src/HOL/Auth/Message.ML
author paulson
Thu, 05 Dec 1996 19:03:38 +0100
changeset 2327 00ac25b2791d
parent 2284 80ebd1a213fd
child 2373 490ffa16952e
permissions -rw-r--r--
Moved much common material to Message.ML
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     1
(*  Title:      HOL/Auth/Message
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     2
    ID:         $Id$
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     4
    Copyright   1996  University of Cambridge
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     5
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     6
Datatypes of agents and messages;
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
     7
Inductive relations "parts", "analz" and "synth"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     8
*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     9
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    10
val prems = goal HOL.thy "[| P ==> Q(True); ~P ==> Q(False) |] ==> Q(P)";
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    11
by (case_tac "P" 1);
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    12
by (ALLGOALS (asm_simp_tac (!simpset addsimps prems)));
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    13
val expand_case = result();
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    14
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    15
fun expand_case_tac P i =
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    16
    res_inst_tac [("P",P)] expand_case i THEN
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    17
    Simp_tac (i+1) THEN 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    18
    Simp_tac i;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    19
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    20
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    21
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    22
(*GOALS.ML??*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    23
fun prlim n = (goals_limit:=n; pr());
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    24
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    25
(*FUN.ML??  WE NEED A NOTION OF INVERSE IMAGE, OR GRAPH!!*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    26
goal Set.thy "!!f. B <= range f = (B = f`` {x. f x: B})";
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    27
by (fast_tac (!claset addEs [equalityE]) 1);
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    28
val subset_range_iff = result();
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    29
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    30
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    31
open Message;
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    32
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    33
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    34
(** Inverse of keys **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    35
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    36
goal thy "!!K K'. (invKey K = invKey K') = (K=K')";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    37
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
    38
by (rtac box_equals 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    39
by (REPEAT (rtac invKey 2));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    40
by (Asm_simp_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    41
qed "invKey_eq";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    42
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    43
Addsimps [invKey, invKey_eq];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    44
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    45
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    46
(**** keysFor operator ****)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    47
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    48
goalw thy [keysFor_def] "keysFor {} = {}";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    49
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    50
qed "keysFor_empty";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    51
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    52
goalw thy [keysFor_def] "keysFor (H Un H') = keysFor H Un keysFor H'";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    53
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    54
qed "keysFor_Un";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    55
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    56
goalw thy [keysFor_def] "keysFor (UN i. H i) = (UN i. keysFor (H i))";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    57
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    58
qed "keysFor_UN";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    59
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    60
(*Monotonicity*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    61
goalw thy [keysFor_def] "!!G H. G<=H ==> keysFor(G) <= keysFor(H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    62
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    63
qed "keysFor_mono";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    64
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    65
goalw thy [keysFor_def] "keysFor (insert (Agent A) H) = keysFor H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    66
by (fast_tac (!claset addss (!simpset)) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    67
qed "keysFor_insert_Agent";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    68
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    69
goalw thy [keysFor_def] "keysFor (insert (Nonce N) H) = keysFor H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    70
by (fast_tac (!claset addss (!simpset)) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    71
qed "keysFor_insert_Nonce";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    72
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    73
goalw thy [keysFor_def] "keysFor (insert (Key K) H) = keysFor H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    74
by (fast_tac (!claset addss (!simpset)) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    75
qed "keysFor_insert_Key";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    76
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    77
goalw thy [keysFor_def] "keysFor (insert {|X,Y|} H) = keysFor H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    78
by (fast_tac (!claset addss (!simpset)) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    79
qed "keysFor_insert_MPair";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    80
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    81
goalw thy [keysFor_def]
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
    82
    "keysFor (insert (Crypt K X) H) = insert (invKey K) (keysFor H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    83
by (Auto_tac());
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    84
qed "keysFor_insert_Crypt";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    85
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    86
Addsimps [keysFor_empty, keysFor_Un, keysFor_UN, 
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
    87
          keysFor_insert_Agent, keysFor_insert_Nonce,
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
    88
          keysFor_insert_Key, keysFor_insert_MPair,
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
    89
          keysFor_insert_Crypt];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    90
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
    91
goalw thy [keysFor_def] "!!H. Crypt K X : H ==> invKey K : keysFor H";
2068
0d05468dc80c New theorem Crypt_imp_invKey_keysFor
paulson
parents: 2061
diff changeset
    92
by (Fast_tac 1);
0d05468dc80c New theorem Crypt_imp_invKey_keysFor
paulson
parents: 2061
diff changeset
    93
qed "Crypt_imp_invKey_keysFor";
0d05468dc80c New theorem Crypt_imp_invKey_keysFor
paulson
parents: 2061
diff changeset
    94
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    95
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    96
(**** Inductive relation "parts" ****)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    97
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    98
val major::prems = 
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    99
goal thy "[| {|X,Y|} : parts H;       \
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   100
\            [| X : parts H; Y : parts H |] ==> P  \
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   101
\         |] ==> P";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   102
by (cut_facts_tac [major] 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   103
by (resolve_tac prems 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   104
by (REPEAT (eresolve_tac [asm_rl, parts.Fst, parts.Snd] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   105
qed "MPair_parts";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   106
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   107
AddIs  [parts.Inj];
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   108
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   109
val partsEs = [MPair_parts, make_elim parts.Body];
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   110
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   111
AddSEs partsEs;
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   112
(*NB These two rules are UNSAFE in the formal sense, as they discard the
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   113
     compound message.  They work well on THIS FILE, perhaps because its
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   114
     proofs concern only atomic messages.*)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   115
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   116
goal thy "H <= parts(H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   117
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   118
qed "parts_increasing";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   119
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   120
(*Monotonicity*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   121
goalw thy parts.defs "!!G H. G<=H ==> parts(G) <= parts(H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   122
by (rtac lfp_mono 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   123
by (REPEAT (ares_tac basic_monos 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   124
qed "parts_mono";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   125
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   126
goal thy "parts{} = {}";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   127
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   128
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   129
by (ALLGOALS Fast_tac);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   130
qed "parts_empty";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   131
Addsimps [parts_empty];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   132
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   133
goal thy "!!X. X: parts{} ==> P";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   134
by (Asm_full_simp_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   135
qed "parts_emptyE";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   136
AddSEs [parts_emptyE];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   137
1893
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   138
(*WARNING: loops if H = {Y}, therefore must not be repeated!*)
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   139
goal thy "!!H. X: parts H ==> EX Y:H. X: parts {Y}";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   140
by (etac parts.induct 1);
1893
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   141
by (ALLGOALS Fast_tac);
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   142
qed "parts_singleton";
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   143
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   144
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   145
(** Unions **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   146
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   147
goal thy "parts(G) Un parts(H) <= parts(G Un H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   148
by (REPEAT (ares_tac [Un_least, parts_mono, Un_upper1, Un_upper2] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   149
val parts_Un_subset1 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   150
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   151
goal thy "parts(G Un H) <= parts(G) Un parts(H)";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   152
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   153
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   154
by (ALLGOALS Fast_tac);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   155
val parts_Un_subset2 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   156
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   157
goal thy "parts(G Un H) = parts(G) Un parts(H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   158
by (REPEAT (ares_tac [equalityI, parts_Un_subset1, parts_Un_subset2] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   159
qed "parts_Un";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   160
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   161
goal thy "parts (insert X H) = parts {X} Un parts H";
1852
289ce6cb5c84 Added Msg 3; works up to Says_Server_imp_Key_newK
paulson
parents: 1839
diff changeset
   162
by (stac (read_instantiate [("A","H")] insert_is_Un) 1);
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   163
by (simp_tac (HOL_ss addsimps [parts_Un]) 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   164
qed "parts_insert";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   165
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   166
(*TWO inserts to avoid looping.  This rewrite is better than nothing.
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   167
  Not suitable for Addsimps: its behaviour can be strange.*)
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   168
goal thy "parts (insert X (insert Y H)) = parts {X} Un parts {Y} Un parts H";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   169
by (simp_tac (!simpset addsimps [Un_assoc]) 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   170
by (simp_tac (!simpset addsimps [parts_insert RS sym]) 1);
1852
289ce6cb5c84 Added Msg 3; works up to Says_Server_imp_Key_newK
paulson
parents: 1839
diff changeset
   171
qed "parts_insert2";
289ce6cb5c84 Added Msg 3; works up to Says_Server_imp_Key_newK
paulson
parents: 1839
diff changeset
   172
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   173
goal thy "(UN x:A. parts(H x)) <= parts(UN x:A. H x)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   174
by (REPEAT (ares_tac [UN_least, parts_mono, UN_upper] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   175
val parts_UN_subset1 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   176
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   177
goal thy "parts(UN x:A. H x) <= (UN x:A. parts(H x))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   178
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   179
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   180
by (ALLGOALS Fast_tac);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   181
val parts_UN_subset2 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   182
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   183
goal thy "parts(UN x:A. H x) = (UN x:A. parts(H x))";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   184
by (REPEAT (ares_tac [equalityI, parts_UN_subset1, parts_UN_subset2] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   185
qed "parts_UN";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   186
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   187
goal thy "parts(UN x. H x) = (UN x. parts(H x))";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   188
by (simp_tac (!simpset addsimps [UNION1_def, parts_UN]) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   189
qed "parts_UN1";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   190
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   191
(*Added to simplify arguments to parts, analz and synth*)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   192
Addsimps [parts_Un, parts_UN, parts_UN1];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   193
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   194
goal thy "insert X (parts H) <= parts(insert X H)";
1852
289ce6cb5c84 Added Msg 3; works up to Says_Server_imp_Key_newK
paulson
parents: 1839
diff changeset
   195
by (fast_tac (!claset addEs [impOfSubs parts_mono]) 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   196
qed "parts_insert_subset";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   197
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   198
(** Idempotence and transitivity **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   199
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   200
goal thy "!!H. X: parts (parts H) ==> X: parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   201
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   202
by (ALLGOALS Fast_tac);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   203
qed "parts_partsE";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   204
AddSEs [parts_partsE];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   205
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   206
goal thy "parts (parts H) = parts H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   207
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   208
qed "parts_idem";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   209
Addsimps [parts_idem];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   210
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   211
goal thy "!!H. [| X: parts G;  G <= parts H |] ==> X: parts H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   212
by (dtac parts_mono 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   213
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   214
qed "parts_trans";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   215
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   216
(*Cut*)
1998
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   217
goal thy "!!H. [| Y: parts (insert X H);  X: parts H |] ==> Y: parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   218
by (etac parts_trans 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   219
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   220
qed "parts_cut";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   221
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   222
val parts_insertI = impOfSubs (subset_insertI RS parts_mono);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   223
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   224
goal thy "!!H. X: parts H ==> parts (insert X H) = parts H";
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   225
by (fast_tac (!claset addSEs [parts_cut]
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   226
                      addIs  [parts_insertI]) 1);
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   227
qed "parts_cut_eq";
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   228
2028
738bb98d65ec Last working version prior to addition of "lost" component
paulson
parents: 2026
diff changeset
   229
Addsimps [parts_cut_eq];
738bb98d65ec Last working version prior to addition of "lost" component
paulson
parents: 2026
diff changeset
   230
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   231
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   232
(** Rewrite rules for pulling out atomic messages **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   233
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   234
goal thy "parts (insert (Agent agt) H) = insert (Agent agt) (parts H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   235
by (rtac (parts_insert_subset RSN (2, equalityI)) 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   236
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   237
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   238
(*Simplification breaks up equalities between messages;
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   239
  how to make it work for fast_tac??*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   240
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   241
qed "parts_insert_Agent";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   242
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   243
goal thy "parts (insert (Nonce N) H) = insert (Nonce N) (parts H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   244
by (rtac (parts_insert_subset RSN (2, equalityI)) 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   245
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   246
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   247
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   248
qed "parts_insert_Nonce";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   249
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   250
goal thy "parts (insert (Key K) H) = insert (Key K) (parts H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   251
by (rtac (parts_insert_subset RSN (2, equalityI)) 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   252
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   253
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   254
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   255
qed "parts_insert_Key";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   256
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   257
goal thy "parts (insert (Crypt K X) H) = \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   258
\         insert (Crypt K X) (parts (insert X H))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   259
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   260
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   261
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   262
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   263
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   264
by (ALLGOALS (best_tac (!claset addIs [parts.Body])));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   265
qed "parts_insert_Crypt";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   266
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   267
goal thy "parts (insert {|X,Y|} H) = \
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   268
\         insert {|X,Y|} (parts (insert X (insert Y H)))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   269
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   270
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   271
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   272
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   273
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   274
by (ALLGOALS (best_tac (!claset addIs [parts.Fst, parts.Snd])));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   275
qed "parts_insert_MPair";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   276
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   277
Addsimps [parts_insert_Agent, parts_insert_Nonce, 
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   278
          parts_insert_Key, parts_insert_Crypt, parts_insert_MPair];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   279
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   280
2026
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   281
goal thy "parts (Key``N) = Key``N";
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   282
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   283
by (etac parts.induct 1);
2026
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   284
by (Auto_tac());
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   285
qed "parts_image_Key";
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   286
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   287
Addsimps [parts_image_Key];
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   288
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   289
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   290
(**** Inductive relation "analz" ****)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   291
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   292
val major::prems = 
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   293
goal thy "[| {|X,Y|} : analz H;       \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   294
\            [| X : analz H; Y : analz H |] ==> P  \
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   295
\         |] ==> P";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   296
by (cut_facts_tac [major] 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   297
by (resolve_tac prems 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   298
by (REPEAT (eresolve_tac [asm_rl, analz.Fst, analz.Snd] 1));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   299
qed "MPair_analz";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   300
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   301
AddIs  [analz.Inj];
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   302
AddSEs [MPair_analz];      (*Perhaps it should NOT be deemed safe!*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   303
AddDs  [analz.Decrypt];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   304
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   305
Addsimps [analz.Inj];
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   306
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   307
goal thy "H <= analz(H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   308
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   309
qed "analz_increasing";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   310
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   311
goal thy "analz H <= parts H";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   312
by (rtac subsetI 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   313
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   314
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   315
qed "analz_subset_parts";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   316
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   317
bind_thm ("not_parts_not_analz", analz_subset_parts RS contra_subsetD);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   318
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   319
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   320
goal thy "parts (analz H) = parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   321
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   322
by (rtac (analz_subset_parts RS parts_mono RS subset_trans) 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   323
by (Simp_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   324
by (fast_tac (!claset addDs [analz_increasing RS parts_mono RS subsetD]) 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   325
qed "parts_analz";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   326
Addsimps [parts_analz];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   327
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   328
goal thy "analz (parts H) = parts H";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   329
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   330
by (etac analz.induct 1);
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   331
by (Auto_tac());
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   332
qed "analz_parts";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   333
Addsimps [analz_parts];
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   334
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   335
(*Monotonicity; Lemma 1 of Lowe*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   336
goalw thy analz.defs "!!G H. G<=H ==> analz(G) <= analz(H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   337
by (rtac lfp_mono 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   338
by (REPEAT (ares_tac basic_monos 1));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   339
qed "analz_mono";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   340
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   341
(** General equational properties **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   342
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   343
goal thy "analz{} = {}";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   344
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   345
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   346
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   347
qed "analz_empty";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   348
Addsimps [analz_empty];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   349
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   350
(*Converse fails: we can analz more from the union than from the 
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   351
  separate parts, as a key in one might decrypt a message in the other*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   352
goal thy "analz(G) Un analz(H) <= analz(G Un H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   353
by (REPEAT (ares_tac [Un_least, analz_mono, Un_upper1, Un_upper2] 1));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   354
qed "analz_Un";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   355
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   356
goal thy "insert X (analz H) <= analz(insert X H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   357
by (fast_tac (!claset addEs [impOfSubs analz_mono]) 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   358
qed "analz_insert";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   359
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   360
(** Rewrite rules for pulling out atomic messages **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   361
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   362
goal thy "analz (insert (Agent agt) H) = insert (Agent agt) (analz H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   363
by (rtac (analz_insert RSN (2, equalityI)) 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   364
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   365
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   366
(*Simplification breaks up equalities between messages;
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   367
  how to make it work for fast_tac??*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   368
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   369
qed "analz_insert_Agent";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   370
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   371
goal thy "analz (insert (Nonce N) H) = insert (Nonce N) (analz H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   372
by (rtac (analz_insert RSN (2, equalityI)) 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   373
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   374
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   375
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   376
qed "analz_insert_Nonce";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   377
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   378
(*Can only pull out Keys if they are not needed to decrypt the rest*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   379
goalw thy [keysFor_def]
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   380
    "!!K. K ~: keysFor (analz H) ==>  \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   381
\         analz (insert (Key K) H) = insert (Key K) (analz H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   382
by (rtac (analz_insert RSN (2, equalityI)) 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   383
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   384
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   385
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   386
qed "analz_insert_Key";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   387
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   388
goal thy "analz (insert {|X,Y|} H) = \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   389
\         insert {|X,Y|} (analz (insert X (insert Y H)))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   390
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   391
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   392
by (etac analz.induct 1);
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   393
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   394
by (etac analz.induct 1);
2102
41a667d2c3fa Replaced excluded_middle_tac by case_tac
paulson
parents: 2068
diff changeset
   395
by (ALLGOALS
41a667d2c3fa Replaced excluded_middle_tac by case_tac
paulson
parents: 2068
diff changeset
   396
    (deepen_tac (!claset addIs [analz.Fst, analz.Snd, analz.Decrypt]) 0));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   397
qed "analz_insert_MPair";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   398
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   399
(*Can pull out enCrypted message if the Key is not known*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   400
goal thy "!!H. Key (invKey K) ~: analz H ==>  \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   401
\              analz (insert (Crypt K X) H) = \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   402
\              insert (Crypt K X) (analz H)";
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   403
by (rtac (analz_insert RSN (2, equalityI)) 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   404
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   405
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   406
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   407
qed "analz_insert_Crypt";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   408
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   409
goal thy "!!H. Key (invKey K) : analz H ==>  \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   410
\              analz (insert (Crypt K X) H) <= \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   411
\              insert (Crypt K X) (analz (insert X H))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   412
by (rtac subsetI 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   413
by (eres_inst_tac [("za","x")] analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   414
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   415
val lemma1 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   416
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   417
goal thy "!!H. Key (invKey K) : analz H ==>  \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   418
\              insert (Crypt K X) (analz (insert X H)) <= \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   419
\              analz (insert (Crypt K X) H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   420
by (Auto_tac());
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   421
by (eres_inst_tac [("za","x")] analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   422
by (Auto_tac());
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   423
by (best_tac (!claset addIs [subset_insertI RS analz_mono RS subsetD,
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   424
                             analz.Decrypt]) 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   425
val lemma2 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   426
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   427
goal thy "!!H. Key (invKey K) : analz H ==>  \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   428
\              analz (insert (Crypt K X) H) = \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   429
\              insert (Crypt K X) (analz (insert X H))";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   430
by (REPEAT (ares_tac [equalityI, lemma1, lemma2] 1));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   431
qed "analz_insert_Decrypt";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   432
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   433
(*Case analysis: either the message is secure, or it is not!
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   434
  Effective, but can cause subgoals to blow up!
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   435
  Use with expand_if;  apparently split_tac does not cope with patterns
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   436
  such as "analz (insert (Crypt K X) H)" *)
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   437
goal thy "analz (insert (Crypt K X) H) =                \
2154
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   438
\         (if (Key (invKey K) : analz H)                \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   439
\          then insert (Crypt K X) (analz (insert X H)) \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   440
\          else insert (Crypt K X) (analz H))";
2102
41a667d2c3fa Replaced excluded_middle_tac by case_tac
paulson
parents: 2068
diff changeset
   441
by (case_tac "Key (invKey K)  : analz H " 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   442
by (ALLGOALS (asm_simp_tac (!simpset addsimps [analz_insert_Crypt, 
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   443
                                               analz_insert_Decrypt])));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   444
qed "analz_Crypt_if";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   445
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   446
Addsimps [analz_insert_Agent, analz_insert_Nonce, 
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   447
          analz_insert_Key, analz_insert_MPair, 
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   448
          analz_Crypt_if];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   449
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   450
(*This rule supposes "for the sake of argument" that we have the key.*)
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   451
goal thy  "analz (insert (Crypt K X) H) <=  \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   452
\          insert (Crypt K X) (analz (insert X H))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   453
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   454
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   455
by (Auto_tac());
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   456
qed "analz_insert_Crypt_subset";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   457
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   458
2026
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   459
goal thy "analz (Key``N) = Key``N";
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   460
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   461
by (etac analz.induct 1);
2026
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   462
by (Auto_tac());
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   463
qed "analz_image_Key";
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   464
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   465
Addsimps [analz_image_Key];
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   466
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   467
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   468
(** Idempotence and transitivity **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   469
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   470
goal thy "!!H. X: analz (analz H) ==> X: analz H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   471
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   472
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   473
qed "analz_analzE";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   474
AddSEs [analz_analzE];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   475
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   476
goal thy "analz (analz H) = analz H";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   477
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   478
qed "analz_idem";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   479
Addsimps [analz_idem];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   480
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   481
goal thy "!!H. [| X: analz G;  G <= analz H |] ==> X: analz H";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   482
by (dtac analz_mono 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   483
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   484
qed "analz_trans";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   485
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   486
(*Cut; Lemma 2 of Lowe*)
1998
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   487
goal thy "!!H. [| Y: analz (insert X H);  X: analz H |] ==> Y: analz H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   488
by (etac analz_trans 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   489
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   490
qed "analz_cut";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   491
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   492
(*Cut can be proved easily by induction on
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   493
   "!!H. Y: analz (insert X H) ==> X: analz H --> Y: analz H"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   494
*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   495
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   496
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   497
(** A congruence rule for "analz" **)
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   498
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   499
goal thy "!!H. [| analz G <= analz G'; analz H <= analz H' \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   500
\              |] ==> analz (G Un H) <= analz (G' Un H')";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   501
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   502
by (etac analz.induct 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   503
by (ALLGOALS (best_tac (!claset addIs [analz_mono RS subsetD])));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   504
qed "analz_subset_cong";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   505
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   506
goal thy "!!H. [| analz G = analz G'; analz H = analz H' \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   507
\              |] ==> analz (G Un H) = analz (G' Un H')";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   508
by (REPEAT_FIRST (ares_tac [equalityI, analz_subset_cong]
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   509
          ORELSE' etac equalityE));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   510
qed "analz_cong";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   511
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   512
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   513
goal thy "!!H. analz H = analz H' ==> analz(insert X H) = analz(insert X H')";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   514
by (asm_simp_tac (!simpset addsimps [insert_def] 
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   515
                           setloop (rtac analz_cong)) 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   516
qed "analz_insert_cong";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   517
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   518
(*If there are no pairs or encryptions then analz does nothing*)
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   519
goal thy "!!H. [| ALL X Y. {|X,Y|} ~: H;  ALL X K. Crypt K X ~: H |] ==> \
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   520
\         analz H = H";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   521
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   522
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   523
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   524
qed "analz_trivial";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   525
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   526
(*Helps to prove Fake cases*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   527
goal thy "!!X. X: analz (UN i. analz (H i)) ==> X: analz (UN i. H i)";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   528
by (etac analz.induct 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   529
by (ALLGOALS (fast_tac (!claset addEs [impOfSubs analz_mono])));
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   530
val lemma = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   531
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   532
goal thy "analz (UN i. analz (H i)) = analz (UN i. H i)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   533
by (fast_tac (!claset addIs [lemma]
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   534
                      addEs [impOfSubs analz_mono]) 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   535
qed "analz_UN_analz";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   536
Addsimps [analz_UN_analz];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   537
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   538
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   539
(**** Inductive relation "synth" ****)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   540
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   541
AddIs  synth.intrs;
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   542
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   543
(*Can only produce a nonce or key if it is already known,
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   544
  but can synth a pair or encryption from its components...*)
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   545
val mk_cases = synth.mk_cases msg.simps;
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   546
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   547
(*NO Agent_synth, as any Agent name can be synthd*)
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   548
val Nonce_synth = mk_cases "Nonce n : synth H";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   549
val Key_synth   = mk_cases "Key K : synth H";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   550
val MPair_synth = mk_cases "{|X,Y|} : synth H";
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   551
val Crypt_synth = mk_cases "Crypt K X : synth H";
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   552
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   553
AddSEs [Nonce_synth, Key_synth, MPair_synth, Crypt_synth];
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   554
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   555
goal thy "H <= synth(H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   556
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   557
qed "synth_increasing";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   558
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   559
(*Monotonicity*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   560
goalw thy synth.defs "!!G H. G<=H ==> synth(G) <= synth(H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   561
by (rtac lfp_mono 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   562
by (REPEAT (ares_tac basic_monos 1));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   563
qed "synth_mono";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   564
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   565
(** Unions **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   566
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   567
(*Converse fails: we can synth more from the union than from the 
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   568
  separate parts, building a compound message using elements of each.*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   569
goal thy "synth(G) Un synth(H) <= synth(G Un H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   570
by (REPEAT (ares_tac [Un_least, synth_mono, Un_upper1, Un_upper2] 1));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   571
qed "synth_Un";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   572
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   573
goal thy "insert X (synth H) <= synth(insert X H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   574
by (fast_tac (!claset addEs [impOfSubs synth_mono]) 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   575
qed "synth_insert";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   576
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   577
(** Idempotence and transitivity **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   578
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   579
goal thy "!!H. X: synth (synth H) ==> X: synth H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   580
by (etac synth.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   581
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   582
qed "synth_synthE";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   583
AddSEs [synth_synthE];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   584
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   585
goal thy "synth (synth H) = synth H";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   586
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   587
qed "synth_idem";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   588
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   589
goal thy "!!H. [| X: synth G;  G <= synth H |] ==> X: synth H";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   590
by (dtac synth_mono 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   591
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   592
qed "synth_trans";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   593
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   594
(*Cut; Lemma 2 of Lowe*)
1998
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   595
goal thy "!!H. [| Y: synth (insert X H);  X: synth H |] ==> Y: synth H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   596
by (etac synth_trans 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   597
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   598
qed "synth_cut";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   599
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   600
goal thy "Agent A : synth H";
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   601
by (Fast_tac 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   602
qed "Agent_synth";
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   603
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   604
goal thy "(Nonce N : synth H) = (Nonce N : H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   605
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   606
qed "Nonce_synth_eq";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   607
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   608
goal thy "(Key K : synth H) = (Key K : H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   609
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   610
qed "Key_synth_eq";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   611
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   612
goal thy "!!K. Key K ~: H ==> (Crypt K X : synth H) = (Crypt K X: H)";
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   613
by (Fast_tac 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   614
qed "Crypt_synth_eq";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   615
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   616
Addsimps [Agent_synth, Nonce_synth_eq, Key_synth_eq, Crypt_synth_eq];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   617
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   618
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   619
goalw thy [keysFor_def]
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   620
    "keysFor (synth H) = keysFor H Un invKey``{K. Key K : H}";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   621
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   622
qed "keysFor_synth";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   623
Addsimps [keysFor_synth];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   624
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   625
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   626
(*** Combinations of parts, analz and synth ***)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   627
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   628
goal thy "parts (synth H) = parts H Un synth H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   629
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   630
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   631
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   632
by (ALLGOALS
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   633
    (best_tac (!claset addIs ((synth_increasing RS parts_mono RS subsetD)
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   634
                             ::parts.intrs))));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   635
qed "parts_synth";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   636
Addsimps [parts_synth];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   637
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   638
goal thy "analz (synth H) = analz H Un synth H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   639
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   640
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   641
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   642
by (best_tac
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   643
    (!claset addIs [synth_increasing RS analz_mono RS subsetD]) 5);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   644
(*Strange that best_tac just can't hack this one...*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   645
by (ALLGOALS (deepen_tac (!claset addIs analz.intrs) 0));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   646
qed "analz_synth";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   647
Addsimps [analz_synth];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   648
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   649
(*Hard to prove; still needed now that there's only one Spy?*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   650
goal thy "analz (UN i. synth (H i)) = \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   651
\         analz (UN i. H i) Un (UN i. synth (H i))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   652
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   653
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   654
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   655
by (best_tac
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   656
    (!claset addEs [impOfSubs synth_increasing,
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   657
                    impOfSubs analz_mono]) 5);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   658
by (Best_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   659
by (deepen_tac (!claset addIs [analz.Fst]) 0 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   660
by (deepen_tac (!claset addIs [analz.Snd]) 0 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   661
by (deepen_tac (!claset addSEs [analz.Decrypt]
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   662
                        addIs  [analz.Decrypt]) 0 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   663
qed "analz_UN1_synth";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   664
Addsimps [analz_UN1_synth];
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   665
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   666
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   667
(** For reasoning about the Fake rule in traces **)
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   668
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   669
goal thy "!!Y. X: G ==> parts(insert X H) <= parts G Un parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   670
by (rtac ([parts_mono, parts_Un_subset2] MRS subset_trans) 1);
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   671
by (Fast_tac 1);
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   672
qed "parts_insert_subset_Un";
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   673
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   674
(*More specifically for Fake*)
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   675
goal thy "!!H. X: synth (analz G) ==> \
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   676
\              parts (insert X H) <= synth (analz G) Un parts G Un parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   677
by (dtac parts_insert_subset_Un 1);
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   678
by (Full_simp_tac 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   679
by (Deepen_tac 0 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   680
qed "Fake_parts_insert";
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   681
2061
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   682
goal thy
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   683
     "!!H. [| Crypt K Y : parts (insert X H);  X: synth (analz G);  \
2061
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   684
\             Key K ~: analz G |]                                   \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   685
\          ==> Crypt K Y : parts G Un parts H";
2061
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   686
by (dtac (impOfSubs Fake_parts_insert) 1);
2170
c5e460f1ebb4 Ran expandshort
paulson
parents: 2154
diff changeset
   687
by (assume_tac 1);
2061
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   688
by (fast_tac (!claset addDs [impOfSubs analz_subset_parts]
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   689
                      addss (!simpset)) 1);
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   690
qed "Crypt_Fake_parts_insert";
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   691
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   692
goal thy "!!H. [| X: synth (analz G); G <= H |] ==> \
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   693
\              analz (insert X H) <= synth (analz H) Un analz H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   694
by (rtac subsetI 1);
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   695
by (subgoal_tac "x : analz (synth (analz H))" 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   696
by (best_tac (!claset addIs [impOfSubs (analz_mono RS synth_mono)]
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   697
                      addSEs [impOfSubs analz_mono]) 2);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   698
by (Full_simp_tac 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   699
by (Fast_tac 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   700
qed "Fake_analz_insert";
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   701
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   702
goal thy "(X: analz H & X: parts H) = (X: analz H)";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   703
by (fast_tac (!claset addDs [impOfSubs analz_subset_parts]) 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   704
val analz_conj_parts = result();
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   705
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   706
goal thy "(X: analz H | X: parts H) = (X: parts H)";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   707
by (fast_tac (!claset addDs [impOfSubs analz_subset_parts]) 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   708
val analz_disj_parts = result();
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   709
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   710
AddIffs [analz_conj_parts, analz_disj_parts];
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   711
1998
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   712
(*Without this equation, other rules for synth and analz would yield
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   713
  redundant cases*)
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   714
goal thy "({|X,Y|} : synth (analz H)) = \
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   715
\         (X : synth (analz H) & Y : synth (analz H))";
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   716
by (Fast_tac 1);
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   717
qed "MPair_synth_analz";
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   718
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   719
AddIffs [MPair_synth_analz];
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   720
2154
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   721
goal thy "!!K. [| Key K : analz H;  Key (invKey K) : analz H |] \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   722
\              ==> (Crypt K X : synth (analz H)) = (X : synth (analz H))";
2154
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   723
by (Fast_tac 1);
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   724
qed "Crypt_synth_analz";
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   725
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   726
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   727
(*We do NOT want Crypt... messages broken up in protocols!!*)
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   728
Delrules partsEs;
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   729
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   730
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   731
(** Rewrites to push in Key and Crypt messages, so that other messages can
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   732
    be pulled out using the analz_insert rules **)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   733
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   734
fun insComm thy x y = read_instantiate_sg (sign_of thy) [("x",x), ("y",y)] 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   735
                          insert_commute;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   736
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   737
val pushKeys = map (insComm thy "Key ?K") 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   738
                  ["Agent ?C", "Nonce ?N", "MPair ?X ?Y", "Crypt ?X ?K'"];
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   739
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   740
val pushCrypts = map (insComm thy "Crypt ?X ?K") 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   741
                    ["Agent ?C", "Nonce ?N", "MPair ?X' ?Y"];
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   742
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   743
(*Cannot be added with Addsimps -- we don't always want to re-order messages*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   744
val pushes = pushKeys@pushCrypts;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   745
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   746
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   747
(*No premature instantiation of variables.  For proving weak liveness.*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   748
fun safe_solver prems =
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   749
    match_tac (TrueI::refl::prems) ORELSE' eq_assume_tac
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   750
    ORELSE' etac FalseE;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   751
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   752
(*Analysis of Fake cases and of messages that forward unknown parts
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   753
  Abstraction over i is ESSENTIAL: it delays the dereferencing of claset
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   754
  DEPENDS UPON "X" REFERRING TO THE FRADULENT MESSAGE *)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   755
fun spy_analz_tac i =
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   756
  SELECT_GOAL 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   757
   (EVERY [  (*push in occurrences of X...*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   758
           (REPEAT o CHANGED)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   759
             (res_inst_tac [("x1","X")] (insert_commute RS ssubst) 1),
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   760
             (*...allowing further simplifications*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   761
           simp_tac (!simpset setloop split_tac [expand_if]) 1,
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   762
           REPEAT (resolve_tac [allI,impI,notI] 1),
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   763
           dtac (impOfSubs Fake_analz_insert) 1,
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   764
           eresolve_tac [asm_rl, synth.Inj] 1,
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   765
           Fast_tac 1,
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   766
           Asm_full_simp_tac 1,
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   767
           IF_UNSOLVED (depth_tac (!claset addIs [impOfSubs analz_mono]) 2 1)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   768
           ]) i;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   769
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   770
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   771
(*Useful in many uniqueness proofs*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   772
fun ex_strip_tac i = REPEAT (swap_res_tac [exI, conjI] i) THEN 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   773
                     assume_tac (i+1);
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   774