enrich ES-mapping with predicates ESINV : (name → nat) × (name → emessage) × (name → tidset) × (name → epaydetailsset) × tidset × emessageset × (name → nat) × (name → PayDetailsSet) × (name → message) × (name → nat) × messageset; state-EQ : (name → nat) × (name → emessage) × (name → epaydetailsset) × tidset × (name → nat) × (name → PayDetailsSet) × (name → message) × (name → nat) × (transactionid → nat) × (transactionid → nat); rva-weakly-injective : emessageset × (name → epaydetailsset) × (name → emessage) × (transactionid → nat) × (transactionid → nat); req-tid-not-in-usedTids : (name → tidset) × emessageset × (name → message) × messageset × (transactionid → nat) × (transactionid → nat); axioms ESINV-def : ⊦ ESINV(balance0, eoutbox0, usedTids0, eexLog0, ts0, eether0, balance, exLog, soutbox, nextSeqNo, ether) ↔ (∃ fromseqno, toseqno. rva-weakly-injective(eether0, eexLog0, eoutbox0, fromseqno, toseqno) ∧ req-tid-not-in-usedTids(usedTids0, eether0, soutbox, ether, fromseqno, toseqno) ∧ state-EQ(balance0, eoutbox0, eexLog0, ts0, balance, exLog, soutbox, nextSeqNo, fromseqno, toseqno) ∧ eether2ether(eether0, fromseqno, toseqno) = RVA(ether)) ; rva-weakly-injective-def : ⊦ rva-weakly-injective(eether, eexLog, eoutbox, fromseqno, toseqno) ↔ (∀ epd1, epd2. epd1 .from = epd2 .from ∧ epd1 .to = epd2 .to ∧ epd1 .tid ≠ epd2 .tid ∧ ( (∃ emsg1. emsg1 ∈ eether ∧ emsg1 .pd = epd1) ∨ (∃ na1. authentic(na1) ∧ (¬ isNone(eoutbox(na1)) ∧ eoutbox(na1) .pd = epd1 ∨ epd1 ∈ eexLog(na1)))) ∧ ( (∃ emsg2. emsg2 ∈ eether ∧ emsg2 .pd = epd2) ∨ (∃ na2. authentic(na2) ∧ (¬ isNone(eoutbox(na2)) ∧ eoutbox(na2) .pd = epd2 ∨ epd2 ∈ eexLog(na2)))) → fromseqno(epd1 .tid) ≠ fromseqno(epd2 .tid) ∨ toseqno(epd1 .tid) ≠ toseqno(epd2 .tid)) ; req-tid-not-in-usedTids-def : ⊦ req-tid-not-in-usedTids(usedTids, eether0, soutbox, ether, fromseqno, toseqno) ↔ (∀ na, pd. authentic(na) → ( soutbox(na) = startTo(pd) ∧ Req(pd) ∈ ether → (∃ emsg. emsg ∈ eether0 ∧ emsg2msg(emsg, fromseqno, toseqno) = Req(pd) ∧ ¬ emsg .tid ∈ usedTids(na)))) ; state-EQ-def : ⊦ state-EQ(balance0, eoutbox0, eexLog0, ts0, balance, exLog, soutbox, nextSeqNo, fromseqno, toseqno) ↔ (∀ na. authentic(na) → balance0(na) = balance(na) ∧ outbox-EQ(na, eoutbox0, soutbox, fromseqno, toseqno) ∧ eexLog2exLog(eexLog0(na), fromseqno, toseqno) = exLog(na)) ; end enrich