Hi Dan,
We often solve this differently. When you are looking for an exists-trace lemma (like executability), you can effectively provide "hints" for the proof search by adding more events with shared variables in your lemma. Since it is trace-exists, adding more events there does not invalidate the result. Instead, it just looks for a more specific example, narrowing the search space.
For example, assume you have a initiator role with 4 steps, where the last has an action "InitStep4(~tid,...)" and you want to express this is reachable. One way of writing this is:
lemma Lemma1:
exists-trace "Ex tid ... #i4 . InitStep4(tid, ...)@i4 "
However, you can also look for a more specific trace.
lemma Lemma2:
exists-trace "Ex tid ... #i1 #i2 #i3 #i4 . InitStep1(tid, ...)@i1 & InitStep2(tid, ...)@i2 & InitStep3(tid, ...)@i3 & InitStep4(tid, ...)@i4
& #i1 < #i2 & #i2 < #i3 & #i3 < #i4"
More things that you could add to Lemma 2:
- Where possible, bind the variables appearing in the actions across the multiple steps.
- Add clauses to specify actions that should not appear, or appear only once, so they avoid your particular looping scenarios.
- Specify that all received messages were previously sent by protocol rule instances (typically requires adding some actions to specify)
The second lemma is typically easier to verify because it looks for a much more specific trace.
You can then convince yourself manually that lemma 2 implies lemma 1. Of course, if you want Tamarin to check, you can first prove lemma 2, make it reusable, and then write lemma 1 afterwards, after which the proof of lemma 1 should be trivial.
hope this helps,
Cas