Workflow

forallmay x:A,p:P
    True → Conf += (x,p)
forall x:A,p:P
    B(x,p) → Assign += (x,p)
forall x:A,p:P
    (Assign(x,p) ∧ Oracle(x,p)) → Review += (x,p)
loop {
    forall xa:A,xb:A,p:P (Assign(xa,p) ∧ Review(xb,p)) → Read += (xa,xb,p)
    forallmay x:A,p:P (Assign(x,p)) → Review += (x,p)
}

Declassify

Oracle(x:A,p:P): ¬ Conf(xat:A,p:P)

Target

Read(xat:A, xbt:A, pt:P)