Context Navigation

Back to Ticket #460

Ticket #460: easycrypt_IB6_IB7_QueryTags143e2c4.v

File easycrypt_IB6_IB7_QueryTags143e2c4.v, 47.2 KB (added by coquser, 11 years ago)
problematic coq file

Line
1	(* This file is generated by Why3's Coq driver *)
2	(* Beware! Only edit allowed sections below *)
3	Require Import ZArith.
4	Require Import Rbase.
5	Require Import Rtrigo_def.
6	Require Import Rpower.
7	Require Import R_sqrt.
8	Require Import Rpower.
9	Require Import Rbasic_fun.
10	Parameter bitstring_hashDataLen : Type.
11
12	Parameter bitstring_hashTagLen : Type.
13
14	Parameter bitstring_symmKeyLen : Type.
15
16	Parameter bitstring_payloadLen : Type.
17
18	Inductive option (a:Type) :=
19	\| None : option a
20	\| Some : a -> option a.
21	Set Contextual Implicit.
22	Implicit Arguments None.
23	Unset Contextual Implicit.
24	Implicit Arguments Some.
25
26	Inductive list (a:Type) :=
27	\| Nil : list a
28	\| Cons : a -> (list a) -> list a.
29	Set Contextual Implicit.
30	Implicit Arguments Nil.
31	Unset Contextual Implicit.
32	Implicit Arguments Cons.
33
34	Set Implicit Arguments.
35	Fixpoint infix_plpl (a:Type)(l1:(list a)) (l2:(list a)) {struct l1}: (list
36	a) :=
37	match l1 with
38	\| Nil => l2
39	\| (Cons x1 r1) => (Cons x1 (infix_plpl r1 l2))
40	end.
41	Unset Implicit Arguments.
42
43	Axiom Append_assoc : forall (a:Type), forall (l1:(list a)) (l2:(list a))
44	(l3:(list a)), ((infix_plpl l1 (infix_plpl l2
45	l3)) = (infix_plpl (infix_plpl l1 l2) l3)).
46
47	Axiom Append_l_nil : forall (a:Type), forall (l:(list a)), ((infix_plpl l
48	(Nil:(list a))) = l).
49
50	Set Implicit Arguments.
51	Fixpoint length (a:Type)(l:(list a)) {struct l}: Z :=
52	match l with
53	\| Nil => 0%Z
54	\| (Cons _ r) => (1%Z + (length r))%Z
55	end.
56	Unset Implicit Arguments.
57
58	Axiom Length_nonnegative : forall (a:Type), forall (l:(list a)),
59	(0%Z <= (length l))%Z.
60
61	Axiom Length_nil : forall (a:Type), forall (l:(list a)),
62	((length l) = 0%Z) <-> (l = (Nil:(list a))).
63
64	Axiom Append_length : forall (a:Type), forall (l1:(list a)) (l2:(list a)),
65	((length (infix_plpl l1 l2)) = ((length l1) + (length l2))%Z).
66
67	Set Implicit Arguments.
68	Fixpoint mem (a:Type)(x:a) (l:(list a)) {struct l}: Prop :=
69	match l with
70	\| Nil => False
71	\| (Cons y r) => (x = y) \/ (mem x r)
72	end.
73	Unset Implicit Arguments.
74
75	Axiom mem_append : forall (a:Type), forall (x:a) (l1:(list a)) (l2:(list a)),
76	(mem x (infix_plpl l1 l2)) <-> ((mem x l1) \/ (mem x l2)).
77
78	Axiom mem_decomp : forall (a:Type), forall (x:a) (l:(list a)), (mem x l) ->
79	exists l1:(list a), exists l2:(list a), (l = (infix_plpl l1 (Cons x l2))).
80
81	Definition log2(x:R): R := (Rdiv (ln x) (ln 2%R))%R.
82
83	Definition log10(x:R): R := (Rdiv (ln x) (ln 10%R))%R.
84
85	Parameter pow: R -> R -> R.
86
87
88	Axiom Pow_zero_y : forall (y:R), (~ (y = 0%R)) -> ((pow 0%R y) = 0%R).
89
90	Axiom Pow_x_zero : forall (x:R), (~ (x = 0%R)) -> ((pow x 0%R) = 1%R).
91
92	Axiom Pow_x_one : forall (x:R), ((pow x 1%R) = x).
93
94	Axiom Pow_one_y : forall (y:R), ((pow 1%R y) = 1%R).
95
96	Axiom Pow_x_two : forall (x:R), ((pow x 2%R) = (Rsqr x)).
97
98	Axiom Pow_half : forall (x:R), (0%R <= x)%R -> ((pow x
99	(05 / 10)%R) = (sqrt x)).
100
101	Axiom Pow_exp_log : forall (x:R) (y:R), (0%R < x)%R -> ((pow x
102	y) = (exp (y * (ln x))%R)).
103
104	Axiom Abs_le : forall (x:Z) (y:Z), ((Zabs x) <= y)%Z <-> (((-y)%Z <= x)%Z /\
105	(x <= y)%Z).
106
107	Parameter power: Z -> Z -> Z.
108
109
110	Axiom Power_0 : forall (x:Z), ((power x 0%Z) = 1%Z).
111
112	Axiom Power_s : forall (x:Z) (n:Z), (0%Z <= n)%Z -> ((power x
113	(n + 1%Z)%Z) = (x * (power x n))%Z).
114
115	Axiom Power_1 : forall (x:Z), ((power x 1%Z) = x).
116
117	Axiom Power_sum : forall (x:Z) (n:Z) (m:Z), ((0%Z <= n)%Z /\ (0%Z <= m)%Z) ->
118	((power x (n + m)%Z) = ((power x n) * (power x m))%Z).
119
120	Axiom Power_mult : forall (x:Z) (n:Z) (m:Z), (0%Z <= n)%Z -> ((0%Z <= m)%Z ->
121	((power x (n * m)%Z) = (power (power x n) m))).
122
123	Parameter div: Z -> Z -> Z.
124
125
126	Parameter mod1: Z -> Z -> Z.
127
128
129	Axiom Div_mod : forall (x:Z) (y:Z), (~ (y = 0%Z)) -> (x = ((y * (div x
130	y))%Z + (mod1 x y))%Z).
131
132	Axiom Div_bound : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) ->
133	((0%Z <= (div x y))%Z /\ ((div x y) <= x)%Z).
134
135	Axiom Mod_bound : forall (x:Z) (y:Z), (~ (y = 0%Z)) -> ((0%Z <= (mod1 x
136	y))%Z /\ ((mod1 x y) < (Zabs y))%Z).
137
138	Axiom Mod_1 : forall (x:Z), ((mod1 x 1%Z) = 0%Z).
139
140	Axiom Div_1 : forall (x:Z), ((div x 1%Z) = x).
141
142	Parameter map : forall (qta:Type) (qtb:Type), Type.
143
144	Parameter real_of_bool: bool -> R.
145
146
147	Parameter upd_map: forall (qta:Type) (qtb:Type), (map qta qtb) -> qta
148	-> qtb -> (map qta qtb).
149
150	Implicit Arguments upd_map.
151
152	Parameter get_map: forall (qta:Type) (qtb:Type), (map qta qtb) -> qta -> qtb.
153
154	Implicit Arguments get_map.
155
156	Parameter in_dom_map: forall (qta:Type) (qtb:Type), qta -> (map qta qtb) ->
157	Prop.
158
159	Implicit Arguments in_dom_map.
160
161	Parameter in_rng_map: forall (qta:Type) (qtb:Type), qtb -> (map qta qtb) ->
162	Prop.
163
164	Implicit Arguments in_rng_map.
165
166	Parameter sp_lk__: Z.
167
168
169	Definition fst (qta:Type) (qtb:Type)(p:(qta* qtb)%type): qta :=
170	match p with
171	\| (a, b) => a
172	end.
173	Implicit Arguments fst.
174
175	Definition snd (qta:Type) (qtb:Type)(p:(qta* qtb)%type): qtb :=
176	match p with
177	\| (a, b) => b
178	end.
179	Implicit Arguments snd.
180
181	Definition pi3_1 (qta:Type) (qtb:Type) (qtc:Type)(p:(qta* qtb*
182	qtc)%type): qta := match p with
183	\| (a, b, c) => a
184	end.
185	Implicit Arguments pi3_1.
186
187	Definition pi3_2 (qta:Type) (qtb:Type) (qtc:Type)(p:(qta* qtb*
188	qtc)%type): qtb := match p with
189	\| (a, b, c) => b
190	end.
191	Implicit Arguments pi3_2.
192
193	Definition pi3_3 (qta:Type) (qtb:Type) (qtc:Type)(p:(qta* qtb*
194	qtc)%type): qtc := match p with
195	\| (a, b, c) => c
196	end.
197	Implicit Arguments pi3_3.
198
199	Definition pi4_1 (qta:Type) (qtb:Type) (qtc:Type) (qtd:Type)(p:(qta* qtb*
200	qtc* qtd)%type): qta := match p with
201	\| (a, b, c, d) => a
202	end.
203	Implicit Arguments pi4_1.
204
205	Definition pi4_2 (qta:Type) (qtb:Type) (qtc:Type) (qtd:Type)(p:(qta* qtb*
206	qtc* qtd)%type): qtb := match p with
207	\| (a, b, c, d) => b
208	end.
209	Implicit Arguments pi4_2.
210
211	Definition pi4_3 (qta:Type) (qtb:Type) (qtc:Type) (qtd:Type)(p:(qta* qtb*
212	qtc* qtd)%type): qtc := match p with
213	\| (a, b, c, d) => c
214	end.
215	Implicit Arguments pi4_3.
216
217	Definition pi4_4 (qta:Type) (qtb:Type) (qtc:Type) (qtd:Type)(p:(qta* qtb*
218	qtc* qtd)%type): qtd := match p with
219	\| (a, b, c, d) => d
220	end.
221	Implicit Arguments pi4_4.
222
223	Parameter proj: forall (qta:Type), (option qta) -> qta.
224
225	Implicit Arguments proj.
226
227	Parameter hd: forall (qta:Type), (list qta) -> qta.
228
229	Implicit Arguments hd.
230
231	Parameter tl: forall (qta:Type), (list qta) -> (list qta).
232
233	Implicit Arguments tl.
234
235	Parameter empty_map: forall (qta:Type) (qtb:Type), (map qta qtb).
236
237	Set Contextual Implicit.
238	Implicit Arguments empty_map.
239	Unset Contextual Implicit.
240
241	Parameter nat : Type.
242
243	Parameter natProject: nat -> Z.
244
245
246	Parameter natInject: Z -> nat.
247
248
249	Parameter nth: forall (qta:Type), (list qta) -> Z -> (option qta).
250
251	Implicit Arguments nth.
252
253	Definition unique (qta:Type)(xs:(list qta)) (ys:(list qta)): Prop :=
254	(forall (y:qta), (mem y ys) -> (mem y xs)) /\ ((forall (x:qta), (mem x
255	xs) -> (mem x ys)) /\ forall (i:Z) (j:Z), (0%Z <= i)%Z ->
256	((i < (length ys))%Z -> ((0%Z <= j)%Z -> ((j < (length ys))%Z ->
257	(((proj (nth ys i)) = (proj (nth ys j))) -> (i = j)))))).
258	Implicit Arguments unique.
259
260	Parameter unique1: forall (qta:Type), (list qta) -> (list qta).
261
262	Implicit Arguments unique1.
263
264	Definition noDups (qta:Type)(xs:(list qta)): Prop := (unique xs xs).
265	Implicit Arguments noDups.
266
267	Definition fromTo(i:Z) (j:Z) (xs:(list Z)): Prop := ((j < i)%Z /\
268	(xs = (Nil:(list Z)))) \/ ((i <= j)%Z /\ (((length xs) = (j - i)%Z) /\
269	((noDups xs) /\ forall (k:Z), (i <= k)%Z -> ((k <= j)%Z -> (mem k xs))))).
270
271	Parameter fromTo1: Z -> Z -> (list Z).
272
273
274	Definition remov (qta:Type)(i:Z) (xs:(list qta)) (ys:(list qta)): Prop :=
275	(0%Z <= i)%Z /\ ((i < (length xs))%Z /\
276	(((length ys) = ((length xs) - 1%Z)%Z) /\ ((forall (j:Z), (0%Z <= j)%Z ->
277	((j < i)%Z -> ((proj (nth ys j)) = (proj (nth xs j))))) /\ forall (j:Z),
278	(i < j)%Z -> ((j < (length xs))%Z -> ((proj (nth ys
279	(j - 1%Z)%Z)) = (proj (nth xs j))))))).
280	Implicit Arguments remov.
281
282	Parameter remov1: forall (qta:Type), Z -> (list qta) -> (list qta).
283
284	Implicit Arguments remov1.
285
286	Definition mapRepr (qta:Type) (qta1:Type)(map1:(map qta1 qta)) (domain:(list
287	qta1)) (range:(list qta)): Prop := ((length domain) = (length range)) /\
288	((noDups domain) /\ ((forall (x:qta1), (in_dom_map x map1) <-> (mem x
289	domain)) /\ forall (i:Z), (0%Z <= i)%Z -> ((i < (length domain))%Z ->
290	((get_map map1 (proj (nth domain i))) = (proj (nth range i)))))).
291	Implicit Arguments mapRepr.
292
293	Definition injRepr (qtb:Type) (qta:Type)(map1:(map qta qtb)) (domain:(list
294	qta)) (range:(list qtb)): Prop := (mapRepr map1 domain range) /\
295	(noDups range).
296	Implicit Arguments injRepr.
297
298	Parameter attribute : Type.
299
300	Parameter attributeCard: Z.
301
302
303	Parameter exAttr: attribute.
304
305
306	Parameter payloadLen: Z.
307
308
309	Parameter xor_bs_payloadLen: bitstring_payloadLen -> bitstring_payloadLen ->
310	bitstring_payloadLen.
311
312
313	Parameter bs0_payloadLen: bitstring_payloadLen.
314
315
316	Definition payload := bitstring_payloadLen.
317
318	Parameter numAttrs: Z.
319
320
321	Definition indexConcreteValid(n:Z): Prop := (0%Z <= n)%Z /\
322	(n < numAttrs)%Z.
323
324	Parameter index : Type.
325
326	Parameter indexProject: index -> Z.
327
328
329	Parameter indexInject: Z -> index.
330
331
332	Parameter exAttrList: (list attribute).
333
334
335	Definition recordConcrete := ((list attribute)* bitstring_payloadLen)%type.
336
337	Definition recordConcreteValid(rec:((list attribute)*
338	bitstring_payloadLen)%type): Prop := ((length (fst rec)) = numAttrs).
339
340	Parameter record : Type.
341
342	Parameter recordProject: record -> ((list attribute)*
343	bitstring_payloadLen)%type.
344
345
346	Parameter recordInject: ((list attribute)* bitstring_payloadLen)%type ->
347	record.
348
349
350	Definition attrListOfRecord(rec:record): (list attribute) :=
351	(fst (recordProject rec)).
352
353	Definition payloadOfRecord(rec:record): bitstring_payloadLen :=
354	(snd (recordProject rec)).
355
356	Definition nthRecord(rec:record) (i:index): attribute :=
357	(proj (nth (attrListOfRecord rec) (indexProject i))).
358
359	Definition db_concrete := (list record).
360
361	Parameter db : Type.
362
363	Parameter dbProject: db -> (list record).
364
365
366	Parameter dbInject: (list record) -> db.
367
368
369	Definition query := (index* attribute)%type.
370
371	Definition queryExecution(db1:db) (qry:(index* attribute)%type)
372	(dbqt:db): Prop := let i := (fst qry) in let attr := (snd qry) in
373	((forall (rec:record), (mem rec (dbProject db1)) -> (((nthRecord rec
374	i) = attr) -> (mem rec (dbProject dbqt)))) /\ forall (rec:record), (mem rec
375	(dbProject dbqt)) -> ((mem rec (dbProject db1)) /\ ((nthRecord rec
376	i) = attr))).
377
378	Parameter ord: Z.
379
380
381	Parameter mod_int: Z -> Z -> Z.
382
383
384	Parameter group : Type.
385
386	Parameter id: group.
387
388
389	Parameter gen: group.
390
391
392	Parameter groupMult: group -> group -> group.
393
394
395	Parameter groupPow: group -> Z -> group.
396
397
398	Parameter symmKeyLen: Z.
399
400
401	Parameter xor_bs_symmKeyLen: bitstring_symmKeyLen -> bitstring_symmKeyLen ->
402	bitstring_symmKeyLen.
403
404
405	Parameter bs0_symmKeyLen: bitstring_symmKeyLen.
406
407
408	Definition symm_key := bitstring_symmKeyLen.
409
410	Parameter symm_cipher : Type.
411
412	Definition symm_plain := record.
413
414	Parameter bsshould_not_be_usedslsl_symmKeyGen: bitstring_symmKeyLen -> R.
415
416
417	Parameter bsshould_not_be_usedslsl_symmEncrypt: symm_cipher
418	-> bitstring_symmKeyLen -> record -> R.
419
420
421	Parameter symmDecrypt: bitstring_symmKeyLen -> symm_cipher -> record.
422
423
424	Definition hash_group_oracle_state := (map (index* attribute)%type Z).
425
426	Definition counterConcreteValid(n:Z): Prop := (0%Z <= n)%Z /\
427	(n <= ((power attributeCard numAttrs) * (power 2%Z payloadLen))%Z)%Z.
428
429	Parameter counter : Type.
430
431	Parameter counterProject: counter -> Z.
432
433
434	Parameter counterInject: Z -> counter.
435
436
437	Definition annot_group := (group* counter)%type.
438
439	Parameter hashTagLen: Z.
440
441
442	Parameter xor_bs_hashTagLen: bitstring_hashTagLen -> bitstring_hashTagLen ->
443	bitstring_hashTagLen.
444
445
446	Parameter bs0_hashTagLen: bitstring_hashTagLen.
447
448
449	Definition hash_tag := bitstring_hashTagLen.
450
451	Parameter hashDataLen: Z.
452
453
454	Parameter xor_bs_hashDataLen: bitstring_hashDataLen
455	-> bitstring_hashDataLen -> bitstring_hashDataLen.
456
457
458	Parameter bs0_hashDataLen: bitstring_hashDataLen.
459
460
461	Definition hash_data := bitstring_hashDataLen.
462
463	Parameter pad: bitstring_symmKeyLen -> bitstring_hashDataLen.
464
465
466	Parameter unpad: bitstring_hashDataLen -> bitstring_symmKeyLen.
467
468
469	Definition hash_tag_oracle_state := (map (group* counter)%type
470	bitstring_hashTagLen).
471
472	Definition hash_data_oracle_state := (map (group* counter)%type
473	bitstring_hashDataLen).
474
475	Parameter getDistinctHashTag: (list bitstring_hashTagLen) -> Z ->
476	bitstring_hashTagLen.
477
478
479	Parameter getDistinctHashData: (list bitstring_hashDataLen) -> Z ->
480	bitstring_hashDataLen.
481
482
483	Definition groupExps(ns:(list Z)): Prop := forall (i:Z), (0%Z <= i)%Z ->
484	((i < (length ns))%Z -> let n := (proj (nth ns i)) in ((0%Z <= n)%Z /\
485	(n < ord)%Z)).
486
487	Parameter getDistinctHashGroup: (list Z) -> Z -> Z.
488
489
490	Definition table := (list (bitstring_hashTagLen* bitstring_hashDataLen*
491	nat)%type).
492
493	Definition files := (map nat symm_cipher).
494
495	Definition edb_concrete := ((list (bitstring_hashTagLen*
496	bitstring_hashDataLen* nat)%type)* (map nat symm_cipher))%type.
497
498	Definition edbConcreteValid(edbc:((list (bitstring_hashTagLen*
499	bitstring_hashDataLen* nat)%type)* (map nat symm_cipher))%type): Prop :=
500	let table1 := (fst edbc) in let files1 := (snd edbc) in ((noDups table1) /\
501	((forall (ht:bitstring_hashTagLen) (hd1:bitstring_hashDataLen) (n:nat),
502	(mem (ht, hd1, n) table1) -> (in_dom_map n files1)) /\ forall (n:nat),
503	(in_dom_map n files1) -> exists ht:bitstring_hashTagLen,
504	exists hd1:bitstring_hashDataLen, (mem (ht, hd1, n) table1))).
505
506	Parameter edb : Type.
507
508	Parameter edbProject: edb -> ((list (bitstring_hashTagLen*
509	bitstring_hashDataLen* nat)%type)* (map nat symm_cipher))%type.
510
511
512	Parameter edbInject: ((list (bitstring_hashTagLen* bitstring_hashDataLen*
513	nat)%type)* (map nat symm_cipher))%type -> edb.
514
515
516	Definition tableOfEDB(edb1:edb): (list (bitstring_hashTagLen*
517	bitstring_hashDataLen* nat)%type) := (fst (edbProject edb1)).
518
519	Definition filesOfEDB(edb1:edb): (map nat symm_cipher) :=
520	(snd (edbProject edb1)).
521
522	Definition makeEDB(table1:(list (bitstring_hashTagLen* bitstring_hashDataLen*
523	nat)%type)) (files1:(map nat symm_cipher)): edb := (edbInject (table1,
524	files1)).
525
526	Definition pub_vals := group.
527
528	Definition server_tau := Z.
529
530	Definition ib_tau := edb.
531
532	Definition ib_query_resp := (bitstring_hashDataLen* symm_cipher)%type.
533
534	Definition client_tau0 := (group* Z)%type.
535
536	Definition client_tau1 := (group* counter)%type.
537
538	Definition client_tau_2 := (group* counter)%type.
539
540	Definition view_inner_element := (bitstring_hashTagLen* (list
541	(bitstring_hashDataLen* symm_cipher)%type)* edb)%type.
542
543	Definition view_outer_element := (list (bitstring_hashTagLen* (list
544	(bitstring_hashDataLen* symm_cipher)%type)* edb)%type).
545
546	Definition view := (group* edb* (list (list (bitstring_hashTagLen* (list
547	(bitstring_hashDataLen* symm_cipher)%type)* edb)%type)))%type.
548
549	Definition consistTabEntHash(tabEnt:(bitstring_hashTagLen*
550	bitstring_hashDataLen* nat)%type) (hashTagOracleState:(map (group*
551	counter)%type bitstring_hashTagLen)) (hashDataOracleState:(map (group*
552	counter)%type bitstring_hashDataLen)): Prop := exists ag:(group*
553	counter)%type, (in_dom_map ag hashTagOracleState) /\
554	(((get_map hashTagOracleState ag) = (pi3_1 tabEnt)) /\ (in_dom_map ag
555	hashDataOracleState)).
556
557	Definition IB6_IB7_Queries_First(qrys:(list (index* attribute)%type))
558	(hashGroupOtherOracleState1:(map (index* attribute)%type Z))
559	(hashGroupOtherOracleState2:(map (index* attribute)%type Z)) (i:Z): Prop :=
560	(0%Z <= i)%Z /\ ((i <= (length qrys))%Z /\ ((forall (q:(index*
561	attribute)%type), (in_dom_map q hashGroupOtherOracleState1) ->
562	(in_dom_map q hashGroupOtherOracleState2)) /\ ((forall (q:(index*
563	attribute)%type), (in_dom_map q hashGroupOtherOracleState1) ->
564	((get_map hashGroupOtherOracleState1
565	q) = (get_map hashGroupOtherOracleState2 q))) /\ forall (q:(index*
566	attribute)%type), (in_dom_map q hashGroupOtherOracleState2) ->
567	((in_dom_map q hashGroupOtherOracleState1) \/ exists j:Z, (0%Z <= j)%Z /\
568	((j < i)%Z /\ (q = (proj (nth qrys j)))))))).
569
570	Definition IB6_IB7_Queries_Second(qrys:(list (index* attribute)%type))
571	(hashGroupOtherOracleState1:(map (index* attribute)%type Z))
572	(hashGroupOtherOracleState2:(map (index* attribute)%type Z)) (i:Z): Prop :=
573	(0%Z <= i)%Z /\ ((i <= (length qrys))%Z /\ ((forall (q:(index*
574	attribute)%type), (in_dom_map q hashGroupOtherOracleState1) ->
575	(in_dom_map q hashGroupOtherOracleState2)) /\ ((forall (q:(index*
576	attribute)%type), (in_dom_map q hashGroupOtherOracleState1) ->
577	((get_map hashGroupOtherOracleState1
578	q) = (get_map hashGroupOtherOracleState2 q))) /\ forall (q:(index*
579	attribute)%type), (in_dom_map q hashGroupOtherOracleState2) ->
580	((in_dom_map q hashGroupOtherOracleState1) \/ exists j:Z, (i <= j)%Z /\
581	((j < (length qrys))%Z /\ (q = (proj (nth qrys j)))))))).
582
583	Definition IB6_IB7_QueryTags_First(qrys:(list (index* attribute)%type))
584	(qrysTags:(list (list bitstring_hashTagLen))) (qryTags:(list
585	bitstring_hashTagLen)) (qryTagsDone:bool) (table1:(list
586	(bitstring_hashTagLen* bitstring_hashDataLen* nat)%type))
587	(hashGroupOtherOracleState1:(map (index* attribute)%type Z))
588	(hashGroupOtherOracleState2:(map (index* attribute)%type Z))
589	(hashTagOracleState1:(map (group* counter)%type bitstring_hashTagLen))
590	(hashTagOracleState2:(map (group* counter)%type
591	bitstring_hashTagLen)): Prop := ((qryTagsDone = true) ->
592	~ (qryTags = (Nil:(list bitstring_hashTagLen)))) /\ (((qryTags = (Nil:(list
593	bitstring_hashTagLen))) -> ((length qrysTags) <= (length qrys))%Z) /\
594	(((~ (qryTags = (Nil:(list bitstring_hashTagLen)))) ->
595	(((length qrysTags) + 1%Z)%Z <= (length qrys))%Z) /\ ((forall (ag:(group*
596	counter)%type), (in_dom_map ag hashTagOracleState1) -> (in_dom_map ag
597	hashTagOracleState2)) /\ ((forall (ag:(group* counter)%type),
598	(in_dom_map ag hashTagOracleState1) -> ((get_map hashTagOracleState1
599	ag) = (get_map hashTagOracleState2 ag))) /\ ((forall (ag:(group*
600	counter)%type), (in_dom_map ag hashTagOracleState2) -> ((in_dom_map ag
601	hashTagOracleState1) \/ ((exists i:Z, (exists j:Z, (0%Z <= i)%Z /\
602	((i < (length qrysTags))%Z /\ ((0%Z <= j)%Z /\
603	((j < (length (proj (nth qrysTags i))))%Z /\ (ag = ((groupPow gen
604	(get_map hashGroupOtherOracleState2 (proj (nth qrys i)))),
605	(counterInject j)))))))) \/ exists j:Z, (0%Z <= j)%Z /\
606	((j < (length qryTags))%Z /\ (ag = ((groupPow gen
607	(get_map hashGroupOtherOracleState2 (proj (nth qrys (length qrysTags))))),
608	(counterInject j))))))) /\ ((forall (i:Z), (0%Z <= i)%Z ->
609	((i < (length qrysTags))%Z -> forall (j:Z), (0%Z <= j)%Z ->
610	((j < (length (proj (nth qrysTags i))))%Z -> ((get_map hashTagOracleState2
611	((groupPow gen (get_map hashGroupOtherOracleState2 (proj (nth qrys i)))),
612	(counterInject j))) = (proj (nth (proj (nth qrysTags i)) j)))))) /\
613	((forall (i:Z), (0%Z <= i)%Z -> ((i < (length qrysTags))%Z ->
614	((1%Z <= (length (proj (nth qrysTags i))))%Z /\ ((forall (j:Z),
615	(0%Z <= j)%Z -> ((j < ((length (proj (nth qrysTags i))) - 1%Z)%Z)%Z ->
616	exists k:Z, (0%Z <= k)%Z /\ ((k < (length table1))%Z /\
617	((pi3_1 (proj (nth table1 k))) = (proj (nth (proj (nth qrysTags i))
618	j)))))) /\ let j := ((length (proj (nth qrysTags i))) - 1%Z)%Z in
619	((j = ((power attributeCard numAttrs) * (power 2%Z payloadLen))%Z) \/
620	~ exists k:Z, (0%Z <= k)%Z /\ ((k < (length table1))%Z /\
621	((pi3_1 (proj (nth table1 k))) = (proj (nth (proj (nth qrysTags i))
622	j))))))))) /\ ((forall (j:Z), (0%Z <= j)%Z -> ((j < (length qryTags))%Z ->
623	((get_map hashTagOracleState2 ((groupPow gen
624	(get_map hashGroupOtherOracleState2 (proj (nth qrys (length qrysTags))))),
625	(counterInject j))) = (proj (nth qryTags j))))) /\
626	(((~ (qryTagsDone = true)) -> forall (j:Z), (0%Z <= j)%Z ->
627	((j < (length qryTags))%Z -> exists k:Z, (0%Z <= k)%Z /\
628	((k < (length table1))%Z /\ ((pi3_1 (proj (nth table1
629	k))) = (proj (nth qryTags j)))))) /\ ((qryTagsDone = true) ->
630	((1%Z <= (length qryTags))%Z /\ ((forall (j:Z), (0%Z <= j)%Z ->
631	((j < ((length qryTags) - 1%Z)%Z)%Z -> exists k:Z, (0%Z <= k)%Z /\
632	((k < (length table1))%Z /\ ((pi3_1 (proj (nth table1
633	k))) = (proj (nth qryTags j)))))) /\ let j := ((length qryTags) - 1%Z)%Z in
634	((j = ((power attributeCard numAttrs) * (power 2%Z payloadLen))%Z) \/
635	~ exists k:Z, (0%Z <= k)%Z /\ ((k < (length table1))%Z /\
636	((pi3_1 (proj (nth table1 k))) = (proj (nth qryTags j))))))))))))))))).
637
638	Definition IB6_IB7_QueryTags_Second(qrys:(list (index* attribute)%type))
639	(qrysTags:(list (list bitstring_hashTagLen))) (table1:(list
640	(bitstring_hashTagLen* bitstring_hashDataLen* nat)%type))
641	(hashGroupOtherOracleState1:(map (index* attribute)%type Z))
642	(hashGroupOtherOracleState2:(map (index* attribute)%type Z))
643	(hashTagOracleState1:(map (group* counter)%type bitstring_hashTagLen))
644	(hashTagOracleState2:(map (group* counter)%type bitstring_hashTagLen))
645	(i:Z) (j:Z): Prop := ((length qrys) = (length qrysTags)) /\
646	((0%Z <= i)%Z /\ ((i <= (length qrysTags))%Z /\
647	(((i < (length qrysTags))%Z -> ((0%Z <= j)%Z /\
648	(j < (length (proj (nth qrysTags i))))%Z)) /\ ((forall (ag:(group*
649	counter)%type), (in_dom_map ag hashTagOracleState1) -> (in_dom_map ag
650	hashTagOracleState2)) /\ ((forall (ag:(group* counter)%type),
651	(in_dom_map ag hashTagOracleState1) -> ((get_map hashTagOracleState1
652	ag) = (get_map hashTagOracleState2 ag))) /\ ((forall (ag:(group*
653	counter)%type), (in_dom_map ag hashTagOracleState2) -> ((in_dom_map ag
654	hashTagOracleState1) \/ (((i < (length qrysTags))%Z /\ exists jqt:Z,
655	(j <= jqt)%Z /\ ((jqt < (length (proj (nth qrysTags i))))%Z /\ (ag = (
656	(groupPow gen (get_map hashGroupOtherOracleState2 (proj (nth qrys i)))),
657	(counterInject jqt))))) \/ exists iqt:Z, exists jqt:Z, (i < iqt)%Z /\
658	((iqt < (length qrysTags))%Z /\ ((0%Z <= jqt)%Z /\
659	((jqt <= (length (proj (nth qrysTags iqt))))%Z /\ (ag = ((groupPow gen
660	(get_map hashGroupOtherOracleState2 (proj (nth qrys iqt)))),
661	(counterInject jqt))))))))) /\ ((forall (i1:Z), (0%Z <= i1)%Z ->
662	((i1 < (length qrysTags))%Z -> forall (j1:Z), (0%Z <= j1)%Z ->
663	((j1 < (length (proj (nth qrysTags i1))))%Z ->
664	((get_map hashTagOracleState2 ((groupPow gen
665	(get_map hashGroupOtherOracleState2 (proj (nth qrys i1)))),
666	(counterInject j1))) = (proj (nth (proj (nth qrysTags i1)) j1)))))) /\
667	forall (i1:Z), (0%Z <= i1)%Z -> ((i1 < (length qrysTags))%Z ->
668	((1%Z <= (length (proj (nth qrysTags i1))))%Z /\ ((forall (j1:Z),
669	(0%Z <= j1)%Z -> ((j1 < ((length (proj (nth qrysTags i1))) - 1%Z)%Z)%Z ->
670	exists k:Z, (0%Z <= k)%Z /\ ((k < (length table1))%Z /\
671	((pi3_1 (proj (nth table1 k))) = (proj (nth (proj (nth qrysTags i1))
672	j1)))))) /\ let j1 := ((length (proj (nth qrysTags i1))) - 1%Z)%Z in
673	((j1 = ((power attributeCard numAttrs) * (power 2%Z payloadLen))%Z) \/
674	~ exists k:Z, (0%Z <= k)%Z /\ ((k < (length table1))%Z /\
675	((pi3_1 (proj (nth table1 k))) = (proj (nth (proj (nth qrysTags i1))
676	j1))))))))))))))).
677
678	Axiom Some_inj : forall (qta:Type), forall (x:qta) (y:qta),
679	((Some x) = (Some y)) -> (x = y).
680
681	Axiom Proj_Some : forall (qta:Type), forall (x:qta), ((proj (Some x)) = x).
682
683	Axiom Proj_eq : forall (qta:Type), forall (o1:(option qta)) (o2:(option
684	qta)), (~ (o1 = (None:(option qta)))) -> ((~ (o2 = (None:(option qta)))) ->
685	(((proj o1) = (proj o2)) -> (o1 = o2))).
686
687	Axiom Some_or_None : forall (qta:Type), forall (o:(option qta)),
688	(o = (None:(option qta))) \/ exists x:qta, (o = (Some x)).
689
690	Axiom head_def : forall (qta:Type), forall (a:qta) (l:(list qta)),
691	((hd (Cons a l)) = a).
692
693	Axiom tail_def : forall (qta:Type), forall (a:qta) (l:(list qta)),
694	((tl (Cons a l)) = l).
695
696	Axiom get_upd_map_same : forall (qtb:Type) (qta:Type), forall (m:(map qta
697	qtb)) (a1:qta) (a2:qta) (b:qtb), (a1 = a2) -> ((get_map (upd_map m a1 b)
698	a2) = b).
699
700	Axiom get_upd_map_diff : forall (qtb:Type) (qta:Type), forall (m:(map qta
701	qtb)) (a1:qta) (a2:qta) (b:qtb), (~ (a1 = a2)) -> ((get_map (upd_map m a1
702	b) a2) = (get_map m a2)).
703
704	Axiom upd_map_comm : forall (qtb:Type) (qta:Type), forall (m:(map qta qtb))
705	(a:qta) (aqt:qta) (b:qtb) (bqt:qtb), (~ (a = aqt)) -> ((upd_map (upd_map m
706	a b) aqt bqt) = (upd_map (upd_map m aqt bqt) a b)).
707
708	Axiom upd_in_dom_same : forall (qtb:Type) (qta:Type), forall (m:(map qta
709	qtb)) (a:qta) (aqt:qta) (b:qtb), (a = aqt) -> (in_dom_map aqt (upd_map m a
710	b)).
711
712	Axiom upd_in_dom_diff : forall (qtb:Type) (qta:Type), forall (m:(map qta
713	qtb)) (a:qta) (aqt:qta) (b:qtb), (~ (a = aqt)) -> ((in_dom_map aqt
714	(upd_map m a b)) <-> (in_dom_map aqt m)).
715
716	Axiom upd_in_rng_same : forall (qtb:Type) (qta:Type), forall (m:(map qta
717	qtb)) (a:qta) (b:qtb) (bqt:qtb), (b = bqt) -> (in_rng_map bqt (upd_map m a
718	b)).
719
720	Axiom upd_in_rng_diff : forall (qtb:Type) (qta:Type), forall (m:(map qta
721	qtb)) (a:qta) (b:qtb) (bqt:qtb), (~ (b = bqt)) -> ((in_rng_map bqt
722	(upd_map m a b)) <-> (in_rng_map bqt m)).
723
724	Axiom in_dom_in_rng : forall (qta:Type) (qtb:Type), forall (m:(map qta qtb))
725	(a:qta), (in_dom_map a m) -> (in_rng_map (get_map m a) m).
726
727	Axiom in_rng_in_dom : forall (qtb:Type) (qta:Type), forall (m:(map qta qtb))
728	(b:qtb), (in_rng_map b m) -> exists a:qta, (in_dom_map a m) /\ ((get_map m
729	a) = b).
730
731	Axiom empty_in_dom : forall (qta:Type) (qtb:Type) (qtb1:Type),
732	forall (a:qta), ~ (in_dom_map a (empty_map:(map qta qtb1))).
733
734	Axiom empty_in_rng : forall (qtb:Type) (qta:Type) (qta1:Type),
735	forall (b:qtb), ~ (in_rng_map b (empty_map:(map qta1 qtb))).
736
737	Axiom real_of_bool_true : ((real_of_bool true) = (IZR 1%Z)).
738
739	Axiom real_of_bool_false : ((real_of_bool false) = (IZR 0%Z)).
740
741	Axiom real_of_int_le_compat : forall (x:Z) (y:Z), (x <= y)%Z ->
742	((IZR x) <= (IZR y))%R.
743
744	Axiom real_of_int_lt_compat : forall (x:Z) (y:Z), (x < y)%Z ->
745	((IZR x) < (IZR y))%R.
746
747	Axiom rmult_le_compat_l : forall (x:R) (y:R) (z:R), ((IZR 0%Z) <= x)%R ->
748	((y <= z)%R -> ((x * y)%R <= (x * z)%R)%R).
749
750	Axiom rmult_le_compat_r : forall (x:R) (y:R) (z:R), ((IZR 0%Z) <= z)%R ->
751	((x <= y)%R -> ((x * z)%R <= (y * z)%R)%R).
752
753	Axiom rmul_plus_distr_r : forall (x:R) (y:R) (z:R),
754	(((x + y)%R * z)%R = ((x * z)%R + (y * z)%R)%R).
755
756	Axiom rdiv_le_compat : forall (x1:R) (x2:R) (y1:R) (y2:R),
757	((IZR 0%Z) < y2)%R -> ((y2 <= y1)%R -> (((IZR 0%Z) <= x1)%R ->
758	((x1 <= x2)%R -> ((Rdiv x1 y1)%R <= (Rdiv x2 y2)%R)%R))).
759
760	Axiom rdiv_0_le : forall (x:R) (y:R), ((IZR 0%Z) < y)%R ->
761	(((IZR 0%Z) <= x)%R -> ((IZR 0%Z) <= (Rdiv x y)%R)%R).
762
763	Axiom pow2_pos : forall (n:Z), (0%Z <= n)%Z -> (0%Z < (power 2%Z n))%Z.
764
765	Axiom ExNatConcreteValid : (0%Z <= 0%Z)%Z.
766
767	Axiom NatProjectInject : forall (n:nat), ((natInject (natProject n)) = n).
768
769	Axiom NatInjectProjectGood : forall (n:Z), (0%Z <= n)%Z ->
770	((natProject (natInject n)) = n).
771
772	Axiom NatInjectProjectBad : forall (n:Z), (~ (0%Z <= n)%Z) ->
773	((natProject (natInject n)) = 0%Z).
774
775	Axiom NatProjectValid : forall (n:nat), (0%Z <= (natProject n))%Z.
776
777	Axiom LengthEmpty : forall (qta:Type), ((length (Nil:(list qta))) = 0%Z).
778
779	Axiom LengthNonEmpty : forall (qta:Type), forall (x:qta) (xs:(list qta)),
780	((length (Cons x xs)) = ((length xs) + 1%Z)%Z).
781
782	Axiom NthZero : forall (qta:Type), forall (x:qta) (ls:(list qta)),
783	((nth (Cons x ls) 0%Z) = (Some x)).
784
785	Axiom NthNonZero : forall (qta:Type), forall (i:Z) (x:qta) (ls:(list qta)),
786	(0%Z < i)%Z -> ((i < (length ls))%Z -> ((nth (Cons x ls) i) = (nth ls
787	(i - 1%Z)%Z))).
788
789	Axiom NthGood : forall (qta:Type), forall (i:Z) (ls:(list qta)),
790	(0%Z <= i)%Z -> ((i < (length ls))%Z -> exists x:qta, ((nth ls
791	i) = (Some x))).
792
793	Axiom NthGoodqt : forall (qta:Type), forall (i:Z) (ls:(list qta)),
794	(0%Z <= i)%Z -> ((i < (length ls))%Z -> ~ ((nth ls i) = (None:(option
795	qta)))).
796
797	Axiom NthBad : forall (qta:Type), forall (i:Z) (ls:(list qta)),
798	((i < 0%Z)%Z \/ ((length ls) <= i)%Z) -> ((nth ls i) = (None:(option
799	qta))).
800
801	Axiom NthMem : forall (qta:Type), forall (ls:(list qta)) (i:Z),
802	(0%Z <= i)%Z -> ((i < (length ls))%Z -> (mem (proj (nth ls i)) ls)).
803
804	Axiom Unique : forall (qta:Type), forall (xs:(list qta)), (unique xs
805	(unique1 xs)).
806
807	Axiom NoDups1 : forall (qta:Type), forall (x:qta) (ys:(list qta)),
808	(noDups ys) -> ((~ (mem x ys)) -> (noDups (Cons x ys))).
809
810	Axiom NoDups2 : forall (qta:Type), forall (x:qta) (ys:(list qta)), (mem x
811	ys) -> ~ (noDups (Cons x ys)).
812
813	Axiom NoDups3 : forall (qta:Type), forall (x:qta) (ys:(list qta)),
814	(noDups (Cons x ys)) -> (noDups ys).
815
816	Axiom FromTo : forall (i:Z) (j:Z), (fromTo i j (fromTo1 i j)).
817
818	Axiom Remov1 : forall (qta:Type), forall (i:Z) (xs:(list qta)),
819	(((i < 0%Z)%Z \/ ((length xs) < i)%Z) -> ((remov1 i xs) = (Nil:(list
820	qta)))) /\ ((0%Z <= i)%Z -> ((i < (length xs))%Z -> (remov i xs (remov1 i
821	xs)))).
822
823	Axiom Remov2 : forall (qta:Type), forall (i:Z) (xs:(list qta)) (y:qta),
824	(mem y (remov1 i xs)) -> (mem y xs).
825
826	Axiom MapRepr1 : forall (qtb:Type) (qta:Type), (mapRepr (empty_map:(map qta
827	qtb)) (Nil:(list qta)) (Nil:(list qtb))).
828
829	Axiom MapRepr2 : forall (qtb:Type) (qta:Type), forall (map1:(map qta qtb))
830	(domain:(list qta)) (range:(list qtb)) (x:qta) (y:qtb), (mapRepr map1
831	domain range) -> ((~ (in_dom_map x map1)) -> (mapRepr (upd_map map1 x y)
832	(Cons x domain) (Cons y range))).
833
834	Axiom MapRepr3 : forall (qtb:Type) (qta:Type), forall (map1:(map qta qtb))
835	(domain:(list qta)) (range:(list qtb)), (mapRepr map1 domain range) ->
836	forall (x:qtb), (in_rng_map x map1) <-> (mem x range).
837
838	Axiom InjRepr1 : forall (qtb:Type) (qta:Type), (injRepr (empty_map:(map qta
839	qtb)) (Nil:(list qta)) (Nil:(list qtb))).
840
841	Axiom InjRepr2 : forall (qtb:Type) (qta:Type), forall (map1:(map qta qtb))
842	(domain:(list qta)) (range:(list qtb)) (x:qta) (y:qtb), (injRepr map1
843	domain range) -> ((~ (in_dom_map x map1)) -> ((~ (in_rng_map y map1)) ->
844	(injRepr (upd_map map1 x y) (Cons x domain) (Cons y range)))).
845
846	Axiom InjRepr3 : forall (qtb:Type) (qta:Type), forall (map1:(map qta qtb))
847	(domain:(list qta)) (range:(list qtb)), (injRepr map1 domain range) ->
848	forall (x:qtb), (in_rng_map x map1) <-> (mem x range).
849
850	Axiom InjRepr4 : forall (qtb:Type) (qta:Type), forall (map1:(map qta qtb))
851	(domain:(list qta)) (range:(list qtb)) (x1:qta) (x2:qta), (injRepr map1
852	domain range) -> ((in_dom_map x1 map1) -> ((in_dom_map x2 map1) ->
853	(((get_map map1 x2) = (get_map map1 x1)) -> (x1 = x2)))).
854
855	Axiom AttributeCard : (1%Z <= attributeCard)%Z.
856
857	Axiom xor_payloadLen_comm : forall (x:bitstring_payloadLen)
858	(y:bitstring_payloadLen), ((xor_bs_payloadLen x y) = (xor_bs_payloadLen y
859	x)).
860
861	Axiom xor_payloadLen_assoc : forall (x:bitstring_payloadLen)
862	(y:bitstring_payloadLen) (z:bitstring_payloadLen),
863	((xor_bs_payloadLen (xor_bs_payloadLen x y) z) = (xor_bs_payloadLen x
864	(xor_bs_payloadLen y z))).
865
866	Axiom xor_payloadLen_zero_r : forall (x:bitstring_payloadLen),
867	((xor_bs_payloadLen x bs0_payloadLen) = x).
868
869	Axiom xor_payloadLen_cancel : forall (x:bitstring_payloadLen),
870	((xor_bs_payloadLen x x) = bs0_payloadLen).
871
872	Axiom NumAttrs : (1%Z <= numAttrs)%Z.
873
874	Axiom ExIndexConcreteValid : (indexConcreteValid 0%Z).
875
876	Axiom IndexProjectInject : forall (n:index),
877	((indexInject (indexProject n)) = n).
878
879	Axiom IndexInjectProjectGood : forall (n:Z), (indexConcreteValid n) ->
880	((indexProject (indexInject n)) = n).
881
882	Axiom IndexInjectProjectBad : forall (n:Z), (~ (indexConcreteValid n)) ->
883	((indexProject (indexInject n)) = 0%Z).
884
885	Axiom IndexProjectValid : forall (n:index),
886	(indexConcreteValid (indexProject n)).
887
888	Axiom ExAttrList : ((length exAttrList) = numAttrs) /\ forall (i:Z),
889	(0%Z <= i)%Z -> ((i < numAttrs)%Z -> ((proj (nth exAttrList
890	i)) = exAttr)).
891
892	Axiom ExRecConcValid : (recordConcreteValid (exAttrList, bs0_payloadLen)).
893
894	Axiom RecordCard : (1%Z <= ((power attributeCard numAttrs) * (power 2%Z
895	payloadLen))%Z)%Z.
896
897	Axiom RecordProjectInject : forall (rec:record),
898	((recordInject (recordProject rec)) = rec).
899
900	Axiom RecordInjectProjectGood : forall (conc:((list attribute)*
901	bitstring_payloadLen)%type), (recordConcreteValid conc) ->
902	((recordProject (recordInject conc)) = conc).
903
904	Axiom RecordInjectProjectBad : forall (conc:((list attribute)*
905	bitstring_payloadLen)%type), (~ (recordConcreteValid conc)) ->
906	((recordProject (recordInject conc)) = (exAttrList, bs0_payloadLen)).
907
908	Axiom RecordProjectValid : forall (rec:record),
909	(recordConcreteValid (recordProject rec)).
910
911	Axiom ExDBConc : (noDups (Nil:(list record))).
912
913	Axiom DBProjectInject : forall (db1:db), ((dbInject (dbProject db1)) = db1).
914
915	Axiom DBInjectProjectGood : forall (conc:(list record)), (noDups conc) ->
916	((dbProject (dbInject conc)) = conc).
917
918	Axiom dbInjectProjectBad : forall (conc:(list record)), (~ (noDups conc)) ->
919	((dbProject (dbInject conc)) = (Nil:(list record))).
920
921	Axiom DBProjectValid : forall (db1:db), (noDups (dbProject db1)).
922
923	Axiom QueryCard : forall (qrys:(list (index* attribute)%type)),
924	(noDups qrys) -> ((length qrys) <= (numAttrs * attributeCard)%Z)%Z.
925
926	Axiom OrderPos : (1%Z <= ord)%Z.
927
928	Axiom ModSmall : forall (x:Z), (0%Z <= x)%Z -> ((x < ord)%Z -> ((mod_int x
929	ord) = x)).
930
931	Axiom ModBound : forall (x:Z), (0%Z <= (mod_int x ord))%Z /\ ((mod_int x
932	ord) < ord)%Z.
933
934	Axiom ModAdd : forall (x:Z) (y:Z), ((mod_int ((mod_int x ord) + y)%Z
935	ord) = (mod_int (x + y)%Z ord)).
936
937	Axiom ModSub : forall (x:Z) (y:Z), ((mod_int ((mod_int x ord) - y)%Z
938	ord) = (mod_int (x - y)%Z ord)).
939
940	Axiom ModTimes : forall (x:Z) (y:Z), ((mod_int ((mod_int x ord) * y)%Z
941	ord) = (mod_int (x * y)%Z ord)).
942
943	Axiom GroupAssoc : forall (x:group) (y:group) (z:group), ((groupMult x
944	(groupMult y z)) = (groupMult (groupMult x y) z)).
945
946	Axiom GroupIdentityRight : forall (x:group), ((groupMult x id) = x).
947
948	Axiom GroupIdentityLeft : forall (x:group), ((groupMult id x) = x).
949
950	Axiom GroupPowMod : forall (x:group) (n:Z), ((groupPow x n) = (groupPow x
951	(mod_int n ord))).
952
953	Axiom GroupPowId : forall (x:group), ((groupPow x 0%Z) = id).
954
955	Axiom GroupPlusInPower : forall (x:group) (n:Z) (m:Z), ((groupPow x
956	(n + m)%Z) = (groupMult (groupPow x n) (groupPow x m))).
957
958	Axiom GroupLeftNestedPower : forall (x:group) (n:Z) (m:Z),
959	((groupPow (groupPow x n) m) = (groupPow x (n * m)%Z)).
960
961	Axiom GroupTimesInPower : forall (x:group) (y:group) (n:Z),
962	((groupPow (groupMult x y) n) = (groupMult (groupPow x n) (groupPow y n))).
963
964	Axiom SymmKeyLen : (0%Z <= symmKeyLen)%Z.
965
966	Axiom xor_symmKeyLen_comm : forall (x:bitstring_symmKeyLen)
967	(y:bitstring_symmKeyLen), ((xor_bs_symmKeyLen x y) = (xor_bs_symmKeyLen y
968	x)).
969
970	Axiom xor_symmKeyLen_assoc : forall (x:bitstring_symmKeyLen)
971	(y:bitstring_symmKeyLen) (z:bitstring_symmKeyLen),
972	((xor_bs_symmKeyLen (xor_bs_symmKeyLen x y) z) = (xor_bs_symmKeyLen x
973	(xor_bs_symmKeyLen y z))).
974
975	Axiom xor_symmKeyLen_zero_r : forall (x:bitstring_symmKeyLen),
976	((xor_bs_symmKeyLen x bs0_symmKeyLen) = x).
977
978	Axiom xor_symmKeyLen_cancel : forall (x:bitstring_symmKeyLen),
979	((xor_bs_symmKeyLen x x) = bs0_symmKeyLen).
980
981	Axiom QueryOrd : ((numAttrs * attributeCard)%Z <= ord)%Z.
982
983	Axiom ExCounterConcreteValid : (counterConcreteValid 0%Z).
984
985	Axiom CounterProjectInject : forall (n:counter),
986	((counterInject (counterProject n)) = n).
987
988	Axiom CounterInjectProjectGood : forall (n:Z), (counterConcreteValid n) ->
989	((counterProject (counterInject n)) = n).
990
991	Axiom CounterInjectProjectBad : forall (n:Z), (~ (counterConcreteValid n)) ->
992	((counterProject (counterInject n)) = 0%Z).
993
994	Axiom CounterProjectValid : forall (n:counter),
995	(counterConcreteValid (counterProject n)).
996
997	Axiom AnnotGroupCardPos : (1%Z <= (ord * (((power attributeCard
998	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z.
999
1000	Axiom AnnotGroupCard : forall (xs:(list (group* counter)%type)),
1001	(noDups xs) -> ((length xs) <= (ord * (((power attributeCard
1002	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z.
1003
1004	Axiom xor_hashTagLen_comm : forall (x:bitstring_hashTagLen)
1005	(y:bitstring_hashTagLen), ((xor_bs_hashTagLen x y) = (xor_bs_hashTagLen y
1006	x)).
1007
1008	Axiom xor_hashTagLen_assoc : forall (x:bitstring_hashTagLen)
1009	(y:bitstring_hashTagLen) (z:bitstring_hashTagLen),
1010	((xor_bs_hashTagLen (xor_bs_hashTagLen x y) z) = (xor_bs_hashTagLen x
1011	(xor_bs_hashTagLen y z))).
1012
1013	Axiom xor_hashTagLen_zero_r : forall (x:bitstring_hashTagLen),
1014	((xor_bs_hashTagLen x bs0_hashTagLen) = x).
1015
1016	Axiom xor_hashTagLen_cancel : forall (x:bitstring_hashTagLen),
1017	((xor_bs_hashTagLen x x) = bs0_hashTagLen).
1018
1019	Axiom HashTagLen1 : (0%Z <= hashTagLen)%Z.
1020
1021	Axiom HashTagLen2 : ((ord * (((power attributeCard numAttrs) * (power 2%Z
1022	payloadLen))%Z + 1%Z)%Z)%Z <= (power 2%Z hashTagLen))%Z.
1023
1024	Axiom xor_hashDataLen_comm : forall (x:bitstring_hashDataLen)
1025	(y:bitstring_hashDataLen), ((xor_bs_hashDataLen x
1026	y) = (xor_bs_hashDataLen y x)).
1027
1028	Axiom xor_hashDataLen_assoc : forall (x:bitstring_hashDataLen)
1029	(y:bitstring_hashDataLen) (z:bitstring_hashDataLen),
1030	((xor_bs_hashDataLen (xor_bs_hashDataLen x y) z) = (xor_bs_hashDataLen x
1031	(xor_bs_hashDataLen y z))).
1032
1033	Axiom xor_hashDataLen_zero_r : forall (x:bitstring_hashDataLen),
1034	((xor_bs_hashDataLen x bs0_hashDataLen) = x).
1035
1036	Axiom xor_hashDataLen_cancel : forall (x:bitstring_hashDataLen),
1037	((xor_bs_hashDataLen x x) = bs0_hashDataLen).
1038
1039	Axiom HashDataLen1 : (symmKeyLen <= hashDataLen)%Z.
1040
1041	Axiom HashDataLen2 : ((ord * (((power attributeCard numAttrs) * (power 2%Z
1042	payloadLen))%Z + 1%Z)%Z)%Z <= (power 2%Z hashDataLen))%Z.
1043
1044	Axiom PadUnpad : forall (k:bitstring_symmKeyLen), ((unpad (pad k)) = k).
1045
1046	Axiom ListLengthBound : forall (qta:Type), forall (x:qta) (xs:(list qta))
1047	(n:Z), ((length (Cons x xs)) <= n)%Z -> ((length xs) < n)%Z.
1048
1049	Axiom AnnotGroupListLengthBound : forall (xs:(list (group* counter)%type))
1050	(x:(group* counter)%type), ((length (Cons x
1051	xs)) <= (ord * (((power attributeCard numAttrs) * (power 2%Z
1052	payloadLen))%Z + 1%Z)%Z)%Z)%Z ->
1053	((length xs) < (ord * (((power attributeCard numAttrs) * (power 2%Z
1054	payloadLen))%Z + 1%Z)%Z)%Z)%Z.
1055
1056	Axiom QueryListLengthBound : forall (xs:(list (index* attribute)%type))
1057	(x:(index* attribute)%type), ((length (Cons x
1058	xs)) <= (numAttrs * attributeCard)%Z)%Z ->
1059	((length xs) < (numAttrs * attributeCard)%Z)%Z.
1060
1061	Axiom AnnotGroupNoDupsIncompleteListLengthBoundqt : forall (xs:(list (group*
1062	counter)%type)) (x:(group* counter)%type), (noDups xs) -> ((~ (mem x
1063	xs)) -> (((length (Cons x xs)) <= (ord * (((power attributeCard
1064	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z /\
1065	((length xs) < (ord * (((power attributeCard numAttrs) * (power 2%Z
1066	payloadLen))%Z + 1%Z)%Z)%Z)%Z)).
1067
1068	Axiom QueryNoDupsIncompleteListLengthBoundqt : forall (xs:(list (index*
1069	attribute)%type)) (x:(index* attribute)%type), (noDups xs) -> ((~ (mem x
1070	xs)) -> (((length (Cons x xs)) <= (numAttrs * attributeCard)%Z)%Z /\
1071	((length xs) < (numAttrs * attributeCard)%Z)%Z)).
1072
1073	Axiom AnnotGroupNoDupsIncompleteListLengthBound : forall (xs:(list (group*
1074	counter)%type)) (x:(group* counter)%type), (noDups xs) -> ((~ (mem x
1075	xs)) -> ((length xs) < (ord * (((power attributeCard
1076	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z).
1077
1078	Axiom QueryNoDupsIncompleteListLengthBound : forall (xs:(list (index*
1079	attribute)%type)) (x:(index* attribute)%type), (noDups xs) -> ((~ (mem x
1080	xs)) -> ((length xs) < (numAttrs * attributeCard)%Z)%Z).
1081
1082	Axiom HashTagMapReprBound : forall (hashTagOracleState:(map (group*
1083	counter)%type bitstring_hashTagLen)) (hashTagOracleDomain:(list (group*
1084	counter)%type)) (hashTagOracleRange:(list bitstring_hashTagLen)),
1085	(mapRepr hashTagOracleState hashTagOracleDomain hashTagOracleRange) ->
1086	((length hashTagOracleRange) <= (ord * (((power attributeCard
1087	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z.
1088
1089	Axiom HashTagMapReprIncompleteBoundqt : forall (hashTagOracleState:(map
1090	(group* counter)%type bitstring_hashTagLen)) (hashTagOracleDomain:(list
1091	(group* counter)%type)) (hashTagOracleRange:(list bitstring_hashTagLen))
1092	(ag:(group* counter)%type), (mapRepr hashTagOracleState hashTagOracleDomain
1093	hashTagOracleRange) -> ((~ (mem ag hashTagOracleDomain)) ->
1094	((length hashTagOracleRange) < (ord * (((power attributeCard
1095	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z).
1096
1097	Axiom HashTagMapReprIncompleteBound : forall (hashTagOracleState:(map (group*
1098	counter)%type bitstring_hashTagLen)) (hashTagOracleDomain:(list (group*
1099	counter)%type)) (hashTagOracleRange:(list bitstring_hashTagLen))
1100	(ag:(group* counter)%type), (mapRepr hashTagOracleState hashTagOracleDomain
1101	hashTagOracleRange) -> ((~ (in_dom_map ag hashTagOracleState)) ->
1102	((length hashTagOracleRange) < (ord * (((power attributeCard
1103	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z).
1104
1105	Axiom HashDataMapReprBound : forall (hashDataOracleState:(map (group*
1106	counter)%type bitstring_hashDataLen)) (hashDataOracleDomain:(list (group*
1107	counter)%type)) (hashDataOracleRange:(list bitstring_hashDataLen)),
1108	(mapRepr hashDataOracleState hashDataOracleDomain hashDataOracleRange) ->
1109	((length hashDataOracleRange) <= (ord * (((power attributeCard
1110	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z.
1111
1112	Axiom HashDataMapReprIncompleteBoundqt : forall (hashDataOracleState:(map
1113	(group* counter)%type bitstring_hashDataLen)) (hashDataOracleDomain:(list
1114	(group* counter)%type)) (hashDataOracleRange:(list bitstring_hashDataLen))
1115	(ag:(group* counter)%type), (mapRepr hashDataOracleState
1116	hashDataOracleDomain hashDataOracleRange) -> ((~ (mem ag
1117	hashDataOracleDomain)) ->
1118	((length hashDataOracleRange) < (ord * (((power attributeCard
1119	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z).
1120
1121	Axiom HashDataMapReprIncompleteBound : forall (hashDataOracleState:(map
1122	(group* counter)%type bitstring_hashDataLen)) (hashDataOracleDomain:(list
1123	(group* counter)%type)) (hashDataOracleRange:(list bitstring_hashDataLen))
1124	(ag:(group* counter)%type), (mapRepr hashDataOracleState
1125	hashDataOracleDomain hashDataOracleRange) -> ((~ (in_dom_map ag
1126	hashDataOracleState)) ->
1127	((length hashDataOracleRange) < (ord * (((power attributeCard
1128	numAttrs) * (power 2%Z payloadLen))%Z + 1%Z)%Z)%Z)%Z).
1129
1130	Axiom HashGroupOtherMapReprBound : forall (hashGroupOtherOracleState:(map
1131	(index* attribute)%type Z)) (hashGroupOtherOracleDomain:(list (index*
1132	attribute)%type)) (hashGroupOtherOracleRange:(list Z)),
1133	(mapRepr hashGroupOtherOracleState hashGroupOtherOracleDomain
1134	hashGroupOtherOracleRange) ->
1135	((length hashGroupOtherOracleRange) <= (numAttrs * attributeCard)%Z)%Z.
1136
1137	Axiom HashGroupOtherMapReprIncompleteBoundqt : forall (hashGroupOtherOracleState:(map
1138	(index* attribute)%type Z)) (hashGroupOtherOracleDomain:(list (index*
1139	attribute)%type)) (hashGroupOtherOracleRange:(list Z)) (q:(index*
1140	attribute)%type), (mapRepr hashGroupOtherOracleState
1141	hashGroupOtherOracleDomain hashGroupOtherOracleRange) -> ((~ (mem q
1142	hashGroupOtherOracleDomain)) ->
1143	((length hashGroupOtherOracleRange) < (numAttrs * attributeCard)%Z)%Z).
1144
1145	Axiom HashGroupOtherMapReprIncompleteBound : forall (hashGroupOtherOracleState:(map
1146	(index* attribute)%type Z)) (hashGroupOtherOracleDomain:(list (index*
1147	attribute)%type)) (hashGroupOtherOracleRange:(list Z)) (q:(index*
1148	attribute)%type), (mapRepr hashGroupOtherOracleState
1149	hashGroupOtherOracleDomain hashGroupOtherOracleRange) -> ((~ (in_dom_map q
1150	hashGroupOtherOracleState)) ->
1151	((length hashGroupOtherOracleRange) < (numAttrs * attributeCard)%Z)%Z).
1152
1153	Axiom getDistinctHashTag1 : forall (xs:(list bitstring_hashTagLen)) (i:Z),
1154	((~ (noDups xs)) \/ ((i < 0%Z)%Z \/ (((power 2%Z
1155	hashTagLen) - (length xs))%Z <= i)%Z)) -> ((getDistinctHashTag xs
1156	i) = bs0_hashTagLen).
1157
1158	Axiom getDistinctHashTag2 : forall (xs:(list bitstring_hashTagLen)) (i:Z),
1159	(noDups xs) -> ((0%Z <= i)%Z -> ((i < ((power 2%Z
1160	hashTagLen) - (length xs))%Z)%Z -> ~ (mem (getDistinctHashTag xs i) xs))).
1161
1162	Axiom getDistinctHashTag3 : forall (xs:(list bitstring_hashTagLen)) (i:Z)
1163	(j:Z), (noDups xs) -> ((0%Z <= i)%Z -> ((i < ((power 2%Z
1164	hashTagLen) - (length xs))%Z)%Z -> ((0%Z <= j)%Z -> ((j < ((power 2%Z
1165	hashTagLen) - (length xs))%Z)%Z -> (((getDistinctHashTag xs
1166	i) = (getDistinctHashTag xs j)) -> (i = j)))))).
1167
1168	Axiom getDistinctHashData1 : forall (xs:(list bitstring_hashDataLen)) (i:Z),
1169	((~ (noDups xs)) \/ ((i < 0%Z)%Z \/ (((power 2%Z
1170	hashDataLen) - (length xs))%Z <= i)%Z)) -> ((getDistinctHashData xs
1171	i) = bs0_hashDataLen).
1172
1173	Axiom getDistinctHashData2 : forall (xs:(list bitstring_hashDataLen)) (i:Z),
1174	(noDups xs) -> ((0%Z <= i)%Z -> ((i < ((power 2%Z
1175	hashDataLen) - (length xs))%Z)%Z -> ~ (mem (getDistinctHashData xs i)
1176	xs))).
1177
1178	Axiom getDistinctHashData3 : forall (xs:(list bitstring_hashDataLen)) (i:Z)
1179	(j:Z), (noDups xs) -> ((0%Z <= i)%Z -> ((i < ((power 2%Z
1180	hashDataLen) - (length xs))%Z)%Z -> ((0%Z <= j)%Z -> ((j < ((power 2%Z
1181	hashDataLen) - (length xs))%Z)%Z -> (((getDistinctHashData xs
1182	i) = (getDistinctHashData xs j)) -> (i = j)))))).
1183
1184	Axiom getDistinctHashGroup1 : forall (xs:(list Z)) (i:Z),
1185	((~ (groupExps xs)) \/ ((noDups xs) \/ ((i < 0%Z)%Z \/
1186	((ord - (length xs))%Z <= i)%Z))) -> ((getDistinctHashGroup xs i) = 0%Z).
1187
1188	Axiom getDistinctHashGroup2 : forall (xs:(list Z)) (i:Z), (groupExps xs) ->
1189	((noDups xs) -> ((0%Z <= i)%Z -> ((i < (ord - (length xs))%Z)%Z ->
1190	~ (mem (getDistinctHashGroup xs i) xs)))).
1191
1192	Axiom getDistinctHashGroup3 : forall (xs:(list Z)) (i:Z) (j:Z),
1193	(groupExps xs) -> ((noDups xs) -> ((0%Z <= i)%Z ->
1194	((i < (ord - (length xs))%Z)%Z -> ((0%Z <= j)%Z ->
1195	((j < (ord - (length xs))%Z)%Z -> (((getDistinctHashGroup xs
1196	i) = (getDistinctHashGroup xs j)) -> (i = j))))))).
1197
1198	Axiom ExEDBConcValid : (edbConcreteValid ((Nil:(list (bitstring_hashTagLen*
1199	bitstring_hashDataLen* nat)%type)), (empty_map:(map nat symm_cipher)))).
1200
1201	Axiom EDBProjectInject : forall (edb1:edb),
1202	((edbInject (edbProject edb1)) = edb1).
1203
1204	Axiom EDBInjectProjectGood : forall (conc:((list (bitstring_hashTagLen*
1205	bitstring_hashDataLen* nat)%type)* (map nat symm_cipher))%type),
1206	(edbConcreteValid conc) -> ((edbProject (edbInject conc)) = conc).
1207
1208	Axiom EDBInjectProjectBad : forall (conc:((list (bitstring_hashTagLen*
1209	bitstring_hashDataLen* nat)%type)* (map nat symm_cipher))%type),
1210	(~ (edbConcreteValid conc)) -> ((edbProject (edbInject conc)) = ((Nil:(list
1211	(bitstring_hashTagLen* bitstring_hashDataLen* nat)%type)), (empty_map:(map
1212	nat symm_cipher)))).
1213
1214	Axiom eDBProjectValid : forall (qry:edb),
1215	(edbConcreteValid (edbProject qry)).
1216
1217	Axiom ConsistTabEntHash1 : forall (tabEnt:(bitstring_hashTagLen*
1218	bitstring_hashDataLen* nat)%type) (hashTagOracleState:(map (group*
1219	counter)%type bitstring_hashTagLen)) (hashDataOracleState:(map (group*
1220	counter)%type bitstring_hashDataLen)) (ag:(group* counter)%type)
1221	(ht:bitstring_hashTagLen), (consistTabEntHash tabEnt hashTagOracleState
1222	hashDataOracleState) -> ((~ (in_dom_map ag hashTagOracleState)) ->
1223	(consistTabEntHash tabEnt (upd_map hashTagOracleState ag ht)
1224	hashDataOracleState)).
1225
1226	Axiom ConsistTabEntHash2 : forall (tabEnt:(bitstring_hashTagLen*
1227	bitstring_hashDataLen* nat)%type) (hashTagOracleState:(map (group*
1228	counter)%type bitstring_hashTagLen)) (hashDataOracleState:(map (group*
1229	counter)%type bitstring_hashDataLen)) (ag:(group* counter)%type)
1230	(hd1:bitstring_hashDataLen), (consistTabEntHash tabEnt hashTagOracleState
1231	hashDataOracleState) -> (consistTabEntHash tabEnt hashTagOracleState
1232	(upd_map hashDataOracleState ag hd1)).
1233
1234	Axiom IB6_IB7_Queries1 : forall (qrys:(list (index* attribute)%type))
1235	(hashGroupOtherOracleState1:(map (index* attribute)%type Z))
1236	(hashGroupOtherOracleState2:(map (index* attribute)%type Z)),
1237	(IB6_IB7_Queries_First qrys hashGroupOtherOracleState1
1238	hashGroupOtherOracleState2 (length qrys)) -> (IB6_IB7_Queries_Second qrys
1239	hashGroupOtherOracleState1 hashGroupOtherOracleState2 0%Z).
1240
1241	(* YOU MAY EDIT THE CONTEXT BELOW *)
1242
1243	(* DO NOT EDIT BELOW *)
1244
1245	Theorem IB6_IB7_QueryTags1 : forall (qrys:(list (index* attribute)%type))
1246	(qrysTags:(list (list bitstring_hashTagLen))) (table1:(list
1247	(bitstring_hashTagLen* bitstring_hashDataLen* nat)%type))
1248	(hashGroupOtherOracleState1:(map (index* attribute)%type Z))
1249	(hashGroupOtherOracleState2:(map (index* attribute)%type Z))
1250	(hashTagOracleState1:(map (group* counter)%type bitstring_hashTagLen))
1251	(hashTagOracleState2:(map (group* counter)%type bitstring_hashTagLen)),
1252	((length qrys) = (length qrysTags)) -> ((IB6_IB7_QueryTags_First qrys
1253	qrysTags (Nil:(list bitstring_hashTagLen)) false table1
1254	hashGroupOtherOracleState1 hashGroupOtherOracleState2 hashTagOracleState1
1255	hashTagOracleState2) -> (IB6_IB7_QueryTags_Second qrys qrysTags table1
1256	hashGroupOtherOracleState1 hashGroupOtherOracleState2 hashTagOracleState1
1257	hashTagOracleState2 0%Z 0%Z)).
1258	(* YOU MAY EDIT THE PROOF BELOW *)
1259
1260
1261
1262	(* DO NOT EDIT BELOW *)
1263
1264

Download in other formats:

Original Format