Check if a
(certify-possiblep cert dests systate) → yes/no
The validator in question is the author of the certificate.
If the validator is faulty, for each endorser in the certificate, there must be a message, in the network, from that endorser, for the proposal of the certificate. As a special case, if the certificate has no endorsers, no such message is required to be in the network: nothing prevents a faulty validator from authoring a proposal and then certifying it with no additional signatures; the certificate will not be accepted by correct validators, but the certificate can still be generated.
Another constraint we put on faulty validators is that
they send the certificate to at least a validator.
Similarly to an analogous requirement in propose-possiblep,
this is not a real restriction, but just a modeling convenience:
since faulty validators have no internal state,
if a faulty validator created a certificate but sent it to nobody,
there would be no change in the system state;
that is, it would be the same as no event.
In other words, a
If the validator is correct,
no message is required to be in the network,
because endorsing signatures are incorporated into the validator state
via separate
It is an invariant, proved elsewhere, that the endorsers of each proposal
in the
(defun certify-possiblep (cert dests systate) (declare (xargs :guard (and (certificatep cert) (address-setp dests) (system-statep systate)))) (let ((__function__ 'certify-possiblep)) (declare (ignorable __function__)) (b* (((certificate cert) cert) ((proposal prop) cert.proposal) ((when (not (in (correct-addresses systate)))) (and (subset (make-endorsement-messages prop cert.endorsers) (get-network-state systate)) (not (emptyp (address-set-fix dests))))) ((when (in (address-set-fix dests))) nil) ((validator-state vstate) (get-validator-state systate)) (prop+endors (omap::assoc prop vstate.proposed)) ((unless prop+endors) nil) ((unless (equal cert.endorsers (cdr prop+endors))) nil) (commtt (active-committee-at-round prop.round vstate.blockchain)) ((unless commtt) nil) (signers (certificate->signers cert)) ((unless (>= (committee-validators-stake signers commtt) (committee-quorum-stake commtt))) nil)) t)))
(defthm booleanp-of-certify-possiblep (b* ((yes/no (certify-possiblep cert dests systate))) (booleanp yes/no)) :rule-classes :rewrite)
(defthm certify-possiblep-of-certificate-fix-cert (equal (certify-possiblep (certificate-fix cert) dests systate) (certify-possiblep cert dests systate)))
(defthm certify-possiblep-certificate-equiv-congruence-on-cert (implies (certificate-equiv cert cert-equiv) (equal (certify-possiblep cert dests systate) (certify-possiblep cert-equiv dests systate))) :rule-classes :congruence)
(defthm certify-possiblep-of-address-set-fix-dests (equal (certify-possiblep cert (address-set-fix dests) systate) (certify-possiblep cert dests systate)))
(defthm certify-possiblep-address-set-equiv-congruence-on-dests (implies (address-set-equiv dests dests-equiv) (equal (certify-possiblep cert dests systate) (certify-possiblep cert dests-equiv systate))) :rule-classes :congruence)
(defthm certify-possiblep-of-system-state-fix-systate (equal (certify-possiblep cert dests (system-state-fix systate)) (certify-possiblep cert dests systate)))
(defthm certify-possiblep-system-state-equiv-congruence-on-systate (implies (system-state-equiv systate systate-equiv) (equal (certify-possiblep cert dests systate) (certify-possiblep cert dests systate-equiv))) :rule-classes :congruence)