Safety verification of complex systems is often hindered by the difficulty of constructing inductive invariants, intricate Boolean structures, and extensive quantifier alternations. This work proposes an incremental safety proof method that integrates forward reasoning, backward reasoning under time reversal, and a prophecy variable mechanism to decompose global invariants into simpler subgoals. Without expanding the set of candidate invariant formulas, the approach strictly enhances proof power while substantially reducing the logical complexity of required invariants. Experiments on Paxos, its variants, and the Raft protocol demonstrate that the method effectively eliminates complex Boolean structures, reduces quantifier usage and alternation depth, and significantly shrinks the invariant search space.

We propose an incremental approach for safety proofs that decomposes a proof with a complex inductive invariant into a sequence of simpler proof steps. Our proof system combines rules for (i) forward reasoning using inductive invariants, (ii) backward reasoning using inductive invariants of a time-reversed system, and (iii) prophecy steps that add witnesses for existentially quantified properties. We prove each rule sound and give a construction that recovers a single safe inductive invariant from an incremental proof. The construction of the invariant demonstrates the increased complexity of a single inductive invariant compared to the invariant formulas used in an incremental proof, which may have simpler Boolean structures and fewer quantifiers and quantifier alternations. Under natural restrictions on the available invariant formulas, each proof rule strictly increases proof power. That is, each rule allows to prove more safety problems with the same set of formulas. Thus, the incremental approach is able to reduce the search space of invariant formulas needed to prove safety of a given system. A case study on Paxos, several of its variants, and Raft demonstrates that forward-backward steps can remove complex Boolean structure while prophecy eliminates quantifiers and quantifier alternations.