Theory Strands_and_Constraints

(*  Title:      Strands_and_Constraints.thy
    Author:     Andreas Viktor Hess, DTU
    SPDX-License-Identifier: BSD-3-Clause
*)

section ‹Strands and Symbolic Intruder Constraints›
theory Strands_and_Constraints
imports Messages More_Unification Intruder_Deduction
begin

subsection ‹Constraints, Strands and Related Definitions›
datatype poscheckvariant = Assign ("assign") | Check ("check")

text ‹
  A strand (or constraint) step is either a message transmission (either a message being sent ‹Send›
  or being received ‹Receive›) or a check on messages (a positive check ‹Equality›---which can be
  either an "assignment" or just a check---or a negative check ‹Inequality›)
›
datatype (funs⇩s⇩t⇩p: 'a, vars⇩s⇩t⇩p: 'b) strand_step =
  Send       "('a,'b) term list" ("send⟨_⟩⇩s⇩t" 80)
| Receive    "('a,'b) term list" ("receive⟨_⟩⇩s⇩t" 80)
| Equality   poscheckvariant "('a,'b) term" "('a,'b) term" ("⟨_: _ ≐ _⟩⇩s⇩t" [80,80])
| Inequality (bvars⇩s⇩t⇩p: "'b list") "(('a,'b) term × ('a,'b) term) list" ("∀_⟨∨≠: _⟩⇩s⇩t" [80,80])
where
  "bvars⇩s⇩t⇩p (Send _) = []"
| "bvars⇩s⇩t⇩p (Receive _) = []"
| "bvars⇩s⇩t⇩p (Equality _ _ _) = []"

abbreviation "Send1 t ≡ Send [t]"
abbreviation "Receive1 t ≡ Receive [t]"

text ‹
  A strand is a finite sequence of strand steps (constraints and strands share the same datatype)
›
type_synonym ('a,'b) strand = "('a,'b) strand_step list"

type_synonym ('a,'b) strands = "('a,'b) strand set"

abbreviation "trms⇩p⇩a⇩i⇩r⇩s F ≡ ⋃(t,t') ∈ set F. {t,t'}"

fun trms⇩s⇩t⇩p::"('a,'b) strand_step ⇒ ('a,'b) terms" where
  "trms⇩s⇩t⇩p (Send ts) = set ts"
| "trms⇩s⇩t⇩p (Receive ts) = set ts"
| "trms⇩s⇩t⇩p (Equality _ t t') = {t,t'}"
| "trms⇩s⇩t⇩p (Inequality _ F) = trms⇩p⇩a⇩i⇩r⇩s F"

lemma vars⇩s⇩t⇩p_unfold[simp]: "vars⇩s⇩t⇩p x = fv⇩s⇩e⇩t (trms⇩s⇩t⇩p x) ∪ set (bvars⇩s⇩t⇩p x)"
by (cases x) auto

text ‹The set of terms occurring in a strand›
definition trms⇩s⇩t where "trms⇩s⇩t S ≡ ⋃(trms⇩s⇩t⇩p ` set S)"

fun trms_list⇩s⇩t⇩p::"('a,'b) strand_step ⇒ ('a,'b) term list" where
  "trms_list⇩s⇩t⇩p (Send ts) = ts"
| "trms_list⇩s⇩t⇩p (Receive ts) = ts"
| "trms_list⇩s⇩t⇩p (Equality _ t t') = [t,t']"
| "trms_list⇩s⇩t⇩p (Inequality _ F) = concat (map (λ(t,t'). [t,t']) F)"

text ‹The set of terms occurring in a strand (list variant)›
definition trms_list⇩s⇩t where "trms_list⇩s⇩t S ≡ remdups (concat (map trms_list⇩s⇩t⇩p S))"

text ‹The set of variables occurring in a sent message›
definition fv⇩s⇩n⇩d::"('a,'b) strand_step ⇒ 'b set" where
  "fv⇩s⇩n⇩d x ≡ case x of Send t ⇒ fv⇩s⇩e⇩t (set t) | _ ⇒ {}"

text ‹The set of variables occurring in a received message›
definition fv⇩r⇩c⇩v::"('a,'b) strand_step ⇒ 'b set" where
  "fv⇩r⇩c⇩v x ≡ case x of Receive t ⇒ fv⇩s⇩e⇩t (set t) | _ ⇒ {}"

text ‹The set of variables occurring in an equality constraint›
definition fv⇩e⇩q::"poscheckvariant ⇒ ('a,'b) strand_step ⇒ 'b set" where
  "fv⇩e⇩q ac x ≡ case x of Equality ac' s t ⇒ if ac = ac' then fv s ∪ fv t else {} | _ ⇒ {}"

text ‹The set of variables occurring at the left-hand side of an equality constraint›
definition fv_l⇩e⇩q::"poscheckvariant ⇒ ('a,'b) strand_step ⇒ 'b set" where
  "fv_l⇩e⇩q ac x ≡ case x of Equality ac' s t ⇒ if ac = ac' then fv s else {} | _ ⇒ {}"

text ‹The set of variables occurring at the right-hand side of an equality constraint›
definition fv_r⇩e⇩q::"poscheckvariant ⇒ ('a,'b) strand_step ⇒ 'b set" where
  "fv_r⇩e⇩q ac x ≡ case x of Equality ac' s t ⇒ if ac = ac' then fv t else {} | _ ⇒ {}"

text ‹The free variables of inequality constraints›
definition fv⇩i⇩n⇩e⇩q::"('a,'b) strand_step ⇒ 'b set" where
  "fv⇩i⇩n⇩e⇩q x ≡ case x of Inequality X F ⇒ fv⇩p⇩a⇩i⇩r⇩s F - set X | _ ⇒ {}"

fun fv⇩s⇩t⇩p::"('a,'b) strand_step ⇒ 'b set" where
  "fv⇩s⇩t⇩p (Send t) = fv⇩s⇩e⇩t (set t)"
| "fv⇩s⇩t⇩p (Receive t) = fv⇩s⇩e⇩t (set t)"
| "fv⇩s⇩t⇩p (Equality _ t t') = fv t ∪ fv t'"
| "fv⇩s⇩t⇩p (Inequality X F) = (⋃(t,t') ∈ set F. fv t ∪ fv t') - set X"

text ‹The set of free variables of a strand›
definition fv⇩s⇩t::"('a,'b) strand ⇒ 'b set" where
  "fv⇩s⇩t S ≡ ⋃(set (map fv⇩s⇩t⇩p S))"

text ‹The set of bound variables of a strand›
definition bvars⇩s⇩t::"('a,'b) strand ⇒ 'b set" where
  "bvars⇩s⇩t S ≡ ⋃(set (map (set ∘ bvars⇩s⇩t⇩p) S))"

text ‹The set of all variables occurring in a strand›
definition vars⇩s⇩t::"('a,'b) strand ⇒ 'b set" where
  "vars⇩s⇩t S ≡ ⋃(set (map vars⇩s⇩t⇩p S))"

abbreviation wfrestrictedvars⇩s⇩t⇩p::"('a,'b) strand_step ⇒ 'b set" where
  "wfrestrictedvars⇩s⇩t⇩p x ≡
    case x of Inequality _ _ ⇒ {} | Equality Check _ _ ⇒ {} | _ ⇒ vars⇩s⇩t⇩p x"

text ‹The variables of a strand whose occurrences might be restricted by well-formedness constraints›
definition wfrestrictedvars⇩s⇩t::"('a,'b) strand ⇒ 'b set" where
  "wfrestrictedvars⇩s⇩t S ≡ ⋃(set (map wfrestrictedvars⇩s⇩t⇩p S))"

abbreviation wfvarsoccs⇩s⇩t⇩p where
  "wfvarsoccs⇩s⇩t⇩p x ≡ case x of Send t ⇒ fv⇩s⇩e⇩t (set t) | Equality Assign s t ⇒ fv s | _ ⇒ {}"

text ‹The variables of a strand that occur in sent messages or in assignments›
definition wfvarsoccs⇩s⇩t where
  "wfvarsoccs⇩s⇩t S ≡ ⋃(set (map wfvarsoccs⇩s⇩t⇩p S))"

text ‹The variables occurring at the right-hand side of assignment steps›
fun assignment_rhs⇩s⇩t where
  "assignment_rhs⇩s⇩t [] = {}"
| "assignment_rhs⇩s⇩t (Equality Assign t t'#S) = insert t' (assignment_rhs⇩s⇩t S)"
| "assignment_rhs⇩s⇩t (x#S) = assignment_rhs⇩s⇩t S"

text ‹The set of function symbols occurring in a strand›
definition funs⇩s⇩t::"('a,'b) strand ⇒ 'a set" where
  "funs⇩s⇩t S ≡ ⋃(set (map funs⇩s⇩t⇩p S))"

fun subst_apply_strand_step::"('a,'b) strand_step ⇒ ('a,'b) subst ⇒ ('a,'b) strand_step"
  (infix "⋅⇩s⇩t⇩p" 51) where
  "Send t ⋅⇩s⇩t⇩p θ = Send (t ⋅⇩l⇩i⇩s⇩t θ)"
| "Receive t ⋅⇩s⇩t⇩p θ = Receive (t ⋅⇩l⇩i⇩s⇩t θ)"
| "Equality a t t' ⋅⇩s⇩t⇩p θ = Equality a (t ⋅ θ) (t' ⋅ θ)"
| "Inequality X F ⋅⇩s⇩t⇩p θ = Inequality X (F ⋅⇩p⇩a⇩i⇩r⇩s rm_vars (set X) θ)"

text ‹Substitution application for strands›
definition subst_apply_strand::"('a,'b) strand ⇒ ('a,'b) subst ⇒ ('a,'b) strand"
  (infix "⋅⇩s⇩t" 51) where
  "S ⋅⇩s⇩t θ ≡ map (λx. x ⋅⇩s⇩t⇩p θ) S"

text ‹The semantics of inequality constraints›
definition
  "ineq_model (ℐ::('a,'b) subst) X F ≡
      (∀δ. subst_domain δ = set X ∧ ground (subst_range δ) ⟶ 
              (∃(t,t') ∈ set F. t ⋅ δ ∘⇩s ℐ ≠ t' ⋅ δ ∘⇩s ℐ))"

fun simple⇩s⇩t⇩p where
  "simple⇩s⇩t⇩p (Receive t) = True"
| "simple⇩s⇩t⇩p (Send [Var v]) = True"
| "simple⇩s⇩t⇩p (Inequality X F) = (∃ℐ. ineq_model ℐ X F)"
| "simple⇩s⇩t⇩p _ = False"

text ‹Simple constraints›
definition simple where "simple S ≡ list_all simple⇩s⇩t⇩p S"

text ‹The intruder knowledge of a constraint›
fun ik⇩s⇩t::"('a,'b) strand ⇒ ('a,'b) terms" where
  "ik⇩s⇩t [] = {}"
| "ik⇩s⇩t (Receive t#S) = set t ∪ (ik⇩s⇩t S)"
| "ik⇩s⇩t (_#S) = ik⇩s⇩t S"

text ‹Strand well-formedness›
fun wf⇩s⇩t::"'b set ⇒ ('a,'b) strand ⇒ bool" where
  "wf⇩s⇩t V [] = True"
| "wf⇩s⇩t V (Receive ts#S) = (fv⇩s⇩e⇩t (set ts) ⊆ V ∧ wf⇩s⇩t V S)"
| "wf⇩s⇩t V (Send ts#S) = wf⇩s⇩t (V ∪ fv⇩s⇩e⇩t (set ts)) S"
| "wf⇩s⇩t V (Equality Assign s t#S) = (fv t ⊆ V ∧ wf⇩s⇩t (V ∪ fv s) S)"
| "wf⇩s⇩t V (Equality Check s t#S) = wf⇩s⇩t V S"
| "wf⇩s⇩t V (Inequality _ _#S) = wf⇩s⇩t V S"

text ‹Well-formedness of constraint states›
definition wf⇩c⇩o⇩n⇩s⇩t⇩r::"('a,'b) strand ⇒ ('a,'b) subst ⇒ bool" where
  "wf⇩c⇩o⇩n⇩s⇩t⇩r S θ ≡ (wf⇩s⇩u⇩b⇩s⇩t θ ∧ wf⇩s⇩t {} S ∧ subst_domain θ ∩ vars⇩s⇩t S = {} ∧
                  range_vars θ ∩ bvars⇩s⇩t S = {} ∧ fv⇩s⇩t S ∩ bvars⇩s⇩t S = {})"

declare trms⇩s⇩t_def[simp]
declare fv⇩s⇩n⇩d_def[simp]
declare fv⇩r⇩c⇩v_def[simp]
declare fv⇩e⇩q_def[simp]
declare fv_l⇩e⇩q_def[simp]
declare fv_r⇩e⇩q_def[simp]
declare fv⇩i⇩n⇩e⇩q_def[simp]
declare fv⇩s⇩t_def[simp]
declare vars⇩s⇩t_def[simp]
declare bvars⇩s⇩t_def[simp]
declare wfrestrictedvars⇩s⇩t_def[simp]
declare wfvarsoccs⇩s⇩t_def[simp]

lemmas wf⇩s⇩t_induct = wf⇩s⇩t.induct[case_names Nil ConsRcv ConsSnd ConsEq ConsEq2 ConsIneq]
lemmas ik⇩s⇩t_induct = ik⇩s⇩t.induct[case_names Nil ConsRcv ConsSnd ConsEq ConsIneq]
lemmas assignment_rhs⇩s⇩t_induct = assignment_rhs⇩s⇩t.induct[case_names Nil ConsEq2 ConsSnd ConsRcv ConsEq ConsIneq]
  

subsubsection ‹Lexicographical measure on strands›
definition size⇩s⇩t::"('a,'b) strand ⇒ nat" where
  "size⇩s⇩t S ≡ size_list (λx. Max (insert 0 (size ` trms⇩s⇩t⇩p x))) S"

definition measure⇩s⇩t::"((('a, 'b) strand × ('a,'b) subst) × ('a, 'b) strand × ('a,'b) subst) set"
where
  "measure⇩s⇩t ≡ measures [λ(S,θ). card (fv⇩s⇩t S), λ(S,θ). size⇩s⇩t S]"

lemma measure⇩s⇩t_alt_def:
  "((s,x),(t,y)) ∈ measure⇩s⇩t =
      (card (fv⇩s⇩t s) < card (fv⇩s⇩t t) ∨ (card (fv⇩s⇩t s) = card (fv⇩s⇩t t) ∧ size⇩s⇩t s < size⇩s⇩t t))"
by (simp add: measure⇩s⇩t_def size⇩s⇩t_def)

lemma measure⇩s⇩t_trans: "trans measure⇩s⇩t"
by (simp add: trans_def measure⇩s⇩t_def size⇩s⇩t_def)


subsubsection ‹Some lemmata›
lemma trms_list⇩s⇩t_is_trms⇩s⇩t: "trms⇩s⇩t S = set (trms_list⇩s⇩t S)"
unfolding trms⇩s⇩t_def trms_list⇩s⇩t_def
proof (induction S)
  case (Cons x S) thus ?case by (cases x) auto
qed simp

lemma subst_apply_strand_step_def:
  "s ⋅⇩s⇩t⇩p θ = (case s of
    Send t ⇒ Send (t ⋅⇩l⇩i⇩s⇩t θ)
  | Receive t ⇒ Receive (t ⋅⇩l⇩i⇩s⇩t θ)
  | Equality a t t' ⇒ Equality a (t ⋅ θ) (t' ⋅ θ)
  | Inequality X F ⇒ Inequality X (F ⋅⇩p⇩a⇩i⇩r⇩s rm_vars (set X) θ))"
by (cases s) simp_all

lemma subst_apply_strand_nil[simp]: "[] ⋅⇩s⇩t δ = []"
unfolding subst_apply_strand_def by simp

lemma finite_funs⇩s⇩t⇩p[simp]: "finite (funs⇩s⇩t⇩p x)" by (cases x) auto
lemma finite_funs⇩s⇩t[simp]: "finite (funs⇩s⇩t S)" unfolding funs⇩s⇩t_def by simp
lemma finite_trms⇩p⇩a⇩i⇩r⇩s[simp]: "finite (trms⇩p⇩a⇩i⇩r⇩s x)" by (induct x) auto
lemma finite_trms⇩s⇩t⇩p[simp]: "finite (trms⇩s⇩t⇩p x)" by (cases x) auto
lemma finite_vars⇩s⇩t⇩p[simp]: "finite (vars⇩s⇩t⇩p x)" by auto
lemma finite_bvars⇩s⇩t⇩p[simp]: "finite (set (bvars⇩s⇩t⇩p x))" by rule
lemma finite_fv⇩s⇩n⇩d[simp]: "finite (fv⇩s⇩n⇩d x)" by (cases x) auto
lemma finite_fv⇩r⇩c⇩v[simp]: "finite (fv⇩r⇩c⇩v x)" by (cases x) auto
lemma finite_fv⇩s⇩t⇩p[simp]: "finite (fv⇩s⇩t⇩p x)" by (cases x) auto
lemma finite_vars⇩s⇩t[simp]: "finite (vars⇩s⇩t S)" by simp
lemma finite_bvars⇩s⇩t[simp]: "finite (bvars⇩s⇩t S)" by simp
lemma finite_fv⇩s⇩t[simp]: "finite (fv⇩s⇩t S)" by simp

lemma finite_wfrestrictedvars⇩s⇩t⇩p[simp]: "finite (wfrestrictedvars⇩s⇩t⇩p x)"
by (cases x) (auto split: poscheckvariant.splits)

lemma finite_wfrestrictedvars⇩s⇩t[simp]: "finite (wfrestrictedvars⇩s⇩t S)"
using finite_wfrestrictedvars⇩s⇩t⇩p by auto

lemma finite_wfvarsoccs⇩s⇩t⇩p[simp]: "finite (wfvarsoccs⇩s⇩t⇩p x)"
by (cases x) (auto split: poscheckvariant.splits)

lemma finite_wfvarsoccs⇩s⇩t[simp]: "finite (wfvarsoccs⇩s⇩t S)"
using finite_wfvarsoccs⇩s⇩t⇩p by auto

lemma finite_ik⇩s⇩t[simp]: "finite (ik⇩s⇩t S)"
by (induct S rule: ik⇩s⇩t.induct) simp_all

lemma finite_assignment_rhs⇩s⇩t[simp]: "finite (assignment_rhs⇩s⇩t S)"
by (induct S rule: assignment_rhs⇩s⇩t.induct) simp_all

lemma ik⇩s⇩t_is_rcv_set: "ik⇩s⇩t A = {t | ts t. Receive ts ∈ set A ∧ t ∈ set ts}"
by (induct A rule: ik⇩s⇩t.induct) auto

lemma ik⇩s⇩t_snoc_no_receive_eq:
  assumes "∄ts. a = receive⟨ts⟩⇩s⇩t"
  shows "ik⇩s⇩t (A@[a]) ⋅⇩s⇩e⇩t ℐ = ik⇩s⇩t A ⋅⇩s⇩e⇩t ℐ"
using assms unfolding ik⇩s⇩t_is_rcv_set
by (metis (no_types, lifting) Un_iff append_Nil2 set_ConsD set_append)

lemma ik⇩s⇩tD[dest]: "t ∈ ik⇩s⇩t S ⟹ ∃ts. t ∈ set ts ∧ Receive ts ∈ set S"
by (induct S rule: ik⇩s⇩t.induct) auto

lemma ik⇩s⇩tD'[dest]: "t ∈ ik⇩s⇩t S ⟹ t ∈ trms⇩s⇩t S"
by (induct S rule: ik⇩s⇩t.induct) auto

lemma ik⇩s⇩tD''[dest]: "t ∈ subterms⇩s⇩e⇩t (ik⇩s⇩t S) ⟹ t ∈ subterms⇩s⇩e⇩t (trms⇩s⇩t S)"
by (induct S rule: ik⇩s⇩t.induct) auto

lemma ik⇩s⇩t_subterm_exD:
  assumes "t ∈ ik⇩s⇩t S"
  shows "∃x ∈ set S. t ∈ subterms⇩s⇩e⇩t (trms⇩s⇩t⇩p x)"
using assms ik⇩s⇩tD by force

lemma assignment_rhs⇩s⇩tD[dest]: "t ∈ assignment_rhs⇩s⇩t S ⟹ ∃t'. Equality Assign t' t ∈ set S"
by (induct S rule: assignment_rhs⇩s⇩t.induct) auto

lemma assignment_rhs⇩s⇩tD'[dest]: "t ∈ subterms⇩s⇩e⇩t (assignment_rhs⇩s⇩t S) ⟹ t ∈ subterms⇩s⇩e⇩t (trms⇩s⇩t S)"
by (induct S rule: assignment_rhs⇩s⇩t.induct) auto

lemma bvars⇩s⇩t_split: "bvars⇩s⇩t (S@S') = bvars⇩s⇩t S ∪ bvars⇩s⇩t S'"
unfolding bvars⇩s⇩t_def by auto

lemma bvars⇩s⇩t_singleton: "bvars⇩s⇩t [x] = set (bvars⇩s⇩t⇩p x)"
unfolding bvars⇩s⇩t_def by auto

lemma strand_fv_bvars_disjointD:
  assumes "fv⇩s⇩t S ∩ bvars⇩s⇩t S = {}" "Inequality X F ∈ set S"
  shows "set X ⊆ bvars⇩s⇩t S" "fv⇩p⇩a⇩i⇩r⇩s F - set X ⊆ fv⇩s⇩t S"
using assms by (induct S) fastforce+

lemma strand_fv_bvars_disjoint_unfold:
  assumes "fv⇩s⇩t S ∩ bvars⇩s⇩t S = {}" "Inequality X F ∈ set S" "Inequality Y G ∈ set S"
  shows "set Y ∩ (fv⇩p⇩a⇩i⇩r⇩s F - set X) = {}"
proof -
  have "set X ⊆ bvars⇩s⇩t S" "set Y ⊆ bvars⇩s⇩t S"
       "fv⇩p⇩a⇩i⇩r⇩s F - set X ⊆ fv⇩s⇩t S" "fv⇩p⇩a⇩i⇩r⇩s G - set Y ⊆ fv⇩s⇩t S"
    using strand_fv_bvars_disjointD[OF assms(1)] assms(2,3) by auto
  thus ?thesis using assms(1) by fastforce
qed

lemma strand_subst_hom[iff]:
  "(S@S') ⋅⇩s⇩t θ = (S ⋅⇩s⇩t θ)@(S' ⋅⇩s⇩t θ)" "(x#S) ⋅⇩s⇩t θ = (x ⋅⇩s⇩t⇩p θ)#(S ⋅⇩s⇩t θ)"
unfolding subst_apply_strand_def by auto

lemma strand_subst_comp: "range_vars δ ∩ bvars⇩s⇩t S = {} ⟹ S ⋅⇩s⇩t δ ∘⇩s θ = ((S ⋅⇩s⇩t δ) ⋅⇩s⇩t θ)"
proof (induction S)
  case (Cons x S)
  have *: "range_vars δ ∩ bvars⇩s⇩t S = {}" "range_vars δ ∩ (set (bvars⇩s⇩t⇩p x)) = {}"
    using Cons bvars⇩s⇩t_split[of "[x]" S] append_Cons inf_sup_absorb
    by (metis (no_types, lifting) Int_iff Un_commute disjoint_iff_not_equal self_append_conv2,
        metis append_self_conv2 bvars⇩s⇩t_singleton inf_bot_right inf_left_commute) 
  hence IH: "S ⋅⇩s⇩t δ ∘⇩s θ = (S ⋅⇩s⇩t δ) ⋅⇩s⇩t θ" using Cons.IH by auto
  have "(x#S ⋅⇩s⇩t δ ∘⇩s θ) = (x ⋅⇩s⇩t⇩p δ ∘⇩s θ)#(S ⋅⇩s⇩t δ ∘⇩s θ)" by (metis strand_subst_hom(2))
  hence "... = (x ⋅⇩s⇩t⇩p δ ∘⇩s θ)#((S ⋅⇩s⇩t δ) ⋅⇩s⇩t θ)" by (metis IH)
  hence "... = ((x ⋅⇩s⇩t⇩p δ) ⋅⇩s⇩t⇩p θ)#((S ⋅⇩s⇩t δ) ⋅⇩s⇩t θ)" using rm_vars_comp[OF *(2)]
  proof (induction x)
    case (Inequality X F) thus ?case
      by (induct F) (auto simp add: subst_apply_pairs_def subst_apply_strand_step_def)
  qed (simp_all add: subst_apply_strand_step_def)
  thus ?case using IH by auto
qed (simp add: subst_apply_strand_def)

lemma strand_substI[intro]:
  "subst_domain θ ∩ fv⇩s⇩t S = {} ⟹ S ⋅⇩s⇩t θ = S"
  "subst_domain θ ∩ vars⇩s⇩t S = {} ⟹ S ⋅⇩s⇩t θ = S"
proof -
  show "subst_domain θ ∩ vars⇩s⇩t S = {} ⟹ S ⋅⇩s⇩t θ = S"
  proof (induction S)
    case (Cons x S)
    hence "S ⋅⇩s⇩t θ = S" by auto
    moreover have "vars⇩s⇩t⇩p x ∩ subst_domain θ = {}" using Cons.prems by auto
    hence "x ⋅⇩s⇩t⇩p θ = x"
    proof (induction x)
      case (Send ts) thus ?case by (induct ts) auto
    next
      case (Receive ts) thus ?case by (induct ts) auto
    next
      case (Inequality X F) thus ?case
        by (induct F) (force simp add: subst_apply_pairs_def)+
    qed auto
    ultimately show ?case by simp
  qed (simp add: subst_apply_strand_def)

  show "subst_domain θ ∩ fv⇩s⇩t S = {} ⟹ S ⋅⇩s⇩t θ = S"
  proof (induction S)
    case (Cons x S)
    hence "S ⋅⇩s⇩t θ = S" by auto
    moreover have "fv⇩s⇩t⇩p x ∩ subst_domain θ = {}"
      using Cons.prems by auto
    hence "x ⋅⇩s⇩t⇩p θ = x"
    proof (induction x)
      case (Send ts) thus ?case by (induct ts) auto
    next
      case (Receive ts) thus ?case by (induct ts) auto
    next
      case (Inequality X F) thus ?case
        by (induct F) (force simp add: subst_apply_pairs_def)+
    qed auto
    ultimately show ?case by simp
  qed (simp add: subst_apply_strand_def)
qed

lemma strand_substI':
  "fv⇩s⇩t S = {} ⟹ S ⋅⇩s⇩t θ = S"
  "vars⇩s⇩t S = {} ⟹ S ⋅⇩s⇩t θ = S"
by (metis inf_bot_right strand_substI(1),
    metis inf_bot_right strand_substI(2))

lemma strand_subst_set: "(set (S ⋅⇩s⇩t θ)) = ((λx. x ⋅⇩s⇩t⇩p θ) ` (set S))"
by (auto simp add: subst_apply_strand_def)

lemma strand_map_inv_set_snd_rcv_subst:
  assumes "finite (M::('a,'b) terms)"
  shows "set ((map Send1 (inv set M)) ⋅⇩s⇩t θ) = Send1 ` (M ⋅⇩s⇩e⇩t θ)" (is ?A)
        "set ((map Receive1 (inv set M)) ⋅⇩s⇩t θ) = Receive1 ` (M ⋅⇩s⇩e⇩t θ)" (is ?B)
proof -
  { fix f::"('a,'b) term ⇒ ('a,'b) strand_step"
    assume f: "f = Send1 ∨ f = Receive1"
    from assms have "set ((map f (inv set M)) ⋅⇩s⇩t θ) = f ` (M ⋅⇩s⇩e⇩t θ)"
    proof (induction rule: finite_induct)
      case empty thus ?case unfolding inv_def by auto
    next
      case (insert m M)
      have "set (map f (inv set (insert m M)) ⋅⇩s⇩t θ) =
            insert (f m ⋅⇩s⇩t⇩p θ) (set (map f (inv set M) ⋅⇩s⇩t θ))"
        by (simp add: insert.hyps(1) inv_set_fset subst_apply_strand_def)
      thus ?case using f insert.IH by auto
    qed
  }
  thus "?A" "?B" by auto
qed

lemma strand_ground_subst_vars_subset:
  assumes "ground (subst_range θ)" shows "vars⇩s⇩t (S ⋅⇩s⇩t θ) ⊆ vars⇩s⇩t S"
proof (induction S)
  case (Cons x S)
  have "vars⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p θ) ⊆ vars⇩s⇩t⇩p x" using ground_subst_fv_subset[OF assms] 
  proof (cases x)
    case (Inequality X F)
    let ?θ = "rm_vars (set X) θ"
    have "fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s ?θ) ⊆ fv⇩p⇩a⇩i⇩r⇩s F"
    proof (induction F)
      case (Cons f F)
      obtain t t' where f: "f = (t,t')" by (metis surj_pair)
      hence "fv⇩p⇩a⇩i⇩r⇩s (f#F ⋅⇩p⇩a⇩i⇩r⇩s ?θ) = fv (t ⋅ ?θ) ∪ fv (t' ⋅ ?θ) ∪ fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s ?θ)"
            "fv⇩p⇩a⇩i⇩r⇩s (f#F) = fv t ∪ fv t' ∪ fv⇩p⇩a⇩i⇩r⇩s F"
        by (auto simp add: subst_apply_pairs_def)
      thus ?case
        using ground_subst_fv_subset[OF ground_subset[OF rm_vars_img_subset assms, of "set X"]]
              Cons.IH
        by (metis (no_types, lifting) Un_mono)
    qed (simp add: subst_apply_pairs_def)
    moreover have
        "vars⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p θ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s rm_vars (set X) θ) ∪ set X"
        "vars⇩s⇩t⇩p x = fv⇩p⇩a⇩i⇩r⇩s F ∪ set X"
      using Inequality
      by (auto simp add: subst_apply_pairs_def)
    ultimately show ?thesis by auto
  qed auto
  thus ?case using Cons.IH by auto
qed (simp add: subst_apply_strand_def)

lemma ik_union_subset: "⋃(P ` ik⇩s⇩t S) ⊆ (⋃x ∈ (set S). ⋃(P ` trms⇩s⇩t⇩p x))"
by (induct S rule: ik⇩s⇩t.induct) auto

lemma ik_snd_empty[simp]: "ik⇩s⇩t (map Send X) = {}"
by (induct "map Send X" arbitrary: X rule: ik⇩s⇩t.induct) auto

lemma ik_snd_empty'[simp]: "ik⇩s⇩t [Send t] = {}" by simp

lemma ik_append[iff]: "ik⇩s⇩t (S@S') = ik⇩s⇩t S ∪ ik⇩s⇩t S'" by (induct S rule: ik⇩s⇩t.induct) auto

lemma ik_cons: "ik⇩s⇩t (x#S) = ik⇩s⇩t [x] ∪ ik⇩s⇩t S" using ik_append[of "[x]" S] by simp

lemma assignment_rhs_append[iff]: "assignment_rhs⇩s⇩t (S@S') = assignment_rhs⇩s⇩t S ∪ assignment_rhs⇩s⇩t S'"
by (induct S rule: assignment_rhs⇩s⇩t.induct) auto

lemma eqs_rcv_map_empty: "assignment_rhs⇩s⇩t (map Receive M) = {}"
by auto

lemma ik_rcv_map: assumes "ts ∈ set L" shows "set ts ⊆ ik⇩s⇩t (map Receive L)"
proof -
  { fix L L' 
    have "set ts ⊆ ik⇩s⇩t [Receive ts]" by auto
    hence "set ts ⊆ ik⇩s⇩t (map Receive L@Receive ts#map Receive L')" using ik_append by auto
    hence "set ts ⊆ ik⇩s⇩t (map Receive (L@ts#L'))" by auto
  }
  thus ?thesis using assms split_list_last by force 
qed

lemma ik_subst: "ik⇩s⇩t (S ⋅⇩s⇩t δ) = ik⇩s⇩t S ⋅⇩s⇩e⇩t δ"
by (induct rule: ik⇩s⇩t_induct) auto

lemma ik_rcv_map': assumes "t ∈ ik⇩s⇩t (map Receive L)" shows "∃ts ∈ set L. t ∈ set ts"
using assms by force

lemma ik_append_subset[simp]: "ik⇩s⇩t S ⊆ ik⇩s⇩t (S@S')" "ik⇩s⇩t S' ⊆ ik⇩s⇩t (S@S')"
by (induct S rule: ik⇩s⇩t.induct) auto

lemma assignment_rhs_append_subset[simp]:
  "assignment_rhs⇩s⇩t S ⊆ assignment_rhs⇩s⇩t (S@S')"
  "assignment_rhs⇩s⇩t S' ⊆ assignment_rhs⇩s⇩t (S@S')"
by (induct S rule: assignment_rhs⇩s⇩t.induct) auto

lemma trms⇩s⇩t_cons: "trms⇩s⇩t (x#S) = trms⇩s⇩t⇩p x ∪ trms⇩s⇩t S" by simp

lemma trm_strand_subst_cong:
  "t ∈ trms⇩s⇩t S ⟹ t ⋅ δ ∈ trms⇩s⇩t (S ⋅⇩s⇩t δ)
    ∨ (∃X F. Inequality X F ∈ set S ∧ t ⋅ rm_vars (set X) δ ∈ trms⇩s⇩t (S ⋅⇩s⇩t δ))"
    (is "t ∈ trms⇩s⇩t S ⟹ ?P t δ S")
  "t ∈ trms⇩s⇩t (S ⋅⇩s⇩t δ) ⟹ (∃t'. t = t' ⋅ δ ∧ t' ∈ trms⇩s⇩t S)
    ∨ (∃X F. Inequality X F ∈ set S ∧ (∃t' ∈ trms⇩p⇩a⇩i⇩r⇩s F. t = t' ⋅ rm_vars (set X) δ))"
    (is "t ∈ trms⇩s⇩t (S ⋅⇩s⇩t δ) ⟹ ?Q t δ S")
proof -
  show "t ∈ trms⇩s⇩t S ⟹ ?P t δ S"
  proof (induction S)
    case (Cons x S) show ?case
    proof (cases "t ∈ trms⇩s⇩t S")
      case True
      hence "?P t δ S" using Cons by simp
      thus ?thesis
        by (cases x)
           (metis (no_types, lifting) Un_iff list.set_intros(2) strand_subst_hom(2) trms⇩s⇩t_cons)+
    next
      case False
      hence "t ∈ trms⇩s⇩t⇩p x" using Cons.prems by auto
      thus ?thesis
      proof (induction x)
        case (Inequality X F)
        hence "t ⋅ rm_vars (set X) δ ∈ trms⇩s⇩t⇩p (Inequality X F ⋅⇩s⇩t⇩p δ)"
          by (induct F) (auto simp add: subst_apply_pairs_def subst_apply_strand_step_def)
        thus ?case by fastforce
      qed (auto simp add: subst_apply_strand_step_def)
    qed
  qed simp

  show "t ∈ trms⇩s⇩t (S ⋅⇩s⇩t δ) ⟹ ?Q t δ S"
  proof (induction S)
    case (Cons x S) show ?case
    proof (cases "t ∈ trms⇩s⇩t (S ⋅⇩s⇩t δ)")
      case True
      hence "?Q t δ S" using Cons by simp
      thus ?thesis by (cases x) force+
    next
      case False
      hence "t ∈ trms⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ)" using Cons.prems by auto
      thus ?thesis
      proof (induction x)
        case (Inequality X F)
        hence "t ∈ trms⇩s⇩t⇩p (Inequality X F) ⋅⇩s⇩e⇩t rm_vars (set X) δ"
          by (induct F) (force simp add: subst_apply_pairs_def)+
        thus ?case by fastforce
      qed (auto simp add: subst_apply_strand_step_def)
    qed
  qed simp
qed


subsection ‹Lemmata: Free Variables of Strands›
lemma fv_trm_snd_rcv[simp]:
  "fv⇩s⇩e⇩t (trms⇩s⇩t⇩p (Send ts)) = fv⇩s⇩e⇩t (set ts)" "fv⇩s⇩e⇩t (trms⇩s⇩t⇩p (Receive ts)) = fv⇩s⇩e⇩t (set ts)"
by simp_all

lemma in_strand_fv_subset: "x ∈ set S ⟹ vars⇩s⇩t⇩p x ⊆ vars⇩s⇩t S"
by fastforce

lemma in_strand_fv_subset_snd: "Send ts ∈ set S ⟹ fv⇩s⇩e⇩t (set ts) ⊆ ⋃(set (map fv⇩s⇩n⇩d S))"
by fastforce

lemma in_strand_fv_subset_rcv: "Receive ts ∈ set S ⟹ fv⇩s⇩e⇩t (set ts) ⊆ ⋃(set (map fv⇩r⇩c⇩v S))"
by fastforce

lemma fv⇩s⇩n⇩dE:
  assumes "v ∈ ⋃(set (map fv⇩s⇩n⇩d S))"
  obtains ts where "send⟨ts⟩⇩s⇩t ∈ set S" "v ∈ fv⇩s⇩e⇩t (set ts)"
proof -
  have "∃ts. send⟨ts⟩⇩s⇩t ∈ set S ∧ v ∈ fv⇩s⇩e⇩t (set ts)"
    by (metis (no_types, lifting) assms UN_E empty_iff set_map strand_step.case_eq_if
              fv⇩s⇩n⇩d_def strand_step.collapse(1))
  thus ?thesis by (metis that)
qed

lemma fv⇩r⇩c⇩vE:
  assumes "v ∈ ⋃(set (map fv⇩r⇩c⇩v S))"
  obtains ts where "receive⟨ts⟩⇩s⇩t ∈ set S" "v ∈ fv⇩s⇩e⇩t (set ts)"
proof -
  have "∃ts. receive⟨ts⟩⇩s⇩t ∈ set S ∧ v ∈ fv⇩s⇩e⇩t (set ts)"
    by (metis (no_types, lifting) assms UN_E empty_iff set_map strand_step.case_eq_if
              fv⇩r⇩c⇩v_def strand_step.collapse(2))
  thus ?thesis by (metis that)
qed

lemma vars⇩s⇩t⇩pI[intro]: "x ∈ fv⇩s⇩t⇩p s ⟹ x ∈ vars⇩s⇩t⇩p s"
by (induct s rule: fv⇩s⇩t⇩p.induct) auto

lemma vars⇩s⇩tI[intro]: "x ∈ fv⇩s⇩t S ⟹ x ∈ vars⇩s⇩t S" using vars⇩s⇩t⇩pI by fastforce

lemma fv⇩s⇩t_subset_vars⇩s⇩t[simp]: "fv⇩s⇩t S ⊆ vars⇩s⇩t S" using vars⇩s⇩tI by force

lemma vars⇩s⇩t_is_fv⇩s⇩t_bvars⇩s⇩t: "vars⇩s⇩t S = fv⇩s⇩t S ∪ bvars⇩s⇩t S"
proof (induction S)
  case (Cons x S) thus ?case
  proof (induction x)
    case (Inequality X F) thus ?case by (induct F) auto
  qed auto
qed simp

lemma fv⇩s⇩t⇩p_is_subterm_trms⇩s⇩t⇩p: "x ∈ fv⇩s⇩t⇩p a ⟹ Var x ∈ subterms⇩s⇩e⇩t (trms⇩s⇩t⇩p a)" 
using var_is_subterm by (cases a) force+

lemma fv⇩s⇩t_is_subterm_trms⇩s⇩t: "x ∈ fv⇩s⇩t A ⟹ Var x ∈ subterms⇩s⇩e⇩t (trms⇩s⇩t A)"
proof (induction A)
  case (Cons a A) thus ?case using fv⇩s⇩t⇩p_is_subterm_trms⇩s⇩t⇩p by (cases "x ∈ fv⇩s⇩t A") auto
qed simp

lemma vars_st_snd_map: "vars⇩s⇩t (map Send tss) = fv⇩s⇩e⇩t (Fun f ` set tss)" by auto

lemma vars_st_rcv_map: "vars⇩s⇩t (map Receive tss) = fv⇩s⇩e⇩t (Fun f ` set tss)" by auto

lemma vars_snd_rcv_union:
  "vars⇩s⇩t⇩p x = fv⇩s⇩n⇩d x ∪ fv⇩r⇩c⇩v x ∪ fv⇩e⇩q assign x ∪ fv⇩e⇩q check x ∪ fv⇩i⇩n⇩e⇩q x ∪ set (bvars⇩s⇩t⇩p x)"
proof (cases x)
  case (Equality ac t t') thus ?thesis by (cases ac) auto
qed auto

lemma fv_snd_rcv_union:
  "fv⇩s⇩t⇩p x = fv⇩s⇩n⇩d x ∪ fv⇩r⇩c⇩v x ∪ fv⇩e⇩q assign x ∪ fv⇩e⇩q check x ∪ fv⇩i⇩n⇩e⇩q x"
proof (cases x)
  case (Equality ac t t') thus ?thesis by (cases ac) auto
qed auto

lemma fv_snd_rcv_empty[simp]: "fv⇩s⇩n⇩d x = {} ∨ fv⇩r⇩c⇩v x = {}" by (cases x) simp_all

lemma vars_snd_rcv_strand[iff]:
  "vars⇩s⇩t (S::('a,'b) strand) =
    (⋃(set (map fv⇩s⇩n⇩d S))) ∪ (⋃(set (map fv⇩r⇩c⇩v S))) ∪ (⋃(set (map (fv⇩e⇩q assign) S)))
    ∪ (⋃(set (map (fv⇩e⇩q check) S))) ∪ (⋃(set (map fv⇩i⇩n⇩e⇩q S))) ∪ bvars⇩s⇩t S"
unfolding bvars⇩s⇩t_def
proof (induction S)
  case (Cons x S)
  have "⋀s V. vars⇩s⇩t⇩p (s::('a,'b) strand_step) ∪ V = 
                fv⇩s⇩n⇩d s ∪ fv⇩r⇩c⇩v s ∪ fv⇩e⇩q assign s ∪ fv⇩e⇩q check s ∪ fv⇩i⇩n⇩e⇩q s ∪ set (bvars⇩s⇩t⇩p s) ∪ V"
    by (metis vars_snd_rcv_union)
  thus ?case using Cons.IH by (auto simp add: sup_assoc sup_left_commute)
qed simp

lemma fv_snd_rcv_strand[iff]:
  "fv⇩s⇩t (S::('a,'b) strand) =
    (⋃(set (map fv⇩s⇩n⇩d S))) ∪ (⋃(set (map fv⇩r⇩c⇩v S))) ∪ (⋃(set (map (fv⇩e⇩q assign) S)))
    ∪ (⋃(set (map (fv⇩e⇩q check) S))) ∪ (⋃(set (map fv⇩i⇩n⇩e⇩q S)))"
unfolding bvars⇩s⇩t_def
proof (induction S)
  case (Cons x S)
  have "⋀s V. fv⇩s⇩t⇩p (s::('a,'b) strand_step) ∪ V = 
                fv⇩s⇩n⇩d s ∪ fv⇩r⇩c⇩v s ∪ fv⇩e⇩q assign s ∪ fv⇩e⇩q check s ∪ fv⇩i⇩n⇩e⇩q s ∪ V"
    by (metis fv_snd_rcv_union)
  thus ?case using Cons.IH by (auto simp add: sup_assoc sup_left_commute)
qed simp

lemma vars_snd_rcv_strand2[iff]:
  "wfrestrictedvars⇩s⇩t (S::('a,'b) strand) =
    (⋃(set (map fv⇩s⇩n⇩d S))) ∪ (⋃(set (map fv⇩r⇩c⇩v S))) ∪ (⋃(set (map (fv⇩e⇩q assign) S)))"
by (induct S) (auto simp add: split: strand_step.split poscheckvariant.split)

lemma fv_snd_rcv_strand_subset[simp]:
  "⋃(set (map fv⇩s⇩n⇩d S)) ⊆ fv⇩s⇩t S" "⋃(set (map fv⇩r⇩c⇩v S)) ⊆ fv⇩s⇩t S"
  "⋃(set (map (fv⇩e⇩q ac) S)) ⊆ fv⇩s⇩t S" "⋃(set (map fv⇩i⇩n⇩e⇩q S)) ⊆ fv⇩s⇩t S"
  "wfvarsoccs⇩s⇩t S ⊆ fv⇩s⇩t S"
proof -
  show "⋃(set (map fv⇩s⇩n⇩d S)) ⊆ fv⇩s⇩t S" "⋃(set (map fv⇩r⇩c⇩v S)) ⊆ fv⇩s⇩t S" "⋃(set (map fv⇩i⇩n⇩e⇩q S)) ⊆ fv⇩s⇩t S"
    using fv_snd_rcv_strand[of S] by auto
  
  show "⋃(set (map (fv⇩e⇩q ac) S)) ⊆ fv⇩s⇩t S"
    by (induct S) (auto split: strand_step.split poscheckvariant.split)

  show "wfvarsoccs⇩s⇩t S ⊆ fv⇩s⇩t S"
    by (induct S) (auto split: strand_step.split poscheckvariant.split)
qed

lemma vars_snd_rcv_strand_subset2[simp]:
  "⋃(set (map fv⇩s⇩n⇩d S)) ⊆ wfrestrictedvars⇩s⇩t S" "⋃(set (map fv⇩r⇩c⇩v S)) ⊆ wfrestrictedvars⇩s⇩t S"
  "⋃(set (map (fv⇩e⇩q assign) S)) ⊆ wfrestrictedvars⇩s⇩t S" "wfvarsoccs⇩s⇩t S ⊆ wfrestrictedvars⇩s⇩t S"
by (induction S) (auto split: strand_step.split poscheckvariant.split)

lemma wfrestrictedvars⇩s⇩t_subset_vars⇩s⇩t: "wfrestrictedvars⇩s⇩t S ⊆ vars⇩s⇩t S"
by (induction S) (auto split: strand_step.split poscheckvariant.split)

lemma subst_sends_strand_step_fv_to_img: "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) ⊆ fv⇩s⇩t⇩p x ∪ range_vars δ" 
using subst_sends_fv_to_img[of _ δ]
proof (cases x)
  case (Inequality X F)
  let ?θ = "rm_vars (set X) δ"
  have "fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s ?θ) ⊆ fv⇩p⇩a⇩i⇩r⇩s F ∪ range_vars ?θ"
  proof (induction F)
    case (Cons f F) thus ?case
      using subst_sends_fv_to_img[of _ ?θ]
      by (auto simp add: subst_apply_pairs_def)
  qed (auto simp add: subst_apply_pairs_def)
  hence "fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s ?θ) ⊆ fv⇩p⇩a⇩i⇩r⇩s F ∪ range_vars δ"
    using rm_vars_img_subset[of "set X" δ] fv_set_mono
    unfolding range_vars_alt_def by blast+
  thus ?thesis using Inequality by (auto simp add: subst_apply_strand_step_def)
qed (auto simp add: subst_apply_strand_step_def)

lemma subst_sends_strand_fv_to_img: "fv⇩s⇩t (S ⋅⇩s⇩t δ) ⊆ fv⇩s⇩t S ∪ range_vars δ" 
proof (induction S)
  case (Cons x S)
  have *: "fv⇩s⇩t (x#S ⋅⇩s⇩t δ) = fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) ∪ fv⇩s⇩t (S ⋅⇩s⇩t δ)"
          "fv⇩s⇩t (x#S) ∪ range_vars δ = fv⇩s⇩t⇩p x ∪ fv⇩s⇩t S ∪ range_vars δ"
    by auto
  thus ?case using Cons.IH subst_sends_strand_step_fv_to_img[of x δ] by auto
qed simp

lemma ineq_apply_subst:
  assumes "subst_domain δ ∩ set X = {}"
  shows "(Inequality X F) ⋅⇩s⇩t⇩p δ = Inequality X (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
using rm_vars_apply'[OF assms] by (simp add: subst_apply_strand_step_def)

lemma fv_strand_step_subst:
  assumes "P = fv⇩s⇩t⇩p ∨ P = fv⇩r⇩c⇩v ∨ P = fv⇩s⇩n⇩d ∨ P = fv⇩e⇩q ac ∨ P = fv⇩i⇩n⇩e⇩q"
  and "set (bvars⇩s⇩t⇩p x) ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "fv⇩s⇩e⇩t (δ ` (P x)) = P (x ⋅⇩s⇩t⇩p δ)"
proof (cases x)
  case (Send ts)
  hence "vars⇩s⇩t⇩p x = fv⇩s⇩e⇩t (set ts)" "fv⇩s⇩n⇩d x = fv⇩s⇩e⇩t (set ts)" by auto
  thus ?thesis using assms Send subst_apply_fv_unfold[of _ δ] by fastforce
next
  case (Receive ts)
  hence "vars⇩s⇩t⇩p x = fv⇩s⇩e⇩t (set ts)" "fv⇩r⇩c⇩v x = fv⇩s⇩e⇩t (set ts)" by auto
  thus ?thesis using assms Receive subst_apply_fv_unfold[of _ δ] by fastforce
next
  case (Equality ac' t t') show ?thesis
  proof (cases "ac = ac'")
    case True
    hence "vars⇩s⇩t⇩p x = fv t ∪ fv t'" "fv⇩e⇩q ac x = fv t ∪ fv t'"
      using Equality
      by auto
    thus ?thesis
      using assms Equality subst_apply_fv_unfold[of _ δ] True
      by auto
  next
    case False
    hence "vars⇩s⇩t⇩p x = fv t ∪ fv t'" "fv⇩e⇩q ac x = {}"
      using Equality
      by auto
    thus ?thesis
      using assms Equality subst_apply_fv_unfold[of _ δ] False
      by auto
  qed
next
  case (Inequality X F)
  hence 1: "set X ∩ (subst_domain δ ∪ range_vars δ) = {}"
           "x ⋅⇩s⇩t⇩p δ = Inequality X (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
           "rm_vars (set X) δ = δ"
    using assms ineq_apply_subst[of δ X F] rm_vars_apply'[of δ "set X"]
    unfolding range_vars_alt_def by force+

  have 2: "fv⇩i⇩n⇩e⇩q x = fv⇩p⇩a⇩i⇩r⇩s F - set X" using Inequality by auto
  hence "fv⇩s⇩e⇩t (δ ` fv⇩i⇩n⇩e⇩q x) = fv⇩s⇩e⇩t (δ ` fv⇩p⇩a⇩i⇩r⇩s F) - set X"
    using fv⇩s⇩e⇩t_subst_img_eq[OF 1(1), of "fv⇩p⇩a⇩i⇩r⇩s F"] by simp
  hence 3: "fv⇩s⇩e⇩t (δ ` fv⇩i⇩n⇩e⇩q x) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X" by (metis fv⇩p⇩a⇩i⇩r⇩s_step_subst)
  
  have 4: "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X" using 1(2) by auto

  show ?thesis
    using assms(1) Inequality subst_apply_fv_unfold[of _ δ] 1(2) 2 3 4
    unfolding fv⇩e⇩q_def fv⇩r⇩c⇩v_def fv⇩s⇩n⇩d_def
    by (metis (no_types) Sup_empty image_empty fv⇩p⇩a⇩i⇩r⇩s.simps fv⇩s⇩e⇩t.simps
              fv⇩s⇩t⇩p.simps(4) strand_step.simps(20))
qed

lemma fv_strand_subst:
  assumes "P = fv⇩s⇩t⇩p ∨ P = fv⇩r⇩c⇩v ∨ P = fv⇩s⇩n⇩d ∨ P = fv⇩e⇩q ac ∨ P = fv⇩i⇩n⇩e⇩q"
  and "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "fv⇩s⇩e⇩t (δ ` (⋃(set (map P S)))) = ⋃(set (map P (S ⋅⇩s⇩t δ)))"
using assms(2)
proof (induction S)
  case (Cons x S)
  hence *: "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
           "set (bvars⇩s⇩t⇩p x) ∩ (subst_domain δ ∪ range_vars δ) = {}"
    unfolding bvars⇩s⇩t_def by force+
  hence **: "fv⇩s⇩e⇩t (δ ` P x) = P (x ⋅⇩s⇩t⇩p δ)" using fv_strand_step_subst[OF assms(1), of x δ] by auto
  have "fv⇩s⇩e⇩t (δ ` (⋃(set (map P (x#S))))) = fv⇩s⇩e⇩t (δ ` P x) ∪ (⋃(set (map P ((S ⋅⇩s⇩t δ)))))"
    using Cons unfolding range_vars_alt_def bvars⇩s⇩t_def by force
  hence "fv⇩s⇩e⇩t (δ ` (⋃(set (map P (x#S))))) = P (x ⋅⇩s⇩t⇩p δ) ∪ fv⇩s⇩e⇩t (δ ` (⋃(set (map P S))))"
    using ** by simp
  thus ?case using Cons.IH[OF *(1)] unfolding bvars⇩s⇩t_def by simp
qed simp

lemma fv_strand_subst2:
  assumes "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "fv⇩s⇩e⇩t (δ ` (wfrestrictedvars⇩s⇩t S)) = wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ)"
by (metis (no_types, lifting) assms fv⇩s⇩e⇩t.simps vars_snd_rcv_strand2 fv_strand_subst UN_Un image_Un)

lemma fv_strand_subst':
  assumes "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "fv⇩s⇩e⇩t (δ ` (fv⇩s⇩t S)) = fv⇩s⇩t (S ⋅⇩s⇩t δ)"
by (metis assms fv_strand_subst fv⇩s⇩t_def)

lemma fv_trms⇩p⇩a⇩i⇩r⇩s_is_fv⇩p⇩a⇩i⇩r⇩s:
  "fv⇩s⇩e⇩t (trms⇩p⇩a⇩i⇩r⇩s F) = fv⇩p⇩a⇩i⇩r⇩s F"
by auto

lemma fv⇩p⇩a⇩i⇩r⇩s_in_fv_trms⇩p⇩a⇩i⇩r⇩s: "x ∈ fv⇩p⇩a⇩i⇩r⇩s F ⟹ x ∈ fv⇩s⇩e⇩t (trms⇩p⇩a⇩i⇩r⇩s F)"
using fv_trms⇩p⇩a⇩i⇩r⇩s_is_fv⇩p⇩a⇩i⇩r⇩s[of F] by blast

lemma trms⇩s⇩t_append: "trms⇩s⇩t (A@B) = trms⇩s⇩t A ∪ trms⇩s⇩t B"
by auto

lemma trms⇩p⇩a⇩i⇩r⇩s_subst: "trms⇩p⇩a⇩i⇩r⇩s (a ⋅⇩p⇩a⇩i⇩r⇩s θ) = trms⇩p⇩a⇩i⇩r⇩s a ⋅⇩s⇩e⇩t θ"
by (auto simp add: subst_apply_pairs_def)

lemma trms⇩p⇩a⇩i⇩r⇩s_fv_subst_subset:
  "t ∈ trms⇩p⇩a⇩i⇩r⇩s F ⟹ fv (t ⋅ θ) ⊆ fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s θ)"
by (force simp add: subst_apply_pairs_def)

lemma trms⇩p⇩a⇩i⇩r⇩s_fv_subst_subset':
  fixes t::"('a,'b) term" and θ::"('a,'b) subst"
  assumes "t ∈ subterms⇩s⇩e⇩t (trms⇩p⇩a⇩i⇩r⇩s F)"
  shows "fv (t ⋅ θ) ⊆ fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s θ)"
proof -
  { fix x assume "x ∈ fv t"
    hence "x ∈ fv⇩p⇩a⇩i⇩r⇩s F"
      using fv_subset[OF assms] fv_subterms_set[of "trms⇩p⇩a⇩i⇩r⇩s F"] fv_trms⇩p⇩a⇩i⇩r⇩s_is_fv⇩p⇩a⇩i⇩r⇩s[of F]
      by blast
    hence "fv (θ x) ⊆ fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s θ)" using fv⇩p⇩a⇩i⇩r⇩s_subst_fv_subset by fast
  } thus ?thesis by (meson fv_subst_obtain_var subset_iff) 
qed

lemma trms⇩p⇩a⇩i⇩r⇩s_funs_term_cases:
  assumes "t ∈ trms⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s θ)" "f ∈ funs_term t"
  shows "(∃u ∈ trms⇩p⇩a⇩i⇩r⇩s F. f ∈ funs_term u) ∨ (∃x ∈ fv⇩p⇩a⇩i⇩r⇩s F. f ∈ funs_term (θ x))"
using assms(1)
proof (induction F)
  case (Cons g F)
  obtain s u where g: "g = (s,u)" by (metis surj_pair)
  show ?case
  proof (cases "t ∈ trms⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s θ)")
    case False
    thus ?thesis
      using assms(2) Cons.prems g funs_term_subst[of _ θ]
      by (auto simp add: subst_apply_pairs_def)
  qed (use Cons.IH in fastforce)
qed simp

lemma trm⇩s⇩t⇩p_subst: 
  assumes "subst_domain θ ∩ set (bvars⇩s⇩t⇩p a) = {}"
  shows "trms⇩s⇩t⇩p (a ⋅⇩s⇩t⇩p θ) = trms⇩s⇩t⇩p a ⋅⇩s⇩e⇩t θ"
proof -
  have "rm_vars (set (bvars⇩s⇩t⇩p a)) θ = θ" using assms by force
  thus ?thesis
    using assms
    by (auto simp add: subst_apply_pairs_def subst_apply_strand_step_def
             split: strand_step.splits)
qed

lemma trms⇩s⇩t_subst:
  assumes "subst_domain θ ∩ bvars⇩s⇩t A = {}"
  shows "trms⇩s⇩t (A ⋅⇩s⇩t θ) = trms⇩s⇩t A ⋅⇩s⇩e⇩t θ"
using assms
proof (induction A)
  case (Cons a A)
  have 1: "subst_domain θ ∩ bvars⇩s⇩t A = {}" "subst_domain θ ∩ set (bvars⇩s⇩t⇩p a) = {}"
    using Cons.prems by auto
  hence IH: "trms⇩s⇩t A ⋅⇩s⇩e⇩t θ = trms⇩s⇩t (A ⋅⇩s⇩t θ)" using Cons.IH by simp
  
  have "trms⇩s⇩t (a#A) = trms⇩s⇩t⇩p a ∪ trms⇩s⇩t A" by auto
  hence 2: "trms⇩s⇩t (a#A) ⋅⇩s⇩e⇩t θ = (trms⇩s⇩t⇩p a ⋅⇩s⇩e⇩t θ) ∪ (trms⇩s⇩t A ⋅⇩s⇩e⇩t θ)" by (metis image_Un)

  have "trms⇩s⇩t (a#A ⋅⇩s⇩t θ) = (trms⇩s⇩t⇩p (a ⋅⇩s⇩t⇩p θ)) ∪ trms⇩s⇩t (A ⋅⇩s⇩t θ)"
    by (auto simp add: subst_apply_strand_def)
  hence 3: "trms⇩s⇩t (a#A ⋅⇩s⇩t θ) = (trms⇩s⇩t⇩p a ⋅⇩s⇩e⇩t θ) ∪ trms⇩s⇩t (A ⋅⇩s⇩t θ)"
    using trm⇩s⇩t⇩p_subst[OF 1(2)] by auto
  
  show ?case using IH 2 3 by metis
qed (simp add: subst_apply_strand_def)

lemma strand_map_set_subst:
  assumes δ: "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "⋃(set (map trms⇩s⇩t⇩p (S ⋅⇩s⇩t δ))) = (⋃(set (map trms⇩s⇩t⇩p S))) ⋅⇩s⇩e⇩t δ"
using assms
proof (induction S)
  case (Cons x S)
  hence "bvars⇩s⇩t [x] ∩ subst_domain δ = {}" "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
    unfolding bvars⇩s⇩t_def by force+
  hence *: "subst_domain δ ∩ set (bvars⇩s⇩t⇩p x) = {}"
           "⋃(set (map trms⇩s⇩t⇩p (S ⋅⇩s⇩t δ))) = ⋃(set (map trms⇩s⇩t⇩p S)) ⋅⇩s⇩e⇩t δ"
    using Cons.IH(1) bvars⇩s⇩t_singleton[of x] by auto
  hence "trms⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = (trms⇩s⇩t⇩p x) ⋅⇩s⇩e⇩t δ"
  proof (cases x)
    case (Inequality X F)
    thus ?thesis
      using rm_vars_apply'[of δ "set X"] * 
      by (metis (no_types, lifting) image_cong trm⇩s⇩t⇩p_subst)
  qed simp_all
  thus ?case using * subst_all_insert by auto
qed simp

lemma subst_apply_fv_subset_strand_trm:
  assumes P: "P = fv⇩s⇩t⇩p ∨ P = fv⇩r⇩c⇩v ∨ P = fv⇩s⇩n⇩d ∨ P = fv⇩e⇩q ac ∨ P = fv⇩i⇩n⇩e⇩q"
  and fv_sub: "fv t ⊆ ⋃(set (map P S)) ∪ V"
  and δ: "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "fv (t ⋅ δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
using fv_strand_subst[OF P δ] subst_apply_fv_subset[OF fv_sub, of δ] by force

lemma subst_apply_fv_subset_strand_trm2:
  assumes fv_sub: "fv t ⊆ wfrestrictedvars⇩s⇩t S ∪ V"
  and δ: "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "fv (t ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
using fv_strand_subst2[OF δ] subst_apply_fv_subset[OF fv_sub, of δ] by force

lemma subst_apply_fv_subset_strand:
  assumes P: "P = fv⇩s⇩t⇩p ∨ P = fv⇩r⇩c⇩v ∨ P = fv⇩s⇩n⇩d ∨ P = fv⇩e⇩q ac ∨ P = fv⇩i⇩n⇩e⇩q"
  and P_subset: "P x ⊆ ⋃(set (map P S)) ∪ V"
  and δ: "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
         "set (bvars⇩s⇩t⇩p x) ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "P (x ⋅⇩s⇩t⇩p δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
proof (cases x)
  case (Send ts)
  hence *: "fv⇩s⇩t⇩p x = fv⇩s⇩e⇩t (set ts)" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
           "fv⇩r⇩c⇩v x = {}" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩s⇩n⇩d x = fv⇩s⇩e⇩t (set ts)" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
           "fv⇩e⇩q ac x = {}" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩i⇩n⇩e⇩q x = {}" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = {}"
    by auto
  hence **: "(P x = fv⇩s⇩e⇩t (set ts) ∧ P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)) ∨
             (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})"
    by (metis P)
  moreover
  { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
  moreover
  { assume "P x = fv⇩s⇩e⇩t (set ts)" "P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
    hence "fv⇩s⇩e⇩t (set ts) ⊆ ⋃(set (map P S)) ∪ V" using P_subset by auto
    hence "fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
      using subst_apply_fv_subset_strand_trm[OF P _ assms(3), of _ V] by fastforce
    hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)› by force
  }
  ultimately show ?thesis by metis
next
  case (Receive ts)
  hence *: "fv⇩s⇩t⇩p x = fv⇩s⇩e⇩t (set ts)" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
           "fv⇩r⇩c⇩v x = fv⇩s⇩e⇩t (set ts)" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
           "fv⇩s⇩n⇩d x = {}" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩e⇩q ac x = {}" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩i⇩n⇩e⇩q x = {}" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = {}"
    by auto
  hence **: "(P x = fv⇩s⇩e⇩t (set ts) ∧ P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)) ∨
             (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})"
    by (metis P)
  moreover
  { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
  moreover
  { assume "P x = fv⇩s⇩e⇩t (set ts)" "P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
    hence "fv⇩s⇩e⇩t (set ts) ⊆ ⋃(set (map P S)) ∪ V" using P_subset by auto
    hence "fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
      using subst_apply_fv_subset_strand_trm[OF P _ assms(3), of _ V] by fastforce
    hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)› by blast
  }
  ultimately show ?thesis by metis
next
  case (Equality ac' t t') show ?thesis
  proof (cases "ac' = ac")
    case True
    hence *: "fv⇩s⇩t⇩p x = fv t ∪ fv t'" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
             "fv⇩r⇩c⇩v x = {}" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩s⇩n⇩d x = {}" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩e⇩q ac x = fv t ∪ fv t'" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
             "fv⇩i⇩n⇩e⇩q x = {}" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = {}"
      using Equality by auto
    hence **: "(P x = fv t ∪ fv t' ∧ P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ))
              ∨ (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})"
      by (metis P)
    moreover
    { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
    moreover
    { assume "P x = fv t ∪ fv t'" "P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
      hence "fv t ⊆ ⋃(set (map P S)) ∪ V" "fv t' ⊆ ⋃(set (map P S)) ∪ V" using P_subset by auto
      hence "fv (t ⋅ δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
            "fv (t' ⋅ δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
        using P subst_apply_fv_subset_strand_trm assms by metis+
      hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)› by blast
    }
    ultimately show ?thesis by metis
  next
    case False
    hence *: "fv⇩s⇩t⇩p x = fv t ∪ fv t'" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
             "fv⇩r⇩c⇩v x = {}" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩s⇩n⇩d x = {}" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩e⇩q ac x = {}" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩i⇩n⇩e⇩q x = {}" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = {}"
      using Equality by auto
    hence **: "(P x = fv t ∪ fv t' ∧ P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ))
              ∨ (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})"
      by (metis P)
    moreover
    { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
    moreover
    { assume "P x = fv t ∪ fv t'" "P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
      hence "fv t ⊆ ⋃(set (map P S)) ∪ V" "fv t' ⊆ ⋃(set (map P S)) ∪ V" using P_subset by auto
      hence "fv (t ⋅ δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
            "fv (t' ⋅ δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
        using P subst_apply_fv_subset_strand_trm assms by metis+
      hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)› by blast
    }
    ultimately show ?thesis by metis
  qed
next
  case (Inequality X F)
  hence *: "fv⇩s⇩t⇩p x = fv⇩p⇩a⇩i⇩r⇩s F - set X" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X"
           "fv⇩r⇩c⇩v x = {}" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩s⇩n⇩d x = {}" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩e⇩q ac x = {}" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩i⇩n⇩e⇩q x = fv⇩p⇩a⇩i⇩r⇩s F - set X"
           "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X"
    using δ(2) ineq_apply_subst[of δ X F] by force+
  hence **: "(P x = fv⇩p⇩a⇩i⇩r⇩s F - set X ∧ P (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X)
            ∨ (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})"
    by (metis P)
  moreover
  { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
  moreover
  { assume "P x = fv⇩p⇩a⇩i⇩r⇩s F - set X" "P (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X"
    hence "fv⇩p⇩a⇩i⇩r⇩s F - set X ⊆ ⋃(set (map P S)) ∪ V"
      using P_subset by auto
    hence "fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` (V ∪ set X))"
    proof (induction F)
      case (Cons f G)
      hence IH: "fv⇩p⇩a⇩i⇩r⇩s (G ⋅⇩p⇩a⇩i⇩r⇩s δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` (V ∪ set X))"
        by (metis (no_types, lifting) Diff_subset_conv UN_insert le_sup_iff
                  list.simps(15) fv⇩p⇩a⇩i⇩r⇩s.simps)
      obtain t t' where f: "f = (t,t')" by (metis surj_pair)
      hence "fv t ⊆ ⋃(set (map P S)) ∪ (V ∪ set X)" "fv t' ⊆ ⋃(set (map P S)) ∪ (V ∪ set X)"
        using Cons.prems by auto
      hence "fv (t ⋅ δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` (V ∪ set X))"
            "fv (t' ⋅ δ) ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` (V ∪ set X))"
        using subst_apply_fv_subset_strand_trm[OF P _ assms(3)]
        by blast+
      thus ?case using f IH by (auto simp add: subst_apply_pairs_def)
    qed (simp add: subst_apply_pairs_def)
    moreover have "fv⇩s⇩e⇩t (δ ` set X) = set X" using assms(4) Inequality by force
    ultimately have "fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X ⊆ ⋃(set (map P (S ⋅⇩s⇩t δ))) ∪ fv⇩s⇩e⇩t (δ ` V)"
      by auto
    hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X› by blast
  }
  ultimately show ?thesis by metis
qed

lemma subst_apply_fv_subset_strand2:
  assumes P: "P = fv⇩s⇩t⇩p ∨ P = fv⇩r⇩c⇩v ∨ P = fv⇩s⇩n⇩d ∨ P = fv⇩e⇩q ac ∨ P = fv⇩i⇩n⇩e⇩q ∨ P = fv_r⇩e⇩q ac"
  and P_subset: "P x ⊆ wfrestrictedvars⇩s⇩t S ∪ V"
  and δ: "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
         "set (bvars⇩s⇩t⇩p x) ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "P (x ⋅⇩s⇩t⇩p δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
proof (cases x)
  case (Send ts)
  hence *: "fv⇩s⇩t⇩p x = fv⇩s⇩e⇩t (set ts)" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
           "fv⇩r⇩c⇩v x = {}" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩s⇩n⇩d x = fv⇩s⇩e⇩t (set ts)" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
           "fv⇩e⇩q ac x = {}" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩i⇩n⇩e⇩q x = {}" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv_r⇩e⇩q ac x = {}" "fv_r⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
    by auto
  hence **: "(P x = fv⇩s⇩e⇩t (set ts) ∧ P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)) ∨ (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})" by (metis P)
  moreover
  { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
  moreover
  { assume "P x = fv⇩s⇩e⇩t (set ts)" "P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
    hence "fv⇩s⇩e⇩t (set ts) ⊆ wfrestrictedvars⇩s⇩t S ∪ V" using P_subset by auto
    hence "fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
      using subst_apply_fv_subset_strand_trm2[OF _ assms(3), of _ V] by fastforce
    hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)› by blast
  }
  ultimately show ?thesis by metis
next
  case (Receive ts)
  hence *: "fv⇩s⇩t⇩p x = fv⇩s⇩e⇩t (set ts)" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
           "fv⇩r⇩c⇩v x = fv⇩s⇩e⇩t (set ts)" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
           "fv⇩s⇩n⇩d x = {}" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩e⇩q ac x = {}" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩i⇩n⇩e⇩q x = {}" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv_r⇩e⇩q ac x = {}" "fv_r⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
    by auto
  hence **: "(P x = fv⇩s⇩e⇩t (set ts) ∧ P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)) ∨
             (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})"
    by (metis P)
  moreover
  { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
  moreover
  { assume "P x = fv⇩s⇩e⇩t (set ts)" "P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)"
    hence "fv⇩s⇩e⇩t (set ts) ⊆ wfrestrictedvars⇩s⇩t S ∪ V" using P_subset by auto
    hence "fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
      using subst_apply_fv_subset_strand_trm2[OF _ assms(3), of _ V] by fastforce
    hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)› by blast
  }
  ultimately show ?thesis by metis
next
  case (Equality ac' t t') show ?thesis
  proof (cases "ac' = ac")
    case True
    hence *: "fv⇩s⇩t⇩p x = fv t ∪ fv t'" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
             "fv⇩r⇩c⇩v x = {}" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩s⇩n⇩d x = {}" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩e⇩q ac x = fv t ∪ fv t'" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
             "fv⇩i⇩n⇩e⇩q x = {}" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv_r⇩e⇩q ac x = fv t'" "fv_r⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = fv (t' ⋅ δ)"
      using Equality by auto
    hence **: "(P x = fv t ∪ fv t' ∧ P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ))
              ∨ (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})
              ∨ (P x = fv t' ∧ P (x ⋅⇩s⇩t⇩p δ) = fv (t' ⋅ δ))"
      by (metis P)
    moreover
    { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
    moreover
    { assume "P x = fv t ∪ fv t'" "P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
      hence "fv t ⊆ wfrestrictedvars⇩s⇩t S ∪ V" "fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ V" using P_subset by auto
      hence "fv (t ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
            "fv (t' ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
        using P subst_apply_fv_subset_strand_trm2 assms by blast+
      hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)› by blast
    }
    moreover
    { assume "P x = fv t'" "P (x ⋅⇩s⇩t⇩p δ) = fv (t' ⋅ δ)"
      hence "fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ V" using P_subset by auto
      hence "fv (t' ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
        using P subst_apply_fv_subset_strand_trm2 assms by blast+
      hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv (t' ⋅ δ)› by blast
    }
    ultimately show ?thesis by metis
  next
    case False
    hence *: "fv⇩s⇩t⇩p x = fv t ∪ fv t'" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
             "fv⇩r⇩c⇩v x = {}" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩s⇩n⇩d x = {}" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩e⇩q ac x = {}" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv⇩i⇩n⇩e⇩q x = {}" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = {}"
             "fv_r⇩e⇩q ac x = {}" "fv_r⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
      using Equality by auto
    hence **: "(P x = fv t ∪ fv t' ∧ P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ))
              ∨ (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})
              ∨ (P x = fv t' ∧ P (x ⋅⇩s⇩t⇩p δ) = fv (t' ⋅ δ))"
      by (metis P)
    moreover
    { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
    moreover
    { assume "P x = fv t ∪ fv t'" "P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)"
      hence "fv t ⊆ wfrestrictedvars⇩s⇩t S ∪ V" "fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ V"
        using P_subset by auto
      hence "fv (t ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
            "fv (t' ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
        using P subst_apply_fv_subset_strand_trm2 assms by blast+
      hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv (t ⋅ δ) ∪ fv (t' ⋅ δ)› by blast
    }
    moreover
    { assume "P x = fv t'" "P (x ⋅⇩s⇩t⇩p δ) = fv (t' ⋅ δ)"
      hence "fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ V" using P_subset by auto
      hence "fv (t' ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
        using P subst_apply_fv_subset_strand_trm2 assms by blast+
      hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv (t' ⋅ δ)› by blast
    }
    ultimately show ?thesis by metis
  qed
next
  case (Inequality X F)
  hence *: "fv⇩s⇩t⇩p x = fv⇩p⇩a⇩i⇩r⇩s F - set X" "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X"
           "fv⇩r⇩c⇩v x = {}" "fv⇩r⇩c⇩v (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩s⇩n⇩d x = {}" "fv⇩s⇩n⇩d (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩e⇩q ac x = {}" "fv⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
           "fv⇩i⇩n⇩e⇩q x = fv⇩p⇩a⇩i⇩r⇩s F - set X" "fv⇩i⇩n⇩e⇩q (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X"
           "fv_r⇩e⇩q ac x = {}" "fv_r⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ) = {}"
    using δ(2) ineq_apply_subst[of δ X F] by force+
  hence **: "(P x = fv⇩p⇩a⇩i⇩r⇩s F - set X ∧ P (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X)
            ∨ (P x = {} ∧ P (x ⋅⇩s⇩t⇩p δ) = {})"
    by (metis P)
  moreover
  { assume "P x = {}" "P (x ⋅⇩s⇩t⇩p δ) = {}" hence ?thesis by simp }
  moreover
  { assume "P x = fv⇩p⇩a⇩i⇩r⇩s F - set X" "P (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X"
    hence "fv⇩p⇩a⇩i⇩r⇩s F - set X ⊆ wfrestrictedvars⇩s⇩t S ∪ V" using P_subset by auto
    hence "fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` (V ∪ set X))"
    proof (induction F)
      case (Cons f G)
      hence IH: "fv⇩p⇩a⇩i⇩r⇩s (G ⋅⇩p⇩a⇩i⇩r⇩s δ) ⊆wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` (V ∪ set X))"
        by (metis (no_types, lifting) Diff_subset_conv UN_insert le_sup_iff
                  list.simps(15) fv⇩p⇩a⇩i⇩r⇩s.simps)
      obtain t t' where f: "f = (t,t')" by (metis surj_pair)
      hence "fv t ⊆ wfrestrictedvars⇩s⇩t S ∪ (V ∪ set X)" "fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ (V ∪ set X)"
        using Cons.prems by auto
      hence "fv (t ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` (V ∪ set X))"
            "fv (t' ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` (V ∪ set X))"
        using subst_apply_fv_subset_strand_trm2[OF _ assms(3)] P
        by blast+
      thus ?case using f IH by (auto simp add: subst_apply_pairs_def)
    qed (simp add: subst_apply_pairs_def)
    moreover have "fv⇩s⇩e⇩t (δ ` set X) = set X" using assms(4) Inequality by force
    ultimately have "fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
      by fastforce
    hence ?thesis using ‹P (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ) - set X› by blast
  }
  ultimately show ?thesis by metis
qed

lemma strand_subst_fv_bounded_if_img_bounded:
  assumes "range_vars δ ⊆ fv⇩s⇩t S"
  shows "fv⇩s⇩t (S ⋅⇩s⇩t δ) ⊆ fv⇩s⇩t S"
using subst_sends_strand_fv_to_img[of S δ] assms by blast

lemma strand_fv_subst_subset_if_subst_elim:
  assumes "subst_elim δ v" and "v ∈ fv⇩s⇩t S ∨ bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "v ∉ fv⇩s⇩t (S ⋅⇩s⇩t δ)"
proof (cases "v ∈ fv⇩s⇩t S")
  case True thus ?thesis
  proof (induction S)
    case (Cons x S)
    have *: "v ∉ fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ)"
    using assms(1)
    proof (cases x)
      case (Inequality X F)
      hence "subst_elim (rm_vars (set X) δ) v ∨ v ∈ set X" using assms(1) by blast
      moreover have "fv⇩s⇩t⇩p (Inequality X F ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s rm_vars (set X) δ) - set X"
        using Inequality by auto
      ultimately have "v ∉ fv⇩s⇩t⇩p (Inequality X F ⋅⇩s⇩t⇩p δ)"
        by (induct F) (auto simp add: subst_elim_def subst_apply_pairs_def)
      thus ?thesis using Inequality by simp
    qed (simp_all add: subst_elim_def)
    moreover have "v ∉ fv⇩s⇩t (S ⋅⇩s⇩t δ)" using Cons.IH
    proof (cases "v ∈ fv⇩s⇩t S")
      case False
      moreover have "v ∉ range_vars δ"
        by (simp add: subst_elimD''[OF assms(1)] range_vars_alt_def) 
      ultimately show ?thesis by (meson UnE subsetCE subst_sends_strand_fv_to_img)
    qed simp
    ultimately show ?case by auto
  qed simp
next
  case False
  thus ?thesis
    using assms fv_strand_subst'
    unfolding subst_elim_def
    by (metis (mono_tags, opaque_lifting) fv⇩s⇩e⇩t.simps imageE mem_simps(8) eval_term.simps(1))
qed

lemma strand_fv_subst_subset_if_subst_elim':
  assumes "subst_elim δ v" "v ∈ fv⇩s⇩t S" "range_vars δ ⊆ fv⇩s⇩t S"
  shows "fv⇩s⇩t (S ⋅⇩s⇩t δ) ⊂ fv⇩s⇩t S"
using strand_fv_subst_subset_if_subst_elim[OF assms(1)] assms(2)
      strand_subst_fv_bounded_if_img_bounded[OF assms(3)]
by blast

lemma fv_ik_is_fv_rcv: "fv⇩s⇩e⇩t (ik⇩s⇩t S) = ⋃(set (map fv⇩r⇩c⇩v S))"
by (induct S rule: ik⇩s⇩t.induct) auto

lemma fv_ik_subset_fv_st[simp]: "fv⇩s⇩e⇩t (ik⇩s⇩t S) ⊆ wfrestrictedvars⇩s⇩t S"
by (induct S rule: ik⇩s⇩t.induct) auto

lemma fv_assignment_rhs_subset_fv_st[simp]: "fv⇩s⇩e⇩t (assignment_rhs⇩s⇩t S) ⊆ wfrestrictedvars⇩s⇩t S"
by (induct S rule: assignment_rhs⇩s⇩t.induct) force+

lemma fv_ik_subset_fv_st'[simp]: "fv⇩s⇩e⇩t (ik⇩s⇩t S) ⊆ fv⇩s⇩t S"
by (induct S rule: ik⇩s⇩t.induct) auto

lemma ik⇩s⇩t_var_is_fv: "Var x ∈ subterms⇩s⇩e⇩t (ik⇩s⇩t A) ⟹ x ∈ fv⇩s⇩t A"
by (meson fv_ik_subset_fv_st'[of A] fv_subset_subterms subsetCE term.set_intros(3))

lemma fv_assignment_rhs_subset_fv_st'[simp]: "fv⇩s⇩e⇩t (assignment_rhs⇩s⇩t S) ⊆ fv⇩s⇩t S"
by (induct S rule: assignment_rhs⇩s⇩t.induct) auto

lemma ik⇩s⇩t_assignment_rhs⇩s⇩t_wfrestrictedvars_subset:
  "fv⇩s⇩e⇩t (ik⇩s⇩t A ∪ assignment_rhs⇩s⇩t A) ⊆ wfrestrictedvars⇩s⇩t A"
using fv_ik_subset_fv_st[of A] fv_assignment_rhs_subset_fv_st[of A]
by simp+

lemma strand_step_id_subst[iff]: "x ⋅⇩s⇩t⇩p Var = x" by (cases x) auto

lemma strand_id_subst[iff]: "S ⋅⇩s⇩t Var = S" using strand_step_id_subst by (induct S) auto

lemma strand_subst_vars_union_bound[simp]: "vars⇩s⇩t (S ⋅⇩s⇩t δ) ⊆ vars⇩s⇩t S ∪ range_vars δ"
proof (induction S)
  case (Cons x S)
  moreover have "vars⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) ⊆ vars⇩s⇩t⇩p x ∪ range_vars δ" using subst_sends_fv_to_img[of _ δ]
  proof (cases x)
    case (Inequality X F)
    define δ' where "δ' ≡ rm_vars (set X) δ"
    have 0: "range_vars δ' ⊆ range_vars δ"
      using rm_vars_img[of "set X" δ]
      by (auto simp add: δ'_def subst_domain_def range_vars_alt_def)

    have "vars⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) = fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ') ∪ set X" "vars⇩s⇩t⇩p x = fv⇩p⇩a⇩i⇩r⇩s F ∪ set X"
      using Inequality by (auto simp add: δ'_def)
    moreover have "fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s δ') ⊆ fv⇩p⇩a⇩i⇩r⇩s F ∪ range_vars δ"
    proof (induction F)
      case (Cons f G)
      obtain t t' where f: "f = (t,t')" by atomize_elim auto
      hence "fv⇩p⇩a⇩i⇩r⇩s (f#G ⋅⇩p⇩a⇩i⇩r⇩s δ') = fv (t ⋅ δ') ∪ fv (t' ⋅ δ') ∪ fv⇩p⇩a⇩i⇩r⇩s (G ⋅⇩p⇩a⇩i⇩r⇩s δ')"
            "fv⇩p⇩a⇩i⇩r⇩s (f#G) = fv t ∪ fv t' ∪ fv⇩p⇩a⇩i⇩r⇩s G"
        by (auto simp add: subst_apply_pairs_def)
      thus ?case
        using 0 Cons.IH subst_sends_fv_to_img[of t δ'] subst_sends_fv_to_img[of t' δ']
        unfolding f by auto
    qed (simp add: subst_apply_pairs_def)
    ultimately show ?thesis by auto
  qed auto
  ultimately show ?case by auto
qed simp

lemma strand_vars_split:
  "vars⇩s⇩t (S@S') = vars⇩s⇩t S ∪ vars⇩s⇩t S'"
  "wfrestrictedvars⇩s⇩t (S@S') = wfrestrictedvars⇩s⇩t S ∪ wfrestrictedvars⇩s⇩t S'"
  "fv⇩s⇩t (S@S') = fv⇩s⇩t S ∪ fv⇩s⇩t S'"
by auto

lemma bvars_subst_ident: "bvars⇩s⇩t S = bvars⇩s⇩t (S ⋅⇩s⇩t δ)"
unfolding bvars⇩s⇩t_def
by (induct S) (simp_all add: subst_apply_strand_step_def split: strand_step.splits)

lemma strand_subst_subst_idem:
  assumes "subst_idem δ" "subst_domain δ ∪ range_vars δ ⊆ fv⇩s⇩t S" "subst_domain θ ∩ fv⇩s⇩t S = {}"
          "range_vars δ ∩ bvars⇩s⇩t S = {}" "range_vars θ ∩ bvars⇩s⇩t S = {}"
  shows "(S ⋅⇩s⇩t δ) ⋅⇩s⇩t θ = (S ⋅⇩s⇩t δ)"
  and   "(S ⋅⇩s⇩t δ) ⋅⇩s⇩t (θ ∘⇩s δ) = (S ⋅⇩s⇩t δ)"
proof -
  from assms(2,3) have "fv⇩s⇩t (S ⋅⇩s⇩t δ) ∩ subst_domain θ = {}"
    using subst_sends_strand_fv_to_img[of S δ] by blast
  thus "(S ⋅⇩s⇩t δ) ⋅⇩s⇩t θ = (S ⋅⇩s⇩t δ)" by blast
  thus "(S ⋅⇩s⇩t δ) ⋅⇩s⇩t (θ ∘⇩s δ) = (S ⋅⇩s⇩t δ)"
    by (metis assms(1,4,5) bvars_subst_ident strand_subst_comp subst_idem_def)
qed

lemma strand_subst_img_bound:
  assumes "subst_domain δ ∪ range_vars δ ⊆ fv⇩s⇩t S"
    and "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}"
  shows "range_vars δ ⊆ fv⇩s⇩t (S ⋅⇩s⇩t δ)"
proof -
  have "subst_domain δ ⊆ ⋃(set (map fv⇩s⇩t⇩p S))" by (metis (no_types) fv⇩s⇩t_def Un_subset_iff assms(1))
  thus ?thesis
    unfolding range_vars_alt_def fv⇩s⇩t_def
    by (metis subst_range.simps fv_set_mono fv_strand_subst Int_commute assms(2) image_Un
              le_iff_sup)
qed

lemma strand_subst_img_bound':
  assumes "subst_domain δ ∪ range_vars δ ⊆ vars⇩s⇩t S"
    and "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}"
  shows "range_vars δ ⊆ vars⇩s⇩t (S ⋅⇩s⇩t δ)"
proof -
  have "(subst_domain δ ∪ fv⇩s⇩e⇩t (δ ` subst_domain δ)) ∩ vars⇩s⇩t S =
        subst_domain δ ∪ fv⇩s⇩e⇩t (δ ` subst_domain δ)"
    using assms(1) by (metis inf.absorb_iff1 range_vars_alt_def subst_range.simps)
  hence "range_vars δ ⊆ fv⇩s⇩t (S ⋅⇩s⇩t δ)"
    using vars_snd_rcv_strand fv_snd_rcv_strand assms(2) strand_subst_img_bound
    unfolding range_vars_alt_def
    by (metis (no_types) inf_le2 inf_sup_distrib1 subst_range.simps sup_bot.right_neutral)
  thus "range_vars δ ⊆ vars⇩s⇩t (S ⋅⇩s⇩t δ)"
    by (metis fv_snd_rcv_strand le_supI1 vars_snd_rcv_strand)
qed

lemma strand_subst_all_fv_subset:
  assumes "fv t ⊆ fv⇩s⇩t S" "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}"
  shows "fv (t ⋅ δ) ⊆ fv⇩s⇩t (S ⋅⇩s⇩t δ)"
using assms by (metis fv_strand_subst' Int_commute subst_apply_fv_subset)

lemma strand_subst_not_dom_fixed:
  assumes "v ∈ fv⇩s⇩t S" and "v ∉ subst_domain δ"
  shows "v ∈ fv⇩s⇩t (S ⋅⇩s⇩t δ)"
using assms
proof (induction S)
  case (Cons x S')
  have 1: "⋀X. v ∉ subst_domain (rm_vars (set X) δ)"
    using Cons.prems(2) rm_vars_dom_subset by force
  
  show ?case
  proof (cases "v ∈ fv⇩s⇩t S'")
    case True thus ?thesis using Cons.IH[OF _ Cons.prems(2)] by auto
  next
    case False
    hence 2: "v ∈ fv⇩s⇩t⇩p x" using Cons.prems(1) by simp
    hence "v ∈ fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ)" using Cons.prems(2) subst_not_dom_fixed
    proof (cases x)
      case (Inequality X F)
      hence "v ∈ fv⇩p⇩a⇩i⇩r⇩s F - set X" using 2 by simp
      hence "v ∈ fv⇩p⇩a⇩i⇩r⇩s (F ⋅⇩p⇩a⇩i⇩r⇩s rm_vars (set X) δ)"
        using subst_not_dom_fixed[OF _ 1]
        by (induct F) (auto simp add: subst_apply_pairs_def)
      thus ?thesis using Inequality 2 by auto
    qed (force simp add: subst_domain_def)+
    thus ?thesis by auto
  qed
qed simp

lemma strand_vars_unfold: "v ∈ vars⇩s⇩t S ⟹ ∃S' x S''. S = S'@x#S'' ∧ v ∈ vars⇩s⇩t⇩p x"
proof (induction S)
  case (Cons x S) thus ?case
  proof (cases "v ∈ vars⇩s⇩t⇩p x")
    case True thus ?thesis by blast
  next
    case False
    hence "v ∈ vars⇩s⇩t S" using Cons.prems by auto
    thus ?thesis using Cons.IH by (metis append_Cons)
  qed
qed simp

lemma strand_fv_unfold: "v ∈ fv⇩s⇩t S ⟹ ∃S' x S''. S = S'@x#S'' ∧ v ∈ fv⇩s⇩t⇩p x"
proof (induction S)
  case (Cons x S) thus ?case
  proof (cases "v ∈ fv⇩s⇩t⇩p x")
    case True thus ?thesis by blast
  next
    case False
    hence "v ∈ fv⇩s⇩t S" using Cons.prems by auto
    thus ?thesis using Cons.IH by (metis append_Cons)
  qed
qed simp

lemma subterm_if_in_strand_ik:
  "t ∈ ik⇩s⇩t S ⟹ ∃ts. Receive ts ∈ set S ∧ t ⊑⇩s⇩e⇩t set ts"
by (induct S rule: ik⇩s⇩t_induct) auto

lemma fv_subset_if_in_strand_ik:
  "t ∈ ik⇩s⇩t S ⟹ fv t ⊆ ⋃(set (map fv⇩r⇩c⇩v S))"
proof -
  assume "t ∈ ik⇩s⇩t S"
  then obtain ts where "Receive ts ∈ set S" "t ⊑⇩s⇩e⇩t set ts" by (metis subterm_if_in_strand_ik)
  hence "fv t ⊆ fv⇩s⇩e⇩t (set ts)" using subtermeq_vars_subset by auto
  thus ?thesis using in_strand_fv_subset_rcv[OF ‹Receive ts ∈ set S›] by auto
qed

lemma fv_subset_if_in_strand_ik':
  "t ∈ ik⇩s⇩t S ⟹ fv t ⊆ fv⇩s⇩t S"
using fv_subset_if_in_strand_ik[of t S] fv_snd_rcv_strand_subset(2)[of S] by blast

lemma vars_subset_if_in_strand_ik2:
  "t ∈ ik⇩s⇩t S ⟹ fv t ⊆ wfrestrictedvars⇩s⇩t S"
using fv_subset_if_in_strand_ik[of t S] vars_snd_rcv_strand_subset2(2)[of S] by blast


subsection ‹Lemmata: Simple Strands›
lemma simple_Cons[dest]: "simple (s#S) ⟹ simple S"
unfolding simple_def by auto

lemma simple_split[dest]:
  assumes "simple (S@S')"
  shows "simple S" "simple S'"
using assms unfolding simple_def by auto

lemma simple_append[intro]: "⟦simple S; simple S'⟧ ⟹ simple (S@S')"
unfolding simple_def by auto

lemma simple_append_sym[sym]: "simple (S@S') ⟹ simple (S'@S)" by auto

lemma not_simple_if_snd_fun: "Fun f T ∈ set ts ⟹ S = S'@Send ts#S'' ⟹ ¬simple S"
by (metis simple_def list.set_cases list_all_append list_all_simps(1) simple⇩s⇩t⇩p.simps(5,6))

lemma not_list_all_elim: "¬list_all P A ⟹ ∃B x C. A = B@x#C ∧ ¬P x ∧ list_all P B"
proof (induction A rule: List.rev_induct)
  case (snoc a A)
  show ?case
  proof (cases "list_all P A")
    case True
    thus ?thesis using snoc.prems by auto
  next
    case False
    then obtain B x C where "A = B@x#C" "¬P x" "list_all P B" using snoc.IH[OF False] by auto
    thus ?thesis by auto
  qed
qed simp

lemma not_simple⇩s⇩t⇩p_elim:
  assumes "¬simple⇩s⇩t⇩p x"
  shows "(∃ts. x = Send ts ∧ (∄y. ts = [Var y])) ∨
         (∃a t t'. x = Equality a t t') ∨
         (∃X F. x = Inequality X F ∧ (∄ℐ. ineq_model ℐ X F))"
using assms by (cases x) (fastforce elim: simple⇩s⇩t⇩p.elims)+

lemma not_simple_elim:
  assumes "¬simple S"
  shows "(∃A B ts. S = A@Send ts#B ∧ (∄x. ts = [Var x]) ∧ simple A) ∨ 
         (∃A B a t t'. S = A@Equality a t t'#B ∧ simple A) ∨
         (∃A B X F. S = A@Inequality X F#B ∧ (∄ℐ. ineq_model ℐ X F) ∧ simple A)"
by (metis assms not_list_all_elim not_simple⇩s⇩t⇩p_elim simple_def)

lemma simple_snd_is_var: "⟦Send ts ∈ set S; simple S⟧ ⟹ ∃v. ts = [Var v]"
unfolding simple_def
by (metis list_all_append list_all_simps(1) simple⇩s⇩t⇩p.elims(2) split_list_first
          strand_step.distinct(1) strand_step.distinct(5) strand_step.inject(1)) 


subsection ‹Lemmata: Strand Measure›
lemma measure⇩s⇩t_wellfounded: "wf measure⇩s⇩t" unfolding measure⇩s⇩t_def by simp

lemma strand_size_append[iff]: "size⇩s⇩t (S@S') = size⇩s⇩t S + size⇩s⇩t S'"
by (induct S) (auto simp add: size⇩s⇩t_def)

lemma strand_size_map_fun_lt[simp]:
  "size⇩s⇩t (map Send1 X) < size (Fun f X)"
  "size⇩s⇩t (map Send1 X) < size⇩s⇩t [Send [Fun f X]]"
  "size⇩s⇩t (map Receive1 X) < size⇩s⇩t [Receive [Fun f X]]"
  "size⇩s⇩t [Send X] < size⇩s⇩t [Send [Fun f X]]"
  "size⇩s⇩t [Receive X] < size⇩s⇩t [Receive [Fun f X]]"
by (induct X) (auto simp add: size⇩s⇩t_def)

lemma strand_size_rm_fun_lt[simp]:
  "size⇩s⇩t (S@S') < size⇩s⇩t (S@Send ts#S')"
  "size⇩s⇩t (S@S') < size⇩s⇩t (S@Receive ts#S')"
by (induct S) (auto simp add: size⇩s⇩t_def)

lemma strand_fv_card_map_fun_eq:
  "card (fv⇩s⇩t (S@Send [Fun f X]#S')) = card (fv⇩s⇩t (S@(map Send1 X)@S'))"
proof -
  have "fv⇩s⇩t (S@Send [Fun f X]#S') = fv⇩s⇩t (S@(map Send1 X)@S')" by auto
  thus ?thesis by simp
qed

lemma strand_fv_card_rm_fun_le[simp]: "card (fv⇩s⇩t (S@S')) ≤ card (fv⇩s⇩t (S@Send [Fun f X]#S'))"
by (force intro: card_mono)

lemma strand_fv_card_rm_eq_le[simp]: "card (fv⇩s⇩t (S@S')) ≤ card (fv⇩s⇩t (S@Equality a t t'#S'))"
by (force intro: card_mono)


subsection ‹Lemmata: Well-formed Strands›
lemma wf_prefix[dest]: "wf⇩s⇩t V (S@S') ⟹ wf⇩s⇩t V S"
by (induct S rule: wf⇩s⇩t.induct) auto

lemma wf_vars_mono[simp]: "wf⇩s⇩t V S ⟹ wf⇩s⇩t (V ∪ W) S"
proof (induction S arbitrary: V)
  case (Cons x S) thus ?case
  proof (cases x)
    case (Send ts)
    hence "wf⇩s⇩t (V ∪ fv⇩s⇩e⇩t (set ts) ∪ W) S" using Cons.prems(1) Cons.IH by simp
    thus ?thesis by (metis Send sup_assoc sup_commute wf⇩s⇩t.simps(3))
  next
    case (Equality a t t')
    show ?thesis
    proof (cases a)
      case Assign
      hence "wf⇩s⇩t (V ∪ fv t ∪ W) S" "fv t' ⊆ V ∪ W" using Equality Cons.prems(1) Cons.IH by auto
      thus ?thesis using Equality Assign by (simp add: sup_commute sup_left_commute)
    next
      case Check thus ?thesis using Equality Cons by auto
    qed
  qed auto
qed simp

lemma wf⇩s⇩tI[intro]: "wfrestrictedvars⇩s⇩t S ⊆ V ⟹ wf⇩s⇩t V S"
proof (induction S)
  case (Cons x S) thus ?case
  proof (cases x)
    case (Send ts)
    hence "wf⇩s⇩t V S" "V ∪ fv⇩s⇩e⇩t (set ts) = V" using Cons by auto
    thus ?thesis using Send by simp
  next
    case (Equality a t t')
    show ?thesis
    proof (cases a)
      case Assign
      hence "wf⇩s⇩t V S" "fv t' ⊆ V" using Equality Cons by auto
      thus ?thesis using wf_vars_mono Equality Assign by simp
    next
      case Check thus ?thesis using Equality Cons by auto
    qed
  qed simp_all
qed simp

lemma wf⇩s⇩tI'[intro]: "⋃(fv⇩r⇩c⇩v ` set S) ∪ ⋃(fv_r⇩e⇩q assign ` set S) ⊆ V ⟹ wf⇩s⇩t V S"
proof (induction S)
  case (Cons x S) thus ?case
  proof (cases x)
    case (Equality a t t') thus ?thesis using Cons by (cases a) auto
  qed simp_all
qed simp

lemma wf_append_exec: "wf⇩s⇩t V (S@S') ⟹ wf⇩s⇩t (V ∪ wfvarsoccs⇩s⇩t S) S'"
proof (induction S arbitrary: V)
  case (Cons x S V) thus ?case
  proof (cases x)
    case (Send ts)
    hence "wf⇩s⇩t (V ∪ fv⇩s⇩e⇩t (set ts) ∪ wfvarsoccs⇩s⇩t S) S'" using Cons.prems Cons.IH by simp
    thus ?thesis using Send by (auto simp add: sup_assoc)
  next
    case (Equality a t t') show ?thesis
    proof (cases a)
      case Assign
      hence "wf⇩s⇩t (V ∪ fv t ∪ wfvarsoccs⇩s⇩t S) S'" using Equality Cons.prems Cons.IH by auto
      thus ?thesis using Equality Assign by (auto simp add: sup_assoc)
    next
      case Check
      hence "wf⇩s⇩t (V ∪ wfvarsoccs⇩s⇩t S) S'" using Equality Cons.prems Cons.IH by auto
      thus ?thesis using Equality Check by (auto simp add: sup_assoc)
    qed
  qed auto
qed simp

lemma wf_append_suffix:
  "wf⇩s⇩t V S ⟹ wfrestrictedvars⇩s⇩t S' ⊆ wfrestrictedvars⇩s⇩t S ∪ V ⟹ wf⇩s⇩t V (S@S')"
proof (induction V S rule: wf⇩s⇩t_induct)
  case (ConsSnd V ts S)
  hence *: "wf⇩s⇩t (V ∪ fv⇩s⇩e⇩t (set ts)) S" by simp_all
  hence "wfrestrictedvars⇩s⇩t S' ⊆ wfrestrictedvars⇩s⇩t S ∪ (V ∪ fv⇩s⇩e⇩t (set ts))"
    using ConsSnd.prems(2) by fastforce
  thus ?case using ConsSnd.IH * by simp
next
  case (ConsRcv V ts S)
  hence *: "fv⇩s⇩e⇩t (set ts) ⊆ V" "wf⇩s⇩t V S" by simp_all
  hence "wfrestrictedvars⇩s⇩t S' ⊆ wfrestrictedvars⇩s⇩t S ∪ V"
    using ConsRcv.prems(2) by fastforce
  thus ?case using ConsRcv.IH * by simp
next
  case (ConsEq V t t' S)
  hence *: "fv t' ⊆ V" "wf⇩s⇩t (V ∪ fv t) S" by simp_all
  moreover have "vars⇩s⇩t⇩p (Equality Assign t t') = fv t ∪ fv t'"
    by simp
  moreover have "wfrestrictedvars⇩s⇩t (Equality Assign t t'#S) = fv t ∪ fv t' ∪ wfrestrictedvars⇩s⇩t S"
    by auto
  ultimately have "wfrestrictedvars⇩s⇩t S' ⊆ wfrestrictedvars⇩s⇩t S ∪ (V ∪ fv t)"
    using ConsEq.prems(2) by blast
  thus ?case using ConsEq.IH * by simp
qed (simp_all add: wf⇩s⇩tI)

lemma wf_append_suffix':
  assumes "wf⇩s⇩t V S"
    and "⋃(fv⇩r⇩c⇩v ` set S') ∪ ⋃(fv_r⇩e⇩q assign ` set S') ⊆ wfvarsoccs⇩s⇩t S ∪ V"
  shows "wf⇩s⇩t V (S@S')"
using assms
proof (induction V S rule: wf⇩s⇩t_induct)
  case (ConsSnd V ts S)
  hence *: "wf⇩s⇩t (V ∪ fv⇩s⇩e⇩t (set ts)) S" by simp_all
  have "wfvarsoccs⇩s⇩t (send⟨ts⟩⇩s⇩t#S) = fv⇩s⇩e⇩t (set ts) ∪ wfvarsoccs⇩s⇩t S"
    unfolding wfvarsoccs⇩s⇩t_def by simp
  hence "(⋃a∈set S'. fv⇩r⇩c⇩v a) ∪ (⋃a∈set S'. fv_r⇩e⇩q assign a) ⊆ wfvarsoccs⇩s⇩t S ∪ (V ∪ fv⇩s⇩e⇩t (set ts))"
    using ConsSnd.prems(2) unfolding wfvarsoccs⇩s⇩t_def by auto
  thus ?case using ConsSnd.IH[OF *] by auto
next
  case (ConsEq V t t' S)
  hence *: "fv t' ⊆ V" "wf⇩s⇩t (V ∪ fv t) S" by simp_all
  have "wfvarsoccs⇩s⇩t (⟨assign: t ≐ t'⟩⇩s⇩t#S) = fv t ∪ wfvarsoccs⇩s⇩t S"
    unfolding wfvarsoccs⇩s⇩t_def by simp
  hence "(⋃a∈set S'. fv⇩r⇩c⇩v a) ∪ (⋃a∈set S'. fv_r⇩e⇩q assign a) ⊆ wfvarsoccs⇩s⇩t S ∪ (V ∪ fv t)"
    using ConsEq.prems(2) unfolding wfvarsoccs⇩s⇩t_def by auto
  thus ?case using ConsEq.IH[OF *(2)] *(1) by auto
qed (auto simp add: wf⇩s⇩tI')

lemma wf_send_compose: "wf⇩s⇩t V (S@(map Send1 X)@S') = wf⇩s⇩t V (S@Send1 (Fun f X)#S')"
proof (induction S arbitrary: V)
  case Nil thus ?case 
  proof (induction X arbitrary: V)
    case (Cons y Y) thus ?case by (simp add: sup_assoc)
  qed simp
next
  case (Cons s S) thus ?case
  proof (cases s)
    case (Equality ac t t') thus ?thesis using Cons by (cases ac) auto
  qed auto
qed

lemma wf_snd_append[iff]: "wf⇩s⇩t V (S@[Send t]) = wf⇩s⇩t V S"
by (induct S rule: wf⇩s⇩t.induct) simp_all

lemma wf_snd_append': "wf⇩s⇩t V S ⟹ wf⇩s⇩t V (Send t#S)"
by simp

lemma wf_rcv_append[dest]: "wf⇩s⇩t V (S@Receive t#S') ⟹ wf⇩s⇩t V (S@S')"
by (induct S rule: wf⇩s⇩t.induct) simp_all

lemma wf_rcv_append'[intro]:
  "⟦wf⇩s⇩t V (S@S'); fv⇩s⇩e⇩t (set ts) ⊆ wfrestrictedvars⇩s⇩t S ∪ V⟧ ⟹ wf⇩s⇩t V (S@Receive ts#S')"
proof (induction S rule: wf⇩s⇩t_induct)
  case (ConsRcv V t' S)
  hence "wf⇩s⇩t V (S@S')" "fv⇩s⇩e⇩t (set ts) ⊆ wfrestrictedvars⇩s⇩t S ∪ V" by (simp, fastforce)
  thus ?case using ConsRcv by auto
next
  case (ConsEq V t' t'' S)
  hence "fv t'' ⊆ V" by simp
  moreover have
      "wfrestrictedvars⇩s⇩t (Equality Assign t' t''#S) = fv t' ∪ fv t'' ∪ wfrestrictedvars⇩s⇩t S"
    by auto
  ultimately have "fv⇩s⇩e⇩t (set ts) ⊆ wfrestrictedvars⇩s⇩t S ∪ (V ∪ fv t')"
    using ConsEq.prems(2) by blast
  thus ?case using ConsEq by auto
qed auto

lemma wf_rcv_append''[intro]:
  "⟦wf⇩s⇩t V S; fv⇩s⇩e⇩t (set ts) ⊆ ⋃(set (map fv⇩s⇩n⇩d S))⟧ ⟹ wf⇩s⇩t V (S@[Receive ts])"
by (induct S)
   (simp, metis vars_snd_rcv_strand_subset2(1) append_Nil2 le_supI1 order_trans wf_rcv_append')

lemma wf_rcv_append'''[intro]:
  "⟦wf⇩s⇩t V S; fv⇩s⇩e⇩t (set ts) ⊆ wfrestrictedvars⇩s⇩t S ∪ V⟧ ⟹ wf⇩s⇩t V (S@[Receive ts])"
by (simp add: wf_rcv_append'[of _ _ "[]"])

lemma wf_eq_append[dest]:
  "wf⇩s⇩t V (S@Equality a t t'#S') ⟹ fv t ⊆ wfrestrictedvars⇩s⇩t S ∪ V ⟹ wf⇩s⇩t V (S@S')"
proof (induction S rule: wf⇩s⇩t_induct)
  case (Nil V)
  hence "wf⇩s⇩t (V ∪ fv t) S'" by (cases a) auto
  moreover have "V ∪ fv t = V" using Nil by auto
  ultimately show ?case by simp
next
  case (ConsRcv V us S)
  hence "wf⇩s⇩t V (S @ Equality a t t' # S')" "fv t ⊆ wfrestrictedvars⇩s⇩t S ∪ V" "fv⇩s⇩e⇩t (set us) ⊆ V"
    by fastforce+
  hence "wf⇩s⇩t V (S@S')" using ConsRcv.IH by auto
  thus ?case using ‹fv⇩s⇩e⇩t (set us) ⊆ V› by simp
next
  case (ConsEq V u u' S)
  hence "wf⇩s⇩t (V ∪ fv u) (S@Equality a t t'#S')" "fv t ⊆ wfrestrictedvars⇩s⇩t S ∪ (V ∪ fv u)" "fv u' ⊆ V"
    by auto
  hence "wf⇩s⇩t (V ∪ fv u) (S@S')" using ConsEq.IH by auto
  thus ?case using ‹fv u' ⊆ V› by simp
qed auto

lemma wf_eq_append'[intro]:
  "⟦wf⇩s⇩t V (S@S'); fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ V⟧ ⟹ wf⇩s⇩t V (S@Equality a t t'#S')"
proof (induction S rule: wf⇩s⇩t_induct)
  case Nil thus ?case by (cases a) auto
next
  case (ConsEq V u u' S)
  hence "wf⇩s⇩t (V ∪ fv u) (S@S')" "fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ V ∪ fv u"
    by fastforce+
  thus ?case using ConsEq by auto
next
  case (ConsEq2 V u u' S)
  hence "wf⇩s⇩t V (S@S')" by auto
  thus ?case using ConsEq2 by auto
next
  case (ConsRcv V u S)
  hence "wf⇩s⇩t V (S@S')" "fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ V"
    by fastforce+
  thus ?case using ConsRcv by auto
next
  case (ConsSnd V us S)
  hence "wf⇩s⇩t (V ∪ fv⇩s⇩e⇩t (set us)) (S@S')" "fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ (V ∪ fv⇩s⇩e⇩t (set us))"
    by fastforce+
  thus ?case using ConsSnd by auto
qed auto

lemma wf_eq_append''[intro]:
  "⟦wf⇩s⇩t V (S@S'); fv t' ⊆ wfvarsoccs⇩s⇩t S ∪ V⟧ ⟹ wf⇩s⇩t V (S@[Equality a t t']@S')"
proof (induction S rule: wf⇩s⇩t_induct)
  case Nil thus ?case by (cases a) auto
next
  case (ConsEq V u u' S)
  hence "wf⇩s⇩t (V ∪ fv u) (S@S')" "fv t' ⊆ wfvarsoccs⇩s⇩t S ∪ V ∪ fv u" by fastforce+
  thus ?case using ConsEq by auto
next
  case (ConsEq2 V u u' S)
  hence "wf⇩s⇩t (V ∪ fv u) (S@S')" "fv t' ⊆ wfvarsoccs⇩s⇩t S ∪ V ∪ fv u" by fastforce+
  thus ?case using ConsEq2 by auto
next
  case (ConsRcv V u S)
  hence "wf⇩s⇩t V (S@S')" "fv t' ⊆ wfvarsoccs⇩s⇩t S ∪ V" by fastforce+
  thus ?case using ConsRcv by auto
next
  case (ConsSnd V us S)
  hence "wf⇩s⇩t (V ∪ fv⇩s⇩e⇩t (set us)) (S@S')" "fv t' ⊆ wfvarsoccs⇩s⇩t S ∪ (V ∪ fv⇩s⇩e⇩t (set us))" by auto
  thus ?case using ConsSnd by auto
qed auto

lemma wf_eq_append'''[intro]:
  "⟦wf⇩s⇩t V S; fv t' ⊆ wfrestrictedvars⇩s⇩t S ∪ V⟧ ⟹ wf⇩s⇩t V (S@[Equality a t t'])"
by (simp add: wf_eq_append'[of _ _ "[]"])

lemma wf_eq_check_append[dest]: "wf⇩s⇩t V (S@Equality Check t t'#S') ⟹ wf⇩s⇩t V (S@S')"
by (induct S rule: wf⇩s⇩t.induct) simp_all

lemma wf_eq_check_append'[intro]: "wf⇩s⇩t V (S@S') ⟹ wf⇩s⇩t V (S@Equality Check t t'#S')"
by (induct S rule: wf⇩s⇩t.induct) auto

lemma wf_eq_check_append''[intro]: "wf⇩s⇩t V S ⟹ wf⇩s⇩t V (S@[Equality Check t t'])"
by (induct S rule: wf⇩s⇩t.induct) auto

lemma wf_ineq_append[dest]: "wf⇩s⇩t V (S@Inequality X F#S') ⟹ wf⇩s⇩t V (S@S')"
by (induct S rule: wf⇩s⇩t.induct) simp_all

lemma wf_ineq_append'[intro]: "wf⇩s⇩t V (S@S') ⟹ wf⇩s⇩t V (S@Inequality X F#S')"
by (induct S rule: wf⇩s⇩t.induct) auto

lemma wf_ineq_append''[intro]: "wf⇩s⇩t V S ⟹ wf⇩s⇩t V (S@[Inequality X F])"
by (induct S rule: wf⇩s⇩t.induct) auto

lemma wf_Receive1_prefix:
  assumes "wf⇩s⇩t X S"
    and "fv⇩s⇩e⇩t (set ts) ⊆ X"
  shows "wf⇩s⇩t X (map Receive1 ts@S)"
using assms by (induct ts) simp_all

lemma wf_Send1_prefix:
  assumes "wf⇩s⇩t (X ∪ fv⇩s⇩e⇩t (set ts)) S"
  shows "wf⇩s⇩t X (map Send1 ts@S)"
using assms by (induct ts arbitrary: X) (simp, force simp add: Un_assoc)

lemma wf_rcv_fv_single[elim]: "wf⇩s⇩t V (Receive ts#S') ⟹ fv⇩s⇩e⇩t (set ts) ⊆ V"
by simp

lemma wf_rcv_fv: "wf⇩s⇩t V (S@Receive ts#S') ⟹ fv⇩s⇩e⇩t (set ts) ⊆ wfvarsoccs⇩s⇩t S ∪ V"
proof (induction S arbitrary: V)
  case (Cons a S) thus ?case by (cases a) (auto split!: poscheckvariant.split)
qed simp

lemma wf_eq_fv: "wf⇩s⇩t V (S@Equality Assign t t'#S') ⟹ fv t' ⊆ wfvarsoccs⇩s⇩t S ∪ V"
proof (induction S arbitrary: V)
  case (Cons a S) thus ?case by (cases a) (auto split!: poscheckvariant.split)
qed simp

lemma wf_simple_fv_occurrence:
  assumes "wf⇩s⇩t {} S" "simple S" "v ∈ wfrestrictedvars⇩s⇩t S"
  shows "∃S⇩p⇩r⇩e S⇩s⇩u⇩f. S = S⇩p⇩r⇩e@Send [Var v]#S⇩s⇩u⇩f ∧ v ∉ wfrestrictedvars⇩s⇩t S⇩p⇩r⇩e"
using assms
proof (induction S rule: List.rev_induct)
  case (snoc x S)
  from ‹wf⇩s⇩t {} (S@[x])› have "wf⇩s⇩t {} S" "wf⇩s⇩t (wfrestrictedvars⇩s⇩t S) [x]"
    using wf_append_exec[THEN wf_vars_mono, of "{}" S "[x]" "wfrestrictedvars⇩s⇩t S - wfvarsoccs⇩s⇩t S"]
          vars_snd_rcv_strand_subset2(4)[of S]
          Diff_partition[of "wfvarsoccs⇩s⇩t S" "wfrestrictedvars⇩s⇩t S"]
    by auto
  from ‹simple (S@[x])› have "simple S" "simple⇩s⇩t⇩p x" unfolding simple_def by auto

  show ?case
  proof (cases "v ∈ wfrestrictedvars⇩s⇩t S")
    case False
    show ?thesis
    proof (cases x)
      case (Receive ts)
      hence "fv⇩s⇩e⇩t (set ts) ⊆ wfrestrictedvars⇩s⇩t S" using ‹wf⇩s⇩t (wfrestrictedvars⇩s⇩t S) [x]› by simp
      hence "v ∈ wfrestrictedvars⇩s⇩t S"
        using ‹v ∈ wfrestrictedvars⇩s⇩t (S@[x])› ‹x = Receive ts›
        by auto
      thus ?thesis using ‹x = Receive ts› snoc.IH[OF ‹wf⇩s⇩t {} S› ‹simple S›] by fastforce
    next
      case (Send ts)
      hence "v ∈ vars⇩s⇩t⇩p x" using ‹v ∈ wfrestrictedvars⇩s⇩t (S@[x])› False by auto
      from Send obtain w where "ts = [Var w]" using ‹simple⇩s⇩t⇩p x›
        by (cases ts) (simp, metis in_set_conv_decomp simple_snd_is_var snoc.prems(2))
      hence "v = w" using ‹x = Send ts› ‹v ∈ vars⇩s⇩t⇩p x› by simp
      thus ?thesis using ‹x = Send ts› ‹v ∉ wfrestrictedvars⇩s⇩t S› ‹ts = [Var w]› by auto
    next
      case (Equality ac t t') thus ?thesis using snoc.prems(2) unfolding simple_def by auto
    next
      case (Inequality t t') thus ?thesis using False snoc.prems(3) by auto
    qed
  qed (use snoc.IH[OF ‹wf⇩s⇩t {} S› ‹simple S›] in fastforce)
qed simp

lemma Unifier_strand_fv_subset:
  assumes g_in_ik: "t ∈ ik⇩s⇩t S"
  and δ: "Unifier δ (Fun f X) t"
  and disj: "bvars⇩s⇩t S ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "fv (Fun f X ⋅ δ) ⊆ ⋃(set (map fv⇩r⇩c⇩v (S ⋅⇩s⇩t δ)))"
by (metis (no_types) fv_subset_if_in_strand_ik[OF g_in_ik]
          disj δ fv_strand_subst subst_apply_fv_subset)

lemma wf⇩s⇩t_induct'[consumes 1, case_names Nil ConsSnd ConsRcv ConsEq ConsEq2 ConsIneq]:
  fixes S::"('a,'b) strand"
  assumes "wf⇩s⇩t V S"
          "P []"
          "⋀ts S. ⟦wf⇩s⇩t V S; P S⟧ ⟹ P (S@[Send ts])"
          "⋀ts S. ⟦wf⇩s⇩t V S; P S; fv⇩s⇩e⇩t (set ts) ⊆ V ∪ wfvarsoccs⇩s⇩t S⟧ ⟹ P (S@[Receive ts])"
          "⋀t t' S. ⟦wf⇩s⇩t V S; P S; fv t' ⊆ V ∪ wfvarsoccs⇩s⇩t S⟧ ⟹ P (S@[Equality Assign t t'])"
          "⋀t t' S. ⟦wf⇩s⇩t V S; P S⟧ ⟹ P (S@[Equality Check t t'])"
          "⋀X F S. ⟦wf⇩s⇩t V S; P S⟧ ⟹ P (S@[Inequality X F])"
  shows "P S"
using assms
proof (induction S rule: List.rev_induct)
  case (snoc x S)
  hence *: "wf⇩s⇩t V S" "wf⇩s⇩t (V ∪ wfvarsoccs⇩s⇩t S) [x]" by (metis wf_prefix, metis wf_append_exec)
  have IH: "P S" using snoc.IH[OF *(1)] snoc.prems by auto
  note ** = snoc.prems(3,4,5,6,7)[OF *(1) IH] *(2)
  show ?case using **(1,2,4,5,6)
  proof (cases x)
    case (Equality ac t t')
    then show ?thesis using **(3,4,6) by (cases ac) auto
  qed auto
qed simp

lemma wf_subst_apply:
  "wf⇩s⇩t V S ⟹ wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) (S ⋅⇩s⇩t δ)"
proof (induction S arbitrary: V rule: wf⇩s⇩t_induct)
  case (ConsRcv V ts S)
  hence "wf⇩s⇩t V S" "fv⇩s⇩e⇩t (set ts) ⊆ V" by simp_all
  hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) (S ⋅⇩s⇩t δ)" "fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ) ⊆ fv⇩s⇩e⇩t (δ ` V)"
    using ConsRcv.IH subst_apply_fv_subset by (simp, force)
  thus ?case by simp
next
  case (ConsSnd V ts S)
  hence "wf⇩s⇩t (V ∪ fv⇩s⇩e⇩t (set ts)) S" by simp
  hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` (V ∪ fv⇩s⇩e⇩t (set ts)))) (S ⋅⇩s⇩t δ)" using ConsSnd.IH by metis
  hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V) ∪ fv⇩s⇩e⇩t (δ ` fv⇩s⇩e⇩t (set ts))) (S ⋅⇩s⇩t δ)" by simp
  hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V) ∪ fv⇩s⇩e⇩t (set ts ⋅⇩s⇩e⇩t δ)) (S ⋅⇩s⇩t δ)" by (metis subst_apply_fv_unfold_set)
  thus ?case by simp
next
  case (ConsEq V t t' S)
  hence "wf⇩s⇩t (V ∪ fv t) S" "fv t' ⊆ V" by auto
  hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` (V ∪ fv t))) (S ⋅⇩s⇩t δ)" and *: "fv (t' ⋅ δ) ⊆ fv⇩s⇩e⇩t (δ ` V)"
    using ConsEq.IH subst_apply_fv_subset by force+
  hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V) ∪ fv (t ⋅ δ)) (S ⋅⇩s⇩t δ)" using subst_apply_fv_union by metis
  thus ?case using * by simp
qed simp_all

lemma wf_unify:
  assumes wf: "wf⇩s⇩t V (S@Send [Fun f X]#S')"
  and g_in_ik: "t ∈ ik⇩s⇩t S"
  and δ: "Unifier δ (Fun f X) t"
  and disj: "bvars⇩s⇩t (S@Send [Fun f X]#S') ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) ((S@S') ⋅⇩s⇩t δ)"
using assms
proof (induction S' arbitrary: V rule: List.rev_induct)
  case (snoc x S' V)
  have fun_fv_bound: "fv (Fun f X ⋅ δ) ⊆ ⋃(set (map fv⇩r⇩c⇩v (S ⋅⇩s⇩t δ)))"
    using snoc.prems(4) bvars⇩s⇩t_split Unifier_strand_fv_subset[OF g_in_ik δ] by auto
  hence "fv (Fun f X ⋅ δ) ⊆ fv⇩s⇩e⇩t (ik⇩s⇩t (S ⋅⇩s⇩t δ))" using fv_ik_is_fv_rcv by metis
  hence "fv (Fun f X ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t (S ⋅⇩s⇩t δ)" using fv_ik_subset_fv_st[of "S ⋅⇩s⇩t δ"] by blast
  hence *: "fv ((Fun f X) ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)" by fastforce

  from snoc.prems(1) have "wf⇩s⇩t V (S@Send [Fun f X]#S')"
    using wf_prefix[of V "S@Send [Fun f X]#S'" "[x]"] by simp
  hence **: "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) ((S@S') ⋅⇩s⇩t δ)"
    using snoc.IH[OF _ snoc.prems(2,3)] snoc.prems(4) by auto

  from snoc.prems(1) have ***: "wf⇩s⇩t (V ∪ wfvarsoccs⇩s⇩t (S@Send [Fun f X]#S')) [x]"
    using wf_append_exec[of V "(S@Send [Fun f X]#S')" "[x]"] by simp

  from snoc.prems(4) have disj':
      "bvars⇩s⇩t (S@S') ∩ (subst_domain δ ∪ range_vars δ) = {}"
      "set (bvars⇩s⇩t⇩p x) ∩ (subst_domain δ ∪ range_vars δ) = {}"
    by auto

  show ?case
  proof (cases x)
    case (Send t)
    thus ?thesis using wf_snd_append[of "fv⇩s⇩e⇩t (δ ` V)" "(S@S') ⋅⇩s⇩t δ"] ** by auto
  next
    case (Receive t)
    hence "fv⇩s⇩t⇩p x ⊆ V ∪ wfvarsoccs⇩s⇩t (S@Send [Fun f X]#S')" using *** by auto
    hence "fv⇩s⇩t⇩p x ⊆ V ∪ wfrestrictedvars⇩s⇩t (S@Send [Fun f X]#S')"
      using vars_snd_rcv_strand_subset2(4)[of "S@Send [Fun f X]#S'"] by blast
    hence "fv⇩s⇩t⇩p x ⊆ V ∪ fv (Fun f X) ∪ wfrestrictedvars⇩s⇩t (S@S')" by auto
    hence "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ fv ((Fun f X) ⋅ δ) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)"
      by (metis (no_types) inf_sup_aci(5) subst_apply_fv_subset_strand2 subst_apply_fv_union disj')
    hence "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)" using * by blast
    hence "fv⇩s⇩e⇩t (set t ⋅⇩s⇩e⇩t δ) ⊆ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V) "
      using ‹x = Receive t› by auto
    hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) (((S@S') ⋅⇩s⇩t δ)@[Receive (t ⋅⇩l⇩i⇩s⇩t δ)])"
      using wf_rcv_append'''[OF **, of "t ⋅⇩l⇩i⇩s⇩t δ"] by simp
    thus ?thesis using ‹x = Receive t› by auto
  next
    case (Equality ac s s') show ?thesis
    proof (cases ac)
      case Assign
      hence "fv s' ⊆ V ∪ wfvarsoccs⇩s⇩t (S@Send [Fun f X]#S')" using Equality *** by auto
      hence "fv s' ⊆ V ∪ wfrestrictedvars⇩s⇩t (S@Send [Fun f X]#S')"
        using vars_snd_rcv_strand_subset2(4)[of "S@Send [Fun f X]#S'"] by blast
      hence "fv s' ⊆ V ∪ fv (Fun f X) ∪ wfrestrictedvars⇩s⇩t (S@S')" by auto
      moreover have "fv s' = fv_r⇩e⇩q ac x" "fv (s' ⋅ δ) = fv_r⇩e⇩q ac (x ⋅⇩s⇩t⇩p δ)"
        using Equality by simp_all
      ultimately have "fv (s' ⋅ δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ fv (Fun f X ⋅ δ) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)"
        using subst_apply_fv_subset_strand2[of "fv⇩e⇩q ac" ac x]
        by (metis disj'(1) subst_apply_fv_subset_strand_trm2 subst_apply_fv_union sup_commute)
      hence "fv (s' ⋅ δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)" using * by blast
      hence "fv (s' ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
        using ‹x = Equality ac s s'› by auto
      hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) (((S@S') ⋅⇩s⇩t δ)@[Equality ac (s ⋅ δ) (s' ⋅ δ)])"
        using wf_eq_append'''[OF **] by metis
      thus ?thesis using ‹x = Equality ac s s'› by auto
    next
      case Check thus ?thesis using wf_eq_check_append''[OF **] Equality by simp
    qed
  next
    case (Inequality t t') thus ?thesis using wf_ineq_append''[OF **] by simp
  qed
qed (auto dest: wf_subst_apply)

lemma wf_equality:
  assumes wf: "wf⇩s⇩t V (S@Equality ac t t'#S')"
  and δ: "mgu t t' = Some δ"
  and disj: "bvars⇩s⇩t (S@Equality ac t t'#S') ∩ (subst_domain δ ∪ range_vars δ) = {}"
  shows "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) ((S@S') ⋅⇩s⇩t δ)"
using assms
proof (induction S' arbitrary: V rule: List.rev_induct)
  case Nil thus ?case using wf_prefix[of V S "[Equality ac t t']"] wf_subst_apply[of V S δ] by auto
next
  case (snoc x S' V) show ?case
  proof (cases ac)
    case Assign
    hence "fv t' ⊆ V ∪ wfvarsoccs⇩s⇩t S"
      using wf_eq_fv[of V, of S t t' "S'@[x]"] snoc by auto
    hence "fv t' ⊆ V ∪ wfrestrictedvars⇩s⇩t S"
      using vars_snd_rcv_strand_subset2(4)[of S] by blast
    hence "fv t' ⊆ V ∪ wfrestrictedvars⇩s⇩t (S@S')" by force
    moreover have disj':
        "bvars⇩s⇩t (S@S') ∩ (subst_domain δ ∪ range_vars δ) = {}"
        "set (bvars⇩s⇩t⇩p x) ∩ (subst_domain δ ∪ range_vars δ) = {}"
        "bvars⇩s⇩t (S@Equality ac t t'#S') ∩ (subst_domain δ ∪ range_vars δ) = {}"
      using snoc.prems(3) by auto
    ultimately have
        "fv (t' ⋅ δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)"
      by (metis inf_sup_aci(5) subst_apply_fv_subset_strand_trm2)
    moreover have "fv (t ⋅ δ) = fv (t' ⋅ δ)"
      by (metis MGU_is_Unifier[OF mgu_gives_MGU[OF δ]])
    ultimately have *:
        "fv (t ⋅ δ) ∪ fv (t' ⋅ δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)"
      by simp
  
    from snoc.prems(1) have "wf⇩s⇩t V (S@Equality ac t t'#S')"
      using wf_prefix[of V "S@Equality ac t t'#S'"] by simp
    hence **: "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) ((S@S') ⋅⇩s⇩t δ)" by (metis snoc.IH δ disj'(3))
  
    from snoc.prems(1) have ***: "wf⇩s⇩t (V ∪ wfvarsoccs⇩s⇩t (S@Equality ac t t'#S')) [x]"
      using wf_append_exec[of V "(S@Equality ac t t'#S')" "[x]"] by simp
  
    show ?thesis
    proof (cases x)
      case (Send t)
      thus ?thesis using wf_snd_append[of "fv⇩s⇩e⇩t (δ ` V)" "(S@S') ⋅⇩s⇩t δ"] ** by auto
    next
      case (Receive s)
      hence "fv⇩s⇩t⇩p x ⊆ V ∪ wfvarsoccs⇩s⇩t (S@Equality ac t t'#S')" using *** by auto
      hence "fv⇩s⇩t⇩p x ⊆ V ∪ wfrestrictedvars⇩s⇩t (S@Equality ac t t'#S')"
        using vars_snd_rcv_strand_subset2(4)[of "S@Equality ac t t'#S'"] by blast
      hence "fv⇩s⇩t⇩p x ⊆ V ∪ fv t ∪ fv t' ∪ wfrestrictedvars⇩s⇩t (S@S')"
        by (cases ac) auto
      hence "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ fv (t ⋅ δ) ∪ fv (t' ⋅ δ) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)"
        using subst_apply_fv_subset_strand2[of fv⇩s⇩t⇩p]
        by (metis (no_types) inf_sup_aci(5) subst_apply_fv_union disj'(1,2))
      hence "fv⇩s⇩t⇩p (x ⋅⇩s⇩t⇩p δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)"
        when "ac = Assign"
        using * that by blast
      hence "fv⇩s⇩e⇩t (set s ⋅⇩s⇩e⇩t δ) ⊆ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ) ∪ (fv⇩s⇩e⇩t (δ ` V))"
        when "ac = Assign"
        using ‹x = Receive s› that by auto
      hence "wf⇩s⇩t (fv⇩s⇩e⇩t (δ ` V)) (((S@S') ⋅⇩s⇩t δ)@[Receive (s ⋅⇩l⇩i⇩s⇩t δ)])"
        when "ac = Assign"
        using wf_rcv_append'''[OF **, of "s ⋅⇩l⇩i⇩s⇩t δ"] that by simp
      thus ?thesis using ‹x = Receive s› Assign by auto
    next
      case (Equality ac' s s') show ?thesis
      proof (cases ac')
        case Assign
        hence "fv s' ⊆ V ∪ wfvarsoccs⇩s⇩t (S@Equality ac t t'#S')" using *** Equality by auto
        hence "fv s' ⊆ V ∪ wfrestrictedvars⇩s⇩t (S@Equality ac t t'#S')"
          using vars_snd_rcv_strand_subset2(4)[of "S@Equality ac t t'#S'"] by blast
        hence "fv s' ⊆ V ∪ fv t ∪ fv t' ∪ wfrestrictedvars⇩s⇩t (S@S')"
          by (cases ac) auto
        moreover have "fv s' = fv_r⇩e⇩q ac' x" "fv (s' ⋅ δ) = fv_r⇩e⇩q ac' (x ⋅⇩s⇩t⇩p δ)"
          using Equality by simp_all
        ultimately have
            "fv (s' ⋅ δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ fv (t ⋅ δ) ∪ fv (t' ⋅ δ) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)"
          using subst_apply_fv_subset_strand2[of "fv_r⇩e⇩q ac'" ac' x]
          by (metis disj'(1) subst_apply_fv_subset_strand_trm2 subst_apply_fv_union sup_commute)
        hence "fv (s' ⋅ δ) ⊆ fv⇩s⇩e⇩t (δ ` V) ∪ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ)"
          using * ‹ac = Assign› by blast
        hence ****:
            "fv (s' ⋅ δ) ⊆ wfrestrictedvars⇩s⇩t ((S@S') ⋅⇩s⇩t δ) ∪ fv⇩s⇩e⇩t (δ ` V)"
          using ‹x = Equality ac' s s'› ‹ac = Assign› by auto
        thus ?thesis
          using ‹x = Equality ac' s s'› ** **** wf_eq_append' ‹ac = Assign›
          by (metis (no_types, lifting) append.assoc append_Nil2 strand_step.case(3)
                strand_subst_hom subst_apply_strand_step_def)
      next
        case Check thus ?thesis using wf_eq_check_append''[OF **] Equality by simp
      qed
    next
      case (Inequality s s') thus ?thesis using wf_ineq_append''[OF **] by simp
    qed
  qed (metis snoc.prems(1) wf_eq_check_append wf_subst_apply)
qed

lemma wf_rcv_prefix_ground:
  "wf⇩s⇩t {} ((map Receive M)@S) ⟹ vars⇩s⇩t (map Receive M) = {}"
by (induct M) auto

lemma simple_wfvarsoccs⇩s⇩t_is_fv⇩s⇩n⇩d:
  assumes "simple S"
  shows "wfvarsoccs⇩s⇩t S = ⋃(set (map fv⇩s⇩n⇩d S))"
using assms unfolding simple_def
proof (induction S)
  case (Cons x S) thus ?case by (cases x) auto
qed simp

lemma wf⇩s⇩t_simple_induct[consumes 2, case_names Nil ConsSnd ConsRcv ConsIneq]:
  fixes S::"('a,'b) strand"
  assumes "wf⇩s⇩t V S" "simple S"
          "P []"
          "⋀v S. ⟦wf⇩s⇩t V S; simple S; P S⟧ ⟹ P (S@[Send [Var v]])"
          "⋀ts S. ⟦wf⇩s⇩t V S; simple S; P S; fv⇩s⇩e⇩t (set ts) ⊆ V ∪ ⋃(set (map fv⇩s⇩n⇩d S))⟧ ⟹ P (S@[Receive ts])"
          "⋀X F S. ⟦wf⇩s⇩t V S; simple S; P S⟧ ⟹ P (S@[Inequality X F])"
  shows "P S"
using assms
proof (induction S rule: wf⇩s⇩t_induct')
  case (ConsSnd t S)
  hence "P S" by auto
  obtain v where "t = [Var v]" using simple_snd_is_var[OF _ ‹simple (S@[Send t])›] by auto
  thus ?case using ConsSnd.prems(3)[OF ‹wf⇩s⇩t V S› _ ‹P S›] ‹simple (S@[Send t])› by auto
next
  case (ConsRcv t S) thus ?case using simple_wfvarsoccs⇩s⇩t_is_fv⇩s⇩n⇩d[of "S@[Receive t]"] by auto
qed (auto simp add: simple_def)

lemma wf_trm_stp_dom_fv_disjoint:
  "⟦wf⇩c⇩o⇩n⇩s⇩t⇩r S θ; t ∈ trms⇩s⇩t S⟧ ⟹ subst_domain θ ∩ fv t = {}"
unfolding wf⇩c⇩o⇩n⇩s⇩t⇩r_def by force

lemma wf_constr_bvars_disj: "wf⇩c⇩o⇩n⇩s⇩t⇩r S θ ⟹ (subst_domain θ ∪ range_vars θ) ∩ bvars⇩s⇩t S = {}"
unfolding range_vars_alt_def wf⇩c⇩o⇩n⇩s⇩t⇩r_def by fastforce

lemma wf_constr_bvars_disj':
  assumes "wf⇩c⇩o⇩n⇩s⇩t⇩r S θ" "subst_domain δ ∪ range_vars δ ⊆ fv⇩s⇩t S"
  shows "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}" (is ?A)
  and "(subst_domain θ ∪ range_vars θ) ∩ bvars⇩s⇩t (S ⋅⇩s⇩t δ) = {}" (is ?B)
proof -
  have "(subst_domain θ ∪ range_vars θ) ∩ bvars⇩s⇩t S = {}" "fv⇩s⇩t S ∩ bvars⇩s⇩t S = {}"
    using assms(1) unfolding range_vars_alt_def wf⇩c⇩o⇩n⇩s⇩t⇩r_def by fastforce+
  thus ?A and ?B using assms(2) bvars_subst_ident[of S δ] by blast+
qed

lemma (in intruder_model) wf_simple_strand_first_Send_var_split:
  assumes "wf⇩s⇩t {} S" "simple S" "∃v ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ = ℐ v"
  shows "∃v S⇩p⇩r⇩e S⇩s⇩u⇩f. S = S⇩p⇩r⇩e@Send [Var v]#S⇩s⇩u⇩f ∧ t ⋅ ℐ = ℐ v
                      ∧ ¬(∃w ∈ wfrestrictedvars⇩s⇩t S⇩p⇩r⇩e. t ⋅ ℐ = ℐ w)"
    (is "?P S")
using assms
proof (induction S rule: wf⇩s⇩t_simple_induct)
  case (ConsSnd v S) show ?case
  proof (cases "∃w ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ = ℐ w")
    case True thus ?thesis using ConsSnd.IH by fastforce
  next
    case False thus ?thesis using ConsSnd.prems by auto
  qed
next
  case (ConsRcv t' S)
  have "fv⇩s⇩e⇩t (set t') ⊆ wfrestrictedvars⇩s⇩t S"
    using ConsRcv.hyps(3) vars_snd_rcv_strand_subset2(1) by force
  hence "∃v ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ = ℐ v"
    using ConsRcv.prems(1) by fastforce
  hence "?P S" by (metis ConsRcv.IH)
  thus ?case by fastforce 
next
  case (ConsIneq X F S)
  moreover have "wfrestrictedvars⇩s⇩t (S @ [Inequality X F]) = wfrestrictedvars⇩s⇩t S" by auto
  ultimately have "?P S" by blast
  thus ?case by fastforce
qed simp

lemma (in intruder_model) wf_strand_first_Send_var_split:
  assumes "wf⇩s⇩t {} S" "∃v ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ ⊑ ℐ v"
  shows "∃S⇩p⇩r⇩e S⇩s⇩u⇩f. ¬(∃w ∈ wfrestrictedvars⇩s⇩t S⇩p⇩r⇩e. t ⋅ ℐ ⊑ ℐ w)
            ∧ ((∃t'. S = S⇩p⇩r⇩e@Send t'#S⇩s⇩u⇩f ∧ t ⋅ ℐ ⊑⇩s⇩e⇩t set t' ⋅⇩s⇩e⇩t ℐ)
               ∨ (∃t' t''. S = S⇩p⇩r⇩e@Equality Assign t' t''#S⇩s⇩u⇩f ∧ t ⋅ ℐ ⊑ t' ⋅ ℐ))"
    (is "∃S⇩p⇩r⇩e S⇩s⇩u⇩f. ?P S⇩p⇩r⇩e ∧ ?Q S S⇩p⇩r⇩e S⇩s⇩u⇩f")
using assms
proof (induction S rule: wf⇩s⇩t_induct')
  case (ConsSnd ts' S) show ?case
  proof (cases "∃w ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ ⊑ ℐ w")
    case True
    then obtain S⇩p⇩r⇩e S⇩s⇩u⇩f where "?P S⇩p⇩r⇩e" "?Q S S⇩p⇩r⇩e S⇩s⇩u⇩f"
      using ConsSnd.IH by atomize_elim auto
    thus ?thesis by fastforce
  next
    case False
    then obtain v where v: "v ∈ fv⇩s⇩e⇩t (set ts')" "t ⋅ ℐ ⊑ ℐ v"
      using ConsSnd.prems by auto
    then obtain t' where t': "t' ∈ set ts'" "v ∈ fv t'" by auto
    have "t ⋅ ℐ ⊑ t' ⋅ ℐ"
      using v(2) t'(2) subst_mono[of "Var v" t' ℐ] vars_iff_subtermeq[of v] term.order_trans
      by auto
    hence "t ⋅ ℐ ⊑⇩s⇩e⇩t set ts' ⋅⇩s⇩e⇩t ℐ" using v(1) t'(1) by blast
    thus ?thesis using False v by auto
  qed
next
  case (ConsRcv t' S)
  have "fv⇩s⇩e⇩t (set t') ⊆ wfrestrictedvars⇩s⇩t S"
    using ConsRcv.hyps vars_snd_rcv_strand_subset2(4)[of S] by blast
  hence "∃v ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ ⊑ ℐ v"
    using ConsRcv.prems by fastforce
  then obtain S⇩p⇩r⇩e S⇩s⇩u⇩f where "?P S⇩p⇩r⇩e" "?Q S S⇩p⇩r⇩e S⇩s⇩u⇩f"
    using ConsRcv.IH by atomize_elim auto
  thus ?case by fastforce
next
  case (ConsEq s s' S)
  have *: "fv s' ⊆ wfrestrictedvars⇩s⇩t S"
    using ConsEq.hyps vars_snd_rcv_strand_subset2(4)[of S]
    by blast
  show ?case
  proof (cases "∃v ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ ⊑ ℐ v")
    case True
    then obtain S⇩p⇩r⇩e S⇩s⇩u⇩f where "?P S⇩p⇩r⇩e" "?Q S S⇩p⇩r⇩e S⇩s⇩u⇩f"
      using ConsEq.IH by atomize_elim auto
    thus ?thesis by fastforce
  next
    case False
    then obtain v where "v ∈ fv s" "t ⋅ ℐ ⊑ ℐ v" using ConsEq.prems * by auto
    hence "t ⋅ ℐ ⊑ s ⋅ ℐ"
      using vars_iff_subtermeq[of v s] subst_mono[of "Var v" s ℐ] term.order_trans
      by auto
    thus ?thesis using False by fastforce
  qed
next
  case (ConsEq2 s s' S)
  have "wfrestrictedvars⇩s⇩t (S@[Equality Check s s']) = wfrestrictedvars⇩s⇩t S" by auto
  hence "∃v ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ ⊑ ℐ v" using ConsEq2.prems by metis
  then obtain S⇩p⇩r⇩e S⇩s⇩u⇩f where "?P S⇩p⇩r⇩e" "?Q S S⇩p⇩r⇩e S⇩s⇩u⇩f"
    using ConsEq2.IH by atomize_elim auto
  thus ?case by fastforce
next
  case (ConsIneq X F S)
  hence "∃v ∈ wfrestrictedvars⇩s⇩t S. t ⋅ ℐ ⊑ ℐ v" by fastforce
  then obtain S⇩p⇩r⇩e S⇩s⇩u⇩f where "?P S⇩p⇩r⇩e" "?Q S S⇩p⇩r⇩e S⇩s⇩u⇩f"
    using ConsIneq.IH by atomize_elim auto
  thus ?case by fastforce
qed simp


subsection ‹Constraint Semantics›
context intruder_model
begin

subsubsection ‹Definitions›
text ‹The constraint semantics in which the intruder is limited to composition only›
fun strand_sem_c::"('fun,'var) terms ⇒ ('fun,'var) strand ⇒ ('fun,'var) subst ⇒ bool" ("⟦_; _⟧⇩c")
where
  "⟦M; []⟧⇩c = (λℐ. True)"
| "⟦M; Send ts#S⟧⇩c = (λℐ. (∀t ∈ set ts. M ⊢⇩c t ⋅ ℐ) ∧ ⟦M; S⟧⇩c ℐ)"
| "⟦M; Receive ts#S⟧⇩c = (λℐ. ⟦(set ts ⋅⇩s⇩e⇩t ℐ) ∪ M; S⟧⇩c ℐ)"
| "⟦M; Equality _ t t'#S⟧⇩c = (λℐ. t ⋅ ℐ = t' ⋅ ℐ ∧ ⟦M; S⟧⇩c ℐ)"
| "⟦M; Inequality X F#S⟧⇩c = (λℐ. ineq_model ℐ X F ∧ ⟦M; S⟧⇩c ℐ)"

definition constr_sem_c ("_ ⊨⇩c ⟨_,_⟩") where "ℐ ⊨⇩c ⟨S,θ⟩ ≡ (θ supports ℐ ∧ ⟦{}; S⟧⇩c ℐ)"
abbreviation constr_sem_c' ("_ ⊨⇩c ⟨_⟩" 90) where "ℐ ⊨⇩c ⟨S⟩ ≡ ℐ ⊨⇩c ⟨S,Var⟩"

text ‹The full constraint semantics›
fun strand_sem_d::"('fun,'var) terms ⇒ ('fun,'var) strand ⇒ ('fun,'var) subst ⇒ bool" ("⟦_; _⟧⇩d")
where
  "⟦M; []⟧⇩d = (λℐ. True)"
| "⟦M; Send ts#S⟧⇩d = (λℐ. (∀t ∈ set ts. M ⊢ t ⋅ ℐ) ∧ ⟦M; S⟧⇩d ℐ)"
| "⟦M; Receive ts#S⟧⇩d = (λℐ. ⟦(set ts ⋅⇩s⇩e⇩t ℐ) ∪ M; S⟧⇩d ℐ)"
| "⟦M; Equality _ t t'#S⟧⇩d = (λℐ. t ⋅ ℐ = t' ⋅ ℐ ∧ ⟦M; S⟧⇩d ℐ)"
| "⟦M; Inequality X F#S⟧⇩d = (λℐ. ineq_model ℐ X F ∧ ⟦M; S⟧⇩d ℐ)"

definition constr_sem_d ("_ ⊨ ⟨_,_⟩") where "ℐ ⊨ ⟨S,θ⟩ ≡ (θ supports ℐ ∧ ⟦{}; S⟧⇩d ℐ)"
abbreviation constr_sem_d' ("_ ⊨ ⟨_⟩" 90) where "ℐ ⊨ ⟨S⟩ ≡ ℐ ⊨ ⟨S,Var⟩"

lemmas strand_sem_induct = strand_sem_c.induct[case_names Nil ConsSnd ConsRcv ConsEq ConsIneq]


subsubsection ‹Lemmata›
lemma strand_sem_d_if_c: "ℐ ⊨⇩c ⟨S,θ⟩ ⟹ ℐ ⊨ ⟨S,θ⟩"
proof -
  assume *: "ℐ ⊨⇩c ⟨S,θ⟩"
  { fix M have "⟦M; S⟧⇩c ℐ ⟹ ⟦M; S⟧⇩d ℐ"
    proof (induction S rule: strand_sem_induct)
      case (ConsSnd M ts S)
      hence "∀t ∈ set ts. M ⊢⇩c t ⋅ ℐ" "⟦M; S⟧⇩d ℐ" by auto
      thus ?case using strand_sem_d.simps(2)[of M _ S] by auto
    qed (auto simp add: ineq_model_def)
  }
  thus ?thesis using * by (simp add: constr_sem_c_def constr_sem_d_def)
qed

lemma strand_sem_mono_ik:
  "⟦M ⊆ M'; ⟦M; S⟧⇩c θ⟧ ⟹ ⟦M'; S⟧⇩c θ" (is "⟦?A'; ?A''⟧ ⟹ ?A")
  "⟦M ⊆ M'; ⟦M; S⟧⇩d θ⟧ ⟹ ⟦M'; S⟧⇩d θ" (is "⟦?B'; ?B''⟧ ⟹ ?B")
proof -
  show "⟦?A'; ?A''⟧ ⟹ ?A"
  proof (induction M S arbitrary: M M' rule: strand_sem_induct)
    case (ConsRcv M ts S)
    thus ?case using ConsRcv.IH[of "(set ts ⋅⇩s⇩e⇩t θ) ∪ M" "(set ts ⋅⇩s⇩e⇩t θ) ∪ M'"] by auto
  next
    case (ConsSnd M ts S)
    hence "∀t ∈ set ts. M ⊢⇩c t ⋅ θ" "⟦M'; S⟧⇩c θ" by auto
    hence "∀t ∈ set ts. M' ⊢⇩c t ⋅ θ" using ideduct_synth_mono ‹M ⊆ M'› by metis
    thus ?case using ‹⟦M'; S⟧⇩c θ› by simp
  qed auto

  show "⟦?B'; ?B''⟧ ⟹ ?B"
  proof (induction M S arbitrary: M M' rule: strand_sem_induct)
    case (ConsRcv M ts S)
    thus ?case using ConsRcv.IH[of "(set ts ⋅⇩s⇩e⇩t θ) ∪ M" "(set ts ⋅⇩s⇩e⇩t θ) ∪ M'"] by auto
  next
    case (ConsSnd M ts S)
    hence "∀t ∈ set ts. M ⊢ t ⋅ θ" "⟦M'; S⟧⇩d θ" by auto
    hence "∀t ∈ set ts. M' ⊢ t ⋅ θ" using ideduct_mono ‹M ⊆ M'› by metis
    thus ?case using ‹⟦M'; S⟧⇩d θ› by simp
  qed auto
qed

context
begin
private lemma strand_sem_split_left:
  "⟦M; S@S'⟧⇩c θ ⟹ ⟦M; S⟧⇩c θ"
  "⟦M; S@S'⟧⇩d θ ⟹ ⟦M; S⟧⇩d θ"
proof (induct S arbitrary: M)
  case (Cons x S)
  { case 1 thus ?case using Cons by (cases x) simp_all }
  { case 2 thus ?case using Cons by (cases x) simp_all }
qed simp_all

private lemma strand_sem_split_right:
  "⟦M; S@S'⟧⇩c θ ⟹ ⟦M ∪ (ik⇩s⇩t S ⋅⇩s⇩e⇩t θ); S'⟧⇩c θ"
  "⟦M; S@S'⟧⇩d θ ⟹ ⟦M ∪ (ik⇩s⇩t S ⋅⇩s⇩e⇩t θ); S'⟧⇩d θ"
proof (induction S arbitrary: M rule: ik⇩s⇩t_induct)
  case (ConsRcv ts S)
  { case 1 thus ?case
      using ConsRcv.IH(1)[of "(set ts ⋅⇩s⇩e⇩t θ) ∪ M"]
      by (simp add: Un_commute Un_left_commute image_Un)
  }
  { case 2 thus ?case
      using ConsRcv.IH(2)[of "(set ts ⋅⇩s⇩e⇩t θ) ∪ M"]
      by (simp add: Un_commute Un_left_commute image_Un)
  }
qed simp_all

lemmas strand_sem_split[dest] =
  strand_sem_split_left(1) strand_sem_split_right(1)
  strand_sem_split_left(2) strand_sem_split_right(2)
end

lemma strand_sem_Send_split[dest]:
  "⟦⟦M; map Send T⟧⇩c θ; ts ∈ set T⟧ ⟹ ⟦M; [Send ts]⟧⇩c θ" (is "⟦?A'; ?A''⟧ ⟹ ?A")
  "⟦⟦M; map Send T⟧⇩d θ; ts ∈ set T⟧ ⟹ ⟦M; [Send ts]⟧⇩d θ" (is "⟦?B'; ?B''⟧ ⟹ ?B")
  "⟦⟦M; map Send T@S⟧⇩c θ; ts ∈ set T⟧ ⟹ ⟦M; Send ts#S⟧⇩c θ" (is "⟦?C'; ?C''⟧ ⟹ ?C")
  "⟦⟦M; map Send T@S⟧⇩d θ; ts ∈ set T⟧ ⟹ ⟦M; Send ts#S⟧⇩d θ" (is "⟦?D'; ?D''⟧ ⟹ ?D")
  "⟦⟦M; map Send1 T'⟧⇩c θ; t ∈ set T'⟧ ⟹ ⟦M; [Send1 t]⟧⇩c θ" (is "⟦?E'; ?E''⟧ ⟹ ?E")
  "⟦⟦M; map Send1 T'⟧⇩d θ; t ∈ set T'⟧ ⟹ ⟦M; [Send1 t]⟧⇩d θ" (is "⟦?F'; ?F''⟧ ⟹ ?F")
  "⟦⟦M; map Send1 T'@S⟧⇩c θ; t ∈ set T'⟧ ⟹ ⟦M; Send1 t#S⟧⇩c θ" (is "⟦?G'; ?G''⟧ ⟹ ?G")
  "⟦⟦M; map Send1 T'@S⟧⇩d θ; t ∈ set T'⟧ ⟹ ⟦M; Send1 t#S⟧⇩d θ" (is "⟦?H'; ?H''⟧ ⟹ ?H")
proof -
  show A: "⟦?A'; ?A''⟧ ⟹ ?A" by (induct "map Send T" arbitrary: T rule: strand_sem_c.induct) auto
  show B: "⟦?B'; ?B''⟧ ⟹ ?B" by (induct "map Send T" arbitrary: T rule: strand_sem_d.induct) auto
  show "⟦?C'; ?C''⟧ ⟹ ?C" "⟦?D'; ?D''⟧ ⟹ ?D"
    using list.set_map list.simps(8) set_empty ik_snd_empty sup_bot.right_neutral
    by (metis (no_types, lifting) A strand_sem_split(1,2) strand_sem_c.simps(2),
        metis (no_types, lifting) B strand_sem_split(3,4) strand_sem_d.simps(2))

  show "⟦?E'; ?E''⟧ ⟹ ?E"
    by (induct "map Send1 T'" arbitrary: T' rule: strand_sem_c.induct) auto

  show "⟦?F'; ?F''⟧ ⟹ ?F"
    by (induct "map Send1 T'" arbitrary: T' rule: strand_sem_c.induct) auto

  show "⟦?G'; ?G''⟧ ⟹ ?G"
  proof (induction "map Send1 T'" arbitrary: T' rule: strand_sem_c.induct)
    case (2 M ts S')
    obtain t' T'' where ts: "ts = [t']" "T' = t'#T''" "S' = map Send1 T''"
      using "2.hyps"(2) by blast
    thus ?case using "2.prems" "2.hyps"(1)
    proof (cases "t = t'")
      case True
      have "ik⇩s⇩t (map Send1 T') ⋅⇩s⇩e⇩t θ = {}" by force
      hence "⟦M; [Send1 t]⟧⇩c θ" "⟦M; S⟧⇩c θ" using "2.prems"(1) unfolding ts(2) True by auto
      thus ?thesis by simp
    qed auto
  qed auto

  show "⟦?H'; ?H''⟧ ⟹ ?H"
  proof (induction "map Send1 T'" arbitrary: T' rule: strand_sem_c.induct)
    case (2 M ts S')
    obtain t' T'' where ts: "ts = [t']" "T' = t'#T''" "S' = map Send1 T''"
      using "2.hyps"(2) by blast
    thus ?case using "2.prems" "2.hyps"(1)
    proof (cases "t = t'")
      case True
      have "ik⇩s⇩t (map Send1 T') ⋅⇩s⇩e⇩t θ = {}" by force
      hence "⟦M; [Send1 t]⟧⇩d θ" "⟦M; S⟧⇩d θ" using "2.prems"(1) unfolding ts(2) True by auto
      thus ?thesis by simp
    qed auto
  qed auto
qed

lemma strand_sem_Send_map:
  "(⋀ts. ts ∈ set T ⟹ ⟦M; [Send ts]⟧⇩c ℐ) ⟹ ⟦M; map Send T⟧⇩c ℐ"
  "(⋀ts. ts ∈ set T ⟹ ⟦M; [Send ts]⟧⇩d ℐ) ⟹ ⟦M; map Send T⟧⇩d ℐ"
  "(⋀t. t ∈ set T' ⟹ ⟦M; [Send1 t]⟧⇩c ℐ) ⟹ ⟦M; map Send1 T'⟧⇩c ℐ"
  "(⋀t. t ∈ set T' ⟹ ⟦M; [Send1 t]⟧⇩d ℐ) ⟹ ⟦M; map Send1 T'⟧⇩d ℐ"
  "⟦M; map Send1 T'⟧⇩c ℐ ⟷ ⟦M; [Send T']⟧⇩c ℐ"
  "⟦M; map Send1 T'⟧⇩d ℐ ⟷ ⟦M; [Send T']⟧⇩d ℐ"
proof -
  show "(⋀ts. ts ∈ set T ⟹ ⟦M; [Send ts]⟧⇩c ℐ) ⟹ ⟦M; map Send T⟧⇩c ℐ"
       "(⋀ts. ts ∈ set T ⟹ ⟦M; [Send ts]⟧⇩d ℐ) ⟹ ⟦M; map Send T⟧⇩d ℐ"
    by (induct T) auto

  show "(⋀t. t ∈ set T' ⟹ ⟦M; [Send1 t]⟧⇩c ℐ) ⟹ ⟦M; map Send1 T'⟧⇩c ℐ"
       "(⋀t. t ∈ set T' ⟹ ⟦M; [Send1 t]⟧⇩d ℐ) ⟹ ⟦M; map Send1 T'⟧⇩d ℐ"
    by (induct T') auto

  show "⟦M; map Send1 T'⟧⇩c ℐ ⟷ ⟦M; [Send T']⟧⇩c ℐ"
       "⟦M; map Send1 T'⟧⇩d ℐ ⟷ ⟦M; [Send T']⟧⇩d ℐ"
    by (induct T') auto
qed

lemma strand_sem_Receive_map:
  "⟦M; map Receive T⟧⇩c ℐ" "⟦M; map Receive T⟧⇩d ℐ"
  "⟦M; map Receive1 T'⟧⇩c ℐ" "⟦M; map Receive1 T'⟧⇩d ℐ"
  "⟦M; [Receive T']⟧⇩c ℐ" "⟦M; [Receive T']⟧⇩d ℐ"
proof -
  show "⟦M; map Receive T⟧⇩c ℐ" "⟦M; map Receive T⟧⇩d ℐ" by (induct T arbitrary: M) auto
  show "⟦M; map Receive1 T'⟧⇩c ℐ" "⟦M; map Receive1 T'⟧⇩d ℐ" by (induct T' arbitrary: M) auto
  show "⟦M; [Receive T']⟧⇩c ℐ" "⟦M; [Receive T']⟧⇩d ℐ" by (induct T' arbitrary: M) auto
qed

lemma strand_sem_append[intro]:
  "⟦⟦M; S⟧⇩c θ; ⟦M ∪ (ik⇩s⇩t S ⋅⇩s⇩e⇩t θ); S'⟧⇩c θ⟧ ⟹ ⟦M; S@S'⟧⇩c θ"
  "⟦⟦M; S⟧⇩d θ; ⟦M ∪ (ik⇩s⇩t S ⋅⇩s⇩e⇩t θ); S'⟧⇩d θ⟧ ⟹ ⟦M; S@S'⟧⇩d θ"
proof (induction S arbitrary: M)
  case (Cons x S) 
  { case 1 thus ?case using Cons
    proof (cases x)
      case (Receive ts) thus ?thesis
        using 1 Cons.IH(1)[of "(set ts ⋅⇩s⇩e⇩t θ) ∪ M"]
              strand_sem_c.simps(3)[of M ts] image_Un[of "λt. t ⋅ θ" "set ts" "ik⇩s⇩t S"]
        by (metis (no_types, lifting) ik⇩s⇩t.simps(2) Un_assoc Un_commute append_Cons)
    qed auto
  }
  { case 2 thus ?case using Cons
    proof (cases x)
      case (Receive ts) thus ?thesis
        using 2 Cons.IH(2)[of "(set ts ⋅⇩s⇩e⇩t θ) ∪ M"]
              strand_sem_d.simps(3)[of M ts] image_Un[of "λt. t ⋅ θ" "set ts" "ik⇩s⇩t S"]
        by (metis (no_types, lifting) ik⇩s⇩t.simps(2) Un_assoc Un_commute append_Cons)
    qed auto
  }
qed simp_all

lemma ineq_model_subst:
  fixes F::"(('a,'b) term × ('a,'b) term) list"
  assumes "(subst_domain δ ∪ range_vars δ) ∩ set X = {}"
    and "ineq_model (δ ∘⇩s θ) X F"
  shows "ineq_model θ X (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
proof -
  { fix σ::"('a,'b) subst" and t t'
    assume σ: "subst_domain σ = set X" "ground (subst_range σ)"
        and *: "∃(s,t) ∈ set F. s ⋅ (σ ∘⇩s (δ ∘⇩s θ)) ≠ t ⋅ (σ ∘⇩s (δ ∘⇩s θ))"
    obtain f where f: "f ∈ set F" "fst f ⋅ σ ∘⇩s (δ ∘⇩s θ) ≠ snd f ⋅ σ ∘⇩s (δ ∘⇩s θ)"
      using * by (induct F) force+
    have "σ ∘⇩s (δ ∘⇩s θ) = δ ∘⇩s (σ ∘⇩s θ)"
      by (metis (no_types, lifting) σ subst_compose_assoc assms(1) inf_sup_aci(1)
              subst_comp_eq_if_disjoint_vars sup_inf_absorb range_vars_alt_def) 
    hence "(fst f ⋅ δ) ⋅ σ ∘⇩s θ ≠ (snd f ⋅ δ) ⋅ σ ∘⇩s θ" using f by auto
    moreover have "(fst f ⋅ δ, snd f ⋅ δ) ∈ set (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
      using f(1) by (auto simp add: subst_apply_pairs_def)
    ultimately have "∃(s,t) ∈ set (F ⋅⇩p⇩a⇩i⇩r⇩s δ). s ⋅ (σ ∘⇩s θ) ≠ t ⋅ (σ ∘⇩s θ)"
      using f(1) Bex_set by fastforce
  }
  thus ?thesis using assms unfolding ineq_model_def by simp
qed

lemma ineq_model_subst':
  fixes F::"(('a,'b) term × ('a,'b) term) list"
  assumes "(subst_domain δ ∪ range_vars δ) ∩ set X = {}"
    and "ineq_model θ X (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
  shows "ineq_model (δ ∘⇩s θ) X F"
proof -
  { fix σ::"('a,'b) subst" and t t'
    assume σ: "subst_domain σ = set X" "ground (subst_range σ)"
        and *: "∃(s,t) ∈ set (F ⋅⇩p⇩a⇩i⇩r⇩s δ). s ⋅ (σ ∘⇩s θ) ≠ t ⋅ (σ ∘⇩s θ)"
    obtain f where f: "f ∈ set (F ⋅⇩p⇩a⇩i⇩r⇩s δ)" "fst f ⋅ σ ∘⇩s θ ≠ snd f ⋅ σ ∘⇩s θ"
      using * by (induct F) auto
    then obtain g where g: "g ∈ set F" "f = g ⋅⇩p δ" by (auto simp add: subst_apply_pairs_def)
    have "σ ∘⇩s (δ ∘⇩s θ) = δ ∘⇩s (σ ∘⇩s θ)"
      by (metis (no_types, lifting) σ subst_compose_assoc assms(1) inf_sup_aci(1)
              subst_comp_eq_if_disjoint_vars sup_inf_absorb range_vars_alt_def) 
    hence "fst g ⋅ σ ∘⇩s (δ ∘⇩s θ) ≠ snd g ⋅ σ ∘⇩s (δ ∘⇩s θ)"
      using f(2) g by (simp add: prod.case_eq_if)
    hence "∃(s,t) ∈ set F. s ⋅ (σ ∘⇩s (δ ∘⇩s θ)) ≠ t ⋅ (σ ∘⇩s (δ ∘⇩s θ))"
      using g Bex_set by fastforce
  }
  thus ?thesis using assms unfolding ineq_model_def by simp
qed

lemma ineq_model_ground_subst:
  fixes F::"(('a,'b) term × ('a,'b) term) list"
  assumes "fv⇩p⇩a⇩i⇩r⇩s F - set X ⊆ subst_domain δ"
    and "ground (subst_range δ)"
    and "ineq_model δ X F"
  shows "ineq_model (δ ∘⇩s θ) X F"
proof -
  { fix σ::"('a,'b) subst" and t t'
    assume σ: "subst_domain σ = set X" "ground (subst_range σ)"
        and *: "∃(s,t) ∈ set F. s ⋅ (σ ∘⇩s δ) ≠ t ⋅ (σ ∘⇩s δ )"
    obtain f where f: "f ∈ set F" "fst f ⋅ σ ∘⇩s δ ≠ snd f ⋅ σ ∘⇩s δ"
      using * by (induct F) force+
    hence "fv (fst f) ⊆ fv⇩p⇩a⇩i⇩r⇩s F" "fv (snd f) ⊆ fv⇩p⇩a⇩i⇩r⇩s F" by auto
    hence "fv (fst f) - set X ⊆ subst_domain δ" "fv (snd f) - set X ⊆ subst_domain δ"
      using assms(1) by auto
    hence "fv (fst f ⋅ σ) ⊆ subst_domain δ" "fv (snd f ⋅ σ) ⊆ subst_domain δ"
      using σ by (simp_all add: range_vars_alt_def subst_fv_unfold_ground_img)
    hence "fv (fst f ⋅ σ ∘⇩s δ) = {}" "fv (snd f ⋅ σ ∘⇩s δ) = {}"
      using assms(2) by (simp_all add: subst_fv_dom_ground_if_ground_img)
    hence "fst f ⋅ σ ∘⇩s (δ ∘⇩s θ) ≠ snd f ⋅ σ ∘⇩s (δ ∘⇩s θ)" using f(2) subst_ground_ident by fastforce 
    hence "∃(s,t) ∈ set F. s ⋅ (σ ∘⇩s (δ ∘⇩s θ)) ≠ t ⋅ (σ ∘⇩s (δ ∘⇩s θ))"
      using f(1) Bex_set by fastforce
  }
  thus ?thesis using assms unfolding ineq_model_def by simp
qed

context
begin
private lemma strand_sem_subst_c:
  assumes "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}"
  shows "⟦M; S⟧⇩c (δ ∘⇩s θ) ⟹ ⟦M; S ⋅⇩s⇩t δ⟧⇩c θ"
using assms
proof (induction S arbitrary: δ M rule: strand_sem_induct)
  case (ConsSnd M ts S)
  hence "⟦M; S ⋅⇩s⇩t δ⟧⇩c θ" "∀t ∈ set ts. M ⊢⇩c t ⋅ (δ ∘⇩s θ)" by auto
  hence "∀t ∈ set ts. M ⊢⇩c (t ⋅ δ) ⋅ θ"
    using subst_comp_all[of δ θ M] subst_subst_compose[of _ δ θ] by simp
  hence "∀t ∈ set (ts ⋅⇩l⇩i⇩s⇩t δ). M ⊢⇩c t ⋅ θ" by fastforce
  thus ?case
    using ‹⟦M; S ⋅⇩s⇩t δ⟧⇩c θ›
    unfolding subst_apply_strand_def 
    by simp
next
  case (ConsRcv M ts S)
  have *: "⟦(set ts ⋅⇩s⇩e⇩t δ ∘⇩s θ) ∪ M; S⟧⇩c (δ ∘⇩s θ)" using ConsRcv.prems(1) by simp
  have "bvars⇩s⇩t (Receive ts#S) = bvars⇩s⇩t S" by auto
  hence **: "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}" using ConsRcv.prems(2) by blast
  have "⟦M; Receive (ts ⋅⇩l⇩i⇩s⇩t δ)#(S ⋅⇩s⇩t δ)⟧⇩c θ"
    using ConsRcv.IH[OF * **] by (metis (no_types) image_set strand_sem_c.simps(3) subst_comp_all)
  thus ?case by simp
next
  case (ConsIneq M X F S)
  hence *: "⟦M; S ⋅⇩s⇩t δ⟧⇩c θ" and
        ***: "(subst_domain δ ∪ range_vars δ) ∩ set X = {}" 
    unfolding bvars⇩s⇩t_def ineq_model_def by auto
  have **: "ineq_model (δ ∘⇩s θ) X F"
    using ConsIneq by (auto simp add: subst_compose_assoc ineq_model_def)
  have "∀γ. subst_domain γ = set X ∧ ground (subst_range γ)
          ⟶ (subst_domain δ ∪ range_vars δ) ∩ (subst_domain γ ∪ range_vars γ) = {}"
    using * ** *** unfolding range_vars_alt_def by auto
  hence "∀γ. subst_domain γ = set X ∧ ground (subst_range γ) ⟶ γ ∘⇩s δ = δ ∘⇩s γ"
    by (metis subst_comp_eq_if_disjoint_vars)
  hence "ineq_model θ X (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
    using ineq_model_subst[OF *** **]
    by blast
  moreover have "rm_vars (set X) δ = δ" using ConsIneq.prems(2) by force
  ultimately show ?case using * by auto
qed simp_all

private lemma strand_sem_subst_c':
  assumes "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}"
  shows "⟦M; S ⋅⇩s⇩t δ⟧⇩c θ ⟹ ⟦M; S⟧⇩c (δ ∘⇩s θ)"
using assms
proof (induction S arbitrary: δ M rule: strand_sem_induct)
  case (ConsSnd M ts S)
  hence "⟦M; [Send ts] ⋅⇩s⇩t δ⟧⇩c θ" "⟦M; S ⋅⇩s⇩t δ⟧⇩c θ" by auto
  hence "⟦M; S⟧⇩c (δ ∘⇩s θ)" using ConsSnd.IH[OF _] ConsSnd.prems(2) by auto
  moreover have "⟦M; [Send ts]⟧⇩c (δ ∘⇩s θ)"
  proof -
    have "⟦M; [send⟨ts ⋅⇩l⇩i⇩s⇩t δ⟩⇩s⇩t]⟧⇩c θ" using ‹⟦M; [Send ts] ⋅⇩s⇩t δ⟧⇩c θ› by simp
    hence "∀t ∈ set (ts ⋅⇩l⇩i⇩s⇩t δ). M ⊢⇩c t ⋅ θ" by simp
    hence "∀t ∈ set ts. M ⊢⇩c t ⋅ δ ⋅ θ" by auto
    hence "∀t ∈ set ts. M ⊢⇩c t ⋅ (δ ∘⇩s θ)" using subst_subst_compose by metis
    thus "⟦M; [Send ts]⟧⇩c (δ ∘⇩s θ)" by auto
  qed
  ultimately show ?case by auto
next
  case (ConsRcv M ts S)
  hence "⟦((set ts ⋅⇩s⇩e⇩t δ ⋅⇩s⇩e⇩t θ) ∪ M); S ⋅⇩s⇩t δ⟧⇩c θ" by (simp add: subst_all_insert)
  hence "⟦((set ts ⋅⇩s⇩e⇩t δ ∘⇩s θ) ∪ M); S ⋅⇩s⇩t δ⟧⇩c θ" by (metis subst_comp_all)
  thus ?case using ConsRcv.IH ConsRcv.prems(2)  by auto
next
  case (ConsIneq M X F S)
  have δ: "rm_vars (set X) δ = δ" using ConsIneq.prems(2) by force
  hence *: "⟦M; S⟧⇩c (δ ∘⇩s θ)"
    and ***: "(subst_domain δ ∪ range_vars δ) ∩ set X = {}"
    using ConsIneq unfolding bvars⇩s⇩t_def ineq_model_def by auto
  have **: "ineq_model θ X (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
    using ConsIneq.prems(1) δ by (auto simp add: subst_compose_assoc ineq_model_def)
  have "∀γ. subst_domain γ = set X ∧ ground (subst_range γ)
          ⟶ (subst_domain δ ∪ range_vars δ) ∩ (subst_domain γ ∪ range_vars γ) = {}"
    using * ** *** unfolding range_vars_alt_def by auto
  hence "∀γ. subst_domain γ = set X ∧ ground (subst_range γ) ⟶ γ ∘⇩s δ = δ ∘⇩s γ"
    by (metis subst_comp_eq_if_disjoint_vars)
  hence "ineq_model (δ ∘⇩s θ) X F"
    using ineq_model_subst'[OF *** **]
    by blast
  thus ?case using * by auto
next
  case ConsEq thus ?case unfolding bvars⇩s⇩t_def by auto
qed simp_all

private lemma strand_sem_subst_d:
  assumes "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}"
  shows "⟦M; S⟧⇩d (δ ∘⇩s θ) ⟹ ⟦M; S ⋅⇩s⇩t δ⟧⇩d θ"
using assms
proof (induction S arbitrary: δ M rule: strand_sem_induct)
  case (ConsSnd M ts S)
  hence "⟦M; S ⋅⇩s⇩t δ⟧⇩d θ" "∀t ∈ set ts. M ⊢ t ⋅ (δ ∘⇩s θ)" by auto
  hence "∀t ∈ set ts. M ⊢ (t ⋅ δ) ⋅ θ"
    using subst_comp_all[of δ θ M] subst_subst_compose[of _ δ θ] by simp
  hence "∀t ∈ set (ts ⋅⇩l⇩i⇩s⇩t δ). M ⊢ t ⋅ θ" by simp
  thus ?case using ‹⟦M; S ⋅⇩s⇩t δ⟧⇩d θ› by simp
next
  case (ConsRcv M ts S) 
  have "⟦(set ts ⋅⇩s⇩e⇩t δ ∘⇩s θ) ∪ M; S⟧⇩d (δ ∘⇩s θ)" using ConsRcv.prems(1) by simp
  hence *: "⟦(set ts ⋅⇩s⇩e⇩t δ ⋅⇩s⇩e⇩t θ) ∪ M; S⟧⇩d (δ ∘⇩s θ)" by (metis subst_comp_all)
  have "bvars⇩s⇩t (Receive ts#S) = bvars⇩s⇩t S" by auto
  hence **: "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}" using ConsRcv.prems(2) by blast
  have "⟦M; Receive (ts ⋅⇩l⇩i⇩s⇩t δ)#(S ⋅⇩s⇩t δ)⟧⇩d θ" using ConsRcv.IH[OF * **] by simp
  thus ?case by simp
next
  case (ConsIneq M X F S)
  hence *: "⟦M; S ⋅⇩s⇩t δ⟧⇩d θ" and
        ***: "(subst_domain δ ∪ range_vars δ) ∩ set X = {}" 
    unfolding bvars⇩s⇩t_def ineq_model_def by auto
  have **: "ineq_model (δ ∘⇩s θ) X F"
    using ConsIneq by (auto simp add: subst_compose_assoc ineq_model_def)
  have "∀γ. subst_domain γ = set X ∧ ground (subst_range γ)
          ⟶ (subst_domain δ ∪ range_vars δ) ∩ (subst_domain γ ∪ range_vars γ) = {}"
    using * ** *** unfolding range_vars_alt_def by auto
  hence "∀γ. subst_domain γ = set X ∧ ground (subst_range γ) ⟶ γ ∘⇩s δ = δ ∘⇩s γ"
    by (metis subst_comp_eq_if_disjoint_vars)
  hence "ineq_model θ X (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
    using ineq_model_subst[OF *** **]
    by blast
  moreover have "rm_vars (set X) δ = δ" using ConsIneq.prems(2) by force
  ultimately show ?case using * by auto
next
  case ConsEq thus ?case unfolding bvars⇩s⇩t_def by auto
qed simp_all

private lemma strand_sem_subst_d':
  assumes "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}"
  shows "⟦M; S ⋅⇩s⇩t δ⟧⇩d θ ⟹ ⟦M; S⟧⇩d (δ ∘⇩s θ)"
using assms
proof (induction S arbitrary: δ M rule: strand_sem_induct)
  case (ConsSnd M ts S)
  hence "⟦M; [Send ts] ⋅⇩s⇩t δ⟧⇩d θ" "⟦M; S ⋅⇩s⇩t δ⟧⇩d θ" by auto
  hence "⟦M; S⟧⇩d (δ ∘⇩s θ)" using ConsSnd.IH[OF _] ConsSnd.prems(2) by auto
  moreover have "⟦M; [Send ts]⟧⇩d (δ ∘⇩s θ)"
  proof -
    have "⟦M; [send⟨ts ⋅⇩l⇩i⇩s⇩t δ⟩⇩s⇩t]⟧⇩d θ" using ‹⟦M; [Send ts] ⋅⇩s⇩t δ⟧⇩d θ› by simp
    hence "∀t ∈ set (ts ⋅⇩l⇩i⇩s⇩t δ). M ⊢ t ⋅ θ" by simp
    hence "∀t ∈ set ts. M ⊢ t ⋅ δ ⋅ θ" by auto
    hence "∀t ∈ set ts. M ⊢ t ⋅ (δ ∘⇩s θ)" using subst_subst_compose by metis
    thus "⟦M; [Send ts]⟧⇩d (δ ∘⇩s θ)" by auto
  qed
  ultimately show ?case by auto
next
  case (ConsRcv M ts S)
  hence "⟦((set ts ⋅⇩s⇩e⇩t δ ⋅⇩s⇩e⇩t θ) ∪ M); S ⋅⇩s⇩t δ⟧⇩d θ" by (simp add: subst_all_insert)
  hence "⟦((set ts ⋅⇩s⇩e⇩t δ ∘⇩s θ) ∪ M); S ⋅⇩s⇩t δ⟧⇩d θ" by (metis subst_comp_all)
  thus ?case using ConsRcv.IH ConsRcv.prems(2) by auto
next
  case (ConsIneq M X F S)
  have δ: "rm_vars (set X) δ = δ" using ConsIneq.prems(2) by force
  hence *: "⟦M; S⟧⇩d (δ ∘⇩s θ)"
    and ***: "(subst_domain δ ∪ range_vars δ) ∩ set X = {}"
    using ConsIneq unfolding bvars⇩s⇩t_def ineq_model_def by auto
  have **: "ineq_model θ X (F ⋅⇩p⇩a⇩i⇩r⇩s δ)"
    using ConsIneq.prems(1) δ by (auto simp add: subst_compose_assoc ineq_model_def)
  have "∀γ. subst_domain γ = set X ∧ ground (subst_range γ)
          ⟶ (subst_domain δ ∪ range_vars δ) ∩ (subst_domain γ ∪ range_vars γ) = {}"
    using * ** *** unfolding range_vars_alt_def by auto
  hence "∀γ. subst_domain γ = set X ∧ ground (subst_range γ) ⟶ γ ∘⇩s δ = δ ∘⇩s γ"
    by (metis subst_comp_eq_if_disjoint_vars)
  hence "ineq_model (δ ∘⇩s θ) X F"
    using ineq_model_subst'[OF *** **]
    by blast
  thus ?case using * by auto
next
  case ConsEq thus ?case unfolding bvars⇩s⇩t_def by auto
qed simp_all

lemmas strand_sem_subst =
  strand_sem_subst_c strand_sem_subst_c' strand_sem_subst_d strand_sem_subst_d'
end

lemma strand_sem_subst_subst_idem:
  assumes δ: "(subst_domain δ ∪ range_vars δ) ∩ bvars⇩s⇩t S = {}"
  shows "⟦⟦M; S ⋅⇩s⇩t δ⟧⇩c (δ ∘⇩s θ); subst_idem δ⟧ ⟹ ⟦M; S⟧⇩c (δ ∘⇩s θ)"
using strand_sem_subst(2)[OF assms, of M "δ ∘⇩s θ"] subst_compose_assoc[of δ δ θ]
unfolding subst_idem_def by argo

lemma strand_sem_subst_comp:
  assumes "(subst_domain θ ∪ range_vars θ) ∩ bvars⇩s⇩t S = {}"
    and "⟦M; S⟧⇩c δ" "subst_domain θ ∩ (vars⇩s⇩t S ∪ fv⇩s⇩e⇩t M) = {}"
  shows "⟦M; S⟧⇩c (θ ∘⇩s δ)"
proof -
  from assms(3) have "subst_domain θ ∩ vars⇩s⇩t S = {}" "subst_domain θ ∩ fv⇩s⇩e⇩t M = {}" by auto
  hence "S ⋅⇩s⇩t θ = S" "M ⋅⇩s⇩e⇩t θ = M" using strand_substI set_subst_ident[of M θ] by (blast, blast)
  thus ?thesis using assms(2) by (auto simp add: strand_sem_subst(2)[OF assms(1)])
qed

lemma strand_sem_c_imp_ineqs_neq:
  assumes "⟦M; S⟧⇩c ℐ" "Inequality X [(t,t')] ∈ set S"
  shows "t ≠ t' ∧ (∀δ. subst_domain δ = set X ∧ ground (subst_range δ)
                        ⟶ t ⋅ δ ≠ t' ⋅ δ ∧ t ⋅ δ ⋅ ℐ ≠ t' ⋅ δ ⋅ ℐ)"
using assms
proof (induction rule: strand_sem_induct)
  case (ConsIneq M Y F S) thus ?case
  proof (cases "Inequality X [(t,t')] ∈ set S")
    case False
    hence "X = Y" "F = [(t,t')]" using ConsIneq by auto
    hence *: "∀θ. subst_domain θ = set X ∧ ground (subst_range θ) ⟶ t ⋅ θ ⋅ ℐ ≠ t' ⋅ θ ⋅ ℐ"
      using ConsIneq by (auto simp add: ineq_model_def)
    then obtain θ where θ: "subst_domain θ = set X" "ground (subst_range θ)" "t ⋅ θ ⋅ ℐ ≠ t' ⋅ θ ⋅ ℐ"
      using interpretation_subst_exists'[of "set X"] by atomize_elim auto
    hence "t ≠ t'" by auto
    moreover have "⋀ℐ θ. t ⋅ θ ⋅ ℐ ≠ t' ⋅ θ ⋅ ℐ ⟹ t ⋅ θ ≠ t' ⋅ θ" by auto
    ultimately show ?thesis using * by auto
  qed simp
qed simp_all

lemma strand_sem_c_imp_ineq_model:
  assumes "⟦M; S⟧⇩c ℐ" "Inequality X F ∈ set S"
  shows "ineq_model ℐ X F"
using assms by (induct S rule: strand_sem_induct) force+

lemma strand_sem_wf_simple_fv_sat:
  assumes "wf⇩s⇩t {} S" "simple S" "⟦{}; S⟧⇩c ℐ"
  shows "⋀v. v ∈ wfrestrictedvars⇩s⇩t S ⟹ ik⇩s⇩t S ⋅⇩s⇩e⇩t ℐ ⊢⇩c ℐ v"
using assms
proof (induction S rule: wf⇩s⇩t_simple_induct)
  case (ConsRcv t S)
  have "v ∈ wfrestrictedvars⇩s⇩t S"
    using ConsRcv.hyps(3) ConsRcv.prems(1) vars_snd_rcv_strand2
    by fastforce
  moreover have "⟦{}; S⟧⇩c ℐ" using ‹⟦{}; S@[Receive t]⟧⇩c ℐ› by blast
  moreover have "ik⇩s⇩t S ⋅⇩s⇩e⇩t ℐ ⊆ ik⇩s⇩t (S@[Receive t]) ⋅⇩s⇩e⇩t ℐ" by auto
  ultimately show ?case using ConsRcv.IH ideduct_synth_mono by meson
next
  case (ConsIneq X F S)
  hence "v ∈ wfrestrictedvars⇩s⇩t S" by fastforce
  moreover have "⟦{}; S⟧⇩c ℐ" using ‹⟦{}; S@[Inequality X F]⟧⇩c ℐ› by blast
  moreover have "ik⇩s⇩t S ⋅⇩s⇩e⇩t ℐ ⊆ ik⇩s⇩t (S@[Inequality X F]) ⋅⇩s⇩e⇩t ℐ" by auto
  ultimately show ?case using ConsIneq.IH ideduct_synth_mono by meson
next
  case (ConsSnd w S)
  hence *: "⟦{}; S⟧⇩c ℐ" "ik⇩s⇩t S ⋅⇩s⇩e⇩t ℐ ⊢⇩c ℐ w" by auto
  have **: "ik⇩s⇩t S ⋅⇩s⇩e⇩t ℐ ⊆ ik⇩s⇩t (S@[Send [Var w]]) ⋅⇩s⇩e⇩t ℐ" by simp
  show ?case
  proof (cases "v = w")
    case True thus ?thesis using *(2) ideduct_synth_mono[OF _ **] by meson
  next
    case False
    hence "v ∈ wfrestrictedvars⇩s⇩t S" using ConsSnd.prems(1) by auto
    thus ?thesis using ConsSnd.IH[OF _ *(1)] ideduct_synth_mono[OF _ **] by metis
  qed
qed simp

lemma strand_sem_wf_ik_or_assignment_rhs_fun_subterm:
  assumes "wf⇩s⇩t {} A" "⟦{}; A⟧⇩c ℐ" "Var x ∈ ik⇩s⇩t A" "ℐ x = Fun f T"
          "t⇩i ∈ set T" "¬ik⇩s⇩t A ⋅⇩s⇩e⇩t ℐ ⊢⇩c t⇩i" "interpretation⇩s⇩u⇩b⇩s⇩t ℐ"
  obtains S where
    "Fun f S ∈ subterms⇩s⇩e⇩t (ik⇩s⇩t A) ∨ Fun f S ∈ subterms⇩s⇩e⇩t (assignment_rhs⇩s⇩t A)"
    "Fun f T = Fun f S ⋅ ℐ"
proof -
  have "x ∈ wfrestrictedvars⇩s⇩t A"
    by (metis (no_types) assms(3) set_rev_mp term.set_intros(3) vars_subset_if_in_strand_ik2)
  moreover have "Fun f T ⋅ ℐ = Fun f T"
    by (metis subst_ground_ident interpretation_grounds_all assms(4,7))
  ultimately obtain A⇩p⇩r⇩e A⇩s⇩u⇩f where *:
      "¬(∃w ∈ wfrestrictedvars⇩s⇩t A⇩p⇩r⇩e. Fun f T ⊑ ℐ w)"
      "(∃t. A = A⇩p⇩r⇩e@Send t#A⇩s⇩u⇩f ∧ Fun f T ⊑⇩s⇩e⇩t set t ⋅⇩s⇩e⇩t ℐ) ∨
       (∃t t'. A = A⇩p⇩r⇩e@Equality Assign t t'#A⇩s⇩u⇩f ∧ Fun f T ⊑ t ⋅ ℐ)"
    using wf_strand_first_Send_var_split[OF assms(1)] assms(4) subtermeqI' by metis
  moreover
  { fix ts assume **: "A = A⇩p⇩r⇩e@Send ts#A⇩s⇩u⇩f" "Fun f T ⊑⇩s⇩e⇩t set ts ⋅⇩s⇩e⇩t ℐ"
    hence ***: "∀t ∈ set ts. ik⇩s⇩t A⇩p⇩r⇩e ⋅⇩s⇩e⇩t ℐ ⊢⇩c t ⋅ ℐ" "¬ik⇩s⇩t A⇩p⇩r⇩e ⋅⇩s⇩e⇩t ℐ ⊢⇩c t⇩i"
      using assms(2,6) by (auto intro: ideduct_synth_mono)
    then obtain t where t: "t ∈ set ts" "Fun f T ⊑ t ⋅ ℐ" "ik⇩s⇩t A⇩p⇩r⇩e ⋅⇩s⇩e⇩t ℐ ⊢⇩c t ⋅ ℐ"
      using **(2) by blast
    obtain s where s: "s ∈ ik⇩s⇩t A⇩p⇩r⇩e" "Fun f T ⊑ s ⋅ ℐ"
      using t(3,2) ***(2) assms(5) by (induct rule: intruder_synth_induct) auto
    then obtain g S where gS: "Fun g S ⊑ s" "Fun f T = Fun g S ⋅ ℐ"
      using subterm_subst_not_img_subterm[OF s(2)] *(1) by force
    hence ?thesis using that **(1) s(1) by force
  }
  moreover
  { fix t t' assume **: "A = A⇩p⇩r⇩e@Equality Assign t t'#A⇩s⇩u⇩f" "Fun f T ⊑ t ⋅ ℐ"
    with assms(2) have "t ⋅ ℐ = t' ⋅ ℐ" by auto
    hence "Fun f T ⊑ t' ⋅ ℐ" using **(2) by auto
    from assms(1) **(1) have "fv t' ⊆ wfrestrictedvars⇩s⇩t A⇩p⇩r⇩e"
      using wf_eq_fv[of "{}" A⇩p⇩r⇩e t t' A⇩s⇩u⇩f] vars_snd_rcv_strand_subset2(4)[of A⇩p⇩r⇩e]
      by blast
    then obtain g S where gS: "Fun g S ⊑ t'" "Fun f T = Fun g S ⋅ ℐ"
      using subterm_subst_not_img_subterm[OF ‹Fun f T ⊑ t' ⋅ ℐ›] *(1) by fastforce
    hence ?thesis using that **(1) by auto
  }
  ultimately show ?thesis by auto
qed

lemma ineq_model_not_unif_is_sat_ineq:
  assumes "∄θ. Unifier θ t t'"
  shows "ineq_model ℐ X [(t, t')]"
using assms list.set_intros(1)[of "(t,t')" "[]"]
unfolding ineq_model_def by blast

lemma strand_sem_not_unif_is_sat_ineq:
  assumes "∄θ. Unifier θ t t'"
  shows "⟦M; [Inequality X [(t,t')]]⟧⇩c ℐ" "⟦M; [Inequality X [(t,t')]]⟧⇩d ℐ"
using ineq_model_not_unif_is_sat_ineq[OF assms]
      strand_sem_c.simps(1,5)[of M] strand_sem_d.simps(1,5)[of M]
by presburger+

lemma ineq_model_singleI[intro]:
  assumes "∀δ. subst_domain δ = set X ∧ ground (subst_range δ) ⟶ t ⋅ δ ⋅ ℐ ≠ t' ⋅ δ ⋅ ℐ"
  shows "ineq_model ℐ X [(t,t')]"
using assms unfolding ineq_model_def by auto

lemma ineq_model_singleE:
  assumes "ineq_model ℐ X [(t,t')]"
  shows "∀δ. subst_domain δ = set X ∧ ground (subst_range δ) ⟶ t ⋅ δ ⋅ ℐ ≠ t' ⋅ δ ⋅ ℐ"
using assms unfolding ineq_model_def by auto

lemma ineq_model_single_iff:
  fixes F::"(('a,'b) term × ('a,'b) term) list"
  shows "ineq_model ℐ X F ⟷
         ineq_model ℐ X [(Fun f (Fun c []#map fst F),Fun f (Fun c []#map snd F))]"
    (is "?A ⟷ ?B")
proof -
  let ?P = "λδ f. fst f ⋅ (δ ∘⇩s ℐ) ≠ snd f ⋅ (δ ∘⇩s ℐ)"
  let ?Q = "λδ t t'. t ⋅ (δ ∘⇩s ℐ) ≠ t' ⋅ (δ ∘⇩s ℐ)"
  let ?T = "λg. Fun c []#map g F"
  let ?S = "λδ g. map (λx. x ⋅ (δ ∘⇩s ℐ)) (Fun c []#map g F)"
  let ?t = "Fun f (?T fst)"
  let ?t' = "Fun f (?T snd)"

  have len: "⋀g h. length (?T g) = length (?T h)"
            "⋀g h δ. length (?S δ g) = length (?T h)"
            "⋀g h δ. length (?S δ g) = length (?T h)"
            "⋀g h δ σ. length (?S δ g) = length (?S σ h)"
    by simp_all

  { fix δ::"('a,'b) subst"
    assume δ: "subst_domain δ = set X" "ground (subst_range δ)"
    have "list_ex (?P δ) F ⟷ ?Q δ ?t ?t'"
    proof
      assume "list_ex (?P δ) F"
      then obtain a where a: "a ∈ set F" "?P δ a" by (metis (mono_tags, lifting) Bex_set)
      thus "?Q δ ?t ?t'" by auto
    qed (fastforce simp add: Bex_set)
  } thus ?thesis unfolding ineq_model_def case_prod_unfold by auto
qed


subsection ‹Constraint Semantics (Alternative, Equivalent Version)›
text ‹These are the constraint semantics used in the CSF 2017 paper›
fun strand_sem_c'::"('fun,'var) terms ⇒ ('fun,'var) strand ⇒ ('fun,'var) subst ⇒ bool"  ("⟦_; _⟧⇩c''") 
  where
  "⟦M; []⟧⇩c' = (λℐ. True)"
| "⟦M; Send ts#S⟧⇩c' = (λℐ. (∀t ∈ set ts. M ⋅⇩s⇩e⇩t ℐ ⊢⇩c t ⋅ ℐ) ∧ ⟦M; S⟧⇩c' ℐ)"
| "⟦M; Receive ts#S⟧⇩c' = ⟦set ts ∪ M; S⟧⇩c'"
| "⟦M; Equality _ t t'#S⟧⇩c' = (λℐ. t ⋅ ℐ = t' ⋅ ℐ ∧ ⟦M; S⟧⇩c' ℐ)"
| "⟦M; Inequality X F#S⟧⇩c' = (λℐ. ineq_model ℐ X F ∧ ⟦M; S⟧⇩c' ℐ)"

fun strand_sem_d'::"('fun,'var) terms ⇒ ('fun,'var) strand ⇒ ('fun,'var) subst ⇒ bool" ("⟦_; _⟧⇩d''")
where
  "⟦M; []⟧⇩d' = (λℐ. True)"
| "⟦M; Send ts#S⟧⇩d' = (λℐ. (∀t ∈ set ts. M ⋅⇩s⇩e⇩t ℐ ⊢ t ⋅ ℐ) ∧ ⟦M; S⟧⇩d' ℐ)"
| "⟦M; Receive ts#S⟧⇩d' = ⟦set ts ∪ M; S⟧⇩d'"
| "⟦M; Equality _ t t'#S⟧⇩d' = (λℐ. t ⋅ ℐ = t' ⋅ ℐ ∧ ⟦M; S⟧⇩d' ℐ)"
| "⟦M; Inequality X F#S⟧⇩d' = (λℐ. ineq_model ℐ X F ∧ ⟦M; S⟧⇩d' ℐ)"

lemma strand_sem_eq_defs:
  "⟦M; 𝒜⟧⇩c' ℐ = ⟦M ⋅⇩s⇩e⇩t ℐ; 𝒜⟧⇩c ℐ"
  "⟦M; 𝒜⟧⇩d' ℐ = ⟦M ⋅⇩s⇩e⇩t ℐ; 𝒜⟧⇩d ℐ"
proof -
  have 1: "⟦M; 𝒜⟧⇩c' ℐ ⟹ ⟦M ⋅⇩s⇩e⇩t ℐ; 𝒜⟧⇩c ℐ"
  proof (induction 𝒜 arbitrary: M rule: strand_sem_induct)
    case (ConsRcv M ts S) thus ?case by (fastforce simp add: image_Un[of "λt. t ⋅ ℐ"])
  qed simp_all

  have 2: "⟦M ⋅⇩s⇩e⇩t ℐ; 𝒜⟧⇩c ℐ ⟹ ⟦M; 𝒜⟧⇩c' ℐ"
  proof (induction 𝒜 arbitrary: M rule: strand_sem_c'.induct)
    case (3 M ts S) thus ?case by (fastforce simp add: image_Un[of "λt. t ⋅ ℐ"])
  qed simp_all

  have 3: "⟦M; 𝒜⟧⇩d' ℐ ⟹ ⟦M ⋅⇩s⇩e⇩t ℐ; 𝒜⟧⇩d ℐ"
  proof (induction 𝒜 arbitrary: M rule: strand_sem_induct)
    case (ConsRcv M ts S) thus ?case by (fastforce simp add: image_Un[of "λt. t ⋅ ℐ"])
  qed simp_all

  have 4: "⟦M ⋅⇩s⇩e⇩t ℐ; 𝒜⟧⇩d ℐ ⟹ ⟦M; 𝒜⟧⇩d' ℐ"
  proof (induction 𝒜 arbitrary: M rule: strand_sem_d'.induct)
    case (3 M ts S) thus ?case by (fastforce simp add: image_Un[of "λt. t ⋅ ℐ"])
  qed simp_all

  show "⟦M; 𝒜⟧⇩c' ℐ = ⟦M ⋅⇩s⇩e⇩t ℐ; 𝒜⟧⇩c ℐ" "⟦M; 𝒜⟧⇩d' ℐ = ⟦M ⋅⇩s⇩e⇩t ℐ; 𝒜⟧⇩d ℐ"
    by (metis 1 2, metis 3 4)
qed

lemma strand_sem_split'[dest]:
  "⟦M; S@S'⟧⇩c' θ ⟹ ⟦M; S⟧⇩c' θ" 
  "⟦M; S@S'⟧⇩c' θ ⟹ ⟦M ∪ ik⇩s⇩t S; S'⟧⇩c' θ"
  "⟦M; S@S'⟧⇩d' θ ⟹ ⟦M; S⟧⇩d' θ"
  "⟦M; S@S'⟧⇩d' θ ⟹ ⟦M ∪ ik⇩s⇩t S; S'⟧⇩d' θ"
using strand_sem_eq_defs[of M "S@S'" θ]
      strand_sem_eq_defs[of M S θ]
      strand_sem_eq_defs[of "M ∪ ik⇩s⇩t S" S' θ]
      strand_sem_split(2,4)
by (auto simp add: image_Un)

lemma strand_sem_append'[intro]:
  "⟦M; S⟧⇩c' θ ⟹ ⟦M ∪ ik⇩s⇩t S; S'⟧⇩c' θ ⟹ ⟦M; S@S'⟧⇩c' θ"
  "⟦M; S⟧⇩d' θ ⟹ ⟦M ∪ ik⇩s⇩t S; S'⟧⇩d' θ ⟹ ⟦M; S@S'⟧⇩d' θ"
using strand_sem_eq_defs[of M "S@S'" θ]
      strand_sem_eq_defs[of M S θ]
      strand_sem_eq_defs[of "M ∪ ik⇩s⇩t S" S' θ]
by (auto simp add: image_Un)

end

subsection ‹Dual Strands›
fun dual⇩s⇩t::"('a,'b) strand ⇒ ('a,'b) strand" where
  "dual⇩s⇩t [] = []"
| "dual⇩s⇩t (Receive t#S) = Send t#(dual⇩s⇩t S)"
| "dual⇩s⇩t (Send t#S) = Receive t#(dual⇩s⇩t S)"
| "dual⇩s⇩t (x#S) = x#(dual⇩s⇩t S)"

lemma dual⇩s⇩t_append: "dual⇩s⇩t (A@B) = (dual⇩s⇩t A)@(dual⇩s⇩t B)"
by (induct A rule: dual⇩s⇩t.induct) auto

lemma dual⇩s⇩t_self_inverse: "dual⇩s⇩t (dual⇩s⇩t S) = S"
proof (induction S)
  case (Cons x S) thus ?case by (cases x) auto
qed simp

lemma dual⇩s⇩t_trms_eq: "trms⇩s⇩t (dual⇩s⇩t S) = trms⇩s⇩t S"
proof (induction S)
  case (Cons x S) thus ?case by (cases x) auto
qed simp

lemma dual⇩s⇩t_fv: "fv⇩s⇩t (dual⇩s⇩t A) = fv⇩s⇩t A"
by (induct A rule: dual⇩s⇩t.induct) auto

lemma dual⇩s⇩t_bvars: "bvars⇩s⇩t (dual⇩s⇩t A) = bvars⇩s⇩t A"
by (induct A rule: dual⇩s⇩t.induct) fastforce+


end