more symbols;
authorwenzelm
Mon Dec 28 23:13:33 2015 +0100 (2015-12-28)
changeset 6195638b73f7940af
parent 61955 e96292f32c3c
child 61957 301833d9013a
more symbols;
src/HOL/Auth/CertifiedEmail.thy
src/HOL/Auth/Guard/Analz.thy
src/HOL/Auth/Guard/Extensions.thy
src/HOL/Auth/Guard/Guard.thy
src/HOL/Auth/Guard/GuardK.thy
src/HOL/Auth/Guard/Guard_NS_Public.thy
src/HOL/Auth/Guard/Guard_OtwayRees.thy
src/HOL/Auth/Guard/Guard_Public.thy
src/HOL/Auth/Guard/Guard_Yahalom.thy
src/HOL/Auth/Guard/List_Msg.thy
src/HOL/Auth/Guard/P1.thy
src/HOL/Auth/Guard/P2.thy
src/HOL/Auth/Guard/Proto.thy
src/HOL/Auth/Message.thy
src/HOL/Auth/OtwayRees.thy
src/HOL/Auth/OtwayRees_AN.thy
src/HOL/Auth/OtwayRees_Bad.thy
src/HOL/Auth/Public.thy
src/HOL/Auth/Recur.thy
src/HOL/Auth/TLS.thy
src/HOL/Auth/WooLam.thy
src/HOL/Auth/Yahalom.thy
src/HOL/Auth/Yahalom2.thy
src/HOL/Auth/Yahalom_Bad.thy
src/HOL/Auth/ZhouGollmann.thy
src/HOL/UNITY/Simple/NSP_Bad.thy
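--- a/src/HOL/Auth/CertifiedEmail.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/CertifiedEmail.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -25,7 +25,7 @@
 
 text\<open>We formalize a fixed way of computing responses.  Could be better.\<close>
 definition "response" :: "agent => agent => nat => msg" where
-   "response S R q == Hash {|Agent S, Key (shrK R), Nonce q|}"
+   "response S R q == Hash \<lbrace>Agent S, Key (shrK R), Nonce q\<rbrace>"
 
 
 inductive_set certified_mail :: "event list set"
@@ -42,28 +42,28 @@
 | FakeSSL: \<comment>\<open>The Spy may open SSL sessions with TTP, who is the only agent
     equipped with the necessary credentials to serve as an SSL server.\<close>
         "[| evsfssl \<in> certified_mail; X \<in> synth(analz(spies evsfssl))|]
-          ==> Notes TTP {|Agent Spy, Agent TTP, X|} # evsfssl \<in> certified_mail"
+          ==> Notes TTP \<lbrace>Agent Spy, Agent TTP, X\<rbrace> # evsfssl \<in> certified_mail"
 
 | CM1: \<comment>\<open>The sender approaches the recipient.  The message is a number.\<close>
  "[|evs1 \<in> certified_mail;
     Key K \<notin> used evs1;
     K \<in> symKeys;
     Nonce q \<notin> used evs1;
-    hs = Hash{|Number cleartext, Nonce q, response S R q, Crypt K (Number m)|};
-    S2TTP = Crypt(pubEK TTP) {|Agent S, Number BothAuth, Key K, Agent R, hs|}|]
-  ==> Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number BothAuth, 
-                 Number cleartext, Nonce q, S2TTP|} # evs1 
+    hs = Hash\<lbrace>Number cleartext, Nonce q, response S R q, Crypt K (Number m)\<rbrace>;
+    S2TTP = Crypt(pubEK TTP) \<lbrace>Agent S, Number BothAuth, Key K, Agent R, hs\<rbrace>|]
+  ==> Says S R \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number BothAuth, 
+                 Number cleartext, Nonce q, S2TTP\<rbrace> # evs1 
         \<in> certified_mail"
 
 | CM2: \<comment>\<open>The recipient records @{term S2TTP} while transmitting it and her
      password to @{term TTP} over an SSL channel.\<close>
  "[|evs2 \<in> certified_mail;
-    Gets R {|Agent S, Agent TTP, em, Number BothAuth, Number cleartext, 
-             Nonce q, S2TTP|} \<in> set evs2;
+    Gets R \<lbrace>Agent S, Agent TTP, em, Number BothAuth, Number cleartext, 
+             Nonce q, S2TTP\<rbrace> \<in> set evs2;
     TTP \<noteq> R;  
-    hr = Hash {|Number cleartext, Nonce q, response S R q, em|} |]
+    hr = Hash \<lbrace>Number cleartext, Nonce q, response S R q, em\<rbrace> |]
   ==> 
-   Notes TTP {|Agent R, Agent TTP, S2TTP, Key(RPwd R), hr|} # evs2
+   Notes TTP \<lbrace>Agent R, Agent TTP, S2TTP, Key(RPwd R), hr\<rbrace> # evs2
       \<in> certified_mail"
 
 | CM3: \<comment>\<open>@{term TTP} simultaneously reveals the key to the recipient and gives
@@ -72,12 +72,12 @@
         if the given password is that of the claimed sender, @{term R}.
         He replies over the established SSL channel.\<close>
  "[|evs3 \<in> certified_mail;
-    Notes TTP {|Agent R, Agent TTP, S2TTP, Key(RPwd R), hr|} \<in> set evs3;
+    Notes TTP \<lbrace>Agent R, Agent TTP, S2TTP, Key(RPwd R), hr\<rbrace> \<in> set evs3;
     S2TTP = Crypt (pubEK TTP) 
-                     {|Agent S, Number BothAuth, Key k, Agent R, hs|};
+                     \<lbrace>Agent S, Number BothAuth, Key k, Agent R, hs\<rbrace>;
     TTP \<noteq> R;  hs = hr;  k \<in> symKeys|]
   ==> 
-   Notes R {|Agent TTP, Agent R, Key k, hr|} # 
+   Notes R \<lbrace>Agent TTP, Agent R, Key k, hr\<rbrace> # 
    Gets S (Crypt (priSK TTP) S2TTP) # 
    Says TTP S (Crypt (priSK TTP) S2TTP) # evs3 \<in> certified_mail"
 
@@ -116,8 +116,8 @@
 done
 
 lemma CM2_S2TTP_analz_knows_Spy:
- "[|Gets R {|Agent A, Agent B, em, Number AO, Number cleartext, 
-              Nonce q, S2TTP|} \<in> set evs;
+ "[|Gets R \<lbrace>Agent A, Agent B, em, Number AO, Number cleartext, 
+              Nonce q, S2TTP\<rbrace> \<in> set evs;
     evs \<in> certified_mail|] 
   ==> S2TTP \<in> analz(spies evs)"
 apply (drule Gets_imp_Says, simp) 
@@ -130,9 +130,9 @@
 lemma hr_form_lemma [rule_format]:
  "evs \<in> certified_mail
   ==> hr \<notin> synth (analz (spies evs)) --> 
-      (\<forall>S2TTP. Notes TTP {|Agent R, Agent TTP, S2TTP, pwd, hr|}
+      (\<forall>S2TTP. Notes TTP \<lbrace>Agent R, Agent TTP, S2TTP, pwd, hr\<rbrace>
          \<in> set evs --> 
-      (\<exists>clt q S em. hr = Hash {|Number clt, Nonce q, response S R q, em|}))"
+      (\<exists>clt q S em. hr = Hash \<lbrace>Number clt, Nonce q, response S R q, em\<rbrace>))"
 apply (erule certified_mail.induct)
 apply (synth_analz_mono_contra, simp_all, blast+)
 done 
@@ -141,10 +141,10 @@
 the fakessl rule allows Spy to spoof the sender's name.  Maybe can
 strengthen the second disjunct with @{term "R\<noteq>Spy"}.\<close>
 lemma hr_form:
- "[|Notes TTP {|Agent R, Agent TTP, S2TTP, pwd, hr|} \<in> set evs;
+ "[|Notes TTP \<lbrace>Agent R, Agent TTP, S2TTP, pwd, hr\<rbrace> \<in> set evs;
     evs \<in> certified_mail|]
   ==> hr \<in> synth (analz (spies evs)) | 
-      (\<exists>clt q S em. hr = Hash {|Number clt, Nonce q, response S R q, em|})"
+      (\<exists>clt q S em. hr = Hash \<lbrace>Number clt, Nonce q, response S R q, em\<rbrace>)"
 by (blast intro: hr_form_lemma) 
 
 lemma Spy_dont_know_private_keys [dest!]:
@@ -184,9 +184,9 @@
 
 lemma CM3_k_parts_knows_Spy:
  "[| evs \<in> certified_mail;
-     Notes TTP {|Agent A, Agent TTP,
-                 Crypt (pubEK TTP) {|Agent S, Number AO, Key K, 
-                 Agent R, hs|}, Key (RPwd R), hs|} \<in> set evs|]
+     Notes TTP \<lbrace>Agent A, Agent TTP,
+                 Crypt (pubEK TTP) \<lbrace>Agent S, Number AO, Key K, 
+                 Agent R, hs\<rbrace>, Key (RPwd R), hs\<rbrace> \<in> set evs|]
   ==> Key K \<in> parts(spies evs)"
 apply (rotate_tac 1)
 apply (erule rev_mp)
@@ -273,7 +273,7 @@
     provided @{term K} is secure.  Proof is surprisingly hard.\<close>
 
 lemma Notes_SSL_imp_used:
-     "[|Notes B {|Agent A, Agent B, X|} \<in> set evs|] ==> X \<in> used evs"
+     "[|Notes B \<lbrace>Agent A, Agent B, X\<rbrace> \<in> set evs|] ==> X \<in> used evs"
 by (blast dest!: Notes_imp_used)
 
 
@@ -283,14 +283,14 @@
  "evs \<in> certified_mail ==>
     Key K \<notin> analz (spies evs) -->
     (\<forall>AO. Crypt (pubEK TTP)
-           {|Agent S, Number AO, Key K, Agent R, hs|} \<in> used evs -->
+           \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace> \<in> used evs -->
     (\<exists>m ctxt q. 
-        hs = Hash{|Number ctxt, Nonce q, response S R q, Crypt K (Number m)|} &
+        hs = Hash\<lbrace>Number ctxt, Nonce q, response S R q, Crypt K (Number m)\<rbrace> &
         Says S R
-           {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
+           \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO,
             Number ctxt, Nonce q,
             Crypt (pubEK TTP)
-              {|Agent S, Number AO, Key K, Agent R, hs |}|} \<in> set evs))" 
+              \<lbrace>Agent S, Number AO, Key K, Agent R, hs \<rbrace>\<rbrace> \<in> set evs))" 
 apply (erule certified_mail.induct, analz_mono_contra)
 apply (drule_tac [5] CM2_S2TTP_parts_knows_Spy, simp)
 apply (simp add: used_Nil Crypt_notin_initState, simp_all)
@@ -310,16 +310,16 @@
 done 
 
 lemma S2TTP_sender:
- "[|Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|} \<in> used evs;
+ "[|Crypt (pubEK TTP) \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace> \<in> used evs;
     Key K \<notin> analz (spies evs);
     evs \<in> certified_mail|]
   ==> \<exists>m ctxt q. 
-        hs = Hash{|Number ctxt, Nonce q, response S R q, Crypt K (Number m)|} &
+        hs = Hash\<lbrace>Number ctxt, Nonce q, response S R q, Crypt K (Number m)\<rbrace> &
         Says S R
-           {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
+           \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO,
             Number ctxt, Nonce q,
             Crypt (pubEK TTP)
-              {|Agent S, Number AO, Key K, Agent R, hs |}|} \<in> set evs" 
+              \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace>\<rbrace> \<in> set evs" 
 by (blast intro: S2TTP_sender_lemma) 
 
 
@@ -348,15 +348,15 @@
       Key K \<notin> analz (spies evs) -->
       (\<forall>m cleartext q hs.
        Says S R
-           {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
+           \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO,
             Number cleartext, Nonce q,
-             Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|}|}
+             Crypt (pubEK TTP) \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace>\<rbrace>
          \<in> set evs -->
       (\<forall>m' cleartext' q' hs'.
       Says S' R'
-           {|Agent S', Agent TTP, Crypt K (Number m'), Number AO',
+           \<lbrace>Agent S', Agent TTP, Crypt K (Number m'), Number AO',
             Number cleartext', Nonce q',
-             Crypt (pubEK TTP) {|Agent S', Number AO', Key K, Agent R', hs'|}|}
+             Crypt (pubEK TTP) \<lbrace>Agent S', Number AO', Key K, Agent R', hs'\<rbrace>\<rbrace>
          \<in> set evs --> R' = R & S' = S & AO' = AO & hs' = hs))" 
 apply (erule certified_mail.induct, analz_mono_contra, simp_all)
  prefer 2
@@ -369,14 +369,14 @@
 text\<open>The key determines the sender, recipient and protocol options.\<close>
 lemma Key_unique:
       "[|Says S R
-           {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
+           \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO,
             Number cleartext, Nonce q,
-             Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|}|}
+             Crypt (pubEK TTP) \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace>\<rbrace>
          \<in> set evs;
         Says S' R'
-           {|Agent S', Agent TTP, Crypt K (Number m'), Number AO',
+           \<lbrace>Agent S', Agent TTP, Crypt K (Number m'), Number AO',
             Number cleartext', Nonce q',
-             Crypt (pubEK TTP) {|Agent S', Number AO', Key K, Agent R', hs'|}|}
+             Crypt (pubEK TTP) \<lbrace>Agent S', Number AO', Key K, Agent R', hs'\<rbrace>\<rbrace>
          \<in> set evs;
         Key K \<notin> analz (spies evs);
         evs \<in> certified_mail|]
@@ -390,9 +390,9 @@
       If Spy gets the key then @{term R} is bad and @{term S} moreover
       gets his return receipt (and therefore has no grounds for complaint).\<close>
 theorem S_fairness_bad_R:
-      "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, 
-                     Number cleartext, Nonce q, S2TTP|} \<in> set evs;
-         S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|};
+      "[|Says S R \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO, 
+                     Number cleartext, Nonce q, S2TTP\<rbrace> \<in> set evs;
+         S2TTP = Crypt (pubEK TTP) \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace>;
          Key K \<in> analz (spies evs);
          evs \<in> certified_mail;
          S\<noteq>Spy|]
@@ -418,9 +418,9 @@
 
 text\<open>Confidentially for the symmetric key\<close>
 theorem Spy_not_see_encrypted_key:
-      "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, 
-                     Number cleartext, Nonce q, S2TTP|} \<in> set evs;
-         S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|};
+      "[|Says S R \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO, 
+                     Number cleartext, Nonce q, S2TTP\<rbrace> \<in> set evs;
+         S2TTP = Crypt (pubEK TTP) \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace>;
          evs \<in> certified_mail;
          S\<noteq>Spy; R \<notin> bad|]
       ==> Key K \<notin> analz(spies evs)"
@@ -430,10 +430,10 @@
 text\<open>Agent @{term R}, who may be the Spy, doesn't receive the key
  until @{term S} has access to the return receipt.\<close> 
 theorem S_guarantee:
-     "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, 
-                    Number cleartext, Nonce q, S2TTP|} \<in> set evs;
-        S2TTP = Crypt (pubEK TTP) {|Agent S, Number AO, Key K, Agent R, hs|};
-        Notes R {|Agent TTP, Agent R, Key K, hs|} \<in> set evs;
+     "[|Says S R \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO, 
+                    Number cleartext, Nonce q, S2TTP\<rbrace> \<in> set evs;
+        S2TTP = Crypt (pubEK TTP) \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace>;
+        Notes R \<lbrace>Agent TTP, Agent R, Key K, hs\<rbrace> \<in> set evs;
         S\<noteq>Spy;  evs \<in> certified_mail|]
      ==> Gets S (Crypt (priSK TTP) S2TTP) \<in> set evs"
 apply (erule rev_mp)
@@ -453,11 +453,11 @@
 theorem RR_validity:
   "[|Crypt (priSK TTP) S2TTP \<in> used evs;
     S2TTP = Crypt (pubEK TTP)
-               {|Agent S, Number AO, Key K, Agent R, 
-                 Hash {|Number cleartext, Nonce q, r, em|}|};
-     hr = Hash {|Number cleartext, Nonce q, r, em|};
+               \<lbrace>Agent S, Number AO, Key K, Agent R, 
+                 Hash \<lbrace>Number cleartext, Nonce q, r, em\<rbrace>\<rbrace>;
+     hr = Hash \<lbrace>Number cleartext, Nonce q, r, em\<rbrace>;
      R\<noteq>Spy;  evs \<in> certified_mail|]
-  ==> Notes R {|Agent TTP, Agent R, Key K, hr|} \<in> set evs"
+  ==> Notes R \<lbrace>Agent TTP, Agent R, Key K, hr\<rbrace> \<in> set evs"
 apply (erule rev_mp)
 apply (erule ssubst)
 apply (erule ssubst)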
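Review bot: The rewritten conclusion of S2TTP_sender_lemma in the `@@ -283` hunk carries the old stray space over as `hs \<rbrace>\<rbrace>`, while the identical conclusion of S2TTP_sender in the very next hunk is written `hs\<rbrace>\<rbrace>`. The terms are the same so no proof is affected, but the two statements are clearly meant to read alike, and the lemma-side line should be `\<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace>\<rbrace> \<in> set evs))"`. The header of that lemma lies before the hunk's first line.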
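--- a/src/HOL/Auth/Guard/Analz.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/Analz.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -17,8 +17,8 @@
   for H :: "msg set"
 where
   Inj [intro]: "[| X:H; is_MPair X |] ==> X:pparts H"
-| Fst [dest]: "[| {|X,Y|}:pparts H; is_MPair X |] ==> X:pparts H"
-| Snd [dest]: "[| {|X,Y|}:pparts H; is_MPair Y |] ==> Y:pparts H"
+| Fst [dest]: "[| \<lbrace>X,Y\<rbrace>:pparts H; is_MPair X |] ==> X:pparts H"
+| Snd [dest]: "[| \<lbrace>X,Y\<rbrace>:pparts H; is_MPair Y |] ==> Y:pparts H"
 
 subsection\<open>basic facts about @{term pparts}\<close>
 
@@ -53,8 +53,8 @@
 = pparts {X} Un pparts {Y} Un pparts H"
 by (rule eq, (erule pparts.induct, auto)+)
 
-lemma pparts_insert_MPair [iff]: "pparts (insert {|X,Y|} H)
-= insert {|X,Y|} (pparts ({X,Y} Un H))"
+lemma pparts_insert_MPair [iff]: "pparts (insert \<lbrace>X,Y\<rbrace> H)
+= insert \<lbrace>X,Y\<rbrace> (pparts ({X,Y} \<union> H))"
 apply (rule eq, (erule pparts.induct, auto)+)
 apply (rule_tac Y=Y in pparts.Fst, auto)
 apply (erule pparts.induct, auto)
@@ -119,8 +119,8 @@
   for H :: "msg set"
 where
   Inj [intro]: "[| X:H; not_MPair X |] ==> X:kparts H"
-| Fst [intro]: "[| {|X,Y|}:pparts H; not_MPair X |] ==> X:kparts H"
-| Snd [intro]: "[| {|X,Y|}:pparts H; not_MPair Y |] ==> Y:kparts H"
+| Fst [intro]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; not_MPair X |] ==> X:kparts H"
+| Snd [intro]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; not_MPair Y |] ==> Y:kparts H"
 
 subsection\<open>basic facts about @{term kparts}\<close>
 
@@ -137,8 +137,8 @@
 = kparts {X} Un kparts {Y} Un kparts H"
 by (rule eq, (erule kparts.induct, auto)+)
 
-lemma kparts_insert_MPair [iff]: "kparts (insert {|X,Y|} H)
-= kparts ({X,Y} Un H)"
+lemma kparts_insert_MPair [iff]: "kparts (insert \<lbrace>X,Y\<rbrace> H)
+= kparts ({X,Y} \<union> H)"
 by (rule eq, (erule kparts.induct, auto)+)
 
 lemma kparts_insert_Nonce [iff]: "kparts (insert (Nonce n) H)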
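Review bot: The kparts Fst/Snd rules in the `@@ -119` hunk switch the premise to `\<lbrace>X,Y\<rbrace> \<in> pparts H`, but the pparts Fst/Snd rules in the first hunk keep the ASCII form `\<lbrace>X,Y\<rbrace>:pparts H`, so the two sibling inductive definitions now state the same premise in two notations. Since the commit already rewrites both lines, the pparts rules could be brought in line as `| Fst [dest]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; is_MPair X |] ==> X:pparts H"` and likewise for Snd. The `Un` on the untouched context lines before pparts_insert_MPair and kparts_insert_MPair is presumably left for a later pass, given that the changed lines next to them do switch to `\<union>`.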
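--- a/src/HOL/Auth/Guard/Extensions.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/Extensions.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -51,11 +51,11 @@
 subsubsection\<open>messages that are pairs\<close>
 
 definition is_MPair :: "msg => bool" where
-"is_MPair X == EX Y Z. X = {|Y,Z|}"
+"is_MPair X == EX Y Z. X = \<lbrace>Y,Z\<rbrace>"
 
 declare is_MPair_def [simp]
 
-lemma MPair_is_MPair [iff]: "is_MPair {|X,Y|}"
+lemma MPair_is_MPair [iff]: "is_MPair \<lbrace>X,Y\<rbrace>"
 by simp
 
 lemma Agent_isnt_MPair [iff]: "~ is_MPair (Agent A)"
@@ -86,7 +86,7 @@
 declare is_MPair_def [simp del]
 
 definition has_no_pair :: "msg set => bool" where
-"has_no_pair H == ALL X Y. {|X,Y|} ~:H"
+"has_no_pair H == ALL X Y. \<lbrace>X,Y\<rbrace> \<notin> H"
 
 declare has_no_pair_def [simp]
 
@@ -218,7 +218,7 @@
 fun greatest_msg :: "msg => nat"
 where
   "greatest_msg (Nonce n) = n"
-| "greatest_msg {|X,Y|} = max (greatest_msg X) (greatest_msg Y)"
+| "greatest_msg \<lbrace>X,Y\<rbrace> = max (greatest_msg X) (greatest_msg Y)"
 | "greatest_msg (Crypt K X) = greatest_msg X"
 | "greatest_msg other = 0"
 
@@ -233,7 +233,7 @@
 lemma keyset_in [dest]: "[| keyset G; X:G |] ==> EX K. X = Key K"
 by (auto simp: keyset_def)
 
-lemma MPair_notin_keyset [simp]: "keyset G ==> {|X,Y|} ~:G"
+lemma MPair_notin_keyset [simp]: "keyset G ==> \<lbrace>X,Y\<rbrace> \<notin> G"
 by auto
 
 lemma Crypt_notin_keyset [simp]: "keyset G ==> Crypt K X ~:G"
@@ -332,7 +332,7 @@
 
 subsubsection\<open>lemma on knows\<close>
 
-lemma Says_imp_spies2: "Says A B {|X,Y|}:set evs ==> Y:parts (spies evs)"
+lemma Says_imp_spies2: "Says A B \<lbrace>X,Y\<rbrace> \<in> set evs ==> Y \<in> parts (spies evs)"
 by (drule Says_imp_spies, drule parts.Inj, drule parts.Snd, simp)
 
 lemma Says_not_parts: "[| Says A B X:set evs; Y ~:parts (spies evs) |]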
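Review bot: The has_no_pair definition in the `@@ -86` hunk now mixes an ASCII binder with symbolic membership on a single line, `ALL X Y. \<lbrace>X,Y\<rbrace> \<notin> H`, and is_MPair in the first hunk likewise keeps `EX Y Z` next to the new braces. If the commit is converting `~:` to `\<notin>` on these lines, the binders beside them are the natural companions: `"has_no_pair H == \<forall>X Y. \<lbrace>X,Y\<rbrace> \<notin> H"` and `"is_MPair X == \<exists>Y Z. X = \<lbrace>Y,Z\<rbrace>"`. Otherwise keeping `~:H` and `~:G` here would match the untouched `~:G` in Crypt_notin_keyset two lines below MPair_notin_keyset.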
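--- a/src/HOL/Auth/Guard/Guard.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/Guard.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -19,7 +19,7 @@
   No_Nonce [intro]: "Nonce n ~:parts {X} ==> X:guard n Ks"
 | Guard_Nonce [intro]: "invKey K:Ks ==> Crypt K X:guard n Ks"
 | Crypt [intro]: "X:guard n Ks ==> Crypt K X:guard n Ks"
-| Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> {|X,Y|}:guard n Ks"
+| Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> \<lbrace>X,Y\<rbrace> \<in> guard n Ks"
 
 subsection\<open>basic facts about @{term guard}\<close>
 
@@ -58,8 +58,8 @@
 lemma guard_Crypt: "[| Crypt K Y:guard n Ks; K ~:invKey`Ks |] ==> Y:guard n Ks"
   by (ind_cases "Crypt K Y:guard n Ks") (auto intro!: image_eqI)
 
-lemma guard_MPair [iff]: "({|X,Y|}:guard n Ks) = (X:guard n Ks & Y:guard n Ks)"
-by (auto, (ind_cases "{|X,Y|}:guard n Ks", auto)+)
+lemma guard_MPair [iff]: "(\<lbrace>X,Y\<rbrace> \<in> guard n Ks) = (X \<in> guard n Ks \<and> Y \<in> guard n Ks)"
+by (auto, (ind_cases "\<lbrace>X,Y\<rbrace> \<in> guard n Ks", auto)+)
 
 lemma guard_not_guard [rule_format]: "X:guard n Ks ==>
 Crypt K Y:kparts {X} --> Nonce n:kparts {Y} --> Y ~:guard n Ks"
@@ -175,7 +175,7 @@
 fun crypt_nb :: "msg => nat"
 where
   "crypt_nb (Crypt K X) = Suc (crypt_nb X)"
-| "crypt_nb {|X,Y|} = crypt_nb X + crypt_nb Y"
+| "crypt_nb \<lbrace>X,Y\<rbrace> = crypt_nb X + crypt_nb Y"
 | "crypt_nb X = 0" (* otherwise *)
 
 subsection\<open>basic facts about @{term crypt_nb}\<close>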
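Review bot: guard_MPair in the `@@ -58` hunk is converted all the way to `\<in>` and `\<and>`, and the Pair rule in the first hunk gets `\<lbrace>X,Y\<rbrace> \<in> guard n Ks` while the premises on the same line stay `X:guard n Ks`; the parallel lines in GuardK.thy in this same commit (its Pair rule, guardK_MPair and the ind_cases under it) keep `:` and `&` throughout. Guard.thy and GuardK.thy are near-duplicates of each other, so the mixed treatment makes any later side-by-side comparison of the two theories noisy. Either convert the GuardK.thy lines the same way, or restrict this commit to the `{|...|}` to `\<lbrace>...\<rbrace>` replacement and leave `:`/`&` for a dedicated pass, e.g. `| Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> \<lbrace>X,Y\<rbrace>:guard n Ks"`.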
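--- a/src/HOL/Auth/Guard/GuardK.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/GuardK.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -26,7 +26,7 @@
   No_Key [intro]: "Key n ~:parts {X} ==> X:guardK n Ks"
 | Guard_Key [intro]: "invKey K:Ks ==> Crypt K X:guardK n Ks"
 | Crypt [intro]: "X:guardK n Ks ==> Crypt K X:guardK n Ks"
-| Pair [intro]: "[| X:guardK n Ks; Y:guardK n Ks |] ==> {|X,Y|}:guardK n Ks"
+| Pair [intro]: "[| X:guardK n Ks; Y:guardK n Ks |] ==> \<lbrace>X,Y\<rbrace>:guardK n Ks"
 
 subsection\<open>basic facts about @{term guardK}\<close>
 
@@ -65,9 +65,9 @@
 lemma guardK_Crypt: "[| Crypt K Y:guardK n Ks; K ~:invKey`Ks |] ==> Y:guardK n Ks"
   by (ind_cases "Crypt K Y:guardK n Ks") (auto intro!: image_eqI)
 
-lemma guardK_MPair [iff]: "({|X,Y|}:guardK n Ks)
+lemma guardK_MPair [iff]: "(\<lbrace>X,Y\<rbrace>:guardK n Ks)
 = (X:guardK n Ks & Y:guardK n Ks)"
-by (auto, (ind_cases "{|X,Y|}:guardK n Ks", auto)+)
+by (auto, (ind_cases "\<lbrace>X,Y\<rbrace>:guardK n Ks", auto)+)
 
 lemma guardK_not_guardK [rule_format]: "X:guardK n Ks ==>
 Crypt K Y:kparts {X} --> Key n:kparts {Y} --> Y ~:guardK n Ks"
@@ -172,7 +172,7 @@
 
 fun crypt_nb :: "msg => nat" where
 "crypt_nb (Crypt K X) = Suc (crypt_nb X)" |
-"crypt_nb {|X,Y|} = crypt_nb X + crypt_nb Y" |
+"crypt_nb \<lbrace>X,Y\<rbrace> = crypt_nb X + crypt_nb Y" |
 "crypt_nb X = 0" (* otherwise *)
 
 subsection\<open>basic facts about @{term crypt_nb}\<close>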
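--- a/src/HOL/Auth/Guard/Guard_NS_Public.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/Guard_NS_Public.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -13,19 +13,19 @@
 
 abbreviation (input)
   ns1 :: "agent => agent => nat => event" where
-  "ns1 A B NA == Says A B (Crypt (pubK B) {|Nonce NA, Agent A|})"
+  "ns1 A B NA == Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>)"
 
 abbreviation (input)
   ns1' :: "agent => agent => agent => nat => event" where
-  "ns1' A' A B NA == Says A' B (Crypt (pubK B) {|Nonce NA, Agent A|})"
+  "ns1' A' A B NA == Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>)"
 
 abbreviation (input)
   ns2 :: "agent => agent => nat => nat => event" where
-  "ns2 B A NA NB == Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|})"
+  "ns2 B A NA NB == Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)"
 
 abbreviation (input)
   ns2' :: "agent => agent => agent => nat => nat => event" where
-  "ns2' B' B A NA NB == Says B' A (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|})"
+  "ns2' B' B A NA NB == Says B' A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)"
 
 abbreviation (input)
   ns3 :: "agent => agent => nat => event" where
@@ -80,28 +80,28 @@
 subsection\<open>nonce are used only once\<close>
 
 lemma NA_is_uniq [rule_format]: "evs:nsp ==>
-Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs)
---> Crypt (pubK B') {|Nonce NA, Agent A'|}:parts (spies evs)
+Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>:parts (spies evs)
+--> Crypt (pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace>:parts (spies evs)
 --> Nonce NA ~:analz (spies evs) --> A=A' & B=B'"
 apply (erule nsp.induct, simp_all)
 by (blast intro: analz_insertI)+
 
 lemma no_Nonce_NS1_NS2 [rule_format]: "evs:nsp ==>
-Crypt (pubK B') {|Nonce NA', Nonce NA, Agent A'|}:parts (spies evs)
---> Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs)
+Crypt (pubK B') \<lbrace>Nonce NA', Nonce NA, Agent A'\<rbrace>:parts (spies evs)
+--> Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>:parts (spies evs)
 --> Nonce NA:analz (spies evs)"
 apply (erule nsp.induct, simp_all)
 by (blast intro: analz_insertI)+
 
 lemma no_Nonce_NS1_NS2' [rule_format]:
-"[| Crypt (pubK B') {|Nonce NA', Nonce NA, Agent A'|}:parts (spies evs);
-Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs); evs:nsp |]
+"[| Crypt (pubK B') \<lbrace>Nonce NA', Nonce NA, Agent A'\<rbrace>:parts (spies evs);
+Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>:parts (spies evs); evs:nsp |]
 ==> Nonce NA:analz (spies evs)"
 by (rule no_Nonce_NS1_NS2, auto)
 
 lemma NB_is_uniq [rule_format]: "evs:nsp ==>
-Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}:parts (spies evs)
---> Crypt (pubK A') {|Nonce NA', Nonce NB, Agent B'|}:parts (spies evs)
+Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>:parts (spies evs)
+--> Crypt (pubK A') \<lbrace>Nonce NA', Nonce NB, Agent B'\<rbrace>:parts (spies evs)
 --> Nonce NB ~:analz (spies evs) --> A=A' & B=B' & NA=NA'"
 apply (erule nsp.induct, simp_all)
 by (blast intro: analz_insertI)+
@@ -166,13 +166,13 @@
 subsection\<open>Agents' Authentication\<close>
 
 lemma B_trusts_NS1: "[| evs:nsp; A ~:bad; B ~:bad |] ==>
-Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs)
+Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>:parts (spies evs)
 --> Nonce NA ~:analz (spies evs) --> ns1 A B NA:set evs"
 apply (erule nsp.induct, simp_all)
 by (blast intro: analz_insertI)+
 
 lemma A_trusts_NS2: "[| evs:nsp; A ~:bad; B ~:bad |] ==> ns1 A B NA:set evs
---> Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}:parts (spies evs)
+--> Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>:parts (spies evs)
 --> ns2 B A NA NB:set evs"
 apply (erule nsp.induct, simp_all, safe)
 apply (frule_tac B=B in ns1_imp_Guard, simp+)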
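--- a/src/HOL/Auth/Guard/Guard_OtwayRees.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/Guard_OtwayRees.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -16,43 +16,43 @@
 abbreviation
   or1 :: "agent => agent => nat => event" where
   "or1 A B NA ==
-    Says A B {|Nonce NA, Agent A, Agent B, Ciph A {|Nonce NA, Agent A, Agent B|}|}"
+    Says A B \<lbrace>Nonce NA, Agent A, Agent B, Ciph A \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>\<rbrace>"
 
 abbreviation
   or1' :: "agent => agent => agent => nat => msg => event" where
-  "or1' A' A B NA X == Says A' B {|Nonce NA, Agent A, Agent B, X|}"
+  "or1' A' A B NA X == Says A' B \<lbrace>Nonce NA, Agent A, Agent B, X\<rbrace>"
 
 abbreviation
   or2 :: "agent => agent => nat => nat => msg => event" where
   "or2 A B NA NB X ==
-    Says B Server {|Nonce NA, Agent A, Agent B, X,
-                    Ciph B {|Nonce NA, Nonce NB, Agent A, Agent B|}|}"
+    Says B Server \<lbrace>Nonce NA, Agent A, Agent B, X,
+                    Ciph B \<lbrace>Nonce NA, Nonce NB, Agent A, Agent B\<rbrace>\<rbrace>"
 
 abbreviation
   or2' :: "agent => agent => agent => nat => nat => event" where
   "or2' B' A B NA NB ==
-    Says B' Server {|Nonce NA, Agent A, Agent B,
-                     Ciph A {|Nonce NA, Agent A, Agent B|},
-                     Ciph B {|Nonce NA, Nonce NB, Agent A, Agent B|}|}"
+    Says B' Server \<lbrace>Nonce NA, Agent A, Agent B,
+                     Ciph A \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>,
+                     Ciph B \<lbrace>Nonce NA, Nonce NB, Agent A, Agent B\<rbrace>\<rbrace>"
 
 abbreviation
   or3 :: "agent => agent => nat => nat => key => event" where
   "or3 A B NA NB K ==
-    Says Server B {|Nonce NA, Ciph A {|Nonce NA, Key K|},
-                    Ciph B {|Nonce NB, Key K|}|}"
+    Says Server B \<lbrace>Nonce NA, Ciph A \<lbrace>Nonce NA, Key K\<rbrace>,
+                    Ciph B \<lbrace>Nonce NB, Key K\<rbrace>\<rbrace>"
 
 abbreviation
   or3':: "agent => msg => agent => agent => nat => nat => key => event" where
   "or3' S Y A B NA NB K ==
-    Says S B {|Nonce NA, Y, Ciph B {|Nonce NB, Key K|}|}"
+    Says S B \<lbrace>Nonce NA, Y, Ciph B \<lbrace>Nonce NB, Key K\<rbrace>\<rbrace>"
 
 abbreviation
   or4 :: "agent => agent => nat => msg => event" where
-  "or4 A B NA X == Says B A {|Nonce NA, X, nil|}"
+  "or4 A B NA X == Says B A \<lbrace>Nonce NA, X, nil\<rbrace>"
 
 abbreviation
   or4' :: "agent => agent => nat => key => event" where
-  "or4' B' A NA K == Says B' A {|Nonce NA, Ciph A {|Nonce NA, Key K|}, nil|}"
+  "or4' B' A NA K == Says B' A \<lbrace>Nonce NA, Ciph A \<lbrace>Nonce NA, Key K\<rbrace>, nil\<rbrace>"
 
 subsection\<open>definition of the protocol\<close>
 
@@ -108,7 +108,7 @@
 ==> X:parts (spies evs)"
 by blast
 
-lemma or3_parts_spies [dest]: "Says S B {|NA, Y, Ciph B {|NB, K|}|}:set evs
+lemma or3_parts_spies [dest]: "Says S B \<lbrace>NA, Y, Ciph B \<lbrace>NB, K\<rbrace>\<rbrace>:set evs
 ==> K:parts (spies evs)"
 by blast
 
@@ -169,13 +169,13 @@
 apply (case_tac "Aa=B", clarsimp)
 apply (case_tac "NAa=NB", clarsimp)
 apply (drule Says_imp_spies)
-apply (drule_tac Y="{|Nonce NB, Agent Aa, Agent Ba|}"
+apply (drule_tac Y="\<lbrace>Nonce NB, Agent Aa, Agent Ba\<rbrace>"
                  and K="shrK Aa" in in_Guard_kparts_Crypt, simp+)
 apply (simp add: No_Nonce) 
 apply (case_tac "Ba=B", clarsimp)
 apply (case_tac "NBa=NB", clarify)
 apply (drule Says_imp_spies)
-apply (drule_tac Y="{|Nonce NAa, Nonce NB, Agent Aa, Agent Ba|}"
+apply (drule_tac Y="\<lbrace>Nonce NAa, Nonce NB, Agent Aa, Agent Ba\<rbrace>"
                  and K="shrK Ba" in in_Guard_kparts_Crypt, simp+)
 apply (simp add: No_Nonce) 
 (* OR4 *)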
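--- a/src/HOL/Auth/Guard/Guard_Public.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/Guard_Public.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -14,7 +14,7 @@
 subsubsection\<open>signature\<close>
 
 definition sign :: "agent => msg => msg" where
-"sign A X == {|Agent A, X, Crypt (priK A) (Hash X)|}"
+"sign A X == \<lbrace>Agent A, X, Crypt (priK A) (Hash X)\<rbrace>"
 
 lemma sign_inj [iff]: "(sign A X = sign A' X') = (A=A' & X=X')"
 by (auto simp: sign_def)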
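--- a/src/HOL/Auth/Guard/Guard_Yahalom.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/Guard_Yahalom.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -11,38 +11,38 @@
 
 abbreviation (input)
   ya1 :: "agent => agent => nat => event" where
-  "ya1 A B NA == Says A B {|Agent A, Nonce NA|}"
+  "ya1 A B NA == Says A B \<lbrace>Agent A, Nonce NA\<rbrace>"
 
 abbreviation (input)
   ya1' :: "agent => agent => agent => nat => event" where
-  "ya1' A' A B NA == Says A' B {|Agent A, Nonce NA|}"
+  "ya1' A' A B NA == Says A' B \<lbrace>Agent A, Nonce NA\<rbrace>"
 
 abbreviation (input)
   ya2 :: "agent => agent => nat => nat => event" where
-  "ya2 A B NA NB == Says B Server {|Agent B, Ciph B {|Agent A, Nonce NA, Nonce NB|}|}"
+  "ya2 A B NA NB == Says B Server \<lbrace>Agent B, Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>\<rbrace>"
 
 abbreviation (input)
   ya2' :: "agent => agent => agent => nat => nat => event" where
-  "ya2' B' A B NA NB == Says B' Server {|Agent B, Ciph B {|Agent A, Nonce NA, Nonce NB|}|}"
+  "ya2' B' A B NA NB == Says B' Server \<lbrace>Agent B, Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>\<rbrace>"
 
 abbreviation (input)
   ya3 :: "agent => agent => nat => nat => key => event" where
   "ya3 A B NA NB K ==
-    Says Server A {|Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|},
-                    Ciph B {|Agent A, Key K|}|}"
+    Says Server A \<lbrace>Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>,
+                    Ciph B \<lbrace>Agent A, Key K\<rbrace>\<rbrace>"
 
 abbreviation (input)
   ya3':: "agent => msg => agent => agent => nat => nat => key => event" where
   "ya3' S Y A B NA NB K ==
-    Says S A {|Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}, Y|}"
+    Says S A \<lbrace>Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>, Y\<rbrace>"
 
 abbreviation (input)
   ya4 :: "agent => agent => nat => nat => msg => event" where
-  "ya4 A B K NB Y == Says A B {|Y, Crypt K (Nonce NB)|}"
+  "ya4 A B K NB Y == Says A B \<lbrace>Y, Crypt K (Nonce NB)\<rbrace>"
 
 abbreviation (input)
   ya4' :: "agent => agent => nat => nat => msg => event" where
-  "ya4' A' B K NB Y == Says A' B {|Y, Crypt K (Nonce NB)|}"
+  "ya4' A' B K NB Y == Says A' B \<lbrace>Y, Crypt K (Nonce NB)\<rbrace>"
 
 
 subsection\<open>definition of the protocol\<close>
@@ -128,19 +128,19 @@
 
 lemma ya2'_parts_imp_ya1'_parts [rule_format]:
      "[| evs:ya; B ~:bad |] ==>
-      Ciph B {|Agent A, Nonce NA, Nonce NB|}:parts (spies evs) -->
-      {|Agent A, Nonce NA|}:spies evs"
+      Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>:parts (spies evs) -->
+      \<lbrace>Agent A, Nonce NA\<rbrace>:spies evs"
 by (erule ya.induct, auto dest: Says_imp_spies intro: parts_parts)
 
 lemma ya2'_imp_ya1'_parts: "[| ya2' B' A B NA NB:set evs; evs:ya; B ~:bad |]
-==> {|Agent A, Nonce NA|}:spies evs"
+==> \<lbrace>Agent A, Nonce NA\<rbrace>:spies evs"
 by (blast dest: Says_imp_spies ya2'_parts_imp_ya1'_parts)
 
 subsection\<open>uniqueness of NB\<close>
 
 lemma NB_is_uniq_in_ya2'_parts [rule_format]: "[| evs:ya; B ~:bad; B' ~:bad |] ==>
-Ciph B {|Agent A, Nonce NA, Nonce NB|}:parts (spies evs) -->
-Ciph B' {|Agent A', Nonce NA', Nonce NB|}:parts (spies evs) -->
+Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>:parts (spies evs) -->
+Ciph B' \<lbrace>Agent A', Nonce NA', Nonce NB\<rbrace>:parts (spies evs) -->
 A=A' & B=B' & NA=NA'"
 apply (erule ya.induct, simp_all, clarify)
 apply (drule Crypt_synth_insert, simp+)
@@ -156,15 +156,15 @@
 subsection\<open>ya3' implies ya2'\<close>
 
 lemma ya3'_parts_imp_ya2'_parts [rule_format]: "[| evs:ya; A ~:bad |] ==>
-Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}:parts (spies evs)
---> Ciph B {|Agent A, Nonce NA, Nonce NB|}:parts (spies evs)"
+Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>:parts (spies evs)
+--> Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>:parts (spies evs)"
 apply (erule ya.induct, simp_all)
 apply (clarify, drule Crypt_synth_insert, simp+)
 apply (blast intro: parts_sub, blast)
 by (auto dest: Says_imp_spies parts_parts)
 
 lemma ya3'_parts_imp_ya2' [rule_format]: "[| evs:ya; A ~:bad |] ==>
-Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}:parts (spies evs)
+Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>:parts (spies evs)
 --> (EX B'. ya2' B' A B NA NB:set evs)"
 apply (erule ya.induct, simp_all, safe)
 apply (drule Crypt_synth_insert, simp+)
@@ -180,7 +180,7 @@
 subsection\<open>ya3' implies ya3\<close>
 
 lemma ya3'_parts_imp_ya3 [rule_format]: "[| evs:ya; A ~:bad |] ==>
-Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}:parts(spies evs)
+Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>:parts(spies evs)
 --> ya3 A B NA NB K:set evs"
 apply (erule ya.induct, simp_all, safe)
 apply (drule Crypt_synth_insert, simp+)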
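Review bot: `ya4` and `ya4'` (9.40–9.47) still declare their third argument as `nat` although it is bound to `K` and used as the key in `Crypt K (Nonce NB)`, while `ya3`/`ya3'` directly above declare the same parameter as `key`. This presumably type-checks only because `key` is a synonym of `nat` in Message, but since these lines are rewritten anyway the signature could state the intent: `ya4 :: "agent => agent => key => nat => msg => event"` and likewise for `ya4'`. The `ya` inductive set and the proofs that consume these abbreviations lie outside the hunks shown.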
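--- a/src/HOL/Auth/Guard/List_Msg.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/List_Msg.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -13,7 +13,7 @@
 
 abbreviation (input)
   cons :: "msg => msg => msg" where
-  "cons x l == {|x,l|}"
+  "cons x l == \<lbrace>x,l\<rbrace>"
 
 subsubsection\<open>induction principle\<close>
 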
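--- a/src/HOL/Auth/Guard/P1.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/P1.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -18,7 +18,7 @@
 the contents of the messages are not completely specified in the paper
 we assume that the user sends his request and his itinerary in the clear
 
-we will adopt the following format for messages: {|A,r,I,L|}
+we will adopt the following format for messages: \<lbrace>A,r,I,L\<rbrace>
 A: originator (agent)
 r: request (number)
 I: next shops (agent list)
@@ -36,8 +36,8 @@
 definition chain :: "agent => nat => agent => msg => agent => msg" where
 "chain B ofr A L C ==
 let m1= Crypt (pubK A) (Nonce ofr) in
-let m2= Hash {|head L, Agent C|} in
-sign B {|m1,m2|}"
+let m2= Hash \<lbrace>head L, Agent C\<rbrace> in
+sign B \<lbrace>m1,m2\<rbrace>"
 
 declare Let_def [simp]
 
@@ -51,7 +51,7 @@
 subsubsection\<open>agent whose key is used to sign an offer\<close>
 
 fun shop :: "msg => msg" where
-"shop {|B,X,Crypt K H|} = Agent (agt K)"
+"shop \<lbrace>B,X,Crypt K H\<rbrace> = Agent (agt K)"
 
 lemma shop_chain [simp]: "shop (chain B ofr A L C) = Agent B"
 by (simp add: chain_def sign_def)
@@ -59,7 +59,7 @@
 subsubsection\<open>nonce used in an offer\<close>
 
 fun nonce :: "msg => msg" where
-"nonce {|B,{|Crypt K ofr,m2|},CryptH|} = ofr"
+"nonce \<lbrace>B,\<lbrace>Crypt K ofr,m2\<rbrace>,CryptH\<rbrace> = ofr"
 
 lemma nonce_chain [simp]: "nonce (chain B ofr A L C) = Nonce ofr"
 by (simp add: chain_def sign_def)
@@ -67,7 +67,7 @@
 subsubsection\<open>next shop\<close>
 
 fun next_shop :: "msg => agent" where
-"next_shop {|B,{|m1,Hash{|headL,Agent C|}|},CryptH|} = C"
+"next_shop \<lbrace>B,\<lbrace>m1,Hash\<lbrace>headL,Agent C\<rbrace>\<rbrace>,CryptH\<rbrace> = C"
 
 lemma next_shop_chain [iff]: "next_shop (chain B ofr A L C) = C"
 by (simp add: chain_def sign_def)
@@ -96,8 +96,8 @@
 subsubsection\<open>request event\<close>
 
 definition reqm :: "agent => nat => nat => msg => agent => msg" where
-"reqm A r n I B == {|Agent A, Number r, cons (Agent A) (cons (Agent B) I),
-cons (anchor A n B) nil|}"
+"reqm A r n I B == \<lbrace>Agent A, Number r, cons (Agent A) (cons (Agent B) I),
+cons (anchor A n B) nil\<rbrace>"
 
 lemma reqm_inj [iff]: "(reqm A r n I B = reqm A' r' n' I' B')
 = (A=A' & r=r' & n=n' & I=I' & B=B')"
@@ -117,8 +117,8 @@
 
 definition prom :: "agent => nat => agent => nat => msg => msg =>
 msg => agent => msg" where
-"prom B ofr A r I L J C == {|Agent A, Number r,
-app (J, del (Agent B, I)), cons (chain B ofr A L C) L|}"
+"prom B ofr A r I L J C == \<lbrace>Agent A, Number r,
+app (J, del (Agent B, I)), cons (chain B ofr A L C) L\<rbrace>"
 
 lemma prom_inj [dest]: "prom B ofr A r I L J C
 = prom B' ofr' A' r' I' L' J' C'
@@ -147,7 +147,7 @@
 
 | Request: "[| evsr:p1; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p1"
 
-| Propose: "[| evsp:p1; Says A' B {|Agent A,Number r,I,cons M L|}:set evsp;
+| Propose: "[| evsp:p1; Says A' B \<lbrace>Agent A,Number r,I,cons M L\<rbrace>:set evsp;
   I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p1"
 
@@ -198,7 +198,7 @@
 subsubsection\<open>list of offers\<close>
 
 fun offers :: "msg => msg" where
-"offers (cons M L) = cons {|shop M, nonce M|} (offers L)" |
+"offers (cons M L) = cons \<lbrace>shop M, nonce M\<rbrace> (offers L)" |
 "offers other = nil"
 
 subsubsection\<open>list of agents whose keys are used to sign a list of offers\<close>
@@ -262,15 +262,15 @@
 apply clarify
 apply (frule len_not_empty, clarsimp)
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,xa,l'a|}:valid A n B" for x xa l'a)
-apply (ind_cases "{|x,M,l'a|}:valid A n B" for x l'a)
+apply (ind_cases "\<lbrace>x,xa,l'a\<rbrace>:valid A n B" for x xa l'a)
+apply (ind_cases "\<lbrace>x,M,l'a\<rbrace>:valid A n B" for x l'a)
 apply (simp add: chain_def)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,repl(l',Suc na,M)|}:valid A n B" for x l' na)
+apply (ind_cases "\<lbrace>x,repl(l',Suc na,M)\<rbrace>:valid A n B" for x l' na)
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
 by (drule_tac x=l' in spec, simp, blast)
 
 subsubsection\<open>insertion resilience:
@@ -286,15 +286,15 @@
 (* i = 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l', simp)
-apply (ind_cases "{|x,M,l'|}:valid A n B" for x l', clarsimp)
-apply (ind_cases "{|head l',l'|}:valid A n B" for l', simp, simp)
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l', simp)
+apply (ind_cases "\<lbrace>x,M,l'\<rbrace>:valid A n B" for x l', clarsimp)
+apply (ind_cases "\<lbrace>head l',l'\<rbrace>:valid A n B" for l', simp, simp)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,ins(l',Suc na,M)|}:valid A n B" for x l' na)
+apply (ind_cases "\<lbrace>x,ins(l',Suc na,M)\<rbrace>:valid A n B" for x l' na)
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
@@ -307,14 +307,14 @@
 (* i = 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|M,l'|}:valid A n B" for l')
+apply (ind_cases "\<lbrace>M,l'\<rbrace>:valid A n B" for l')
 apply (frule len_not_empty, clarsimp, simp)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
@@ -326,7 +326,7 @@
 
 subsubsection\<open>get components of a message\<close>
 
-lemma get_ML [dest]: "Says A' B {|A,r,I,M,L|}:set evs ==>
+lemma get_ML [dest]: "Says A' B \<lbrace>A,r,I,M,L\<rbrace>:set evs ==>
 M:parts (spies evs) & L:parts (spies evs)"
 by blast
 
@@ -400,15 +400,15 @@
 lemma agl_guard [intro]: "I:agl ==> I:guard n Ks"
 by (erule agl.induct, auto)
 
-lemma Says_to_knows_max'_guard: "[| Says A' C {|A'',r,I,L|}:set evs;
+lemma Says_to_knows_max'_guard: "[| Says A' C \<lbrace>A'',r,I,L\<rbrace>:set evs;
 Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks"
 by (auto dest: Says_to_knows_max')
 
-lemma Says_from_knows_max'_guard: "[| Says C A' {|A'',r,I,L|}:set evs;
+lemma Says_from_knows_max'_guard: "[| Says C A' \<lbrace>A'',r,I,L\<rbrace>:set evs;
 Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks"
 by (auto dest: Says_from_knows_max')
 
-lemma Says_Nonce_not_used_guard: "[| Says A' B {|A'',r,I,L|}:set evs;
+lemma Says_Nonce_not_used_guard: "[| Says A' B \<lbrace>A'',r,I,L\<rbrace>:set evs;
 Nonce n ~:used evs |] ==> L:guard n Ks"
 by (drule not_used_not_parts, auto)
 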
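Review bot: The document text at 11.8 now carries the bare term notation `\<lbrace>A,r,I,L\<rbrace>`, whereas the analogous sentence in the Message.thy hunk on this page wraps it in a cartouche so the typeset document renders it as a term rather than as raw symbols. If this line is indeed inside a `text` block (its opening lies above the hunk), the same treatment would keep the two theories consistent: `we will adopt the following format for messages: \<open>\<lbrace>A,r,I,L\<rbrace>\<close>`. The remaining hunks of this section, and all of P2.thy, are mechanical `{|..|}` to `\<lbrace>..\<rbrace>` rewrites and raise nothing further.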
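--- a/src/HOL/Auth/Guard/P2.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/P2.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -23,8 +23,8 @@
 definition chain :: "agent => nat => agent => msg => agent => msg" where
 "chain B ofr A L C ==
 let m1= sign B (Nonce ofr) in
-let m2= Hash {|head L, Agent C|} in
-{|Crypt (pubK A) m1, m2|}"
+let m2= Hash \<lbrace>head L, Agent C\<rbrace> in
+\<lbrace>Crypt (pubK A) m1, m2\<rbrace>"
 
 declare Let_def [simp]
 
@@ -38,7 +38,7 @@
 subsubsection\<open>agent whose key is used to sign an offer\<close>
 
 fun shop :: "msg => msg" where
-"shop {|Crypt K {|B,ofr,Crypt K' H|},m2|} = Agent (agt K')"
+"shop \<lbrace>Crypt K \<lbrace>B,ofr,Crypt K' H\<rbrace>,m2\<rbrace> = Agent (agt K')"
 
 lemma shop_chain [simp]: "shop (chain B ofr A L C) = Agent B"
 by (simp add: chain_def sign_def)
@@ -46,7 +46,7 @@
 subsubsection\<open>nonce used in an offer\<close>
 
 fun nonce :: "msg => msg" where
-"nonce {|Crypt K {|B,ofr,CryptH|},m2|} = ofr"
+"nonce \<lbrace>Crypt K \<lbrace>B,ofr,CryptH\<rbrace>,m2\<rbrace> = ofr"
 
 lemma nonce_chain [simp]: "nonce (chain B ofr A L C) = Nonce ofr"
 by (simp add: chain_def sign_def)
@@ -54,7 +54,7 @@
 subsubsection\<open>next shop\<close>
 
 fun next_shop :: "msg => agent" where
-"next_shop {|m1,Hash {|headL,Agent C|}|} = C"
+"next_shop \<lbrace>m1,Hash \<lbrace>headL,Agent C\<rbrace>\<rbrace> = C"
 
 lemma "next_shop (chain B ofr A L C) = C"
 by (simp add: chain_def sign_def)
@@ -77,8 +77,8 @@
 subsubsection\<open>request event\<close>
 
 definition reqm :: "agent => nat => nat => msg => agent => msg" where
-"reqm A r n I B == {|Agent A, Number r, cons (Agent A) (cons (Agent B) I),
-cons (anchor A n B) nil|}"
+"reqm A r n I B == \<lbrace>Agent A, Number r, cons (Agent A) (cons (Agent B) I),
+cons (anchor A n B) nil\<rbrace>"
 
 lemma reqm_inj [iff]: "(reqm A r n I B = reqm A' r' n' I' B')
 = (A=A' & r=r' & n=n' & I=I' & B=B')"
@@ -98,8 +98,8 @@
 
 definition prom :: "agent => nat => agent => nat => msg => msg =>
 msg => agent => msg" where
-"prom B ofr A r I L J C == {|Agent A, Number r,
-app (J, del (Agent B, I)), cons (chain B ofr A L C) L|}"
+"prom B ofr A r I L J C == \<lbrace>Agent A, Number r,
+app (J, del (Agent B, I)), cons (chain B ofr A L C) L\<rbrace>"
 
 lemma prom_inj [dest]: "prom B ofr A r I L J C = prom B' ofr' A' r' I' L' J' C'
 ==> B=B' & ofr=ofr' & A=A' & r=r' & L=L' & C=C'"
@@ -127,7 +127,7 @@
 
 | Request: "[| evsr:p2; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p2"
 
-| Propose: "[| evsp:p2; Says A' B {|Agent A,Number r,I,cons M L|}:set evsp;
+| Propose: "[| evsp:p2; Says A' B \<lbrace>Agent A,Number r,I,cons M L\<rbrace>:set evsp;
   I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p2"
 
@@ -154,7 +154,7 @@
 
 fun offers :: "msg => msg"
 where
-  "offers (cons M L) = cons {|shop M, nonce M|} (offers L)"
+  "offers (cons M L) = cons \<lbrace>shop M, nonce M\<rbrace> (offers L)"
 | "offers other = nil"
 
 
@@ -173,15 +173,15 @@
 apply clarify
 apply (frule len_not_empty, clarsimp)
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,xa,l'a|}:valid A n B" for x xa l'a)
-apply (ind_cases "{|x,M,l'a|}:valid A n B" for x l'a)
+apply (ind_cases "\<lbrace>x,xa,l'a\<rbrace>:valid A n B" for x xa l'a)
+apply (ind_cases "\<lbrace>x,M,l'a\<rbrace>:valid A n B" for x l'a)
 apply (simp add: chain_def)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,repl(l',Suc na,M)|}:valid A n B" for x l' na)
+apply (ind_cases "\<lbrace>x,repl(l',Suc na,M)\<rbrace>:valid A n B" for x l' na)
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
 by (drule_tac x=l' in spec, simp, blast)
 
 subsection\<open>insertion resilience:
@@ -197,15 +197,15 @@
 (* i = 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l', simp)
-apply (ind_cases "{|x,M,l'|}:valid A n B" for x l', clarsimp)
-apply (ind_cases "{|head l',l'|}:valid A n B" for l', simp, simp)
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l', simp)
+apply (ind_cases "\<lbrace>x,M,l'\<rbrace>:valid A n B" for x l', clarsimp)
+apply (ind_cases "\<lbrace>head l',l'\<rbrace>:valid A n B" for l', simp, simp)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,ins(l',Suc na,M)|}:valid A n B" for x l' na)
+apply (ind_cases "\<lbrace>x,ins(l',Suc na,M)\<rbrace>:valid A n B" for x l' na)
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
@@ -218,14 +218,14 @@
 (* i = 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|M,l'|}:valid A n B" for l')
+apply (ind_cases "\<lbrace>M,l'\<rbrace>:valid A n B" for l')
 apply (frule len_not_empty, clarsimp, simp)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "{|x,l'|}:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
@@ -237,7 +237,7 @@
 
 subsection\<open>get components of a message\<close>
 
-lemma get_ML [dest]: "Says A' B {|A,R,I,M,L|}:set evs ==>
+lemma get_ML [dest]: "Says A' B \<lbrace>A,R,I,M,L\<rbrace>:set evs ==>
 M:parts (spies evs) & L:parts (spies evs)"
 by blast
 
@@ -312,15 +312,15 @@
 lemma agl_guard [intro]: "I:agl ==> I:guard n Ks"
 by (erule agl.induct, auto)
 
-lemma Says_to_knows_max'_guard: "[| Says A' C {|A'',r,I,L|}:set evs;
+lemma Says_to_knows_max'_guard: "[| Says A' C \<lbrace>A'',r,I,L\<rbrace>:set evs;
 Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks"
 by (auto dest: Says_to_knows_max')
 
-lemma Says_from_knows_max'_guard: "[| Says C A' {|A'',r,I,L|}:set evs;
+lemma Says_from_knows_max'_guard: "[| Says C A' \<lbrace>A'',r,I,L\<rbrace>:set evs;
 Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks"
 by (auto dest: Says_from_knows_max')
 
-lemma Says_Nonce_not_used_guard: "[| Says A' B {|A'',r,I,L|}:set evs;
+lemma Says_Nonce_not_used_guard: "[| Says A' B \<lbrace>A'',r,I,L\<rbrace>:set evs;
 Nonce n ~:used evs |] ==> L:guard n Ks"
 by (drule not_used_not_parts, auto)
 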
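--- a/src/HOL/Auth/Guard/Proto.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/Guard/Proto.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -39,7 +39,7 @@
 if (EX A. K = pubK A) then Crypt (pubK (agent s (agt K))) (apm s X)
 else if (EX A. K = priK A) then Crypt (priK (agent s (agt K))) (apm s X)
 else Crypt (key s K) (apm s X))"
-| "apm s {|X,Y|} = {|apm s X, apm s Y|}"
+| "apm s \<lbrace>X,Y\<rbrace> = \<lbrace>apm s X, apm s Y\<rbrace>"
 
 lemma apm_parts: "X:parts {Y} ==> apm s X:parts {apm s Y}"
 apply (erule parts.induct, simp_all, blast)
@@ -371,17 +371,17 @@
 
 abbreviation
   ns1 :: rule where
-  "ns1 == ({}, Says a b (Crypt (pubK b) {|Nonce Na, Agent a|}))"
+  "ns1 == ({}, Says a b (Crypt (pubK b) \<lbrace>Nonce Na, Agent a\<rbrace>))"
 
 abbreviation
   ns2 :: rule where
-  "ns2 == ({Says a' b (Crypt (pubK b) {|Nonce Na, Agent a|})},
-    Says b a (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|}))"
+  "ns2 == ({Says a' b (Crypt (pubK b) \<lbrace>Nonce Na, Agent a\<rbrace>)},
+    Says b a (Crypt (pubK a) \<lbrace>Nonce Na, Nonce Nb, Agent b\<rbrace>))"
 
 abbreviation
   ns3 :: rule where
-  "ns3 == ({Says a b (Crypt (pubK b) {|Nonce Na, Agent a|}),
-    Says b' a (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|})},
+  "ns3 == ({Says a b (Crypt (pubK b) \<lbrace>Nonce Na, Agent a\<rbrace>),
+    Says b' a (Crypt (pubK a) \<lbrace>Nonce Na, Nonce Nb, Agent b\<rbrace>)},
     Says a b (Crypt (pubK b) (Nonce Nb)))"
 
 inductive_set ns :: proto where
@@ -391,11 +391,11 @@
 
 abbreviation (input)
   ns3a :: event where
-  "ns3a == Says a b (Crypt (pubK b) {|Nonce Na, Agent a|})"
+  "ns3a == Says a b (Crypt (pubK b) \<lbrace>Nonce Na, Agent a\<rbrace>)"
 
 abbreviation (input)
   ns3b :: event where
-  "ns3b == Says b' a (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|})"
+  "ns3b == Says b' a (Crypt (pubK a) \<lbrace>Nonce Na, Nonce Nb, Agent b\<rbrace>)"
 
 definition keys :: "keyfun" where
 "keys R' s' n evs == {priK' s' a, priK' s' b}"
@@ -405,8 +405,8 @@
 
 definition secret :: "secfun" where
 "secret R n s Ks ==
-(if R=ns1 then apm s (Crypt (pubK b) {|Nonce Na, Agent a|})
-else if R=ns2 then apm s (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|})
+(if R=ns1 then apm s (Crypt (pubK b) \<lbrace>Nonce Na, Agent a\<rbrace>)
+else if R=ns2 then apm s (Crypt (pubK a) \<lbrace>Nonce Na, Nonce Nb, Agent b\<rbrace>)
 else Number 0)"
 
 definition inf :: "rule => rule => bool" where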
    14.1 --- a/src/HOL/Auth/Message.thy	Mon Dec 28 21:47:32 2015 +0100
    14.2 +++ b/src/HOL/Auth/Message.thy	Mon Dec 28 23:13:33 2015 +0100
    14.3 @@ -48,21 +48,17 @@
    14.4           | Crypt  key msg   \<comment>\<open>Encryption, public- or shared-key\<close>
    14.5  
    14.6  
    14.7 -text\<open>Concrete syntax: messages appear as {|A,B,NA|}, etc...\<close>
    14.8 +text\<open>Concrete syntax: messages appear as \<open>\<lbrace>A,B,NA\<rbrace>\<close>, etc...\<close>
    14.9  syntax
   14.10 -  "_MTuple"      :: "['a, args] => 'a * 'b"       ("(2{|_,/ _|})")
   14.11 -
   14.12 -syntax (xsymbols)
   14.13 -  "_MTuple"      :: "['a, args] => 'a * 'b"       ("(2\<lbrace>_,/ _\<rbrace>)")
   14.14 -
   14.15 +  "_MTuple" :: "['a, args] \<Rightarrow> 'a * 'b"  ("(2\<lbrace>_,/ _\<rbrace>)")
   14.16  translations
   14.17 -  "{|x, y, z|}"   == "{|x, {|y, z|}|}"
   14.18 -  "{|x, y|}"      == "CONST MPair x y"
   14.19 +  "\<lbrace>x, y, z\<rbrace>" \<rightleftharpoons> "\<lbrace>x, \<lbrace>y, z\<rbrace>\<rbrace>"
   14.20 +  "\<lbrace>x, y\<rbrace>" \<rightleftharpoons> "CONST MPair x y"
   14.21  
   14.22  
   14.23  definition HPair :: "[msg,msg] => msg" ("(4Hash[_] /_)" [0, 1000]) where
   14.24      \<comment>\<open>Message Y paired with a MAC computed with the help of X\<close>
   14.25 -    "Hash[X] Y == {| Hash{|X,Y|}, Y|}"
   14.26 +    "Hash[X] Y == \<lbrace>Hash\<lbrace>X,Y\<rbrace>, Y\<rbrace>"
   14.27  
   14.28  definition keysFor :: "msg set => key set" where
   14.29      \<comment>\<open>Keys useful to decrypt elements of a message set\<close>
   14.30 @@ -75,9 +71,9 @@
   14.31    parts :: "msg set => msg set"
   14.32    for H :: "msg set"
   14.33    where
   14.34 -    Inj [intro]:               "X \<in> H ==> X \<in> parts H"
   14.35 -  | Fst:         "{|X,Y|}   \<in> parts H ==> X \<in> parts H"
   14.36 -  | Snd:         "{|X,Y|}   \<in> parts H ==> Y \<in> parts H"
   14.37 +    Inj [intro]: "X \<in> H ==> X \<in> parts H"
   14.38 +  | Fst:         "\<lbrace>X,Y\<rbrace> \<in> parts H ==> X \<in> parts H"
   14.39 +  | Snd:         "\<lbrace>X,Y\<rbrace> \<in> parts H ==> Y \<in> parts H"
   14.40    | Body:        "Crypt K X \<in> parts H ==> X \<in> parts H"
   14.41  
   14.42  
   14.43 @@ -136,7 +132,7 @@
   14.44  lemma keysFor_insert_Hash [simp]: "keysFor (insert (Hash X) H) = keysFor H"
   14.45  by (unfold keysFor_def, auto)
   14.46  
   14.47 -lemma keysFor_insert_MPair [simp]: "keysFor (insert {|X,Y|} H) = keysFor H"
   14.48 +lemma keysFor_insert_MPair [simp]: "keysFor (insert \<lbrace>X,Y\<rbrace> H) = keysFor H"
   14.49  by (unfold keysFor_def, auto)
   14.50  
   14.51  lemma keysFor_insert_Crypt [simp]: 
   14.52 @@ -153,7 +149,7 @@
   14.53  subsection\<open>Inductive relation "parts"\<close>
   14.54  
   14.55  lemma MPair_parts:
   14.56 -     "[| {|X,Y|} \<in> parts H;        
   14.57 +     "[| \<lbrace>X,Y\<rbrace> \<in> parts H;        
   14.58           [| X \<in> parts H; Y \<in> parts H |] ==> P |] ==> P"
   14.59  by (blast dest: parts.Fst parts.Snd) 
   14.60  
   14.61 @@ -294,8 +290,8 @@
   14.62  done
   14.63  
   14.64  lemma parts_insert_MPair [simp]:
   14.65 -     "parts (insert {|X,Y|} H) =  
   14.66 -          insert {|X,Y|} (parts (insert X (insert Y H)))"
   14.67 +     "parts (insert \<lbrace>X,Y\<rbrace> H) =  
   14.68 +          insert \<lbrace>X,Y\<rbrace> (parts (insert X (insert Y H)))"
   14.69  apply (rule equalityI)
   14.70  apply (rule subsetI)
   14.71  apply (erule parts.induct, auto)
   14.72 @@ -330,9 +326,9 @@
   14.73    analz :: "msg set => msg set"
   14.74    for H :: "msg set"
   14.75    where
   14.76 -    Inj [intro,simp] :    "X \<in> H ==> X \<in> analz H"
   14.77 -  | Fst:     "{|X,Y|} \<in> analz H ==> X \<in> analz H"
   14.78 -  | Snd:     "{|X,Y|} \<in> analz H ==> Y \<in> analz H"
   14.79 +    Inj [intro,simp]: "X \<in> H ==> X \<in> analz H"
   14.80 +  | Fst:     "\<lbrace>X,Y\<rbrace> \<in> analz H ==> X \<in> analz H"
   14.81 +  | Snd:     "\<lbrace>X,Y\<rbrace> \<in> analz H ==> Y \<in> analz H"
   14.82    | Decrypt [dest]: 
   14.83               "[|Crypt K X \<in> analz H; Key(invKey K): analz H|] ==> X \<in> analz H"
   14.84  
   14.85 @@ -346,7 +342,7 @@
   14.86  
   14.87  text\<open>Making it safe speeds up proofs\<close>
   14.88  lemma MPair_analz [elim!]:
   14.89 -     "[| {|X,Y|} \<in> analz H;        
   14.90 +     "[| \<lbrace>X,Y\<rbrace> \<in> analz H;        
   14.91               [| X \<in> analz H; Y \<in> analz H |] ==> P   
   14.92            |] ==> P"
   14.93  by (blast dest: analz.Fst analz.Snd)
   14.94 @@ -427,8 +423,8 @@
   14.95  done
   14.96  
   14.97  lemma analz_insert_MPair [simp]:
   14.98 -     "analz (insert {|X,Y|} H) =  
   14.99 -          insert {|X,Y|} (analz (insert X (insert Y H)))"
  14.100 +     "analz (insert \<lbrace>X,Y\<rbrace> H) =  
  14.101 +          insert \<lbrace>X,Y\<rbrace> (analz (insert X (insert Y H)))"
  14.102  apply (rule equalityI)
  14.103  apply (rule subsetI)
  14.104  apply (erule analz.induct, auto)
  14.105 @@ -540,7 +536,7 @@
  14.106  
  14.107  text\<open>If there are no pairs or encryptions then analz does nothing\<close>
  14.108  lemma analz_trivial:
  14.109 -     "[| \<forall>X Y. {|X,Y|} \<notin> H;  \<forall>X K. Crypt K X \<notin> H |] ==> analz H = H"
  14.110 +     "[| \<forall>X Y. \<lbrace>X,Y\<rbrace> \<notin> H;  \<forall>X K. Crypt K X \<notin> H |] ==> analz H = H"
  14.111  apply safe
  14.112  apply (erule analz.induct, blast+)
  14.113  done
  14.114 @@ -571,7 +567,7 @@
  14.115    | Agent  [intro]:   "Agent agt \<in> synth H"
  14.116    | Number [intro]:   "Number n  \<in> synth H"
  14.117    | Hash   [intro]:   "X \<in> synth H ==> Hash X \<in> synth H"
  14.118 -  | MPair  [intro]:   "[|X \<in> synth H;  Y \<in> synth H|] ==> {|X,Y|} \<in> synth H"
  14.119 +  | MPair  [intro]:   "[|X \<in> synth H;  Y \<in> synth H|] ==> \<lbrace>X,Y\<rbrace> \<in> synth H"
  14.120    | Crypt  [intro]:   "[|X \<in> synth H;  Key(K) \<in> H|] ==> Crypt K X \<in> synth H"
  14.121  
  14.122  text\<open>Monotonicity\<close>
  14.123 @@ -585,7 +581,7 @@
  14.124   "Nonce n \<in> synth H"
  14.125   "Key K \<in> synth H"
  14.126   "Hash X \<in> synth H"
  14.127 - "{|X,Y|} \<in> synth H"
  14.128 + "\<lbrace>X,Y\<rbrace> \<in> synth H"
  14.129   "Crypt K X \<in> synth H"
  14.130  
  14.131  lemma synth_increasing: "H \<subseteq> synth(H)"
  14.132 @@ -694,7 +690,7 @@
  14.133  text\<open>Without this equation, other rules for synth and analz would yield
  14.134    redundant cases\<close>
  14.135  lemma MPair_synth_analz [iff]:
  14.136 -     "({|X,Y|} \<in> synth (analz H)) =  
  14.137 +     "(\<lbrace>X,Y\<rbrace> \<in> synth (analz H)) =  
  14.138        (X \<in> synth (analz H) & Y \<in> synth (analz H))"
  14.139  by blast
  14.140  
  14.141 @@ -706,7 +702,7 @@
  14.142  
  14.143  lemma Hash_synth_analz [simp]:
  14.144       "X \<notin> synth (analz H)  
  14.145 -      ==> (Hash{|X,Y|} \<in> synth (analz H)) = (Hash{|X,Y|} \<in> analz H)"
  14.146 +      ==> (Hash\<lbrace>X,Y\<rbrace> \<in> synth (analz H)) = (Hash\<lbrace>X,Y\<rbrace> \<in> analz H)"
  14.147  by blast
  14.148  
  14.149  
  14.150 @@ -742,11 +738,11 @@
  14.151  by (simp add: HPair_def)
  14.152  
  14.153  lemma MPair_eq_HPair [iff]:
  14.154 -     "({|X',Y'|} = Hash[X] Y) = (X' = Hash{|X,Y|} & Y'=Y)"
  14.155 +     "(\<lbrace>X',Y'\<rbrace> = Hash[X] Y) = (X' = Hash\<lbrace>X,Y\<rbrace> & Y'=Y)"
  14.156  by (simp add: HPair_def)
  14.157  
  14.158  lemma HPair_eq_MPair [iff]:
  14.159 -     "(Hash[X] Y = {|X',Y'|}) = (X' = Hash{|X,Y|} & Y'=Y)"
  14.160 +     "(Hash[X] Y = \<lbrace>X',Y'\<rbrace>) = (X' = Hash\<lbrace>X,Y\<rbrace> & Y'=Y)"
  14.161  by (auto simp add: HPair_def)
  14.162  
  14.163  
  14.164 @@ -757,18 +753,18 @@
  14.165  
  14.166  lemma parts_insert_HPair [simp]: 
  14.167      "parts (insert (Hash[X] Y) H) =  
  14.168 -     insert (Hash[X] Y) (insert (Hash{|X,Y|}) (parts (insert Y H)))"
  14.169 +     insert (Hash[X] Y) (insert (Hash\<lbrace>X,Y\<rbrace>) (parts (insert Y H)))"
  14.170  by (simp add: HPair_def)
  14.171  
  14.172  lemma analz_insert_HPair [simp]: 
  14.173      "analz (insert (Hash[X] Y) H) =  
  14.174 -     insert (Hash[X] Y) (insert (Hash{|X,Y|}) (analz (insert Y H)))"
  14.175 +     insert (Hash[X] Y) (insert (Hash\<lbrace>X,Y\<rbrace>) (analz (insert Y H)))"
  14.176  by (simp add: HPair_def)
  14.177  
  14.178  lemma HPair_synth_analz [simp]:
  14.179       "X \<notin> synth (analz H)  
  14.180      ==> (Hash[X] Y \<in> synth (analz H)) =  
  14.181 -        (Hash {|X, Y|} \<in> analz H & Y \<in> synth (analz H))"
  14.182 +        (Hash \<lbrace>X, Y\<rbrace> \<in> analz H & Y \<in> synth (analz H))"
  14.183  by (auto simp add: HPair_def)
  14.184  
  14.185  
  14.186 @@ -814,14 +810,14 @@
  14.187    | Number: "Number N \<in> keyfree"
  14.188    | Nonce:  "Nonce N \<in> keyfree"
  14.189    | Hash:   "Hash X \<in> keyfree"
  14.190 -  | MPair:  "[|X \<in> keyfree;  Y \<in> keyfree|] ==> {|X,Y|} \<in> keyfree"
  14.191 +  | MPair:  "[|X \<in> keyfree;  Y \<in> keyfree|] ==> \<lbrace>X,Y\<rbrace> \<in> keyfree"
  14.192    | Crypt:  "[|X \<in> keyfree|] ==> Crypt K X \<in> keyfree"
  14.193  
  14.194  
  14.195  declare keyfree.intros [intro] 
  14.196  
  14.197  inductive_cases keyfree_KeyE: "Key K \<in> keyfree"
  14.198 -inductive_cases keyfree_MPairE: "{|X,Y|} \<in> keyfree"
  14.199 +inductive_cases keyfree_MPairE: "\<lbrace>X,Y\<rbrace> \<in> keyfree"
  14.200  inductive_cases keyfree_CryptE: "Crypt K X \<in> keyfree"
  14.201  
  14.202  lemma parts_keyfree: "parts (keyfree) \<subseteq> keyfree"
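--- a/src/HOL/Auth/OtwayRees.thy
+++ b/src/HOL/Auth/OtwayRees.thy
@@ -31,17 +31,17 @@
 
          (*Alice initiates a protocol run*)
  | OR1:  "[| evs1 \<in> otway;  Nonce NA \<notin> used evs1 |]
-          ==> Says A B {|Nonce NA, Agent A, Agent B,
-                         Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |}
+          ==> Says A B \<lbrace>Nonce NA, Agent A, Agent B,
+                         Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace> \<rbrace>
                  # evs1 : otway"
 
          (*Bob's response to Alice's message.  Note that NB is encrypted.*)
  | OR2:  "[| evs2 \<in> otway;  Nonce NB \<notin> used evs2;
-             Gets B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |]
+             Gets B \<lbrace>Nonce NA, Agent A, Agent B, X\<rbrace> : set evs2 |]
           ==> Says B Server
-                  {|Nonce NA, Agent A, Agent B, X,
+                  \<lbrace>Nonce NA, Agent A, Agent B, X,
                     Crypt (shrK B)
-                      {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
+                      \<lbrace>Nonce NA, Nonce NB, Agent A, Agent B\<rbrace>\<rbrace>
                  # evs2 : otway"
 
          (*The Server receives Bob's message and checks that the three NAs
@@ -49,34 +49,34 @@
            forwarding to Alice.*)
  | OR3:  "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
              Gets Server
-                  {|Nonce NA, Agent A, Agent B,
-                    Crypt (shrK A) {|Nonce NA, Agent A, Agent B|},
-                    Crypt (shrK B) {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
+                  \<lbrace>Nonce NA, Agent A, Agent B,
+                    Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>,
+                    Crypt (shrK B) \<lbrace>Nonce NA, Nonce NB, Agent A, Agent B\<rbrace>\<rbrace>
                : set evs3 |]
           ==> Says Server B
-                  {|Nonce NA,
-                    Crypt (shrK A) {|Nonce NA, Key KAB|},
-                    Crypt (shrK B) {|Nonce NB, Key KAB|}|}
+                  \<lbrace>Nonce NA,
+                    Crypt (shrK A) \<lbrace>Nonce NA, Key KAB\<rbrace>,
+                    Crypt (shrK B) \<lbrace>Nonce NB, Key KAB\<rbrace>\<rbrace>
                  # evs3 : otway"
 
          (*Bob receives the Server's (?) message and compares the Nonces with
            those in the message he previously sent the Server.
            Need B \<noteq> Server because we allow messages to self.*)
  | OR4:  "[| evs4 \<in> otway;  B \<noteq> Server;
-             Says B Server {|Nonce NA, Agent A, Agent B, X',
+             Says B Server \<lbrace>Nonce NA, Agent A, Agent B, X',
                              Crypt (shrK B)
-                                   {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
+                                   \<lbrace>Nonce NA, Nonce NB, Agent A, Agent B\<rbrace>\<rbrace>
                : set evs4;
-             Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
+             Gets B \<lbrace>Nonce NA, X, Crypt (shrK B) \<lbrace>Nonce NB, Key K\<rbrace>\<rbrace>
                : set evs4 |]
-          ==> Says B A {|Nonce NA, X|} # evs4 : otway"
+          ==> Says B A \<lbrace>Nonce NA, X\<rbrace> # evs4 : otway"
 
          (*This message models possible leaks of session keys.  The nonces
            identify the protocol run.*)
  | Oops: "[| evso \<in> otway;
-             Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
+             Says Server B \<lbrace>Nonce NA, X, Crypt (shrK B) \<lbrace>Nonce NB, Key K\<rbrace>\<rbrace>
                : set evso |]
-          ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway"
+          ==> Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> # evso : otway"
 
 
 declare Says_imp_analz_Spy [dest]
@@ -88,7 +88,7 @@
 text\<open>A "possibility property": there are traces that reach the end\<close>
 lemma "[| B \<noteq> Server; Key K \<notin> used [] |]
       ==> \<exists>evs \<in> otway.
-             Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|}
+             Says B A \<lbrace>Nonce NA, Crypt (shrK A) \<lbrace>Nonce NA, Key K\<rbrace>\<rbrace>
                \<in> set evs"
 apply (intro exI bexI)
 apply (rule_tac [2] otway.Nil
@@ -108,12 +108,12 @@
 (** For reasoning about the encrypted portion of messages **)
 
 lemma OR2_analz_knows_Spy:
-     "[| Gets B {|N, Agent A, Agent B, X|} \<in> set evs;  evs \<in> otway |]
+     "[| Gets B \<lbrace>N, Agent A, Agent B, X\<rbrace> \<in> set evs;  evs \<in> otway |]
       ==> X \<in> analz (knows Spy evs)"
 by blast
 
 lemma OR4_analz_knows_Spy:
-     "[| Gets B {|N, X, Crypt (shrK B) X'|} \<in> set evs;  evs \<in> otway |]
+     "[| Gets B \<lbrace>N, X, Crypt (shrK B) X'\<rbrace> \<in> set evs;  evs \<in> otway |]
       ==> X \<in> analz (knows Spy evs)"
 by blast
 
@@ -151,7 +151,7 @@
 (*Describes the form of K and NA when the Server sends this message.  Also
   for Oops case.*)
 lemma Says_Server_message_form:
-     "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
+     "[| Says Server B \<lbrace>NA, X, Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs;
          evs \<in> otway |]
       ==> K \<notin> range shrK & (\<exists>i. NA = Nonce i) & (\<exists>j. NB = Nonce j)"
 by (erule rev_mp, erule otway.induct, simp_all)
@@ -190,8 +190,8 @@
 
 text\<open>The Key K uniquely identifies the Server's  message.\<close>
 lemma unique_session_keys:
-     "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}   \<in> set evs;
-         Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} \<in> set evs;
+     "[| Says Server B \<lbrace>NA, X, Crypt (shrK B) \<lbrace>NB, K\<rbrace>\<rbrace>   \<in> set evs;
+         Says Server B' \<lbrace>NA',X',Crypt (shrK B') \<lbrace>NB',K\<rbrace>\<rbrace> \<in> set evs;
          evs \<in> otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'"
 apply (erule rev_mp)
 apply (erule rev_mp)
@@ -205,27 +205,27 @@
 text\<open>Only OR1 can have caused such a part of a message to appear.\<close>
 lemma Crypt_imp_OR1 [rule_format]:
  "[| A \<notin> bad;  evs \<in> otway |]
-  ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs) -->
-      Says A B {|NA, Agent A, Agent B,
-                 Crypt (shrK A) {|NA, Agent A, Agent B|}|}
+  ==> Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace> \<in> parts (knows Spy evs) -->
+      Says A B \<lbrace>NA, Agent A, Agent B,
+                 Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace>
         \<in> set evs"
 by (erule otway.induct, force,
     drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+)
 
 lemma Crypt_imp_OR1_Gets:
-     "[| Gets B {|NA, Agent A, Agent B,
-                  Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs;
+     "[| Gets B \<lbrace>NA, Agent A, Agent B,
+                  Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace> \<in> set evs;
          A \<notin> bad; evs \<in> otway |]
-       ==> Says A B {|NA, Agent A, Agent B,
-                      Crypt (shrK A) {|NA, Agent A, Agent B|}|}
+       ==> Says A B \<lbrace>NA, Agent A, Agent B,
+                      Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace>
              \<in> set evs"
 by (blast dest: Crypt_imp_OR1)
 
 
 text\<open>The Nonce NA uniquely identifies A's message\<close>
 lemma unique_NA:
-     "[| Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs);
-         Crypt (shrK A) {|NA, Agent A, Agent C|} \<in> parts (knows Spy evs);
+     "[| Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace> \<in> parts (knows Spy evs);
+         Crypt (shrK A) \<lbrace>NA, Agent A, Agent C\<rbrace> \<in> parts (knows Spy evs);
          evs \<in> otway;  A \<notin> bad |]
       ==> B = C"
 apply (erule rev_mp, erule rev_mp)
@@ -238,9 +238,9 @@
   OR2 encrypts Nonce NB.  It prevents the attack that can occur in the
   over-simplified version of this protocol: see \<open>OtwayRees_Bad\<close>.\<close>
 lemma no_nonce_OR1_OR2:
-   "[| Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs);
+   "[| Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace> \<in> parts (knows Spy evs);
        A \<notin> bad;  evs \<in> otway |]
-    ==> Crypt (shrK A) {|NA', NA, Agent A', Agent A|} \<notin> parts (knows Spy evs)"
+    ==> Crypt (shrK A) \<lbrace>NA', NA, Agent A', Agent A\<rbrace> \<notin> parts (knows Spy evs)"
 apply (erule rev_mp)
 apply (erule otway.induct, force,
        drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+)
@@ -250,13 +250,13 @@
   to start a run, then it originated with the Server!\<close>
 lemma NA_Crypt_imp_Server_msg [rule_format]:
      "[| A \<notin> bad;  evs \<in> otway |]
-      ==> Says A B {|NA, Agent A, Agent B,
-                     Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs -->
-          Crypt (shrK A) {|NA, Key K|} \<in> parts (knows Spy evs)
+      ==> Says A B \<lbrace>NA, Agent A, Agent B,
+                     Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace> \<in> set evs -->
+          Crypt (shrK A) \<lbrace>NA, Key K\<rbrace> \<in> parts (knows Spy evs)
           --> (\<exists>NB. Says Server B
-                         {|NA,
-                           Crypt (shrK A) {|NA, Key K|},
-                           Crypt (shrK B) {|NB, Key K|}|} \<in> set evs)"
+                         \<lbrace>NA,
+                           Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                           Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs)"
 apply (erule otway.induct, force,
        drule_tac [4] OR2_parts_knows_Spy, simp_all, blast)
 apply blast  \<comment>\<open>OR1: by freshness\<close>
@@ -270,14 +270,14 @@
   bad form of this protocol, even though we can prove
   \<open>Spy_not_see_encrypted_key\<close>\<close>
 lemma A_trusts_OR4:
-     "[| Says A  B {|NA, Agent A, Agent B,
-                     Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs;
-         Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \<in> set evs;
+     "[| Says A  B \<lbrace>NA, Agent A, Agent B,
+                     Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace> \<in> set evs;
+         Says B' A \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>\<rbrace> \<in> set evs;
      A \<notin> bad;  evs \<in> otway |]
   ==> \<exists>NB. Says Server B
-               {|NA,
-                 Crypt (shrK A) {|NA, Key K|},
-                 Crypt (shrK B) {|NB, Key K|}|}
+               \<lbrace>NA,
+                 Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace>
                  \<in> set evs"
 by (blast intro!: NA_Crypt_imp_Server_msg)
 
@@ -288,9 +288,9 @@
 lemma secrecy_lemma:
  "[| A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
   ==> Says Server B
-        {|NA, Crypt (shrK A) {|NA, Key K|},
-          Crypt (shrK B) {|NB, Key K|}|} \<in> set evs -->
-      Notes Spy {|NA, NB, Key K|} \<notin> set evs -->
+        \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+          Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs -->
+      Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs -->
       Key K \<notin> analz (knows Spy evs)"
 apply (erule otway.induct, force)
 apply (frule_tac [7] Says_Server_message_form)
@@ -303,9 +303,9 @@
 
 theorem Spy_not_see_encrypted_key:
      "[| Says Server B
-          {|NA, Crypt (shrK A) {|NA, Key K|},
-                Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
-         Notes Spy {|NA, NB, Key K|} \<notin> set evs;
+          \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs;
+         Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
          A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
       ==> Key K \<notin> analz (knows Spy evs)"
 by (blast dest: Says_Server_message_form secrecy_lemma)
@@ -319,9 +319,9 @@
 @{term "Key K \<notin> analz (knows Spy evs)"}.\<close>
 lemma Spy_not_know_encrypted_key:
      "[| Says Server B
-          {|NA, Crypt (shrK A) {|NA, Key K|},
-                Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
-         Notes Spy {|NA, NB, Key K|} \<notin> set evs;
+          \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs;
+         Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
          A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
       ==> Key K \<notin> knows Spy evs"
 by (blast dest: Spy_not_see_encrypted_key)
@@ -330,10 +330,10 @@
 text\<open>A's guarantee.  The Oops premise quantifies over NB because A cannot know
   what it is.\<close>
 lemma A_gets_good_key:
-     "[| Says A  B {|NA, Agent A, Agent B,
-                     Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs;
-         Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \<in> set evs;
-         \<forall>NB. Notes Spy {|NA, NB, Key K|} \<notin> set evs;
+     "[| Says A  B \<lbrace>NA, Agent A, Agent B,
+                     Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace> \<in> set evs;
+         Says B' A \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>\<rbrace> \<in> set evs;
+         \<forall>NB. Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
          A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
       ==> Key K \<notin> analz (knows Spy evs)"
 by (blast dest!: A_trusts_OR4 Spy_not_see_encrypted_key)
@@ -344,11 +344,11 @@
 text\<open>Only OR2 can have caused such a part of a message to appear.  We do not
   know anything about X: it does NOT have to have the right form.\<close>
 lemma Crypt_imp_OR2:
-     "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \<in> parts (knows Spy evs);
+     "[| Crypt (shrK B) \<lbrace>NA, NB, Agent A, Agent B\<rbrace> \<in> parts (knows Spy evs);
          B \<notin> bad;  evs \<in> otway |]
       ==> \<exists>X. Says B Server
-                 {|NA, Agent A, Agent B, X,
-                   Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}
+                 \<lbrace>NA, Agent A, Agent B, X,
+                   Crypt (shrK B) \<lbrace>NA, NB, Agent A, Agent B\<rbrace>\<rbrace>
                  \<in> set evs"
 apply (erule rev_mp)
 apply (erule otway.induct, force,
@@ -358,8 +358,8 @@
 
 text\<open>The Nonce NB uniquely identifies B's  message\<close>
 lemma unique_NB:
-     "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \<in> parts(knows Spy evs);
-         Crypt (shrK B) {|NC, NB, Agent C, Agent B|} \<in> parts(knows Spy evs);
+     "[| Crypt (shrK B) \<lbrace>NA, NB, Agent A, Agent B\<rbrace> \<in> parts(knows Spy evs);
+         Crypt (shrK B) \<lbrace>NC, NB, Agent C, Agent B\<rbrace> \<in> parts(knows Spy evs);
            evs \<in> otway;  B \<notin> bad |]
          ==> NC = NA & C = A"
 apply (erule rev_mp, erule rev_mp)
@@ -372,14 +372,14 @@
   then it originated with the Server!  Quite messy proof.\<close>
 lemma NB_Crypt_imp_Server_msg [rule_format]:
  "[| B \<notin> bad;  evs \<in> otway |]
-  ==> Crypt (shrK B) {|NB, Key K|} \<in> parts (knows Spy evs)
+  ==> Crypt (shrK B) \<lbrace>NB, Key K\<rbrace> \<in> parts (knows Spy evs)
       --> (\<forall>X'. Says B Server
-                     {|NA, Agent A, Agent B, X',
-                       Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}
+                     \<lbrace>NA, Agent A, Agent B, X',
+                       Crypt (shrK B) \<lbrace>NA, NB, Agent A, Agent B\<rbrace>\<rbrace>
            \<in> set evs
           --> Says Server B
-                {|NA, Crypt (shrK A) {|NA, Key K|},
-                      Crypt (shrK B) {|NB, Key K|}|}
+                \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                      Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace>
                     \<in> set evs)"
 apply simp
 apply (erule otway.induct, force,
@@ -394,15 +394,15 @@
 text\<open>Guarantee for B: if it gets a message with matching NB then the Server
   has sent the correct message.\<close>
 theorem B_trusts_OR3:
-     "[| Says B Server {|NA, Agent A, Agent B, X',
-                         Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}
+     "[| Says B Server \<lbrace>NA, Agent A, Agent B, X',
+                         Crypt (shrK B) \<lbrace>NA, NB, Agent A, Agent B\<rbrace>\<rbrace>
            \<in> set evs;
-         Gets B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
+         Gets B \<lbrace>NA, X, Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs;
          B \<notin> bad;  evs \<in> otway |]
       ==> Says Server B
-               {|NA,
-                 Crypt (shrK A) {|NA, Key K|},
-                 Crypt (shrK B) {|NB, Key K|}|}
+               \<lbrace>NA,
+                 Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                 Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace>
                  \<in> set evs"
 by (blast intro!: NB_Crypt_imp_Server_msg)
 
@@ -410,11 +410,11 @@
 text\<open>The obvious combination of \<open>B_trusts_OR3\<close> with 
       \<open>Spy_not_see_encrypted_key\<close>\<close>
 lemma B_gets_good_key:
-     "[| Says B Server {|NA, Agent A, Agent B, X',
-                         Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}
+     "[| Says B Server \<lbrace>NA, Agent A, Agent B, X',
+                         Crypt (shrK B) \<lbrace>NA, NB, Agent A, Agent B\<rbrace>\<rbrace>
            \<in> set evs;
-         Gets B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
-         Notes Spy {|NA, NB, Key K|} \<notin> set evs;
+         Gets B \<lbrace>NA, X, Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs;
+         Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
          A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
       ==> Key K \<notin> analz (knows Spy evs)"
 by (blast dest!: B_trusts_OR3 Spy_not_see_encrypted_key)
@@ -422,11 +422,11 @@
 
 lemma OR3_imp_OR2:
      "[| Says Server B
-              {|NA, Crypt (shrK A) {|NA, Key K|},
-                Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
+              \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs;
          B \<notin> bad;  evs \<in> otway |]
-  ==> \<exists>X. Says B Server {|NA, Agent A, Agent B, X,
-                            Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}
+  ==> \<exists>X. Says B Server \<lbrace>NA, Agent A, Agent B, X,
+                            Crypt (shrK B) \<lbrace>NA, NB, Agent A, Agent B\<rbrace>\<rbrace>
               \<in> set evs"
 apply (erule rev_mp)
 apply (erule otway.induct, simp_all)
@@ -438,12 +438,12 @@
   We could probably prove that X has the expected form, but that is not
   strictly necessary for authentication.\<close>
 theorem A_auths_B:
-     "[| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \<in> set evs;
-         Says A  B {|NA, Agent A, Agent B,
-                     Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs;
+     "[| Says B' A \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>\<rbrace> \<in> set evs;
+         Says A  B \<lbrace>NA, Agent A, Agent B,
+                     Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace> \<in> set evs;
          A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
-  ==> \<exists>NB X. Says B Server {|NA, Agent A, Agent B, X,
-                               Crypt (shrK B)  {|NA, NB, Agent A, Agent B|} |}
+  ==> \<exists>NB X. Says B Server \<lbrace>NA, Agent A, Agent B, X,
+                               Crypt (shrK B)  \<lbrace>NA, NB, Agent A, Agent B\<rbrace>\<rbrace>
                  \<in> set evs"
 by (blast dest!: A_trusts_OR4 OR3_imp_OR2)
 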
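Review bot: The rewritten OR1 rule in the `@@ -31,17 +31,17 @@` hunk keeps a stray space before the outer closing bracket, `Agent B\<rbrace> \<rbrace>`, whereas every other nested pair in this file (OR2, OR3, OR4, Oops and all the lemma statements) is spelled `\<rbrace>\<rbrace>`; since the old `|} |}` is being rewritten anyway, this is the moment to normalise it to `Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>\<rbrace>`. The same stray space appears in the old text only here, so the inconsistency is inherited rather than introduced, but it now stands out against the uniform new notation. The change is otherwise purely notational and the proof scripts (`otway.induct`, `blast`, `simp_all`) are untouched, which suggests the lemma statements keep the same term structure and need no re-proving, though that is for the build to confirm. The `inductive_set otway` definition that these rules belong to starts before this section's first hunk.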
    16.1 --- a/src/HOL/Auth/OtwayRees_AN.thy	Mon Dec 28 21:47:32 2015 +0100
    16.2 +++ b/src/HOL/Auth/OtwayRees_AN.thy	Mon Dec 28 23:13:33 2015 +0100
    16.3 @@ -39,30 +39,30 @@
    16.4  
    16.5   | OR1:  \<comment>\<open>Alice initiates a protocol run\<close>
    16.6           "evs1 \<in> otway
    16.7 -          ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 \<in> otway"
    16.8 +          ==> Says A B \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> # evs1 \<in> otway"
    16.9  
   16.10   | OR2:  \<comment>\<open>Bob's response to Alice's message.\<close>
   16.11           "[| evs2 \<in> otway;
   16.12 -             Gets B {|Agent A, Agent B, Nonce NA|} \<in>set evs2 |]
   16.13 -          ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
   16.14 +             Gets B \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in>set evs2 |]
   16.15 +          ==> Says B Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace>
   16.16                   # evs2 \<in> otway"
   16.17  
   16.18   | OR3:  \<comment>\<open>The Server receives Bob's message.  Then he sends a new
   16.19             session key to Bob with a packet for forwarding to Alice.\<close>
   16.20           "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
   16.21 -             Gets Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
   16.22 +             Gets Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace>
   16.23                 \<in>set evs3 |]
   16.24            ==> Says Server B
   16.25 -               {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key KAB|},
   16.26 -                 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|}
   16.27 +               \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B, Key KAB\<rbrace>,
   16.28 +                 Crypt (shrK B) \<lbrace>Nonce NB, Agent A, Agent B, Key KAB\<rbrace>\<rbrace>
   16.29                # evs3 \<in> otway"
   16.30  
   16.31   | OR4:  \<comment>\<open>Bob receives the Server's (?) message and compares the Nonces with
   16.32               those in the message he previously sent the Server.
   16.33               Need @{term "B \<noteq> Server"} because we allow messages to self.\<close>
   16.34           "[| evs4 \<in> otway;  B \<noteq> Server;
   16.35 -             Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} \<in>set evs4;
   16.36 -             Gets B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|}
   16.37 +             Says B Server \<lbrace>Agent A, Agent B, Nonce NA, Nonce NB\<rbrace> \<in>set evs4;
   16.38 +             Gets B \<lbrace>X, Crypt(shrK B)\<lbrace>Nonce NB,Agent A,Agent B,Key K\<rbrace>\<rbrace>
   16.39                 \<in>set evs4 |]
   16.40            ==> Says B A X # evs4 \<in> otway"
   16.41  
   16.42 @@ -70,10 +70,10 @@
   16.43               identify the protocol run.\<close>
   16.44           "[| evso \<in> otway;
   16.45               Says Server B
   16.46 -                      {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|},
   16.47 -                        Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key K|}|}
   16.48 +                      \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B, Key K\<rbrace>,
   16.49 +                        Crypt (shrK B) \<lbrace>Nonce NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
   16.50                 \<in>set evso |]
   16.51 -          ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> otway"
   16.52 +          ==> Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> # evso \<in> otway"
   16.53  
   16.54  
   16.55  declare Says_imp_knows_Spy [THEN analz.Inj, dest]
   16.56 @@ -85,7 +85,7 @@
   16.57  text\<open>A "possibility property": there are traces that reach the end\<close>
   16.58  lemma "[| B \<noteq> Server; Key K \<notin> used [] |]
   16.59        ==> \<exists>evs \<in> otway.
   16.60 -           Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|})
   16.61 +           Says B A (Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B, Key K\<rbrace>)
   16.62               \<in> set evs"
   16.63  apply (intro exI bexI)
   16.64  apply (rule_tac [2] otway.Nil
   16.65 @@ -104,7 +104,7 @@
   16.66  text\<open>For reasoning about the encrypted portion of messages\<close>
   16.67  
   16.68  lemma OR4_analz_knows_Spy:
   16.69 -     "[| Gets B {|X, Crypt(shrK B) X'|} \<in> set evs;  evs \<in> otway |]
   16.70 +     "[| Gets B \<lbrace>X, Crypt(shrK B) X'\<rbrace> \<in> set evs;  evs \<in> otway |]
   16.71        ==> X \<in> analz (knows Spy evs)"
   16.72  by blast
   16.73  
   16.74 @@ -131,8 +131,8 @@
   16.75  text\<open>Describes the form of K and NA when the Server sends this message.\<close>
   16.76  lemma Says_Server_message_form:
   16.77       "[| Says Server B
   16.78 -            {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},
   16.79 -              Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
   16.80 +            \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>,
   16.81 +              Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
   16.82             \<in> set evs;
   16.83           evs \<in> otway |]
   16.84        ==> K \<notin> range shrK & (\<exists>i. NA = Nonce i) & (\<exists>j. NB = Nonce j)"
   16.85 @@ -175,12 +175,12 @@
   16.86  text\<open>The Key K uniquely identifies the Server's message.\<close>
   16.87  lemma unique_session_keys:
   16.88       "[| Says Server B
   16.89 -          {|Crypt (shrK A) {|NA, Agent A, Agent B, K|},
   16.90 -            Crypt (shrK B) {|NB, Agent A, Agent B, K|}|}
   16.91 +          \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, K\<rbrace>,
   16.92 +            Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, K\<rbrace>\<rbrace>
   16.93           \<in> set evs;
   16.94          Says Server B'
   16.95 -          {|Crypt (shrK A') {|NA', Agent A', Agent B', K|},
   16.96 -            Crypt (shrK B') {|NB', Agent A', Agent B', K|}|}
   16.97 +          \<lbrace>Crypt (shrK A') \<lbrace>NA', Agent A', Agent B', K\<rbrace>,
   16.98 +            Crypt (shrK B') \<lbrace>NB', Agent A', Agent B', K\<rbrace>\<rbrace>
   16.99           \<in> set evs;
  16.100          evs \<in> otway |]
  16.101       ==> A=A' & B=B' & NA=NA' & NB=NB'"
  16.102 @@ -194,10 +194,10 @@
  16.103  text\<open>If the encrypted message appears then it originated with the Server!\<close>
  16.104  lemma NA_Crypt_imp_Server_msg [rule_format]:
  16.105      "[| A \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
  16.106 -     ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} \<in> parts (knows Spy evs)
  16.107 +     ==> Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace> \<in> parts (knows Spy evs)
  16.108         --> (\<exists>NB. Says Server B
  16.109 -                    {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},
  16.110 -                      Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
  16.111 +                    \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>,
  16.112 +                      Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
  16.113                      \<in> set evs)"
  16.114  apply (erule otway.induct, force)
  16.115  apply (simp_all add: ex_disj_distrib)
  16.116 @@ -208,11 +208,11 @@
  16.117  text\<open>Corollary: if A receives B's OR4 message then it originated with the
  16.118        Server. Freshness may be inferred from nonce NA.\<close>
  16.119  lemma A_trusts_OR4:
  16.120 -     "[| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \<in> set evs;
  16.121 +     "[| Says B' A (Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>) \<in> set evs;
  16.122           A \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
  16.123        ==> \<exists>NB. Says Server B
  16.124 -                  {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},
  16.125 -                    Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
  16.126 +                  \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>,
  16.127 +                    Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
  16.128                   \<in> set evs"
  16.129  by (blast intro!: NA_Crypt_imp_Server_msg)
  16.130  
  16.131 @@ -223,10 +223,10 @@
  16.132  lemma secrecy_lemma:
  16.133       "[| A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
  16.134        ==> Says Server B
  16.135 -           {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},
  16.136 -             Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
  16.137 +           \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>,
  16.138 +             Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
  16.139            \<in> set evs -->
  16.140 -          Notes Spy {|NA, NB, Key K|} \<notin> set evs -->
  16.141 +          Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs -->
  16.142            Key K \<notin> analz (knows Spy evs)"
  16.143  apply (erule otway.induct, force)
  16.144  apply (frule_tac [7] Says_Server_message_form)
  16.145 @@ -239,10 +239,10 @@
  16.146  
  16.147  lemma Spy_not_see_encrypted_key:
  16.148       "[| Says Server B
  16.149 -            {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},
  16.150 -              Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
  16.151 +            \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>,
  16.152 +              Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
  16.153             \<in> set evs;
  16.154 -         Notes Spy {|NA, NB, Key K|} \<notin> set evs;
  16.155 +         Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
  16.156           A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
  16.157        ==> Key K \<notin> analz (knows Spy evs)"
  16.158    by (metis secrecy_lemma)
  16.159 @@ -251,8 +251,8 @@
  16.160  text\<open>A's guarantee.  The Oops premise quantifies over NB because A cannot know
  16.161    what it is.\<close>
  16.162  lemma A_gets_good_key:
  16.163 -     "[| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \<in> set evs;
  16.164 -         \<forall>NB. Notes Spy {|NA, NB, Key K|} \<notin> set evs;
  16.165 +     "[| Says B' A (Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>) \<in> set evs;
  16.166 +         \<forall>NB. Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
  16.167           A \<notin> bad;  B \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
  16.168        ==> Key K \<notin> analz (knows Spy evs)"
  16.169    by (metis A_trusts_OR4 secrecy_lemma)
  16.170 @@ -264,10 +264,10 @@
  16.171  text\<open>If the encrypted message appears then it originated with the Server!\<close>
  16.172  lemma NB_Crypt_imp_Server_msg [rule_format]:
  16.173   "[| B \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
  16.174 -  ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} \<in> parts (knows Spy evs)
  16.175 +  ==> Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace> \<in> parts (knows Spy evs)
  16.176        --> (\<exists>NA. Says Server B
  16.177 -                   {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},
  16.178 -                     Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
  16.179 +                   \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>,
  16.180 +                     Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
  16.181                     \<in> set evs)"
  16.182  apply (erule otway.induct, force, simp_all add: ex_disj_distrib)
  16.183  apply blast+  \<comment>\<open>Fake, OR3\<close>
  16.184 @@ -278,12 +278,12 @@
  16.185  text\<open>Guarantee for B: if it gets a well-formed certificate then the Server
  16.186    has sent the correct message in round 3.\<close>
  16.187  lemma B_trusts_OR3:
  16.188 -     "[| Says S B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
  16.189 +     "[| Says S B \<lbrace>X, Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
  16.190             \<in> set evs;
  16.191           B \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
  16.192        ==> \<exists>NA. Says Server B
  16.193 -                   {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},
  16.194 -                     Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
  16.195 +                   \<lbrace>Crypt (shrK A) \<lbrace>NA, Agent A, Agent B, Key K\<rbrace>,
  16.196 +                     Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
  16.197                     \<in> set evs"
  16.198  by (blast intro!: NB_Crypt_imp_Server_msg)
  16.199  
  16.200 @@ -291,9 +291,9 @@
  16.201  text\<open>The obvious combination of \<open>B_trusts_OR3\<close> with 
  16.202        \<open>Spy_not_see_encrypted_key\<close>\<close>
  16.203  lemma B_gets_good_key:
  16.204 -     "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
  16.205 +     "[| Gets B \<lbrace>X, Crypt (shrK B) \<lbrace>NB, Agent A, Agent B, Key K\<rbrace>\<rbrace>
  16.206            \<in> set evs;
  16.207 -         \<forall>NA. Notes Spy {|NA, NB, Key K|} \<notin> set evs;
  16.208 +         \<forall>NA. Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
  16.209           A \<notin> bad;  B \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
  16.210        ==> Key K \<notin> analz (knows Spy evs)"
  16.211  by (blast dest: B_trusts_OR3 Spy_not_see_encrypted_key)
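--- a/src/HOL/Auth/OtwayRees_Bad.thy
+++ b/src/HOL/Auth/OtwayRees_Bad.thy
@@ -36,17 +36,17 @@
 
  | OR1:  \<comment>\<open>Alice initiates a protocol run\<close>
          "[| evs1 \<in> otway;  Nonce NA \<notin> used evs1 |]
-          ==> Says A B {|Nonce NA, Agent A, Agent B,
-                         Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |}
+          ==> Says A B \<lbrace>Nonce NA, Agent A, Agent B,
+                         Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>\<rbrace>
                  # evs1 \<in> otway"
 
  | OR2:  \<comment>\<open>Bob's response to Alice's message.
              This variant of the protocol does NOT encrypt NB.\<close>
          "[| evs2 \<in> otway;  Nonce NB \<notin> used evs2;
-             Gets B {|Nonce NA, Agent A, Agent B, X|} \<in> set evs2 |]
+             Gets B \<lbrace>Nonce NA, Agent A, Agent B, X\<rbrace> \<in> set evs2 |]
           ==> Says B Server
-                  {|Nonce NA, Agent A, Agent B, X, Nonce NB,
-                    Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
+                  \<lbrace>Nonce NA, Agent A, Agent B, X, Nonce NB,
+                    Crypt (shrK B) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>\<rbrace>
                  # evs2 \<in> otway"
 
  | OR3:  \<comment>\<open>The Server receives Bob's message and checks that the three NAs
@@ -54,34 +54,34 @@
            forwarding to Alice.\<close>
          "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
              Gets Server
-                  {|Nonce NA, Agent A, Agent B,
-                    Crypt (shrK A) {|Nonce NA, Agent A, Agent B|},
+                  \<lbrace>Nonce NA, Agent A, Agent B,
+                    Crypt (shrK A) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>,
                     Nonce NB,
-                    Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
+                    Crypt (shrK B) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>\<rbrace>
                \<in> set evs3 |]
           ==> Says Server B
-                  {|Nonce NA,
-                    Crypt (shrK A) {|Nonce NA, Key KAB|},
-                    Crypt (shrK B) {|Nonce NB, Key KAB|}|}
+                  \<lbrace>Nonce NA,
+                    Crypt (shrK A) \<lbrace>Nonce NA, Key KAB\<rbrace>,
+                    Crypt (shrK B) \<lbrace>Nonce NB, Key KAB\<rbrace>\<rbrace>
                  # evs3 \<in> otway"
 
  | OR4:  \<comment>\<open>Bob receives the Server's (?) message and compares the Nonces with
              those in the message he previously sent the Server.
              Need @{term "B \<noteq> Server"} because we allow messages to self.\<close>
          "[| evs4 \<in> otway;  B \<noteq> Server;
-             Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB,
-                             Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
+             Says B Server \<lbrace>Nonce NA, Agent A, Agent B, X', Nonce NB,
+                             Crypt (shrK B) \<lbrace>Nonce NA, Agent A, Agent B\<rbrace>\<rbrace>
                \<in> set evs4;
-             Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
+             Gets B \<lbrace>Nonce NA, X, Crypt (shrK B) \<lbrace>Nonce NB, Key K\<rbrace>\<rbrace>
                \<in> set evs4 |]
-          ==> Says B A {|Nonce NA, X|} # evs4 \<in> otway"
+          ==> Says B A \<lbrace>Nonce NA, X\<rbrace> # evs4 \<in> otway"
 
  | Oops: \<comment>\<open>This message models possible leaks of session keys.  The nonces
              identify the protocol run.\<close>
          "[| evso \<in> otway;
-             Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
+             Says Server B \<lbrace>Nonce NA, X, Crypt (shrK B) \<lbrace>Nonce NB, Key K\<rbrace>\<rbrace>
                \<in> set evso |]
-          ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> otway"
+          ==> Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> # evso \<in> otway"
 
 
 declare Says_imp_knows_Spy [THEN analz.Inj, dest]
@@ -92,7 +92,7 @@
 text\<open>A "possibility property": there are traces that reach the end\<close>
 lemma "[| B \<noteq> Server; Key K \<notin> used [] |]
       ==> \<exists>NA. \<exists>evs \<in> otway.
-            Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|}
+            Says B A \<lbrace>Nonce NA, Crypt (shrK A) \<lbrace>Nonce NA, Key K\<rbrace>\<rbrace>
              \<in> set evs"
 apply (intro exI bexI)
 apply (rule_tac [2] otway.Nil
@@ -112,17 +112,17 @@
 subsection\<open>For reasoning about the encrypted portion of messages\<close>
 
 lemma OR2_analz_knows_Spy:
-     "[| Gets B {|N, Agent A, Agent B, X|} \<in> set evs;  evs \<in> otway |]
+     "[| Gets B \<lbrace>N, Agent A, Agent B, X\<rbrace> \<in> set evs;  evs \<in> otway |]
       ==> X \<in> analz (knows Spy evs)"
 by blast
 
 lemma OR4_analz_knows_Spy:
-     "[| Gets B {|N, X, Crypt (shrK B) X'|} \<in> set evs;  evs \<in> otway |]
+     "[| Gets B \<lbrace>N, X, Crypt (shrK B) X'\<rbrace> \<in> set evs;  evs \<in> otway |]
       ==> X \<in> analz (knows Spy evs)"
 by blast
 
 lemma Oops_parts_knows_Spy:
-     "Says Server B {|NA, X, Crypt K' {|NB,K|}|} \<in> set evs
+     "Says Server B \<lbrace>NA, X, Crypt K' \<lbrace>NB,K\<rbrace>\<rbrace> \<in> set evs
       ==> K \<in> parts (knows Spy evs)"
 by blast
 
@@ -155,7 +155,7 @@
 text\<open>Describes the form of K and NA when the Server sends this message.  Also
   for Oops case.\<close>
 lemma Says_Server_message_form:
-     "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
+     "[| Says Server B \<lbrace>NA, X, Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs;
          evs \<in> otway |]
       ==> K \<notin> range shrK & (\<exists>i. NA = Nonce i) & (\<exists>j. NB = Nonce j)"
 apply (erule rev_mp)
@@ -196,8 +196,8 @@
 
 text\<open>The Key K uniquely identifies the Server's  message.\<close>
 lemma unique_session_keys:
-     "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}   \<in> set evs;
-         Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} \<in> set evs;
+     "[| Says Server B \<lbrace>NA, X, Crypt (shrK B) \<lbrace>NB, K\<rbrace>\<rbrace>   \<in> set evs;
+         Says Server B' \<lbrace>NA',X',Crypt (shrK B') \<lbrace>NB',K\<rbrace>\<rbrace> \<in> set evs;
          evs \<in> otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'"
 apply (erule rev_mp)
 apply (erule rev_mp)
@@ -212,9 +212,9 @@
 lemma secrecy_lemma:
  "[| A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
   ==> Says Server B
-        {|NA, Crypt (shrK A) {|NA, Key K|},
-          Crypt (shrK B) {|NB, Key K|}|} \<in> set evs -->
-      Notes Spy {|NA, NB, Key K|} \<notin> set evs -->
+        \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+          Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs -->
+      Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs -->
       Key K \<notin> analz (knows Spy evs)"
 apply (erule otway.induct, force)
 apply (frule_tac [7] Says_Server_message_form)
@@ -228,9 +228,9 @@
 
 lemma Spy_not_see_encrypted_key:
      "[| Says Server B
-          {|NA, Crypt (shrK A) {|NA, Key K|},
-                Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
-         Notes Spy {|NA, NB, Key K|} \<notin> set evs;
+          \<lbrace>NA, Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs;
+         Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
          A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
       ==> Key K \<notin> analz (knows Spy evs)"
 by (blast dest: Says_Server_message_form secrecy_lemma)
@@ -243,9 +243,9 @@
   up. Original Otway-Rees doesn't need it.\<close>
 lemma Crypt_imp_OR1 [rule_format]:
      "[| A \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
-      ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs) -->
-          Says A B {|NA, Agent A, Agent B,
-                     Crypt (shrK A) {|NA, Agent A, Agent B|}|}  \<in> set evs"
+      ==> Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace> \<in> parts (knows Spy evs) -->
+          Says A B \<lbrace>NA, Agent A, Agent B,
+                     Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace>  \<in> set evs"
 by (erule otway.induct, force,
     drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+)
 
@@ -256,14 +256,14 @@
 text\<open>Only it is FALSE.  Somebody could make a fake message to Server
          substituting some other nonce NA' for NB.\<close>
 lemma "[| A \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
-       ==> Crypt (shrK A) {|NA, Key K|} \<in> parts (knows Spy evs) -->
-           Says A B {|NA, Agent A, Agent B,
-                      Crypt (shrK A) {|NA, Agent A, Agent B|}|}
+       ==> Crypt (shrK A) \<lbrace>NA, Key K\<rbrace> \<in> parts (knows Spy evs) -->
+           Says A B \<lbrace>NA, Agent A, Agent B,
+                      Crypt (shrK A) \<lbrace>NA, Agent A, Agent B\<rbrace>\<rbrace>
             \<in> set evs -->
            (\<exists>B NB. Says Server B
-                {|NA,
-                  Crypt (shrK A) {|NA, Key K|},
-                  Crypt (shrK B) {|NB, Key K|}|}  \<in> set evs)"
+                \<lbrace>NA,
+                  Crypt (shrK A) \<lbrace>NA, Key K\<rbrace>,
+                  Crypt (shrK B) \<lbrace>NB, Key K\<rbrace>\<rbrace> \<in> set evs)"
 apply (erule otway.induct, force,
        drule_tac [4] OR2_parts_knows_Spy, simp_all)
 apply blast  \<comment>\<open>Fake\<close>
@@ -276,13 +276,13 @@
 (*The hypotheses at this point suggest an attack in which nonce NB is used
   in two different roles:
          Gets Server
-           {|Nonce NA, Agent Aa, Agent A,
-             Crypt (shrK Aa) {|Nonce NA, Agent Aa, Agent A|}, Nonce NB,
-             Crypt (shrK A) {|Nonce NA, Agent Aa, Agent A|}|}
+           \<lbrace>Nonce NA, Agent Aa, Agent A,
+             Crypt (shrK Aa) \<lbrace>Nonce NA, Agent Aa, Agent A\<rbrace>, Nonce NB,
+             Crypt (shrK A) \<lbrace>Nonce NA, Agent Aa, Agent A\<rbrace>\<rbrace>
          \<in> set evs3
          Says A B
-           {|Nonce NB, Agent A, Agent B,
-             Crypt (shrK A) {|Nonce NB, Agent A, Agent B|}|}
+           \<lbrace>Nonce NB, Agent A, Agent B,
+             Crypt (shrK A) \<lbrace>Nonce NB, Agent A, Agent B\<rbrace>\<rbrace>
          \<in> set evs3;
 *)
 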
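--- a/src/HOL/Auth/Public.thy
+++ b/src/HOL/Auth/Public.thy
@@ -239,13 +239,13 @@
 apply (auto dest!: parts_cut simp add: used_Nil) 
 done
 
-lemma MPair_used_D: "{|X,Y|} \<in> used H ==> X \<in> used H & Y \<in> used H"
+lemma MPair_used_D: "\<lbrace>X,Y\<rbrace> \<in> used H ==> X \<in> used H & Y \<in> used H"
 by (drule used_parts_subset_parts, simp, blast)
 
 text\<open>There was a similar theorem in Event.thy, so perhaps this one can
   be moved up if proved directly by induction.\<close>
 lemma MPair_used [elim!]:
-     "[| {|X,Y|} \<in> used H;
+     "[| \<lbrace>X,Y\<rbrace> \<in> used H;
          [| X \<in> used H; Y \<in> used H |] ==> P |] 
       ==> P"
 by (blast dest: MPair_used_D) 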
    19.1 --- a/src/HOL/Auth/Recur.thy	Mon Dec 28 21:47:32 2015 +0100
    19.2 +++ b/src/HOL/Auth/Recur.thy	Mon Dec 28 23:13:33 2015 +0100
    19.3 @@ -21,18 +21,18 @@
    19.4    for evs :: "event list"
    19.5    where
    19.6     One:  "Key KAB \<notin> used evs
    19.7 -          ==> (Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, END|},
    19.8 -               {|Crypt (shrK A) {|Key KAB, Agent B, Nonce NA|}, END|},
    19.9 +          ==> (Hash[Key(shrK A)] \<lbrace>Agent A, Agent B, Nonce NA, END\<rbrace>,
   19.10 +               \<lbrace>Crypt (shrK A) \<lbrace>Key KAB, Agent B, Nonce NA\<rbrace>, END\<rbrace>,
   19.11                 KAB)   \<in> respond evs"
   19.12  
   19.13      (*The most recent session key is passed up to the caller*)
   19.14   | Cons: "[| (PA, RA, KAB) \<in> respond evs;
   19.15               Key KBC \<notin> used evs;  Key KBC \<notin> parts {RA};
   19.16 -             PA = Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, P|} |]
   19.17 -          ==> (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|},
   19.18 -               {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|},
   19.19 -                 Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|},
   19.20 -                 RA|},
   19.21 +             PA = Hash[Key(shrK A)] \<lbrace>Agent A, Agent B, Nonce NA, P\<rbrace> |]
   19.22 +          ==> (Hash[Key(shrK B)] \<lbrace>Agent B, Agent C, Nonce NB, PA\<rbrace>,
   19.23 +               \<lbrace>Crypt (shrK B) \<lbrace>Key KBC, Agent C, Nonce NB\<rbrace>,
   19.24 +                 Crypt (shrK B) \<lbrace>Key KAB, Agent A, Nonce NB\<rbrace>,
   19.25 +                 RA\<rbrace>,
   19.26                 KBC)
   19.27                \<in> respond evs"
   19.28  
   19.29 @@ -48,8 +48,8 @@
   19.30     Nil:  "END \<in> responses evs"
   19.31  
   19.32   | Cons: "[| RA \<in> responses evs;  Key KAB \<notin> used evs |]
   19.33 -          ==> {|Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|},
   19.34 -                RA|}  \<in> responses evs"
   19.35 +          ==> \<lbrace>Crypt (shrK B) \<lbrace>Key KAB, Agent A, Nonce NB\<rbrace>,
   19.36 +                RA\<rbrace>  \<in> responses evs"
   19.37  
   19.38  
   19.39  inductive_set recur :: "event list set"
   19.40 @@ -65,15 +65,15 @@
   19.41           (*Alice initiates a protocol run.
   19.42             END is a placeholder to terminate the nesting.*)
   19.43   | RA1:  "[| evs1 \<in> recur;  Nonce NA \<notin> used evs1 |]
   19.44 -          ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, END|})
   19.45 +          ==> Says A B (Hash[Key(shrK A)] \<lbrace>Agent A, Agent B, Nonce NA, END\<rbrace>)
   19.46                # evs1 \<in> recur"
   19.47  
   19.48           (*Bob's response to Alice's message.  C might be the Server.
   19.49 -           We omit PA = {|XA, Agent A, Agent B, Nonce NA, P|} because
   19.50 +           We omit PA = \<lbrace>XA, Agent A, Agent B, Nonce NA, P\<rbrace> because
   19.51             it complicates proofs, so B may respond to any message at all!*)
   19.52   | RA2:  "[| evs2 \<in> recur;  Nonce NB \<notin> used evs2;
   19.53               Says A' B PA \<in> set evs2 |]
   19.54 -          ==> Says B C (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|})
   19.55 +          ==> Says B C (Hash[Key(shrK B)] \<lbrace>Agent B, Agent C, Nonce NB, PA\<rbrace>)
   19.56                # evs2 \<in> recur"
   19.57  
   19.58           (*The Server receives Bob's message and prepares a response.*)
   19.59 @@ -84,11 +84,11 @@
   19.60           (*Bob receives the returned message and compares the Nonces with
   19.61             those in the message he previously sent the Server.*)
   19.62   | RA4:  "[| evs4 \<in> recur;
   19.63 -             Says B  C {|XH, Agent B, Agent C, Nonce NB,
   19.64 -                         XA, Agent A, Agent B, Nonce NA, P|} \<in> set evs4;
   19.65 -             Says C' B {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|},
   19.66 -                         Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|},
   19.67 -                         RA|} \<in> set evs4 |]
   19.68 +             Says B  C \<lbrace>XH, Agent B, Agent C, Nonce NB,
   19.69 +                         XA, Agent A, Agent B, Nonce NA, P\<rbrace> \<in> set evs4;
   19.70 +             Says C' B \<lbrace>Crypt (shrK B) \<lbrace>Key KBC, Agent C, Nonce NB\<rbrace>,
   19.71 +                         Crypt (shrK B) \<lbrace>Key KAB, Agent A, Nonce NB\<rbrace>,
   19.72 +                         RA\<rbrace> \<in> set evs4 |]
   19.73            ==> Says B A RA # evs4 \<in> recur"
   19.74  
   19.75     (*No "oops" message can easily be expressed.  Each session key is
   19.76 @@ -101,7 +101,7 @@
   19.77  
   19.78     Oops:  "[| evso \<in> recur;  Says Server B RB \<in> set evso;
   19.79                RB \<in> responses evs';  Key K \<in> parts {RB} |]
   19.80 -           ==> Notes Spy {|Key K, RB|} # evso \<in> recur"
   19.81 +           ==> Notes Spy \<lbrace>Key K, RB\<rbrace> # evso \<in> recur"
   19.82    *)
   19.83  
   19.84  
   19.85 @@ -120,8 +120,8 @@
   19.86  text\<open>Simplest case: Alice goes directly to the server\<close>
   19.87  lemma "Key K \<notin> used [] 
   19.88         ==> \<exists>NA. \<exists>evs \<in> recur.
   19.89 -              Says Server A {|Crypt (shrK A) {|Key K, Agent Server, Nonce NA|},
   19.90 -                    END|}  \<in> set evs"
   19.91 +              Says Server A \<lbrace>Crypt (shrK A) \<lbrace>Key K, Agent Server, Nonce NA\<rbrace>,
   19.92 +                    END\<rbrace>  \<in> set evs"
   19.93  apply (intro exI bexI)
   19.94  apply (rule_tac [2] recur.Nil [THEN recur.RA1, 
   19.95                               THEN recur.RA3 [OF _ _ respond.One]])
   19.96 @@ -133,8 +133,8 @@
   19.97  lemma "[| Key K \<notin> used []; Key K' \<notin> used []; K \<noteq> K';
   19.98            Nonce NA \<notin> used []; Nonce NB \<notin> used []; NA < NB |]
   19.99         ==> \<exists>NA. \<exists>evs \<in> recur.
  19.100 -        Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|},
  19.101 -                   END|}  \<in> set evs"
  19.102 +        Says B A \<lbrace>Crypt (shrK A) \<lbrace>Key K, Agent B, Nonce NA\<rbrace>,
  19.103 +                   END\<rbrace>  \<in> set evs"
  19.104  apply (intro exI bexI)
  19.105  apply (rule_tac [2] 
  19.106            recur.Nil
  19.107 @@ -152,8 +152,8 @@
  19.108            Nonce NA \<notin> used []; Nonce NB \<notin> used []; Nonce NC \<notin> used []; 
  19.109            NA < NB; NB < NC |]
  19.110         ==> \<exists>K. \<exists>NA. \<exists>evs \<in> recur.
  19.111 -             Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|},
  19.112 -                        END|}  \<in> set evs"
  19.113 +             Says B A \<lbrace>Crypt (shrK A) \<lbrace>Key K, Agent B, Nonce NA\<rbrace>,
  19.114 +                        END\<rbrace>  \<in> set evs"
  19.115  apply (intro exI bexI)
  19.116  apply (rule_tac [2] 
  19.117            recur.Nil [THEN recur.RA1, 
  19.118 @@ -189,7 +189,7 @@
  19.119  lemmas RA2_analz_spies = Says_imp_spies [THEN analz.Inj]
  19.120  
  19.121  lemma RA4_analz_spies:
  19.122 -     "Says C' B {|Crypt K X, X', RA|} \<in> set evs ==> RA \<in> analz (spies evs)"
  19.123 +     "Says C' B \<lbrace>Crypt K X, X', RA\<rbrace> \<in> set evs ==> RA \<in> analz (spies evs)"
  19.124  by blast
  19.125  
  19.126  
  19.127 @@ -278,7 +278,7 @@
  19.128  
  19.129  text\<open>Everything that's hashed is already in past traffic.\<close>
  19.130  lemma Hash_imp_body:
  19.131 -     "[| Hash {|Key(shrK A), X|} \<in> parts (spies evs);
  19.132 +     "[| Hash \<lbrace>Key(shrK A), X\<rbrace> \<in> parts (spies evs);
  19.133           evs \<in> recur;  A \<notin> bad |] ==> X \<in> parts (spies evs)"
  19.134  apply (erule rev_mp)
  19.135  apply (erule recur.induct,
  19.136 @@ -299,8 +299,8 @@
  19.137  **)
  19.138  
  19.139  lemma unique_NA:
  19.140 -  "[| Hash {|Key(shrK A), Agent A, B, NA, P|} \<in> parts (spies evs);
  19.141 -      Hash {|Key(shrK A), Agent A, B',NA, P'|} \<in> parts (spies evs);
  19.142 +  "[| Hash \<lbrace>Key(shrK A), Agent A, B, NA, P\<rbrace> \<in> parts (spies evs);
  19.143 +      Hash \<lbrace>Key(shrK A), Agent A, B',NA, P'\<rbrace> \<in> parts (spies evs);
  19.144        evs \<in> recur;  A \<notin> bad |]
  19.145      ==> B=B' & P=P'"
  19.146  apply (erule rev_mp, erule rev_mp)
  19.147 @@ -348,8 +348,8 @@
  19.148  
  19.149  text\<open>The last key returned by respond indeed appears in a certificate\<close>
  19.150  lemma respond_certificate:
  19.151 -     "(Hash[Key(shrK A)] {|Agent A, B, NA, P|}, RA, K) \<in> respond evs
  19.152 -      ==> Crypt (shrK A) {|Key K, B, NA|} \<in> parts {RA}"
  19.153 +     "(Hash[Key(shrK A)] \<lbrace>Agent A, B, NA, P\<rbrace>, RA, K) \<in> respond evs
  19.154 +      ==> Crypt (shrK A) \<lbrace>Key K, B, NA\<rbrace> \<in> parts {RA}"
  19.155  apply (ind_cases "(Hash[Key (shrK A)] \<lbrace>Agent A, B, NA, P\<rbrace>, RA, K) \<in> respond evs")
  19.156  apply simp_all
  19.157  done
  19.158 @@ -361,8 +361,8 @@
  19.159    the quantifiers appear to be necessary.*)
  19.160  lemma unique_lemma [rule_format]:
  19.161       "(PB,RB,KXY) \<in> respond evs ==>
  19.162 -      \<forall>A B N. Crypt (shrK A) {|Key K, Agent B, N|} \<in> parts {RB} -->
  19.163 -      (\<forall>A' B' N'. Crypt (shrK A') {|Key K, Agent B', N'|} \<in> parts {RB} -->
  19.164 +      \<forall>A B N. Crypt (shrK A) \<lbrace>Key K, Agent B, N\<rbrace> \<in> parts {RB} -->
  19.165 +      (\<forall>A' B' N'. Crypt (shrK A') \<lbrace>Key K, Agent B', N'\<rbrace> \<in> parts {RB} -->
  19.166        (A'=A & B'=B) | (A'=B & B'=A))"
  19.167  apply (erule respond.induct)
  19.168  apply (simp_all add: all_conj_distrib)
  19.169 @@ -370,8 +370,8 @@
  19.170  done
  19.171  
  19.172  lemma unique_session_keys:
  19.173 -     "[| Crypt (shrK A) {|Key K, Agent B, N|} \<in> parts {RB};
  19.174 -         Crypt (shrK A') {|Key K, Agent B', N'|} \<in> parts {RB};
  19.175 +     "[| Crypt (shrK A) \<lbrace>Key K, Agent B, N\<rbrace> \<in> parts {RB};
  19.176 +         Crypt (shrK A') \<lbrace>Key K, Agent B', N'\<rbrace> \<in> parts {RB};
  19.177           (PB,RB,KXY) \<in> respond evs |]
  19.178        ==> (A'=A & B'=B) | (A'=B & B'=A)"
  19.179  by (rule unique_lemma, auto)
  19.180 @@ -384,7 +384,7 @@
  19.181  lemma respond_Spy_not_see_session_key [rule_format]:
  19.182       "[| (PB,RB,KAB) \<in> respond evs;  evs \<in> recur |]
  19.183        ==> \<forall>A A' N. A \<notin> bad & A' \<notin> bad -->
  19.184 -          Crypt (shrK A) {|Key K, Agent A', N|} \<in> parts{RB} -->
  19.185 +          Crypt (shrK A) \<lbrace>Key K, Agent A', N\<rbrace> \<in> parts{RB} -->
  19.186            Key K \<notin> analz (insert RB (spies evs))"
  19.187  apply (erule respond.induct)
  19.188  apply (frule_tac [2] respond_imp_responses)
  19.189 @@ -405,7 +405,7 @@
  19.190  
  19.191  
  19.192  lemma Spy_not_see_session_key:
  19.193 -     "[| Crypt (shrK A) {|Key K, Agent A', N|} \<in> parts (spies evs);
  19.194 +     "[| Crypt (shrK A) \<lbrace>Key K, Agent A', N\<rbrace> \<in> parts (spies evs);
  19.195           A \<notin> bad;  A' \<notin> bad;  evs \<in> recur |]
  19.196        ==> Key K \<notin> analz (spies evs)"
  19.197  apply (erule rev_mp)
  19.198 @@ -430,9 +430,9 @@
  19.199  
  19.200  text\<open>The response never contains Hashes\<close>
  19.201  lemma Hash_in_parts_respond:
  19.202 -     "[| Hash {|Key (shrK B), M|} \<in> parts (insert RB H);
  19.203 +     "[| Hash \<lbrace>Key (shrK B), M\<rbrace> \<in> parts (insert RB H);
  19.204           (PB,RB,K) \<in> respond evs |]
  19.205 -      ==> Hash {|Key (shrK B), M|} \<in> parts H"
  19.206 +      ==> Hash \<lbrace>Key (shrK B), M\<rbrace> \<in> parts H"
  19.207  apply (erule rev_mp)
  19.208  apply (erule respond_imp_responses [THEN responses.induct], auto)
  19.209  done
  19.210 @@ -442,9 +442,9 @@
  19.211    it can say nothing about how recent A's message is.  It might later be
  19.212    used to prove B's presence to A at the run's conclusion.\<close>
  19.213  lemma Hash_auth_sender [rule_format]:
  19.214 -     "[| Hash {|Key(shrK A), Agent A, Agent B, NA, P|} \<in> parts(spies evs);
  19.215 +     "[| Hash \<lbrace>Key(shrK A), Agent A, Agent B, NA, P\<rbrace> \<in> parts(spies evs);
  19.216           A \<notin> bad;  evs \<in> recur |]
  19.217 -      ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, NA, P|}) \<in> set evs"
  19.218 +      ==> Says A B (Hash[Key(shrK A)] \<lbrace>Agent A, Agent B, NA, P\<rbrace>) \<in> set evs"
  19.219  apply (unfold HPair_def)
  19.220  apply (erule rev_mp)
  19.221  apply (erule recur.induct,
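--- a/src/HOL/Auth/TLS.thy
+++ b/src/HOL/Auth/TLS.thy
@@ -20,7 +20,7 @@
 The model assumes that no fraudulent certificates are present, but it does
 assume that some private keys are to the spy.
 
-REMARK.  The event "Notes A {|Agent B, Nonce PMS|}" appears in ClientKeyExch,
+REMARK.  The event "Notes A \<lbrace>Agent B, Nonce PMS\<rbrace>" appears in ClientKeyExch,
 CertVerify, ClientFinished to record that A knows M.  It is a note from A to
 herself.  Nobody else can see it.  In ClientKeyExch, the Spy can substitute
 his own certificate for A's, but he cannot replace A's note by one for himself.
@@ -35,7 +35,7 @@
 Proofs would be simpler if ClientKeyExch included A's name within
 Crypt KB (Nonce PMS).  As things stand, there is much overlap between proofs
 about that message (which B receives) and the stronger event
-Notes A {|Agent B, Nonce PMS|}.
+Notes A \<lbrace>Agent B, Nonce PMS\<rbrace>.
 *)
 
 section\<open>The TLS Protocol: Transport Layer Security\<close>
@@ -43,7 +43,7 @@
 theory TLS imports Public "~~/src/HOL/Library/Nat_Bijection" begin
 
 definition certificate :: "[agent,key] => msg" where
-    "certificate A KA == Crypt (priSK Server) {|Agent A, Key KA|}"
+    "certificate A KA == Crypt (priSK Server) \<lbrace>Agent A, Key KA\<rbrace>"
 
 text\<open>TLS apparently does not require separate keypairs for encryption and
 signature.  Therefore, we formalize signature as encryption using the
@@ -109,8 +109,8 @@
                 to available nonces\<close>
          "[| evsSK \<in> tls;
              {Nonce NA, Nonce NB, Nonce M} <= analz (spies evsSK) |]
-          ==> Notes Spy {| Nonce (PRF(M,NA,NB)),
-                           Key (sessionK((NA,NB,M),role)) |} # evsSK \<in> tls"
+          ==> Notes Spy \<lbrace> Nonce (PRF(M,NA,NB)),
+                           Key (sessionK((NA,NB,M),role))\<rbrace> # evsSK \<in> tls"
 
  | ClientHello:
         \<comment>\<open>(7.4.1.2)
@@ -121,7 +121,7 @@
           May assume @{term "NA \<notin> range PRF"} because CLIENT RANDOM is 
           28 bytes while MASTER SECRET is 48 bytes\<close>
          "[| evsCH \<in> tls;  Nonce NA \<notin> used evsCH;  NA \<notin> range PRF |]
-          ==> Says A B {|Agent A, Nonce NA, Number SID, Number PA|}
+          ==> Says A B \<lbrace>Agent A, Nonce NA, Number SID, Number PA\<rbrace>
                 # evsCH  \<in>  tls"
 
  | ServerHello:
@@ -130,9 +130,9 @@
           SERVER CERTIFICATE (7.4.2) is always present.
           \<open>CERTIFICATE_REQUEST\<close> (7.4.4) is implied.\<close>
          "[| evsSH \<in> tls;  Nonce NB \<notin> used evsSH;  NB \<notin> range PRF;
-             Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}
+             Says A' B \<lbrace>Agent A, Nonce NA, Number SID, Number PA\<rbrace>
                \<in> set evsSH |]
-          ==> Says B A {|Nonce NB, Number SID, Number PB|} # evsSH  \<in>  tls"
+          ==> Says B A \<lbrace>Nonce NB, Number SID, Number PB\<rbrace> # evsSH  \<in>  tls"
 
  | Certificate:
         \<comment>\<open>SERVER (7.4.2) or CLIENT (7.4.6) CERTIFICATE.\<close>
@@ -150,7 +150,7 @@
          "[| evsCX \<in> tls;  Nonce PMS \<notin> used evsCX;  PMS \<notin> range PRF;
              Says B' A (certificate B KB) \<in> set evsCX |]
           ==> Says A B (Crypt KB (Nonce PMS))
-              # Notes A {|Agent B, Nonce PMS|}
+              # Notes A \<lbrace>Agent B, Nonce PMS\<rbrace>
               # evsCX  \<in>  tls"
 
  | CertVerify:
@@ -160,9 +160,9 @@
          Checking the signature, which is the only use of A's certificate,
          assures B of A's presence\<close>
          "[| evsCV \<in> tls;
-             Says B' A {|Nonce NB, Number SID, Number PB|} \<in> set evsCV;
-             Notes A {|Agent B, Nonce PMS|} \<in> set evsCV |]
-          ==> Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|}))
+             Says B' A \<lbrace>Nonce NB, Number SID, Number PB\<rbrace> \<in> set evsCV;
+             Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evsCV |]
+          ==> Says A B (Crypt (priK A) (Hash\<lbrace>Nonce NB, Agent B, Nonce PMS\<rbrace>))
               # evsCV  \<in>  tls"
 
         \<comment>\<open>Finally come the FINISHED messages (7.4.8), confirming PA and PB
@@ -170,37 +170,37 @@
           Either party may send its message first.\<close>
 
  | ClientFinished:
-        \<comment>\<open>The occurrence of Notes A {|Agent B, Nonce PMS|} stops the
+        \<comment>\<open>The occurrence of Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> stops the
           rule's applying when the Spy has satisfied the "Says A B" by
           repaying messages sent by the true client; in that case, the
           Spy does not know PMS and could not send ClientFinished.  One
           could simply put @{term "A\<noteq>Spy"} into the rule, but one should not
           expect the spy to be well-behaved.\<close>
          "[| evsCF \<in> tls;
-             Says A  B {|Agent A, Nonce NA, Number SID, Number PA|}
+             Says A  B \<lbrace>Agent A, Nonce NA, Number SID, Number PA\<rbrace>
                \<in> set evsCF;
-             Says B' A {|Nonce NB, Number SID, Number PB|} \<in> set evsCF;
-             Notes A {|Agent B, Nonce PMS|} \<in> set evsCF;
+             Says B' A \<lbrace>Nonce NB, Number SID, Number PB\<rbrace> \<in> set evsCF;
+             Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evsCF;
              M = PRF(PMS,NA,NB) |]
           ==> Says A B (Crypt (clientK(NA,NB,M))
-                        (Hash{|Number SID, Nonce M,
+                        (Hash\<lbrace>Number SID, Nonce M,
                                Nonce NA, Number PA, Agent A,
-                               Nonce NB, Number PB, Agent B|}))
+                               Nonce NB, Number PB, Agent B\<rbrace>))
               # evsCF  \<in>  tls"
 
  | ServerFinished:
         \<comment>\<open>Keeping A' and A'' distinct means B cannot even check that the
           two messages originate from the same source.\<close>
          "[| evsSF \<in> tls;
-             Says A' B  {|Agent A, Nonce NA, Number SID, Number PA|}
+             Says A' B  \<lbrace>Agent A, Nonce NA, Number SID, Number PA\<rbrace>
                \<in> set evsSF;
-             Says B  A  {|Nonce NB, Number SID, Number PB|} \<in> set evsSF;
+             Says B  A  \<lbrace>Nonce NB, Number SID, Number PB\<rbrace> \<in> set evsSF;
              Says A'' B (Crypt (pubK B) (Nonce PMS)) \<in> set evsSF;
              M = PRF(PMS,NA,NB) |]
           ==> Says B A (Crypt (serverK(NA,NB,M))
-                        (Hash{|Number SID, Nonce M,
+                        (Hash\<lbrace>Number SID, Nonce M,
                                Nonce NA, Number PA, Agent A,
-                               Nonce NB, Number PB, Agent B|}))
+                               Nonce NB, Number PB, Agent B\<rbrace>))
               # evsSF  \<in>  tls"
 
  | ClientAccepts:
@@ -209,15 +209,15 @@
           needed to resume this session.  The "Notes A ..." premise is
           used to prove \<open>Notes_master_imp_Crypt_PMS\<close>.\<close>
          "[| evsCA \<in> tls;
-             Notes A {|Agent B, Nonce PMS|} \<in> set evsCA;
+             Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evsCA;
              M = PRF(PMS,NA,NB);
-             X = Hash{|Number SID, Nonce M,
+             X = Hash\<lbrace>Number SID, Nonce M,
                        Nonce NA, Number PA, Agent A,
-                       Nonce NB, Number PB, Agent B|};
+                       Nonce NB, Number PB, Agent B\<rbrace>;
              Says A  B (Crypt (clientK(NA,NB,M)) X) \<in> set evsCA;
              Says B' A (Crypt (serverK(NA,NB,M)) X) \<in> set evsCA |]
           ==>
-             Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA  \<in>  tls"
+             Notes A \<lbrace>Number SID, Agent A, Agent B, Nonce M\<rbrace> # evsCA  \<in>  tls"
 
  | ServerAccepts:
         \<comment>\<open>Having transmitted ServerFinished and received an identical
@@ -228,38 +228,38 @@
              A \<noteq> B;
              Says A'' B (Crypt (pubK B) (Nonce PMS)) \<in> set evsSA;
              M = PRF(PMS,NA,NB);
-             X = Hash{|Number SID, Nonce M,
+             X = Hash\<lbrace>Number SID, Nonce M,
                        Nonce NA, Number PA, Agent A,
-                       Nonce NB, Number PB, Agent B|};
+                       Nonce NB, Number PB, Agent B\<rbrace>;
              Says B  A (Crypt (serverK(NA,NB,M)) X) \<in> set evsSA;
              Says A' B (Crypt (clientK(NA,NB,M)) X) \<in> set evsSA |]
           ==>
-             Notes B {|Number SID, Agent A, Agent B, Nonce M|} # evsSA  \<in>  tls"
+             Notes B \<lbrace>Number SID, Agent A, Agent B, Nonce M\<rbrace> # evsSA  \<in>  tls"
 
  | ClientResume:
         \<comment>\<open>If A recalls the \<open>SESSION_ID\<close>, then she sends a FINISHED
             message using the new nonces and stored MASTER SECRET.\<close>
          "[| evsCR \<in> tls;
-             Says A  B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsCR;
-             Says B' A {|Nonce NB, Number SID, Number PB|} \<in> set evsCR;
-             Notes A {|Number SID, Agent A, Agent B, Nonce M|} \<in> set evsCR |]
+             Says A  B \<lbrace>Agent A, Nonce NA, Number SID, Number PA\<rbrace>: set evsCR;
+             Says B' A \<lbrace>Nonce NB, Number SID, Number PB\<rbrace> \<in> set evsCR;
+             Notes A \<lbrace>Number SID, Agent A, Agent B, Nonce M\<rbrace> \<in> set evsCR |]
           ==> Says A B (Crypt (clientK(NA,NB,M))
-                        (Hash{|Number SID, Nonce M,
+                        (Hash\<lbrace>Number SID, Nonce M,
                                Nonce NA, Number PA, Agent A,
-                               Nonce NB, Number PB, Agent B|}))
+                               Nonce NB, Number PB, Agent B\<rbrace>))
               # evsCR  \<in>  tls"
 
  | ServerResume:
         \<comment>\<open>Resumption (7.3):  If B finds the \<open>SESSION_ID\<close> then he can 
             send a FINISHED message using the recovered MASTER SECRET\<close>
          "[| evsSR \<in> tls;
-             Says A' B {|Agent A, Nonce NA, Number SID, Number PA|}: set evsSR;
-             Says B  A {|Nonce NB, Number SID, Number PB|} \<in> set evsSR;
-             Notes B {|Number SID, Agent A, Agent B, Nonce M|} \<in> set evsSR |]
+             Says A' B \<lbrace>Agent A, Nonce NA, Number SID, Number PA\<rbrace>: set evsSR;
+             Says B  A \<lbrace>Nonce NB, Number SID, Number PB\<rbrace> \<in> set evsSR;
+             Notes B \<lbrace>Number SID, Agent A, Agent B, Nonce M\<rbrace> \<in> set evsSR |]
           ==> Says B A (Crypt (serverK(NA,NB,M))
-                        (Hash{|Number SID, Nonce M,
+                        (Hash\<lbrace>Number SID, Nonce M,
                                Nonce NA, Number PA, Agent A,
-                               Nonce NB, Number PB, Agent B|})) # evsSR
+                               Nonce NB, Number PB, Agent B\<rbrace>)) # evsSR
                 \<in>  tls"
 
  | Oops:
@@ -333,7 +333,7 @@
 text\<open>Possibility property ending with ClientAccepts.\<close>
 lemma "[| \<forall>evs. (@ N. Nonce N \<notin> used evs) \<notin> range PRF;  A \<noteq> B |]
       ==> \<exists>SID M. \<exists>evs \<in> tls.
-            Notes A {|Number SID, Agent A, Agent B, Nonce M|} \<in> set evs"
+            Notes A \<lbrace>Number SID, Agent A, Agent B, Nonce M\<rbrace> \<in> set evs"
 apply (intro exI bexI)
 apply (rule_tac [2] tls.Nil
                     [THEN tls.ClientHello, THEN tls.ServerHello,
@@ -346,7 +346,7 @@
 text\<open>And one for ServerAccepts.  Either FINISHED message may come first.\<close>
 lemma "[| \<forall>evs. (@ N. Nonce N \<notin> used evs) \<notin> range PRF; A \<noteq> B |]
       ==> \<exists>SID NA PA NB PB M. \<exists>evs \<in> tls.
-           Notes B {|Number SID, Agent A, Agent B, Nonce M|} \<in> set evs"
+           Notes B \<lbrace>Number SID, Agent A, Agent B, Nonce M\<rbrace> \<in> set evs"
 apply (intro exI bexI)
 apply (rule_tac [2] tls.Nil
                     [THEN tls.ClientHello, THEN tls.ServerHello,
@@ -359,7 +359,7 @@
 text\<open>Another one, for CertVerify (which is optional)\<close>
 lemma "[| \<forall>evs. (@ N. Nonce N \<notin> used evs) \<notin> range PRF;  A \<noteq> B |]
        ==> \<exists>NB PMS. \<exists>evs \<in> tls.
-              Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|})) 
+              Says A B (Crypt (priK A) (Hash\<lbrace>Nonce NB, Agent B, Nonce PMS\<rbrace>)) 
                 \<in> set evs"
 apply (intro exI bexI)
 apply (rule_tac [2] tls.Nil
@@ -372,14 +372,14 @@
 text\<open>Another one, for session resumption (both ServerResume and ClientResume).
   NO tls.Nil here: we refer to a previous session, not the empty trace.\<close>
 lemma "[| evs0 \<in> tls;
-          Notes A {|Number SID, Agent A, Agent B, Nonce M|} \<in> set evs0;
-          Notes B {|Number SID, Agent A, Agent B, Nonce M|} \<in> set evs0;
+          Notes A \<lbrace>Number SID, Agent A, Agent B, Nonce M\<rbrace> \<in> set evs0;
+          Notes B \<lbrace>Number SID, Agent A, Agent B, Nonce M\<rbrace> \<in> set evs0;
           \<forall>evs. (@ N. Nonce N \<notin> used evs) \<notin> range PRF;
           A \<noteq> B |]
       ==> \<exists>NA PA NB PB X. \<exists>evs \<in> tls.
-                X = Hash{|Number SID, Nonce M,
+                X = Hash\<lbrace>Number SID, Nonce M,
                           Nonce NA, Number PA, Agent A,
-                          Nonce NB, Number PB, Agent B|}  &
+                          Nonce NB, Number PB, Agent B\<rbrace>  &
                 Says A B (Crypt (clientK(NA,NB,M)) X) \<in> set evs  &
                 Says B A (Crypt (serverK(NA,NB,M)) X) \<in> set evs"
 apply (intro exI bexI)
@@ -425,7 +425,7 @@
 subsubsection\<open>Properties of items found in Notes\<close>
 
 lemma Notes_Crypt_parts_spies:
-     "[| Notes A {|Agent B, X|} \<in> set evs;  evs \<in> tls |]
+     "[| Notes A \<lbrace>Agent B, X\<rbrace> \<in> set evs;  evs \<in> tls |]
       ==> Crypt (pubK B) X \<in> parts (spies evs)"
 apply (erule rev_mp)
 apply (erule tls.induct, 
@@ -435,7 +435,7 @@
 
 text\<open>C may be either A or B\<close>
 lemma Notes_master_imp_Crypt_PMS:
-     "[| Notes C {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} \<in> set evs;
+     "[| Notes C \<lbrace>s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))\<rbrace> \<in> set evs;
          evs \<in> tls |]
       ==> Crypt (pubK B) (Nonce PMS) \<in> parts (spies evs)"
 apply (erule rev_mp)
@@ -448,9 +448,9 @@
 
 text\<open>Compared with the theorem above, both premise and conclusion are stronger\<close>
 lemma Notes_master_imp_Notes_PMS:
-     "[| Notes A {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} \<in> set evs;
+     "[| Notes A \<lbrace>s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))\<rbrace> \<in> set evs;
          evs \<in> tls |]
-      ==> Notes A {|Agent B, Nonce PMS|} \<in> set evs"
+      ==> Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs"
 apply (erule rev_mp)
 apply (erule tls.induct, force, simp_all)
 txt\<open>ServerAccepts\<close>
@@ -463,7 +463,7 @@
 text\<open>B can check A's signature if he has received A's certificate.\<close>
 lemma TrustCertVerify_lemma:
      "[| X \<in> parts (spies evs);
-         X = Crypt (priK A) (Hash{|nb, Agent B, pms|});
+         X = Crypt (priK A) (Hash\<lbrace>nb, Agent B, pms\<rbrace>);
          evs \<in> tls;  A \<notin> bad |]
       ==> Says A B X \<in> set evs"
 apply (erule rev_mp, erule ssubst)
@@ -473,7 +473,7 @@
 text\<open>Final version: B checks X using the distributed KA instead of priK A\<close>
 lemma TrustCertVerify:
      "[| X \<in> parts (spies evs);
-         X = Crypt (invKey KA) (Hash{|nb, Agent B, pms|});
+         X = Crypt (invKey KA) (Hash\<lbrace>nb, Agent B, pms\<rbrace>);
          certificate A KA \<in> parts (spies evs);
          evs \<in> tls;  A \<notin> bad |]
       ==> Says A B X \<in> set evs"
@@ -482,25 +482,25 @@
 
 text\<open>If CertVerify is present then A has chosen PMS.\<close>
 lemma UseCertVerify_lemma:
-     "[| Crypt (priK A) (Hash{|nb, Agent B, Nonce PMS|}) \<in> parts (spies evs);
+     "[| Crypt (priK A) (Hash\<lbrace>nb, Agent B, Nonce PMS\<rbrace>) \<in> parts (spies evs);
          evs \<in> tls;  A \<notin> bad |]
-      ==> Notes A {|Agent B, Nonce PMS|} \<in> set evs"
+      ==> Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs"
 apply (erule rev_mp)
 apply (erule tls.induct, force, simp_all, blast)
 done
 
 text\<open>Final version using the distributed KA instead of priK A\<close>
 lemma UseCertVerify:
-     "[| Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|})
+     "[| Crypt (invKey KA) (Hash\<lbrace>nb, Agent B, Nonce PMS\<rbrace>)
            \<in> parts (spies evs);
          certificate A KA \<in> parts (spies evs);
          evs \<in> tls;  A \<notin> bad |]
-      ==> Notes A {|Agent B, Nonce PMS|} \<in> set evs"
+      ==> Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs"
 by (blast dest!: certificate_valid intro!: UseCertVerify_lemma)
 
 
 lemma no_Notes_A_PRF [simp]:
-     "evs \<in> tls ==> Notes A {|Agent B, Nonce (PRF x)|} \<notin> set evs"
+     "evs \<in> tls ==> Notes A \<lbrace>Agent B, Nonce (PRF x)\<rbrace> \<notin> set evs"
 apply (erule tls.induct, force, simp_all)
 txt\<open>ClientKeyExch: PMS is assumed to differ from any PRF.\<close>
 apply blast
@@ -538,15 +538,15 @@
 
 
 (** It is frustrating that we need two versions of the unicity results.
-    But Notes A {|Agent B, Nonce PMS|} determines both A and B.  Sometimes
+    But Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> determines both A and B.  Sometimes
     we have only the weaker assertion Crypt(pubK B) (Nonce PMS), which
     determines B alone, and only if PMS is secret.
 **)
 
 text\<open>In A's internal Note, PMS determines A and B.\<close>
 lemma Notes_unique_PMS:
-     "[| Notes A  {|Agent B,  Nonce PMS|} \<in> set evs;
-         Notes A' {|Agent B', Nonce PMS|} \<in> set evs;
+     "[| Notes A  \<lbrace>Agent B,  Nonce PMS\<rbrace> \<in> set evs;
+         Notes A' \<lbrace>Agent B', Nonce PMS\<rbrace> \<in> set evs;
          evs \<in> tls |]
       ==> A=A' & B=B'"
 apply (erule rev_mp, erule rev_mp)
@@ -674,7 +674,7 @@
 
 text\<open>If A sends ClientKeyExch to an honest B, then the PMS will stay secret.\<close>
 lemma Spy_not_see_PMS:
-     "[| Notes A {|Agent B, Nonce PMS|} \<in> set evs;
+     "[| Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs;
          evs \<in> tls;  A \<notin> bad;  B \<notin> bad |]
       ==> Nonce PMS \<notin> analz (spies evs)"
 apply (erule rev_mp, erule tls.induct, frule_tac [7] CX_KB_is_pubKB)
@@ -696,7 +696,7 @@
 text\<open>If A sends ClientKeyExch to an honest B, then the MASTER SECRET
   will stay secret.\<close>
 lemma Spy_not_see_MS:
-     "[| Notes A {|Agent B, Nonce PMS|} \<in> set evs;
+     "[| Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs;
          evs \<in> tls;  A \<notin> bad;  B \<notin> bad |]
       ==> Nonce (PRF(PMS,NA,NB)) \<notin> analz (spies evs)"
 apply (erule rev_mp, erule tls.induct, frule_tac [7] CX_KB_is_pubKB)
@@ -720,7 +720,7 @@
   would send a message using a clientK generated from that PMS.\<close>
 lemma Says_clientK_unique:
      "[| Says A' B' (Crypt (clientK(Na,Nb,PRF(PMS,NA,NB))) Y) \<in> set evs;
-         Notes A {|Agent B, Nonce PMS|} \<in> set evs;
+         Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs;
          evs \<in> tls;  A' \<noteq> Spy |]
       ==> A = A'"
 apply (erule rev_mp, erule rev_mp)
@@ -737,7 +737,7 @@
 text\<open>If A created PMS and has not leaked her clientK to the Spy,
   then it is completely secure: not even in parts!\<close>
 lemma clientK_not_spied:
-     "[| Notes A {|Agent B, Nonce PMS|} \<in> set evs;
+     "[| Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs;
          Says A Spy (Key (clientK(Na,Nb,PRF(PMS,NA,NB)))) \<notin> set evs;
          A \<notin> bad;  B \<notin> bad;
          evs \<in> tls |]
@@ -762,7 +762,7 @@
   send a message using a serverK generated from that PMS.\<close>
 lemma Says_serverK_unique:
      "[| Says B' A' (Crypt (serverK(Na,Nb,PRF(PMS,NA,NB))) Y) \<in> set evs;
-         Notes A {|Agent B, Nonce PMS|} \<in> set evs;
+         Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs;
          evs \<in> tls;  A \<notin> bad;  B \<notin> bad;  B' \<noteq> Spy |]
       ==> B = B'"
 apply (erule rev_mp, erule rev_mp)
@@ -779,7 +779,7 @@
 text\<open>If A created PMS for B, and B has not leaked his serverK to the Spy,
   then it is completely secure: not even in parts!\<close>
 lemma serverK_not_spied:
-     "[| Notes A {|Agent B, Nonce PMS|} \<in> set evs;
+     "[| Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs;
          Says B Spy (Key(serverK(Na,Nb,PRF(PMS,NA,NB)))) \<notin> set evs;
          A \<notin> bad;  B \<notin> bad;  evs \<in> tls |]
       ==> Key (serverK(Na,Nb,PRF(PMS,NA,NB))) \<notin> parts (spies evs)"
@@ -804,13 +804,13 @@
 text\<open>The mention of her name (A) in X assures A that B knows who she is.\<close>
 lemma TrustServerFinished [rule_format]:
      "[| X = Crypt (serverK(Na,Nb,M))
-               (Hash{|Number SID, Nonce M,
+               (Hash\<lbrace>Number SID, Nonce M,
                       Nonce Na, Number PA, Agent A,
-                      Nonce Nb, Number PB, Agent B|});
+                      Nonce Nb, Number PB, Agent B\<rbrace>);
          M = PRF(PMS,NA,NB);
          evs \<in> tls;  A \<notin> bad;  B \<notin> bad |]
       ==> Says B Spy (Key(serverK(Na,Nb,M))) \<notin> set evs -->
-          Notes A {|Agent B, Nonce PMS|} \<in> set evs -->
+          Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs -->
           X \<in> parts (spies evs) --> Says B A X \<in> set evs"
 apply (erule ssubst)+
 apply (erule tls.induct, frule_tac [7] CX_KB_is_pubKB)
@@ -829,7 +829,7 @@
 lemma TrustServerMsg [rule_format]:
      "[| M = PRF(PMS,NA,NB);  evs \<in> tls;  A \<notin> bad;  B \<notin> bad |]
       ==> Says B Spy (Key(serverK(Na,Nb,M))) \<notin> set evs -->
-          Notes A {|Agent B, Nonce PMS|} \<in> set evs -->
+          Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs -->
           Crypt (serverK(Na,Nb,M)) Y \<in> parts (spies evs)  -->
           (\<exists>A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) \<in> set evs)"
 apply (erule ssubst)
@@ -855,7 +855,7 @@
 lemma TrustClientMsg [rule_format]:
      "[| M = PRF(PMS,NA,NB);  evs \<in> tls;  A \<notin> bad;  B \<notin> bad |]
       ==> Says A Spy (Key(clientK(Na,Nb,M))) \<notin> set evs -->
-          Notes A {|Agent B, Nonce PMS|} \<in> set evs -->
+          Notes A \<lbrace>Agent B, Nonce PMS\<rbrace> \<in> set evs -->
           Crypt (clientK(Na,Nb,M)) Y \<in> parts (spies evs) -->
           Says A B (Crypt (clientK(Na,Nb,M)) Y) \<in> set evs"
 apply (erule ssubst)
@@ -878,7 +878,7 @@
          Says A Spy (Key(clientK(Na,Nb,M))) \<notin> set evs;
          Says A' B (Crypt (clientK(Na,Nb,M)) Y) \<in> set evs;
          certificate A KA \<in> parts (spies evs);
-         Says A'' B (Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|}))
+         Says A'' B (Crypt (invKey KA) (Hash\<lbrace>nb, Agent B, Nonce PMS\<rbrace>))
            \<in> set evs;
          evs \<in> tls;  A \<notin> bad;  B \<notin> bad |]
       ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) \<in> set evs"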
    21.1 --- a/src/HOL/Auth/WooLam.thy	Mon Dec 28 21:47:32 2015 +0100
    21.2 +++ b/src/HOL/Auth/WooLam.thy	Mon Dec 28 23:13:33 2015 +0100
    21.3 @@ -52,13 +52,13 @@
    21.4   | WL4:  "[| evs4 \<in> woolam;
    21.5               Says A'  B X         \<in> set evs4;
    21.6               Says A'' B (Agent A) \<in> set evs4 |]
    21.7 -          ==> Says B Server {|Agent A, Agent B, X|} # evs4 \<in> woolam"
    21.8 +          ==> Says B Server \<lbrace>Agent A, Agent B, X\<rbrace> # evs4 \<in> woolam"
    21.9  
   21.10           (*Server decrypts Alice's response for Bob.*)
   21.11   | WL5:  "[| evs5 \<in> woolam;
   21.12 -             Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|}
   21.13 +             Says B' Server \<lbrace>Agent A, Agent B, Crypt (shrK A) (Nonce NB)\<rbrace>
   21.14                 \<in> set evs5 |]
   21.15 -          ==> Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|})
   21.16 +          ==> Says Server B (Crypt (shrK B) \<lbrace>Agent A, Nonce NB\<rbrace>)
   21.17                   # evs5 \<in> woolam"
   21.18  
   21.19  
   21.20 @@ -70,7 +70,7 @@
   21.21  
   21.22  (*A "possibility property": there are traces that reach the end*)
   21.23  lemma "\<exists>NB. \<exists>evs \<in> woolam.
   21.24 -             Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|}) \<in> set evs"
   21.25 +             Says Server B (Crypt (shrK B) \<lbrace>Agent A, Nonce NB\<rbrace>) \<in> set evs"
   21.26  apply (intro exI bexI)
   21.27  apply (rule_tac [2] woolam.Nil
   21.28                      [THEN woolam.WL1, THEN woolam.WL2, THEN woolam.WL3,
   21.29 @@ -113,7 +113,7 @@
   21.30    Alice, then she originated that certificate.  But we DO NOT know that B
   21.31    ever saw it: the Spy may have rerouted the message to the Server.*)
   21.32  lemma Server_trusts_WL4 [dest]:
   21.33 -     "[| Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|}
   21.34 +     "[| Says B' Server \<lbrace>Agent A, Agent B, Crypt (shrK A) (Nonce NB)\<rbrace>
   21.35             \<in> set evs;
   21.36           A \<notin> bad;  evs \<in> woolam |]
   21.37        ==> \<exists>B. Says A B (Crypt (shrK A) (Nonce NB)) \<in> set evs"
   21.38 @@ -124,17 +124,17 @@
   21.39  
   21.40  (*Server sent WL5 only if it received the right sort of message*)
   21.41  lemma Server_sent_WL5 [dest]:
   21.42 -     "[| Says Server B (Crypt (shrK B) {|Agent A, NB|}) \<in> set evs;
   21.43 +     "[| Says Server B (Crypt (shrK B) \<lbrace>Agent A, NB\<rbrace>) \<in> set evs;
   21.44           evs \<in> woolam |]
   21.45 -      ==> \<exists>B'. Says B' Server {|Agent A, Agent B, Crypt (shrK A) NB|}
   21.46 +      ==> \<exists>B'. Says B' Server \<lbrace>Agent A, Agent B, Crypt (shrK A) NB\<rbrace>
   21.47               \<in> set evs"
   21.48  by (erule rev_mp, erule woolam.induct, force, simp_all, blast+)
   21.49  
   21.50  (*If the encrypted message appears then it originated with the Server!*)
   21.51  lemma NB_Crypt_imp_Server_msg [rule_format]:
   21.52 -     "[| Crypt (shrK B) {|Agent A, NB|} \<in> parts (spies evs);
   21.53 +     "[| Crypt (shrK B) \<lbrace>Agent A, NB\<rbrace> \<in> parts (spies evs);
   21.54           B \<notin> bad;  evs \<in> woolam |]
   21.55 -      ==> Says Server B (Crypt (shrK B) {|Agent A, NB|}) \<in> set evs"
   21.56 +      ==> Says Server B (Crypt (shrK B) \<lbrace>Agent A, NB\<rbrace>) \<in> set evs"
   21.57  by (erule rev_mp, erule woolam.induct, force, simp_all, blast+)
   21.58  
   21.59  (*Guarantee for B.  If B gets the Server's certificate then A has encrypted
   21.60 @@ -142,7 +142,7 @@
   21.61    But A may have sent the nonce to some other agent and it could have reached
   21.62    the Server via the Spy.*)
   21.63  lemma B_trusts_WL5:
   21.64 -     "[| Says S B (Crypt (shrK B) {|Agent A, Nonce NB|}): set evs;
   21.65 +     "[| Says S B (Crypt (shrK B) \<lbrace>Agent A, Nonce NB\<rbrace>): set evs;
   21.66           A \<notin> bad;  B \<notin> bad;  evs \<in> woolam  |]
   21.67        ==> \<exists>B. Says A B (Crypt (shrK A) (Nonce NB)) \<in> set evs"
   21.68  by (blast dest!: NB_Crypt_imp_Server_msg)
    22.1 --- a/src/HOL/Auth/Yahalom.thy	Mon Dec 28 21:47:32 2015 +0100
    22.2 +++ b/src/HOL/Auth/Yahalom.thy	Mon Dec 28 23:13:33 2015 +0100
    22.3 @@ -32,24 +32,24 @@
    22.4  
    22.5           (*Alice initiates a protocol run*)
    22.6   | YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
    22.7 -          ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom"
    22.8 +          ==> Says A B \<lbrace>Agent A, Nonce NA\<rbrace> # evs1 \<in> yahalom"
    22.9  
   22.10           (*Bob's response to Alice's message.*)
   22.11   | YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
   22.12 -             Gets B {|Agent A, Nonce NA|} \<in> set evs2 |]
   22.13 +             Gets B \<lbrace>Agent A, Nonce NA\<rbrace> \<in> set evs2 |]
   22.14            ==> Says B Server 
   22.15 -                  {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
   22.16 +                  \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>\<rbrace>
   22.17                  # evs2 \<in> yahalom"
   22.18  
   22.19           (*The Server receives Bob's message.  He responds by sending a
   22.20              new session key to Alice, with a packet for forwarding to Bob.*)
   22.21   | YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;  KAB \<in> symKeys;
   22.22               Gets Server 
   22.23 -                  {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
   22.24 +                  \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>\<rbrace>
   22.25                 \<in> set evs3 |]
   22.26            ==> Says Server A
   22.27 -                   {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|},
   22.28 -                     Crypt (shrK B) {|Agent A, Key KAB|}|}
   22.29 +                   \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key KAB, Nonce NA, Nonce NB\<rbrace>,
   22.30 +                     Crypt (shrK B) \<lbrace>Agent A, Key KAB\<rbrace>\<rbrace>
   22.31                  # evs3 \<in> yahalom"
   22.32  
   22.33   | YM4:  
   22.34 @@ -58,25 +58,25 @@
   22.35             @{term "A \<noteq> Server"} is needed for \<open>Says_Server_not_range\<close>.
   22.36             Alice can check that K is symmetric by its length.\<close>
   22.37           "[| evs4 \<in> yahalom;  A \<noteq> Server;  K \<in> symKeys;
   22.38 -             Gets A {|Crypt(shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, X|}
   22.39 +             Gets A \<lbrace>Crypt(shrK A) \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>, X\<rbrace>
   22.40                  \<in> set evs4;
   22.41 -             Says A B {|Agent A, Nonce NA|} \<in> set evs4 |]
   22.42 -          ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \<in> yahalom"
   22.43 +             Says A B \<lbrace>Agent A, Nonce NA\<rbrace> \<in> set evs4 |]
   22.44 +          ==> Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> # evs4 \<in> yahalom"
   22.45  
   22.46           (*This message models possible leaks of session keys.  The Nonces
   22.47             identify the protocol run.  Quoting Server here ensures they are
   22.48             correct.*)
   22.49   | Oops: "[| evso \<in> yahalom;  
   22.50 -             Says Server A {|Crypt (shrK A)
   22.51 -                                   {|Agent B, Key K, Nonce NA, Nonce NB|},
   22.52 -                             X|}  \<in> set evso |]
   22.53 -          ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> yahalom"
   22.54 +             Says Server A \<lbrace>Crypt (shrK A)
   22.55 +                                   \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>,
   22.56 +                             X\<rbrace>  \<in> set evso |]
   22.57 +          ==> Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> # evso \<in> yahalom"
   22.58  
   22.59  
   22.60  definition KeyWithNonce :: "[key, nat, event list] => bool" where
   22.61    "KeyWithNonce K NB evs ==
   22.62       \<exists>A B na X. 
   22.63 -       Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} 
   22.64 +       Says Server A \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, Nonce NB\<rbrace>, X\<rbrace>
   22.65           \<in> set evs"
   22.66  
   22.67  
   22.68 @@ -88,7 +88,7 @@
   22.69  text\<open>A "possibility property": there are traces that reach the end\<close>
   22.70  lemma "[| A \<noteq> Server; K \<in> symKeys; Key K \<notin> used [] |]
   22.71        ==> \<exists>X NB. \<exists>evs \<in> yahalom.
   22.72 -             Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs"
   22.73 +             Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs"
   22.74  apply (intro exI bexI)
   22.75  apply (rule_tac [2] yahalom.Nil
   22.76                      [THEN yahalom.YM1, THEN yahalom.Reception,
   22.77 @@ -116,7 +116,7 @@
   22.78  
   22.79  text\<open>Lets us treat YM4 using a similar argument as for the Fake case.\<close>
   22.80  lemma YM4_analz_knows_Spy:
   22.81 -     "[| Gets A {|Crypt (shrK A) Y, X|} \<in> set evs;  evs \<in> yahalom |]
   22.82 +     "[| Gets A \<lbrace>Crypt (shrK A) Y, X\<rbrace> \<in> set evs;  evs \<in> yahalom |]
   22.83        ==> X \<in> analz (knows Spy evs)"
   22.84  by blast
   22.85  
   22.86 @@ -125,7 +125,7 @@
   22.87  
   22.88  text\<open>For Oops\<close>
   22.89  lemma YM4_Key_parts_knows_Spy:
   22.90 -     "Says Server A {|Crypt (shrK A) {|B,K,NA,NB|}, X|} \<in> set evs
   22.91 +     "Says Server A \<lbrace>Crypt (shrK A) \<lbrace>B,K,NA,NB\<rbrace>, X\<rbrace> \<in> set evs
   22.92        ==> K \<in> parts (knows Spy evs)"
   22.93    by (metis parts.Body parts.Fst parts.Snd  Says_imp_knows_Spy parts.Inj)
   22.94  
   22.95 @@ -170,7 +170,7 @@
   22.96  text\<open>Describes the form of K when the Server sends this message.  Useful for
   22.97    Oops as well as main secrecy property.\<close>
   22.98  lemma Says_Server_not_range [simp]:
   22.99 -     "[| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|}
  22.100 +     "[| Says Server A \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>, X\<rbrace>
  22.101             \<in> set evs;   evs \<in> yahalom |]
  22.102        ==> K \<notin> range shrK"
  22.103  by (erule rev_mp, erule yahalom.induct, simp_all)
  22.104 @@ -210,9 +210,9 @@
  22.105  text\<open>The Key K uniquely identifies the Server's  message.\<close>
  22.106  lemma unique_session_keys:
  22.107       "[| Says Server A
  22.108 -          {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \<in> set evs;
  22.109 +          \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>, X\<rbrace> \<in> set evs;
  22.110          Says Server A'
  22.111 -          {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} \<in> set evs;
  22.112 +          \<lbrace>Crypt (shrK A') \<lbrace>Agent B', Key K, na', nb'\<rbrace>, X'\<rbrace> \<in> set evs;
  22.113          evs \<in> yahalom |]
  22.114       ==> A=A' & B=B' & na=na' & nb=nb'"
  22.115  apply (erule rev_mp, erule rev_mp)
  22.116 @@ -226,10 +226,10 @@
  22.117  lemma secrecy_lemma:
  22.118       "[| A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  22.119        ==> Says Server A
  22.120 -            {|Crypt (shrK A) {|Agent B, Key K, na, nb|},
  22.121 -              Crypt (shrK B) {|Agent A, Key K|}|}
  22.122 +            \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>,
  22.123 +              Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  22.124             \<in> set evs -->
  22.125 -          Notes Spy {|na, nb, Key K|} \<notin> set evs -->
  22.126 +          Notes Spy \<lbrace>na, nb, Key K\<rbrace> \<notin> set evs -->
  22.127            Key K \<notin> analz (knows Spy evs)"
  22.128  apply (erule yahalom.induct, force,
  22.129         drule_tac [6] YM4_analz_knows_Spy)
  22.130 @@ -240,10 +240,10 @@
  22.131  text\<open>Final version\<close>
  22.132  lemma Spy_not_see_encrypted_key:
  22.133       "[| Says Server A
  22.134 -            {|Crypt (shrK A) {|Agent B, Key K, na, nb|},
  22.135 -              Crypt (shrK B) {|Agent A, Key K|}|}
  22.136 +            \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>,
  22.137 +              Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  22.138             \<in> set evs;
  22.139 -         Notes Spy {|na, nb, Key K|} \<notin> set evs;
  22.140 +         Notes Spy \<lbrace>na, nb, Key K\<rbrace> \<notin> set evs;
  22.141           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  22.142        ==> Key K \<notin> analz (knows Spy evs)"
  22.143  by (blast dest: secrecy_lemma)
  22.144 @@ -253,11 +253,11 @@
  22.145  
  22.146  text\<open>If the encrypted message appears then it originated with the Server\<close>
  22.147  lemma A_trusts_YM3:
  22.148 -     "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \<in> parts (knows Spy evs);
  22.149 +     "[| Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace> \<in> parts (knows Spy evs);
  22.150           A \<notin> bad;  evs \<in> yahalom |]
  22.151         ==> Says Server A
  22.152 -            {|Crypt (shrK A) {|Agent B, Key K, na, nb|},
  22.153 -              Crypt (shrK B) {|Agent A, Key K|}|}
  22.154 +            \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>,
  22.155 +              Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  22.156             \<in> set evs"
  22.157  apply (erule rev_mp)
  22.158  apply (erule yahalom.induct, force,
  22.159 @@ -269,8 +269,8 @@
  22.160  text\<open>The obvious combination of \<open>A_trusts_YM3\<close> with
  22.161    \<open>Spy_not_see_encrypted_key\<close>\<close>
  22.162  lemma A_gets_good_key:
  22.163 -     "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \<in> parts (knows Spy evs);
  22.164 -         Notes Spy {|na, nb, Key K|} \<notin> set evs;
  22.165 +     "[| Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace> \<in> parts (knows Spy evs);
  22.166 +         Notes Spy \<lbrace>na, nb, Key K\<rbrace> \<notin> set evs;
  22.167           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  22.168        ==> Key K \<notin> analz (knows Spy evs)"
  22.169    by (metis A_trusts_YM3 secrecy_lemma)
  22.170 @@ -281,12 +281,12 @@
  22.171  text\<open>B knows, by the first part of A's message, that the Server distributed
  22.172    the key for A and B.  But this part says nothing about nonces.\<close>
  22.173  lemma B_trusts_YM4_shrK:
  22.174 -     "[| Crypt (shrK B) {|Agent A, Key K|} \<in> parts (knows Spy evs);
  22.175 +     "[| Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace> \<in> parts (knows Spy evs);
  22.176           B \<notin> bad;  evs \<in> yahalom |]
  22.177        ==> \<exists>NA NB. Says Server A
  22.178 -                      {|Crypt (shrK A) {|Agent B, Key K,
  22.179 -                                         Nonce NA, Nonce NB|},
  22.180 -                        Crypt (shrK B) {|Agent A, Key K|}|}
  22.181 +                      \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K,
  22.182 +                                         Nonce NA, Nonce NB\<rbrace>,
  22.183 +                        Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  22.184                       \<in> set evs"
  22.185  apply (erule rev_mp)
  22.186  apply (erule yahalom.induct, force,
  22.187 @@ -305,8 +305,8 @@
  22.188       "[|Crypt K (Nonce NB) \<in> parts (knows Spy evs);
  22.189          Nonce NB \<notin> analz (knows Spy evs);  evs \<in> yahalom|]
  22.190        ==> \<exists>A B NA. Says Server A
  22.191 -                      {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|},
  22.192 -                        Crypt (shrK B) {|Agent A, Key K|}|}
  22.193 +                      \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>,
  22.194 +                        Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  22.195                       \<in> set evs"
  22.196  apply (erule rev_mp, erule rev_mp)
  22.197  apply (erule yahalom.induct, force,
  22.198 @@ -329,14 +329,14 @@
  22.199  
  22.200  lemma KeyWithNonceI:
  22.201   "Says Server A
  22.202 -          {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|}
  22.203 +          \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, Nonce NB\<rbrace>, X\<rbrace>
  22.204          \<in> set evs ==> KeyWithNonce K NB evs"
  22.205  by (unfold KeyWithNonce_def, blast)
  22.206  
  22.207  lemma KeyWithNonce_Says [simp]:
  22.208     "KeyWithNonce K NB (Says S A X # evs) =
  22.209        (Server = S &
  22.210 -       (\<exists>B n X'. X = {|Crypt (shrK A) {|Agent B, Key K, n, Nonce NB|}, X'|})
  22.211 +       (\<exists>B n X'. X = \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, n, Nonce NB\<rbrace>, X'\<rbrace>)
  22.212        | KeyWithNonce K NB evs)"
  22.213  by (simp add: KeyWithNonce_def, blast)
  22.214  
  22.215 @@ -358,7 +358,7 @@
  22.216  text\<open>The Server message associates K with NB' and therefore not with any
  22.217    other nonce NB.\<close>
  22.218  lemma Says_Server_KeyWithNonce:
  22.219 - "[| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|}
  22.220 + "[| Says Server A \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, Nonce NB'\<rbrace>, X\<rbrace>
  22.221         \<in> set evs;
  22.222       NB \<noteq> NB';  evs \<in> yahalom |]
  22.223    ==> ~ KeyWithNonce K NB evs"
  22.224 @@ -417,7 +417,7 @@
  22.225     for the induction to carry through.\<close>
  22.226  lemma single_Nonce_secrecy:
  22.227       "[| Says Server A
  22.228 -          {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|}
  22.229 +          \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key KAB, na, Nonce NB'\<rbrace>, X\<rbrace>
  22.230           \<in> set evs;
  22.231           NB \<noteq> NB';  KAB \<notin> range shrK;  evs \<in> yahalom |]
  22.232        ==> (Nonce NB \<in> analz (insert (Key KAB) (knows Spy evs))) =
  22.233 @@ -430,8 +430,8 @@
  22.234  subsubsection\<open>The Nonce NB uniquely identifies B's message.\<close>
  22.235  
  22.236  lemma unique_NB:
  22.237 -     "[| Crypt (shrK B) {|Agent A, Nonce NA, nb|} \<in> parts (knows Spy evs);
  22.238 -         Crypt (shrK B') {|Agent A', Nonce NA', nb|} \<in> parts (knows Spy evs);
  22.239 +     "[| Crypt (shrK B) \<lbrace>Agent A, Nonce NA, nb\<rbrace> \<in> parts (knows Spy evs);
  22.240 +         Crypt (shrK B') \<lbrace>Agent A', Nonce NA', nb\<rbrace> \<in> parts (knows Spy evs);
  22.241          evs \<in> yahalom;  B \<notin> bad;  B' \<notin> bad |]
  22.242        ==> NA' = NA & A' = A & B' = B"
  22.243  apply (erule rev_mp, erule rev_mp)
  22.244 @@ -445,9 +445,9 @@
  22.245  text\<open>Variant useful for proving secrecy of NB.  Because nb is assumed to be
  22.246    secret, we no longer must assume B, B' not bad.\<close>
  22.247  lemma Says_unique_NB:
  22.248 -     "[| Says C S   {|X,  Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}
  22.249 +     "[| Says C S   \<lbrace>X,  Crypt (shrK B) \<lbrace>Agent A, Nonce NA, nb\<rbrace>\<rbrace>
  22.250             \<in> set evs;
  22.251 -         Gets S' {|X', Crypt (shrK B') {|Agent A', Nonce NA', nb|}|}
  22.252 +         Gets S' \<lbrace>X', Crypt (shrK B') \<lbrace>Agent A', Nonce NA', nb\<rbrace>\<rbrace>
  22.253             \<in> set evs;
  22.254           nb \<notin> analz (knows Spy evs);  evs \<in> yahalom |]
  22.255        ==> NA' = NA & A' = A & B' = B"
  22.256 @@ -458,9 +458,9 @@
  22.257  subsubsection\<open>A nonce value is never used both as NA and as NB\<close>
  22.258  
  22.259  lemma no_nonce_YM1_YM2:
  22.260 -     "[|Crypt (shrK B') {|Agent A', Nonce NB, nb'|} \<in> parts(knows Spy evs);
  22.261 +     "[|Crypt (shrK B') \<lbrace>Agent A', Nonce NB, nb'\<rbrace> \<in> parts(knows Spy evs);
  22.262          Nonce NB \<notin> analz (knows Spy evs);  evs \<in> yahalom|]
  22.263 -  ==> Crypt (shrK B)  {|Agent A, na, Nonce NB|} \<notin> parts(knows Spy evs)"
  22.264 +  ==> Crypt (shrK B)  \<lbrace>Agent A, na, Nonce NB\<rbrace> \<notin> parts(knows Spy evs)"
  22.265  apply (erule rev_mp, erule rev_mp)
  22.266  apply (erule yahalom.induct, force,
  22.267         frule_tac [6] YM4_parts_knows_Spy)
  22.268 @@ -471,18 +471,18 @@
  22.269  
  22.270  text\<open>The Server sends YM3 only in response to YM2.\<close>
  22.271  lemma Says_Server_imp_YM2:
  22.272 -     "[| Says Server A {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} \<in> set evs;
  22.273 +     "[| Says Server A \<lbrace>Crypt (shrK A) \<lbrace>Agent B, k, na, nb\<rbrace>, X\<rbrace> \<in> set evs;
  22.274           evs \<in> yahalom |]
  22.275 -      ==> Gets Server {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |}
  22.276 +      ==> Gets Server \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, na, nb\<rbrace>\<rbrace>
  22.277               \<in> set evs"
  22.278  by (erule rev_mp, erule yahalom.induct, auto)
  22.279  
  22.280  text\<open>A vital theorem for B, that nonce NB remains secure from the Spy.\<close>
  22.281  lemma Spy_not_see_NB :
  22.282       "[| Says B Server
  22.283 -                {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
  22.284 +                \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>\<rbrace>
  22.285             \<in> set evs;
  22.286 -         (\<forall>k. Notes Spy {|Nonce NA, Nonce NB, k|} \<notin> set evs);
  22.287 +         (\<forall>k. Notes Spy \<lbrace>Nonce NA, Nonce NB, k\<rbrace> \<notin> set evs);
  22.288           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  22.289        ==> Nonce NB \<notin> analz (knows Spy evs)"
  22.290  apply (erule rev_mp, erule rev_mp)
  22.291 @@ -521,17 +521,17 @@
  22.292    If this run is broken and the spy substitutes a certificate containing an
  22.293    old key, B has no means of telling.\<close>
  22.294  lemma B_trusts_YM4:
  22.295 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|},
  22.296 -                  Crypt K (Nonce NB)|} \<in> set evs;
  22.297 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>,
  22.298 +                  Crypt K (Nonce NB)\<rbrace> \<in> set evs;
  22.299           Says B Server
  22.300 -           {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
  22.301 +           \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>\<rbrace>
  22.302             \<in> set evs;
  22.303 -         \<forall>k. Notes Spy {|Nonce NA, Nonce NB, k|} \<notin> set evs;
  22.304 +         \<forall>k. Notes Spy \<lbrace>Nonce NA, Nonce NB, k\<rbrace> \<notin> set evs;
  22.305           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  22.306         ==> Says Server A
  22.307 -                   {|Crypt (shrK A) {|Agent B, Key K,
  22.308 -                             Nonce NA, Nonce NB|},
  22.309 -                     Crypt (shrK B) {|Agent A, Key K|}|}
  22.310 +                   \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K,
  22.311 +                             Nonce NA, Nonce NB\<rbrace>,
  22.312 +                     Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  22.313               \<in> set evs"
  22.314  by (blast dest: Spy_not_see_NB Says_unique_NB
  22.315                  Says_Server_imp_YM2 B_trusts_YM4_newK)
  22.316 @@ -541,12 +541,12 @@
  22.317  text\<open>The obvious combination of \<open>B_trusts_YM4\<close> with 
  22.318    \<open>Spy_not_see_encrypted_key\<close>\<close>
  22.319  lemma B_gets_good_key:
  22.320 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|},
  22.321 -                  Crypt K (Nonce NB)|} \<in> set evs;
  22.322 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>,
  22.323 +                  Crypt K (Nonce NB)\<rbrace> \<in> set evs;
  22.324           Says B Server
  22.325 -           {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
  22.326 +           \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>\<rbrace>
  22.327             \<in> set evs;
  22.328 -         \<forall>k. Notes Spy {|Nonce NA, Nonce NB, k|} \<notin> set evs;
  22.329 +         \<forall>k. Notes Spy \<lbrace>Nonce NA, Nonce NB, k\<rbrace> \<notin> set evs;
  22.330           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  22.331        ==> Key K \<notin> analz (knows Spy evs)"
  22.332    by (metis B_trusts_YM4 Spy_not_see_encrypted_key)
  22.333 @@ -556,10 +556,10 @@
  22.334  
  22.335  text\<open>The encryption in message YM2 tells us it cannot be faked.\<close>
  22.336  lemma B_Said_YM2 [rule_format]:
  22.337 -     "[|Crypt (shrK B) {|Agent A, Nonce NA, nb|} \<in> parts (knows Spy evs);
  22.338 +     "[|Crypt (shrK B) \<lbrace>Agent A, Nonce NA, nb\<rbrace> \<in> parts (knows Spy evs);
  22.339          evs \<in> yahalom|]
  22.340        ==> B \<notin> bad -->
  22.341 -          Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}
  22.342 +          Says B Server \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, nb\<rbrace>\<rbrace>
  22.343              \<in> set evs"
  22.344  apply (erule rev_mp, erule yahalom.induct, force,
  22.345         frule_tac [6] YM4_parts_knows_Spy, simp_all)
  22.346 @@ -569,10 +569,10 @@
  22.347  
  22.348  text\<open>If the server sends YM3 then B sent YM2\<close>
  22.349  lemma YM3_auth_B_to_A_lemma:
  22.350 -     "[|Says Server A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|}
  22.351 +     "[|Says Server A \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA, nb\<rbrace>, X\<rbrace>
  22.352         \<in> set evs;  evs \<in> yahalom|]
  22.353        ==> B \<notin> bad -->
  22.354 -          Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}
  22.355 +          Says B Server \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, nb\<rbrace>\<rbrace>
  22.356              \<in> set evs"
  22.357  apply (erule rev_mp, erule yahalom.induct, simp_all)
  22.358  txt\<open>YM3, YM4\<close>
  22.359 @@ -581,10 +581,10 @@
  22.360  
  22.361  text\<open>If A receives YM3 then B has used nonce NA (and therefore is alive)\<close>
  22.362  lemma YM3_auth_B_to_A:
  22.363 -     "[| Gets A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|}
  22.364 +     "[| Gets A \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA, nb\<rbrace>, X\<rbrace>
  22.365             \<in> set evs;
  22.366           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  22.367 -      ==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}
  22.368 +      ==> Says B Server \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, nb\<rbrace>\<rbrace>
  22.369         \<in> set evs"
  22.370    by (metis A_trusts_YM3 Gets_imp_analz_Spy YM3_auth_B_to_A_lemma analz.Fst
  22.371           not_parts_not_analz)
  22.372 @@ -600,9 +600,9 @@
  22.373       "evs \<in> yahalom
  22.374        ==> Key K \<notin> analz (knows Spy evs) -->
  22.375            Crypt K (Nonce NB) \<in> parts (knows Spy evs) -->
  22.376 -          Crypt (shrK B) {|Agent A, Key K|} \<in> parts (knows Spy evs) -->
  22.377 +          Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace> \<in> parts (knows Spy evs) -->
  22.378            B \<notin> bad -->
  22.379 -          (\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs)"
  22.380 +          (\<exists>X. Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs)"
  22.381  apply (erule yahalom.induct, force,
  22.382         frule_tac [6] YM4_parts_knows_Spy)
  22.383  apply (analz_mono_contra, simp_all)
  22.384 @@ -624,13 +624,13 @@
  22.385    Moreover, A associates K with NB (thus is talking about the same run).
  22.386    Other premises guarantee secrecy of K.\<close>
  22.387  lemma YM4_imp_A_Said_YM3 [rule_format]:
  22.388 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|},
  22.389 -                  Crypt K (Nonce NB)|} \<in> set evs;
  22.390 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>,
  22.391 +                  Crypt K (Nonce NB)\<rbrace> \<in> set evs;
  22.392           Says B Server
  22.393 -           {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
  22.394 +           \<lbrace>Agent B, Crypt (shrK B) \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>\<rbrace>
  22.395             \<in> set evs;
  22.396 -         (\<forall>NA k. Notes Spy {|Nonce NA, Nonce NB, k|} \<notin> set evs);
  22.397 +         (\<forall>NA k. Notes Spy \<lbrace>Nonce NA, Nonce NB, k\<rbrace> \<notin> set evs);
  22.398           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  22.399 -      ==> \<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs"
  22.400 +      ==> \<exists>X. Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs"
  22.401  by (metis A_Said_YM3_lemma B_gets_good_key Gets_imp_analz_Spy YM4_parts_knows_Spy analz.Fst not_parts_not_analz)
  22.402  end
    23.1 --- a/src/HOL/Auth/Yahalom2.thy	Mon Dec 28 21:47:32 2015 +0100
    23.2 +++ b/src/HOL/Auth/Yahalom2.thy	Mon Dec 28 23:13:33 2015 +0100
    23.3 @@ -36,44 +36,44 @@
    23.4  
    23.5           (*Alice initiates a protocol run*)
    23.6   | YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
    23.7 -          ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom"
    23.8 +          ==> Says A B \<lbrace>Agent A, Nonce NA\<rbrace> # evs1 \<in> yahalom"
    23.9  
   23.10           (*Bob's response to Alice's message.*)
   23.11   | YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
   23.12 -             Gets B {|Agent A, Nonce NA|} \<in> set evs2 |]
   23.13 +             Gets B \<lbrace>Agent A, Nonce NA\<rbrace> \<in> set evs2 |]
   23.14            ==> Says B Server
   23.15 -                  {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
   23.16 +                  \<lbrace>Agent B, Nonce NB, Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
   23.17                  # evs2 \<in> yahalom"
   23.18  
   23.19           (*The Server receives Bob's message.  He responds by sending a
   23.20             new session key to Alice, with a certificate for forwarding to Bob.
   23.21             Both agents are quoted in the 2nd certificate to prevent attacks!*)
   23.22   | YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;
   23.23 -             Gets Server {|Agent B, Nonce NB,
   23.24 -                           Crypt (shrK B) {|Agent A, Nonce NA|}|}
   23.25 +             Gets Server \<lbrace>Agent B, Nonce NB,
   23.26 +                           Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
   23.27                 \<in> set evs3 |]
   23.28            ==> Says Server A
   23.29 -               {|Nonce NB,
   23.30 -                 Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|},
   23.31 -                 Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|}
   23.32 +               \<lbrace>Nonce NB,
   23.33 +                 Crypt (shrK A) \<lbrace>Agent B, Key KAB, Nonce NA\<rbrace>,
   23.34 +                 Crypt (shrK B) \<lbrace>Agent A, Agent B, Key KAB, Nonce NB\<rbrace>\<rbrace>
   23.35                   # evs3 \<in> yahalom"
   23.36  
   23.37           (*Alice receives the Server's (?) message, checks her Nonce, and
   23.38             uses the new session key to send Bob his Nonce.*)
   23.39   | YM4:  "[| evs4 \<in> yahalom;
   23.40 -             Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
   23.41 -                      X|}  \<in> set evs4;
   23.42 -             Says A B {|Agent A, Nonce NA|} \<in> set evs4 |]
   23.43 -          ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \<in> yahalom"
   23.44 +             Gets A \<lbrace>Nonce NB, Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA\<rbrace>,
   23.45 +                      X\<rbrace>  \<in> set evs4;
   23.46 +             Says A B \<lbrace>Agent A, Nonce NA\<rbrace> \<in> set evs4 |]
   23.47 +          ==> Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> # evs4 \<in> yahalom"
   23.48  
   23.49           (*This message models possible leaks of session keys.  The nonces
   23.50             identify the protocol run.  Quoting Server here ensures they are
   23.51             correct. *)
   23.52   | Oops: "[| evso \<in> yahalom;
   23.53 -             Says Server A {|Nonce NB,
   23.54 -                             Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
   23.55 -                             X|}  \<in> set evso |]
   23.56 -          ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \<in> yahalom"
   23.57 +             Says Server A \<lbrace>Nonce NB,
   23.58 +                             Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA\<rbrace>,
   23.59 +                             X\<rbrace>  \<in> set evso |]
   23.60 +          ==> Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> # evso \<in> yahalom"
   23.61  
   23.62  
   23.63  declare Says_imp_knows_Spy [THEN analz.Inj, dest]
   23.64 @@ -84,7 +84,7 @@
   23.65  text\<open>A "possibility property": there are traces that reach the end\<close>
   23.66  lemma "Key K \<notin> used []
   23.67         ==> \<exists>X NB. \<exists>evs \<in> yahalom.
   23.68 -             Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs"
   23.69 +             Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs"
   23.70  apply (intro exI bexI)
   23.71  apply (rule_tac [2] yahalom.Nil
   23.72                      [THEN yahalom.YM1, THEN yahalom.Reception,
   23.73 @@ -111,7 +111,7 @@
   23.74  text\<open>Result for reasoning about the encrypted portion of messages.
   23.75  Lets us treat YM4 using a similar argument as for the Fake case.\<close>
   23.76  lemma YM4_analz_knows_Spy:
   23.77 -     "[| Gets A {|NB, Crypt (shrK A) Y, X|} \<in> set evs;  evs \<in> yahalom |]
   23.78 +     "[| Gets A \<lbrace>NB, Crypt (shrK A) Y, X\<rbrace> \<in> set evs;  evs \<in> yahalom |]
   23.79        ==> X \<in> analz (knows Spy evs)"
   23.80  by blast
   23.81  
   23.82 @@ -157,7 +157,7 @@
   23.83  text\<open>Describes the form of K when the Server sends this message.  Useful for
   23.84    Oops as well as main secrecy property.\<close>
   23.85  lemma Says_Server_message_form:
   23.86 -     "[| Says Server A {|nb', Crypt (shrK A) {|Agent B, Key K, na|}, X|}
   23.87 +     "[| Says Server A \<lbrace>nb', Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace>, X\<rbrace>
   23.88            \<in> set evs;  evs \<in> yahalom |]
   23.89        ==> K \<notin> range shrK"
   23.90  by (erule rev_mp, erule yahalom.induct, simp_all)
   23.91 @@ -194,9 +194,9 @@
   23.92  text\<open>The Key K uniquely identifies the Server's  message\<close>
   23.93  lemma unique_session_keys:
   23.94       "[| Says Server A
   23.95 -          {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|} \<in> set evs;
   23.96 +          \<lbrace>nb, Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace>, X\<rbrace> \<in> set evs;
   23.97          Says Server A'
   23.98 -          {|nb', Crypt (shrK A') {|Agent B', Key K, na'|}, X'|} \<in> set evs;
   23.99 +          \<lbrace>nb', Crypt (shrK A') \<lbrace>Agent B', Key K, na'\<rbrace>, X'\<rbrace> \<in> set evs;
  23.100          evs \<in> yahalom |]
  23.101       ==> A=A' & B=B' & na=na' & nb=nb'"
  23.102  apply (erule rev_mp, erule rev_mp)
  23.103 @@ -211,10 +211,10 @@
  23.104  lemma secrecy_lemma:
  23.105       "[| A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  23.106        ==> Says Server A
  23.107 -            {|nb, Crypt (shrK A) {|Agent B, Key K, na|},
  23.108 -                  Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|}
  23.109 +            \<lbrace>nb, Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace>,
  23.110 +                  Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, nb\<rbrace>\<rbrace>
  23.111             \<in> set evs -->
  23.112 -          Notes Spy {|na, nb, Key K|} \<notin> set evs -->
  23.113 +          Notes Spy \<lbrace>na, nb, Key K\<rbrace> \<notin> set evs -->
  23.114            Key K \<notin> analz (knows Spy evs)"
  23.115  apply (erule yahalom.induct, force, frule_tac [7] Says_Server_message_form,
  23.116         drule_tac [6] YM4_analz_knows_Spy)
  23.117 @@ -226,10 +226,10 @@
  23.118  text\<open>Final version\<close>
  23.119  lemma Spy_not_see_encrypted_key:
  23.120       "[| Says Server A
  23.121 -            {|nb, Crypt (shrK A) {|Agent B, Key K, na|},
  23.122 -                  Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|}
  23.123 +            \<lbrace>nb, Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace>,
  23.124 +                  Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, nb\<rbrace>\<rbrace>
  23.125           \<in> set evs;
  23.126 -         Notes Spy {|na, nb, Key K|} \<notin> set evs;
  23.127 +         Notes Spy \<lbrace>na, nb, Key K\<rbrace> \<notin> set evs;
  23.128           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  23.129        ==> Key K \<notin> analz (knows Spy evs)"
  23.130  by (blast dest: secrecy_lemma Says_Server_message_form)
  23.131 @@ -245,10 +245,10 @@
  23.132  @{term "Key K \<notin> analz (knows Spy evs)"}.\<close>
  23.133  lemma Spy_not_know_encrypted_key:
  23.134       "[| Says Server A
  23.135 -            {|nb, Crypt (shrK A) {|Agent B, Key K, na|},
  23.136 -                  Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|}
  23.137 +            \<lbrace>nb, Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace>,
  23.138 +                  Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, nb\<rbrace>\<rbrace>
  23.139           \<in> set evs;
  23.140 -         Notes Spy {|na, nb, Key K|} \<notin> set evs;
  23.141 +         Notes Spy \<lbrace>na, nb, Key K\<rbrace> \<notin> set evs;
  23.142           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  23.143        ==> Key K \<notin> knows Spy evs"
  23.144  by (blast dest: Spy_not_see_encrypted_key)
  23.145 @@ -259,11 +259,11 @@
  23.146  text\<open>If the encrypted message appears then it originated with the Server.
  23.147    May now apply \<open>Spy_not_see_encrypted_key\<close>, subject to its conditions.\<close>
  23.148  lemma A_trusts_YM3:
  23.149 -     "[| Crypt (shrK A) {|Agent B, Key K, na|} \<in> parts (knows Spy evs);
  23.150 +     "[| Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace> \<in> parts (knows Spy evs);
  23.151           A \<notin> bad;  evs \<in> yahalom |]
  23.152        ==> \<exists>nb. Says Server A
  23.153 -                    {|nb, Crypt (shrK A) {|Agent B, Key K, na|},
  23.154 -                          Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|}
  23.155 +                    \<lbrace>nb, Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace>,
  23.156 +                          Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, nb\<rbrace>\<rbrace>
  23.157                    \<in> set evs"
  23.158  apply (erule rev_mp)
  23.159  apply (erule yahalom.induct, force,
  23.160 @@ -275,8 +275,8 @@
  23.161  text\<open>The obvious combination of \<open>A_trusts_YM3\<close> with 
  23.162  \<open>Spy_not_see_encrypted_key\<close>\<close>
  23.163  theorem A_gets_good_key:
  23.164 -     "[| Crypt (shrK A) {|Agent B, Key K, na|} \<in> parts (knows Spy evs);
  23.165 -         \<forall>nb. Notes Spy {|na, nb, Key K|} \<notin> set evs;
  23.166 +     "[| Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace> \<in> parts (knows Spy evs);
  23.167 +         \<forall>nb. Notes Spy \<lbrace>na, nb, Key K\<rbrace> \<notin> set evs;
  23.168           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  23.169        ==> Key K \<notin> analz (knows Spy evs)"
  23.170  by (blast dest!: A_trusts_YM3 Spy_not_see_encrypted_key)
  23.171 @@ -287,13 +287,13 @@
  23.172  text\<open>B knows, by the first part of A's message, that the Server distributed
  23.173    the key for A and B, and has associated it with NB.\<close>
  23.174  lemma B_trusts_YM4_shrK:
  23.175 -     "[| Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}
  23.176 +     "[| Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, Nonce NB\<rbrace>
  23.177             \<in> parts (knows Spy evs);
  23.178           B \<notin> bad;  evs \<in> yahalom |]
  23.179    ==> \<exists>NA. Says Server A
  23.180 -             {|Nonce NB,
  23.181 -               Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
  23.182 -               Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|}
  23.183 +             \<lbrace>Nonce NB,
  23.184 +               Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA\<rbrace>,
  23.185 +               Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, Nonce NB\<rbrace>\<rbrace>
  23.186               \<in> set evs"
  23.187  apply (erule rev_mp)
  23.188  apply (erule yahalom.induct, force,
  23.189 @@ -309,13 +309,13 @@
  23.190  text\<open>What can B deduce from receipt of YM4?  Stronger and simpler than Yahalom
  23.191    because we do not have to show that NB is secret.\<close>
  23.192  lemma B_trusts_YM4:
  23.193 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|},  X|}
  23.194 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, Nonce NB\<rbrace>,  X\<rbrace>
  23.195             \<in> set evs;
  23.196           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  23.197    ==> \<exists>NA. Says Server A
  23.198 -             {|Nonce NB,
  23.199 -               Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
  23.200 -               Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|}
  23.201 +             \<lbrace>Nonce NB,
  23.202 +               Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA\<rbrace>,
  23.203 +               Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, Nonce NB\<rbrace>\<rbrace>
  23.204              \<in> set evs"
  23.205  by (blast dest!: B_trusts_YM4_shrK)
  23.206  
  23.207 @@ -323,9 +323,9 @@
  23.208  text\<open>The obvious combination of \<open>B_trusts_YM4\<close> with 
  23.209  \<open>Spy_not_see_encrypted_key\<close>\<close>
  23.210  theorem B_gets_good_key:
  23.211 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, X|}
  23.212 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, Nonce NB\<rbrace>, X\<rbrace>
  23.213             \<in> set evs;
  23.214 -         \<forall>na. Notes Spy {|na, Nonce NB, Key K|} \<notin> set evs;
  23.215 +         \<forall>na. Notes Spy \<lbrace>na, Nonce NB, Key K\<rbrace> \<notin> set evs;
  23.216           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  23.217        ==> Key K \<notin> analz (knows Spy evs)"
  23.218  by (blast dest!: B_trusts_YM4 Spy_not_see_encrypted_key)
  23.219 @@ -335,10 +335,10 @@
  23.220  
  23.221  text\<open>The encryption in message YM2 tells us it cannot be faked.\<close>
  23.222  lemma B_Said_YM2:
  23.223 -     "[| Crypt (shrK B) {|Agent A, Nonce NA|} \<in> parts (knows Spy evs);
  23.224 +     "[| Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace> \<in> parts (knows Spy evs);
  23.225           B \<notin> bad;  evs \<in> yahalom |]
  23.226 -      ==> \<exists>NB. Says B Server {|Agent B, Nonce NB,
  23.227 -                               Crypt (shrK B) {|Agent A, Nonce NA|}|}
  23.228 +      ==> \<exists>NB. Says B Server \<lbrace>Agent B, Nonce NB,
  23.229 +                               Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
  23.230                        \<in> set evs"
  23.231  apply (erule rev_mp)
  23.232  apply (erule yahalom.induct, force,
  23.233 @@ -350,11 +350,11 @@
  23.234  
  23.235  text\<open>If the server sends YM3 then B sent YM2, perhaps with a different NB\<close>
  23.236  lemma YM3_auth_B_to_A_lemma:
  23.237 -     "[| Says Server A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|}
  23.238 +     "[| Says Server A \<lbrace>nb, Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA\<rbrace>, X\<rbrace>
  23.239             \<in> set evs;
  23.240           B \<notin> bad;  evs \<in> yahalom |]
  23.241 -      ==> \<exists>nb'. Says B Server {|Agent B, nb',
  23.242 -                                   Crypt (shrK B) {|Agent A, Nonce NA|}|}
  23.243 +      ==> \<exists>nb'. Says B Server \<lbrace>Agent B, nb',
  23.244 +                                   Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
  23.245                         \<in> set evs"
  23.246  apply (erule rev_mp)
  23.247  apply (erule yahalom.induct, simp_all)
  23.248 @@ -364,11 +364,11 @@
  23.249  
  23.250  text\<open>If A receives YM3 then B has used nonce NA (and therefore is alive)\<close>
  23.251  theorem YM3_auth_B_to_A:
  23.252 -     "[| Gets A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|}
  23.253 +     "[| Gets A \<lbrace>nb, Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA\<rbrace>, X\<rbrace>
  23.254             \<in> set evs;
  23.255           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  23.256   ==> \<exists>nb'. Says B Server
  23.257 -                  {|Agent B, nb', Crypt (shrK B) {|Agent A, Nonce NA|}|}
  23.258 +                  \<lbrace>Agent B, nb', Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
  23.259                 \<in> set evs"
  23.260  by (blast dest!: A_trusts_YM3 YM3_auth_B_to_A_lemma)
  23.261  
  23.262 @@ -385,8 +385,8 @@
  23.263  text\<open>This lemma allows a use of \<open>unique_session_keys\<close> in the next proof,
  23.264    which otherwise is extremely slow.\<close>
  23.265  lemma secure_unique_session_keys:
  23.266 -     "[| Crypt (shrK A) {|Agent B, Key K, na|} \<in> analz (spies evs);
  23.267 -         Crypt (shrK A') {|Agent B', Key K, na'|} \<in> analz (spies evs);
  23.268 +     "[| Crypt (shrK A) \<lbrace>Agent B, Key K, na\<rbrace> \<in> analz (spies evs);
  23.269 +         Crypt (shrK A') \<lbrace>Agent B', Key K, na'\<rbrace> \<in> analz (spies evs);
  23.270           Key K \<notin> analz (knows Spy evs);  evs \<in> yahalom |]
  23.271       ==> A=A' & B=B'"
  23.272  by (blast dest!: A_trusts_YM3 dest: unique_session_keys Crypt_Spy_analz_bad)
  23.273 @@ -397,10 +397,10 @@
  23.274        ==> Key K \<notin> analz (knows Spy evs) -->
  23.275            K \<in> symKeys -->
  23.276            Crypt K (Nonce NB) \<in> parts (knows Spy evs) -->
  23.277 -          Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}
  23.278 +          Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, Nonce NB\<rbrace>
  23.279              \<in> parts (knows Spy evs) -->
  23.280            B \<notin> bad -->
  23.281 -          (\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs)"
  23.282 +          (\<exists>X. Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs)"
  23.283  apply (erule yahalom.induct, force,
  23.284         frule_tac [6] YM4_parts_knows_Spy)
  23.285  apply (analz_mono_contra, simp_all)
  23.286 @@ -419,11 +419,11 @@
  23.287    Moreover, A associates K with NB (thus is talking about the same run).
  23.288    Other premises guarantee secrecy of K.\<close>
  23.289  theorem YM4_imp_A_Said_YM3 [rule_format]:
  23.290 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|},
  23.291 -                  Crypt K (Nonce NB)|} \<in> set evs;
  23.292 -         (\<forall>NA. Notes Spy {|Nonce NA, Nonce NB, Key K|} \<notin> set evs);
  23.293 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Agent B, Key K, Nonce NB\<rbrace>,
  23.294 +                  Crypt K (Nonce NB)\<rbrace> \<in> set evs;
  23.295 +         (\<forall>NA. Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> \<notin> set evs);
  23.296           K \<in> symKeys;  A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  23.297 -      ==> \<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs"
  23.298 +      ==> \<exists>X. Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs"
  23.299  by (blast intro: Auth_A_to_B_lemma
  23.300            dest: Spy_not_see_encrypted_key B_trusts_YM4_shrK)
  23.301  
    24.1 --- a/src/HOL/Auth/Yahalom_Bad.thy	Mon Dec 28 21:47:32 2015 +0100
    24.2 +++ b/src/HOL/Auth/Yahalom_Bad.thy	Mon Dec 28 23:13:33 2015 +0100
    24.3 @@ -31,34 +31,34 @@
    24.4  
    24.5           (*Alice initiates a protocol run*)
    24.6   | YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
    24.7 -          ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom"
    24.8 +          ==> Says A B \<lbrace>Agent A, Nonce NA\<rbrace> # evs1 \<in> yahalom"
    24.9  
   24.10           (*Bob's response to Alice's message.*)
   24.11   | YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
   24.12 -             Gets B {|Agent A, Nonce NA|} \<in> set evs2 |]
   24.13 +             Gets B \<lbrace>Agent A, Nonce NA\<rbrace> \<in> set evs2 |]
   24.14            ==> Says B Server
   24.15 -                  {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
   24.16 +                  \<lbrace>Agent B, Nonce NB, Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
   24.17                  # evs2 \<in> yahalom"
   24.18  
   24.19           (*The Server receives Bob's message.  He responds by sending a
   24.20              new session key to Alice, with a packet for forwarding to Bob.*)
   24.21   | YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;  KAB \<in> symKeys;
   24.22               Gets Server
   24.23 -                  {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
   24.24 +                  \<lbrace>Agent B, Nonce NB, Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
   24.25                 \<in> set evs3 |]
   24.26            ==> Says Server A
   24.27 -                   {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|},
   24.28 -                     Crypt (shrK B) {|Agent A, Key KAB|}|}
   24.29 +                   \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key KAB, Nonce NA, Nonce NB\<rbrace>,
   24.30 +                     Crypt (shrK B) \<lbrace>Agent A, Key KAB\<rbrace>\<rbrace>
   24.31                  # evs3 \<in> yahalom"
   24.32  
   24.33           (*Alice receives the Server's (?) message, checks her Nonce, and
   24.34             uses the new session key to send Bob his Nonce.  The premise
   24.35             A \<noteq> Server is needed to prove Says_Server_not_range.*)
   24.36   | YM4:  "[| evs4 \<in> yahalom;  A \<noteq> Server;  K \<in> symKeys;
   24.37 -             Gets A {|Crypt(shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, X|}
   24.38 +             Gets A \<lbrace>Crypt(shrK A) \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>, X\<rbrace>
   24.39                  \<in> set evs4;
   24.40 -             Says A B {|Agent A, Nonce NA|} \<in> set evs4 |]
   24.41 -          ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \<in> yahalom"
   24.42 +             Says A B \<lbrace>Agent A, Nonce NA\<rbrace> \<in> set evs4 |]
   24.43 +          ==> Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> # evs4 \<in> yahalom"
   24.44  
   24.45  
   24.46  declare Says_imp_knows_Spy [THEN analz.Inj, dest]
   24.47 @@ -70,7 +70,7 @@
   24.48  text\<open>A "possibility property": there are traces that reach the end\<close>
   24.49  lemma "[| A \<noteq> Server; Key K \<notin> used []; K \<in> symKeys |] 
   24.50         ==> \<exists>X NB. \<exists>evs \<in> yahalom.
   24.51 -              Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs"
   24.52 +              Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs"
   24.53  apply (intro exI bexI)
   24.54  apply (rule_tac [2] yahalom.Nil
   24.55                      [THEN yahalom.YM1, THEN yahalom.Reception,
   24.56 @@ -98,7 +98,7 @@
   24.57  
   24.58  text\<open>Lets us treat YM4 using a similar argument as for the Fake case.\<close>
   24.59  lemma YM4_analz_knows_Spy:
   24.60 -     "[| Gets A {|Crypt (shrK A) Y, X|} \<in> set evs;  evs \<in> yahalom |]
   24.61 +     "[| Gets A \<lbrace>Crypt (shrK A) Y, X\<rbrace> \<in> set evs;  evs \<in> yahalom |]
   24.62        ==> X \<in> analz (knows Spy evs)"
   24.63  by blast
   24.64  
   24.65 @@ -168,9 +168,9 @@
   24.66  text\<open>The Key K uniquely identifies the Server's  message.\<close>
   24.67  lemma unique_session_keys:
   24.68       "[| Says Server A
   24.69 -          {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \<in> set evs;
   24.70 +          \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>, X\<rbrace> \<in> set evs;
   24.71          Says Server A'
   24.72 -          {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} \<in> set evs;
   24.73 +          \<lbrace>Crypt (shrK A') \<lbrace>Agent B', Key K, na', nb'\<rbrace>, X'\<rbrace> \<in> set evs;
   24.74          evs \<in> yahalom |]
   24.75       ==> A=A' & B=B' & na=na' & nb=nb'"
   24.76  apply (erule rev_mp, erule rev_mp)
   24.77 @@ -184,8 +184,8 @@
   24.78  lemma secrecy_lemma:
   24.79       "[| A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
   24.80        ==> Says Server A
   24.81 -            {|Crypt (shrK A) {|Agent B, Key K, na, nb|},
   24.82 -              Crypt (shrK B) {|Agent A, Key K|}|}
   24.83 +            \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>,
   24.84 +              Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
   24.85             \<in> set evs -->
   24.86            Key K \<notin> analz (knows Spy evs)"
   24.87  apply (erule yahalom.induct, force, drule_tac [6] YM4_analz_knows_Spy)
   24.88 @@ -196,8 +196,8 @@
   24.89  text\<open>Final version\<close>
   24.90  lemma Spy_not_see_encrypted_key:
   24.91       "[| Says Server A
   24.92 -            {|Crypt (shrK A) {|Agent B, Key K, na, nb|},
   24.93 -              Crypt (shrK B) {|Agent A, Key K|}|}
   24.94 +            \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>,
   24.95 +              Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
   24.96             \<in> set evs;
   24.97           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
   24.98        ==> Key K \<notin> analz (knows Spy evs)"
   24.99 @@ -208,11 +208,11 @@
  24.100  
  24.101  text\<open>If the encrypted message appears then it originated with the Server\<close>
  24.102  lemma A_trusts_YM3:
  24.103 -     "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \<in> parts (knows Spy evs);
  24.104 +     "[| Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace> \<in> parts (knows Spy evs);
  24.105           A \<notin> bad;  evs \<in> yahalom |]
  24.106         ==> Says Server A
  24.107 -            {|Crypt (shrK A) {|Agent B, Key K, na, nb|},
  24.108 -              Crypt (shrK B) {|Agent A, Key K|}|}
  24.109 +            \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>,
  24.110 +              Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  24.111             \<in> set evs"
  24.112  apply (erule rev_mp)
  24.113  apply (erule yahalom.induct, force,
  24.114 @@ -224,7 +224,7 @@
  24.115  text\<open>The obvious combination of \<open>A_trusts_YM3\<close> with
  24.116    \<open>Spy_not_see_encrypted_key\<close>\<close>
  24.117  lemma A_gets_good_key:
  24.118 -     "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} \<in> parts (knows Spy evs);
  24.119 +     "[| Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace> \<in> parts (knows Spy evs);
  24.120           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  24.121        ==> Key K \<notin> analz (knows Spy evs)"
  24.122  by (blast dest!: A_trusts_YM3 Spy_not_see_encrypted_key)
  24.123 @@ -234,11 +234,11 @@
  24.124  text\<open>B knows, by the first part of A's message, that the Server distributed
  24.125    the key for A and B.  But this part says nothing about nonces.\<close>
  24.126  lemma B_trusts_YM4_shrK:
  24.127 -     "[| Crypt (shrK B) {|Agent A, Key K|} \<in> parts (knows Spy evs);
  24.128 +     "[| Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace> \<in> parts (knows Spy evs);
  24.129           B \<notin> bad;  evs \<in> yahalom |]
  24.130        ==> \<exists>NA NB. Says Server A
  24.131 -                      {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|},
  24.132 -                        Crypt (shrK B) {|Agent A, Key K|}|}
  24.133 +                      \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>,
  24.134 +                        Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  24.135                       \<in> set evs"
  24.136  apply (erule rev_mp)
  24.137  apply (erule yahalom.induct, force,
  24.138 @@ -262,9 +262,9 @@
  24.139       "[|Key K \<notin> analz (knows Spy evs);  evs \<in> yahalom|]
  24.140        ==> Crypt K (Nonce NB) \<in> parts (knows Spy evs) -->
  24.141            (\<exists>A B NA. Says Server A
  24.142 -                      {|Crypt (shrK A) {|Agent B, Key K,
  24.143 -                                Nonce NA, Nonce NB|},
  24.144 -                        Crypt (shrK B) {|Agent A, Key K|}|}
  24.145 +                      \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K,
  24.146 +                                Nonce NA, Nonce NB\<rbrace>,
  24.147 +                        Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  24.148                       \<in> set evs)"
  24.149  apply (erule rev_mp)
  24.150  apply (erule yahalom.induct, force,
  24.151 @@ -285,15 +285,15 @@
  24.152  text\<open>B's session key guarantee from YM4.  The two certificates contribute to a
  24.153    single conclusion about the Server's message.\<close>
  24.154  lemma B_trusts_YM4:
  24.155 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|},
  24.156 -                  Crypt K (Nonce NB)|} \<in> set evs;
  24.157 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>,
  24.158 +                  Crypt K (Nonce NB)\<rbrace> \<in> set evs;
  24.159           Says B Server
  24.160 -           {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
  24.161 +           \<lbrace>Agent B, Nonce NB, Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
  24.162             \<in> set evs;
  24.163           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  24.164         ==> \<exists>na nb. Says Server A
  24.165 -                   {|Crypt (shrK A) {|Agent B, Key K, na, nb|},
  24.166 -                     Crypt (shrK B) {|Agent A, Key K|}|}
  24.167 +                   \<lbrace>Crypt (shrK A) \<lbrace>Agent B, Key K, na, nb\<rbrace>,
  24.168 +                     Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>\<rbrace>
  24.169               \<in> set evs"
  24.170  by (blast dest: B_trusts_YM4_newK B_trusts_YM4_shrK Spy_not_see_encrypted_key
  24.171                  unique_session_keys)
  24.172 @@ -302,10 +302,10 @@
  24.173  text\<open>The obvious combination of \<open>B_trusts_YM4\<close> with 
  24.174    \<open>Spy_not_see_encrypted_key\<close>\<close>
  24.175  lemma B_gets_good_key:
  24.176 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|},
  24.177 -                  Crypt K (Nonce NB)|} \<in> set evs;
  24.178 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>,
  24.179 +                  Crypt K (Nonce NB)\<rbrace> \<in> set evs;
  24.180           Says B Server
  24.181 -           {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
  24.182 +           \<lbrace>Agent B, Nonce NB, Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
  24.183             \<in> set evs;
  24.184           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  24.185        ==> Key K \<notin> analz (knows Spy evs)"
  24.186 @@ -325,9 +325,9 @@
  24.187       "evs \<in> yahalom
  24.188        ==> Key K \<notin> analz (knows Spy evs) -->
  24.189            Crypt K (Nonce NB) \<in> parts (knows Spy evs) -->
  24.190 -          Crypt (shrK B) {|Agent A, Key K|} \<in> parts (knows Spy evs) -->
  24.191 +          Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace> \<in> parts (knows Spy evs) -->
  24.192            B \<notin> bad -->
  24.193 -          (\<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs)"
  24.194 +          (\<exists>X. Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs)"
  24.195  apply (erule yahalom.induct, force,
  24.196         frule_tac [6] YM4_parts_knows_Spy)
  24.197  apply (analz_mono_contra, simp_all)
  24.198 @@ -349,13 +349,13 @@
  24.199    Moreover, A associates K with NB (thus is talking about the same run).
  24.200    Other premises guarantee secrecy of K.\<close>
  24.201  lemma YM4_imp_A_Said_YM3 [rule_format]:
  24.202 -     "[| Gets B {|Crypt (shrK B) {|Agent A, Key K|},
  24.203 -                  Crypt K (Nonce NB)|} \<in> set evs;
  24.204 +     "[| Gets B \<lbrace>Crypt (shrK B) \<lbrace>Agent A, Key K\<rbrace>,
  24.205 +                  Crypt K (Nonce NB)\<rbrace> \<in> set evs;
  24.206           Says B Server
  24.207 -           {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
  24.208 +           \<lbrace>Agent B, Nonce NB, Crypt (shrK B) \<lbrace>Agent A, Nonce NA\<rbrace>\<rbrace>
  24.209             \<in> set evs;
  24.210           A \<notin> bad;  B \<notin> bad;  evs \<in> yahalom |]
  24.211 -      ==> \<exists>X. Says A B {|X, Crypt K (Nonce NB)|} \<in> set evs"
  24.212 +      ==> \<exists>X. Says A B \<lbrace>X, Crypt K (Nonce NB)\<rbrace> \<in> set evs"
  24.213  by (blast intro!: A_Said_YM3_lemma
  24.214            dest: Spy_not_see_encrypted_key B_trusts_YM4 Gets_imp_Says)
  24.215  
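--- a/src/HOL/Auth/ZhouGollmann.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/Auth/ZhouGollmann.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -43,24 +43,24 @@
     rather than to keep M secret.*)
 | ZG1: "[| evs1 \<in> zg;  Nonce L \<notin> used evs1; C = Crypt K (Number m);
            K \<in> symKeys;
-           NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}|]
-       ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} # evs1 \<in> zg"
+           NRO = Crypt (priK A) \<lbrace>Number f_nro, Agent B, Nonce L, C\<rbrace>|]
+       ==> Says A B \<lbrace>Number f_nro, Agent B, Nonce L, C, NRO\<rbrace> # evs1 \<in> zg"
 
   (*B must check that NRO is A's signature to learn the sender's name*)
 | ZG2: "[| evs2 \<in> zg;
-           Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs2;
-           NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|};
-           NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}|]
-       ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} # evs2  \<in>  zg"
+           Gets B \<lbrace>Number f_nro, Agent B, Nonce L, C, NRO\<rbrace> \<in> set evs2;
+           NRO = Crypt (priK A) \<lbrace>Number f_nro, Agent B, Nonce L, C\<rbrace>;
+           NRR = Crypt (priK B) \<lbrace>Number f_nrr, Agent A, Nonce L, C\<rbrace>|]
+       ==> Says B A \<lbrace>Number f_nrr, Agent A, Nonce L, NRR\<rbrace> # evs2  \<in>  zg"
 
   (*A must check that NRR is B's signature to learn the sender's name;
     without spy, the matching label would be enough*)
 | ZG3: "[| evs3 \<in> zg; C = Crypt K M; K \<in> symKeys;
-           Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs3;
-           Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs3;
-           NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|};
-           sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|}|]
-       ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|}
+           Says A B \<lbrace>Number f_nro, Agent B, Nonce L, C, NRO\<rbrace> \<in> set evs3;
+           Gets A \<lbrace>Number f_nrr, Agent A, Nonce L, NRR\<rbrace> \<in> set evs3;
+           NRR = Crypt (priK B) \<lbrace>Number f_nrr, Agent A, Nonce L, C\<rbrace>;
+           sub_K = Crypt (priK A) \<lbrace>Number f_sub, Agent B, Nonce L, Key K\<rbrace>|]
+       ==> Says A TTP \<lbrace>Number f_sub, Agent B, Nonce L, Key K, sub_K\<rbrace>
             # evs3 \<in> zg"
 
  (*TTP checks that sub_K is A's signature to learn who issued K, then
@@ -70,14 +70,14 @@
    also allowing lemma @{text Crypt_used_imp_spies} to omit the condition
    @{term "K \<noteq> priK TTP"}. *)
 | ZG4: "[| evs4 \<in> zg; K \<in> symKeys;
-           Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|}
+           Gets TTP \<lbrace>Number f_sub, Agent B, Nonce L, Key K, sub_K\<rbrace>
             \<in> set evs4;
-           sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
-           con_K = Crypt (priK TTP) {|Number f_con, Agent A, Agent B,
-                                      Nonce L, Key K|}|]
+           sub_K = Crypt (priK A) \<lbrace>Number f_sub, Agent B, Nonce L, Key K\<rbrace>;
+           con_K = Crypt (priK TTP) \<lbrace>Number f_con, Agent A, Agent B,
+                                      Nonce L, Key K\<rbrace>|]
        ==> Says TTP Spy con_K
            #
-           Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K|}
+           Notes TTP \<lbrace>Number f_con, Agent A, Agent B, Nonce L, Key K, con_K\<rbrace>
            # evs4 \<in> zg"
 
 
@@ -92,8 +92,8 @@
 text\<open>A "possibility property": there are traces that reach the end\<close>
 lemma "[|A \<noteq> B; TTP \<noteq> A; TTP \<noteq> B; K \<in> symKeys|] ==>
      \<exists>L. \<exists>evs \<in> zg.
-           Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K,
-               Crypt (priK TTP) {|Number f_con, Agent A, Agent B, Nonce L, Key K|} |}
+           Notes TTP \<lbrace>Number f_con, Agent A, Agent B, Nonce L, Key K,
+               Crypt (priK TTP) \<lbrace>Number f_con, Agent A, Agent B, Nonce L, Key K\<rbrace>\<rbrace>
               \<in> set evs"
 apply (intro exI bexI)
 apply (rule_tac [2] zg.Nil
@@ -128,18 +128,18 @@
 done
 
 lemma Notes_TTP_imp_Gets:
-     "[|Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K |}
+     "[|Notes TTP \<lbrace>Number f_con, Agent A, Agent B, Nonce L, Key K, con_K\<rbrace>
           \<in> set evs;
-        sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
+        sub_K = Crypt (priK A) \<lbrace>Number f_sub, Agent B, Nonce L, Key K\<rbrace>;
         evs \<in> zg|]
-    ==> Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \<in> set evs"
+    ==> Gets TTP \<lbrace>Number f_sub, Agent B, Nonce L, Key K, sub_K\<rbrace> \<in> set evs"
 apply (erule rev_mp)
 apply (erule zg.induct, auto)
 done
 
 text\<open>For reasoning about C, which is encrypted in message ZG2\<close>
 lemma ZG2_msg_in_parts_spies:
-     "[|Gets B {|F, B', L, C, X|} \<in> set evs; evs \<in> zg|]
+     "[|Gets B \<lbrace>F, B', L, C, X\<rbrace> \<in> set evs; evs \<in> zg|]
       ==> C \<in> parts (spies evs)"
 by (blast dest: Gets_imp_Says)
 
@@ -165,10 +165,10 @@
 
 text\<open>Strong conclusion for a good agent\<close>
 lemma NRO_validity_good:
-     "[|NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|};
+     "[|NRO = Crypt (priK A) \<lbrace>Number f_nro, Agent B, Nonce L, C\<rbrace>;
         NRO \<in> parts (spies evs);
         A \<notin> bad;  evs \<in> zg |]
-     ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs"
+     ==> Says A B \<lbrace>Number f_nro, Agent B, Nonce L, C, NRO\<rbrace> \<in> set evs"
 apply clarify
 apply (erule rev_mp)
 apply (erule zg.induct)
@@ -176,7 +176,7 @@
 done
 
 lemma NRO_sender:
-     "[|Says A' B {|n, b, l, C, Crypt (priK A) X|} \<in> set evs; evs \<in> zg|]
+     "[|Says A' B \<lbrace>n, b, l, C, Crypt (priK A) X\<rbrace> \<in> set evs; evs \<in> zg|]
     ==> A' \<in> {A,Spy}"
 apply (erule rev_mp)  
 apply (erule zg.induct, simp_all)
@@ -184,10 +184,10 @@
 
 text\<open>Holds also for @{term "A = Spy"}!\<close>
 theorem NRO_validity:
-     "[|Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs;
-        NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|};
+     "[|Gets B \<lbrace>Number f_nro, Agent B, Nonce L, C, NRO\<rbrace> \<in> set evs;
+        NRO = Crypt (priK A) \<lbrace>Number f_nro, Agent B, Nonce L, C\<rbrace>;
         A \<notin> broken;  evs \<in> zg |]
-     ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs"
+     ==> Says A B \<lbrace>Number f_nro, Agent B, Nonce L, C, NRO\<rbrace> \<in> set evs"
 apply (drule Gets_imp_Says, assumption) 
 apply clarify 
 apply (frule NRO_sender, auto)
@@ -205,10 +205,10 @@
 
 text\<open>Strong conclusion for a good agent\<close>
 lemma NRR_validity_good:
-     "[|NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|};
+     "[|NRR = Crypt (priK B) \<lbrace>Number f_nrr, Agent A, Nonce L, C\<rbrace>;
         NRR \<in> parts (spies evs);
         B \<notin> bad;  evs \<in> zg |]
-     ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs"
+     ==> Says B A \<lbrace>Number f_nrr, Agent A, Nonce L, NRR\<rbrace> \<in> set evs"
 apply clarify
 apply (erule rev_mp)
 apply (erule zg.induct) 
@@ -216,7 +216,7 @@
 done
 
 lemma NRR_sender:
-     "[|Says B' A {|n, a, l, Crypt (priK B) X|} \<in> set evs; evs \<in> zg|]
+     "[|Says B' A \<lbrace>n, a, l, Crypt (priK B) X\<rbrace> \<in> set evs; evs \<in> zg|]
     ==> B' \<in> {B,Spy}"
 apply (erule rev_mp)  
 apply (erule zg.induct, simp_all)
@@ -224,10 +224,10 @@
 
 text\<open>Holds also for @{term "B = Spy"}!\<close>
 theorem NRR_validity:
-     "[|Says B' A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs;
-        NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|};
+     "[|Says B' A \<lbrace>Number f_nrr, Agent A, Nonce L, NRR\<rbrace> \<in> set evs;
+        NRR = Crypt (priK B) \<lbrace>Number f_nrr, Agent A, Nonce L, C\<rbrace>;
         B \<notin> broken; evs \<in> zg|]
-    ==> Says B A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs"
+    ==> Says B A \<lbrace>Number f_nrr, Agent A, Nonce L, NRR\<rbrace> \<in> set evs"
 apply clarify 
 apply (frule NRR_sender, auto)
 txt\<open>We are left with the case where @{term "B' = Spy"} and  @{term "B' \<noteq> B"},
@@ -243,10 +243,10 @@
 
 text\<open>Strong conclusion for a good agent\<close>
 lemma sub_K_validity_good:
-     "[|sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
+     "[|sub_K = Crypt (priK A) \<lbrace>Number f_sub, Agent B, Nonce L, Key K\<rbrace>;
         sub_K \<in> parts (spies evs);
         A \<notin> bad;  evs \<in> zg |]
-     ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \<in> set evs"
+     ==> Says A TTP \<lbrace>Number f_sub, Agent B, Nonce L, Key K, sub_K\<rbrace> \<in> set evs"
 apply clarify
 apply (erule rev_mp)
 apply (erule zg.induct)
@@ -256,7 +256,7 @@
 done
 
 lemma sub_K_sender:
-     "[|Says A' TTP {|n, b, l, k, Crypt (priK A) X|} \<in> set evs;  evs \<in> zg|]
+     "[|Says A' TTP \<lbrace>n, b, l, k, Crypt (priK A) X\<rbrace> \<in> set evs;  evs \<in> zg|]
     ==> A' \<in> {A,Spy}"
 apply (erule rev_mp)  
 apply (erule zg.induct, simp_all)
@@ -264,10 +264,10 @@
 
 text\<open>Holds also for @{term "A = Spy"}!\<close>
 theorem sub_K_validity:
-     "[|Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \<in> set evs;
-        sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
+     "[|Gets TTP \<lbrace>Number f_sub, Agent B, Nonce L, Key K, sub_K\<rbrace> \<in> set evs;
+        sub_K = Crypt (priK A) \<lbrace>Number f_sub, Agent B, Nonce L, Key K\<rbrace>;
         A \<notin> broken;  evs \<in> zg |]
-     ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \<in> set evs"
+     ==> Says A TTP \<lbrace>Number f_sub, Agent B, Nonce L, Key K, sub_K\<rbrace> \<in> set evs"
 apply (drule Gets_imp_Says, assumption) 
 apply clarify 
 apply (frule sub_K_sender, auto)
@@ -288,9 +288,9 @@
 lemma con_K_validity:
      "[|con_K \<in> used evs;
         con_K = Crypt (priK TTP)
-                  {|Number f_con, Agent A, Agent B, Nonce L, Key K|};
+                  \<lbrace>Number f_con, Agent A, Agent B, Nonce L, Key K\<rbrace>;
         evs \<in> zg |]
-    ==> Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K|}
+    ==> Notes TTP \<lbrace>Number f_con, Agent A, Agent B, Nonce L, Key K, con_K\<rbrace>
           \<in> set evs"
 apply clarify
 apply (erule rev_mp)
@@ -306,11 +306,11 @@
  @{term sub_K}.  We assume that @{term A} is not broken.  Importantly, nothing
  needs to be assumed about the form of @{term con_K}!\<close>
 lemma Notes_TTP_imp_Says_A:
-     "[|Notes TTP {|Number f_con, Agent A, Agent B, Nonce L, Key K, con_K|}
+     "[|Notes TTP \<lbrace>Number f_con, Agent A, Agent B, Nonce L, Key K, con_K\<rbrace>
           \<in> set evs;
-        sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
+        sub_K = Crypt (priK A) \<lbrace>Number f_sub, Agent B, Nonce L, Key K\<rbrace>;
         A \<notin> broken; evs \<in> zg|]
-     ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \<in> set evs"
+     ==> Says A TTP \<lbrace>Number f_sub, Agent B, Nonce L, Key K, sub_K\<rbrace> \<in> set evs"
 apply clarify
 apply (erule rev_mp)
 apply (erule zg.induct)
@@ -324,11 +324,11 @@
    assume that @{term A} is not broken.\<close>
 theorem B_sub_K_validity:
      "[|con_K \<in> used evs;
-        con_K = Crypt (priK TTP) {|Number f_con, Agent A, Agent B,
-                                   Nonce L, Key K|};
-        sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
+        con_K = Crypt (priK TTP) \<lbrace>Number f_con, Agent A, Agent B,
+                                   Nonce L, Key K\<rbrace>;
+        sub_K = Crypt (priK A) \<lbrace>Number f_sub, Agent B, Nonce L, Key K\<rbrace>;
         A \<notin> broken; evs \<in> zg|]
-     ==> Says A TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|} \<in> set evs"
+     ==> Says A TTP \<lbrace>Number f_sub, Agent B, Nonce L, Key K, sub_K\<rbrace> \<in> set evs"
 by (blast dest: con_K_validity Notes_TTP_imp_Says_A)
 
 
@@ -340,9 +340,9 @@
 
 text\<open>Strange: unicity of the label protects @{term A}?\<close>
 lemma A_unicity: 
-     "[|NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, Crypt K M|};
+     "[|NRO = Crypt (priK A) \<lbrace>Number f_nro, Agent B, Nonce L, Crypt K M\<rbrace>;
         NRO \<in> parts (spies evs);
-        Says A B {|Number f_nro, Agent B, Nonce L, Crypt K M', NRO'|}
+        Says A B \<lbrace>Number f_nro, Agent B, Nonce L, Crypt K M', NRO'\<rbrace>
           \<in> set evs;
         A \<notin> bad; evs \<in> zg |]
      ==> M'=M"
@@ -359,13 +359,13 @@
 text\<open>Fairness lemma: if @{term sub_K} exists, then @{term A} holds 
 NRR.  Relies on unicity of labels.\<close>
 lemma sub_K_implies_NRR:
-     "[| NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, Crypt K M|};
-         NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, Crypt K M|};
+     "[| NRO = Crypt (priK A) \<lbrace>Number f_nro, Agent B, Nonce L, Crypt K M\<rbrace>;
+         NRR = Crypt (priK B) \<lbrace>Number f_nrr, Agent A, Nonce L, Crypt K M\<rbrace>;
          sub_K \<in> parts (spies evs);
          NRO \<in> parts (spies evs);
-         sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
+         sub_K = Crypt (priK A) \<lbrace>Number f_sub, Agent B, Nonce L, Key K\<rbrace>;
          A \<notin> bad;  evs \<in> zg |]
-     ==> Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs"
+     ==> Gets A \<lbrace>Number f_nrr, Agent A, Nonce L, NRR\<rbrace> \<in> set evs"
 apply clarify
 apply hypsubst_thin
 apply (erule rev_mp)
@@ -382,7 +382,7 @@
 
 
 lemma Crypt_used_imp_L_used:
-     "[| Crypt (priK TTP) {|F, A, B, L, K|} \<in> used evs; evs \<in> zg |]
+     "[| Crypt (priK TTP) \<lbrace>F, A, B, L, K\<rbrace> \<in> used evs; evs \<in> zg |]
       ==> L \<in> used evs"
 apply (erule rev_mp)
 apply (erule zg.induct, auto)
@@ -400,11 +400,11 @@
      "[|con_K \<in> used evs;
         NRO \<in> parts (spies evs);
         con_K = Crypt (priK TTP)
-                      {|Number f_con, Agent A, Agent B, Nonce L, Key K|};
-        NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, Crypt K M|};
-        NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, Crypt K M|};
+                      \<lbrace>Number f_con, Agent A, Agent B, Nonce L, Key K\<rbrace>;
+        NRO = Crypt (priK A) \<lbrace>Number f_nro, Agent B, Nonce L, Crypt K M\<rbrace>;
+        NRR = Crypt (priK B) \<lbrace>Number f_nrr, Agent A, Nonce L, Crypt K M\<rbrace>;
         A \<notin> bad;  evs \<in> zg |]
-    ==> Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs"
+    ==> Gets A \<lbrace>Number f_nrr, Agent A, Nonce L, NRR\<rbrace> \<in> set evs"
 apply clarify
 apply (erule rev_mp)
 apply (erule rev_mp)
@@ -427,10 +427,10 @@
 A}.\<close>
 theorem B_fairness_NRR:
      "[|NRR \<in> used evs;
-        NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|};
-        NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|};
+        NRR = Crypt (priK B) \<lbrace>Number f_nrr, Agent A, Nonce L, C\<rbrace>;
+        NRO = Crypt (priK A) \<lbrace>Number f_nro, Agent B, Nonce L, C\<rbrace>;
         B \<notin> bad; evs \<in> zg |]
-    ==> Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs"
+    ==> Gets B \<lbrace>Number f_nro, Agent B, Nonce L, C, NRO\<rbrace> \<in> set evs"
 apply clarify
 apply (erule rev_mp)
 apply (erule zg.induct)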
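Review bot: The new lines mix the symbolic tuple brackets `\<lbrace>…\<rbrace>` with ASCII meta-notation on the same statement — `[| … |]` and `==>` on every converted rule and lemma in ZhouGollmann.thy (first at ZG1 in hunk `@@ -43,24 +43,24 @@`), and additionally `-->`, `&` and `ALL C.` next to `\<lbrace>` in NSP_Bad.thy (e.g. `(ALL C. Says A C (Crypt (pubK C) (Nonce NB)) \<notin> set s)` in Spy_not_see_NB). Half-converted statements are harder to read than either pure form, so if "more symbols" is meant as a migration of these theories, a follow-up pass to `\<lbrakk>…\<rbrakk>`, `\<Longrightarrow>`, `\<longrightarrow>`, `\<and>` and `\<forall>` would leave each statement in one notation; presumably that is planned for later changesets. The inductive definition of zg starts before the first hunk, so the preceding rules are not visible here.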
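--- a/src/HOL/UNITY/Simple/NSP_Bad.thy	Mon Dec 28 21:47:32 2015 +0100
+++ b/src/HOL/UNITY/Simple/NSP_Bad.thy	Mon Dec 28 23:13:33 2015 +0100
@@ -33,7 +33,7 @@
   NS1 :: "(state*state) set"
   where "NS1 = {(s1,s').
              \<exists>A1 B NA.
-                 s' = Says A1 B (Crypt (pubK B) {|Nonce NA, Agent A1|}) # s1
+                 s' = Says A1 B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A1\<rbrace>) # s1
                & Nonce NA \<notin> used s1}"
 
   (*Bob responds to Alice's message with a further nonce*)
@@ -41,8 +41,8 @@
   NS2 :: "(state*state) set"
   where "NS2 = {(s2,s').
              \<exists>A' A2 B NA NB.
-                 s' = Says B A2 (Crypt (pubK A2) {|Nonce NA, Nonce NB|}) # s2
-               & Says A' B (Crypt (pubK B) {|Nonce NA, Agent A2|}) \<in> set s2
+                 s' = Says B A2 (Crypt (pubK A2) \<lbrace>Nonce NA, Nonce NB\<rbrace>) # s2
+               & Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A2\<rbrace>) \<in> set s2
                & Nonce NB \<notin> used s2}"
 
   (*Alice proves her existence by sending NB back to Bob.*)
@@ -51,8 +51,8 @@
   where "NS3 = {(s3,s').
              \<exists>A3 B' B NA NB.
                  s' = Says A3 B (Crypt (pubK B) (Nonce NB)) # s3
-               & Says A3  B (Crypt (pubK B) {|Nonce NA, Agent A3|}) \<in> set s3
-               & Says B' A3 (Crypt (pubK A3) {|Nonce NA, Nonce NB|}) \<in> set s3}"
+               & Says A3  B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A3\<rbrace>) \<in> set s3
+               & Says B' A3 (Crypt (pubK A3) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set s3}"
 
 
 definition Nprg :: "state program" where
@@ -151,8 +151,8 @@
      nonce is secret.  (Honest users generate fresh nonces.)*}
 lemma no_nonce_NS1_NS2:
  "Nprg
-  \<in> Always {s. Crypt (pubK C) {|NA', Nonce NA|} \<in> parts (spies s) -->
-                Crypt (pubK B) {|Nonce NA, Agent A|} \<in> parts (spies s) -->
+  \<in> Always {s. Crypt (pubK C) \<lbrace>NA', Nonce NA\<rbrace> \<in> parts (spies s) -->
+                Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (spies s) -->
                 Nonce NA \<in> analz (spies s)}"
 apply ns_induct
 apply (blast intro: analz_insertI)+
@@ -167,8 +167,8 @@
 lemma unique_NA_lemma:
      "Nprg
   \<in> Always {s. Nonce NA \<notin> analz (spies s) -->
-                Crypt(pubK B) {|Nonce NA, Agent A|} \<in> parts(spies s) -->
-                Crypt(pubK B') {|Nonce NA, Agent A'|} \<in> parts(spies s) -->
+                Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts(spies s) -->
+                Crypt(pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace> \<in> parts(spies s) -->
                 A=A' & B=B'}"
 apply ns_induct
 apply auto
@@ -177,8 +177,8 @@
 
 text{*Unicity for NS1: nonce NA identifies agents A and B*}
 lemma unique_NA:
-     "[| Crypt(pubK B)  {|Nonce NA, Agent A|} \<in> parts(spies s);
-         Crypt(pubK B') {|Nonce NA, Agent A'|} \<in> parts(spies s);
+     "[| Crypt(pubK B)  \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts(spies s);
+         Crypt(pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace> \<in> parts(spies s);
          Nonce NA \<notin> analz (spies s);
          s \<in> reachable Nprg |]
       ==> A=A' & B=B'"
@@ -189,7 +189,7 @@
 lemma Spy_not_see_NA:
      "[| A \<notin> bad;  B \<notin> bad |]
   ==> Nprg \<in> Always
-              {s. Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) \<in> set s
+              {s. Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set s
                   --> Nonce NA \<notin> analz (spies s)}"
 apply ns_induct
 txt{*NS3*}
@@ -208,9 +208,9 @@
 lemma A_trusts_NS2:
  "[| A \<notin> bad;  B \<notin> bad |]
   ==> Nprg \<in> Always
-              {s. Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) \<in> set s &
-                  Crypt(pubK A) {|Nonce NA, Nonce NB|} \<in> parts (knows Spy s)
-         --> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB|}) \<in> set s}"
+              {s. Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set s &
+                  Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace> \<in> parts (knows Spy s)
+         --> Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set s}"
   (*insert an invariant for use in some of the subgoals*)
 apply (insert Spy_not_see_NA [of A B NA], simp, ns_induct)
 apply (auto dest: unique_NA)
@@ -221,8 +221,8 @@
 lemma B_trusts_NS1:
      "Nprg \<in> Always
               {s. Nonce NA \<notin> analz (spies s) -->
-                  Crypt (pubK B) {|Nonce NA, Agent A|} \<in> parts (spies s)
-         --> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) \<in> set s}"
+                  Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (spies s)
+         --> Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set s}"
 apply ns_induct
 apply blast
 done
@@ -235,8 +235,8 @@
 lemma unique_NB_lemma:
  "Nprg
   \<in> Always {s. Nonce NB \<notin> analz (spies s)  -->
-                Crypt (pubK A) {|Nonce NA, Nonce NB|} \<in> parts (spies s) -->
-                Crypt(pubK A'){|Nonce NA', Nonce NB|} \<in> parts(spies s) -->
+                Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace> \<in> parts (spies s) -->
+                Crypt(pubK A') \<lbrace>Nonce NA', Nonce NB\<rbrace> \<in> parts(spies s) -->
                 A=A' & NA=NA'}"
 apply ns_induct
 apply auto
@@ -244,8 +244,8 @@
 done
 
 lemma unique_NB:
-     "[| Crypt(pubK A) {|Nonce NA, Nonce NB|} \<in> parts(spies s);
-         Crypt(pubK A'){|Nonce NA', Nonce NB|} \<in> parts(spies s);
+     "[| Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace> \<in> parts(spies s);
+         Crypt(pubK A') \<lbrace>Nonce NA', Nonce NB\<rbrace> \<in> parts(spies s);
          Nonce NB \<notin> analz (spies s);
          s \<in> reachable Nprg |]
       ==> A=A' & NA=NA'"
@@ -257,7 +257,7 @@
 lemma Spy_not_see_NB:
      "[| A \<notin> bad;  B \<notin> bad |]
   ==> Nprg \<in> Always
-              {s. Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \<in> set s &
+              {s. Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set s &
                   (ALL C. Says A C (Crypt (pubK C) (Nonce NB)) \<notin> set s)
                   --> Nonce NB \<notin> analz (spies s)}"
 apply ns_induct
@@ -280,7 +280,7 @@
      "[| A \<notin> bad;  B \<notin> bad |]
   ==> Nprg \<in> Always
               {s. Crypt (pubK B) (Nonce NB) \<in> parts (spies s) &
-                  Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \<in> set s
+                  Says B A  (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set s
                   --> (\<exists>C. Says A C (Crypt (pubK C) (Nonce NB)) \<in> set s)}"
   (*insert an invariant for use in some of the subgoals*)
 apply (insert Spy_not_see_NB [of A B NA NB], simp, ns_induct)
@@ -294,7 +294,7 @@
 text{*Can we strengthen the secrecy theorem?  NO*}
 lemma "[| A \<notin> bad;  B \<notin> bad |]
   ==> Nprg \<in> Always
-              {s. Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \<in> set s
+              {s. Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set s
                   --> Nonce NB \<notin> analz (spies s)}"
 apply ns_induct
 apply auto
@@ -317,13 +317,13 @@
 [| A \<notin> bad; B \<notin> bad |]
 ==> Nprg
    \<in> Always
-       {s. Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \<in> set s -->
+       {s. Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set s -->
            Nonce NB \<notin> analz (knows Spy s)}
  1. !!s B' C.
        [| A \<notin> bad; B \<notin> bad; s \<in> reachable Nprg
-          Says A C (Crypt (pubK C) {|Nonce NA, Agent A|}) \<in> set s;
-          Says B' A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \<in> set s;
-          C \<in> bad; Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) \<in> set s;
+          Says A C (Crypt (pubK C) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set s;
+          Says B' A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set s;
+          C \<in> bad; Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set s;
           Nonce NB \<notin> analz (knows Spy s) |]
        ==> False
 *)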