a: Address
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (MkState ol a) o ∧ P o)
  induction ol as [| ob ol]
  ; [| specialize (rec (state (message ob))) as IHob]; clear rec.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
a: Address
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (MkState [] a) o ∧ P o)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
ob: BaseELMO.Observation
ol: list BaseELMO.Observation
a: Address
IHol: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (MkState ol a) o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (state (message ob)) o ∧ P o)
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (MkState (ob :: ol) a) o ∧ P o)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
a: Address
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (MkState [] a) o ∧ P o) by right; intros (? & Hrec & ?); inversion Hrec.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
ob: BaseELMO.Observation
ol: list BaseELMO.Observation
a: Address
IHol: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (MkState ol a) o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (state (message ob)) o ∧ P o)
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (MkState (ob :: ol) a) o ∧ P o) change (MkState _ _) with (MkState ol a <+> ob);
      remember (MkState ol a) as s; clear Heqs ol a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
ob: BaseELMO.Observation
s: BaseELMO.State
IHol: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs s o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (state (message ob)) o ∧ P o)
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (s <+> ob) o ∧ P o)
    destruct (P_dec ob) as [| Hnot_new];
      [by left; eexists; split; [constructor |] |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
ob: BaseELMO.Observation
s: BaseELMO.State
IHol: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs s o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (state (message ob)) o ∧ P o)
Hnot_new: ¬ P ob
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (s <+> ob) o ∧ P o)
    destruct IHol as [| Hnot_prev];
      [by left; destruct e as (o & Ho & HPo); exists o; split; [constructor 2 |] |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
ob: BaseELMO.Observation
s: BaseELMO.State
Hnot_prev: ¬ (∃ o : BaseELMO.Observation,
     rec_obs s o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (state (message ob)) o ∧ P o)
Hnot_new: ¬ P ob
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (s <+> ob) o ∧ P o)
    destruct ob as [[] [os]]; cbn in IHob.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
os, s: BaseELMO.State
Hnot_prev: ¬ (∃ o : BaseELMO.Observation,
     rec_obs s o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs os o ∧ P o)
Hnot_new: ¬ P (MkObservation Receive (MkMessage os))
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs
       (s <+> MkObservation Receive (MkMessage os)) o
     ∧ P o)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
os, s: BaseELMO.State
Hnot_prev: ¬ (∃ o : BaseELMO.Observation,
     rec_obs s o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs os o ∧ P o)
Hnot_new: ¬ P (MkObservation Send (MkMessage os))
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (s <+> MkObservation Send (MkMessage os))
       o ∧ P o)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
os, s: BaseELMO.State
Hnot_prev: ¬ (∃ o : BaseELMO.Observation,
     rec_obs s o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs os o ∧ P o)
Hnot_new: ¬ P (MkObservation Receive (MkMessage os))
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs
       (s <+> MkObservation Receive (MkMessage os)) o
     ∧ P o) destruct IHob as [| Hnot_recv];
        [by left; destruct e as (o & Ho & HPo); exists o; split; [constructor 3 |] |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
os, s: BaseELMO.State
Hnot_prev: ¬ (∃ o : BaseELMO.Observation,
     rec_obs s o ∧ P o)
Hnot_recv: ¬ (∃ o : BaseELMO.Observation,
     rec_obs os o ∧ P o)
Hnot_new: ¬ P (MkObservation Receive (MkMessage os))
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs
       (s <+> MkObservation Receive (MkMessage os)) o
     ∧ P o)
      by right; intros (? & Hrec & ?); inversion Hrec; subst;
        replace s0 with s in * by (apply eq_State; done); eauto.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
P: Observation → Prop
P_dec: ∀ o : Observation, Decision (P o)
os, s: BaseELMO.State
Hnot_prev: ¬ (∃ o : BaseELMO.Observation,
     rec_obs s o ∧ P o)
IHob: Decision
  (∃ o : BaseELMO.Observation,
     rec_obs os o ∧ P o)
Hnot_new: ¬ P (MkObservation Send (MkMessage os))
Decision
  (∃ o : BaseELMO.Observation,
     rec_obs (s <+> MkObservation Send (MkMessage os))
       o ∧ P o) by right; intros (? & Hrec & ?); inversion Hrec; subst;
        replace s0 with s in * by (apply eq_State; done); eauto.
Defined.

#[export] Instance ELMO_global_equivocators_dec : RelDecision ELMO_global_equivocators.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
RelDecision ELMO_global_equivocators
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
RelDecision ELMO_global_equivocators
  intros s a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Decision (ELMO_global_equivocators s a)
  apply (@Decision_iff
    (exists k o, rec_obs (s k) o
      /\ adr (state (message o)) = a
      /\ not (composite_has_been_sent ELMO_component s (message o)))).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
(∃ (k : index) (o : BaseELMO.Observation),
   rec_obs (s k) o
   ∧ adr (state (message o)) = a
     ∧ ¬ composite_has_been_sent ELMO_component s
           (message o)) ↔ ELMO_global_equivocators s a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Decision
  (∃ (k : index) (o : BaseELMO.Observation),
     rec_obs (s k) o
     ∧ adr (state (message o)) = a
       ∧ ¬ composite_has_been_sent ELMO_component s
             (message o))
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
(∃ (k : index) (o : BaseELMO.Observation),
   rec_obs (s k) o
   ∧ adr (state (message o)) = a
     ∧ ¬ composite_has_been_sent ELMO_component s
           (message o)) ↔ ELMO_global_equivocators s a
    unfold ELMO_global_equivocators.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
(∃ (k : index) (o : BaseELMO.Observation),
   rec_obs (s k) o
   ∧ adr (state (message o)) = a
     ∧ ¬ composite_has_been_sent ELMO_component s
           (message o))
↔ (∃ m : Message,
     adr (state m) = a
     ∧ (∃ (k : index) (l : Label),
          rec_obs (s k) (MkObservation l m))
       ∧ ¬ composite_has_been_sent ELMO_component s m)
    split; intros Hequ.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Hequ: ∃ (k : index) (o : BaseELMO.Observation),
  rec_obs (s k) o
  ∧ adr (state (message o)) = a
    ∧ ¬ composite_has_been_sent ELMO_component
          s (message o)
∃ m : Message,
  adr (state m) = a
  ∧ (∃ (k : index) (l : Label),
       rec_obs (s k) (MkObservation l m))
    ∧ ¬ composite_has_been_sent ELMO_component s m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Hequ: ∃ m : Message,
  adr (state m) = a
  ∧ (∃ (k : index) (l : Label),
       rec_obs (s k) (MkObservation l m))
    ∧ ¬ composite_has_been_sent ELMO_component
          s m
∃ (k : index) (o : BaseELMO.Observation),
  rec_obs (s k) o
  ∧ adr (state (message o)) = a
    ∧ ¬ composite_has_been_sent ELMO_component s
          (message o)
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Hequ: ∃ (k : index) (o : BaseELMO.Observation),
  rec_obs (s k) o
  ∧ adr (state (message o)) = a
    ∧ ¬ composite_has_been_sent ELMO_component
          s (message o)
∃ m : Message,
  adr (state m) = a
  ∧ (∃ (k : index) (l : Label),
       rec_obs (s k) (MkObservation l m))
    ∧ ¬ composite_has_been_sent ELMO_component s m by destruct Hequ as (k & [l m] & Hk & [Hadr Hsuff]); eauto 6.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Hequ: ∃ m : Message,
  adr (state m) = a
  ∧ (∃ (k : index) (l : Label),
       rec_obs (s k) (MkObservation l m))
    ∧ ¬ composite_has_been_sent ELMO_component
          s m
∃ (k : index) (o : BaseELMO.Observation),
  rec_obs (s k) o
  ∧ adr (state (message o)) = a
    ∧ ¬ composite_has_been_sent ELMO_component s
          (message o) by destruct Hequ as (m & Hadr & (k & l & Hrec_obs) & Hnot_sent); eauto.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Decision
  (∃ (k : index) (o : BaseELMO.Observation),
     rec_obs (s k) o
     ∧ adr (state (message o)) = a
       ∧ ¬ composite_has_been_sent ELMO_component s
             (message o))
  pose proof @rec_obs_exists_dec.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
X: ∀ P : Observation → Prop,
  (∀ o : Observation, Decision (P o))
  → ∀ s : State,
      Decision
        (∃ o : BaseELMO.Observation,
           rec_obs s o ∧ P o)
Decision
  (∃ (k : index) (o : BaseELMO.Observation),
     rec_obs (s k) o
     ∧ adr (state (message o)) = a
       ∧ ¬ composite_has_been_sent ELMO_component s
             (message o))
  by typeclasses eauto.
Defined.

Set Warnings "-cannot-define-projection".
Record global_equivocators_simple (s : composite_state ELMO_component) (a : Address) : Prop :=
{
  ges_m : Message;
  ges_adr : adr (state ges_m) = a;
  ges_recv : composite_has_been_received ELMO_component s ges_m;
  ges_not_sent : ~ composite_has_been_sent ELMO_component s ges_m;
}.
Set Warnings "cannot-define-projection".

Definition ELMO_global_equivocation :
  BasicEquivocation (composite_state ELMO_component) Address (listset Address) threshold :=
{|
  is_equivocating := ELMO_global_equivocators;
  is_equivocating_dec := ELMO_global_equivocators_dec;
  state_validators := const (list_to_set (map idx (enum index)));
|}.

Definition ELMO_not_heavy : composite_state ELMO_component -> Prop :=
  not_heavy (1 := ELMO_global_equivocation).

Definition ELMO_equivocating_validators : composite_state ELMO_component -> listset Address :=
  equivocating_validators (1 := ELMO_global_equivocation).

Lemma ELMO_equivocating_validators_are_Message_validators :
  forall (s : composite_state ELMO_component) (a : Address),
    a ∈ ELMO_equivocating_validators s ->
      exists (v : Message_validator idx), `v = a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : composite_state ELMO_component) (a : Address),
  a ∈ ELMO_equivocating_validators s
  → ∃ v : Message_validator idx, `v = a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : composite_state ELMO_component) (a : Address),
  a ∈ ELMO_equivocating_validators s
  → ∃ v : Message_validator idx, `v = a
  intros s a Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Ha: a ∈ ELMO_equivocating_validators s
∃ v : Message_validator idx, `v = a
  apply elem_of_filter in Ha as [_ Ha]; cbn in Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
Ha: a ∈ list_to_set (map idx (enum index))
∃ v : Message_validator idx, `v = a
  apply elem_of_list_to_set, elem_of_list_fmap in Ha as (i & Hi & _).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
i: index
Hi: a = idx i
∃ v : Message_validator idx, `v = a
  unshelve eexists (dexist a _); [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
a: Address
i: index
Hi: a = idx i
(is_Some ∘ adr2idx idx) a
  by subst; eexists; apply adr2idx_idx.
Qed.

Definition ELMO_global_constraint
  (l : composite_label ELMO_component)
  (som : composite_state ELMO_component * option Message) : Prop :=
  match l with
  | existT _ Receive =>
    let (s', _) := composite_transition ELMO_component l som in
      ELMO_not_heavy s'
  | existT _ Send => True
  end.

Definition ELMOProtocol : VLSM Message :=
  composite_vlsm ELMO_component ELMO_global_constraint.

Definition FreeELMO : VLSM Message :=
  free_composite_vlsm ELMO_component.

To talk about reachable composite states for the ELMOProtocol we also name the preloaded_with_all_messages_vlsm version of the free_composition.

Definition ReachELMO : VLSM Message :=
  preloaded_with_all_messages_vlsm FreeELMO.

Definition LimitedELMO : VLSM Message :=
  msg_dep_limited_equivocation_vlsm (Cv := listset (Message_validator idx))
    ELMO_component threshold Message_full_dependencies (Message_sender idx).

Lemma ELMO_initial_state_equivocating_validators :
  forall s : composite_state ELMO_component,
    composite_initial_state_prop ELMO_component s ->
      ELMO_equivocating_validators s ≡ ∅.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : composite_state ELMO_component,
  composite_initial_state_prop ELMO_component s
  → ELMO_equivocating_validators s ≡ ∅
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : composite_state ELMO_component,
  composite_initial_state_prop ELMO_component s
  → ELMO_equivocating_validators s ≡ ∅
  intros s Hs; rewrite elem_of_equiv_empty; intros v.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
v: Address
v ∉ ELMO_equivocating_validators s
  setoid_rewrite elem_of_filter; intros [(m & _ & [(k & l & Hobs) _]) _].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
v: Address
m: Message
k: index
l: Label
Hobs: rec_obs (s k) (MkObservation l m)
False
  replace (s k) with (MkState [] (idx k)) in Hobs
    by (symmetry; apply UMO_component_initial_state_spec, Hs).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
v: Address
m: Message
k: index
l: Label
Hobs: rec_obs (MkState [] (idx k))
  (MkObservation l m)
False
  by inversion Hobs.
Qed.

Lemma ELMO_initial_state_not_heavy :
  forall s : composite_state ELMO_component,
    composite_initial_state_prop ELMO_component s -> ELMO_not_heavy s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : composite_state ELMO_component,
  composite_initial_state_prop ELMO_component s
  → ELMO_not_heavy s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : composite_state ELMO_component,
  composite_initial_state_prop ELMO_component s
  → ELMO_not_heavy s
  intros s Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
ELMO_not_heavy s
  unfold ELMO_not_heavy, not_heavy.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
(equivocation_fault s <= threshold)%R
  replace (equivocation_fault s) with 0%R.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
(0 <= threshold)%R
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
0%R = equivocation_fault s
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
(0 <= threshold)%R by unshelve eapply rt_positive; cycle 2.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_initial_state_prop ELMO_component s
0%R = equivocation_fault s by symmetry; apply sum_weights_empty, ELMO_initial_state_equivocating_validators.
Qed.

Lemma ELMO_not_heavy_send_message :
  forall (sigma : composite_state ELMO_component) (i : index),
    ELMO_not_heavy sigma ->
    ELMO_not_heavy
      (state_update ELMO_component sigma i
        (sigma i <+> MkObservation Send (MkMessage (sigma i)))).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (sigma : composite_state ELMO_component) (i : index),
  ELMO_not_heavy sigma
  → ELMO_not_heavy
      (state_update ELMO_component sigma i
         (sigma i <+>
          MkObservation Send (MkMessage (sigma i))))
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (sigma : composite_state ELMO_component) (i : index),
  ELMO_not_heavy sigma
  → ELMO_not_heavy
      (state_update ELMO_component sigma i
         (sigma i <+>
          MkObservation Send (MkMessage (sigma i))))
  unfold ELMO_not_heavy, not_heavy; etransitivity; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
(equivocation_fault
   (state_update ELMO_component sigma i
      (sigma i <+>
       MkObservation Send (MkMessage (sigma i)))) <=
 equivocation_fault sigma)%R
  apply sum_weights_subseteq; [by apply NoDup_elements.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
equivocating_validators
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i))))
⊆ equivocating_validators sigma
  intro a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
a
∈ equivocating_validators
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send (MkMessage (sigma i))))
→ a ∈ equivocating_validators sigma
  unfold equivocating_validators; rewrite !elem_of_filter; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
ELMO_global_equivocators
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))) a
∧ a ∈ list_to_set (map idx (enum index))
→ ELMO_global_equivocators sigma a
  ∧ a ∈ list_to_set (map idx (enum index))
  intros [(msg & ? & (k & l & Hmsh) & Hnsent) Hx].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     k) (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) msg
Hx: a ∈ list_to_set (map idx (enum index))
ELMO_global_equivocators sigma a
∧ a ∈ list_to_set (map idx (enum index))
  split; [| done]; clear Hx.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     k) (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) msg
ELMO_global_equivocators sigma a
  exists msg; split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     k) (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) msg
(∃ (k : index) (l : Label),
   rec_obs (sigma k) (MkObservation l msg))
∧ ¬ composite_has_been_sent ELMO_component sigma msg
  split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     k) (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) msg
∃ (k : index) (l : Label),
  rec_obs (sigma k) (MkObservation l msg)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     k) (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) msg
¬ composite_has_been_sent ELMO_component sigma msg
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     k) (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) msg
∃ (k : index) (l : Label),
  rec_obs (sigma k) (MkObservation l msg) exists k, l; destruct (decide (k = i)); subst; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: rec_obs
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) msg
rec_obs (sigma i) (MkObservation l msg)
    by destruct (sigma i); inversion Hmsh; cbn in *; subst;
      [contradict Hnsent; exists i; cbn; state_update_simpl; left | destruct s].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     k) (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) msg
¬ composite_has_been_sent ELMO_component sigma msg contradict Hnsent; destruct Hnsent as [j Hsnd]; exists j; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
i: index
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     k) (MkObservation l msg)
j: index
Hsnd: has_been_sent (ELMO_component j) (sigma j) msg
msg
∈ sentMessages
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send (MkMessage (sigma i))) j)
    by destruct (decide (j = i)); subst; state_update_simpl; [right |].
Qed.

Lemma ELMO_not_heavy_receive_observed_message :
  forall (sigma : composite_state ELMO_component) (m : Message) (i i_m : index),
    UMO_reachable full_node (sigma i_m) ->
    has_been_directly_observed (ELMO_component i_m) (sigma i_m) m ->
    ELMO_not_heavy sigma ->
      ELMO_not_heavy (state_update ELMO_component sigma i (sigma i <+> MkObservation Receive m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (sigma : composite_state ELMO_component) (m : Message) 
  (i i_m : index),
  UMO_reachable full_node (sigma i_m)
  → has_been_directly_observed (ELMO_component i_m)
      (sigma i_m) m
    → ELMO_not_heavy sigma
      → ELMO_not_heavy
          (state_update ELMO_component sigma i
             (sigma i <+> MkObservation Receive m))
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (sigma : composite_state ELMO_component) (m : Message) 
  (i i_m : index),
  UMO_reachable full_node (sigma i_m)
  → has_been_directly_observed (ELMO_component i_m)
      (sigma i_m) m
    → ELMO_not_heavy sigma
      → ELMO_not_heavy
          (state_update ELMO_component sigma i
             (sigma i <+> MkObservation Receive m))
  intros * Hfull Hobs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
ELMO_not_heavy sigma
→ ELMO_not_heavy
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
  unfold ELMO_not_heavy, not_heavy; etransitivity; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
(equivocation_fault
   (state_update ELMO_component sigma i
      (sigma i <+> MkObservation Receive m)) <=
 equivocation_fault sigma)%R
  apply sum_weights_subseteq; [by apply NoDup_elements.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
equivocating_validators
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m))
⊆ equivocating_validators sigma
  intro a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
a
∈ equivocating_validators
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
→ a ∈ equivocating_validators sigma
  unfold equivocating_validators; rewrite !elem_of_filter; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
ELMO_global_equivocators
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) a
∧ a ∈ list_to_set (map idx (enum index))
→ ELMO_global_equivocators sigma a
  ∧ a ∈ list_to_set (map idx (enum index))
  intros [(msg & ? & (k & l & Hmsh) & Hnsent) Hx].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) k)
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
Hx: a ∈ list_to_set (map idx (enum index))
ELMO_global_equivocators sigma a
∧ a ∈ list_to_set (map idx (enum index))
  split; [| done]; clear Hx.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) k)
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
ELMO_global_equivocators sigma a
  exists msg; split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) k)
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
(∃ (k : index) (l : Label),
   rec_obs (sigma k) (MkObservation l msg))
∧ ¬ composite_has_been_sent ELMO_component sigma msg
  split; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) k)
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
¬ composite_has_been_sent ELMO_component sigma msg
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) k)
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
∃ (k : index) (l : Label),
  rec_obs (sigma k) (MkObservation l msg)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) k)
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
¬ composite_has_been_sent ELMO_component sigma msg contradict Hnsent; destruct Hnsent as [j Hsnd]; exists j; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) k)
  (MkObservation l msg)
j: index
Hsnd: has_been_sent (ELMO_component j) (sigma j) msg
msg
∈ sentMessages
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m) j)
    by destruct (decide (j = i)); subst; state_update_simpl.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
a: Address
msg: Message
H3: adr (state msg) = a
k: index
l: Label
Hmsh: rec_obs
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) k)
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
∃ (k : index) (l : Label),
  rec_obs (sigma k) (MkObservation l msg) destruct (decide (k = i)); subst; state_update_simpl; [| by eexists _, _].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: rec_obs (sigma i <+> MkObservation Receive m)
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
∃ (k : index) (l : Label),
  rec_obs (sigma k) (MkObservation l msg)
    apply rec_obs_addObservation_iff in Hmsh as [Hprev | Hmsh]; [by eexists _, _ |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: MkObservation l msg = MkObservation Receive m
∨ label (MkObservation Receive m) = Receive
  ∧ rec_obs
      (state
         (message (MkObservation Receive m)))
      (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
∃ (k : index) (l : Label),
  rec_obs (sigma k) (MkObservation l msg)
    assert (m ∈ messages (sigma i_m)) by (apply elem_of_messages; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: MkObservation l msg = MkObservation Receive m
∨ label (MkObservation Receive m) = Receive
  ∧ rec_obs
      (state
         (message (MkObservation Receive m)))
      (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
H3: m ∈ messages (sigma i_m)
∃ (k : index) (l : Label),
  rec_obs (sigma k) (MkObservation l msg)
    exists i_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: MkObservation l msg = MkObservation Receive m
∨ label (MkObservation Receive m) = Receive
  ∧ rec_obs
      (state
         (message (MkObservation Receive m)))
      (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
H3: m ∈ messages (sigma i_m)
∃ l : Label, rec_obs (sigma i_m) (MkObservation l msg)
    apply full_node_messages_iff_rec_obs; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: MkObservation l msg = MkObservation Receive m
∨ label (MkObservation Receive m) = Receive
  ∧ rec_obs
      (state
         (message (MkObservation Receive m)))
      (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
H3: m ∈ messages (sigma i_m)
msg ∈ messages (sigma i_m)
    destruct Hmsh as [[= _ ->] | [_ Hmsh]]; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: rec_obs
  (state (message (MkObservation Receive m)))
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
H3: m ∈ messages (sigma i_m)
msg ∈ messages (sigma i_m)
    apply messages_hb_transitive with m; [done.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: rec_obs
  (state (message (MkObservation Receive m)))
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
H3: m ∈ messages (sigma i_m)
msg <hb m
    apply happensBefore_msg_dep, full_message_dependencies_happens_before.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: rec_obs
  (state (message (MkObservation Receive m)))
  (MkObservation l msg)
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
H3: m ∈ messages (sigma i_m)
msg ∈ Message_full_dependencies m
    apply elem_of_rec_obs_fn_1 in Hmsh.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
m: Message
i, i_m: index
Hfull: UMO_reachable full_node (sigma i_m)
Hobs: has_been_directly_observed 
  (ELMO_component i_m) 
  (sigma i_m) m
H2: (equivocation_fault sigma <= threshold)%R
msg: Message
l: Label
Hmsh: MkObservation l msg
∈ rec_obs_fn
    (state (message (MkObservation Receive m)))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m))
    msg
H3: m ∈ messages (sigma i_m)
msg ∈ Message_full_dependencies m
    by apply elem_of_map; eexists; split; cycle 1.
Qed.

Lemma ELMO_valid_state_not_heavy :
  forall s : composite_state ELMO_component,
    valid_state_prop ELMOProtocol s -> ELMO_not_heavy s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : composite_state ELMO_component,
  valid_state_prop ELMOProtocol s → ELMO_not_heavy s
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : composite_state ELMO_component,
  valid_state_prop ELMOProtocol s → ELMO_not_heavy s
  induction 1 using valid_state_prop_ind; [by apply ELMO_initial_state_not_heavy |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s': VLSM.state ELMOProtocol
l: VLSM.label ELMOProtocol
om, om': option Message
s: VLSM.state ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, om) (s', om')
IHvalid_state_prop: ELMO_not_heavy s
ELMO_not_heavy s'
  apply input_valid_transition_destination in Ht as Hs'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s': VLSM.state ELMOProtocol
l: VLSM.label ELMOProtocol
om, om': option Message
s: VLSM.state ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, om) (s', om')
IHvalid_state_prop: ELMO_not_heavy s
Hs': valid_state_prop ELMOProtocol s'
ELMO_not_heavy s'
  destruct Ht as [(Hs & _ & [Hv Hc]) Ht].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s': VLSM.state ELMOProtocol
l: VLSM.label ELMOProtocol
om, om': option Message
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
Hv: valid l (s, om)
Hc: ELMO_global_constraint l (s, om)
Ht: transition l (s, om) = (s', om')
IHvalid_state_prop: ELMO_not_heavy s
Hs': valid_state_prop ELMOProtocol s'
ELMO_not_heavy s'
  unfold ELMO_global_constraint in Hc; destruct l as [i []];
    [by replace (composite_transition _ _ _) with (s', om') in Hc |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s': VLSM.state ELMOProtocol
i: index
om, om': option Message
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
Hv: valid (existT i Send) (s, om)
Hc: True
Ht: transition (existT i Send) (s, om) = (s', om')
IHvalid_state_prop: ELMO_not_heavy s
Hs': valid_state_prop ELMOProtocol s'
ELMO_not_heavy s'
  inversion Hv; subst; inversion Ht; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
Hv: valid (existT i Send) (s, None)
Hc: True
Ht: transition (existT i Send) (s, None) =
(state_update ELMO_component s i
   (s i <+> MkObservation Send (MkMessage (s i))),
 Some (MkMessage (s i)))
IHvalid_state_prop: ELMO_not_heavy s
Hs': valid_state_prop ELMOProtocol
  (state_update ELMO_component s i
     (s i <+>
      MkObservation Send (MkMessage (s i))))
ELMO_not_heavy
  (state_update ELMO_component s i
     (s i <+> MkObservation Send (MkMessage (s i))))
  by apply ELMO_not_heavy_send_message.
Qed.

Definition ELMO_state_to_minimal_equivocation_trace
  (s : composite_state ELMO_component) (Hs : composite_constrained_state_prop ELMO_component s)
  : composite_state ELMO_component * list (composite_transition_item ELMO_component) :=
  state_to_minimal_equivocation_trace ELMO_component
    (fun _ : index => ELMO_component_state_destructor) (fun _ : index => sizeState) s Hs.

Lemma ELMO_state_to_minimal_equivocation_trace_reachable
  (s : composite_state ELMO_component) (Hs : composite_constrained_state_prop ELMO_component s)
  (is : composite_state ELMO_component) (tr : list (composite_transition_item ELMO_component)) :
    ELMO_state_to_minimal_equivocation_trace s Hs = (is, tr) ->
      finite_valid_trace_init_to ReachELMO is s tr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_constrained_state_prop ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
ELMO_state_to_minimal_equivocation_trace s Hs =
(is, tr)
→ finite_valid_trace_init_to ReachELMO is s tr
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: composite_constrained_state_prop ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
ELMO_state_to_minimal_equivocation_trace s Hs =
(is, tr)
→ finite_valid_trace_init_to ReachELMO is s tr
  by apply reachable_composite_state_to_trace,
    minimal_equivocation_choice_is_choosing_well.
Qed.

Lemma ELMO_has_been_directly_observed_sizeState :
  forall i si m,
  has_been_directly_observed (ELMO_component i) si m ->
  sizeState (state m) < sizeState si.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (i : index) (si : VLSM.state (ELMO_component i)) 
  (m : Message),
  has_been_directly_observed (ELMO_component i) si m
  → sizeState (state m) < sizeState si
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (i : index) (si : VLSM.state (ELMO_component i)) 
  (m : Message),
  has_been_directly_observed (ELMO_component i) si m
  → sizeState (state m) < sizeState si
  intros * [Hsent | Hreceived]; cbn in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: BaseELMO.State
m: Message
Hsent: m ∈ sentMessages si
sizeState (state m) < sizeState si
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: BaseELMO.State
m: Message
Hreceived: m ∈ receivedMessages si
sizeState (state m) < sizeState si
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: BaseELMO.State
m: Message
Hsent: m ∈ sentMessages si
sizeState (state m) < sizeState si by apply elem_of_sentMessages, obs_sizeState in Hsent.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: BaseELMO.State
m: Message
Hreceived: m ∈ receivedMessages si
sizeState (state m) < sizeState si by apply elem_of_receivedMessages, obs_sizeState in Hreceived.
Qed.

Lemma ELMO_composite_observed_before_send_sizeState_Proper :
  Proper
    (composite_observed_before_send ELMO_component Message_dependencies ==> lt)
    (sizeState ∘ state).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
Proper
  (composite_observed_before_send ELMO_component
     Message_dependencies ==> lt) (sizeState ∘ state)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
Proper
  (composite_observed_before_send ELMO_component
     Message_dependencies ==> lt) (sizeState ∘ state)
  intros x y Hxy; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
x, y: Message
Hxy: composite_observed_before_send ELMO_component
  Message_dependencies x y
sizeState (state x) < sizeState (state y)
  apply composite_observed_before_send_iff in Hxy
    as (i & si & itemi & [[(Hsi & _ & Hv) Ht] Hy Hobsxitem]).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
x, y: Message
i: index
si: VLSM.state (ELMO_component i)
itemi: transition_item
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si
Hv: valid (l itemi) (si, input itemi)
Ht: transition (l itemi) (si, input itemi) =
(destination itemi, output itemi)
Hy: output itemi = Some y
Hobsxitem: ObservedBeforeStateOrMessage
  (ELMO_component i) Message_dependencies
  x si (input itemi)
sizeState (state x) < sizeState (state y)
  destruct itemi, l, input; cbn in *;
    inversion Hv; subst; inversion Ht; subst; clear Hv Ht.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
x: Message
i: index
si: BaseELMO.State
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si
Hobsxitem: ObservedBeforeStateOrMessage
  (ELMO_component i) Message_dependencies
  x si None
sizeState (state x) < sizeState (state (MkMessage si))
  inversion Hobsxitem as [? ? ? Hobsx | |]; subst; clear Hobsxitem; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
x: Message
i: index
si: BaseELMO.State
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si
Hobsx: HasBeenObserved (ELMO_component i)
  Message_dependencies si x
sizeState (state x) < sizeState si
  inversion Hobsx; [by eapply ELMO_has_been_directly_observed_sizeState |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
x: Message
i: index
si: BaseELMO.State
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si
Hobsx: HasBeenObserved (ELMO_component i)
  Message_dependencies si x
m': Message
H2: has_been_directly_observed 
  (ELMO_component i) si m'
H3: msg_dep_happens_before Message_dependencies x m'
sizeState (state x) < sizeState si
  etransitivity; [| by eapply ELMO_has_been_directly_observed_sizeState].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
x: Message
i: index
si: BaseELMO.State
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si
Hobsx: HasBeenObserved (ELMO_component i)
  Message_dependencies si x
m': Message
H2: has_been_directly_observed 
  (ELMO_component i) si m'
H3: msg_dep_happens_before Message_dependencies x m'
sizeState (state x) < sizeState (state m')
  by apply Message_full_dependencies_sizeState,
    full_message_dependencies_happens_before.
Qed.

#[local] Instance ELMO_component_tc_composite_observed_before_send_irreflexive :
  Irreflexive (tc_composite_observed_before_send ELMO_component Message_dependencies).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
Irreflexive
  (tc_composite_observed_before_send ELMO_component
     Message_dependencies)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
Irreflexive
  (tc_composite_observed_before_send ELMO_component
     Message_dependencies)
  apply (Proper_reflects_Irreflexive _ (<) (sizeState ∘ state));
    [| typeclasses eauto].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
Proper
  (tc_composite_observed_before_send ELMO_component
     Message_dependencies ==> lt) (sizeState ∘ state)
  apply Proper_tc; [typeclasses eauto |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
Proper
  (composite_observed_before_send ELMO_component
     Message_dependencies ==> lt) (sizeState ∘ state)
  by apply ELMO_composite_observed_before_send_sizeState_Proper.
Qed.

Lemma ELMO_channel_authentication_prop :
  channel_authentication_prop ELMO_component (Message_sender_index idx) (Message_sender idx).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
channel_authentication_prop ELMO_component
  (Message_sender_index idx) (Message_sender idx)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
channel_authentication_prop ELMO_component
  (Message_sender_index idx) (Message_sender idx)
  intros i m ((s & []) & [] & s' & [(Hs & _ & Hv) Ht]);
    inversion Hv; subst; inversion Ht; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
channel_authenticated_message
  (Message_sender_index idx) (Message_sender idx) i
  (MkMessage s)
  unfold channel_authenticated_message, Message_sender.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
option_map (Message_sender_index idx)
  match
    decide
      (is_Some
         (adr2idx idx (adr (state (MkMessage s)))))
  with
  | left Ha =>
      Some (dexist (adr (state (MkMessage s))) Ha)
  | right _ => None
  end = Some i
  erewrite ELMO_reachable_adr by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
option_map (Message_sender_index idx)
  match decide (is_Some (adr2idx idx (idx i))) with
  | left Ha => Some (dexist (idx i) Ha)
  | right _ => None
  end = Some i
  case_decide as Hadr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hadr: is_Some (adr2idx idx (idx i))
option_map (Message_sender_index idx)
  (Some (dexist (idx i) Hadr)) = Some i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hadr: ¬ is_Some (adr2idx idx (idx i))
option_map (Message_sender_index idx) None = Some i
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hadr: is_Some (adr2idx idx (idx i))
option_map (Message_sender_index idx)
  (Some (dexist (idx i) Hadr)) = Some i by cbn; f_equal; apply Message_sender_index_inv.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hadr: ¬ is_Some (adr2idx idx (idx i))
option_map (Message_sender_index idx) None = Some i by rewrite (adr2idx_idx idx) in Hadr; contradict Hadr; eexists.
Qed.

Lemma ELMO_state_to_minimal_equivocation_trace_equivocation_monotonic :
  forall (s : composite_state ELMO_component) (Hs : composite_constrained_state_prop ELMO_component s),
  forall (is : composite_state ELMO_component) (tr : list (composite_transition_item ELMO_component)),
  ELMO_state_to_minimal_equivocation_trace s Hs = (is, tr) ->
  forall (pre suf : list (composite_transition_item ELMO_component))
    (item : composite_transition_item ELMO_component),
    tr = pre ++ [item] ++ suf ->
    forall (v : Message_validator idx),
      msg_dep_is_globally_equivocating ELMO_component Message_dependencies (Message_sender idx)
        (finite_trace_last is pre) v ->
      msg_dep_is_globally_equivocating ELMO_component Message_dependencies (Message_sender idx)
        (destination item) v.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : composite_state ELMO_component) (Hs : composite_constrained_state_prop
                                               ELMO_component
                                               s) 
  (is : composite_state ELMO_component) (tr : list
                                                (composite_transition_item
                                                 ELMO_component)),
  ELMO_state_to_minimal_equivocation_trace s Hs =
  (is, tr)
  → ∀ (pre
       suf : list
               (composite_transition_item
                  ELMO_component)) (item : composite_transition_item
                                             ELMO_component),
      tr = pre ++ [item] ++ suf
      → ∀ v : Message_validator idx,
          msg_dep_is_globally_equivocating
            ELMO_component Message_dependencies
            (Message_sender idx)
            (finite_trace_last is pre) v
          → msg_dep_is_globally_equivocating
              ELMO_component Message_dependencies
              (Message_sender idx) (destination item)
              v
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : composite_state ELMO_component) (Hs : composite_constrained_state_prop
                                               ELMO_component
                                               s) 
  (is : composite_state ELMO_component) (tr : list
                                                (composite_transition_item
                                                 ELMO_component)),
  ELMO_state_to_minimal_equivocation_trace s Hs =
  (is, tr)
  → ∀ (pre
       suf : list
               (composite_transition_item
                  ELMO_component)) (item : composite_transition_item
                                             ELMO_component),
      tr = pre ++ [item] ++ suf
      → ∀ v : Message_validator idx,
          msg_dep_is_globally_equivocating
            ELMO_component Message_dependencies
            (Message_sender idx)
            (finite_trace_last is pre) v
          → msg_dep_is_globally_equivocating
              ELMO_component Message_dependencies
              (Message_sender idx) (destination item)
              v
  eapply state_to_minimal_equivocation_trace_equivocation_monotonic.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ i : index,
  MessageDependencies (ELMO_component i)
    Message_dependencies
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
Irreflexive
  (tc_composite_observed_before_send ELMO_component
     Message_dependencies)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
channel_authentication_prop ELMO_component 
  ?A (Message_sender idx)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ i : index,
  MessageDependencies (ELMO_component i)
    Message_dependencies by intro; apply MessageDependencies_ELMO_component.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
Irreflexive
  (tc_composite_observed_before_send ELMO_component
     Message_dependencies) by typeclasses eauto.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
channel_authentication_prop ELMO_component ?A
  (Message_sender idx) by apply ELMO_channel_authentication_prop.
Qed.

The shallow and deeper version of global_equivocators agree on states which are reachable in ELMOProtocol.

Lemma ELMO_global_equivocators_iff_simple :
  forall (s : VLSM.state ELMOProtocol) (a : Address),
    composite_constrained_state_prop ELMO_component s ->
      ELMO_global_equivocators s a <-> global_equivocators_simple s a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : VLSM.state ELMOProtocol) (a : Address),
  composite_constrained_state_prop ELMO_component s
  → ELMO_global_equivocators s a
    ↔ global_equivocators_simple s a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : VLSM.state ELMOProtocol) (a : Address),
  composite_constrained_state_prop ELMO_component s
  → ELMO_global_equivocators s a
    ↔ global_equivocators_simple s a
  intros s a Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hs: composite_constrained_state_prop ELMO_component s
ELMO_global_equivocators s a
↔ global_equivocators_simple s a
  assert (forall k, UMO_reachable full_node (s k)) as Hsi;
    [by intro; apply ELMO_full_node_reachable, preloaded_valid_state_projection |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hs: composite_constrained_state_prop ELMO_component s
Hsi: ∀ k : index, UMO_reachable full_node (s k)
ELMO_global_equivocators s a
↔ global_equivocators_simple s a
  clear Hs; split; intros Hequiv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
Hequiv: ELMO_global_equivocators s a
global_equivocators_simple s a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
Hequiv: global_equivocators_simple s a
ELMO_global_equivocators s a
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
Hequiv: ELMO_global_equivocators s a
global_equivocators_simple s a destruct Hequiv as (m & Hadr & (k & l & Hrobs) & Hnot_sent).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
k: index
l: Label
Hrobs: rec_obs (s k) (MkObservation l m)
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
global_equivocators_simple s a
    enough (composite_has_been_received _ s m) by (econstructor; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
k: index
l: Label
Hrobs: rec_obs (s k) (MkObservation l m)
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
composite_has_been_received ELMO_component s m
    assert (m ∈ messages (s k)) as Hm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
k: index
l: Label
Hrobs: rec_obs (s k) (MkObservation l m)
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
m ∈ messages (s k)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
k: index
l: Label
Hrobs: rec_obs (s k) (MkObservation l m)
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
Hm: m ∈ messages (s k)
composite_has_been_received ELMO_component s m
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
k: index
l: Label
Hrobs: rec_obs (s k) (MkObservation l m)
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
m ∈ messages (s k) by apply full_node_messages_iff_rec_obs; [| eexists].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
k: index
l: Label
Hrobs: rec_obs (s k) (MkObservation l m)
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
Hm: m ∈ messages (s k)
composite_has_been_received ELMO_component s m by apply elem_of_messages in Hm as [|];
        [contradict Hnot_sent |]; exists k.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
Hequiv: global_equivocators_simple s a
ELMO_global_equivocators s a destruct Hequiv as [m Hadr [i_rec Hrecv] Hnot_sent].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
i_rec: index
Hrecv: has_been_received (ELMO_component i_rec)
  (s i_rec) m
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
ELMO_global_equivocators s a
    unfold ELMO_global_equivocators.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
i_rec: index
Hrecv: has_been_received (ELMO_component i_rec)
  (s i_rec) m
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
∃ m : Message,
  adr (state m) = a
  ∧ (∃ (k : index) (l : Label),
       rec_obs (s k) (MkObservation l m))
    ∧ ¬ composite_has_been_sent ELMO_component s m
    exists m; split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
i_rec: index
Hrecv: has_been_received (ELMO_component i_rec)
  (s i_rec) m
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
(∃ (k : index) (l : Label),
   rec_obs (s k) (MkObservation l m))
∧ ¬ composite_has_been_sent ELMO_component s m
    split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
i_rec: index
Hrecv: has_been_received (ELMO_component i_rec)
  (s i_rec) m
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
∃ (k : index) (l : Label),
  rec_obs (s k) (MkObservation l m)
    exists i_rec.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Address
Hsi: ∀ k : index, UMO_reachable full_node (s k)
m: Message
Hadr: adr (state m) = a
i_rec: index
Hrecv: has_been_received (ELMO_component i_rec)
  (s i_rec) m
Hnot_sent: ¬ composite_has_been_sent ELMO_component s
    m
∃ l : Label, rec_obs (s i_rec) (MkObservation l m)
    by apply full_node_messages_iff_rec_obs, received_in_messages.
Qed.

global_equivocators_simple is equivalent to an instance of the generic definition full_node_is_globally_equivocating.

Lemma global_equivocators_simple_iff_full_node_equivocation :
  forall (s : VLSM.state ELMOProtocol) (v : Message_validator idx),
    full_node_is_globally_equivocating ELMO_component (Message_sender idx) s v
      <->
    global_equivocators_simple s (`v).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : VLSM.state ELMOProtocol) (v : Message_validator
                                       idx),
  full_node_is_globally_equivocating ELMO_component
    (Message_sender idx) s v
  ↔ global_equivocators_simple s (`v)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : VLSM.state ELMOProtocol) (v : Message_validator
                                       idx),
  full_node_is_globally_equivocating ELMO_component
    (Message_sender idx) s v
  ↔ global_equivocators_simple s (`v)
  split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
v: Message_validator idx
full_node_is_globally_equivocating ELMO_component
  (Message_sender idx) s v
→ global_equivocators_simple s (`v)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
v: Message_validator idx
global_equivocators_simple s (`v)
→ full_node_is_globally_equivocating ELMO_component
    (Message_sender idx) s v
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
v: Message_validator idx
full_node_is_globally_equivocating ELMO_component
  (Message_sender idx) s v
→ global_equivocators_simple s (`v) intros [? []].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
v: Message_validator idx
x: Message
fngee_sender: Message_sender idx x = Some v
fngee_received: composite_has_been_received
  ELMO_component s x
fngee_not_sent: ¬ composite_has_been_sent
    ELMO_component s x
global_equivocators_simple s (`v)
    by erewrite Message_sender_Some_adr by done; econstructor.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
v: Message_validator idx
global_equivocators_simple s (`v)
→ full_node_is_globally_equivocating ELMO_component
    (Message_sender idx) s v intros []; econstructor; split; [| done..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
ges_recv: composite_has_been_received ELMO_component
  s ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component s ges_m
Message_sender idx ges_m = Some v
    by apply Message_sender_Some_adr_iff.
Qed.

ELMO_global_equivocators can be related to msg_dep_is_globally_equivocating, but the proof is more complicated because it also needs to translate between rec_obs and CompositeHasBeenObserved

We use a full_node hypothesis so we can convert through claims about m ∈ messages (s k) rather than directly relating rec_obs and CompositeHasBeenObserved.

It might be possible to use something weaker than UMO_reachable full_node to prove CompositeHasBeenObserved ELMO_component (elements ∘ Message_dependencies) s m ↔ ∃ (k : index) (l : label), rec_obs (s k) (MkObservation l m) but CompositeHasBeenObserved can recurse into sent or received messages and rec_obs only into received messages so we need some deep structural assumption about what Send observations are allowed, even recursively within observations of observations.

Lemma ELMO_CHBO_in_messages :
  forall s,
    (forall k, UMO_reachable full_node (s k)) ->
  forall m,
    CompositeHasBeenObserved ELMO_component Message_dependencies s m
      <->
    exists (k : index), m ∈ messages (s k).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : index → BaseELMO.State,
  (∀ k : index, UMO_reachable full_node (s k))
  → ∀ m : Message,
      CompositeHasBeenObserved ELMO_component
        Message_dependencies s m
      ↔ (∃ k : index, m ∈ messages (s k))
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : index → BaseELMO.State,
  (∀ k : index, UMO_reachable full_node (s k))
  → ∀ m : Message,
      CompositeHasBeenObserved ELMO_component
        Message_dependencies s m
      ↔ (∃ k : index, m ∈ messages (s k))
  intros s Hs m; split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m: Message
CompositeHasBeenObserved ELMO_component
  Message_dependencies s m
→ ∃ k : index, m ∈ messages (s k)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m: Message
(∃ k : index, m ∈ messages (s k))
→ CompositeHasBeenObserved ELMO_component
    Message_dependencies s m
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m: Message
CompositeHasBeenObserved ELMO_component
  Message_dependencies s m
→ ∃ k : index, m ∈ messages (s k) intros [Hobs | m' Hobs Hdepth];
      destruct Hobs as [k Hobs]; exists k.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m: Message
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (s k) m
m ∈ messages (s k)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m, m': Message
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (s k) m'
Hdepth: msg_dep_happens_before Message_dependencies m
  m'
m ∈ messages (s k)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m: Message
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (s k) m
m ∈ messages (s k) by apply elem_of_messages.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m, m': Message
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (s k) m'
Hdepth: msg_dep_happens_before Message_dependencies m
  m'
m ∈ messages (s k) assert (m' ∈ messages (s k)) by (eapply elem_of_messages; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m, m': Message
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (s k) m'
Hdepth: msg_dep_happens_before Message_dependencies m
  m'
H2: m' ∈ messages (s k)
m ∈ messages (s k)
      enough (m <hb m') by (eapply messages_hb_transitive; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m, m': Message
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (s k) m'
Hdepth: msg_dep_happens_before Message_dependencies m
  m'
H2: m' ∈ messages (s k)
m <hb m'
      revert Hdepth; apply (tc_congruence (fun m=>m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m, m': Message
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (s k) m'
H2: m' ∈ messages (s k)
∀ x y : Message,
  msg_dep_rel Message_dependencies x y
  → immediate_dependency x y
      unfold msg_dep_rel, compose, immediate_dependency.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m, m': Message
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (s k) m'
H2: m' ∈ messages (s k)
∀ x y : Message,
  x ∈ Message_dependencies y → x ∈ messages (state y)
      by intros x y Hdep; apply elem_of_list_to_set in Hdep.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: index → BaseELMO.State
Hs: ∀ k : index, UMO_reachable full_node (s k)
m: Message
(∃ k : index, m ∈ messages (s k))
→ CompositeHasBeenObserved ELMO_component
    Message_dependencies s m by intros [k Hm%elem_of_messages]; constructor; exists k.
Qed.

Lemma ELMO_global_equivocators_iff_msg_dep_equivocation :
  forall (s : VLSM.state ELMOProtocol) (v : Message_validator idx),
    composite_constrained_state_prop ELMO_component s ->
    ELMO_global_equivocators s (`v)
      <->
    msg_dep_is_globally_equivocating ELMO_component
      Message_dependencies (Message_sender idx) s v.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : VLSM.state ELMOProtocol) (v : Message_validator
                                       idx),
  composite_constrained_state_prop ELMO_component s
  → ELMO_global_equivocators s (`v)
    ↔ msg_dep_is_globally_equivocating ELMO_component
        Message_dependencies (Message_sender idx) s v
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : VLSM.state ELMOProtocol) (v : Message_validator
                                       idx),
  composite_constrained_state_prop ELMO_component s
  → ELMO_global_equivocators s (`v)
    ↔ msg_dep_is_globally_equivocating ELMO_component
        Message_dependencies (Message_sender idx) s v
  cbn; intros s v Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
ELMO_global_equivocators s (`v)
↔ msg_dep_is_globally_equivocating ELMO_component
    Message_dependencies (Message_sender idx) s v
  apply Morphisms_Prop.ex_iff_morphism; intros m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
adr (state m) = `v
∧ (∃ (k : index) (l : Label),
     rec_obs (s k) (MkObservation l m))
  ∧ ¬ composite_has_been_sent ELMO_component s m
↔ MsgDepGlobalEquivocationEvidence ELMO_component
    Message_dependencies (Message_sender idx) s v m
  assert (forall k : index, UMO_reachable full_node (s k))
    by (intro; eapply ELMO_full_node_reachable, composite_constrained_state_project; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
adr (state m) = `v
∧ (∃ (k : index) (l : Label),
     rec_obs (s k) (MkObservation l m))
  ∧ ¬ composite_has_been_sent ELMO_component s m
↔ MsgDepGlobalEquivocationEvidence ELMO_component
    Message_dependencies (Message_sender idx) s v m
  setoid_rewrite <- full_node_messages_iff_rec_obs; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
adr (state m) = `v
∧ (∃ k : index, m ∈ messages (s k))
  ∧ ¬ composite_has_been_sent ELMO_component s m
↔ MsgDepGlobalEquivocationEvidence ELMO_component
    Message_dependencies (Message_sender idx) s v m
  setoid_rewrite <- ELMO_CHBO_in_messages; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
adr (state m) = `v
∧ CompositeHasBeenObserved ELMO_component
    Message_dependencies s m
  ∧ ¬ composite_has_been_sent ELMO_component s m
↔ MsgDepGlobalEquivocationEvidence ELMO_component
    Message_dependencies (Message_sender idx) s v m
  split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
adr (state m) = `v
∧ CompositeHasBeenObserved ELMO_component
    Message_dependencies s m
  ∧ ¬ composite_has_been_sent ELMO_component s m
→ MsgDepGlobalEquivocationEvidence ELMO_component
    Message_dependencies (Message_sender idx) s v m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
MsgDepGlobalEquivocationEvidence ELMO_component
  Message_dependencies 
  (Message_sender idx) s v m
→ adr (state m) = `v
  ∧ CompositeHasBeenObserved ELMO_component
      Message_dependencies s m
    ∧ ¬ composite_has_been_sent ELMO_component s m
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
adr (state m) = `v
∧ CompositeHasBeenObserved ELMO_component
    Message_dependencies s m
  ∧ ¬ composite_has_been_sent ELMO_component s m
→ MsgDepGlobalEquivocationEvidence ELMO_component
    Message_dependencies (Message_sender idx) s v m intros (? & ? & ?).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
H3: adr (state m) = `v
H4: CompositeHasBeenObserved ELMO_component
  Message_dependencies s m
H5: ¬ composite_has_been_sent ELMO_component s m
MsgDepGlobalEquivocationEvidence ELMO_component
  Message_dependencies (Message_sender idx) s v m
    by constructor; [apply Message_sender_Some_adr_iff |..].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
MsgDepGlobalEquivocationEvidence ELMO_component
  Message_dependencies (Message_sender idx) s v m
→ adr (state m) = `v
  ∧ CompositeHasBeenObserved ELMO_component
      Message_dependencies s m
    ∧ ¬ composite_has_been_sent ELMO_component s m intros []; split_and!; [| done..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
v: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
m: Message
H2: ∀ k : index, UMO_reachable full_node (s k)
mdgee_sender: Message_sender idx m = Some v
mdgee_rec_observed: CompositeHasBeenObserved
  ELMO_component
  Message_dependencies s m
mdgee_not_sent: ¬ composite_has_been_sent
    ELMO_component s m
adr (state m) = `v
    by symmetry; apply Message_sender_Some_adr_iff.
Qed.

Lemma ELMO_global_equivocators_iff_simple_by_generic :
  forall (s : VLSM.state ELMOProtocol) (v : Message_validator idx),
    composite_constrained_state_prop ELMO_component s ->
      ELMO_global_equivocators s (`v) <-> global_equivocators_simple s (`v).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : VLSM.state ELMOProtocol) (v : Message_validator
                                       idx),
  composite_constrained_state_prop ELMO_component s
  → ELMO_global_equivocators s (`v)
    ↔ global_equivocators_simple s (`v)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ (s : VLSM.state ELMOProtocol) (v : Message_validator
                                       idx),
  composite_constrained_state_prop ELMO_component s
  → ELMO_global_equivocators s (`v)
    ↔ global_equivocators_simple s (`v)
  intros s a Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
ELMO_global_equivocators s (`a)
↔ global_equivocators_simple s (`a)
  rewrite ELMO_global_equivocators_iff_msg_dep_equivocation by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
msg_dep_is_globally_equivocating ELMO_component
  Message_dependencies (Message_sender idx) s a
↔ global_equivocators_simple s (`a)
  rewrite <- global_equivocators_simple_iff_full_node_equivocation by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
msg_dep_is_globally_equivocating ELMO_component
  Message_dependencies (Message_sender idx) s a
↔ full_node_is_globally_equivocating ELMO_component
    (Message_sender idx) s a
  rewrite full_node_is_globally_equivocating_iff; [done | by typeclasses eauto | | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
a: Message_validator idx
Hs: composite_constrained_state_prop ELMO_component s
∀ i : index,
  message_dependencies_full_node_condition_prop
    (ELMO_component i) Message_dependencies
  by apply ELMO_component_message_dependencies_full_node_condition.
Qed.

If s is a reachable state in E where the state of component i has the form si' <+> (l, m), let s' be the composite state which has component i equal to si' and the other components the same as those of s. If all global equivocators of s' are also global equivocators in s then s' is also reachable in E and also it is a valid transition in E to go from s to s' with label l from the new observation and either sending or receiving m as l says.

Lemma ELMO_state_to_minimal_equivocation_equivocating_validators
  (s : composite_state ELMO_component)
  (Hs_pre :  composite_constrained_state_prop ELMO_component s)
  (is : composite_state ELMO_component)
  (tr : list (composite_transition_item ELMO_component))
  (Heqtr_min : ELMO_state_to_minimal_equivocation_trace s Hs_pre = (is, tr)) :
    Forall (fun item =>
      ELMO_equivocating_validators (destination item) ⊆ ELMO_equivocating_validators s) tr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs_pre: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  Hs_pre = (is, tr)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators s) tr
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs_pre: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  Hs_pre = (is, tr)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators s) tr
  assert (Hall := ELMO_state_to_minimal_equivocation_trace_equivocation_monotonic _ _ _ _ Heqtr_min).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs_pre: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  Hs_pre = (is, tr)
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last is pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators s) tr
  apply ELMO_state_to_minimal_equivocation_trace_reachable in Heqtr_min as Htr_min; clear Heqtr_min.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs_pre: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last is pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators s) tr
  induction Htr_min using finite_valid_trace_init_to_rev_ind; [by constructor |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators sf)
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
  apply Forall_app; split; [| by apply Forall_singleton].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators sf) tr
  apply input_valid_transition_origin in Ht as Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators sf) tr
  apply input_valid_transition_destination in Ht as Hsf.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators sf) tr
  eapply Forall_impl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
Forall ?P tr
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
∀ x : transition_item,
  ?P x
  → ELMO_equivocating_validators (destination x)
    ⊆ ELMO_equivocating_validators sf
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
Forall ?P tr by apply IHHtr_min; [| intros * ->; eapply Hall; simplify_list_eq].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
∀ x : transition_item,
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators s) x
  → ELMO_equivocating_validators (destination x)
    ⊆ ELMO_equivocating_validators sf intros x -> a Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
x: transition_item
a: Address
Ha: a ∈ ELMO_equivocating_validators s
a ∈ ELMO_equivocating_validators sf
    apply ELMO_equivocating_validators_are_Message_validators in Ha as Hv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
x: transition_item
a: Address
Ha: a ∈ ELMO_equivocating_validators s
Hv: ∃ v : Message_validator idx, `v = a
a ∈ ELMO_equivocating_validators sf
    destruct Hv as [v <-].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
x: transition_item
v: Message_validator idx
Ha: `v ∈ ELMO_equivocating_validators s
`v ∈ ELMO_equivocating_validators sf
    apply elem_of_filter in Ha as [Heqv Hv].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
x: transition_item
v: Message_validator idx
Heqv: is_equivocating s (`v)
Hv: `v ∈ state_validators s
`v ∈ ELMO_equivocating_validators sf
    apply elem_of_filter; split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
x: transition_item
v: Message_validator idx
Heqv: is_equivocating s (`v)
Hv: `v ∈ state_validators s
is_equivocating sf (`v)
    apply ELMO_global_equivocators_iff_msg_dep_equivocation in Heqv; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
IHHtr_min: composite_constrained_state_prop
  ELMO_component s
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators s)
      tr
Hs: valid_state_prop ReachELMO s
Hsf: valid_state_prop ReachELMO sf
x: transition_item
v: Message_validator idx
Heqv: msg_dep_is_globally_equivocating ELMO_component
  Message_dependencies 
  (Message_sender idx) s v
Hv: `v ∈ state_validators s
is_equivocating sf (`v)
    apply valid_trace_get_last in Htr_min as <-.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
Hs: valid_state_prop ReachELMO
  (finite_trace_last si tr)
IHHtr_min: composite_constrained_state_prop
  ELMO_component (finite_trace_last si tr)
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators
             (finite_trace_last si tr)) tr
Ht: input_valid_transition ReachELMO l
  (finite_trace_last si tr, iom) (
  sf, oom)
Hsf: valid_state_prop ReachELMO sf
x: transition_item
v: Message_validator idx
Hv: `v ∈ state_validators (finite_trace_last si tr)
Heqv: msg_dep_is_globally_equivocating ELMO_component
  Message_dependencies 
  (Message_sender idx)
  (finite_trace_last si tr) v
is_equivocating sf (`v)
    eapply Hall in Heqv; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sf: VLSM.state ReachELMO
Hs_pre: composite_constrained_state_prop
  ELMO_component sf
si: VLSM.state ReachELMO
tr: list transition_item
iom, oom: option Message
l: VLSM.label ReachELMO
Hall: ∀ (pre
   suf : list
           (composite_transition_item
              ELMO_component)) 
  (item : composite_transition_item
            ELMO_component),
  tr ++
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}] = pre ++ [item] ++ suf
  → ∀ v : Message_validator idx,
      msg_dep_is_globally_equivocating
        ELMO_component Message_dependencies
        (Message_sender idx)
        (finite_trace_last si pre) v
      → msg_dep_is_globally_equivocating
          ELMO_component Message_dependencies
          (Message_sender idx)
          (destination item) v
Hs: valid_state_prop ReachELMO
  (finite_trace_last si tr)
IHHtr_min: composite_constrained_state_prop
  ELMO_component (finite_trace_last si tr)
→ (∀ (pre
      suf : list
              (composite_transition_item
                 ELMO_component)) 
     (item : composite_transition_item
               ELMO_component),
     tr = pre ++ [item] ++ suf
     → ∀ v : Message_validator idx,
         msg_dep_is_globally_equivocating
           ELMO_component
           Message_dependencies
           (Message_sender idx)
           (finite_trace_last si pre) v
         → msg_dep_is_globally_equivocating
             ELMO_component
             Message_dependencies
             (Message_sender idx)
             (destination item) v)
  → Forall
      (λ item : transition_item,
         ELMO_equivocating_validators
           (destination item)
         ⊆ ELMO_equivocating_validators
             (finite_trace_last si tr)) tr
Ht: input_valid_transition ReachELMO l
  (finite_trace_last si tr, iom) (
  sf, oom)
Hsf: valid_state_prop ReachELMO sf
x: transition_item
v: Message_validator idx
Hv: `v ∈ state_validators (finite_trace_last si tr)
Heqv: msg_dep_is_globally_equivocating ELMO_component
  Message_dependencies 
  (Message_sender idx)
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}) v
is_equivocating sf (`v)
    by apply ELMO_global_equivocators_iff_msg_dep_equivocation.
Qed.

Lemma ELMO_state_to_minimal_equivocation_trace_valid
  (s : composite_state ELMO_component)
  (Hs : valid_state_prop ELMOProtocol s)
  (Hs_pre := VLSM_incl_valid_state (constrained_preloaded_incl
    (free_composite_vlsm _) ELMO_global_constraint) _ Hs
    : composite_constrained_state_prop ELMO_component s)
  (is : composite_state ELMO_component)
  (tr : list (composite_transition_item ELMO_component)) :
    ELMO_state_to_minimal_equivocation_trace s Hs_pre = (is, tr) ->
      finite_valid_trace_init_to ELMOProtocol is s tr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
ELMO_state_to_minimal_equivocation_trace s Hs_pre =
(is, tr)
→ finite_valid_trace_init_to ELMOProtocol is s tr
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
ELMO_state_to_minimal_equivocation_trace s Hs_pre =
(is, tr)
→ finite_valid_trace_init_to ELMOProtocol is s tr
  intros Heqtr_min.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  Hs_pre = (is, tr)
finite_valid_trace_init_to ELMOProtocol is s tr
  assert (Hall_not_heavy : Forall (fun item => ELMO_not_heavy (destination item)) tr).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  Hs_pre = (is, tr)
Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  Hs_pre = (is, tr)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
finite_valid_trace_init_to ELMOProtocol is s tr
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  Hs_pre = (is, tr)
Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
    apply ELMO_state_to_minimal_equivocation_equivocating_validators in Heqtr_min.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item)
     ⊆ ELMO_equivocating_validators s) tr
Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
    eapply Forall_impl; cbn; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item)
     ⊆ ELMO_equivocating_validators s) tr
∀ x : transition_item,
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators s) x
  → ELMO_not_heavy (destination x)
    apply ELMO_valid_state_not_heavy in Hs as Hheavy.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item)
     ⊆ ELMO_equivocating_validators s) tr
Hheavy: ELMO_not_heavy s
∀ x : transition_item,
  (λ item : transition_item,
     ELMO_equivocating_validators (destination item)
     ⊆ ELMO_equivocating_validators s) x
  → ELMO_not_heavy (destination x)
    intros item Hitem; unfold ELMO_not_heavy, not_heavy.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item)
     ⊆ ELMO_equivocating_validators s) tr
Hheavy: ELMO_not_heavy s
item: transition_item
Hitem: (λ item : transition_item,
   ELMO_equivocating_validators
     (destination item)
   ⊆ ELMO_equivocating_validators s) item
(equivocation_fault (destination item) <= threshold)%R
    etransitivity; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item)
     ⊆ ELMO_equivocating_validators s) tr
Hheavy: ELMO_not_heavy s
item: transition_item
Hitem: (λ item : transition_item,
   ELMO_equivocating_validators
     (destination item)
   ⊆ ELMO_equivocating_validators s) item
(equivocation_fault (destination item) <=
 equivocation_fault s)%R
    apply sum_weights_subseteq; [by apply NoDup_elements.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item)
     ⊆ ELMO_equivocating_validators s) tr
Hheavy: ELMO_not_heavy s
item: transition_item
Hitem: (λ item : transition_item,
   ELMO_equivocating_validators
     (destination item)
   ⊆ ELMO_equivocating_validators s) item
equivocating_validators (destination item)
⊆ equivocating_validators s
    by intro a; apply Hitem.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  Hs_pre = (is, tr)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
finite_valid_trace_init_to ELMOProtocol is s tr
  apply ELMO_state_to_minimal_equivocation_trace_reachable in Heqtr_min as Htr_min; clear Heqtr_min.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
finite_valid_trace_init_to ELMOProtocol is s tr
  assert (Hall_input_valid :
    Forall (fun item => forall m, input item = Some m -> valid_message_prop ELMOProtocol m) tr).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop ELMOProtocol m) tr
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m) tr
finite_valid_trace_init_to ELMOProtocol is s tr
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop ELMOProtocol m) tr
    apply Forall_forall; intros item Hitem m Hobs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
item: transition_item
Hitem: item ∈ tr
m: Message
Hobs: input item = Some m
valid_message_prop ELMOProtocol m
    eapply directly_observed_valid; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
item: transition_item
Hitem: item ∈ tr
m: Message
Hobs: input item = Some m
has_been_directly_observed ELMOProtocol s m
    eapply (EquivocationProjections.VLSM_incl_has_been_directly_observed_reflect
      (preloaded_constraint_subsumption_incl_free (free_composite_vlsm ELMO_component)
        ELMO_global_constraint)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
item: transition_item
Hitem: item ∈ tr
m: Message
Hobs: input item = Some m
constrained_state_prop
  {|
    vlsm_type := free_composite_vlsm ELMO_component;
    vlsm_machine :=
      constrained_vlsm_machine
        (free_composite_vlsm ELMO_component)
        ELMO_global_constraint
  |} s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
item: transition_item
Hitem: item ∈ tr
m: Message
Hobs: input item = Some m
has_been_directly_observed
  {|
    vlsm_type := free_composite_vlsm ELMO_component;
    vlsm_machine :=
      free_composite_vlsm_machine ELMO_component
  |} s m
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
item: transition_item
Hitem: item ∈ tr
m: Message
Hobs: input item = Some m
constrained_state_prop
  {|
    vlsm_type := free_composite_vlsm ELMO_component;
    vlsm_machine :=
      constrained_vlsm_machine
        (free_composite_vlsm ELMO_component)
        ELMO_global_constraint
  |} s by generalize Hs; apply VLSM_incl_valid_state, vlsm_incl_preloaded_with_all_messages_vlsm.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
item: transition_item
Hitem: item ∈ tr
m: Message
Hobs: input item = Some m
has_been_directly_observed
  {|
    vlsm_type := free_composite_vlsm ELMO_component;
    vlsm_machine :=
      free_composite_vlsm_machine ELMO_component
  |} s m eapply has_been_directly_observed_examine_one_trace; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
item: transition_item
Hitem: item ∈ tr
m: Message
Hobs: input item = Some m
trace_has_message item_sends_or_receives m tr
      by apply Exists_exists; eexists; cbn; eauto.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
Hs_pre:= VLSM_incl_valid_state
  (constrained_preloaded_incl
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint) s Hs: composite_constrained_state_prop
  ELMO_component s
is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m) tr
finite_valid_trace_init_to ELMOProtocol is s tr
  clear -Htr_min Hall_input_valid Hall_not_heavy.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s, is: composite_state ELMO_component
tr: list (composite_transition_item ELMO_component)
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Htr_min: finite_valid_trace_init_to ReachELMO is s tr
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m) tr
finite_valid_trace_init_to ELMOProtocol is s tr
  induction Htr_min using finite_valid_trace_init_to_rev_ind.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) []
si: VLSM.state ReachELMO
Hsi: initial_state_prop si
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m) []
finite_valid_trace_init_to ELMOProtocol si si []
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item))
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
si, s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m)
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
finite_valid_trace_init_to ELMOProtocol si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) []
si: VLSM.state ReachELMO
Hsi: initial_state_prop si
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m) []
finite_valid_trace_init_to ELMOProtocol si si [] by split; [rapply @finite_valid_trace_from_to_empty; apply initial_state_is_valid |].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item))
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
si, s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m)
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
finite_valid_trace_init_to ELMOProtocol si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}]) rewrite !Forall_app, !Forall_singleton in Hall_not_heavy, Hall_input_valid.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
∧ ELMO_not_heavy
    (destination
       {|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |})
si, s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m) tr
∧ (∀ m : Message,
     input
       {|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |} = Some m
     → valid_message_prop
         ELMOProtocol m)
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
finite_valid_trace_init_to ELMOProtocol si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    destruct Hall_not_heavy as [Hall_not_heavy Hsf_not_heavy],
             Hall_input_valid as [Hall_input_valid Hmsg_valid].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hall_not_heavy: Forall
  (λ item : transition_item,
     ELMO_not_heavy
       (destination item)) tr
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
Hall_input_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       input item = Some m
       → valid_message_prop
           ELMOProtocol m) tr
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
finite_valid_trace_init_to ELMOProtocol si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    destruct (IHHtr_min Hall_not_heavy Hall_input_valid) as [IHHtr _];
      clear Hall_not_heavy Hall_input_valid.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Htr_min: finite_valid_trace_init_to ReachELMO si s tr
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
finite_valid_trace_init_to ELMOProtocol si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    split; [| by apply Htr_min]; clear Htr_min.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
finite_valid_trace_from_to ELMOProtocol si sf
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    apply (extend_right_finite_trace_from_to _ IHHtr).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Ht: input_valid_transition ReachELMO l (
  s, iom) (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
input_valid_transition ELMOProtocol l (s, iom)
  (sf, oom)
    destruct Ht as [(Hs_pre & _ & Hy) Ht].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Hs_pre: valid_state_prop ReachELMO s
Hy: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
input_valid_transition ELMOProtocol l (s, iom)
  (sf, oom)
    repeat split; [| | done | | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Hs_pre: valid_state_prop ReachELMO s
Hy: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
valid_state_prop ELMOProtocol s
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Hs_pre: valid_state_prop ReachELMO s
Hy: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
option_valid_message_prop ELMOProtocol iom
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Hs_pre: valid_state_prop ReachELMO s
Hy: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
ELMO_global_constraint l (s, iom)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Hs_pre: valid_state_prop ReachELMO s
Hy: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
valid_state_prop ELMOProtocol s by apply valid_trace_last_pstate in IHHtr.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Hs_pre: valid_state_prop ReachELMO s
Hy: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
option_valid_message_prop ELMOProtocol iom by destruct iom; [apply Hmsg_valid | apply option_valid_message_None].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
l: VLSM.label ReachELMO
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Hs_pre: valid_state_prop ReachELMO s
Hy: valid l (s, iom)
Ht: transition l (s, iom) = (sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
ELMO_global_constraint l (s, iom) destruct l as [i []]; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
tr: list transition_item
sf: VLSM.state ReachELMO
iom, oom: option Message
i: index
Hsf_not_heavy: ELMO_not_heavy
  (destination
     {|
       l := existT i Receive;
       input := iom;
       destination := sf;
       output := oom
     |})
si, s: VLSM.state ReachELMO
Hs_pre: valid_state_prop ReachELMO s
Hy: valid (existT i Receive) (s, iom)
Ht: transition (existT i Receive) (s, iom) =
(sf, oom)
Hmsg_valid: ∀ m : Message,
  input
    {|
      l := existT i Receive;
      input := iom;
      destination := sf;
      output := oom
    |} = Some m
  → valid_message_prop ELMOProtocol m
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_not_heavy (destination item)) tr
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         input item = Some m
         → valid_message_prop ELMOProtocol
             m) tr
  → finite_valid_trace_init_to
      ELMOProtocol si s tr
IHHtr: finite_valid_trace_from_to ELMOProtocol si s
  tr
ELMO_global_constraint (existT i Receive) (s, iom)
      by hnf; replace (composite_transition _ _ _) with (sf, oom).
Qed.

Validators

Due to the validity predicate, a transition must have either a non-empty input or a non-empty output, the distinction being made by the label.

Inductive ELMOProtocol_valid_transition
  : index -> Label -> VLSM.state ELMOProtocol -> VLSM.state ELMOProtocol -> Message -> Prop :=
| ep_valid_receive : forall (i : index) (s1 s2 : VLSM.state ELMOProtocol) (m : Message),
    valid_transition ELMOProtocol (existT i Receive) s1 (Some m) s2 None ->
    ELMOProtocol_valid_transition i Receive s1 s2 m
| ep_valid_send : forall (i : index) (s1 s2 : VLSM.state ELMOProtocol) (m : Message),
    valid_transition ELMOProtocol (existT i Send) s1 None s2 (Some m) ->
    ELMOProtocol_valid_transition i Send s1 s2 m.

Lemma local_equivocators_full_step_update
  (i : index) (l : Label) (s1 s2 : State) (m : Message) :
    ELMO_component_RAM_transition i l s1 s2 m ->
    forall a : Address,
      local_equivocators_full s2 a
        <->
      local_equivocators_full s1 a \/
      a = adr (state m) /\ l = Receive /\
        exists m', m' ∈ receivedMessages s1 /\ incomparable m m'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
s1, s2: State
m: Message
ELMO_component_RAM_transition i l s1 s2 m
→ ∀ a : Address,
    local_equivocators_full s2 a
    ↔ local_equivocators_full s1 a
      ∨ a = adr (state m)
        ∧ l = Receive
          ∧ (∃ m' : BaseELMO.Message,
               m' ∈ receivedMessages s1
               ∧ incomparable m m')
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
s1, s2: State
m: Message
ELMO_component_RAM_transition i l s1 s2 m
→ ∀ a : Address,
    local_equivocators_full s2 a
    ↔ local_equivocators_full s1 a
      ∨ a = adr (state m)
        ∧ l = Receive
          ∧ (∃ m' : BaseELMO.Message,
               m' ∈ receivedMessages s1
               ∧ incomparable m m')
  by inversion 1 as [? ? ? [_ Ht] | ? ? ? [_ Ht]]; inversion Ht;
    setoid_rewrite lefo_alt; itauto.
Qed.

Lemma global_equivocators_simple_step_update_send
  (i : index) (sigma : composite_state ELMO_component) (s' : State) (m : Message) :
  ELMO_component_RAM_transition i Send (sigma i) s' m ->
  forall a : Address,
    global_equivocators_simple (state_update ELMO_component sigma i s') a
      ->
    global_equivocators_simple sigma a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
ELMO_component_RAM_transition i Send (sigma i) s' m
→ ∀ a : Address,
    global_equivocators_simple
      (state_update ELMO_component sigma i s') a
    → global_equivocators_simple sigma a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
ELMO_component_RAM_transition i Send (sigma i) s' m
→ ∀ a : Address,
    global_equivocators_simple
      (state_update ELMO_component sigma i s') a
    → global_equivocators_simple sigma a
  inversion 1 as [| ? ? ? [(Hsi & _ & Hvi) Hti]]; inversion Hvi; inversion Hti; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send (MkMessage (sigma i)))) a
  → global_equivocators_simple sigma a
  intros a [ges_m ges_adr [j Hrcv] ges_not_sent].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
a: Address
ges_m: Message
ges_adr: adr (state ges_m) = a
j: index
Hrcv: has_been_received (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
global_equivocators_simple sigma a
  destruct (decide (j = i)); subst; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
Hrcv: has_been_received (ELMO_component i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
global_equivocators_simple sigma (adr (state ges_m))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
n: j ≠ i
global_equivocators_simple sigma (adr (state ges_m))
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
Hrcv: has_been_received (ELMO_component i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
global_equivocators_simple sigma (adr (state ges_m)) cbn in Hrcv; rewrite decide_False in Hrcv by auto.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
global_equivocators_simple sigma (adr (state ges_m))
    econstructor; [done | by exists i |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
¬ composite_has_been_sent ELMO_component sigma ges_m
    intros [j Hsnd]; apply ges_not_sent; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
j: index
Hsnd: has_been_sent (ELMO_component j) 
  (sigma j) ges_m
has_been_sent (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i))) j)
  ges_m
    destruct (decide (j = i)); subst; state_update_simpl; cbn; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
Hsnd: has_been_sent (ELMO_component i) 
  (sigma i) ges_m
ges_m
∈ map message
    (if decide True
     then
      MkObservation Send (MkMessage (sigma i))
      :: filter isSend (obs (sigma i))
     else filter isSend (obs (sigma i)))
    by rewrite decide_True by done; right.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
n: j ≠ i
global_equivocators_simple sigma (adr (state ges_m)) econstructor; [done | by exists j |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
n: j ≠ i
¬ composite_has_been_sent ELMO_component sigma ges_m
    intros[k Hsnd]; apply ges_not_sent.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
n: j ≠ i
k: index
Hsnd: has_been_sent (ELMO_component k) 
  (sigma k) ges_m
composite_has_been_sent ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))) ges_m
    destruct (decide (k = i)); subst; [| by exists k; state_update_simpl].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
n: j ≠ i
Hsnd: has_been_sent (ELMO_component i) 
  (sigma i) ges_m
composite_has_been_sent ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))) ges_m
    exists i; state_update_simpl; unfold has_been_sent; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
H2: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Send
          (MkMessage (sigma i)))) ges_m
n: j ≠ i
Hsnd: has_been_sent (ELMO_component i) 
  (sigma i) ges_m
ges_m
∈ map message
    (if decide True
     then
      MkObservation Send (MkMessage (sigma i))
      :: filter isSend (obs (sigma i))
     else filter isSend (obs (sigma i)))
    by rewrite decide_True by done; right.
Qed.

Lemma global_equivocators_simple_step_update_send_iff
  (i : index) (sigma : composite_state ELMO_component) (s' : State) (m : Message) :
  ELMO_component_RAM_transition i Send (sigma i) s' m ->
  ~ global_equivocators_simple sigma (idx i) ->
  forall a : Address,
    global_equivocators_simple (state_update ELMO_component sigma i s') a
      <->
    global_equivocators_simple sigma a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
ELMO_component_RAM_transition i Send (sigma i) s' m
→ ¬ global_equivocators_simple sigma (idx i)
  → ∀ a : Address,
      global_equivocators_simple
        (state_update ELMO_component sigma i s') a
      ↔ global_equivocators_simple sigma a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
ELMO_component_RAM_transition i Send (sigma i) s' m
→ ¬ global_equivocators_simple sigma (idx i)
  → ∀ a : Address,
      global_equivocators_simple
        (state_update ELMO_component sigma i s') a
      ↔ global_equivocators_simple sigma a
  intros Ht Hneqvi; split; [by eapply global_equivocators_simple_step_update_send |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
global_equivocators_simple sigma a
→ global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  inversion Ht as [| ? ? ? [(Hsi & _ & Hvi) Hti]]; inversion Hvi; inversion Hti; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
global_equivocators_simple sigma a
→ global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send (MkMessage (sigma i)))) a
  destruct (decide (a = idx i)); subst; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
n: a ≠ idx i
global_equivocators_simple sigma a
→ global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send (MkMessage (sigma i)))) a
  intros [ges_m ges_adr ges_recv ges_not_sent].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
n: a ≠ idx i
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
global_equivocators_simple
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))) a
  econstructor; [done | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
n: a ≠ idx i
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
composite_has_been_received ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))) ges_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
n: a ≠ idx i
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send (MkMessage (sigma i))))
    ges_m
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
n: a ≠ idx i
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
composite_has_been_received ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))) ges_m destruct ges_recv as [j Hrcv]; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
n: a ≠ idx i
ges_m: Message
ges_adr: adr (state ges_m) = a
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
has_been_received (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i))) j)
  ges_m
    destruct (decide (j = i)); subst; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
n: adr (state ges_m) ≠ idx i
Hrcv: has_been_received (ELMO_component i) 
  (sigma i) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
has_been_received (ELMO_component i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))) ges_m
    by cbn; rewrite decide_False by auto.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
n: a ≠ idx i
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+>
        MkObservation Send (MkMessage (sigma i))))
    ges_m intros [j Hsnd]; apply ges_not_sent; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
a: Address
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
n: a ≠ idx i
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
j: index
Hsnd: has_been_sent (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i)))
     j) ges_m
has_been_sent (ELMO_component j) (sigma j) ges_m
    destruct (decide (j = i)); subst; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
n: adr (state ges_m) ≠ idx i
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
Hsnd: has_been_sent (ELMO_component i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  ges_m
has_been_sent (ELMO_component i) (sigma i) ges_m
    cbn in Hsnd; rewrite decide_True, map_cons in Hsnd by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
ges_m: Message
n: adr (state ges_m) ≠ idx i
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
Hsnd: ges_m
∈ message
    (MkObservation Send (MkMessage (sigma i)))
  :: map message
       (filter isSend (obs (sigma i)))
has_been_sent (ELMO_component i) (sigma i) ges_m
    inversion Hsnd; subst; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: ELMO_component_RAM_transition i Send 
  (sigma i)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)))
  (MkMessage (sigma i))
Hneqvi: ¬ global_equivocators_simple sigma (idx i)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
Hsnd: MkMessage (sigma i)
∈ message
    (MkObservation Send (MkMessage (sigma i)))
  :: map message
       (filter isSend (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma
    (MkMessage (sigma i))
ges_recv: composite_has_been_received ELMO_component
  sigma (MkMessage (sigma i))
n: adr (state (MkMessage (sigma i))) ≠ idx i
has_been_sent (ELMO_component i) (sigma i)
  (MkMessage (sigma i))
    by contradict n; apply ELMO_reachable_adr.
Qed.

Lemma global_equivocators_simple_step_update_receive
  (i : index) (sigma : composite_state ELMO_component) (s' : State) (m : Message) :
    ELMO_component_RAM_transition i Receive (sigma i) s' m ->
      forall a : Address,
        global_equivocators_simple (state_update ELMO_component sigma i s') a
          <->
        global_equivocators_simple sigma a
          \/
        a = adr (state m) /\ ~ composite_has_been_sent ELMO_component sigma m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
ELMO_component_RAM_transition i Receive (sigma i) s' m
→ ∀ a : Address,
    global_equivocators_simple
      (state_update ELMO_component sigma i s') a
    ↔ global_equivocators_simple sigma a
      ∨ a = adr (state m)
        ∧ ¬ composite_has_been_sent ELMO_component
              sigma m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
ELMO_component_RAM_transition i Receive (sigma i) s' m
→ ∀ a : Address,
    global_equivocators_simple
      (state_update ELMO_component sigma i s') a
    ↔ global_equivocators_simple sigma a
      ∨ a = adr (state m)
        ∧ ¬ composite_has_been_sent ELMO_component
              sigma m
  intros Ht a; inversion Ht as [? ? ? [(_ & _ & Hvi) Hti] |];
    inversion Hvi; inversion Hti; subst; clear Ht Hvi Hti; split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
global_equivocators_simple
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) a
→ global_equivocators_simple sigma a
  ∨ a = adr (state m)
    ∧ ¬ composite_has_been_sent ELMO_component sigma m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
global_equivocators_simple sigma a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
→ global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) a
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
global_equivocators_simple
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) a
→ global_equivocators_simple sigma a
  ∨ a = adr (state m)
    ∧ ¬ composite_has_been_sent ELMO_component sigma m intros [ges_m ges_adr [j Hrcv] ges_not_sent].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
j: index
Hrcv: has_been_received (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) j)
  ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
global_equivocators_simple sigma a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
    destruct (decide (j = i)); subst; state_update_simpl; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
n: j ≠ i
global_equivocators_simple sigma (adr (state ges_m))
∨ adr (state ges_m) = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: has_been_received (ELMO_component i)
  (sigma i <+> MkObservation Receive m) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
global_equivocators_simple sigma (adr (state ges_m))
∨ adr (state ges_m) = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
n: j ≠ i
global_equivocators_simple sigma (adr (state ges_m))
∨ adr (state ges_m) = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m left; econstructor; [done | by exists j |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
n: j ≠ i
¬ composite_has_been_sent ELMO_component sigma ges_m
      intros [k Hsnd]; apply ges_not_sent.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
n: j ≠ i
k: index
Hsnd: has_been_sent (ELMO_component k) 
  (sigma k) ges_m
composite_has_been_sent ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) ges_m
      destruct (decide (k = i)); subst; [| by exists k; state_update_simpl].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
n: j ≠ i
Hsnd: has_been_sent (ELMO_component i) 
  (sigma i) ges_m
composite_has_been_sent ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) ges_m
      exists i; state_update_simpl; unfold has_been_sent; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
n: j ≠ i
Hsnd: has_been_sent (ELMO_component i) 
  (sigma i) ges_m
ges_m
∈ map message
    (if decide False
     then
      MkObservation Receive m
      :: filter isSend (obs (sigma i))
     else filter isSend (obs (sigma i)))
      by rewrite decide_False by auto.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: has_been_received (ELMO_component i)
  (sigma i <+> MkObservation Receive m) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
global_equivocators_simple sigma (adr (state ges_m))
∨ adr (state ges_m) = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m cbn in Hrcv; rewrite decide_True, map_cons in Hrcv by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: ges_m
∈ message (MkObservation Receive m)
  :: map message
       (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
global_equivocators_simple sigma (adr (state ges_m))
∨ adr (state ges_m) = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
      apply elem_of_cons in Hrcv as [-> | Hrcv].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m))
    (message (MkObservation Receive m))
global_equivocators_simple sigma
  (adr (state (message (MkObservation Receive m))))
∨ adr (state (message (MkObservation Receive m))) =
  adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
global_equivocators_simple sigma (adr (state ges_m))
∨ adr (state ges_m) = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m))
    (message (MkObservation Receive m))
global_equivocators_simple sigma
  (adr (state (message (MkObservation Receive m))))
∨ adr (state (message (MkObservation Receive m))) =
  adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m right; split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m))
    (message (MkObservation Receive m))
¬ composite_has_been_sent ELMO_component sigma m
        intros [j Hsnd]; apply ges_not_sent; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m))
    (message (MkObservation Receive m))
j: index
Hsnd: has_been_sent (ELMO_component j) (sigma j) m
has_been_sent (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) j)
  (message (MkObservation Receive m))
        destruct (decide (j = i)); subst; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m))
    (message (MkObservation Receive m))
Hsnd: has_been_sent (ELMO_component i) (sigma i) m
has_been_sent (ELMO_component i)
  (sigma i <+> MkObservation Receive m)
  (message (MkObservation Receive m))
        by cbn; rewrite decide_False by auto.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
global_equivocators_simple sigma (adr (state ges_m))
∨ adr (state ges_m) = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m left; econstructor; [done | by exists i |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
¬ composite_has_been_sent ELMO_component sigma ges_m
        intros [j Hsnd]; apply ges_not_sent; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
j: index
Hsnd: has_been_sent (ELMO_component j) 
  (sigma j) ges_m
has_been_sent (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) j) ges_m
        destruct (decide (j = i)); subst; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: ges_m
∈ map message
    (filter isReceive (obs (sigma i)))
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       i
       (sigma i <+>
        MkObservation Receive m)) ges_m
Hsnd: has_been_sent (ELMO_component i) 
  (sigma i) ges_m
has_been_sent (ELMO_component i)
  (sigma i <+> MkObservation Receive m) ges_m
        by cbn; rewrite decide_False by auto.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
global_equivocators_simple sigma a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
→ global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) a intros [[ges_m ges_adr ges_recv ges_not_sent] | [-> Hnsnd]].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
global_equivocators_simple
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
Hnsnd: ¬ composite_has_been_sent ELMO_component sigma
    m
global_equivocators_simple
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m))
  (adr (state m))
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
global_equivocators_simple
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) a econstructor; [done | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
composite_has_been_received ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) ges_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) ges_m
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
composite_has_been_received ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) ges_m destruct ges_recv as [j Hrcv]; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
j: index
Hrcv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
has_been_received (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) j) ges_m
        destruct (decide (j = i)); subst; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
Hrcv: has_been_received (ELMO_component i) 
  (sigma i) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
has_been_received (ELMO_component i)
  (sigma i <+> MkObservation Receive m) ges_m
        by cbn; rewrite decide_True, map_cons by done; right.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) ges_m intros [j Hsnd]; apply ges_not_sent; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
a: Address
H6: ELMO_recv_valid (sigma i) m
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
j: index
Hsnd: has_been_sent (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) j)
  ges_m
has_been_sent (ELMO_component j) (sigma j) ges_m
        by destruct (decide (j = i)); subst; state_update_simpl.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
Hnsnd: ¬ composite_has_been_sent ELMO_component sigma
    m
global_equivocators_simple
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m))
  (adr (state m)) econstructor; [done | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
Hnsnd: ¬ composite_has_been_sent ELMO_component sigma
    m
composite_has_been_received ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
Hnsnd: ¬ composite_has_been_sent ELMO_component sigma
    m
¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) m
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
Hnsnd: ¬ composite_has_been_sent ELMO_component sigma
    m
composite_has_been_received ELMO_component
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m)) m by exists i; state_update_simpl; left.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
Hnsnd: ¬ composite_has_been_sent ELMO_component sigma
    m
¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) m intros [j Hsnd]; apply Hnsnd; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
Hnsnd: ¬ composite_has_been_sent ELMO_component sigma
    m
j: index
Hsnd: has_been_sent (ELMO_component j)
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m) j) m
has_been_sent (ELMO_component j) (sigma j) m
        destruct (decide (j = i)); subst; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
H6: ELMO_recv_valid (sigma i) m
Hnsnd: ¬ composite_has_been_sent ELMO_component sigma
    m
Hsnd: has_been_sent (ELMO_component i)
  (sigma i <+> MkObservation Receive m) m
has_been_sent (ELMO_component i) (sigma i) m
        by cbn in Hsnd; rewrite decide_False in Hsnd by auto.
Qed.

Lemma global_equivocators_simple_step_update_receive_already_observed
  (i : index) (sigma : composite_state ELMO_component) (s' : State) (m : Message) :
    composite_constrained_state_prop ELMO_component sigma ->
    ELMO_component_RAM_transition i Receive (sigma i) s' m ->
    composite_has_been_directly_observed ELMO_component sigma m ->
      forall a : Address,
        global_equivocators_simple (state_update ELMO_component sigma i s') a
          <->
        global_equivocators_simple sigma a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
composite_constrained_state_prop ELMO_component sigma
→ ELMO_component_RAM_transition i Receive (sigma i) s'
    m
  → composite_has_been_directly_observed
      ELMO_component sigma m
    → ∀ a : Address,
        global_equivocators_simple
          (state_update ELMO_component sigma i s') a
        ↔ global_equivocators_simple sigma a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
composite_constrained_state_prop ELMO_component sigma
→ ELMO_component_RAM_transition i Receive (sigma i) s'
    m
  → composite_has_been_directly_observed
      ELMO_component sigma m
    → ∀ a : Address,
        global_equivocators_simple
          (state_update ELMO_component sigma i s') a
        ↔ global_equivocators_simple sigma a
  intros Hsigma Ht Hobs a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hobs: composite_has_been_directly_observed
  ELMO_component sigma m
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma i s') a
↔ global_equivocators_simple sigma a
  rewrite global_equivocators_simple_step_update_receive by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hobs: composite_has_been_directly_observed
  ELMO_component sigma m
a: Address
global_equivocators_simple sigma a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
↔ global_equivocators_simple sigma a
  split; [| by left]; intros [| [-> Hnsend]]; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hobs: composite_has_been_directly_observed
  ELMO_component sigma m
Hnsend: ¬ composite_has_been_sent ELMO_component
    sigma m
global_equivocators_simple sigma (adr (state m))
  apply ELMO_global_equivocators_iff_simple; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hobs: composite_has_been_directly_observed
  ELMO_component sigma m
Hnsend: ¬ composite_has_been_sent ELMO_component
    sigma m
ELMO_global_equivocators sigma (adr (state m))
  exists m; repeat split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hobs: composite_has_been_directly_observed
  ELMO_component sigma m
Hnsend: ¬ composite_has_been_sent ELMO_component
    sigma m
∃ (k : index) (l : Label),
  rec_obs (sigma k) (MkObservation l m)
  destruct Hobs as [k Hobs]; exists k.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (sigma k) m
Hnsend: ¬ composite_has_been_sent ELMO_component
    sigma m
∃ l : Label, rec_obs (sigma k) (MkObservation l m)
  apply full_node_messages_iff_rec_obs; [| by apply elem_of_messages].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
k: index
Hobs: has_been_directly_observed 
  (ELMO_component k) (sigma k) m
Hnsend: ¬ composite_has_been_sent ELMO_component
    sigma m
UMO_reachable full_node (sigma k)
  by eapply ELMO_full_node_reachable, composite_constrained_state_project.
Qed.

Lemma ELMO_equivocating_validators_step_update_Send
  (i : index) (sigma : composite_state ELMO_component) (s' : State) (m : Message) :
  composite_constrained_state_prop ELMO_component sigma ->
  ELMO_component_RAM_transition i Send (sigma i) s' m ->
    ELMO_equivocating_validators (state_update ELMO_component sigma i s')
      ⊆
    ELMO_equivocating_validators sigma.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
composite_constrained_state_prop ELMO_component sigma
→ ELMO_component_RAM_transition i Send (sigma i) s' m
  → ELMO_equivocating_validators
      (state_update ELMO_component sigma i s')
    ⊆ ELMO_equivocating_validators sigma
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
composite_constrained_state_prop ELMO_component sigma
→ ELMO_component_RAM_transition i Send (sigma i) s' m
  → ELMO_equivocating_validators
      (state_update ELMO_component sigma i s')
    ⊆ ELMO_equivocating_validators sigma
  intros Hsigma Ht.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  assert (Hte : input_valid_transition ReachELMO
    (existT i Send) (sigma, None) (state_update ELMO_component sigma i s', Some m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
input_valid_transition ReachELMO (existT i Send)
  (sigma, None)
  (state_update ELMO_component sigma i s', Some m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
Hte: input_valid_transition ReachELMO 
  (existT i Send) (sigma, None)
  (state_update ELMO_component sigma i s',
   Some m)
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
input_valid_transition ReachELMO (existT i Send)
  (sigma, None)
  (state_update ELMO_component sigma i s', Some m)
    inversion Ht as [| ? ? ? [(_ & _ & Hvi) Hti]]; inversion Hvi; inversion Hti.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
s1, s2: State
m0: Message
Hvi: valid Send (sigma i, None)
Hti: transition Send (sigma i, None) = (s', Some m)
H3: s1 = sigma i
H4: s2 = s'
H5: m0 = m
s: State
H6: s = sigma i
H7: sigma i <+>
MkObservation Send (MkMessage (sigma i)) = s'
H8: MkMessage (sigma i) = m
input_valid_transition ReachELMO (existT i Send)
  (sigma, None)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send (MkMessage (sigma i))),
   Some (MkMessage (sigma i)))
    by repeat split; [| apply option_valid_message_None | constructor].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
Hte: input_valid_transition ReachELMO 
  (existT i Send) (sigma, None)
  (state_update ELMO_component sigma i s',
   Some m)
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  apply input_valid_transition_destination in Hte.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  intro a; setoid_rewrite elem_of_filter; unfold is_equivocating; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
ELMO_global_equivocators
  (state_update ELMO_component sigma i s') a
∧ a ∈ list_to_set (map idx (enum index))
→ ELMO_global_equivocators sigma a
  ∧ a ∈ list_to_set (map idx (enum index))
  rewrite !ELMO_global_equivocators_iff_simple by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma i s') a
∧ a ∈ list_to_set (map idx (enum index))
→ global_equivocators_simple sigma a
  ∧ a ∈ list_to_set (map idx (enum index))
  intros [Heqv]; split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Send 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
Heqv: global_equivocators_simple
  (state_update ELMO_component sigma i s') a
H2: a ∈ list_to_set (map idx (enum index))
global_equivocators_simple sigma a
  by eapply global_equivocators_simple_step_update_send.
Qed.

Lemma ELMO_equivocating_validators_step_update_Receive
  (i : index) (sigma : composite_state ELMO_component) (s' : State) (m : Message) :
  composite_constrained_state_prop ELMO_component sigma ->
  ELMO_component_RAM_transition i Receive (sigma i) s' m ->
    ELMO_equivocating_validators (state_update ELMO_component sigma i s')
      ⊆
    ELMO_equivocating_validators sigma ∪ {[ adr (state m) ]}.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
composite_constrained_state_prop ELMO_component sigma
→ ELMO_component_RAM_transition i Receive (sigma i) s'
    m
  → ELMO_equivocating_validators
      (state_update ELMO_component sigma i s')
    ⊆ ELMO_equivocating_validators sigma
      ∪ {[adr (state m)]}
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
composite_constrained_state_prop ELMO_component sigma
→ ELMO_component_RAM_transition i Receive (sigma i) s'
    m
  → ELMO_equivocating_validators
      (state_update ELMO_component sigma i s')
    ⊆ ELMO_equivocating_validators sigma
      ∪ {[adr (state m)]}
  intros Hsigma Ht.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  ∪ {[adr (state m)]}
  assert (Hte : input_valid_transition ReachELMO
    (existT i Receive) (sigma, Some m) (state_update ELMO_component sigma i s', None)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
input_valid_transition ReachELMO (existT i Receive)
  (sigma, Some m)
  (state_update ELMO_component sigma i s', None)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: input_valid_transition ReachELMO
  (existT i Receive) (sigma, Some m)
  (state_update ELMO_component sigma i s', None)
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  ∪ {[adr (state m)]}
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
input_valid_transition ReachELMO (existT i Receive)
  (sigma, Some m)
  (state_update ELMO_component sigma i s', None)
    inversion Ht as [? ? ? [(_ & _ & Hvi) Hti] |]; inversion Hvi; inversion Hti.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
s1, s2: State
m0: Message
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(s', None)
H3: s1 = sigma i
H4: s2 = s'
H5: m0 = m
s: State
m1: Message
H6: ELMO_recv_valid (sigma i) m
H7: s = sigma i
H2: m1 = m
H9: sigma i <+> MkObservation Receive m = s'
input_valid_transition ReachELMO (existT i Receive)
  (sigma, Some m)
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m), None)
    by repeat split; [| apply any_message_is_valid_in_preloaded | constructor].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: input_valid_transition ReachELMO
  (existT i Receive) (sigma, Some m)
  (state_update ELMO_component sigma i s', None)
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  ∪ {[adr (state m)]}
  apply input_valid_transition_destination in Hte.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  ∪ {[adr (state m)]}
  intro a; rewrite elem_of_union, elem_of_singleton.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
a
∈ ELMO_equivocating_validators
    (state_update ELMO_component sigma i s')
→ a ∈ ELMO_equivocating_validators sigma
  ∨ a = adr (state m)
  setoid_rewrite elem_of_filter; unfold is_equivocating; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
ELMO_global_equivocators
  (state_update ELMO_component sigma i s') a
∧ a ∈ list_to_set (map idx (enum index))
→ ELMO_global_equivocators sigma a
  ∧ a ∈ list_to_set (map idx (enum index))
  ∨ a = adr (state m)
  rewrite !ELMO_global_equivocators_iff_simple by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma i s') a
∧ a ∈ list_to_set (map idx (enum index))
→ global_equivocators_simple sigma a
  ∧ a ∈ list_to_set (map idx (enum index))
  ∨ a = adr (state m)
  intros [Heqv Hin].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
Heqv: global_equivocators_simple
  (state_update ELMO_component sigma i s') a
Hin: a ∈ list_to_set (map idx (enum index))
global_equivocators_simple sigma a
∧ a ∈ list_to_set (map idx (enum index))
∨ a = adr (state m)
  by eapply global_equivocators_simple_step_update_receive in Heqv as [Heqv | []];
    [left; split | right |].
Qed.

Lemma ELMO_equivocating_validators_step_update_Receive_already_Observed
  (i : index) (sigma : composite_state ELMO_component) (s' : State) (m : Message) :
  composite_constrained_state_prop ELMO_component sigma ->
  composite_has_been_directly_observed ELMO_component sigma m ->
  ELMO_component_RAM_transition i Receive (sigma i) s' m ->
    ELMO_equivocating_validators (state_update ELMO_component sigma i s')
      ⊆
    ELMO_equivocating_validators sigma.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
composite_constrained_state_prop ELMO_component sigma
→ composite_has_been_directly_observed ELMO_component
    sigma m
  → ELMO_component_RAM_transition i Receive (sigma i)
      s' m
    → ELMO_equivocating_validators
        (state_update ELMO_component sigma i s')
      ⊆ ELMO_equivocating_validators sigma
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
composite_constrained_state_prop ELMO_component sigma
→ composite_has_been_directly_observed ELMO_component
    sigma m
  → ELMO_component_RAM_transition i Receive (sigma i)
      s' m
    → ELMO_equivocating_validators
        (state_update ELMO_component sigma i s')
      ⊆ ELMO_equivocating_validators sigma
  intros Hsigma Hsent Ht.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  assert (Hte : input_valid_transition ReachELMO
    (existT i Receive) (sigma, Some m) (state_update ELMO_component sigma i s', None)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
input_valid_transition ReachELMO (existT i Receive)
  (sigma, Some m)
  (state_update ELMO_component sigma i s', None)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: input_valid_transition ReachELMO
  (existT i Receive) (sigma, Some m)
  (state_update ELMO_component sigma i s', None)
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
input_valid_transition ReachELMO (existT i Receive)
  (sigma, Some m)
  (state_update ELMO_component sigma i s', None)
    inversion Ht as [? ? ? [(_ & _ & Hvi) Hti] |]; inversion Hvi; inversion Hti.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
s1, s2: State
m0: Message
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(s', None)
H3: s1 = sigma i
H4: s2 = s'
H5: m0 = m
s: State
m1: Message
H6: ELMO_recv_valid (sigma i) m
H7: s = sigma i
H2: m1 = m
H9: sigma i <+> MkObservation Receive m = s'
input_valid_transition ReachELMO (existT i Receive)
  (sigma, Some m)
  (state_update ELMO_component sigma i
     (sigma i <+> MkObservation Receive m), None)
    by repeat split; [| apply any_message_is_valid_in_preloaded | constructor].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: input_valid_transition ReachELMO
  (existT i Receive) (sigma, Some m)
  (state_update ELMO_component sigma i s', None)
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  apply input_valid_transition_destination in Hte.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
ELMO_equivocating_validators
  (state_update ELMO_component sigma i s')
⊆ ELMO_equivocating_validators sigma
  intro a; setoid_rewrite elem_of_filter; unfold is_equivocating; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
ELMO_global_equivocators
  (state_update ELMO_component sigma i s') a
∧ a ∈ list_to_set (map idx (enum index))
→ ELMO_global_equivocators sigma a
  ∧ a ∈ list_to_set (map idx (enum index))
  rewrite !ELMO_global_equivocators_iff_simple by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma i s') a
∧ a ∈ list_to_set (map idx (enum index))
→ global_equivocators_simple sigma a
  ∧ a ∈ list_to_set (map idx (enum index))
  intros [Heqv]; split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
s': State
m: Message
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hsent: composite_has_been_directly_observed
  ELMO_component sigma m
Ht: ELMO_component_RAM_transition i Receive 
  (sigma i) s' m
Hte: valid_state_prop ReachELMO
  (state_update ELMO_component sigma i s')
a: Address
Heqv: global_equivocators_simple
  (state_update ELMO_component sigma i s') a
H2: a ∈ list_to_set (map idx (enum index))
global_equivocators_simple sigma a
  by eapply global_equivocators_simple_step_update_receive_already_observed.
Qed.

The following lemmas build towards proving that ELMO components are validating for the ELMO protocol.

If the state s is valid in the ELMO protocol, and s can take a valid transition involving a message m, then m is a valid message in the ELMO protocol.

Lemma ELMO_update_state_with_initial
  (s : composite_state ELMO_component)
  (Hs : valid_state_prop ELMOProtocol s)
  (i : index)
  (Heqv : (sum_weights (ELMO_equivocating_validators s ∪ {[ idx i ]}) <= threshold)%R)
  (si : State)
  (Hsi : initial_state_prop (ELMO_component i) si) :
    valid_state_prop ELMOProtocol (state_update ELMO_component s i si) /\
    ELMO_equivocating_validators (state_update ELMO_component s i si)
      ⊆
    ELMO_equivocating_validators s ∪ {[ idx i ]}.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
i: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i]}) <=
 threshold)%R
si: State
Hsi: initial_state_prop si
valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component s i si)
  ⊆ ELMO_equivocating_validators s ∪ {[idx i]}
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
i: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i]}) <=
 threshold)%R
si: State
Hsi: initial_state_prop si
valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component s i si)
  ⊆ ELMO_equivocating_validators s ∪ {[idx i]}
  assert (Hincl : VLSM_incl ELMOProtocol ReachELMO) by apply constrained_preloaded_incl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
i: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i]}) <=
 threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component s i si)
  ⊆ ELMO_equivocating_validators s ∪ {[idx i]}
  assert (Htr_min := ELMO_state_to_minimal_equivocation_trace_valid _ Hs).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
i: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i]}) <=
 threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
Htr_min: ∀ (Hs_pre :
   composite_constrained_state_prop
     ELMO_component s :=
   VLSM_incl_valid_state
     (constrained_preloaded_incl
        (free_composite_vlsm ELMO_component)
        ELMO_global_constraint) s Hs) 
  (is : composite_state ELMO_component) 
  (tr : list
          (composite_transition_item
             ELMO_component)),
  ELMO_state_to_minimal_equivocation_trace s
    Hs_pre = (is, tr)
  → finite_valid_trace_init_to ELMOProtocol
      is s tr
valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component s i si)
  ⊆ ELMO_equivocating_validators s ∪ {[idx i]}
  cbn in Htr_min; destruct (ELMO_state_to_minimal_equivocation_trace _ _)
    as [is_min tr_min] eqn: Heqtr_min; specialize (Htr_min _ _ eq_refl).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
Hs: valid_state_prop ELMOProtocol s
i: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i]}) <=
 threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
is_min: composite_state ELMO_component
tr_min: list
  (composite_transition_item ELMO_component)
Heqtr_min: ELMO_state_to_minimal_equivocation_trace s
  (VLSM_incl_valid_state
     (constrained_preloaded_incl
        (free_composite_vlsm
           ELMO_component)
        ELMO_global_constraint) s Hs) =
(is_min, tr_min)
Htr_min: finite_valid_trace_init_to ELMOProtocol
  is_min s tr_min
valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component s i si)
  ⊆ ELMO_equivocating_validators s ∪ {[idx i]}
  apply ELMO_state_to_minimal_equivocation_equivocating_validators in Heqtr_min
    as Hall; clear Hs Heqtr_min.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
i: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i]}) <=
 threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
is_min: composite_state ELMO_component
tr_min: list
  (composite_transition_item ELMO_component)
Htr_min: finite_valid_trace_init_to ELMOProtocol
  is_min s tr_min
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item)
     ⊆ ELMO_equivocating_validators s) tr_min
valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component s i si)
  ⊆ ELMO_equivocating_validators s ∪ {[idx i]}
  set (s_eqvs := ELMO_equivocating_validators s) in *; clearbody s_eqvs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: composite_state ELMO_component
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
is_min: composite_state ELMO_component
tr_min: list
  (composite_transition_item ELMO_component)
Htr_min: finite_valid_trace_init_to ELMOProtocol
  is_min s tr_min
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr_min
valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component s i si)
  ⊆ s_eqvs ∪ {[idx i]}
  induction Htr_min using finite_valid_trace_init_to_rev_ind.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0: VLSM.state ELMOProtocol
Hsi0: initial_state_prop si0
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) []
valid_state_prop ELMOProtocol
  (state_update ELMO_component si0 i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component si0 i si)
  ⊆ s_eqvs ∪ {[idx i]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
l: VLSM.label ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, iom) (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs)
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0: VLSM.state ELMOProtocol
Hsi0: initial_state_prop si0
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) []
valid_state_prop ELMOProtocol
  (state_update ELMO_component si0 i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component si0 i si)
  ⊆ s_eqvs ∪ {[idx i]}
    rewrite !state_update_id by (destruct (Hsi0 i), Hsi; apply eq_State; congruence).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0: VLSM.state ELMOProtocol
Hsi0: initial_state_prop si0
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) []
valid_state_prop ELMOProtocol si0
∧ ELMO_equivocating_validators si0
  ⊆ s_eqvs ∪ {[idx i]}
    split; [by apply initial_state_is_valid |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0: VLSM.state ELMOProtocol
Hsi0: initial_state_prop si0
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) []
ELMO_equivocating_validators si0 ⊆ s_eqvs ∪ {[idx i]}
    rewrite ELMO_initial_state_equivocating_validators by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0: VLSM.state ELMOProtocol
Hsi0: initial_state_prop si0
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) []
∅ ⊆ s_eqvs ∪ {[idx i]}
    by apply empty_subseteq.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
l: VLSM.label ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, iom) (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs)
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  rewrite Forall_app, Forall_singleton in Hall.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
l: VLSM.label ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, iom) (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
∧ ELMO_equivocating_validators
    (destination
       {|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  destruct Hall as [Hall Hsf_eqvs].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
l: VLSM.label ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, iom) (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  destruct (IHHtr_min Hall) as [Hsisi Heqvs].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
l: VLSM.label ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, iom) (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  apply input_valid_transition_origin in Ht as Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
l: VLSM.label ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, iom) (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop ELMOProtocol s
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  apply input_valid_transition_destination in Ht as Hsf.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
l: VLSM.label ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, iom) (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop ELMOProtocol s
Hsf: valid_state_prop ELMOProtocol sf
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  apply (VLSM_incl_valid_state Hincl) in Hs, Hsf.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
l: VLSM.label ELMOProtocol
Ht: input_valid_transition ELMOProtocol l (
  s, iom) (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  destruct l as [j lj].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Ht: input_valid_transition ELMOProtocol 
  (existT j lj) (s, iom) (
  sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  destruct (decide (j = i)); subst; [by destruct Ht as [(_ & _ & [Hv _]) Ht];
    inversion Hv; subst; inversion Ht; subst; rewrite state_update_twice |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Ht: input_valid_transition ELMOProtocol 
  (existT j lj) (s, iom) (
  sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  apply (VLSM_incl_input_valid_transition Hincl) in Ht as Ht_pre.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Ht: input_valid_transition ELMOProtocol 
  (existT j lj) (s, iom) (
  sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  destruct Ht as [(_ & Hm & Hv & Hc) Ht].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  assert (Ht' :
    composite_transition ELMO_component (existT j lj) (state_update ELMO_component s i si, iom)
    = (state_update ELMO_component sf i si, oom)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
composite_transition ELMO_component (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
composite_transition ELMO_component (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
    cbn in *; state_update_simpl; destruct UMO_component_transition; inversion Ht; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
s0: BaseELMO.State
Hc: match lj with
| Receive =>
    ELMO_not_heavy
      (state_update ELMO_component s j s0)
| Send => True
end
Ht: (state_update ELMO_component s j s0, oom) =
(state_update ELMO_component s j s0, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s j s0)
⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s j s0)
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom)
  (state_update ELMO_component s j s0, oom)
(state_update ELMO_component
   (state_update ELMO_component s i si) j s0, oom) =
(state_update ELMO_component
   (state_update ELMO_component s j s0) i si, oom)
    by rewrite state_update_twice_neq.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
  cut (ELMO_equivocating_validators (state_update ELMO_component sf i si) ⊆
        ELMO_equivocating_validators sf ∪ {[ idx i ]}).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component sf i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component sf i si)
    ⊆ s_eqvs ∪ {[idx i]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component sf i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component sf i si)
    ⊆ s_eqvs ∪ {[idx i]}
    intro Hsfisi_eqvs'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
    assert (Hsfisi_eqvs :
      ELMO_equivocating_validators (state_update ELMO_component sf i si) ⊆ s_eqvs ∪ {[ idx i ]}).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
      etransitivity; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
ELMO_equivocating_validators sf ∪ {[idx i]}
⊆ s_eqvs ∪ {[idx i]}
      by apply union_subseteq; split; [apply union_subseteq_l' | apply union_subseteq_r'].
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
∧ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
  ⊆ s_eqvs ∪ {[idx i]}
    split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
valid_state_prop ELMOProtocol
  (state_update ELMO_component sf i si)
    cut (input_valid_transition ELMOProtocol (existT j lj)
      (state_update ELMO_component s i si, iom) (state_update ELMO_component sf i si, oom));
      [by intro; eapply input_valid_transition_destination |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
input_valid_transition ELMOProtocol (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si, oom)
    repeat split; [done | done | by cbn; state_update_simpl | | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
ELMO_global_constraint (existT j lj)
  (state_update ELMO_component s i si, iom)
    destruct lj; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j Receive) (s, iom)
Hc: ELMO_global_constraint 
  (existT j Receive) (s, iom)
Ht: transition (existT j Receive) (s, iom) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j Receive;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j Receive) (
  s, iom) (sf, oom)
Ht': composite_transition ELMO_component
  (existT j Receive)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
ELMO_global_constraint (existT j Receive)
  (state_update ELMO_component s i si, iom)
    unfold ELMO_global_constraint.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j Receive) (s, iom)
Hc: ELMO_global_constraint 
  (existT j Receive) (s, iom)
Ht: transition (existT j Receive) (s, iom) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j Receive;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j Receive) (
  s, iom) (sf, oom)
Ht': composite_transition ELMO_component
  (existT j Receive)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
let (s', _) :=
  composite_transition ELMO_component
    (existT j Receive)
    (state_update ELMO_component s i si, iom) in
ELMO_not_heavy s'
    replace (composite_transition _ _ _) with (state_update ELMO_component sf i si, oom).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j Receive) (s, iom)
Hc: ELMO_global_constraint 
  (existT j Receive) (s, iom)
Ht: transition (existT j Receive) (s, iom) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j Receive;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j Receive) (
  s, iom) (sf, oom)
Ht': composite_transition ELMO_component
  (existT j Receive)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
ELMO_not_heavy (state_update ELMO_component sf i si)
    unfold ELMO_not_heavy, not_heavy; etransitivity; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j Receive) (s, iom)
Hc: ELMO_global_constraint 
  (existT j Receive) (s, iom)
Ht: transition (existT j Receive) (s, iom) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j Receive;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j Receive) (
  s, iom) (sf, oom)
Ht': composite_transition ELMO_component
  (existT j Receive)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
(equivocation_fault
   (state_update ELMO_component sf i si) <=
 sum_weights (s_eqvs ∪ {[idx i]}))%R
    apply sum_weights_subseteq; [by apply NoDup_elements.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j Receive) (s, iom)
Hc: ELMO_global_constraint 
  (existT j Receive) (s, iom)
Ht: transition (existT j Receive) (s, iom) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j Receive;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j Receive) (
  s, iom) (sf, oom)
Ht': composite_transition ELMO_component
  (existT j Receive)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Hsfisi_eqvs': ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf
  ∪ {[idx i]}
Hsfisi_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
equivocating_validators
  (state_update ELMO_component sf i si)
⊆ s_eqvs ∪ {[idx i]}
    by intro; apply Hsfisi_eqvs.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  apply (VLSM_incl_finite_valid_trace_init_to Hincl) in Htr_min as Htr_min_pre.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  apply (VLSM_incl_valid_state Hincl) in Hsisi as Hsisi_pre.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  assert (finite_valid_trace_init_to ReachELMO si0 sf
    (tr ++ [Build_transition_item (composite_type ELMO_component) (existT j lj) iom sf oom])).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
    split; [| by apply Htr_min].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
finite_valid_trace_from_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
    apply valid_trace_add_last; [| by apply finite_trace_last_is_last].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
finite_valid_trace_from ReachELMO si0
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
    eapply (extend_right_finite_trace_from ReachELMO);
      [by eapply valid_trace_forget_last, Htr_min_pre |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
input_valid_transition ReachELMO (existT j lj)
  (finite_trace_last si0 tr, iom) (sf, oom)
    replace (finite_trace_last _ _) with s; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
s = finite_trace_last si0 tr
    by apply valid_trace_get_last in Htr_min.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  assert (Hpre_tisi : input_valid_transition ReachELMO (existT j lj)
    (state_update ELMO_component s i si, iom) (state_update ELMO_component sf i si, oom)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
input_valid_transition ReachELMO (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si, oom)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
input_valid_transition ReachELMO (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si, oom)
    repeat split; [done | .. | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
option_valid_message_prop ReachELMO iom
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
valid (existT j lj)
  (state_update ELMO_component s i si, iom)
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
option_valid_message_prop ReachELMO iom by apply any_message_is_valid_in_preloaded.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
valid (existT j lj)
  (state_update ELMO_component s i si, iom) by cbn; state_update_simpl.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  apply input_valid_transition_destination in Hpre_tisi as Hpre_sfisi.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
ELMO_equivocating_validators
  (state_update ELMO_component sf i si)
⊆ ELMO_equivocating_validators sf ∪ {[idx i]}
  intros a Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
a: Address
Ha: a
∈ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
a ∈ ELMO_equivocating_validators sf ∪ {[idx i]}
  apply ELMO_equivocating_validators_are_Message_validators in Ha as Hmeqv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
a: Address
Ha: a
∈ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
Hmeqv: ∃ v : Message_validator idx, `v = a
a ∈ ELMO_equivocating_validators sf ∪ {[idx i]}
  destruct Hmeqv as [v <-].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
Ha: `v
∈ ELMO_equivocating_validators
    (state_update ELMO_component sf i si)
`v ∈ ELMO_equivocating_validators sf ∪ {[idx i]}
  revert Ha; unfold ELMO_equivocating_validators, equivocating_validators.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
`v
∈ filter
    (λ v : Address,
       is_equivocating
         (state_update ELMO_component sf i si) v)
    (state_validators
       (state_update ELMO_component sf i si))
→ `v
  ∈ filter (λ v : Address, is_equivocating sf v)
      (state_validators sf) ∪ {[idx i]}
  rewrite elem_of_union, elem_of_singleton, !elem_of_filter.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
is_equivocating (state_update ELMO_component sf i si)
  (`v)
∧ `v
  ∈ state_validators
      (state_update ELMO_component sf i si)
→ is_equivocating sf (`v) ∧ `v ∈ state_validators sf
  ∨ `v = idx i
  unfold is_equivocating; cbn; rewrite !ELMO_global_equivocators_iff_simple by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
global_equivocators_simple
  (state_update ELMO_component sf i si) (`v)
∧ `v ∈ list_to_set (map idx (enum index))
→ global_equivocators_simple sf (`v)
  ∧ `v ∈ list_to_set (map idx (enum index))
  ∨ `v = idx i
  intros [[ges_m ges_adr [k Hrcv] ges_not_sent] Ha].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k)
  (state_update ELMO_component sf i si k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
global_equivocators_simple sf (`v)
∧ `v ∈ list_to_set (map idx (enum index)) ∨ `v = idx i
  assert (k <> i); [intros -> |]; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
Hrcv: has_been_received (ELMO_component i) si ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
False
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
H3: k ≠ i
global_equivocators_simple sf (`v)
∧ `v ∈ list_to_set (map idx (enum index)) ∨ 
`v = idx i
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
Hrcv: has_been_received (ELMO_component i) si ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
False
    by cbn in Hrcv; replace si with (MkState [] (idx i)) in Hrcv;
      [inversion Hrcv | apply eq_State; symmetry; apply Hsi].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
H3: k ≠ i
global_equivocators_simple sf (`v)
∧ `v ∈ list_to_set (map idx (enum index)) ∨ `v = idx i
  cut (~ composite_has_been_sent ELMO_component sf ges_m \/ `v = idx i).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
H3: k ≠ i
¬ composite_has_been_sent ELMO_component sf ges_m
∨ `v = idx i
→ global_equivocators_simple sf (`v)
  ∧ `v ∈ list_to_set (map idx (enum index))
  ∨ `v = idx i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
H3: k ≠ i
¬ composite_has_been_sent ELMO_component sf ges_m
∨ `v = idx i
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
H3: k ≠ i
¬ composite_has_been_sent ELMO_component sf ges_m
∨ `v = idx i
→ global_equivocators_simple sf (`v)
  ∧ `v ∈ list_to_set (map idx (enum index))
  ∨ `v = idx i
    intros []; [| by right].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
H3: k ≠ i
H4: ¬ composite_has_been_sent ELMO_component sf ges_m
global_equivocators_simple sf (`v)
∧ `v ∈ list_to_set (map idx (enum index)) ∨ `v = idx i
    left; split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
H3: k ≠ i
H4: ¬ composite_has_been_sent ELMO_component sf ges_m
global_equivocators_simple sf (`v)
    by econstructor; [| eexists |].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
Ha: `v ∈ list_to_set (map idx (enum index))
H3: k ≠ i
¬ composite_has_been_sent ELMO_component sf ges_m
∨ `v = idx i
  apply elem_of_list_to_set, elem_of_list_fmap in Ha as (i_a & Ha & _).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: initial_state_prop si
Hincl: VLSM_incl ELMOProtocol ReachELMO
si0, s: VLSM.state ELMOProtocol
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: VLSM.state ELMOProtocol
iom, oom: option Message
j: index
lj: VLSM.label (ELMO_component j)
Hm: option_valid_message_prop ELMOProtocol iom
Hv: valid (existT j lj) (s, iom)
Hc: ELMO_global_constraint (existT j lj) (s, iom)
Ht: transition (existT j lj) (s, iom) = (sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators
  (destination
     {|
       l := existT j lj;
       input := iom;
       destination := sf;
       output := oom
     |}) ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': composite_transition ELMO_component
  (existT j lj)
  (state_update ELMO_component s i si, iom) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: has_been_received (ELMO_component k) 
  (sf k) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
¬ composite_has_been_sent ELMO_component sf ges_m
∨ `v = idx i
  cbn in *; rewrite Ha.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
¬ composite_has_been_sent ELMO_component sf ges_m
∨ idx i_a = idx i
  destruct (decide (i_a = i)); [by subst; right | left].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sf i
       si) ges_m
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
¬ composite_has_been_sent ELMO_component sf ges_m
  contradict ges_not_sent.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: composite_has_been_sent ELMO_component
  sf ges_m
composite_has_been_sent ELMO_component
  (state_update ELMO_component sf i si) ges_m
  eapply has_been_sent_iff_by_sender in ges_not_sent; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: composite_has_been_sent ELMO_component
  sf ges_m
H4: ∀ (IM : index → VLSM Message) 
  (H0 : ∀ i : index, HasBeenSentCapability (IM i)) 
  (validator : Type) (A : validator → index) 
  (sender : Message → option validator),
  sender_safety_alt_prop IM A sender
  → ∀ (is
       s : VLSM.state
             (preloaded_with_all_messages_vlsm
                (free_composite_vlsm IM))) 
      (tr : list transition_item),
      finite_constrained_trace_init_to
        (free_composite_vlsm IM) is s tr
      → ∀ (m : Message) (v : validator),
          sender m = Some v
          → composite_has_been_sent IM s m
            → has_been_sent 
                (IM (A v)) 
                (s (A v)) m
sender_safety_alt_prop ELMO_component ?A ?sender
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: composite_has_been_sent ELMO_component
  sf ges_m
H4: ∀ (IM : index → VLSM Message) 
  (H0 : ∀ i : index, HasBeenSentCapability (IM i)) 
  (validator : Type) (A : validator → index) 
  (sender : Message → option validator),
  sender_safety_alt_prop IM A sender
  → ∀ (is
       s : VLSM.state
             (preloaded_with_all_messages_vlsm
                (free_composite_vlsm IM))) 
      (tr : list transition_item),
      finite_constrained_trace_init_to
        (free_composite_vlsm IM) is s tr
      → ∀ (m : Message) (v : validator),
          sender m = Some v
          → composite_has_been_sent IM s m
            → has_been_sent 
                (IM (A v)) 
                (s (A v)) m
finite_constrained_trace_init_to
  (free_composite_vlsm ELMO_component) 
  ?is sf ?tr
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: composite_has_been_sent ELMO_component
  sf ges_m
H4: ∀ (IM : index → VLSM Message) 
  (H0 : ∀ i : index, HasBeenSentCapability (IM i)) 
  (validator : Type) (A : validator → index) 
  (sender : Message → option validator),
  sender_safety_alt_prop IM A sender
  → ∀ (is
       s : VLSM.state
             (preloaded_with_all_messages_vlsm
                (free_composite_vlsm IM))) 
      (tr : list transition_item),
      finite_constrained_trace_init_to
        (free_composite_vlsm IM) is s tr
      → ∀ (m : Message) (v : validator),
          sender m = Some v
          → composite_has_been_sent IM s m
            → has_been_sent 
                (IM (A v)) 
                (s (A v)) m
?sender ges_m = Some ?v
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: has_been_sent (ELMO_component (?A ?v))
  (sf (?A ?v)) ges_m
composite_has_been_sent ELMO_component
  (state_update ELMO_component sf i si) ges_m
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: composite_has_been_sent ELMO_component
  sf ges_m
H4: ∀ (IM : index → VLSM Message) 
  (H0 : ∀ i : index, HasBeenSentCapability (IM i)) 
  (validator : Type) (A : validator → index) 
  (sender : Message → option validator),
  sender_safety_alt_prop IM A sender
  → ∀ (is
       s : VLSM.state
             (preloaded_with_all_messages_vlsm
                (free_composite_vlsm IM))) 
      (tr : list transition_item),
      finite_constrained_trace_init_to
        (free_composite_vlsm IM) is s tr
      → ∀ (m : Message) (v : validator),
          sender m = Some v
          → composite_has_been_sent IM s m
            → has_been_sent 
                (IM (A v)) 
                (s (A v)) m
sender_safety_alt_prop ELMO_component ?A ?sender by apply channel_authentication_sender_safety, ELMO_channel_authentication_prop.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: composite_has_been_sent ELMO_component
  sf ges_m
H4: ∀ (IM : index → VLSM Message) 
  (H0 : ∀ i : index, HasBeenSentCapability (IM i)) 
  (validator : Type) (A : validator → index) 
  (sender : Message → option validator),
  sender_safety_alt_prop IM A sender
  → ∀ (is
       s : VLSM.state
             (preloaded_with_all_messages_vlsm
                (free_composite_vlsm IM))) 
      (tr : list transition_item),
      finite_constrained_trace_init_to
        (free_composite_vlsm IM) is s tr
      → ∀ (m : Message) (v : validator),
          sender m = Some v
          → composite_has_been_sent IM s m
            → has_been_sent 
                (IM (A v)) 
                (s (A v)) m
finite_constrained_trace_init_to
  (free_composite_vlsm ELMO_component) ?is sf ?tr done.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: composite_has_been_sent ELMO_component
  sf ges_m
H4: ∀ (IM : index → VLSM Message) 
  (H0 : ∀ i : index, HasBeenSentCapability (IM i)) 
  (validator : Type) (A : validator → index) 
  (sender : Message → option validator),
  sender_safety_alt_prop IM A sender
  → ∀ (is
       s : VLSM.state
             (preloaded_with_all_messages_vlsm
                (free_composite_vlsm IM))) 
      (tr : list transition_item),
      finite_constrained_trace_init_to
        (free_composite_vlsm IM) is s tr
      → ∀ (m : Message) (v : validator),
          sender m = Some v
          → composite_has_been_sent IM s m
            → has_been_sent 
                (IM (A v)) 
                (s (A v)) m
Message_sender idx ges_m = Some ?v by apply Message_sender_Some_adr_iff.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj
     (state_update ELMO_component s i si j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: has_been_sent
  (ELMO_component
     (Message_sender_index idx v))
  (sf (Message_sender_index idx v))
  ges_m
composite_has_been_sent ELMO_component
  (state_update ELMO_component sf i si) ges_m exists i_a; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s_eqvs: listset Address
Heqv: (sum_weights (s_eqvs ∪ {[idx i]}) <= threshold)%R
si: State
Hsi: UMO_component_initial_state_prop (idx i) si
Hincl: VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine FreeELMO
     (λ _ : Message, True))
si0, s: composite_state ELMO_component
tr: list transition_item
Htr_min: finite_valid_trace_init_to ELMOProtocol si0
  s tr
sf: composite_state ELMO_component
iom, oom: option Message
j: index
lj: Label
Hm: option_valid_message_prop ELMOProtocol iom
Hv: ELMO_component_valid lj (s j) iom
Hc: match lj with
| Receive =>
    let (s', _) :=
      let (si', om') :=
        UMO_component_transition lj (s j) iom in
      (state_update ELMO_component s j si', om') in
    ELMO_not_heavy s'
| Send => True
end
Ht: (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component s j si', om')) =
(sf, oom)
Hall: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
Hsf_eqvs: ELMO_equivocating_validators sf ⊆ s_eqvs
IHHtr_min: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (destination item) ⊆ s_eqvs) tr
→ valid_state_prop ELMOProtocol
    (state_update ELMO_component s i si)
  ∧ ELMO_equivocating_validators
      (state_update ELMO_component s i si)
    ⊆ s_eqvs ∪ {[idx i]}
Hsisi: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i si)
Heqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ s_eqvs ∪ {[idx i]}
Hs: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} s
Hsf: valid_state_prop
  {|
    vlsm_type := composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} sf
n: j ≠ i
Ht_pre: input_valid_transition
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (existT j lj) (s, iom) (
  sf, oom)
Ht': (let (si', om') :=
   UMO_component_transition lj (s j) iom in
 (state_update ELMO_component
    (state_update ELMO_component s i si) j si',
  om')) =
(state_update ELMO_component sf i si, oom)
Htr_min_pre: finite_valid_trace_init_to
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} si0 s tr
Hsisi_pre: valid_state_prop
  {|
    vlsm_type :=
      composite_type ELMO_component;
    vlsm_machine :=
      preloaded_vlsm_machine FreeELMO
        (λ _ : Message, True)
  |} (state_update ELMO_component s i si)
H2: finite_valid_trace_init_to ReachELMO si0 sf
  (tr ++
   [{|
      l := existT j lj;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hpre_tisi: input_valid_transition ReachELMO
  (existT j lj)
  (state_update ELMO_component s i si, iom)
  (state_update ELMO_component sf i si,
   oom)
Hpre_sfisi: valid_state_prop ReachELMO
  (state_update ELMO_component sf i si)
v: Message_validator idx
ges_m: Message
ges_adr: adr (state ges_m) = `v
k: index
Hrcv: ges_m ∈ receivedMessages (sf k)
i_a: index
Ha: `v = idx i_a
H3: k ≠ i
n0: i_a ≠ i
ges_not_sent: has_been_sent
  (ELMO_component
     (Message_sender_index idx v))
  (sf (Message_sender_index idx v))
  ges_m
has_been_sent (ELMO_component i_a) (sf i_a) ges_m
    by apply Message_sender_index_inv in Ha as <-.
Qed.

Lemma ELMO_valid_states_only_receive_valid_messages :
  forall s : VLSM.state ELMOProtocol,
    valid_state_prop ELMOProtocol s ->
  forall (i : index) (l : Label) (s' : VLSM.state ELMOProtocol) (m : Message),
    ELMOProtocol_valid_transition i l s s' m ->
    valid_message_prop ELMOProtocol m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : VLSM.state ELMOProtocol,
  valid_state_prop ELMOProtocol s
  → ∀ (i : index) (l : Label) (s' : VLSM.state
                                      ELMOProtocol) 
      (m : Message),
      ELMOProtocol_valid_transition i l s s' m
      → valid_message_prop ELMOProtocol m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ s : VLSM.state ELMOProtocol,
  valid_state_prop ELMOProtocol s
  → ∀ (i : index) (l : Label) (s' : VLSM.state
                                      ELMOProtocol) 
      (m : Message),
      ELMOProtocol_valid_transition i l s s' m
      → valid_message_prop ELMOProtocol m
  intros s Hs i l s' m Hvalid.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
l: Label
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i l s s' m
valid_message_prop ELMOProtocol m
  inversion Hvalid as [? ? ? ? Hreceive | ? ? ? ? Hsend]; subst; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Send s s' m
Hsend: valid_transition ELMOProtocol 
  (existT i Send) s None s' 
  (Some m)
valid_message_prop ELMOProtocol m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hreceive: valid_transition ELMOProtocol
  (existT i Receive) s 
  (Some m) s' None
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Send s s' m
Hsend: valid_transition ELMOProtocol 
  (existT i Send) s None s' 
  (Some m)
valid_message_prop ELMOProtocol m
    apply emitted_messages_are_valid.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Send s s' m
Hsend: valid_transition ELMOProtocol 
  (existT i Send) s None s' 
  (Some m)
can_emit ELMOProtocol m
    exists (s, None), (existT i Send), s'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Send s s' m
Hsend: valid_transition ELMOProtocol 
  (existT i Send) s None s' 
  (Some m)
input_valid_transition ELMOProtocol (existT i Send)
  (s, None) (s', Some m)
    by repeat split; [| apply option_valid_message_None | apply Hsend..].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hreceive: valid_transition ELMOProtocol
  (existT i Receive) s 
  (Some m) s' None
valid_message_prop ELMOProtocol m
  assert (Hincl : VLSM_incl ELMOProtocol ReachELMO) by apply constrained_preloaded_incl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hreceive: valid_transition ELMOProtocol
  (existT i Receive) s 
  (Some m) s' None
Hincl: VLSM_incl ELMOProtocol ReachELMO
valid_message_prop ELMOProtocol m
  destruct (decide (composite_has_been_sent ELMO_component s m)) as [| Hnsnd];
    [by eapply sent_valid |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hreceive: valid_transition ELMOProtocol
  (existT i Receive) s 
  (Some m) s' None
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
valid_message_prop ELMOProtocol m
  destruct Hreceive as [[Hv Hc] Ht]; inversion Hv as [? ? Hrcv |]; subst; inversion Ht.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
valid_message_prop ELMOProtocol m
  assert (Hm_eqv : global_equivocators_simple s' (adr (state m))).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
global_equivocators_simple s' (adr (state m))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
global_equivocators_simple s' (adr (state m))
    subst; constructor 1 with m; [done | |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
composite_has_been_received ELMO_component
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) m
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
composite_has_been_received ELMO_component
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m by exists i; cbn; state_update_simpl; left.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) m intros [i_m Hsnd]; apply Hnsnd; exists i_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
i_m: index
Hsnd: has_been_sent (ELMO_component i_m)
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m) i_m) m
has_been_sent (ELMO_component i_m) (s i_m) m
      by destruct (decide (i_m = i)); subst; state_update_simpl.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
valid_message_prop ELMOProtocol m
  assert (Hs'_eqv : forall a,
    global_equivocators_simple s' a
      <->
    a = adr (state m) \/ global_equivocators_simple s a).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m) ∨ global_equivocators_simple s a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m) ∨ global_equivocators_simple s a
    intro a; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
a: Address
global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) a
↔ a = adr (state m) ∨ global_equivocators_simple s a
    erewrite global_equivocators_simple_step_update_receive with (m := m); [by itauto |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
a: Address
ELMO_component_RAM_transition i Receive (s i)
  (s i <+> MkObservation Receive m) m
    constructor; repeat split; [| | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
a: Address
valid_state_prop
  (preloaded_with_all_messages_vlsm (ELMO_component i))
  (s i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
a: Address
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (ELMO_component i))
  (Some m)
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
a: Address
valid_state_prop
  (preloaded_with_all_messages_vlsm (ELMO_component i))
  (s i) by eapply valid_state_project_preloaded.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
a: Address
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (ELMO_component i))
  (Some m) by apply any_message_is_valid_in_preloaded.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
valid_message_prop ELMOProtocol m
  apply (VLSM_incl_valid_state Hincl) in Hs as Hs_pre.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
valid_message_prop ELMOProtocol m
  assert (Hs' : composite_constrained_state_prop ELMO_component s').Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
composite_constrained_state_prop ELMO_component s'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
composite_constrained_state_prop ELMO_component s'
    apply valid_state_prop_iff; right.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
∃ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm ELMO_component))) 
  (som : VLSM.state
           (preloaded_with_all_messages_vlsm
              (free_composite_vlsm ELMO_component)) *
         option Message) (om' : option Message),
  input_valid_transition
    (preloaded_with_all_messages_vlsm
       (free_composite_vlsm ELMO_component)) l som
    (s', om')
    by exists (existT i Receive), (s, Some m), None; repeat split;
      [| apply any_message_is_valid_in_preloaded | ..].
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
valid_message_prop ELMOProtocol m
  pose (H_rcv := Hrcv); destruct H_rcv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
valid_message_prop ELMOProtocol m
  apply ELMO_msg_valid_full_has_sender in ELMO_mv_msg_valid_full0 as Hsender.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
Hsender: MessageHasSender m
valid_message_prop ELMOProtocol m
  destruct Hsender as [i_m Hsender].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
valid_message_prop ELMOProtocol m
  assert (Heqv :
    (sum_weights (ELMO_equivocating_validators s ∪ {[ idx i_m ]}) <= threshold)%R).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
(sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i_m]}) <=
 threshold)%R
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
(sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i_m]}) <=
 threshold)%R
    etransitivity; [| apply Hc].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
(sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i_m]}) <=
 equivocation_fault
   (state_update ELMO_component s i
      (s i <+> MkObservation Receive m)))%R
    apply sum_weights_subseteq; [by apply NoDup_elements.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
ELMO_equivocating_validators s ∪ {[idx i_m]}
⊆ equivocating_validators
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m))
    intro a; rewrite elem_of_union, elem_of_singleton.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
a ∈ ELMO_equivocating_validators s ∨ a = idx i_m
→ a
  ∈ equivocating_validators
      (state_update ELMO_component s i
         (s i <+> MkObservation Receive m))
    unfold ELMO_equivocating_validators, equivocating_validators.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
a
∈ filter (λ v : Address, is_equivocating s v)
    (state_validators s) ∨ a = idx i_m
→ a
  ∈ filter
      (λ v : Address,
         is_equivocating
           (state_update ELMO_component s i
              (s i <+> MkObservation Receive m)) v)
      (state_validators
         (state_update ELMO_component s i
            (s i <+> MkObservation Receive m)))
    rewrite !elem_of_filter.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
is_equivocating s a ∧ a ∈ state_validators s
∨ a = idx i_m
→ is_equivocating
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ∧ a
    ∈ state_validators
        (state_update ELMO_component s i
           (s i <+> MkObservation Receive m))
    destruct (decide (a = adr (state m))).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
e: a = adr (state m)
is_equivocating s a ∧ a ∈ state_validators s
∨ a = idx i_m
→ is_equivocating
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ∧ a
    ∈ state_validators
        (state_update ELMO_component s i
           (s i <+> MkObservation Receive m))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
n: a ≠ adr (state m)
is_equivocating s a ∧ a ∈ state_validators s
∨ a = idx i_m
→ is_equivocating
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ∧ a
    ∈ state_validators
        (state_update ELMO_component s i
        (s i <+> MkObservation Receive m))
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
e: a = adr (state m)
is_equivocating s a ∧ a ∈ state_validators s
∨ a = idx i_m
→ is_equivocating
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ∧ a
    ∈ state_validators
        (state_update ELMO_component s i
           (s i <+> MkObservation Receive m)) subst; split; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
H2: is_equivocating s (adr (state m))
∧ adr (state m) ∈ state_validators s
∨ adr (state m) = idx i_m
ELMO_global_equivocators
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
H2: is_equivocating s (adr (state m))
∧ adr (state m) ∈ state_validators s
∨ adr (state m) = idx i_m
adr (state m) ∈ list_to_set (map idx (enum index))
      +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
H2: is_equivocating s (adr (state m))
∧ adr (state m) ∈ state_validators s
∨ adr (state m) = idx i_m
ELMO_global_equivocators
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m)) by apply ELMO_global_equivocators_iff_simple.
      +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
H2: is_equivocating s (adr (state m))
∧ adr (state m) ∈ state_validators s
∨ adr (state m) = idx i_m
adr (state m) ∈ list_to_set (map idx (enum index)) by apply elem_of_list_to_set, elem_of_list_fmap; eexists; split; [| apply elem_of_enum].
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
n: a ≠ adr (state m)
is_equivocating s a ∧ a ∈ state_validators s
∨ a = idx i_m
→ is_equivocating
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ∧ a
    ∈ state_validators
        (state_update ELMO_component s i
           (s i <+> MkObservation Receive m)) intros [[] |]; [| by congruence]; split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
n: a ≠ adr (state m)
H2: is_equivocating s a
H4: a ∈ state_validators s
is_equivocating
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) a
      subst; apply ELMO_global_equivocators_iff_simple, Hs'_eqv; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m)) m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(state_update ELMO_component s i
   (s i <+> MkObservation Receive m), None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component s i
       (s i <+> MkObservation Receive m)) a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hm_eqv: global_equivocators_simple
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
  (adr (state m))
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i
     (s i <+> MkObservation Receive m))
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
a: Address
n: a ≠ adr (state m)
H2: is_equivocating s a
H4: a ∈ state_validators s
a = adr (state m) ∨ global_equivocators_simple s a
      by right; apply ELMO_global_equivocators_iff_simple.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
valid_message_prop ELMOProtocol m
  assert (His : initial_state_prop (ELMO_component i_m) (MkState [] (idx i_m))) by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
valid_message_prop ELMOProtocol m
  destruct (ELMO_update_state_with_initial _ Hs _ Heqv _ His) as [Hsimis Hsimis_eqvs].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
valid_message_prop ELMOProtocol m
  eapply valid_state_project_preloaded with (i := i) in Hs as Hsi_pre.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
valid_message_prop ELMOProtocol m
  replace m with (MkMessage (state m)) in Hrcv by (destruct m; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
valid_message_prop ELMOProtocol m
  pose proof (Hm := receivable_messages_reachable _ _ _ _ Hsender Hsi_pre Hrcv).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
Hm: constrained_state_prop 
  (ELMO_component i_m) 
  (state m)
valid_message_prop ELMOProtocol m
  apply valid_state_has_trace in Hm as (is_m & tr_m & Htr_m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
valid_message_prop ELMOProtocol m
  assert (Hall_messages_observed :
    Forall (fun item => forall m, item_sends_or_receives m item -> m ∈ messages (s i)) tr_m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → m ∈ messages (s i)) tr_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → m ∈ messages (s i)) tr_m
    apply Forall_forall; intros item Hitem dm Hobs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
item: transition_item
Hitem: item ∈ tr_m
dm: Message
Hobs: item_sends_or_receives dm item
dm ∈ messages (s i)
    eapply elem_of_submseteq; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
item: transition_item
Hitem: item ∈ tr_m
dm: Message
Hobs: item_sends_or_receives dm item
dm ∈ messages (state m)
    apply elem_of_messages.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
item: transition_item
Hitem: item ∈ tr_m
dm: Message
Hobs: item_sends_or_receives dm item
dm ∈ sentMessages (state m)
∨ dm ∈ receivedMessages (state m)
    change (has_been_directly_observed (ELMO_component i_m) (state m) dm).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
item: transition_item
Hitem: item ∈ tr_m
dm: Message
Hobs: item_sends_or_receives dm item
has_been_directly_observed (ELMO_component i_m)
  (state m) dm
    eapply has_been_directly_observed_examine_one_trace; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
item: transition_item
Hitem: item ∈ tr_m
dm: Message
Hobs: item_sends_or_receives dm item
trace_has_message item_sends_or_receives dm tr_m
    by apply Exists_exists; eexists.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
valid_message_prop ELMOProtocol m
  assert (Hall_messages_valid :
    Forall (fun item => forall m, item_sends_or_receives m item ->
      valid_message_prop ELMOProtocol m) tr_m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → valid_message_prop ELMOProtocol m) tr_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → valid_message_prop ELMOProtocol m) tr_m
    eapply Forall_impl; cbn; [by apply Hall_messages_observed |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
∀ x : transition_item,
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → m ∈ messages (s i)) x
  → ∀ m : Message,
      input x = Some m ∨ output x = Some m
      → valid_message_prop ELMOProtocol m
    intros item Hobs dm Hdm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
item: transition_item
Hobs: (λ item : transition_item,
   ∀ m : Message,
     item_sends_or_receives m item
     → m ∈ messages (s i)) item
dm: Message
Hdm: input item = Some dm ∨ output item = Some dm
valid_message_prop ELMOProtocol dm
    eapply directly_observed_valid; [by apply Hs |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
item: transition_item
Hobs: (λ item : transition_item,
   ∀ m : Message,
     item_sends_or_receives m item
     → m ∈ messages (s i)) item
dm: Message
Hdm: input item = Some dm ∨ output item = Some dm
has_been_directly_observed ELMOProtocol s dm
    by apply Hobs, elem_of_messages in Hdm as []; [left | right]; eexists i.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
valid_message_prop ELMOProtocol m
  assert (Heqis_m : is_m = MkState [] (idx i_m))
    by (destruct is_m, Htr_m as [_ []]; cbn in *; subst; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
valid_message_prop ELMOProtocol m
  assert (Hall_bounded_eqv :
    Forall (fun item =>
      ELMO_equivocating_validators (lift_to_composite_state ELMO_component s i_m (destination item))
        ⊆
      ELMO_equivocating_validators s ∪ {[ idx i_m ]})
        tr_m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s ∪ {[idx i_m]})
  tr_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s ∪ {[idx i_m]})
  tr_m
    assert (Hall_reachable :
      Forall (fun item =>
        composite_constrained_state_prop ELMO_component
          ((state_update ELMO_component s i_m item))) (is_m :: map destination tr_m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Forall
  (λ item : VLSM.state (ELMO_component i_m),
     composite_constrained_state_prop ELMO_component
       (state_update ELMO_component s i_m item))
  (is_m :: map destination tr_m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_reachable: Forall
  (λ item : 
      VLSM.state 
        (ELMO_component i_m),
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
        i_m item))
  (is_m :: map destination tr_m)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators s ∪ {[idx i_m]})
  tr_m
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Forall
  (λ item : VLSM.state (ELMO_component i_m),
     composite_constrained_state_prop ELMO_component
       (state_update ELMO_component s i_m item))
  (is_m :: map destination tr_m)
      apply (VLSM_incl_valid_state Hincl) in Hsimis as Hsimis_pre.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Forall
  (λ item : VLSM.state (ELMO_component i_m),
     composite_constrained_state_prop ELMO_component
       (state_update ELMO_component s i_m item))
  (is_m :: map destination tr_m)
      destruct Htr_m as [Htr_m _].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Forall
  (λ item : VLSM.state (ELMO_component i_m),
     composite_constrained_state_prop ELMO_component
       (state_update ELMO_component s i_m item))
  (is_m :: map destination tr_m)
      apply (VLSM_weak_embedding_finite_valid_trace_from_to
        (lift_to_preloaded_free_weak_embedding ELMO_component i_m _ Hs_pre)) in Htr_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component))
  (lift_to_composite_state ELMO_component s
     i_m is_m)
  (lift_to_composite_state ELMO_component s
     i_m 
     (state m))
  (VLSM_weak_embedding_finite_trace_project
     (lift_to_preloaded_free_weak_embedding
        ELMO_component i_m s Hs_pre) tr_m)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Forall
  (λ item : VLSM.state (ELMO_component i_m),
     composite_constrained_state_prop ELMO_component
       (state_update ELMO_component s i_m item))
  (is_m :: map destination tr_m)
      state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component))
  (state_update ELMO_component s i_m is_m)
  (state_update ELMO_component s i_m (state m))
  (VLSM_weak_embedding_finite_trace_project
     (lift_to_preloaded_free_weak_embedding
        ELMO_component i_m s Hs_pre) tr_m)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Forall
  (λ item : VLSM.state (ELMO_component i_m),
     composite_constrained_state_prop ELMO_component
       (state_update ELMO_component s i_m item))
  (is_m :: map destination tr_m)
      apply Forall_forall; intros d Hd.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component))
  (state_update ELMO_component s i_m is_m)
  (state_update ELMO_component s i_m (state m))
  (VLSM_weak_embedding_finite_trace_project
     (lift_to_preloaded_free_weak_embedding
        ELMO_component i_m s Hs_pre) tr_m)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
d: VLSM.state (ELMO_component i_m)
Hd: d ∈ is_m :: map destination tr_m
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m d)
      apply elem_of_cons in Hd as [-> | Hd]; [by subst |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component))
  (state_update ELMO_component s i_m is_m)
  (state_update ELMO_component s i_m (state m))
  (VLSM_weak_embedding_finite_trace_project
     (lift_to_preloaded_free_weak_embedding
        ELMO_component i_m s Hs_pre) tr_m)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
d: VLSM.state (ELMO_component i_m)
Hd: d ∈ map destination tr_m
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m d)
      apply elem_of_list_fmap in Hd as (item & -> & Hitem).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component))
  (state_update ELMO_component s i_m is_m)
  (state_update ELMO_component s i_m (state m))
  (VLSM_weak_embedding_finite_trace_project
     (lift_to_preloaded_free_weak_embedding
        ELMO_component i_m s Hs_pre) tr_m)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
item: transition_item
Hitem: item ∈ tr_m
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m
     (destination item))
      apply elem_of_list_split in Hitem as (pre & suf & ->).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
item: transition_item
pre, suf: list transition_item
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m)
  (pre ++ item :: suf)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  (pre ++ item :: suf)
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component))
  (state_update ELMO_component s i_m is_m)
  (state_update ELMO_component s i_m (state m))
  (VLSM_weak_embedding_finite_trace_project
     (lift_to_preloaded_free_weak_embedding
        ELMO_component i_m s Hs_pre)
     (pre ++ item :: suf))
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m
     (destination item))
      setoid_rewrite map_app in Htr_m; cbn in Htr_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
item: transition_item
pre, suf: list transition_item
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m)
  (pre ++ item :: suf)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  (pre ++ item :: suf)
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component))
  (state_update ELMO_component s i_m is_m)
  (state_update ELMO_component s i_m (state m))
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (λ sj : BaseELMO.State,
        state_update ELMO_component s i_m sj))
     pre ++
   pre_VLSM_embedding_transition_item_project
     ELMO_component_type
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component
        i_m)
     (λ sj : BaseELMO.State,
        state_update ELMO_component s i_m sj)
     item
   :: map
        (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (λ sj : BaseELMO.State,
        state_update ELMO_component s i_m sj))
        suf)
Heqis_m: is_m = MkState [] (idx i_m)
Hsimis_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |}
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m
     (destination item))
      by eapply elem_of_trace_in_futures_left, in_futures_valid_fst in Htr_m;
        [| by apply elem_of_app; right; left].
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_reachable: Forall
  (λ item : 
      VLSM.state 
        (ELMO_component i_m),
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
        i_m item))
  (is_m :: map destination tr_m)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s ∪ {[idx i_m]})
  tr_m
    rewrite <- Heqis_m in Hsimis_eqvs, Hsimis.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m is_m)
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     is_m)
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_reachable: Forall
  (λ item : 
      VLSM.state 
        (ELMO_component i_m),
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
        i_m item))
  (is_m :: map destination tr_m)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s ∪ {[idx i_m]})
  tr_m
    remember (state m) as state_m; rewrite <- Hsender in Hsimis_eqvs |- *;
      rewrite Heqstate_m in Hsender, Hsimis_eqvs |- *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
state_m: BaseELMO.State
Heqstate_m: state_m = state m
Hrcv: ELMO_recv_valid (s i) (MkMessage state_m)
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr state_m)
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr state_m
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m is_m)
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     is_m)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m state_m tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_reachable: Forall
  (λ item : 
      VLSM.state 
        (ELMO_component i_m),
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
        i_m item))
  (is_m :: map destination tr_m)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr_m
    clear -Htr_m Hsimis_eqvs Hall_reachable Hall_messages_observed Hs Hs_pre Hsender.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
state_m: BaseELMO.State
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     is_m)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m state_m tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr_m
Hall_reachable: Forall
  (λ item : VLSM.state
              (ELMO_component i_m),
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (is_m :: map destination tr_m)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr_m
    induction Htr_m using finite_valid_trace_init_to_rev_ind; [by constructor |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hall_reachable: Forall
  (λ item : VLSM.state
              (ELMO_component i_m),
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si
   :: map destination
        (tr ++
         [{|
            l := l;
            input := iom;
            destination := sf;
            output := oom
          |}]))
IHHtr_m: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         item_sends_or_receives m item
         → m ∈ messages (s i)) tr
  → Forall
      (λ item : VLSM.state
                  (ELMO_component i_m),
         composite_constrained_state_prop
           ELMO_component
           (state_update ELMO_component s
              i_m item))
      (si :: map destination tr)
    → Forall
        (λ item : transition_item,
           ELMO_equivocating_validators
             (lift_to_composite_state
                ELMO_component s i_m
                (destination item))
           ⊆ ELMO_equivocating_validators s
             ∪ {[adr (state m)]}) tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    rewrite map_app in Hall_reachable; cbn in Hall_reachable.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr ++ [sf])
IHHtr_m: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         item_sends_or_receives m item
         → m ∈ messages (s i)) tr
  → Forall
      (λ item : VLSM.state
                  (ELMO_component i_m),
         composite_constrained_state_prop
           ELMO_component
           (state_update ELMO_component s
              i_m item))
      (si :: map destination tr)
    → Forall
        (λ item : transition_item,
           ELMO_equivocating_validators
             (lift_to_composite_state
                ELMO_component s i_m
                (destination item))
           ⊆ ELMO_equivocating_validators s
             ∪ {[adr (state m)]}) tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    rewrite app_comm_cons in Hall_reachable.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  ((si :: map destination tr) ++ [sf])
IHHtr_m: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         item_sends_or_receives m item
         → m ∈ messages (s i)) tr
  → Forall
      (λ item : VLSM.state
                  (ELMO_component i_m),
         composite_constrained_state_prop
           ELMO_component
           (state_update ELMO_component s
              i_m item))
      (si :: map destination tr)
    → Forall
        (λ item : transition_item,
           ELMO_equivocating_validators
             (lift_to_composite_state
                ELMO_component s i_m
                (destination item))
           ⊆ ELMO_equivocating_validators s
             ∪ {[adr (state m)]}) tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    apply Forall_app in Hall_reachable as [Hall_reachable Hsf_reachable].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item)) [sf]
IHHtr_m: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         item_sends_or_receives m item
         → m ∈ messages (s i)) tr
  → Forall
      (λ item : VLSM.state
                  (ELMO_component i_m),
         composite_constrained_state_prop
           ELMO_component
           (state_update ELMO_component s
              i_m item))
      (si :: map destination tr)
    → Forall
        (λ item : transition_item,
           ELMO_equivocating_validators
             (lift_to_composite_state
                ELMO_component s i_m
                (destination item))
           ⊆ ELMO_equivocating_validators s
             ∪ {[adr (state m)]}) tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    rewrite Forall_singleton in Hsf_reachable.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         item_sends_or_receives m item
         → m ∈ messages (s i)) tr
  → Forall
      (λ item : VLSM.state
                  (ELMO_component i_m),
         composite_constrained_state_prop
           ELMO_component
           (state_update ELMO_component s
              i_m item))
      (si :: map destination tr)
    → Forall
        (λ item : transition_item,
           ELMO_equivocating_validators
             (lift_to_composite_state
                ELMO_component s i_m
                (destination item))
           ⊆ ELMO_equivocating_validators s
             ∪ {[adr (state m)]}) tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    apply Forall_app in Hall_messages_observed as [Hall_messages_observed Hlast_obs].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → m ∈ messages (s i))
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         item_sends_or_receives m item
         → m ∈ messages (s i)) tr
  → Forall
      (λ item : VLSM.state
                  (ELMO_component i_m),
         composite_constrained_state_prop
           ELMO_component
           (state_update ELMO_component s
              i_m item))
      (si :: map destination tr)
    → Forall
        (λ item : transition_item,
           ELMO_equivocating_validators
             (lift_to_composite_state
                ELMO_component s i_m
                (destination item))
           ⊆ ELMO_equivocating_validators s
             ∪ {[adr (state m)]}) tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    rewrite Forall_singleton in Hlast_obs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
→ Forall
    (λ item : transition_item,
       ∀ m : Message,
         item_sends_or_receives m item
         → m ∈ messages (s i)) tr
  → Forall
      (λ item : VLSM.state
                  (ELMO_component i_m),
         composite_constrained_state_prop
           ELMO_component
           (state_update ELMO_component s
              i_m item))
      (si :: map destination tr)
    → Forall
        (λ item : transition_item,
           ELMO_equivocating_validators
             (lift_to_composite_state
                ELMO_component s i_m
                (destination item))
           ⊆ ELMO_equivocating_validators s
             ∪ {[adr (state m)]}) tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    specialize (IHHtr_m Hsimis_eqvs Hall_messages_observed Hall_reachable).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    assert (Hsis0_pre : composite_constrained_state_prop ELMO_component
      (state_update ELMO_component s i_m s0)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m s0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m s0)
      apply valid_trace_get_last in Htr_m as <-.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
tr: list transition_item
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l
  (finite_trace_last si tr, iom) (
  sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m
     (finite_trace_last si tr))
      rewrite Forall_forall in Hall_reachable.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
tr: list transition_item
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l
  (finite_trace_last si tr, iom) (
  sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: ∀ x : BaseELMO.State,
  x ∈ si :: map destination tr
  → composite_constrained_state_prop
      ELMO_component
      (state_update ELMO_component s
         i_m x)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component s i_m
     (finite_trace_last si tr))
      apply Hall_reachable; apply last_Some_elem_of.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
tr: list transition_item
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l
  (finite_trace_last si tr, iom) (
  sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: ∀ x : BaseELMO.State,
  x ∈ si :: map destination tr
  → composite_constrained_state_prop
      ELMO_component
      (state_update ELMO_component s
         i_m x)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
last (si :: map destination tr) =
Some (finite_trace_last si tr)
      by rewrite <- StdppExtras.last_last_error, unlock_finite_trace_last.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
         m item
       → m ∈ messages (s i))
  tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hall_reachable: Forall
  (λ item : BaseELMO.State,
     composite_constrained_state_prop
       ELMO_component
       (state_update ELMO_component s
          i_m item))
  (si :: map destination tr)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    clear Hall_reachable Hall_messages_observed.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
    apply Forall_app; split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]})
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
    constructor; [| by constructor].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
ELMO_equivocating_validators
  (lift_to_composite_state ELMO_component s i_m
     (destination
        {|
          l := l;
          input := iom;
          destination := sf;
          output := oom
        |}))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
    assert (Hsis0_eqvs :
      ELMO_equivocating_validators (state_update ELMO_component s i_m s0)
        ⊆ ELMO_equivocating_validators s ∪ {[ adr (state m) ]}).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
ELMO_equivocating_validators
  (lift_to_composite_state ELMO_component s i_m
     (destination
        {|
          l := l;
          input := iom;
          destination := sf;
          output := oom
        |}))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      apply valid_trace_get_last in Htr_m as <-.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
tr: list transition_item
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l
  (finite_trace_last si tr, iom) (
  sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (finite_trace_last si tr))
ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (finite_trace_last si tr))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      destruct_list_last tr tr' lst Heq; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
tr: list transition_item
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr': list transition_item
lst: transition_item
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l
  (finite_trace_last si (tr' ++ [lst]), iom)
  (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) 
  (tr' ++ [lst])
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (finite_trace_last si (tr' ++ [lst])))
Heq: tr = tr' ++ [lst]
ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (finite_trace_last si (tr' ++ [lst])))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      rewrite finite_trace_last_is_last.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
tr: list transition_item
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr': list transition_item
lst: transition_item
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l
  (finite_trace_last si (tr' ++ [lst]), iom)
  (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) 
  (tr' ++ [lst])
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (finite_trace_last si (tr' ++ [lst])))
Heq: tr = tr' ++ [lst]
ELMO_equivocating_validators
  (state_update ELMO_component s i_m (destination lst))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      rewrite Forall_forall in IHHtr_m; eapply IHHtr_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
tr: list transition_item
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr': list transition_item
lst: transition_item
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l
  (finite_trace_last si (tr' ++ [lst]), iom)
  (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: ∀ x : transition_item,
  x ∈ tr' ++ [lst]
  → ELMO_equivocating_validators
      (lift_to_composite_state
         ELMO_component s i_m
         (destination x))
    ⊆ ELMO_equivocating_validators s
      ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (finite_trace_last si (tr' ++ [lst])))
Heq: tr = tr' ++ [lst]
lst ∈ tr' ++ [lst]
      by apply elem_of_app; right; left.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
ELMO_equivocating_validators
  (lift_to_composite_state ELMO_component s i_m
     (destination
        {|
          l := l;
          input := iom;
          destination := sf;
          output := oom
        |}))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
    cbn; replace (lift_to_composite_state _ _ _ _)
      with (state_update ELMO_component (state_update ELMO_component s i_m s0) i_m sf)
      by (apply state_update_twice; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (sf, oom)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |} → m ∈ messages (s i)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     sf)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m sf)
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
    destruct (Ht) as [(_ & _ & H_v) H_t];
      inversion H_v as [? ? [] |]; subst; inversion H_t; subst; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+>
      MkObservation Send
        (MkMessage s0)))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Send (
  s0, None)
  (s0 <+> MkObservation Send (MkMessage s0),
   Some (MkMessage s0))
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Send;
      input := None;
      destination :=
        s0 <+>
        MkObservation Send (MkMessage s0);
      output := Some (MkMessage s0)
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Send (s0, None)
H_t: transition Send (s0, None) =
(s0 <+> MkObservation Send (MkMessage s0),
 Some (MkMessage s0))
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Send (MkMessage s0)))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+>
      MkObservation Send
        (MkMessage s0)))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Send (
  s0, None)
  (s0 <+> MkObservation Send (MkMessage s0),
   Some (MkMessage s0))
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Send;
      input := None;
      destination :=
        s0 <+>
        MkObservation Send (MkMessage s0);
      output := Some (MkMessage s0)
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Send (s0, None)
H_t: transition Send (s0, None) =
(s0 <+> MkObservation Send (MkMessage s0),
 Some (MkMessage s0))
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Send (MkMessage s0)))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]} transitivity (ELMO_equivocating_validators (state_update ELMO_component s i_m s0)
        ∪ {[ adr (state m) ]}).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+>
      MkObservation Send
        (MkMessage s0)))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Send (
  s0, None)
  (s0 <+> MkObservation Send (MkMessage s0),
   Some (MkMessage s0))
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Send;
      input := None;
      destination :=
        s0 <+>
        MkObservation Send (MkMessage s0);
      output := Some (MkMessage s0)
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Send (s0, None)
H_t: transition Send (s0, None) =
(s0 <+> MkObservation Send (MkMessage s0),
 Some (MkMessage s0))
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Send (MkMessage s0)))
⊆ ELMO_equivocating_validators
    (state_update ELMO_component s i_m s0)
  ∪ {[adr (state m)]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+>
      MkObservation Send
        (MkMessage s0)))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Send (
  s0, None)
  (s0 <+> MkObservation Send (MkMessage s0),
   Some (MkMessage s0))
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Send;
      input := None;
      destination :=
        s0 <+>
        MkObservation Send (MkMessage s0);
      output := Some (MkMessage s0)
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Send (s0, None)
H_t: transition Send (s0, None) =
(s0 <+> MkObservation Send (MkMessage s0),
 Some (MkMessage s0))
ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
∪ {[adr (state m)]}
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+>
      MkObservation Send
        (MkMessage s0)))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Send (
  s0, None)
  (s0 <+> MkObservation Send (MkMessage s0),
   Some (MkMessage s0))
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Send;
      input := None;
      destination :=
        s0 <+>
        MkObservation Send (MkMessage s0);
      output := Some (MkMessage s0)
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Send (s0, None)
H_t: transition Send (s0, None) =
(s0 <+> MkObservation Send (MkMessage s0),
 Some (MkMessage s0))
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Send (MkMessage s0)))
⊆ ELMO_equivocating_validators
    (state_update ELMO_component s i_m s0)
  ∪ {[adr (state m)]} by eapply union_subseteq_l', ELMO_equivocating_validators_step_update_Send;
          [| by constructor; state_update_simpl].
      +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+>
      MkObservation Send
        (MkMessage s0)))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Send (
  s0, None)
  (s0 <+> MkObservation Send (MkMessage s0),
   Some (MkMessage s0))
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Send;
      input := None;
      destination :=
        s0 <+>
        MkObservation Send (MkMessage s0);
      output := Some (MkMessage s0)
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Send (s0, None)
H_t: transition Send (s0, None) =
(s0 <+> MkObservation Send (MkMessage s0),
 Some (MkMessage s0))
ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
∪ {[adr (state m)]}
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]} by apply union_subseteq; split; [| apply union_subseteq_r'].
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]} destruct (decide (adr (state m) = adr (state m0))) as [Hmm0 | Hnmm0].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hmm0: adr (state m) = adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → 
  m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[
       adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hmm0: adr (state m) = adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        transitivity (ELMO_equivocating_validators (state_update ELMO_component s i_m s0)
          ∪ {[ adr (state m) ]}).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hmm0: adr (state m) = adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators
    (state_update ELMO_component s i_m s0)
  ∪ {[adr (state m)]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → 
  m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[
       adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hmm0: adr (state m) = adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
∪ {[adr (state m)]}
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hmm0: adr (state m) = adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators
    (state_update ELMO_component s i_m s0)
  ∪ {[adr (state m)]} rewrite Hmm0.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hmm0: adr (state m) = adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators
    (state_update ELMO_component s i_m s0)
  ∪ {[adr (state m0)]}
          by eapply ELMO_equivocating_validators_step_update_Receive;
            [| constructor; state_update_simpl].
        -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hmm0: adr (state m) = adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
∪ {[adr (state m)]}
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]} by apply union_subseteq; split; [| apply union_subseteq_r'].
      }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      assert (Hm0_obs : m0 ∈ messages (s i)) by (apply Hlast_obs; left; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      destruct (decide (i_m = i)); cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
n: i_m ≠ i
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → 
  m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[
       adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
e: i_m = i
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]}
      +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
n: i_m ≠ i
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]} transitivity (ELMO_equivocating_validators (state_update ELMO_component s i_m s0)
          ∪ {[ adr (state m) ]});
          [| by apply union_subseteq; split; [| by apply union_subseteq_r']].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
n: i_m ≠ i
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators
    (state_update ELMO_component s i_m s0)
  ∪ {[adr (state m)]}
        eapply union_subseteq_l', ELMO_equivocating_validators_step_update_Receive_already_Observed;
          [done | | by constructor; state_update_simpl].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
n: i_m ≠ i
composite_has_been_directly_observed ELMO_component
  (state_update ELMO_component s i_m s0) m0
        exists i; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (state_update ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
n: i_m ≠ i
has_been_directly_observed (ELMO_component i) (s i) m0
        by apply elem_of_messages in Hm0_obs.
      +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
i_m: index
Hsender: adr (state m) = idx i_m
si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
m0: Message
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m
     (s0 <+> MkObservation Receive m0))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i_m
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i_m s0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
H_v: valid Receive (s0, Some m0)
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
ELMO_mv_full_node0: full_node s0 m0
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
e: i_m = i
ELMO_equivocating_validators
  (state_update ELMO_component
     (state_update ELMO_component s i_m s0) i_m
     (s0 <+> MkObservation Receive m0))
⊆ ELMO_equivocating_validators s ∪ {[adr (state m)]} subst; intro a; setoid_rewrite elem_of_filter.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
is_equivocating
  (state_update ELMO_component
     (state_update ELMO_component s i s0) i
     (s0 <+> MkObservation Receive m0)) a
∧ a
  ∈ state_validators
      (state_update ELMO_component
         (state_update ELMO_component s i s0) i
         (s0 <+> MkObservation Receive m0))
→ a
  ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        unfold is_equivocating; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
ELMO_global_equivocators
  (state_update ELMO_component
     (state_update ELMO_component s i s0) i
     (s0 <+> MkObservation Receive m0)) a
∧ a ∈ list_to_set (map idx (enum index))
→ a
  ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        rewrite ELMO_global_equivocators_iff_simple by (rewrite state_update_twice; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
global_equivocators_simple
  (state_update ELMO_component
     (state_update ELMO_component s i s0) i
     (s0 <+> MkObservation Receive m0)) a
∧ a ∈ list_to_set (map idx (enum index))
→ a
  ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        intros [Heqv].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
Heqv: global_equivocators_simple
  (state_update ELMO_component
     (state_update ELMO_component s i s0) i
     (s0 <+> MkObservation Receive m0)) a
H1: a ∈ list_to_set (map idx (enum index))
a ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        eapply global_equivocators_simple_step_update_receive in Heqv;
          [| by constructor; state_update_simpl].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component s i s0) m0
a ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        assert (Hm0_not_sent : m0 ∉ sentMessages (s i)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component s i s0) m0
m0 ∉ sentMessages (s i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i
        (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[
       adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → 
  m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
a ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component s i s0) m0
m0 ∉ sentMessages (s i)
          intro Hm0; eapply adr_of_sentMessages in Hm0;
            [| by eapply ELMO_full_node_reachable, valid_state_project_preloaded].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component s i s0) m0
Hm0: adr (state m0) = adr (s i)
False
          rewrite Hsender in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[idx i]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[idx i]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[idx i]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: idx i ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component s i s0) m0
Hm0: adr (state m0) = adr (s i)
False
          rewrite Hm0 in Hnmm0; contradict Hnmm0; symmetry.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[idx i]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[idx i]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[idx i]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component s i s0) m0
Hm0: adr (state m0) = adr (s i)
adr (s i) = idx i
          by apply ELMO_reachable_adr, valid_state_project_preloaded.
        }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
a ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        destruct Heqv as [Heqv | [-> Hnsent]]; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
H1: adr (state m0)
∈ list_to_set (map idx (enum index))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
adr (state m0)
∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i
        (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[
       adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → 
  m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
Hm0_not_sent: m0 ∉ sentMessages (s i)
a ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]}
        *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
H1: adr (state m0)
∈ list_to_set (map idx (enum index))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
adr (state m0)
∈ ELMO_equivocating_validators s ∪ {[adr (state m)]} unfold ELMO_equivocating_validators, equivocating_validators, is_equivocating; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
H1: adr (state m0)
∈ list_to_set (map idx (enum index))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
adr (state m0)
∈ filter (λ v : Address, ELMO_global_equivocators s v)
    (list_to_set (map idx (enum index)))
  ∪ {[adr (state m)]}
          rewrite elem_of_union, elem_of_singleton, elem_of_filter,
            ELMO_global_equivocators_iff_simple by done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
H1: adr (state m0)
∈ list_to_set (map idx (enum index))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
global_equivocators_simple s (adr (state m0))
∧ adr (state m0) ∈ list_to_set (map idx (enum index))
∨ adr (state m0) = adr (state m)
          left; split; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
H1: adr (state m0)
∈ list_to_set (map idx (enum index))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
global_equivocators_simple s (adr (state m0))
          econstructor; [done | exists i; by apply elem_of_messages in Hm0_obs as [] |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
H1: adr (state m0)
∈ list_to_set (map idx (enum index))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
¬ composite_has_been_sent ELMO_component s m0
          intros [i_m0 Hsent].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
H1: adr (state m0)
∈ list_to_set (map idx (enum index))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
i_m0: index
Hsent: has_been_sent 
  (ELMO_component i_m0) 
  (s i_m0) m0
False
          assert (i <> i_m0) by (intros ->; contradict Hm0_not_sent; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
H1: adr (state m0)
∈ list_to_set (map idx (enum index))
Hnsent: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component s i s0) m0
Hm0_not_sent: m0 ∉ sentMessages (s i)
i_m0: index
Hsent: has_been_sent 
  (ELMO_component i_m0) 
  (s i_m0) m0
H2: i ≠ i_m0
False
          by apply Hnsent; exists i_m0; state_update_simpl.
        *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
Hm0_not_sent: m0 ∉ sentMessages (s i)
a ∈ ELMO_equivocating_validators s ∪ {[adr (state m)]} apply Hsis0_eqvs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
Hm0_not_sent: m0 ∉ sentMessages (s i)
a
∈ ELMO_equivocating_validators
    (state_update ELMO_component s i s0)
          unfold ELMO_equivocating_validators, equivocating_validators, is_equivocating; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
m: Message
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
tr: list transition_item
s0, si: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) si s0 tr
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i si)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsender: adr (state m) = idx i
m0: Message
ELMO_mv_no_self_equiv0: no_self_equiv s0 m0
ELMO_mv_full_node0: full_node s0 m0
H_t: transition Receive (s0, Some m0) =
(s0 <+> MkObservation Receive m0, None)
H_v: valid Receive (s0, Some m0)
Hsis0_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i s0)
⊆ ELMO_equivocating_validators s
  ∪ {[adr (state m)]}
Hsis0_pre: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i s0)
IHHtr_m: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
          ELMO_component s i
          (destination item))
     ⊆ ELMO_equivocating_validators s
       ∪ {[adr (state m)]}) tr
Hlast_obs: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := Some m0;
      destination :=
        s0 <+> MkObservation Receive m0;
      output := None
    |} → m ∈ messages (s i)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  s0, Some m0)
  (s0 <+> MkObservation Receive m0, None)
Hsf_reachable: composite_constrained_state_prop
  ELMO_component
  (state_update ELMO_component s i
     (s0 <+> MkObservation Receive m0))
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s0 <+>
   MkObservation
     Receive m0)
Hnmm0: adr (state m) ≠ adr (state m0)
Hm0_obs: m0 ∈ messages (s i)
a: Address
H1: a ∈ list_to_set (map idx (enum index))
Heqv: global_equivocators_simple
  (state_update ELMO_component s i s0) a
Hm0_not_sent: m0 ∉ sentMessages (s i)
a
∈ filter
    (λ v : Address,
       ELMO_global_equivocators
         (state_update ELMO_component s i s0) v)
    (list_to_set (map idx (enum index)))
          by rewrite elem_of_filter, ELMO_global_equivocators_iff_simple.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
valid_message_prop ELMOProtocol m
  assert (Htr_m_lift :
    finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state ELMO_component s i_m is_m)
      (lift_to_composite_state ELMO_component s i_m (state m))
      (pre_VLSM_embedding_finite_trace_project
      _ _ (lift_to_composite_label ELMO_component i_m) (lift_to_composite_state ELMO_component s i_m)
      tr_m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m is_m)
  (lift_to_composite_state ELMO_component s i_m
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     tr_m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
valid_message_prop ELMOProtocol m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m is_m)
  (lift_to_composite_state ELMO_component s i_m
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     tr_m)
    remember (state m) as sm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
sm: BaseELMO.State
Heqsm: sm = state m
Hrcv: ELMO_recv_valid (s i) (MkMessage sm)
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr sm)
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr sm
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr sm = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m sm tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m is_m)
  (lift_to_composite_state ELMO_component s i_m sm)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     tr_m)
    clear Heqsm Hrcv Hm_eqv Hs'_eqv Hsender Heqis_m Hall_messages_observed.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
sm: BaseELMO.State
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m sm tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m is_m)
  (lift_to_composite_state ELMO_component s i_m sm)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     tr_m)
    induction Htr_m using  finite_valid_trace_init_to_rev_ind;
      [by constructor; destruct si, Hsi; cbn in *; subst |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (
  sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m)
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m si)
  (lift_to_composite_state ELMO_component s i_m sf)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     (tr ++
      [{|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}]))
    apply Forall_app in Hall_messages_valid as [Hall_messages_valid H_lst_msg_valid].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (
  sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop
        ELMOProtocol m)
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]})
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m si)
  (lift_to_composite_state ELMO_component s i_m sf)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     (tr ++
      [{|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}]))
    apply Forall_app in Hall_bounded_eqv as [Hall_bounded_eqv Hsf_bounded_eqv].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (
  sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop
        ELMOProtocol m)
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]})
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m si)
  (lift_to_composite_state ELMO_component s i_m sf)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     (tr ++
      [{|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}]))
    rewrite Forall_singleton in H_lst_msg_valid.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (
  sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]})
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m si)
  (lift_to_composite_state ELMO_component s i_m sf)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     (tr ++
      [{|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}]))
    rewrite Forall_singleton in Hsf_bounded_eqv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (
  sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m si)
  (lift_to_composite_state ELMO_component s i_m sf)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component s i_m)
     (tr ++
      [{|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}]))
    setoid_rewrite map_app; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (
  sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m si)
  (lift_to_composite_state ELMO_component s i_m sf)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component i_m)
        (lift_to_composite_state ELMO_component s i_m))
     tr ++
   [pre_VLSM_embedding_transition_item_project
      ELMO_component_type
      (composite_type ELMO_component)
      (lift_to_composite_label ELMO_component i_m)
      (lift_to_composite_state ELMO_component s i_m)
      {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
      |}])
    eapply extend_right_finite_trace_from_to; [by apply IHHtr_m | cbn].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s0, iom) (
  sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
input_valid_transition ELMOProtocol
  (lift_to_composite_label ELMO_component i_m l)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom)
  (lift_to_composite_state ELMO_component s i_m sf,
   oom)
    destruct Ht0 as [(Hs0 &  _ & Hv0) Ht0].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
input_valid_transition ELMOProtocol
  (lift_to_composite_label ELMO_component i_m l)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom)
  (lift_to_composite_state ELMO_component s i_m sf,
   oom)
    repeat split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m s0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
option_valid_message_prop ELMOProtocol iom
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
valid (lift_to_composite_label ELMO_component i_m l)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
ELMO_global_constraint
  (lift_to_composite_label ELMO_component i_m l)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
transition
  (lift_to_composite_label ELMO_component i_m l)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom) =
(lift_to_composite_state ELMO_component s i_m sf, oom)
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m s0) by eapply finite_valid_trace_from_to_last_pstate, IHHtr_m.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
option_valid_message_prop ELMOProtocol iom destruct iom; [| apply option_valid_message_None].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
m0: Message
oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, Some m0)
Ht0: transition l (s0, Some m0) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := Some m0;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := Some m0;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
option_valid_message_prop ELMOProtocol (Some m0)
      by apply H_lst_msg_valid; left.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
valid (lift_to_composite_label ELMO_component i_m l)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom) by cbn; state_update_simpl.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
ELMO_global_constraint
  (lift_to_composite_label ELMO_component i_m l)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom) destruct l as []; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid Receive (s0, iom)
Ht0: transition Receive (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := Receive;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
ELMO_global_constraint
  (lift_to_composite_label ELMO_component i_m Receive)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom)
      unfold ELMO_global_constraint, lift_to_composite_label, composite_transition.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid Receive (s0, iom)
Ht0: transition Receive (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := Receive;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
let (s', _) :=
  let (si', om') :=
    transition Receive
      (lift_to_composite_state ELMO_component s i_m s0
         i_m, iom) in
  (state_update ELMO_component
     (lift_to_composite_state ELMO_component s i_m s0)
     i_m si', om') in
ELMO_not_heavy s'
      rewrite state_update_eq.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid Receive (s0, iom)
Ht0: transition Receive (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := Receive;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
let (s', _) :=
  let (si', om') := transition Receive (s0, iom) in
  (state_update ELMO_component
     (lift_to_composite_state ELMO_component s i_m s0)
     i_m si', om') in
ELMO_not_heavy s'
      cbn in Ht0 |- *; rewrite Ht0, state_update_twice.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid Receive (s0, iom)
Ht0: match iom with
| Some m =>
    (s0 <+> MkObservation Receive m, None)
| None => (s0, None)
end = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := Receive;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
ELMO_not_heavy (state_update ELMO_component s i_m sf)
      unfold ELMO_not_heavy, not_heavy.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid Receive (s0, iom)
Ht0: match iom with
| Some m =>
    (s0 <+> MkObservation Receive m, None)
| None => (s0, None)
end = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := Receive;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
(equivocation_fault
   (state_update ELMO_component s i_m sf) <= threshold)%R
      etransitivity; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid Receive (s0, iom)
Ht0: match iom with
| Some m =>
    (s0 <+> MkObservation Receive m, None)
| None => (s0, None)
end = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := Receive;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
(equivocation_fault
   (state_update ELMO_component s i_m sf) <=
 sum_weights
   (ELMO_equivocating_validators s ∪ {[idx i_m]}))%R
      apply sum_weights_subseteq; [by apply NoDup_elements.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid Receive (s0, iom)
Ht0: match iom with
| Some m =>
    (s0 <+> MkObservation Receive m, None)
| None => (s0, None)
end = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := Receive;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := Receive;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
equivocating_validators
  (state_update ELMO_component s i_m sf)
⊆ ELMO_equivocating_validators s ∪ {[idx i_m]}
      by intro; apply Hsf_bounded_eqv.
    -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (lift_to_composite_state
     ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (lift_to_composite_state
        ELMO_component s i_m si)
      (lift_to_composite_state
        ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (lift_to_composite_state
        ELMO_component s i_m) tr)
transition
  (lift_to_composite_label ELMO_component i_m l)
  (lift_to_composite_state ELMO_component s i_m s0,
   iom) =
(lift_to_composite_state ELMO_component s i_m sf, oom) cbn; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (state_update ELMO_component
        s i_m 
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (state_update ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (state_update ELMO_component s i_m si)
      (state_update ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (λ sj : 
        VLSM.state 
        (ELMO_component i_m),
        state_update ELMO_component s i_m sj)
        tr)
(let (si', om') :=
   UMO_component_transition l s0 iom in
 (state_update ELMO_component
    (state_update ELMO_component s i_m s0) i_m si',
  om')) = (state_update ELMO_component s i_m sf, oom)
      replace (UMO_component_transition _ _ _) with (sf, oom).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
si, s0: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) si s0 tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) s0
Hv0: valid l (s0, iom)
Ht0: transition l (s0, iom) = (sf, oom)
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr
H_lst_msg_valid: ∀ m : Message,
  item_sends_or_receives m
    {|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}
  → valid_message_prop ELMOProtocol
      m
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (state_update ELMO_component
        s i_m 
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr
Hsf_bounded_eqv: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (destination
        {|
        l := l;
        input := iom;
        destination := sf;
        output := oom
        |}))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
IHHtr_m: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m item
       → 
       valid_message_prop ELMOProtocol m) tr
→ Forall
    (λ item : transition_item,
       ELMO_equivocating_validators
        (state_update ELMO_component s i_m
        (destination item))
       ⊆ 
       ELMO_equivocating_validators s
       ∪ {[
       idx i_m]}) tr
  → finite_valid_trace_from_to ELMOProtocol
      (state_update ELMO_component s i_m si)
      (state_update ELMO_component s i_m s0)
      (pre_VLSM_embedding_finite_trace_project
        (ELMO_component i_m)
        (composite_type ELMO_component)
        (lift_to_composite_label
        ELMO_component i_m)
        (λ sj : 
        VLSM.state 
        (ELMO_component i_m),
        state_update ELMO_component s i_m sj)
        tr)
(state_update ELMO_component
   (state_update ELMO_component s i_m s0) i_m sf, oom) =
(state_update ELMO_component s i_m sf, oom)
      by rewrite state_update_twice.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
valid_message_prop ELMOProtocol m
  cut
    (input_valid_transition ELMOProtocol (existT i_m Send)
      (lift_to_composite_state ELMO_component s i_m (state m), None)
      (lift_to_composite_state ELMO_component s i_m (state m <+> MkObservation Send m), Some m))
    ; [by apply input_valid_transition_out |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
input_valid_transition ELMOProtocol (existT i_m Send)
  (lift_to_composite_state ELMO_component s i_m
     (state m), None)
  (lift_to_composite_state ELMO_component s i_m
     (state m <+> MkObservation Send m), Some m)
  repeat split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m
     (state m))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
option_valid_message_prop ELMOProtocol None
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
valid (existT i_m Send)
  (lift_to_composite_state ELMO_component s i_m
     (state m), None)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (
  s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
transition 
  (existT i_m Send)
  (lift_to_composite_state ELMO_component s i_m
     (state m), None) =
(lift_to_composite_state ELMO_component s i_m
   (state m <+> MkObservation Send m), 
 Some m)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component s i_m
     (state m)) by apply finite_valid_trace_from_to_last_pstate in Htr_m_lift.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
option_valid_message_prop ELMOProtocol None by apply option_valid_message_None.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
valid (existT i_m Send)
  (lift_to_composite_state ELMO_component s i_m
     (state m), None) by constructor.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
s: VLSM.state ELMOProtocol
Hs: valid_state_prop ELMOProtocol s
i: index
s': VLSM.state ELMOProtocol
m: Message
Hvalid: ELMOProtocol_valid_transition i Receive s s'
  m
Hv: valid (existT i Receive) (s, Some m)
Hc: ELMO_global_constraint 
  (existT i Receive) (s, Some m)
Ht: transition (existT i Receive) (s, Some m) =
(s', None)
Hincl: VLSM_incl ELMOProtocol ReachELMO
Hnsnd: ¬ composite_has_been_sent ELMO_component s m
Hrcv: ELMO_recv_valid (s i) (MkMessage (state m))
H3: state_update ELMO_component s i
  (s i <+> MkObservation Receive m) = s'
Hm_eqv: global_equivocators_simple s' (adr (state m))
Hs'_eqv: ∀ a : Address,
  global_equivocators_simple s' a
  ↔ a = adr (state m)
    ∨ global_equivocators_simple s a
Hs_pre: valid_state_prop
  {|
    vlsm_type := ELMOProtocol;
    vlsm_machine := ReachELMO
  |} s
Hs': composite_constrained_state_prop ELMO_component
  s'
ELMO_mv_full_node0: full_node (s i) m
ELMO_mv_no_self_equiv0: no_self_equiv (s i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (s i <+>
   MkObservation
     Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Heqv: (sum_weights
   (ELMO_equivocating_validators s
    ∪ {[idx i_m]}) <= threshold)%R
His: initial_state_prop (MkState [] (idx i_m))
Hsimis: valid_state_prop ELMOProtocol
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
Hsimis_eqvs: ELMO_equivocating_validators
  (state_update ELMO_component s i_m
     (MkState [] (idx i_m)))
⊆ ELMO_equivocating_validators s
  ∪ {[idx i_m]}
Hsi_pre: constrained_state_prop 
  (ELMO_component i) 
  (s i)
is_m: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr_m: list transition_item
Htr_m: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is_m 
  (state m) tr_m
Hall_messages_observed: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives
        m item
       → 
       m ∈ messages (s i))
  tr_m
Hall_messages_valid: Forall
  (λ item : transition_item,
     ∀ m : Message,
       item_sends_or_receives m
        item
       → 
       valid_message_prop
        ELMOProtocol m) tr_m
Heqis_m: is_m = MkState [] (idx i_m)
Hall_bounded_eqv: Forall
  (λ item : transition_item,
     ELMO_equivocating_validators
       (lift_to_composite_state
        ELMO_component s i_m
        (destination item))
     ⊆ ELMO_equivocating_validators
        s ∪ {[
       idx i_m]}) tr_m
Htr_m_lift: finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component
     s i_m is_m)
  (lift_to_composite_state ELMO_component
     s i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component s i_m) tr_m)
transition (existT i_m Send)
  (lift_to_composite_state ELMO_component s i_m
     (state m), None) =
(lift_to_composite_state ELMO_component s i_m
   (state m <+> MkObservation Send m), Some m) by cbn; state_update_simpl; rewrite state_update_twice; destruct m.
Qed.

Let si be a reachable state in (ELMO_component i) and m a message such that ELMO_component_valid Receive si (Some m) in (ELMO_component i), adr m <> i and adr m ∉ local_equivocators_full si, and also there is no message m' ∈ received_messages(si) with m' ⊥ m.

Suppose σ is a valid state in ELMOProtocol such that σ i = si, having messages(si) = messages(σ), local_equivocators_full(si) = global_equivocators(σ), and components of σ other than i may only have a Send observation as their latest observation, and also m ∉ sent_messages(σ).

Then there exists a state σ' in the future of σ such that σ' i = si, messages(σ') = messages(si), and global_equivocators(σ') = global_equivocators(σ), components of σ' other than i and adr(m) may only have a Send observation as their latest observation. Finally, σ'(adr(m)) = m (So m can be emitted immediately from σ').

This is stronger than the previous message by showing, at least in these conditions, that a message that can be validly received by a component in a valid ELMOProtocol state can be validly emitted not just in some unrelated ELMOProtocol trace, but also in a trace continuing from the current state. (We will build from this towards proving ELMO_components are validating for ELMOProtocol by showing how to construct such an ELMOProtocol state embedding given an ELMO_component state and receivable message)

Definition latest_observation_Send (s : State) : Prop :=
  obs s = []
    \/
  exists (s' : State) (m : Message),
    s = s' <+> MkObservation Send m.

Definition component_reflects_composite_messages
  (s : VLSM.state ELMOProtocol) (i : index) : Prop :=
    forall m : Message, (exists j, m ∈ messages (s j)) <-> m ∈ messages (s i).

Definition component_reflects_composite_equivocators
  (s : VLSM.state ELMOProtocol) (i : index) : Prop :=
    forall a : Address, global_equivocators_simple s a <-> local_equivocators_full (s i) a.

Record component_reflects_composite (s : VLSM.state ELMOProtocol) (i : index) : Prop :=
{
  component_sees_messages : component_reflects_composite_messages s i;
  component_sees_equivocators : component_reflects_composite_equivocators s i;
}.

Definition other_components_after_send
  (P_allowed : index -> Prop) (s : VLSM.state ELMOProtocol) : Prop :=
    forall i : index, ~ P_allowed i -> latest_observation_Send (s i).

Lemma non_equivocating_received_message_continues_trace
  (i : index) (si si' : VLSM.state (ELMO_component i))
  (m : Message)
  (Ht : input_constrained_transition (ELMO_component i)
    Receive (si, Some m) (si', None))
  (Hnot_local_equivocator' : ~ local_equivocators_full si' (adr (state m)))
  (i_m : index)
  (Hi_m : adr (state m) = idx i_m)
  (Hadr_neq : adr (state m) <> idx i)
  (sigma : composite_state ELMO_component)
  (Hcomponent : sigma i = si)
  (Hsigma : valid_state_prop ELMOProtocol sigma)
  (Hm_not_sent_yet : ~ composite_has_been_sent ELMO_component sigma m)
  (Hspecial : component_reflects_composite sigma i)
  (H_not_i_paused : other_components_after_send (fun j : index => j = i) sigma)
  : exists tr_m,
      finite_constrained_trace_from_to (ELMO_component i_m) (sigma i_m) (state m) tr_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
∃ tr_m : list transition_item,
  finite_constrained_trace_from_to
    (ELMO_component i_m) (sigma i_m) (state m) tr_m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
∃ tr_m : list transition_item,
  finite_constrained_trace_from_to
    (ELMO_component i_m) (sigma i_m) (state m) tr_m
  assert (Hsigma_no_junk :
    forall j, j <> i ->
    forall mj, mj ∈ sentMessages (sigma j) ->
    mj ∈ receivedMessages si).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
∃ tr_m : list transition_item,
  finite_constrained_trace_from_to
    (ELMO_component i_m) 
    (sigma i_m) (state m) tr_m
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
    intros j Hni mj Hmj.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
j: index
Hni: j ≠ i
mj: BaseELMO.Message
Hmj: mj ∈ sentMessages (sigma j)
mj ∈ receivedMessages si
    eapply reachable_sent_messages_adr in Hmj as Hmj_adr;
      [subst | by eapply valid_state_project_preloaded].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
j: index
Hni: j ≠ i
mj: BaseELMO.Message
Hmj: mj ∈ sentMessages (sigma j)
Hmj_adr: adr (state mj) = idx j
mj ∈ receivedMessages (sigma i)
    cut (mj ∈ messages (sigma i)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
j: index
Hni: j ≠ i
mj: BaseELMO.Message
Hmj: mj ∈ sentMessages (sigma j)
Hmj_adr: adr (state mj) = idx j
mj ∈ messages (sigma i)
→ mj ∈ receivedMessages (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
j: index
Hni: j ≠ i
mj: BaseELMO.Message
Hmj: mj ∈ sentMessages (sigma j)
Hmj_adr: adr (state mj) = idx j
mj ∈ messages (sigma i)
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
j: index
Hni: j ≠ i
mj: BaseELMO.Message
Hmj: mj ∈ sentMessages (sigma j)
Hmj_adr: adr (state mj) = idx j
mj ∈ messages (sigma i)
→ mj ∈ receivedMessages (sigma i)
      rewrite elem_of_messages; intros [Hmji |]; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
j: index
Hni: j ≠ i
mj: BaseELMO.Message
Hmj: mj ∈ sentMessages (sigma j)
Hmj_adr: adr (state mj) = idx j
Hmji: mj ∈ sentMessages (sigma i)
mj ∈ receivedMessages (sigma i)
      eapply reachable_sent_messages_adr in Hmji; [| by eapply valid_state_project_preloaded].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
j: index
Hni: j ≠ i
mj: BaseELMO.Message
Hmj: mj ∈ sentMessages (sigma j)
Hmj_adr: adr (state mj) = idx j
Hmji: adr (state mj) = idx i
mj ∈ receivedMessages (sigma i)
      by contradict Hni; eapply inj with idx; [done | congruence].
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
j: index
Hni: j ≠ i
mj: BaseELMO.Message
Hmj: mj ∈ sentMessages (sigma j)
Hmj_adr: adr (state mj) = idx j
mj ∈ messages (sigma i)
    by apply Hspecial; exists j; apply elem_of_messages; left.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
∃ tr_m : list transition_item,
  finite_constrained_trace_from_to
    (ELMO_component i_m) (sigma i_m) (state m) tr_m
  assert (i <> i_m) by (contradict Hadr_neq; congruence).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
∃ tr_m : list transition_item,
  finite_constrained_trace_from_to
    (ELMO_component i_m) (sigma i_m) (state m) tr_m
  apply valid_state_project_preloaded with (i := i_m) in Hsigma as Hsi_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
∃ tr_m : list transition_item,
  finite_constrained_trace_from_to
    (ELMO_component i_m) (sigma i_m) (state m) tr_m
  assert (adr (sigma i_m) = idx i_m) by (apply ELMO_reachable_adr; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
∃ tr_m : list transition_item,
  finite_constrained_trace_from_to
    (ELMO_component i_m) (sigma i_m) (state m) tr_m
  destruct (ELMO_unique_trace_segments i_m (sigma i_m) (state m)) as [tr []]; [.. | by eexists].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
constrained_state_prop (ELMO_component i_m) (state m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
constrained_state_prop (ELMO_component i_m) (state m) destruct Ht as [(Hsi & _ & Hv) _]; inversion Hv; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
H5: ELMO_recv_valid (sigma i) m
constrained_state_prop (ELMO_component i_m) (state m)
    by clear Hsi_m; destruct m; eapply receivable_messages_reachable.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m) destruct (H_not_i_paused i_m) as [Hinit | (sim & lst_im & Hsnd)]; [done | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
Hinit: obs (sigma i_m) = []
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
sim: State
lst_im: Message
Hsnd: sigma i_m = sim <+> MkObservation Send lst_im
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
Hinit: obs (sigma i_m) = []
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m) replace (sigma i_m) with (MkState [] (adr (state m)));
        [by specialize (state_suffix_empty_minimum (state m)); itauto |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
Hinit: obs (sigma i_m) = []
MkState [] (adr (state m)) = sigma i_m
      by apply eq_State; [| cbn; congruence].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
sim: State
lst_im: Message
Hsnd: sigma i_m = sim <+> MkObservation Send lst_im
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m) apply ELMO_latest_observation_Send_state with (i := i_m) in Hsnd as Hsim; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
sim: State
lst_im: Message
Hsnd: sigma i_m = sim <+> MkObservation Send lst_im
Hsim: sim = state lst_im
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
      subst sim.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
      assert (Hcmp : sent_comparable m lst_im).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
sent_comparable m lst_im
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
      {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
sent_comparable m lst_im
        destruct (decide (sent_comparable m lst_im)); [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
n: ¬ sent_comparable m lst_im
sent_comparable m lst_im
        contradict Hnot_local_equivocator'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
n: ¬ sent_comparable m lst_im
local_equivocators_full si' (adr (state m))
        eapply local_equivocators_full_step_update; [by constructor 1 |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
n: ¬ sent_comparable m lst_im
local_equivocators_full si (adr (state m))
∨ adr (state m) = adr (state m)
  ∧ Receive = Receive
    ∧ (∃ m' : BaseELMO.Message,
         m' ∈ receivedMessages si ∧ incomparable m m')
        right; split_and!; [done.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
n: ¬ sent_comparable m lst_im
∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages si ∧ incomparable m m'
        exists lst_im; split; [| split; [| done]].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
n: ¬ sent_comparable m lst_im
lst_im ∈ receivedMessages si
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
n: ¬ sent_comparable m lst_im
adr (state m) = adr (state lst_im)
        -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
n: ¬ sent_comparable m lst_im
lst_im ∈ receivedMessages si by eapply Hsigma_no_junk with (j := i_m); [| rewrite Hsnd; left].
        -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
n: ¬ sent_comparable m lst_im
adr (state m) = adr (state lst_im) by transitivity (adr (sigma i_m)); [congruence | rewrite Hsnd].
      }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
sigma: composite_state ELMO_component
Hcomponent: sigma i = si
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj ∈ receivedMessages si
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
      inversion Hcmp as [| ? ? [] | ? ? Hbefore]; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
sigma: composite_state ELMO_component
lst_im: Message
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state lst_im))
Ht: input_constrained_transition 
  (ELMO_component i) Receive
  (sigma i, Some lst_im) (
  si', None)
i_m: index
Hadr_neq: adr (state lst_im) ≠ idx i
Hi_m: adr (state lst_im) = idx i_m
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma lst_im
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable lst_im lst_im
sigma i_m = state lst_im
∨ state_suffix (sigma i_m) (state lst_im)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
Hbefore: was_sent_before lst_im m
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m)
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
sigma: composite_state ELMO_component
lst_im: Message
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state lst_im))
Ht: input_constrained_transition 
  (ELMO_component i) Receive
  (sigma i, Some lst_im) (
  si', None)
i_m: index
Hadr_neq: adr (state lst_im) ≠ idx i
Hi_m: adr (state lst_im) = idx i_m
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma lst_im
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable lst_im lst_im
sigma i_m = state lst_im
∨ state_suffix (sigma i_m) (state lst_im) by contradict Hm_not_sent_yet; exists i_m; rewrite Hsnd; left.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m) contradict Hm_not_sent_yet; exists i_m; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
m ∈ sentMessages (sigma i_m)
        apply self_messages_sent;
          [by eapply ELMO_no_self_equiv_reachable, valid_state_project_preloaded | by congruence |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
m ∈ messages (sigma i_m)
        apply messages_hb_transitive with lst_im.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
UMO_reachable full_node (sigma i_m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
lst_im ∈ messages (sigma i_m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
m <hb lst_im
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
UMO_reachable full_node (sigma i_m) by eapply ELMO_full_node_reachable, valid_state_project_preloaded.
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
lst_im ∈ messages (sigma i_m) by rewrite Hsnd; left.
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
H4: adr (state m) = adr (state lst_im)
H5: m ∈ sentMessages (state lst_im)
m <hb lst_im by constructor 1; apply elem_of_messages; left.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
Hbefore: was_sent_before lst_im m
sigma i_m = state m
∨ state_suffix (sigma i_m) (state m) eapply was_sent_before_characterization_1 in Hbefore; [by rewrite Hsnd; itauto |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
Hbefore: was_sent_before lst_im m
H4: ∀ (P : BaseELMO.State → BaseELMO.Message → Prop) 
  (m1 m2 : BaseELMO.Message),
  UMO_reachable P (state m2)
  → was_sent_before m1 m2
    → let s := state m1 <+> MkObservation Send m1
        in
      state_suffix s (state m2) ∨ s = state m2
UMO_reachable ?P (state m)
        eapply ELMO_reachable_view with (i := i_m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
Hbefore: was_sent_before lst_im m
H4: ∀ (P : BaseELMO.State → BaseELMO.Message → Prop) 
  (m1 m2 : BaseELMO.Message),
  UMO_reachable P (state m2)
  → was_sent_before m1 m2
    → let s := state m1 <+> MkObservation Send m1
        in
      state_suffix s (state m2) ∨ s = state m2
constrained_state_prop (ELMO_component i_m) (state m)
        destruct Ht as [(Hsi & _ & Hv) _]; inversion Hv; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
Hv: valid Receive (sigma i, Some m)
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: valid_state_prop ELMOProtocol sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hsigma_no_junk: ∀ j : index,
  j ≠ i
  → ∀ mj : BaseELMO.Message,
      mj ∈ sentMessages (sigma j)
      → mj
        ∈ receivedMessages (sigma i)
H2: i ≠ i_m
Hsi_m: constrained_state_prop 
  (ELMO_component i_m) 
  (sigma i_m)
H3: adr (sigma i_m) = idx i_m
lst_im: Message
Hsnd: sigma i_m =
state lst_im <+> MkObservation Send lst_im
Hcmp: sent_comparable m lst_im
Hbefore: was_sent_before lst_im m
H4: ∀ (P : BaseELMO.State → BaseELMO.Message → Prop) 
  (m1 m2 : BaseELMO.Message),
  UMO_reachable P (state m2)
  → was_sent_before m1 m2
    → let s := state m1 <+> MkObservation Send m1
        in
      state_suffix s (state m2) ∨ s = state m2
H6: ELMO_recv_valid (sigma i) m
constrained_state_prop (ELMO_component i_m) (state m)
        by clear Hsi_m; destruct m; eapply receivable_messages_reachable; [congruence | ..].
Qed.

Lemma all_intermediary_transitions_are_receive
  (i : index) (si si' : VLSM.state (ELMO_component i))
  (m : Message)
  (Ht : input_constrained_transition (ELMO_component i)
    Receive (si, Some m) (si', None))
  (i_m : index)
  (Hi_m : adr (state m) = idx i_m)
  (Hadr_neq : adr (state m) <> idx i)
  (Hnot_local_equivocator : ~ local_equivocators_full si (adr (state m)))
  (sigma : composite_state ELMO_component)
  (Hsigma : composite_constrained_state_prop ELMO_component sigma)
  (Hcomponent : sigma i = si)
  (Hspecial : component_reflects_composite sigma i)
  (tr_m : list transition_item)
  (Htr_m : finite_constrained_trace_from_to (ELMO_component i_m) (sigma i_m) (state m) tr_m)
  : Forall (fun item : transition_item ELMO_component_type => l item = Receive) tr_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
sigma: composite_state ELMO_component
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Forall (λ item : transition_item, l item = Receive)
  tr_m
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
sigma: composite_state ELMO_component
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Forall (λ item : transition_item, l item = Receive)
  tr_m
  apply Forall_forall; intros item Hitem.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
sigma: composite_state ELMO_component
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
item: transition_item
Hitem: item ∈ tr_m
l item = Receive
  eapply ELMO_component_elem_of_constrained_trace in Hitem as H_item;
    [| by red; eapply valid_trace_forget_last].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
sigma: composite_state ELMO_component
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
item: transition_item
Hitem: item ∈ tr_m
H_item: ∃ (s : State) (m : Message),
  destination item =
  s <+> MkObservation (l item) m
  ∧ input_constrained_transition_item
      (ELMO_component i_m) s item
l item = Receive
  destruct H_item as (s_m0 & m0 & Hs_m0 & H_item).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
sigma: composite_state ELMO_component
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
item: transition_item
Hitem: item ∈ tr_m
s_m0: State
m0: Message
Hs_m0: destination item =
s_m0 <+> MkObservation (l item) m0
H_item: input_constrained_transition_item
  (ELMO_component i_m) s_m0 item
l item = Receive
  destruct item; apply ELMO_component_input_constrained_transition_iff in H_item
    as [[] | (Hl & m_0 & Houtput & Hinput & H_item)]; [done | cbn in *; subst].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
m0, m_0: Message
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+> MkObservation Send m0;
  output := Some m_0
|} ∈ tr_m
H_item: ELMO_component_RAM_transition i_m Send s_m0
  (s_m0 <+> MkObservation Send m0) m_0
Send = Receive
  inversion H_item as [| ? ? ? [(_ & _ & Hvi) Hti]]; subst;
    inversion Hvi; subst; inversion Hti; subst; clear H_item Hvi Hti.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Send = Receive
  contradict Hnot_local_equivocator; apply Hspecial.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
global_equivocators_simple sigma (adr (state m))
  eapply ELMO_component_sentMessages_of_constrained_trace in Hitem as Hm0; [| done..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
global_equivocators_simple sigma (adr (state m))
  eapply reachable_sent_messages_adr in Hm0 as Hm0_adr;
    [| by eapply finite_valid_trace_from_to_last_pstate].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
global_equivocators_simple sigma (adr (state m))
  exists (MkMessage s_m0); [by congruence | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
composite_has_been_received ELMO_component sigma
  (MkMessage s_m0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
¬ composite_has_been_sent ELMO_component sigma
    (MkMessage s_m0)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
composite_has_been_received ELMO_component sigma
  (MkMessage s_m0) exists i.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
has_been_received (ELMO_component i) (sigma i)
  (MkMessage s_m0)
    assert (Hm : MkMessage s_m0 ∈ messages (sigma i)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
MkMessage s_m0 ∈ messages (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hm: MkMessage s_m0 ∈ messages (sigma i)
has_been_received (ELMO_component i) 
  (sigma i) (MkMessage s_m0)
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
MkMessage s_m0 ∈ messages (sigma i)
      destruct Ht as [(_ & _ & Hv) _]; inversion Hv as [? ? [] |]; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
MkMessage s_m0 ∈ messages (sigma i)
      eapply elem_of_submseteq; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
MkMessage s_m0 ∈ messages (state m)
      by apply elem_of_messages; left.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hm: MkMessage s_m0 ∈ messages (sigma i)
has_been_received (ELMO_component i) (sigma i)
  (MkMessage s_m0)
    apply elem_of_messages in Hm as [Hsnd |]; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i)
has_been_received (ELMO_component i) (sigma i)
  (MkMessage s_m0)
    cbn in Hsnd; eapply reachable_sent_messages_adr in Hsnd; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i)
constrained_state_prop (ELMO_component ?i) (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: adr (state (MkMessage s_m0)) = idx ?i
has_been_received (ELMO_component i) 
  (sigma i) (MkMessage s_m0)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i)
constrained_state_prop (ELMO_component ?i) (sigma i) by eapply composite_constrained_state_project.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: adr (state (MkMessage s_m0)) = idx i
has_been_received (ELMO_component i) (sigma i)
  (MkMessage s_m0) by congruence.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
¬ composite_has_been_sent ELMO_component sigma
    (MkMessage s_m0) intros [j Hsnd].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
j: index
Hsnd: has_been_sent (ELMO_component j) 
  (sigma j) (MkMessage s_m0)
False
    cbn in Hsnd; eapply reachable_sent_messages_adr in Hsnd as Hsnd_adr;
      [| by eapply composite_constrained_state_project].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
j: index
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma j)
Hsnd_adr: adr (state (MkMessage s_m0)) = idx j
False
    rewrite Hm0_adr in Hsnd_adr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
j: index
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma j)
Hsnd_adr: idx i_m = idx j
False
    eapply inj in Hsnd_adr; [| done]; subst j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hitem: {|
  l := Send;
  input := None;
  destination :=
    s_m0 <+>
    MkObservation Send (MkMessage s_m0);
  output := Some (MkMessage s_m0)
|} ∈ tr_m
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i_m)
False
    eapply ELMO_component_sizeState_of_constrained_trace_output in Hitem;
      [| by red; eapply valid_trace_forget_last | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i_m)
Hitem: sizeState (sigma i_m)
≤ sizeState (state (MkMessage s_m0))
False
    assert (sizeState s_m0 < sizeState (sigma i_m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i_m)
Hitem: sizeState (sigma i_m)
≤ sizeState (state (MkMessage s_m0))
sizeState s_m0 < sizeState (sigma i_m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i_m)
Hitem: sizeState (sigma i_m)
≤ sizeState (state (MkMessage s_m0))
H2: sizeState s_m0 < sizeState (sigma i_m)
False
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i_m)
Hitem: sizeState (sigma i_m)
≤ sizeState (state (MkMessage s_m0))
sizeState s_m0 < sizeState (sigma i_m)
      change s_m0 with (state (MkMessage s_m0)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i_m)
Hitem: sizeState (sigma i_m)
≤ sizeState (state (MkMessage s_m0))
sizeState (state (MkMessage s_m0)) <
sizeState (sigma i_m)
      by apply messages_sizeState, elem_of_messages; left.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': BaseELMO.State
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hsigma: composite_constrained_state_prop
  ELMO_component sigma
Hspecial: component_reflects_composite sigma i
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
s_m0: State
Hm0: MkMessage s_m0 ∈ sentMessages (state m)
Hm0_adr: adr (state (MkMessage s_m0)) = idx i_m
Hsnd: MkMessage s_m0 ∈ sentMessages (sigma i_m)
Hitem: sizeState (sigma i_m)
≤ sizeState (state (MkMessage s_m0))
H2: sizeState s_m0 < sizeState (sigma i_m)
False
    by cbn in Hitem; lia.
Qed.

Lemma lift_receive_trace
  (sigma : composite_state ELMO_component)
  (Hsigma : valid_state_prop ELMOProtocol sigma)
  (m : Message)
  (i_m : index)
  (tr_m : list transition_item)
  (Htr_m : finite_constrained_trace_from_to (ELMO_component i_m) (sigma i_m) (state m) tr_m)
  (Htr_m_receive : Forall (fun item : transition_item ELMO_component_type => l item = Receive) tr_m)
  (Htr_m_inputs_in_sigma :
    forall (item : transition_item) (msg : Message),
      item ∈ tr_m -> input item = Some msg ->
      composite_has_been_directly_observed ELMO_component sigma msg) :
  finite_valid_trace_from_to ELMOProtocol
    sigma (lift_to_composite_state ELMO_component sigma i_m (state m))
    (pre_VLSM_embedding_finite_trace_project
      _ _ (lift_to_composite_label ELMO_component i_m)
      (lift_to_composite_state ELMO_component sigma i_m)
      tr_m)
    /\
  forall a : Address,
    global_equivocators_simple
      (lift_to_composite_state ELMO_component sigma i_m (state m)) a
      <->
    global_equivocators_simple sigma a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     tr_m)
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m (state m)) a
     ↔ global_equivocators_simple sigma a)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     tr_m)
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m (state m)) a
     ↔ global_equivocators_simple sigma a)
  remember (pre_VLSM_embedding_finite_trace_project _ _ _ _ _) as tr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
tr: list transition_item
Heqtr: tr =
pre_VLSM_embedding_finite_trace_project
  (ELMO_component i_m)
  (composite_type ELMO_component)
  (lift_to_composite_label ELMO_component i_m)
  (lift_to_composite_state ELMO_component
     sigma i_m) tr_m
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (state m)) tr
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m (state m)) a
     ↔ global_equivocators_simple sigma a)
  remember (sigma i_m) as si_m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
tr_m: list transition_item
si_m: VLSM.state (ELMO_component i_m)
Heqsi_m: si_m = sigma i_m
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) si_m 
  (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
tr: list transition_item
Heqtr: tr =
pre_VLSM_embedding_finite_trace_project
  (ELMO_component i_m)
  (composite_type ELMO_component)
  (lift_to_composite_label ELMO_component i_m)
  (lift_to_composite_state ELMO_component
     sigma i_m) tr_m
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (state m)) tr
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m (state m)) a
     ↔ global_equivocators_simple sigma a)
  remember (state m) as sm; clear Heqsm.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
tr_m: list transition_item
si_m: VLSM.state (ELMO_component i_m)
Heqsi_m: si_m = sigma i_m
sm: BaseELMO.State
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) si_m sm tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
tr: list transition_item
Heqtr: tr =
pre_VLSM_embedding_finite_trace_project
  (ELMO_component i_m)
  (composite_type ELMO_component)
  (lift_to_composite_label ELMO_component i_m)
  (lift_to_composite_state ELMO_component
     sigma i_m) tr_m
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m sm)
  tr
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m sm) a
     ↔ global_equivocators_simple sigma a)
  revert Heqsi_m Htr_m_inputs_in_sigma Htr_m_receive tr Heqtr.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
tr_m: list transition_item
si_m: VLSM.state (ELMO_component i_m)
sm: BaseELMO.State
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) si_m sm tr_m
si_m = sigma i_m
→ (∀ (item : transition_item) (msg : Message),
     item ∈ tr_m
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item, l item = Receive)
      tr_m
    → ∀ tr : list transition_item,
        tr =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label ELMO_component i_m)
          (lift_to_composite_state ELMO_component
             sigma i_m) tr_m
        → finite_valid_trace_from_to ELMOProtocol
            sigma
            (lift_to_composite_state ELMO_component
               sigma i_m sm) tr
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m sm) a
               ↔ global_equivocators_simple sigma a)
  induction Htr_m using finite_valid_trace_from_to_rev_ind; intros; subst;
    [by unfold lift_to_composite_state; rewrite state_update_id; split; constructor |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s, iom) (sf, oom)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         VLSM.l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     VLSM.l item = Receive)
  (tr ++
   [{|
      l := l;
      input := iom;
      destination := sf;
      output := oom
    |}])
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m sf)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     (tr ++
      [{|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}]))
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m sf) a
     ↔ global_equivocators_simple sigma a)
  apply Forall_app in Htr_m_receive as [Htr_m_receive Hl].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) l (
  s, iom) (sf, oom)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         VLSM.l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := l;
       input := iom;
       destination := sf;
       output := oom
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     VLSM.l item = Receive) tr
Hl: Forall
  (λ item : transition_item,
     VLSM.l item = Receive)
  [{|
     l := l;
     input := iom;
     destination := sf;
     output := oom
   |}]
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m sf)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     (tr ++
      [{|
         l := l;
         input := iom;
         destination := sf;
         output := oom
       |}]))
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m sf) a
     ↔ global_equivocators_simple sigma a)
  inversion Hl as [| ? ? H_l _]; cbn in H_l; subst; clear Hl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
sf: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
iom, oom: option Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, iom) (sf, oom)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := iom;
       destination := sf;
       output := oom
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m sf)
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     (tr ++
      [{|
         l := Receive;
         input := iom;
         destination := sf;
         output := oom
       |}]))
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m sf) a
     ↔ global_equivocators_simple sigma a)
  pose (Hti := Ht); destruct Hti as [(_ & _ & Hv) Hti];
    inversion Hv; subst; inversion Hti; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     (tr ++
      [{|
         l := Receive;
         input := Some m0;
         destination := s <+> MkObservation Receive m0;
         output := None
       |}]))
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m (s <+> MkObservation Receive m0)) a
     ↔ global_equivocators_simple sigma a)
  setoid_rewrite map_app; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0))
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component i_m)
        (lift_to_composite_state ELMO_component sigma
           i_m)) tr ++
   [pre_VLSM_embedding_transition_item_project
      ELMO_component_type
      (composite_type ELMO_component)
      (lift_to_composite_label ELMO_component i_m)
      (lift_to_composite_state ELMO_component sigma
         i_m)
      {|
        l := Receive;
        input := Some m0;
        destination := s <+> MkObservation Receive m0;
        output := None
      |}])
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m (s <+> MkObservation Receive m0)) a
     ↔ global_equivocators_simple sigma a)
  assert (Hm0 : composite_has_been_directly_observed ELMO_component sigma m0)
    by (eapply Htr_m_inputs_in_sigma;
      [apply elem_of_app; right; apply elem_of_list_singleton |]; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0))
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component i_m)
        (lift_to_composite_state ELMO_component sigma
           i_m)) tr ++
   [pre_VLSM_embedding_transition_item_project
      ELMO_component_type
      (composite_type ELMO_component)
      (lift_to_composite_label ELMO_component i_m)
      (lift_to_composite_state ELMO_component sigma
         i_m)
      {|
        l := Receive;
        input := Some m0;
        destination := s <+> MkObservation Receive m0;
        output := None
      |}])
∧ (∀ a : Address,
     global_equivocators_simple
       (lift_to_composite_state ELMO_component sigma
          i_m (s <+> MkObservation Receive m0)) a
     ↔ global_equivocators_simple sigma a)
  edestruct IHHtr_m as [Htr Hall];
    [.. | split; [eapply finite_valid_trace_from_to_app; [by apply Htr |] |]].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
sigma i_m = sigma i_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
∀ (item : transition_item) (msg : Message),
  item ∈ tr
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma msg
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Forall (λ item : transition_item, l item = Receive) tr
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
map
  (pre_VLSM_embedding_transition_item_project
     ELMO_component_type
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m))
  tr =
pre_VLSM_embedding_finite_trace_project
  (ELMO_component i_m) 
  (composite_type ELMO_component)
  (lift_to_composite_label ELMO_component i_m)
  (lift_to_composite_state ELMO_component sigma i_m)
  tr
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component sigma i_m s)
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0))
  [pre_VLSM_embedding_transition_item_project
     ELMO_component_type
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     {|
       l := Receive;
       input := Some m0;
       destination := s <+> MkObservation Receive m0;
       output := None
     |}]
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component sigma i_m
       (s <+> MkObservation Receive m0)) a
  ↔ global_equivocators_simple sigma a
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
sigma i_m = sigma i_m done.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
∀ (item : transition_item) (msg : Message),
  item ∈ tr
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma msg intros item msg Hitem Hmsg.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
item: transition_item
msg: Message
Hitem: item ∈ tr
Hmsg: input item = Some msg
composite_has_been_directly_observed ELMO_component
  sigma msg
    by eapply Htr_m_inputs_in_sigma; [apply elem_of_app; left |].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Forall (λ item : transition_item, l item = Receive) tr done.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
map
  (pre_VLSM_embedding_transition_item_project
     ELMO_component_type
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m))
  tr =
pre_VLSM_embedding_finite_trace_project
  (ELMO_component i_m) (composite_type ELMO_component)
  (lift_to_composite_label ELMO_component i_m)
  (lift_to_composite_state ELMO_component sigma i_m)
  tr done.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
finite_valid_trace_from_to ELMOProtocol
  (lift_to_composite_state ELMO_component sigma i_m s)
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0))
  [pre_VLSM_embedding_transition_item_project
     ELMO_component_type
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     {|
       l := Receive;
       input := Some m0;
       destination := s <+> MkObservation Receive m0;
       output := None
     |}] apply finite_valid_trace_from_add_last; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
finite_valid_trace_from ELMOProtocol
  (lift_to_composite_state ELMO_component sigma i_m s)
  [pre_VLSM_embedding_transition_item_project
     ELMO_component_type
     (composite_type ELMO_component)
     (lift_to_composite_label ELMO_component i_m)
     (lift_to_composite_state ELMO_component sigma i_m)
     {|
       l := Receive;
       input := Some m0;
       destination := s <+> MkObservation Receive m0;
       output := None
     |}]
    apply first_transition_valid; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
input_valid_transition ELMOProtocol
  (lift_to_composite_label ELMO_component i_m Receive)
  (lift_to_composite_state ELMO_component sigma i_m s,
   Some m0)
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0), None)
    apply finite_valid_trace_from_to_last_pstate in Htr as Hsigma'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
input_valid_transition ELMOProtocol
  (lift_to_composite_label ELMO_component i_m Receive)
  (lift_to_composite_state ELMO_component sigma i_m s,
   Some m0)
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0), None)
    repeat split; cbn; [done | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
option_valid_message_prop ELMOProtocol (Some m0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
ELMO_component_valid Receive
  (lift_to_composite_state ELMO_component sigma i_m s
     i_m) (Some m0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
ELMO_not_heavy
  (state_update ELMO_component
     (lift_to_composite_state ELMO_component sigma i_m
        s) i_m
     (lift_to_composite_state ELMO_component sigma i_m
        s i_m <+> MkObservation Receive m0))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
(state_update ELMO_component
   (lift_to_composite_state ELMO_component sigma i_m s)
   i_m
   (lift_to_composite_state ELMO_component sigma i_m s
      i_m <+> MkObservation Receive m0), None) =
(lift_to_composite_state ELMO_component sigma i_m
   (s <+> MkObservation Receive m0), None)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
option_valid_message_prop ELMOProtocol (Some m0) by eapply composite_directly_observed_valid; cycle 1.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
ELMO_component_valid Receive
  (lift_to_composite_state ELMO_component sigma i_m s
     i_m) (Some m0) by constructor; state_update_simpl.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
ELMO_not_heavy
  (state_update ELMO_component
     (lift_to_composite_state ELMO_component sigma i_m
        s) i_m
     (lift_to_composite_state ELMO_component sigma i_m
        s i_m <+> MkObservation Receive m0)) eapply
        (in_futures_preserving_oracle_from_stepwise _ _ _ _
          (composite_has_been_directly_observed_stepwise_props ELMO_component
            ELMO_global_constraint)) in Hm0;
        [| by eapply (VLSM_incl_in_futures (vlsm_incl_preloaded_with_all_messages_vlsm
          ELMOProtocol)); eexists].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
Hm0: composite_has_been_directly_observed
  ELMO_component
  (lift_to_composite_state ELMO_component sigma
     i_m s) m0
ELMO_not_heavy
  (state_update ELMO_component
     (lift_to_composite_state ELMO_component sigma i_m
        s) i_m
     (lift_to_composite_state ELMO_component sigma i_m
        s i_m <+> MkObservation Receive m0))
      destruct Hm0 as [i_m0 Hm0].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
i_m0: index
Hm0: has_been_directly_observed 
  (ELMO_component i_m0)
  (lift_to_composite_state ELMO_component sigma
     i_m s i_m0) m0
ELMO_not_heavy
  (state_update ELMO_component
     (lift_to_composite_state ELMO_component sigma i_m
        s) i_m
     (lift_to_composite_state ELMO_component sigma i_m
        s i_m <+> MkObservation Receive m0))
      eapply ELMO_not_heavy_receive_observed_message; [| done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
i_m0: index
Hm0: has_been_directly_observed 
  (ELMO_component i_m0)
  (lift_to_composite_state ELMO_component sigma
     i_m s i_m0) m0
UMO_reachable full_node
  (lift_to_composite_state ELMO_component sigma i_m s
     i_m0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
i_m0: index
Hm0: has_been_directly_observed 
  (ELMO_component i_m0)
  (lift_to_composite_state ELMO_component sigma
     i_m s i_m0) m0
ELMO_not_heavy
  (lift_to_composite_state ELMO_component sigma i_m s)
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
i_m0: index
Hm0: has_been_directly_observed 
  (ELMO_component i_m0)
  (lift_to_composite_state ELMO_component sigma
     i_m s i_m0) m0
UMO_reachable full_node
  (lift_to_composite_state ELMO_component sigma i_m s
     i_m0) by eapply ELMO_full_node_reachable, valid_state_project_preloaded.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
i_m0: index
Hm0: has_been_directly_observed 
  (ELMO_component i_m0)
  (lift_to_composite_state ELMO_component sigma
     i_m s i_m0) m0
ELMO_not_heavy
  (lift_to_composite_state ELMO_component sigma i_m s) by apply ELMO_valid_state_not_heavy.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
(state_update ELMO_component
   (lift_to_composite_state ELMO_component sigma i_m s)
   i_m
   (lift_to_composite_state ELMO_component sigma i_m s
      i_m <+> MkObservation Receive m0), None) =
(lift_to_composite_state ELMO_component sigma i_m
   (s <+> MkObservation Receive m0), None) by state_update_simpl; rewrite state_update_twice.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component sigma i_m
       (s <+> MkObservation Receive m0)) a
  ↔ global_equivocators_simple sigma a apply finite_valid_trace_from_to_last_pstate in Htr as Hsigma'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Hm0: composite_has_been_directly_observed
  ELMO_component sigma m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component sigma i_m
       (s <+> MkObservation Receive m0)) a
  ↔ global_equivocators_simple sigma a
    eapply
      (in_futures_preserving_oracle_from_stepwise _ _ _ _
        (composite_has_been_directly_observed_stepwise_props ELMO_component
          ELMO_global_constraint)) in Hm0;
      [| by eapply (VLSM_incl_in_futures (vlsm_incl_preloaded_with_all_messages_vlsm
        ELMOProtocol)); eexists].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
Hm0: composite_has_been_directly_observed
  ELMO_component
  (lift_to_composite_state ELMO_component sigma
     i_m s) m0
∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component sigma i_m
       (s <+> MkObservation Receive m0)) a
  ↔ global_equivocators_simple sigma a
    intro a; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
Hm0: composite_has_been_directly_observed
  ELMO_component
  (lift_to_composite_state ELMO_component sigma
     i_m s) m0
a: Address
global_equivocators_simple
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0)) a
↔ global_equivocators_simple sigma a
    transitivity (global_equivocators_simple (lift_to_composite_state ELMO_component sigma i_m s) a);
      [| apply Hall].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma
            (lift_to_composite_state
               ELMO_component sigma i_m s)
            tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 (lift_to_composite_state
                    ELMO_component sigma i_m
                    s) a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma
     i_m s)
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m s) a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol
  (lift_to_composite_state ELMO_component
     sigma i_m s)
Hm0: composite_has_been_directly_observed
  ELMO_component
  (lift_to_composite_state ELMO_component sigma
     i_m s) m0
a: Address
global_equivocators_simple
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0)) a
↔ global_equivocators_simple
    (lift_to_composite_state ELMO_component sigma i_m
       s) a
    remember (lift_to_composite_state ELMO_component sigma i_m s) as sigma_s.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
sigma_s: composite_state ELMO_component
Heqsigma_s: sigma_s =
lift_to_composite_state ELMO_component
  sigma i_m s
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma sigma_s tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 sigma_s a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  sigma_s
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple sigma_s a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol sigma_s
Hm0: composite_has_been_directly_observed
  ELMO_component sigma_s m0
a: Address
global_equivocators_simple
  (lift_to_composite_state ELMO_component sigma i_m
     (s <+> MkObservation Receive m0)) a
↔ global_equivocators_simple sigma_s a
    replace s with (sigma_s i_m) by (subst; state_update_simpl; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
sigma_s: composite_state ELMO_component
Heqsigma_s: sigma_s =
lift_to_composite_state ELMO_component
  sigma i_m s
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma sigma_s tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 sigma_s a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  sigma_s
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple sigma_s a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol sigma_s
Hm0: composite_has_been_directly_observed
  ELMO_component sigma_s m0
a: Address
global_equivocators_simple
  (lift_to_composite_state ELMO_component sigma i_m
     (sigma_s i_m <+> MkObservation Receive m0)) a
↔ global_equivocators_simple sigma_s a
    replace (lift_to_composite_state ELMO_component sigma i_m _) with
      (state_update ELMO_component sigma_s i_m (sigma_s i_m <+> MkObservation Receive m0))
      by (subst; rewrite state_update_twice; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
sigma_s: composite_state ELMO_component
Heqsigma_s: sigma_s =
lift_to_composite_state ELMO_component
  sigma i_m s
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma sigma_s tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 sigma_s a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  sigma_s
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple sigma_s a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol sigma_s
Hm0: composite_has_been_directly_observed
  ELMO_component sigma_s m0
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma_s i_m
     (sigma_s i_m <+> MkObservation Receive m0)) a
↔ global_equivocators_simple sigma_s a
    rewrite global_equivocators_simple_step_update_receive
      by (subst; state_update_simpl; constructor; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
sigma_s: composite_state ELMO_component
Heqsigma_s: sigma_s =
lift_to_composite_state ELMO_component
  sigma i_m s
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma sigma_s tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 sigma_s a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  sigma_s
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple sigma_s a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol sigma_s
Hm0: composite_has_been_directly_observed
  ELMO_component sigma_s m0
a: Address
global_equivocators_simple sigma_s a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component sigma_s
        m0 ↔ global_equivocators_simple sigma_s a
    split; [| by left].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
sigma_s: composite_state ELMO_component
Heqsigma_s: sigma_s =
lift_to_composite_state ELMO_component
  sigma i_m s
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma sigma_s tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 sigma_s a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  sigma_s
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple sigma_s a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol sigma_s
Hm0: composite_has_been_directly_observed
  ELMO_component sigma_s m0
a: Address
global_equivocators_simple sigma_s a
∨ a = adr (state m0)
  ∧ ¬ composite_has_been_sent ELMO_component sigma_s
        m0 → global_equivocators_simple sigma_s a
    intros [| [-> Hnsnd]]; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
sigma_s: composite_state ELMO_component
Heqsigma_s: sigma_s =
lift_to_composite_state ELMO_component
  sigma i_m s
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma sigma_s tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 sigma_s a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  sigma_s
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple sigma_s a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol sigma_s
Hm0: composite_has_been_directly_observed
  ELMO_component sigma_s m0
Hnsnd: ¬ composite_has_been_sent ELMO_component
    sigma_s m0
global_equivocators_simple sigma_s (adr (state m0))
    econstructor; [done | | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
m: Message
i_m: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr_m: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) 
  (sigma i_m) s tr
m0: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) Receive (
  s, Some m0)
  (s <+> MkObservation Receive m0, None)
sigma_s: composite_state ELMO_component
Heqsigma_s: sigma_s =
lift_to_composite_state ELMO_component
  sigma i_m s
IHHtr_m: sigma i_m = sigma i_m
→ (∀ (item : transition_item) 
     (msg : Message),
     item ∈ tr
     → input item = Some msg
       → composite_has_been_directly_observed
           ELMO_component sigma msg)
  → Forall
      (λ item : transition_item,
         l item = Receive) tr
    → ∀ tr0 : list transition_item,
        tr0 =
        pre_VLSM_embedding_finite_trace_project
          (ELMO_component i_m)
          (composite_type ELMO_component)
          (lift_to_composite_label
             ELMO_component i_m)
          (lift_to_composite_state
             ELMO_component sigma i_m) tr
        → finite_valid_trace_from_to
            ELMOProtocol sigma sigma_s tr0
          ∧ (∀ a : Address,
               global_equivocators_simple
                 sigma_s a
               ↔ global_equivocators_simple
                   sigma a)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item
  ∈ tr ++
    [{|
       l := Receive;
       input := Some m0;
       destination :=
         s <+>
         MkObservation Receive
           m0;
       output := None
     |}]
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr
Hti: transition Receive (s, Some m0) =
(s <+> MkObservation Receive m0, None)
Hv: valid Receive (s, Some m0)
H2: ELMO_recv_valid s m0
Htr: finite_valid_trace_from_to ELMOProtocol sigma
  sigma_s
  (map
     (pre_VLSM_embedding_transition_item_project
        ELMO_component_type
        (composite_type ELMO_component)
        (lift_to_composite_label ELMO_component
           i_m)
        (lift_to_composite_state ELMO_component
           sigma i_m)) tr)
Hall: ∀ a : Address,
  global_equivocators_simple sigma_s a
  ↔ global_equivocators_simple sigma a
Hsigma': valid_state_prop ELMOProtocol sigma_s
Hm0: composite_has_been_directly_observed
  ELMO_component sigma_s m0
Hnsnd: ¬ composite_has_been_sent ELMO_component
    sigma_s m0
composite_has_been_received ELMO_component sigma_s m0
    by apply composite_has_been_directly_observed_sent_received_iff in Hm0 as [].
Qed.

Lemma special_receivable_messages_emittable_in_future
  (i : index) (si si' : VLSM.state (ELMO_component i))
  (m : Message)
  (Ht : input_constrained_transition (ELMO_component i)
    Receive (si, Some m) (si', None))
  (i_m : index)
  (Hi_m : adr (state m) = idx i_m)
  (Hadr_neq : adr (state m) <> idx i)
  (Hnot_local_equivocator : ~ local_equivocators_full si (adr (state m)))
  (Hnot_local_equivocator' : ~ local_equivocators_full si' (adr (state m)))
  (sigma : composite_state ELMO_component)
  (Hsigma : valid_state_prop ELMOProtocol sigma)
  (Hcomponent : sigma i = si)
  (Hspecial : component_reflects_composite sigma i)
  (H_not_i_paused : other_components_after_send (fun j : index => j = i) sigma)
  (Hm_not_sent_yet : ~ composite_has_been_sent ELMO_component sigma m) :
    exists sigma' : VLSM.state ELMOProtocol,
      in_futures ELMOProtocol sigma sigma' /\
      sigma' i = si /\
      component_reflects_composite sigma' i /\
      sigma' i_m = state m /\
      other_components_after_send (fun j : index => j = i \/ j = i_m) sigma'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  assert (Hiim : i <> i_m) by (contradict Hadr_neq; congruence).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  assert (Hai_m : adr (sigma i_m) = idx i_m)
    by (apply ELMO_reachable_adr; eapply valid_state_project_preloaded; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  edestruct non_equivocating_received_message_continues_trace as [tr_m Htr_m]; [done.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  assert (Htr_m_receive :
    Forall (fun item : transition_item ELMO_component_type => l item = Receive) tr_m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Forall (λ item : transition_item, l item = Receive)
  tr_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Forall (λ item : transition_item, l item = Receive)
  tr_m
    eapply all_intermediary_transitions_are_receive; only 1-4, 6-8: done.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
composite_constrained_state_prop ELMO_component sigma
    eapply VLSM_incl_valid_state; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
VLSM_incl_part
  (constrained_vlsm_machine
     (free_composite_vlsm ELMO_component)
     ELMO_global_constraint)
  (preloaded_vlsm_machine
     (free_composite_vlsm ELMO_component)
     (λ _ : Message, True))
    by apply constrained_preloaded_incl with (constraint := ELMO_global_constraint).
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  assert (Htr_m_inputs_in_sigma :
    forall item msg, item ∈ tr_m -> input item = Some msg ->
    composite_has_been_directly_observed ELMO_component sigma msg).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
∀ (item : transition_item) (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma msg
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
∀ (item : transition_item) (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma msg
    intros item msg Hitem Hinput.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
composite_has_been_directly_observed ELMO_component
  sigma msg
    destruct Ht as [(Hsi & _ & Hv) _]; inversion Hv as [? ? [] |]; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
composite_has_been_directly_observed ELMO_component
  sigma msg
    cut (has_been_received (ELMO_component i_m) (state m) msg).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
has_been_received (ELMO_component i_m) (state m) msg
→ composite_has_been_directly_observed ELMO_component
    sigma msg
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) 
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) 
  (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
has_been_received (ELMO_component i_m) (state m) msg
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
has_been_received (ELMO_component i_m) (state m) msg
→ composite_has_been_directly_observed ELMO_component
    sigma msg
      cbn; intro Hmsg.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
Hmsg: msg ∈ receivedMessages (state m)
composite_has_been_directly_observed ELMO_component
  sigma msg
      exists i; cbn; unfold has_been_directly_observed_from_sent_received; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
Hmsg: msg ∈ receivedMessages (state m)
msg ∈ sentMessages (sigma i)
∨ msg ∈ receivedMessages (sigma i)
      eapply elem_of_messages, elem_of_submseteq; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
Hmsg: msg ∈ receivedMessages (state m)
msg ∈ messages (state m)
      by apply elem_of_messages; right.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
has_been_received (ELMO_component i_m) (state m) msg
    apply finite_valid_trace_from_to_complete_left in Htr_m as (is & tr & Htr & Hlst).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
is: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is 
  (state m) (tr ++ tr_m)
Hlst: finite_trace_last is tr = sigma i_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
has_been_received (ELMO_component i_m) (state m) msg
    eapply has_been_received_examine_one_trace; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
is: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is 
  (state m) (tr ++ tr_m)
Hlst: finite_trace_last is tr = sigma i_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
trace_has_message (field_selector input) msg
  (tr ++ tr_m)
    apply Exists_app; right.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) 
  (sigma i)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
is: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (ELMO_component i_m)) is 
  (state m) (tr ++ tr_m)
Hlst: finite_trace_last is tr = sigma i_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
item: transition_item
msg: Message
Hitem: item ∈ tr_m
Hinput: input item = Some msg
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
Exists (field_selector input msg) tr_m
    by apply Exists_exists; eexists.
  }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  edestruct lift_receive_trace as [Htrsigma_m' Heqv]; [done.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
∃ sigma' : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma sigma'
  ∧ sigma' i = si
    ∧ component_reflects_composite sigma' i
      ∧ sigma' i_m = state m
        ∧ other_components_after_send
            (λ j : index, j = i ∨ j = i_m) sigma'
  exists (lift_to_composite_state ELMO_component sigma i_m (state m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
in_futures ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (state m))
∧ lift_to_composite_state ELMO_component sigma i_m
    (state m) i = si
  ∧ component_reflects_composite
      (lift_to_composite_state ELMO_component sigma
         i_m (state m)) i
    ∧ lift_to_composite_state ELMO_component sigma i_m
        (state m) i_m = state m
      ∧ other_components_after_send
          (λ j : index, j = i ∨ j = i_m)
          (lift_to_composite_state ELMO_component
             sigma i_m (state m))
  split_and!.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
in_futures ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (state m))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
lift_to_composite_state ELMO_component sigma i_m
  (state m) i = si
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
component_reflects_composite
  (lift_to_composite_state ELMO_component sigma i_m
     (state m)) i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
lift_to_composite_state ELMO_component sigma i_m
  (state m) i_m = state m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
other_components_after_send
  (λ j : index, j = i ∨ j = i_m)
  (lift_to_composite_state ELMO_component sigma i_m
     (state m))
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
in_futures ELMOProtocol sigma
  (lift_to_composite_state ELMO_component sigma i_m
     (state m)) by eexists.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
lift_to_composite_state ELMO_component sigma i_m
  (state m) i = si by subst; apply state_update_neq.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
component_reflects_composite
  (lift_to_composite_state ELMO_component sigma i_m
     (state m)) i unfold lift_to_composite_state; split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
component_reflects_composite_messages
  (state_update ELMO_component sigma i_m (state m)) i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
component_reflects_composite_equivocators
  (state_update ELMO_component sigma i_m (state m)) i
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
component_reflects_composite_messages
  (state_update ELMO_component sigma i_m (state m)) i intros m0; split; [| by eexists].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
m0: Message
(∃ j : index,
   m0
   ∈ messages
       (state_update ELMO_component sigma i_m
          (state m) j))
→ m0
  ∈ messages
      (state_update ELMO_component sigma i_m (state m)
         i)
      intros [j Hm0]; destruct (decide (i_m = j)); subst; state_update_simpl;
        [| by apply Hspecial; eexists].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (si', None)
j: index
m0: Message
Hm0: m0 ∈ messages (state m)
Hi_m: adr (state m) = idx j
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Heqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma j
       (state m)) a
  ↔ global_equivocators_simple sigma a
tr_m: list transition_item
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (state_update ELMO_component sigma j
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component j)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component j)
     (λ sj : VLSM.state
               (ELMO_component j),
        state_update ELMO_component
          sigma j sj) tr_m)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m: finite_constrained_trace_from_to
  (ELMO_component j) (sigma j) 
  (state m) tr_m
Hai_m: adr (sigma j) = idx j
Hiim: i ≠ j
m0 ∈ messages (sigma i)
      destruct Ht as [(_ & _ & Hv) _]; inversion Hv as [? ? [] |]; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si': VLSM.state (ELMO_component i)
m: Message
sigma: composite_state ELMO_component
Hv: valid Receive (sigma i, Some m)
j: index
m0: Message
Hm0: m0 ∈ messages (state m)
Hi_m: adr (state m) = idx j
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full
    (sigma i) (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
Hsigma: valid_state_prop ELMOProtocol sigma
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Heqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma j
       (state m)) a
  ↔ global_equivocators_simple sigma a
tr_m: list transition_item
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (state_update ELMO_component sigma j
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component j)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component j)
     (λ sj : VLSM.state
               (ELMO_component j),
        state_update ELMO_component
          sigma j sj) tr_m)
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m: finite_constrained_trace_from_to
  (ELMO_component j) (sigma j) 
  (state m) tr_m
Hai_m: adr (sigma j) = idx j
Hiim: i ≠ j
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
ELMO_mv_local_equivocation_limit_ok0: local_equivocation_limit_ok
  (sigma i <+>
   MkObservation
     Receive m)
m0 ∈ messages (sigma i)
      by eapply elem_of_submseteq; [| done].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
component_reflects_composite_equivocators
  (state_update ELMO_component sigma i_m (state m)) i intros a; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (state_update ELMO_component sigma i_m
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (λ sj : VLSM.state
               (ELMO_component i_m),
        state_update ELMO_component
          sigma i_m sj) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i_m
       (state m)) a
  ↔ global_equivocators_simple sigma a
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma i_m (state m)) a
↔ local_equivocators_full (sigma i) a
      by transitivity (global_equivocators_simple sigma a); [apply Heqv | apply Hspecial].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
lift_to_composite_state ELMO_component sigma i_m
  (state m) i_m = state m by state_update_simpl.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
other_components_after_send
  (λ j : index, j = i ∨ j = i_m)
  (lift_to_composite_state ELMO_component sigma i_m
     (state m)) intros k Hnk.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
k: index
Hnk: ¬ (k = i ∨ k = i_m)
latest_observation_Send
  (lift_to_composite_state ELMO_component sigma i_m
     (state m) k)
    apply Decidable.not_or in Hnk as [].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (lift_to_composite_state
     ELMO_component sigma i_m 
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (lift_to_composite_state
        ELMO_component sigma i_m) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (lift_to_composite_state ELMO_component
       sigma i_m (state m)) a
  ↔ global_equivocators_simple sigma a
k: index
H2: k ≠ i
H3: k ≠ i_m
latest_observation_Send
  (lift_to_composite_state ELMO_component sigma i_m
     (state m) k)
    state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si, si': VLSM.state (ELMO_component i)
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  si, Some m) (si', None)
i_m: index
Hi_m: adr (state m) = idx i_m
Hadr_neq: adr (state m) ≠ idx i
Hnot_local_equivocator: ¬ local_equivocators_full si
    (adr (state m))
Hnot_local_equivocator': ¬ local_equivocators_full
    si' (adr (state m))
sigma: composite_state ELMO_component
Hsigma: valid_state_prop ELMOProtocol sigma
Hcomponent: sigma i = si
Hspecial: component_reflects_composite sigma i
H_not_i_paused: other_components_after_send
  (λ j : index, j = i) sigma
Hm_not_sent_yet: ¬ composite_has_been_sent
    ELMO_component sigma m
Hiim: i ≠ i_m
Hai_m: adr (sigma i_m) = idx i_m
tr_m: list transition_item
Htr_m: finite_constrained_trace_from_to
  (ELMO_component i_m) 
  (sigma i_m) (state m) tr_m
Htr_m_receive: Forall
  (λ item : transition_item,
     l item = Receive) tr_m
Htr_m_inputs_in_sigma: ∀ (item : transition_item) 
  (msg : Message),
  item ∈ tr_m
  → input item = Some msg
    → composite_has_been_directly_observed
        ELMO_component sigma
        msg
Htrsigma_m': finite_valid_trace_from_to ELMOProtocol
  sigma
  (state_update ELMO_component sigma i_m
     (state m))
  (pre_VLSM_embedding_finite_trace_project
     (ELMO_component i_m)
     (composite_type ELMO_component)
     (lift_to_composite_label
        ELMO_component i_m)
     (λ sj : VLSM.state
               (ELMO_component i_m),
        state_update ELMO_component
          sigma i_m sj) tr_m)
Heqv: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i_m
       (state m)) a
  ↔ global_equivocators_simple sigma a
k: index
H2: k ≠ i
H3: k ≠ i_m
latest_observation_Send (sigma k)
    by apply H_not_i_paused.
Qed.

Lemma component_reflects_composite_messages_step_update
  (i : index) (l : Label) (sigma : composite_state ELMO_component) (s' : State) (m : Message) :
  ELMO_component_RAM_transition i l (sigma i) s' m ->
  component_reflects_composite_messages sigma i ->
  component_reflects_composite_messages (state_update ELMO_component sigma i s') i.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
ELMO_component_RAM_transition i l (sigma i) s' m
→ component_reflects_composite_messages sigma i
  → component_reflects_composite_messages
      (state_update ELMO_component sigma i s') i
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
ELMO_component_RAM_transition i l (sigma i) s' m
→ component_reflects_composite_messages sigma i
  → component_reflects_composite_messages
      (state_update ELMO_component sigma i s') i
  intros Ht Hmsgs m'; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
Ht: ELMO_component_RAM_transition i l (sigma i) s' m
Hmsgs: component_reflects_composite_messages sigma i
m': Message
(∃ j : index,
   m'
   ∈ messages
       (state_update ELMO_component sigma i s' j))
↔ m' ∈ messages s'
  replace s' with (sigma i <+> MkObservation l m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
Ht: ELMO_component_RAM_transition i l (sigma i) s' m
Hmsgs: component_reflects_composite_messages sigma i
m': Message
(∃ j : index,
   m'
   ∈ messages
       (state_update ELMO_component sigma i
          (sigma i <+> MkObservation l m) j))
↔ m' ∈ messages (sigma i <+> MkObservation l m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
Ht: ELMO_component_RAM_transition i l (sigma i) s' m
Hmsgs: component_reflects_composite_messages sigma i
m': Message
sigma i <+> MkObservation l m = s'
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
Ht: ELMO_component_RAM_transition i l (sigma i) s' m
Hmsgs: component_reflects_composite_messages sigma i
m': Message
(∃ j : index,
   m'
   ∈ messages
       (state_update ELMO_component sigma i
          (sigma i <+> MkObservation l m) j))
↔ m' ∈ messages (sigma i <+> MkObservation l m) split; [| by exists i; state_update_simpl].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
Ht: ELMO_component_RAM_transition i l (sigma i) s' m
Hmsgs: component_reflects_composite_messages sigma i
m': Message
(∃ j : index,
   m'
   ∈ messages
       (state_update ELMO_component sigma i
          (sigma i <+> MkObservation l m) j))
→ m' ∈ messages (sigma i <+> MkObservation l m)
    intros [j Hj]; destruct (decide (j = i)); subst; state_update_simpl; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
Ht: ELMO_component_RAM_transition i l (sigma i) s' m
Hmsgs: component_reflects_composite_messages sigma i
m': Message
j: index
Hj: m' ∈ messages (sigma j)
n: j ≠ i
m' ∈ messages (sigma i <+> MkObservation l m)
    by apply elem_of_messages_addObservation; right; apply Hmsgs; eexists.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
l: Label
sigma: composite_state ELMO_component
s': State
m: Message
Ht: ELMO_component_RAM_transition i l (sigma i) s' m
Hmsgs: component_reflects_composite_messages sigma i
m': Message
sigma i <+> MkObservation l m = s' by inversion Ht as [? ? ? [(_ & _ & Hvi) Hti] | ? ? ? [(_ & _ & Hvi) Hti]];
      inversion Hvi; inversion Hti; done.
Qed.

Lemma receiving_already_sent_global_local_equivocators
  (i : index) (sigma : composite_state ELMO_component) (m : Message) (s' : State)
  (Ht : input_constrained_transition (ELMO_component i)
    Receive (sigma i, Some m) (s', None))
  (Hreflects : component_reflects_composite sigma i)
  (Hm : composite_has_been_sent ELMO_component sigma m)
  : forall a : Address,
    global_equivocators_simple (state_update ELMO_component sigma i s') a
      <->
    local_equivocators_full s' a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hreflects: component_reflects_composite sigma i
Hm: composite_has_been_sent ELMO_component sigma m
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hreflects: component_reflects_composite sigma i
Hm: composite_has_been_sent ELMO_component sigma m
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
  destruct Hreflects as [Hmessages Heqvs].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
  assert (m ∈ messages (sigma i))
    by (destruct Hm as [j]; apply Hmessages; exists j; apply elem_of_messages; left; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
  pose (Hti := Ht); destruct Hti as [(_ & _ & Hvi) Hti];
    inversion Hvi; subst; inversion Hti; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) a
  ↔ local_equivocators_full
      (sigma i <+> MkObservation Receive m) a
  intros a; rewrite global_equivocators_simple_step_update_receive,
    local_equivocators_full_step_update, (Heqvs a) by (constructor; subst; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
a: Address
local_equivocators_full (sigma i) a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
↔ local_equivocators_full (sigma i) a
  ∨ a = adr (state m)
    ∧ Receive = Receive
      ∧ (∃ m' : BaseELMO.Message,
           m' ∈ receivedMessages (sigma i)
           ∧ incomparable m m')
  split; intros [| [-> Hsome]]; [by left | done | by left | left].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
Hsome: Receive = Receive
∧ (∃ m' : BaseELMO.Message,
     m' ∈ receivedMessages (sigma i)
     ∧ incomparable m m')
local_equivocators_full (sigma i) (adr (state m))
  eapply local_equivocators_simple_iff_full; [done | |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
Hsome: Receive = Receive
∧ (∃ m' : BaseELMO.Message,
     m' ∈ receivedMessages (sigma i)
     ∧ incomparable m m')
UMO_reachable no_self_equiv (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
Hsome: Receive = Receive
∧ (∃ m' : BaseELMO.Message,
     m' ∈ receivedMessages (sigma i)
     ∧ incomparable m m')
local_equivocators_simple (sigma i) (adr (state m))
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
Hsome: Receive = Receive
∧ (∃ m' : BaseELMO.Message,
     m' ∈ receivedMessages (sigma i)
     ∧ incomparable m m')
UMO_reachable no_self_equiv (sigma i) by eapply UMO_reachable_impl, ELMO_reachable_view;
      [intros ? ? [] | apply Ht].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
Hsome: Receive = Receive
∧ (∃ m' : BaseELMO.Message,
     m' ∈ receivedMessages (sigma i)
     ∧ incomparable m m')
local_equivocators_simple (sigma i) (adr (state m)) destruct Hsome as (_ & m' & Hm' & [Heqadr Hcmp]).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
local_equivocators_simple (sigma i) (adr (state m))
    constructor 1 with m' m; [done | done | | | by split].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
m' ∈ messages (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
m ∈ messages (sigma i)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
m' ∈ messages (sigma i) by apply elem_of_messages; right.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
m ∈ messages (sigma i) apply Hmessages.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hm: composite_has_been_sent ELMO_component sigma m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
∃ j : index, m ∈ messages (sigma j)
      destruct Hm as [j Hj]; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
j: index
Hj: has_been_sent (ELMO_component j) (sigma j) m
H2: m ∈ messages (sigma i)
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H4: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
m ∈ messages (sigma j)
      by apply elem_of_messages; left.
Qed.

Lemma receiving_already_equivocating_global_local_equivocators
  (i : index) (sigma : composite_state ELMO_component) (m : Message) (s' : State)
  (Ht : input_constrained_transition (ELMO_component i)
    Receive (sigma i, Some m) (s', None))
  (Hreflects : component_reflects_composite sigma i)
  (Heqv : local_equivocators_full (sigma i) (adr (state m)))
  : forall a : Address,
    global_equivocators_simple (state_update ELMO_component sigma i s') a
      <->
    local_equivocators_full s' a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hreflects: component_reflects_composite sigma i
Heqv: local_equivocators_full 
  (sigma i) (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hreflects: component_reflects_composite sigma i
Heqv: local_equivocators_full 
  (sigma i) (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
  destruct Hreflects as [Hmessages Heqvs].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full 
  (sigma i) (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
  pose (Hti := Ht); destruct Hti as [(_ & _ & Hvi) Hti];
    inversion Hvi; subst; inversion Hti; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full 
  (sigma i) (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) a
  ↔ local_equivocators_full
      (sigma i <+> MkObservation Receive m) a
  intros a; rewrite global_equivocators_simple_step_update_receive,
    local_equivocators_full_step_update, (Heqvs a) by (constructor; subst; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full 
  (sigma i) (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
a: Address
local_equivocators_full (sigma i) a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
↔ local_equivocators_full (sigma i) a
  ∨ a = adr (state m)
    ∧ Receive = Receive
      ∧ (∃ m' : BaseELMO.Message,
           m' ∈ receivedMessages (sigma i)
           ∧ incomparable m m')
  by split; intros []; [by left | | by left |]; destruct_and!; subst; left.
Qed.

Lemma receiving_not_already_equivocating_global_local_equivocators
  (i : index) (sigma : composite_state ELMO_component) (m : Message) (s' : State)
  (Ht : input_constrained_transition (ELMO_component i)
    Receive (sigma i, Some m) (s', None))
  (Hreflects : component_reflects_composite sigma i)
  (Hneqv : ~ local_equivocators_full (sigma i) (adr (state m)))
  (Heqv : local_equivocators_full s' (adr (state m)))
  : forall a : Address,
    global_equivocators_simple (state_update ELMO_component sigma i s') a
      <->
    local_equivocators_full s' a.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hreflects: component_reflects_composite sigma i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Heqv: local_equivocators_full s' (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hreflects: component_reflects_composite sigma i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Heqv: local_equivocators_full s' (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
  destruct Hreflects as [Hmessages Heqvs].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Heqv: local_equivocators_full s' (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
  pose (Hti := Ht); destruct Hti as [(_ & _ & Hvi) Hti];
    inversion Hvi; subst; inversion Hti.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Heqv: local_equivocators_full s' (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(s', None)
H3: ELMO_recv_valid (sigma i) m
H4: sigma i <+> MkObservation Receive m = s'
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) a
  ↔ local_equivocators_full
      (sigma i <+> MkObservation Receive m) a
  assert (Hm' : exists m', m' ∈ receivedMessages (sigma i) /\ incomparable m m')
    by (eapply local_equivocators_full_step_update in Heqv as [| (_ & _ & Hrcv)];
        [| | constructor 1]; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Heqv: local_equivocators_full s' (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(s', None)
H3: ELMO_recv_valid (sigma i) m
H4: sigma i <+> MkObservation Receive m = s'
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i
       (sigma i <+> MkObservation Receive m)) a
  ↔ local_equivocators_full
      (sigma i <+> MkObservation Receive m) a
  intros a; rewrite global_equivocators_simple_step_update_receive,
    local_equivocators_full_step_update, (Heqvs a) by (constructor; subst; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Heqv: local_equivocators_full s' (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(s', None)
H3: ELMO_recv_valid (sigma i) m
H4: sigma i <+> MkObservation Receive m = s'
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
a: Address
local_equivocators_full (sigma i) a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
↔ local_equivocators_full (sigma i) a
  ∨ a = adr (state m)
    ∧ Receive = Receive
      ∧ (∃ m' : BaseELMO.Message,
           m' ∈ receivedMessages (sigma i)
           ∧ incomparable m m')
  split; intros []; [by left | by itauto | by left |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
s': State
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m) (s', None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Heqv: local_equivocators_full s' (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(s', None)
H3: ELMO_recv_valid (sigma i) m
H4: sigma i <+> MkObservation Receive m = s'
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
a: Address
H2: a = adr (state m)
∧ Receive = Receive
  ∧ (∃ m' : BaseELMO.Message,
       m' ∈ receivedMessages (sigma i)
       ∧ incomparable m m')
local_equivocators_full (sigma i) a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component sigma m
  destruct_and!; subst; right; split; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
¬ composite_has_been_sent ELMO_component sigma m
  contradict Hneqv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
local_equivocators_full (sigma i) (adr (state m))
  eapply local_equivocators_simple_iff_full; [done | |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
UMO_reachable no_self_equiv (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
local_equivocators_simple (sigma i) (adr (state m))
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
UMO_reachable no_self_equiv (sigma i) by eapply UMO_reachable_impl, ELMO_reachable_view;
      [intros ? ? [] | apply Ht].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
Hm': ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
local_equivocators_simple (sigma i) (adr (state m)) destruct Hm' as (m' & Hm' & Heqadr & Hcmp).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
local_equivocators_simple (sigma i) (adr (state m))
    constructor 1 with m' m; [done | done | | | by split].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
m' ∈ messages (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
m ∈ messages (sigma i)
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
m' ∈ messages (sigma i) by apply elem_of_messages; right.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
m ∈ messages (sigma i) apply Hmessages.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
Hneqv: composite_has_been_sent ELMO_component sigma m
∃ j : index, m ∈ messages (sigma j)
      destruct Hneqv as [j Hj]; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m: Message
Ht: input_constrained_transition 
  (ELMO_component i) Receive (
  sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hmessages: component_reflects_composite_messages
  sigma i
Heqvs: component_reflects_composite_equivocators
  sigma i
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m)
  (adr (state m))
Hvi: valid Receive (sigma i, Some m)
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
H3: ELMO_recv_valid (sigma i) m
m': BaseELMO.Message
Hm': m' ∈ receivedMessages (sigma i)
Heqadr: adr (state m) = adr (state m')
Hcmp: ¬ sent_comparable m m'
H2: Receive = Receive
H7: ∃ m' : BaseELMO.Message,
  m' ∈ receivedMessages (sigma i)
  ∧ incomparable m m'
j: index
Hj: has_been_sent (ELMO_component j) (sigma j) m
m ∈ messages (sigma j)
      by apply elem_of_messages; left.
Qed.

The following lemma shows that for any reachable state in an (ELMO_component i) there is a valid state in ELMOProtocol where component i meets most of the conditions of the previous lemma.

Lemma reflecting_composite_for_reachable_component
  (i : index) (si : VLSM.state (ELMO_component i))
  (Hreachable : constrained_state_prop (ELMO_component i) si) :
  exists s : VLSM.state ELMOProtocol,
    s i = si
    /\ valid_state_prop ELMOProtocol s
    /\ component_reflects_composite s i
    /\ other_components_after_send (fun j : index => j = i) s
    /\ forall (s_prev : State) (l : Label) (m : Message),
      si = s_prev <+> MkObservation l m ->
      let s' := state_update ELMO_component s i s_prev in
      valid_state_prop ELMOProtocol s' /\
      ELMOProtocol_valid_transition i l s' s m.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: VLSM.state (ELMO_component i)
Hreachable: constrained_state_prop 
  (ELMO_component i) si
∃ s : VLSM.state ELMOProtocol,
  s i = si
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             si = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m)
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: VLSM.state (ELMO_component i)
Hreachable: constrained_state_prop 
  (ELMO_component i) si
∃ s : VLSM.state ELMOProtocol,
  s i = si
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             si = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m)
  induction Hreachable using valid_state_prop_ind;
    [| destruct IHHreachable as (sigma & <- & Hsigma & Hreflects & Hsend & Hall), l; cycle 1].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: initial_state_prop s
∃ s0 : VLSM.state ELMOProtocol,
  s0 i = s
  ∧ valid_state_prop ELMOProtocol s0
    ∧ component_reflects_composite s0 i
      ∧ other_components_after_send
          (λ j : index, j = i) s0
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             s = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s0 i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s0 m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om, om': option Message
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, om) (s', om')
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
∃ s : VLSM.state ELMOProtocol,
  s i = s'
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) 
             (l : Label) 
             (m : Message),
             s' = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om, om': option Message
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  sigma i, om) (s', om')
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
∃ s : VLSM.state ELMOProtocol,
  s i = s'
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) 
             (l : Label) 
             (m : Message),
             s' = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: initial_state_prop s
∃ s0 : VLSM.state ELMOProtocol,
  s0 i = s
  ∧ valid_state_prop ELMOProtocol s0
    ∧ component_reflects_composite s0 i
      ∧ other_components_after_send
          (λ j : index, j = i) s0
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             s = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s0 i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s0 m) unfold initial_state_prop in Hs; cbn in Hs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
Hs: UMO_component_initial_state_prop (idx i) s
∃ s0 : VLSM.state ELMOProtocol,
  s0 i = s
  ∧ valid_state_prop ELMOProtocol s0
    ∧ component_reflects_composite s0 i
      ∧ other_components_after_send
          (λ j : index, j = i) s0
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             s = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s0 i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s0 m)
    apply UMO_component_initial_state_spec in Hs as ->.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
∃ s : VLSM.state ELMOProtocol,
  s i = MkState [] (idx i)
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             MkState [] (idx i) =
             s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m)
    exists (` (composite_s0 ELMO_component)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
(`(composite_s0 ELMO_component)) i =
MkState [] (idx i)
∧ valid_state_prop ELMOProtocol
    (`(composite_s0 ELMO_component))
  ∧ component_reflects_composite
      (`(composite_s0 ELMO_component)) i
    ∧ other_components_after_send (λ j : index, j = i)
        (`(composite_s0 ELMO_component))
      ∧ (∀ (s_prev : State) (l : Label) (m : Message),
           MkState [] (idx i) =
           s_prev <+> MkObservation l m
           → let s' :=
               state_update ELMO_component
                 (`(composite_s0 ELMO_component)) i
                 s_prev in
             valid_state_prop ELMOProtocol s'
             ∧ ELMOProtocol_valid_transition i l s'
                 (`(composite_s0 ELMO_component)) m)
    unfold composite_s0; cbn; split_and!; [done | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
valid_state_prop ELMOProtocol
  (λ n : index, MkState [] (idx n))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
component_reflects_composite
  (λ n : index, MkState [] (idx n)) i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
other_components_after_send 
  (λ j : index, j = i)
  (λ n : index, MkState [] (idx n))
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
∀ (s_prev : State) (l : Label) (m : Message),
  MkState [] (idx i) = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component
         (λ n : index, MkState [] (idx n)) i s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component
           (λ n : index, MkState [] (idx n)) i s_prev)
        (λ n : index, MkState [] (idx n)) m
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
valid_state_prop ELMOProtocol
  (λ n : index, MkState [] (idx n)) by apply initial_state_is_valid.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
component_reflects_composite
  (λ n : index, MkState [] (idx n)) i repeat split; cbn; [.. | by inversion 1].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
m: Message
(∃ _ : index, m ∈ []) → m ∈ []
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
m: Message
m ∈ [] → ∃ _ : index, m ∈ []
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
a: Address
global_equivocators_simple
  (λ n : index, MkState [] (idx n)) a
→ local_equivocators_full (MkState [] (idx i)) a
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
m: Message
(∃ _ : index, m ∈ []) → m ∈ [] by intros [j Hj].
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
m: Message
m ∈ [] → ∃ _ : index, m ∈ [] by inversion 1.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
a: Address
global_equivocators_simple
  (λ n : index, MkState [] (idx n)) a
→ local_equivocators_full (MkState [] (idx i)) a by intros []; itauto.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
other_components_after_send (λ j : index, j = i)
  (λ n : index, MkState [] (idx n)) by left; cbn.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
∀ (s_prev : State) (l : Label) (m : Message),
  MkState [] (idx i) = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component
         (λ n : index, MkState [] (idx n)) i s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component
           (λ n : index, MkState [] (idx n)) i s_prev)
        (λ n : index, MkState [] (idx n)) m by inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om, om': option Message
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, om) (s', om')
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
∃ s : VLSM.state ELMOProtocol,
  s i = s'
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             s' = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m) pose (sigma' := state_update ELMO_component sigma i s').Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om, om': option Message
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, om) (s', om')
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
sigma':= state_update ELMO_component sigma i s': ∀ j : index, VLSM.state (ELMO_component j)
∃ s : VLSM.state ELMOProtocol,
  s i = s'
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             s' = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m)
    exists sigma'; split; [by subst sigma'; state_update_simpl |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om, om': option Message
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, om) (s', om')
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
sigma':= state_update ELMO_component sigma i s': ∀ j : index, VLSM.state (ELMO_component j)
valid_state_prop ELMOProtocol sigma'
∧ component_reflects_composite sigma' i
  ∧ other_components_after_send (λ j : index, j = i)
      sigma'
    ∧ (∀ (s_prev : State) (l : Label) (m : Message),
         s' = s_prev <+> MkObservation l m
         → let s' :=
             state_update ELMO_component sigma' i
               s_prev in
           valid_state_prop ELMOProtocol s'
           ∧ ELMOProtocol_valid_transition i l s'
               sigma' m)
    pose (Hti := Ht); destruct Hti as [(_ & _ & Hv) Hti];
      inversion Hv; subst; inversion Hti; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
valid_state_prop ELMOProtocol sigma'
∧ component_reflects_composite sigma' i
  ∧ other_components_after_send (λ j : index, j = i)
      sigma'
    ∧ (∀ (s_prev : State) (l : Label) (m : Message),
         sigma i <+>
         MkObservation Send (MkMessage (sigma i)) =
         s_prev <+> MkObservation l m
         → let s' :=
             state_update ELMO_component sigma' i
               s_prev in
           valid_state_prop ELMOProtocol s'
           ∧ ELMOProtocol_valid_transition i l s'
               sigma' m)
    assert (Htsigma : input_valid_transition ELMOProtocol (existT i Send) (sigma, None)
                        (sigma', Some (MkMessage (sigma i))))
      by (repeat split; [| apply option_valid_message_None |]; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
valid_state_prop ELMOProtocol sigma'
∧ component_reflects_composite sigma' i
  ∧ other_components_after_send (λ j : index, j = i)
      sigma'
    ∧ (∀ (s_prev : State) (l : Label) (m : Message),
         sigma i <+>
         MkObservation Send (MkMessage (sigma i)) =
         s_prev <+> MkObservation l m
         → let s' :=
             state_update ELMO_component sigma' i
               s_prev in
           valid_state_prop ELMOProtocol s'
           ∧ ELMOProtocol_valid_transition i l s'
               sigma' m)
    eapply input_valid_transition_destination in Htsigma as Hsigma'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
valid_state_prop ELMOProtocol sigma'
∧ component_reflects_composite sigma' i
  ∧ other_components_after_send (λ j : index, j = i)
      sigma'
    ∧ (∀ (s_prev : State) (l : Label) (m : Message),
         sigma i <+>
         MkObservation Send (MkMessage (sigma i)) =
         s_prev <+> MkObservation l m
         → let s' :=
             state_update ELMO_component sigma' i
               s_prev in
           valid_state_prop ELMOProtocol s'
           ∧ ELMOProtocol_valid_transition i l s'
               sigma' m)
    split_and!; [done | split | ..]; cycle 2.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
other_components_after_send (λ j : index, j = i)
  sigma'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
∀ (s_prev : State) (l : Label) (m : Message),
  sigma i <+> MkObservation Send (MkMessage (sigma i)) =
  s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma' i s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s' sigma' m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
component_reflects_composite_messages sigma' i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
component_reflects_composite_equivocators sigma' i
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
other_components_after_send (λ j : index, j = i)
  sigma' by intros j Hnj; subst sigma'; state_update_simpl; apply Hsend.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
∀ (s_prev : State) (l : Label) (m : Message),
  sigma i <+> MkObservation Send (MkMessage (sigma i)) =
  s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma' i s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s' sigma' m inversion 1; destruct s_prev; cbn in *; subst.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: (sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i))) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): index → BaseELMO.State
Hv: ELMO_component_valid Send (sigma i) None
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
H2: sigma i <+>
MkObservation Send (MkMessage (sigma i)) =
MkState (obs (sigma i)) (adr (sigma i)) <+>
MkObservation Send (MkMessage (sigma i))
valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma' i
     (MkState (obs (sigma i)) (adr (sigma i))))
∧ ELMOProtocol_valid_transition i Send
    (state_update ELMO_component sigma' i
       (MkState (obs (sigma i)) (adr (sigma i))))
    sigma' (MkMessage (sigma i))
      replace (state_update _ _ _ _) with sigma; [by split; [| constructor] |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: (sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i))) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): index → BaseELMO.State
Hv: ELMO_component_valid Send (sigma i) None
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
H2: sigma i <+>
MkObservation Send (MkMessage (sigma i)) =
MkState (obs (sigma i)) (adr (sigma i)) <+>
MkObservation Send (MkMessage (sigma i))
sigma =
state_update ELMO_component sigma' i
  (MkState (obs (sigma i)) (adr (sigma i)))
      by subst sigma'; extensionality j; destruct (decide (i = j)); subst;
        state_update_simpl; [destruct (sigma j) |].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
component_reflects_composite_messages sigma' i intro m; split; [| by eexists]; intros [j Hm].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
m: Message
j: index
Hm: m ∈ messages (sigma' j)
m ∈ messages (sigma' i)
      destruct (decide (i = j)); [by subst |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
m: Message
j: index
Hm: m ∈ messages (sigma' j)
n: i ≠ j
m ∈ messages (sigma' i)
      subst sigma'; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send
        (MkMessage (sigma i))),
   Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send
        (MkMessage (sigma i))))
m: Message
j: index
Hm: m ∈ messages (sigma j)
n: i ≠ j
m
∈ messages
    (sigma i <+>
     MkObservation Send (MkMessage (sigma i)))
      apply elem_of_messages_addObservation; right.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send
        (MkMessage (sigma i))),
   Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send
        (MkMessage (sigma i))))
m: Message
j: index
Hm: m ∈ messages (sigma j)
n: i ≠ j
m ∈ messages (sigma i)
      by apply Hreflects; eexists.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
component_reflects_composite_equivocators sigma' i intros a; transitivity (global_equivocators_simple sigma a); [split |]; cycle 2.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
global_equivocators_simple sigma a
↔ local_equivocators_full (sigma' i) a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
global_equivocators_simple sigma' a
→ global_equivocators_simple sigma a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
global_equivocators_simple sigma a
→ global_equivocators_simple sigma' a
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
global_equivocators_simple sigma a
↔ local_equivocators_full (sigma' i) a etransitivity; [by apply Hreflects |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
local_equivocators_full (sigma i) a
↔ local_equivocators_full (sigma' i) a
        subst sigma'; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send
        (MkMessage (sigma i))),
   Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send
        (MkMessage (sigma i))))
a: Address
local_equivocators_full (sigma i) a
↔ local_equivocators_full
    (sigma i <+>
     MkObservation Send (MkMessage (sigma i))) a
        unfold local_equivocators_full; cbn; rewrite lefo_alt; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send
        (MkMessage (sigma i))),
   Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma i
     (sigma i <+>
      MkObservation Send
        (MkMessage (sigma i))))
a: Address
local_equivocators_full_obs (obs (sigma i)) a
↔ a = adr (sigma i)
  ∧ Send = Receive
    ∧ (∃ m2 : BaseELMO.Message,
         m2 ∈ receivedMessages' (obs (sigma i))
         ∧ incomparable (MkMessage (sigma i)) m2)
  ∨ local_equivocators_full_obs (obs (sigma i)) a
        by split; [right | intros [|]; [destruct_and! |]].
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
global_equivocators_simple sigma' a
→ global_equivocators_simple sigma a intros [? <-]; esplit; [done | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
ges_m: Message
ges_recv: composite_has_been_received ELMO_component
  sigma' ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma' ges_m
composite_has_been_received ELMO_component sigma ges_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
ges_m: Message
ges_recv: composite_has_been_received ELMO_component
  sigma' ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma' ges_m
¬ composite_has_been_sent ELMO_component sigma ges_m
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
ges_m: Message
ges_recv: composite_has_been_received ELMO_component
  sigma' ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma' ges_m
composite_has_been_received ELMO_component sigma ges_m destruct ges_recv as [j Hrecv].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
ges_m: Message
j: index
Hrecv: has_been_received (ELMO_component j)
  (sigma' j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma' ges_m
composite_has_been_received ELMO_component sigma ges_m
           destruct (decide (i = j)); subst; subst sigma'; state_update_simpl; [| by eexists].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
ges_m: Message
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       j
       (sigma j <+>
        MkObservation Send
          (MkMessage (sigma j)))) ges_m
Hrecv: has_been_received (ELMO_component j)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)))
  ges_m
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
composite_has_been_received ELMO_component sigma ges_m
           by cbn in Hrecv; rewrite decide_False in Hrecv by itauto; exists j.
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
ges_m: Message
ges_recv: composite_has_been_received ELMO_component
  sigma' ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma' ges_m
¬ composite_has_been_sent ELMO_component sigma ges_m intros [j Hsent]; apply ges_not_sent; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
ges_m: Message
ges_recv: composite_has_been_received ELMO_component
  sigma' ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma' ges_m
j: index
Hsent: has_been_sent (ELMO_component j) 
  (sigma j) ges_m
has_been_sent (ELMO_component j) (sigma' j) ges_m
           destruct (decide (i = j)); subst; subst sigma'; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_m: Message
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component
    (state_update ELMO_component sigma
       j
       (sigma j <+>
        MkObservation Send
          (MkMessage (sigma j)))) ges_m
ges_recv: composite_has_been_received ELMO_component
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j)))) ges_m
Hsent: has_been_sent (ELMO_component j) 
  (sigma j) ges_m
has_been_sent (ELMO_component j)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j))) ges_m
           by eapply has_been_sent_step_update; [| right].
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
global_equivocators_simple sigma a
→ global_equivocators_simple sigma' a intros []; esplit; [done | ..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
composite_has_been_received ELMO_component sigma'
  ges_m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
¬ composite_has_been_sent ELMO_component sigma' ges_m
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
composite_has_been_received ELMO_component sigma'
  ges_m destruct ges_recv as [j Hrecv]; exists j.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
ges_m: Message
ges_adr: adr (state ges_m) = a
j: index
Hrecv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
has_been_received (ELMO_component j) (sigma' j) ges_m
           destruct (decide (i = j)); subst; subst sigma'; state_update_simpl; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_m: Message
Hrecv: has_been_received (ELMO_component j) 
  (sigma j) ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
has_been_received (ELMO_component j)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j))) ges_m
           by eapply has_been_received_step_update; [| right].
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
¬ composite_has_been_sent ELMO_component sigma' ges_m intros [j Hsnd]; apply ges_not_sent.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  sigma i, None)
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i)),
   Some (MkMessage (sigma i)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Send (sigma i, None) =
(sigma i <+>
 MkObservation Send (MkMessage (sigma i)),
 Some (MkMessage (sigma i)))
sigma':= state_update ELMO_component sigma i
  (sigma i <+>
   MkObservation Send (MkMessage (sigma i))): ∀ j : index, VLSM.state (ELMO_component j)
Hv: valid Send (sigma i, None)
Htsigma: input_valid_transition ELMOProtocol
  (existT i Send) (sigma, None)
  (sigma', Some (MkMessage (sigma i)))
Hsigma': valid_state_prop ELMOProtocol sigma'
a: Address
ges_m: Message
ges_adr: adr (state ges_m) = a
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
j: index
Hsnd: has_been_sent (ELMO_component j) 
  (sigma' j) ges_m
composite_has_been_sent ELMO_component sigma ges_m
           destruct (decide (i = j)); subst; subst sigma'; state_update_simpl; [| by eexists].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
ges_m: Message
Hsnd: has_been_sent (ELMO_component j)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)))
  ges_m
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
composite_has_been_sent ELMO_component sigma ges_m
           cbn in Hsnd; rewrite decide_True in Hsnd by done; cbn in Hsnd.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
ges_m: Message
Hsnd: ges_m
∈ MkMessage (sigma j)
  :: map message
       (filter isSend (obs (sigma j)))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_recv: composite_has_been_received ELMO_component
  sigma ges_m
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma ges_m
composite_has_been_sent ELMO_component sigma ges_m
           apply elem_of_cons in Hsnd as []; subst; [| by exists j].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma
    (MkMessage (sigma j))
ges_recv: composite_has_been_received ELMO_component
  sigma (MkMessage (sigma j))
composite_has_been_sent ELMO_component sigma
  (MkMessage (sigma j))
           exfalso; eapply irreflexivity with (R := lt) (x := sizeState (sigma j));
             [typeclasses eauto |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma
    (MkMessage (sigma j))
ges_recv: composite_has_been_received ELMO_component
  sigma (MkMessage (sigma j))
sizeState (sigma j) < sizeState (sigma j)
           change (sigma j) with (state (MkMessage (sigma j))) at 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma
    (MkMessage (sigma j))
ges_recv: composite_has_been_received ELMO_component
  sigma (MkMessage (sigma j))
sizeState (state (MkMessage (sigma j))) <
sizeState (sigma j)
           apply messages_sizeState, Hreflects.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma
    (MkMessage (sigma j))
ges_recv: composite_has_been_received ELMO_component
  sigma (MkMessage (sigma j))
∃ j0 : index,
  MkMessage (sigma j) ∈ messages (sigma j0)
           destruct ges_recv as [j' Hrecv]; exists j'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
sigma: VLSM.state ELMOProtocol
j: index
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component j)) Send (
  sigma j, None)
  (sigma j <+>
   MkObservation Send (MkMessage (sigma j)),
   Some (MkMessage (sigma j)))
Hsigma: valid_state_prop ELMOProtocol sigma
Hsigma': valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))))
Htsigma: input_valid_transition ELMOProtocol
  (existT j Send) (sigma, None)
  (state_update ELMO_component sigma j
     (sigma j <+>
      MkObservation Send
        (MkMessage (sigma j))),
   Some (MkMessage (sigma j)))
Hv: valid Send (sigma j, None)
Hti: transition Send (sigma j, None) =
(sigma j <+>
 MkObservation Send (MkMessage (sigma j)),
 Some (MkMessage (sigma j)))
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma j = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma j
         s_prev)
    ∧ ELMOProtocol_valid_transition j l
        (state_update ELMO_component sigma j
           s_prev) sigma m
Hsend: other_components_after_send
  (λ j0 : index, j0 = j) sigma
Hreflects: component_reflects_composite sigma j
ges_not_sent: ¬ composite_has_been_sent
    ELMO_component sigma
    (MkMessage (sigma j))
j': index
Hrecv: has_been_received (ELMO_component j')
  (sigma j') (MkMessage (sigma j))
MkMessage (sigma j) ∈ messages (sigma j')
           by apply elem_of_messages; right.
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om, om': option Message
sigma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  sigma i, om) (s', om')
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
∃ s : VLSM.state ELMOProtocol,
  s i = s'
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m : Message),
             s' = s_prev <+> MkObservation l m
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m) pose (Hti := Ht); destruct Hti as [(_ & _ & Hv) Hti];
      inversion Hv as [? ? [? ? ? Hlocal_ok] |]; subst; inversion Hti; subst om'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
∃ s : VLSM.state ELMOProtocol,
  s i = sigma i <+> MkObservation Receive m
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
             sigma i <+> MkObservation Receive m =
             s_prev <+> MkObservation l m0
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m0)
    apply ELMO_msg_valid_full_has_sender in ELMO_mv_msg_valid_full0 as Hsender.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
∃ s : VLSM.state ELMOProtocol,
  s i = sigma i <+> MkObservation Receive m
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
             sigma i <+> MkObservation Receive m =
             s_prev <+> MkObservation l m0
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m0)
    cut (exists gamma,
          in_futures ELMOProtocol sigma gamma /\
          gamma i = sigma i /\
          component_reflects_composite (state_update ELMO_component gamma i s') i /\
          other_components_after_send (fun j : index => j = i) gamma).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
(∃ gamma : VLSM.state ELMOProtocol,
   in_futures ELMOProtocol sigma gamma
   ∧ gamma i = sigma i
     ∧ component_reflects_composite
         (state_update ELMO_component gamma i s') i
       ∧ other_components_after_send
           (λ j : index, j = i) gamma)
→ ∃ s : VLSM.state ELMOProtocol,
    s i = sigma i <+> MkObservation Receive m
    ∧ valid_state_prop ELMOProtocol s
      ∧ component_reflects_composite s i
        ∧ other_components_after_send
            (λ j : index, j = i) s
          ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
               sigma i <+> MkObservation Receive m =
               s_prev <+> MkObservation l m0
               → let s' :=
                   state_update ELMO_component s i
                     s_prev in
                 valid_state_prop ELMOProtocol s'
                 ∧ ELMOProtocol_valid_transition i l
                     s' s m0)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
(∃ gamma : VLSM.state ELMOProtocol,
   in_futures ELMOProtocol sigma gamma
   ∧ gamma i = sigma i
     ∧ component_reflects_composite
         (state_update ELMO_component gamma i s') i
       ∧ other_components_after_send
           (λ j : index, j = i) gamma)
→ ∃ s : VLSM.state ELMOProtocol,
    s i = sigma i <+> MkObservation Receive m
    ∧ valid_state_prop ELMOProtocol s
      ∧ component_reflects_composite s i
        ∧ other_components_after_send
            (λ j : index, j = i) s
          ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
               sigma i <+> MkObservation Receive m =
               s_prev <+> MkObservation l m0
               → let s' :=
                   state_update ELMO_component s i
                     s_prev in
                 valid_state_prop ELMOProtocol s'
                 ∧ ELMOProtocol_valid_transition i l
                     s' s m0)
      intros (gamma & Hfutures & Heq_i & [Hsigma'_messages Hsigma'_eqvs] & Hgamma_send).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i s') i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     s') i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
∃ s : VLSM.state ELMOProtocol,
  s i = sigma i <+> MkObservation Receive m
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
             sigma i <+> MkObservation Receive m =
             s_prev <+> MkObservation l m0
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m0)
      pose (sigma' := state_update ELMO_component gamma i s'); subst s'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
∃ s : VLSM.state ELMOProtocol,
  s i = sigma i <+> MkObservation Receive m
  ∧ valid_state_prop ELMOProtocol s
    ∧ component_reflects_composite s i
      ∧ other_components_after_send
          (λ j : index, j = i) s
        ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
             sigma i <+> MkObservation Receive m =
             s_prev <+> MkObservation l m0
             → let s' :=
                 state_update ELMO_component s i
                   s_prev in
               valid_state_prop ELMOProtocol s'
               ∧ ELMOProtocol_valid_transition i l s'
                   s m0)
      exists sigma'; split; [by subst sigma'; state_update_simpl |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
valid_state_prop ELMOProtocol sigma'
∧ component_reflects_composite sigma' i
  ∧ other_components_after_send (λ j : index, j = i)
      sigma'
    ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
         sigma i <+> MkObservation Receive m =
         s_prev <+> MkObservation l m0
         → let s' :=
             state_update ELMO_component sigma' i
               s_prev in
           valid_state_prop ELMOProtocol s'
           ∧ ELMOProtocol_valid_transition i l s'
               sigma' m0)
      assert (Hvtsigma : valid_transition ELMOProtocol (existT i Receive) gamma (Some m) sigma' None).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
valid_transition ELMOProtocol (existT i Receive) gamma
  (Some m) sigma' None
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
valid_state_prop ELMOProtocol sigma'
∧ component_reflects_composite sigma' i
  ∧ other_components_after_send 
      (λ j : index, j = i) sigma'
    ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
         sigma i <+> MkObservation Receive m =
         s_prev <+> MkObservation l m0
         → let s' :=
             state_update ELMO_component sigma' i
               s_prev in
           valid_state_prop ELMOProtocol s'
           ∧ ELMOProtocol_valid_transition i l s'
               sigma' m0)
      {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
valid_transition ELMOProtocol (existT i Receive) gamma
  (Some m) sigma' None
        repeat split; cbn; [by rewrite Heq_i | | by rewrite Heq_i].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
ELMO_not_heavy
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m))
        unfold local_equivocation_limit_ok, not_heavy in Hlocal_ok.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (sigma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
ELMO_not_heavy
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m))
        unfold ELMO_not_heavy, not_heavy.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (sigma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
(equivocation_fault
   (state_update ELMO_component gamma i
      (gamma i <+> MkObservation Receive m)) <=
 threshold)%R
        etransitivity; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (sigma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
(equivocation_fault
   (state_update ELMO_component gamma i
      (gamma i <+> MkObservation Receive m)) <=
 equivocation_fault
   (sigma i <+> MkObservation Receive m))%R
        apply sum_weights_subseteq; [by apply NoDup_elements.. |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (sigma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
equivocating_validators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m))
⊆ equivocating_validators
    (sigma i <+> MkObservation Receive m)
        intros x.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (sigma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x: Address
x
∈ equivocating_validators
    (state_update ELMO_component gamma i
       (gamma i <+> MkObservation Receive m))
→ x
  ∈ equivocating_validators
      (sigma i <+> MkObservation Receive m)
        unfold equivocating_validators, is_equivocating; cbn.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (sigma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x: Address
x
∈ filter
    (λ v : Address,
       ELMO_global_equivocators
         (state_update ELMO_component gamma i
            (gamma i <+> MkObservation Receive m)) v)
    (list_to_set (map idx (enum index)))
→ x
  ∈ filter
      (λ v : Address,
         local_equivocators_full
           (sigma i <+> MkObservation Receive m) v)
      (list_to_set (map idx (enum index)))
        apply filter_subprop; intros; rewrite <- Heq_i in *.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
local_equivocators_full
  (gamma i <+> MkObservation Receive m) a
        unfold component_reflects_composite_equivocators in Hsigma'_eqvs.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component gamma
       i
       (gamma i <+>
        MkObservation Receive m)) a
  ↔ local_equivocators_full
      (state_update ELMO_component
         gamma i
         (gamma i <+>
          MkObservation Receive m) i) a
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
local_equivocators_full
  (gamma i <+> MkObservation Receive m) a
        state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component gamma
       i
       (gamma i <+>
        MkObservation Receive m)) a
  ↔ local_equivocators_full
      (gamma i <+>
       MkObservation Receive m) a
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
local_equivocators_full
  (gamma i <+> MkObservation Receive m) a
        apply Hsigma'_eqvs, ELMO_global_equivocators_iff_simple; [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component gamma
       i
       (gamma i <+>
        MkObservation Receive m)) a
  ↔ local_equivocators_full
      (gamma i <+>
       MkObservation Receive m) a
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
composite_constrained_state_prop ELMO_component
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m))
        apply input_valid_transition_destination
          with (l := existT i Receive) (s := gamma) (om := Some m) (om' := None);
          repeat split; [| | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component gamma
       i
       (gamma i <+>
        MkObservation Receive m)) a
  ↔ local_equivocators_full
      (gamma i <+>
       MkObservation Receive m) a
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
valid_state_prop
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component)) gamma
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component gamma
       i
       (gamma i <+>
        MkObservation Receive m)) a
  ↔ local_equivocators_full
      (gamma i <+>
       MkObservation Receive m) a
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component)) 
  (Some m)
        -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component gamma
       i
       (gamma i <+>
        MkObservation Receive m)) a
  ↔ local_equivocators_full
      (gamma i <+>
       MkObservation Receive m) a
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
valid_state_prop
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component)) gamma eapply in_futures_valid_snd.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component gamma
       i
       (gamma i <+>
        MkObservation Receive m)) a
  ↔ local_equivocators_full
      (gamma i <+>
       MkObservation Receive m) a
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
in_futures
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component)) ?first
  gamma
          by apply (VLSM_incl_in_futures (constrained_preloaded_incl (free_composite_vlsm _)
            ELMO_global_constraint)).
        -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
gamma: VLSM.state ELMOProtocol
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (gamma i, Some m)
  (gamma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  gamma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (gamma i, Some m) =
(gamma i <+> MkObservation Receive m, None)
Hv: valid Receive (gamma i, Some m)
ELMO_mv_full_node0: full_node (gamma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (gamma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: (equivocation_fault
   (gamma i <+> MkObservation Receive m) <=
 threshold)%R
Hsender: MessageHasSender m
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: ∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component gamma
       i
       (gamma i <+>
        MkObservation Receive m)) a
  ↔ local_equivocators_full
      (gamma i <+>
       MkObservation Receive m) a
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (gamma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
x, a: Address
H2: ELMO_global_equivocators
  (state_update ELMO_component gamma i
     (gamma i <+> MkObservation Receive m)) a
option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm ELMO_component)) (Some m) by apply any_message_is_valid_in_preloaded.
      }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
valid_state_prop ELMOProtocol sigma'
∧ component_reflects_composite sigma' i
  ∧ other_components_after_send (λ j : index, j = i)
      sigma'
    ∧ (∀ (s_prev : State) (l : Label) (m0 : Message),
         sigma i <+> MkObservation Receive m =
         s_prev <+> MkObservation l m0
         → let s' :=
             state_update ELMO_component sigma' i
               s_prev in
           valid_state_prop ELMOProtocol s'
           ∧ ELMOProtocol_valid_transition i l s'
               sigma' m0)
      split_and!.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
valid_state_prop ELMOProtocol sigma'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
component_reflects_composite sigma' i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
other_components_after_send 
  (λ j : index, j = i) sigma'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
∀ (s_prev : State) (l : Label) (m0 : Message),
  sigma i <+> MkObservation Receive m =
  s_prev <+> MkObservation l m0
  → let s' :=
      state_update ELMO_component sigma' i s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s' sigma' m0
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
valid_state_prop ELMOProtocol sigma' apply input_valid_transition_destination
          with (l := existT i Receive) (s := gamma) (om := Some m) (om' := None); repeat split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
valid_state_prop ELMOProtocol gamma
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
option_valid_message_prop ELMOProtocol (Some m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
valid (existT i Receive) (gamma, Some m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
ELMO_global_constraint 
  (existT i Receive) (gamma, Some m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
transition (existT i Receive) (gamma, Some m) =
(sigma', None)
        +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
valid_state_prop ELMOProtocol gamma by eapply in_futures_valid_snd.
        +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
option_valid_message_prop ELMOProtocol (Some m) by eapply ELMO_valid_states_only_receive_valid_messages;
            [eapply in_futures_valid_snd | constructor 1].
        +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
valid (existT i Receive) (gamma, Some m) by cbn; rewrite Heq_i.
        +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
ELMO_global_constraint (existT i Receive)
  (gamma, Some m) by apply Hvtsigma.
        +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
transition (existT i Receive) (gamma, Some m) =
(sigma', None) by cbn; rewrite Heq_i.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
component_reflects_composite sigma' i done.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
other_components_after_send (λ j : index, j = i)
  sigma' by intros j Hnj; subst sigma'; state_update_simpl; apply Hgamma_send.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
Hsender: MessageHasSender m
gamma: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m): ∀ j : index, VLSM.state (ELMO_component j)
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m) sigma' None
∀ (s_prev : State) (l : Label) (m0 : Message),
  sigma i <+> MkObservation Receive m =
  s_prev <+> MkObservation l m0
  → let s' :=
      state_update ELMO_component sigma' i s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s' sigma' m0 inversion 1; destruct s_prev; cbn in *; subst; rewrite <- Heq_i.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m0: Message
H2: sigma i <+> MkObservation Receive m0 =
MkState (obs (sigma i)) (adr (sigma i)) <+>
MkObservation Receive m0
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m0)
  (sigma i <+> MkObservation Receive m0, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hsender: MessageHasSender m0
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m0)
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m0
ELMO_mv_full_node0: full_node (sigma i) m0
Hv: ELMO_component_valid Receive (sigma i) (Some m0)
Hti: (sigma i <+> MkObservation Receive m0, None) =
(sigma i <+> MkObservation Receive m0, None)
gamma: composite_state ELMO_component
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m0)) i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m0)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
sigma':= state_update ELMO_component gamma i
  (sigma i <+> MkObservation Receive m0): index → BaseELMO.State
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m0) sigma' None
valid_state_prop ELMOProtocol
  (state_update ELMO_component sigma' i
     (MkState (obs (gamma i)) (adr (gamma i))))
∧ ELMOProtocol_valid_transition i Receive
    (state_update ELMO_component sigma' i
       (MkState (obs (gamma i)) (adr (gamma i))))
    sigma' m0
        subst sigma'; rewrite state_update_twice, state_update_id by (destruct (gamma i); done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: composite_state ELMO_component
m0: Message
H2: sigma i <+> MkObservation Receive m0 =
MkState (obs (sigma i)) (adr (sigma i)) <+>
MkObservation Receive m0
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m0)
  (sigma i <+> MkObservation Receive m0, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hsender: MessageHasSender m0
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m0)
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m0
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m0
ELMO_mv_full_node0: full_node (sigma i) m0
Hv: ELMO_component_valid Receive (sigma i) (Some m0)
Hti: (sigma i <+> MkObservation Receive m0, None) =
(sigma i <+> MkObservation Receive m0, None)
gamma: composite_state ELMO_component
Hfutures: in_futures ELMOProtocol sigma gamma
Heq_i: gamma i = sigma i
Hsigma'_messages: component_reflects_composite_messages
  (state_update ELMO_component
     gamma i
     (sigma i <+>
      MkObservation Receive m0)) i
Hsigma'_eqvs: component_reflects_composite_equivocators
  (state_update ELMO_component gamma i
     (sigma i <+>
      MkObservation Receive m0)) i
Hgamma_send: other_components_after_send
  (λ j : index, j = i) gamma
Hvtsigma: valid_transition ELMOProtocol
  (existT i Receive) gamma 
  (Some m0)
  (state_update ELMO_component gamma i
     (sigma i <+> MkObservation Receive m0))
  None
valid_state_prop ELMOProtocol gamma
∧ ELMOProtocol_valid_transition i Receive gamma
    (state_update ELMO_component gamma i
       (sigma i <+> MkObservation Receive m0)) m0
        by split; [eapply in_futures_valid_snd | constructor].
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    destruct (decide (composite_has_been_sent ELMO_component sigma m)) as [| Hnot_sent].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
c: composite_has_been_sent ELMO_component sigma m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
c: composite_has_been_sent ELMO_component sigma m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
      exists sigma; split_and!; [by apply in_futures_refl | done | split | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
c: composite_has_been_sent ELMO_component sigma m
component_reflects_composite_messages
  (state_update ELMO_component sigma i s') i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
c: composite_has_been_sent ELMO_component sigma m
component_reflects_composite_equivocators
  (state_update ELMO_component sigma i s') i
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
c: composite_has_been_sent ELMO_component sigma m
component_reflects_composite_messages
  (state_update ELMO_component sigma i s') i by eapply component_reflects_composite_messages_step_update, Hreflects; constructor 1.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
c: composite_has_been_sent ELMO_component sigma m
component_reflects_composite_equivocators
  (state_update ELMO_component sigma i s') i unfold component_reflects_composite_messages, component_reflects_composite_equivocators.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
c: composite_has_been_sent ELMO_component sigma m
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full
      (state_update ELMO_component sigma i s' i) a
        state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
c: composite_has_been_sent ELMO_component sigma m
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
        by eapply receiving_already_sent_global_local_equivocators.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    destruct (decide (adr (state m) = idx i)) as [| Hm_not_by_i].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
e: adr (state m) = idx i
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
e: adr (state m) = idx i
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
      contradict Hnot_sent; exists i.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
e: adr (state m) = idx i
has_been_sent (ELMO_component i) (sigma i) m
      cbn; apply ELMO_mv_no_self_equiv; [by split |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
e: adr (state m) = idx i
adr (sigma i) = adr (state m)
      transitivity (idx i); [| done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
e: adr (state m) = idx i
adr (sigma i) = idx i
      by eapply ELMO_reachable_adr, Ht.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    destruct (decide (local_equivocators_full (sigma i) (adr (state m)))) as [| Hneqv].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
l: local_equivocators_full (sigma i) (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
l: local_equivocators_full (sigma i) (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
      exists sigma; split_and!; [by apply in_futures_refl | done | split | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
l: local_equivocators_full (sigma i) (adr (state m))
component_reflects_composite_messages
  (state_update ELMO_component sigma i s') i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
l: local_equivocators_full (sigma i) (adr (state m))
component_reflects_composite_equivocators
  (state_update ELMO_component sigma i s') i
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
l: local_equivocators_full (sigma i) (adr (state m))
component_reflects_composite_messages
  (state_update ELMO_component sigma i s') i by eapply component_reflects_composite_messages_step_update, Hreflects; constructor.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
l: local_equivocators_full (sigma i) (adr (state m))
component_reflects_composite_equivocators
  (state_update ELMO_component sigma i s') i unfold component_reflects_composite_messages, component_reflects_composite_equivocators.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
l: local_equivocators_full (sigma i) (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full
      (state_update ELMO_component sigma i s' i) a
        state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
l: local_equivocators_full (sigma i) (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
        by eapply receiving_already_equivocating_global_local_equivocators.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    destruct (decide (local_equivocators_full s' (adr (state m)))) as [| Hneqv'].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
l: local_equivocators_full s' (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full s' (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
l: local_equivocators_full s' (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
      exists sigma; split_and!; [by apply in_futures_refl | done | split | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
l: local_equivocators_full s' (adr (state m))
component_reflects_composite_messages
  (state_update ELMO_component sigma i s') i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
l: local_equivocators_full s' (adr (state m))
component_reflects_composite_equivocators
  (state_update ELMO_component sigma i s') i
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
l: local_equivocators_full s' (adr (state m))
component_reflects_composite_messages
  (state_update ELMO_component sigma i s') i by eapply component_reflects_composite_messages_step_update, Hreflects; constructor 1.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
l: local_equivocators_full s' (adr (state m))
component_reflects_composite_equivocators
  (state_update ELMO_component sigma i s') i unfold component_reflects_composite_messages, component_reflects_composite_equivocators.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
l: local_equivocators_full s' (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full
      (state_update ELMO_component sigma i s' i) a
        state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
l: local_equivocators_full s' (adr (state m))
∀ a : Address,
  global_equivocators_simple
    (state_update ELMO_component sigma i s') a
  ↔ local_equivocators_full s' a
        by eapply receiving_not_already_equivocating_global_local_equivocators.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
Hsender: MessageHasSender m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full s' (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    destruct Hsender as [i_m Hsender].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full s' (adr (state m))
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    destruct (special_receivable_messages_emittable_in_future _ _ _ _ Ht
      _ Hsender Hm_not_by_i Hneqv Hneqv' _ Hsigma eq_refl Hreflects Hsend Hnot_sent)
      as (chi & Hfutures & Heqi & [Hchi_messages Hchi_eqvs] & Heqi_m & Hchi_send).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m) (s', None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(s', None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
H3: sigma i <+> MkObservation Receive m = s'
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full s' (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i s') i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    pose (sigma' := state_update ELMO_component chi i_m (chi i_m <+> MkObservation Send m)); subst s'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i
           (sigma i <+> MkObservation Receive m)) i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    assert (Hti_m :
      input_valid_transition ELMOProtocol (existT i_m Send) (chi, None) (sigma', Some m)).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
input_valid_transition ELMOProtocol (existT i_m Send)
  (chi, None) (sigma', Some m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i
           (sigma i <+> MkObservation Receive m)) i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
input_valid_transition ELMOProtocol (existT i_m Send)
  (chi, None) (sigma', Some m)
      repeat split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
valid_state_prop ELMOProtocol chi
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
option_valid_message_prop ELMOProtocol None
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
valid (existT i_m Send) (chi, None)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
transition (existT i_m Send) (chi, None) =
(sigma', Some m)
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
valid_state_prop ELMOProtocol chi by eapply in_futures_valid_snd.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
option_valid_message_prop ELMOProtocol None by apply option_valid_message_None.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
valid (existT i_m Send) (chi, None) by constructor.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
transition (existT i_m Send) (chi, None) =
(sigma', Some m) by subst sigma'; cbn; rewrite Heqi_m; destruct m.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i
           (sigma i <+> MkObservation Receive m)) i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    assert (i <> i_m) by (contradict Hm_not_by_i; subst; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i
           (sigma i <+> MkObservation Receive m)) i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    assert (ELMO_component_RAM_transition i Receive (sigma' i) (sigma i <+> MkObservation Receive m) m).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
ELMO_component_RAM_transition i Receive (sigma' i)
  (sigma i <+> MkObservation Receive m) m
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i
           (sigma i <+> MkObservation Receive m)) i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    {Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
ELMO_component_RAM_transition i Receive (sigma' i)
  (sigma i <+> MkObservation Receive m) m
      subst sigma'; state_update_simpl; rewrite Heqi.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
ELMO_component_RAM_transition i Receive (sigma i)
  (sigma i <+> MkObservation Receive m) m
      constructor; repeat split; [.. | done].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
valid_state_prop
  (preloaded_with_all_messages_vlsm (ELMO_component i))
  (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (ELMO_component i))
  (Some m)
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
valid_state_prop
  (preloaded_with_all_messages_vlsm (ELMO_component i))
  (sigma i) by eapply valid_state_project_preloaded.
      -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (ELMO_component i))
  (Some m) by apply any_message_is_valid_in_preloaded.
    }Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
∃ gamma : VLSM.state ELMOProtocol,
  in_futures ELMOProtocol sigma gamma
  ∧ gamma i = sigma i
    ∧ component_reflects_composite
        (state_update ELMO_component gamma i
           (sigma i <+> MkObservation Receive m)) i
      ∧ other_components_after_send
          (λ j : index, j = i) gamma
    exists sigma'; split_and!; cycle 3; [.. | split].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
other_components_after_send (λ j : index, j = i)
  sigma'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
in_futures ELMOProtocol sigma sigma'
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
sigma' i = sigma i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
component_reflects_composite_messages
  (state_update ELMO_component sigma' i
     (sigma i <+> MkObservation Receive m)) i
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
component_reflects_composite_equivocators
  (state_update ELMO_component sigma' i
     (sigma i <+> MkObservation Receive m)) i
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
other_components_after_send (λ j : index, j = i)
  sigma' intros k Hk.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
k: index
Hk: k ≠ i
latest_observation_Send (sigma' k)
      subst sigma'.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
k: index
Hk: k ≠ i
latest_observation_Send
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) k)
      destruct (decide (k = i_m)); subst; state_update_simpl; [| by apply Hchi_send; itauto].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive 
  (chi i) (sigma i <+> MkObservation Receive m) m
Hk: i_m ≠ i
latest_observation_Send
  (chi i_m <+> MkObservation Send m)
      by constructor 2; eexists _, _.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
in_futures ELMOProtocol sigma sigma' by etransitivity; [| eapply input_valid_transition_in_futures].
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
sigma' i = sigma i by subst sigma'; rewrite <- Heqi; state_update_simpl.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
component_reflects_composite_messages
  (state_update ELMO_component sigma' i
     (sigma i <+> MkObservation Receive m)) i split; [| by eexists]; intros [j Hj].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
m0: Message
j: index
Hj: m0
∈ messages
    (state_update ELMO_component sigma' i
       (sigma i <+> MkObservation Receive m) j)
m0
∈ messages
    (state_update ELMO_component sigma' i
       (sigma i <+> MkObservation Receive m) i)
      destruct (decide (i = j)); [by subst |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
m0: Message
j: index
Hj: m0
∈ messages
    (state_update ELMO_component sigma' i
       (sigma i <+> MkObservation Receive m) j)
n: i ≠ j
m0
∈ messages
    (state_update ELMO_component sigma' i
       (sigma i <+> MkObservation Receive m) i)
      subst sigma'; destruct (decide (i_m = j)); subst; state_update_simpl;
        apply elem_of_messages_addObservation.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
j: index
chi: VLSM.state ELMOProtocol
m0: Message
Hj: m0 ∈ messages (chi j <+> MkObservation Send m)
Hsender: adr (state m) = idx j
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
H3: ELMO_component_RAM_transition i Receive 
  (chi i) (sigma i <+> MkObservation Receive m) m
H2: i ≠ j
Hti_m: input_valid_transition ELMOProtocol
  (existT j Send) (chi, None)
  (state_update ELMO_component chi j
     (chi j <+> MkObservation Send m), 
   Some m)
Hchi_send: other_components_after_send
  (λ j0 : index, j0 = i ∨ j0 = j) chi
Heqi_m: chi j = state m
n: i ≠ j
m0 = message (MkObservation Receive m)
∨ m0 ∈ messages (sigma i)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive 
  (chi i) (sigma i <+> MkObservation Receive m) m
m0: Message
j: index
Hj: m0 ∈ messages (chi j)
n: i ≠ j
n0: i_m ≠ j
m0 = message (MkObservation Receive m)
∨ m0 ∈ messages (sigma i)
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
j: index
chi: VLSM.state ELMOProtocol
m0: Message
Hj: m0 ∈ messages (chi j <+> MkObservation Send m)
Hsender: adr (state m) = idx j
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
H3: ELMO_component_RAM_transition i Receive 
  (chi i) (sigma i <+> MkObservation Receive m) m
H2: i ≠ j
Hti_m: input_valid_transition ELMOProtocol
  (existT j Send) (chi, None)
  (state_update ELMO_component chi j
     (chi j <+> MkObservation Send m), 
   Some m)
Hchi_send: other_components_after_send
  (λ j0 : index, j0 = i ∨ j0 = j) chi
Heqi_m: chi j = state m
n: i ≠ j
m0 = message (MkObservation Receive m)
∨ m0 ∈ messages (sigma i) apply elem_of_messages_addObservation in Hj as []; [by left |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
j: index
chi: VLSM.state ELMOProtocol
m0: Message
H4: m0 ∈ messages (chi j)
Hsender: adr (state m) = idx j
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
H3: ELMO_component_RAM_transition i Receive 
  (chi i) (sigma i <+> MkObservation Receive m) m
H2: i ≠ j
Hti_m: input_valid_transition ELMOProtocol
  (existT j Send) (chi, None)
  (state_update ELMO_component chi j
     (chi j <+> MkObservation Send m), 
   Some m)
Hchi_send: other_components_after_send
  (λ j0 : index, j0 = i ∨ j0 = j) chi
Heqi_m: chi j = state m
n: i ≠ j
m0 = message (MkObservation Receive m)
∨ m0 ∈ messages (sigma i)
        by right; rewrite <- Heqi; apply Hchi_messages; eexists.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive 
  (chi i) (sigma i <+> MkObservation Receive m) m
m0: Message
j: index
Hj: m0 ∈ messages (chi j)
n: i ≠ j
n0: i_m ≠ j
m0 = message (MkObservation Receive m)
∨ m0 ∈ messages (sigma i) by right; rewrite <- Heqi; apply Hchi_messages; eexists.
    +Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → let s' :=
      state_update ELMO_component sigma i
        s_prev in
    valid_state_prop ELMOProtocol s'
    ∧ ELMOProtocol_valid_transition i l s'
        sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
component_reflects_composite_equivocators
  (state_update ELMO_component sigma' i
     (sigma i <+> MkObservation Receive m)) i intros a; state_update_simpl.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma' i
     (sigma i <+> MkObservation Receive m)) a
↔ local_equivocators_full
    (sigma i <+> MkObservation Receive m) a
      transitivity (global_equivocators_simple chi a).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma' i
     (sigma i <+> MkObservation Receive m)) a
↔ global_equivocators_simple chi a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple chi a
↔ local_equivocators_full
    (sigma i <+> MkObservation Receive m) a
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple
  (state_update ELMO_component sigma' i
     (sigma i <+> MkObservation Receive m)) a
↔ global_equivocators_simple chi a subst sigma'; rewrite global_equivocators_simple_step_update_receive;
          [| by constructor; state_update_simpl; rewrite Heqi].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m)) a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component chi i_m
           (chi i_m <+> MkObservation Send m)) m
↔ global_equivocators_simple chi a
        rewrite global_equivocators_simple_step_update_send_iff; cycle 1.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
ELMO_component_RAM_transition i_m Send (chi i_m)
  (chi i_m <+> MkObservation Send m) ?Goal1
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
¬ global_equivocators_simple chi (idx i_m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple chi a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component chi i_m
           (chi i_m <+> MkObservation Send m)) m
↔ global_equivocators_simple chi a
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
ELMO_component_RAM_transition i_m Send (chi i_m)
  (chi i_m <+> MkObservation Send m) ?Goal1 by constructor; apply input_valid_transition_project_active in Hti_m; state_update_simpl.
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
¬ global_equivocators_simple chi (idx i_m) by contradict Hneqv; rewrite Hsender, <- Heqi; apply Hchi_eqvs.
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple chi a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component chi i_m
           (chi i_m <+> MkObservation Send m)) m
↔ global_equivocators_simple chi a split; [| by left].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple chi a
∨ a = adr (state m)
  ∧ ¬ composite_has_been_sent ELMO_component
        (state_update ELMO_component chi i_m
           (chi i_m <+> MkObservation Send m)) m
→ global_equivocators_simple chi a
           intros [| [_ Hnsnd]]; [done |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m),
   Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (state_update ELMO_component chi i_m
     (chi i_m <+> MkObservation Send m) i)
  (sigma i <+> MkObservation Receive m) m
a: Address
Hnsnd: ¬ composite_has_been_sent ELMO_component
    (state_update ELMO_component chi i_m
       (chi i_m <+> MkObservation Send m)) m
global_equivocators_simple chi a
           by contradict Hnsnd; exists i_m; state_update_simpl; left.
      *Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
global_equivocators_simple chi a
↔ local_equivocators_full
    (sigma i <+> MkObservation Receive m) a etransitivity; [by apply Hchi_eqvs |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
local_equivocators_full (chi i) a
↔ local_equivocators_full
    (sigma i <+> MkObservation Receive m) a
        rewrite Heqi; split.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
local_equivocators_full (sigma i) a
→ local_equivocators_full
    (sigma i <+> MkObservation Receive m) a
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
local_equivocators_full
  (sigma i <+> MkObservation Receive m) a
→ local_equivocators_full (sigma i) a
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
local_equivocators_full (sigma i) a
→ local_equivocators_full
    (sigma i <+> MkObservation Receive m) a by intros Heqv; eapply local_equivocators_full_step_update; [constructor | left].
        --Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
local_equivocators_full
  (sigma i <+> MkObservation Receive m) a
→ local_equivocators_full (sigma i) a intros Heqv.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m) a
local_equivocators_full (sigma i) a
           destruct (decide (a = adr (state m))); [by subst |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
Heqv: local_equivocators_full
  (sigma i <+> MkObservation Receive m) a
n: a ≠ adr (state m)
local_equivocators_full (sigma i) a
           eapply local_equivocators_full_step_update in Heqv; [| by constructor].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
sigma: VLSM.state ELMOProtocol
m: Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive
  (sigma i, Some m)
  (sigma i <+> MkObservation Receive m, None)
Hsigma: valid_state_prop ELMOProtocol sigma
Hreflects: component_reflects_composite sigma i
Hsend: other_components_after_send
  (λ j : index, j = i) sigma
Hall: ∀ (s_prev : State) (l : Label) (m : Message),
  sigma i = s_prev <+> MkObservation l m
  → valid_state_prop ELMOProtocol
      (state_update ELMO_component sigma i
         s_prev)
    ∧ ELMOProtocol_valid_transition i l
        (state_update ELMO_component sigma i
           s_prev) sigma m
Hti: transition Receive (sigma i, Some m) =
(sigma i <+> MkObservation Receive m, None)
Hv: valid Receive (sigma i, Some m)
ELMO_mv_full_node0: full_node (sigma i) m
ELMO_mv_no_self_equiv0: no_self_equiv (sigma i) m
ELMO_mv_msg_valid_full0: ELMO_msg_valid_full m
Hlocal_ok: local_equivocation_limit_ok
  (sigma i <+> MkObservation Receive m)
i_m: index
Hsender: adr (state m) = idx i_m
Hnot_sent: ¬ composite_has_been_sent ELMO_component
    sigma m
Hm_not_by_i: adr (state m) ≠ idx i
Hneqv: ¬ local_equivocators_full 
    (sigma i) (adr (state m))
Hneqv': ¬ local_equivocators_full
    (sigma i <+> MkObservation Receive m)
    (adr (state m))
chi: VLSM.state ELMOProtocol
Hfutures: in_futures ELMOProtocol sigma chi
Heqi: chi i = sigma i
Hchi_messages: component_reflects_composite_messages
  chi i
Hchi_eqvs: component_reflects_composite_equivocators
  chi i
Heqi_m: chi i_m = state m
Hchi_send: other_components_after_send
  (λ j : index, j = i ∨ j = i_m) chi
sigma':= state_update ELMO_component chi i_m
  (chi i_m <+> MkObservation Send m): ∀ j : index, VLSM.state (ELMO_component j)
Hti_m: input_valid_transition ELMOProtocol
  (existT i_m Send) (chi, None)
  (sigma', Some m)
H2: i ≠ i_m
H3: ELMO_component_RAM_transition i Receive
  (sigma' i)
  (sigma i <+> MkObservation Receive m) m
a: Address
n: a ≠ adr (state m)
Heqv: local_equivocators_full (sigma i) a
∨ a = adr (state m)
  ∧ Receive = Receive
    ∧ (∃ m' : BaseELMO.Message,
         m' ∈ receivedMessages (sigma i)
         ∧ incomparable m m')
local_equivocators_full (sigma i) a
           by destruct Heqv as [| [->]].
Qed.

Every ELMO_component is a validator for ELMOProtocol.

Theorem ELMO_components_validating :
  forall i : index,
    component_projection_validator_prop ELMO_component ELMO_global_constraint i.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ i : index,
  component_projection_validator_prop ELMO_component
    ELMO_global_constraint i
Proof.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
∀ i : index,
  component_projection_validator_prop ELMO_component
    ELMO_global_constraint i
  intros i li si om Hvti.Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
li: VLSM.label (ELMO_component i)
si: VLSM.state (ELMO_component i)
om: option Message
Hvti: input_constrained (ELMO_component i) li
  (si, om)
valid li (si, om)
  red in Hvti; apply input_valid_transition_iff in Hvti as [[si' om'] Hvti].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
li: VLSM.label (ELMO_component i)
si: VLSM.state (ELMO_component i)
om: option Message
si': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om': option Message
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) li (
  si, om) (si', om')
valid li (si, om)
  pose (Hvti' := Hvti); destruct Hvti' as [(_ & _ & Hvi) Hti].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
li: VLSM.label (ELMO_component i)
si: VLSM.state (ELMO_component i)
om: option Message
si': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om': option Message
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) li (
  si, om) (si', om')
Hvi: valid li (si, om)
Hti: transition li (si, om) = (si', om')
valid li (si, om)
  assert (Hsi' : constrained_state_prop (ELMO_component i) si')
    by (eapply input_valid_transition_destination; done).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
li: VLSM.label (ELMO_component i)
si: VLSM.state (ELMO_component i)
om: option Message
si': VLSM.state
  (preloaded_with_all_messages_vlsm
     (ELMO_component i))
om': option Message
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) li (
  si, om) (si', om')
Hvi: valid li (si, om)
Hti: transition li (si, om) = (si', om')
Hsi': constrained_state_prop (ELMO_component i) si'
valid li (si, om)
  apply reflecting_composite_for_reachable_component in Hsi'
    as (s' & <- & Hs' & _ & _ & Htransitions).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
li: VLSM.label (ELMO_component i)
si: VLSM.state (ELMO_component i)
om, om': option Message
s': VLSM.state ELMOProtocol
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) li (
  si, om) (s' i, om')
Hvi: valid li (si, om)
Hti: transition li (si, om) = (s' i, om')
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ (s_prev : State) (l : Label) 
  (m : Message),
  s' i = s_prev <+> MkObservation l m
  → let s'0 :=
      state_update ELMO_component s' i
        s_prev in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i l
        s'0 s' m
valid li (si, om)
  specialize (Htransitions si li).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
li: VLSM.label (ELMO_component i)
si: VLSM.state (ELMO_component i)
om, om': option Message
s': VLSM.state ELMOProtocol
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) li (
  si, om) (s' i, om')
Hvi: valid li (si, om)
Hti: transition li (si, om) = (s' i, om')
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation li m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        li s'0 s' m
valid li (si, om)
  exists (state_update ELMO_component s' i si).Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
li: VLSM.label (ELMO_component i)
si: VLSM.state (ELMO_component i)
om, om': option Message
s': VLSM.state ELMOProtocol
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) li (
  si, om) (s' i, om')
Hvi: valid li (si, om)
Hti: transition li (si, om) = (s' i, om')
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation li m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        li s'0 s' m
state_update ELMO_component s' i si i = si
∧ input_valid
    (composite_vlsm ELMO_component
       ELMO_global_constraint) (existT i li)
    (state_update ELMO_component s' i si, om)
  split; [by state_update_simpl |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
li: VLSM.label (ELMO_component i)
si: VLSM.state (ELMO_component i)
om, om': option Message
s': VLSM.state ELMOProtocol
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) li (
  si, om) (s' i, om')
Hvi: valid li (si, om)
Hti: transition li (si, om) = (s' i, om')
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation li m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        li s'0 s' m
input_valid
  (composite_vlsm ELMO_component
     ELMO_global_constraint) (existT i li)
  (state_update ELMO_component s' i si, om)
  inversion Hvi; subst; inversion Hti as [Heqs'i]; subst;
    symmetry in Heqs'i; destruct (Htransitions _ Heqs'i) as [Hvs'0 Hvt0];
    inversion Hvt0 as [? ? ? ? Hvt | ? ? ? ? Hvt].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: VLSM.state (ELMO_component i)
s': VLSM.state ELMOProtocol
m: Message
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  si, Some m) (s' i, None)
Hvi: valid Receive (si, Some m)
Hti: transition Receive (si, Some m) = (s' i, None)
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation Receive m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        Receive s'0 s' m
H2: ELMO_recv_valid si m
Heqs'i: s' i = si <+> MkObservation Receive m
Hvs'0: valid_state_prop ELMOProtocol
  (state_update ELMO_component s' i si)
Hvt0: ELMOProtocol_valid_transition i Receive
  (state_update ELMO_component s' i si) s' m
i0: index
s1, s2: VLSM.state ELMOProtocol
m0: Message
Hvt: valid_transition ELMOProtocol 
  (existT i Receive)
  (state_update ELMO_component s' i si) 
  (Some m) s' None
H3: i0 = i
H5: s1 = state_update ELMO_component s' i si
H6: s2 = s'
H7: m0 = m
input_valid
  (composite_vlsm ELMO_component
     ELMO_global_constraint) (existT i Receive)
  (state_update ELMO_component s' i si, Some m)
Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: VLSM.state (ELMO_component i)
s': VLSM.state ELMOProtocol
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  si, None) (s' i, Some (MkMessage si))
Hvi: valid Send (si, None)
Hti: transition Send (si, None) =
(s' i, Some (MkMessage si))
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation Send m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        Send s'0 s' m
Heqs'i: s' i =
si <+> MkObservation Send (MkMessage si)
Hvs'0: valid_state_prop ELMOProtocol
  (state_update ELMO_component s' i si)
Hvt0: ELMOProtocol_valid_transition i Send
  (state_update ELMO_component s' i si) s'
  (MkMessage si)
i0: index
s1, s2: VLSM.state ELMOProtocol
m: Message
Hvt: valid_transition ELMOProtocol 
  (existT i Send)
  (state_update ELMO_component s' i si) None s'
  (Some (MkMessage si))
H2: i0 = i
H4: s1 = state_update ELMO_component s' i si
H5: s2 = s'
H6: m = MkMessage si
input_valid
  (composite_vlsm ELMO_component
     ELMO_global_constraint) 
  (existT i Send)
  (state_update ELMO_component s' i si, None)
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: VLSM.state (ELMO_component i)
s': VLSM.state ELMOProtocol
m: Message
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  si, Some m) (s' i, None)
Hvi: valid Receive (si, Some m)
Hti: transition Receive (si, Some m) = (s' i, None)
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation Receive m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        Receive s'0 s' m
H2: ELMO_recv_valid si m
Heqs'i: s' i = si <+> MkObservation Receive m
Hvs'0: valid_state_prop ELMOProtocol
  (state_update ELMO_component s' i si)
Hvt0: ELMOProtocol_valid_transition i Receive
  (state_update ELMO_component s' i si) s' m
i0: index
s1, s2: VLSM.state ELMOProtocol
m0: Message
Hvt: valid_transition ELMOProtocol 
  (existT i Receive)
  (state_update ELMO_component s' i si) 
  (Some m) s' None
H3: i0 = i
H5: s1 = state_update ELMO_component s' i si
H6: s2 = s'
H7: m0 = m
input_valid
  (composite_vlsm ELMO_component
     ELMO_global_constraint) (existT i Receive)
  (state_update ELMO_component s' i si, Some m) repeat split; [done | | by apply Hvt..].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: VLSM.state (ELMO_component i)
s': VLSM.state ELMOProtocol
m: Message
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  si, Some m) (s' i, None)
Hvi: valid Receive (si, Some m)
Hti: transition Receive (si, Some m) = (s' i, None)
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation Receive m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        Receive s'0 s' m
H2: ELMO_recv_valid si m
Heqs'i: s' i = si <+> MkObservation Receive m
Hvs'0: valid_state_prop ELMOProtocol
  (state_update ELMO_component s' i si)
Hvt0: ELMOProtocol_valid_transition i Receive
  (state_update ELMO_component s' i si) s' m
i0: index
s1, s2: VLSM.state ELMOProtocol
m0: Message
Hvt: valid_transition ELMOProtocol 
  (existT i Receive)
  (state_update ELMO_component s' i si) 
  (Some m) s' None
H3: i0 = i
H5: s1 = state_update ELMO_component s' i si
H6: s2 = s'
H7: m0 = m
option_valid_message_prop
  (composite_vlsm ELMO_component
     ELMO_global_constraint) (Some m)
    eapply received_valid; [by apply Hs' |].Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: VLSM.state (ELMO_component i)
s': VLSM.state ELMOProtocol
m: Message
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Receive (
  si, Some m) (s' i, None)
Hvi: valid Receive (si, Some m)
Hti: transition Receive (si, Some m) = (s' i, None)
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation Receive m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        Receive s'0 s' m
H2: ELMO_recv_valid si m
Heqs'i: s' i = si <+> MkObservation Receive m
Hvs'0: valid_state_prop ELMOProtocol
  (state_update ELMO_component s' i si)
Hvt0: ELMOProtocol_valid_transition i Receive
  (state_update ELMO_component s' i si) s' m
i0: index
s1, s2: VLSM.state ELMOProtocol
m0: Message
Hvt: valid_transition ELMOProtocol 
  (existT i Receive)
  (state_update ELMO_component s' i si) 
  (Some m) s' None
H3: i0 = i
H5: s1 = state_update ELMO_component s' i si
H6: s2 = s'
H7: m0 = m
has_been_received
  (composite_vlsm ELMO_component
     ELMO_global_constraint) s' m
    by eexists; eapply has_been_received_step_update; [| left].
  -Address: Type
EqDecision0: EqDecision Address
H: Measurable Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
threshold: R
index: Type
EqDecision1: EqDecision index
H0: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
ReachableThreshold0: ReachableThreshold
  (Message_validator idx)
  (listset
     (Message_validator idx))
  threshold
H1: Inhabited index
i: index
si: VLSM.state (ELMO_component i)
s': VLSM.state ELMOProtocol
Hvti: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (ELMO_component i)) Send (
  si, None) (s' i, Some (MkMessage si))
Hvi: valid Send (si, None)
Hti: transition Send (si, None) =
(s' i, Some (MkMessage si))
Hs': valid_state_prop ELMOProtocol s'
Htransitions: ∀ m : Message,
  s' i = si <+> MkObservation Send m
  → let s'0 :=
      state_update ELMO_component s' i
        si in
    valid_state_prop ELMOProtocol s'0
    ∧ ELMOProtocol_valid_transition i
        Send s'0 s' m
Heqs'i: s' i =
si <+> MkObservation Send (MkMessage si)
Hvs'0: valid_state_prop ELMOProtocol
  (state_update ELMO_component s' i si)
Hvt0: ELMOProtocol_valid_transition i Send
  (state_update ELMO_component s' i si) s'
  (MkMessage si)
i0: index
s1, s2: VLSM.state ELMOProtocol
m: Message
Hvt: valid_transition ELMOProtocol 
  (existT i Send)
  (state_update ELMO_component s' i si) None s'
  (Some (MkMessage si))
H2: i0 = i
H4: s1 = state_update ELMO_component s' i si
H5: s2 = s'
H6: m = MkMessage si
input_valid
  (composite_vlsm ELMO_component
     ELMO_global_constraint) (existT i Send)
  (state_update ELMO_component s' i si, None) by repeat split; [| apply option_valid_message_None | apply Hvt].
Qed.

End sec_ELMOProtocol.

End sec_ELMO.