{ 
s:SecurityTheory. es:EO+(Info). C:Id List.
ns:Atom1 List. (C is a cabal for ns 
Only agents in C have atoms in ns)
supposing (A
C.Honest(A)) }
{ Proof }
Definitions occuring in Statement :
sth-es: sth-es(s),
security-theory: SecurityTheory,
ses-cabal: cabal is a cabal for atms,
ses-secrecy: Only agents in As have atoms in secrets,
ses-honest: Honest(A),
ses-info: Info,
event-ordering+: EO+(Info),
Id: Id,
uimplies: b supposing a,
all: x:A. B[x],
implies: P Q,
list: type List,
l_all: (xL.P[x]),
atom: Atom$n
Definitions :
record-select: r.x,
rev_implies: P 
Q,
iff: P Q,
ses-key-rel: MatchingKeys(k1;k2),
ycomb: Y,
cand: A c
B,
es-loc: loc(e),
squash: 
T,
es-causl: (e < e'),
apply: f a,
limited-type: LimitedType,
real: 
,
grp_car: |g|,
minus: -n,
add: n + m,
subtract: n - m,
natural_number: $n,
int: 
,
subtype: S 
T,
strongwellfounded: SWellFounded(R[x; y]),
sym: Sym(T;x,y.E[x; y]),
ses-K: PropertyK,
ses-S: PropertyS,
ses-D: PropertyD,
ses-R: PropertyR,
ses-V: PropertyV,
ses-nonce-disjoint: NoncesCiphersAndKeysDisjoint,
ses-disjoint: ActionsDisjoint,
ses-new: New,
ses-sign: Sign,
ses-encrypt: Encrypt,
es-E-interface: E(X),
sdata: SecurityData,
encryption-key: Key,
ses-flow: ses-flow(s;es;a;e1;e2),
top: Top,
ses-axioms: SecurityAxioms,
security-event-structure: SES,
strong-subtype: strong-subtype(A;B),
union: left + right,
or: P 
Q,
pi1: fst(t),
eq_atom: x =a y,
eq_atom: eq_atom$n(x;y),
dep-isect: Error :dep-isect,
record+: record+,
le: A 
B,
ge: i 
j ,
not: 
A,
less_than: a < b,
and: P Q,
uiff: uiff(P;Q),
subtype_rel: A r B,
event_ordering: EO,
es-E: E,
event-has: (e has a),
l_exists: (
xL. P[x]),
universe: Type,
ses-cabal: cabal is a cabal for atms,
atom: Atom$n,
uall: [x:A]. B[x],
security-theory: SecurityTheory,
event-ordering+: EO+(Info),
ses-info: Info,
list: type List,
uimplies: b supposing a,
isect: 
x:A. B[x],
so_lambda: 
x.t[x],
sth-es: sth-es(s),
prop: 
,
ses-secrecy: Only agents in As have atoms in secrets,
exists: x:A. B[x],
product: x:A 
B[x],
nat: 
,
set: {x:A| B[x]} ,
ses-honest: Honest(A),
assert: 
b,
ifthenelse: if b then t else f fi ,
decide: case b of inl(x) => s[x] | inr(y) => t[y],
true: True,
equal: s = t,
false: False,
void: Void,
l_all: (xL.P[x]),
all: x:A. B[x],
implies: P Q,
member: t T,
lambda: x.A[x],
l_member: (x l),
Id: Id,
function: x:A 
B[x],
Auto: Error :Auto,
CollapseTHEN: Error :CollapseTHEN,
D: Error :D,
ses-flow-axiom: PropertyF,
AssertBY: Error :AssertBY,
es-causle: e c e',
append: as @ bs,
es-before: before(e),
es-locl: (e <loc e'),
es-le-before: loc(e),
es-le: e loc e' ,
map: map(f;as),
hd: hd(l),
last: last(L),
remove-repeats: remove-repeats(eq;L),
select: l[i],
record: record(x.T[x]),
infix_ap: x f y,
sq_stable: SqStable(P),
so_apply: x[s],
cons: [car / cdr],
nil: [],
atom: Atom,
es-base-E: es-base-E(es),
token: "$token",
pair: <a, b>,
class-value-has: X(e) has a,
symmetric-key: symmetric-key(a),
ses-public-key: PublicKey(A),
ses-encryption-key: key(e),
ses-send: Send,
ses-crypt: cipherText(e),
eclass-val: X(e),
in-eclass: e 
X,
bool: 
,
so_lambda: so_lambda(x,y,z.t[x; y; z]),
guard: {T},
sq_type: SQType(T),
sqequal: s ~ t,
existse-before: e<e'.P[e],
existse-le: ee'.P[e],
alle-lt: e<e'.P[e],
alle-le: ee'.P[e],
alle-between1: e[e1,e2).P[e],
existse-between1: e[e1,e2).P[e],
alle-between2: e[e1,e2].P[e],
existse-between2: e[e1,e2].P[e],
existse-between3: e(e1,e2].P[e],
es-fset-loc: i locs(s),
es-r-immediate-pred: es-r-immediate-pred(es;R;e';e),
same-thread: same-thread(es;p;e;e'),
collect-event: collect-event(es;X;n;v.num[v];L.P[L];e),
cut-order: a (X;f) b,
path-goes-thru: x-f*-y thru i,
lg-edge: lg-edge(g;a;b),
ses-action: Action(e),
ses-legal-sequence: Legal(pas) given prvt,
decidable: Dec(P),
es-p-le: e p e',
es-p-locl: e p< e',
causal-predecessor: causal-predecessor(es;p),
ses-rcv: Rcv,
it: 
,
ses-decrypt: Decrypt,
ses-decryption-key: key(e),
ses-encrypted: plainText(e),
ses-decrypted: plainText(e),
ses-cipher: cipherText(e),
ses-verify: Verify,
eclass: EClass(A[eo; e]),
fpf: a:A fp-> B[a],
ses-private-key: PrivateKey(A),
pi2: snd(t),
so_lambda: x y.t[x; y],
IdLnk: IdLnk,
Knd: Knd,
MaName: MaName,
consensus-state3: consensus-state3(T),
consensus-rcv: consensus-rcv(V;A),
runEvents: runEvents(r),
l_contains: A B,
inject: Inj(A;B;f),
reducible: reducible(a),
prime: prime(a),
fun-connected: y is f*(x),
qle: r s,
qless: r < s,
q-rel: q-rel(r;x),
i-finite: i-finite(I),
i-closed: i-closed(I),
p-outcome: Outcome,
fset-member: a s,
f-subset: xs ys,
fset-closed: (s closed under fs),
l_disjoint: l_disjoint(T;l1;l2),
cs-not-completed: in state s, a has not completed inning i,
cs-archived: by state s, a archived v in inning i,
cs-passed: by state s, a passed inning i without archiving a value,
cs-inning-committed: in state s, inning i has committed v,
cs-inning-committable: in state s, inning i could commit v ,
cs-archive-blocked: in state s, ws' blocks ws from archiving v in inning i,
cs-precondition: state s may consider v in inning i,
btrue: tt,
free-from-atom: x:T||a,
null: null(as),
isl: isl(x),
inr: inr x ,
fpf-cap: f(x)?z,
class-program: ClassProgram(T),
fpf-dom: x dom(f),
ma-state: State(ds),
deq: EqDecider(T),
fpf-sub: f g,
ses-sig: signature(e),
nequal: a 
b T ,
rationals: 
,
intensional-universe: IType,
can-apply: can-apply(f;x),
spread: spread def,
rec: rec(x.A[x]),
tree: Tree(E),
es-pred: pred(e),
locl: locl(a),
cond-class: [X?Y],
eq_knd: a = b,
same-action: same-action(x;y)
Lemmas :
ses-flow-causle,
same-action_wf,
event-has_functionality,
es-causle_transitivity,
security-event-structure_wf,
guard_wf,
decidable__es-E-equal,
ses-flow-implies',
es-locl_wf,
symmetric-key_wf,
es-le_wf,
es-causl_transitivity1,
intensional-universe_wf,
ses-decrypted_wf,
ses-encrypted_wf,
ses-cipher_wf,
ses-encryption-key_wf,
ses-crypt_wf,
ses-disjoint_wf,
atom1_sq,
atom_sq,
set_subtype_base,
atom1_subtype_base,
subtype_rel_sum,
free-from-atom-subtype,
free-from-atom-outr,
pi1_wf_top,
pi2_wf,
eclass-val_wf,
free-from-atom_wf1,
in-eclass_wf,
assert_elim,
bool_wf,
bool_subtype_base,
not_wf,
eclass_wf,
es-interface-top,
es-interface-subtype_rel2,
top_wf,
subtype_rel_wf,
decidable__l_member,
decidable__equal_Id,
ses-K_wf,
ses-key-rel_wf,
sym_wf,
assert_wf,
false_wf,
ifthenelse_wf,
iff_wf,
rev_implies_wf,
squash_wf,
true_wf,
ses-decryption-key_wf,
ses-private-key_wf,
ses-S_wf,
ses-send_wf,
ses-rcv_wf,
ses-decrypt_wf,
ses-verify_wf,
class-value-has_wf,
es-causl_weakening,
ses-flow-has,
es-causle_weakening_eq,
decidable__es-causl,
es-causl_transitivity2,
es-causle_weakening,
subtype_base_sq,
atom2_subtype_base,
es-le-loc,
es-causle_wf,
subtype_rel_self,
es-base-E_wf,
es-loc_wf,
ses-flow-induction,
uiff_inversion,
l_member_subtype,
event-has_wf,
es-E-interface_wf,
ses-info_wf,
ses-sign_wf,
sdata_wf,
Id_wf,
ses-flow_wf,
ses-encrypt_wf,
es-E_wf,
encryption-key_wf,
ses-flow-axiom_wf,
security-theory_wf,
sth-es_wf,
event-ordering+_wf,
l_member_wf,
ses-honest_wf,
l_all_wf2,
ses-cabal_wf,
l_exists_wf,
ses-secrecy_wf,
ses-honest_witness,
l_all_wf,
ses-new_wf,
es-causl-swellfnd,
event-ordering+_inc,
nat_wf,
nat_properties,
ge_wf,
le_wf,
member_wf,
es-causl_wf
\mforall{}s:SecurityTheory. \mforall{}es:EO+(Info). \mforall{}C:Id List.
\mforall{}ns:Atom1 List. (C is a cabal for ns {}\mRightarrow{} Only agents in C have atoms in ns)
supposing (\mforall{}A\mmember{}C.Honest(A))
Date html generated:
2011_08_17-PM-07_52_48
Last ObjectModification:
2011_06_18-PM-01_46_52
Home
Index