enrich SASM with predicates SINV : (name → nat) × (name → PayDetailsSet) × (name → message) × (name → nat) × messageset; no-startfrom-soutbox : (name → message); nextSeqNo-isoton : messageset × (name → nat); exLog-nextSeqNo-isoton : (name → PayDetailsSet) × (name → nat); soutbox-wfd : (name → message) × (name → nat) × (name → nat); variables soutbox0, soutbox1, soutbox2, soutbox3, soutbox' : name → message; ether0, ether1, ether2, ether3, ether' : messageset; balance0, balance1, balance2, balance3, balance', nextSeqNo0, nextSeqNo1, nextSeqNo2, nextSeqNo3, nextSeqNo' : name → nat; exLog0, exLog1, exLog2, exLog3, exLog' : name → PayDetailsSet; axioms SINV-def : ⊦ SINV(balance, exLog, soutbox, nextSeqNo, ether) ↔ no-startfrom-soutbox(soutbox) ∧ nextSeqNo-isoton(ether, nextSeqNo) ∧ exLog-nextSeqNo-isoton(exLog, nextSeqNo) ∧ soutbox-wfd(soutbox, nextSeqNo, balance) ; no-startfrom-soutbox-def : ⊦ no-startfrom-soutbox(soutbox) ↔ (∀ na. authentic(na) → ¬ isStartFrom(soutbox(na))); nextSeqNo-isoton-def : ⊦ nextSeqNo-isoton(ether, nextSeqNo) ↔ (∀ msg. msg ∈ ether → ( isReq(msg) ∨ isVal(msg) ∨ isAck(msg) → authentic(msg .pd .from) ∧ authentic(msg .pd .to) ∧ nextSeqNo(msg .pd .from) > msg .pd .fromno ∧ nextSeqNo(msg .pd .to) > msg .pd .tono) ∧ (isStartTo(msg) → authentic(msg .pd .from) ∧ authentic(msg .pd .to) ∧ nextSeqNo(msg .pd .from) > msg .pd .fromno)) ; exLog-nextSeqNo-isoton-def : ⊦ exLog-nextSeqNo-isoton(exLog, nextSeqNo) ↔ (∀ na, pd. authentic(na) ∧ pd ∈ exLog(na) → authentic(pd .to) ∧ nextSeqNo(pd .to) > pd .tono) ; soutbox-wfd-def : ⊦ soutbox-wfd(soutbox, nextSeqNo, balance) ↔ (∀ na. authentic(na) → ( isReq(soutbox(na)) ∨ isVal(soutbox(na)) → authentic(soutbox(na) .pd .from) ∧ authentic(soutbox(na) .pd .to) ∧ soutbox(na) .pd .from ≠ soutbox(na) .pd .to ∧ nextSeqNo(soutbox(na) .pd .from) > soutbox(na) .pd .fromno ∧ nextSeqNo(soutbox(na) .pd .to) > soutbox(na) .pd .tono) ∧ ( isStartTo(soutbox(na)) → balance(na) ≥ soutbox(na) .pd .value ∧ authentic(soutbox(na) .pd .from) ∧ authentic(soutbox(na) .pd .to) ∧ soutbox(na) .pd .from ≠ soutbox(na) .pd .to ∧ nextSeqNo(soutbox(na) .pd .from) > soutbox(na) .pd .fromno ∧ soutbox(na) .pd .from = na)) ; end enrich