enrich EASM with predicates EINV : (name → nat) × (name → emessage) × (name → tidset) × (name → epaydetailsset) × tidset × emessageset; eether-wfd : emessageset × tidset; eoutboxes-wfd : (name → emessage); old-tids-in-ts : (name → emessage) × (name → epaydetailsset) × (name → tidset) × tidset; variables balance0, balance1, balance2, balance3, balance' : name → nat; eexLog, eexLog0, eexLog1, eexLog2, eexLog3, eexLog' : name → epaydetailsset; eoutbox0, eoutbox1, eoutbox2, eoutbox3, eoutbox' : name → emessage; usedTids0, usedTids1, usedTids2 : name → tidset; ts0, ts1, ts2, ts3, ts' : tidset; eether, eether0, eether1, eether2, eether3, eether' : emessageset; axioms EINV-def : ⊦ EINV(balance, eoutbox, usedTids, eexLog, ts, eether) ↔ eether-wfd(eether, ts) ∧ eoutboxes-wfd(eoutbox) ∧ old-tids-in-ts(eoutbox, eexLog, usedTids, ts) ; eether-wfd-def : ⊦ eether-wfd(eether, ts) ↔ (∀ emsg. emsg ∈ eether → emsg ≠ none ∧ authentic(emsg .from) ∧ authentic(emsg .to) ∧ emsg .from ≠ emsg .to ∧ emsg .tid ∈ ts) ; eoutboxes-wfd-def : ⊦ eoutboxes-wfd(eoutbox) ↔ (∀ na. authentic(na) → (isEReq(eoutbox(na)) → authentic(eoutbox(na) .from) ∧ eoutbox(na) .to = na) ∧ (isEVal(eoutbox(na)) → authentic(eoutbox(na) .to) ∧ eoutbox(na) .from = na) ∧ (isEAck(eoutbox(na)) → authentic(eoutbox(na) .from) ∧ eoutbox(na) .to = na)) ; old-tids-in-ts-def : ⊦ old-tids-in-ts(eoutbox, eexLog, usedTids, ts) ↔ (∀ na, epd, tid. authentic(na) → (eoutbox(na) ≠ none → eoutbox(na) .tid ∈ ts) ∧ (epd ∈ eexLog(na) → epd .tid ∈ ts) ∧ (tid ∈ usedTids(na) → tid ∈ ts)) ; end enrich