reserve i,n for Nat;
reserve m for non zero Nat;
reserve p,q for Tuple of n, BOOLEAN;
reserve d,d1,d2 for Element of BOOLEAN;

theorem
  for z1,z2 being Tuple of m, BOOLEAN for d1,d2 being Element of BOOLEAN holds
  Intval(z1^<*d1*>-z2^<*d2*>)
  + IFEQ(Int_add_ovfl(z1^<*d1*>,Neg2(z2^<*d2*>)),FALSE,0,2 to_power(m+1))
  - IFEQ(Int_add_udfl(z1^<*d1*>,Neg2(z2^<*d2*>)),FALSE,0,2 to_power(m+1))
  + IFEQ(Int_add_ovfl('not' (z2^<*d2*>),Bin1(m+1)),FALSE,0,2 to_power(m+1))
  = Intval(z1^<*d1*>) - Intval(z2^<*d2*>)
proof
  let z1,z2 be Tuple of m, BOOLEAN;
  let d1,d2;
  set OV1 = IFEQ(Int_add_ovfl(z1^<*d1*>,Neg2(z2^<*d2*>)),FALSE,0,
  2 to_power(m+1)),
  UD1 = IFEQ(Int_add_udfl(z1^<*d1*>,Neg2(z2^<*d2*>)),FALSE,0,
  2 to_power(m+1)),
  OV2 = IFEQ(Int_add_ovfl('not' (z2^<*d2*>),Bin1(m+1)),FALSE,0,
  2 to_power(m+1)),
  NEG = Neg2(z2)^<*'not' d2 'xor' add_ovfl('not' z2,Bin1(m))*>;
  thus Intval(z1^<*d1*>-z2^<*d2*>) + OV1 - UD1 + OV2
  = Intval(z1^<*d1*>+Neg2(z2^<*d2*>)) + OV1 - UD1 + OV2 by Th17
    .= Intval(z1^<*d1*>+NEG) + OV1 - UD1 + OV2 by Th14
    .= Intval(z1^<*d1*>+NEG)
  + IFEQ(Int_add_ovfl(z1^<*d1*>,NEG),FALSE,0,2 to_power(m+1))
  - UD1 + OV2 by Th14
    .= Intval(z1^<*d1*>+NEG)
  + IFEQ(Int_add_ovfl(z1^<*d1*>,NEG),FALSE,0,2 to_power(m+1))
  - IFEQ(Int_add_udfl(z1^<*d1*>,NEG),FALSE,0,2 to_power(m+1)) + OV2 by Th14
    .= Intval(z1^<*d1*>) + Intval(NEG) + OV2 by Th11
    .= Intval(z1^<*d1*>) + (Intval(NEG) + OV2)
    .= Intval(z1^<*d1*>) + (Intval(Neg2(z2^<*d2*>)) + OV2) by Th14
    .= Intval(z1^<*d1*>) + (- Intval(z2^<*d2*>)) by Th15
    .= Intval(z1^<*d1*>) - Intval(z2^<*d2*>);
end;
