isabelle update_cartouches -c -t;
authorwenzelm
Thu Dec 10 21:39:33 2015 +0100 (2015-12-10)
changeset 618304f5ab843cf5b
parent 61829 55c85d25e18c
child 61831 c43f87119d80
child 61834 2154e6c8d52d
isabelle update_cartouches -c -t;
src/HOL/Auth/All_Symmetric.thy
src/HOL/Auth/Auth_Public.thy
src/HOL/Auth/Auth_Shared.thy
src/HOL/Auth/CertifiedEmail.thy
src/HOL/Auth/Event.thy
src/HOL/Auth/Guard/Analz.thy
src/HOL/Auth/Guard/Auth_Guard_Public.thy
src/HOL/Auth/Guard/Auth_Guard_Shared.thy
src/HOL/Auth/Guard/Extensions.thy
src/HOL/Auth/Guard/Guard.thy
src/HOL/Auth/Guard/GuardK.thy
src/HOL/Auth/Guard/Guard_NS_Public.thy
src/HOL/Auth/Guard/Guard_OtwayRees.thy
src/HOL/Auth/Guard/Guard_Public.thy
src/HOL/Auth/Guard/Guard_Shared.thy
src/HOL/Auth/Guard/Guard_Yahalom.thy
src/HOL/Auth/Guard/List_Msg.thy
src/HOL/Auth/Guard/P1.thy
src/HOL/Auth/Guard/P2.thy
src/HOL/Auth/Guard/Proto.thy
src/HOL/Auth/KerberosIV.thy
src/HOL/Auth/KerberosIV_Gets.thy
src/HOL/Auth/KerberosV.thy
src/HOL/Auth/Kerberos_BAN.thy
src/HOL/Auth/Kerberos_BAN_Gets.thy
src/HOL/Auth/Message.thy
src/HOL/Auth/NS_Public.thy
src/HOL/Auth/NS_Public_Bad.thy
src/HOL/Auth/NS_Shared.thy
src/HOL/Auth/OtwayRees.thy
src/HOL/Auth/OtwayReesBella.thy
src/HOL/Auth/OtwayRees_AN.thy
src/HOL/Auth/OtwayRees_Bad.thy
src/HOL/Auth/Public.thy
src/HOL/Auth/Recur.thy
src/HOL/Auth/Shared.thy
src/HOL/Auth/Smartcard/Auth_Smartcard.thy
src/HOL/Auth/Smartcard/EventSC.thy
src/HOL/Auth/Smartcard/ShoupRubin.thy
src/HOL/Auth/Smartcard/ShoupRubinBella.thy
src/HOL/Auth/Smartcard/Smartcard.thy
src/HOL/Auth/TLS.thy
src/HOL/Auth/WooLam.thy
src/HOL/Auth/Yahalom.thy
src/HOL/Auth/Yahalom2.thy
src/HOL/Auth/Yahalom_Bad.thy
src/HOL/Auth/ZhouGollmann.thy
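--- a/src/HOL/Auth/All_Symmetric.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/All_Symmetric.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -2,7 +2,7 @@
 imports Message
 begin
 
-text {* All keys are symmetric *}
+text \<open>All keys are symmetric\<close>
 
 defs all_symmetric_def: "all_symmetric \<equiv> True"
 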
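--- a/src/HOL/Auth/Auth_Public.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/Auth_Public.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -2,7 +2,7 @@
     Copyright   1996  University of Cambridge
 *)
 
-section {* Conventional protocols: rely on conventional Message, Event and Public -- Public-key protocols *}
+section \<open>Conventional protocols: rely on conventional Message, Event and Public -- Public-key protocols\<close>
 
 theory Auth_Public
 imports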
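--- a/src/HOL/Auth/Auth_Shared.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/Auth_Shared.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -2,7 +2,7 @@
     Copyright   1996  University of Cambridge
 *)
 
-section {* Conventional protocols: rely on conventional Message, Event and Public -- Shared-key protocols *}
+section \<open>Conventional protocols: rely on conventional Message, Event and Public -- Shared-key protocols\<close>
 
 theory Auth_Shared
 imports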
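--- a/src/HOL/Auth/CertifiedEmail.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/CertifiedEmail.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -2,7 +2,7 @@
     Author:     Giampaolo Bella, Christiano Longo and Lawrence C Paulson
 *)
 
-section{*The Certified Electronic Mail Protocol by Abadi et al.*}
+section\<open>The Certified Electronic Mail Protocol by Abadi et al.\<close>
 
 theory CertifiedEmail imports Public begin
 
@@ -23,7 +23,7 @@
   SAuth    :: nat
   BothAuth :: nat
 
-text{*We formalize a fixed way of computing responses.  Could be better.*}
+text\<open>We formalize a fixed way of computing responses.  Could be better.\<close>
 definition "response" :: "agent => agent => nat => msg" where
    "response S R q == Hash {|Agent S, Key (shrK R), Nonce q|}"
 
@@ -31,20 +31,20 @@
 inductive_set certified_mail :: "event list set"
   where
 
-  Nil: --{*The empty trace*}
+  Nil: \<comment>\<open>The empty trace\<close>
      "[] \<in> certified_mail"
 
-| Fake: --{*The Spy may say anything he can say.  The sender field is correct,
-          but agents don't use that information.*}
+| Fake: \<comment>\<open>The Spy may say anything he can say.  The sender field is correct,
+          but agents don't use that information.\<close>
       "[| evsf \<in> certified_mail; X \<in> synth(analz(spies evsf))|] 
       ==> Says Spy B X # evsf \<in> certified_mail"
 
-| FakeSSL: --{*The Spy may open SSL sessions with TTP, who is the only agent
-    equipped with the necessary credentials to serve as an SSL server.*}
+| FakeSSL: \<comment>\<open>The Spy may open SSL sessions with TTP, who is the only agent
+    equipped with the necessary credentials to serve as an SSL server.\<close>
         "[| evsfssl \<in> certified_mail; X \<in> synth(analz(spies evsfssl))|]
          ==> Notes TTP {|Agent Spy, Agent TTP, X|} # evsfssl \<in> certified_mail"
 
-| CM1: --{*The sender approaches the recipient.  The message is a number.*}
+| CM1: \<comment>\<open>The sender approaches the recipient.  The message is a number.\<close>
  "[|evs1 \<in> certified_mail;
     Key K \<notin> used evs1;
     K \<in> symKeys;
@@ -55,8 +55,8 @@
                  Number cleartext, Nonce q, S2TTP|} # evs1 
         \<in> certified_mail"
 
-| CM2: --{*The recipient records @{term S2TTP} while transmitting it and her
-     password to @{term TTP} over an SSL channel.*}
+| CM2: \<comment>\<open>The recipient records @{term S2TTP} while transmitting it and her
+     password to @{term TTP} over an SSL channel.\<close>
  "[|evs2 \<in> certified_mail;
     Gets R {|Agent S, Agent TTP, em, Number BothAuth, Number cleartext, 
              Nonce q, S2TTP|} \<in> set evs2;
@@ -66,11 +66,11 @@
    Notes TTP {|Agent R, Agent TTP, S2TTP, Key(RPwd R), hr|} # evs2
       \<in> certified_mail"
 
-| CM3: --{*@{term TTP} simultaneously reveals the key to the recipient and gives
+| CM3: \<comment>\<open>@{term TTP} simultaneously reveals the key to the recipient and gives
          a receipt to the sender.  The SSL channel does not authenticate 
          the client (@{term R}), but @{term TTP} accepts the message only 
          if the given password is that of the claimed sender, @{term R}.
-         He replies over the established SSL channel.*}
+         He replies over the established SSL channel.\<close>
  "[|evs3 \<in> certified_mail;
     Notes TTP {|Agent R, Agent TTP, S2TTP, Key(RPwd R), hr|} \<in> set evs3;
     S2TTP = Crypt (pubEK TTP) 
@@ -137,9 +137,9 @@
 apply (synth_analz_mono_contra, simp_all, blast+)
 done 
 
-text{*Cannot strengthen the first disjunct to @{term "R\<noteq>Spy"} because
+text\<open>Cannot strengthen the first disjunct to @{term "R\<noteq>Spy"} because
 the fakessl rule allows Spy to spoof the sender's name.  Maybe can
-strengthen the second disjunct with @{term "R\<noteq>Spy"}.*}
+strengthen the second disjunct with @{term "R\<noteq>Spy"}.\<close>
 lemma hr_form:
  "[|Notes TTP {|Agent R, Agent TTP, S2TTP, pwd, hr|} \<in> set evs;
     evs \<in> certified_mail|]
@@ -152,11 +152,11 @@
      ==> A \<in> bad"
 apply (erule rev_mp) 
 apply (erule certified_mail.induct, simp_all)
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply (blast dest: Fake_parts_insert_in_Un) 
-txt{*Message 1*}
+txt\<open>Message 1\<close>
 apply blast  
-txt{*Message 3*}
+txt\<open>Message 3\<close>
 apply (frule_tac hr_form, assumption)
 apply (elim disjE exE) 
 apply (simp_all add: parts_insert2) 
@@ -177,8 +177,8 @@
      "evs \<in> certified_mail ==> Key (privateKey b TTP) \<notin> analz(spies evs)"
 by auto
 
-text{*Thus, prove any goal that assumes that @{term Spy} knows a private key
-belonging to @{term TTP}*}
+text\<open>Thus, prove any goal that assumes that @{term Spy} knows a private key
+belonging to @{term TTP}\<close>
 declare Spy_dont_know_TTPKey_parts [THEN [2] rev_notE, elim!]
 
 
@@ -192,22 +192,22 @@
 apply (erule rev_mp)
 apply (erule certified_mail.induct, simp_all)
    apply (blast  intro:parts_insertI)
-txt{*Fake SSL*}
+txt\<open>Fake SSL\<close>
 apply (blast dest: parts.Body) 
-txt{*Message 2*}
+txt\<open>Message 2\<close>
 apply (blast dest!: Gets_imp_Says elim!: knows_Spy_partsEs)
-txt{*Message 3*}
+txt\<open>Message 3\<close>
 apply (metis parts_insertI)
 done
 
 lemma Spy_dont_know_RPwd [rule_format]:
     "evs \<in> certified_mail ==> Key (RPwd A) \<in> parts(spies evs) --> A \<in> bad"
 apply (erule certified_mail.induct, simp_all) 
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply (blast dest: Fake_parts_insert_in_Un) 
-txt{*Message 1*}
+txt\<open>Message 1\<close>
 apply blast  
-txt{*Message 3*}
+txt\<open>Message 3\<close>
 apply (frule CM3_k_parts_knows_Spy, assumption)
 apply (frule_tac hr_form, assumption)
 apply (elim disjE exE) 
@@ -225,17 +225,17 @@
     "evs \<in> certified_mail ==> (Key (RPwd A) \<in> analz(spies evs)) = (A\<in>bad)"
 by (metis Spy_know_RPwd_iff Spy_spies_bad_shrK analz.Inj analz_into_parts)
 
-text{*Unused, but a guarantee of sorts*}
+text\<open>Unused, but a guarantee of sorts\<close>
 theorem CertAutenticity:
      "[|Crypt (priSK TTP) X \<in> parts (spies evs); evs \<in> certified_mail|] 
      ==> \<exists>A. Says TTP A (Crypt (priSK TTP) X) \<in> set evs"
 apply (erule rev_mp)
 apply (erule certified_mail.induct, simp_all) 
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply (blast dest: Spy_dont_know_private_keys Fake_parts_insert_in_Un)
-txt{*Message 1*}
+txt\<open>Message 1\<close>
 apply blast 
-txt{*Message 3*}
+txt\<open>Message 3\<close>
 apply (frule_tac hr_form, assumption)
 apply (elim disjE exE) 
 apply (simp_all add: parts_insert2 parts_insert_knows_A) 
@@ -243,7 +243,7 @@
 done
 
 
-subsection{*Proving Confidentiality Results*}
+subsection\<open>Proving Confidentiality Results\<close>
 
 lemma analz_image_freshK [rule_format]:
  "evs \<in> certified_mail ==>
@@ -269,8 +269,8 @@
       (K = KAB | Key K \<in> analz (spies evs))"
 by (simp only: analz_image_freshK analz_image_freshK_simps)
 
-text{*@{term S2TTP} must have originated from a valid sender
-    provided @{term K} is secure.  Proof is surprisingly hard.*}
+text\<open>@{term S2TTP} must have originated from a valid sender
+    provided @{term K} is secure.  Proof is surprisingly hard.\<close>
 
 lemma Notes_SSL_imp_used:
      "[|Notes B {|Agent A, Agent B, X|} \<in> set evs|] ==> X \<in> used evs"
@@ -294,18 +294,18 @@
 apply (erule certified_mail.induct, analz_mono_contra)
 apply (drule_tac [5] CM2_S2TTP_parts_knows_Spy, simp)
 apply (simp add: used_Nil Crypt_notin_initState, simp_all)
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply (blast dest: Fake_parts_sing [THEN subsetD]
              dest!: analz_subset_parts [THEN subsetD])  
-txt{*Fake SSL*}
+txt\<open>Fake SSL\<close>
 apply (blast dest: Fake_parts_sing [THEN subsetD]
              dest: analz_subset_parts [THEN subsetD])  
-txt{*Message 1*}
+txt\<open>Message 1\<close>
 apply (clarsimp, blast)
-txt{*Message 2*}
+txt\<open>Message 2\<close>
 apply (simp add: parts_insert2, clarify) 
 apply (metis parts_cut Un_empty_left usedI)
-txt{*Message 3*} 
+txt\<open>Message 3\<close> 
 apply (blast dest: Notes_SSL_imp_used used_parts_subset_parts) 
 done 
 
@@ -323,26 +323,26 @@
 by (blast intro: S2TTP_sender_lemma) 
 
 
-text{*Nobody can have used non-existent keys!*}
+text\<open>Nobody can have used non-existent keys!\<close>
 lemma new_keys_not_used [simp]:
     "[|Key K \<notin> used evs; K \<in> symKeys; evs \<in> certified_mail|]
     ==> K \<notin> keysFor (parts (spies evs))"
 apply (erule rev_mp) 
 apply (erule certified_mail.induct, simp_all) 
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply (force dest!: keysFor_parts_insert) 
-txt{*Message 1*}
+txt\<open>Message 1\<close>
 apply blast 
-txt{*Message 3*}
+txt\<open>Message 3\<close>
 apply (frule CM3_k_parts_knows_Spy, assumption)
 apply (frule_tac hr_form, assumption) 
 apply (force dest!: keysFor_parts_insert)
 done
 
 
-text{*Less easy to prove @{term "m'=m"}.  Maybe needs a separate unicity
+text\<open>Less easy to prove @{term "m'=m"}.  Maybe needs a separate unicity
 theorem for ciphertexts of the form @{term "Crypt K (Number m)"}, 
-where @{term K} is secure.*}
+where @{term K} is secure.\<close>
 lemma Key_unique_lemma [rule_format]:
      "evs \<in> certified_mail ==>
       Key K \<notin> analz (spies evs) -->
@@ -360,13 +360,13 @@
          \<in> set evs --> R' = R & S' = S & AO' = AO & hs' = hs))" 
 apply (erule certified_mail.induct, analz_mono_contra, simp_all)
  prefer 2
- txt{*Message 1*}
+ txt\<open>Message 1\<close>
  apply (blast dest!: Says_imp_knows_Spy [THEN parts.Inj] new_keys_not_used Crypt_imp_keysFor)
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply (auto dest!: usedI S2TTP_sender analz_subset_parts [THEN subsetD]) 
 done
 
-text{*The key determines the sender, recipient and protocol options.*}
+text\<open>The key determines the sender, recipient and protocol options.\<close>
 lemma Key_unique:
       "[|Says S R
            {|Agent S, Agent TTP, Crypt K (Number m), Number AO,
@@ -384,11 +384,11 @@
 by (rule Key_unique_lemma, assumption+)
 
 
-subsection{*The Guarantees for Sender and Recipient*}
+subsection\<open>The Guarantees for Sender and Recipient\<close>
 
-text{*A Sender's guarantee:
+text\<open>A Sender's guarantee:
       If Spy gets the key then @{term R} is bad and @{term S} moreover
-      gets his return receipt (and therefore has no grounds for complaint).*}
+      gets his return receipt (and therefore has no grounds for complaint).\<close>
 theorem S_fairness_bad_R:
       "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, 
                     Number cleartext, Nonce q, S2TTP|} \<in> set evs;
@@ -401,11 +401,11 @@
 apply (erule ssubst)
 apply (erule rev_mp)
 apply (erule certified_mail.induct, simp_all)
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply spy_analz
-txt{*Fake SSL*}
+txt\<open>Fake SSL\<close>
 apply spy_analz
-txt{*Message 3*}
+txt\<open>Message 3\<close>
 apply (frule_tac hr_form, assumption)
 apply (elim disjE exE) 
 apply (simp_all add: synth_analz_insert_eq  
@@ -416,7 +416,7 @@
 apply (blast dest: Notes_SSL_imp_used S2TTP_sender Key_unique)+
 done
 
-text{*Confidentially for the symmetric key*}
+text\<open>Confidentially for the symmetric key\<close>
 theorem Spy_not_see_encrypted_key:
       "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, 
                     Number cleartext, Nonce q, S2TTP|} \<in> set evs;
@@ -427,8 +427,8 @@
 by (blast dest: S_fairness_bad_R) 
 
 
-text{*Agent @{term R}, who may be the Spy, doesn't receive the key
- until @{term S} has access to the return receipt.*} 
+text\<open>Agent @{term R}, who may be the Spy, doesn't receive the key
+ until @{term S} has access to the return receipt.\<close> 
 theorem S_guarantee:
      "[|Says S R {|Agent S, Agent TTP, Crypt K (Number m), Number AO, 
                    Number cleartext, Nonce q, S2TTP|} \<in> set evs;
@@ -440,16 +440,16 @@
 apply (erule ssubst)
 apply (erule rev_mp)
 apply (erule certified_mail.induct, simp_all)
-txt{*Message 1*}
+txt\<open>Message 1\<close>
 apply (blast dest: Notes_imp_used) 
-txt{*Message 3*}
+txt\<open>Message 3\<close>
 apply (blast dest: Notes_SSL_imp_used S2TTP_sender Key_unique S_fairness_bad_R) 
 done
 
 
-text{*If @{term R} sends message 2, and a delivery certificate exists, 
+text\<open>If @{term R} sends message 2, and a delivery certificate exists, 
  then @{term R} receives the necessary key.  This result is also important
- to @{term S}, as it confirms the validity of the return receipt.*}
+ to @{term S}, as it confirms the validity of the return receipt.\<close>
 theorem RR_validity:
   "[|Crypt (priSK TTP) S2TTP \<in> used evs;
     S2TTP = Crypt (pubEK TTP)
@@ -462,16 +462,16 @@
 apply (erule ssubst)
 apply (erule ssubst)
 apply (erule certified_mail.induct, simp_all)
-txt{*Fake*} 
+txt\<open>Fake\<close> 
 apply (blast dest: Fake_parts_sing [THEN subsetD]
             dest!: analz_subset_parts [THEN subsetD])  
-txt{*Fake SSL*}
+txt\<open>Fake SSL\<close>
 apply (blast dest: Fake_parts_sing [THEN subsetD]
            dest!: analz_subset_parts [THEN subsetD])  
-txt{*Message 2*}
+txt\<open>Message 2\<close>
 apply (drule CM2_S2TTP_parts_knows_Spy, assumption)
 apply (force dest: parts_cut)
-txt{*Message 3*}
+txt\<open>Message 3\<close>
 apply (frule_tac hr_form, assumption)
 apply (elim disjE exE, simp_all) 
 apply (blast dest: Fake_parts_sing [THEN subsetD]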
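--- a/src/HOL/Auth/Event.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/Event.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -8,7 +8,7 @@
     stores are visible to him
 *)
 
-section{*Theory of Events for Security Protocols*}
+section\<open>Theory of Events for Security Protocols\<close>
 
 theory Event imports Message begin
 
@@ -21,9 +21,9 @@
         | Notes agent       msg
        
 consts 
-  bad    :: "agent set"                         -- {* compromised agents *}
+  bad    :: "agent set"                         \<comment> \<open>compromised agents\<close>
 
-text{*Spy has access to his own key for spoof messages, but Server is secure*}
+text\<open>Spy has access to his own key for spoof messages, but Server is secure\<close>
 specification (bad)
   Spy_in_bad     [iff]: "Spy \<in> bad"
   Server_not_bad [iff]: "Server \<notin> bad"
@@ -54,7 +54,7 @@
   therefore the oops case must use Notes
 *)
 
-text{*The constant "spies" is retained for compatibility's sake*}
+text\<open>The constant "spies" is retained for compatibility's sake\<close>
 
 abbreviation (input)
   spies  :: "event list => msg set" where
@@ -72,9 +72,9 @@
                         Says A B X => parts {X} \<union> used evs
                       | Gets A X   => used evs
                       | Notes A X  => parts {X} \<union> used evs)"
-    --{*The case for @{term Gets} seems anomalous, but @{term Gets} always
+    \<comment>\<open>The case for @{term Gets} seems anomalous, but @{term Gets} always
         follows @{term Says} in real protocols.  Seems difficult to change.
-        See @{text Gets_correct} in theory @{text "Guard/Extensions.thy"}. *}
+        See \<open>Gets_correct\<close> in theory \<open>Guard/Extensions.thy\<close>.\<close>
 
 lemma Notes_imp_used [rule_format]: "Notes A X \<in> set evs --> X \<in> used evs"
 apply (induct_tac evs)
@@ -87,7 +87,7 @@
 done
 
 
-subsection{*Function @{term knows}*}
+subsection\<open>Function @{term knows}\<close>
 
 (*Simplifying   
  parts(insert X (knows Spy evs)) = parts{X} \<union> parts(knows Spy evs).
@@ -98,8 +98,8 @@
      "knows Spy (Says A B X # evs) = insert X (knows Spy evs)"
 by simp
 
-text{*Letting the Spy see "bad" agents' notes avoids redundant case-splits
-      on whether @{term "A=Spy"} and whether @{term "A\<in>bad"}*}
+text\<open>Letting the Spy see "bad" agents' notes avoids redundant case-splits
+      on whether @{term "A=Spy"} and whether @{term "A\<in>bad"}\<close>
 lemma knows_Spy_Notes [simp]:
      "knows Spy (Notes A X # evs) =  
          (if A:bad then insert X (knows Spy evs) else knows Spy evs)"
@@ -120,7 +120,7 @@
      "knows Spy evs \<subseteq> knows Spy (Gets A X # evs)"
 by (simp add: subset_insertI)
 
-text{*Spy sees what is sent on the traffic*}
+text\<open>Spy sees what is sent on the traffic\<close>
 lemma Says_imp_knows_Spy [rule_format]:
      "Says A B X \<in> set evs --> X \<in> knows Spy evs"
 apply (induct_tac "evs")
@@ -134,8 +134,8 @@
 done
 
 
-text{*Elimination rules: derive contradictions from old Says events containing
-  items known to be fresh*}
+text\<open>Elimination rules: derive contradictions from old Says events containing
+  items known to be fresh\<close>
 lemmas Says_imp_parts_knows_Spy = 
        Says_imp_knows_Spy [THEN parts.Inj, elim_format] 
 
@@ -144,13 +144,13 @@
 
 lemmas Says_imp_analz_Spy = Says_imp_knows_Spy [THEN analz.Inj]
 
-text{*Compatibility for the old "spies" function*}
+text\<open>Compatibility for the old "spies" function\<close>
 lemmas spies_partsEs = knows_Spy_partsEs
 lemmas Says_imp_spies = Says_imp_knows_Spy
 lemmas parts_insert_spies = parts_insert_knows_A [of _ Spy]
 
 
-subsection{*Knowledge of Agents*}
+subsection\<open>Knowledge of Agents\<close>
 
 lemma knows_subset_knows_Says: "knows A evs \<subseteq> knows A (Says A' B X # evs)"
 by (simp add: subset_insertI)
@@ -161,21 +161,21 @@
 lemma knows_subset_knows_Gets: "knows A evs \<subseteq> knows A (Gets A' X # evs)"
 by (simp add: subset_insertI)
 
-text{*Agents know what they say*}
+text\<open>Agents know what they say\<close>
 lemma Says_imp_knows [rule_format]: "Says A B X \<in> set evs --> X \<in> knows A evs"
 apply (induct_tac "evs")
 apply (simp_all (no_asm_simp) split add: event.split)
 apply blast
 done
 
-text{*Agents know what they note*}
+text\<open>Agents know what they note\<close>
 lemma Notes_imp_knows [rule_format]: "Notes A X \<in> set evs --> X \<in> knows A evs"
 apply (induct_tac "evs")
 apply (simp_all (no_asm_simp) split add: event.split)
 apply blast
 done
 
-text{*Agents know what they receive*}
+text\<open>Agents know what they receive\<close>
 lemma Gets_imp_knows_agents [rule_format]:
      "A \<noteq> Spy --> Gets A X \<in> set evs --> X \<in> knows A evs"
 apply (induct_tac "evs")
@@ -183,8 +183,8 @@
 done
 
 
-text{*What agents DIFFERENT FROM Spy know 
-  was either said, or noted, or got, or known initially*}
+text\<open>What agents DIFFERENT FROM Spy know 
+  was either said, or noted, or got, or known initially\<close>
 lemma knows_imp_Says_Gets_Notes_initState [rule_format]:
      "[| X \<in> knows A evs; A \<noteq> Spy |] ==> EX B.  
   Says A B X \<in> set evs | Gets A X \<in> set evs | Notes A X \<in> set evs | X \<in> initState A"
@@ -194,8 +194,8 @@
 apply blast
 done
 
-text{*What the Spy knows -- for the time being --
-  was either said or noted, or known initially*}
+text\<open>What the Spy knows -- for the time being --
+  was either said or noted, or known initially\<close>
 lemma knows_Spy_imp_Says_Notes_initState [rule_format]:
      "[| X \<in> knows Spy evs |] ==> EX A B.  
   Says A B X \<in> set evs | Notes A X \<in> set evs | X \<in> initState Spy"
@@ -231,15 +231,15 @@
 apply (blast intro: initState_into_used)
 done
 
-text{*NOTE REMOVAL--laws above are cleaner, as they don't involve "case"*}
+text\<open>NOTE REMOVAL--laws above are cleaner, as they don't involve "case"\<close>
 declare knows_Cons [simp del]
         used_Nil [simp del] used_Cons [simp del]
 
 
-text{*For proving theorems of the form @{term "X \<notin> analz (knows Spy evs) --> P"}
+text\<open>For proving theorems of the form @{term "X \<notin> analz (knows Spy evs) --> P"}
   New events added by induction to "evs" are discarded.  Provided 
   this information isn't needed, the proof will be much shorter, since
-  it will omit complicated reasoning about @{term analz}.*}
+  it will omit complicated reasoning about @{term analz}.\<close>
 
 lemmas analz_mono_contra =
        knows_Spy_subset_knows_Spy_Says [THEN analz_mono, THEN contra_subsetD]
@@ -256,7 +256,7 @@
 done
 
 
-text{*For proving @{text new_keys_not_used}*}
+text\<open>For proving \<open>new_keys_not_used\<close>\<close>
 lemma keysFor_parts_insert:
      "[| K \<in> keysFor (parts (insert X G));  X \<in> synth (analz H) |] 
      ==> K \<in> keysFor (parts (G \<union> H)) | Key (invKey K) \<in> parts H"
@@ -269,23 +269,23 @@
 lemmas analz_impI = impI [where P = "Y \<notin> analz (knows Spy evs)"] for Y evs
 
 ML
-{*
+\<open>
 fun analz_mono_contra_tac ctxt = 
   resolve_tac ctxt @{thms analz_impI} THEN' 
   REPEAT1 o (dresolve_tac ctxt @{thms analz_mono_contra})
   THEN' (mp_tac ctxt)
-*}
+\<close>
 
-method_setup analz_mono_contra = {*
-    Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (analz_mono_contra_tac ctxt))) *}
+method_setup analz_mono_contra = \<open>
+    Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (analz_mono_contra_tac ctxt)))\<close>
     "for proving theorems of the form X \<notin> analz (knows Spy evs) --> P"
 
-subsubsection{*Useful for case analysis on whether a hash is a spoof or not*}
+subsubsection\<open>Useful for case analysis on whether a hash is a spoof or not\<close>
 
 lemmas syan_impI = impI [where P = "Y \<notin> synth (analz (knows Spy evs))"] for Y evs
 
 ML
-{*
+\<open>
 fun synth_analz_mono_contra_tac ctxt = 
   resolve_tac ctxt @{thms syan_impI} THEN'
   REPEAT1 o 
@@ -295,10 +295,10 @@
      @{thm knows_Spy_subset_knows_Spy_Gets} RS @{thm synth_analz_mono} RS @{thm contra_subsetD}])
   THEN'
   mp_tac ctxt
-*}
+\<close>
 
-method_setup synth_analz_mono_contra = {*
-    Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (synth_analz_mono_contra_tac ctxt))) *}
+method_setup synth_analz_mono_contra = \<open>
+    Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (synth_analz_mono_contra_tac ctxt)))\<close>
     "for proving theorems of the form X \<notin> synth (analz (knows Spy evs)) --> P"
 
 end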
     6.1 --- a/src/HOL/Auth/Guard/Analz.thy	Thu Dec 10 21:31:24 2015 +0100
     6.2 +++ b/src/HOL/Auth/Guard/Analz.thy	Thu Dec 10 21:39:33 2015 +0100
     6.3 @@ -3,14 +3,14 @@
     6.4      Copyright   2001  University of Cambridge
     6.5  *)
     6.6  
     6.7 -section{*Decomposition of Analz into two parts*}
     6.8 +section\<open>Decomposition of Analz into two parts\<close>
     6.9  
    6.10  theory Analz imports Extensions begin
    6.11  
    6.12 -text{*decomposition of @{term analz} into two parts: 
    6.13 -      @{term pparts} (for pairs) and analz of @{term kparts}*}
    6.14 +text\<open>decomposition of @{term analz} into two parts: 
    6.15 +      @{term pparts} (for pairs) and analz of @{term kparts}\<close>
    6.16  
    6.17 -subsection{*messages that do not contribute to analz*}
    6.18 +subsection\<open>messages that do not contribute to analz\<close>
    6.19  
    6.20  inductive_set
    6.21    pparts :: "msg set => msg set"
    6.22 @@ -20,7 +20,7 @@
    6.23  | Fst [dest]: "[| {|X,Y|}:pparts H; is_MPair X |] ==> X:pparts H"
    6.24  | Snd [dest]: "[| {|X,Y|}:pparts H; is_MPair Y |] ==> Y:pparts H"
    6.25  
    6.26 -subsection{*basic facts about @{term pparts}*}
    6.27 +subsection\<open>basic facts about @{term pparts}\<close>
    6.28  
    6.29  lemma pparts_is_MPair [dest]: "X:pparts H ==> is_MPair X"
    6.30  by (erule pparts.induct, auto)
    6.31 @@ -98,13 +98,13 @@
    6.32  lemma in_pparts: "Y:pparts H ==> EX X. X:H & Y:pparts {X}"
    6.33  by (erule pparts.induct, auto)
    6.34  
    6.35 -subsection{*facts about @{term pparts} and @{term parts}*}
    6.36 +subsection\<open>facts about @{term pparts} and @{term parts}\<close>
    6.37  
    6.38  lemma pparts_no_Nonce [dest]: "[| X:pparts {Y}; Nonce n ~:parts {Y} |]
    6.39  ==> Nonce n ~:parts {X}"
    6.40  by (erule pparts.induct, simp_all)
    6.41  
    6.42 -subsection{*facts about @{term pparts} and @{term analz}*}
    6.43 +subsection\<open>facts about @{term pparts} and @{term analz}\<close>
    6.44  
    6.45  lemma pparts_analz: "X:pparts H ==> X:analz H"
    6.46  by (erule pparts.induct, auto)
    6.47 @@ -112,7 +112,7 @@
    6.48  lemma pparts_analz_sub: "[| X:pparts G; G<=H |] ==> X:analz H"
    6.49  by (auto dest: pparts_sub pparts_analz)
    6.50  
    6.51 -subsection{*messages that contribute to analz*}
    6.52 +subsection\<open>messages that contribute to analz\<close>
    6.53  
    6.54  inductive_set
    6.55    kparts :: "msg set => msg set"
    6.56 @@ -122,7 +122,7 @@
    6.57  | Fst [intro]: "[| {|X,Y|}:pparts H; not_MPair X |] ==> X:kparts H"
    6.58  | Snd [intro]: "[| {|X,Y|}:pparts H; not_MPair Y |] ==> Y:kparts H"
    6.59  
    6.60 -subsection{*basic facts about @{term kparts}*}
    6.61 +subsection\<open>basic facts about @{term kparts}\<close>
    6.62  
    6.63  lemma kparts_not_MPair [dest]: "X:kparts H ==> not_MPair X"
    6.64  by (erule kparts.induct, auto)
    6.65 @@ -195,7 +195,7 @@
    6.66  lemma kparts_has_no_pair [iff]: "has_no_pair (kparts H)"
    6.67  by auto
    6.68  
    6.69 -subsection{*facts about @{term kparts} and @{term parts}*}
    6.70 +subsection\<open>facts about @{term kparts} and @{term parts}\<close>
    6.71  
    6.72  lemma kparts_no_Nonce [dest]: "[| X:kparts {Y}; Nonce n ~:parts {Y} |]
    6.73  ==> Nonce n ~:parts {X}"
    6.74 @@ -212,7 +212,7 @@
    6.75  Nonce n:parts {Y} |] ==> Nonce n:parts {Z}"
    6.76  by auto
    6.77  
    6.78 -subsection{*facts about @{term kparts} and @{term analz}*}
    6.79 +subsection\<open>facts about @{term kparts} and @{term analz}\<close>
    6.80  
    6.81  lemma kparts_analz: "X:kparts H ==> X:analz H"
    6.82  by (erule kparts.induct, auto dest: pparts_analz)
    6.83 @@ -247,7 +247,7 @@
    6.84  by (metis Fake_parts_insert_in_Un Nonce_kparts_synth UnE analz_conj_parts synth_simps(5))
    6.85  
    6.86  
    6.87 -subsection{*analz is pparts + analz of kparts*}
    6.88 +subsection\<open>analz is pparts + analz of kparts\<close>
    6.89  
    6.90  lemma analz_pparts_kparts: "X:analz H ==> X:pparts H | X:analz (kparts H)"
    6.91  by (erule analz.induct, auto) 
     7.1 --- a/src/HOL/Auth/Guard/Auth_Guard_Public.thy	Thu Dec 10 21:31:24 2015 +0100
     7.2 +++ b/src/HOL/Auth/Guard/Auth_Guard_Public.thy	Thu Dec 10 21:39:33 2015 +0100
     7.3 @@ -2,7 +2,7 @@
     7.4      Copyright   1996  University of Cambridge
     7.5  *)
     7.6  
     7.7 -section {* Blanqui's "guard" concept: protocol-independent secrecy *}
     7.8 +section \<open>Blanqui's "guard" concept: protocol-independent secrecy\<close>
     7.9  
    7.10  theory Auth_Guard_Public
    7.11  imports
     8.1 --- a/src/HOL/Auth/Guard/Auth_Guard_Shared.thy	Thu Dec 10 21:31:24 2015 +0100
     8.2 +++ b/src/HOL/Auth/Guard/Auth_Guard_Shared.thy	Thu Dec 10 21:39:33 2015 +0100
     8.3 @@ -2,7 +2,7 @@
     8.4      Copyright   1996  University of Cambridge
     8.5  *)
     8.6  
     8.7 -section {* Blanqui's "guard" concept: protocol-independent secrecy *}
     8.8 +section \<open>Blanqui's "guard" concept: protocol-independent secrecy\<close>
     8.9  
    8.10  theory Auth_Guard_Shared
    8.11  imports
     9.1 --- a/src/HOL/Auth/Guard/Extensions.thy	Thu Dec 10 21:31:24 2015 +0100
     9.2 +++ b/src/HOL/Auth/Guard/Extensions.thy	Thu Dec 10 21:39:33 2015 +0100
     9.3 @@ -3,13 +3,13 @@
     9.4      Copyright   2001  University of Cambridge
     9.5  *)
     9.6  
     9.7 -section {*Extensions to Standard Theories*}
     9.8 +section \<open>Extensions to Standard Theories\<close>
     9.9  
    9.10  theory Extensions
    9.11  imports "../Event"
    9.12  begin
    9.13  
    9.14 -subsection{*Extensions to Theory @{text Set}*}
    9.15 +subsection\<open>Extensions to Theory \<open>Set\<close>\<close>
    9.16  
    9.17  lemma eq: "[| !!x. x:A ==> x:B; !!x. x:B ==> x:A |] ==> A=B"
    9.18  by auto
    9.19 @@ -21,9 +21,9 @@
    9.20  by auto
    9.21  
    9.22  
    9.23 -subsection{*Extensions to Theory @{text List}*}
    9.24 +subsection\<open>Extensions to Theory \<open>List\<close>\<close>
    9.25  
    9.26 -subsubsection{*"remove l x" erase the first element of "l" equal to "x"*}
    9.27 +subsubsection\<open>"remove l x" erase the first element of "l" equal to "x"\<close>
    9.28  
    9.29  primrec remove :: "'a list => 'a => 'a list" where
    9.30  "remove [] y = []" |
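Review bot: The heading rewritten at 9.27 keeps the grammatical slip `"remove l x" erase the first element of "l" equal to "x"`; since the commit is already rewriting this line, it could read `subsubsection\<open>"remove l x" erases the first element of "l" equal to "x"\<close>`. The `primrec remove` definition that this heading describes starts at 9.29 and continues past the end of the hunk, so only its first equation is visible here.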
    9.31 @@ -32,9 +32,9 @@
    9.32  lemma set_remove: "set (remove l x) <= set l"
    9.33  by (induct l, auto)
    9.34  
    9.35 -subsection{*Extensions to Theory @{text Message}*}
    9.36 +subsection\<open>Extensions to Theory \<open>Message\<close>\<close>
    9.37  
    9.38 -subsubsection{*declarations for tactics*}
    9.39 +subsubsection\<open>declarations for tactics\<close>
    9.40  
    9.41  declare analz_subset_parts [THEN subsetD, dest]
    9.42  declare parts_insert2 [simp]
    9.43 @@ -43,12 +43,12 @@
    9.44  declare analz_insertI [intro]
    9.45  declare Un_Diff [simp]
    9.46  
    9.47 -subsubsection{*extract the agent number of an Agent message*}
    9.48 +subsubsection\<open>extract the agent number of an Agent message\<close>
    9.49  
    9.50  primrec agt_nb :: "msg => agent" where
    9.51  "agt_nb (Agent A) = A"
    9.52  
    9.53 -subsubsection{*messages that are pairs*}
    9.54 +subsubsection\<open>messages that are pairs\<close>
    9.55  
    9.56  definition is_MPair :: "msg => bool" where
    9.57  "is_MPair X == EX Y Z. X = {|Y,Z|}"
    9.58 @@ -90,7 +90,7 @@
    9.59  
    9.60  declare has_no_pair_def [simp]
    9.61  
    9.62 -subsubsection{*well-foundedness of messages*}
    9.63 +subsubsection\<open>well-foundedness of messages\<close>
    9.64  
    9.65  lemma wf_Crypt1 [iff]: "Crypt K X ~= X"
    9.66  by (induct X, auto)
    9.67 @@ -104,7 +104,7 @@
    9.68  lemma wf_Crypt_parts [iff]: "Crypt K X ~:parts {X}"
    9.69  by (auto dest: parts_size)
    9.70  
    9.71 -subsubsection{*lemmas on keysFor*}
    9.72 +subsubsection\<open>lemmas on keysFor\<close>
    9.73  
    9.74  definition usekeys :: "msg set => key set" where
    9.75  "usekeys G == {K. EX Y. Crypt K Y:G}"
    9.76 @@ -120,7 +120,7 @@
    9.77  by (subgoal_tac "{K. EX X. Crypt K X = x | Crypt K X:F} = usekeys F",
    9.78  auto simp: usekeys_def)
    9.79  
    9.80 -subsubsection{*lemmas on parts*}
    9.81 +subsubsection\<open>lemmas on parts\<close>
    9.82  
    9.83  lemma parts_sub: "[| X:parts G; G<=H |] ==> X:parts H"
    9.84  by (auto dest: parts_mono)
    9.85 @@ -153,7 +153,7 @@
    9.86  ==> Nonce n:parts G"
    9.87  by (blast intro: parts.Body dest: parts_parts)
    9.88  
    9.89 -subsubsection{*lemmas on synth*}
    9.90 +subsubsection\<open>lemmas on synth\<close>
    9.91  
    9.92  lemma synth_sub: "[| X:synth G; G<=H |] ==> X:synth H"
    9.93  by (auto dest: synth_mono)
    9.94 @@ -162,7 +162,7 @@
    9.95  Crypt K Y:parts {X} --> Crypt K Y:parts G"
    9.96  by (erule synth.induct, auto dest: parts_sub)
    9.97  
    9.98 -subsubsection{*lemmas on analz*}
    9.99 +subsubsection\<open>lemmas on analz\<close>
   9.100  
   9.101  lemma analz_UnI1 [intro]: "X:analz G ==> X:analz (G Un H)"
   9.102    by (subgoal_tac "G <= G Un H") (blast dest: analz_mono)+
   9.103 @@ -194,7 +194,7 @@
   9.104  lemma notin_analz_insert: "X ~:analz (insert Y G) ==> X ~:analz G"
   9.105  by auto
   9.106  
   9.107 -subsubsection{*lemmas on parts, synth and analz*}
   9.108 +subsubsection\<open>lemmas on parts, synth and analz\<close>
   9.109  
   9.110  lemma parts_invKey [rule_format,dest]:"X:parts {Y} ==>
   9.111  X:analz (insert (Crypt K Y) H) --> X ~:analz H --> Key (invKey K):analz H"
   9.112 @@ -213,7 +213,7 @@
   9.113  apply auto
   9.114  done
   9.115  
   9.116 -subsubsection{*greatest nonce used in a message*}
   9.117 +subsubsection\<open>greatest nonce used in a message\<close>
   9.118  
   9.119  fun greatest_msg :: "msg => nat"
   9.120  where
   9.121 @@ -225,7 +225,7 @@
   9.122  lemma greatest_msg_is_greatest: "Nonce n:parts {X} ==> n <= greatest_msg X"
   9.123  by (induct X, auto)
   9.124  
   9.125 -subsubsection{*sets of keys*}
   9.126 +subsubsection\<open>sets of keys\<close>
   9.127  
   9.128  definition keyset :: "msg set => bool" where
   9.129  "keyset G == ALL X. X:G --> (EX K. X = Key K)"
   9.130 @@ -245,7 +245,7 @@
   9.131  lemma parts_keyset [simp]: "keyset G ==> parts G = G"
   9.132  by (auto, erule parts.induct, auto)
   9.133  
   9.134 -subsubsection{*keys a priori necessary for decrypting the messages of G*}
   9.135 +subsubsection\<open>keys a priori necessary for decrypting the messages of G\<close>
   9.136  
   9.137  definition keysfor :: "msg set => msg set" where
   9.138  "keysfor G == Key ` keysFor (parts G)"
   9.139 @@ -265,7 +265,7 @@
   9.140  lemma finite_keysfor [intro]: "finite G ==> finite (keysfor G)"
   9.141  by (auto simp: keysfor_def intro: finite_UN_I)
   9.142  
   9.143 -subsubsection{*only the keys necessary for G are useful in analz*}
   9.144 +subsubsection\<open>only the keys necessary for G are useful in analz\<close>
   9.145  
   9.146  lemma analz_keyset: "keyset H ==>
   9.147  analz (G Un H) = H - keysfor G Un (analz (G Un (H Int keysfor G)))"
   9.148 @@ -280,10 +280,10 @@
   9.149  lemmas analz_keyset_substD = analz_keyset [THEN sym, THEN ssubst]
   9.150  
   9.151  
   9.152 -subsection{*Extensions to Theory @{text Event}*}
   9.153 +subsection\<open>Extensions to Theory \<open>Event\<close>\<close>
   9.154  
   9.155  
   9.156 -subsubsection{*general protocol properties*}
   9.157 +subsubsection\<open>general protocol properties\<close>
   9.158  
   9.159  definition is_Says :: "event => bool" where
   9.160  "is_Says ev == (EX A B X. ev = Says A B X)"
   9.161 @@ -330,7 +330,7 @@
   9.162  ==> Gets_correct p"
   9.163  by (auto simp: has_only_Says_def Gets_correct_def)
   9.164  
   9.165 -subsubsection{*lemma on knows*}
   9.166 +subsubsection\<open>lemma on knows\<close>
   9.167  
   9.168  lemma Says_imp_spies2: "Says A B {|X,Y|}:set evs ==> Y:parts (spies evs)"
   9.169  by (drule Says_imp_spies, drule parts.Inj, drule parts.Snd, simp)
   9.170 @@ -339,7 +339,7 @@
   9.171  ==> Y ~:parts {X}"
   9.172  by (auto dest: Says_imp_spies parts_parts)
   9.173  
   9.174 -subsubsection{*knows without initState*}
   9.175 +subsubsection\<open>knows without initState\<close>
   9.176  
   9.177  primrec knows' :: "agent => event list => msg set" where
   9.178    knows'_Nil: "knows' A [] = {}" |
   9.179 @@ -361,7 +361,7 @@
   9.180    spies' :: "event list => msg set" where
   9.181    "spies' == knows' Spy"
   9.182  
   9.183 -subsubsection{*decomposition of knows into knows' and initState*}
   9.184 +subsubsection\<open>decomposition of knows into knows' and initState\<close>
   9.185  
   9.186  lemma knows_decomp: "knows A evs = knows' A evs Un (initState A)"
   9.187  by (induct evs, auto split: event.split simp: knows.simps)
   9.188 @@ -394,12 +394,12 @@
   9.189  ==> knows' A evs <= spies' evs"
   9.190  by (induct evs, auto split: event.splits)
   9.191  
   9.192 -subsubsection{*knows' is finite*}
   9.193 +subsubsection\<open>knows' is finite\<close>
   9.194  
   9.195  lemma finite_knows' [iff]: "finite (knows' A evs)"
   9.196  by (induct evs, auto split: event.split simp: knows.simps)
   9.197  
   9.198 -subsubsection{*monotonicity of knows*}
   9.199 +subsubsection\<open>monotonicity of knows\<close>
   9.200  
   9.201  lemma knows_sub_Cons: "knows A evs <= knows A (ev#evs)"
   9.202  by(cases A, induct evs, auto simp: knows.simps split:event.split)
   9.203 @@ -413,8 +413,8 @@
   9.204  apply (rename_tac a b c)
   9.205  by (case_tac a, auto simp: knows.simps)
   9.206  
   9.207 -subsubsection{*maximum knowledge an agent can have
   9.208 -includes messages sent to the agent*}
   9.209 +subsubsection\<open>maximum knowledge an agent can have
   9.210 +includes messages sent to the agent\<close>
   9.211  
   9.212  primrec knows_max' :: "agent => event list => msg set" where
   9.213  knows_max'_def_Nil: "knows_max' A [] = {}" |
   9.214 @@ -442,7 +442,7 @@
   9.215    spies_max :: "event list => msg set" where
   9.216    "spies_max evs == knows_max Spy evs"
   9.217  
   9.218 -subsubsection{*basic facts about @{term knows_max}*}
   9.219 +subsubsection\<open>basic facts about @{term knows_max}\<close>
   9.220  
   9.221  lemma spies_max_spies [iff]: "spies_max evs = spies evs"
   9.222  by (induct evs, auto simp: knows_max_def split: event.splits)
   9.223 @@ -484,7 +484,7 @@
   9.224  lemma Says_from_knows_max': "Says A B X:set evs ==> X:knows_max' A evs"
   9.225  by (simp add: in_set_conv_decomp, clarify, simp add: knows_max'_app)
   9.226  
   9.227 -subsubsection{*used without initState*}
   9.228 +subsubsection\<open>used without initState\<close>
   9.229  
   9.230  primrec used' :: "event list => msg set" where
   9.231  "used' [] = {}" |
   9.232 @@ -511,7 +511,7 @@
   9.233  apply (blast dest: parts_trans)+ 
   9.234  done
   9.235  
   9.236 -subsubsection{*monotonicity of used*}
   9.237 +subsubsection\<open>monotonicity of used\<close>
   9.238  
   9.239  lemma used_sub_Cons: "used evs <= used (ev#evs)"
   9.240  by (induct evs, (induct ev, auto)+)
   9.241 @@ -550,7 +550,7 @@
   9.242  apply (drule_tac evs'=evs in used_appIL)
   9.243  by simp
   9.244  
   9.245 -subsubsection{*lemmas on used and knows*}
   9.246 +subsubsection\<open>lemmas on used and knows\<close>
   9.247  
   9.248  lemma initState_used: "X:parts (initState A) ==> X:used evs"
   9.249  by (induct evs, auto simp: used.simps split: event.split)
   9.250 @@ -605,7 +605,7 @@
   9.251  Gets_correct p; one_step p |] ==> X ~:parts (knows_max A evs)"
   9.252  by (case_tac "A=Spy", auto dest: not_used_not_spied known_max_used)
   9.253  
   9.254 -subsubsection{*a nonce or key in a message cannot equal a fresh nonce or key*}
   9.255 +subsubsection\<open>a nonce or key in a message cannot equal a fresh nonce or key\<close>
   9.256  
   9.257  lemma Nonce_neq [dest]: "[| Nonce n' ~:used evs;
   9.258  Says A B X:set evs; Nonce n:parts {X} |] ==> n ~= n'"
   9.259 @@ -615,7 +615,7 @@
   9.260  Says A B X:set evs; Key n:parts {X} |] ==> n ~= n'"
   9.261  by (drule not_used_not_spied, auto dest: Says_imp_knows_Spy parts_sub)
   9.262  
   9.263 -subsubsection{*message of an event*}
   9.264 +subsubsection\<open>message of an event\<close>
   9.265  
   9.266  primrec msg :: "event => msg"
   9.267  where
    10.1 --- a/src/HOL/Auth/Guard/Guard.thy	Thu Dec 10 21:31:24 2015 +0100
    10.2 +++ b/src/HOL/Auth/Guard/Guard.thy	Thu Dec 10 21:39:33 2015 +0100
    10.3 @@ -3,7 +3,7 @@
    10.4      Copyright   2002  University of Cambridge
    10.5  *)
    10.6  
    10.7 -section{*Protocol-Independent Confidentiality Theorem on Nonces*}
    10.8 +section\<open>Protocol-Independent Confidentiality Theorem on Nonces\<close>
    10.9  
   10.10  theory Guard imports Analz Extensions begin
   10.11  
   10.12 @@ -21,7 +21,7 @@
   10.13  | Crypt [intro]: "X:guard n Ks ==> Crypt K X:guard n Ks"
   10.14  | Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> {|X,Y|}:guard n Ks"
   10.15  
   10.16 -subsection{*basic facts about @{term guard}*}
   10.17 +subsection\<open>basic facts about @{term guard}\<close>
   10.18  
   10.19  lemma Key_is_guard [iff]: "Key K:guard n Ks"
   10.20  by auto
   10.21 @@ -68,12 +68,12 @@
   10.22  lemma guard_extand: "[| X:guard n Ks; Ks <= Ks' |] ==> X:guard n Ks'"
   10.23  by (erule guard.induct, auto)
   10.24  
   10.25 -subsection{*guarded sets*}
   10.26 +subsection\<open>guarded sets\<close>
   10.27  
   10.28  definition Guard :: "nat => key set => msg set => bool" where
   10.29  "Guard n Ks H == ALL X. X:H --> X:guard n Ks"
   10.30  
   10.31 -subsection{*basic facts about @{term Guard}*}
   10.32 +subsection\<open>basic facts about @{term Guard}\<close>
   10.33  
   10.34  lemma Guard_empty [iff]: "Guard n Ks {}"
   10.35  by (simp add: Guard_def)
   10.36 @@ -154,7 +154,7 @@
   10.37  Nonce n:kparts {Y} |] ==> invKey K:Ks"
   10.38  by (auto dest: guard_invKey)
   10.39  
   10.40 -subsection{*set obtained by decrypting a message*}
   10.41 +subsection\<open>set obtained by decrypting a message\<close>
   10.42  
   10.43  abbreviation (input)
   10.44    decrypt :: "msg set => key => msg => msg set" where
   10.45 @@ -170,7 +170,7 @@
   10.46  lemma parts_decrypt: "[| Crypt K Y:H; X:parts (decrypt H K Y) |] ==> X:parts H"
   10.47  by (erule parts.induct, auto intro: parts.Fst parts.Snd parts.Body)
   10.48  
   10.49 -subsection{*number of Crypt's in a message*}
   10.50 +subsection\<open>number of Crypt's in a message\<close>
   10.51  
   10.52  fun crypt_nb :: "msg => nat"
   10.53  where
   10.54 @@ -178,19 +178,19 @@
   10.55  | "crypt_nb {|X,Y|} = crypt_nb X + crypt_nb Y"
   10.56  | "crypt_nb X = 0" (* otherwise *)
   10.57  
   10.58 -subsection{*basic facts about @{term crypt_nb}*}
   10.59 +subsection\<open>basic facts about @{term crypt_nb}\<close>
   10.60  
   10.61  lemma non_empty_crypt_msg: "Crypt K Y:parts {X} ==> crypt_nb X \<noteq> 0"
   10.62  by (induct X, simp_all, safe, simp_all)
   10.63  
   10.64 -subsection{*number of Crypt's in a message list*}
   10.65 +subsection\<open>number of Crypt's in a message list\<close>
   10.66  
   10.67  primrec cnb :: "msg list => nat"
   10.68  where
   10.69    "cnb [] = 0"
   10.70  | "cnb (X#l) = crypt_nb X + cnb l"
   10.71  
   10.72 -subsection{*basic facts about @{term cnb}*}
   10.73 +subsection\<open>basic facts about @{term cnb}\<close>
   10.74  
   10.75  lemma cnb_app [simp]: "cnb (l @ l') = cnb l + cnb l'"
   10.76  by (induct l, auto)
   10.77 @@ -213,7 +213,7 @@
   10.78  lemma non_empty_crypt: "Crypt K Y:parts (set l) ==> cnb l \<noteq> 0"
   10.79  by (induct l, auto dest: non_empty_crypt_msg parts_insert_substD)
   10.80  
   10.81 -subsection{*list of kparts*}
   10.82 +subsection\<open>list of kparts\<close>
   10.83  
   10.84  lemma kparts_msg_set: "EX l. kparts {X} = set l & cnb l = crypt_nb X"
   10.85  apply (induct X, simp_all)
   10.86 @@ -234,20 +234,20 @@
   10.87  apply (rule kparts_insert_substI, simp)
   10.88  by (rule kparts_msg_set)
   10.89  
   10.90 -subsection{*list corresponding to "decrypt"*}
   10.91 +subsection\<open>list corresponding to "decrypt"\<close>
   10.92  
   10.93  definition decrypt' :: "msg list => key => msg => msg list" where
   10.94  "decrypt' l K Y == Y # remove l (Crypt K Y)"
   10.95  
   10.96  declare decrypt'_def [simp]
   10.97  
   10.98 -subsection{*basic facts about @{term decrypt'}*}
   10.99 +subsection\<open>basic facts about @{term decrypt'}\<close>
  10.100  
  10.101  lemma decrypt_minus: "decrypt (set l) K Y <= set (decrypt' l K Y)"
  10.102  by (induct l, auto)
  10.103  
  10.104 -subsection{*if the analyse of a finite guarded set gives n then it must also gives
  10.105 -one of the keys of Ks*}
  10.106 +subsection\<open>if the analyse of a finite guarded set gives n then it must also gives
  10.107 +one of the keys of Ks\<close>
  10.108  
  10.109  lemma Guard_invKey_by_list [rule_format]: "ALL l. cnb l = p
  10.110  --> Guard n Ks (set l) --> Nonce n:analz (set l)
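Review bot: The subsection heading rewritten at 10.106–10.107 carries over the ungrammatical wording `if the analyse of a finite guarded set gives n then it must also gives one of the keys of Ks`; as these lines are being touched anyway, a cleaner form is `subsection\<open>if the analysis of a finite guarded set yields Nonce n, then it must also yield one of the keys of Ks\<close>`. The same wording (`must also gives Ks`) recurs in the following hunk of this file at 10.117–10.118. The `Guard_invKey_by_list` lemma statement starting at 10.109 runs past the end of this hunk.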
  10.111 @@ -295,8 +295,8 @@
  10.112  ==> EX K. K:Ks & Key K:analz G"
  10.113  by (auto dest: analz_needs_only_finite Guard_invKey_finite)
  10.114  
  10.115 -subsection{*if the analyse of a finite guarded set and a (possibly infinite) set of keys
  10.116 -gives n then it must also gives Ks*}
  10.117 +subsection\<open>if the analyse of a finite guarded set and a (possibly infinite) set of keys
  10.118 +gives n then it must also gives Ks\<close>
  10.119  
  10.120  lemma Guard_invKey_keyset: "[| Nonce n:analz (G Un H); Guard n Ks G; finite G;
  10.121  keyset H |] ==> EX K. K:Ks & Key K:analz (G Un H)"
    11.1 --- a/src/HOL/Auth/Guard/GuardK.thy	Thu Dec 10 21:31:24 2015 +0100
    11.2 +++ b/src/HOL/Auth/Guard/GuardK.thy	Thu Dec 10 21:39:33 2015 +0100
    11.3 @@ -8,7 +8,7 @@
    11.4  - the hypothesis Key n ~:G (keyset G) is added
    11.5  *)
    11.6  
    11.7 -section{*protocol-independent confidentiality theorem on keys*}
    11.8 +section\<open>protocol-independent confidentiality theorem on keys\<close>
    11.9  
   11.10  theory GuardK
   11.11  imports Analz Extensions
   11.12 @@ -28,7 +28,7 @@
   11.13  | Crypt [intro]: "X:guardK n Ks ==> Crypt K X:guardK n Ks"
   11.14  | Pair [intro]: "[| X:guardK n Ks; Y:guardK n Ks |] ==> {|X,Y|}:guardK n Ks"
   11.15  
   11.16 -subsection{*basic facts about @{term guardK}*}
   11.17 +subsection\<open>basic facts about @{term guardK}\<close>
   11.18  
   11.19  lemma Nonce_is_guardK [iff]: "Nonce p:guardK n Ks"
   11.20  by auto
   11.21 @@ -77,12 +77,12 @@
   11.22  [| K:Ks'; K ~:Ks |] ==> Key K ~:parts {X} |] ==> X:guardK n Ks'"
   11.23  by (erule guardK.induct, auto)
   11.24  
   11.25 -subsection{*guarded sets*}
   11.26 +subsection\<open>guarded sets\<close>
   11.27  
   11.28  definition GuardK :: "nat => key set => msg set => bool" where
   11.29  "GuardK n Ks H == ALL X. X:H --> X:guardK n Ks"
   11.30  
   11.31 -subsection{*basic facts about @{term GuardK}*}
   11.32 +subsection\<open>basic facts about @{term GuardK}\<close>
   11.33  
   11.34  lemma GuardK_empty [iff]: "GuardK n Ks {}"
   11.35  by (simp add: GuardK_def)
   11.36 @@ -152,7 +152,7 @@
   11.37  [| K:Ks'; K ~:Ks |] ==> Key K ~:parts G |] ==> GuardK n Ks' G"
   11.38  by (auto simp: GuardK_def dest: guardK_extand parts_sub)
   11.39  
   11.40 -subsection{*set obtained by decrypting a message*}
   11.41 +subsection\<open>set obtained by decrypting a message\<close>
   11.42  
   11.43  abbreviation (input)
   11.44    decrypt :: "msg set => key => msg => msg set" where
   11.45 @@ -168,25 +168,25 @@
   11.46  lemma parts_decrypt: "[| Crypt K Y:H; X:parts (decrypt H K Y) |] ==> X:parts H"
   11.47  by (erule parts.induct, auto intro: parts.Fst parts.Snd parts.Body)
   11.48  
   11.49 -subsection{*number of Crypt's in a message*}
   11.50 +subsection\<open>number of Crypt's in a message\<close>
   11.51  
   11.52  fun crypt_nb :: "msg => nat" where
   11.53  "crypt_nb (Crypt K X) = Suc (crypt_nb X)" |
   11.54  "crypt_nb {|X,Y|} = crypt_nb X + crypt_nb Y" |
   11.55  "crypt_nb X = 0" (* otherwise *)
   11.56  
   11.57 -subsection{*basic facts about @{term crypt_nb}*}
   11.58 +subsection\<open>basic facts about @{term crypt_nb}\<close>
   11.59  
   11.60  lemma non_empty_crypt_msg: "Crypt K Y:parts {X} ==> crypt_nb X \<noteq> 0"
   11.61  by (induct X, simp_all, safe, simp_all)
   11.62  
   11.63 -subsection{*number of Crypt's in a message list*}
   11.64 +subsection\<open>number of Crypt's in a message list\<close>
   11.65  
   11.66  primrec cnb :: "msg list => nat" where
   11.67  "cnb [] = 0" |
   11.68  "cnb (X#l) = crypt_nb X + cnb l"
   11.69  
   11.70 -subsection{*basic facts about @{term cnb}*}
   11.71 +subsection\<open>basic facts about @{term cnb}\<close>
   11.72  
   11.73  lemma cnb_app [simp]: "cnb (l @ l') = cnb l + cnb l'"
   11.74  by (induct l, auto)
   11.75 @@ -207,7 +207,7 @@
   11.76  lemma non_empty_crypt: "Crypt K Y:parts (set l) ==> cnb l \<noteq> 0"
   11.77  by (induct l, auto dest: non_empty_crypt_msg parts_insert_substD)
   11.78  
   11.79 -subsection{*list of kparts*}
   11.80 +subsection\<open>list of kparts\<close>
   11.81  
   11.82  lemma kparts_msg_set: "EX l. kparts {X} = set l & cnb l = crypt_nb X"
   11.83  apply (induct X, simp_all)
   11.84 @@ -228,20 +228,20 @@
   11.85  apply (rule kparts_insert_substI, simp)
   11.86  by (rule kparts_msg_set)
   11.87  
   11.88 -subsection{*list corresponding to "decrypt"*}
   11.89 +subsection\<open>list corresponding to "decrypt"\<close>
   11.90  
   11.91  definition decrypt' :: "msg list => key => msg => msg list" where
   11.92  "decrypt' l K Y == Y # remove l (Crypt K Y)"
   11.93  
   11.94  declare decrypt'_def [simp]
   11.95  
   11.96 -subsection{*basic facts about @{term decrypt'}*}
   11.97 +subsection\<open>basic facts about @{term decrypt'}\<close>
   11.98  
   11.99  lemma decrypt_minus: "decrypt (set l) K Y <= set (decrypt' l K Y)"
  11.100  by (induct l, auto)
  11.101  
  11.102 -text{*if the analysis of a finite guarded set gives n then it must also give
  11.103 -one of the keys of Ks*}
  11.104 +text\<open>if the analysis of a finite guarded set gives n then it must also give
  11.105 +one of the keys of Ks\<close>
  11.106  
  11.107  lemma GuardK_invKey_by_list [rule_format]: "ALL l. cnb l = p
  11.108  --> GuardK n Ks (set l) --> Key n:analz (set l)
  11.109 @@ -289,8 +289,8 @@
  11.110  ==> EX K. K:Ks & Key K:analz G"
  11.111  by (auto dest: analz_needs_only_finite GuardK_invKey_finite)
  11.112  
  11.113 -text{*if the analyse of a finite guarded set and a (possibly infinite) set of
  11.114 -keys gives n then it must also gives Ks*}
  11.115 +text\<open>if the analyse of a finite guarded set and a (possibly infinite) set of
  11.116 +keys gives n then it must also gives Ks\<close>
  11.117  
  11.118  lemma GuardK_invKey_keyset: "[| Key n:analz (G Un H); GuardK n Ks G; finite G;
  11.119  keyset H; Key n ~:H |] ==> EX K. K:Ks & Key K:analz (G Un H)"
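Review bot: The text block rewritten at 11.115–11.116 keeps `if the analyse of a finite guarded set and a (possibly infinite) set of keys gives n then it must also gives Ks`, which is both ungrammatical and inconsistent with the corrected `analysis ... give` wording this same file uses in the previous hunk at 11.104–11.105. Since the line is already being rewritten, it could read `text\<open>if the analysis of a finite guarded set and a (possibly infinite) set of keys yields Key n, then it must also yield one of the keys of Ks\<close>`, matching what `GuardK_invKey_keyset` at 11.118–11.119 actually states (`EX K. K:Ks & Key K:analz (G Un H)`).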
    12.1 --- a/src/HOL/Auth/Guard/Guard_NS_Public.thy	Thu Dec 10 21:31:24 2015 +0100
    12.2 +++ b/src/HOL/Auth/Guard/Guard_NS_Public.thy	Thu Dec 10 21:39:33 2015 +0100
    12.3 @@ -5,11 +5,11 @@
    12.4  Incorporating Lowe's fix (inclusion of B's identity in round 2).
    12.5  *)
    12.6  
    12.7 -section{*Needham-Schroeder-Lowe Public-Key Protocol*}
    12.8 +section\<open>Needham-Schroeder-Lowe Public-Key Protocol\<close>
    12.9  
   12.10  theory Guard_NS_Public imports Guard_Public begin
   12.11  
   12.12 -subsection{*messages used in the protocol*}
   12.13 +subsection\<open>messages used in the protocol\<close>
   12.14  
   12.15  abbreviation (input)
   12.16    ns1 :: "agent => agent => nat => event" where
   12.17 @@ -32,7 +32,7 @@
   12.18    "ns3 A B NB == Says A B (Crypt (pubK B) (Nonce NB))"
   12.19  
   12.20  
   12.21 -subsection{*definition of the protocol*}
   12.22 +subsection\<open>definition of the protocol\<close>
   12.23  
   12.24  inductive_set nsp :: "event list set"
   12.25  where
   12.26 @@ -49,13 +49,13 @@
   12.27  | NS3: "!!A B B' NA NB evs3. [| evs3:nsp; ns1 A B NA:set evs3; ns2' B' B A NA NB:set evs3 |] ==>
   12.28    ns3 A B NB # evs3:nsp"
   12.29  
   12.30 -subsection{*declarations for tactics*}
   12.31 +subsection\<open>declarations for tactics\<close>
   12.32  
   12.33  declare knows_Spy_partsEs [elim]
   12.34  declare Fake_parts_insert [THEN subsetD, dest]
   12.35  declare initState.simps [simp del]
   12.36  
   12.37 -subsection{*general properties of nsp*}
   12.38 +subsection\<open>general properties of nsp\<close>
   12.39  
   12.40  lemma nsp_has_no_Gets: "evs:nsp ==> ALL A X. Gets A X ~:set evs"
   12.41  by (erule nsp.induct, auto)
   12.42 @@ -77,7 +77,7 @@
   12.43  apply (simp only: regular_def, clarify)
   12.44  by (erule nsp.induct, auto simp: initState.simps knows.simps)
   12.45  
   12.46 -subsection{*nonce are used only once*}
   12.47 +subsection\<open>nonce are used only once\<close>
   12.48  
   12.49  lemma NA_is_uniq [rule_format]: "evs:nsp ==>
   12.50  Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs)
   12.51 @@ -106,7 +106,7 @@
   12.52  apply (erule nsp.induct, simp_all)
   12.53  by (blast intro: analz_insertI)+
   12.54  
   12.55 -subsection{*guardedness of NA*}
   12.56 +subsection\<open>guardedness of NA\<close>
   12.57  
   12.58  lemma ns1_imp_Guard [rule_format]: "[| evs:nsp; A ~:bad; B ~:bad |] ==>
   12.59  ns1 A B NA:set evs --> Guard NA {priK A,priK B} (spies evs)"
   12.60 @@ -133,7 +133,7 @@
   12.61  apply (drule Says_imp_knows_Spy)+
   12.62  by (drule no_Nonce_NS1_NS2, auto)
   12.63  
   12.64 -subsection{*guardedness of NB*}
   12.65 +subsection\<open>guardedness of NB\<close>
   12.66  
   12.67  lemma ns2_imp_Guard [rule_format]: "[| evs:nsp; A ~:bad; B ~:bad |] ==>
   12.68  ns2 B A NA NB:set evs --> Guard NB {priK A,priK B} (spies evs)" 
   12.69 @@ -163,7 +163,7 @@
   12.70  apply (auto simp add: guard.No_Nonce)
   12.71  done
   12.72  
   12.73 -subsection{*Agents' Authentication*}
   12.74 +subsection\<open>Agents' Authentication\<close>
   12.75  
   12.76  lemma B_trusts_NS1: "[| evs:nsp; A ~:bad; B ~:bad |] ==>
   12.77  Crypt (pubK B) {|Nonce NA, Agent A|}:parts (spies evs)
    13.1 --- a/src/HOL/Auth/Guard/Guard_OtwayRees.thy	Thu Dec 10 21:31:24 2015 +0100
    13.2 +++ b/src/HOL/Auth/Guard/Guard_OtwayRees.thy	Thu Dec 10 21:39:33 2015 +0100
    13.3 @@ -3,11 +3,11 @@
    13.4      Copyright   2002  University of Cambridge
    13.5  *)
    13.6  
    13.7 -section{*Otway-Rees Protocol*}
    13.8 +section\<open>Otway-Rees Protocol\<close>
    13.9  
   13.10  theory Guard_OtwayRees imports Guard_Shared begin
   13.11  
   13.12 -subsection{*messages used in the protocol*}
   13.13 +subsection\<open>messages used in the protocol\<close>
   13.14  
   13.15  abbreviation
   13.16    nil :: "msg" where
   13.17 @@ -54,7 +54,7 @@
   13.18    or4' :: "agent => agent => nat => key => event" where
   13.19    "or4' B' A NA K == Says B' A {|Nonce NA, Ciph A {|Nonce NA, Key K|}, nil|}"
   13.20  
   13.21 -subsection{*definition of the protocol*}
   13.22 +subsection\<open>definition of the protocol\<close>
   13.23  
   13.24  inductive_set or :: "event list set"
   13.25  where
   13.26 @@ -74,13 +74,13 @@
   13.27  | OR4: "[| evs4:or; or2 A B NA NB X:set evs4; or3' S Y A B NA NB K:set evs4 |]
   13.28    ==> or4 A B NA X # evs4:or"
   13.29  
   13.30 -subsection{*declarations for tactics*}
   13.31 +subsection\<open>declarations for tactics\<close>
   13.32  
   13.33  declare knows_Spy_partsEs [elim]
   13.34  declare Fake_parts_insert [THEN subsetD, dest]
   13.35  declare initState.simps [simp del]
   13.36  
   13.37 -subsection{*general properties of or*}
   13.38 +subsection\<open>general properties of or\<close>
   13.39  
   13.40  lemma or_has_no_Gets: "evs:or ==> ALL A X. Gets A X ~:set evs"
   13.41  by (erule or.induct, auto)
   13.42 @@ -98,7 +98,7 @@
   13.43  lemma or_has_only_Says [iff]: "has_only_Says or"
   13.44  by (auto simp: has_only_Says_def dest: or_has_only_Says')
   13.45  
   13.46 -subsection{*or is regular*}
   13.47 +subsection\<open>or is regular\<close>
   13.48  
   13.49  lemma or1'_parts_spies [dest]: "or1' A' A B NA X:set evs
   13.50  ==> X:parts (spies evs)"
   13.51 @@ -117,7 +117,7 @@
   13.52  apply (erule or.induct, simp_all add: initState.simps knows.simps)
   13.53  by (auto dest: parts_sub)
   13.54  
   13.55 -subsection{*guardedness of KAB*}
   13.56 +subsection\<open>guardedness of KAB\<close>
   13.57  
   13.58  lemma Guard_KAB [rule_format]: "[| evs:or; A ~:bad; B ~:bad |] ==>
   13.59  or3 A B NA NB K:set evs --> GuardK K {shrK A,shrK B} (spies evs)" 
   13.60 @@ -138,7 +138,7 @@
   13.61  (* OR4 *)
   13.62  by (blast dest: Says_imp_spies in_GuardK_kparts)
   13.63  
   13.64 -subsection{*guardedness of NB*}
   13.65 +subsection\<open>guardedness of NB\<close>
   13.66  
   13.67  lemma Guard_NB [rule_format]: "[| evs:or; B ~:bad |] ==>
   13.68  or2 A B NA NB X:set evs --> Guard NB {shrK B} (spies evs)" 
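--- a/src/HOL/Auth/Guard/Guard_Public.thy
+++ b/src/HOL/Auth/Guard/Guard_Public.thy
@@ -7,11 +7,11 @@
 
 theory Guard_Public imports Guard "../Public" Extensions begin
 
-subsection{*Extensions to Theory @{text Public}*}
+subsection\<open>Extensions to Theory \<open>Public\<close>\<close>
 
 declare initState.simps [simp del]
 
-subsubsection{*signature*}
+subsubsection\<open>signature\<close>
 
 definition sign :: "agent => msg => msg" where
 "sign A X == {|Agent A, X, Crypt (priK A) (Hash X)|}"
@@ -19,7 +19,7 @@
 lemma sign_inj [iff]: "(sign A X = sign A' X') = (A=A' & X=X')"
 by (auto simp: sign_def)
 
-subsubsection{*agent associated to a key*}
+subsubsection\<open>agent associated to a key\<close>
 
 definition agt :: "key => agent" where
 "agt K == @A. K = priK A | K = pubK A"
@@ -30,7 +30,7 @@
 lemma agt_pubK [simp]: "agt (pubK A) = A"
 by (simp add: agt_def)
 
-subsubsection{*basic facts about @{term initState}*}
+subsubsection\<open>basic facts about @{term initState}\<close>
 
 lemma no_Crypt_in_parts_init [simp]: "Crypt K X ~:parts (initState A)"
 by (cases A, auto simp: initState.simps)
@@ -49,7 +49,7 @@
 lemma keyset_init [iff]: "keyset (initState A)"
 by (cases A, auto simp: keyset_def initState.simps)
 
-subsubsection{*sets of private keys*}
+subsubsection\<open>sets of private keys\<close>
 
 definition priK_set :: "key set => bool" where
 "priK_set Ks == ALL K. K:Ks --> (EX A. K = priK A)"
@@ -63,7 +63,7 @@
 lemma priK_set2 [iff]: "priK_set {priK A, priK B}"
 by (simp add: priK_set_def)
 
-subsubsection{*sets of good keys*}
+subsubsection\<open>sets of good keys\<close>
 
 definition good :: "key set => bool" where
 "good Ks == ALL K. K:Ks --> agt K ~:bad"
@@ -77,7 +77,7 @@
 lemma good2 [simp]: "[| A ~:bad; B ~:bad |] ==> good {priK A, priK B}"
 by (simp add: good_def)
 
-subsubsection{*greatest nonce used in a trace, 0 if there is no nonce*}
+subsubsection\<open>greatest nonce used in a trace, 0 if there is no nonce\<close>
 
 primrec greatest :: "event list => nat"
 where
@@ -90,7 +90,7 @@
 apply (drule greatest_msg_is_greatest, arith)
 by simp
 
-subsubsection{*function giving a new nonce*}
+subsubsection\<open>function giving a new nonce\<close>
 
 definition new :: "event list => nat" where
 "new evs == Suc (greatest evs)"
@@ -98,9 +98,9 @@
 lemma new_isnt_used [iff]: "Nonce (new evs) ~:used evs"
 by (clarify, drule greatest_is_greatest, auto simp: new_def)
 
-subsection{*Proofs About Guarded Messages*}
+subsection\<open>Proofs About Guarded Messages\<close>
 
-subsubsection{*small hack necessary because priK is defined as the inverse of pubK*}
+subsubsection\<open>small hack necessary because priK is defined as the inverse of pubK\<close>
 
 lemma pubK_is_invKey_priK: "pubK A = invKey (priK A)"
 by simp
@@ -113,7 +113,7 @@
 apply (rule pubK_is_invKey_priK_substI, rule invKey_invKey_substI)
 by (rule Guard_Nonce, simp+)
 
-subsubsection{*guardedness results*}
+subsubsection\<open>guardedness results\<close>
 
 lemma sign_guard [intro]: "X:guard n Ks ==> sign A X:guard n Ks"
 by (auto simp: sign_def)
@@ -142,7 +142,7 @@
 apply (rule_tac H="knows_max (Friend C) evs" in Guard_mono)
 by (auto simp: knows_max_def)
 
-subsubsection{*regular protocols*}
+subsubsection\<open>regular protocols\<close>
 
 definition regular :: "event list set => bool" where
 "regular p == ALL evs A. evs:p --> (Key (priK A):parts (spies evs)) = (A:bad)"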
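--- a/src/HOL/Auth/Guard/Guard_Shared.thy
+++ b/src/HOL/Auth/Guard/Guard_Shared.thy
@@ -3,21 +3,21 @@
     Copyright   2002  University of Cambridge
 *)
 
-section{*lemmas on guarded messages for protocols with symmetric keys*}
+section\<open>lemmas on guarded messages for protocols with symmetric keys\<close>
 
 theory Guard_Shared imports Guard GuardK "../Shared" begin
 
-subsection{*Extensions to Theory @{text Shared}*}
+subsection\<open>Extensions to Theory \<open>Shared\<close>\<close>
 
 declare initState.simps [simp del]
 
-subsubsection{*a little abbreviation*}
+subsubsection\<open>a little abbreviation\<close>
 
 abbreviation
   Ciph :: "agent => msg => msg" where
   "Ciph A X == Crypt (shrK A) X"
 
-subsubsection{*agent associated to a key*}
+subsubsection\<open>agent associated to a key\<close>
 
 definition agt :: "key => agent" where
 "agt K == @A. K = shrK A"
@@ -25,7 +25,7 @@
 lemma agt_shrK [simp]: "agt (shrK A) = A"
 by (simp add: agt_def)
 
-subsubsection{*basic facts about @{term initState}*}
+subsubsection\<open>basic facts about @{term initState}\<close>
 
 lemma no_Crypt_in_parts_init [simp]: "Crypt K X ~:parts (initState A)"
 by (cases A, auto simp: initState.simps)
@@ -44,7 +44,7 @@
 lemma keyset_init [iff]: "keyset (initState A)"
 by (cases A, auto simp: keyset_def initState.simps)
 
-subsubsection{*sets of symmetric keys*}
+subsubsection\<open>sets of symmetric keys\<close>
 
 definition shrK_set :: "key set => bool" where
 "shrK_set Ks == ALL K. K:Ks --> (EX A. K = shrK A)"
@@ -58,7 +58,7 @@
 lemma shrK_set2 [iff]: "shrK_set {shrK A, shrK B}"
 by (simp add: shrK_set_def)
 
-subsubsection{*sets of good keys*}
+subsubsection\<open>sets of good keys\<close>
 
 definition good :: "key set => bool" where
 "good Ks == ALL K. K:Ks --> agt K ~:bad"
@@ -73,9 +73,9 @@
 by (simp add: good_def)
 
 
-subsection{*Proofs About Guarded Messages*}
+subsection\<open>Proofs About Guarded Messages\<close>
 
-subsubsection{*small hack*}
+subsubsection\<open>small hack\<close>
 
 lemma shrK_is_invKey_shrK: "shrK A = invKey (shrK A)"
 by simp
@@ -88,7 +88,7 @@
 apply (rule shrK_is_invKey_shrK_substI, rule invKey_invKey_substI)
 by (rule Guard_Nonce, simp+)
 
-subsubsection{*guardedness results on nonces*}
+subsubsection\<open>guardedness results on nonces\<close>
 
 lemma guard_ciph [simp]: "shrK A:Ks ==> Ciph A X:guard n Ks"
 by (rule Guard_Nonce, simp)
@@ -120,7 +120,7 @@
 apply (rule_tac H="knows_max (Friend C) evs" in Guard_mono)
 by (auto simp: knows_max_def)
 
-subsubsection{*guardedness results on keys*}
+subsubsection\<open>guardedness results on keys\<close>
 
 lemma GuardK_init [simp]: "n ~:range shrK ==> GuardK n Ks (initState B)"
 by (induct B, auto simp: GuardK_def initState.simps)
@@ -146,7 +146,7 @@
 apply (rule_tac H="knows_max (Friend C) evs" in GuardK_mono)
 by (auto simp: knows_max_def)
 
-subsubsection{*regular protocols*}
+subsubsection\<open>regular protocols\<close>
 
 definition regular :: "event list set => bool" where
 "regular p == ALL evs A. evs:p --> (Key (shrK A):parts (spies evs)) = (A:bad)"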
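--- a/src/HOL/Auth/Guard/Guard_Yahalom.thy
+++ b/src/HOL/Auth/Guard/Guard_Yahalom.thy
@@ -3,11 +3,11 @@
     Copyright   2002  University of Cambridge
 *)
 
-section{*Yahalom Protocol*}
+section\<open>Yahalom Protocol\<close>
 
 theory Guard_Yahalom imports "../Shared" Guard_Shared begin
 
-subsection{*messages used in the protocol*}
+subsection\<open>messages used in the protocol\<close>
 
 abbreviation (input)
   ya1 :: "agent => agent => nat => event" where
@@ -45,7 +45,7 @@
   "ya4' A' B K NB Y == Says A' B {|Y, Crypt K (Nonce NB)|}"
 
 
-subsection{*definition of the protocol*}
+subsection\<open>definition of the protocol\<close>
 
 inductive_set ya :: "event list set"
 where
@@ -65,13 +65,13 @@
 | YA4: "[| evs4:ya; ya1 A B NA:set evs4; ya3' S Y A B NA NB K:set evs4 |]
   ==> ya4 A B K NB Y # evs4:ya"
 
-subsection{*declarations for tactics*}
+subsection\<open>declarations for tactics\<close>
 
 declare knows_Spy_partsEs [elim]
 declare Fake_parts_insert [THEN subsetD, dest]
 declare initState.simps [simp del]
 
-subsection{*general properties of ya*}
+subsection\<open>general properties of ya\<close>
 
 lemma ya_has_no_Gets: "evs:ya ==> ALL A X. Gets A X ~:set evs"
 by (erule ya.induct, auto)
@@ -94,7 +94,7 @@
 apply (erule ya.induct, simp_all add: initState.simps knows.simps)
 by (auto dest: parts_sub)
 
-subsection{*guardedness of KAB*}
+subsection\<open>guardedness of KAB\<close>
 
 lemma Guard_KAB [rule_format]: "[| evs:ya; A ~:bad; B ~:bad |] ==>
 ya3 A B NA NB K:set evs --> GuardK K {shrK A,shrK B} (spies evs)" 
@@ -115,7 +115,7 @@
 apply (blast dest: Says_imp_spies in_GuardK_kparts)
 by blast
 
-subsection{*session keys are not symmetric keys*}
+subsection\<open>session keys are not symmetric keys\<close>
 
 lemma KAB_isnt_shrK [rule_format]: "evs:ya ==>
 ya3 A B NA NB K:set evs --> K ~:range shrK"
@@ -124,7 +124,7 @@
 lemma ya3_shrK: "evs:ya ==> ya3 A B NA NB (shrK C) ~:set evs"
 by (blast dest: KAB_isnt_shrK)
 
-subsection{*ya2' implies ya1'*}
+subsection\<open>ya2' implies ya1'\<close>
 
 lemma ya2'_parts_imp_ya1'_parts [rule_format]:
      "[| evs:ya; B ~:bad |] ==>
@@ -136,7 +136,7 @@
 ==> {|Agent A, Nonce NA|}:spies evs"
 by (blast dest: Says_imp_spies ya2'_parts_imp_ya1'_parts)
 
-subsection{*uniqueness of NB*}
+subsection\<open>uniqueness of NB\<close>
 
 lemma NB_is_uniq_in_ya2'_parts [rule_format]: "[| evs:ya; B ~:bad; B' ~:bad |] ==>
 Ciph B {|Agent A, Nonce NA, Nonce NB|}:parts (spies evs) -->
@@ -153,7 +153,7 @@
 ==> A=A' & B=B' & NA=NA'"
 by (drule NB_is_uniq_in_ya2'_parts, auto dest: Says_imp_spies)
 
-subsection{*ya3' implies ya2'*}
+subsection\<open>ya3' implies ya2'\<close>
 
 lemma ya3'_parts_imp_ya2'_parts [rule_format]: "[| evs:ya; A ~:bad |] ==>
 Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}:parts (spies evs)
@@ -177,7 +177,7 @@
 ==> (EX B'. ya2' B' A B NA NB:set evs)"
 by (drule ya3'_parts_imp_ya2', auto dest: Says_imp_spies)
 
-subsection{*ya3' implies ya3*}
+subsection\<open>ya3' implies ya3\<close>
 
 lemma ya3'_parts_imp_ya3 [rule_format]: "[| evs:ya; A ~:bad |] ==>
 Ciph A {|Agent B, Key K, Nonce NA, Nonce NB|}:parts(spies evs)
@@ -190,7 +190,7 @@
 ==> ya3 A B NA NB K:set evs"
 by (blast dest: Says_imp_spies ya3'_parts_imp_ya3)
 
-subsection{*guardedness of NB*}
+subsection\<open>guardedness of NB\<close>
 
 definition ya_keys :: "agent => agent => nat => nat => event list => key set" where
 "ya_keys A B NA NB evs == {shrK A,shrK B} Un {K. ya3 A B NA NB K:set evs}"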
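--- a/src/HOL/Auth/Guard/List_Msg.thy
+++ b/src/HOL/Auth/Guard/List_Msg.thy
@@ -3,35 +3,35 @@
     Copyright   2001  University of Cambridge
 *)
 
-section{*Lists of Messages and Lists of Agents*}
+section\<open>Lists of Messages and Lists of Agents\<close>
 
 theory List_Msg imports Extensions begin
 
-subsection{*Implementation of Lists by Messages*}
+subsection\<open>Implementation of Lists by Messages\<close>
 
-subsubsection{*nil is represented by any message which is not a pair*}
+subsubsection\<open>nil is represented by any message which is not a pair\<close>
 
 abbreviation (input)
   cons :: "msg => msg => msg" where
   "cons x l == {|x,l|}"
 
-subsubsection{*induction principle*}
+subsubsection\<open>induction principle\<close>
 
 lemma lmsg_induct: "[| !!x. not_MPair x ==> P x; !!x l. P l ==> P (cons x l) |]
 ==> P l"
 by (induct l) auto
 
-subsubsection{*head*}
+subsubsection\<open>head\<close>
 
 primrec head :: "msg => msg" where
 "head (cons x l) = x"
 
-subsubsection{*tail*}
+subsubsection\<open>tail\<close>
 
 primrec tail :: "msg => msg" where
 "tail (cons x l) = l"
 
-subsubsection{*length*}
+subsubsection\<open>length\<close>
 
 fun len :: "msg => nat" where
 "len (cons x l) = Suc (len l)" |
@@ -40,13 +40,13 @@
 lemma len_not_empty: "n < len l ==> EX x l'. l = cons x l'"
 by (cases l) auto
 
-subsubsection{*membership*}
+subsubsection\<open>membership\<close>
 
 fun isin :: "msg * msg => bool" where
 "isin (x, cons y l) = (x=y | isin (x,l))" |
 "isin (x, other) = False"
 
-subsubsection{*delete an element*}
+subsubsection\<open>delete an element\<close>
 
 fun del :: "msg * msg => msg" where
 "del (x, cons y l) = (if x=y then l else cons y (del (x,l)))" |
@@ -58,7 +58,7 @@
 lemma isin_del [rule_format]: "isin (y, del (x,l)) --> isin (y,l)"
 by (induct l) auto
 
-subsubsection{*concatenation*}
+subsubsection\<open>concatenation\<close>
 
 fun app :: "msg * msg => msg" where
 "app (cons x l, l') = cons x (app (l,l'))" |
@@ -67,14 +67,14 @@
 lemma isin_app [iff]: "isin (x, app(l,l')) = (isin (x,l) | isin (x,l'))"
 by (induct l) auto
 
-subsubsection{*replacement*}
+subsubsection\<open>replacement\<close>
 
 fun repl :: "msg * nat * msg => msg" where
 "repl (cons x l, Suc i, x') = cons x (repl (l,i,x'))" |
 "repl (cons x l, 0, x') = cons x' l" |
 "repl (other, i, M') = other"
 
-subsubsection{*ith element*}
+subsubsection\<open>ith element\<close>
 
 fun ith :: "msg * nat => msg" where
 "ith (cons x l, Suc i) = ith (l,i)" |
@@ -84,7 +84,7 @@
 lemma ith_head: "0 < len l ==> ith (l,0) = head l"
 by (cases l) auto
 
-subsubsection{*insertion*}
+subsubsection\<open>insertion\<close>
 
 fun ins :: "msg * nat * msg => msg" where
 "ins (cons x l, Suc i, y) = cons x (ins (l,i,y))" |
@@ -93,7 +93,7 @@
 lemma ins_head [simp]: "ins (l,0,y) = cons y l"
 by (cases l) auto
 
-subsubsection{*truncation*}
+subsubsection\<open>truncation\<close>
 
 fun trunc :: "msg * nat => msg" where
 "trunc (l,0) = l" |
@@ -103,9 +103,9 @@
 by (cases l) auto
 
 
-subsection{*Agent Lists*}
+subsection\<open>Agent Lists\<close>
 
-subsubsection{*set of well-formed agent-list messages*}
+subsubsection\<open>set of well-formed agent-list messages\<close>
 
 abbreviation
   nil :: msg where
@@ -116,7 +116,7 @@
   Nil[intro]: "nil:agl"
 | Cons[intro]: "[| A:agent; I:agl |] ==> cons (Agent A) I :agl"
 
-subsubsection{*basic facts about agent lists*}
+subsubsection\<open>basic facts about agent lists\<close>
 
 lemma del_in_agl [intro]: "I:agl ==> del (a,I):agl"
 by (erule agl.induct, auto)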
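--- a/src/HOL/Auth/Guard/P1.thy
+++ b/src/HOL/Auth/Guard/P1.thy
@@ -7,11 +7,11 @@
 Mobiles Agents 1998, LNCS 1477.
 *)
 
-section{*Protocol P1*}
+section\<open>Protocol P1\<close>
 
 theory P1 imports "../Public" Guard_Public List_Msg begin
 
-subsection{*Protocol Definition*}
+subsection\<open>Protocol Definition\<close>
 
 (******************************************************************************
 
@@ -30,8 +30,8 @@
 (Crypt in injective)
 ******************************************************************************)
 
-subsubsection{*offer chaining:
-B chains his offer for A with the head offer of L for sending it to C*}
+subsubsection\<open>offer chaining:
+B chains his offer for A with the head offer of L for sending it to C\<close>
 
 definition chain :: "agent => nat => agent => msg => agent => msg" where
 "chain B ofr A L C ==
@@ -48,7 +48,7 @@
 lemma Nonce_in_chain [iff]: "Nonce ofr:parts {chain B ofr A L C}"
 by (auto simp: chain_def sign_def)
 
-subsubsection{*agent whose key is used to sign an offer*}
+subsubsection\<open>agent whose key is used to sign an offer\<close>
 
 fun shop :: "msg => msg" where
 "shop {|B,X,Crypt K H|} = Agent (agt K)"
@@ -56,7 +56,7 @@
 lemma shop_chain [simp]: "shop (chain B ofr A L C) = Agent B"
 by (simp add: chain_def sign_def)
 
-subsubsection{*nonce used in an offer*}
+subsubsection\<open>nonce used in an offer\<close>
 
 fun nonce :: "msg => msg" where
 "nonce {|B,{|Crypt K ofr,m2|},CryptH|} = ofr"
@@ -64,7 +64,7 @@
 lemma nonce_chain [simp]: "nonce (chain B ofr A L C) = Nonce ofr"
 by (simp add: chain_def sign_def)
 
-subsubsection{*next shop*}
+subsubsection\<open>next shop\<close>
 
 fun next_shop :: "msg => agent" where
 "next_shop {|B,{|m1,Hash{|headL,Agent C|}|},CryptH|} = C"
@@ -72,7 +72,7 @@
 lemma next_shop_chain [iff]: "next_shop (chain B ofr A L C) = C"
 by (simp add: chain_def sign_def)
 
-subsubsection{*anchor of the offer list*}
+subsubsection\<open>anchor of the offer list\<close>
 
 definition anchor :: "agent => nat => agent => msg" where
 "anchor A n B == chain A n A (cons nil nil) B"
@@ -93,7 +93,7 @@
 lemma next_shop_anchor [iff]: "next_shop (anchor A n B) = B"
 by (simp add: anchor_def)
 
-subsubsection{*request event*}
+subsubsection\<open>request event\<close>
 
 definition reqm :: "agent => nat => nat => msg => agent => msg" where
 "reqm A r n I B == {|Agent A, Number r, cons (Agent A) (cons (Agent B) I),
@@ -113,7 +113,7 @@
 = (A=A' & r=r' & n=n' & I=I' & B=B')"
 by (auto simp: req_def)
 
-subsubsection{*propose event*}
+subsubsection\<open>propose event\<close>
 
 definition prom :: "agent => nat => agent => nat => msg => msg =>
 msg => agent => msg" where
@@ -136,7 +136,7 @@
 ==> B=B' & ofr=ofr' & A=A' & r=r' & L=L' & C=C'"
 by (auto simp: pro_def dest: prom_inj)
 
-subsubsection{*protocol*}
+subsubsection\<open>protocol\<close>
 
 inductive_set p1 :: "event list set"
 where
@@ -151,7 +151,7 @@
   I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p1"
 
-subsubsection{*Composition of Traces*}
+subsubsection\<open>Composition of Traces\<close>
 
 lemma "evs':p1 ==> 
        evs:p1 & (ALL n. Nonce n:used evs' --> Nonce n ~:used evs) --> 
@@ -165,7 +165,7 @@
 apply (erule_tac A'=A' in p1.Propose, auto simp: pro_def)
 done
 
-subsubsection{*Valid Offer Lists*}
+subsubsection\<open>Valid Offer Lists\<close>
 
 inductive_set
   valid :: "agent => nat => agent => msg set"
@@ -176,7 +176,7 @@
 | Propose [intro]: "L:valid A n B
 ==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B"
 
-subsubsection{*basic properties of valid*}
+subsubsection\<open>basic properties of valid\<close>
 
 lemma valid_not_empty: "L:valid A n B ==> EX M L'. L = cons M L'"
 by (erule valid.cases, auto)
@@ -184,24 +184,24 @@
 lemma valid_pos_len: "L:valid A n B ==> 0 < len L"
 by (erule valid.induct, auto)
 
-subsubsection{*offers of an offer list*}
+subsubsection\<open>offers of an offer list\<close>
 
 definition offer_nonces :: "msg => msg set" where
 "offer_nonces L == {X. X:parts {L} & (EX n. X = Nonce n)}"
 
-subsubsection{*the originator can get the offers*}
+subsubsection\<open>the originator can get the offers\<close>
 
 lemma "L:valid A n B ==> offer_nonces L <= analz (insert L (initState A))"
 by (erule valid.induct, auto simp: anchor_def chain_def sign_def
 offer_nonces_def initState.simps)
 
-subsubsection{*list of offers*}
+subsubsection\<open>list of offers\<close>
 
 fun offers :: "msg => msg" where
 "offers (cons M L) = cons {|shop M, nonce M|} (offers L)" |
 "offers other = nil"
 
-subsubsection{*list of agents whose keys are used to sign a list of offers*}
+subsubsection\<open>list of agents whose keys are used to sign a list of offers\<close>
 
 fun shops :: "msg => msg" where
 "shops (cons M L) = cons (shop M) (shops L)" |
@@ -210,7 +210,7 @@
 lemma shops_in_agl: "L:valid A n B ==> shops L:agl"
 by (erule valid.induct, auto simp: anchor_def chain_def sign_def)
 
-subsubsection{*builds a trace from an itinerary*}
+subsubsection\<open>builds a trace from an itinerary\<close>
 
 fun offer_list :: "agent * nat * agent * msg * nat => msg" where
 "offer_list (A,n,B,nil,ofr) = cons (anchor A n B) nil" |
@@ -240,20 +240,20 @@
 
 declare trace'_def [simp]
 
-subsubsection{*there is a trace in which the originator receives a valid answer*}
+subsubsection\<open>there is a trace in which the originator receives a valid answer\<close>
 
 lemma p1_not_empty: "evs:p1 ==> req A r n I B:set evs -->
 (EX evs'. evs'@evs:p1 & pro B' ofr A r I' L J A:set evs' & L:valid A n B)"
 oops
 
 
-subsection{*properties of protocol P1*}
+subsection\<open>properties of protocol P1\<close>
 
-text{*publicly verifiable forward integrity:
-anyone can verify the validity of an offer list*}
+text\<open>publicly verifiable forward integrity:
+anyone can verify the validity of an offer list\<close>
 
-subsubsection{*strong forward integrity:
-except the last one, no offer can be modified*}
+subsubsection\<open>strong forward integrity:
+except the last one, no offer can be modified\<close>
 
 lemma strong_forward_integrity: "ALL L. Suc i < len L
 --> L:valid A n B & repl (L,Suc i,M):valid A n B --> M = ith (L,Suc i)"
@@ -273,8 +273,8 @@
 apply (ind_cases "{|x,l'|}:valid A n B" for x l')
 by (drule_tac x=l' in spec, simp, blast)
 
-subsubsection{*insertion resilience:
-except at the beginning, no offer can be inserted*}
+subsubsection\<open>insertion resilience:
+except at the beginning, no offer can be inserted\<close>
 
 lemma chain_isnt_head [simp]: "L:valid A n B ==>
 head L ~= chain (next_shop (head L)) ofr A L C"
@@ -298,8 +298,8 @@
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
-subsubsection{*truncation resilience:
-only shop i can truncate at offer i*}
+subsubsection\<open>truncation resilience:
+only shop i can truncate at offer i\<close>
 
 lemma truncation_resilience: "ALL L. L:valid A n B --> Suc i < len L
 --> cons M (trunc (L,Suc i)):valid A n B --> shop M = shop (ith (L,i))"
@@ -318,19 +318,19 @@
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
-subsubsection{*declarations for tactics*}
+subsubsection\<open>declarations for tactics\<close>
 
 declare knows_Spy_partsEs [elim]
 declare Fake_parts_insert [THEN subsetD, dest]
 declare initState.simps [simp del]
 
-subsubsection{*get components of a message*}
+subsubsection\<open>get components of a message\<close>
 
 lemma get_ML [dest]: "Says A' B {|A,r,I,M,L|}:set evs ==>
 M:parts (spies evs) & L:parts (spies evs)"
 by blast
 
-subsubsection{*general properties of p1*}
+subsubsection\<open>general properties of p1\<close>
 
 lemma reqm_neq_prom [iff]:
 "reqm A r n I B ~= prom B' ofr A' r' I' (cons M L) J C"
@@ -369,7 +369,7 @@
                      req_def reqm_def anchor_def chain_def sign_def)
 by (auto dest: no_Key_in_agl no_Key_in_appdel parts_trans)
 
-subsubsection{*private keys are safe*}
+subsubsection\<open>private keys are safe\<close>
 
 lemma priK_parts_Friend_imp_bad [rule_format,dest]:
     "[| evs:p1; Friend B ~= A |]
@@ -395,7 +395,7 @@
 apply (drule_tac H="spies evs" in parts_sub)
 by (auto dest: knows'_sub_knows [THEN subsetD] priK_notin_initState_Friend)
 
-subsubsection{*general guardedness properties*}
+subsubsection\<open>general guardedness properties\<close>
 
 lemma agl_guard [intro]: "I:agl ==> I:guard n Ks"
 by (erule agl.induct, auto)
@@ -412,7 +412,7 @@
 Nonce n ~:used evs |] ==> L:guard n Ks"
 by (drule not_used_not_parts, auto)
 
-subsubsection{*guardedness of messages*}
+subsubsection\<open>guardedness of messages\<close>
 
 lemma chain_guard [iff]: "chain B ofr A L C:guard n {priK A}"
 by (case_tac "ofr=n", auto simp: chain_def sign_def)
@@ -443,7 +443,7 @@
 L:guard n {priK A} |] ==> prom B ofr A' r I L J C:guard n {priK A}"
 by (auto simp: prom_def)
 
-subsubsection{*Nonce uniqueness*}
+subsubsection\<open>Nonce uniqueness\<close>
 
 lemma uniq_Nonce_in_chain [dest]: "Nonce k:parts {chain B ofr A L C} ==> k=ofr"
 by (auto simp: chain_def sign_def)
@@ -459,7 +459,7 @@
 I:agl; J:agl; Nonce k ~:parts {L} |] ==> k=ofr"
 by (auto simp: prom_def dest: no_Nonce_in_agl no_Nonce_in_appdel)
 
-subsubsection{*requests are guarded*}
+subsubsection\<open>requests are guarded\<close>
 
 lemma req_imp_Guard [rule_format]: "[| evs:p1; A ~:bad |] ==>
 req A r n I B:set evs --> Guard n {priK A} (spies evs)"
@@ -477,7 +477,7 @@
 apply (rule_tac p=p1 in knows_max'_sub_spies', simp+)
 by (rule knows'_sub_knows)
 
-subsubsection{*propositions are guarded*}
+subsubsection\<open>propositions are guarded\<close>
 
 lemma pro_imp_Guard [rule_format]: "[| evs:p1; B ~:bad; A ~:bad |] ==>
 pro B ofr A r I (cons M L) J C:set evs --> Guard ofr {priK A} (spies evs)"
@@ -526,8 +526,8 @@
 apply (rule_tac p=p1 in knows_max'_sub_spies', simp+)
 by (rule knows'_sub_knows)
 
-subsubsection{*data confidentiality:
-no one other than the originator can decrypt the offers*}
+subsubsection\<open>data confidentiality:
+no one other than the originator can decrypt the offers\<close>
 
 lemma Nonce_req_notin_spies: "[| evs:p1; req A r n I B:set evs; A ~:bad |]
 ==> Nonce n ~:analz (spies evs)"
@@ -550,8 +550,8 @@
 apply (simp add: knows_max_def, drule Guard_invKey_keyset, simp+)
 by (drule priK_notin_knows_max_Friend, auto simp: knows_max_def)
 
-subsubsection{*non repudiability:
-an offer signed by B has been sent by B*}
+subsubsection\<open>non repudiability:
+an offer signed by B has been sent by B\<close>
 
 lemma Crypt_reqm: "[| Crypt (priK A) X:parts {reqm A' r n I B}; I:agl |] ==> A=A'"
 by (auto simp: reqm_def anchor_def chain_def sign_def dest: no_Crypt_in_agl)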
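--- a/src/HOL/Auth/Guard/P2.thy
+++ b/src/HOL/Auth/Guard/P2.thy
@@ -7,18 +7,18 @@
 Mobiles Agents 1998, LNCS 1477.
 *)
 
-section{*Protocol P2*}
+section\<open>Protocol P2\<close>
 
 theory P2 imports Guard_Public List_Msg begin
 
-subsection{*Protocol Definition*}
+subsection\<open>Protocol Definition\<close>
 
 
-text{*Like P1 except the definitions of @{text chain}, @{text shop},
-  @{text next_shop} and @{text nonce}*}
+text\<open>Like P1 except the definitions of \<open>chain\<close>, \<open>shop\<close>,
+  \<open>next_shop\<close> and \<open>nonce\<close>\<close>
 
-subsubsection{*offer chaining:
-B chains his offer for A with the head offer of L for sending it to C*}
+subsubsection\<open>offer chaining:
+B chains his offer for A with the head offer of L for sending it to C\<close>
 
 definition chain :: "agent => nat => agent => msg => agent => msg" where
 "chain B ofr A L C ==
@@ -35,7 +35,7 @@
 lemma Nonce_in_chain [iff]: "Nonce ofr:parts {chain B ofr A L C}"
 by (auto simp: chain_def sign_def)
 
-subsubsection{*agent whose key is used to sign an offer*}
+subsubsection\<open>agent whose key is used to sign an offer\<close>
 
 fun shop :: "msg => msg" where
 "shop {|Crypt K {|B,ofr,Crypt K' H|},m2|} = Agent (agt K')"
@@ -43,7 +43,7 @@
 lemma shop_chain [simp]: "shop (chain B ofr A L C) = Agent B"
 by (simp add: chain_def sign_def)
 
-subsubsection{*nonce used in an offer*}
+subsubsection\<open>nonce used in an offer\<close>
 
 fun nonce :: "msg => msg" where
 "nonce {|Crypt K {|B,ofr,CryptH|},m2|} = ofr"
@@ -51,7 +51,7 @@
 lemma nonce_chain [simp]: "nonce (chain B ofr A L C) = Nonce ofr"
 by (simp add: chain_def sign_def)
 
-subsubsection{*next shop*}
+subsubsection\<open>next shop\<close>
 
 fun next_shop :: "msg => agent" where
 "next_shop {|m1,Hash {|headL,Agent C|}|} = C"
@@ -59,7 +59,7 @@
 lemma "next_shop (chain B ofr A L C) = C"
 by (simp add: chain_def sign_def)
 
-subsubsection{*anchor of the offer list*}
+subsubsection\<open>anchor of the offer list\<close>
 
 definition anchor :: "agent => nat => agent => msg" where
 "anchor A n B == chain A n A (cons nil nil) B"
@@ -74,7 +74,7 @@
 lemma shop_anchor [simp]: "shop (anchor A n B) = Agent A"
 by (simp add: anchor_def)
 
-subsubsection{*request event*}
+subsubsection\<open>request event\<close>
 
 definition reqm :: "agent => nat => nat => msg => agent => msg" where
 "reqm A r n I B == {|Agent A, Number r, cons (Agent A) (cons (Agent B) I),
@@ -94,7 +94,7 @@
 = (A=A' & r=r' & n=n' & I=I' & B=B')"
 by (auto simp: req_def)
 
-subsubsection{*propose event*}
+subsubsection\<open>propose event\<close>
 
 definition prom :: "agent => nat => agent => nat => msg => msg =>
 msg => agent => msg" where
@@ -116,7 +116,7 @@
 ==> B=B' & ofr=ofr' & A=A' & r=r' & L=L' & C=C'"
 by (auto simp: pro_def dest: prom_inj)
 
-subsubsection{*protocol*}
+subsubsection\<open>protocol\<close>
 
 inductive_set p2 :: "event list set"
 where
@@ -131,7 +131,7 @@
   I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p2"
 
-subsubsection{*valid offer lists*}
+subsubsection\<open>valid offer lists\<close>
 
 inductive_set
   valid :: "agent => nat => agent => msg set"
@@ -142,7 +142,7 @@
 | Propose [intro]: "L:valid A n B
   ==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B"
 
-subsubsection{*basic properties of valid*}
+subsubsection\<open>basic properties of valid\<close>
 
 lemma valid_not_empty: "L:valid A n B ==> EX M L'. L = cons M L'"
 by (erule valid.cases, auto)
@@ -150,7 +150,7 @@
 lemma valid_pos_len: "L:valid A n B ==> 0 < len L"
 by (erule valid.induct, auto)
 
-subsubsection{*list of offers*}
+subsubsection\<open>list of offers\<close>
 
 fun offers :: "msg => msg"
 where
@@ -158,13 +158,13 @@
 | "offers other = nil"
 
 
-subsection{*Properties of Protocol P2*}
+subsection\<open>Properties of Protocol P2\<close>
 
-text{*same as @{text P1_Prop} except that publicly verifiable forward
-integrity is replaced by forward privacy*}
+text\<open>same as \<open>P1_Prop\<close> except that publicly verifiable forward
+integrity is replaced by forward privacy\<close>
 
-subsection{*strong forward integrity:
-except the last one, no offer can be modified*}
+subsection\<open>strong forward integrity:
+except the last one, no offer can be modified\<close>
 
 lemma strong_forward_integrity: "ALL L. Suc i < len L
 --> L:valid A n B --> repl (L,Suc i,M):valid A n B --> M = ith (L,Suc i)"
@@ -184,8 +184,8 @@
 apply (ind_cases "{|x,l'|}:valid A n B" for x l')
 by (drule_tac x=l' in spec, simp, blast)
 
-subsection{*insertion resilience:
-except at the beginning, no offer can be inserted*}
+subsection\<open>insertion resilience:
+except at the beginning, no offer can be inserted\<close>
 
 lemma chain_isnt_head [simp]: "L:valid A n B ==>
 head L ~= chain (next_shop (head L)) ofr A L C"
@@ -209,8 +209,8 @@
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
-subsection{*truncation resilience:
-only shop i can truncate at offer i*}
+subsection\<open>truncation resilience:
+only shop i can truncate at offer i\<close>
 
 lemma truncation_resilience: "ALL L. L:valid A n B --> Suc i < len L
 --> cons M (trunc (L,Suc i)):valid A n B --> shop M = shop (ith (L,i))"
@@ -229,19 +229,19 @@
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
-subsection{*declarations for tactics*}
+subsection\<open>declarations for tactics\<close>
 
 declare knows_Spy_partsEs [elim]
 declare Fake_parts_insert [THEN subsetD, dest]
 declare initState.simps [simp del]
 
-subsection{*get components of a message*}
+subsection\<open>get components of a message\<close>
 
 lemma get_ML [dest]: "Says A' B {|A,R,I,M,L|}:set evs ==>
 M:parts (spies evs) & L:parts (spies evs)"
 by blast
 
-subsection{*general properties of p2*}
+subsection\<open>general properties of p2\<close>
 
 lemma reqm_neq_prom [iff]:
 "reqm A r n I B ~= prom B' ofr A' r' I' (cons M L) J C"
@@ -280,7 +280,7 @@
 req_def reqm_def anchor_def chain_def sign_def)
 by (auto dest: no_Key_in_agl no_Key_in_appdel parts_trans)
 
-subsection{*private keys are safe*}
+subsection\<open>private keys are safe\<close>
 
 lemma priK_parts_Friend_imp_bad [rule_format,dest]:
      "[| evs:p2; Friend B ~= A |]
@@ -307,7 +307,7 @@
 apply (drule_tac H="spies evs" in parts_sub)
 by (auto dest: knows'_sub_knows [THEN subsetD] priK_notin_initState_Friend)
 
-subsection{*general guardedness properties*}
+subsection\<open>general guardedness properties\<close>
 
 lemma agl_guard [intro]: "I:agl ==> I:guard n Ks"
 by (erule agl.induct, auto)
@@ -324,7 +324,7 @@
 Nonce n ~:used evs |] ==> L:guard n Ks"
 by (drule not_used_not_parts, auto)
 
-subsection{*guardedness of messages*}
+subsection\<open>guardedness of messages\<close>
 
 lemma chain_guard [iff]: "chain B ofr A L C:guard n {priK A}"
 by (case_tac "ofr=n", auto simp: chain_def sign_def)
@@ -355,7 +355,7 @@
 L:guard n {priK A} |] ==> prom B ofr A' r I L J C:guard n {priK A}"
 by (auto simp: prom_def)
 
-subsection{*Nonce uniqueness*}
+subsection\<open>Nonce uniqueness\<close>
 
 lemma uniq_Nonce_in_chain [dest]: "Nonce k:parts {chain B ofr A L C} ==> k=ofr"
 by (auto simp: chain_def sign_def)
@@ -371,7 +371,7 @@
 I:agl; J:agl; Nonce k ~:parts {L} |] ==> k=ofr"
 by (auto simp: prom_def dest: no_Nonce_in_agl no_Nonce_in_appdel)
 
-subsection{*requests are guarded*}
+subsection\<open>requests are guarded\<close>
 
 lemma req_imp_Guard [rule_format]: "[| evs:p2; A ~:bad |] ==>
 req A r n I B:set evs --> Guard n {priK A} (spies evs)"
@@ -389,7 +389,7 @@
 apply (rule_tac p=p2 in knows_max'_sub_spies', simp+)
 by (rule knows'_sub_knows)
 
-subsection{*propositions are guarded*}
+subsection\<open>propositions are guarded\<close>
 
 lemma pro_imp_Guard [rule_format]: "[| evs:p2; B ~:bad; A ~:bad |] ==>
 pro B ofr A r I (cons M L) J C:set evs --> Guard ofr {priK A} (spies evs)"
@@ -438,8 +438,8 @@
 apply (rule_tac p=p2 in knows_max'_sub_spies', simp+)
 by (rule knows'_sub_knows)
 
-subsection{*data confidentiality:
-no one other than the originator can decrypt the offers*}
+subsection\<open>data confidentiality:
+no one other than the originator can decrypt the offers\<close>
 
 lemma Nonce_req_notin_spies: "[| evs:p2; req A r n I B:set evs; A ~:bad |]
 ==> Nonce n ~:analz (spies evs)"
@@ -462,8 +462,8 @@
 apply (simp add: knows_max_def, drule Guard_invKey_keyset, simp+)
 by (drule priK_notin_knows_max_Friend, auto simp: knows_max_def)
 
-subsection{*forward privacy:
-only the originator can know the identity of the shops*}
+subsection\<open>forward privacy:
+only the originator can know the identity of the shops\<close>
 
 lemma forward_privacy_Spy: "[| evs:p2; B ~:bad; A ~:bad;
 pro B ofr A r I (cons M L) J C:set evs |]
@@ -475,7 +475,7 @@
 ==> sign B (Nonce ofr) ~:analz (knows_max (Friend D) evs)"
 by (auto simp:sign_def dest:Nonce_pro_notin_knows_max_Friend )
 
-subsection{*non repudiability: an offer signed by B has been sent by B*}
+subsection\<open>non repudiability: an offer signed by B has been sent by B\<close>
 
 lemma Crypt_reqm: "[| Crypt (priK A) X:parts {reqm A' r n I B}; I:agl |] ==> A=A'"
 by (auto simp: reqm_def anchor_def chain_def sign_def dest: no_Crypt_in_agl)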
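--- a/src/HOL/Auth/Guard/Proto.thy
+++ b/src/HOL/Auth/Guard/Proto.thy
@@ -3,11 +3,11 @@
     Copyright   2002  University of Cambridge
 *)
 
-section{*Other Protocol-Independent Results*}
+section\<open>Other Protocol-Independent Results\<close>
 
 theory Proto imports Guard_Public begin
 
-subsection{*protocols*}
+subsection\<open>protocols\<close>
 
 type_synonym rule = "event set * event"
 
@@ -21,7 +21,7 @@
 "wdef p == ALL R k. R:p --> Number k:parts {msg' R}
 --> Number k:parts (msg`(fst R))"
 
-subsection{*substitutions*}
+subsection\<open>substitutions\<close>
 
 record subs =
   agent   :: "agent => agent"
@@ -82,7 +82,7 @@
   pubK' :: "subs => agent => key" where
   "pubK' s A == pubK (agent s A)"
 
-subsection{*nonces generated by a rule*}
+subsection\<open>nonces generated by a rule\<close>
 
 definition newn :: "rule => nat set" where
 "newn R == {n. Nonce n:parts {msg (snd R)} & Nonce n ~:parts (msg`(fst R))}"
@@ -90,7 +90,7 @@
 lemma newn_parts: "n:newn R ==> Nonce (nonce s n):parts {apm' s R}"
 by (auto simp: newn_def dest: apm_parts)
 
-subsection{*traces generated by a protocol*}
+subsection\<open>traces generated by a protocol\<close>
 
 definition ok :: "event list => rule => subs => bool" where
 "ok evs R s == ((ALL x. x:fst R --> ap s x:set evs)
@@ -108,7 +108,7 @@
 
 | Proto [intro]: "[| evs:tr p; R:p; ok evs R s |] ==> ap' s R # evs:tr p"
 
-subsection{*general properties*}
+subsection\<open>general properties\<close>
 
 lemma one_step_tr [iff]: "one_step (tr p)"
 apply (unfold one_step_def, clarify)
@@ -147,13 +147,13 @@
 apply (drule has_only_SaysD, simp+)
 by (clarify, case_tac x, auto)
 
-subsection{*types*}
+subsection\<open>types\<close>
 
 type_synonym keyfun = "rule => subs => nat => event list => key set"
 
 type_synonym secfun = "rule => nat => subs => key set => msg"
 
-subsection{*introduction of a fresh guarded nonce*}
+subsection\<open>introduction of a fresh guarded nonce\<close>
 
 definition fresh :: "proto => rule => subs => nat => key set => event list
 => bool" where
@@ -214,7 +214,7 @@
 apply (rule_tac Y="apm s' X" in parts_parts, blast)
 by (rule parts.Inj, rule Says_imp_spies, simp, blast)
 
-subsection{*safe keys*}
+subsection\<open>safe keys\<close>
 
 definition safe :: "key set => msg set => bool" where
 "safe Ks G == ALL K. K:Ks --> Key K ~:analz G"
@@ -228,7 +228,7 @@
 lemma Guard_safe: "[| Guard n Ks G; safe Ks G |] ==> Nonce n ~:analz G"
 by (blast dest: Guard_invKey)
 
-subsection{*guardedness preservation*}
+subsection\<open>guardedness preservation\<close>
 
 definition preserv :: "proto => keyfun => nat => key set => bool" where
 "preserv p keys n Ks == (ALL evs R' s' R s. evs:tr p -->
@@ -245,7 +245,7 @@
 ok evs (l,Says A B X) s; keys R' s' n evs <= Ks |] ==> apm s X:guard n Ks"
 by (drule preservD, simp+)
 
-subsection{*monotonic keyfun*}
+subsection\<open>monotonic keyfun\<close>
 
 definition monoton :: "proto => keyfun => bool" where
 "monoton p keys == ALL R' s' n ev evs. ev # evs:tr p -->
@@ -255,7 +255,7 @@
 ev # evs:tr p |] ==> keys R' s' n evs <= Ks"
 by (unfold monoton_def, blast)
 
-subsection{*guardedness theorem*}
+subsection\<open>guardedness theorem\<close>
 
 lemma Guard_tr [rule_format]: "[| evs:tr p; has_only_Says' p;
 preserv p keys n Ks; monoton p keys; Guard n Ks (initState Spy) |] ==>
@@ -295,7 +295,7 @@
 apply (blast dest: safe_insert)
 by (blast, simp, simp, blast)
 
-subsection{*useful properties for guardedness*}
+subsection\<open>useful properties for guardedness\<close>
 
 lemma newn_neq_used: "[| Nonce n:used evs; ok evs R s; k:newn R |]
 ==> n ~= nonce s k"
@@ -311,7 +311,7 @@
 ok evs R s |] ==> n ~:newn R"
 by (auto simp: ok_def dest: not_used_not_spied parts_parts)
 
-subsection{*unicity*}
+subsection\<open>unicity\<close>
 
 definition uniq :: "proto => secfun => bool" where
 "uniq p secret == ALL evs R R' n n' Ks s s'. R:p --> R':p -->
@@ -360,7 +360,7 @@
 apply (blast dest: uniq'D)
 by (auto dest: ordD uniq'D intro: sym)
 
-subsection{*Needham-Schroeder-Lowe*}
+subsection\<open>Needham-Schroeder-Lowe\<close>
 
 definition a :: agent where "a == Friend 0"
 definition b :: agent where "b == Friend 1"
@@ -419,7 +419,7 @@
 apply (simp add: split_paired_all)
 by (rule impI, erule ns.cases, simp_all)+
 
-subsection{*general properties*}
+subsection\<open>general properties\<close>
 
 lemma ns_has_only_Says' [iff]: "has_only_Says' ns"
 apply (unfold has_only_Says'_def)
@@ -439,7 +439,7 @@
 lemma ns_wdef [iff]: "wdef ns"
 by (auto simp: wdef_def elim: ns.cases)
 
-subsection{*guardedness for NSL*}
+subsection\<open>guardedness for NSL\<close>
 
 lemma "uniq ns secret ==> preserv ns keys n Ks"
 apply (unfold preserv_def)
@@ -511,7 +511,7 @@
 (* fresh with NS3 *)
 by simp
 
-subsection{*unicity for NSL*}
+subsection\<open>unicity for NSL\<close>
 
 lemma "uniq' ns inf secret"
 apply (unfold uniq'_def)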
    21.1 --- a/src/HOL/Auth/KerberosIV.thy	Thu Dec 10 21:31:24 2015 +0100
    21.2 +++ b/src/HOL/Auth/KerberosIV.thy	Thu Dec 10 21:39:33 2015 +0100
    21.3 @@ -3,11 +3,11 @@
    21.4      Copyright   1998  University of Cambridge
    21.5  *)
    21.6  
    21.7 -section{*The Kerberos Protocol, Version IV*}
    21.8 +section\<open>The Kerberos Protocol, Version IV\<close>
    21.9  
   21.10  theory KerberosIV imports Public begin
   21.11  
   21.12 -text{*The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.*}
   21.13 +text\<open>The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.\<close>
   21.14  
   21.15  abbreviation
   21.16    Kas :: agent where "Kas == Server"
   21.17 @@ -18,7 +18,7 @@
   21.18  
   21.19  axiomatization where
   21.20    Tgs_not_bad [iff]: "Tgs \<notin> bad"
   21.21 -   --{*Tgs is secure --- we already know that Kas is secure*}
   21.22 +   \<comment>\<open>Tgs is secure --- we already know that Kas is secure\<close>
   21.23  
   21.24  definition
   21.25   (* authKeys are those contained in an authTicket *)
   21.26 @@ -252,7 +252,7 @@
   21.27  declare Fake_parts_insert_in_Un [dest]
   21.28  
   21.29  
   21.30 -subsection{*Lemmas about lists, for reasoning about  Issues*}
   21.31 +subsection\<open>Lemmas about lists, for reasoning about  Issues\<close>
   21.32  
   21.33  lemma spies_Says_rev: "spies (evs @ [Says A B X]) = insert X (spies evs)"
   21.34  apply (induct_tac "evs")
   21.35 @@ -286,13 +286,13 @@
   21.36  apply (induct_tac "evs")
   21.37  apply (rename_tac [2] a b)
   21.38  apply (induct_tac [2] "a", auto)
   21.39 -txt{* Resembles @{text"used_subset_append"} in theory Event.*}
   21.40 +txt\<open>Resembles \<open>used_subset_append\<close> in theory Event.\<close>
   21.41  done
   21.42  
   21.43  lemmas parts_spies_takeWhile_mono = spies_takeWhile [THEN parts_mono]
   21.44  
   21.45  
   21.46 -subsection{*Lemmas about @{term authKeys}*}
   21.47 +subsection\<open>Lemmas about @{term authKeys}\<close>
   21.48  
   21.49  lemma authKeys_empty: "authKeys [] = {}"
   21.50  apply (unfold authKeys_def)
   21.51 @@ -330,9 +330,9 @@
   21.52  by (simp add: authKeys_def, blast)
   21.53  
   21.54  
   21.55 -subsection{*Forwarding Lemmas*}
   21.56 +subsection\<open>Forwarding Lemmas\<close>
   21.57  
   21.58 -text{*--For reasoning about the encrypted portion of message K3--*}
   21.59 +text\<open>--For reasoning about the encrypted portion of message K3--\<close>
   21.60  lemma K3_msg_in_parts_spies:
   21.61       "Says Kas' A (Crypt KeyA \<lbrace>authK, Peer, Ta, authTicket\<rbrace>)
   21.62                 \<in> set evs \<Longrightarrow> authTicket \<in> parts (spies evs)"
   21.63 @@ -346,7 +346,7 @@
   21.64  apply (erule kerbIV.induct, auto)
   21.65  done
   21.66  
   21.67 -text{*--For reasoning about the encrypted portion of message K5--*}
   21.68 +text\<open>--For reasoning about the encrypted portion of message K5--\<close>
   21.69  lemma K5_msg_in_parts_spies:
   21.70       "Says Tgs' A (Crypt authK \<lbrace>servK, Agent B, Ts, servTicket\<rbrace>)
   21.71                 \<in> set evs \<Longrightarrow> servTicket \<in> parts (spies evs)"
   21.72 @@ -384,7 +384,7 @@
   21.73  
   21.74  lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]
   21.75  
   21.76 -text{*Nobody can have used non-existent keys!*}
   21.77 +text\<open>Nobody can have used non-existent keys!\<close>
   21.78  lemma new_keys_not_used [simp]:
   21.79      "\<lbrakk>Key K \<notin> used evs; K \<in> symKeys; evs \<in> kerbIV\<rbrakk>
   21.80       \<Longrightarrow> K \<notin> keysFor (parts (spies evs))"
   21.81 @@ -392,9 +392,9 @@
   21.82  apply (erule kerbIV.induct)
   21.83  apply (frule_tac [7] K5_msg_in_parts_spies)
   21.84  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
   21.85 -txt{*Fake*}
   21.86 +txt\<open>Fake\<close>
   21.87  apply (force dest!: keysFor_parts_insert)
   21.88 -txt{*Others*}
   21.89 +txt\<open>Others\<close>
   21.90  apply (force dest!: analz_shrK_Decrypt)+
   21.91  done
   21.92  
   21.93 @@ -407,7 +407,7 @@
   21.94  
   21.95  
   21.96  
   21.97 -subsection{*Lemmas for reasoning about predicate "before"*}
   21.98 +subsection\<open>Lemmas for reasoning about predicate "before"\<close>
   21.99  
  21.100  lemma used_Says_rev: "used (evs @ [Says A B X]) = parts {X} \<union> (used evs)"
  21.101  apply (induct_tac "evs")
  21.102 @@ -461,10 +461,10 @@
  21.103  by auto
  21.104  
  21.105  
  21.106 -subsection{*Regularity Lemmas*}
  21.107 -text{*These concern the form of items passed in messages*}
  21.108 +subsection\<open>Regularity Lemmas\<close>
  21.109 +text\<open>These concern the form of items passed in messages\<close>
  21.110  
  21.111 -text{*Describes the form of all components sent by Kas*}
  21.112 +text\<open>Describes the form of all components sent by Kas\<close>
  21.113  lemma Says_Kas_message_form:
  21.114       "\<lbrakk> Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>)
  21.115             \<in> set evs;
  21.116 @@ -482,7 +482,7 @@
  21.117  apply (erule rev_mp)
  21.118  apply (erule kerbIV.induct)
  21.119  apply (simp_all (no_asm) add: authKeys_def authKeys_insert, blast, blast)
  21.120 -txt{*K2*}
  21.121 +txt\<open>K2\<close>
  21.122  apply (simp (no_asm) add: takeWhile_tail)
  21.123  apply (rule conjI)
  21.124  apply (metis Key_not_used authKeys_used length_rev set_rev takeWhile_void used_evs_rev)
  21.125 @@ -521,7 +521,7 @@
  21.126  apply (erule kerbIV.induct)
  21.127  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.128  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.129 -txt{*Fake, K4*}
  21.130 +txt\<open>Fake, K4\<close>
  21.131  apply (blast+)
  21.132  done
  21.133  
  21.134 @@ -535,7 +535,7 @@
  21.135  apply blast
  21.136  done
  21.137  
  21.138 -text{*Describes the form of servK, servTicket and authK sent by Tgs*}
  21.139 +text\<open>Describes the form of servK, servTicket and authK sent by Tgs\<close>
  21.140  lemma Says_Tgs_message_form:
  21.141       "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  21.142             \<in> set evs;
  21.143 @@ -554,16 +554,16 @@
  21.144  apply (erule rev_mp)
  21.145  apply (erule kerbIV.induct)
  21.146  apply (simp_all add: authKeys_insert authKeys_not_insert authKeys_empty authKeys_simp, blast)
  21.147 -txt{*We need this simplification only for Message 4*}
  21.148 +txt\<open>We need this simplification only for Message 4\<close>
  21.149  apply (simp (no_asm) add: takeWhile_tail)
  21.150  apply auto
  21.151 -txt{*Five subcases of Message 4*}
  21.152 +txt\<open>Five subcases of Message 4\<close>
  21.153  apply (blast dest!: SesKey_is_session_key)
  21.154  apply (blast dest: authTicket_crypt_authK)
  21.155  apply (blast dest!: authKeys_used Says_Kas_message_form)
  21.156 -txt{*subcase: used before*}
  21.157 +txt\<open>subcase: used before\<close>
  21.158  apply (metis used_evs_rev used_takeWhile_used)
  21.159 -txt{*subcase: CT before*}
  21.160 +txt\<open>subcase: CT before\<close>
  21.161  apply (metis length_rev set_evs_rev takeWhile_void)
  21.162  done
  21.163  
  21.164 @@ -581,7 +581,7 @@
  21.165  apply (blast+)
  21.166  done
  21.167  
  21.168 -text{* This form holds also over an authTicket, but is not needed below.*}
  21.169 +text\<open>This form holds also over an authTicket, but is not needed below.\<close>
  21.170  lemma servTicket_form:
  21.171       "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>
  21.172                \<in> parts (spies evs);
  21.173 @@ -596,7 +596,7 @@
  21.174  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast)
  21.175  done
  21.176  
  21.177 -text{* Essentially the same as @{text authTicket_form} *}
  21.178 +text\<open>Essentially the same as \<open>authTicket_form\<close>\<close>
  21.179  lemma Says_kas_message_form:
  21.180       "\<lbrakk> Says Kas' A (Crypt (shrK A)
  21.181                \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs;
  21.182 @@ -619,7 +619,7 @@
  21.183  by (metis Says_imp_analz_Spy Says_imp_parts_knows_Spy analz.Decrypt analz.Snd invKey_K servTicket_form)
  21.184  
  21.185  
  21.186 -subsection{*Authenticity theorems: confirm origin of sensitive messages*}
  21.187 +subsection\<open>Authenticity theorems: confirm origin of sensitive messages\<close>
  21.188  
  21.189  lemma authK_authentic:
  21.190       "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>
  21.191 @@ -631,13 +631,13 @@
  21.192  apply (erule kerbIV.induct)
  21.193  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.194  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.195 -txt{*Fake*}
  21.196 +txt\<open>Fake\<close>
  21.197  apply blast
  21.198 -txt{*K4*}
  21.199 +txt\<open>K4\<close>
  21.200  apply (blast dest!: authTicket_authentic [THEN Says_Kas_message_form])
  21.201  done
  21.202  
  21.203 -text{*If a certain encrypted message appears then it originated with Tgs*}
  21.204 +text\<open>If a certain encrypted message appears then it originated with Tgs\<close>
  21.205  lemma servK_authentic:
  21.206       "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
  21.207             \<in> parts (spies evs);
  21.208 @@ -651,11 +651,11 @@
  21.209  apply (erule kerbIV.induct, analz_mono_contra)
  21.210  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.211  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.212 -txt{*Fake*}
  21.213 +txt\<open>Fake\<close>
  21.214  apply blast
  21.215 -txt{*K2*}
  21.216 +txt\<open>K2\<close>
  21.217  apply blast
  21.218 -txt{*K4*}
  21.219 +txt\<open>K4\<close>
  21.220  apply auto
  21.221  done
  21.222  
  21.223 @@ -672,13 +672,13 @@
  21.224  apply (erule kerbIV.induct, analz_mono_contra)
  21.225  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.226  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.227 -txt{*Fake*}
  21.228 +txt\<open>Fake\<close>
  21.229  apply blast
  21.230 -txt{*K4*}
  21.231 +txt\<open>K4\<close>
  21.232  apply blast
  21.233  done
  21.234  
  21.235 -text{*Authenticity of servK for B*}
  21.236 +text\<open>Authenticity of servK for B\<close>
  21.237  lemma servTicket_authentic_Tgs:
  21.238       "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
  21.239             \<in> parts (spies evs); B \<noteq> Tgs;  B \<notin> bad;
  21.240 @@ -695,7 +695,7 @@
  21.241  apply blast+
  21.242  done
  21.243  
  21.244 -text{*Anticipated here from next subsection*}
  21.245 +text\<open>Anticipated here from next subsection\<close>
  21.246  lemma K4_imp_K2:
  21.247  "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  21.248        \<in> set evs;  evs \<in> kerbIV\<rbrakk>
  21.249 @@ -711,7 +711,7 @@
  21.250  apply (blast dest!: Says_imp_spies [THEN parts.Inj, THEN parts.Fst, THEN authTicket_authentic])
  21.251  done
  21.252  
  21.253 -text{*Anticipated here from next subsection*}
  21.254 +text\<open>Anticipated here from next subsection\<close>
  21.255  lemma u_K4_imp_K2:
  21.256  "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  21.257        \<in> set evs; evs \<in> kerbIV\<rbrakk>
  21.258 @@ -780,7 +780,7 @@
  21.259    by (metis le_less_trans)
  21.260  
  21.261  
  21.262 -subsection{* Reliability: friendly agents send something if something else happened*}
  21.263 +subsection\<open>Reliability: friendly agents send something if something else happened\<close>
  21.264  
  21.265  lemma K3_imp_K2:
  21.266       "\<lbrakk> Says A Tgs
  21.267 @@ -797,7 +797,7 @@
  21.268  apply (blast dest: Says_imp_spies [THEN parts.Inj, THEN authK_authentic])
  21.269  done
  21.270  
  21.271 -text{*Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.*}
  21.272 +text\<open>Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.\<close>
  21.273  lemma Key_unique_SesKey:
  21.274       "\<lbrakk> Crypt K  \<lbrace>Key SesKey,  Agent B, T, Ticket\<rbrace>
  21.275             \<in> parts (spies evs);
  21.276 @@ -811,7 +811,7 @@
  21.277  apply (erule kerbIV.induct, analz_mono_contra)
  21.278  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.279  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.280 -txt{*Fake, K2, K4*}
  21.281 +txt\<open>Fake, K2, K4\<close>
  21.282  apply (blast+)
  21.283  done
  21.284  
  21.285 @@ -829,13 +829,13 @@
  21.286  apply (frule_tac [5] Says_ticket_parts)
  21.287  apply (frule_tac [7] Says_ticket_parts)
  21.288  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  21.289 -txt{*Fake*}
  21.290 +txt\<open>Fake\<close>
  21.291  apply blast
  21.292 -txt{*K2*}
  21.293 +txt\<open>K2\<close>
  21.294  apply (force dest!: Crypt_imp_keysFor)
  21.295 -txt{*K3*}
  21.296 +txt\<open>K3\<close>
  21.297  apply (blast dest: Key_unique_SesKey)
  21.298 -txt{*K5*}
  21.299 +txt\<open>K5\<close>
  21.300  apply (metis K3_imp_K2 Key_unique_SesKey Spy_see_shrK parts.Body parts.Fst 
  21.301               Says_imp_knows_Spy [THEN parts.Inj])
  21.302  done
  21.303 @@ -855,15 +855,15 @@
  21.304  apply (frule_tac [7] Says_ticket_parts)
  21.305  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  21.306  apply blast
  21.307 -txt{*K3*}
  21.308 +txt\<open>K3\<close>
  21.309  apply (blast dest: authK_authentic Says_Kas_message_form Says_Tgs_message_form)
  21.310 -txt{*K4*}
  21.311 +txt\<open>K4\<close>
  21.312  apply (force dest!: Crypt_imp_keysFor)
  21.313 -txt{*K5*}
  21.314 +txt\<open>K5\<close>
  21.315  apply (blast dest: Key_unique_SesKey)
  21.316  done
  21.317  
  21.318 -text{*Anticipated here from next subsection*}
  21.319 +text\<open>Anticipated here from next subsection\<close>
  21.320  lemma unique_CryptKey:
  21.321       "\<lbrakk> Crypt (shrK B)  \<lbrace>Agent A,  Agent B,  Key SesKey, T\<rbrace>
  21.322             \<in> parts (spies evs);
  21.323 @@ -877,7 +877,7 @@
  21.324  apply (erule kerbIV.induct, analz_mono_contra)
  21.325  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.326  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.327 -txt{*Fake, K2, K4*}
  21.328 +txt\<open>Fake, K2, K4\<close>
  21.329  apply (blast+)
  21.330  done
  21.331  
  21.332 @@ -903,7 +903,7 @@
  21.333               unique_CryptKey) 
  21.334  done
  21.335  
  21.336 -text{*Needs a unicity theorem, hence moved here*}
  21.337 +text\<open>Needs a unicity theorem, hence moved here\<close>
  21.338  lemma servK_authentic_ter:
  21.339   "\<lbrakk> Says Kas A
  21.340      (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) \<in> set evs;
  21.341 @@ -920,18 +920,18 @@
  21.342  apply (erule kerbIV.induct, analz_mono_contra)
  21.343  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.344  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast)
  21.345 -txt{*K2*}
  21.346 +txt\<open>K2\<close>
  21.347  apply (blast dest!: servK_authentic Says_Tgs_message_form authKeys_used)
  21.348 -txt{*K4 remain*}
  21.349 +txt\<open>K4 remain\<close>
  21.350  apply (blast dest!: unique_CryptKey)
  21.351  done
  21.352  
  21.353  
  21.354 -subsection{*Unicity Theorems*}
  21.355 +subsection\<open>Unicity Theorems\<close>
  21.356  
  21.357 -text{* The session key, if secure, uniquely identifies the Ticket
  21.358 +text\<open>The session key, if secure, uniquely identifies the Ticket
  21.359     whether authTicket or servTicket. As a matter of fact, one can read
  21.360 -   also Tgs in the place of B.                                     *}
  21.361 +   also Tgs in the place of B.\<close>
  21.362  
  21.363  
  21.364  (*
  21.365 @@ -963,11 +963,11 @@
  21.366  apply (erule kerbIV.induct)
  21.367  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.368  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.369 -txt{*K2*}
  21.370 +txt\<open>K2\<close>
  21.371  apply blast
  21.372  done
  21.373  
  21.374 -text{* servK uniquely identifies the message from Tgs *}
  21.375 +text\<open>servK uniquely identifies the message from Tgs\<close>
  21.376  lemma unique_servKeys:
  21.377       "\<lbrakk> Says Tgs A
  21.378                (Crypt K \<lbrace>Key servK, Agent B, Ts, X\<rbrace>) \<in> set evs;
  21.379 @@ -979,11 +979,11 @@
  21.380  apply (erule kerbIV.induct)
  21.381  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.382  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.383 -txt{*K4*}
  21.384 +txt\<open>K4\<close>
  21.385  apply blast
  21.386  done
  21.387  
  21.388 -text{* Revised unicity theorems *}
  21.389 +text\<open>Revised unicity theorems\<close>
  21.390  
  21.391  lemma Kas_Unique:
  21.392       "\<lbrakk> Says Kas A
  21.393 @@ -1006,7 +1006,7 @@
  21.394  done
  21.395  
  21.396  
  21.397 -subsection{*Lemmas About the Predicate @{term AKcryptSK}*}
  21.398 +subsection\<open>Lemmas About the Predicate @{term AKcryptSK}\<close>
  21.399  
  21.400  lemma not_AKcryptSK_Nil [iff]: "\<not> AKcryptSK authK servK []"
  21.401  by (simp add: AKcryptSK_def)
  21.402 @@ -1054,15 +1054,15 @@
  21.403  apply (erule kerbIV.induct)
  21.404  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.405  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all)
  21.406 -txt{*Fake*}
  21.407 +txt\<open>Fake\<close>
  21.408  apply blast
  21.409 -txt{*K2: by freshness*}
  21.410 +txt\<open>K2: by freshness\<close>
  21.411  apply (simp add: AKcryptSK_def)
  21.412 -txt{*K4*}
  21.413 +txt\<open>K4\<close>
  21.414  apply (blast+)
  21.415  done
  21.416  
  21.417 -text{*A secure serverkey cannot have been used to encrypt others*}
  21.418 +text\<open>A secure serverkey cannot have been used to encrypt others\<close>
  21.419  lemma servK_not_AKcryptSK:
  21.420   "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key SK, Number Ts\<rbrace> \<in> parts (spies evs);
  21.421       Key SK \<notin> analz (spies evs);  SK \<in> symKeys;
  21.422 @@ -1073,11 +1073,11 @@
  21.423  apply (erule kerbIV.induct, analz_mono_contra)
  21.424  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.425  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast)
  21.426 -txt{*K4*}
  21.427 +txt\<open>K4\<close>
  21.428  apply (metis Auth_fresh_not_AKcryptSK Crypt_imp_keysFor new_keys_not_used parts.Fst parts.Snd Says_imp_knows_Spy [THEN parts.Inj] unique_CryptKey)
  21.429  done
  21.430  
  21.431 -text{*Long term keys are not issued as servKeys*}
  21.432 +text\<open>Long term keys are not issued as servKeys\<close>
  21.433  lemma shrK_not_AKcryptSK:
  21.434       "evs \<in> kerbIV \<Longrightarrow> \<not> AKcryptSK K (shrK A) evs"
  21.435  apply (unfold AKcryptSK_def)
  21.436 @@ -1086,8 +1086,8 @@
  21.437  apply (frule_tac [5] K3_msg_in_parts_spies, auto)
  21.438  done
  21.439  
  21.440 -text{*The Tgs message associates servK with authK and therefore not with any
  21.441 -  other key authK.*}
  21.442 +text\<open>The Tgs message associates servK with authK and therefore not with any
  21.443 +  other key authK.\<close>
  21.444  lemma Says_Tgs_AKcryptSK:
  21.445       "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, X \<rbrace>)
  21.446             \<in> set evs;
  21.447 @@ -1097,7 +1097,7 @@
  21.448  apply (blast dest: unique_servKeys)
  21.449  done
  21.450  
  21.451 -text{*Equivalently*}
  21.452 +text\<open>Equivalently\<close>
  21.453  lemma not_different_AKcryptSK:
  21.454       "\<lbrakk> AKcryptSK authK servK evs;
  21.455          authK' \<noteq> authK;  evs \<in> kerbIV \<rbrakk>
  21.456 @@ -1117,11 +1117,11 @@
  21.457               authKeys_used authTicket_crypt_authK parts.Fst parts.Inj)
  21.458  done
  21.459  
  21.460 -text{*The only session keys that can be found with the help of session keys are
  21.461 -  those sent by Tgs in step K4.  *}
  21.462 +text\<open>The only session keys that can be found with the help of session keys are
  21.463 +  those sent by Tgs in step K4.\<close>
  21.464  
  21.465 -text{*We take some pains to express the property
  21.466 -  as a logical equivalence so that the simplifier can apply it.*}
  21.467 +text\<open>We take some pains to express the property
  21.468 +  as a logical equivalence so that the simplifier can apply it.\<close>
  21.469  lemma Key_analz_image_Key_lemma:
  21.470       "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H)
  21.471        \<Longrightarrow>
  21.472 @@ -1152,9 +1152,9 @@
  21.473  done
  21.474  
  21.475  
  21.476 -subsection{*Secrecy Theorems*}
  21.477 +subsection\<open>Secrecy Theorems\<close>
  21.478  
  21.479 -text{*For the Oops2 case of the next theorem*}
  21.480 +text\<open>For the Oops2 case of the next theorem\<close>
  21.481  lemma Oops2_not_AKcryptSK:
  21.482       "\<lbrakk> evs \<in> kerbIV;
  21.483           Says Tgs A (Crypt authK
  21.484 @@ -1163,11 +1163,11 @@
  21.485        \<Longrightarrow> \<not> AKcryptSK servK SK evs"
  21.486  by (blast dest: AKcryptSKI AKcryptSK_not_AKcryptSK)
  21.487     
  21.488 -text{* Big simplification law for keys SK that are not crypted by keys in KK
  21.489 +text\<open>Big simplification law for keys SK that are not crypted by keys in KK
  21.490   It helps prove three, otherwise hard, facts about keys. These facts are
  21.491   exploited as simplification laws for analz, and also "limit the damage"
  21.492   in case of loss of a key to the spy. See ESORICS98.
  21.493 - [simplified by LCP] *}
  21.494 + [simplified by LCP]\<close>
  21.495  lemma Key_analz_image_Key [rule_format (no_asm)]:
  21.496       "evs \<in> kerbIV \<Longrightarrow>
  21.497        (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow>
  21.498 @@ -1180,38 +1180,38 @@
  21.499  apply (frule_tac [7] Says_tgs_message_form)
  21.500  apply (frule_tac [5] Says_kas_message_form)
  21.501  apply (safe del: impI intro!: Key_analz_image_Key_lemma [THEN impI])
  21.502 -txt{*Case-splits for Oops1 and message 5: the negated case simplifies using
  21.503 - the induction hypothesis*}
  21.504 +txt\<open>Case-splits for Oops1 and message 5: the negated case simplifies using
  21.505 + the induction hypothesis\<close>
  21.506  apply (case_tac [11] "AKcryptSK authK SK evsO1")
  21.507  apply (case_tac [8] "AKcryptSK servK SK evs5")
  21.508  apply (simp_all del: image_insert
  21.509          add: analz_image_freshK_simps AKcryptSK_Says shrK_not_AKcryptSK
  21.510               Oops2_not_AKcryptSK Auth_fresh_not_AKcryptSK
  21.511         Serv_fresh_not_AKcryptSK Says_Tgs_AKcryptSK Spy_analz_shrK)
  21.512 -txt{*Fake*} 
  21.513 +txt\<open>Fake\<close> 
  21.514  apply spy_analz
  21.515 -txt{*K2*}
  21.516 +txt\<open>K2\<close>
  21.517  apply blast 
  21.518 -txt{*K3*}
  21.519 +txt\<open>K3\<close>
  21.520  apply blast 
  21.521 -txt{*K4*}
  21.522 +txt\<open>K4\<close>
  21.523  apply (blast dest!: authK_not_AKcryptSK)
  21.524 -txt{*K5*}
  21.525 +txt\<open>K5\<close>
  21.526  apply (case_tac "Key servK \<in> analz (spies evs5) ")
  21.527 -txt{*If servK is compromised then the result follows directly...*}
  21.528 +txt\<open>If servK is compromised then the result follows directly...\<close>
  21.529  apply (simp (no_asm_simp) add: analz_insert_eq Un_upper2 [THEN analz_mono, THEN subsetD])
  21.530 -txt{*...therefore servK is uncompromised.*}
  21.531 -txt{*The AKcryptSK servK SK evs5 case leads to a contradiction.*}
  21.532 +txt\<open>...therefore servK is uncompromised.\<close>
  21.533 +txt\<open>The AKcryptSK servK SK evs5 case leads to a contradiction.\<close>
  21.534  apply (blast elim!: servK_not_AKcryptSK [THEN [2] rev_notE] del: allE ballE)
  21.535 -txt{*Another K5 case*}
  21.536 +txt\<open>Another K5 case\<close>
  21.537  apply blast 
  21.538 -txt{*Oops1*}
  21.539 +txt\<open>Oops1\<close>
  21.540  apply simp 
  21.541  apply (blast dest!: AKcryptSK_analz_insert)
  21.542  done
  21.543  
  21.544 -text{* First simplification law for analz: no session keys encrypt
  21.545 -authentication keys or shared keys. *}
  21.546 +text\<open>First simplification law for analz: no session keys encrypt
  21.547 +authentication keys or shared keys.\<close>
  21.548  lemma analz_insert_freshK1:
  21.549       "\<lbrakk> evs \<in> kerbIV;  K \<in> authKeys evs Un range shrK;
  21.550          SesKey \<notin> range shrK \<rbrakk>
  21.551 @@ -1223,7 +1223,7 @@
  21.552  done
  21.553  
  21.554  
  21.555 -text{* Second simplification law for analz: no service keys encrypt any other keys.*}
  21.556 +text\<open>Second simplification law for analz: no service keys encrypt any other keys.\<close>
  21.557  lemma analz_insert_freshK2:
  21.558       "\<lbrakk> evs \<in> kerbIV;  servK \<notin> (authKeys evs); servK \<notin> range shrK;
  21.559          K \<in> symKeys \<rbrakk>
  21.560 @@ -1235,7 +1235,7 @@
  21.561  done
  21.562  
  21.563  
  21.564 -text{* Third simplification law for analz: only one authentication key encrypts a certain service key.*}
  21.565 +text\<open>Third simplification law for analz: only one authentication key encrypts a certain service key.\<close>
  21.566  
  21.567  lemma analz_insert_freshK3:
  21.568   "\<lbrakk> AKcryptSK authK servK evs;
  21.569 @@ -1258,7 +1258,7 @@
  21.570  apply (simp add: analz_insert_freshK3)
  21.571  done
  21.572  
  21.573 -text{*a weakness of the protocol*}
  21.574 +text\<open>a weakness of the protocol\<close>
  21.575  lemma authK_compromises_servK:
  21.576       "\<lbrakk> Says Tgs A
  21.577                (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  21.578 @@ -1284,8 +1284,8 @@
  21.579  done
  21.580  
  21.581  
  21.582 -text{*If Spy sees the Authentication Key sent in msg K2, then
  21.583 -    the Key has expired.*}
  21.584 +text\<open>If Spy sees the Authentication Key sent in msg K2, then
  21.585 +    the Key has expired.\<close>
  21.586  lemma Confidentiality_Kas_lemma [rule_format]:
  21.587       "\<lbrakk> authK \<in> symKeys; A \<notin> bad;  evs \<in> kerbIV \<rbrakk>
  21.588        \<Longrightarrow> Says Kas A
  21.589 @@ -1302,17 +1302,17 @@
  21.590  apply (frule_tac [5] Says_kas_message_form)
  21.591  apply (safe del: impI conjI impCE)
  21.592  apply (simp_all (no_asm_simp) add: Says_Kas_message_form less_SucI analz_insert_eq not_parts_not_analz analz_insert_freshK1 pushes)
  21.593 -txt{*Fake*}
  21.594 +txt\<open>Fake\<close>
  21.595  apply spy_analz
  21.596 -txt{*K2*}
  21.597 +txt\<open>K2\<close>
  21.598  apply blast
  21.599 -txt{*K4*}
  21.600 +txt\<open>K4\<close>
  21.601  apply blast
  21.602 -txt{*Level 8: K5*}
  21.603 +txt\<open>Level 8: K5\<close>
  21.604  apply (blast dest: servK_notin_authKeysD Says_Kas_message_form intro: less_SucI)
  21.605 -txt{*Oops1*}
  21.606 +txt\<open>Oops1\<close>
  21.607  apply (blast dest!: unique_authKeys intro: less_SucI)
  21.608 -txt{*Oops2*}
  21.609 +txt\<open>Oops2\<close>
  21.610  apply (blast dest: Says_Tgs_message_form Says_Kas_message_form)
  21.611  done
  21.612  
  21.613 @@ -1325,8 +1325,8 @@
  21.614        \<Longrightarrow> Key authK \<notin> analz (spies evs)"
  21.615  by (blast dest: Says_Kas_message_form Confidentiality_Kas_lemma)
  21.616  
  21.617 -text{*If Spy sees the Service Key sent in msg K4, then
  21.618 -    the Key has expired.*}
  21.619 +text\<open>If Spy sees the Service Key sent in msg K4, then
  21.620 +    the Key has expired.\<close>
  21.621  
  21.622  lemma Confidentiality_lemma [rule_format]:
  21.623       "\<lbrakk> Says Tgs A
  21.624 @@ -1343,11 +1343,11 @@
  21.625  apply (erule rev_mp)
  21.626  apply (erule kerbIV.induct)
  21.627  apply (rule_tac [9] impI)+
  21.628 -  --{*The Oops1 case is unusual: must simplify
  21.629 +  \<comment>\<open>The Oops1 case is unusual: must simplify
  21.630      @{term "Authkey \<notin> analz (spies (ev#evs))"}, not letting
  21.631 -   @{text analz_mono_contra} weaken it to
  21.632 +   \<open>analz_mono_contra\<close> weaken it to
  21.633     @{term "Authkey \<notin> analz (spies evs)"},
  21.634 -  for we then conclude @{term "authK \<noteq> authKa"}.*}
  21.635 +  for we then conclude @{term "authK \<noteq> authKa"}.\<close>
  21.636  apply analz_mono_contra
  21.637  apply (frule_tac [10] Oops_range_spies2)
  21.638  apply (frule_tac [9] Oops_range_spies1)
  21.639 @@ -1355,23 +1355,23 @@
  21.640  apply (frule_tac [5] Says_kas_message_form)
  21.641  apply (safe del: impI conjI impCE)
  21.642  apply (simp_all add: less_SucI new_keys_not_analzd Says_Kas_message_form Says_Tgs_message_form analz_insert_eq not_parts_not_analz analz_insert_freshK1 analz_insert_freshK2 analz_insert_freshK3_bis pushes)
  21.643 -txt{*Fake*}
  21.644 +txt\<open>Fake\<close>
  21.645       apply spy_analz
  21.646 -txt{*K2*}
  21.647 +txt\<open>K2\<close>
  21.648      apply (blast intro: parts_insertI less_SucI)
  21.649 -txt{*K4*}
  21.650 +txt\<open>K4\<close>
  21.651     apply (blast dest: authTicket_authentic Confidentiality_Kas)
  21.652 -txt{*K5*}
  21.653 +txt\<open>K5\<close>
  21.654    apply (metis Says_imp_spies Says_ticket_parts Tgs_not_bad analz_insert_freshK2 
  21.655               less_SucI parts.Inj servK_notin_authKeysD unique_CryptKey)
  21.656 -txt{*Oops1*} 
  21.657 +txt\<open>Oops1\<close> 
  21.658   apply (blast dest: Says_Kas_message_form Says_Tgs_message_form intro: less_SucI)
  21.659 -txt{*Oops2*}
  21.660 +txt\<open>Oops2\<close>
  21.661  apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI)
  21.662  done
  21.663  
  21.664  
  21.665 -text{* In the real world Tgs can't check wheter authK is secure! *}
  21.666 +text\<open>In the real world Tgs can't check wheter authK is secure!\<close>
  21.667  lemma Confidentiality_Tgs:
  21.668       "\<lbrakk> Says Tgs A
  21.669                (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
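Review bot: The rewritten comment at the `Confidentiality_Tgs` lemma still carries the typo `wheter`; since the commit is already rewriting this line for the cartouche syntax, it should read `text\<open>In the real world Tgs can't check whether authK is secure!\<close>`. This remark is the security-relevant caveat of the lemma — it presumably relies on an assumption that authK is uncompromised, which Tgs has no way to verify at runtime — so it is worth stating cleanly, and the following comment (`Tgs CAN check what Kas sends!`, introducing `Confidentiality_Tgs_bis`) is the realistic counterpart a reader should be pointed to. The premises of `Confidentiality_Tgs` continue past the end of this hunk, so the exact assumption is not visible here.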
  21.670 @@ -1382,7 +1382,7 @@
  21.671        \<Longrightarrow> Key servK \<notin> analz (spies evs)"
  21.672  by (blast dest: Says_Tgs_message_form Confidentiality_lemma)
  21.673  
  21.674 -text{* In the real world Tgs CAN check what Kas sends! *}
  21.675 +text\<open>In the real world Tgs CAN check what Kas sends!\<close>
  21.676  lemma Confidentiality_Tgs_bis:
  21.677       "\<lbrakk> Says Kas A
  21.678                 (Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
  21.679 @@ -1395,13 +1395,13 @@
  21.680        \<Longrightarrow> Key servK \<notin> analz (spies evs)"
  21.681  by (blast dest!: Confidentiality_Kas Confidentiality_Tgs)
  21.682  
  21.683 -text{*Most general form*}
  21.684 +text\<open>Most general form\<close>
  21.685  lemmas Confidentiality_Tgs_ter = authTicket_authentic [THEN Confidentiality_Tgs_bis]
  21.686  
  21.687  lemmas Confidentiality_Auth_A = authK_authentic [THEN Confidentiality_Kas]
  21.688  
  21.689 -text{*Needs a confidentiality guarantee, hence moved here.
  21.690 -      Authenticity of servK for A*}
  21.691 +text\<open>Needs a confidentiality guarantee, hence moved here.
  21.692 +      Authenticity of servK for A\<close>
  21.693  lemma servK_authentic_bis_r:
  21.694       "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
  21.695             \<in> parts (spies evs);
  21.696 @@ -1460,15 +1460,15 @@
  21.697  
  21.698  
  21.699  
  21.700 -subsection{*Parties authentication: each party verifies "the identity of
  21.701 -       another party who generated some data" (quoted from Neuman and Ts'o).*}
  21.702 +subsection\<open>Parties authentication: each party verifies "the identity of
  21.703 +       another party who generated some data" (quoted from Neuman and Ts'o).\<close>
  21.704  
  21.705 -text{*These guarantees don't assess whether two parties agree on
  21.706 +text\<open>These guarantees don't assess whether two parties agree on
  21.707           the same session key: sending a message containing a key
  21.708 -         doesn't a priori state knowledge of the key.*}
  21.709 +         doesn't a priori state knowledge of the key.\<close>
  21.710  
  21.711  
  21.712 -text{*@{text Tgs_authenticates_A} can be found above*}
  21.713 +text\<open>\<open>Tgs_authenticates_A\<close> can be found above\<close>
  21.714  
  21.715  lemma A_authenticates_Tgs:
  21.716   "\<lbrakk> Says Kas A
  21.717 @@ -1486,9 +1486,9 @@
  21.718  apply (erule kerbIV.induct, analz_mono_contra)
  21.719  apply (frule_tac [7] K5_msg_in_parts_spies)
  21.720  apply (frule_tac [5] K3_msg_in_parts_spies, simp_all, blast)
  21.721 -txt{*K2*}
  21.722 +txt\<open>K2\<close>
  21.723  apply (blast dest!: servK_authentic Says_Tgs_message_form authKeys_used)
  21.724 -txt{*K4*}
  21.725 +txt\<open>K4\<close>
  21.726  apply (blast dest!: unique_CryptKey)
  21.727  done
  21.728  
  21.729 @@ -1503,7 +1503,7 @@
  21.730                 Crypt servK \<lbrace>Agent A, Number T3\<rbrace>\<rbrace> \<in> set evs"
  21.731  by (blast dest: servTicket_authentic_Tgs intro: Says_K5)
  21.732  
  21.733 -text{*The second assumption tells B what kind of key servK is.*}
  21.734 +text\<open>The second assumption tells B what kind of key servK is.\<close>
  21.735  lemma B_authenticates_A_r:
  21.736       "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
  21.737           Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
  21.738 @@ -1518,7 +1518,7 @@
  21.739                    Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<rbrace> \<in> set evs"
  21.740  by (blast intro: Says_K5 dest: Confidentiality_B servTicket_authentic_Tgs)
  21.741  
  21.742 -text{* @{text u_B_authenticates_A} would be the same as @{text B_authenticates_A} because the servK confidentiality assumption is yet unrelaxed*}
  21.743 +text\<open>\<open>u_B_authenticates_A\<close> would be the same as \<open>B_authenticates_A\<close> because the servK confidentiality assumption is yet unrelaxed\<close>
  21.744  
  21.745  lemma u_B_authenticates_A_r:
  21.746       "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
  21.747 @@ -1563,10 +1563,10 @@
  21.748  done
  21.749  
  21.750  
  21.751 -subsection{* Key distribution guarantees
  21.752 +subsection\<open>Key distribution guarantees
  21.753         An agent knows a session key if he used it to issue a cipher.
  21.754         These guarantees also convey a stronger form of 
  21.755 -       authentication - non-injective agreement on the session key*}
  21.756 +       authentication - non-injective agreement on the session key\<close>
  21.757  
  21.758  
  21.759  lemma Kas_Issues_A:
  21.760 @@ -1583,7 +1583,7 @@
  21.761  apply (frule_tac [5] Says_ticket_parts)
  21.762  apply (frule_tac [7] Says_ticket_parts)
  21.763  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  21.764 -txt{*K2*}
  21.765 +txt\<open>K2\<close>
  21.766  apply (simp add: takeWhile_tail)
  21.767  apply (blast dest: authK_authentic parts_spies_takeWhile_mono [THEN subsetD] parts_spies_evs_revD2 [THEN subsetD])
  21.768  done
  21.769 @@ -1638,9 +1638,9 @@
  21.770  apply (frule_tac [5] Says_ticket_parts)
  21.771  apply (frule_tac [7] Says_ticket_parts)
  21.772  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  21.773 -txt{*fake*}
  21.774 +txt\<open>fake\<close>
  21.775  apply blast
  21.776 -txt{*K3*}
  21.777 +txt\<open>K3\<close>
  21.778  (*
  21.779  apply clarify
  21.780  apply (drule Says_imp_knows_Spy [THEN parts.Inj, THEN authK_authentic, THEN Says_Kas_message_form], assumption, assumption, assumption)
  21.781 @@ -1678,7 +1678,7 @@
  21.782  apply (frule_tac [5] Says_ticket_parts)
  21.783  apply (frule_tac [7] Says_ticket_parts)
  21.784  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  21.785 -txt{*K4*}
  21.786 +txt\<open>K4\<close>
  21.787  apply (simp add: takeWhile_tail)
  21.788  (*Last two thms installed only to derive authK \<notin> range shrK*)
  21.789  apply (metis knows_Spy_partsEs(2) parts.Fst usedI used_evs_rev used_takeWhile_used)
  21.790 @@ -1709,7 +1709,7 @@
  21.791  apply (frule_tac [7] Says_ticket_parts)
  21.792  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  21.793  apply blast
  21.794 -txt{*K6 requires numerous lemmas*}
  21.795 +txt\<open>K6 requires numerous lemmas\<close>
  21.796  apply (simp add: takeWhile_tail)
  21.797  apply (blast dest: servTicket_authentic parts_spies_takeWhile_mono [THEN subsetD] parts_spies_evs_revD2 [THEN subsetD] intro: Says_K6)
  21.798  done
  21.799 @@ -1776,11 +1776,11 @@
  21.800  apply (frule_tac [7] Says_ticket_parts)
  21.801  apply (simp_all (no_asm_simp))
  21.802  apply clarify
  21.803 -txt{*K5*}
  21.804 +txt\<open>K5\<close>
  21.805  apply auto
  21.806  apply (simp add: takeWhile_tail)
  21.807 -txt{*Level 15: case analysis necessary because the assumption doesn't state
  21.808 -  the form of servTicket. The guarantee becomes stronger.*}
  21.809 +txt\<open>Level 15: case analysis necessary because the assumption doesn't state
  21.810 +  the form of servTicket. The guarantee becomes stronger.\<close>
  21.811  apply (blast dest: Says_imp_spies [THEN analz.Inj, THEN analz_Decrypt']
  21.812                     K3_imp_K2 servK_authentic_ter
  21.813                     parts_spies_takeWhile_mono [THEN subsetD]
  21.814 @@ -1823,8 +1823,8 @@
  21.815     \<Longrightarrow> A Issues B with (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>) on evs"
  21.816  by (blast dest: B_authenticates_A Confidentiality_B A_Issues_B)
  21.817  
  21.818 -text{* @{text u_B_authenticates_and_keydist_to_A} would be the same as @{text B_authenticates_and_keydist_to_A} because the
  21.819 - servK confidentiality assumption is yet unrelaxed*}
  21.820 +text\<open>\<open>u_B_authenticates_and_keydist_to_A\<close> would be the same as \<open>B_authenticates_and_keydist_to_A\<close> because the
  21.821 + servK confidentiality assumption is yet unrelaxed\<close>
  21.822  
  21.823  lemma u_B_authenticates_and_keydist_to_A_r:
  21.824       "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
    22.1 --- a/src/HOL/Auth/KerberosIV_Gets.thy	Thu Dec 10 21:31:24 2015 +0100
    22.2 +++ b/src/HOL/Auth/KerberosIV_Gets.thy	Thu Dec 10 21:39:33 2015 +0100
    22.3 @@ -3,11 +3,11 @@
    22.4      Copyright   1998  University of Cambridge
    22.5  *)
    22.6  
    22.7 -section{*The Kerberos Protocol, Version IV*}
    22.8 +section\<open>The Kerberos Protocol, Version IV\<close>
    22.9  
   22.10  theory KerberosIV_Gets imports Public begin
   22.11  
   22.12 -text{*The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.*}
   22.13 +text\<open>The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.\<close>
   22.14  
   22.15  abbreviation
   22.16    Kas :: agent where "Kas == Server"
   22.17 @@ -18,7 +18,7 @@
   22.18  
   22.19  axiomatization where
   22.20    Tgs_not_bad [iff]: "Tgs \<notin> bad"
   22.21 -   --{*Tgs is secure --- we already know that Kas is secure*}
   22.22 +   \<comment>\<open>Tgs is secure --- we already know that Kas is secure\<close>
   22.23  
   22.24  definition
   22.25   (* authKeys are those contained in an authTicket *)
   22.26 @@ -240,7 +240,7 @@
   22.27  declare analz_into_parts [dest]
   22.28  declare Fake_parts_insert_in_Un [dest]
   22.29  
   22.30 -subsection{*Lemmas about reception event*}
   22.31 +subsection\<open>Lemmas about reception event\<close>
   22.32  
   22.33  lemma Gets_imp_Says :
   22.34       "\<lbrakk> Gets B X \<in> set evs; evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> \<exists>A. Says A B X \<in> set evs"
   22.35 @@ -260,7 +260,7 @@
   22.36       "\<lbrakk> Gets B X \<in> set evs; evs \<in> kerbIV_gets \<rbrakk>  \<Longrightarrow> X \<in> knows B evs"
   22.37  by (metis Gets_imp_knows_Spy Gets_imp_knows_agents)
   22.38  
   22.39 -subsection{*Lemmas about @{term authKeys}*}
   22.40 +subsection\<open>Lemmas about @{term authKeys}\<close>
   22.41  
   22.42  lemma authKeys_empty: "authKeys [] = {}"
   22.43  by (simp add: authKeys_def)
   22.44 @@ -296,7 +296,7 @@
   22.45  by (simp add: authKeys_def, blast)
   22.46  
   22.47  
   22.48 -subsection{*Forwarding Lemmas*}
   22.49 +subsection\<open>Forwarding Lemmas\<close>
   22.50  
   22.51  lemma Says_ticket_parts:
   22.52       "Says S A (Crypt K \<lbrace>SesKey, B, TimeStamp, Ticket\<rbrace>) \<in> set evs
   22.53 @@ -343,7 +343,7 @@
   22.54  by (blast dest: Spy_see_shrK)
   22.55  lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]
   22.56  
   22.57 -text{*Nobody can have used non-existent keys!*}
   22.58 +text\<open>Nobody can have used non-existent keys!\<close>
   22.59  lemma new_keys_not_used [simp]:
   22.60      "\<lbrakk>Key K \<notin> used evs; K \<in> symKeys; evs \<in> kerbIV_gets\<rbrakk>
   22.61       \<Longrightarrow> K \<notin> keysFor (parts (spies evs))"
   22.62 @@ -351,9 +351,9 @@
   22.63  apply (erule kerbIV_gets.induct)
   22.64  apply (frule_tac [8] Gets_ticket_parts)
   22.65  apply (frule_tac [6] Gets_ticket_parts, simp_all)
   22.66 -txt{*Fake*}
   22.67 +txt\<open>Fake\<close>
   22.68  apply (force dest!: keysFor_parts_insert)
   22.69 -txt{*Others*}
   22.70 +txt\<open>Others\<close>
   22.71  apply (force dest!: analz_shrK_Decrypt)+
   22.72  done
   22.73  
   22.74 @@ -365,10 +365,10 @@
   22.75  by (blast dest: new_keys_not_used intro: keysFor_mono [THEN subsetD])
   22.76  
   22.77  
   22.78 -subsection{*Regularity Lemmas*}
   22.79 -text{*These concern the form of items passed in messages*}
   22.80 +subsection\<open>Regularity Lemmas\<close>
   22.81 +text\<open>These concern the form of items passed in messages\<close>
   22.82  
   22.83 -text{*Describes the form of all components sent by Kas*}
   22.84 +text\<open>Describes the form of all components sent by Kas\<close>
   22.85  
   22.86  lemma Says_Kas_message_form:
   22.87       "\<lbrakk> Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>)
   22.88 @@ -406,7 +406,7 @@
   22.89  apply (erule kerbIV_gets.induct)
   22.90  apply (frule_tac [8] Gets_ticket_parts)
   22.91  apply (frule_tac [6] Gets_ticket_parts, simp_all)
   22.92 -txt{*Fake, K4*}
   22.93 +txt\<open>Fake, K4\<close>
   22.94  apply (blast+)
   22.95  done
   22.96  
   22.97 @@ -431,7 +431,7 @@
   22.98  apply (erule rev_mp)
   22.99  apply (erule kerbIV_gets.induct)
  22.100  apply (simp_all add: authKeys_insert authKeys_not_insert authKeys_empty authKeys_simp, blast, auto)
  22.101 -txt{*Three subcases of Message 4*}
  22.102 +txt\<open>Three subcases of Message 4\<close>
  22.103  apply (blast dest!: SesKey_is_session_key)
  22.104  apply (blast dest: authTicket_crypt_authK)
  22.105  apply (blast dest!: authKeys_used Says_Kas_message_form)
  22.106 @@ -452,7 +452,7 @@
  22.107  apply blast+
  22.108  done
  22.109  
  22.110 -text{* This form holds also over an authTicket, but is not needed below.*}
  22.111 +text\<open>This form holds also over an authTicket, but is not needed below.\<close>
  22.112  lemma servTicket_form:
  22.113       "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>
  22.114                \<in> parts (spies evs);
  22.115 @@ -467,7 +467,7 @@
  22.116  apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
  22.117  done
  22.118  
  22.119 -text{* Essentially the same as @{text authTicket_form} *}
  22.120 +text\<open>Essentially the same as \<open>authTicket_form\<close>\<close>
  22.121  lemma Says_kas_message_form:
  22.122       "\<lbrakk> Gets A (Crypt (shrK A)
  22.123                \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs;
  22.124 @@ -494,7 +494,7 @@
  22.125  done
  22.126  
  22.127  
  22.128 -subsection{*Authenticity theorems: confirm origin of sensitive messages*}
  22.129 +subsection\<open>Authenticity theorems: confirm origin of sensitive messages\<close>
  22.130  
  22.131  lemma authK_authentic:
  22.132       "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>
  22.133 @@ -506,13 +506,13 @@
  22.134  apply (erule kerbIV_gets.induct)
  22.135  apply (frule_tac [8] Gets_ticket_parts)
  22.136  apply (frule_tac [6] Gets_ticket_parts, simp_all)
  22.137 -txt{*Fake*}
  22.138 +txt\<open>Fake\<close>
  22.139  apply blast
  22.140 -txt{*K4*}
  22.141 +txt\<open>K4\<close>
  22.142  apply (blast dest!: authTicket_authentic [THEN Says_Kas_message_form])
  22.143  done
  22.144  
  22.145 -text{*If a certain encrypted message appears then it originated with Tgs*}
  22.146 +text\<open>If a certain encrypted message appears then it originated with Tgs\<close>
  22.147  lemma servK_authentic:
  22.148       "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
  22.149             \<in> parts (spies evs);
  22.150 @@ -526,11 +526,11 @@
  22.151  apply (erule kerbIV_gets.induct, analz_mono_contra)
  22.152  apply (frule_tac [8] Gets_ticket_parts)
  22.153  apply (frule_tac [6] Gets_ticket_parts, simp_all)
  22.154 -txt{*Fake*}
  22.155 +txt\<open>Fake\<close>
  22.156  apply blast
  22.157 -txt{*K2*}
  22.158 +txt\<open>K2\<close>
  22.159  apply blast
  22.160 -txt{*K4*}
  22.161 +txt\<open>K4\<close>
  22.162  apply auto
  22.163  done
  22.164  
  22.165 @@ -547,13 +547,13 @@
  22.166  apply (erule kerbIV_gets.induct, analz_mono_contra)
  22.167  apply (frule_tac [8] Gets_ticket_parts)
  22.168  apply (frule_tac [6] Gets_ticket_parts, simp_all)
  22.169 -txt{*Fake*}
  22.170 +txt\<open>Fake\<close>
  22.171  apply blast
  22.172 -txt{*K4*}
  22.173 +txt\<open>K4\<close>
  22.174  apply blast
  22.175  done
  22.176  
  22.177 -text{*Authenticity of servK for B*}
  22.178 +text\<open>Authenticity of servK for B\<close>
  22.179  lemma servTicket_authentic_Tgs:
  22.180       "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
  22.181             \<in> parts (spies evs); B \<noteq> Tgs;  B \<notin> bad;
  22.182 @@ -570,7 +570,7 @@
  22.183  apply blast+
  22.184  done
  22.185  
  22.186 -text{*Anticipated here from next subsection*}
  22.187 +text\<open>Anticipated here from next subsection\<close>
  22.188  lemma K4_imp_K2:
  22.189  "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  22.190        \<in> set evs;  evs \<in> kerbIV_gets\<rbrakk>
  22.191 @@ -586,7 +586,7 @@
  22.192  apply (blast dest!: Gets_imp_knows_Spy [THEN parts.Inj, THEN parts.Fst, THEN authTicket_authentic])
  22.193  done
  22.194  
  22.195 -text{*Anticipated here from next subsection*}
  22.196 +text\<open>Anticipated here from next subsection\<close>
  22.197  lemma u_K4_imp_K2:
  22.198  "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  22.199        \<in> set evs; evs \<in> kerbIV_gets\<rbrakk>
  22.200 @@ -655,7 +655,7 @@
  22.201  by (blast dest: leI le_trans dest: leD)
  22.202  
  22.203  
  22.204 -subsection{* Reliability: friendly agents send something if something else happened*}
  22.205 +subsection\<open>Reliability: friendly agents send something if something else happened\<close>
  22.206  
  22.207  lemma K3_imp_K2:
  22.208       "\<lbrakk> Says A Tgs
  22.209 @@ -672,7 +672,7 @@
  22.210  apply (blast dest: Gets_imp_knows_Spy [THEN parts.Inj, THEN authK_authentic])
  22.211  done
  22.212  
  22.213 -text{*Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.*}
  22.214 +text\<open>Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.\<close>
  22.215  lemma Key_unique_SesKey:
  22.216       "\<lbrakk> Crypt K  \<lbrace>Key SesKey,  Agent B, T, Ticket\<rbrace>
  22.217             \<in> parts (spies evs);
  22.218 @@ -686,7 +686,7 @@
  22.219  apply (erule kerbIV_gets.induct, analz_mono_contra)
  22.220  apply (frule_tac [8] Gets_ticket_parts)
  22.221  apply (frule_tac [6] Gets_ticket_parts, simp_all)
  22.222 -txt{*Fake, K2, K4*}
  22.223 +txt\<open>Fake, K2, K4\<close>
  22.224  apply (blast+)
  22.225  done
  22.226  
  22.227 @@ -704,22 +704,22 @@
  22.228  apply (frule_tac [6] Gets_ticket_parts)
  22.229  apply (frule_tac [9] Gets_ticket_parts)
  22.230  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  22.231 -txt{*Fake*}
  22.232 +txt\<open>Fake\<close>
  22.233  apply blast
  22.234 -txt{*K2*}
  22.235 +txt\<open>K2\<close>
  22.236  apply (force dest!: Crypt_imp_keysFor)
  22.237 -txt{*K3*}
  22.238 +txt\<open>K3\<close>
  22.239  apply (blast dest: Key_unique_SesKey)
  22.240 -txt{*K5*}
  22.241 -txt{*If authKa were compromised, so would be authK*}
  22.242 +txt\<open>K5\<close>
  22.243 +txt\<open>If authKa were compromised, so would be authK\<close>
  22.244  apply (case_tac "Key authKa \<in> analz (spies evs5)")
  22.245  apply (force dest!: Gets_imp_knows_Spy [THEN analz.Inj, THEN analz.Decrypt, THEN analz.Fst])
  22.246 -txt{*Besides, since authKa originated with Kas anyway...*}
  22.247 +txt\<open>Besides, since authKa originated with Kas anyway...\<close>
  22.248  apply (clarify, drule K3_imp_K2, assumption, assumption)
  22.249  apply (clarify, drule Says_Kas_message_form, assumption)
  22.250 -txt{*...it cannot be a shared key*. Therefore @{term servK_authentic} applies. 
  22.251 +txt\<open>...it cannot be a shared key*. Therefore @{term servK_authentic} applies. 
  22.252       Contradition: Tgs used authK as a servkey, 
  22.253 -     while Kas used it as an authkey*}
  22.254 +     while Kas used it as an authkey\<close>
  22.255  apply (blast dest: servK_authentic Says_Tgs_message_form)
  22.256  done
  22.257  
  22.258 @@ -738,15 +738,15 @@
  22.259  apply (frule_tac [9] Gets_ticket_parts)
  22.260  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  22.261  apply blast
  22.262 -txt{*K3*}
  22.263 +txt\<open>K3\<close>
  22.264  apply (blast dest: authK_authentic Says_Kas_message_form Says_Tgs_message_form)
  22.265 -txt{*K4*}
  22.266 +txt\<open>K4\<close>
  22.267  apply (force dest!: Crypt_imp_keysFor)
  22.268 -txt{*K5*}
  22.269 +txt\<open>K5\<close>
  22.270  apply (blast dest: Key_unique_SesKey)
  22.271  done
  22.272  
  22.273 -text{*Anticipated here from next subsection*}
  22.274 +text\<open>Anticipated here from next subsection\<close>
  22.275  lemma unique_CryptKey:
  22.276       "\<lbrakk> Crypt (shrK B)  \<lbrace>Agent A,  Agent B,  Key SesKey, T\<rbrace>
  22.277             \<in> parts (spies evs);
  22.278 @@ -760,7 +760,7 @@
  22.279  apply (erule kerbIV_gets.induct, analz_mono_contra)
  22.280  apply (frule_tac [8] Gets_ticket_parts)
  22.281  apply (frule_tac [6] Gets_ticket_parts, simp_all)
  22.282 -txt{*Fake, K2, K4*}
  22.283 +txt\<open>Fake, K2, K4\<close>
  22.284  apply (blast+)
  22.285  done
  22.286  
  22.287 @@ -784,7 +784,7 @@
  22.288  apply (blast dest: unique_CryptKey)
  22.289  done
  22.290  
  22.291 -text{*Needs a unicity theorem, hence moved here*}
  22.292 +text\<open>Needs a unicity theorem, hence moved here\<close>
  22.293  lemma servK_authentic_ter:
  22.294   "\<lbrakk> Says Kas A
  22.295      (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>) \<in> set evs;
  22.296 @@ -801,17 +801,17 @@
  22.297  apply (erule kerbIV_gets.induct, analz_mono_contra)
  22.298  apply (frule_tac [8] Gets_ticket_parts)
  22.299  apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
  22.300 -txt{*K2 and K4 remain*}
  22.301 +txt\<open>K2 and K4 remain\<close>
  22.302  prefer 2 apply (blast dest!: unique_CryptKey)
  22.303  apply (blast dest!: servK_authentic Says_Tgs_message_form authKeys_used)
  22.304  done
  22.305  
  22.306  
  22.307 -subsection{*Unicity Theorems*}
  22.308 +subsection\<open>Unicity Theorems\<close>
  22.309  
  22.310 -text{* The session key, if secure, uniquely identifies the Ticket
  22.311 +text\<open>The session key, if secure, uniquely identifies the Ticket
  22.312     whether authTicket or servTicket. As a matter of fact, one can read
  22.313 -   also Tgs in the place of B.                                     *}
  22.314 +   also Tgs in the place of B.\<close>
  22.315  
  22.316  
  22.317  lemma unique_authKeys:
  22.318 @@ -825,11 +825,11 @@
  22.319  apply (erule kerbIV_gets.induct)
  22.320  apply (frule_tac [8] Gets_ticket_parts)
  22.321  apply (frule_tac [6] Gets_ticket_parts, simp_all)
  22.322 -txt{*K2*}
  22.323 +txt\<open>K2\<close>
  22.324  apply blast
  22.325  done
  22.326  
  22.327 -text{* servK uniquely identifies the message from Tgs *}
  22.328 +text\<open>servK uniquely identifies the message from Tgs\<close>
  22.329  lemma unique_servKeys:
  22.330       "\<lbrakk> Says Tgs A
  22.331                (Crypt K \<lbrace>Key servK, Agent B, Ts, X\<rbrace>) \<in> set evs;
  22.332 @@ -841,11 +841,11 @@
  22.333  apply (erule kerbIV_gets.induct)
  22.334  apply (frule_tac [8] Gets_ticket_parts)
  22.335  apply (frule_tac [6] Gets_ticket_parts, simp_all)
  22.336 -txt{*K4*}
  22.337 +txt\<open>K4\<close>
  22.338  apply blast
  22.339  done
  22.340  
  22.341 -text{* Revised unicity theorems *}
  22.342 +text\<open>Revised unicity theorems\<close>
  22.343  
  22.344  lemma Kas_Unique:
  22.345       "\<lbrakk> Says Kas A
  22.346 @@ -868,7 +868,7 @@
  22.347  done
  22.348  
  22.349  
  22.350 -subsection{*Lemmas About the Predicate @{term AKcryptSK}*}
  22.351 +subsection\<open>Lemmas About the Predicate @{term AKcryptSK}\<close>
  22.352  
  22.353  lemma not_AKcryptSK_Nil [iff]: "\<not> AKcryptSK authK servK []"
  22.354  by (simp add: AKcryptSK_def)
  22.355 @@ -915,16 +915,16 @@
  22.356  apply (erule kerbIV_gets.induct)
  22.357  apply (frule_tac [8] Gets_ticket_parts)
  22.358  apply (frule_tac [6] Gets_ticket_parts, simp_all)
  22.359 -txt{*Fake*}
  22.360 +txt\<open>Fake\<close>
  22.361  apply blast
  22.362 -txt{*Reception*}
  22.363 +txt\<open>Reception\<close>
  22.364  apply (simp add: AKcryptSK_def)
  22.365 -txt{*K2: by freshness*}
  22.366 +txt\<open>K2: by freshness\<close>
  22.367  apply (simp add: AKcryptSK_def)
  22.368 -txt{*K4*}
  22.369 +txt\<open>K4\<close>
  22.370  by (blast+)
  22.371  
  22.372 -text{*A secure serverkey cannot have been used to encrypt others*}
  22.373 +text\<open>A secure serverkey cannot have been used to encrypt others\<close>
  22.374  lemma servK_not_AKcryptSK:
  22.375   "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key SK, Number Ts\<rbrace> \<in> parts (spies evs);
  22.376       Key SK \<notin> analz (spies evs);  SK \<in> symKeys;
  22.377 @@ -935,17 +935,17 @@
  22.378  apply (erule kerbIV_gets.induct, analz_mono_contra)
  22.379  apply (frule_tac [8] Gets_ticket_parts)
  22.380  apply (frule_tac [6] Gets_ticket_parts, simp_all, blast)
  22.381 -txt{*Reception*}
  22.382 +txt\<open>Reception\<close>
  22.383  apply (simp add: AKcryptSK_def)
  22.384 -txt{*K4 splits into distinct subcases*}
  22.385 +txt\<open>K4 splits into distinct subcases\<close>
  22.386  apply auto
  22.387 -txt{*servK can't have been enclosed in two certificates*}
  22.388 +txt\<open>servK can't have been enclosed in two certificates\<close>
  22.389   prefer 2 apply (blast dest: unique_CryptKey)
  22.390 -txt{*servK is fresh and so could not have been used, by
  22.391 -   @{text new_keys_not_used}*}
  22.392 +txt\<open>servK is fresh and so could not have been used, by
  22.393 +   \<open>new_keys_not_used\<close>\<close>
  22.394  by (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def)
  22.395  
  22.396 -text{*Long term keys are not issued as servKeys*}
  22.397 +text\<open>Long term keys are not issued as servKeys\<close>
  22.398  lemma shrK_not_AKcryptSK:
  22.399       "evs \<in> kerbIV_gets \<Longrightarrow> \<not> AKcryptSK K (shrK A) evs"
  22.400  apply (unfold AKcryptSK_def)
  22.401 @@ -953,8 +953,8 @@
  22.402  apply (frule_tac [8] Gets_ticket_parts)
  22.403  by (frule_tac [6] Gets_ticket_parts, auto)
  22.404  
  22.405 -text{*The Tgs message associates servK with authK and therefore not with any
  22.406 -  other key authK.*}
  22.407 +text\<open>The Tgs message associates servK with authK and therefore not with any
  22.408 +  other key authK.\<close>
  22.409  lemma Says_Tgs_AKcryptSK:
  22.410       "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, X \<rbrace>)
  22.411             \<in> set evs;
  22.412 @@ -963,7 +963,7 @@
  22.413  apply (unfold AKcryptSK_def)
  22.414  by (blast dest: unique_servKeys)
  22.415  
  22.416 -text{*Equivalently*}
  22.417 +text\<open>Equivalently\<close>
  22.418  lemma not_different_AKcryptSK:
  22.419       "\<lbrakk> AKcryptSK authK servK evs;
  22.420          authK' \<noteq> authK;  evs \<in> kerbIV_gets \<rbrakk>
  22.421 @@ -978,23 +978,23 @@
  22.422  apply (erule kerbIV_gets.induct)
  22.423  apply (frule_tac [8] Gets_ticket_parts)
  22.424  apply (frule_tac [6] Gets_ticket_parts)
  22.425 -txt{*Reception*}
  22.426 +txt\<open>Reception\<close>
  22.427  prefer 3 apply (simp add: AKcryptSK_def)
  22.428  apply (simp_all, safe)
  22.429 -txt{*K4 splits into subcases*}
  22.430 +txt\<open>K4 splits into subcases\<close>
  22.431  prefer 4 apply (blast dest!: authK_not_AKcryptSK)
  22.432 -txt{*servK is fresh and so could not have been used, by
  22.433 -   @{text new_keys_not_used}*}
  22.434 +txt\<open>servK is fresh and so could not have been used, by
  22.435 +   \<open>new_keys_not_used\<close>\<close>
  22.436   prefer 2 
  22.437   apply (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def)
  22.438 -txt{*Others by freshness*}
  22.439 +txt\<open>Others by freshness\<close>
  22.440  by (blast+)
  22.441  
  22.442 -text{*The only session keys that can be found with the help of session keys are
  22.443 -  those sent by Tgs in step K4.  *}
  22.444 +text\<open>The only session keys that can be found with the help of session keys are
  22.445 +  those sent by Tgs in step K4.\<close>
  22.446  
  22.447 -text{*We take some pains to express the property
  22.448 -  as a logical equivalence so that the simplifier can apply it.*}
  22.449 +text\<open>We take some pains to express the property
  22.450 +  as a logical equivalence so that the simplifier can apply it.\<close>
  22.451  lemma Key_analz_image_Key_lemma:
  22.452       "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H)
  22.453        \<Longrightarrow>
  22.454 @@ -1022,9 +1022,9 @@
  22.455  by (blast dest: Says_Tgs_message_form)
  22.456  
  22.457  
  22.458 -subsection{*Secrecy Theorems*}
  22.459 +subsection\<open>Secrecy Theorems\<close>
  22.460  
  22.461 -text{*For the Oops2 case of the next theorem*}
  22.462 +text\<open>For the Oops2 case of the next theorem\<close>
  22.463  lemma Oops2_not_AKcryptSK:
  22.464       "\<lbrakk> evs \<in> kerbIV_gets;
  22.465           Says Tgs A (Crypt authK
  22.466 @@ -1033,10 +1033,10 @@
  22.467        \<Longrightarrow> \<not> AKcryptSK servK SK evs"
  22.468  by (blast dest: AKcryptSKI AKcryptSK_not_AKcryptSK)
  22.469     
  22.470 -text{* Big simplification law for keys SK that are not crypted by keys in KK
  22.471 +text\<open>Big simplification law for keys SK that are not crypted by keys in KK
  22.472   It helps prove three, otherwise hard, facts about keys. These facts are
  22.473   exploited as simplification laws for analz, and also "limit the damage"
  22.474 - in case of loss of a key to the spy. See ESORICS98. *}
  22.475 + in case of loss of a key to the spy. See ESORICS98.\<close>
  22.476  lemma Key_analz_image_Key [rule_format (no_asm)]:
  22.477       "evs \<in> kerbIV_gets \<Longrightarrow>
  22.478        (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow>
  22.479 @@ -1049,40 +1049,40 @@
  22.480  apply (frule_tac [8] Says_tgs_message_form)
  22.481  apply (frule_tac [6] Says_kas_message_form)
  22.482  apply (safe del: impI intro!: Key_analz_image_Key_lemma [THEN impI])
  22.483 -txt{*Case-splits for Oops1 and message 5: the negated case simplifies using
  22.484 - the induction hypothesis*}
  22.485 +txt\<open>Case-splits for Oops1 and message 5: the negated case simplifies using
  22.486 + the induction hypothesis\<close>
  22.487  apply (case_tac [12] "AKcryptSK authK SK evsO1")
  22.488  apply (case_tac [9] "AKcryptSK servK SK evs5")
  22.489  apply (simp_all del: image_insert
  22.490          add: analz_image_freshK_simps AKcryptSK_Says shrK_not_AKcryptSK
  22.491               Oops2_not_AKcryptSK Auth_fresh_not_AKcryptSK
  22.492         Serv_fresh_not_AKcryptSK Says_Tgs_AKcryptSK Spy_analz_shrK)
  22.493 -  --{*18 seconds on a 1.8GHz machine??*}
  22.494 -txt{*Fake*} 
  22.495 +  \<comment>\<open>18 seconds on a 1.8GHz machine??\<close>
  22.496 +txt\<open>Fake\<close> 
  22.497  apply spy_analz
  22.498 -txt{*Reception*}
  22.499 +txt\<open>Reception\<close>
  22.500  apply (simp add: AKcryptSK_def)
  22.501 -txt{*K2*}
  22.502 +txt\<open>K2\<close>
  22.503  apply blast 
  22.504 -txt{*K3*}
  22.505 +txt\<open>K3\<close>
  22.506  apply blast 
  22.507 -txt{*K4*}
  22.508 +txt\<open>K4\<close>
  22.509  apply (blast dest!: authK_not_AKcryptSK)
  22.510 -txt{*K5*}
  22.511 +txt\<open>K5\<close>
  22.512  apply (case_tac "Key servK \<in> analz (spies evs5) ")
  22.513 -txt{*If servK is compromised then the result follows directly...*}
  22.514 +txt\<open>If servK is compromised then the result follows directly...\<close>
  22.515  apply (simp (no_asm_simp) add: analz_insert_eq Un_upper2 [THEN analz_mono, THEN subsetD])
  22.516 -txt{*...therefore servK is uncompromised.*}
  22.517 -txt{*The AKcryptSK servK SK evs5 case leads to a contradiction.*}
  22.518 +txt\<open>...therefore servK is uncompromised.\<close>
  22.519 +txt\<open>The AKcryptSK servK SK evs5 case leads to a contradiction.\<close>
  22.520  apply (blast elim!: servK_not_AKcryptSK [THEN [2] rev_notE] del: allE ballE)
  22.521 -txt{*Another K5 case*}
  22.522 +txt\<open>Another K5 case\<close>
  22.523  apply blast 
  22.524 -txt{*Oops1*}
  22.525 +txt\<open>Oops1\<close>
  22.526  apply simp 
  22.527  by (blast dest!: AKcryptSK_analz_insert)
  22.528  
  22.529 -text{* First simplification law for analz: no session keys encrypt
  22.530 -authentication keys or shared keys. *}
  22.531 +text\<open>First simplification law for analz: no session keys encrypt
  22.532 +authentication keys or shared keys.\<close>
  22.533  lemma analz_insert_freshK1:
  22.534       "\<lbrakk> evs \<in> kerbIV_gets;  K \<in> authKeys evs Un range shrK;
  22.535          SesKey \<notin> range shrK \<rbrakk>
  22.536 @@ -1094,7 +1094,7 @@
  22.537  done
  22.538  
  22.539  
  22.540 -text{* Second simplification law for analz: no service keys encrypt any other keys.*}
  22.541 +text\<open>Second simplification law for analz: no service keys encrypt any other keys.\<close>
  22.542  lemma analz_insert_freshK2:
  22.543       "\<lbrakk> evs \<in> kerbIV_gets;  servK \<notin> (authKeys evs); servK \<notin> range shrK;
  22.544          K \<in> symKeys \<rbrakk>
  22.545 @@ -1106,7 +1106,7 @@
  22.546  done
  22.547  
  22.548  
  22.549 -text{* Third simplification law for analz: only one authentication key encrypts a certain service key.*}
  22.550 +text\<open>Third simplification law for analz: only one authentication key encrypts a certain service key.\<close>
  22.551  
  22.552  lemma analz_insert_freshK3:
  22.553   "\<lbrakk> AKcryptSK authK servK evs;
  22.554 @@ -1128,7 +1128,7 @@
  22.555  apply (frule AKcryptSKI, assumption)
  22.556  by (simp add: analz_insert_freshK3)
  22.557  
  22.558 -text{*a weakness of the protocol*}
  22.559 +text\<open>a weakness of the protocol\<close>
  22.560  lemma authK_compromises_servK:
  22.561       "\<lbrakk> Says Tgs A
  22.562                (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  22.563 @@ -1153,8 +1153,8 @@
  22.564  by (blast+)
  22.565  
  22.566  
  22.567 -text{*If Spy sees the Authentication Key sent in msg K2, then
  22.568 -    the Key has expired.*}
  22.569 +text\<open>If Spy sees the Authentication Key sent in msg K2, then
  22.570 +    the Key has expired.\<close>
  22.571  lemma Confidentiality_Kas_lemma [rule_format]:
  22.572       "\<lbrakk> authK \<in> symKeys; A \<notin> bad;  evs \<in> kerbIV_gets \<rbrakk>
  22.573        \<Longrightarrow> Says Kas A
  22.574 @@ -1171,17 +1171,17 @@
  22.575  apply (frule_tac [6] Says_kas_message_form)
  22.576  apply (safe del: impI conjI impCE)
  22.577  apply (simp_all (no_asm_simp) add: Says_Kas_message_form less_SucI analz_insert_eq not_parts_not_analz analz_insert_freshK1 pushes)
  22.578 -txt{*Fake*}
  22.579 +txt\<open>Fake\<close>
  22.580  apply spy_analz
  22.581 -txt{*K2*}
  22.582 +txt\<open>K2\<close>
  22.583  apply blast
  22.584 -txt{*K4*}
  22.585 +txt\<open>K4\<close>
  22.586  apply blast
  22.587 -txt{*Level 8: K5*}
  22.588 +txt\<open>Level 8: K5\<close>
  22.589  apply (blast dest: servK_notin_authKeysD Says_Kas_message_form intro: less_SucI)
  22.590 -txt{*Oops1*}
  22.591 +txt\<open>Oops1\<close>
  22.592  apply (blast dest!: unique_authKeys intro: less_SucI)
  22.593 -txt{*Oops2*}
  22.594 +txt\<open>Oops2\<close>
  22.595  by (blast dest: Says_Tgs_message_form Says_Kas_message_form)
  22.596  
  22.597  lemma Confidentiality_Kas:
  22.598 @@ -1193,8 +1193,8 @@
  22.599        \<Longrightarrow> Key authK \<notin> analz (spies evs)"
  22.600  by (blast dest: Says_Kas_message_form Confidentiality_Kas_lemma)
  22.601  
  22.602 -text{*If Spy sees the Service Key sent in msg K4, then
  22.603 -    the Key has expired.*}
  22.604 +text\<open>If Spy sees the Service Key sent in msg K4, then
  22.605 +    the Key has expired.\<close>
  22.606  
  22.607  lemma Confidentiality_lemma [rule_format]:
  22.608       "\<lbrakk> Says Tgs A
  22.609 @@ -1211,11 +1211,11 @@
  22.610  apply (erule rev_mp)
  22.611  apply (erule kerbIV_gets.induct)
  22.612  apply (rule_tac [10] impI)+
  22.613 -  --{*The Oops1 case is unusual: must simplify
  22.614 +  \<comment>\<open>The Oops1 case is unusual: must simplify
  22.615      @{term "Authkey \<notin> analz (spies (ev#evs))"}, not letting
  22.616 -   @{text analz_mono_contra} weaken it to
  22.617 +   \<open>analz_mono_contra\<close> weaken it to
  22.618     @{term "Authkey \<notin> analz (spies evs)"},
  22.619 -  for we then conclude @{term "authK \<noteq> authKa"}.*}
  22.620 +  for we then conclude @{term "authK \<noteq> authKa"}.\<close>
  22.621  apply analz_mono_contra
  22.622  apply (frule_tac [11] Oops_range_spies2)
  22.623  apply (frule_tac [10] Oops_range_spies1)
  22.624 @@ -1223,20 +1223,20 @@
  22.625  apply (frule_tac [6] Says_kas_message_form)
  22.626  apply (safe del: impI conjI impCE)
  22.627  apply (simp_all add: less_SucI new_keys_not_analzd Says_Kas_message_form Says_Tgs_message_form analz_insert_eq not_parts_not_analz analz_insert_freshK1 analz_insert_freshK2 analz_insert_freshK3_bis pushes)
  22.628 -txt{*Fake*}
  22.629 +txt\<open>Fake\<close>
  22.630  apply spy_analz
  22.631 -txt{*K2*}
  22.632 +txt\<open>K2\<close>
  22.633  apply (blast intro: parts_insertI less_SucI)
  22.634 -txt{*K4*}
  22.635 +txt\<open>K4\<close>
  22.636  apply (blast dest: authTicket_authentic Confidentiality_Kas)
  22.637 -txt{*Oops2*}
  22.638 +txt\<open>Oops2\<close>
  22.639    prefer 3
  22.640    apply (blast dest: Says_imp_spies [THEN parts.Inj] Key_unique_SesKey intro: less_SucI)
  22.641 -txt{*Oops1*}
  22.642 +txt\<open>Oops1\<close>
  22.643   prefer 2
  22.644  apply (blast dest: Says_Kas_message_form Says_Tgs_message_form intro: less_SucI)
  22.645 -txt{*K5. Not clear how this step could be integrated with the main
  22.646 -       simplification step. Done in KerberosV.thy*}
  22.647 +txt\<open>K5. Not clear how this step could be integrated with the main
  22.648 +       simplification step. Done in KerberosV.thy\<close>
  22.649  apply clarify
  22.650  apply (erule_tac V = "Says Aa Tgs X \<in> set evs" for X evs in thin_rl)
  22.651  apply (frule Gets_imp_knows_Spy [THEN parts.Inj, THEN servK_notin_authKeysD])
  22.652 @@ -1246,7 +1246,7 @@
  22.653  done
  22.654  
  22.655  
  22.656 -text{* In the real world Tgs can't check wheter authK is secure! *}
  22.657 +text\<open>In the real world Tgs can't check wheter authK is secure!\<close>
  22.658  lemma Confidentiality_Tgs:
  22.659       "\<lbrakk> Says Tgs A
  22.660                (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  22.661 @@ -1257,7 +1257,7 @@
  22.662        \<Longrightarrow> Key servK \<notin> analz (spies evs)"
  22.663  by (blast dest: Says_Tgs_message_form Confidentiality_lemma)
  22.664  
  22.665 -text{* In the real world Tgs CAN check what Kas sends! *}
  22.666 +text\<open>In the real world Tgs CAN check what Kas sends!\<close>
  22.667  lemma Confidentiality_Tgs_bis:
  22.668       "\<lbrakk> Says Kas A
  22.669                 (Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>)
  22.670 @@ -1270,13 +1270,13 @@
  22.671        \<Longrightarrow> Key servK \<notin> analz (spies evs)"
  22.672  by (blast dest!: Confidentiality_Kas Confidentiality_Tgs)
  22.673  
  22.674 -text{*Most general form*}
  22.675 +text\<open>Most general form\<close>
  22.676  lemmas Confidentiality_Tgs_ter = authTicket_authentic [THEN Confidentiality_Tgs_bis]
  22.677  
  22.678  lemmas Confidentiality_Auth_A = authK_authentic [THEN Confidentiality_Kas]
  22.679  
  22.680 -text{*Needs a confidentiality guarantee, hence moved here.
  22.681 -      Authenticity of servK for A*}
  22.682 +text\<open>Needs a confidentiality guarantee, hence moved here.
  22.683 +      Authenticity of servK for A\<close>
  22.684  lemma servK_authentic_bis_r:
  22.685       "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta, authTicket\<rbrace>
  22.686             \<in> parts (spies evs);
  22.687 @@ -1309,11 +1309,11 @@
  22.688  
  22.689  
  22.690  
  22.691 -subsection{*2. Parties' strong authentication: 
  22.692 +subsection\<open>2. Parties' strong authentication: 
  22.693         non-injective agreement on the session key. The same guarantees also
  22.694 -       express key distribution, hence their names*}
  22.695 +       express key distribution, hence their names\<close>
  22.696  
  22.697 -text{*Authentication here still is weak agreement - of B with A*}
  22.698 +text\<open>Authentication here still is weak agreement - of B with A\<close>
  22.699  lemma A_authenticates_B:
  22.700       "\<lbrakk> Crypt servK (Number T3) \<in> parts (spies evs);
  22.701           Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>
    23.1 --- a/src/HOL/Auth/KerberosV.thy	Thu Dec 10 21:31:24 2015 +0100
    23.2 +++ b/src/HOL/Auth/KerberosV.thy	Thu Dec 10 21:39:33 2015 +0100
    23.3 @@ -2,11 +2,11 @@
    23.4      Author:     Giampaolo Bella, Catania University
    23.5  *)
    23.6  
    23.7 -section{*The Kerberos Protocol, Version V*}
    23.8 +section\<open>The Kerberos Protocol, Version V\<close>
    23.9  
   23.10  theory KerberosV imports Public begin
   23.11  
   23.12 -text{*The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.*}
   23.13 +text\<open>The "u" prefix indicates theorems referring to an updated version of the protocol. The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.\<close>
   23.14  
   23.15  abbreviation
   23.16    Kas :: agent where
   23.17 @@ -19,7 +19,7 @@
   23.18  
   23.19  axiomatization where
   23.20    Tgs_not_bad [iff]: "Tgs \<notin> bad"
   23.21 -   --{*Tgs is secure --- we already know that Kas is secure*}
   23.22 +   \<comment>\<open>Tgs is secure --- we already know that Kas is secure\<close>
   23.23  
   23.24  definition
   23.25   (* authKeys are those contained in an authTicket *)
   23.26 @@ -203,7 +203,7 @@
   23.27  
   23.28  
   23.29  
   23.30 -subsection{*Lemmas about lists, for reasoning about  Issues*}
   23.31 +subsection\<open>Lemmas about lists, for reasoning about  Issues\<close>
   23.32  
   23.33  lemma spies_Says_rev: "spies (evs @ [Says A B X]) = insert X (spies evs)"
   23.34  apply (induct_tac "evs")
   23.35 @@ -237,13 +237,13 @@
   23.36  apply (induct_tac "evs")
   23.37  apply (rename_tac [2] a b)
   23.38  apply (induct_tac [2] "a", auto)
   23.39 -txt{* Resembles @{text"used_subset_append"} in theory Event.*}
   23.40 +txt\<open>Resembles \<open>used_subset_append\<close> in theory Event.\<close>
   23.41  done
   23.42  
   23.43  lemmas parts_spies_takeWhile_mono = spies_takeWhile [THEN parts_mono]
   23.44  
   23.45  
   23.46 -subsection{*Lemmas about @{term authKeys}*}
   23.47 +subsection\<open>Lemmas about @{term authKeys}\<close>
   23.48  
   23.49  lemma authKeys_empty: "authKeys [] = {}"
   23.50    by (simp add: authKeys_def)
   23.51 @@ -279,7 +279,7 @@
   23.52    by (auto simp add: authKeys_def)
   23.53  
   23.54  
   23.55 -subsection{*Forwarding Lemmas*}
   23.56 +subsection\<open>Forwarding Lemmas\<close>
   23.57  
   23.58  lemma Says_ticket_parts:
   23.59       "Says S A \<lbrace>Crypt K \<lbrace>SesKey, B, TimeStamp\<rbrace>, Ticket\<rbrace>
   23.60 @@ -327,7 +327,7 @@
   23.61  
   23.62  lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]
   23.63  
   23.64 -text{*Nobody can have used non-existent keys!*}
   23.65 +text\<open>Nobody can have used non-existent keys!\<close>
   23.66  lemma new_keys_not_used [simp]:
   23.67      "\<lbrakk>Key K \<notin> used evs; K \<in> symKeys; evs \<in> kerbV\<rbrakk>
   23.68       \<Longrightarrow> K \<notin> keysFor (parts (spies evs))"
   23.69 @@ -335,9 +335,9 @@
   23.70  apply (erule kerbV.induct)
   23.71  apply (frule_tac [7] Says_ticket_parts)
   23.72  apply (frule_tac [5] Says_ticket_parts, simp_all)
   23.73 -txt{*Fake*}
   23.74 +txt\<open>Fake\<close>
   23.75  apply (force dest!: keysFor_parts_insert)
   23.76 -txt{*Others*}
   23.77 +txt\<open>Others\<close>
   23.78  apply (force dest!: analz_shrK_Decrypt)+
   23.79  done
   23.80  
   23.81 @@ -350,10 +350,10 @@
   23.82  
   23.83  
   23.84  
   23.85 -subsection{*Regularity Lemmas*}
   23.86 -text{*These concern the form of items passed in messages*}
   23.87 +subsection\<open>Regularity Lemmas\<close>
   23.88 +text\<open>These concern the form of items passed in messages\<close>
   23.89  
   23.90 -text{*Describes the form of all components sent by Kas*}
   23.91 +text\<open>Describes the form of all components sent by Kas\<close>
   23.92  lemma Says_Kas_message_form:
   23.93       "\<lbrakk> Says Kas A \<lbrace>Crypt K \<lbrace>Key authK, Agent Peer, Ta\<rbrace>, authTicket\<rbrace>
   23.94             \<in> set evs;
   23.95 @@ -399,7 +399,7 @@
   23.96  apply (erule kerbV.induct)
   23.97  apply (frule_tac [7] Says_ticket_parts)
   23.98  apply (frule_tac [5] Says_ticket_parts, simp_all)
   23.99 -txt{*Fake, K4*}
  23.100 +txt\<open>Fake, K4\<close>
  23.101  apply (blast+)
  23.102  done
  23.103  
  23.104 @@ -410,7 +410,7 @@
  23.105        \<Longrightarrow> authK \<in> authKeys evs"
  23.106  by (metis authKeysI authTicket_authentic)
  23.107  
  23.108 -text{*Describes the form of servK, servTicket and authK sent by Tgs*}
  23.109 +text\<open>Describes the form of servK, servTicket and authK sent by Tgs\<close>
  23.110  lemma Says_Tgs_message_form:
  23.111       "\<lbrakk> Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Ts\<rbrace>, servTicket\<rbrace>
  23.112             \<in> set evs;
  23.113 @@ -422,7 +422,7 @@
  23.114  apply (erule rev_mp)
  23.115  apply (erule kerbV.induct)
  23.116  apply (simp_all add: authKeys_insert authKeys_not_insert authKeys_empty authKeys_simp, blast, auto)
  23.117 -txt{*Three subcases of Message 4*}
  23.118 +txt\<open>Three subcases of Message 4\<close>
  23.119  apply (blast dest!: authKeys_used Says_Kas_message_form)
  23.120  apply (blast dest!: SesKey_is_session_key)
  23.121  apply (blast dest: authTicket_crypt_authK)
  23.122 @@ -444,7 +444,7 @@
  23.123  servK_notin_authKeysD is no longer needed.
  23.124  *)
  23.125  
  23.126 -subsection{*Authenticity theorems: confirm origin of sensitive messages*}
  23.127 +subsection\<open>Authenticity theorems: confirm origin of sensitive messages\<close>
  23.128  
  23.129  lemma authK_authentic:
  23.130       "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Peer, Ta\<rbrace>
  23.131 @@ -459,7 +459,7 @@
  23.132  apply blast+
  23.133  done
  23.134  
  23.135 -text{*If a certain encrypted message appears then it originated with Tgs*}
  23.136 +text\<open>If a certain encrypted message appears then it originated with Tgs\<close>
  23.137  lemma servK_authentic:
  23.138       "\<lbrakk> Crypt authK \<lbrace>Key servK, Agent B, Ts\<rbrace>
  23.139             \<in> parts (spies evs);
  23.140 @@ -491,7 +491,7 @@
  23.141  apply (frule_tac [5] Says_ticket_parts, simp_all, blast+)
  23.142  done
  23.143  
  23.144 -text{*Authenticity of servK for B*}
  23.145 +text\<open>Authenticity of servK for B\<close>
  23.146  lemma servTicket_authentic_Tgs:
  23.147       "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>
  23.148             \<in> parts (spies evs);  B \<noteq> Tgs;  B \<notin> bad;
  23.149 @@ -506,7 +506,7 @@
  23.150  apply (frule_tac [5] Says_ticket_parts, simp_all, blast+)
  23.151  done
  23.152  
  23.153 -text{*Anticipated here from next subsection*}
  23.154 +text\<open>Anticipated here from next subsection\<close>
  23.155  lemma K4_imp_K2:
  23.156  "\<lbrakk> Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>, servTicket\<rbrace>
  23.157        \<in> set evs;  evs \<in> kerbV\<rbrakk>
  23.158 @@ -521,7 +521,7 @@
  23.159  apply (metis MPair_analz Says_imp_analz_Spy analz_conj_parts authTicket_authentic)
  23.160  done
  23.161  
  23.162 -text{*Anticipated here from next subsection*}
  23.163 +text\<open>Anticipated here from next subsection\<close>
  23.164  lemma u_K4_imp_K2:
  23.165  "\<lbrakk> Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>, servTicket\<rbrace>  \<in> set evs; evs \<in> kerbV\<rbrakk>
  23.166     \<Longrightarrow> \<exists>Ta. Says Kas A \<lbrace>Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta\<rbrace>,
  23.167 @@ -588,7 +588,7 @@
  23.168        \<Longrightarrow> \<not> expiredAK Ta evs"
  23.169  by (metis order_le_less_trans)
  23.170  
  23.171 -subsection{* Reliability: friendly agents send somthing if something else happened*}
  23.172 +subsection\<open>Reliability: friendly agents send somthing if something else happened\<close>
  23.173  
  23.174  lemma K3_imp_K2:
  23.175       "\<lbrakk> Says A Tgs
  23.176 @@ -604,7 +604,7 @@
  23.177  apply (blast dest: Says_imp_spies [THEN parts.Inj, THEN parts.Fst, THEN authK_authentic])
  23.178  done
  23.179  
  23.180 -text{*Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.*}
  23.181 +text\<open>Anticipated here from next subsection. An authK is encrypted by one and only one Shared key. A servK is encrypted by one and only one authK.\<close>
  23.182  lemma Key_unique_SesKey:
  23.183       "\<lbrakk> Crypt K  \<lbrace>Key SesKey,  Agent B, T\<rbrace>
  23.184             \<in> parts (spies evs);
  23.185 @@ -618,11 +618,11 @@
  23.186  apply (erule kerbV.induct, analz_mono_contra)
  23.187  apply (frule_tac [7] Says_ticket_parts)
  23.188  apply (frule_tac [5] Says_ticket_parts, simp_all)
  23.189 -txt{*Fake, K2, K4*}
  23.190 +txt\<open>Fake, K2, K4\<close>
  23.191  apply (blast+)
  23.192  done
  23.193  
  23.194 -text{*This inevitably has an existential form in version V*}
  23.195 +text\<open>This inevitably has an existential form in version V\<close>
  23.196  lemma Says_K5:
  23.197       "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
  23.198           Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>,
  23.199 @@ -638,15 +638,15 @@
  23.200  apply (frule_tac [7] Says_ticket_parts)
  23.201  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  23.202  apply blast
  23.203 -txt{*K3*}
  23.204 +txt\<open>K3\<close>
  23.205  apply (blast dest: authK_authentic Says_Kas_message_form Says_Tgs_message_form)
  23.206 -txt{*K4*}
  23.207 +txt\<open>K4\<close>
  23.208  apply (force dest!: Crypt_imp_keysFor)
  23.209 -txt{*K5*}
  23.210 +txt\<open>K5\<close>
  23.211  apply (blast dest: Key_unique_SesKey)
  23.212  done
  23.213  
  23.214 -text{*Anticipated here from next subsection*}
  23.215 +text\<open>Anticipated here from next subsection\<close>
  23.216  lemma unique_CryptKey:
  23.217       "\<lbrakk> Crypt (shrK B)  \<lbrace>Agent A,  Agent B,  Key SesKey, T\<rbrace>
  23.218             \<in> parts (spies evs);
  23.219 @@ -660,7 +660,7 @@
  23.220  apply (erule kerbV.induct, analz_mono_contra)
  23.221  apply (frule_tac [7] Says_ticket_parts)
  23.222  apply (frule_tac [5] Says_ticket_parts, simp_all)
  23.223 -txt{*Fake, K2, K4*}
  23.224 +txt\<open>Fake, K2, K4\<close>
  23.225  apply (blast+)
  23.226  done
  23.227  
  23.228 @@ -680,15 +680,15 @@
  23.229  apply (frule_tac [5] Says_ticket_parts)
  23.230  apply simp_all
  23.231  
  23.232 -txt{*fake*}
  23.233 +txt\<open>fake\<close>
  23.234  apply blast
  23.235 -txt{*K4*}
  23.236 +txt\<open>K4\<close>
  23.237  apply (force dest!: Crypt_imp_keysFor)
  23.238 -txt{*K6*}
  23.239 +txt\<open>K6\<close>
  23.240  apply (metis MPair_parts Says_imp_parts_knows_Spy unique_CryptKey)
  23.241  done
  23.242  
  23.243 -text{*Needs a unicity theorem, hence moved here*}
  23.244 +text\<open>Needs a unicity theorem, hence moved here\<close>
  23.245  lemma servK_authentic_ter:
  23.246   "\<lbrakk> Says Kas A
  23.247         \<lbrace>Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Ta\<rbrace>, authTicket\<rbrace> \<in> set evs;
  23.248 @@ -707,17 +707,17 @@
  23.249  apply (erule kerbV.induct, analz_mono_contra)
  23.250  apply (frule_tac [7] Says_ticket_parts)
  23.251  apply (frule_tac [5] Says_ticket_parts, simp_all, blast)
  23.252 -txt{*K2 and K4 remain*}
  23.253 +txt\<open>K2 and K4 remain\<close>
  23.254  apply (blast dest!: servK_authentic Says_Tgs_message_form authKeys_used)
  23.255  apply (blast dest!: unique_CryptKey)
  23.256  done
  23.257  
  23.258  
  23.259 -subsection{*Unicity Theorems*}
  23.260 +subsection\<open>Unicity Theorems\<close>
  23.261  
  23.262 -text{* The session key, if secure, uniquely identifies the Ticket
  23.263 +text\<open>The session key, if secure, uniquely identifies the Ticket
  23.264     whether authTicket or servTicket. As a matter of fact, one can read
  23.265 -   also Tgs in the place of B.                                     *}
  23.266 +   also Tgs in the place of B.\<close>
  23.267  
  23.268  
  23.269  lemma unique_authKeys:
  23.270 @@ -734,7 +734,7 @@
  23.271  apply blast+
  23.272  done
  23.273  
  23.274 -text{* servK uniquely identifies the message from Tgs *}
  23.275 +text\<open>servK uniquely identifies the message from Tgs\<close>
  23.276  lemma unique_servKeys:
  23.277       "\<lbrakk> Says Tgs A
  23.278                \<lbrace>Crypt K \<lbrace>Key servK, Agent B, Ts\<rbrace>, X\<rbrace> \<in> set evs;
  23.279 @@ -749,7 +749,7 @@
  23.280  apply blast+
  23.281  done
  23.282  
  23.283 -subsection{*Lemmas About the Predicate @{term AKcryptSK}*}
  23.284 +subsection\<open>Lemmas About the Predicate @{term AKcryptSK}\<close>
  23.285  
  23.286  lemma not_AKcryptSK_Nil [iff]: "\<not> AKcryptSK authK servK []"
  23.287  apply (simp add: AKcryptSK_def)
  23.288 @@ -799,11 +799,11 @@
  23.289  apply (erule kerbV.induct)
  23.290  apply (frule_tac [7] Says_ticket_parts)
  23.291  apply (frule_tac [5] Says_ticket_parts, simp_all)
  23.292 -txt{*Fake,K2,K4*}
  23.293 +txt\<open>Fake,K2,K4\<close>
  23.294  apply (auto simp add: AKcryptSK_def)
  23.295  done
  23.296  
  23.297 -text{*A secure serverkey cannot have been used to encrypt others*}
  23.298 +text\<open>A secure serverkey cannot have been used to encrypt others\<close>
  23.299  lemma servK_not_AKcryptSK:
  23.300   "\<lbrakk> Crypt (shrK B) \<lbrace>Agent A, Agent B, Key SK, tt\<rbrace> \<in> parts (spies evs);
  23.301       Key SK \<notin> analz (spies evs);  SK \<in> symKeys;
  23.302 @@ -814,11 +814,11 @@
  23.303  apply (erule kerbV.induct, analz_mono_contra)
  23.304  apply (frule_tac [7] Says_ticket_parts)
  23.305  apply (frule_tac [5] Says_ticket_parts, simp_all, blast)
  23.306 -txt{*K4*}
  23.307 +txt\<open>K4\<close>
  23.308  apply (metis Auth_fresh_not_AKcryptSK MPair_parts Says_imp_parts_knows_Spy authKeys_used authTicket_crypt_authK unique_CryptKey)
  23.309  done
  23.310  
  23.311 -text{*Long term keys are not issued as servKeys*}
  23.312 +text\<open>Long term keys are not issued as servKeys\<close>
  23.313  lemma shrK_not_AKcryptSK:
  23.314       "evs \<in> kerbV \<Longrightarrow> \<not> AKcryptSK K (shrK A) evs"
  23.315  apply (unfold AKcryptSK_def)
  23.316 @@ -827,8 +827,8 @@
  23.317  apply (frule_tac [5] Says_ticket_parts, auto)
  23.318  done
  23.319  
  23.320 -text{*The Tgs message associates servK with authK and therefore not with any
  23.321 -  other key authK.*}
  23.322 +text\<open>The Tgs message associates servK with authK and therefore not with any
  23.323 +  other key authK.\<close>
  23.324  lemma Says_Tgs_AKcryptSK:
  23.325       "\<lbrakk> Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, tt\<rbrace>, X \<rbrace>
  23.326             \<in> set evs;
  23.327 @@ -844,13 +844,13 @@
  23.328  apply (frule_tac [7] Says_ticket_parts)
  23.329  apply (frule_tac [5] Says_ticket_parts)
  23.330  apply (simp_all, safe)
  23.331 -txt{*K4 splits into subcases*}
  23.332 +txt\<open>K4 splits into subcases\<close>
  23.333  prefer 4 apply (blast dest!: authK_not_AKcryptSK)
  23.334 -txt{*servK is fresh and so could not have been used, by
  23.335 -   @{text new_keys_not_used}*}
  23.336 +txt\<open>servK is fresh and so could not have been used, by
  23.337 +   \<open>new_keys_not_used\<close>\<close>
  23.338   prefer 2 
  23.339   apply (force dest!: Crypt_imp_invKey_keysFor simp add: AKcryptSK_def)
  23.340 -txt{*Others by freshness*}
  23.341 +txt\<open>Others by freshness\<close>
  23.342  apply (blast+)
  23.343  done
  23.344  
  23.345 @@ -862,11 +862,11 @@
  23.346  apply (blast dest: unique_servKeys Says_Tgs_message_form)
  23.347  done
  23.348  
  23.349 -text{*The only session keys that can be found with the help of session keys are
  23.350 -  those sent by Tgs in step K4.  *}
  23.351 +text\<open>The only session keys that can be found with the help of session keys are
  23.352 +  those sent by Tgs in step K4.\<close>
  23.353  
  23.354 -text{*We take some pains to express the property
  23.355 -  as a logical equivalence so that the simplifier can apply it.*}
  23.356 +text\<open>We take some pains to express the property
  23.357 +  as a logical equivalence so that the simplifier can apply it.\<close>
  23.358  lemma Key_analz_image_Key_lemma:
  23.359       "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H)
  23.360        \<Longrightarrow>
  23.361 @@ -897,9 +897,9 @@
  23.362  done
  23.363  
  23.364  
  23.365 -subsection{*Secrecy Theorems*}
  23.366 +subsection\<open>Secrecy Theorems\<close>
  23.367  
  23.368 -text{*For the Oops2 case of the next theorem*}
  23.369 +text\<open>For the Oops2 case of the next theorem\<close>
  23.370  lemma Oops2_not_AKcryptSK:
  23.371       "\<lbrakk> evs \<in> kerbV;
  23.372           Says Tgs A \<lbrace>Crypt authK
  23.373 @@ -908,10 +908,10 @@
  23.374        \<Longrightarrow> \<not> AKcryptSK servK SK evs"
  23.375  by (blast dest: AKcryptSKI AKcryptSK_not_AKcryptSK)
  23.376     
  23.377 -text{* Big simplification law for keys SK that are not crypted by keys in KK
  23.378 +text\<open>Big simplification law for keys SK that are not crypted by keys in KK
  23.379   It helps prove three, otherwise hard, facts about keys. These facts are
  23.380   exploited as simplification laws for analz, and also "limit the damage"
  23.381 - in case of loss of a key to the spy. See ESORICS98.*}
  23.382 + in case of loss of a key to the spy. See ESORICS98.\<close>
  23.383  lemma Key_analz_image_Key [rule_format (no_asm)]:
  23.384       "evs \<in> kerbV \<Longrightarrow>
  23.385        (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow>
  23.386 @@ -928,28 +928,28 @@
  23.387    Instead\<dots>*)
  23.388  apply (drule_tac [5] Says_ticket_analz)
  23.389  apply (safe del: impI intro!: Key_analz_image_Key_lemma [THEN impI])
  23.390 -txt{*Case-splits for Oops1 and message 5: the negated case simplifies using
  23.391 - the induction hypothesis*}
  23.392 +txt\<open>Case-splits for Oops1 and message 5: the negated case simplifies using
  23.393 + the induction hypothesis\<close>
  23.394  apply (case_tac [9] "AKcryptSK authK SK evsO1")
  23.395  apply (case_tac [7] "AKcryptSK servK SK evs5")
  23.396  apply (simp_all del: image_insert
  23.397            add: analz_image_freshK_simps AKcryptSK_Says shrK_not_AKcryptSK
  23.398                 Oops2_not_AKcryptSK Auth_fresh_not_AKcryptSK
  23.399                 Serv_fresh_not_AKcryptSK Says_Tgs_AKcryptSK Spy_analz_shrK)
  23.400 -txt{*Fake*} 
  23.401 +txt\<open>Fake\<close> 
  23.402  apply spy_analz
  23.403 -txt{*K2*}
  23.404 +txt\<open>K2\<close>
  23.405  apply blast 
  23.406 -txt{*Cases K3 and K5 solved by the simplifier thanks to the ticket being in 
  23.407 -analz - this strategy is new wrt version IV*} 
  23.408 -txt{*K4*}
  23.409 +txt\<open>Cases K3 and K5 solved by the simplifier thanks to the ticket being in 
  23.410 +analz - this strategy is new wrt version IV\<close> 
  23.411 +txt\<open>K4\<close>
  23.412  apply (blast dest!: authK_not_AKcryptSK)
  23.413 -txt{*Oops1*}
  23.414 +txt\<open>Oops1\<close>
  23.415  apply (metis AKcryptSK_analz_insert insert_Key_singleton)
  23.416  done
  23.417  
  23.418 -text{* First simplification law for analz: no session keys encrypt
  23.419 -authentication keys or shared keys. *}
  23.420 +text\<open>First simplification law for analz: no session keys encrypt
  23.421 +authentication keys or shared keys.\<close>
  23.422  lemma analz_insert_freshK1:
  23.423       "\<lbrakk> evs \<in> kerbV;  K \<in> authKeys evs Un range shrK;
  23.424          SesKey \<notin> range shrK \<rbrakk>
  23.425 @@ -961,7 +961,7 @@
  23.426  done
  23.427  
  23.428  
  23.429 -text{* Second simplification law for analz: no service keys encrypt any other keys.*}
  23.430 +text\<open>Second simplification law for analz: no service keys encrypt any other keys.\<close>
  23.431  lemma analz_insert_freshK2:
  23.432       "\<lbrakk> evs \<in> kerbV;  servK \<notin> (authKeys evs); servK \<notin> range shrK;
  23.433          K \<in> symKeys \<rbrakk>
  23.434 @@ -973,7 +973,7 @@
  23.435  done
  23.436  
  23.437  
  23.438 -text{* Third simplification law for analz: only one authentication key encrypts a certain service key.*}
  23.439 +text\<open>Third simplification law for analz: only one authentication key encrypts a certain service key.\<close>
  23.440  
  23.441  lemma analz_insert_freshK3:
  23.442   "\<lbrakk> AKcryptSK authK servK evs;
  23.443 @@ -995,7 +995,7 @@
  23.444  apply (simp add: analz_insert_freshK3)
  23.445  done
  23.446  
  23.447 -text{*a weakness of the protocol*}
  23.448 +text\<open>a weakness of the protocol\<close>
  23.449  lemma authK_compromises_servK:
  23.450       "\<lbrakk> Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>, servTicket\<rbrace>
  23.451          \<in> set evs;  authK \<in> symKeys;
  23.452 @@ -1004,10 +1004,10 @@
  23.453    by (metis Says_imp_analz_Spy analz.Fst analz_Decrypt')
  23.454  
  23.455  
  23.456 -text{*lemma @{text servK_notin_authKeysD} not needed in version V*}
  23.457 +text\<open>lemma \<open>servK_notin_authKeysD\<close> not needed in version V\<close>
  23.458  
  23.459 -text{*If Spy sees the Authentication Key sent in msg K2, then
  23.460 -    the Key has expired.*}
  23.461 +text\<open>If Spy sees the Authentication Key sent in msg K2, then
  23.462 +    the Key has expired.\<close>
  23.463  lemma Confidentiality_Kas_lemma [rule_format]:
  23.464       "\<lbrakk> authK \<in> symKeys; A \<notin> bad;  evs \<in> kerbV \<rbrakk>
  23.465        \<Longrightarrow> Says Kas A
  23.466 @@ -1023,15 +1023,15 @@
  23.467  apply (frule_tac [5] Says_ticket_analz)
  23.468  apply (safe del: impI conjI impCE)
  23.469  apply (simp_all (no_asm_simp) add: Says_Kas_message_form less_SucI analz_insert_eq not_parts_not_analz analz_insert_freshK1 pushes)
  23.470 -txt{*Fake*}
  23.471 +txt\<open>Fake\<close>
  23.472  apply spy_analz
  23.473 -txt{*K2*}
  23.474 +txt\<open>K2\<close>
  23.475  apply blast
  23.476 -txt{*K4*}
  23.477 +txt\<open>K4\<close>
  23.478  apply blast
  23.479 -txt{*Oops1*}
  23.480 +txt\<open>Oops1\<close>
  23.481  apply (blast dest!: unique_authKeys intro: less_SucI)
  23.482 -txt{*Oops2*}
  23.483 +txt\<open>Oops2\<close>
  23.484  apply (blast dest: Says_Tgs_message_form Says_Kas_message_form)
  23.485  done
  23.486  
  23.487 @@ -1045,8 +1045,8 @@
  23.488  apply (blast dest: Says_Kas_message_form Confidentiality_Kas_lemma)
  23.489  done
  23.490  
  23.491 -text{*If Spy sees the Service Key sent in msg K4, then
  23.492 -    the Key has expired.*}
  23.493 +text\<open>If Spy sees the Service Key sent in msg K4, then
  23.494 +    the Key has expired.\<close>
  23.495  
  23.496  lemma Confidentiality_lemma [rule_format]:
  23.497       "\<lbrakk> Says Tgs A
  23.498 @@ -1062,11 +1062,11 @@
  23.499  apply (erule rev_mp)
  23.500  apply (erule kerbV.induct)
  23.501  apply (rule_tac [9] impI)+
  23.502 -  --{*The Oops1 case is unusual: must simplify
  23.503 +  \<comment>\<open>The Oops1 case is unusual: must simplify
  23.504      @{term "Authkey \<notin> analz (spies (ev#evs))"}, not letting
  23.505 -   @{text analz_mono_contra} weaken it to
  23.506 +   \<open>analz_mono_contra\<close> weaken it to
  23.507     @{term "Authkey \<notin> analz (spies evs)"},
  23.508 -  for we then conclude @{term "authK \<noteq> authKa"}.*}
  23.509 +  for we then conclude @{term "authK \<noteq> authKa"}.\<close>
  23.510  apply analz_mono_contra
  23.511  apply (frule_tac [10] Oops_range_spies2)
  23.512  apply (frule_tac [9] Oops_range_spies1)
  23.513 @@ -1074,20 +1074,20 @@
  23.514  apply (frule_tac [5] Says_ticket_analz)
  23.515  apply (safe del: impI conjI impCE)
  23.516  apply (simp_all add: less_SucI new_keys_not_analzd Says_Kas_message_form Says_Tgs_message_form analz_insert_eq not_parts_not_analz analz_insert_freshK1 analz_insert_freshK2 analz_insert_freshK3_bis pushes)
  23.517 -    txt{*Fake*}
  23.518 +    txt\<open>Fake\<close>
  23.519      apply spy_analz
  23.520 -   txt{*K2*}
  23.521 +   txt\<open>K2\<close>
  23.522     apply (blast intro: parts_insertI less_SucI)
  23.523 -  txt{*K4*}
  23.524 +  txt\<open>K4\<close>
  23.525    apply (blast dest: authTicket_authentic Confidentiality_Kas)
  23.526 - txt{*Oops1*}
  23.527 + txt\<open>Oops1\<close>
  23.528   apply (blast dest: Says_Kas_message_form Says_Tgs_message_form intro: less_SucI)
  23.529 -txt{*Oops2*}
  23.530 +txt\<open>Oops2\<close>
  23.531  apply (metis Suc_le_eq linorder_linear linorder_not_le msg.simps(2) unique_servKeys)
  23.532  done
  23.533  
  23.534  
  23.535 -text{* In the real world Tgs can't check wheter authK is secure! *}
  23.536 +text\<open>In the real world Tgs can't check wheter authK is secure!\<close>
  23.537  lemma Confidentiality_Tgs:
  23.538       "\<lbrakk> Says Tgs A
  23.539                \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>, servTicket\<rbrace>
  23.540 @@ -1098,7 +1098,7 @@
  23.541        \<Longrightarrow> Key servK \<notin> analz (spies evs)"
  23.542  by (blast dest: Says_Tgs_message_form Confidentiality_lemma)
  23.543  
  23.544 -text{* In the real world Tgs CAN check what Kas sends! *}
  23.545 +text\<open>In the real world Tgs CAN check what Kas sends!\<close>
  23.546  lemma Confidentiality_Tgs_bis:
  23.547       "\<lbrakk> Says Kas A
  23.548                 \<lbrace>Crypt Ka \<lbrace>Key authK, Agent Tgs, Number Ta\<rbrace>, authTicket\<rbrace>
  23.549 @@ -1111,13 +1111,13 @@
  23.550        \<Longrightarrow> Key servK \<notin> analz (spies evs)"
  23.551  by (blast dest!: Confidentiality_Kas Confidentiality_Tgs)
  23.552  
  23.553 -text{*Most general form*}
  23.554 +text\<open>Most general form\<close>
  23.555  lemmas Confidentiality_Tgs_ter = authTicket_authentic [THEN Confidentiality_Tgs_bis]
  23.556  
  23.557  lemmas Confidentiality_Auth_A = authK_authentic [THEN exE, THEN Confidentiality_Kas]
  23.558  
  23.559 -text{*Needs a confidentiality guarantee, hence moved here.
  23.560 -      Authenticity of servK for A*}
  23.561 +text\<open>Needs a confidentiality guarantee, hence moved here.
  23.562 +      Authenticity of servK for A\<close>
  23.563  lemma servK_authentic_bis_r:
  23.564       "\<lbrakk> Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta\<rbrace>
  23.565             \<in> parts (spies evs);
  23.566 @@ -1168,15 +1168,15 @@
  23.567  
  23.568  
  23.569  
  23.570 -subsection{*Parties authentication: each party verifies "the identity of
  23.571 -       another party who generated some data" (quoted from Neuman and Ts'o).*}
  23.572 +subsection\<open>Parties authentication: each party verifies "the identity of
  23.573 +       another party who generated some data" (quoted from Neuman and Ts'o).\<close>
  23.574  
  23.575 -text{*These guarantees don't assess whether two parties agree on
  23.576 +text\<open>These guarantees don't assess whether two parties agree on
  23.577        the same session key: sending a message containing a key
  23.578 -      doesn't a priori state knowledge of the key.*}
  23.579 +      doesn't a priori state knowledge of the key.\<close>
  23.580  
  23.581  
  23.582 -text{*These didn't have existential form in version IV*}
  23.583 +text\<open>These didn't have existential form in version IV\<close>
  23.584  lemma B_authenticates_A:
  23.585       "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
  23.586          Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
  23.587 @@ -1186,7 +1186,7 @@
  23.588    \<Longrightarrow> \<exists> ST. Says A B \<lbrace>ST, Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<rbrace> \<in> set evs"
  23.589  by (blast dest: servTicket_authentic_Tgs intro: Says_K5)
  23.590  
  23.591 -text{*The second assumption tells B what kind of key servK is.*}
  23.592 +text\<open>The second assumption tells B what kind of key servK is.\<close>
  23.593  lemma B_authenticates_A_r:
  23.594       "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
  23.595           Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>
  23.596 @@ -1200,8 +1200,8 @@
  23.597    \<Longrightarrow> \<exists> ST. Says A B \<lbrace>ST, Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<rbrace> \<in> set evs"
  23.598  by (blast intro: Says_K5 dest: Confidentiality_B servTicket_authentic_Tgs)
  23.599  
  23.600 -text{* @{text u_B_authenticates_A} would be the same as @{text B_authenticates_A} because the
  23.601 - servK confidentiality assumption is yet unrelaxed*}
  23.602 +text\<open>\<open>u_B_authenticates_A\<close> would be the same as \<open>B_authenticates_A\<close> because the
  23.603 + servK confidentiality assumption is yet unrelaxed\<close>
  23.604  
  23.605  lemma u_B_authenticates_A_r:
  23.606       "\<lbrakk> Crypt servK \<lbrace>Agent A, Number T3\<rbrace> \<in> parts (spies evs);
  23.607 @@ -1243,10 +1243,10 @@
  23.608  
  23.609  
  23.610  
  23.611 -subsection{*Parties' knowledge of session keys. 
  23.612 +subsection\<open>Parties' knowledge of session keys. 
  23.613         An agent knows a session key if he used it to issue a cipher. These
  23.614         guarantees can be interpreted both in terms of key distribution
  23.615 -       and of non-injective agreement on the session key.*}
  23.616 +       and of non-injective agreement on the session key.\<close>
  23.617  
  23.618  lemma Kas_Issues_A:
  23.619     "\<lbrakk> Says Kas A \<lbrace>Crypt (shrK A) \<lbrace>Key authK, Peer, Ta\<rbrace>, authTicket\<rbrace> \<in> set evs;
  23.620 @@ -1262,7 +1262,7 @@
  23.621  apply (frule_tac [5] Says_ticket_parts)
  23.622  apply (frule_tac [7] Says_ticket_parts)
  23.623  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  23.624 -txt{*K2*}
  23.625 +txt\<open>K2\<close>
  23.626  apply (simp add: takeWhile_tail)
  23.627  apply (metis MPair_parts parts.Body parts_idem parts_spies_takeWhile_mono parts_trans spies_evs_rev usedI)
  23.628  done
  23.629 @@ -1319,7 +1319,7 @@
  23.630  apply (erule kerbV.induct, analz_mono_contra)
  23.631  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  23.632  apply blast
  23.633 -txt{*K6 requires numerous lemmas*}
  23.634 +txt\<open>K6 requires numerous lemmas\<close>
  23.635  apply (simp add: takeWhile_tail)
  23.636  apply (blast intro: Says_K6 dest: servTicket_authentic 
  23.637          parts_spies_takeWhile_mono [THEN subsetD] 
  23.638 @@ -1364,7 +1364,7 @@
  23.639  *)
  23.640  
  23.641  
  23.642 -text{*But can prove a less general fact conerning only authenticators!*}
  23.643 +text\<open>But can prove a less general fact conerning only authenticators!\<close>
  23.644  lemma honest_never_says_newer_timestamp_in_auth:
  23.645       "\<lbrakk> (CT evs) \<le> T; Number T \<in> parts {X}; A \<notin> bad; evs \<in> kerbV \<rbrakk> 
  23.646       \<Longrightarrow> Says A B \<lbrace>Y, X\<rbrace> \<notin> set evs"
  23.647 @@ -1394,11 +1394,11 @@
  23.648  apply (frule_tac [7] Says_ticket_parts)
  23.649  apply (frule_tac [5] Says_ticket_parts)
  23.650  apply (simp_all (no_asm_simp))
  23.651 -txt{*K5*}
  23.652 +txt\<open>K5\<close>
  23.653  apply auto
  23.654  apply (simp add: takeWhile_tail)
  23.655 -txt{*Level 15: case study necessary because the assumption doesn't state
  23.656 -  the form of servTicket. The guarantee becomes stronger.*}
  23.657 +txt\<open>Level 15: case study necessary because the assumption doesn't state
  23.658 +  the form of servTicket. The guarantee becomes stronger.\<close>
  23.659  prefer 2 apply (simp add: takeWhile_tail)
  23.660  (**This single command of version IV...
  23.661  apply (blast dest: Says_imp_spies [THEN analz.Inj, THEN analz_Decrypt']
  23.662 @@ -1415,11 +1415,11 @@
  23.663  apply (frule servK_authentic_ter, blast, assumption+)
  23.664  apply (drule parts_spies_takeWhile_mono [THEN subsetD])
  23.665  apply (drule parts_spies_evs_revD2 [THEN subsetD])
  23.666 -txt{* @{term Says_K5} closes the proof in version IV because it is clear which 
  23.667 -servTicket an authenticator appears with in msg 5. In version V an authenticator can appear with any item that the spy could replace the servTicket with*}
  23.668 +txt\<open>@{term Says_K5} closes the proof in version IV because it is clear which 
  23.669 +servTicket an authenticator appears with in msg 5. In version V an authenticator can appear with any item that the spy could replace the servTicket with\<close>
  23.670  apply (frule Says_K5, blast)
  23.671 -txt{*We need to state that an honest agent wouldn't send the wrong timestamp
  23.672 -within an authenticator, wathever it is paired with*}
  23.673 +txt\<open>We need to state that an honest agent wouldn't send the wrong timestamp
  23.674 +within an authenticator, wathever it is paired with\<close>
  23.675  apply (auto simp add: honest_never_says_current_timestamp_in_auth)
  23.676  done
  23.677  
  23.678 @@ -1434,16 +1434,16 @@
  23.679  
  23.680  
  23.681  
  23.682 -subsection{*
  23.683 +subsection\<open>
  23.684  Novel guarantees, never studied before. Because honest agents always say
  23.685  the right timestamp in authenticators, we can prove unicity guarantees based 
  23.686  exactly on timestamps. Classical unicity guarantees are based on nonces.
  23.687  Of course assuming the agent to be different from the Spy, rather than not in 
  23.688  bad, would suffice below. Similar guarantees must also hold of
  23.689 -Kerberos IV.*}
  23.690 +Kerberos IV.\<close>
  23.691  
  23.692 -text{*Notice that an honest agent can send the same timestamp on two
  23.693 -different traces of the same length, but not on the same trace!*}
  23.694 +text\<open>Notice that an honest agent can send the same timestamp on two
  23.695 +different traces of the same length, but not on the same trace!\<close>
  23.696  
  23.697  lemma unique_timestamp_authenticator1:
  23.698       "\<lbrakk> Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs;
  23.699 @@ -1475,8 +1475,8 @@
  23.700  apply (auto simp add: honest_never_says_current_timestamp_in_auth)
  23.701  done
  23.702  
  23.703 -text{*The second part of the message is treated as an authenticator by the last
  23.704 -simplification step, even if it is not an authenticator!*}
  23.705 +text\<open>The second part of the message is treated as an authenticator by the last
  23.706 +simplification step, even if it is not an authenticator!\<close>
  23.707  lemma unique_timestamp_authticket:
  23.708       "\<lbrakk> Says Kas A \<lbrace>X, Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key AK, T\<rbrace>\<rbrace> \<in> set evs;
  23.709         Says Kas A' \<lbrace>X', Crypt (shrK Tgs') \<lbrace>Agent A', Agent Tgs', Key AK', T\<rbrace>\<rbrace> \<in> set evs;
  23.710 @@ -1487,8 +1487,8 @@
  23.711  apply (auto simp add: honest_never_says_current_timestamp_in_auth)
  23.712  done
  23.713  
  23.714 -text{*The second part of the message is treated as an authenticator by the last
  23.715 -simplification step, even if it is not an authenticator!*}
  23.716 +text\<open>The second part of the message is treated as an authenticator by the last
  23.717 +simplification step, even if it is not an authenticator!\<close>
  23.718  lemma unique_timestamp_servticket:
  23.719       "\<lbrakk> Says Tgs A \<lbrace>X, Crypt (shrK B) \<lbrace>Agent A, Agent B, Key SK, T\<rbrace>\<rbrace> \<in> set evs;
  23.720         Says Tgs A' \<lbrace>X', Crypt (shrK B') \<lbrace>Agent A', Agent B', Key SK', T\<rbrace>\<rbrace> \<in> set evs;
    24.1 --- a/src/HOL/Auth/Kerberos_BAN.thy	Thu Dec 10 21:31:24 2015 +0100
    24.2 +++ b/src/HOL/Auth/Kerberos_BAN.thy	Thu Dec 10 21:39:33 2015 +0100
    24.3 @@ -3,18 +3,18 @@
    24.4      Copyright   1998  University of Cambridge
    24.5  *)
    24.6  
    24.7 -section{*The Kerberos Protocol, BAN Version*}
    24.8 +section\<open>The Kerberos Protocol, BAN Version\<close>
    24.9  
   24.10  theory Kerberos_BAN imports Public begin
   24.11  
   24.12 -text{*From page 251 of
   24.13 +text\<open>From page 251 of
   24.14    Burrows, Abadi and Needham (1989).  A Logic of Authentication.
   24.15    Proc. Royal Soc. 426
   24.16  
   24.17    Confidentiality (secrecy) and authentication properties are also
   24.18    given in a termporal version: strong guarantees in a little abstracted 
   24.19    - but very realistic - model.
   24.20 -*}
   24.21 +\<close>
   24.22  
   24.23  (* Temporal model of accidents: session keys can be leaked
   24.24                                  ONLY when they have expired *)
   24.25 @@ -27,12 +27,12 @@
   24.26      (*Duration of the authenticator*)
   24.27      authlife :: nat
   24.28  
   24.29 -text{*The ticket should remain fresh for two journeys on the network at least*}
   24.30 +text\<open>The ticket should remain fresh for two journeys on the network at least\<close>
   24.31  specification (sesKlife)
   24.32    sesKlife_LB [iff]: "2 \<le> sesKlife"
   24.33      by blast
   24.34  
   24.35 -text{*The authenticator only for one journey*}
   24.36 +text\<open>The authenticator only for one journey\<close>
   24.37  specification (authlife)
   24.38    authlife_LB [iff]:    "authlife \<noteq> 0"
   24.39      by blast
   24.40 @@ -122,7 +122,7 @@
   24.41  declare analz_into_parts [dest]
   24.42  declare Fake_parts_insert_in_Un [dest]
   24.43  
   24.44 -text{*A "possibility property": there are traces that reach the end.*}
   24.45 +text\<open>A "possibility property": there are traces that reach the end.\<close>
   24.46  lemma "\<lbrakk>Key K \<notin> used []; K \<in> symKeys\<rbrakk>
   24.47         \<Longrightarrow> \<exists>Timestamp. \<exists>evs \<in> bankerberos.
   24.48               Says B A (Crypt K (Number Timestamp))
   24.49 @@ -135,7 +135,7 @@
   24.50  apply (possibility, simp_all (no_asm_simp) add: used_Cons)
   24.51  done
   24.52  
   24.53 -subsection{*Lemmas for reasoning about predicate "Issues"*}
   24.54 +subsection\<open>Lemmas for reasoning about predicate "Issues"\<close>
   24.55  
   24.56  lemma spies_Says_rev: "spies (evs @ [Says A B X]) = insert X (spies evs)"
   24.57  apply (induct_tac "evs")
   24.58 @@ -169,13 +169,13 @@
   24.59  apply (induct_tac "evs")
   24.60  apply (rename_tac [2] a b)
   24.61  apply (induct_tac [2] "a", auto)
   24.62 -txt{* Resembles @{text"used_subset_append"} in theory Event.*}
   24.63 +txt\<open>Resembles \<open>used_subset_append\<close> in theory Event.\<close>
   24.64  done
   24.65  
   24.66  lemmas parts_spies_takeWhile_mono = spies_takeWhile [THEN parts_mono]
   24.67  
   24.68  
   24.69 -text{*Lemmas for reasoning about predicate "before"*}
   24.70 +text\<open>Lemmas for reasoning about predicate "before"\<close>
   24.71  lemma used_Says_rev: "used (evs @ [Says A B X]) = parts {X} \<union> (used evs)"
   24.72  apply (induct_tac "evs")
   24.73  apply simp
   24.74 @@ -231,7 +231,7 @@
   24.75  
   24.76  (**** Inductive proofs about bankerberos ****)
   24.77  
   24.78 -text{*Forwarding Lemma for reasoning about the encrypted portion of message BK3*}
   24.79 +text\<open>Forwarding Lemma for reasoning about the encrypted portion of message BK3\<close>
   24.80  lemma BK3_msg_in_parts_spies:
   24.81       "Says S A (Crypt KA \<lbrace>Timestamp, B, K, X\<rbrace>) \<in> set evs
   24.82        \<Longrightarrow> X \<in> parts (spies evs)"
   24.83 @@ -244,7 +244,7 @@
   24.84  apply blast
   24.85  done
   24.86  
   24.87 -text{*Spy never sees another agent's shared key! (unless it's bad at start)*}
   24.88 +text\<open>Spy never sees another agent's shared key! (unless it's bad at start)\<close>
   24.89  lemma Spy_see_shrK [simp]:
   24.90       "evs \<in> bankerberos \<Longrightarrow> (Key (shrK A) \<in> parts (spies evs)) = (A \<in> bad)"
   24.91  apply (erule bankerberos.induct)
   24.92 @@ -267,7 +267,7 @@
   24.93  lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D,  dest!]
   24.94  
   24.95  
   24.96 -text{*Nobody can have used non-existent keys!*}
   24.97 +text\<open>Nobody can have used non-existent keys!\<close>
   24.98  lemma new_keys_not_used [simp]:
   24.99      "\<lbrakk>Key K \<notin> used evs; K \<in> symKeys; evs \<in> bankerberos\<rbrakk>
  24.100       \<Longrightarrow> K \<notin> keysFor (parts (spies evs))"
  24.101 @@ -275,15 +275,15 @@
  24.102  apply (erule bankerberos.induct)
  24.103  apply (frule_tac [7] Oops_parts_spies)
  24.104  apply (frule_tac [5] BK3_msg_in_parts_spies, simp_all)
  24.105 -txt{*Fake*}
  24.106 +txt\<open>Fake\<close>
  24.107  apply (force dest!: keysFor_parts_insert)
  24.108 -txt{*BK2, BK3, BK4*}
  24.109 +txt\<open>BK2, BK3, BK4\<close>
  24.110  apply (force dest!: analz_shrK_Decrypt)+
  24.111  done
  24.112  
  24.113 -subsection{* Lemmas concerning the form of items passed in messages *}
  24.114 +subsection\<open>Lemmas concerning the form of items passed in messages\<close>
  24.115  
  24.116 -text{*Describes the form of K, X and K' when the Server sends this message.*}
  24.117 +text\<open>Describes the form of K, X and K' when the Server sends this message.\<close>
  24.118  lemma Says_Server_message_form:
  24.119       "\<lbrakk> Says Server A (Crypt K' \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
  24.120           \<in> set evs; evs \<in> bankerberos \<rbrakk>
  24.121 @@ -303,10 +303,10 @@
  24.122  done
  24.123  
  24.124  
  24.125 -text{*If the encrypted message appears then it originated with the Server
  24.126 +text\<open>If the encrypted message appears then it originated with the Server
  24.127    PROVIDED that A is NOT compromised!
  24.128    This allows A to verify freshness of the session key.
  24.129 -*}
  24.130 +\<close>
  24.131  lemma Kab_authentic:
  24.132       "\<lbrakk> Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>
  24.133             \<in> parts (spies evs);
  24.134 @@ -320,8 +320,8 @@
  24.135  done
  24.136  
  24.137  
  24.138 -text{*If the TICKET appears then it originated with the Server*}
  24.139 -text{*FRESHNESS OF THE SESSION KEY to B*}
  24.140 +text\<open>If the TICKET appears then it originated with the Server\<close>
  24.141 +text\<open>FRESHNESS OF THE SESSION KEY to B\<close>
  24.142  lemma ticket_authentic:
  24.143       "\<lbrakk> Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace> \<in> parts (spies evs);
  24.144           B \<notin> bad;  evs \<in> bankerberos \<rbrakk>
  24.145 @@ -336,9 +336,9 @@
  24.146  done
  24.147  
  24.148  
  24.149 -text{*EITHER describes the form of X when the following message is sent,
  24.150 +text\<open>EITHER describes the form of X when the following message is sent,
  24.151    OR     reduces it to the Fake case.
  24.152 -  Use @{text Says_Server_message_form} if applicable.*}
  24.153 +  Use \<open>Says_Server_message_form\<close> if applicable.\<close>
  24.154  lemma Says_S_message_form:
  24.155       "\<lbrakk> Says S A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>)
  24.156              \<in> set evs;
  24.157 @@ -363,7 +363,7 @@
  24.158  
  24.159  ****)
  24.160  
  24.161 -text{* Session keys are not used to encrypt other session keys *}
  24.162 +text\<open>Session keys are not used to encrypt other session keys\<close>
  24.163  lemma analz_image_freshK [rule_format (no_asm)]:
  24.164       "evs \<in> bankerberos \<Longrightarrow>
  24.165     \<forall>K KK. KK \<subseteq> - (range shrK) \<longrightarrow>
  24.166 @@ -382,7 +382,7 @@
  24.167  apply (simp only: analz_image_freshK analz_image_freshK_simps)
  24.168  done
  24.169  
  24.170 -text{* The session key K uniquely identifies the message *}
  24.171 +text\<open>The session key K uniquely identifies the message\<close>
  24.172  lemma unique_session_keys:
  24.173       "\<lbrakk> Says Server A
  24.174             (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>) \<in> set evs;
  24.175 @@ -394,7 +394,7 @@
  24.176  apply (erule bankerberos.induct)
  24.177  apply (frule_tac [7] Oops_parts_spies)
  24.178  apply (frule_tac [5] BK3_msg_in_parts_spies, simp_all)
  24.179 -txt{*BK2: it can't be a new key*}
  24.180 +txt\<open>BK2: it can't be a new key\<close>
  24.181  apply blast
  24.182  done
  24.183  
  24.184 @@ -409,13 +409,13 @@
  24.185  done
  24.186  
  24.187  
  24.188 -subsection{*Non-temporal guarantees, explicitly relying on non-occurrence of
  24.189 -oops events - refined below by temporal guarantees*}
  24.190 +subsection\<open>Non-temporal guarantees, explicitly relying on non-occurrence of
  24.191 +oops events - refined below by temporal guarantees\<close>
  24.192  
  24.193 -text{*Non temporal treatment of confidentiality*}
  24.194 +text\<open>Non temporal treatment of confidentiality\<close>
  24.195  
  24.196 -text{* Lemma: the session key sent in msg BK2 would be lost by oops
  24.197 -    if the spy could see it! *}
  24.198 +text\<open>Lemma: the session key sent in msg BK2 would be lost by oops
  24.199 +    if the spy could see it!\<close>
  24.200  lemma lemma_conf [rule_format (no_asm)]:
  24.201       "\<lbrakk> A \<notin> bad;  B \<notin> bad;  evs \<in> bankerberos \<rbrakk>
  24.202    \<Longrightarrow> Says Server A
  24.203 @@ -427,21 +427,21 @@
  24.204  apply (frule_tac [7] Says_Server_message_form)
  24.205  apply (frule_tac [5] Says_S_message_form [THEN disjE])
  24.206  apply (simp_all (no_asm_simp) add: analz_insert_eq analz_insert_freshK pushes)
  24.207 -txt{*Fake*}
  24.208 +txt\<open>Fake\<close>
  24.209  apply spy_analz
  24.210 -txt{*BK2*}
  24.211 +txt\<open>BK2\<close>
  24.212  apply (blast intro: parts_insertI)
  24.213 -txt{*BK3*}
  24.214 +txt\<open>BK3\<close>
  24.215  apply (case_tac "Aa \<in> bad")
  24.216   prefer 2 apply (blast dest: Kab_authentic unique_session_keys)
  24.217  apply (blast dest: Says_imp_spies [THEN analz.Inj] Crypt_Spy_analz_bad elim!: MPair_analz)
  24.218 -txt{*Oops*}
  24.219 +txt\<open>Oops\<close>
  24.220  apply (blast dest: unique_session_keys)
  24.221  done
  24.222  
  24.223  
  24.224 -text{*Confidentiality for the Server: Spy does not see the keys sent in msg BK2
  24.225 -as long as they have not expired.*}
  24.226 +text\<open>Confidentiality for the Server: Spy does not see the keys sent in msg BK2
  24.227 +as long as they have not expired.\<close>
  24.228  lemma Confidentiality_S:
  24.229       "\<lbrakk> Says Server A
  24.230            (Crypt K' \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>) \<in> set evs;
  24.231 @@ -452,7 +452,7 @@
  24.232  apply (blast intro: lemma_conf)
  24.233  done
  24.234  
  24.235 -text{*Confidentiality for Alice*}
  24.236 +text\<open>Confidentiality for Alice\<close>
  24.237  lemma Confidentiality_A:
  24.238       "\<lbrakk> Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace> \<in> parts (spies evs);
  24.239          Notes Spy \<lbrace>Number Tk, Key K\<rbrace> \<notin> set evs;
  24.240 @@ -461,7 +461,7 @@
  24.241  apply (blast dest!: Kab_authentic Confidentiality_S)
  24.242  done
  24.243  
  24.244 -text{*Confidentiality for Bob*}
  24.245 +text\<open>Confidentiality for Bob\<close>
  24.246  lemma Confidentiality_B:
  24.247       "\<lbrakk> Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>
  24.248            \<in> parts (spies evs);
  24.249 @@ -471,9 +471,9 @@
  24.250  apply (blast dest!: ticket_authentic Confidentiality_S)
  24.251  done
  24.252  
  24.253 -text{*Non temporal treatment of authentication*}
  24.254 +text\<open>Non temporal treatment of authentication\<close>
  24.255  
  24.256 -text{*Lemmas @{text lemma_A} and @{text lemma_B} in fact are common to both temporal and non-temporal treatments*}
  24.257 +text\<open>Lemmas \<open>lemma_A\<close> and \<open>lemma_B\<close> in fact are common to both temporal and non-temporal treatments\<close>
  24.258  lemma lemma_A [rule_format]:
  24.259       "\<lbrakk> A \<notin> bad; B \<notin> bad; evs \<in> bankerberos \<rbrakk>
  24.260        \<Longrightarrow>
  24.261 @@ -488,11 +488,11 @@
  24.262  apply (frule_tac [5] Says_S_message_form)
  24.263  apply (frule_tac [6] BK3_msg_in_parts_spies, analz_mono_contra)
  24.264  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  24.265 -txt{*Fake*}
  24.266 +txt\<open>Fake\<close>
  24.267  apply blast
  24.268 -txt{*BK2*}
  24.269 +txt\<open>BK2\<close>
  24.270  apply (force dest: Crypt_imp_invKey_keysFor)
  24.271 -txt{*BK3*}
  24.272 +txt\<open>BK3\<close>
  24.273  apply (blast dest: Kab_authentic unique_session_keys)
  24.274  done
  24.275  
  24.276 @@ -508,20 +508,20 @@
  24.277  apply (frule_tac [5] Says_S_message_form)
  24.278  apply (drule_tac [6] BK3_msg_in_parts_spies, analz_mono_contra)
  24.279  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  24.280 -txt{*Fake*}
  24.281 +txt\<open>Fake\<close>
  24.282  apply blast
  24.283 -txt{*BK2*} 
  24.284 +txt\<open>BK2\<close> 
  24.285  apply (force dest: Crypt_imp_invKey_keysFor)
  24.286 -txt{*BK4*}
  24.287 +txt\<open>BK4\<close>
  24.288  apply (blast dest: ticket_authentic unique_session_keys
  24.289                     Says_imp_spies [THEN analz.Inj] Crypt_Spy_analz_bad)
  24.290  done
  24.291  
  24.292  
  24.293 -text{*The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.*}
  24.294 +text\<open>The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.\<close>
  24.295  
  24.296  
  24.297 -text{*Authentication of A to B*}
  24.298 +text\<open>Authentication of A to B\<close>
  24.299  lemma B_authenticates_A_r:
  24.300       "\<lbrakk> Crypt K \<lbrace>Agent A, Number Ta\<rbrace> \<in> parts (spies evs);
  24.301           Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>  \<in> parts (spies evs);
  24.302 @@ -535,7 +535,7 @@
  24.303  done
  24.304  
  24.305  
  24.306 -text{*Authentication of B to A*}
  24.307 +text\<open>Authentication of B to A\<close>
  24.308  lemma A_authenticates_B_r:
  24.309       "\<lbrakk> Crypt K (Number Ta) \<in> parts (spies evs);
  24.310          Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace> \<in> parts (spies evs);
  24.311 @@ -565,14 +565,14 @@
  24.312  apply (blast dest!: Kab_authentic intro!: lemma_B)
  24.313  done
  24.314  
  24.315 -subsection{*Temporal guarantees, relying on a temporal check that insures that
  24.316 -no oops event occurred. These are available in the sense of goal availability*}
  24.317 +subsection\<open>Temporal guarantees, relying on a temporal check that insures that
  24.318 +no oops event occurred. These are available in the sense of goal availability\<close>
  24.319  
  24.320  
  24.321 -text{*Temporal treatment of confidentiality*}
  24.322 +text\<open>Temporal treatment of confidentiality\<close>
  24.323  
  24.324 -text{* Lemma: the session key sent in msg BK2 would be EXPIRED
  24.325 -    if the spy could see it! *}
  24.326 +text\<open>Lemma: the session key sent in msg BK2 would be EXPIRED
  24.327 +    if the spy could see it!\<close>
  24.328  lemma lemma_conf_temporal [rule_format (no_asm)]:
  24.329       "\<lbrakk> A \<notin> bad;  B \<notin> bad;  evs \<in> bankerberos \<rbrakk>
  24.330    \<Longrightarrow> Says Server A
  24.331 @@ -584,20 +584,20 @@
  24.332  apply (frule_tac [7] Says_Server_message_form)
  24.333  apply (frule_tac [5] Says_S_message_form [THEN disjE])
  24.334  apply (simp_all (no_asm_simp) add: less_SucI analz_insert_eq analz_insert_freshK pushes)
  24.335 -txt{*Fake*}
  24.336 +txt\<open>Fake\<close>
  24.337  apply spy_analz
  24.338 -txt{*BK2*}
  24.339 +txt\<open>BK2\<close>
  24.340  apply (blast intro: parts_insertI less_SucI)
  24.341 -txt{*BK3*}
  24.342 +txt\<open>BK3\<close>
  24.343  apply (metis Crypt_Spy_analz_bad Kab_authentic Says_imp_analz_Spy 
  24.344            Says_imp_parts_knows_Spy analz.Snd less_SucI unique_session_keys)
  24.345 -txt{*Oops: PROOF FAILS if unsafe intro below*}
  24.346 +txt\<open>Oops: PROOF FAILS if unsafe intro below\<close>
  24.347  apply (blast dest: unique_session_keys intro!: less_SucI)
  24.348  done
  24.349  
  24.350  
  24.351 -text{*Confidentiality for the Server: Spy does not see the keys sent in msg BK2
  24.352 -as long as they have not expired.*}
  24.353 +text\<open>Confidentiality for the Server: Spy does not see the keys sent in msg BK2
  24.354 +as long as they have not expired.\<close>
  24.355  lemma Confidentiality_S_temporal:
  24.356       "\<lbrakk> Says Server A
  24.357            (Crypt K' \<lbrace>Number T, Agent B, Key K, X\<rbrace>) \<in> set evs;
  24.358 @@ -608,7 +608,7 @@
  24.359  apply (blast intro: lemma_conf_temporal)
  24.360  done
  24.361  
  24.362 -text{*Confidentiality for Alice*}
  24.363 +text\<open>Confidentiality for Alice\<close>
  24.364  lemma Confidentiality_A_temporal:
  24.365       "\<lbrakk> Crypt (shrK A) \<lbrace>Number T, Agent B, Key K, X\<rbrace> \<in> parts (spies evs);
  24.366           \<not> expiredK T evs;
  24.367 @@ -617,7 +617,7 @@
  24.368  apply (blast dest!: Kab_authentic Confidentiality_S_temporal)
  24.369  done
  24.370  
  24.371 -text{*Confidentiality for Bob*}
  24.372 +text\<open>Confidentiality for Bob\<close>
  24.373  lemma Confidentiality_B_temporal:
  24.374       "\<lbrakk> Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>
  24.375            \<in> parts (spies evs);
  24.376 @@ -627,9 +627,9 @@
  24.377  apply (blast dest!: ticket_authentic Confidentiality_S_temporal)
  24.378  done
  24.379  
  24.380 -text{*Temporal treatment of authentication*}
  24.381 +text\<open>Temporal treatment of authentication\<close>
  24.382  
  24.383 -text{*Authentication of A to B*}
  24.384 +text\<open>Authentication of A to B\<close>
  24.385  lemma B_authenticates_A_temporal:
  24.386       "\<lbrakk> Crypt K \<lbrace>Agent A, Number Ta\<rbrace> \<in> parts (spies evs);
  24.387           Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>
  24.388 @@ -643,7 +643,7 @@
  24.389            elim!: Confidentiality_S_temporal [THEN [2] rev_notE])
  24.390  done
  24.391  
  24.392 -text{*Authentication of B to A*}
  24.393 +text\<open>Authentication of B to A\<close>
  24.394  lemma A_authenticates_B_temporal:
  24.395       "\<lbrakk> Crypt K (Number Ta) \<in> parts (spies evs);
  24.396           Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>
  24.397 @@ -655,10 +655,10 @@
  24.398            intro!: lemma_B elim!: Confidentiality_S_temporal [THEN [2] rev_notE])
  24.399  done
  24.400  
  24.401 -subsection{*Treatment of the key distribution goal using trace inspection. All
  24.402 +subsection\<open>Treatment of the key distribution goal using trace inspection. All
  24.403  guarantees are in non-temporal form, hence non available, though their temporal
  24.404  form is trivial to derive. These guarantees also convey a stronger form of 
  24.405 -authentication - non-injective agreement on the session key*}
  24.406 +authentication - non-injective agreement on the session key\<close>
  24.407  
  24.408  
  24.409  lemma B_Issues_A:
  24.410 @@ -674,9 +674,9 @@
  24.411  apply (erule rev_mp)
  24.412  apply (erule bankerberos.induct, analz_mono_contra)
  24.413  apply (simp_all (no_asm_simp))
  24.414 -txt{*fake*}
  24.415 +txt\<open>fake\<close>
  24.416  apply blast
  24.417 -txt{*K4 obviously is the non-trivial case*}
  24.418 +txt\<open>K4 obviously is the non-trivial case\<close>
  24.419  apply (simp add: takeWhile_tail)
  24.420  apply (blast dest: ticket_authentic parts_spies_takeWhile_mono [THEN subsetD] parts_spies_evs_revD2 [THEN subsetD] intro: A_authenticates_B_temporal)
  24.421  done
  24.422 @@ -705,9 +705,9 @@
  24.423  apply (erule rev_mp)
  24.424  apply (erule bankerberos.induct, analz_mono_contra)
  24.425  apply (simp_all (no_asm_simp))
  24.426 -txt{*fake*}
  24.427 +txt\<open>fake\<close>
  24.428  apply blast
  24.429 -txt{*K3 is the non trivial case*}
  24.430 +txt\<open>K3 is the non trivial case\<close>
  24.431  apply (simp add: takeWhile_tail)
  24.432  apply auto (*Technically unnecessary, merely clarifies the subgoal as it is presemted in the book*)
  24.433  apply (blast dest: Kab_authentic Says_Server_message_form parts_spies_takeWhile_mono [THEN subsetD] parts_spies_evs_revD2 [THEN subsetD] 
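Review bot: The inline comment on the `apply auto` line of this hunk carries the pre-existing typo `presemted` for `presented`; since the commit already touches this proof's `txt` lines, the comment could be corrected to `(*Technically unnecessary, merely clarifies the subgoal as it is presented in the book*)`. The closing `apply (blast ...)` of this lemma continues past the end of the hunk.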
    25.1 --- a/src/HOL/Auth/Kerberos_BAN_Gets.thy	Thu Dec 10 21:31:24 2015 +0100
    25.2 +++ b/src/HOL/Auth/Kerberos_BAN_Gets.thy	Thu Dec 10 21:39:33 2015 +0100
    25.3 @@ -2,18 +2,18 @@
    25.4      Author:     Giampaolo Bella, Catania University
    25.5  *)
    25.6  
    25.7 -section{*The Kerberos Protocol, BAN Version, with Gets event*}
    25.8 +section\<open>The Kerberos Protocol, BAN Version, with Gets event\<close>
    25.9  
   25.10  theory Kerberos_BAN_Gets imports Public begin
   25.11  
   25.12 -text{*From page 251 of
   25.13 +text\<open>From page 251 of
   25.14    Burrows, Abadi and Needham (1989).  A Logic of Authentication.
   25.15    Proc. Royal Soc. 426
   25.16  
   25.17    Confidentiality (secrecy) and authentication properties rely on
   25.18    temporal checks: strong guarantees in a little abstracted - but
   25.19    very realistic - model.
   25.20 -*}
   25.21 +\<close>
   25.22  
   25.23  (* Temporal modelization: session keys can be leaked
   25.24                            ONLY when they have expired *)
   25.25 @@ -26,14 +26,14 @@
   25.26      (*Duration of the authenticator*)
   25.27      authlife :: nat
   25.28  
   25.29 -text{*The ticket should remain fresh for two journeys on the network at least*}
   25.30 -text{*The Gets event causes longer traces for the protocol to reach its end*}
   25.31 +text\<open>The ticket should remain fresh for two journeys on the network at least\<close>
   25.32 +text\<open>The Gets event causes longer traces for the protocol to reach its end\<close>
   25.33  specification (sesKlife)
   25.34    sesKlife_LB [iff]: "4 \<le> sesKlife"
   25.35      by blast
   25.36  
   25.37 -text{*The authenticator only for one journey*}
   25.38 -text{*The Gets event causes longer traces for the protocol to reach its end*}
   25.39 +text\<open>The authenticator only for one journey\<close>
   25.40 +text\<open>The Gets event causes longer traces for the protocol to reach its end\<close>
   25.41  specification (authlife)
   25.42    authlife_LB [iff]:    "2 \<le> authlife"
   25.43      by blast
   25.44 @@ -119,7 +119,7 @@
   25.45  declare knows_Spy_partsEs [elim]
   25.46  
   25.47  
   25.48 -text{*A "possibility property": there are traces that reach the end.*}
   25.49 +text\<open>A "possibility property": there are traces that reach the end.\<close>
   25.50  lemma "\<lbrakk>Key K \<notin> used []; K \<in> symKeys\<rbrakk>
   25.51         \<Longrightarrow> \<exists>Timestamp. \<exists>evs \<in> bankerb_gets.
   25.52               Says B A (Crypt K (Number Timestamp))
   25.53 @@ -136,8 +136,8 @@
   25.54  done
   25.55  
   25.56  
   25.57 -text{*Lemmas about reception invariant: if a message is received it certainly
   25.58 -was sent*}
   25.59 +text\<open>Lemmas about reception invariant: if a message is received it certainly
   25.60 +was sent\<close>
   25.61  lemma Gets_imp_Says :
   25.62       "\<lbrakk> Gets B X \<in> set evs; evs \<in> bankerb_gets \<rbrakk> \<Longrightarrow> \<exists>A. Says A B X \<in> set evs"
   25.63  apply (erule rev_mp)
   25.64 @@ -164,7 +164,7 @@
   25.65  apply (blast dest: Gets_imp_knows [THEN analz.Inj])
   25.66  done
   25.67  
   25.68 -text{*Lemmas for reasoning about predicate "before"*}
   25.69 +text\<open>Lemmas for reasoning about predicate "before"\<close>
   25.70  lemma used_Says_rev: "used (evs @ [Says A B X]) = parts {X} \<union> (used evs)"
   25.71  apply (induct_tac "evs")
   25.72  apply simp
   25.73 @@ -220,7 +220,7 @@
   25.74  
   25.75  (**** Inductive proofs about bankerb_gets ****)
   25.76  
   25.77 -text{*Forwarding Lemma for reasoning about the encrypted portion of message BK3*}
   25.78 +text\<open>Forwarding Lemma for reasoning about the encrypted portion of message BK3\<close>
   25.79  lemma BK3_msg_in_parts_knows_Spy:
   25.80       "\<lbrakk>Gets A (Crypt KA \<lbrace>Timestamp, B, K, X\<rbrace>) \<in> set evs; evs \<in> bankerb_gets \<rbrakk> 
   25.81        \<Longrightarrow> X \<in> parts (knows Spy evs)"
   25.82 @@ -234,7 +234,7 @@
   25.83  done
   25.84  
   25.85  
   25.86 -text{*Spy never sees another agent's shared key! (unless it's bad at start)*}
   25.87 +text\<open>Spy never sees another agent's shared key! (unless it's bad at start)\<close>
   25.88  lemma Spy_see_shrK [simp]:
   25.89       "evs \<in> bankerb_gets \<Longrightarrow> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)"
   25.90  apply (erule bankerb_gets.induct)
   25.91 @@ -255,7 +255,7 @@
   25.92  lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D,  dest!]
   25.93  
   25.94  
   25.95 -text{*Nobody can have used non-existent keys!*}
   25.96 +text\<open>Nobody can have used non-existent keys!\<close>
   25.97  lemma new_keys_not_used [simp]:
   25.98      "\<lbrakk>Key K \<notin> used evs; K \<in> symKeys; evs \<in> bankerb_gets\<rbrakk>
   25.99       \<Longrightarrow> K \<notin> keysFor (parts (knows Spy evs))"
  25.100 @@ -263,15 +263,15 @@
  25.101  apply (erule bankerb_gets.induct)
  25.102  apply (frule_tac [8] Oops_parts_knows_Spy)
  25.103  apply (frule_tac [6] BK3_msg_in_parts_knows_Spy, simp_all)
  25.104 -txt{*Fake*}
  25.105 +txt\<open>Fake\<close>
  25.106  apply (force dest!: keysFor_parts_insert)
  25.107 -txt{*BK2, BK3, BK4*}
  25.108 +txt\<open>BK2, BK3, BK4\<close>
  25.109  apply (force dest!: analz_shrK_Decrypt)+
  25.110  done
  25.111  
  25.112 -subsection{* Lemmas concerning the form of items passed in messages *}
  25.113 +subsection\<open>Lemmas concerning the form of items passed in messages\<close>
  25.114  
  25.115 -text{*Describes the form of K, X and K' when the Server sends this message.*}
  25.116 +text\<open>Describes the form of K, X and K' when the Server sends this message.\<close>
  25.117  lemma Says_Server_message_form:
  25.118       "\<lbrakk> Says Server A (Crypt K' \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
  25.119           \<in> set evs; evs \<in> bankerb_gets \<rbrakk>
  25.120 @@ -286,21 +286,21 @@
  25.121  apply (unfold before_def)
  25.122  apply (erule rev_mp)
  25.123  apply (erule bankerb_gets.induct, simp_all)
  25.124 -txt{*We need this simplification only for Message 2*}
  25.125 +txt\<open>We need this simplification only for Message 2\<close>
  25.126  apply (simp (no_asm) add: takeWhile_tail)
  25.127  apply auto
  25.128 -txt{*Two subcases of Message 2. Subcase: used before*}
  25.129 +txt\<open>Two subcases of Message 2. Subcase: used before\<close>
  25.130  apply (blast dest: used_evs_rev [THEN equalityD2, THEN contra_subsetD] 
  25.131                     used_takeWhile_used)
  25.132 -txt{*subcase: CT before*}
  25.133 +txt\<open>subcase: CT before\<close>
  25.134  apply (fastforce dest!: set_evs_rev [THEN equalityD2, THEN contra_subsetD, THEN takeWhile_void])
  25.135  done
  25.136  
  25.137  
  25.138 -text{*If the encrypted message appears then it originated with the Server
  25.139 +text\<open>If the encrypted message appears then it originated with the Server
  25.140    PROVIDED that A is NOT compromised!
  25.141    This allows A to verify freshness of the session key.
  25.142 -*}
  25.143 +\<close>
  25.144  lemma Kab_authentic:
  25.145       "\<lbrakk> Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>
  25.146             \<in> parts (knows Spy evs);
  25.147 @@ -314,8 +314,8 @@
  25.148  done
  25.149  
  25.150  
  25.151 -text{*If the TICKET appears then it originated with the Server*}
  25.152 -text{*FRESHNESS OF THE SESSION KEY to B*}
  25.153 +text\<open>If the TICKET appears then it originated with the Server\<close>
  25.154 +text\<open>FRESHNESS OF THE SESSION KEY to B\<close>
  25.155  lemma ticket_authentic:
  25.156       "\<lbrakk> Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace> \<in> parts (knows Spy evs);
  25.157           B \<notin> bad;  evs \<in> bankerb_gets \<rbrakk>
  25.158 @@ -330,9 +330,9 @@
  25.159  done
  25.160  
  25.161  
  25.162 -text{*EITHER describes the form of X when the following message is sent,
  25.163 +text\<open>EITHER describes the form of X when the following message is sent,
  25.164    OR     reduces it to the Fake case.
  25.165 -  Use @{text Says_Server_message_form} if applicable.*}
  25.166 +  Use \<open>Says_Server_message_form\<close> if applicable.\<close>
  25.167  lemma Gets_Server_message_form:
  25.168       "\<lbrakk> Gets A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>)
  25.169              \<in> set evs;
  25.170 @@ -345,7 +345,7 @@
  25.171  done
  25.172  
  25.173  
  25.174 -text{*Reliability guarantees: honest agents act as we expect*}
  25.175 +text\<open>Reliability guarantees: honest agents act as we expect\<close>
  25.176  
  25.177  lemma BK3_imp_Gets:
  25.178     "\<lbrakk> Says A B \<lbrace>Ticket, Crypt K \<lbrace>Agent A, Number Ta\<rbrace>\<rbrace> \<in> set evs;
  25.179 @@ -394,7 +394,7 @@
  25.180  ****)
  25.181  
  25.182  
  25.183 -text{* Session keys are not used to encrypt other session keys *}
  25.184 +text\<open>Session keys are not used to encrypt other session keys\<close>
  25.185  lemma analz_image_freshK [rule_format (no_asm)]:
  25.186       "evs \<in> bankerb_gets \<Longrightarrow>
  25.187     \<forall>K KK. KK \<subseteq> - (range shrK) \<longrightarrow>
  25.188 @@ -413,7 +413,7 @@
  25.189  by (simp only: analz_image_freshK analz_image_freshK_simps)
  25.190  
  25.191  
  25.192 -text{* The session key K uniquely identifies the message *}
  25.193 +text\<open>The session key K uniquely identifies the message\<close>
  25.194  lemma unique_session_keys:
  25.195       "\<lbrakk> Says Server A
  25.196             (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>) \<in> set evs;
  25.197 @@ -425,7 +425,7 @@
  25.198  apply (erule bankerb_gets.induct)
  25.199  apply (frule_tac [8] Oops_parts_knows_Spy)
  25.200  apply (frule_tac [6] BK3_msg_in_parts_knows_Spy, simp_all)
  25.201 -txt{*BK2: it can't be a new key*}
  25.202 +txt\<open>BK2: it can't be a new key\<close>
  25.203  apply blast
  25.204  done
  25.205  
  25.206 @@ -451,13 +451,13 @@
  25.207  
  25.208  
  25.209  
  25.210 -subsection{*Non-temporal guarantees, explicitly relying on non-occurrence of
  25.211 -oops events - refined below by temporal guarantees*}
  25.212 +subsection\<open>Non-temporal guarantees, explicitly relying on non-occurrence of
  25.213 +oops events - refined below by temporal guarantees\<close>
  25.214  
  25.215 -text{*Non temporal treatment of confidentiality*}
  25.216 +text\<open>Non temporal treatment of confidentiality\<close>
  25.217  
  25.218 -text{* Lemma: the session key sent in msg BK2 would be lost by oops
  25.219 -    if the spy could see it! *}
  25.220 +text\<open>Lemma: the session key sent in msg BK2 would be lost by oops
  25.221 +    if the spy could see it!\<close>
  25.222  lemma lemma_conf [rule_format (no_asm)]:
  25.223       "\<lbrakk> A \<notin> bad;  B \<notin> bad;  evs \<in> bankerb_gets \<rbrakk>
  25.224    \<Longrightarrow> Says Server A
  25.225 @@ -469,21 +469,21 @@
  25.226  apply (frule_tac [8] Says_Server_message_form)
  25.227  apply (frule_tac [6] Gets_Server_message_form [THEN disjE])
  25.228  apply (simp_all (no_asm_simp) add: analz_insert_eq analz_insert_freshK pushes)
  25.229 -txt{*Fake*}
  25.230 +txt\<open>Fake\<close>
  25.231  apply spy_analz
  25.232 -txt{*BK2*}
  25.233 +txt\<open>BK2\<close>
  25.234  apply (blast intro: parts_insertI)
  25.235 -txt{*BK3*}
  25.236 +txt\<open>BK3\<close>
  25.237  apply (case_tac "Aa \<in> bad")
  25.238   prefer 2 apply (blast dest: Kab_authentic unique_session_keys)
  25.239  apply (blast dest: Gets_imp_knows_Spy [THEN analz.Inj] Crypt_Spy_analz_bad elim!: MPair_analz)
  25.240 -txt{*Oops*}
  25.241 +txt\<open>Oops\<close>
  25.242  apply (blast dest: unique_session_keys)
  25.243  done
  25.244  
  25.245  
  25.246 -text{*Confidentiality for the Server: Spy does not see the keys sent in msg BK2
  25.247 -as long as they have not expired.*}
  25.248 +text\<open>Confidentiality for the Server: Spy does not see the keys sent in msg BK2
  25.249 +as long as they have not expired.\<close>
  25.250  lemma Confidentiality_S:
  25.251       "\<lbrakk> Says Server A
  25.252            (Crypt K' \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>) \<in> set evs;
  25.253 @@ -494,7 +494,7 @@
  25.254  apply (blast intro: lemma_conf)
  25.255  done
  25.256  
  25.257 -text{*Confidentiality for Alice*}
  25.258 +text\<open>Confidentiality for Alice\<close>
  25.259  lemma Confidentiality_A:
  25.260       "\<lbrakk> Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace> \<in> parts (knows Spy evs);
  25.261          Notes Spy \<lbrace>Number Tk, Key K\<rbrace> \<notin> set evs;
  25.262 @@ -502,7 +502,7 @@
  25.263        \<rbrakk> \<Longrightarrow> Key K \<notin> analz (knows Spy evs)"
  25.264  by (blast dest!: Kab_authentic Confidentiality_S)
  25.265  
  25.266 -text{*Confidentiality for Bob*}
  25.267 +text\<open>Confidentiality for Bob\<close>
  25.268  lemma Confidentiality_B:
  25.269       "\<lbrakk> Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>
  25.270            \<in> parts (knows Spy evs);
  25.271 @@ -512,9 +512,9 @@
  25.272  by (blast dest!: ticket_authentic Confidentiality_S)
  25.273  
  25.274  
  25.275 -text{*Non temporal treatment of authentication*}
  25.276 +text\<open>Non temporal treatment of authentication\<close>
  25.277  
  25.278 -text{*Lemmas @{text lemma_A} and @{text lemma_B} in fact are common to both temporal and non-temporal treatments*}
  25.279 +text\<open>Lemmas \<open>lemma_A\<close> and \<open>lemma_B\<close> in fact are common to both temporal and non-temporal treatments\<close>
  25.280  lemma lemma_A [rule_format]:
  25.281       "\<lbrakk> A \<notin> bad; B \<notin> bad; evs \<in> bankerb_gets \<rbrakk>
  25.282        \<Longrightarrow>
  25.283 @@ -529,11 +529,11 @@
  25.284  apply (frule_tac [6] Gets_Server_message_form)
  25.285  apply (frule_tac [7] BK3_msg_in_parts_knows_Spy, analz_mono_contra)
  25.286  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  25.287 -txt{*Fake*}
  25.288 +txt\<open>Fake\<close>
  25.289  apply blast
  25.290 -txt{*BK2*}
  25.291 +txt\<open>BK2\<close>
  25.292  apply (force dest: Crypt_imp_invKey_keysFor)
  25.293 -txt{*BK3*}
  25.294 +txt\<open>BK3\<close>
  25.295  apply (blast dest: Kab_authentic unique_session_keys)
  25.296  done
  25.297  lemma lemma_B [rule_format]:
  25.298 @@ -548,19 +548,19 @@
  25.299  apply (frule_tac [6] Gets_Server_message_form)
  25.300  apply (drule_tac [7] BK3_msg_in_parts_knows_Spy, analz_mono_contra)
  25.301  apply (simp_all (no_asm_simp) add: all_conj_distrib)
  25.302 -txt{*Fake*}
  25.303 +txt\<open>Fake\<close>
  25.304  apply blast
  25.305 -txt{*BK2*} 
  25.306 +txt\<open>BK2\<close> 
  25.307  apply (force dest: Crypt_imp_invKey_keysFor)
  25.308 -txt{*BK4*}
  25.309 +txt\<open>BK4\<close>
  25.310  apply (blast dest: ticket_authentic unique_session_keys
  25.311                     Gets_imp_knows_Spy [THEN analz.Inj] Crypt_Spy_analz_bad)
  25.312  done
  25.313  
  25.314  
  25.315 -text{*The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.*}
  25.316 +text\<open>The "r" suffix indicates theorems where the confidentiality assumptions are relaxed by the corresponding arguments.\<close>
  25.317  
  25.318 -text{*Authentication of A to B*}
  25.319 +text\<open>Authentication of A to B\<close>
  25.320  lemma B_authenticates_A_r:
  25.321       "\<lbrakk> Crypt K \<lbrace>Agent A, Number Ta\<rbrace> \<in> parts (knows Spy evs);
  25.322           Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>  \<in> parts (knows Spy evs);
  25.323 @@ -572,7 +572,7 @@
  25.324            intro!: lemma_A
  25.325            elim!: Confidentiality_S [THEN [2] rev_notE])
  25.326  
  25.327 -text{*Authentication of B to A*}
  25.328 +text\<open>Authentication of B to A\<close>
  25.329  lemma A_authenticates_B_r:
  25.330       "\<lbrakk> Crypt K (Number Ta) \<in> parts (knows Spy evs);
  25.331          Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace> \<in> parts (knows Spy evs);
  25.332 @@ -602,14 +602,14 @@
  25.333  done
  25.334  
  25.335  
  25.336 -subsection{*Temporal guarantees, relying on a temporal check that insures that
  25.337 -no oops event occurred. These are available in the sense of goal availability*}
  25.338 +subsection\<open>Temporal guarantees, relying on a temporal check that insures that
  25.339 +no oops event occurred. These are available in the sense of goal availability\<close>
  25.340  
  25.341  
  25.342 -text{*Temporal treatment of confidentiality*}
  25.343 +text\<open>Temporal treatment of confidentiality\<close>
  25.344  
  25.345 -text{* Lemma: the session key sent in msg BK2 would be EXPIRED
  25.346 -    if the spy could see it! *}
  25.347 +text\<open>Lemma: the session key sent in msg BK2 would be EXPIRED
  25.348 +    if the spy could see it!\<close>
  25.349  lemma lemma_conf_temporal [rule_format (no_asm)]:
  25.350       "\<lbrakk> A \<notin> bad;  B \<notin> bad;  evs \<in> bankerb_gets \<rbrakk>
  25.351    \<Longrightarrow> Says Server A
  25.352 @@ -621,21 +621,21 @@
  25.353  apply (frule_tac [8] Says_Server_message_form)
  25.354  apply (frule_tac [6] Gets_Server_message_form [THEN disjE])
  25.355  apply (simp_all (no_asm_simp) add: less_SucI analz_insert_eq analz_insert_freshK pushes)
  25.356 -txt{*Fake*}
  25.357 +txt\<open>Fake\<close>
  25.358  apply spy_analz
  25.359 -txt{*BK2*}
  25.360 +txt\<open>BK2\<close>
  25.361  apply (blast intro: parts_insertI less_SucI)
  25.362 -txt{*BK3*}
  25.363 +txt\<open>BK3\<close>
  25.364  apply (case_tac "Aa \<in> bad")
  25.365   prefer 2 apply (blast dest: Kab_authentic unique_session_keys)
  25.366  apply (blast dest: Gets_imp_knows_Spy [THEN analz.Inj] Crypt_Spy_analz_bad elim!: MPair_analz intro: less_SucI)
  25.367 -txt{*Oops: PROOF FAILS if unsafe intro below*}
  25.368 +txt\<open>Oops: PROOF FAILS if unsafe intro below\<close>
  25.369  apply (blast dest: unique_session_keys intro!: less_SucI)
  25.370  done
  25.371  
  25.372  
  25.373 -text{*Confidentiality for the Server: Spy does not see the keys sent in msg BK2
  25.374 -as long as they have not expired.*}
  25.375 +text\<open>Confidentiality for the Server: Spy does not see the keys sent in msg BK2
  25.376 +as long as they have not expired.\<close>
  25.377  lemma Confidentiality_S_temporal:
  25.378       "\<lbrakk> Says Server A
  25.379            (Crypt K' \<lbrace>Number T, Agent B, Key K, X\<rbrace>) \<in> set evs;
  25.380 @@ -646,7 +646,7 @@
  25.381  apply (blast intro: lemma_conf_temporal)
  25.382  done
  25.383  
  25.384 -text{*Confidentiality for Alice*}
  25.385 +text\<open>Confidentiality for Alice\<close>
  25.386  lemma Confidentiality_A_temporal:
  25.387       "\<lbrakk> Crypt (shrK A) \<lbrace>Number T, Agent B, Key K, X\<rbrace> \<in> parts (knows Spy evs);
  25.388           \<not> expiredK T evs;
  25.389 @@ -654,7 +654,7 @@
  25.390        \<rbrakk> \<Longrightarrow> Key K \<notin> analz (knows Spy evs)"
  25.391  by (blast dest!: Kab_authentic Confidentiality_S_temporal)
  25.392  
  25.393 -text{*Confidentiality for Bob*}
  25.394 +text\<open>Confidentiality for Bob\<close>
  25.395  lemma Confidentiality_B_temporal:
  25.396       "\<lbrakk> Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>
  25.397            \<in> parts (knows Spy evs);
  25.398 @@ -664,9 +664,9 @@
  25.399  by (blast dest!: ticket_authentic Confidentiality_S_temporal)
  25.400  
  25.401  
  25.402 -text{*Temporal treatment of authentication*}
  25.403 +text\<open>Temporal treatment of authentication\<close>
  25.404  
  25.405 -text{*Authentication of A to B*}
  25.406 +text\<open>Authentication of A to B\<close>
  25.407  lemma B_authenticates_A_temporal:
  25.408       "\<lbrakk> Crypt K \<lbrace>Agent A, Number Ta\<rbrace> \<in> parts (knows Spy evs);
  25.409           Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>
  25.410 @@ -679,7 +679,7 @@
  25.411            intro!: lemma_A
  25.412            elim!: Confidentiality_S_temporal [THEN [2] rev_notE])
  25.413  
  25.414 -text{*Authentication of B to A*}
  25.415 +text\<open>Authentication of B to A\<close>
  25.416  lemma A_authenticates_B_temporal:
  25.417       "\<lbrakk> Crypt K (Number Ta) \<in> parts (knows Spy evs);
  25.418           Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>
  25.419 @@ -691,7 +691,7 @@
  25.420            intro!: lemma_B elim!: Confidentiality_S_temporal [THEN [2] rev_notE])
  25.421  
  25.422  
  25.423 -subsection{*Combined guarantees of key distribution and non-injective agreement on the session keys*}
  25.424 +subsection\<open>Combined guarantees of key distribution and non-injective agreement on the session keys\<close>
  25.425  
  25.426  lemma B_authenticates_and_keydist_to_A:
  25.427       "\<lbrakk> Gets B \<lbrace>Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>,
    26.1 --- a/src/HOL/Auth/Message.thy	Thu Dec 10 21:31:24 2015 +0100
    26.2 +++ b/src/HOL/Auth/Message.thy	Thu Dec 10 21:39:33 2015 +0100
    26.3 @@ -6,7 +6,7 @@
    26.4  Inductive relations "parts", "analz" and "synth"
    26.5  *)
    26.6  
    26.7 -section{*Theory of Agents and Messages for Security Protocols*}
    26.8 +section\<open>Theory of Agents and Messages for Security Protocols\<close>
    26.9  
   26.10  theory Message
   26.11  imports Main
   26.12 @@ -20,8 +20,8 @@
   26.13    key = nat
   26.14  
   26.15  consts
   26.16 -  all_symmetric :: bool        --{*true if all keys are symmetric*}
   26.17 -  invKey        :: "key=>key"  --{*inverse of a symmetric key*}
   26.18 +  all_symmetric :: bool        \<comment>\<open>true if all keys are symmetric\<close>
   26.19 +  invKey        :: "key=>key"  \<comment>\<open>inverse of a symmetric key\<close>
   26.20  
   26.21  specification (invKey)
   26.22    invKey [simp]: "invKey (invKey K) = K"
   26.23 @@ -29,26 +29,26 @@
   26.24      by (rule exI [of _ id], auto)
   26.25  
   26.26  
   26.27 -text{*The inverse of a symmetric key is itself; that of a public key
   26.28 -      is the private key and vice versa*}
   26.29 +text\<open>The inverse of a symmetric key is itself; that of a public key
   26.30 +      is the private key and vice versa\<close>
   26.31  
   26.32  definition symKeys :: "key set" where
   26.33    "symKeys == {K. invKey K = K}"
   26.34  
   26.35 -datatype  --{*We allow any number of friendly agents*}
   26.36 +datatype  \<comment>\<open>We allow any number of friendly agents\<close>
   26.37    agent = Server | Friend nat | Spy
   26.38  
   26.39  datatype
   26.40 -     msg = Agent  agent     --{*Agent names*}
   26.41 -         | Number nat       --{*Ordinary integers, timestamps, ...*}
   26.42 -         | Nonce  nat       --{*Unguessable nonces*}
   26.43 -         | Key    key       --{*Crypto keys*}
   26.44 -         | Hash   msg       --{*Hashing*}
   26.45 -         | MPair  msg msg   --{*Compound messages*}
   26.46 -         | Crypt  key msg   --{*Encryption, public- or shared-key*}
   26.47 +     msg = Agent  agent     \<comment>\<open>Agent names\<close>
   26.48 +         | Number nat       \<comment>\<open>Ordinary integers, timestamps, ...\<close>
   26.49 +         | Nonce  nat       \<comment>\<open>Unguessable nonces\<close>
   26.50 +         | Key    key       \<comment>\<open>Crypto keys\<close>
   26.51 +         | Hash   msg       \<comment>\<open>Hashing\<close>
   26.52 +         | MPair  msg msg   \<comment>\<open>Compound messages\<close>
   26.53 +         | Crypt  key msg   \<comment>\<open>Encryption, public- or shared-key\<close>
   26.54  
   26.55  
   26.56 -text{*Concrete syntax: messages appear as {|A,B,NA|}, etc...*}
   26.57 +text\<open>Concrete syntax: messages appear as {|A,B,NA|}, etc...\<close>
   26.58  syntax
   26.59    "_MTuple"      :: "['a, args] => 'a * 'b"       ("(2{|_,/ _|})")
   26.60  
   26.61 @@ -61,15 +61,15 @@
   26.62  
   26.63  
   26.64  definition HPair :: "[msg,msg] => msg" ("(4Hash[_] /_)" [0, 1000]) where
   26.65 -    --{*Message Y paired with a MAC computed with the help of X*}
   26.66 +    \<comment>\<open>Message Y paired with a MAC computed with the help of X\<close>
   26.67      "Hash[X] Y == {| Hash{|X,Y|}, Y|}"
   26.68  
   26.69  definition keysFor :: "msg set => key set" where
   26.70 -    --{*Keys useful to decrypt elements of a message set*}
   26.71 +    \<comment>\<open>Keys useful to decrypt elements of a message set\<close>
   26.72    "keysFor H == invKey ` {K. \<exists>X. Crypt K X \<in> H}"
   26.73  
   26.74  
   26.75 -subsubsection{*Inductive Definition of All Parts" of a Message*}
   26.76 +subsubsection\<open>Inductive Definition of All Parts" of a Message\<close>
   26.77  
   26.78  inductive_set
   26.79    parts :: "msg set => msg set"
   26.80 @@ -81,7 +81,7 @@
   26.81    | Body:        "Crypt K X \<in> parts H ==> X \<in> parts H"
   26.82  
   26.83  
   26.84 -text{*Monotonicity*}
   26.85 +text\<open>Monotonicity\<close>
   26.86  lemma parts_mono: "G \<subseteq> H ==> parts(G) \<subseteq> parts(H)"
   26.87  apply auto
   26.88  apply (erule parts.induct) 
   26.89 @@ -89,7 +89,7 @@
   26.90  done
   26.91  
   26.92  
   26.93 -text{*Equations hold because constructors are injective.*}
   26.94 +text\<open>Equations hold because constructors are injective.\<close>
   26.95  lemma Friend_image_eq [simp]: "(Friend x \<in> Friend`A) = (x:A)"
   26.96  by auto
   26.97  
   26.98 @@ -100,13 +100,13 @@
   26.99  by auto
  26.100  
  26.101  
  26.102 -subsubsection{*Inverse of keys *}
  26.103 +subsubsection\<open>Inverse of keys\<close>
  26.104  
  26.105  lemma invKey_eq [simp]: "(invKey K = invKey K') = (K=K')"
  26.106  by (metis invKey)
  26.107  
  26.108  
  26.109 -subsection{*keysFor operator*}
  26.110 +subsection\<open>keysFor operator\<close>
  26.111  
  26.112  lemma keysFor_empty [simp]: "keysFor {} = {}"
  26.113  by (unfold keysFor_def, blast)
  26.114 @@ -117,7 +117,7 @@
  26.115  lemma keysFor_UN [simp]: "keysFor (\<Union>i\<in>A. H i) = (\<Union>i\<in>A. keysFor (H i))"
  26.116  by (unfold keysFor_def, blast)
  26.117  
  26.118 -text{*Monotonicity*}
  26.119 +text\<open>Monotonicity\<close>
  26.120  lemma keysFor_mono: "G \<subseteq> H ==> keysFor(G) \<subseteq> keysFor(H)"
  26.121  by (unfold keysFor_def, blast)
  26.122  
  26.123 @@ -150,7 +150,7 @@
  26.124  by (unfold keysFor_def, blast)
  26.125  
  26.126  
  26.127 -subsection{*Inductive relation "parts"*}
  26.128 +subsection\<open>Inductive relation "parts"\<close>
  26.129  
  26.130  lemma MPair_parts:
  26.131       "[| {|X,Y|} \<in> parts H;        
  26.132 @@ -158,10 +158,10 @@
  26.133  by (blast dest: parts.Fst parts.Snd) 
  26.134  
  26.135  declare MPair_parts [elim!]  parts.Body [dest!]
  26.136 -text{*NB These two rules are UNSAFE in the formal sense, as they discard the
  26.137 +text\<open>NB These two rules are UNSAFE in the formal sense, as they discard the
  26.138       compound message.  They work well on THIS FILE.  
  26.139 -  @{text MPair_parts} is left as SAFE because it speeds up proofs.
  26.140 -  The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.*}
  26.141 +  \<open>MPair_parts\<close> is left as SAFE because it speeds up proofs.
  26.142 +  The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.\<close>
  26.143  
  26.144  lemma parts_increasing: "H \<subseteq> parts(H)"
  26.145  by blast
  26.146 @@ -176,12 +176,12 @@
  26.147  lemma parts_emptyE [elim!]: "X\<in> parts{} ==> P"
  26.148  by simp
  26.149  
  26.150 -text{*WARNING: loops if H = {Y}, therefore must not be repeated!*}
  26.151 +text\<open>WARNING: loops if H = {Y}, therefore must not be repeated!\<close>
  26.152  lemma parts_singleton: "X\<in> parts H ==> \<exists>Y\<in>H. X\<in> parts {Y}"
  26.153  by (erule parts.induct, fast+)
  26.154  
  26.155  
  26.156 -subsubsection{*Unions *}
  26.157 +subsubsection\<open>Unions\<close>
  26.158  
  26.159  lemma parts_Un_subset1: "parts(G) \<union> parts(H) \<subseteq> parts(G \<union> H)"
  26.160  by (intro Un_least parts_mono Un_upper1 Un_upper2)
  26.161 @@ -197,8 +197,8 @@
  26.162  lemma parts_insert: "parts (insert X H) = parts {X} \<union> parts H"
  26.163  by (metis insert_is_Un parts_Un)
  26.164  
  26.165 -text{*TWO inserts to avoid looping.  This rewrite is better than nothing.
  26.166 -  But its behaviour can be strange.*}
  26.167 +text\<open>TWO inserts to avoid looping.  This rewrite is better than nothing.
  26.168 +  But its behaviour can be strange.\<close>
  26.169  lemma parts_insert2:
  26.170       "parts (insert X (insert Y H)) = parts {X} \<union> parts {Y} \<union> parts H"
  26.171  by (metis Un_commute Un_empty_right Un_insert_right insert_is_Un parts_Un)
  26.172 @@ -214,12 +214,12 @@
  26.173  lemma parts_UN [simp]: "parts(\<Union>x\<in>A. H x) = (\<Union>x\<in>A. parts(H x))"
  26.174  by (intro equalityI parts_UN_subset1 parts_UN_subset2)
  26.175  
  26.176 -text{*Added to simplify arguments to parts, analz and synth.
  26.177 -  NOTE: the UN versions are no longer used!*}
  26.178 +text\<open>Added to simplify arguments to parts, analz and synth.
  26.179 +  NOTE: the UN versions are no longer used!\<close>
  26.180  
  26.181  
  26.182 -text{*This allows @{text blast} to simplify occurrences of 
  26.183 -  @{term "parts(G\<union>H)"} in the assumption.*}
  26.184 +text\<open>This allows \<open>blast\<close> to simplify occurrences of 
  26.185 +  @{term "parts(G\<union>H)"} in the assumption.\<close>
  26.186  lemmas in_parts_UnE = parts_Un [THEN equalityD1, THEN subsetD, THEN UnE] 
  26.187  declare in_parts_UnE [elim!]
  26.188  
  26.189 @@ -227,7 +227,7 @@
  26.190  lemma parts_insert_subset: "insert X (parts H) \<subseteq> parts(insert X H)"
  26.191  by (blast intro: parts_mono [THEN [2] rev_subsetD])
  26.192  
  26.193 -subsubsection{*Idempotence and transitivity *}
  26.194 +subsubsection\<open>Idempotence and transitivity\<close>
  26.195  
  26.196  lemma parts_partsD [dest!]: "X\<in> parts (parts H) ==> X\<in> parts H"
  26.197  by (erule parts.induct, blast+)
  26.198 @@ -241,7 +241,7 @@
  26.199  lemma parts_trans: "[| X\<in> parts G;  G \<subseteq> parts H |] ==> X\<in> parts H"
  26.200  by (metis parts_subset_iff set_mp)
  26.201  
  26.202 -text{*Cut*}
  26.203 +text\<open>Cut\<close>
  26.204  lemma parts_cut:
  26.205       "[| Y\<in> parts (insert X G);  X\<in> parts H |] ==> Y\<in> parts (G \<union> H)" 
  26.206  by (blast intro: parts_trans) 
  26.207 @@ -250,7 +250,7 @@
  26.208  by (metis insert_absorb parts_idem parts_insert)
  26.209  
  26.210  
  26.211 -subsubsection{*Rewrite rules for pulling out atomic messages *}
  26.212 +subsubsection\<open>Rewrite rules for pulling out atomic messages\<close>
  26.213  
  26.214  lemmas parts_insert_eq_I = equalityI [OF subsetI parts_insert_subset]
  26.215  
  26.216 @@ -308,7 +308,7 @@
  26.217  done
  26.218  
  26.219  
  26.220 -text{*In any message, there is an upper bound N on its greatest nonce.*}
  26.221 +text\<open>In any message, there is an upper bound N on its greatest nonce.\<close>
  26.222  lemma msg_Nonce_supply: "\<exists>N. \<forall>n. N\<le>n --> Nonce n \<notin> parts {msg}"
  26.223  proof (induct msg)
  26.224    case (Nonce n)
  26.225 @@ -316,15 +316,15 @@
  26.226        by simp (metis Suc_n_not_le_n)
  26.227  next
  26.228    case (MPair X Y)
  26.229 -    then show ?case --{*metis works out the necessary sum itself!*}
  26.230 +    then show ?case \<comment>\<open>metis works out the necessary sum itself!\<close>
  26.231        by (simp add: parts_insert2) (metis le_trans nat_le_linear)
  26.232  qed auto
  26.233  
  26.234 -subsection{*Inductive relation "analz"*}
  26.235 +subsection\<open>Inductive relation "analz"\<close>
  26.236  
  26.237 -text{*Inductive definition of "analz" -- what can be broken down from a set of
  26.238 +text\<open>Inductive definition of "analz" -- what can be broken down from a set of
  26.239      messages, including keys.  A form of downward closure.  Pairs can
  26.240 -    be taken apart; messages decrypted with known keys.  *}
  26.241 +    be taken apart; messages decrypted with known keys.\<close>
  26.242  
  26.243  inductive_set
  26.244    analz :: "msg set => msg set"
  26.245 @@ -337,14 +337,14 @@
  26.246               "[|Crypt K X \<in> analz H; Key(invKey K): analz H|] ==> X \<in> analz H"
  26.247  
  26.248  
  26.249 -text{*Monotonicity; Lemma 1 of Lowe's paper*}
  26.250 +text\<open>Monotonicity; Lemma 1 of Lowe's paper\<close>
  26.251  lemma analz_mono: "G\<subseteq>H ==> analz(G) \<subseteq> analz(H)"
  26.252  apply auto
  26.253  apply (erule analz.induct) 
  26.254  apply (auto dest: analz.Fst analz.Snd) 
  26.255  done
  26.256  
  26.257 -text{*Making it safe speeds up proofs*}
  26.258 +text\<open>Making it safe speeds up proofs\<close>
  26.259  lemma MPair_analz [elim!]:
  26.260       "[| {|X,Y|} \<in> analz H;        
  26.261               [| X \<in> analz H; Y \<in> analz H |] ==> P   
  26.262 @@ -374,22 +374,22 @@
  26.263  
  26.264  lemmas analz_insertI = subset_insertI [THEN analz_mono, THEN [2] rev_subsetD]
  26.265  
  26.266 -subsubsection{*General equational properties *}
  26.267 +subsubsection\<open>General equational properties\<close>
  26.268  
  26.269  lemma analz_empty [simp]: "analz{} = {}"
  26.270  apply safe
  26.271  apply (erule analz.induct, blast+)
  26.272  done
  26.273  
  26.274 -text{*Converse fails: we can analz more from the union than from the 
  26.275 -  separate parts, as a key in one might decrypt a message in the other*}
  26.276 +text\<open>Converse fails: we can analz more from the union than from the 
  26.277 +  separate parts, as a key in one might decrypt a message in the other\<close>
  26.278  lemma analz_Un: "analz(G) \<union> analz(H) \<subseteq> analz(G \<union> H)"
  26.279  by (intro Un_least analz_mono Un_upper1 Un_upper2)
  26.280  
  26.281  lemma analz_insert: "insert X (analz H) \<subseteq> analz(insert X H)"
  26.282  by (blast intro: analz_mono [THEN [2] rev_subsetD])
  26.283  
  26.284 -subsubsection{*Rewrite rules for pulling out atomic messages *}
  26.285 +subsubsection\<open>Rewrite rules for pulling out atomic messages\<close>
  26.286  
  26.287  lemmas analz_insert_eq_I = equalityI [OF subsetI analz_insert]
  26.288  
  26.289 @@ -417,7 +417,7 @@
  26.290  apply (erule analz.induct, auto) 
  26.291  done
  26.292  
  26.293 -text{*Can only pull out Keys if they are not needed to decrypt the rest*}
  26.294 +text\<open>Can only pull out Keys if they are not needed to decrypt the rest\<close>
  26.295  lemma analz_insert_Key [simp]: 
  26.296      "K \<notin> keysFor (analz H) ==>   
  26.297            analz (insert (Key K) H) = insert (Key K) (analz H)"
  26.298 @@ -436,7 +436,7 @@
  26.299  apply (blast intro: analz.Fst analz.Snd)+
  26.300  done
  26.301  
  26.302 -text{*Can pull out enCrypted message if the Key is not known*}
  26.303 +text\<open>Can pull out enCrypted message if the Key is not known\<close>
  26.304  lemma analz_insert_Crypt:
  26.305       "Key (invKey K) \<notin> analz H 
  26.306        ==> analz (insert (Crypt K X) H) = insert (Crypt K X) (analz H)"
  26.307 @@ -466,10 +466,10 @@
  26.308                 insert (Crypt K X) (analz (insert X H))"
  26.309  by (intro equalityI lemma1 lemma2)
  26.310  
  26.311 -text{*Case analysis: either the message is secure, or it is not! Effective,
  26.312 -but can cause subgoals to blow up! Use with @{text "split_if"}; apparently
  26.313 -@{text "split_tac"} does not cope with patterns such as @{term"analz (insert
  26.314 -(Crypt K X) H)"} *} 
  26.315 +text\<open>Case analysis: either the message is secure, or it is not! Effective,
  26.316 +but can cause subgoals to blow up! Use with \<open>split_if\<close>; apparently
  26.317 +\<open>split_tac\<close> does not cope with patterns such as @{term"analz (insert
  26.318 +(Crypt K X) H)"}\<close> 
  26.319  lemma analz_Crypt_if [simp]:
  26.320       "analz (insert (Crypt K X) H) =                 
  26.321            (if (Key (invKey K) \<in> analz H)                 
  26.322 @@ -478,7 +478,7 @@
  26.323  by (simp add: analz_insert_Crypt analz_insert_Decrypt)
  26.324  
  26.325  
  26.326 -text{*This rule supposes "for the sake of argument" that we have the key.*}
  26.327 +text\<open>This rule supposes "for the sake of argument" that we have the key.\<close>
  26.328  lemma analz_insert_Crypt_subset:
  26.329       "analz (insert (Crypt K X) H) \<subseteq>   
  26.330             insert (Crypt K X) (analz (insert X H))"
  26.331 @@ -493,7 +493,7 @@
  26.332  done
  26.333  
  26.334  
  26.335 -subsubsection{*Idempotence and transitivity *}
  26.336 +subsubsection\<open>Idempotence and transitivity\<close>
  26.337  
  26.338  lemma analz_analzD [dest!]: "X\<in> analz (analz H) ==> X\<in> analz H"
  26.339  by (erule analz.induct, blast+)
  26.340 @@ -507,7 +507,7 @@
  26.341  lemma analz_trans: "[| X\<in> analz G;  G \<subseteq> analz H |] ==> X\<in> analz H"
  26.342  by (drule analz_mono, blast)
  26.343  
  26.344 -text{*Cut; Lemma 2 of Lowe*}
  26.345 +text\<open>Cut; Lemma 2 of Lowe\<close>
  26.346  lemma analz_cut: "[| Y\<in> analz (insert X H);  X\<in> analz H |] ==> Y\<in> analz H"
  26.347  by (erule analz_trans, blast)
  26.348  
  26.349 @@ -515,14 +515,14 @@
  26.350     "Y: analz (insert X H) ==> X: analz H --> Y: analz H"
  26.351  *)
  26.352  
  26.353 -text{*This rewrite rule helps in the simplification of messages that involve
  26.354 +text\<open>This rewrite rule helps in the simplification of messages that involve
  26.355    the forwarding of unknown components (X).  Without it, removing occurrences
  26.356 -  of X can be very complicated. *}
  26.357 +  of X can be very complicated.\<close>
  26.358  lemma analz_insert_eq: "X\<in> analz H ==> analz (insert X H) = analz H"
  26.359  by (metis analz_cut analz_insert_eq_I insert_absorb)
  26.360  
  26.361  
  26.362 -text{*A congruence rule for "analz" *}
  26.363 +text\<open>A congruence rule for "analz"\<close>
  26.364  
  26.365  lemma analz_subset_cong:
  26.366       "[| analz G \<subseteq> analz G'; analz H \<subseteq> analz H' |] 
  26.367 @@ -538,14 +538,14 @@
  26.368       "analz H = analz H' ==> analz(insert X H) = analz(insert X H')"
  26.369  by (force simp only: insert_def intro!: analz_cong)
  26.370  
  26.371 -text{*If there are no pairs or encryptions then analz does nothing*}
  26.372 +text\<open>If there are no pairs or encryptions then analz does nothing\<close>
  26.373  lemma analz_trivial:
  26.374       "[| \<forall>X Y. {|X,Y|} \<notin> H;  \<forall>X K. Crypt K X \<notin> H |] ==> analz H = H"
  26.375  apply safe
  26.376  apply (erule analz.induct, blast+)
  26.377  done
  26.378  
  26.379 -text{*These two are obsolete (with a single Spy) but cost little to prove...*}
  26.380 +text\<open>These two are obsolete (with a single Spy) but cost little to prove...\<close>
  26.381  lemma analz_UN_analz_lemma:
  26.382       "X\<in> analz (\<Union>i\<in>A. analz (H i)) ==> X\<in> analz (\<Union>i\<in>A. H i)"
  26.383  apply (erule analz.induct)
  26.384 @@ -556,12 +556,12 @@
  26.385  by (blast intro: analz_UN_analz_lemma analz_mono [THEN [2] rev_subsetD])
  26.386  
  26.387  
  26.388 -subsection{*Inductive relation "synth"*}
  26.389 +subsection\<open>Inductive relation "synth"\<close>
  26.390  
  26.391 -text{*Inductive definition of "synth" -- what can be built up from a set of
  26.392 +text\<open>Inductive definition of "synth" -- what can be built up from a set of
  26.393      messages.  A form of upward closure.  Pairs can be built, messages
  26.394      encrypted with known keys.  Agent names are public domain.
  26.395 -    Numbers can be guessed, but Nonces cannot be.  *}
  26.396 +    Numbers can be guessed, but Nonces cannot be.\<close>
  26.397  
  26.398  inductive_set
  26.399    synth :: "msg set => msg set"
  26.400 @@ -574,12 +574,12 @@
  26.401    | MPair  [intro]:   "[|X \<in> synth H;  Y \<in> synth H|] ==> {|X,Y|} \<in> synth H"
  26.402    | Crypt  [intro]:   "[|X \<in> synth H;  Key(K) \<in> H|] ==> Crypt K X \<in> synth H"
  26.403  
  26.404 -text{*Monotonicity*}
  26.405 +text\<open>Monotonicity\<close>
  26.406  lemma synth_mono: "G\<subseteq>H ==> synth(G) \<subseteq> synth(H)"
  26.407    by (auto, erule synth.induct, auto)  
  26.408  
  26.409 -text{*NO @{text Agent_synth}, as any Agent name can be synthesized.  
  26.410 -  The same holds for @{term Number}*}
  26.411 +text\<open>NO \<open>Agent_synth\<close>, as any Agent name can be synthesized.  
  26.412 +  The same holds for @{term Number}\<close>
  26.413  
  26.414  inductive_simps synth_simps [iff]:
  26.415   "Nonce n \<in> synth H"
  26.416 @@ -591,17 +591,17 @@
  26.417  lemma synth_increasing: "H \<subseteq> synth(H)"
  26.418  by blast
  26.419  
  26.420 -subsubsection{*Unions *}
  26.421 +subsubsection\<open>Unions\<close>
  26.422  
  26.423 -text{*Converse fails: we can synth more from the union than from the 
  26.424 -  separate parts, building a compound message using elements of each.*}
  26.425 +text\<open>Converse fails: we can synth more from the union than from the 
  26.426 +  separate parts, building a compound message using elements of each.\<close>
  26.427  lemma synth_Un: "synth(G) \<union> synth(H) \<subseteq> synth(G \<union> H)"
  26.428  by (intro Un_least synth_mono Un_upper1 Un_upper2)
  26.429  
  26.430  lemma synth_insert: "insert X (synth H) \<subseteq> synth(insert X H)"
  26.431  by (blast intro: synth_mono [THEN [2] rev_subsetD])
  26.432  
  26.433 -subsubsection{*Idempotence and transitivity *}
  26.434 +subsubsection\<open>Idempotence and transitivity\<close>
  26.435  
  26.436  lemma synth_synthD [dest!]: "X\<in> synth (synth H) ==> X\<in> synth H"
  26.437  by (erule synth.induct, auto)
  26.438 @@ -615,7 +615,7 @@
  26.439  lemma synth_trans: "[| X\<in> synth G;  G \<subseteq> synth H |] ==> X\<in> synth H"
  26.440  by (drule synth_mono, blast)
  26.441  
  26.442 -text{*Cut; Lemma 2 of Lowe*}
  26.443 +text\<open>Cut; Lemma 2 of Lowe\<close>
  26.444  lemma synth_cut: "[| Y\<in> synth (insert X H);  X\<in> synth H |] ==> Y\<in> synth H"
  26.445  by (erule synth_trans, blast)
  26.446  
  26.447 @@ -629,7 +629,7 @@
  26.448  by (unfold keysFor_def, blast)
  26.449  
  26.450  
  26.451 -subsubsection{*Combinations of parts, analz and synth *}
  26.452 +subsubsection\<open>Combinations of parts, analz and synth\<close>
  26.453  
  26.454  lemma parts_synth [simp]: "parts (synth H) = parts H \<union> synth H"
  26.455  apply (rule equalityI)
  26.456 @@ -656,12 +656,12 @@
  26.457  by (metis Un_empty_right analz_synth_Un)
  26.458  
  26.459  
  26.460 -subsubsection{*For reasoning about the Fake rule in traces *}
  26.461 +subsubsection\<open>For reasoning about the Fake rule in traces\<close>
  26.462  
  26.463  lemma parts_insert_subset_Un: "X\<in> G ==> parts(insert X H) \<subseteq> parts G \<union> parts H"
  26.464  by (metis UnCI Un_upper2 insert_subset parts_Un parts_mono)
  26.465  
  26.466 -text{*More specifically for Fake. See also @{text Fake_parts_sing} below *}
  26.467 +text\<open>More specifically for Fake. See also \<open>Fake_parts_sing\<close> below\<close>
  26.468  lemma Fake_parts_insert:
  26.469       "X \<in> synth (analz H) ==>  
  26.470        parts (insert X H) \<subseteq> synth (analz H) \<union> parts H"
  26.471 @@ -673,8 +673,8 @@
  26.472        ==> Z \<in>  synth (analz H) \<union> parts H"
  26.473  by (metis Fake_parts_insert set_mp)
  26.474  
  26.475 -text{*@{term H} is sometimes @{term"Key ` KK \<union> spies evs"}, so can't put 
  26.476 -  @{term "G=H"}.*}
  26.477 +text\<open>@{term H} is sometimes @{term"Key ` KK \<union> spies evs"}, so can't put 
  26.478 +  @{term "G=H"}.\<close>
  26.479  lemma Fake_analz_insert:
  26.480       "X\<in> synth (analz G) ==>  
  26.481        analz (insert X H) \<subseteq> synth (analz G) \<union> analz (G \<union> H)"
  26.482 @@ -691,8 +691,8 @@
  26.483       "(X \<in> analz H | X \<in> parts H) = (X \<in> parts H)"
  26.484  by (blast intro: analz_subset_parts [THEN subsetD])
  26.485  
  26.486 -text{*Without this equation, other rules for synth and analz would yield
  26.487 -  redundant cases*}
  26.488 +text\<open>Without this equation, other rules for synth and analz would yield
  26.489 +  redundant cases\<close>
  26.490  lemma MPair_synth_analz [iff]:
  26.491       "({|X,Y|} \<in> synth (analz H)) =  
  26.492        (X \<in> synth (analz H) & Y \<in> synth (analz H))"
  26.493 @@ -710,9 +710,9 @@
  26.494  by blast
  26.495  
  26.496  
  26.497 -subsection{*HPair: a combination of Hash and MPair*}
  26.498 +subsection\<open>HPair: a combination of Hash and MPair\<close>
  26.499  
  26.500 -subsubsection{*Freeness *}
  26.501 +subsubsection\<open>Freeness\<close>
  26.502  
  26.503  lemma Agent_neq_HPair: "Agent A ~= Hash[X] Y"
  26.504    unfolding HPair_def by simp
  26.505 @@ -750,7 +750,7 @@
  26.506  by (auto simp add: HPair_def)
  26.507  
  26.508  
  26.509 -subsubsection{*Specialized laws, proved in terms of those for Hash and MPair *}
  26.510 +subsubsection\<open>Specialized laws, proved in terms of those for Hash and MPair\<close>
  26.511  
  26.512  lemma keysFor_insert_HPair [simp]: "keysFor (insert (Hash[X] Y) H) = keysFor H"
  26.513  by (simp add: HPair_def)
  26.514 @@ -772,12 +772,12 @@
  26.515  by (auto simp add: HPair_def)
  26.516  
  26.517  
  26.518 -text{*We do NOT want Crypt... messages broken up in protocols!!*}
  26.519 +text\<open>We do NOT want Crypt... messages broken up in protocols!!\<close>
  26.520  declare parts.Body [rule del]
  26.521  
  26.522  
  26.523 -text{*Rewrites to push in Key and Crypt messages, so that other messages can
  26.524 -    be pulled out using the @{text analz_insert} rules*}
  26.525 +text\<open>Rewrites to push in Key and Crypt messages, so that other messages can
  26.526 +    be pulled out using the \<open>analz_insert\<close> rules\<close>
  26.527  
  26.528  lemmas pushKeys =
  26.529    insert_commute [of "Key K" "Agent C"]
  26.530 @@ -797,12 +797,12 @@
  26.531    insert_commute [of "Crypt X K" "MPair X' Y"]
  26.532    for X K C N X' Y
  26.533  
  26.534 -text{*Cannot be added with @{text "[simp]"} -- messages should not always be
  26.535 -  re-ordered. *}
  26.536 +text\<open>Cannot be added with \<open>[simp]\<close> -- messages should not always be
  26.537 +  re-ordered.\<close>
  26.538  lemmas pushes = pushKeys pushCrypts
  26.539  
  26.540  
  26.541 -subsection{*The set of key-free messages*}
  26.542 +subsection\<open>The set of key-free messages\<close>
  26.543  
  26.544  (*Note that even the encryption of a key-free message remains key-free.
  26.545    This concept is valuable because of the theorem analz_keyfree_into_Un, proved below. *)
  26.546 @@ -833,9 +833,9 @@
  26.547  apply (metis Un_absorb2 keyfree_KeyE parts_Un parts_keyfree UnI2)
  26.548  done
  26.549  
  26.550 -subsection{*Tactics useful for many protocol proofs*}
  26.551 +subsection\<open>Tactics useful for many protocol proofs\<close>
  26.552  ML
  26.553 -{*
  26.554 +\<open>
  26.555  (*Analysis of Fake cases.  Also works for messages that forward unknown parts,
  26.556    but this application is no longer necessary if analz_insert_eq is used.
  26.557    DEPENDS UPON "X" REFERRING TO THE FRADULENT MESSAGE *)
  26.558 @@ -872,11 +872,11 @@
  26.559         simp_tac ctxt 1,
  26.560         REPEAT (FIRSTGOAL (resolve_tac ctxt [allI,impI,notI,conjI,iffI])),
  26.561         DEPTH_SOLVE (atomic_spy_analz_tac ctxt 1)]) i);
  26.562 -*}
  26.563 +\<close>
  26.564  
  26.565 -text{*By default only @{text o_apply} is built-in.  But in the presence of
  26.566 +text\<open>By default only \<open>o_apply\<close> is built-in.  But in the presence of
  26.567  eta-expansion this means that some terms displayed as @{term "f o g"} will be
  26.568 -rewritten, and others will not!*}
  26.569 +rewritten, and others will not!\<close>
  26.570  declare o_def [simp]
  26.571  
  26.572  
  26.573 @@ -894,7 +894,7 @@
  26.574  by (metis Fake_analz_insert Un_absorb Un_absorb1 Un_commute 
  26.575            subset_insertI synth_analz_mono synth_increasing synth_subset_iff)
  26.576  
  26.577 -text{*Two generalizations of @{text analz_insert_eq}*}
  26.578 +text\<open>Two generalizations of \<open>analz_insert_eq\<close>\<close>
  26.579  lemma gen_analz_insert_eq [rule_format]:
  26.580       "X \<in> analz H ==> ALL G. H \<subseteq> G --> analz (insert X G) = analz G"
  26.581  by (blast intro: analz_cut analz_insertI analz_mono [THEN [2] rev_subsetD])
  26.582 @@ -912,16 +912,16 @@
  26.583  
  26.584  lemmas Fake_parts_sing_imp_Un = Fake_parts_sing [THEN [2] rev_subsetD]
  26.585  
  26.586 -method_setup spy_analz = {*
  26.587 -    Scan.succeed (SIMPLE_METHOD' o spy_analz_tac) *}
  26.588 +method_setup spy_analz = \<open>
  26.589 +    Scan.succeed (SIMPLE_METHOD' o spy_analz_tac)\<close>
  26.590      "for proving the Fake case when analz is involved"
  26.591  
  26.592 -method_setup atomic_spy_analz = {*
  26.593 -    Scan.succeed (SIMPLE_METHOD' o atomic_spy_analz_tac) *}
  26.594 +method_setup atomic_spy_analz = \<open>
  26.595 +    Scan.succeed (SIMPLE_METHOD' o atomic_spy_analz_tac)\<close>
  26.596      "for debugging spy_analz"
  26.597  
  26.598 -method_setup Fake_insert_simp = {*
  26.599 -    Scan.succeed (SIMPLE_METHOD' o Fake_insert_simp_tac) *}
  26.600 +method_setup Fake_insert_simp = \<open>
  26.601 +    Scan.succeed (SIMPLE_METHOD' o Fake_insert_simp_tac)\<close>
  26.602      "for debugging spy_analz"
  26.603  
  26.604  end
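--- a/src/HOL/Auth/NS_Public.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/NS_Public.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -6,7 +6,7 @@
 Version incorporating Lowe's fix (inclusion of B's identity in round 2).
 *)
 
-section{*Verifying the Needham-Schroeder-Lowe Public-Key Protocol*}
+section\<open>Verifying the Needham-Schroeder-Lowe Public-Key Protocol\<close>
 
 theory NS_Public imports Public begin
 
@@ -63,7 +63,7 @@
      "evs \<in> ns_public \<Longrightarrow> (Key (priEK A) \<in> analz (spies evs)) = (A \<in> bad)"
 by auto
 
-subsection{*Authenticity properties obtained from NS2*}
+subsection\<open>Authenticity properties obtained from NS2\<close>
 
 
 (*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce
@@ -135,7 +135,7 @@
 done
 
 
-subsection{*Authenticity properties obtained from NS2*}
+subsection\<open>Authenticity properties obtained from NS2\<close>
 
 (*Unicity for NS2: nonce NB identifies nonce NA and agents A, B 
   [unicity of B makes Lowe's fix work]
@@ -180,7 +180,7 @@
      \<Longrightarrow> Says A B (Crypt (pubEK B) (Nonce NB)) \<in> set evs"
 by (blast intro: B_trusts_NS3_lemma)
 
-subsection{*Overall guarantee for B*}
+subsection\<open>Overall guarantee for B\<close>
 
 (*If NS3 has been sent and the nonce NB agrees with the nonce B joined with
  NA, then A initiated the run using NA.*)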
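Review bot: The subsection heading converted at 27.26 is identical to the one converted at 27.17, "Authenticity properties obtained from NS2", so the file keeps two sections with the same title. The comment opening the second section says it concerns unicity of nonce NB and the next hunk closes it with `B_trusts_NS3_lemma`, so a title that distinguishes it would help navigation; `subsection\<open>Authenticity properties obtained from NS2: unicity of NB\<close>` is one form, to be confirmed against the lemmas between the hunks, which are outside this view. The cartouche rewrite itself is mechanical and not at issue here.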
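--- a/src/HOL/Auth/NS_Public_Bad.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/NS_Public_Bad.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -10,7 +10,7 @@
   Proc. Royal Soc. 426 (1989)
 *)
 
-section{*Verifying the Needham-Schroeder Public-Key Protocol*}
+section\<open>Verifying the Needham-Schroeder Public-Key Protocol\<close>
 
 theory NS_Public_Bad imports Public begin
 
@@ -203,9 +203,9 @@
 apply (frule_tac A' = A in 
       Says_imp_knows_Spy [THEN parts.Inj, THEN unique_NB], auto)
 apply (rename_tac evs3 B' C)
-txt{*This is the attack!
+txt\<open>This is the attack!
 @{subgoals[display,indent=0,margin=65]}
-*}
+\<close>
 oops
 
 (*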
    29.1 --- a/src/HOL/Auth/NS_Shared.thy	Thu Dec 10 21:31:24 2015 +0100
    29.2 +++ b/src/HOL/Auth/NS_Shared.thy	Thu Dec 10 21:39:33 2015 +0100
    29.3 @@ -3,15 +3,15 @@
    29.4      Copyright   1996  University of Cambridge
    29.5  *)
    29.6  
    29.7 -section{*Needham-Schroeder Shared-Key Protocol and the Issues Property*}
    29.8 +section\<open>Needham-Schroeder Shared-Key Protocol and the Issues Property\<close>
    29.9  
   29.10  theory NS_Shared imports Public begin
   29.11  
   29.12 -text{*
   29.13 +text\<open>
   29.14  From page 247 of
   29.15    Burrows, Abadi and Needham (1989).  A Logic of Authentication.
   29.16    Proc. Royal Soc. 426
   29.17 -*}
   29.18 +\<close>
   29.19  
   29.20  definition
   29.21   (* A is the true creator of X if she has sent X and X never appeared on
   29.22 @@ -88,7 +88,7 @@
   29.23  declare analz_into_parts [dest]
   29.24  
   29.25  
   29.26 -text{*A "possibility property": there are traces that reach the end*}
   29.27 +text\<open>A "possibility property": there are traces that reach the end\<close>
   29.28  lemma "[| A \<noteq> Server; Key K \<notin> used []; K \<in> symKeys |]
   29.29         ==> \<exists>N. \<exists>evs \<in> ns_shared.
   29.30                      Says A B (Crypt K \<lbrace>Nonce N, Nonce N\<rbrace>) \<in> set evs"
   29.31 @@ -105,25 +105,25 @@
   29.32  *)
   29.33  
   29.34  
   29.35 -subsection{*Inductive proofs about @{term ns_shared}*}
   29.36 +subsection\<open>Inductive proofs about @{term ns_shared}\<close>
   29.37  
   29.38 -subsubsection{*Forwarding lemmas, to aid simplification*}
   29.39 +subsubsection\<open>Forwarding lemmas, to aid simplification\<close>
   29.40  
   29.41 -text{*For reasoning about the encrypted portion of message NS3*}
   29.42 +text\<open>For reasoning about the encrypted portion of message NS3\<close>
   29.43  lemma NS3_msg_in_parts_spies:
   29.44       "Says S A (Crypt KA \<lbrace>N, B, K, X\<rbrace>) \<in> set evs \<Longrightarrow> X \<in> parts (spies evs)"
   29.45  by blast
   29.46  
   29.47 -text{*For reasoning about the Oops message*}
   29.48 +text\<open>For reasoning about the Oops message\<close>
   29.49  lemma Oops_parts_spies:
   29.50       "Says Server A (Crypt (shrK A) \<lbrace>NA, B, K, X\<rbrace>) \<in> set evs
   29.51              \<Longrightarrow> K \<in> parts (spies evs)"
   29.52  by blast
   29.53  
   29.54 -text{*Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that NOBODY
   29.55 -    sends messages containing @{term X}*}
   29.56 +text\<open>Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that NOBODY
   29.57 +    sends messages containing @{term X}\<close>
   29.58  
   29.59 -text{*Spy never sees another agent's shared key! (unless it's bad at start)*}
   29.60 +text\<open>Spy never sees another agent's shared key! (unless it's bad at start)\<close>
   29.61  lemma Spy_see_shrK [simp]:
   29.62       "evs \<in> ns_shared \<Longrightarrow> (Key (shrK A) \<in> parts (spies evs)) = (A \<in> bad)"
   29.63  apply (erule ns_shared.induct, force, drule_tac [4] NS3_msg_in_parts_spies, simp_all, blast+)
   29.64 @@ -134,20 +134,20 @@
   29.65  by auto
   29.66  
   29.67  
   29.68 -text{*Nobody can have used non-existent keys!*}
   29.69 +text\<open>Nobody can have used non-existent keys!\<close>
   29.70  lemma new_keys_not_used [simp]:
   29.71      "[|Key K \<notin> used evs; K \<in> symKeys; evs \<in> ns_shared|]
   29.72       ==> K \<notin> keysFor (parts (spies evs))"
   29.73  apply (erule rev_mp)
   29.74  apply (erule ns_shared.induct, force, drule_tac [4] NS3_msg_in_parts_spies, simp_all)
   29.75 -txt{*Fake, NS2, NS4, NS5*}
   29.76 +txt\<open>Fake, NS2, NS4, NS5\<close>
   29.77  apply (force dest!: keysFor_parts_insert, blast+)
   29.78  done
   29.79  
   29.80  
   29.81 -subsubsection{*Lemmas concerning the form of items passed in messages*}
   29.82 +subsubsection\<open>Lemmas concerning the form of items passed in messages\<close>
   29.83  
   29.84 -text{*Describes the form of K, X and K' when the Server sends this message.*}
   29.85 +text\<open>Describes the form of K, X and K' when the Server sends this message.\<close>
   29.86  lemma Says_Server_message_form:
   29.87       "\<lbrakk>Says Server A (Crypt K' \<lbrace>N, Agent B, Key K, X\<rbrace>) \<in> set evs;
   29.88         evs \<in> ns_shared\<rbrakk>
   29.89 @@ -157,7 +157,7 @@
   29.90  by (erule rev_mp, erule ns_shared.induct, auto)
   29.91  
   29.92  
   29.93 -text{*If the encrypted message appears then it originated with the Server*}
   29.94 +text\<open>If the encrypted message appears then it originated with the Server\<close>
   29.95  lemma A_trusts_NS2:
   29.96       "\<lbrakk>Crypt (shrK A) \<lbrace>NA, Agent B, Key K, X\<rbrace> \<in> parts (spies evs);
   29.97         A \<notin> bad;  evs \<in> ns_shared\<rbrakk>
   29.98 @@ -172,9 +172,9 @@
   29.99        \<Longrightarrow> K \<notin> range shrK \<and>  X = (Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace>)"
  29.100  by (blast dest!: A_trusts_NS2 Says_Server_message_form)
  29.101  
  29.102 -text{*EITHER describes the form of X when the following message is sent,
  29.103 +text\<open>EITHER describes the form of X when the following message is sent,
  29.104    OR     reduces it to the Fake case.
  29.105 -  Use @{text Says_Server_message_form} if applicable.*}
  29.106 +  Use \<open>Says_Server_message_form\<close> if applicable.\<close>
  29.107  lemma Says_S_message_form:
  29.108       "\<lbrakk>Says S A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>) \<in> set evs;
  29.109         evs \<in> ns_shared\<rbrakk>
  29.110 @@ -204,23 +204,23 @@
  29.111   A more general formula must be proved inductively.
  29.112  ****)
  29.113  
  29.114 -text{*NOT useful in this form, but it says that session keys are not used
  29.115 +text\<open>NOT useful in this form, but it says that session keys are not used
  29.116    to encrypt messages containing other keys, in the actual protocol.
  29.117 -  We require that agents should behave like this subsequently also.*}
  29.118 +  We require that agents should behave like this subsequently also.\<close>
  29.119  lemma  "\<lbrakk>evs \<in> ns_shared;  Kab \<notin> range shrK\<rbrakk> \<Longrightarrow>
  29.120           (Crypt KAB X) \<in> parts (spies evs) \<and>
  29.121           Key K \<in> parts {X} \<longrightarrow> Key K \<in> parts (spies evs)"
  29.122  apply (erule ns_shared.induct, force, drule_tac [4] NS3_msg_in_parts_spies, simp_all)
  29.123 -txt{*Fake*}
  29.124 +txt\<open>Fake\<close>
  29.125  apply (blast dest: parts_insert_subset_Un)
  29.126 -txt{*Base, NS4 and NS5*}
  29.127 +txt\<open>Base, NS4 and NS5\<close>
  29.128  apply auto
  29.129  done
  29.130  
  29.131  
  29.132 -subsubsection{*Session keys are not used to encrypt other session keys*}
  29.133 +subsubsection\<open>Session keys are not used to encrypt other session keys\<close>
  29.134  
  29.135 -text{*The equality makes the induction hypothesis easier to apply*}
  29.136 +text\<open>The equality makes the induction hypothesis easier to apply\<close>
  29.137  
  29.138  lemma analz_image_freshK [rule_format]:
  29.139   "evs \<in> ns_shared \<Longrightarrow>
  29.140 @@ -230,7 +230,7 @@
  29.141  apply (erule ns_shared.induct)
  29.142  apply (drule_tac [8] Says_Server_message_form)
  29.143  apply (erule_tac [5] Says_S_message_form [THEN disjE], analz_freshK, spy_analz)
  29.144 -txt{*NS2, NS3*}
  29.145 +txt\<open>NS2, NS3\<close>
  29.146  apply blast+ 
  29.147  done
  29.148  
  29.149 @@ -242,9 +242,9 @@
  29.150  by (simp only: analz_image_freshK analz_image_freshK_simps)
  29.151  
  29.152  
  29.153 -subsubsection{*The session key K uniquely identifies the message*}
  29.154 +subsubsection\<open>The session key K uniquely identifies the message\<close>
  29.155  
  29.156 -text{*In messages of this form, the session key uniquely identifies the rest*}
  29.157 +text\<open>In messages of this form, the session key uniquely identifies the rest\<close>
  29.158  lemma unique_session_keys:
  29.159       "\<lbrakk>Says Server A (Crypt (shrK A) \<lbrace>NA, Agent B, Key K, X\<rbrace>) \<in> set evs;
  29.160         Says Server A' (Crypt (shrK A') \<lbrace>NA', Agent B', Key K, X'\<rbrace>) \<in> set evs;
  29.161 @@ -252,9 +252,9 @@
  29.162  by (erule rev_mp, erule rev_mp, erule ns_shared.induct, simp_all, blast+)
  29.163  
  29.164  
  29.165 -subsubsection{*Crucial secrecy property: Spy doesn't see the keys sent in NS2*}
  29.166 +subsubsection\<open>Crucial secrecy property: Spy doesn't see the keys sent in NS2\<close>
  29.167  
  29.168 -text{*Beware of @{text "[rule_format]"} and the universal quantifier!*}
  29.169 +text\<open>Beware of \<open>[rule_format]\<close> and the universal quantifier!\<close>
  29.170  lemma secrecy_lemma:
  29.171       "\<lbrakk>Says Server A (Crypt (shrK A) \<lbrace>NA, Agent B, Key K,
  29.172                                        Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace>\<rbrace>)
  29.173 @@ -268,18 +268,18 @@
  29.174  apply (frule_tac [4] Says_S_message_form)
  29.175  apply (erule_tac [5] disjE)
  29.176  apply (simp_all add: analz_insert_eq analz_insert_freshK pushes split_ifs, spy_analz)
  29.177 -txt{*NS2*}
  29.178 +txt\<open>NS2\<close>
  29.179  apply blast
  29.180 -txt{*NS3*}
  29.181 +txt\<open>NS3\<close>
  29.182  apply (blast dest!: Crypt_Spy_analz_bad A_trusts_NS2
  29.183               dest:  Says_imp_knows_Spy analz.Inj unique_session_keys)
  29.184 -txt{*Oops*}
  29.185 +txt\<open>Oops\<close>
  29.186  apply (blast dest: unique_session_keys)
  29.187  done
  29.188  
  29.189  
  29.190  
  29.191 -text{*Final version: Server's message in the most abstract form*}
  29.192 +text\<open>Final version: Server's message in the most abstract form\<close>
  29.193  lemma Spy_not_see_encrypted_key:
  29.194       "\<lbrakk>Says Server A (Crypt K' \<lbrace>NA, Agent B, Key K, X\<rbrace>) \<in> set evs;
  29.195         \<forall>NB. Notes Spy \<lbrace>NA, NB, Key K\<rbrace> \<notin> set evs;
  29.196 @@ -288,9 +288,9 @@
  29.197  by (blast dest: Says_Server_message_form secrecy_lemma)
  29.198  
  29.199  
  29.200 -subsection{*Guarantees available at various stages of protocol*}
  29.201 +subsection\<open>Guarantees available at various stages of protocol\<close>
  29.202  
  29.203 -text{*If the encrypted message appears then it originated with the Server*}
  29.204 +text\<open>If the encrypted message appears then it originated with the Server\<close>
  29.205  lemma B_trusts_NS3:
  29.206       "\<lbrakk>Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace> \<in> parts (spies evs);
  29.207         B \<notin> bad;  evs \<in> ns_shared\<rbrakk>
  29.208 @@ -311,14 +311,14 @@
  29.209        Says B A (Crypt K (Nonce NB)) \<in> set evs"
  29.210  apply (erule ns_shared.induct, force, drule_tac [4] NS3_msg_in_parts_spies)
  29.211  apply (analz_mono_contra, simp_all, blast)
  29.212 -txt{*NS2: contradiction from the assumptions @{term "Key K \<notin> used evs2"} and
  29.213 -    @{term "Crypt K (Nonce NB) \<in> parts (spies evs2)"} *} 
  29.214 +txt\<open>NS2: contradiction from the assumptions @{term "Key K \<notin> used evs2"} and
  29.215 +    @{term "Crypt K (Nonce NB) \<in> parts (spies evs2)"}\<close> 
  29.216  apply (force dest!: Crypt_imp_keysFor)
  29.217 -txt{*NS4*}
  29.218 +txt\<open>NS4\<close>
  29.219  apply (metis B_trusts_NS3 Crypt_Spy_analz_bad Says_imp_analz_Spy Says_imp_parts_knows_Spy analz.Fst unique_session_keys)
  29.220  done
  29.221  
  29.222 -text{*This version no longer assumes that K is secure*}
  29.223 +text\<open>This version no longer assumes that K is secure\<close>
  29.224  lemma A_trusts_NS4:
  29.225       "\<lbrakk>Crypt K (Nonce NB) \<in> parts (spies evs);
  29.226         Crypt (shrK A) \<lbrace>NA, Agent B, Key K, X\<rbrace> \<in> parts (spies evs);
  29.227 @@ -328,9 +328,9 @@
  29.228  by (blast intro: A_trusts_NS4_lemma
  29.229            dest: A_trusts_NS2 Spy_not_see_encrypted_key)
  29.230  
  29.231 -text{*If the session key has been used in NS4 then somebody has forwarded
  29.232 +text\<open>If the session key has been used in NS4 then somebody has forwarded
  29.233    component X in some instance of NS4.  Perhaps an interesting property,
  29.234 -  but not needed (after all) for the proofs below.*}
  29.235 +  but not needed (after all) for the proofs below.\<close>
  29.236  theorem NS4_implies_NS3 [rule_format]:
  29.237    "evs \<in> ns_shared \<Longrightarrow>
  29.238       Key K \<notin> analz (spies evs) \<longrightarrow>
  29.239 @@ -341,9 +341,9 @@
  29.240  apply (drule_tac [4] NS3_msg_in_parts_spies)
  29.241  apply analz_mono_contra
  29.242  apply (simp_all add: ex_disj_distrib, blast)
  29.243 -txt{*NS2*}
  29.244 +txt\<open>NS2\<close>
  29.245  apply (blast dest!: new_keys_not_used Crypt_imp_keysFor)
  29.246 -txt{*NS4*}
  29.247 +txt\<open>NS4\<close>
  29.248  apply (metis B_trusts_NS3 Crypt_Spy_analz_bad Says_imp_analz_Spy Says_imp_parts_knows_Spy analz.Fst unique_session_keys)
  29.249  done
  29.250  
  29.251 @@ -359,16 +359,16 @@
  29.252  apply (erule ns_shared.induct, force)
  29.253  apply (drule_tac [4] NS3_msg_in_parts_spies)
  29.254  apply (analz_mono_contra, simp_all, blast)
  29.255 -txt{*NS2*}
  29.256 +txt\<open>NS2\<close>
  29.257  apply (blast dest!: new_keys_not_used Crypt_imp_keysFor)
  29.258 -txt{*NS5*}
  29.259 +txt\<open>NS5\<close>
  29.260  apply (blast dest!: A_trusts_NS2
  29.261               dest: Says_imp_knows_Spy [THEN analz.Inj]
  29.262                     unique_session_keys Crypt_Spy_analz_bad)
  29.263  done
  29.264  
  29.265  
  29.266 -text{*Very strong Oops condition reveals protocol's weakness*}
  29.267 +text\<open>Very strong Oops condition reveals protocol's weakness\<close>
  29.268  lemma B_trusts_NS5:
  29.269       "\<lbrakk>Crypt K \<lbrace>Nonce NB, Nonce NB\<rbrace> \<in> parts (spies evs);
  29.270         Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace> \<in> parts (spies evs);
  29.271 @@ -378,9 +378,9 @@
  29.272  by (blast intro: B_trusts_NS5_lemma
  29.273            dest: B_trusts_NS3 Spy_not_see_encrypted_key)
  29.274  
  29.275 -text{*Unaltered so far wrt original version*}
  29.276 +text\<open>Unaltered so far wrt original version\<close>
  29.277  
  29.278 -subsection{*Lemmas for reasoning about predicate "Issues"*}
  29.279 +subsection\<open>Lemmas for reasoning about predicate "Issues"\<close>
  29.280  
  29.281  lemma spies_Says_rev: "spies (evs @ [Says A B X]) = insert X (spies evs)"
  29.282  apply (induct_tac "evs")
  29.283 @@ -414,15 +414,15 @@
  29.284  apply (induct_tac "evs")
  29.285  apply (rename_tac [2] a b)
  29.286  apply (induct_tac [2] "a", auto)
  29.287 -txt{* Resembles @{text"used_subset_append"} in theory Event.*}
  29.288 +txt\<open>Resembles \<open>used_subset_append\<close> in theory Event.\<close>
  29.289  done
  29.290  
  29.291  lemmas parts_spies_takeWhile_mono = spies_takeWhile [THEN parts_mono]
  29.292  
  29.293  
  29.294 -subsection{*Guarantees of non-injective agreement on the session key, and
  29.295 +subsection\<open>Guarantees of non-injective agreement on the session key, and
  29.296  of key distribution. They also express forms of freshness of certain messages,
  29.297 -namely that agents were alive after something happened.*}
  29.298 +namely that agents were alive after something happened.\<close>
  29.299  
  29.300  lemma B_Issues_A:
  29.301       "\<lbrakk> Says B A (Crypt K (Nonce Nb)) \<in> set evs;
  29.302 @@ -437,24 +437,24 @@
  29.303  apply (erule rev_mp)
  29.304  apply (erule ns_shared.induct, analz_mono_contra)
  29.305  apply (simp_all)
  29.306 -txt{*fake*}
  29.307 +txt\<open>fake\<close>
  29.308  apply blast
  29.309  apply (simp_all add: takeWhile_tail)
  29.310 -txt{*NS3 remains by pure coincidence!*}
  29.311 +txt\<open>NS3 remains by pure coincidence!\<close>
  29.312  apply (force dest!: A_trusts_NS2 Says_Server_message_form)
  29.313 -txt{*NS4 would be the non-trivial case can be solved by Nb being used*}
  29.314 +txt\<open>NS4 would be the non-trivial case can be solved by Nb being used\<close>
  29.315  apply (blast dest: parts_spies_takeWhile_mono [THEN subsetD]
  29.316                     parts_spies_evs_revD2 [THEN subsetD])
  29.317  done
  29.318  
  29.319 -text{*Tells A that B was alive after she sent him the session key.  The
  29.320 +text\<open>Tells A that B was alive after she sent him the session key.  The
  29.321  session key must be assumed confidential for this deduction to be meaningful,
  29.322  but that assumption can be relaxed by the appropriate argument.
  29.323  
  29.324  Precisely, the theorem guarantees (to A) key distribution of the session key
  29.325  to B. It also guarantees (to A) non-injective agreement of B with A on the
  29.326  session key. Both goals are available to A in the sense of Goal Availability.
  29.327 -*}
  29.328 +\<close>
  29.329  lemma A_authenticates_and_keydist_to_B:
  29.330       "\<lbrakk>Crypt K (Nonce NB) \<in> parts (spies evs);
  29.331         Crypt (shrK A) \<lbrace>NA, Agent B, Key K, X\<rbrace> \<in> parts (spies evs);
  29.332 @@ -474,13 +474,13 @@
  29.333  apply (erule rev_mp)
  29.334  apply (erule ns_shared.induct, analz_mono_contra)
  29.335  apply (simp_all)
  29.336 -txt{*Fake*}
  29.337 +txt\<open>Fake\<close>
  29.338  apply blast
  29.339 -txt{*NS2*}
  29.340 +txt\<open>NS2\<close>
  29.341  apply (force dest!: Crypt_imp_keysFor)
  29.342 -txt{*NS3*}
  29.343 +txt\<open>NS3\<close>
  29.344  apply (metis NS3_msg_in_parts_spies parts_cut_eq)
  29.345 -txt{*NS5, the most important case, can be solved by unicity*}
  29.346 +txt\<open>NS5, the most important case, can be solved by unicity\<close>
  29.347  apply (metis A_trusts_NS2 Crypt_Spy_analz_bad Says_imp_analz_Spy Says_imp_parts_knows_Spy analz.Fst analz.Snd unique_session_keys)
  29.348  done
  29.349  
  29.350 @@ -497,20 +497,20 @@
  29.351  apply (erule rev_mp)
  29.352  apply (erule ns_shared.induct, analz_mono_contra)
  29.353  apply (simp_all)
  29.354 -txt{*fake*}
  29.355 +txt\<open>fake\<close>
  29.356  apply blast
  29.357  apply (simp_all add: takeWhile_tail)
  29.358 -txt{*NS3 remains by pure coincidence!*}
  29.359 +txt\<open>NS3 remains by pure coincidence!\<close>
  29.360  apply (force dest!: A_trusts_NS2 Says_Server_message_form)
  29.361 -txt{*NS5 is the non-trivial case and cannot be solved as in @{term B_Issues_A}! because NB is not fresh. We need @{term A_trusts_NS5}, proved for this very purpose*}
  29.362 +txt\<open>NS5 is the non-trivial case and cannot be solved as in @{term B_Issues_A}! because NB is not fresh. We need @{term A_trusts_NS5}, proved for this very purpose\<close>
  29.363  apply (blast dest: A_trusts_NS5 parts_spies_takeWhile_mono [THEN subsetD]
  29.364          parts_spies_evs_revD2 [THEN subsetD])
  29.365  done
  29.366  
  29.367 -text{*Tells B that A was alive after B issued NB.
  29.368 +text\<open>Tells B that A was alive after B issued NB.
  29.369  
  29.370  Precisely, the theorem guarantees (to B) key distribution of the session key to A. It also guarantees (to B) non-injective agreement of A with B on the session key. Both goals are available to B in the sense of Goal Availability.
  29.371 -*}
  29.372 +\<close>
  29.373  lemma B_authenticates_and_keydist_to_A:
  29.374       "\<lbrakk>Crypt K \<lbrace>Nonce NB, Nonce NB\<rbrace> \<in> parts (spies evs);
  29.375         Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace> \<in> parts (spies evs);
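Review bot: The `txt` converted at 29.362 still refers to the facts as `@{term B_Issues_A}` and `@{term A_trusts_NS5}`, whereas the rest of this file after the rewrite names facts with plain cartouches (for example `Use \<open>Says_Server_message_form\<close>` at 29.106); the tool only rewrites `@{text}`, so these were left untouched. A term antiquotation on a bare fact name is presumably parsed as a free variable, so it neither checks that the fact exists nor prints anything more than the name. Writing them as `\<open>B_Issues_A\<close>` and `\<open>A_trusts_NS5\<close>` would match the file's convention, or `@{thm B_Issues_A}` if the statement is actually meant to be displayed and checked.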
    30.1 --- a/src/HOL/Auth/OtwayRees.thy	Thu Dec 10 21:31:24 2015 +0100
    30.2 +++ b/src/HOL/Auth/OtwayRees.thy	Thu Dec 10 21:39:33 2015 +0100
    30.3 @@ -3,15 +3,15 @@
    30.4      Copyright   1996  University of Cambridge
    30.5  *)
    30.6  
    30.7 -section{*The Original Otway-Rees Protocol*}
    30.8 +section\<open>The Original Otway-Rees Protocol\<close>
    30.9  
   30.10  theory OtwayRees imports Public begin
   30.11  
   30.12 -text{* From page 244 of
   30.13 +text\<open>From page 244 of
   30.14    Burrows, Abadi and Needham (1989).  A Logic of Authentication.
   30.15    Proc. Royal Soc. 426
   30.16  
   30.17 -This is the original version, which encrypts Nonce NB.*}
   30.18 +This is the original version, which encrypts Nonce NB.\<close>
   30.19  
   30.20  inductive_set otway :: "event list set"
   30.21    where
   30.22 @@ -85,7 +85,7 @@
   30.23  declare Fake_parts_insert_in_Un  [dest]
   30.24  
   30.25  
   30.26 -text{*A "possibility property": there are traces that reach the end*}
   30.27 +text\<open>A "possibility property": there are traces that reach the end\<close>
   30.28  lemma "[| B \<noteq> Server; Key K \<notin> used [] |]
   30.29        ==> \<exists>evs \<in> otway.
   30.30               Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|}
   30.31 @@ -127,10 +127,10 @@
   30.32    some reason proofs work without them!*)
   30.33  
   30.34  
   30.35 -text{*Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that
   30.36 -NOBODY sends messages containing X! *}
   30.37 +text\<open>Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that
   30.38 +NOBODY sends messages containing X!\<close>
   30.39  
   30.40 -text{*Spy never sees a good agent's shared key!*}
   30.41 +text\<open>Spy never sees a good agent's shared key!\<close>
   30.42  lemma Spy_see_shrK [simp]:
   30.43       "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)"
   30.44  by (erule otway.induct, force,
   30.45 @@ -146,7 +146,7 @@
   30.46  by (blast dest: Spy_see_shrK)
   30.47  
   30.48  
   30.49 -subsection{*Towards Secrecy: Proofs Involving @{term analz}*}
   30.50 +subsection\<open>Towards Secrecy: Proofs Involving @{term analz}\<close>
   30.51  
   30.52  (*Describes the form of K and NA when the Server sends this message.  Also
   30.53    for Oops case.*)
   30.54 @@ -167,9 +167,9 @@
   30.55  ****)
   30.56  
   30.57  
   30.58 -text{*Session keys are not used to encrypt other session keys*}
   30.59 +text\<open>Session keys are not used to encrypt other session keys\<close>
   30.60  
   30.61 -text{*The equality makes the induction hypothesis easier to apply*}
   30.62 +text\<open>The equality makes the induction hypothesis easier to apply\<close>
   30.63  lemma analz_image_freshK [rule_format]:
   30.64   "evs \<in> otway ==>
   30.65     \<forall>K KK. KK <= -(range shrK) -->
   30.66 @@ -188,7 +188,7 @@
   30.67  by (simp only: analz_image_freshK analz_image_freshK_simps)
   30.68  
   30.69  
   30.70 -text{*The Key K uniquely identifies the Server's  message. *}
   30.71 +text\<open>The Key K uniquely identifies the Server's  message.\<close>
   30.72  lemma unique_session_keys:
   30.73       "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}   \<in> set evs;
   30.74           Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} \<in> set evs;
   30.75 @@ -196,13 +196,13 @@
   30.76  apply (erule rev_mp)
   30.77  apply (erule rev_mp)
   30.78  apply (erule otway.induct, simp_all)
   30.79 -apply blast+  --{*OR3 and OR4*}
   30.80 +apply blast+  \<comment>\<open>OR3 and OR4\<close>
   30.81  done
   30.82  
   30.83  
   30.84 -subsection{*Authenticity properties relating to NA*}
   30.85 +subsection\<open>Authenticity properties relating to NA\<close>
   30.86  
   30.87 -text{*Only OR1 can have caused such a part of a message to appear.*}
   30.88 +text\<open>Only OR1 can have caused such a part of a message to appear.\<close>
   30.89  lemma Crypt_imp_OR1 [rule_format]:
   30.90   "[| A \<notin> bad;  evs \<in> otway |]
   30.91    ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs) -->
   30.92 @@ -222,7 +222,7 @@
   30.93  by (blast dest: Crypt_imp_OR1)
   30.94  
   30.95  
   30.96 -text{*The Nonce NA uniquely identifies A's message*}
   30.97 +text\<open>The Nonce NA uniquely identifies A's message\<close>
   30.98  lemma unique_NA:
   30.99       "[| Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs);
  30.100           Crypt (shrK A) {|NA, Agent A, Agent C|} \<in> parts (knows Spy evs);
  30.101 @@ -234,9 +234,9 @@
  30.102  done
  30.103  
  30.104  
  30.105 -text{*It is impossible to re-use a nonce in both OR1 and OR2.  This holds because
  30.106 +text\<open>It is impossible to re-use a nonce in both OR1 and OR2.  This holds because
  30.107    OR2 encrypts Nonce NB.  It prevents the attack that can occur in the
  30.108 -  over-simplified version of this protocol: see @{text OtwayRees_Bad}.*}
  30.109 +  over-simplified version of this protocol: see \<open>OtwayRees_Bad\<close>.\<close>
  30.110  lemma no_nonce_OR1_OR2:
  30.111     "[| Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs);
  30.112         A \<notin> bad;  evs \<in> otway |]
  30.113 @@ -246,8 +246,8 @@
  30.114         drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+)
  30.115  done
  30.116  
  30.117 -text{*Crucial property: If the encrypted message appears, and A has used NA
  30.118 -  to start a run, then it originated with the Server!*}
  30.119 +text\<open>Crucial property: If the encrypted message appears, and A has used NA
  30.120 +  to start a run, then it originated with the Server!\<close>
  30.121  lemma NA_Crypt_imp_Server_msg [rule_format]:
  30.122       "[| A \<notin> bad;  evs \<in> otway |]
  30.123        ==> Says A B {|NA, Agent A, Agent B,
  30.124 @@ -259,16 +259,16 @@
  30.125                             Crypt (shrK B) {|NB, Key K|}|} \<in> set evs)"
  30.126  apply (erule otway.induct, force,
  30.127         drule_tac [4] OR2_parts_knows_Spy, simp_all, blast)
  30.128 -apply blast  --{*OR1: by freshness*}
  30.129 -apply (blast dest!: no_nonce_OR1_OR2 intro: unique_NA)  --{*OR3*}
  30.130 -apply (blast intro!: Crypt_imp_OR1)  --{*OR4*}
  30.131 +apply blast  \<comment>\<open>OR1: by freshness\<close>
  30.132 +apply (blast dest!: no_nonce_OR1_OR2 intro: unique_NA)  \<comment>\<open>OR3\<close>
  30.133 +apply (blast intro!: Crypt_imp_OR1)  \<comment>\<open>OR4\<close>
  30.134  done
  30.135  
  30.136  
  30.137 -text{*Corollary: if A receives B's OR4 message and the nonce NA agrees
  30.138 +text\<open>Corollary: if A receives B's OR4 message and the nonce NA agrees
  30.139    then the key really did come from the Server!  CANNOT prove this of the
  30.140    bad form of this protocol, even though we can prove
  30.141 -  @{text Spy_not_see_encrypted_key} *}
  30.142 +  \<open>Spy_not_see_encrypted_key\<close>\<close>
  30.143  lemma A_trusts_OR4:
  30.144       "[| Says A  B {|NA, Agent A, Agent B,
  30.145                       Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs;
  30.146 @@ -282,9 +282,9 @@
  30.147  by (blast intro!: NA_Crypt_imp_Server_msg)
  30.148  
  30.149  
  30.150 -text{*Crucial secrecy property: Spy does not see the keys sent in msg OR3
  30.151 +text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3
  30.152      Does not in itself guarantee security: an attack could violate
  30.153 -    the premises, e.g. by having @{term "A=Spy"}*}
  30.154 +    the premises, e.g. by having @{term "A=Spy"}\<close>
  30.155  lemma secrecy_lemma:
  30.156   "[| A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
  30.157    ==> Says Server B
  30.158 @@ -297,8 +297,8 @@
  30.159  apply (drule_tac [6] OR4_analz_knows_Spy)
  30.160  apply (drule_tac [4] OR2_analz_knows_Spy)
  30.161  apply (simp_all add: analz_insert_eq analz_insert_freshK pushes)
  30.162 -apply spy_analz  --{*Fake*}
  30.163 -apply (blast dest: unique_session_keys)+  --{*OR3, OR4, Oops*}
  30.164 +apply spy_analz  \<comment>\<open>Fake\<close>
  30.165 +apply (blast dest: unique_session_keys)+  \<comment>\<open>OR3, OR4, Oops\<close>
  30.166  done
  30.167  
  30.168  theorem Spy_not_see_encrypted_key:
  30.169 @@ -310,13 +310,13 @@
  30.170        ==> Key K \<notin> analz (knows Spy evs)"
  30.171  by (blast dest: Says_Server_message_form secrecy_lemma)
  30.172  
  30.173 -text{*This form is an immediate consequence of the previous result.  It is 
  30.174 +text\<open>This form is an immediate consequence of the previous result.  It is 
  30.175  similar to the assertions established by other methods.  It is equivalent
  30.176  to the previous result in that the Spy already has @{term analz} and
  30.177  @{term synth} at his disposal.  However, the conclusion 
  30.178  @{term "Key K \<notin> knows Spy evs"} appears not to be inductive: all the cases
  30.179  other than Fake are trivial, while Fake requires 
  30.180 -@{term "Key K \<notin> analz (knows Spy evs)"}. *}
  30.181 +@{term "Key K \<notin> analz (knows Spy evs)"}.\<close>
  30.182  lemma Spy_not_know_encrypted_key:
  30.183       "[| Says Server B
  30.184            {|NA, Crypt (shrK A) {|NA, Key K|},
  30.185 @@ -327,8 +327,8 @@
  30.186  by (blast dest: Spy_not_see_encrypted_key)
  30.187  
  30.188  
  30.189 -text{*A's guarantee.  The Oops premise quantifies over NB because A cannot know
  30.190 -  what it is.*}
  30.191 +text\<open>A's guarantee.  The Oops premise quantifies over NB because A cannot know
  30.192 +  what it is.\<close>
  30.193  lemma A_gets_good_key:
  30.194       "[| Says A  B {|NA, Agent A, Agent B,
  30.195                       Crypt (shrK A) {|NA, Agent A, Agent B|}|} \<in> set evs;
  30.196 @@ -339,10 +339,10 @@
  30.197  by (blast dest!: A_trusts_OR4 Spy_not_see_encrypted_key)
  30.198  
  30.199  
  30.200 -subsection{*Authenticity properties relating to NB*}
  30.201 +subsection\<open>Authenticity properties relating to NB\<close>
  30.202  
  30.203 -text{*Only OR2 can have caused such a part of a message to appear.  We do not
  30.204 -  know anything about X: it does NOT have to have the right form.*}
  30.205 +text\<open>Only OR2 can have caused such a part of a message to appear.  We do not
  30.206 +  know anything about X: it does NOT have to have the right form.\<close>
  30.207  lemma Crypt_imp_OR2:
  30.208       "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \<in> parts (knows Spy evs);
  30.209           B \<notin> bad;  evs \<in> otway |]
  30.210 @@ -356,7 +356,7 @@
  30.211  done
  30.212  
  30.213  
  30.214 -text{*The Nonce NB uniquely identifies B's  message*}
  30.215 +text\<open>The Nonce NB uniquely identifies B's  message\<close>
  30.216  lemma unique_NB:
  30.217       "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \<in> parts(knows Spy evs);
  30.218           Crypt (shrK B) {|NC, NB, Agent C, Agent B|} \<in> parts(knows Spy evs);
  30.219 @@ -365,11 +365,11 @@
  30.220  apply (erule rev_mp, erule rev_mp)
  30.221  apply (erule otway.induct, force,
  30.222         drule_tac [4] OR2_parts_knows_Spy, simp_all)
  30.223 -apply blast+  --{*Fake, OR2*}
  30.224 +apply blast+  \<comment>\<open>Fake, OR2\<close>
  30.225  done
  30.226  
  30.227 -text{*If the encrypted message appears, and B has used Nonce NB,
  30.228 -  then it originated with the Server!  Quite messy proof.*}
  30.229 +text\<open>If the encrypted message appears, and B has used Nonce NB,
  30.230 +  then it originated with the Server!  Quite messy proof.\<close>
  30.231  lemma NB_Crypt_imp_Server_msg [rule_format]:
  30.232   "[| B \<notin> bad;  evs \<in> otway |]
  30.233    ==> Crypt (shrK B) {|NB, Key K|} \<in> parts (knows Spy evs)
  30.234 @@ -384,15 +384,15 @@
  30.235  apply simp
  30.236  apply (erule otway.induct, force,
  30.237         drule_tac [4] OR2_parts_knows_Spy, simp_all)
  30.238 -apply blast  --{*Fake*}
  30.239 -apply blast  --{*OR2*}
  30.240 -apply (blast dest: unique_NB dest!: no_nonce_OR1_OR2)  --{*OR3*}
  30.241 -apply (blast dest!: Crypt_imp_OR2)  --{*OR4*}
  30.242 +apply blast  \<comment>\<open>Fake\<close>
  30.243 +apply blast  \<comment>\<open>OR2\<close>
  30.244 +apply (blast dest: unique_NB dest!: no_nonce_OR1_OR2)  \<comment>\<open>OR3\<close>
  30.245 +apply (blast dest!: Crypt_imp_OR2)  \<comment>\<open>OR4\<close>
  30.246  done
  30.247  
  30.248  
  30.249 -text{*Guarantee for B: if it gets a message with matching NB then the Server
  30.250 -  has sent the correct message.*}
  30.251 +text\<open>Guarantee for B: if it gets a message with matching NB then the Server
  30.252 +  has sent the correct message.\<close>
  30.253  theorem B_trusts_OR3:
  30.254       "[| Says B Server {|NA, Agent A, Agent B, X',
  30.255                           Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}
  30.256 @@ -407,8 +407,8 @@
  30.257  by (blast intro!: NB_Crypt_imp_Server_msg)
  30.258  
  30.259  
  30.260 -text{*The obvious combination of @{text B_trusts_OR3} with 
  30.261 -      @{text Spy_not_see_encrypted_key}*}
  30.262 +text\<open>The obvious combination of \<open>B_trusts_OR3\<close> with 
  30.263 +      \<open>Spy_not_see_encrypted_key\<close>\<close>
  30.264  lemma B_gets_good_key:
  30.265       "[| Says B Server {|NA, Agent A, Agent B, X',
  30.266                           Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |}
  30.267 @@ -434,9 +434,9 @@
  30.268  done
  30.269  
  30.270  
  30.271 -text{*After getting and checking OR4, agent A can trust that B has been active.
  30.272 +text\<open>After getting and checking OR4, agent A can trust that B has been active.
  30.273    We could probably prove that X has the expected form, but that is not
  30.274 -  strictly necessary for authentication.*}
  30.275 +  strictly necessary for authentication.\<close>
  30.276  theorem A_auths_B:
  30.277       "[| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} \<in> set evs;
  30.278           Says A  B {|NA, Agent A, Agent B,
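--- a/src/HOL/Auth/OtwayReesBella.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/OtwayReesBella.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -2,19 +2,19 @@
     Author:     Giampaolo Bella, Catania University
 *)
 
-section{*Bella's version of the Otway-Rees protocol*}
+section\<open>Bella's version of the Otway-Rees protocol\<close>
 
 
 theory OtwayReesBella imports Public begin
 
-text{*Bella's modifications to a version of the Otway-Rees protocol taken from
+text\<open>Bella's modifications to a version of the Otway-Rees protocol taken from
 the BAN paper only concern message 7. The updated protocol makes the goal of
 key distribution of the session key available to A. Investigating the
 principle of Goal Availability undermines the BAN claim about the original
 protocol, that "this protocol does not make use of Kab as an encryption key,
 so neither principal can know whether the key is known to the other". The
 updated protocol makes no use of the session key to encrypt but informs A that
-B knows it.*}
+B knows it.\<close>
 
 inductive_set orb :: "event list set"
  where
@@ -76,7 +76,7 @@
 declare Fake_parts_insert_in_Un  [dest]
 
 
-text{*Fragile proof, with backtracking in the possibility call.*}
+text\<open>Fragile proof, with backtracking in the possibility call.\<close>
 lemma possibility_thm: "\<lbrakk>A \<noteq> Server; B \<noteq> Server; Key K \<notin> used[]\<rbrakk>    
      \<Longrightarrow>   \<exists> evs \<in> orb.           
     Says B A \<lbrace>Nonce M, Crypt (shrK A) \<lbrace>Nonce Na, Key K\<rbrace>\<rbrace> \<in> set evs"
@@ -125,15 +125,15 @@
     OR2_analz_knows_Spy [THEN analz_into_parts]
 
 ML
-{*
+\<open>
 fun parts_explicit_tac ctxt i =
     forward_tac ctxt [@{thm Oops_parts_knows_Spy}] (i+7) THEN
     forward_tac ctxt [@{thm OR4_parts_knows_Spy}]  (i+6) THEN
     forward_tac ctxt [@{thm OR2_parts_knows_Spy}]  (i+4)
-*}
+\<close>
  
-method_setup parts_explicit = {*
-    Scan.succeed (SIMPLE_METHOD' o parts_explicit_tac) *}
+method_setup parts_explicit = \<open>
+    Scan.succeed (SIMPLE_METHOD' o parts_explicit_tac)\<close>
   "to explicitly state that some message components belong to parts knows Spy"
 
 
@@ -159,10 +159,10 @@
 
 
 
-subsection{* Proofs involving analz *}
+subsection\<open>Proofs involving analz\<close>
 
-text{*Describes the form of K and NA when the Server sends this message.  Also
-  for Oops case.*}
+text\<open>Describes the form of K and NA when the Server sends this message.  Also
+  for Oops case.\<close>
 lemma Says_Server_message_form: 
 "\<lbrakk>Says Server B  \<lbrace>Nonce M, Crypt (shrK B) \<lbrace>X, Nonce Nb, Key K\<rbrace>\<rbrace> \<in> set evs;  
      evs \<in> orb\<rbrakk>                                            
@@ -233,7 +233,7 @@
 by (blast intro: analz_mono [THEN [2] rev_subsetD])
 
 ML
-{*
+\<open>
 structure OtwayReesBella =
 struct
 
@@ -244,23 +244,23 @@
       addsimps @{thms analz_image_freshK_simps})
 
 end
-*}
+\<close>
 
-method_setup analz_freshCryptK = {*
+method_setup analz_freshCryptK = \<open>
     Scan.succeed (fn ctxt =>
     (SIMPLE_METHOD
     (EVERY [REPEAT_FIRST (resolve_tac ctxt [allI, ballI, impI]),
         REPEAT_FIRST (resolve_tac ctxt @{thms analz_image_freshCryptK_lemma}),
         ALLGOALS (asm_simp_tac
-            (put_simpset OtwayReesBella.analz_image_freshK_ss ctxt))]))) *}
+            (put_simpset OtwayReesBella.analz_image_freshK_ss ctxt))])))\<close>
   "for proving useful rewrite rule"
 
 
-method_setup disentangle = {*
+method_setup disentangle = \<open>
     Scan.succeed
     (fn ctxt => SIMPLE_METHOD
     (REPEAT_FIRST (eresolve_tac ctxt [asm_rl, conjE, disjE] 
-                   ORELSE' hyp_subst_tac ctxt))) *}
+                   ORELSE' hyp_subst_tac ctxt)))\<close>
   "for eliminating conjunctions, disjunctions and the like"
 
 
@@ -303,21 +303,21 @@
 apply (frule_tac [7] Gets_Server_message_form)
 apply (frule_tac [9] Says_Server_message_form)
 apply disentangle
-txt{*letting the simplifier solve OR2*}
+txt\<open>letting the simplifier solve OR2\<close>
 apply (drule_tac [5] Gets_imp_knows_Spy [THEN analz.Inj, THEN analz.Snd, THEN analz.Snd, THEN analz.Snd])
 apply (simp_all (no_asm_simp) add: analz_insert_eq pushes split_ifs)
 apply (spy_analz)
-txt{*OR1*}
+txt\<open>OR1\<close>
 apply blast
-txt{*Oops*}
+txt\<open>Oops\<close>
 prefer 4 apply (blast dest: analz_insert_freshCryptK)
-txt{*OR4 - ii*}
+txt\<open>OR4 - ii\<close>
 prefer 3 apply (blast)
-txt{*OR3*}
+txt\<open>OR3\<close>
 (*adding Gets_imp_ and Says_imp_ for efficiency*)
 apply (blast dest: 
       A_trusts_OR1 unique_Na Key_not_used analz_insert_freshCryptK)
-txt{*OR4 - i *}
+txt\<open>OR4 - i\<close>
 apply clarify
 apply (simp add: pushes split_ifs)
 apply (case_tac "Aaa\<in>bad")
@@ -370,7 +370,7 @@
 done
 
 
-text{*Other properties as for the original protocol*}
+text\<open>Other properties as for the original protocol\<close>
 
 
 end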
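--- a/src/HOL/Auth/OtwayRees_AN.thy	Thu Dec 10 21:31:24 2015 +0100
+++ b/src/HOL/Auth/OtwayRees_AN.thy	Thu Dec 10 21:39:33 2015 +0100
@@ -3,11 +3,11 @@
     Copyright   1996  University of Cambridge
 *)
 
-section{*The Otway-Rees Protocol as Modified by Abadi and Needham*}
+section\<open>The Otway-Rees Protocol as Modified by Abadi and Needham\<close>
 
 theory OtwayRees_AN imports Public begin
 
-text{*
+text\<open>
 This simplified version has minimal encryption and explicit messages.
 
 Note that the formalization does not even assume that nonces are fresh.
@@ -19,36 +19,36 @@
   Abadi and Needham (1996).  
   Prudent Engineering Practice for Cryptographic Protocols.
   IEEE Trans. SE 22 (1)
-*}
+\<close>
 
 inductive_set otway :: "event list set"
   where
-   Nil: --{*The empty trace*}
+   Nil: \<comment>\<open>The empty trace\<close>
        "[] \<in> otway"
 
- | Fake: --{*The Spy may say anything he can say.  The sender field is correct,
-            but agents don't use that information.*}
+ | Fake: \<comment>\<open>The Spy may say anything he can say.  The sender field is correct,
+            but agents don't use that information.\<close>
         "[| evsf \<in> otway;  X \<in> synth (analz (knows Spy evsf)) |]
          ==> Says Spy B X  # evsf \<in> otway"
 
        
- | Reception: --{*A message that has been sent can be received by the
-                  intended recipient.*}
+ | Reception: \<comment>\<open>A message that has been sent can be received by the
+                  intended recipient.\<close>
              "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
               ==> Gets B X # evsr \<in> otway"
 
- | OR1:  --{*Alice initiates a protocol run*}
+ | OR1:  \<comment>\<open>Alice initiates a protocol run\<close>
         "evs1 \<in> otway
          ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 \<in> otway"
 
- | OR2:  --{*Bob's response to Alice's message.*}
+ | OR2:  \<comment>\<open>Bob's response to Alice's message.\<close>
         "[| evs2 \<in> otway;
             Gets B {|Agent A, Agent B, Nonce NA|} \<in>set evs2 |]
          ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
                 # evs2 \<in> otway"
 
- | OR3:  --{*The Server receives Bob's message.  Then he sends a new
-           session key to Bob with a packet for forwarding to Alice.*}
+ | OR3:  \<comment>\<open>The Server receives Bob's message.  Then he sends a new
+           session key to Bob with a packet for forwarding to Alice.\<close>
         "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
             Gets Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
               \<in>set evs3 |]
@@ -57,17 +57,17 @@
                 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|}
              # evs3 \<in> otway"
 
- | OR4:  --{*Bob receives the Server's (?) message and compares the Nonces with
+ | OR4:  \<comment>\<open>Bob receives the Server's (?) message and compares the Nonces with
             those in the message he previously sent the Server.
-             Need @{term "B \<noteq> Server"} because we allow messages to self.*}
+             Need @{term "B \<noteq> Server"} because we allow messages to self.\<close>
         "[| evs4 \<in> otway;  B \<noteq> Server;
            Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} \<in>set evs4;
            Gets B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|}
             \<in>set evs4 |]
         ==> Says B A X # evs4 \<in> otway"
 
- | Oops: --{*This message models possible leaks of session keys.  The nonces
-             identify the protocol run.*}
+ | Oops: \<comment>\<open>This message models possible leaks of session keys.  The nonces
+             identify the protocol run.\<close>
         "[| evso \<in> otway;
            Says Server B
                     {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|},
@@ -82,7 +82,7 @@
 declare Fake_parts_insert_in_Un  [dest]
 
 
-text{*A "possibility property": there are traces that reach the end*}
+text\<open>A "possibility property": there are traces that reach the end\<close>
 lemma "[| B \<noteq> Server; Key K \<notin> used [] |]
       ==> \<exists>evs \<in> otway.
           Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|})
@@ -101,7 +101,7 @@
 
 
 
-text{* For reasoning about the encrypted portion of messages *}
+text\<open>For reasoning about the encrypted portion of messages\<close>
 
 lemma OR4_analz_knows_Spy:
      "[| Gets B {|X, Crypt(shrK B) X'|} \<in> set evs;  evs \<in> otway |]
@@ -109,10 +109,10 @@
 by blast
 
 
-text{*Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that
-NOBODY sends messages containing X! *}
+text\<open>Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that
+NOBODY sends messages containing X!\<close>
 
-text{*Spy never sees a good agent's shared key!*}
+text\<open>Spy never sees a good agent's shared key!\<close>
 lemma Spy_see_shrK [simp]:
      "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)"
 by (erule otway.induct, simp_all, blast+)
@@ -126,9 +126,9 @@
 by (blast dest: Spy_see_shrK)
 
 
-subsection{*Proofs involving analz *}
+subsection\<open>Proofs involving analz\<close>
 
-text{*Describes the form of K and NA when the Server sends this message.*}
+text\<open>Describes the form of K and NA when the Server sends this message.\<close>
 lemma Says_Server_message_form:
      "[| Says Server B
             {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},
@@ -152,9 +152,9 @@
 ****)
 
 
-text{* Session keys are not used to encrypt other session keys *}
+text\<open>Session keys are not used to encrypt other session keys\<close>
 
-text{*The equality makes the induction hypothesis easier to apply*}
+text\<open>The equality makes the induction hypothesis easier to apply\<close>
 lemma analz_image_freshK [rule_format]:
  "evs \<in> otway ==>
    \<forall>K KK. KK <= -(range shrK) -->
@@ -172,7 +172,7 @@
 by (simp only: analz_image_freshK analz_image_freshK_simps)
 
 
-text{*The Key K uniquely identifies the Server's message.*}
+text\<open>The Key K uniquely identifies the Server's message.\<close>
 lemma unique_session_keys:
      "[| Says Server B
           {|Crypt (shrK A) {|NA, Agent A, Agent B, K|},
@@ -185,13 +185,13 @@
         evs \<in> otway |]
      ==> A=A' & B=B' & NA=NA' & NB=NB'"
 apply (erule rev_mp, erule rev_mp, erule otway.induct, simp_all)
-apply blast+  --{*OR3 and OR4*}
+apply blast+  \<comment>\<open>OR3 and OR4\<close>
 done
 
 
-subsection{*Authenticity properties relating to NA*}
+subsection\<open>Authenticity properties relating to NA\<close>
 
-text{*If the encrypted message appears then it originated with the Server!*}
+text\<open>If the encrypted message appears then it originated with the Server!\<close>
 lemma NA_Crypt_imp_Server_msg [rule_format]:
     "[| A \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
      ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} \<in> parts (knows Spy evs)
@@ -201,12 +201,12 @@
                     \<in> set evs)"
 apply (erule otway.induct, force)
 apply (simp_all add: ex_disj_distrib)
-apply blast+  --{*Fake, OR3*}
+apply blast+  \<comment>\<open>Fake, OR3\<close>
 done
 
 
-text{*Corollary: if A receives B's OR4 message then it originated with the
-      Server. Freshness may be inferred from nonce NA.*}
+text\<open>Corollary: if A receives B's OR4 message then it originated with the
+      Server. Freshness may be inferred from nonce NA.\<close>
 lemma A_trusts_OR4:
      "[| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \<in> set evs;
          A \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
@@ -217,9 +217,9 @@
 by (blast intro!: NA_Crypt_imp_Server_msg)
 
 
-text{*Crucial secrecy property: Spy does not see the keys sent in msg OR3
+text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3
     Does not in itself guarantee security: an attack could violate
-    the premises, e.g. by having @{term "A=Spy"}*}
+    the premises, e.g. by having @{term "A=Spy"}\<close>
 lemma secrecy_lemma:
      "[| A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
       ==> Says Server B
@@ -232,8 +232,8 @@
 apply (frule_tac [7] Says_Server_message_form)
 apply (drule_tac [6] OR4_analz_knows_Spy)
 apply (simp_all add: analz_insert_eq analz_insert_freshK pushes)
-apply spy_analz  --{*Fake*}
-apply (blast dest: unique_session_keys)+  --{*OR3, OR4, Oops*}
+apply spy_analz  \<comment>\<open>Fake\<close>
+apply (blast dest: unique_session_keys)+  \<comment>\<open>OR3, OR4, Oops\<close>
 done
 
 
@@ -248,8 +248,8 @@
   by (metis secrecy_lemma)
 
 
-text{*A's guarantee.  The Oops premise quantifies over NB because A cannot know
-  what it is.*}
+text\<open>A's guarantee.  The Oops premise quantifies over NB because A cannot know
+  what it is.\<close>
 lemma A_gets_good_key:
      "[| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}) \<in> set evs;
         \<forall>NB. Notes Spy {|NA, NB, Key K|} \<notin> set evs;
@@ -259,9 +259,9 @@
 
 
 
-subsection{*Authenticity properties relating to NB*}
+subsection\<open>Authenticity properties relating to NB\<close>
 
-text{*If the encrypted message appears then it originated with the Server!*}
+text\<open>If the encrypted message appears then it originated with the Server!\<close>
 lemma NB_Crypt_imp_Server_msg [rule_format]:
  "[| B \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
   ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} \<in> parts (knows Spy evs)
@@ -270,13 +270,13 @@
                      Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
                    \<in> set evs)"
 apply (erule otway.induct, force, simp_all add: ex_disj_distrib)
-apply blast+  --{*Fake, OR3*}
+apply blast+  \<comment>\<open>Fake, OR3\<close>
 done
 
 
 
-text{*Guarantee for B: if it gets a well-formed certificate then the Server
-  has sent the correct message in round 3.*}
+text\<open>Guarantee for B: if it gets a well-formed certificate then the Server
+  has sent the correct message in round 3.\<close>
 lemma B_trusts_OR3:
      "[| Says S B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
            \<in> set evs;
@@ -288,8 +288,8 @@
 by (blast intro!: NB_Crypt_imp_Server_msg)
 
 
-text{*The obvious combination of @{text B_trusts_OR3} with 
-      @{text Spy_not_see_encrypted_key}*}
+text\<open>The obvious combination of \<open>B_trusts_OR3\<close> with 
+      \<open>Spy_not_see_encrypted_key\<close>\<close>
 lemma B_gets_good_key:
      "[| Gets B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}
           \<in> set evs;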
    33.1 --- a/src/HOL/Auth/OtwayRees_Bad.thy	Thu Dec 10 21:31:24 2015 +0100
    33.2 +++ b/src/HOL/Auth/OtwayRees_Bad.thy	Thu Dec 10 21:39:33 2015 +0100
    33.3 @@ -4,44 +4,44 @@
    33.4  *)
    33.5  
    33.6  
    33.7 -section{*The Otway-Rees Protocol: The Faulty BAN Version*}
    33.8 +section\<open>The Otway-Rees Protocol: The Faulty BAN Version\<close>
    33.9  
   33.10  theory OtwayRees_Bad imports Public begin
   33.11  
   33.12 -text{*The FAULTY version omitting encryption of Nonce NB, as suggested on 
   33.13 +text\<open>The FAULTY version omitting encryption of Nonce NB, as suggested on 
   33.14  page 247 of
   33.15    Burrows, Abadi and Needham (1988).  A Logic of Authentication.
   33.16    Proc. Royal Soc. 426
   33.17  
   33.18  This file illustrates the consequences of such errors.  We can still prove
   33.19 -impressive-looking properties such as @{text Spy_not_see_encrypted_key}, yet
   33.20 +impressive-looking properties such as \<open>Spy_not_see_encrypted_key\<close>, yet
   33.21  the protocol is open to a middleperson attack.  Attempting to prove some key
   33.22 -lemmas indicates the possibility of this attack.*}
   33.23 +lemmas indicates the possibility of this attack.\<close>
   33.24  
   33.25  inductive_set otway :: "event list set"
   33.26    where
   33.27 -   Nil: --{*The empty trace*}
   33.28 +   Nil: \<comment>\<open>The empty trace\<close>
   33.29          "[] \<in> otway"
   33.30  
   33.31 - | Fake: --{*The Spy may say anything he can say.  The sender field is correct,
   33.32 -            but agents don't use that information.*}
   33.33 + | Fake: \<comment>\<open>The Spy may say anything he can say.  The sender field is correct,
   33.34 +            but agents don't use that information.\<close>
   33.35           "[| evsf \<in> otway;  X \<in> synth (analz (knows Spy evsf)) |]
   33.36            ==> Says Spy B X  # evsf \<in> otway"
   33.37  
   33.38          
   33.39 - | Reception: --{*A message that has been sent can be received by the
   33.40 -                  intended recipient.*}
   33.41 + | Reception: \<comment>\<open>A message that has been sent can be received by the
   33.42 +                  intended recipient.\<close>
   33.43                "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
   33.44                 ==> Gets B X # evsr \<in> otway"
   33.45  
   33.46 - | OR1:  --{*Alice initiates a protocol run*}
   33.47 + | OR1:  \<comment>\<open>Alice initiates a protocol run\<close>
   33.48           "[| evs1 \<in> otway;  Nonce NA \<notin> used evs1 |]
   33.49            ==> Says A B {|Nonce NA, Agent A, Agent B,
   33.50                           Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |}
   33.51                   # evs1 \<in> otway"
   33.52  
   33.53 - | OR2:  --{*Bob's response to Alice's message.
   33.54 -             This variant of the protocol does NOT encrypt NB.*}
   33.55 + | OR2:  \<comment>\<open>Bob's response to Alice's message.
   33.56 +             This variant of the protocol does NOT encrypt NB.\<close>
   33.57           "[| evs2 \<in> otway;  Nonce NB \<notin> used evs2;
   33.58               Gets B {|Nonce NA, Agent A, Agent B, X|} \<in> set evs2 |]
   33.59            ==> Says B Server
   33.60 @@ -49,9 +49,9 @@
   33.61                      Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
   33.62                   # evs2 \<in> otway"
   33.63  
   33.64 - | OR3:  --{*The Server receives Bob's message and checks that the three NAs
   33.65 + | OR3:  \<comment>\<open>The Server receives Bob's message and checks that the three NAs
   33.66             match.  Then he sends a new session key to Bob with a packet for
   33.67 -           forwarding to Alice.*}
   33.68 +           forwarding to Alice.\<close>
   33.69           "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
   33.70               Gets Server
   33.71                    {|Nonce NA, Agent A, Agent B,
   33.72 @@ -65,9 +65,9 @@
   33.73                      Crypt (shrK B) {|Nonce NB, Key KAB|}|}
   33.74                   # evs3 \<in> otway"
   33.75  
   33.76 - | OR4:  --{*Bob receives the Server's (?) message and compares the Nonces with
   33.77 + | OR4:  \<comment>\<open>Bob receives the Server's (?) message and compares the Nonces with
   33.78               those in the message he previously sent the Server.
   33.79 -             Need @{term "B \<noteq> Server"} because we allow messages to self.*}
   33.80 +             Need @{term "B \<noteq> Server"} because we allow messages to self.\<close>
   33.81           "[| evs4 \<in> otway;  B \<noteq> Server;
   33.82               Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB,
   33.83                               Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
   33.84 @@ -76,8 +76,8 @@
   33.85                 \<in> set evs4 |]
   33.86            ==> Says B A {|Nonce NA, X|} # evs4 \<in> otway"
   33.87  
   33.88 - | Oops: --{*This message models possible leaks of session keys.  The nonces
   33.89 -             identify the protocol run.*}
   33.90 + | Oops: \<comment>\<open>This message models possible leaks of session keys.  The nonces
   33.91 +             identify the protocol run.\<close>
   33.92           "[| evso \<in> otway;
   33.93               Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
   33.94                 \<in> set evso |]
   33.95 @@ -89,7 +89,7 @@
   33.96  declare analz_into_parts [dest]
   33.97  declare Fake_parts_insert_in_Un  [dest]
   33.98  
   33.99 -text{*A "possibility property": there are traces that reach the end*}
  33.100 +text\<open>A "possibility property": there are traces that reach the end\<close>
  33.101  lemma "[| B \<noteq> Server; Key K \<notin> used [] |]
  33.102        ==> \<exists>NA. \<exists>evs \<in> otway.
  33.103              Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|}
  33.104 @@ -109,7 +109,7 @@
  33.105  done
  33.106  
  33.107  
  33.108 -subsection{*For reasoning about the encrypted portion of messages *}
  33.109 +subsection\<open>For reasoning about the encrypted portion of messages\<close>
  33.110  
  33.111  lemma OR2_analz_knows_Spy:
  33.112       "[| Gets B {|N, Agent A, Agent B, X|} \<in> set evs;  evs \<in> otway |]
  33.113 @@ -126,15 +126,15 @@
  33.114        ==> K \<in> parts (knows Spy evs)"
  33.115  by blast
  33.116  
  33.117 -text{*Forwarding lemma: see comments in OtwayRees.thy*}
  33.118 +text\<open>Forwarding lemma: see comments in OtwayRees.thy\<close>
  33.119  lemmas OR2_parts_knows_Spy =
  33.120      OR2_analz_knows_Spy [THEN analz_into_parts]
  33.121  
  33.122  
  33.123 -text{*Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that
  33.124 -NOBODY sends messages containing X! *}
  33.125 +text\<open>Theorems of the form @{term "X \<notin> parts (spies evs)"} imply that
  33.126 +NOBODY sends messages containing X!\<close>
  33.127  
  33.128 -text{*Spy never sees a good agent's shared key!*}
  33.129 +text\<open>Spy never sees a good agent's shared key!\<close>
  33.130  lemma Spy_see_shrK [simp]:
  33.131       "evs \<in> otway ==> (Key (shrK A) \<in> parts (knows Spy evs)) = (A \<in> bad)"
  33.132  by (erule otway.induct, force,
  33.133 @@ -150,10 +150,10 @@
  33.134  by (blast dest: Spy_see_shrK)
  33.135  
  33.136  
  33.137 -subsection{*Proofs involving analz *}
  33.138 +subsection\<open>Proofs involving analz\<close>
  33.139  
  33.140 -text{*Describes the form of K and NA when the Server sends this message.  Also
  33.141 -  for Oops case.*}
  33.142 +text\<open>Describes the form of K and NA when the Server sends this message.  Also
  33.143 +  for Oops case.\<close>
  33.144  lemma Says_Server_message_form:
  33.145       "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} \<in> set evs;
  33.146           evs \<in> otway |]
  33.147 @@ -173,9 +173,9 @@
  33.148  ****)
  33.149  
  33.150  
  33.151 -text{*Session keys are not used to encrypt other session keys*}
  33.152 +text\<open>Session keys are not used to encrypt other session keys\<close>
  33.153  
  33.154 -text{*The equality makes the induction hypothesis easier to apply*}
  33.155 +text\<open>The equality makes the induction hypothesis easier to apply\<close>
  33.156  lemma analz_image_freshK [rule_format]:
  33.157   "evs \<in> otway ==>
  33.158     \<forall>K KK. KK <= -(range shrK) -->
  33.159 @@ -194,7 +194,7 @@
  33.160  by (simp only: analz_image_freshK analz_image_freshK_simps)
  33.161  
  33.162  
  33.163 -text{*The Key K uniquely identifies the Server's  message. *}
  33.164 +text\<open>The Key K uniquely identifies the Server's  message.\<close>
  33.165  lemma unique_session_keys:
  33.166       "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}   \<in> set evs;
  33.167           Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} \<in> set evs;
  33.168 @@ -202,13 +202,13 @@
  33.169  apply (erule rev_mp)
  33.170  apply (erule rev_mp)
  33.171  apply (erule otway.induct, simp_all)
  33.172 -apply blast+  --{*OR3 and OR4*}
  33.173 +apply blast+  \<comment>\<open>OR3 and OR4\<close>
  33.174  done
  33.175  
  33.176  
  33.177 -text{*Crucial secrecy property: Spy does not see the keys sent in msg OR3
  33.178 +text\<open>Crucial secrecy property: Spy does not see the keys sent in msg OR3
  33.179      Does not in itself guarantee security: an attack could violate
  33.180 -    the premises, e.g. by having @{term "A=Spy"} *}
  33.181 +    the premises, e.g. by having @{term "A=Spy"}\<close>
  33.182  lemma secrecy_lemma:
  33.183   "[| A \<notin> bad;  B \<notin> bad;  evs \<in> otway |]
  33.184    ==> Says Server B
  33.185 @@ -221,8 +221,8 @@
  33.186  apply (drule_tac [6] OR4_analz_knows_Spy)
  33.187  apply (drule_tac [4] OR2_analz_knows_Spy)
  33.188  apply (simp_all add: analz_insert_eq analz_insert_freshK pushes)
  33.189 -apply spy_analz  --{*Fake*}
  33.190 -apply (blast dest: unique_session_keys)+  --{*OR3, OR4, Oops*}
  33.191 +apply spy_analz  \<comment>\<open>Fake\<close>
  33.192 +apply (blast dest: unique_session_keys)+  \<comment>\<open>OR3, OR4, Oops\<close>
  33.193  done
  33.194  
  33.195  
  33.196 @@ -236,11 +236,11 @@
  33.197  by (blast dest: Says_Server_message_form secrecy_lemma)
  33.198  
  33.199  
  33.200 -subsection{*Attempting to prove stronger properties *}
  33.201 +subsection\<open>Attempting to prove stronger properties\<close>
  33.202  
  33.203 -text{*Only OR1 can have caused such a part of a message to appear. The premise
  33.204 +text\<open>Only OR1 can have caused such a part of a message to appear. The premise
  33.205    @{term "A \<noteq> B"} prevents OR2's similar-looking cryptogram from being picked 
  33.206 -  up. Original Otway-Rees doesn't need it.*}
  33.207 +  up. Original Otway-Rees doesn't need it.\<close>
  33.208  lemma Crypt_imp_OR1 [rule_format]:
  33.209       "[| A \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
  33.210        ==> Crypt (shrK A) {|NA, Agent A, Agent B|} \<in> parts (knows Spy evs) -->
  33.211 @@ -250,11 +250,11 @@
  33.212      drule_tac [4] OR2_parts_knows_Spy, simp_all, blast+)
  33.213  
  33.214  
  33.215 -text{*Crucial property: If the encrypted message appears, and A has used NA
  33.216 +text\<open>Crucial property: If the encrypted message appears, and A has used NA
  33.217    to start a run, then it originated with the Server!
  33.218 -  The premise @{term "A \<noteq> B"} allows use of @{text Crypt_imp_OR1}*}
  33.219 -text{*Only it is FALSE.  Somebody could make a fake message to Server
  33.220 -          substituting some other nonce NA' for NB.*}
  33.221 +  The premise @{term "A \<noteq> B"} allows use of \<open>Crypt_imp_OR1\<close>\<close>
  33.222 +text\<open>Only it is FALSE.  Somebody could make a fake message to Server
  33.223 +          substituting some other nonce NA' for NB.\<close>
  33.224  lemma "[| A \<notin> bad;  A \<noteq> B;  evs \<in> otway |]
  33.225         ==> Crypt (shrK A) {|NA, Key K|} \<in> parts (knows Spy evs) -->
  33.226             Says A B {|NA, Agent A, Agent B,
  33.227 @@ -266,12 +266,12 @@
  33.228                    Crypt (shrK B) {|NB, Key K|}|}  \<in> set evs)"
  33.229  apply (erule otway.induct, force,
  33.230         drule_tac [4] OR2_parts_knows_Spy, simp_all)
  33.231 -apply blast  --{*Fake*}
  33.232 -apply blast  --{*OR1: it cannot be a new Nonce, contradiction.*}
  33.233 -txt{*OR3 and OR4*}
  33.234 +apply blast  \<comment>\<open>Fake\<close>
  33.235 +apply blast  \<comment>\<open>OR1: it cannot be a new Nonce, contradiction.\<close>
  33.236 +txt\<open>OR3 and OR4\<close>
  33.237  apply (simp_all add: ex_disj_distrib)
  33.238 - prefer 2 apply (blast intro!: Crypt_imp_OR1)  --{*OR4*}
  33.239 -txt{*OR3*}
  33.240 + prefer 2 apply (blast intro!: Crypt_imp_OR1)  \<comment>\<open>OR4\<close>
  33.241 +txt\<open>OR3\<close>
  33.242  apply clarify
  33.243  (*The hypotheses at this point suggest an attack in which nonce NB is used
  33.244    in two different roles:
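--- a/src/HOL/Auth/Public.thy
+++ b/src/HOL/Auth/Public.thy
@@ -14,7 +14,7 @@
 lemma invKey_K: "K \<in> symKeys ==> invKey K = K"
 by (simp add: symKeys_def)
 
-subsection{*Asymmetric Keys*}
+subsection\<open>Asymmetric Keys\<close>
 
 datatype keymode = Signature | Encryption
 
@@ -43,8 +43,8 @@
   "priSK A == privateKey Signature A"
 
 
-text{*These abbreviations give backward compatibility.  They represent the
-simple situation where the signature and encryption keys are the same.*}
+text\<open>These abbreviations give backward compatibility.  They represent the
+simple situation where the signature and encryption keys are the same.\<close>
 
 abbreviation
   pubK :: "agent => key" where
@@ -55,8 +55,8 @@
   "priK A == invKey (pubEK A)"
 
 
-text{*By freeness of agents, no two agents have the same key.  Since
-  @{term "True\<noteq>False"}, no agent has identical signing and encryption keys*}
+text\<open>By freeness of agents, no two agents have the same key.  Since
+  @{term "True\<noteq>False"}, no agent has identical signing and encryption keys\<close>
 specification (publicKey)
   injective_publicKey:
     "publicKey b A = publicKey c A' ==> b=c & A=A'"
@@ -77,7 +77,7 @@
 declare publicKey_neq_privateKey [iff]
 
 
-subsection{*Basic properties of @{term pubK} and @{term priK}*}
+subsection\<open>Basic properties of @{term pubK} and @{term priK}\<close>
 
 lemma publicKey_inject [iff]: "(publicKey b A = publicKey c A') = (b=c & A=A')"
 by (blast dest!: injective_publicKey) 
@@ -104,7 +104,7 @@
 
 
 
-subsection{*"Image" equations that hold for injective functions*}
+subsection\<open>"Image" equations that hold for injective functions\<close>
 
 lemma invKey_image_eq [simp]: "(invKey x \<in> invKey`A) = (x \<in> A)"
 by auto
@@ -125,26 +125,26 @@
 by auto
 
 
-subsection{*Symmetric Keys*}
+subsection\<open>Symmetric Keys\<close>
 
-text{*For some protocols, it is convenient to equip agents with symmetric as
-well as asymmetric keys.  The theory @{text Shared} assumes that all keys
-are symmetric.*}
+text\<open>For some protocols, it is convenient to equip agents with symmetric as
+well as asymmetric keys.  The theory \<open>Shared\<close> assumes that all keys
+are symmetric.\<close>
 
 consts
-  shrK    :: "agent => key"    --{*long-term shared keys*}
+  shrK    :: "agent => key"    \<comment>\<open>long-term shared keys\<close>
 
 specification (shrK)
   inj_shrK: "inj shrK"
-  --{*No two agents have the same long-term key*}
+  \<comment>\<open>No two agents have the same long-term key\<close>
    apply (rule exI [of _ "case_agent 0 (\<lambda>n. n + 2) 1"]) 
    apply (simp add: inj_on_def split: agent.split) 
    done
 
 axiomatization where
-  sym_shrK [iff]: "shrK X \<in> symKeys" --{*All shared keys are symmetric*}
+  sym_shrK [iff]: "shrK X \<in> symKeys" \<comment>\<open>All shared keys are symmetric\<close>
 
-text{*Injectiveness: Agents' long-term keys are distinct.*}
+text\<open>Injectiveness: Agents' long-term keys are distinct.\<close>
 lemmas shrK_injective = inj_shrK [THEN inj_eq]
 declare shrK_injective [iff]
 
@@ -189,15 +189,15 @@
 lemma shrK_image_eq [simp]: "(shrK x \<in> shrK ` AA) = (x \<in> AA)"
 by auto
 
-text{*For some reason, moving this up can make some proofs loop!*}
+text\<open>For some reason, moving this up can make some proofs loop!\<close>
 declare invKey_K [simp]
 
 
-subsection{*Initial States of Agents*}
+subsection\<open>Initial States of Agents\<close>
 
-text{*Note: for all practical purposes, all that matters is the initial
+text\<open>Note: for all practical purposes, all that matters is the initial
 knowledge of the Spy.  All other agents are automata, merely following the
-protocol.*}
+protocol.\<close>
 
 overloading
   initState \<equiv> initState
@@ -224,10 +224,10 @@
 end
 
 
-text{*These lemmas allow reasoning about @{term "used evs"} rather than
+text\<open>These lemmas allow reasoning about @{term "used evs"} rather than
    @{term "knows Spy evs"}, which is useful when there are private Notes. 
    Because they depend upon the definition of @{term initState}, they cannot
-   be moved up.*}
+   be moved up.\<close>
 
 lemma used_parts_subset_parts [rule_format]:
      "\<forall>X \<in> used evs. parts {X} \<subseteq> used evs"
@@ -235,15 +235,15 @@
  prefer 2
  apply (simp add: used_Cons split: event.split)
  apply (metis Un_iff empty_subsetI insert_subset le_supI1 le_supI2 parts_subset_iff)
-txt{*Base case*}
+txt\<open>Base case\<close>
 apply (auto dest!: parts_cut simp add: used_Nil) 
 done
 
 lemma MPair_used_D: "{|X,Y|} \<in> used H ==> X \<in> used H & Y \<in> used H"
 by (drule used_parts_subset_parts, simp, blast)
 
-text{*There was a similar theorem in Event.thy, so perhaps this one can
-  be moved up if proved directly by induction.*}
+text\<open>There was a similar theorem in Event.thy, so perhaps this one can
+  be moved up if proved directly by induction.\<close>
 lemma MPair_used [elim!]:
      "[| {|X,Y|} \<in> used H;
          [| X \<in> used H; Y \<in> used H |] ==> P |] 
@@ -251,8 +251,8 @@
 by (blast dest: MPair_used_D) 
 
 
-text{*Rewrites should not refer to  @{term "initState(Friend i)"} because
-  that expression is not in normal form.*}
+text\<open>Rewrites should not refer to  @{term "initState(Friend i)"} because
+  that expression is not in normal form.\<close>
 
 lemma keysFor_parts_initState [simp]: "keysFor (parts (initState C)) = {}"
 apply (unfold keysFor_def)
@@ -293,20 +293,20 @@
 declare neq_shrK [simp]
 
 
-subsection{*Function @{term spies} *}
+subsection\<open>Function @{term spies}\<close>
 
 lemma not_SignatureE [elim!]: "b \<noteq> Signature \<Longrightarrow> b = Encryption"
   by (cases b, auto) 
 
-text{*Agents see their own private keys!*}
+text\<open>Agents see their own private keys!\<close>
 lemma priK_in_initState [iff]: "Key (privateKey b A) \<in> initState A"
   by (cases A, auto)
 
-text{*Agents see all public keys!*}
+text\<open>Agents see all public keys!\<close>
 lemma publicKey_in_initState [iff]: "Key (publicKey b A) \<in> initState B"
   by (cases B, auto) 
 
-text{*All public keys are visible*}
+text\<open>All public keys are visible\<close>
 lemma spies_pubK [iff]: "Key (publicKey b A) \<in> spies evs"
 apply (induct_tac "evs")
 apply (auto simp add: imageI knows_Cons split add: event.split)
@@ -315,14 +315,14 @@
 lemmas analz_spies_pubK = spies_pubK [THEN analz.Inj]
 declare analz_spies_pubK [iff]
 
-text{*Spy sees private keys of bad agents!*}
+text\<open>Spy sees private keys of bad agents!\<close>
 lemma Spy_spies_bad_privateKey [intro!]:
      "A \<in> bad ==> Key (privateKey b A) \<in> spies evs"
 apply (induct_tac "evs")
 apply (auto simp add: imageI knows_Cons split add: event.split)
 done
 
-text{*Spy sees long-term shared keys of bad agents!*}
+text\<open>Spy sees long-term shared keys of bad agents!\<close>
 lemma Spy_spies_bad_shrK [intro!]:
      "A \<in> bad ==> Key (shrK A) \<in> spies evs"
 apply (induct_tac "evs")
@@ -346,7 +346,7 @@
 by force
 
 
-subsection{*Fresh Nonces*}
+subsection\<open>Fresh Nonces\<close>
 
 lemma Nonce_notin_initState [iff]: "Nonce N \<notin> parts (initState B)"
 by (induct_tac "B", auto)
@@ -355,9 +355,9 @@
 by (simp add: used_Nil)
 
 
-subsection{*Supply fresh nonces for possibility theorems*}
+subsection\<open>Supply fresh nonces for possibility theorems\<close>
 
-text{*In any trace, there is an upper bound N on the greatest nonce in use*}
+text\<open>In any trace, there is an upper bound N on the greatest nonce in use\<close>
 lemma Nonce_supply_lemma: "EX N. ALL n. N<=n --> Nonce n \<notin> used evs"
 apply (induct_tac "evs")
 apply (rule_tac x = 0 in exI)
@@ -374,7 +374,7 @@
 apply (rule someI, fast)
 done
 
-subsection{*Specialized Rewriting for Theorems About @{term analz} and Image*}
+subsection\<open>Specialized Rewriting for Theorems About @{term analz} and Image\<close>
 
 lemma insert_Key_singleton: "insert (Key K) H = Key ` {K} Un H"
 by blast
@@ -386,22 +386,22 @@
 lemma Crypt_imp_keysFor :"[|Crypt K X \<in> H; K \<in> symKeys|] ==> K \<in> keysFor H"
 by (drule Crypt_imp_invKey_keysFor, simp)
 
-text{*Lemma for the trivial direction of the if-and-only-if of the 
-Session Key Compromise Theorem*}
+text\<open>Lemma for the trivial direction of the if-and-only-if of the 
+Session Key Compromise Theorem\<close>
 lemma analz_image_freshK_lemma:
      "(Key K \<in> analz (Key`nE \<union> H)) --> (K \<in> nE | Key K \<in> analz H)  ==>  
         (Key K \<in> analz (Key`nE \<union> H)) = (K \<in> nE | Key K \<in> analz H)"
 by (blast intro: analz_mono [THEN [2] rev_subsetD])
 
 lemmas analz_image_freshK_simps =
-       simp_thms mem_simps --{*these two allow its use with @{text "only:"}*}
+       simp_thms mem_simps \<comment>\<open>these two allow its use with \<open>only:\<close>\<close>
        disj_comms 
        image_insert [THEN sym] image_Un [THEN sym] empty_subsetI insert_subset
        analz_insert_eq Un_upper2 [THEN analz_mono, THEN subsetD]
        insert_Key_singleton 
        Key_not_used insert_Key_image Un_assoc [THEN sym]
 
-ML {*
+ML \<open>
 structure Public =
 struct
 
@@ -428,25 +428,25 @@
      REPEAT_FIRST (resolve_tac ctxt [refl, conjI]))
 
 end
-*}
+\<close>
 
-method_setup analz_freshK = {*
+method_setup analz_freshK = \<open>
     Scan.succeed (fn ctxt =>
      (SIMPLE_METHOD
       (EVERY [REPEAT_FIRST (resolve_tac ctxt [allI, ballI, impI]),
           REPEAT_FIRST (resolve_tac ctxt @{thms analz_image_freshK_lemma}),
-          ALLGOALS (asm_simp_tac (put_simpset Public.analz_image_freshK_ss ctxt))]))) *}
+          ALLGOALS (asm_simp_tac (put_simpset Public.analz_image_freshK_ss ctxt))])))\<close>
     "for proving the Session Key Compromise theorem"
 
 
-subsection{*Specialized Methods for Possibility Theorems*}
+subsection\<open>Specialized Methods for Possibility Theorems\<close>
 
-method_setup possibility = {*
-    Scan.succeed (SIMPLE_METHOD o Public.possibility_tac) *}
+method_setup possibility = \<open>
+    Scan.succeed (SIMPLE_METHOD o Public.possibility_tac)\<close>
     "for proving possibility theorems"
 
-method_setup basic_possibility = {*
-    Scan.succeed (SIMPLE_METHOD o Public.basic_possibility_tac) *}
+method_setup basic_possibility = \<open>
+    Scan.succeed (SIMPLE_METHOD o Public.basic_possibility_tac)\<close>
     "for proving possibility theorems"
 
 end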
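--- a/src/HOL/Auth/Recur.thy
+++ b/src/HOL/Auth/Recur.thy
@@ -3,11 +3,11 @@
     Copyright   1996  University of Cambridge
 *)
 
-section{*The Otway-Bull Recursive Authentication Protocol*}
+section\<open>The Otway-Bull Recursive Authentication Protocol\<close>
 
 theory Recur imports Public begin
 
-text{*End marker for message bundles*}
+text\<open>End marker for message bundles\<close>
 abbreviation
   END :: "msg" where
   "END == Number 0"
@@ -117,7 +117,7 @@
 **)
 
 
-text{*Simplest case: Alice goes directly to the server*}
+text\<open>Simplest case: Alice goes directly to the server\<close>
 lemma "Key K \<notin> used [] 
        ==> \<exists>NA. \<exists>evs \<in> recur.
              Says Server A {|Crypt (shrK A) {|Key K, Agent Server, Nonce NA|},
@@ -129,7 +129,7 @@
 done
 
 
-text{*Case two: Alice, Bob and the server*}
+text\<open>Case two: Alice, Bob and the server\<close>
 lemma "[| Key K \<notin> used []; Key K' \<notin> used []; K \<noteq> K';
           Nonce NA \<notin> used []; Nonce NB \<notin> used []; NA < NB |]
        ==> \<exists>NA. \<exists>evs \<in> recur.
@@ -176,7 +176,7 @@
 apply (auto dest: Key_not_used respond_imp_not_used)
 done
 
-text{*Simple inductive reasoning about responses*}
+text\<open>Simple inductive reasoning about responses\<close>
 lemma respond_imp_responses:
      "(PA,RB,KAB) \<in> respond evs ==> RB \<in> responses evs"
 apply (erule respond.induct)
@@ -210,7 +210,7 @@
 lemma Spy_see_shrK [simp]:
      "evs \<in> recur ==> (Key (shrK A) \<in> parts (spies evs)) = (A \<in> bad)"
 apply (erule recur.induct, auto)
-txt{*RA3.  It's ugly to call auto twice, but it seems necessary.*}
+txt\<open>RA3.  It's ugly to call auto twice, but it seems necessary.\<close>
 apply (auto dest: Key_in_parts_respond simp add: parts_insert_spies)
 done
 
@@ -244,7 +244,7 @@
 done 
 
 
-text{*Version for the protocol.  Proof is easy, thanks to the lemma.*}
+text\<open>Version for the protocol.  Proof is easy, thanks to the lemma.\<close>
 lemma raw_analz_image_freshK:
  "evs \<in> recur ==>
    \<forall>K KK. KK \<subseteq> - (range shrK) -->
@@ -254,7 +254,7 @@
 apply (drule_tac [4] RA2_analz_spies,
        drule_tac [5] respond_imp_responses,
        drule_tac [6] RA4_analz_spies, analz_freshK, spy_analz)
-txt{*RA3*}
+txt\<open>RA3\<close>
 apply (simp_all add: resp_analz_image_freshK_lemma)
 done
 
@@ -276,7 +276,7 @@
          add: analz_image_freshK_simps raw_analz_image_freshK)
 
 
-text{*Everything that's hashed is already in past traffic. *}
+text\<open>Everything that's hashed is already in past traffic.\<close>
 lemma Hash_imp_body:
      "[| Hash {|Key(shrK A), X|} \<in> parts (spies evs);
          evs \<in> recur;  A \<notin> bad |] ==> X \<in> parts (spies evs)"
@@ -285,9 +285,9 @@
        drule_tac [6] RA4_parts_spies,
        drule_tac [5] respond_imp_responses,
        drule_tac [4] RA2_parts_spies)
-txt{*RA3 requires a further induction*}
+txt\<open>RA3 requires a further induction\<close>
 apply (erule_tac [5] responses.induct, simp_all)
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply (blast intro: parts_insertI)
 done
 
@@ -307,10 +307,10 @@
 apply (erule recur.induct,
        drule_tac [5] respond_imp_responses)
 apply (force, simp_all)
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply blast
 apply (erule_tac [3] responses.induct)
-txt{*RA1,2: creation of new Nonce*}
+txt\<open>RA1,2: creation of new Nonce\<close>
 apply simp_all
 apply (blast dest!: Hash_imp_body)+
 done
@@ -339,14 +339,14 @@
 apply (erule rev_mp, erule responses.induct)
 apply (simp_all del: image_insert
              add: analz_image_freshK_simps resp_analz_image_freshK_lemma)
-txt{*Simplification using two distinct treatments of "image"*}
+txt\<open>Simplification using two distinct treatments of "image"\<close>
 apply (simp add: parts_insert2, blast)
 done
 
 lemmas resp_analz_insert =
        resp_analz_insert_lemma [OF _ raw_analz_image_freshK]
 
-text{*The last key returned by respond indeed appears in a certificate*}
+text\<open>The last key returned by respond indeed appears in a certificate\<close>
 lemma respond_certificate:
      "(Hash[Key(shrK A)] {|Agent A, B, NA, P|}, RA, K) \<in> respond evs
      ==> Crypt (shrK A) {|Key K, B, NA|} \<in> parts {RA}"
@@ -392,12 +392,12 @@
 apply (simp_all del: image_insert
                 add: analz_image_freshK_simps split_ifs shrK_in_analz_respond
                      resp_analz_image_freshK parts_insert2)
-txt{*Base case of respond*}
+txt\<open>Base case of respond\<close>
 apply blast
-txt{*Inductive step of respond*}
+txt\<open>Inductive step of respond\<close>
 apply (intro allI conjI impI, simp_all)
-txt{*by unicity, either @{term "B=Aa"} or @{term "B=A'"}, a contradiction
-     if @{term "B \<in> bad"}*}   
+txt\<open>by unicity, either @{term "B=Aa"} or @{term "B=A'"}, a contradiction
+     if @{term "B \<in> bad"}\<close>   
 apply (blast dest: unique_session_keys respond_certificate)
 apply (blast dest!: respond_certificate)
 apply (blast dest!: resp_analz_insert)
@@ -414,21 +414,21 @@
        frule_tac [5] respond_imp_responses,
        drule_tac [6] RA4_analz_spies,
        simp_all add: split_ifs analz_insert_eq analz_insert_freshK)
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply spy_analz
-txt{*RA2*}
+txt\<open>RA2\<close>
 apply blast 
-txt{*RA3*}
+txt\<open>RA3\<close>
 apply (simp add: parts_insert_spies)
 apply (metis Key_in_parts_respond parts.Body parts.Fst resp_analz_insert 
              respond_Spy_not_see_session_key usedI)
-txt{*RA4*}
+txt\<open>RA4\<close>
 apply blast 
 done
 
 (**** Authenticity properties for Agents ****)
 
-text{*The response never contains Hashes*}
+text\<open>The response never contains Hashes\<close>
 lemma Hash_in_parts_respond:
      "[| Hash {|Key (shrK B), M|} \<in> parts (insert RB H);
          (PB,RB,K) \<in> respond evs |]
@@ -437,10 +437,10 @@
 apply (erule respond_imp_responses [THEN responses.induct], auto)
 done
 
-text{*Only RA1 or RA2 can have caused such a part of a message to appear.
+text\<open>Only RA1 or RA2 can have caused such a part of a message to appear.
   This result is of no use to B, who cannot verify the Hash.  Moreover,
   it can say nothing about how recent A's message is.  It might later be
-  used to prove B's presence to A at the run's conclusion.*}
+  used to prove B's presence to A at the run's conclusion.\<close>
 lemma Hash_auth_sender [rule_format]:
      "[| Hash {|Key(shrK A), Agent A, Agent B, NA, P|} \<in> parts(spies evs);
          A \<notin> bad;  evs \<in> recur |]
@@ -451,7 +451,7 @@
        drule_tac [6] RA4_parts_spies,
        drule_tac [4] RA2_parts_spies,
        simp_all)
-txt{*Fake, RA3*}
+txt\<open>Fake, RA3\<close>
 apply (blast dest: Hash_in_parts_respond)+
 done
 
@@ -460,23 +460,23 @@
 **)
 
 
-text{*Certificates can only originate with the Server.*}
+text\<open>Certificates can only originate with the Server.\<close>
 lemma Cert_imp_Server_msg:
      "[| Crypt (shrK A) Y \<in> parts (spies evs);
          A \<notin> bad;  evs \<in> recur |]
      ==> \<exists>C RC. Says Server C RC \<in> set evs  &
                    Crypt (shrK A) Y \<in> parts {RC}"
 apply (erule rev_mp, erule recur.induct, simp_all)
-txt{*Fake*}
+txt\<open>Fake\<close>
 apply blast
-txt{*RA1*}
+txt\<open>RA1\<close>
 apply blast
-txt{*RA2: it cannot be a new Nonce, contradiction.*}
+txt\<open>RA2: it cannot be a new Nonce, contradiction.\<close>
 apply blast
-txt{*RA3.  Pity that the proof is so brittle: this step requires the rewriting,
-       which however would break all other steps.*}
+txt\<open>RA3.  Pity that the proof is so brittle: this step requires the rewriting,
+       which however would break all other steps.\<close>
 apply (simp add: parts_insert_spies, blast)
-txt{*RA4*}
+txt\<open>RA4\<close>
 apply blast
 done
 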
    36.1 --- a/src/HOL/Auth/Shared.thy	Thu Dec 10 21:31:24 2015 +0100
    36.2 +++ b/src/HOL/Auth/Shared.thy	Thu Dec 10 21:39:33 2015 +0100
    36.3 @@ -16,12 +16,12 @@
    36.4  
    36.5  specification (shrK)
    36.6    inj_shrK: "inj shrK"
    36.7 -  --{*No two agents have the same long-term key*}
    36.8 +  \<comment>\<open>No two agents have the same long-term key\<close>
    36.9     apply (rule exI [of _ "case_agent 0 (\<lambda>n. n + 2) 1"]) 
   36.10     apply (simp add: inj_on_def split: agent.split) 
   36.11     done
   36.12  
   36.13 -text{*Server knows all long-term keys; other agents know only their own*}
   36.14 +text\<open>Server knows all long-term keys; other agents know only their own\<close>
   36.15  
   36.16  overloading
   36.17    initState \<equiv> initState
   36.18 @@ -35,7 +35,7 @@
   36.19  end
   36.20  
   36.21  
   36.22 -subsection{*Basic properties of shrK*}
   36.23 +subsection\<open>Basic properties of shrK\<close>
   36.24  
   36.25  (*Injectiveness: Agents' long-term keys are distinct.*)
   36.26  lemmas shrK_injective = inj_shrK [THEN inj_eq]
   36.27 @@ -51,12 +51,12 @@
   36.28       "[| Crypt K X \<in> analz H;  Key K  \<in> analz H |] ==> X \<in> analz H"
   36.29  by auto
   36.30  
   36.31 -text{*Now cancel the @{text dest} attribute given to
   36.32 - @{text analz.Decrypt} in its declaration.*}
   36.33 +text\<open>Now cancel the \<open>dest\<close> attribute given to
   36.34 + \<open>analz.Decrypt\<close> in its declaration.\<close>
   36.35  declare analz.Decrypt [rule del]
   36.36  
   36.37 -text{*Rewrites should not refer to  @{term "initState(Friend i)"} because
   36.38 -  that expression is not in normal form.*}
   36.39 +text\<open>Rewrites should not refer to  @{term "initState(Friend i)"} because
   36.40 +  that expression is not in normal form.\<close>
   36.41  
   36.42  lemma keysFor_parts_initState [simp]: "keysFor (parts (initState C)) = {}"
   36.43  apply (unfold keysFor_def)
   36.44 @@ -73,7 +73,7 @@
   36.45  by (metis Crypt_imp_invKey_keysFor invKey_K)
   36.46  
   36.47  
   36.48 -subsection{*Function "knows"*}
   36.49 +subsection\<open>Function "knows"\<close>
   36.50  
   36.51  (*Spy sees shared keys of agents!*)
   36.52  lemma Spy_knows_Spy_bad [intro!]: "A: bad ==> Key (shrK A) \<in> knows Spy evs"
   36.53 @@ -108,7 +108,7 @@
   36.54  declare shrK_sym_neq [simp]
   36.55  
   36.56  
   36.57 -subsection{*Fresh nonces*}
   36.58 +subsection\<open>Fresh nonces\<close>
   36.59  
   36.60  lemma Nonce_notin_initState [iff]: "Nonce N \<notin> parts (initState B)"
   36.61  by (induct_tac "B", auto)
   36.62 @@ -117,7 +117,7 @@
   36.63  by (simp add: used_Nil)
   36.64  
   36.65  
   36.66 -subsection{*Supply fresh nonces for possibility theorems.*}
   36.67 +subsection\<open>Supply fresh nonces for possibility theorems.\<close>
   36.68  
   36.69  (*In any trace, there is an upper bound N on the greatest nonce in use.*)
   36.70  lemma Nonce_supply_lemma: "\<exists>N. ALL n. N<=n --> Nonce n \<notin> used evs"
   36.71 @@ -152,14 +152,14 @@
   36.72  apply (rule someI, blast)
   36.73  done
   36.74  
   36.75 -text{*Unlike the corresponding property of nonces, we cannot prove
   36.76 +text\<open>Unlike the corresponding property of nonces, we cannot prove
   36.77      @{term "finite KK ==> \<exists>K. K \<notin> KK & Key K \<notin> used evs"}.
   36.78      We have infinitely many agents and there is nothing to stop their
   36.79      long-term keys from exhausting all the natural numbers.  Instead,
   36.80 -    possibility theorems must assume the existence of a few keys.*}
   36.81 +    possibility theorems must assume the existence of a few keys.\<close>
   36.82  
   36.83  
   36.84 -subsection{*Specialized Rewriting for Theorems About @{term analz} and Image*}
   36.85 +subsection\<open>Specialized Rewriting for Theorems About @{term analz} and Image\<close>
   36.86  
   36.87  lemma subset_Compl_range: "A <= - (range shrK) ==> shrK x \<notin> A"
   36.88  by blast
   36.89 @@ -175,7 +175,7 @@
   36.90      erase occurrences of forwarded message components (X). **)
   36.91  
   36.92  lemmas analz_image_freshK_simps =
   36.93 -       simp_thms mem_simps --{*these two allow its use with @{text "only:"}*}
   36.94 +       simp_thms mem_simps \<comment>\<open>these two allow its use with \<open>only:\<close>\<close>
   36.95         disj_comms 
   36.96         image_insert [THEN sym] image_Un [THEN sym] empty_subsetI insert_subset
   36.97         analz_insert_eq Un_upper2 [THEN analz_mono, THEN [2] rev_subsetD]
   36.98 @@ -189,10 +189,10 @@
   36.99  by (blast intro: analz_mono [THEN [2] rev_subsetD])
  36.100  
  36.101  
  36.102 -subsection{*Tactics for possibility theorems*}
  36.103 +subsection\<open>Tactics for possibility theorems\<close>
  36.104  
  36.105  ML
  36.106 -{*
  36.107 +\<open>
  36.108  structure Shared =
  36.109  struct
  36.110  
  36.111 @@ -223,7 +223,7 @@
  36.112        addsimps @{thms analz_image_freshK_simps})
  36.113  
  36.114  end
  36.115 -*}
  36.116 +\<close>
  36.117  
  36.118  
  36.119  
  36.120 @@ -234,20 +234,20 @@
  36.121  
  36.122  (*Specialized methods*)
  36.123  
  36.124 -method_setup analz_freshK = {*
  36.125 +method_setup analz_freshK = \<open>
  36.126      Scan.succeed (fn ctxt =>
  36.127       (SIMPLE_METHOD
  36.128        (EVERY [REPEAT_FIRST (resolve_tac ctxt [allI, ballI, impI]),
  36.129            REPEAT_FIRST (resolve_tac ctxt @{thms analz_image_freshK_lemma}),
  36.130 -          ALLGOALS (asm_simp_tac (put_simpset Shared.analz_image_freshK_ss ctxt))]))) *}
  36.131 +          ALLGOALS (asm_simp_tac (put_simpset Shared.analz_image_freshK_ss ctxt))])))\<close>
  36.132      "for proving the Session Key Compromise theorem"
  36.133  
  36.134 -method_setup possibility = {*
  36.135 -    Scan.succeed (fn ctxt => SIMPLE_METHOD (Shared.possibility_tac ctxt)) *}
  36.136 +method_setup possibility = \<open>
  36.137 +    Scan.succeed (fn ctxt => SIMPLE_METHOD (Shared.possibility_tac ctxt))\<close>
  36.138      "for proving possibility theorems"
  36.139  
  36.140 -method_setup basic_possibility = {*
  36.141 -    Scan.succeed (fn ctxt => SIMPLE_METHOD (Shared.basic_possibility_tac ctxt)) *}
  36.142 +method_setup basic_possibility = \<open>
  36.143 +    Scan.succeed (fn ctxt => SIMPLE_METHOD (Shared.basic_possibility_tac ctxt))\<close>
  36.144      "for proving possibility theorems"
  36.145  
  36.146  lemma knows_subset_knows_Cons: "knows A evs <= knows A (e # evs)"
    37.1 --- a/src/HOL/Auth/Smartcard/Auth_Smartcard.thy	Thu Dec 10 21:31:24 2015 +0100
    37.2 +++ b/src/HOL/Auth/Smartcard/Auth_Smartcard.thy	Thu Dec 10 21:39:33 2015 +0100
    37.3 @@ -2,7 +2,7 @@
    37.4      Copyright   1996  University of Cambridge
    37.5  *)
    37.6  
    37.7 -section {* Smartcard protocols: rely on conventional Message and on new EventSC and Smartcard *}
    37.8 +section \<open>Smartcard protocols: rely on conventional Message and on new EventSC and Smartcard\<close>
    37.9  
   37.10  theory Auth_Smartcard
   37.11  imports
    38.1 --- a/src/HOL/Auth/Smartcard/EventSC.thy	Thu Dec 10 21:31:24 2015 +0100
    38.2 +++ b/src/HOL/Auth/Smartcard/EventSC.thy	Thu Dec 10 21:39:33 2015 +0100
    38.3 @@ -1,4 +1,4 @@
    38.4 -section{*Theory of Events for Security Protocols that use smartcards*}
    38.5 +section\<open>Theory of Events for Security Protocols that use smartcards\<close>
    38.6  
    38.7  theory EventSC
    38.8  imports
    38.9 @@ -11,7 +11,7 @@
   38.10