Changing "lost" from a parameter of protocol definitions to a constant.
authorpaulson
Mon Jul 14 12:47:21 1997 +0200 (1997-07-14)
changeset 3519ab0a9fbed4c0
parent 3518 6e11c7bfb9c7
child 3520 5b5807645a1a
Changing "lost" from a parameter of protocol definitions to a constant.

Advantages: no "lost" argument everywhere; fewer Vars in subgoals;
less need for specially instantiated rules
Disadvantage: can no longer prove "Agent_not_see_encrypted_key", but this
theorem was never used, and its original proof was also broken by
the introduction of the "Notes" constructor.
src/HOL/Auth/Event.ML
src/HOL/Auth/Event.thy
src/HOL/Auth/Message.ML
src/HOL/Auth/NS_Public.ML
src/HOL/Auth/NS_Public.thy
src/HOL/Auth/NS_Public_Bad.ML
src/HOL/Auth/NS_Public_Bad.thy
src/HOL/Auth/NS_Shared.ML
src/HOL/Auth/NS_Shared.thy
src/HOL/Auth/OtwayRees.ML
src/HOL/Auth/OtwayRees.thy
src/HOL/Auth/OtwayRees_AN.ML
src/HOL/Auth/OtwayRees_AN.thy
src/HOL/Auth/OtwayRees_Bad.ML
src/HOL/Auth/OtwayRees_Bad.thy
src/HOL/Auth/Public.ML
src/HOL/Auth/Public.thy
src/HOL/Auth/Recur.ML
src/HOL/Auth/Recur.thy
src/HOL/Auth/Shared.ML
src/HOL/Auth/Shared.thy
src/HOL/Auth/TLS.ML
src/HOL/Auth/TLS.thy
src/HOL/Auth/WooLam.ML
src/HOL/Auth/WooLam.thy
src/HOL/Auth/Yahalom.ML
src/HOL/Auth/Yahalom.thy
src/HOL/Auth/Yahalom2.ML
src/HOL/Auth/Yahalom2.thy
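--- a/src/HOL/Auth/Event.ML	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Event.ML	Mon Jul 14 12:47:21 1997 +0200
@@ -10,53 +10,55 @@
 
 open Event;
 
+AddIffs [Spy_in_lost, Server_not_lost];
+
 (*** Function "sees" ***)
 
-(** Specialized rewrite rules for (sees lost A (Says...#evs)) **)
+(** Specialized rewrite rules for (sees A (Says...#evs)) **)
 
-goal thy "sees lost B (Says A B X # evs) = insert X (sees lost B evs)";
+goal thy "sees B (Says A B X # evs) = insert X (sees B evs)";
 by (Simp_tac 1);
 qed "sees_own";
 
-goal thy "sees lost B (Notes A X # evs) = \
-\         (if A=B then insert X (sees lost B evs) else sees lost B evs)";
+goal thy "sees B (Notes A X # evs) = \
+\         (if A=B then insert X (sees B evs) else sees B evs)";
 by (simp_tac (!simpset setloop split_tac [expand_if]) 1);
 qed "sees_Notes";
 
-(** Three special-case rules for rewriting of sees lost A **)
+(** Three special-case rules for rewriting of sees A **)
 
 goal thy "!!A. Server ~= B ==> \
-\          sees lost Server (Says A B X # evs) = sees lost Server evs";
+\          sees Server (Says A B X # evs) = sees Server evs";
 by (Asm_simp_tac 1);
 qed "sees_Server";
 
 goal thy "!!A. Friend i ~= B ==> \
-\          sees lost (Friend i) (Says A B X # evs) = sees lost (Friend i) evs";
+\          sees (Friend i) (Says A B X # evs) = sees (Friend i) evs";
 by (Asm_simp_tac 1);
 qed "sees_Friend";
 
-goal thy "sees lost Spy (Says A B X # evs) = insert X (sees lost Spy evs)";
+goal thy "sees Spy (Says A B X # evs) = insert X (sees Spy evs)";
 by (Simp_tac 1);
 qed "sees_Spy";
 
-goal thy "sees lost A (Says A' B X # evs) <= insert X (sees lost A evs)";
+goal thy "sees A (Says A' B X # evs) <= insert X (sees A evs)";
 by (simp_tac (!simpset setloop split_tac [expand_if]) 1);
 by (Fast_tac 1);
 qed "sees_Says_subset_insert";
 
-goal thy "sees lost A evs <= sees lost A (Says A' B X # evs)";
+goal thy "sees A evs <= sees A (Says A' B X # evs)";
 by (simp_tac (!simpset setloop split_tac [expand_if]) 1);
 by (Fast_tac 1);
 qed "sees_subset_sees_Says";
 
-goal thy "sees lost A evs <= sees lost A (Notes A' X # evs)";
+goal thy "sees A evs <= sees A (Notes A' X # evs)";
 by (simp_tac (!simpset setloop split_tac [expand_if]) 1);
 by (Fast_tac 1);
 qed "sees_subset_sees_Notes";
 
 (*Pushing Unions into parts.  One of the agents A is B, and thus sees Y.*)
-goal thy "(UN A. parts (sees lost A (Says B C Y # evs))) = \
-\         parts {Y} Un (UN A. parts (sees lost A evs))";
+goal thy "(UN A. parts (sees A (Says B C Y # evs))) = \
+\         parts {Y} Un (UN A. parts (sees A evs))";
 by (Step_tac 1);
 by (etac rev_mp 1);     (*split_tac does not work on assumptions*)
 by (ALLGOALS
@@ -64,8 +66,8 @@
 				       setloop split_tac [expand_if]))));
 qed "UN_parts_sees_Says";
 
-goal thy "(UN A. parts (sees lost A (Notes B Y # evs))) = \
-\         parts {Y} Un (UN A. parts (sees lost A evs))";
+goal thy "(UN A. parts (sees A (Notes B Y # evs))) = \
+\         parts {Y} Un (UN A. parts (sees A evs))";
 by (Step_tac 1);
 by (etac rev_mp 1);     (*split_tac does not work on assumptions*)
 by (ALLGOALS
@@ -73,7 +75,7 @@
 				       setloop split_tac [expand_if]))));
 qed "UN_parts_sees_Notes";
 
-goal thy "Says A B X : set evs --> X : sees lost Spy evs";
+goal thy "Says A B X : set evs --> X : sees Spy evs";
 by (list.induct_tac "evs" 1);
 by (Auto_tac ());
 qed_spec_mp "Says_imp_sees_Spy";
@@ -90,7 +92,7 @@
 
 (*** Fresh nonces ***)
 
-goalw thy [used_def] "!!X. X: parts (sees lost B evs) ==> X: used evs";
+goalw thy [used_def] "!!X. X: parts (sees B evs) ==> X: used evs";
 by (etac (impOfSubs parts_mono) 1);
 by (Fast_tac 1);
 qed "usedI";
@@ -124,12 +126,12 @@
 qed "used_subset_append";
 
 
-(** Simplifying   parts (insert X (sees lost A evs))
-      = parts {X} Un parts (sees lost A evs) -- since general case loops*)
+(** Simplifying   parts (insert X (sees A evs))
+      = parts {X} Un parts (sees A evs) -- since general case loops*)
 
 val parts_insert_sees = 
     parts_insert |> read_instantiate_sg (sign_of thy)
-                                        [("H", "sees lost A evs")]
+                                        [("H", "sees A evs")]
                  |> standard;
 
 
@@ -140,7 +142,7 @@
   it will omit complicated reasoning about analz.*)
 val analz_mono_contra_tac = 
   let val impI' = read_instantiate_sg (sign_of thy)
-                [("P", "?Y ~: analz (sees lost ?A ?evs)")] impI;
+                [("P", "?Y ~: analz (sees ?A ?evs)")] impI;
   in
     rtac impI THEN' 
     REPEAT1 o 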
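Review bot: The new top-level `AddIffs [Spy_in_lost, Server_not_lost];` has no comment, although it installs two axioms from Event.thy as default simplifier and classical rules for every proof that loads this file. A one-line comment such as `(*lost is now a global constant; its two axioms become default rules for all protocol theories*)` would show readers where the trust assumption enters. The protocol files still issue their own `AddIffs [Spy_in_lost];` (visible as context in NS_Public.ML and NS_Public_Bad.ML). If those theories load Event.ML, as their use of `sees` suggests, that declaration is now a duplicate and could be dropped.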
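--- a/src/HOL/Auth/Event.thy	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Event.thy	Mon Jul 14 12:47:21 1997 +0200
@@ -11,7 +11,7 @@
 Event = Message + List + 
 
 consts  (*Initial states of agents -- parameter of the construction*)
-  initState :: [agent set, agent] => msg set
+  initState :: agent => msg set
 
 datatype  (*Messages--could add another constructor for agent knowledge*)
   event = Says  agent agent msg
@@ -26,17 +26,22 @@
   sees1_Notes "sees1 A (Notes A' X)   = (if A = A'    then {X} else {})"
 
 consts  
-  sees :: [agent set, agent, event list] => msg set
+  lost :: agent set        (*agents whose private keys have been compromised*)
+  sees :: [agent, event list] => msg set
+
+rules
+  (*Spy has access to his own key for spoof messages, but Server is secure*)
+  Spy_in_lost     "Spy: lost"
+  Server_not_lost "Server ~: lost"
 
 primrec sees list
-  sees_Nil  "sees lost A []       = initState lost A"
-  sees_Cons "sees lost A (ev#evs) = sees1 A ev Un sees lost A evs"
-
+  sees_Nil  "sees A []       = initState A"
+  sees_Cons "sees A (ev#evs) = sees1 A ev Un sees A evs"
 
 constdefs
   (*Set of items that might be visible to somebody: complement of the set
         of fresh items*)
   used :: event list => msg set
-    "used evs == parts (UN lost B. sees lost B evs)"
+    "used evs == parts (UN B. sees B evs)"
 
 end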
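Review bot: `Spy_in_lost` and `Server_not_lost` are stated under `rules`, so they are axioms about an otherwise unspecified constant, and the one-line comment above them does not say so. Since the protocol theories in this directory appear to build on Event, every downstream theorem now presumably assumes an uncompromised Server without stating it as a premise. I would extend the comment to something like `(*Axioms: lost is any agent set containing Spy and excluding Server; all theorems hold for every such set*)`. The comment on `lost` speaks of private keys, while the file list also contains shared-key theories (Shared.thy). `(*agents whose long-term keys are compromised from the start*)` may be more accurate, to be confirmed against Shared.thy.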
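--- a/src/HOL/Auth/Message.ML	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Message.ML	Mon Jul 14 12:47:21 1997 +0200
@@ -908,8 +908,6 @@
 val Un_absorb3 = result();
 Addsimps [Un_absorb3];
 
-Addsimps [Un_insert_left, Un_insert_right];
-
 (*By default only o_apply is built-in.  But in the presence of eta-expansion
   this means that some terms displayed as (f o g) will be rewritten, and others
   will not!*)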
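--- a/src/HOL/Auth/NS_Public.ML	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/NS_Public.ML	Mon Jul 14 12:47:21 1997 +0200
@@ -5,8 +5,6 @@
 
 Inductive relation "ns_public" for the Needham-Schroeder Public-Key protocol.
 Version incorporating Lowe's fix (inclusion of B's identify in round 2).
-
-PROOFS BELOW MIGHT BE SIMPLIFIED using Yahalom's analz_mono_parts_induct_tac 
 *)
 
 open NS_Public;
@@ -16,10 +14,6 @@
 
 AddIffs [Spy_in_lost];
 
-(*Replacing the variable by a constant improves search speed by 50%!*)
-val Says_imp_sees_Spy' = 
-    read_instantiate_sg (sign_of thy) [("lost","lost")] Says_imp_sees_Spy;
-
 (*A "possibility property": there are traces that reach the end*)
 goal thy 
  "!!A B. A ~= B ==> EX NB. EX evs: ns_public.               \
@@ -41,27 +35,35 @@
 AddSEs   [not_Says_to_self RSN (2, rev_notE)];
 
 
-(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
+(*Induction for regularity theorems.  If induction formula has the form
+   X ~: analz (sees Spy evs) --> ... then it shortens the proof by discarding
+   needless information about analz (insert X (sees Spy evs))  *)
+fun parts_induct_tac i = 
+    etac ns_public.induct i
+    THEN 
+    REPEAT (FIRSTGOAL analz_mono_contra_tac)
+    THEN 
+    prove_simple_subgoals_tac i;
+
+
+(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
     sends messages containing X! **)
 
 (*Spy never sees another agent's private key! (unless it's lost at start)*)
 goal thy 
- "!!evs. evs : ns_public \
-\        ==> (Key (priK A) : parts (sees lost Spy evs)) = (A : lost)";
-by (etac ns_public.induct 1);
-by (prove_simple_subgoals_tac 1);
+ "!!A. evs: ns_public ==> (Key (priK A) : parts (sees Spy evs)) = (A : lost)";
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 qed "Spy_see_priK";
 Addsimps [Spy_see_priK];
 
 goal thy 
- "!!evs. evs : ns_public \
-\        ==> (Key (priK A) : analz (sees lost Spy evs)) = (A : lost)";
+ "!!A. evs: ns_public ==> (Key (priK A) : analz (sees Spy evs)) = (A : lost)";
 by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
 qed "Spy_analz_priK";
 Addsimps [Spy_analz_priK];
 
-goal thy  "!!A. [| Key (priK A) : parts (sees lost Spy evs);       \
+goal thy  "!!A. [| Key (priK A) : parts (sees Spy evs);       \
 \                  evs : ns_public |] ==> A:lost";
 by (blast_tac (!claset addDs [Spy_see_priK]) 1);
 qed "Spy_see_priK_D";
@@ -70,87 +72,79 @@
 AddSDs [Spy_see_priK_D, Spy_analz_priK_D];
 
 
+(**** Authenticity properties obtained from NS2 ****)
+
+(*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce
+  is secret.  (Honest users generate fresh nonces.)*)
+goal thy 
+ "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs); \
+\           Nonce NA ~: analz (sees Spy evs);       \
+\           evs : ns_public |]                      \
+\ ==> Crypt (pubK C) {|NA', Nonce NA, Agent D|} ~: parts (sees Spy evs)";
+by (etac rev_mp 1);
+by (etac rev_mp 1);
+by (parts_induct_tac 1);
+(*NS3*)
+by (blast_tac (!claset addSEs partsEs) 3);
+(*NS2*)
+by (blast_tac (!claset addSEs partsEs) 2);
+by (Fake_parts_insert_tac 1);
+qed "no_nonce_NS1_NS2";
+
+
+(*Unicity for NS1: nonce NA identifies agents A and B*)
+goal thy 
+ "!!evs. [| Nonce NA ~: analz (sees Spy evs);  evs : ns_public |]      \
+\ ==> EX A' B'. ALL A B.                                               \
+\      Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs) --> \
+\      A=A' & B=B'";
+by (etac rev_mp 1);
+by (parts_induct_tac 1);
+by (ALLGOALS
+    (asm_simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees])));
+(*NS1*)
+by (expand_case_tac "NA = ?y" 2 THEN blast_tac (!claset addSEs partsEs) 2);
+(*Fake*)
+by (step_tac (!claset addSIs [analz_insertI]) 1);
+by (ex_strip_tac 1);
+by (Fake_parts_insert_tac 1);
+val lemma = result();
+
+goal thy 
+ "!!evs. [| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(sees Spy evs); \
+\           Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(sees Spy evs); \
+\           Nonce NA ~: analz (sees Spy evs);                            \
+\           evs : ns_public |]                                                \
+\        ==> A=A' & B=B'";
+by (prove_unique_tac lemma 1);
+qed "unique_NA";
+
+
+(*Tactic for proving secrecy theorems*)
 fun analz_induct_tac i = 
     etac ns_public.induct i   THEN
     ALLGOALS (asm_simp_tac 
               (!simpset addsimps [not_parts_not_analz]
                         setloop split_tac [expand_if]));
 
-(**** Authenticity properties obtained from NS2 ****)
-
-(*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce
-  is secret.  (Honest users generate fresh nonces.)*)
-goal thy 
- "!!evs. [| Nonce NA ~: analz (sees lost Spy evs);  \
-\           Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees lost Spy evs); \
-\           evs : ns_public |]                      \
-\ ==> Crypt (pubK C) {|NA', Nonce NA, Agent D|} ~: parts (sees lost Spy evs)";
-by (etac rev_mp 1);
-by (etac rev_mp 1);
-by (analz_induct_tac 1);
-(*NS3*)
-by (blast_tac (!claset addSEs partsEs) 4);
-(*NS2*)
-by (blast_tac (!claset addSEs partsEs) 3);
-(*Fake*)
-by (blast_tac (!claset addSIs [analz_insertI]
-                        addDs [impOfSubs analz_subset_parts,
-			       impOfSubs Fake_parts_insert]) 2);
-(*Base*)
-by (Blast_tac 1);
-qed "no_nonce_NS1_NS2";
-
-
-(*Unicity for NS1: nonce NA identifies agents A and B*)
-goal thy 
- "!!evs. [| Nonce NA ~: analz (sees lost Spy evs);  evs : ns_public |]      \
-\ ==> EX A' B'. ALL A B.                                                    \
-\      Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees lost Spy evs) --> \
-\      A=A' & B=B'";
-by (etac rev_mp 1);
-by (analz_induct_tac 1);
-(*NS1*)
-by (simp_tac (!simpset addsimps [all_conj_distrib]) 3);
-by (expand_case_tac "NA = ?y" 3 THEN
-    REPEAT (blast_tac (!claset addSEs partsEs) 3));
-(*Base*)
-by (Blast_tac 1);
-(*Fake*)
-by (simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees]) 1);
-by (step_tac (!claset addSIs [analz_insertI]) 1);
-by (ex_strip_tac 1);
-by (blast_tac (!claset delrules [conjI]
-                       addSDs [impOfSubs Fake_parts_insert]
-                       addDs  [impOfSubs analz_subset_parts]) 1);
-val lemma = result();
-
-goal thy 
- "!!evs. [| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(sees lost Spy evs); \
-\           Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(sees lost Spy evs); \
-\           Nonce NA ~: analz (sees lost Spy evs);                            \
-\           evs : ns_public |]                                                \
-\        ==> A=A' & B=B'";
-by (prove_unique_tac lemma 1);
-qed "unique_NA";
-
 
 (*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure*)
 goal thy 
  "!!evs. [| Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;         \
 \           A ~: lost;  B ~: lost;  evs : ns_public |]                        \
-\        ==>  Nonce NA ~: analz (sees lost Spy evs)";
+\        ==>  Nonce NA ~: analz (sees Spy evs)";
 by (etac rev_mp 1);
 by (analz_induct_tac 1);
 (*NS3*)
-by (blast_tac (!claset addDs  [Says_imp_sees_Spy' RS parts.Inj]
+by (blast_tac (!claset addDs  [Says_imp_sees_Spy RS parts.Inj]
                        addEs  [no_nonce_NS1_NS2 RSN (2, rev_notE)]) 4);
 (*NS2*)
 by (blast_tac (!claset addSEs [MPair_parts]
-		       addDs  [Says_imp_sees_Spy' RS parts.Inj,
+		       addDs  [Says_imp_sees_Spy RS parts.Inj,
 			       parts.Body, unique_NA]) 3);
 (*NS1*)
 by (blast_tac (!claset addSEs sees_Spy_partsEs
-                      addIs  [impOfSubs analz_subset_parts]) 2);
+                       addIs  [impOfSubs analz_subset_parts]) 2);
 (*Fake*)
 by (spy_analz_tac 1);
 qed "Spy_not_see_NA";
@@ -159,15 +153,15 @@
 (*Authentication for A: if she receives message 2 and has used NA
   to start a run, then B has sent message 2.*)
 goal thy 
- "!!evs. [| Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs; \
-\           Says B' A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})  \
-\             : set evs;                                               \
-\           A ~: lost;  B ~: lost;  evs : ns_public |]                 \
-\        ==> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})  \
+ "!!evs. [| Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs;  \
+\           Says B' A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})   \
+\             : set evs;                                                \
+\           A ~: lost;  B ~: lost;  evs : ns_public |]                  \
+\        ==> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})   \
 \              : set evs";
 by (etac rev_mp 1);
 (*prepare induction over Crypt (pubK A) {|NA,NB,B|} : parts H*)
-by (etac (Says_imp_sees_Spy' RS parts.Inj RS rev_mp) 1);
+by (etac (Says_imp_sees_Spy RS parts.Inj RS rev_mp) 1);
 by (etac ns_public.induct 1);
 by (ALLGOALS Asm_simp_tac);
 (*NS1*)
@@ -180,19 +174,14 @@
 
 (*If the encrypted message appears then it originated with Alice in NS1*)
 goal thy 
- "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees lost Spy evs); \
-\           Nonce NA ~: analz (sees lost Spy evs);                 \
+ "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs); \
+\           Nonce NA ~: analz (sees Spy evs);                 \
 \           evs : ns_public |]                                     \
 \   ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
-by (analz_induct_tac 1);
-(*Fake*)
-by (blast_tac (!claset addSDs [impOfSubs Fake_parts_insert]
-                       addIs  [analz_insertI]
-                       addDs  [impOfSubs analz_subset_parts]) 2);
-(*Base*)
-by (Blast_tac 1);
+by (parts_induct_tac 1);
+by (Fake_parts_insert_tac 1);
 qed "B_trusts_NS1";
 
 
@@ -203,33 +192,28 @@
   [unicity of B makes Lowe's fix work]
   [proof closely follows that for unique_NA] *)
 goal thy 
- "!!evs. [| Nonce NB ~: analz (sees lost Spy evs);  evs : ns_public |]      \
+ "!!evs. [| Nonce NB ~: analz (sees Spy evs);  evs : ns_public |]      \
 \ ==> EX A' NA' B'. ALL A NA B.                                             \
 \      Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}                       \
-\        : parts (sees lost Spy evs)  -->  A=A' & NA=NA' & B=B'";
+\        : parts (sees Spy evs)  -->  A=A' & NA=NA' & B=B'";
 by (etac rev_mp 1);
-by (analz_induct_tac 1);
+by (parts_induct_tac 1);
+by (ALLGOALS
+    (asm_simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees])));
 (*NS2*)
-by (simp_tac (!simpset addsimps [all_conj_distrib]) 3);
-by (expand_case_tac "NB = ?y" 3 THEN
-    REPEAT (blast_tac (!claset addSEs partsEs) 3));
-(*Base*)
-by (Blast_tac 1);
+by (expand_case_tac "NB = ?y" 2 THEN blast_tac (!claset addSEs partsEs) 2);
 (*Fake*)
-by (simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees]) 1);
 by (step_tac (!claset addSIs [analz_insertI]) 1);
 by (ex_strip_tac 1);
-by (blast_tac (!claset delrules [conjI]
-                      addSDs [impOfSubs Fake_parts_insert]
-                      addDs  [impOfSubs analz_subset_parts]) 1);
+by (Fake_parts_insert_tac 1);
 val lemma = result();
 
 goal thy 
  "!!evs. [| Crypt(pubK A)  {|Nonce NA, Nonce NB, Agent B|}   \
-\             : parts(sees lost Spy evs);                    \
+\             : parts(sees Spy evs);                         \
 \           Crypt(pubK A') {|Nonce NA', Nonce NB, Agent B'|} \
-\             : parts(sees lost Spy evs);                    \
-\           Nonce NB ~: analz (sees lost Spy evs);           \
+\             : parts(sees Spy evs);                         \
+\           Nonce NB ~: analz (sees Spy evs);                \
 \           evs : ns_public |]                               \
 \        ==> A=A' & NA=NA' & B=B'";
 by (prove_unique_tac lemma 1);
@@ -241,12 +225,11 @@
  "!!evs. [| Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
 \             : set evs;                                              \
 \           A ~: lost;  B ~: lost;  evs : ns_public |]                \
-\ ==> Nonce NB ~: analz (sees lost Spy evs)";
+\ ==> Nonce NB ~: analz (sees Spy evs)";
 by (etac rev_mp 1);
 by (analz_induct_tac 1);
 (*NS3*)
-by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj,
-			      unique_NB]) 4);
+by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj, unique_NB]) 4);
 (*NS1*)
 by (blast_tac (!claset addSEs sees_Spy_partsEs) 2);
 (*Fake*)
@@ -254,7 +237,7 @@
 (*NS2*)
 by (Step_tac 1);
 by (blast_tac (!claset addSEs sees_Spy_partsEs) 3);
-by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
+by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
                        addEs  [no_nonce_NS1_NS2 RSN (2, rev_notE)]) 2);
 by (blast_tac (!claset addSIs [impOfSubs analz_subset_parts]) 1);
 qed "Spy_not_see_NB";
@@ -270,8 +253,8 @@
 \        ==> Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
 by (etac rev_mp 1);
 (*prepare induction over Crypt (pubK B) NB : parts H*)
-by (etac (Says_imp_sees_Spy' RS parts.Inj RS rev_mp) 1);
-by (analz_induct_tac 1);
+by (etac (Says_imp_sees_Spy RS parts.Inj RS rev_mp) 1);
+by (parts_induct_tac 1);
 (*NS1*)
 by (blast_tac (!claset addSEs sees_Spy_partsEs) 2);
 (*Fake*)
@@ -280,7 +263,7 @@
 			       impOfSubs analz_subset_parts]) 1);
 (*NS3; not clear why blast_tac needs to be preceeded by Step_tac*)
 by (Step_tac 1);
-by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj,
+by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj,
 			      Spy_not_see_NB, unique_NB]) 1);
 qed "B_trusts_NS3";
 
@@ -288,8 +271,8 @@
 (**** Overall guarantee for B*)
 
 (*Matches only NS2, not NS1 (or NS3)*)
-val Says_imp_sees_Spy'' = 
-    read_instantiate [("X","Crypt ?K {|?XX,?YY,?ZZ|}")] Says_imp_sees_Spy';
+val Says_imp_sees_Spy' = 
+    read_instantiate [("X","Crypt ?K {|?XX,?YY,?ZZ|}")] Says_imp_sees_Spy;
 
 
 (*If B receives NS3 and the nonce NB agrees with the nonce he joined with
@@ -302,7 +285,7 @@
 \    ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
 by (etac rev_mp 1);
 (*prepare induction over Crypt (pubK B) {|NB|} : parts H*)
-by (etac (Says_imp_sees_Spy' RS parts.Inj RS rev_mp) 1);
+by (etac (Says_imp_sees_Spy RS parts.Inj RS rev_mp) 1);
 by (etac ns_public.induct 1);
 by (ALLGOALS Asm_simp_tac);
 (*Fake, NS2, NS3*)
@@ -318,7 +301,7 @@
 (*NS3*)
 by (Step_tac 1);
 by (forward_tac [Spy_not_see_NB] 1 THEN REPEAT (assume_tac 1));
-by (blast_tac (!claset addSDs [Says_imp_sees_Spy'' RS parts.Inj]
+by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
                        addDs  [unique_NB]) 1);
 qed "B_trusts_protocol";
 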
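Review bot: The "Overall guarantee for B" hunk rebinds `Says_imp_sees_Spy'` to the NS2-only instance (`X` fixed to `Crypt ?K {|?XX,?YY,?ZZ|}`), a name that until this commit denoted the general theorem with `lost` instantiated. A proof step after that definition which still writes `Says_imp_sees_Spy'` out of habit will be accepted by ML but match only three-component ciphertexts, so a missed rename surfaces as a failing or slower `blast_tac` rather than an unbound identifier. A distinct name, for example `val Says_imp_sees_Spy_NS2 = read_instantiate [("X","Crypt ?K {|?XX,?YY,?ZZ|}")] Says_imp_sees_Spy;`, would keep the two apart. Separately, `parts_induct_tac` is added here with the same body that this commit adds to NS_Public_Bad.ML; a comment noting the duplication would help keep the two copies in step.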
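--- a/src/HOL/Auth/NS_Public.thy	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/NS_Public.thy	Mon Jul 14 12:47:21 1997 +0200
@@ -9,8 +9,7 @@
 
 NS_Public = Public + 
 
-consts  lost       :: agent set        (*No need for it to be a variable*)
-	ns_public  :: event list set
+consts  ns_public  :: event list set
 
 inductive ns_public
   intrs 
@@ -21,7 +20,7 @@
            invent new nonces here, but he can also use NS1.  Common to
            all similar protocols.*)
     Fake "[| evs: ns_public;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
+             X: synth (analz (sees Spy evs)) |]
           ==> Says Spy B X  # evs : ns_public"
 
          (*Alice initiates a protocol run, sending a nonce to Bob*)
@@ -44,8 +43,4 @@
 
   (**Oops message??**)
 
-rules
-  (*Spy has access to his own key for spoof messages*)
-  Spy_in_lost "Spy: lost"
-
 end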
     6.1 --- a/src/HOL/Auth/NS_Public_Bad.ML	Mon Jul 14 12:44:09 1997 +0200
     6.2 +++ b/src/HOL/Auth/NS_Public_Bad.ML	Mon Jul 14 12:47:21 1997 +0200
     6.3 @@ -18,10 +18,6 @@
     6.4  
     6.5  AddIffs [Spy_in_lost];
     6.6  
     6.7 -(*Replacing the variable by a constant improves search speed by 50%!*)
     6.8 -val Says_imp_sees_Spy' = 
     6.9 -    read_instantiate_sg (sign_of thy) [("lost","lost")] Says_imp_sees_Spy;
    6.10 -
    6.11  (*A "possibility property": there are traces that reach the end*)
    6.12  goal thy 
    6.13   "!!A B. A ~= B ==> EX NB. EX evs: ns_public.               \
    6.14 @@ -43,27 +39,35 @@
    6.15  AddSEs   [not_Says_to_self RSN (2, rev_notE)];
    6.16  
    6.17  
    6.18 -(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
    6.19 +(*Induction for regularity theorems.  If induction formula has the form
    6.20 +   X ~: analz (sees Spy evs) --> ... then it shortens the proof by discarding
    6.21 +   needless information about analz (insert X (sees Spy evs))  *)
    6.22 +fun parts_induct_tac i = 
    6.23 +    etac ns_public.induct i
    6.24 +    THEN 
    6.25 +    REPEAT (FIRSTGOAL analz_mono_contra_tac)
    6.26 +    THEN 
    6.27 +    prove_simple_subgoals_tac i;
    6.28 +
    6.29 +
    6.30 +(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
    6.31      sends messages containing X! **)
    6.32  
    6.33  (*Spy never sees another agent's private key! (unless it's lost at start)*)
    6.34  goal thy 
    6.35 - "!!evs. evs : ns_public \
    6.36 -\        ==> (Key (priK A) : parts (sees lost Spy evs)) = (A : lost)";
    6.37 -by (etac ns_public.induct 1);
    6.38 -by (prove_simple_subgoals_tac 1);
    6.39 + "!!A. evs: ns_public ==> (Key (priK A) : parts (sees Spy evs)) = (A : lost)";
    6.40 +by (parts_induct_tac 1);
    6.41  by (Fake_parts_insert_tac 1);
    6.42  qed "Spy_see_priK";
    6.43  Addsimps [Spy_see_priK];
    6.44  
    6.45  goal thy 
    6.46 - "!!evs. evs : ns_public \
    6.47 -\        ==> (Key (priK A) : analz (sees lost Spy evs)) = (A : lost)";
    6.48 + "!!A. evs: ns_public ==> (Key (priK A) : analz (sees Spy evs)) = (A : lost)";
    6.49  by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
    6.50  qed "Spy_analz_priK";
    6.51  Addsimps [Spy_analz_priK];
    6.52  
    6.53 -goal thy  "!!A. [| Key (priK A) : parts (sees lost Spy evs);       \
    6.54 +goal thy  "!!A. [| Key (priK A) : parts (sees Spy evs);       \
    6.55  \                  evs : ns_public |] ==> A:lost";
    6.56  by (blast_tac (!claset addDs [Spy_see_priK]) 1);
    6.57  qed "Spy_see_priK_D";
    6.58 @@ -72,6 +76,55 @@
    6.59  AddSDs [Spy_see_priK_D, Spy_analz_priK_D];
    6.60  
    6.61  
    6.62 +(**** Authenticity properties obtained from NS2 ****)
    6.63 +
    6.64 +(*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce
    6.65 +  is secret.  (Honest users generate fresh nonces.)*)
    6.66 +goal thy 
    6.67 + "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs); \
    6.68 +\           Nonce NA ~: analz (sees Spy evs);       \
    6.69 +\           evs : ns_public |]                      \
    6.70 +\ ==> Crypt (pubK C) {|NA', Nonce NA|} ~: parts (sees Spy evs)";
    6.71 +by (etac rev_mp 1);
    6.72 +by (etac rev_mp 1);
    6.73 +by (parts_induct_tac 1);
    6.74 +(*NS3*)
    6.75 +by (blast_tac (!claset addSEs partsEs) 3);
    6.76 +(*NS2*)
    6.77 +by (blast_tac (!claset addSEs partsEs) 2);
    6.78 +by (Fake_parts_insert_tac 1);
    6.79 +qed "no_nonce_NS1_NS2";
    6.80 +
    6.81 +
    6.82 +(*Unicity for NS1: nonce NA identifies agents A and B*)
    6.83 +goal thy 
    6.84 + "!!evs. [| Nonce NA ~: analz (sees Spy evs);  evs : ns_public |]      \
    6.85 +\ ==> EX A' B'. ALL A B.                                               \
    6.86 +\      Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs) --> \
    6.87 +\      A=A' & B=B'";
    6.88 +by (etac rev_mp 1);
    6.89 +by (parts_induct_tac 1);
    6.90 +by (ALLGOALS
    6.91 +    (asm_simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees])));
    6.92 +(*NS1*)
    6.93 +by (expand_case_tac "NA = ?y" 2 THEN blast_tac (!claset addSEs partsEs) 2);
    6.94 +(*Fake*)
    6.95 +by (step_tac (!claset addSIs [analz_insertI]) 1);
    6.96 +by (ex_strip_tac 1);
    6.97 +by (Fake_parts_insert_tac 1);
    6.98 +val lemma = result();
    6.99 +
   6.100 +goal thy 
   6.101 + "!!evs. [| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(sees Spy evs); \
   6.102 +\           Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(sees Spy evs); \
   6.103 +\           Nonce NA ~: analz (sees Spy evs);                            \
   6.104 +\           evs : ns_public |]                                                \
   6.105 +\        ==> A=A' & B=B'";
   6.106 +by (prove_unique_tac lemma 1);
   6.107 +qed "unique_NA";
   6.108 +
   6.109 +
   6.110 +(*Tactic for proving secrecy theorems*)
   6.111  fun analz_induct_tac i = 
   6.112      etac ns_public.induct i   THEN
   6.113      ALLGOALS (asm_simp_tac 
   6.114 @@ -79,77 +132,19 @@
   6.115                          setloop split_tac [expand_if]));
   6.116  
   6.117  
   6.118 -(**** Authenticity properties obtained from NS2 ****)
   6.119 -
   6.120 -(*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce
   6.121 -  is secret.  (Honest users generate fresh nonces.)*)
   6.122 -goal thy 
   6.123 - "!!evs. [| Nonce NA ~: analz (sees lost Spy evs);  \
   6.124 -\           Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees lost Spy evs); \
   6.125 -\           evs : ns_public |]                      \
   6.126 -\ ==> Crypt (pubK C) {|NA', Nonce NA|} ~: parts (sees lost Spy evs)";
   6.127 -by (etac rev_mp 1);
   6.128 -by (etac rev_mp 1);
   6.129 -by (analz_induct_tac 1);
   6.130 -(*NS3*)
   6.131 -by (blast_tac (!claset addSEs partsEs) 4);
   6.132 -(*NS2*)
   6.133 -by (blast_tac (!claset addSEs partsEs) 3);
   6.134 -(*Fake*)
   6.135 -by (blast_tac (!claset addSIs [analz_insertI]
   6.136 -                        addDs [impOfSubs analz_subset_parts,
   6.137 -			       impOfSubs Fake_parts_insert]) 2);
   6.138 -(*Base*)
   6.139 -by (Blast_tac 1);
   6.140 -qed "no_nonce_NS1_NS2";
   6.141 -
   6.142 -
   6.143 -(*Unicity for NS1: nonce NA identifies agents A and B*)
   6.144 -goal thy 
   6.145 - "!!evs. [| Nonce NA ~: analz (sees lost Spy evs);  evs : ns_public |]      \
   6.146 -\ ==> EX A' B'. ALL A B.                                                    \
   6.147 -\      Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees lost Spy evs) --> \
   6.148 -\      A=A' & B=B'";
   6.149 -by (etac rev_mp 1);
   6.150 -by (analz_induct_tac 1);
   6.151 -(*NS1*)
   6.152 -by (simp_tac (!simpset addsimps [all_conj_distrib]) 3);
   6.153 -by (expand_case_tac "NA = ?y" 3 THEN
   6.154 -    REPEAT (blast_tac (!claset addSEs partsEs) 3));
   6.155 -(*Base*)
   6.156 -by (Blast_tac 1);
   6.157 -(*Fake*)
   6.158 -by (simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees]) 1);
   6.159 -by (step_tac (!claset addSIs [analz_insertI]) 1);
   6.160 -by (ex_strip_tac 1);
   6.161 -by (blast_tac (!claset delrules [conjI]
   6.162 -                       addSDs [impOfSubs Fake_parts_insert]
   6.163 -                       addDs  [impOfSubs analz_subset_parts]) 1);
   6.164 -val lemma = result();
   6.165 -
   6.166 -goal thy 
   6.167 - "!!evs. [| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(sees lost Spy evs); \
   6.168 -\           Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(sees lost Spy evs); \
   6.169 -\           Nonce NA ~: analz (sees lost Spy evs);                            \
   6.170 -\           evs : ns_public |]                                                \
   6.171 -\        ==> A=A' & B=B'";
   6.172 -by (prove_unique_tac lemma 1);
   6.173 -qed "unique_NA";
   6.174 -
   6.175 -
   6.176  (*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure*)
   6.177  goal thy 
   6.178   "!!evs. [| Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;         \
   6.179  \           A ~: lost;  B ~: lost;  evs : ns_public |]                        \
   6.180 -\        ==>  Nonce NA ~: analz (sees lost Spy evs)";
   6.181 +\        ==>  Nonce NA ~: analz (sees Spy evs)";
   6.182  by (etac rev_mp 1);
   6.183  by (analz_induct_tac 1);
   6.184  (*NS3*)
   6.185 -by (blast_tac (!claset addDs  [Says_imp_sees_Spy' RS parts.Inj]
   6.186 +by (blast_tac (!claset addDs  [Says_imp_sees_Spy RS parts.Inj]
   6.187                         addEs  [no_nonce_NS1_NS2 RSN (2, rev_notE)]) 4);
   6.188  (*NS2*)
   6.189  by (blast_tac (!claset addSEs [MPair_parts]
   6.190 -		       addDs  [Says_imp_sees_Spy' RS parts.Inj,
   6.191 +		       addDs  [Says_imp_sees_Spy RS parts.Inj,
   6.192  			       parts.Body, unique_NA]) 3);
   6.193  (*NS1*)
   6.194  by (blast_tac (!claset addSEs sees_Spy_partsEs
   6.195 @@ -168,7 +163,7 @@
   6.196  \        ==> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB|}): set evs";
   6.197  by (etac rev_mp 1);
   6.198  (*prepare induction over Crypt (pubK A) {|NA,NB|} : parts H*)
   6.199 -by (etac (Says_imp_sees_Spy' RS parts.Inj RS rev_mp) 1);
   6.200 +by (etac (Says_imp_sees_Spy RS parts.Inj RS rev_mp) 1);
   6.201  by (etac ns_public.induct 1);
   6.202  by (ALLGOALS Asm_simp_tac);
   6.203  (*NS1*)
   6.204 @@ -179,25 +174,20 @@
   6.205  			       impOfSubs analz_subset_parts]) 1);
   6.206  (*NS2; not clear why blast_tac needs to be preceeded by Step_tac*)
   6.207  by (Step_tac 1);
   6.208 -by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj,
   6.209 +by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj,
   6.210  			      Spy_not_see_NA, unique_NA]) 1);
   6.211  qed "A_trusts_NS2";
   6.212  
   6.213  (*If the encrypted message appears then it originated with Alice in NS1*)
   6.214  goal thy 
   6.215 - "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees lost Spy evs); \
   6.216 -\           Nonce NA ~: analz (sees lost Spy evs);                 \
   6.217 + "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs); \
   6.218 +\           Nonce NA ~: analz (sees Spy evs);                 \
   6.219  \           evs : ns_public |]                                     \
   6.220  \   ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
   6.221  by (etac rev_mp 1);
   6.222  by (etac rev_mp 1);
   6.223 -by (analz_induct_tac 1);
   6.224 -(*Fake*)
   6.225 -by (blast_tac (!claset addSDs [impOfSubs Fake_parts_insert]
   6.226 -                       addIs  [analz_insertI]
   6.227 -                       addDs  [impOfSubs analz_subset_parts]) 2);
   6.228 -(*Base*)
   6.229 -by (Blast_tac 1);
   6.230 +by (parts_induct_tac 1);
   6.231 +by (Fake_parts_insert_tac 1);
   6.232  qed "B_trusts_NS1";
   6.233  
   6.234  
   6.235 @@ -207,31 +197,26 @@
   6.236  (*Unicity for NS2: nonce NB identifies agent A and nonce NA
   6.237    [proof closely follows that for unique_NA] *)
   6.238  goal thy 
   6.239 - "!!evs. [| Nonce NB ~: analz (sees lost Spy evs);  evs : ns_public |]      \
   6.240 + "!!evs. [| Nonce NB ~: analz (sees Spy evs);  evs : ns_public |]      \
   6.241  \ ==> EX A' NA'. ALL A NA.                                                  \
   6.242  \      Crypt (pubK A) {|Nonce NA, Nonce NB|}                                \
   6.243 -\        : parts (sees lost Spy evs)  -->  A=A' & NA=NA'";
   6.244 +\        : parts (sees Spy evs)  -->  A=A' & NA=NA'";
   6.245  by (etac rev_mp 1);
   6.246 -by (analz_induct_tac 1);
   6.247 +by (parts_induct_tac 1);
   6.248 +by (ALLGOALS
   6.249 +    (asm_simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees])));
   6.250  (*NS2*)
   6.251 -by (simp_tac (!simpset addsimps [all_conj_distrib]) 3);
   6.252 -by (expand_case_tac "NB = ?y" 3 THEN
   6.253 -    REPEAT (blast_tac (!claset addSEs partsEs) 3));
   6.254 -(*Base*)
   6.255 -by (Blast_tac 1);
   6.256 +by (expand_case_tac "NB = ?y" 2 THEN blast_tac (!claset addSEs partsEs) 2);
   6.257  (*Fake*)
   6.258 -by (simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees]) 1);
   6.259  by (step_tac (!claset addSIs [analz_insertI]) 1);
   6.260  by (ex_strip_tac 1);
   6.261 -by (blast_tac (!claset delrules [conjI]
   6.262 -                      addSDs [impOfSubs Fake_parts_insert]
   6.263 -                      addDs  [impOfSubs analz_subset_parts]) 1);
   6.264 +by (Fake_parts_insert_tac 1);
   6.265  val lemma = result();
   6.266  
   6.267  goal thy 
   6.268 - "!!evs. [| Crypt(pubK A) {|Nonce NA, Nonce NB|}  : parts(sees lost Spy evs); \
   6.269 -\           Crypt(pubK A'){|Nonce NA', Nonce NB|} : parts(sees lost Spy evs); \
   6.270 -\           Nonce NB ~: analz (sees lost Spy evs);                            \
   6.271 + "!!evs. [| Crypt(pubK A) {|Nonce NA, Nonce NB|}  : parts(sees Spy evs); \
   6.272 +\           Crypt(pubK A'){|Nonce NA', Nonce NB|} : parts(sees Spy evs); \
   6.273 +\           Nonce NB ~: analz (sees Spy evs);                            \
   6.274  \           evs : ns_public |]                                                \
   6.275  \        ==> A=A' & NA=NA'";
   6.276  by (prove_unique_tac lemma 1);
   6.277 @@ -243,7 +228,7 @@
   6.278   "!!evs.[| Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evs;  \
   6.279  \          (ALL C. Says A C (Crypt (pubK C) (Nonce NB)) ~: set evs);    \
   6.280  \          A ~: lost;  B ~: lost;  evs : ns_public |]                   \
   6.281 -\       ==> Nonce NB ~: analz (sees lost Spy evs)";
   6.282 +\       ==> Nonce NB ~: analz (sees Spy evs)";
   6.283  by (etac rev_mp 1);
   6.284  by (etac rev_mp 1);
   6.285  by (analz_induct_tac 1);
   6.286 @@ -256,10 +241,10 @@
   6.287  by (step_tac (!claset delrules [allI]) 1);
   6.288  by (Blast_tac 5);
   6.289  (*NS3*)
   6.290 -by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj, unique_NB]) 4);
   6.291 +by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj, unique_NB]) 4);
   6.292  (*NS2*)
   6.293  by (blast_tac (!claset addSEs sees_Spy_partsEs) 3);
   6.294 -by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
   6.295 +by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
   6.296                         addEs  [no_nonce_NS1_NS2 RSN (2, rev_notE)]) 2);
   6.297  by (blast_tac (!claset addSIs [impOfSubs analz_subset_parts]) 1);
   6.298  qed "Spy_not_see_NB";
   6.299 @@ -276,8 +261,8 @@
   6.300  \        ==> EX C. Says A C (Crypt (pubK C) (Nonce NB)) : set evs";
   6.301  by (etac rev_mp 1);
   6.302  (*prepare induction over Crypt (pubK B) NB : parts H*)
   6.303 -by (etac (Says_imp_sees_Spy' RS parts.Inj RS rev_mp) 1);
   6.304 -by (analz_induct_tac 1);
   6.305 +by (etac (Says_imp_sees_Spy RS parts.Inj RS rev_mp) 1);
   6.306 +by (parts_induct_tac 1);
   6.307  by (ALLGOALS (asm_simp_tac (!simpset addsimps [ex_disj_distrib])));
   6.308  (*NS1*)
   6.309  by (blast_tac (!claset addSEs sees_Spy_partsEs) 2);
   6.310 @@ -287,7 +272,7 @@
   6.311  			       impOfSubs analz_subset_parts]) 1);
   6.312  (*NS3; not clear why blast_tac needs to be preceeded by Step_tac*)
   6.313  by (Step_tac 1);
   6.314 -by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj,
   6.315 +by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj,
   6.316  			      Spy_not_see_NB, unique_NB]) 1);
   6.317  qed "B_trusts_NS3";
   6.318  
   6.319 @@ -296,11 +281,11 @@
   6.320  goal thy 
   6.321   "!!evs. [| A ~: lost;  B ~: lost;  evs : ns_public |]           \
   6.322  \ ==> Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evs \
   6.323 -\     --> Nonce NB ~: analz (sees lost Spy evs)";
   6.324 +\     --> Nonce NB ~: analz (sees Spy evs)";
   6.325  by (analz_induct_tac 1);
   6.326  (*NS1*)
   6.327  by (blast_tac (!claset addSEs partsEs
   6.328 -                       addSDs [Says_imp_sees_Spy' RS parts.Inj]) 2);
   6.329 +                       addSDs [Says_imp_sees_Spy RS parts.Inj]) 2);
   6.330  (*Fake*)
   6.331  by (spy_analz_tac 1);
   6.332  (*NS2 and NS3*)
   6.333 @@ -308,12 +293,12 @@
   6.334  by (blast_tac (!claset addSIs [impOfSubs analz_subset_parts, usedI]) 1);
   6.335  (*NS2*)
   6.336  by (blast_tac (!claset addSEs partsEs
   6.337 -                       addSDs [Says_imp_sees_Spy' RS parts.Inj]) 2);
   6.338 -by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
   6.339 +                       addSDs [Says_imp_sees_Spy RS parts.Inj]) 2);
   6.340 +by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
   6.341                         addEs  [no_nonce_NS1_NS2 RSN (2, rev_notE)]) 1);
   6.342  (*NS3*)
   6.343 -by (forw_inst_tac [("A'","A")] (Says_imp_sees_Spy' RS parts.Inj RS unique_NB) 1
   6.344 -    THEN REPEAT (eresolve_tac [asm_rl, Says_imp_sees_Spy' RS parts.Inj] 1));
   6.345 +by (forw_inst_tac [("A'","A")] (Says_imp_sees_Spy RS parts.Inj RS unique_NB) 1
   6.346 +    THEN REPEAT (eresolve_tac [asm_rl, Says_imp_sees_Spy RS parts.Inj] 1));
   6.347  by (Step_tac 1);
   6.348  
   6.349  (*
   6.350 @@ -322,14 +307,14 @@
   6.351  !!evs. [| A ~: lost; B ~: lost; evs : ns_public |]
   6.352         ==> Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|})
   6.353             : set evs -->
   6.354 -           Nonce NB ~: analz (sees lost Spy evs)
   6.355 +           Nonce NB ~: analz (sees Spy evs)
   6.356   1. !!evs Aa Ba B' NAa NBa evsa.
   6.357         [| A ~: lost; B ~: lost; evsa : ns_public; A ~= Ba;
   6.358            Says B' A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evsa;
   6.359            Says A Ba (Crypt (pubK Ba) {|Nonce NA, Agent A|}) : set evsa;
   6.360            Ba : lost;
   6.361            Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evsa;
   6.362 -          Nonce NB ~: analz (sees lost Spy evsa) |]
   6.363 +          Nonce NB ~: analz (sees Spy evsa) |]
   6.364         ==> False
   6.365  *)
   6.366  
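--- a/src/HOL/Auth/NS_Public_Bad.thy
+++ b/src/HOL/Auth/NS_Public_Bad.thy
@@ -13,8 +13,7 @@
 
 NS_Public_Bad = Public + 
 
-consts  lost       :: agent set        (*No need for it to be a variable*)
-	ns_public  :: event list set
+consts  ns_public  :: event list set
 
 inductive ns_public
   intrs 
@@ -25,7 +24,7 @@
            invent new nonces here, but he can also use NS1.  Common to
            all similar protocols.*)
     Fake "[| evs: ns_public;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
+             X: synth (analz (sees Spy evs)) |]
           ==> Says Spy B X  # evs : ns_public"
 
          (*Alice initiates a protocol run, sending a nonce to Bob*)
@@ -47,8 +46,4 @@
 
   (**Oops message??**)
 
-rules
-  (*Spy has access to his own key for spoof messages*)
-  Spy_in_lost "Spy: lost"
-
 end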
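Review bot: With the local `consts lost` declaration and the `Spy_in_lost` rule removed, this theory no longer shows anywhere that the Spy belongs to the compromised set, although the Fake rule and every guarantee stated under `A ~: lost` and `B ~: lost` rest on that assumption. The declaration and its axioms presumably now come from a parent theory reached through `Public`. A short comment next to `consts ns_public`, for example `(*"lost" and Spy_in_lost are inherited via Public*)`, would let a reader auditing the threat model find them. It is also worth saying there that `lost` is now a single fixed constant shared by all protocol theories, since that is the modelling change the commit makes.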
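--- a/src/HOL/Auth/NS_Shared.ML
+++ b/src/HOL/Auth/NS_Shared.ML
@@ -15,14 +15,11 @@
 proof_timing:=true;
 HOL_quantifiers := false;
 
-(*Replacing the variable by a constant improves search speed by 50%!*)
-val Says_imp_sees_Spy' = read_instantiate [("lost","lost")] Says_imp_sees_Spy;
-
 
 (*A "possibility property": there are traces that reach the end*)
 goal thy 
  "!!A B. [| A ~= B; A ~= Server; B ~= Server |]       \
-\        ==> EX N K. EX evs: ns_shared lost.          \
+\        ==> EX N K. EX evs: ns_shared.          \
 \               Says A B (Crypt K {|Nonce N, Nonce N|}) : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (ns_shared.Nil RS ns_shared.NS1 RS ns_shared.NS2 RS 
@@ -34,7 +31,7 @@
 (**** Inductive proofs about ns_shared ****)
 
 (*Nobody sends themselves messages*)
-goal thy "!!evs. evs : ns_shared lost ==> ALL A X. Says A A X ~: set evs";
+goal thy "!!evs. evs : ns_shared ==> ALL A X. Says A A X ~: set evs";
 by (etac ns_shared.induct 1);
 by (Auto_tac());
 qed_spec_mp "not_Says_to_self";
@@ -43,48 +40,46 @@
 
 (*For reasoning about the encrypted portion of message NS3*)
 goal thy "!!evs. Says S A (Crypt KA {|N, B, K, X|}) : set evs \
-\                ==> X : parts (sees lost Spy evs)";
+\                ==> X : parts (sees Spy evs)";
 by (blast_tac (!claset addSEs sees_Spy_partsEs) 1);
 qed "NS3_msg_in_parts_sees_Spy";
                               
 goal thy
     "!!evs. Says Server A (Crypt (shrK A) {|NA, B, K, X|}) : set evs \
-\           ==> K : parts (sees lost Spy evs)";
+\           ==> K : parts (sees Spy evs)";
 by (blast_tac (!claset addSEs sees_Spy_partsEs) 1);
 qed "Oops_parts_sees_Spy";
 
-(*For proving the easier theorems about X ~: parts (sees lost Spy evs).
-  We instantiate the variable to "lost" since leaving it as a Var would
-  interfere with simplification.*)
-val parts_induct_tac = 
-    etac ns_shared.induct 1  THEN 
-    dres_inst_tac [("lost","lost")] NS3_msg_in_parts_sees_Spy 5  THEN
-    forw_inst_tac [("lost","lost")] Oops_parts_sees_Spy 8  THEN
-    prove_simple_subgoals_tac 1;
+(*For proving the easier theorems about X ~: parts (sees Spy evs).*)
+fun parts_induct_tac i = 
+    etac ns_shared.induct i  THEN 
+    forward_tac [Oops_parts_sees_Spy] (i+7)  THEN
+    dtac NS3_msg_in_parts_sees_Spy (i+4)     THEN
+    prove_simple_subgoals_tac i;
 
 
-(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
+(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
     sends messages containing X! **)
 
 (*Spy never sees another agent's shared key! (unless it's lost at start)*)
 goal thy 
- "!!evs. evs : ns_shared lost \
-\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
-by parts_induct_tac;
+ "!!evs. evs : ns_shared \
+\        ==> (Key (shrK A) : parts (sees Spy evs)) = (A : lost)";
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (Blast_tac 1);
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
 goal thy 
- "!!evs. evs : ns_shared lost \
-\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
+ "!!evs. evs : ns_shared \
+\        ==> (Key (shrK A) : analz (sees Spy evs)) = (A : lost)";
 by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
 
-goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
-\                  evs : ns_shared lost |] ==> A:lost";
+goal thy  "!!A. [| Key (shrK A) : parts (sees Spy evs);       \
+\                  evs : ns_shared |] ==> A:lost";
 by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
 qed "Spy_see_shrK_D";
 
@@ -93,9 +88,9 @@
 
 
 (*Nobody can have used non-existent keys!*)
-goal thy "!!evs. evs : ns_shared lost ==>      \
-\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
-by parts_induct_tac;
+goal thy "!!evs. evs : ns_shared ==>      \
+\         Key K ~: used evs --> K ~: keysFor (parts (sees Spy evs))";
+by (parts_induct_tac 1);
 (*Fake*)
 by (best_tac
       (!claset addIs [impOfSubs analz_subset_parts]
@@ -119,7 +114,7 @@
 goal thy 
  "!!evs. [| Says Server A (Crypt K' {|N, Agent B, Key K, X|}) \
 \             : set evs;                                      \
-\           evs : ns_shared lost |]                           \
+\           evs : ns_shared |]                           \
 \        ==> K ~: range shrK &                                \
 \            X = (Crypt (shrK B) {|Key K, Agent A|}) &        \
 \            K' = shrK A";
@@ -132,15 +127,15 @@
 (*If the encrypted message appears then it originated with the Server*)
 goal thy
  "!!evs. [| Crypt (shrK A) {|NA, Agent B, Key K, X|}                   \
-\            : parts (sees lost Spy evs);                              \
-\           A ~: lost;  evs : ns_shared lost |]                        \
+\            : parts (sees Spy evs);                              \
+\           A ~: lost;  evs : ns_shared |]                        \
 \         ==> X = (Crypt (shrK B) {|Key K, Agent A|}) &                \
 \             Says Server A                                            \
 \              (Crypt (shrK A) {|NA, Agent B, Key K,                   \
 \                                Crypt (shrK B) {|Key K, Agent A|}|})  \
 \             : set evs";
 by (etac rev_mp 1);
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (Auto_tac());
 qed "A_trusts_NS2";
@@ -151,11 +146,11 @@
   Use Says_Server_message_form if applicable.*)
 goal thy 
  "!!evs. [| Says S A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|})      \
-\            : set evs;          evs : ns_shared lost |]                   \
+\            : set evs;          evs : ns_shared |]                   \
 \        ==> (K ~: range shrK & X = (Crypt (shrK B) {|Key K, Agent A|}))   \
-\            | X : analz (sees lost Spy evs)";
+\            | X : analz (sees Spy evs)";
 by (case_tac "A : lost" 1);
-by (fast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]
+by (fast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]
                       addss (!simpset)) 1);
 by (forward_tac [Says_imp_sees_Spy RS parts.Inj] 1);
 by (blast_tac (!claset addEs  partsEs
@@ -163,18 +158,18 @@
 qed "Says_S_message_form";
 
 
-(*For proofs involving analz.  We again instantiate the variable to "lost".*)
+(*For proofs involving analz.*)
 val analz_sees_tac = 
-    forw_inst_tac [("lost","lost")] Says_Server_message_form 8 THEN
-    forw_inst_tac [("lost","lost")] Says_S_message_form 5 THEN 
+    forward_tac [Says_Server_message_form] 8 THEN
+    forward_tac [Says_S_message_form] 5 THEN 
     REPEAT_FIRST (eresolve_tac [asm_rl, conjE, disjE] ORELSE' hyp_subst_tac);
 
 
 (****
  The following is to prove theorems of the form
 
-  Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
-  Key K : analz (sees lost Spy evs)
+  Key K : analz (insert (Key KAB) (sees Spy evs)) ==>
+  Key K : analz (sees Spy evs)
 
  A more general formula must be proved inductively.
 
@@ -185,10 +180,10 @@
   to encrypt messages containing other keys, in the actual protocol.
   We require that agents should behave like this subsequently also.*)
 goal thy 
- "!!evs. [| evs : ns_shared lost;  Kab ~: range shrK |] ==>  \
-\           (Crypt KAB X) : parts (sees lost Spy evs) &      \
-\           Key K : parts {X} --> Key K : parts (sees lost Spy evs)";
-by parts_induct_tac;
+ "!!evs. [| evs : ns_shared;  Kab ~: range shrK |] ==>  \
+\           (Crypt KAB X) : parts (sees Spy evs) &      \
+\           Key K : parts {X} --> Key K : parts (sees Spy evs)";
+by (parts_induct_tac 1);
 (*Deals with Faked messages*)
 by (blast_tac (!claset addSEs partsEs
                        addDs [impOfSubs parts_insert_subset_Un]) 1);
@@ -201,10 +196,10 @@
 
 (*The equality makes the induction hypothesis easier to apply*)
 goal thy  
- "!!evs. evs : ns_shared lost ==>                                \
+ "!!evs. evs : ns_shared ==>                                \
 \  ALL K KK. KK <= Compl (range shrK) -->                        \
-\            (Key K : analz (Key``KK Un (sees lost Spy evs))) =  \
-\            (K : KK | Key K : analz (sees lost Spy evs))";
+\            (Key K : analz (Key``KK Un (sees Spy evs))) =  \
+\            (K : KK | Key K : analz (sees Spy evs))";
 by (etac ns_shared.induct 1);
 by analz_sees_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -219,9 +214,9 @@
 
 
 goal thy
- "!!evs. [| evs : ns_shared lost;  KAB ~: range shrK |] ==>     \
-\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) = \
-\        (K = KAB | Key K : analz (sees lost Spy evs))";
+ "!!evs. [| evs : ns_shared;  KAB ~: range shrK |] ==>     \
+\        Key K : analz (insert (Key KAB) (sees Spy evs)) = \
+\        (K = KAB | Key K : analz (sees Spy evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
@@ -229,7 +224,7 @@
 (** The session key K uniquely identifies the message **)
 
 goal thy 
- "!!evs. evs : ns_shared lost ==>                                        \
+ "!!evs. evs : ns_shared ==>                                        \
 \      EX A' NA' B' X'. ALL A NA B X.                                    \
 \       Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|})         \
 \       : set evs -->         A=A' & NA=NA' & B=B' & X=X'";
@@ -254,7 +249,7 @@
 \           Says Server A'                                   \
 \             (Crypt (shrK A') {|NA', Agent B', Key K, X'|}) \
 \                  : set evs;                                \
-\           evs : ns_shared lost |] ==> A=A' & NA=NA' & B=B' & X = X'";
+\           evs : ns_shared |] ==> A=A' & NA=NA' & B=B' & X = X'";
 by (prove_unique_tac lemma 1);
 qed "unique_session_keys";
 
@@ -262,13 +257,13 @@
 (** Crucial secrecy property: Spy does not see the keys sent in msg NS2 **)
 
 goal thy 
- "!!evs. [| A ~: lost;  B ~: lost;  evs : ns_shared lost |]            \
+ "!!evs. [| A ~: lost;  B ~: lost;  evs : ns_shared |]            \
 \        ==> Says Server A                                             \
 \              (Crypt (shrK A) {|NA, Agent B, Key K,                   \
 \                                Crypt (shrK B) {|Key K, Agent A|}|})  \
 \             : set evs -->                                            \
 \        (ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs) -->         \
-\        Key K ~: analz (sees lost Spy evs)";
+\        Key K ~: analz (sees Spy evs)";
 by (etac ns_shared.induct 1);
 by analz_sees_tac;
 by (ALLGOALS 
@@ -287,7 +282,7 @@
 by (spy_analz_tac 1);
 (*NS3*) (**LEVEL 6 **)
 by (step_tac (!claset delrules [impCE]) 1);
-by (forward_tac [Says_imp_sees_Spy' RS parts.Inj RS A_trusts_NS2] 1);
+by (forward_tac [Says_imp_sees_Spy RS parts.Inj RS A_trusts_NS2] 1);
 by (assume_tac 2);
 by (blast_tac (!claset addDs [Says_imp_sees_Spy RS analz.Inj RS
 			      Crypt_Spy_analz_lost]) 1);
@@ -300,8 +295,8 @@
  "!!evs. [| Says Server A                                               \
 \            (Crypt K' {|NA, Agent B, Key K, X|}) : set evs;            \
 \           (ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs);          \
-\           A ~: lost;  B ~: lost;  evs : ns_shared lost                \
-\        |] ==> Key K ~: analz (sees lost Spy evs)";
+\           A ~: lost;  B ~: lost;  evs : ns_shared                \
+\        |] ==> Key K ~: analz (sees Spy evs)";
 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
 by (blast_tac (!claset addSDs [lemma]) 1);
 qed "Spy_not_see_encrypted_key";
@@ -314,14 +309,14 @@
 
 (*If the encrypted message appears then it originated with the Server*)
 goal thy
- "!!evs. [| Crypt (shrK B) {|Key K, Agent A|} : parts (sees lost Spy evs); \
-\           B ~: lost;  evs : ns_shared lost |]                        \
+ "!!evs. [| Crypt (shrK B) {|Key K, Agent A|} : parts (sees Spy evs); \
+\           B ~: lost;  evs : ns_shared |]                        \
 \         ==> EX NA. Says Server A                                     \
 \              (Crypt (shrK A) {|NA, Agent B, Key K,                   \
 \                                Crypt (shrK B) {|Key K, Agent A|}|})  \
 \             : set evs";
 by (etac rev_mp 1);
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 (*Fake case*)
 by (ALLGOALS Blast_tac);
@@ -329,16 +324,16 @@
 
 
 goal thy
- "!!evs. [| B ~: lost;  evs : ns_shared lost |]                        \
-\        ==> Key K ~: analz (sees lost Spy evs) -->                    \
+ "!!evs. [| B ~: lost;  evs : ns_shared |]                        \
+\        ==> Key K ~: analz (sees Spy evs) -->                    \
 \            Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|})  \
 \            : set evs -->                                             \
-\            Crypt K (Nonce NB) : parts (sees lost Spy evs) -->        \
+\            Crypt K (Nonce NB) : parts (sees Spy evs) -->        \
 \            Says B A (Crypt K (Nonce NB)) : set evs";
 by (etac ns_shared.induct 1);
 by (forward_tac [Says_S_message_form] 5 THEN assume_tac 5);     
-by (dres_inst_tac [("lost","lost")] NS3_msg_in_parts_sees_Spy 5);
-by (forw_inst_tac [("lost","lost")] Oops_parts_sees_Spy 8);
+by (dtac NS3_msg_in_parts_sees_Spy 5);
+by (forward_tac [Oops_parts_sees_Spy] 8);
 by (TRYALL (rtac impI));
 by (REPEAT_FIRST
     (dtac (sees_subset_sees_Says RS analz_mono RS contra_subsetD)));
@@ -349,25 +344,25 @@
 by (Blast_tac 2);
 by (REPEAT_FIRST (rtac impI ORELSE' etac conjE ORELSE' hyp_subst_tac));
 (*Subgoal 1: contradiction from the assumptions  
-  Key K ~: used evsa  and Crypt K (Nonce NB) : parts (sees lost Spy evsa) *)
+  Key K ~: used evsa  and Crypt K (Nonce NB) : parts (sees Spy evsa) *)
 by (dtac Crypt_imp_invKey_keysFor 1);
 (**LEVEL 11**)
 by (Asm_full_simp_tac 1);
 by (rtac disjI1 1);
 by (thin_tac "?PP-->?QQ" 1);
 by (case_tac "Ba : lost" 1);
-by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj RS B_trusts_NS3, 
+by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj RS B_trusts_NS3, 
 			      unique_session_keys]) 2);
 by (blast_tac (!claset addDs [Says_imp_sees_Spy RS analz.Inj RS
 			      Crypt_Spy_analz_lost]) 1);
 val lemma = result();
 
 goal thy
- "!!evs. [| Crypt K (Nonce NB) : parts (sees lost Spy evs);           \
+ "!!evs. [| Crypt K (Nonce NB) : parts (sees Spy evs);           \
 \           Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|})  \
 \           : set evs;                                                \
 \           ALL NB. Says A Spy {|NA, NB, Key K|} ~: set evs;          \
-\           A ~: lost;  B ~: lost;  evs : ns_shared lost |]           \
+\           A ~: lost;  B ~: lost;  evs : ns_shared |]           \
 \        ==> Says B A (Crypt K (Nonce NB)) : set evs";
 by (blast_tac (!claset addSIs [lemma RS mp RS mp RS mp]
                        addSEs [Spy_not_see_encrypted_key RSN (2,rev_notE)]) 1);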
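--- a/src/HOL/Auth/NS_Shared.thy
+++ b/src/HOL/Auth/NS_Shared.thy
@@ -12,69 +12,69 @@
 
 NS_Shared = Shared + 
 
-consts  ns_shared   :: agent set => event list set
-inductive "ns_shared lost"
+consts  ns_shared   :: event list set
+inductive "ns_shared"
   intrs 
          (*Initial trace is empty*)
-    Nil  "[]: ns_shared lost"
+    Nil  "[]: ns_shared"
 
          (*The spy MAY say anything he CAN say.  We do not expect him to
            invent new nonces here, but he can also use NS1.  Common to
            all similar protocols.*)
-    Fake "[| evs: ns_shared lost;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
-          ==> Says Spy B X # evs : ns_shared lost"
+    Fake "[| evs: ns_shared;  B ~= Spy;  
+             X: synth (analz (sees Spy evs)) |]
+          ==> Says Spy B X # evs : ns_shared"
 
          (*Alice initiates a protocol run, requesting to talk to any B*)
-    NS1  "[| evs: ns_shared lost;  A ~= Server;  Nonce NA ~: used evs |]
+    NS1  "[| evs: ns_shared;  A ~= Server;  Nonce NA ~: used evs |]
           ==> Says A Server {|Agent A, Agent B, Nonce NA|} # evs
-                :  ns_shared lost"
+                :  ns_shared"
 
          (*Server's response to Alice's message.
            !! It may respond more than once to A's request !!
 	   Server doesn't know who the true sender is, hence the A' in
                the sender field.*)
-    NS2  "[| evs: ns_shared lost;  A ~= B;  A ~= Server;  Key KAB ~: used evs;
+    NS2  "[| evs: ns_shared;  A ~= B;  A ~= Server;  Key KAB ~: used evs;
              Says A' Server {|Agent A, Agent B, Nonce NA|} : set evs |]
           ==> Says Server A 
                 (Crypt (shrK A)
                    {|Nonce NA, Agent B, Key KAB,
                      (Crypt (shrK B) {|Key KAB, Agent A|})|}) 
-                # evs : ns_shared lost"
+                # evs : ns_shared"
 
           (*We can't assume S=Server.  Agent A "remembers" her nonce.
             Can inductively show A ~= Server*)
-    NS3  "[| evs: ns_shared lost;  A ~= B;
+    NS3  "[| evs: ns_shared;  A ~= B;
              Says S A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|}) 
                : set evs;
              Says A Server {|Agent A, Agent B, Nonce NA|} : set evs |]
-          ==> Says A B X # evs : ns_shared lost"
+          ==> Says A B X # evs : ns_shared"
 
          (*Bob's nonce exchange.  He does not know who the message came
            from, but responds to A because she is mentioned inside.*)
-    NS4  "[| evs: ns_shared lost;  A ~= B;  Nonce NB ~: used evs;
+    NS4  "[| evs: ns_shared;  A ~= B;  Nonce NB ~: used evs;
              Says A' B (Crypt (shrK B) {|Key K, Agent A|}) : set evs |]
           ==> Says B A (Crypt K (Nonce NB)) # evs
-                : ns_shared lost"
+                : ns_shared"
 
          (*Alice responds with Nonce NB if she has seen the key before.
            Maybe should somehow check Nonce NA again.
            We do NOT send NB-1 or similar as the Spy cannot spoof such things.
            Letting the Spy add or subtract 1 lets him send ALL nonces.
            Instead we distinguish the messages by sending the nonce twice.*)
-    NS5  "[| evs: ns_shared lost;  A ~= B;  
+    NS5  "[| evs: ns_shared;  A ~= B;  
              Says B' A (Crypt K (Nonce NB)) : set evs;
              Says S  A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|})
                : set evs |]
-          ==> Says A B (Crypt K {|Nonce NB, Nonce NB|}) # evs : ns_shared lost"
+          ==> Says A B (Crypt K {|Nonce NB, Nonce NB|}) # evs : ns_shared"
   
          (*This message models possible leaks of session keys.
            The two Nonces identify the protocol run: the rule insists upon
            the true senders in order to make them accurate.*)
-    Oops "[| evs: ns_shared lost;  A ~= Spy;
+    Oops "[| evs: ns_shared;  A ~= Spy;
              Says B A (Crypt K (Nonce NB)) : set evs;
              Says Server A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|})
                : set evs |]
-          ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : ns_shared lost"
+          ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : ns_shared"
 
 end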
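Review bot: After this change nothing in NS_Shared.thy says which agents are compromised: `lost` no longer appears in any rule of `ns_shared`, and within these rules the dependence on it is hidden inside `sees Spy evs` in the Fake rule. A short comment above `inductive "ns_shared"` would keep the threat model readable, for example `(*The compromised agents are the global constant "lost"; it enters these rules only via "sees Spy evs"*)`. The declaration of `lost` is not part of this section, so the theory that introduces it should be confirmed before the comment names one.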
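--- a/src/HOL/Auth/OtwayRees.ML
+++ b/src/HOL/Auth/OtwayRees.ML
@@ -17,14 +17,11 @@
 proof_timing:=true;
 HOL_quantifiers := false;
 
-(*Replacing the variable by a constant improves search speed by 50%!*)
-val Says_imp_sees_Spy' = read_instantiate [("lost","lost")] Says_imp_sees_Spy;
-
 
 (*A "possibility property": there are traces that reach the end*)
 goal thy 
  "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
-\        ==> EX K. EX NA. EX evs: otway lost.          \
+\        ==> EX K. EX NA. EX evs: otway.          \
 \               Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
 \                 : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
@@ -36,7 +33,7 @@
 (**** Inductive proofs about otway ****)
 
 (*Nobody sends themselves messages*)
-goal thy "!!evs. evs : otway lost ==> ALL A X. Says A A X ~: set evs";
+goal thy "!!evs. evs : otway ==> ALL A X. Says A A X ~: set evs";
 by (etac otway.induct 1);
 by (Auto_tac());
 qed_spec_mp "not_Says_to_self";
@@ -47,17 +44,17 @@
 (** For reasoning about the encrypted portion of messages **)
 
 goal thy "!!evs. Says A' B {|N, Agent A, Agent B, X|} : set evs \
-\                ==> X : analz (sees lost Spy evs)";
-by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1);
+\                ==> X : analz (sees Spy evs)";
+by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
 qed "OR2_analz_sees_Spy";
 
 goal thy "!!evs. Says S' B {|N, X, Crypt (shrK B) X'|} : set evs \
-\                ==> X : analz (sees lost Spy evs)";
-by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1);
+\                ==> X : analz (sees Spy evs)";
+by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
 qed "OR4_analz_sees_Spy";
 
 goal thy "!!evs. Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set evs \
-\                 ==> K : parts (sees lost Spy evs)";
+\                 ==> K : parts (sees Spy evs)";
 by (blast_tac (!claset addSEs sees_Spy_partsEs) 1);
 qed "Oops_parts_sees_Spy";
 
@@ -71,42 +68,36 @@
 bind_thm ("OR4_parts_sees_Spy",
           OR4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
 
-(*For proving the easier theorems about X ~: parts (sees lost Spy evs).
-  We instantiate the variable to "lost" since leaving it as a Var would
-  interfere with simplification.*)
-val parts_induct_tac = 
-    let val tac = forw_inst_tac [("lost","lost")] 
-    in  etac otway.induct	   1 THEN 
-	tac OR2_parts_sees_Spy     4 THEN 
-        tac OR4_parts_sees_Spy     6 THEN
-        tac Oops_parts_sees_Spy    7 THEN
-	prove_simple_subgoals_tac  1
-    end;
+(*For proving the easier theorems about X ~: parts (sees Spy evs).*)
+fun parts_induct_tac i = 
+    etac otway.induct i			THEN 
+    forward_tac [Oops_parts_sees_Spy] (i+6) THEN
+    forward_tac [OR4_parts_sees_Spy]  (i+5) THEN
+    forward_tac [OR2_parts_sees_Spy]  (i+3) THEN 
+    prove_simple_subgoals_tac  i;
 
 
-(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
+(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
     sends messages containing X! **)
 
 
 (*Spy never sees another agent's shared key! (unless it's lost at start)*)
 goal thy 
- "!!evs. evs : otway lost \
-\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
-by parts_induct_tac;
+ "!!evs. evs : otway ==> (Key (shrK A) : parts (sees Spy evs)) = (A : lost)";
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (Blast_tac 1);
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
 goal thy 
- "!!evs. evs : otway lost \
-\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
+ "!!evs. evs : otway ==> (Key (shrK A) : analz (sees Spy evs)) = (A : lost)";
 by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
 
-goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
-\                  evs : otway lost |] ==> A:lost";
+goal thy  "!!A. [| Key (shrK A) : parts (sees Spy evs);       \
+\                  evs : otway |] ==> A:lost";
 by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
 qed "Spy_see_shrK_D";
 
@@ -115,9 +106,9 @@
 
 
 (*Nobody can have used non-existent keys!*)
-goal thy "!!evs. evs : otway lost ==>          \
-\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
-by parts_induct_tac;
+goal thy "!!evs. evs : otway ==>          \
+\         Key K ~: used evs --> K ~: keysFor (parts (sees Spy evs))";
+by (parts_induct_tac 1);
 (*Fake*)
 by (best_tac
       (!claset addIs [impOfSubs analz_subset_parts]
@@ -140,9 +131,8 @@
 (*Describes the form of K and NA when the Server sends this message.  Also
   for Oops case.*)
 goal thy 
- "!!evs. [| Says Server B                                                 \
-\            {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs;           \
-\           evs : otway lost |]                                           \
+ "!!evs. [| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
+\           evs : otway |]                                           \
 \     ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
 by (etac rev_mp 1);
 by (etac otway.induct 1);
@@ -151,11 +141,11 @@
 qed "Says_Server_message_form";
 
 
-(*For proofs involving analz.  We again instantiate the variable to "lost".*)
+(*For proofs involving analz.*)
 val analz_sees_tac = 
-    dres_inst_tac [("lost","lost")] OR2_analz_sees_Spy 4 THEN 
-    dres_inst_tac [("lost","lost")] OR4_analz_sees_Spy 6 THEN
-    forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN
+    dtac OR2_analz_sees_Spy 4 THEN 
+    dtac OR4_analz_sees_Spy 6 THEN
+    forward_tac [Says_Server_message_form] 7 THEN
     assume_tac 7 THEN
     REPEAT ((eresolve_tac [exE, conjE] ORELSE' hyp_subst_tac) 7);
 
@@ -163,8 +153,8 @@
 (****
  The following is to prove theorems of the form
 
-  Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
-  Key K : analz (sees lost Spy evs)
+  Key K : analz (insert (Key KAB) (sees Spy evs)) ==>
+  Key K : analz (sees Spy evs)
 
  A more general formula must be proved inductively.
 ****)
@@ -174,10 +164,10 @@
 
 (*The equality makes the induction hypothesis easier to apply*)
 goal thy  
- "!!evs. evs : otway lost ==>                                    \
-\  ALL K KK. KK <= Compl (range shrK) -->                        \
-\            (Key K : analz (Key``KK Un (sees lost Spy evs))) =  \
-\            (K : KK | Key K : analz (sees lost Spy evs))";
+ "!!evs. evs : otway ==>                                    \
+\  ALL K KK. KK <= Compl (range shrK) -->                   \
+\            (Key K : analz (Key``KK Un (sees Spy evs))) =  \
+\            (K : KK | Key K : analz (sees Spy evs))";
 by (etac otway.induct 1);
 by analz_sees_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -191,9 +181,9 @@
 
 
 goal thy
- "!!evs. [| evs : otway lost;  KAB ~: range shrK |] ==>          \
-\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) =  \
-\        (K = KAB | Key K : analz (sees lost Spy evs))";
+ "!!evs. [| evs : otway;  KAB ~: range shrK |] ==>          \
+\        Key K : analz (insert (Key KAB) (sees Spy evs)) =  \
+\        (K = KAB | Key K : analz (sees Spy evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
@@ -201,7 +191,7 @@
 (*** The Key K uniquely identifies the Server's  message. **)
 
 goal thy 
- "!!evs. evs : otway lost ==>                                             \
+ "!!evs. evs : otway ==>                                                  \
 \   EX B' NA' NB' X'. ALL B NA NB X.                                      \
 \     Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} : set evs -->     \
 \     B=B' & NA=NA' & NB=NB' & X=X'";
@@ -223,7 +213,7 @@
 \            : set evs;                                            \ 
 \           Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|}    \
 \            : set evs;                                            \
-\           evs : otway lost |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
+\           evs : otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
 by (prove_unique_tac lemma 1);
 qed "unique_session_keys";
 
@@ -233,13 +223,13 @@
 
 (*Only OR1 can have caused such a part of a message to appear.*)
 goal thy 
- "!!evs. [| A ~: lost;  evs : otway lost |]                        \
+ "!!evs. [| A ~: lost;  evs : otway |]                             \
 \        ==> Crypt (shrK A) {|NA, Agent A, Agent B|}               \
-\             : parts (sees lost Spy evs) -->                      \
+\             : parts (sees Spy evs) -->                           \
 \            Says A B {|NA, Agent A, Agent B,                      \
 \                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}  \
 \             : set evs";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 qed_spec_mp "Crypt_imp_OR1";
 
@@ -247,11 +237,11 @@
 (** The Nonce NA uniquely identifies A's message. **)
 
 goal thy 
- "!!evs. [| evs : otway lost; A ~: lost |]               \
-\ ==> EX B'. ALL B.                                      \
-\        Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (sees lost Spy evs) \
+ "!!evs. [| evs : otway; A ~: lost |]               \
+\ ==> EX B'. ALL B.                                 \
+\        Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (sees Spy evs) \
 \        --> B = B'";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (simp_tac (!simpset addsimps [all_conj_distrib]) 1); 
 (*OR1: creation of new Nonce.  Move assertion into global context*)
@@ -260,9 +250,9 @@
 val lemma = result();
 
 goal thy 
- "!!evs.[| Crypt (shrK A) {|NA, Agent A, Agent B|}: parts(sees lost Spy evs); \
-\          Crypt (shrK A) {|NA, Agent A, Agent C|}: parts(sees lost Spy evs); \
-\          evs : otway lost;  A ~: lost |]                                    \
+ "!!evs.[| Crypt (shrK A) {|NA, Agent A, Agent B|}: parts (sees Spy evs); \
+\          Crypt (shrK A) {|NA, Agent A, Agent C|}: parts (sees Spy evs); \
+\          evs : otway;  A ~: lost |]                                     \
 \        ==> B = C";
 by (prove_unique_tac lemma 1);
 qed "unique_NA";
@@ -272,12 +262,12 @@
   OR2 encrypts Nonce NB.  It prevents the attack that can occur in the
   over-simplified version of this protocol: see OtwayRees_Bad.*)
 goal thy 
- "!!evs. [| A ~: lost;  evs : otway lost |]                      \
-\        ==> Crypt (shrK A) {|NA, Agent A, Agent B|}             \
-\             : parts (sees lost Spy evs) -->                    \
-\            Crypt (shrK A) {|NA', NA, Agent A', Agent A|}       \
-\             ~: parts (sees lost Spy evs)";
-by parts_induct_tac;
+ "!!evs. [| A ~: lost;  evs : otway |]                      \
+\        ==> Crypt (shrK A) {|NA, Agent A, Agent B|}        \
+\             : parts (sees Spy evs) -->                    \
+\            Crypt (shrK A) {|NA', NA, Agent A', Agent A|}  \
+\             ~: parts (sees Spy evs)";
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (REPEAT (blast_tac (!claset addSEs sees_Spy_partsEs
                                addSDs  [impOfSubs parts_insert_subset_Un]) 1));
@@ -287,8 +277,8 @@
 (*Crucial property: If the encrypted message appears, and A has used NA
   to start a run, then it originated with the Server!*)
 goal thy 
- "!!evs. [| A ~: lost;  A ~= Spy;  evs : otway lost |]                 \
-\    ==> Crypt (shrK A) {|NA, Key K|} : parts (sees lost Spy evs)      \
+ "!!evs. [| A ~: lost;  A ~= Spy;  evs : otway |]                 \
+\    ==> Crypt (shrK A) {|NA, Key K|} : parts (sees Spy evs)      \
 \        --> Says A B {|NA, Agent A, Agent B,                          \
 \                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}      \
 \             : set evs -->                                            \
@@ -297,7 +287,7 @@
 \                   Crypt (shrK A) {|NA, Key K|},                      \
 \                   Crypt (shrK B) {|NB, Key K|}|}                     \
 \                   : set evs)";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 (*OR1: it cannot be a new Nonce, contradiction.*)
 by (blast_tac (!claset addSIs [parts_insertI] addSEs sees_Spy_partsEs) 1);
@@ -311,10 +301,10 @@
 by (asm_simp_tac (!simpset addsimps [ex_disj_distrib]) 1);
 by (step_tac (!claset delrules [disjCI, impCE]) 1);
 by (blast_tac (!claset addSEs [MPair_parts]
-                      addSDs [Says_imp_sees_Spy' RS parts.Inj]
+                      addSDs [Says_imp_sees_Spy RS parts.Inj]
                       addEs  [no_nonce_OR1_OR2 RSN (2, rev_notE)]
                       delrules [conjI] (*stop split-up into 4 subgoals*)) 2);
-by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
+by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
                       addSEs [MPair_parts]
                       addIs  [unique_NA]) 1);
 qed_spec_mp "NA_Crypt_imp_Server_msg";
@@ -330,7 +320,7 @@
 \           Says A B {|NA, Agent A, Agent B,                       \
 \                      Crypt (shrK A) {|NA, Agent A, Agent B|}|}   \
 \            : set evs;                                            \
-\           A ~: lost;  A ~= Spy;  evs : otway lost |]             \
+\           A ~: lost;  A ~= Spy;  evs : otway |]                  \
 \        ==> EX NB. Says Server B                                  \
 \                     {|NA,                                        \
 \                       Crypt (shrK A) {|NA, Key K|},              \
@@ -346,12 +336,12 @@
     the premises, e.g. by having A=Spy **)
 
 goal thy 
- "!!evs. [| A ~: lost;  B ~: lost;  evs : otway lost |]                    \
-\        ==> Says Server B                                                 \
-\              {|NA, Crypt (shrK A) {|NA, Key K|},                         \
-\                Crypt (shrK B) {|NB, Key K|}|} : set evs -->              \
-\            Says B Spy {|NA, NB, Key K|} ~: set evs -->                   \
-\            Key K ~: analz (sees lost Spy evs)";
+ "!!evs. [| A ~: lost;  B ~: lost;  evs : otway |]                    \
+\        ==> Says Server B                                            \
+\              {|NA, Crypt (shrK A) {|NA, Key K|},                    \
+\                Crypt (shrK B) {|NB, Key K|}|} : set evs -->         \
+\            Says B Spy {|NA, NB, Key K|} ~: set evs -->              \
+\            Key K ~: analz (sees Spy evs)";
 by (etac otway.induct 1);
 by analz_sees_tac;
 by (ALLGOALS
@@ -371,12 +361,12 @@
 val lemma = result() RS mp RS mp RSN(2,rev_notE);
 
 goal thy 
- "!!evs. [| Says Server B                                                \
-\            {|NA, Crypt (shrK A) {|NA, Key K|},                         \
-\                  Crypt (shrK B) {|NB, Key K|}|} : set evs;             \
-\           Says B Spy {|NA, NB, Key K|} ~: set evs;                     \
-\           A ~: lost;  B ~: lost;  evs : otway lost |]                  \
-\        ==> Key K ~: analz (sees lost Spy evs)";
+ "!!evs. [| Says Server B                                           \
+\            {|NA, Crypt (shrK A) {|NA, Key K|},                    \
+\                  Crypt (shrK B) {|NB, Key K|}|} : set evs;        \
+\           Says B Spy {|NA, NB, Key K|} ~: set evs;                \
+\           A ~: lost;  B ~: lost;  evs : otway |]                  \
+\        ==> Key K ~: analz (sees Spy evs)";
 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
 by (blast_tac (!claset addSEs [lemma]) 1);
 qed "Spy_not_see_encrypted_key";
@@ -387,14 +377,14 @@
 (*Only OR2 can have caused such a part of a message to appear.  We do not
   know anything about X: it does NOT have to have the right form.*)
 goal thy 
- "!!evs. [| B ~: lost;  evs : otway lost |]                    \
+ "!!evs. [| B ~: lost;  evs : otway |]                         \
 \        ==> Crypt (shrK B) {|NA, NB, Agent A, Agent B|}       \
-\             : parts (sees lost Spy evs) -->                  \
+\             : parts (sees Spy evs) -->                       \
 \            (EX X. Says B Server                              \
 \             {|NA, Agent A, Agent B, X,                       \
 \               Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}  \
 \             : set evs)";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (ALLGOALS Blast_tac);
 bind_thm ("Crypt_imp_OR2", result() RSN (2,rev_mp) RS exE);
@@ -403,11 +393,11 @@
 (** The Nonce NB uniquely identifies B's  message. **)
 
 goal thy 
- "!!evs. [| evs : otway lost; B ~: lost |]               \
+ "!!evs. [| evs : otway; B ~: lost |]                    \
 \ ==> EX NA' A'. ALL NA A.                               \
-\      Crypt (shrK B) {|NA, NB, Agent A, Agent B|} : parts(sees lost Spy evs) \
+\      Crypt (shrK B) {|NA, NB, Agent A, Agent B|} : parts(sees Spy evs) \
 \      --> NA = NA' & A = A'";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (simp_tac (!simpset addsimps [all_conj_distrib]) 1); 
 (*OR2: creation of new Nonce.  Move assertion into global context*)
@@ -417,10 +407,10 @@
 
 goal thy 
  "!!evs.[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} \
-\                  : parts(sees lost Spy evs);         \
+\                  : parts(sees Spy evs);         \
 \          Crypt (shrK B) {|NC, NB, Agent C, Agent B|} \
-\                  : parts(sees lost Spy evs);         \
-\          evs : otway lost;  B ~: lost |]             \
+\                  : parts(sees Spy evs);         \
+\          evs : otway;  B ~: lost |]             \
 \        ==> NC = NA & C = A";
 by (prove_unique_tac lemma 1);
 qed "unique_NB";
@@ -429,8 +419,8 @@
 (*If the encrypted message appears, and B has used Nonce NB,
   then it originated with the Server!*)
 goal thy 
- "!!evs. [| B ~: lost;  B ~= Spy;  evs : otway lost |]                   \
-\    ==> Crypt (shrK B) {|NB, Key K|} : parts (sees lost Spy evs)        \
+ "!!evs. [| B ~: lost;  B ~= Spy;  evs : otway |]                        \
+\    ==> Crypt (shrK B) {|NB, Key K|} : parts (sees Spy evs)             \
 \        --> (ALL X'. Says B Server                                      \
 \                       {|NA, Agent A, Agent B, X',                      \
 \                         Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}  \
@@ -439,7 +429,7 @@
 \                  {|NA, Crypt (shrK A) {|NA, Key K|},                   \
 \                        Crypt (shrK B) {|NB, Key K|}|}                  \
 \                   : set evs)";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 (*OR1: it cannot be a new Nonce, contradiction.*)
 by (blast_tac (!claset addSIs [parts_insertI] addSEs sees_Spy_partsEs) 1);
@@ -448,11 +438,11 @@
 (*OR3*)
 by (step_tac (!claset delrules [disjCI, impCE]) 1);
 by (blast_tac (!claset delrules [conjI] (*stop split-up*)) 3); 
-by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
+by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
                        addSEs [MPair_parts]
                        addDs  [unique_NB]) 2);
 by (blast_tac (!claset addSEs [MPair_parts, no_nonce_OR1_OR2 RSN (2, rev_notE)]
-                       addSDs [Says_imp_sees_Spy' RS parts.Inj]
+                       addSDs [Says_imp_sees_Spy RS parts.Inj]
                        delrules [conjI, impCE] (*stop split-up*)) 1);
 qed_spec_mp "NB_Crypt_imp_Server_msg";
 
@@ -460,7 +450,7 @@
 (*Guarantee for B: if it gets a message with matching NB then the Server
   has sent the correct message.*)
 goal thy 
- "!!evs. [| B ~: lost;  B ~= Spy;  evs : otway lost;               \
+ "!!evs. [| B ~: lost;  B ~= Spy;  evs : otway;                    \
 \           Says S' B {|NA, X, Crypt (shrK B) {|NB, Key K|}|}      \
 \            : set evs;                                            \
 \           Says B Server {|NA, Agent A, Agent B, X',              \
@@ -480,16 +470,16 @@
 
 
 goal thy 
- "!!evs. [| B ~: lost;  evs : otway lost |]                           \
-\        ==> Says Server B                                            \
-\              {|NA, Crypt (shrK A) {|NA, Key K|},                    \
-\                Crypt (shrK B) {|NB, Key K|}|} : set evs -->         \
-\            (EX X. Says B Server {|NA, Agent A, Agent B, X,          \
+ "!!evs. [| B ~: lost;  evs : otway |]                           \
+\        ==> Says Server B                                       \
+\              {|NA, Crypt (shrK A) {|NA, Key K|},               \
+\                Crypt (shrK B) {|NB, Key K|}|} : set evs -->    \
+\            (EX X. Says B Server {|NA, Agent A, Agent B, X,     \
 \                            Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
 \            : set evs)";
 by (etac otway.induct 1);
 by (ALLGOALS Asm_simp_tac);
-by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj]
+by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj]
 		       addSEs [MPair_parts, Crypt_imp_OR2]) 3);
 by (ALLGOALS Blast_tac);
 bind_thm ("OR3_imp_OR2", result() RSN (2,rev_mp) RS exE);
@@ -502,7 +492,7 @@
  "!!evs. [| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs;       \
 \           Says A B {|NA, Agent A, Agent B,                                \
 \                      Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
-\           A ~: lost;  A ~= Spy;  B ~: lost;  evs : otway lost |]          \
+\           A ~: lost;  A ~= Spy;  B ~: lost;  evs : otway |]               \
 \        ==> EX NB X. Says B Server {|NA, Agent A, Agent B, X,              \
 \                              Crypt (shrK B)  {|NA, NB, Agent A, Agent B|} |}\
 \            : set evs";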
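--- a/src/HOL/Auth/OtwayRees.thy
+++ b/src/HOL/Auth/OtwayRees.thy
@@ -14,40 +14,40 @@
 
 OtwayRees = Shared + 
 
-consts  otway   :: agent set => event list set
-inductive "otway lost"
+consts  otway   :: event list set
+inductive "otway"
   intrs 
          (*Initial trace is empty*)
-    Nil  "[]: otway lost"
+    Nil  "[]: otway"
 
          (*The spy MAY say anything he CAN say.  We do not expect him to
            invent new nonces here, but he can also use NS1.  Common to
            all similar protocols.*)
-    Fake "[| evs: otway lost;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
-          ==> Says Spy B X  # evs : otway lost"
+    Fake "[| evs: otway;  B ~= Spy;  
+             X: synth (analz (sees Spy evs)) |]
+          ==> Says Spy B X  # evs : otway"
 
          (*Alice initiates a protocol run*)
-    OR1  "[| evs: otway lost;  A ~= B;  B ~= Server;  Nonce NA ~: used evs |]
+    OR1  "[| evs: otway;  A ~= B;  B ~= Server;  Nonce NA ~: used evs |]
           ==> Says A B {|Nonce NA, Agent A, Agent B, 
                          Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} 
-                 # evs : otway lost"
+                 # evs : otway"
 
          (*Bob's response to Alice's message.  Bob doesn't know who 
 	   the sender is, hence the A' in the sender field.
            Note that NB is encrypted.*)
-    OR2  "[| evs: otway lost;  B ~= Server;  Nonce NB ~: used evs;
+    OR2  "[| evs: otway;  B ~= Server;  Nonce NB ~: used evs;
              Says A' B {|Nonce NA, Agent A, Agent B, X|} : set evs |]
           ==> Says B Server 
                   {|Nonce NA, Agent A, Agent B, X, 
                     Crypt (shrK B)
                       {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
-                 # evs : otway lost"
+                 # evs : otway"
 
          (*The Server receives Bob's message and checks that the three NAs
            match.  Then he sends a new session key to Bob with a packet for
            forwarding to Alice.*)
-    OR3  "[| evs: otway lost;  B ~= Server;  Key KAB ~: used evs;
+    OR3  "[| evs: otway;  B ~= Server;  Key KAB ~: used evs;
              Says B' Server 
                   {|Nonce NA, Agent A, Agent B, 
                     Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}, 
@@ -57,24 +57,24 @@
                   {|Nonce NA, 
                     Crypt (shrK A) {|Nonce NA, Key KAB|},
                     Crypt (shrK B) {|Nonce NB, Key KAB|}|}
-                 # evs : otway lost"
+                 # evs : otway"
 
          (*Bob receives the Server's (?) message and compares the Nonces with
 	   those in the message he previously sent the Server.*)
-    OR4  "[| evs: otway lost;  A ~= B;  
+    OR4  "[| evs: otway;  A ~= B;  
              Says B Server {|Nonce NA, Agent A, Agent B, X', 
                              Crypt (shrK B)
                                    {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
                : set evs;
              Says S' B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
                : set evs |]
-          ==> Says B A {|Nonce NA, X|} # evs : otway lost"
+          ==> Says B A {|Nonce NA, X|} # evs : otway"
 
          (*This message models possible leaks of session keys.  The nonces
            identify the protocol run.*)
-    Oops "[| evs: otway lost;  B ~= Spy;
+    Oops "[| evs: otway;  B ~= Spy;
              Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
                : set evs |]
-          ==> Says B Spy {|Nonce NA, Nonce NB, Key K|} # evs : otway lost"
+          ==> Says B Spy {|Nonce NA, Nonce NB, Key K|} # evs : otway"
 
 end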
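Review bot: With the new signature `otway :: event list set`, nothing in this theory says that the trace set still depends on the set of compromised agents. It now does so only implicitly, through the constant `lost` that `sees Spy evs` consults in the Fake rule. A one-line comment above `consts otway`, for example `(*Traces are relative to the fixed constant "lost", the agents whose keys are compromised at the start*)`, would keep that modelling assumption visible to anyone reading the guarantees proved from it. The constant and its constraints are declared outside this file (the commit installs `Spy_in_lost` and `Server_not_lost` as default rules in Event.ML), so the comment should point there rather than restate them. The same comment would fit OtwayRees_AN.thy.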
    12.1 --- a/src/HOL/Auth/OtwayRees_AN.ML	Mon Jul 14 12:44:09 1997 +0200
    12.2 +++ b/src/HOL/Auth/OtwayRees_AN.ML	Mon Jul 14 12:47:21 1997 +0200
    12.3 @@ -21,7 +21,7 @@
    12.4  (*A "possibility property": there are traces that reach the end*)
    12.5  goal thy 
    12.6   "!!A B. [| A ~= B; A ~= Server; B ~= Server |]                               \
    12.7 -\        ==> EX K. EX NA. EX evs: otway lost.                                 \
    12.8 +\        ==> EX K. EX NA. EX evs: otway.                                 \
    12.9  \             Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) \
   12.10  \             : set evs";
   12.11  by (REPEAT (resolve_tac [exI,bexI] 1));
   12.12 @@ -33,7 +33,7 @@
   12.13  (**** Inductive proofs about otway ****)
   12.14  
   12.15  (*Nobody sends themselves messages*)
   12.16 -goal thy "!!evs. evs : otway lost ==> ALL A X. Says A A X ~: set evs";
   12.17 +goal thy "!!evs. evs : otway ==> ALL A X. Says A A X ~: set evs";
   12.18  by (etac otway.induct 1);
   12.19  by (Auto_tac());
   12.20  qed_spec_mp "not_Says_to_self";
   12.21 @@ -44,12 +44,12 @@
   12.22  (** For reasoning about the encrypted portion of messages **)
   12.23  
   12.24  goal thy "!!evs. Says S' B {|X, Crypt(shrK B) X'|} : set evs ==> \
   12.25 -\                X : analz (sees lost Spy evs)";
   12.26 +\                X : analz (sees Spy evs)";
   12.27  by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
   12.28  qed "OR4_analz_sees_Spy";
   12.29  
   12.30  goal thy "!!evs. Says Server B {|X, Crypt K' {|NB, a, Agent B, K|}|} \
   12.31 -\                  : set evs ==> K : parts (sees lost Spy evs)";
   12.32 +\                  : set evs ==> K : parts (sees Spy evs)";
   12.33  by (blast_tac (!claset addSEs sees_Spy_partsEs) 1);
   12.34  qed "Oops_parts_sees_Spy";
   12.35  
   12.36 @@ -60,40 +60,34 @@
   12.37  bind_thm ("OR4_parts_sees_Spy",
   12.38            OR4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
   12.39  
   12.40 -(*For proving the easier theorems about X ~: parts (sees lost Spy evs).
   12.41 -  We instantiate the variable to "lost" since leaving it as a Var would
   12.42 -  interfere with simplification.*)
   12.43 -val parts_induct_tac = 
   12.44 -    let val tac = forw_inst_tac [("lost","lost")] 
   12.45 -    in  etac otway.induct	   1 THEN 
   12.46 -        tac OR4_parts_sees_Spy     6 THEN
   12.47 -        tac Oops_parts_sees_Spy    7 THEN
   12.48 -	prove_simple_subgoals_tac  1
   12.49 -    end;
   12.50 +(*For proving the easier theorems about X ~: parts (sees Spy evs).*)
   12.51 +fun parts_induct_tac i = 
   12.52 +    etac otway.induct i			THEN 
   12.53 +    forward_tac [Oops_parts_sees_Spy] (i+6) THEN
   12.54 +    forward_tac [OR4_parts_sees_Spy]  (i+5) THEN
   12.55 +    prove_simple_subgoals_tac  i;
   12.56  
   12.57  
   12.58 -(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
   12.59 +(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
   12.60      sends messages containing X! **)
   12.61  
   12.62  (*Spy never sees another agent's shared key! (unless it's lost at start)*)
   12.63  goal thy 
   12.64 - "!!evs. evs : otway lost \
   12.65 -\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
   12.66 -by parts_induct_tac;
   12.67 + "!!evs. evs : otway ==> (Key (shrK A) : parts (sees Spy evs)) = (A : lost)";
   12.68 +by (parts_induct_tac 1);
   12.69  by (Fake_parts_insert_tac 1);
   12.70  by (Blast_tac 1);
   12.71  qed "Spy_see_shrK";
   12.72  Addsimps [Spy_see_shrK];
   12.73  
   12.74  goal thy 
   12.75 - "!!evs. evs : otway lost \
   12.76 -\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
   12.77 + "!!evs. evs : otway ==> (Key (shrK A) : analz (sees Spy evs)) = (A : lost)";
   12.78  by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
   12.79  qed "Spy_analz_shrK";
   12.80  Addsimps [Spy_analz_shrK];
   12.81  
   12.82 -goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
   12.83 -\                  evs : otway lost |] ==> A:lost";
   12.84 +goal thy  "!!A. [| Key (shrK A) : parts (sees Spy evs);       \
   12.85 +\                  evs : otway |] ==> A:lost";
   12.86  by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
   12.87  qed "Spy_see_shrK_D";
   12.88  
   12.89 @@ -102,9 +96,9 @@
   12.90  
   12.91  
   12.92  (*Nobody can have used non-existent keys!*)
   12.93 -goal thy "!!evs. evs : otway lost ==>          \
   12.94 -\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
   12.95 -by parts_induct_tac;
   12.96 +goal thy "!!evs. evs : otway ==>          \
   12.97 +\         Key K ~: used evs --> K ~: keysFor (parts (sees Spy evs))";
   12.98 +by (parts_induct_tac 1);
   12.99  (*Fake*)
  12.100  by (best_tac
  12.101        (!claset addIs [impOfSubs analz_subset_parts]
  12.102 @@ -131,7 +125,7 @@
  12.103  \              {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},    \
  12.104  \                Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}   \
  12.105  \             : set evs;                                            \
  12.106 -\           evs : otway lost |]                                     \
  12.107 +\           evs : otway |]                                     \
  12.108  \        ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
  12.109  by (etac rev_mp 1);
  12.110  by (etac otway.induct 1);
  12.111 @@ -140,10 +134,10 @@
  12.112  qed "Says_Server_message_form";
  12.113  
  12.114  
  12.115 -(*For proofs involving analz.  We again instantiate the variable to "lost".*)
  12.116 +(*For proofs involving analz.*)
  12.117  val analz_sees_tac = 
  12.118 -    dres_inst_tac [("lost","lost")] OR4_analz_sees_Spy 6 THEN
  12.119 -    forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN
  12.120 +    dtac OR4_analz_sees_Spy 6 THEN
  12.121 +    forward_tac [Says_Server_message_form] 7 THEN
  12.122      assume_tac 7 THEN
  12.123      REPEAT ((eresolve_tac [exE, conjE] ORELSE' hyp_subst_tac) 7);
  12.124  
  12.125 @@ -151,8 +145,8 @@
  12.126  (****
  12.127   The following is to prove theorems of the form
  12.128  
  12.129 -  Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
  12.130 -  Key K : analz (sees lost Spy evs)
  12.131 +  Key K : analz (insert (Key KAB) (sees Spy evs)) ==>
  12.132 +  Key K : analz (sees Spy evs)
  12.133  
  12.134   A more general formula must be proved inductively.
  12.135  ****)
  12.136 @@ -162,10 +156,10 @@
  12.137  
  12.138  (*The equality makes the induction hypothesis easier to apply*)
  12.139  goal thy  
  12.140 - "!!evs. evs : otway lost ==>                                    \
  12.141 -\  ALL K KK. KK <= Compl (range shrK) -->                        \
  12.142 -\            (Key K : analz (Key``KK Un (sees lost Spy evs))) =  \
  12.143 -\            (K : KK | Key K : analz (sees lost Spy evs))";
  12.144 + "!!evs. evs : otway ==>                                    \
  12.145 +\  ALL K KK. KK <= Compl (range shrK) -->                   \
  12.146 +\            (Key K : analz (Key``KK Un (sees Spy evs))) =  \
  12.147 +\            (K : KK | Key K : analz (sees Spy evs))";
  12.148  by (etac otway.induct 1);
  12.149  by analz_sees_tac;
  12.150  by (REPEAT_FIRST (resolve_tac [allI, impI]));
  12.151 @@ -179,9 +173,9 @@
  12.152  
  12.153  
  12.154  goal thy
  12.155 - "!!evs. [| evs : otway lost;  KAB ~: range shrK |] ==>          \
  12.156 -\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) =  \
  12.157 -\        (K = KAB | Key K : analz (sees lost Spy evs))";
  12.158 + "!!evs. [| evs : otway;  KAB ~: range shrK |] ==>          \
  12.159 +\        Key K : analz (insert (Key KAB) (sees Spy evs)) =  \
  12.160 +\        (K = KAB | Key K : analz (sees Spy evs))";
  12.161  by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
  12.162  qed "analz_insert_freshK";
  12.163  
  12.164 @@ -189,7 +183,7 @@
  12.165  (*** The Key K uniquely identifies the Server's  message. **)
  12.166  
  12.167  goal thy 
  12.168 - "!!evs. evs : otway lost ==>                              \
  12.169 + "!!evs. evs : otway ==>                                   \
  12.170  \      EX A' B' NA' NB'. ALL A B NA NB.                    \
  12.171  \       Says Server B                                      \
  12.172  \         {|Crypt (shrK A) {|NA, Agent A, Agent B, K|},             \
  12.173 @@ -218,7 +212,7 @@
  12.174  \            {|Crypt (shrK A') {|NA', Agent A', Agent B', K|},     \
  12.175  \              Crypt (shrK B') {|NB', Agent A', Agent B', K|}|}    \
  12.176  \           : set evs;                                             \
  12.177 -\          evs : otway lost |]                                     \
  12.178 +\          evs : otway |]                                          \
  12.179  \       ==> A=A' & B=B' & NA=NA' & NB=NB'";
  12.180  by (prove_unique_tac lemma 1);
  12.181  qed "unique_session_keys";
  12.182 @@ -229,14 +223,14 @@
  12.183  
  12.184  (*If the encrypted message appears then it originated with the Server!*)
  12.185  goal thy 
  12.186 - "!!evs. [| A ~: lost;  evs : otway lost |]                 \
  12.187 -\ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}        \
  12.188 -\      : parts (sees lost Spy evs)                          \
  12.189 + "!!evs. [| A ~: lost;  evs : otway |]                 \
  12.190 +\ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|}   \
  12.191 +\      : parts (sees Spy evs)                          \
  12.192  \     --> (EX NB. Says Server B                                          \
  12.193  \                  {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},     \
  12.194  \                    Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}    \
  12.195  \                  : set evs)";
  12.196 -by parts_induct_tac;
  12.197 +by (parts_induct_tac 1);
  12.198  by (Fake_parts_insert_tac 1);
  12.199  by (ALLGOALS (asm_simp_tac (!simpset addsimps [ex_disj_distrib])));
  12.200  (*OR3*)
  12.201 @@ -249,7 +243,7 @@
  12.202  goal thy 
  12.203   "!!evs. [| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|})  \
  12.204  \            : set evs;                                                 \
  12.205 -\           A ~: lost;  evs : otway lost |]                             \
  12.206 +\           A ~: lost;  evs : otway |]                                  \
  12.207  \        ==> EX NB. Says Server B                                       \
  12.208  \                    {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},  \
  12.209  \                      Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
  12.210 @@ -264,13 +258,13 @@
  12.211      the premises, e.g. by having A=Spy **)
  12.212  
  12.213  goal thy 
  12.214 - "!!evs. [| A ~: lost;  B ~: lost;  evs : otway lost |]                    \
  12.215 + "!!evs. [| A ~: lost;  B ~: lost;  evs : otway |]                         \
  12.216  \        ==> Says Server B                                                 \
  12.217  \             {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},            \
  12.218  \               Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}           \
  12.219  \            : set evs -->                                                 \
  12.220  \            Says B Spy {|NA, NB, Key K|} ~: set evs -->                   \
  12.221 -\            Key K ~: analz (sees lost Spy evs)";
  12.222 +\            Key K ~: analz (sees Spy evs)";
  12.223  by (etac otway.induct 1);
  12.224  by analz_sees_tac;
  12.225  by (ALLGOALS
  12.226 @@ -295,8 +289,8 @@
  12.227  \                Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}   \
  12.228  \             : set evs;                                            \
  12.229  \           Says B Spy {|NA, NB, Key K|} ~: set evs;                \
  12.230 -\           A ~: lost;  B ~: lost;  evs : otway lost |]             \
  12.231 -\        ==> Key K ~: analz (sees lost Spy evs)";
  12.232 +\           A ~: lost;  B ~: lost;  evs : otway |]                  \
  12.233 +\        ==> Key K ~: analz (sees Spy evs)";
  12.234  by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
  12.235  by (blast_tac (!claset addSEs [lemma]) 1);
  12.236  qed "Spy_not_see_encrypted_key";
  12.237 @@ -306,14 +300,14 @@
  12.238  
  12.239  (*If the encrypted message appears then it originated with the Server!*)
  12.240  goal thy 
  12.241 - "!!evs. [| B ~: lost;  evs : otway lost |]                                 \
  12.242 -\    ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}                     \
  12.243 -\         : parts (sees lost Spy evs)                                       \
  12.244 + "!!evs. [| B ~: lost;  evs : otway |]                                 \
  12.245 +\    ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}                \
  12.246 +\         : parts (sees Spy evs)                                       \
  12.247  \        --> (EX NA. Says Server B                                          \
  12.248  \                     {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},     \
  12.249  \                       Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}    \
  12.250  \                     : set evs)";
  12.251 -by parts_induct_tac;
  12.252 +by (parts_induct_tac 1);
  12.253  by (Fake_parts_insert_tac 1);
  12.254  by (ALLGOALS (asm_simp_tac (!simpset addsimps [ex_disj_distrib])));
  12.255  (*OR3*)
  12.256 @@ -324,7 +318,7 @@
  12.257  (*Guarantee for B: if it gets a well-formed certificate then the Server
  12.258    has sent the correct message in round 3.*)
  12.259  goal thy 
  12.260 - "!!evs. [| B ~: lost;  evs : otway lost;                                   \
  12.261 + "!!evs. [| B ~: lost;  evs : otway;                                        \
  12.262  \           Says S' B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
  12.263  \            : set evs |]                                                   \
  12.264  \        ==> EX NA. Says Server B                                           \
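Review bot: The new `parts_induct_tac i` addresses the OR4 and Oops cases as `(i+5)` and `(i+6)`, which holds only while otway.induct yields its cases in the order of the intrs list (Nil, Fake, OR1, OR2, OR3, OR4, Oops). A rule added or moved in OtwayRees_AN.thy would shift these offsets without any hint at the call sites. I would add a comment such as `(*Offsets follow the rule order in OtwayRees_AN.thy: OR4 is case 6, Oops is case 7*)`, and say whether applying Oops before OR4 (the reverse of the old tactic) is significant. `analz_sees_tac` further down is still a `val` with the absolute subgoal numbers 6 and 7, so the two tactics now follow different conventions; giving it the same `i` parameter would make them consistent. The same remarks apply to `parts_induct_tac` in OtwayRees_Bad.ML.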
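--- a/src/HOL/Auth/OtwayRees_AN.thy
+++ b/src/HOL/Auth/OtwayRees_AN.thy
@@ -19,55 +19,55 @@
 
 OtwayRees_AN = Shared + 
 
-consts  otway   :: agent set => event list set
-inductive "otway lost"
+consts  otway   :: event list set
+inductive "otway"
   intrs 
          (*Initial trace is empty*)
-    Nil  "[]: otway lost"
+    Nil  "[]: otway"
 
          (*The spy MAY say anything he CAN say.  We do not expect him to
            invent new nonces here, but he can also use NS1.  Common to
            all similar protocols.*)
-    Fake "[| evs: otway lost;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
-          ==> Says Spy B X  # evs : otway lost"
+    Fake "[| evs: otway;  B ~= Spy;  
+             X: synth (analz (sees Spy evs)) |]
+          ==> Says Spy B X  # evs : otway"
 
          (*Alice initiates a protocol run*)
-    OR1  "[| evs: otway lost;  A ~= B;  B ~= Server |]
-          ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs : otway lost"
+    OR1  "[| evs: otway;  A ~= B;  B ~= Server |]
+          ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs : otway"
 
          (*Bob's response to Alice's message.  Bob doesn't know who 
 	   the sender is, hence the A' in the sender field.*)
-    OR2  "[| evs: otway lost;  B ~= Server;
+    OR2  "[| evs: otway;  B ~= Server;
              Says A' B {|Agent A, Agent B, Nonce NA|} : set evs |]
           ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
-                 # evs : otway lost"
+                 # evs : otway"
 
          (*The Server receives Bob's message.  Then he sends a new
            session key to Bob with a packet for forwarding to Alice.*)
-    OR3  "[| evs: otway lost;  B ~= Server;  A ~= B;  Key KAB ~: used evs;
+    OR3  "[| evs: otway;  B ~= Server;  A ~= B;  Key KAB ~: used evs;
              Says B' Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
                : set evs |]
           ==> Says Server B 
                {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key KAB|},
                  Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|}
-              # evs : otway lost"
+              # evs : otway"
 
          (*Bob receives the Server's (?) message and compares the Nonces with
 	   those in the message he previously sent the Server.*)
-    OR4  "[| evs: otway lost;  A ~= B;
+    OR4  "[| evs: otway;  A ~= B;
              Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|} : set evs;
              Says S' B {|X, Crypt(shrK B){|Nonce NB,Agent A,Agent B,Key K|}|}
                : set evs |]
-          ==> Says B A X # evs : otway lost"
+          ==> Says B A X # evs : otway"
 
          (*This message models possible leaks of session keys.  The nonces
            identify the protocol run.  B is not assumed to know shrK A.*)
-    Oops "[| evs: otway lost;  B ~= Spy;
+    Oops "[| evs: otway;  B ~= Spy;
              Says Server B 
                       {|Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}, 
                         Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key K|}|}
                : set evs |]
-          ==> Says B Spy {|Nonce NA, Nonce NB, Key K|} # evs : otway lost"
+          ==> Says B Spy {|Nonce NA, Nonce NB, Key K|} # evs : otway"
 
 end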
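Review bot: The comment on the Fake rule still says the spy `can also use NS1`, but this theory defines no rule of that name. Its first protocol step is `OR1`, so the reference was presumably carried over from the Needham-Schroeder theories. Since the rule is edited here anyway, I would change the sentence to `invent new nonces here, but he can also use OR1.` so the description of the attacker's capabilities matches the rules a reader can actually find. The same stale reference is in OtwayRees.thy.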
    14.1 --- a/src/HOL/Auth/OtwayRees_Bad.ML	Mon Jul 14 12:44:09 1997 +0200
    14.2 +++ b/src/HOL/Auth/OtwayRees_Bad.ML	Mon Jul 14 12:47:21 1997 +0200
    14.3 @@ -20,9 +20,6 @@
    14.4  proof_timing:=true;
    14.5  HOL_quantifiers := false;
    14.6  
    14.7 -(*Replacing the variable by a constant improves search speed by 50%!*)
    14.8 -val Says_imp_sees_Spy' = 
    14.9 -    read_instantiate_sg (sign_of thy) [("lost","lost")] Says_imp_sees_Spy;
   14.10  
   14.11  (*A "possibility property": there are traces that reach the end*)
   14.12  goal thy 
   14.13 @@ -50,17 +47,17 @@
   14.14  (** For reasoning about the encrypted portion of messages **)
   14.15  
   14.16  goal thy "!!evs. Says A' B {|N, Agent A, Agent B, X|} : set evs ==> \
   14.17 -\                X : analz (sees lost Spy evs)";
   14.18 -by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1);
   14.19 +\                X : analz (sees Spy evs)";
   14.20 +by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
   14.21  qed "OR2_analz_sees_Spy";
   14.22  
   14.23  goal thy "!!evs. Says S' B {|N, X, Crypt (shrK B) X'|} : set evs ==> \
   14.24 -\                X : analz (sees lost Spy evs)";
   14.25 -by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1);
   14.26 +\                X : analz (sees Spy evs)";
   14.27 +by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
   14.28  qed "OR4_analz_sees_Spy";
   14.29  
   14.30  goal thy "!!evs. Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set evs \
   14.31 -\                 ==> K : parts (sees lost Spy evs)";
   14.32 +\                 ==> K : parts (sees Spy evs)";
   14.33  by (blast_tac (!claset addSEs sees_Spy_partsEs) 1);
   14.34  qed "Oops_parts_sees_Spy";
   14.35  
   14.36 @@ -74,36 +71,34 @@
   14.37  bind_thm ("OR4_parts_sees_Spy",
   14.38            OR4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
   14.39  
   14.40 -(*For proving the easier theorems about X ~: parts (sees lost Spy evs) *)
   14.41 -val parts_induct_tac = 
   14.42 -    etac otway.induct 1 THEN 
   14.43 -    forward_tac [OR2_parts_sees_Spy] 4 THEN 
   14.44 -    forward_tac [OR4_parts_sees_Spy] 6 THEN
   14.45 -    forward_tac [Oops_parts_sees_Spy] 7 THEN
   14.46 -    prove_simple_subgoals_tac 1;
   14.47 +(*For proving the easier theorems about X ~: parts (sees Spy evs).*)
   14.48 +fun parts_induct_tac i = 
   14.49 +    etac otway.induct i			THEN 
   14.50 +    forward_tac [Oops_parts_sees_Spy] (i+6) THEN
   14.51 +    forward_tac [OR4_parts_sees_Spy]  (i+5) THEN
   14.52 +    forward_tac [OR2_parts_sees_Spy]  (i+3) THEN 
   14.53 +    prove_simple_subgoals_tac  i;
   14.54  
   14.55  
   14.56 -(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
   14.57 +(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
   14.58      sends messages containing X! **)
   14.59  
   14.60  (*Spy never sees another agent's shared key! (unless it's lost at start)*)
   14.61  goal thy 
   14.62 - "!!evs. evs : otway \
   14.63 -\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
   14.64 -by parts_induct_tac;
   14.65 + "!!evs. evs : otway ==> (Key (shrK A) : parts (sees Spy evs)) = (A : lost)";
   14.66 +by (parts_induct_tac 1);
   14.67  by (Fake_parts_insert_tac 1);
   14.68  by (Blast_tac 1);
   14.69  qed "Spy_see_shrK";
   14.70  Addsimps [Spy_see_shrK];
   14.71  
   14.72  goal thy 
   14.73 - "!!evs. evs : otway \
   14.74 -\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
   14.75 + "!!evs. evs : otway ==> (Key (shrK A) : analz (sees Spy evs)) = (A : lost)";
   14.76  by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
   14.77  qed "Spy_analz_shrK";
   14.78  Addsimps [Spy_analz_shrK];
   14.79  
   14.80 -goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
   14.81 +goal thy  "!!A. [| Key (shrK A) : parts (sees Spy evs);       \
   14.82  \                  evs : otway |] ==> A:lost";
   14.83  by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
   14.84  qed "Spy_see_shrK_D";
   14.85 @@ -114,8 +109,8 @@
   14.86  
   14.87  (*Nobody can have used non-existent keys!*)
   14.88  goal thy "!!evs. evs : otway ==>          \
   14.89 -\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
   14.90 -by parts_induct_tac;
   14.91 +\         Key K ~: used evs --> K ~: keysFor (parts (sees Spy evs))";
   14.92 +by (parts_induct_tac 1);
   14.93  (*Fake*)
   14.94  by (best_tac
   14.95        (!claset addIs [impOfSubs analz_subset_parts]
   14.96 @@ -161,8 +156,8 @@
   14.97  (****
   14.98   The following is to prove theorems of the form
   14.99  
  14.100 -  Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
  14.101 -  Key K : analz (sees lost Spy evs)
  14.102 +  Key K : analz (insert (Key KAB) (sees Spy evs)) ==>
  14.103 +  Key K : analz (sees Spy evs)
  14.104  
  14.105   A more general formula must be proved inductively.
  14.106  ****)
  14.107 @@ -172,10 +167,10 @@
  14.108  
  14.109  (*The equality makes the induction hypothesis easier to apply*)
  14.110  goal thy  
  14.111 - "!!evs. evs : otway ==>                                         \
  14.112 -\  ALL K KK. KK <= Compl (range shrK) -->                        \
  14.113 -\            (Key K : analz (Key``KK Un (sees lost Spy evs))) =  \
  14.114 -\            (K : KK | Key K : analz (sees lost Spy evs))";
  14.115 + "!!evs. evs : otway ==>                                    \
  14.116 +\  ALL K KK. KK <= Compl (range shrK) -->                   \
  14.117 +\            (Key K : analz (Key``KK Un (sees Spy evs))) =  \
  14.118 +\            (K : KK | Key K : analz (sees Spy evs))";
  14.119  by (etac otway.induct 1);
  14.120  by analz_sees_tac;
  14.121  by (REPEAT_FIRST (resolve_tac [allI, impI]));
  14.122 @@ -189,9 +184,9 @@
  14.123  
  14.124  
  14.125  goal thy
  14.126 - "!!evs. [| evs : otway;  KAB ~: range shrK |] ==>              \
  14.127 -\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) = \
  14.128 -\        (K = KAB | Key K : analz (sees lost Spy evs))";
  14.129 + "!!evs. [| evs : otway;  KAB ~: range shrK |] ==>          \
  14.130 +\        Key K : analz (insert (Key KAB) (sees Spy evs)) =  \
  14.131 +\        (K = KAB | Key K : analz (sees Spy evs))";
  14.132  by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
  14.133  qed "analz_insert_freshK";
  14.134  
  14.135 @@ -231,7 +226,7 @@
  14.136  \              {|NA, Crypt (shrK A) {|NA, Key K|},                    \
  14.137  \                Crypt (shrK B) {|NB, Key K|}|} : set evs -->         \
  14.138  \            Says B Spy {|NA, NB, Key K|} ~: set evs -->              \
  14.139 -\            Key K ~: analz (sees lost Spy evs)";
  14.140 +\            Key K ~: analz (sees Spy evs)";
  14.141  by (etac otway.induct 1);
  14.142  by analz_sees_tac;
  14.143  by (ALLGOALS
  14.144 @@ -256,7 +251,7 @@
  14.145  \                  Crypt (shrK B) {|NB, Key K|}|} : set evs;      \
  14.146  \           Says B Spy {|NA, NB, Key K|} ~: set evs;              \
  14.147  \           A ~: lost;  B ~: lost;  evs : otway |]                \
  14.148 -\        ==> Key K ~: analz (sees lost Spy evs)";
  14.149 +\        ==> Key K ~: analz (sees Spy evs)";
  14.150  by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
  14.151  by (blast_tac (!claset addSEs [lemma]) 1);
  14.152  qed "Spy_not_see_encrypted_key";
  14.153 @@ -271,10 +266,10 @@
  14.154  goal thy 
  14.155   "!!evs. [| A ~: lost;  A ~= B;  evs : otway |]                \
  14.156  \        ==> Crypt (shrK A) {|NA, Agent A, Agent B|}           \
  14.157 -\             : parts (sees lost Spy evs) -->                  \
  14.158 +\             : parts (sees Spy evs) -->                       \
  14.159  \            Says A B {|NA, Agent A, Agent B,                  \
  14.160  \                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}  : set evs";
  14.161 -by parts_induct_tac;
  14.162 +by (parts_induct_tac 1);
  14.163  by (Fake_parts_insert_tac 1);
  14.164  by (Blast_tac 1);
  14.165  qed_spec_mp "Crypt_imp_OR1";
  14.166 @@ -285,16 +280,16 @@
  14.167  (*Only it is FALSE.  Somebody could make a fake message to Server
  14.168            substituting some other nonce NA' for NB.*)
  14.169  goal thy 
  14.170 - "!!evs. [| A ~: lost;  A ~= Spy;  evs : otway |]                         \
  14.171 -\        ==> Crypt (shrK A) {|NA, Key K|} : parts (sees lost Spy evs) --> \
  14.172 -\            Says A B {|NA, Agent A, Agent B,                      \
  14.173 -\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}  \
  14.174 -\             : set evs -->                                    \
  14.175 -\            (EX B NB. Says Server B                           \
  14.176 -\                 {|NA,                                        \
  14.177 -\                   Crypt (shrK A) {|NA, Key K|},              \
  14.178 + "!!evs. [| A ~: lost;  A ~= Spy;  evs : otway |]                    \
  14.179 +\        ==> Crypt (shrK A) {|NA, Key K|} : parts (sees Spy evs) --> \
  14.180 +\            Says A B {|NA, Agent A, Agent B,                        \
  14.181 +\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}    \
  14.182 +\             : set evs -->                                          \
  14.183 +\            (EX B NB. Says Server B                                 \
  14.184 +\                 {|NA,                                              \
  14.185 +\                   Crypt (shrK A) {|NA, Key K|},                    \
  14.186  \                   Crypt (shrK B) {|NB, Key K|}|}  : set evs)";
  14.187 -by parts_induct_tac;
  14.188 +by (parts_induct_tac 1);
  14.189  by (Fake_parts_insert_tac 1);
  14.190  (*OR1: it cannot be a new Nonce, contradiction.*)
  14.191  by (blast_tac (!claset addSIs [parts_insertI]
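--- a/src/HOL/Auth/OtwayRees_Bad.thy	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/OtwayRees_Bad.thy	Mon Jul 14 12:47:21 1997 +0200
@@ -12,8 +12,7 @@
 
 OtwayRees_Bad = Shared + 
 
-consts  lost    :: agent set        (*No need for it to be a variable*)
-	otway   :: event list set
+consts  otway   :: event list set
 
 inductive otway
   intrs 
@@ -23,7 +22,7 @@
          (*The spy MAY say anything he CAN say.  We do not expect him to
            invent new nonces here, but he can also use NS1.  Common to
            all similar protocols.*)
-    Fake "[| evs: otway;  B ~= Spy;  X: synth (analz (sees lost Spy evs)) |]
+    Fake "[| evs: otway;  B ~= Spy;  X: synth (analz (sees Spy evs)) |]
           ==> Says Spy B X  # evs : otway"
 
          (*Alice initiates a protocol run*)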
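Review bot: The comment above the Fake rule still says the spy "can also use NS1", but the companion proof script for this theory refers to OR1, so the name looks like a leftover from a Needham-Schroeder theory. Since this hunk already edits the rule, the comment line could become `invent new nonces here, but he can also use OR1.  Common to` so that a reader checking the attacker model is pointed at a rule that exists here. The list of rule names lies outside the hunk, so the intended name should be confirmed against the intrs of `otway`.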
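--- a/src/HOL/Auth/Public.ML	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Public.ML	Mon Jul 14 12:47:21 1997 +0200
@@ -37,7 +37,7 @@
 (** Rewrites should not refer to  initState(Friend i) 
     -- not in normal form! **)
 
-goalw thy [keysFor_def] "keysFor (parts (initState lost C)) = {}";
+goalw thy [keysFor_def] "keysFor (parts (initState C)) = {}";
 by (agent.induct_tac "C" 1);
 by (auto_tac (!claset addIs [range_eqI], !simpset));
 qed "keysFor_parts_initState";
@@ -47,22 +47,22 @@
 (*** Function "sees" ***)
 
 (*Agents see their own private keys!*)
-goal thy "A ~= Spy --> Key (priK A) : sees lost A evs";
+goal thy "A ~= Spy --> Key (priK A) : sees A evs";
 by (list.induct_tac "evs" 1);
 by (agent.induct_tac "A" 1);
 by (ALLGOALS (asm_simp_tac (!simpset addsimps [sees_Cons])));
 qed_spec_mp "sees_own_priK";
 
 (*All public keys are visible to all*)
-goal thy "Key (pubK A) : sees lost B evs";
+goal thy "Key (pubK A) : sees B evs";
 by (list.induct_tac "evs" 1);
 by (agent.induct_tac "B" 1);
 by (ALLGOALS (asm_simp_tac (!simpset addsimps [sees_Cons])));
 by (Auto_tac ());
 qed_spec_mp "sees_pubK";
 
-(*Spy sees private keys of lost agents!*)
-goal thy "!!A. A: lost ==> Key (priK A) : sees lost Spy evs";
+(*Spy sees private keys of agents!*)
+goal thy "!!A. A: lost ==> Key (priK A) : sees Spy evs";
 by (list.induct_tac "evs" 1);
 by (ALLGOALS (asm_simp_tac (!simpset addsimps [sees_Cons])));
 by (Blast_tac 1);
@@ -73,8 +73,8 @@
 
 
 (*For not_lost_tac*)
-goal thy "!!A. [| Crypt (pubK A) X : analz (sees lost Spy evs);  A: lost |] \
-\              ==> X : analz (sees lost Spy evs)";
+goal thy "!!A. [| Crypt (pubK A) X : analz (sees Spy evs);  A: lost |] \
+\              ==> X : analz (sees Spy evs)";
 by (blast_tac (!claset addSDs [analz.Decrypt]) 1);
 qed "Crypt_Spy_analz_lost";
 
@@ -93,7 +93,7 @@
 
 (*** Fresh nonces ***)
 
-goal thy "Nonce N ~: parts (initState lost B)";
+goal thy "Nonce N ~: parts (initState B)";
 by (agent.induct_tac "B" 1);
 by (Auto_tac ());
 qed "Nonce_notin_initState";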
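Review bot: The rewritten comment `(*Spy sees private keys of agents!*)` overstates the lemma beneath it, which still carries the premise `A: lost`. The word seems to have been dropped by the same textual replacement that removed the `lost` argument from `sees`. It should stay `(*Spy sees private keys of lost agents!*)`, since the secrecy theorems rest on the split between compromised and uncompromised agents. The same slip occurs in src/HOL/Auth/Shared.ML, where `(*Spy sees shared keys of agents!*)` should read `(*Spy sees shared keys of lost agents!*)`.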
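--- a/src/HOL/Auth/Public.thy	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Public.thy	Mon Jul 14 12:47:21 1997 +0200
@@ -21,11 +21,11 @@
 
 primrec initState agent
         (*Agents know their private key and all public keys*)
-  initState_Server  "initState lost Server     =    
+  initState_Server  "initState Server     =    
  		         insert (Key (priK Server)) (Key `` range pubK)"
-  initState_Friend  "initState lost (Friend i) =    
+  initState_Friend  "initState (Friend i) =    
  		         insert (Key (priK (Friend i))) (Key `` range pubK)"
-  initState_Spy     "initState lost Spy        =    
+  initState_Spy     "initState Spy        =    
  		         (Key``invKey``pubK``lost) Un (Key `` range pubK)"
 
 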
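Review bot: The comment on `initState` covers only the honest agents; the Spy equation is undocumented, and after this change `lost` no longer appears on its left-hand side as a parameter. The Spy's initial knowledge, which appears to be the private keys of the agents in `lost` plus all public keys, is the starting point of the attacker model and deserves a line of its own. I would extend the comment to `(*Agents know their private key and all public keys; the Spy knows the private keys of the lost agents*)`. src/HOL/Auth/Shared.thy has the same gap, where the Spy starts with the shared keys of the lost agents but the comment mentions only the Server and the other agents.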
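--- a/src/HOL/Auth/Recur.ML	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Recur.ML	Mon Jul 14 12:47:21 1997 +0200
@@ -22,7 +22,7 @@
 (*Simplest case: Alice goes directly to the server*)
 goal thy
  "!!A. A ~= Server                                                      \
-\ ==> EX K NA. EX evs: recur lost.                                      \
+\ ==> EX K NA. EX evs: recur.                                      \
 \     Says Server A {|Crypt (shrK A) {|Key K, Agent Server, Nonce NA|}, \
 \                     Agent Server|}  : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
@@ -35,7 +35,7 @@
 (*Case two: Alice, Bob and the server*)
 goal thy
  "!!A B. [| A ~= B; A ~= Server; B ~= Server |]                 \
-\ ==> EX K. EX NA. EX evs: recur lost.                          \
+\ ==> EX K. EX NA. EX evs: recur.                          \
 \       Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, \
 \                  Agent Server|}  : set evs";
 by (cut_facts_tac [Nonce_supply2, Key_supply2] 1);
@@ -54,7 +54,7 @@
   TOO SLOW to run every time!
 goal thy
  "!!A B. [| A ~= B; B ~= C; A ~= Server; B ~= Server; C ~= Server |]   \
-\ ==> EX K. EX NA. EX evs: recur lost.                                 \
+\ ==> EX K. EX NA. EX evs: recur.                                 \
 \       Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|},        \
 \                  Agent Server|}  : set evs";
 by (cut_facts_tac [Nonce_supply3, Key_supply3] 1);
@@ -75,7 +75,7 @@
 (**** Inductive proofs about recur ****)
 
 (*Nobody sends themselves messages*)
-goal thy "!!evs. evs : recur lost ==> ALL A X. Says A A X ~: set evs";
+goal thy "!!evs. evs : recur ==> ALL A X. Says A A X ~: set evs";
 by (etac recur.induct 1);
 by (Auto_tac());
 qed_spec_mp "not_Says_to_self";
@@ -115,7 +115,7 @@
 val RA2_analz_sees_Spy = Says_imp_sees_Spy RS analz.Inj |> standard;
 
 goal thy "!!evs. Says C' B {|Crypt K X, X', RA|} : set evs \
-\                ==> RA : analz (sees lost Spy evs)";
+\                ==> RA : analz (sees Spy evs)";
 by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
 qed "RA4_analz_sees_Spy";
 
@@ -129,30 +129,25 @@
 bind_thm ("RA4_parts_sees_Spy",
           RA4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
 
-(*For proving the easier theorems about X ~: parts (sees lost Spy evs).
-  We instantiate the variable to "lost" since leaving it as a Var would
-  interfere with simplification.*)
-val parts_induct_tac = 
-    let val tac = forw_inst_tac [("lost","lost")] 
-    in  etac recur.induct      1	      THEN
-	tac RA2_parts_sees_Spy 4              THEN
-        etac subst 4 (*RA2: DELETE needless definition of PA!*)  THEN
-        forward_tac [respond_imp_responses] 5 THEN
-        tac RA4_parts_sees_Spy 6	      THEN
-	prove_simple_subgoals_tac 1
-    end;
+(*For proving the easier theorems about X ~: parts (sees Spy evs).*)
+fun parts_induct_tac i = 
+    etac recur.induct i				THEN
+    forward_tac [RA2_parts_sees_Spy] (i+3)	THEN
+    etac subst (i+3) (*RA2: DELETE needless definition of PA!*)  THEN
+    forward_tac [respond_imp_responses] (i+4)	THEN
+    forward_tac [RA4_parts_sees_Spy] (i+5)	THEN
+    prove_simple_subgoals_tac i;
 
 
-(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
+(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
     sends messages containing X! **)
 
 
-(** Spy never sees another agent's long-term key (unless initially lost) **)
+(** Spy never sees another agent's shared key! (unless it's lost at start) **)
 
 goal thy 
- "!!evs. evs : recur lost \
-\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
-by parts_induct_tac;
+ "!!evs. evs : recur ==> (Key (shrK A) : parts (sees Spy evs)) = (A : lost)";
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (ALLGOALS 
     (asm_simp_tac (!simpset addsimps [parts_insert2, parts_insert_sees])));
@@ -164,14 +159,13 @@
 Addsimps [Spy_see_shrK];
 
 goal thy 
- "!!evs. evs : recur lost \
-\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
+ "!!evs. evs : recur ==> (Key (shrK A) : analz (sees Spy evs)) = (A : lost)";
 by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
 
-goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
-\                  evs : recur lost |] ==> A:lost";
+goal thy  "!!A. [| Key (shrK A) : parts (sees Spy evs);       \
+\                  evs : recur |] ==> A:lost";
 by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
 qed "Spy_see_shrK_D";
 
@@ -191,9 +185,9 @@
 qed_spec_mp "Key_in_keysFor_parts";
 
 
-goal thy "!!evs. evs : recur lost ==>          \
-\       Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
-by parts_induct_tac;
+goal thy "!!evs. evs : recur ==>          \
+\                Key K ~: used evs --> K ~: keysFor (parts (sees Spy evs))";
+by (parts_induct_tac 1);
 (*RA3*)
 by (best_tac (!claset addDs  [Key_in_keysFor_parts]
 	      addss  (!simpset addsimps [parts_insert_sees])) 2);
@@ -216,18 +210,18 @@
 
 (*** Proofs involving analz ***)
 
-(*For proofs involving analz.  We again instantiate the variable to "lost".*)
+(*For proofs involving analz.*)
 val analz_sees_tac = 
     etac subst 4 (*RA2: DELETE needless definition of PA!*)  THEN
-    dres_inst_tac [("lost","lost")] RA2_analz_sees_Spy 4 THEN 
+    dtac RA2_analz_sees_Spy 4 THEN 
     forward_tac [respond_imp_responses] 5                THEN
-    dres_inst_tac [("lost","lost")] RA4_analz_sees_Spy 6;
+    dtac RA4_analz_sees_Spy 6;
 
 
 (** Session keys are not used to encrypt other session keys **)
 
 (*Version for "responses" relation.  Handles case RA3 in the theorem below.  
-  Note that it holds for *any* set H (not just "sees lost Spy evs")
+  Note that it holds for *any* set H (not just "sees Spy evs")
   satisfying the inductive hypothesis.*)
 goal thy  
  "!!evs. [| RB : responses evs;                             \
@@ -243,10 +237,10 @@
 
 (*Version for the protocol.  Proof is almost trivial, thanks to the lemma.*)
 goal thy  
- "!!evs. evs : recur lost ==>                                   \
-\  ALL K KK. KK <= Compl (range shrK) -->                       \
-\            (Key K : analz (Key``KK Un (sees lost Spy evs))) = \
-\            (K : KK | Key K : analz (sees lost Spy evs))";
+ "!!evs. evs : recur ==>                                    \
+\  ALL K KK. KK <= Compl (range shrK) -->                   \
+\            (Key K : analz (Key``KK Un (sees Spy evs))) =  \
+\            (K : KK | Key K : analz (sees Spy evs))";
 by (etac recur.induct 1);
 by analz_sees_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -262,30 +256,30 @@
 qed_spec_mp "analz_image_freshK";
 
 
-(*Instance of the lemma with H replaced by (sees lost Spy evs):
-   [| RB : responses evs;  evs : recur lost; |]
+(*Instance of the lemma with H replaced by (sees Spy evs):
+   [| RB : responses evs;  evs : recur; |]
    ==> KK <= Compl (range shrK) --> 
-       Key K : analz (insert RB (Key``KK Un sees lost Spy evs)) =
-       (K : KK | Key K : analz (insert RB (sees lost Spy evs))) 
+       Key K : analz (insert RB (Key``KK Un sees Spy evs)) =
+       (K : KK | Key K : analz (insert RB (sees Spy evs))) 
 *)
 bind_thm ("resp_analz_image_freshK",
           raw_analz_image_freshK RSN
             (2, resp_analz_image_freshK_lemma) RS spec RS spec);
 
 goal thy
- "!!evs. [| evs : recur lost;  KAB ~: range shrK |] ==>              \
-\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) =      \
-\        (K = KAB | Key K : analz (sees lost Spy evs))";
+ "!!evs. [| evs : recur;  KAB ~: range shrK |] ==>              \
+\        Key K : analz (insert (Key KAB) (sees Spy evs)) =      \
+\        (K = KAB | Key K : analz (sees Spy evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
 
 (*Everything that's hashed is already in past traffic. *)
-goal thy "!!evs. [| Hash {|Key(shrK A), X|} : parts (sees lost Spy evs);  \
-\                   evs : recur lost;  A ~: lost |]                       \
-\                ==> X : parts (sees lost Spy evs)";
+goal thy "!!evs. [| Hash {|Key(shrK A), X|} : parts (sees Spy evs);  \
+\                   evs : recur;  A ~: lost |]                       \
+\                ==> X : parts (sees Spy evs)";
 by (etac rev_mp 1);
-by parts_induct_tac;
+by (parts_induct_tac 1);
 (*RA3 requires a further induction*)
 by (etac responses.induct 2);
 by (ALLGOALS Asm_simp_tac);
@@ -302,11 +296,11 @@
 **)
 
 goal thy 
- "!!evs. [| evs : recur lost; A ~: lost |]                   \
+ "!!evs. [| evs : recur; A ~: lost |]                   \
 \ ==> EX B' P'. ALL B P.                                     \
-\        Hash {|Key(shrK A), Agent A, B, NA, P|} : parts (sees lost Spy evs) \
+\        Hash {|Key(shrK A), Agent A, B, NA, P|} : parts (sees Spy evs) \
 \          -->  B=B' & P=P'";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (etac responses.induct 3);
 by (ALLGOALS (simp_tac (!simpset addsimps [all_conj_distrib]))); 
@@ -319,9 +313,9 @@
 val lemma = result();
 
 goalw thy [HPair_def]
- "!!A.[| Hash[Key(shrK A)] {|Agent A, B,NA,P|}   : parts(sees lost Spy evs); \
-\        Hash[Key(shrK A)] {|Agent A, B',NA,P'|} : parts(sees lost Spy evs); \
-\        evs : recur lost;  A ~: lost |]                                     \
+ "!!A.[| Hash[Key(shrK A)] {|Agent A, B,NA,P|}   : parts(sees Spy evs); \
+\        Hash[Key(shrK A)] {|Agent A, B',NA,P'|} : parts(sees Spy evs); \
+\        evs : recur;  A ~: lost |]                                     \
 \      ==> B=B' & P=P'";
 by (REPEAT (eresolve_tac partsEs 1));
 by (prove_unique_tac lemma 1);
@@ -333,8 +327,8 @@
 ***)
 
 goal thy
- "!!evs. [| RB : responses evs;  evs : recur lost |] \
-\ ==> (Key (shrK B) : analz (insert RB (sees lost Spy evs))) = (B:lost)";
+ "!!evs. [| RB : responses evs;  evs : recur |] \
+\ ==> (Key (shrK B) : analz (insert RB (sees Spy evs))) = (B:lost)";
 by (etac responses.induct 1);
 by (ALLGOALS
     (asm_simp_tac 
@@ -368,7 +362,7 @@
 (*The Server does not send such messages.  This theorem lets us avoid
   assuming B~=Server in RA4.*)
 goal thy 
- "!!evs. evs : recur lost \
+ "!!evs. evs : recur \
 \        ==> ALL C X Y. Says Server C {|X, Agent Server, Y|} ~: set evs";
 by (etac recur.induct 1);
 by (etac (respond.induct) 5);
@@ -399,8 +393,8 @@
 by (expand_case_tac "K = KBC" 1);
 by (dtac respond_Key_in_parts 1);
 by (blast_tac (!claset addSIs [exI]
-                      addSEs partsEs
-                      addDs [Key_in_parts_respond]) 1);
+                       addSEs partsEs
+                       addDs [Key_in_parts_respond]) 1);
 by (expand_case_tac "K = KAB" 1);
 by (REPEAT (ares_tac [exI] 2));
 by (ex_strip_tac 1);
@@ -422,10 +416,10 @@
     the premises, e.g. by having A=Spy **)
 
 goal thy 
- "!!evs. [| (PB,RB,KAB) : respond evs;  evs : recur lost |]         \
+ "!!evs. [| (PB,RB,KAB) : respond evs;  evs : recur |]              \
 \        ==> ALL A A' N. A ~: lost & A' ~: lost -->                 \
 \            Crypt (shrK A) {|Key K, Agent A', N|} : parts{RB} -->  \
-\            Key K ~: analz (insert RB (sees lost Spy evs))";
+\            Key K ~: analz (insert RB (sees Spy evs))";
 by (etac respond.induct 1);
 by (forward_tac [respond_imp_responses] 2);
 by (forward_tac [respond_imp_not_used] 2);
@@ -450,10 +444,10 @@
 
 
 goal thy
- "!!evs. [| Crypt (shrK A) {|Key K, Agent A', N|}          \
-\              : parts (sees lost Spy evs);                \
-\           A ~: lost;  A' ~: lost;  evs : recur lost |]   \
-\        ==> Key K ~: analz (sees lost Spy evs)";
+ "!!evs. [| Crypt (shrK A) {|Key K, Agent A', N|}     \
+\              : parts (sees Spy evs);                \
+\           A ~: lost;  A' ~: lost;  evs : recur |]   \
+\        ==> Key K ~: analz (sees Spy evs)";
 by (etac rev_mp 1);
 by (etac recur.induct 1);
 by analz_sees_tac;
@@ -499,11 +493,11 @@
   used to prove B's presence to A at the run's conclusion.*)
 goalw thy [HPair_def]
  "!!evs. [| Hash {|Key(shrK A), Agent A, Agent B, NA, P|}         \
-\             : parts (sees lost Spy evs);                        \
-\            A ~: lost;  evs : recur lost |]                      \
+\             : parts (sees Spy evs);                        \
+\            A ~: lost;  evs : recur |]                      \
 \     ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, NA, P|}) : set evs";
 by (etac rev_mp 1);
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 (*RA3*)
 by (blast_tac (!claset addSDs [Hash_in_parts_respond]) 1);
@@ -516,12 +510,12 @@
 
 (*Certificates can only originate with the Server.*)
 goal thy 
- "!!evs. [| Crypt (shrK A) Y : parts (sees lost Spy evs);    \
-\           A ~: lost;  A ~= Spy;  evs : recur lost |]       \
-\        ==> EX C RC. Says Server C RC : set evs  &          \
+ "!!evs. [| Crypt (shrK A) Y : parts (sees Spy evs);    \
+\           A ~: lost;  A ~= Spy;  evs : recur |]       \
+\        ==> EX C RC. Says Server C RC : set evs  &     \
 \                     Crypt (shrK A) Y : parts {RC}";
 by (etac rev_mp 1);
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 (*RA4*)
 by (Blast_tac 4);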
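Review bot: `parts_induct_tac` now takes the subgoal number, but its offsets `i+3`, `i+4` and `i+5` silently encode the order of the introduction rules in Recur.thy (RA2, RA3 and RA4 after Nil, Fake and RA1). `analz_sees_tac`, later in the same file, keeps the absolute numbers 4, 5 and 6 as a plain `val`. If a rule were added or reordered, both tactics would act on the wrong subgoal, and the mistake would surface only as a failing proof further down. A comment above the function such as `(*Subgoals i+3, i+4, i+5 are RA2, RA3, RA4: keep in step with the intrs of recur*)` would record the dependency. `analz_sees_tac` could take `i` in the same way for consistency.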
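--- a/src/HOL/Auth/Recur.thy	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Recur.thy	Mon Jul 14 12:47:21 1997 +0200
@@ -48,25 +48,25 @@
                 RA|}  : responses evs"
 
 
-consts     recur   :: agent set => event list set
-inductive "recur lost"
+consts     recur   :: event list set
+inductive "recur"
   intrs 
          (*Initial trace is empty*)
-    Nil  "[]: recur lost"
+    Nil  "[]: recur"
 
          (*The spy MAY say anything he CAN say.  Common to
            all similar protocols.*)
-    Fake "[| evs: recur lost;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
-          ==> Says Spy B X  # evs : recur lost"
+    Fake "[| evs: recur;  B ~= Spy;  
+             X: synth (analz (sees Spy evs)) |]
+          ==> Says Spy B X  # evs : recur"
 
          (*Alice initiates a protocol run.
            "Agent Server" is just a placeholder, to terminate the nesting.*)
-    RA1  "[| evs: recur lost;  A ~= B;  A ~= Server;  Nonce NA ~: used evs |]
+    RA1  "[| evs: recur;  A ~= B;  A ~= Server;  Nonce NA ~: used evs |]
           ==> Says A B 
                 (Hash[Key(shrK A)] 
                  {|Agent A, Agent B, Nonce NA, Agent Server|})
-              # evs : recur lost"
+              # evs : recur"
 
          (*Bob's response to Alice's message.  C might be the Server.
            XA should be the Hash of the remaining components with KA, but
@@ -74,27 +74,27 @@
            P is the previous recur message from Alice's caller.
            NOTE: existing proofs don't need PA and are complicated by its
                 presence!  See parts_Fake_tac.*)
-    RA2  "[| evs: recur lost;  B ~= C;  B ~= Server;  Nonce NB ~: used evs;
+    RA2  "[| evs: recur;  B ~= C;  B ~= Server;  Nonce NB ~: used evs;
              Says A' B PA : set evs;  
              PA = {|XA, Agent A, Agent B, Nonce NA, P|} |]
           ==> Says B C (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|})
-              # evs : recur lost"
+              # evs : recur"
 
          (*The Server receives Bob's message and prepares a response.*)
-    RA3  "[| evs: recur lost;  B ~= Server;
+    RA3  "[| evs: recur;  B ~= Server;
              Says B' Server PB : set evs;
              (PB,RB,K) : respond evs |]
-          ==> Says Server B RB # evs : recur lost"
+          ==> Says Server B RB # evs : recur"
 
          (*Bob receives the returned message and compares the Nonces with
            those in the message he previously sent the Server.*)
-    RA4  "[| evs: recur lost;  A ~= B;  
+    RA4  "[| evs: recur;  A ~= B;  
              Says B  C {|XH, Agent B, Agent C, Nonce NB, 
                          XA, Agent A, Agent B, Nonce NA, P|} : set evs;
              Says C' B {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|}, 
                          Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|}, 
                          RA|} : set evs |]
-          ==> Says B A RA # evs : recur lost"
+          ==> Says B A RA # evs : recur"
 
 (**No "oops" message can easily be expressed.  Each session key is
    associated--in two separate messages--with two nonces.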
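Review bot: With the argument gone, the quotes in `inductive "recur"` no longer seem to be needed; OtwayRees_Bad.thy in this same changeset writes `inductive otway` unquoted. Writing `inductive recur` would keep the theory files uniform. Separately, the RA2 comment points the reader to `parts_Fake_tac`, whereas the tactics that discard the PA definition in the Recur.ML shown in this changeset are `parts_induct_tac` and `analz_sees_tac`. That reference may be stale and is worth checking while the rule is being edited.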
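--- a/src/HOL/Auth/Shared.ML	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Shared.ML	Mon Jul 14 12:47:21 1997 +0200
@@ -22,7 +22,7 @@
 (** Rewrites should not refer to  initState(Friend i) 
     -- not in normal form! **)
 
-goalw thy [keysFor_def] "keysFor (parts (initState lost C)) = {}";
+goalw thy [keysFor_def] "keysFor (parts (initState C)) = {}";
 by (agent.induct_tac "C" 1);
 by (Auto_tac ());
 qed "keysFor_parts_initState";
@@ -32,15 +32,15 @@
 (*** Function "sees" ***)
 
 (*Agents see their own shared keys!*)
-goal thy "A ~= Spy --> Key (shrK A) : sees lost A evs";
+goal thy "A ~= Spy --> Key (shrK A) : sees A evs";
 by (list.induct_tac "evs" 1);
 by (agent.induct_tac "A" 1);
 by (ALLGOALS (asm_simp_tac (!simpset addsimps [sees_Cons])));
 by (Blast_tac 1);
 qed_spec_mp "sees_own_shrK";
 
-(*Spy sees shared keys of lost agents!*)
-goal thy "!!A. A: lost ==> Key (shrK A) : sees lost Spy evs";
+(*Spy sees shared keys of agents!*)
+goal thy "!!A. A: lost ==> Key (shrK A) : sees Spy evs";
 by (list.induct_tac "evs" 1);
 by (ALLGOALS (asm_simp_tac (!simpset addsimps [sees_Cons])));
 by (Blast_tac 1);
@@ -49,8 +49,8 @@
 AddSIs [sees_own_shrK, Spy_sees_lost];
 
 (*For not_lost_tac*)
-goal thy "!!A. [| Crypt (shrK A) X : analz (sees lost Spy evs);  A: lost |] \
-\              ==> X : analz (sees lost Spy evs)";
+goal thy "!!A. [| Crypt (shrK A) X : analz (sees Spy evs);  A: lost |] \
+\              ==> X : analz (sees Spy evs)";
 by (fast_tac (!claset addSDs [analz.Decrypt] addss (!simpset)) 1);
 qed "Crypt_Spy_analz_lost";
 
@@ -90,7 +90,7 @@
 
 (*** Fresh nonces ***)
 
-goal thy "Nonce N ~: parts (initState lost B)";
+goal thy "Nonce N ~: parts (initState B)";
 by (agent.induct_tac "B" 1);
 by (Auto_tac ());
 qed "Nonce_notin_initState";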
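--- a/src/HOL/Auth/Shared.thy	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/Shared.thy	Mon Jul 14 12:47:21 1997 +0200
@@ -19,9 +19,9 @@
 
 primrec initState agent
         (*Server knows all long-term keys; other agents know only their own*)
-  initState_Server  "initState lost Server     = Key `` range shrK"
-  initState_Friend  "initState lost (Friend i) = {Key (shrK (Friend i))}"
-  initState_Spy     "initState lost Spy        = Key``shrK``lost"
+  initState_Server  "initState Server     = Key `` range shrK"
+  initState_Friend  "initState (Friend i) = {Key (shrK (Friend i))}"
+  initState_Spy     "initState Spy        = Key``shrK``lost"
 
 
 rules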
    22.1 --- a/src/HOL/Auth/TLS.ML	Mon Jul 14 12:44:09 1997 +0200
    22.2 +++ b/src/HOL/Auth/TLS.ML	Mon Jul 14 12:47:21 1997 +0200
    22.3 @@ -22,13 +22,30 @@
    22.4  proof_timing:=true;
    22.5  HOL_quantifiers := false;
    22.6  
    22.7 -AddIffs [Spy_in_lost, Server_not_lost];
    22.8 -Addsimps [certificate_def];
    22.9 +(** We mostly DO NOT unfold the definition of "certificate".  The attached
   22.10 +    lemmas unfold it lazily, when "certificate B KB" occurs in appropriate
   22.11 +    contexts.
   22.12 +**)
   22.13 +
   22.14 +goalw thy [certificate_def] 
   22.15 +    "parts (insert (certificate B KB) H) =  \
   22.16 +\    parts (insert (Crypt (priK Server) {|Agent B, Key KB|}) H)";
   22.17 +by (rtac refl 1);
   22.18 +qed "parts_insert_certificate";
   22.19  
   22.20 -goal thy "!!A. A ~: lost ==> A ~= Spy";
   22.21 +goalw thy [certificate_def] 
   22.22 +    "analz (insert (certificate B KB) H) =  \
   22.23 +\    analz (insert (Crypt (priK Server) {|Agent B, Key KB|}) H)";
   22.24 +by (rtac refl 1);
   22.25 +qed "analz_insert_certificate";
   22.26 +Addsimps [parts_insert_certificate, analz_insert_certificate];
   22.27 +
   22.28 +goalw thy [certificate_def] 
   22.29 +    "(X = certificate B KB) = (Crypt (priK Server) {|Agent B, Key KB|} = X)";
   22.30  by (Blast_tac 1);
   22.31 -qed "not_lost_not_eq_Spy";
   22.32 -Addsimps [not_lost_not_eq_Spy];
   22.33 +qed "eq_certificate_iff";
   22.34 +AddIffs [eq_certificate_iff];
   22.35 +
   22.36  
   22.37  (*Injectiveness of key-generating functions*)
   22.38  AddIffs [inj_clientK RS inj_eq, inj_serverK RS inj_eq];
   22.39 @@ -38,11 +55,6 @@
   22.40  	  isSym_serverK, rewrite_rule [isSymKey_def] isSym_serverK];
   22.41  
   22.42  
   22.43 -(*Replacing the variable by a constant improves search speed by 50%!*)
   22.44 -val Says_imp_sees_Spy' = 
   22.45 -    read_instantiate_sg (sign_of thy) [("lost","lost")] Says_imp_sees_Spy;
   22.46 -
   22.47 -
   22.48  (*** clientK and serverK make symmetric keys; no clashes with pubK or priK ***)
   22.49  
   22.50  goal thy "pubK A ~= clientK arg";
   22.51 @@ -102,11 +114,10 @@
   22.52  
   22.53  (*And one for ClientFinished.  Either FINISHED message may come first.*)
   22.54  goal thy 
   22.55 - "!!A B. A ~= B ==> EX NA XA NB XB M. EX evs: tls.    \
   22.56 -\  Says A B (Crypt (clientK(NA,NB,M))                 \
   22.57 -\            (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|}, \
   22.58 -\                   Nonce NA, Agent XA,               \
   22.59 -\                   certificate A (pubK A),      \
   22.60 + "!!A B. A ~= B ==> EX NA XA NB XB M. EX evs: tls.              \
   22.61 +\  Says A B (Crypt (clientK(NA,NB,M))                           \
   22.62 +\            (Hash{|Hash{|Nonce NA, Nonce NB, Nonce M|},        \
   22.63 +\                   Nonce NA, Agent XA, certificate A (pubK A), \
   22.64  \                   Nonce NB, Agent XB, Agent B|})) : set evs";
   22.65  by (REPEAT (resolve_tac [exI,bexI] 1));
   22.66  by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.ClientCertKeyEx
   22.67 @@ -116,7 +127,7 @@
   22.68  
   22.69  (*Another one, for CertVerify (which is optional)*)
   22.70  goal thy 
   22.71 - "!!A B. A ~= B ==> EX NB M. EX evs: tls.     \
   22.72 + "!!A B. A ~= B ==> EX NB M. EX evs: tls.   \
   22.73  \  Says A B (Crypt (priK A)                 \
   22.74  \            (Hash{|Nonce NB, certificate B (pubK B), Nonce M|})) : set evs";
   22.75  by (REPEAT (resolve_tac [exI,bexI] 1));
   22.76 @@ -137,28 +148,36 @@
   22.77  AddSEs   [not_Says_to_self RSN (2, rev_notE)];
   22.78  
   22.79  
   22.80 -(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
   22.81 +(*Induction for regularity theorems.  If induction formula has the form
   22.82 +   X ~: analz (sees Spy evs) --> ... then it shortens the proof by discarding
   22.83 +   needless information about analz (insert X (sees Spy evs))  *)
   22.84 +fun parts_induct_tac i = 
   22.85 +    etac tls.induct i
   22.86 +    THEN 
   22.87 +    REPEAT (FIRSTGOAL analz_mono_contra_tac)
   22.88 +    THEN 
   22.89 +    fast_tac (!claset addss (!simpset)) i THEN
   22.90 +    ALLGOALS (asm_full_simp_tac (!simpset setloop split_tac [expand_if]));
   22.91 +
   22.92 +
   22.93 +(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
   22.94      sends messages containing X! **)
   22.95  
   22.96  (*Spy never sees another agent's private key! (unless it's lost at start)*)
   22.97  goal thy 
   22.98 - "!!evs. evs : tls \
   22.99 -\        ==> (Key (priK A) : parts (sees lost Spy evs)) = (A : lost)";
  22.100 -by (etac tls.induct 1);
  22.101 -by (prove_simple_subgoals_tac 1);
  22.102 -by (asm_simp_tac (!simpset setloop split_tac [expand_if]) 2);
  22.103 + "!!evs. evs : tls ==> (Key (priK A) : parts (sees Spy evs)) = (A : lost)";
  22.104 +by (parts_induct_tac 1);
  22.105  by (Fake_parts_insert_tac 1);
  22.106  qed "Spy_see_priK";
  22.107  Addsimps [Spy_see_priK];
  22.108  
  22.109  goal thy 
  22.110 - "!!evs. evs : tls \
  22.111 -\        ==> (Key (priK A) : analz (sees lost Spy evs)) = (A : lost)";
  22.112 + "!!evs. evs : tls ==> (Key (priK A) : analz (sees Spy evs)) = (A : lost)";
  22.113  by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
  22.114  qed "Spy_analz_priK";
  22.115  Addsimps [Spy_analz_priK];
  22.116  
  22.117 -goal thy  "!!A. [| Key (priK A) : parts (sees lost Spy evs);       \
  22.118 +goal thy  "!!A. [| Key (priK A) : parts (sees Spy evs);       \
  22.119  \                  evs : tls |] ==> A:lost";
  22.120  by (blast_tac (!claset addDs [Spy_see_priK]) 1);
  22.121  qed "Spy_see_priK_D";
  22.122 @@ -168,22 +187,20 @@
  22.123  
  22.124  
  22.125  (*This lemma says that no false certificates exist.  One might extend the
  22.126 -  model to include bogus certificates for the lost agents, but there seems
  22.127 +  model to include bogus certificates for the agents, but there seems
  22.128    little point in doing so: the loss of their private keys is a worse
  22.129    breach of security.*)
  22.130  goalw thy [certificate_def]
  22.131   "!!evs. evs : tls     \
  22.132 -\        ==> certificate B KB : parts (sees lost Spy evs) --> KB = pubK B";
  22.133 -by (etac tls.induct 1);
  22.134 -by (ALLGOALS (asm_full_simp_tac (!simpset setloop split_tac [expand_if])));
  22.135 -by (Fake_parts_insert_tac 2);
  22.136 -by (Blast_tac 1);
  22.137 +\        ==> certificate B KB : parts (sees Spy evs) --> KB = pubK B";
  22.138 +by (parts_induct_tac 1);
  22.139 +by (Fake_parts_insert_tac 1);
  22.140  bind_thm ("Server_cert_pubB", result() RSN (2, rev_mp));
  22.141  
  22.142  
  22.143  (*Replace key KB in ClientCertKeyEx by (pubK B) *)
  22.144  val ClientCertKeyEx_tac = 
  22.145 -    forward_tac [Says_imp_sees_Spy' RS parts.Inj RS 
  22.146 +    forward_tac [Says_imp_sees_Spy RS parts.Inj RS 
  22.147  		 parts.Snd RS parts.Snd RS parts.Snd RS Server_cert_pubB]
  22.148      THEN' assume_tac
  22.149      THEN' hyp_subst_tac;
  22.150 @@ -193,7 +210,6 @@
  22.151      ClientCertKeyEx_tac  (i+7)  THEN	(*ClientFinished*)
  22.152      ClientCertKeyEx_tac  (i+6)  THEN	(*CertVerify*)
  22.153      ClientCertKeyEx_tac  (i+5)  THEN	(*ClientCertKeyEx*)
  22.154 -    rewrite_goals_tac  [certificate_def]  THEN
  22.155      ALLGOALS (asm_simp_tac 
  22.156                (!simpset addsimps [not_parts_not_analz]
  22.157                          setloop split_tac [expand_if]))  THEN
  22.158 @@ -207,36 +223,32 @@
  22.159  (*** Hashing of nonces ***)
  22.160  
  22.161  (*Every Nonce that's hashed is already in past traffic. *)
  22.162 -goal thy "!!evs. [| Hash {|Nonce N, X|} : parts (sees lost Spy evs);  \
  22.163 +goal thy "!!evs. [| Hash {|Nonce N, X|} : parts (sees Spy evs);  \
  22.164  \                   evs : tls |]  \
  22.165 -\                ==> Nonce N : parts (sees lost Spy evs)";
  22.166 +\                ==> Nonce N : parts (sees Spy evs)";
  22.167  by (etac rev_mp 1);
  22.168 -by (etac tls.induct 1);
  22.169 -by (ALLGOALS (asm_simp_tac (!simpset addsimps [parts_insert_sees]
  22.170 -			             setloop split_tac [expand_if])));
  22.171 -by (Fake_parts_insert_tac 2);
  22.172 -by (REPEAT (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
  22.173 -		               addSEs partsEs) 1));
  22.174 +by (parts_induct_tac 1);
  22.175 +by (ALLGOALS (asm_simp_tac (!simpset addsimps [parts_insert_sees])));
  22.176 +by (Fake_parts_insert_tac 1);
  22.177 +by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
  22.178 +	               addSEs partsEs) 1);
  22.179  qed "Hash_imp_Nonce1";
  22.180  
  22.181  (*Lemma needed to prove Hash_Hash_imp_Nonce*)
  22.182  goal thy "!!evs. [| Hash{|Nonce NA, Nonce NB, Nonce M|}  \
  22.183 -\                       : parts (sees lost Spy evs);     \
  22.184 +\                       : parts (sees Spy evs);     \
  22.185  \                   evs : tls |]  \
  22.186 -\                ==> Nonce M : parts (sees lost Spy evs)";
  22.187 +\                ==> Nonce M : parts (sees Spy evs)";
  22.188  by (etac rev_mp 1);
  22.189 -by (etac tls.induct 1);
  22.190 -by (ALLGOALS (asm_simp_tac (!simpset addsimps [parts_insert_sees]
  22.191 -			             setloop split_tac [expand_if])));
  22.192 -by (Fake_parts_insert_tac 2);
  22.193 -by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
  22.194 -		       addSEs partsEs) 1);
  22.195 +by (parts_induct_tac 1);
  22.196 +by (asm_simp_tac (!simpset addsimps [parts_insert_sees]) 1);
  22.197 +by (Fake_parts_insert_tac 1);
  22.198  qed "Hash_imp_Nonce2";
  22.199  AddSDs [Hash_imp_Nonce2];
  22.200  
  22.201  
  22.202  goal thy "!!evs. [| Notes A {|Agent B, X|} : set evs;  evs : tls |]  \
  22.203 -\                ==> Crypt (pubK B) X : parts (sees lost Spy evs)";
  22.204 +\                ==> Crypt (pubK B) X : parts (sees Spy evs)";
  22.205  by (etac rev_mp 1);
  22.206  by (analz_induct_tac 1);
  22.207  by (blast_tac (!claset addIs [parts_insertI]) 1);
  22.208 @@ -245,17 +257,16 @@
  22.209  
  22.210  (*NEEDED??*)
  22.211  goal thy "!!evs. [| Hash {| Hash{|Nonce NA, Nonce NB, Nonce M|}, X |}  \
  22.212 -\                      : parts (sees lost Spy evs);      \
  22.213 +\                      : parts (sees Spy evs);      \
  22.214  \                   evs : tls |]                         \
  22.215 -\                ==> Nonce M : parts (sees lost Spy evs)";
  22.216 +\                ==> Nonce M : parts (sees Spy evs)";
  22.217  by (etac rev_mp 1);
  22.218 -by (etac tls.induct 1);
  22.219 -by (ALLGOALS (asm_simp_tac (!simpset addsimps [parts_insert_sees]
  22.220 -			             setloop split_tac [expand_if])));
  22.221 -by (Fake_parts_insert_tac 2);
  22.222 -by (step_tac (!claset addSDs [Notes_Crypt_parts_sees,
  22.223 -			      Says_imp_sees_Spy' RS parts.Inj]
  22.224 -		      addSEs partsEs) 1);
  22.225 +by (parts_induct_tac 1);
  22.226 +by (ALLGOALS (asm_simp_tac (!simpset addsimps [parts_insert_sees])));
  22.227 +by (Fake_parts_insert_tac 1);
  22.228 +by (REPEAT (blast_tac (!claset addSDs [Notes_Crypt_parts_sees,
  22.229 +				       Says_imp_sees_Spy RS parts.Inj]
  22.230 +		               addSEs partsEs) 1));
  22.231  qed "Hash_Hash_imp_Nonce";
  22.232  
  22.233  
  22.234 @@ -263,14 +274,13 @@
  22.235    Every Nonce that's hashed is already in past traffic. 
  22.236    This general formulation is tricky to prove and hard to use, since the
  22.237    2nd premise is typically proved by simplification.*)
  22.238 -goal thy "!!evs. [| Hash X : parts (sees lost Spy evs);  \
  22.239 +goal thy "!!evs. [| Hash X : parts (sees Spy evs);  \
  22.240  \                   Nonce N : parts {X};  evs : tls |]  \
  22.241 -\                ==> Nonce N : parts (sees lost Spy evs)";
  22.242 +\                ==> Nonce N : parts (sees Spy evs)";
  22.243  by (etac rev_mp 1);
  22.244 -by (etac tls.induct 1);
  22.245 -by (ALLGOALS (asm_simp_tac (!simpset setloop split_tac [expand_if])));
  22.246 +by (parts_induct_tac 1);
  22.247  by (step_tac (!claset addSDs [Notes_Crypt_parts_sees,
  22.248 -			      Says_imp_sees_Spy' RS parts.Inj]
  22.249 +			      Says_imp_sees_Spy RS parts.Inj]
  22.250  		      addSEs partsEs) 1);
  22.251  by (ALLGOALS (asm_full_simp_tac (!simpset addsimps [parts_insert_sees])));
  22.252  by (Fake_parts_insert_tac 1);
  22.253 @@ -285,16 +295,15 @@
  22.254    Perhaps B~=Spy is unnecessary, but there's no obvious proof if the first
  22.255    message is Fake.  We don't need guarantees for the Spy anyway.  We must
  22.256    assume A~:lost; otherwise, the Spy can forge A's signature.*)
  22.257 -goalw thy [certificate_def]
  22.258 +goal thy
  22.259   "!!evs. [| X = Crypt (priK A)                                        \
  22.260  \                 (Hash{|Nonce NB, certificate B KB, Nonce M|});      \
  22.261  \           evs : tls;  A ~: lost;  B ~= Spy |]                       \
  22.262  \    ==> Says B A {|Nonce NA, Nonce NB, Agent XB, certificate B KB|}  \
  22.263  \          : set evs --> \
  22.264 -\        X : parts (sees lost Spy evs) --> Says A B X : set evs";
  22.265 +\        X : parts (sees Spy evs) --> Says A B X : set evs";
  22.266  by (hyp_subst_tac 1);
  22.267 -by (etac tls.induct 1);
  22.268 -by (ALLGOALS (asm_simp_tac (!simpset setloop split_tac [expand_if])));
  22.269 +by (parts_induct_tac 1);
  22.270  by (Fake_parts_insert_tac 1);
  22.271  (*ServerHello: nonce NB cannot be in X because it's fresh!*)
  22.272  by (blast_tac (!claset addSDs [Hash_imp_Nonce1]
  22.273 @@ -305,25 +314,23 @@
  22.274  (*If CERTIFICATE VERIFY is present then A has chosen M.*)
  22.275  goal thy
  22.276   "!!evs. [| Crypt (priK A) (Hash{|Nonce NB, certificate B KB, Nonce M|})  \
  22.277 -\             : parts (sees lost Spy evs);                                \
  22.278 +\             : parts (sees Spy evs);                                \
  22.279  \           evs : tls;  A ~: lost |]                                      \
  22.280  \        ==> Notes A {|Agent B, Nonce M|} : set evs";
  22.281  be rev_mp 1;
  22.282 -by (etac tls.induct 1);
  22.283 -by (ALLGOALS (asm_full_simp_tac (!simpset setloop split_tac [expand_if])));
  22.284 -by (Fake_parts_insert_tac 2);
  22.285 -by (Blast_tac 1);
  22.286 +by (parts_induct_tac 1);
  22.287 +by (Fake_parts_insert_tac 1);
  22.288  qed "UseCertVerify";
  22.289  
  22.290  
  22.291  (*No collection of keys can help the spy get new private keys*)
  22.292  goal thy  
  22.293   "!!evs. evs : tls ==>                                    \
  22.294 -\  ALL KK. (Key(priK B) : analz (Key``KK Un (sees lost Spy evs))) =  \
  22.295 +\  ALL KK. (Key(priK B) : analz (Key``KK Un (sees Spy evs))) =  \
  22.296  \            (priK B : KK | B : lost)";
  22.297  by (etac tls.induct 1);
  22.298  by (ALLGOALS
  22.299 -    (asm_simp_tac (analz_image_keys_ss 
  22.300 +    (asm_simp_tac (analz_image_keys_ss
  22.301  		   addsimps (certificate_def::keys_distinct))));
  22.302  (*Fake*) 
  22.303  by (spy_analz_tac 2);
  22.304 @@ -343,8 +350,8 @@
  22.305  goal thy  
  22.306   "!!evs. evs : tls ==>                                 \
  22.307  \    ALL KK. KK <= (range clientK Un range serverK) -->           \
  22.308 -\            (Nonce N : analz (Key``KK Un (sees lost Spy evs))) = \
  22.309 -\            (Nonce N : analz (sees lost Spy evs))";
  22.310 +\            (Nonce N : analz (Key``KK Un (sees Spy evs))) = \
  22.311 +\            (Nonce N : analz (sees Spy evs))";
  22.312  by (etac tls.induct 1);
  22.313  by (ClientCertKeyEx_tac 6);
  22.314  by (REPEAT_FIRST (resolve_tac [allI, impI]));
  22.315 @@ -352,8 +359,8 @@
  22.316  writeln"SLOW simplification: 50 secs!??";
  22.317  by (ALLGOALS
  22.318      (asm_simp_tac (analz_image_keys_ss 
  22.319 -		   addsimps (analz_image_priK::certificate_def::
  22.320 -			     keys_distinct))));
  22.321 +                   addsimps (analz_image_priK::certificate_def::
  22.322 +                             keys_distinct))));
  22.323  by (ALLGOALS (asm_simp_tac (analz_image_keys_ss addsimps [analz_image_priK])));
  22.324  by (ALLGOALS (asm_simp_tac (!simpset addsimps [insert_absorb])));
  22.325  (*ClientCertKeyEx: a nonce is sent, but one needs a priK to read it.*)
  22.326 @@ -369,7 +376,7 @@
  22.327  goal thy
  22.328   "!!evs. [| evs : tls;  A ~: lost;  B ~: lost |]           \
  22.329  \        ==> Notes A {|Agent B, Nonce M|} : set evs  -->   \
  22.330 -\            Nonce M ~: analz (sees lost Spy evs)";
  22.331 +\            Nonce M ~: analz (sees Spy evs)";
  22.332  by (analz_induct_tac 1);
  22.333  (*ClientHello*)
  22.334  by (blast_tac (!claset addSDs [Notes_Crypt_parts_sees]
  22.335 @@ -382,7 +389,7 @@
  22.336  by (REPEAT (blast_tac (!claset addSEs partsEs
  22.337  			       addDs  [Notes_Crypt_parts_sees,
  22.338  				       impOfSubs analz_subset_parts,
  22.339 -				       Says_imp_sees_Spy' RS analz.Inj]) 1));
  22.340 +				       Says_imp_sees_Spy RS analz.Inj]) 1));
  22.341  bind_thm ("Spy_not_see_premaster_secret", result() RSN (2, rev_mp));
  22.342  
  22.343  
  22.344 @@ -395,13 +402,13 @@
  22.345    Converse doesn't hold; betraying M doesn't force the keys to be sent!*)
  22.346  
  22.347  goal thy 
  22.348 - "!!evs. [| Nonce M ~: analz (sees lost Spy evs);  evs : tls |]   \
  22.349 -\        ==> Key (clientK(NA,NB,M)) ~: parts (sees lost Spy evs)";
  22.350 + "!!evs. [| Nonce M ~: analz (sees Spy evs);  evs : tls |]   \
  22.351 +\        ==> Key (clientK(NA,NB,M)) ~: parts (sees Spy evs)";
  22.352  by (etac rev_mp 1);
  22.353  by (analz_induct_tac 1);
  22.354  (*SpyKeys*)
  22.355  by (asm_simp_tac (analz_image_keys_ss addsimps [analz_image_keys]) 3);
  22.356 -by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS analz.Inj]) 3);
  22.357 +by (blast_tac (!claset addDs [Says_imp_sees_Spy RS analz.Inj]) 3);
  22.358  (*Fake*) 
  22.359  by (spy_analz_tac 2);
  22.360  (*Base*)
  22.361 @@ -412,13 +419,13 @@
  22.362  AddSEs [clientK_notin_parts RSN (2, rev_notE)];
  22.363  
  22.364  goal thy 
  22.365 - "!!evs. [| Nonce M ~: analz (sees lost Spy evs);  evs : tls |]   \
  22.366 -\        ==> Key (serverK(NA,NB,M)) ~: parts (sees lost Spy evs)";
  22.367 + "!!evs. [| Nonce M ~: analz (sees Spy evs);  evs : tls |]   \
  22.368 +\        ==> Key (serverK(NA,NB,M)) ~: parts (sees Spy evs)";
  22.369  by (etac rev_mp 1);
  22.370  by (analz_induct_tac 1);
  22.371  (*SpyKeys*)
  22.372  by (asm_simp_tac (analz_image_keys_ss addsimps [analz_image_keys]) 3);
  22.373 -by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS analz.Inj]) 3);
  22.374 +by (blast_tac (!claset addDs [Says_imp_sees_Spy RS analz.Inj]) 3);
  22.375  (*Fake*) 
  22.376  by (spy_analz_tac 2);
  22.377  (*Base*)
  22.378 @@ -434,7 +441,7 @@
  22.379  
  22.380  goal thy 
  22.381   "!!evs. [| Nonce M ~: used evs;  evs : tls |]                           \
  22.382 -\        ==> Crypt (clientK(NA,NB,M)) Y ~: parts (sees lost Spy evs)";
  22.383 +\        ==> Crypt (clientK(NA,NB,M)) Y ~: parts (sees Spy evs)";
  22.384  by (etac rev_mp 1);
  22.385  by (analz_induct_tac 1);
  22.386  (*ClientFinished: since M is fresh, a different instance of clientK was used.*)
  22.387 @@ -450,7 +457,7 @@
  22.388  
  22.389  goal thy 
  22.390   "!!evs. [| Nonce M ~: used evs;  evs : tls |]                           \
  22.391 -\        ==> Crypt (serverK(NA,NB,M)) Y ~: parts (sees lost Spy evs)";
  22.392 +\        ==> Crypt (serverK(NA,NB,M)) Y ~: parts (sees Spy evs)";
  22.393  by (etac rev_mp 1);
  22.394  by (analz_induct_tac 1);
  22.395  (*ServerFinished: since M is fresh, a different instance of serverK was used.*)
  22.396 @@ -465,10 +472,10 @@
  22.397  AddEs [Crypt_serverK_notin_parts RSN (2, rev_notE)];
  22.398  
  22.399  
  22.400 -(*Weakening A~:lost to A~=Spy would complicate later uses of the rule*)
  22.401 +(*NEEDED??*)
  22.402  goal thy
  22.403   "!!evs. [| Says A B {|certA, Crypt KB (Nonce M)|} : set evs;   \
  22.404 -\           A ~: lost;  evs : tls |] ==> KB = pubK B";
  22.405 +\           A ~= Spy;  evs : tls |] ==> KB = pubK B";
  22.406  be rev_mp 1;
  22.407  by (analz_induct_tac 1);
  22.408  qed "A_Crypt_pubB";
  22.409 @@ -476,36 +483,25 @@
  22.410  
  22.411  (*** Unicity results for M, the pre-master-secret ***)
  22.412  
  22.413 -(*Induction for theorems of the form X ~: analz (sees lost Spy evs) --> ...
  22.414 -  It simplifies the proof by discarding needless information about
  22.415 -	analz (insert X (sees lost Spy evs)) 
  22.416 -*)
  22.417 -fun analz_mono_parts_induct_tac i = 
  22.418 -    etac tls.induct i           THEN 
  22.419 -    ClientCertKeyEx_tac  (i+5)  THEN	(*ClientCertKeyEx*)
  22.420 -    REPEAT_FIRST analz_mono_contra_tac;
  22.421 -
  22.422 -
  22.423  (*M determines B.  Proof borrowed from NS_Public/unique_NA and from Yahalom*)
  22.424  goal thy 
  22.425 - "!!evs. [| Nonce M ~: analz (sees lost Spy evs);  evs : tls |]   \
  22.426 + "!!evs. [| Nonce M ~: analz (sees Spy evs);  evs : tls |]   \
  22.427  \        ==> EX B'. ALL B.   \
  22.428 -\              Crypt (pubK B) (Nonce M) : parts (sees lost Spy evs) --> B=B'";
  22.429 +\              Crypt (pubK B) (Nonce M) : parts (sees Spy evs) --> B=B'";
  22.430  by (etac rev_mp 1);
  22.431 -by (analz_mono_parts_induct_tac 1);
  22.432 -by (prove_simple_subgoals_tac 1);
  22.433 -by (asm_simp_tac (!simpset addsimps [all_conj_distrib]
  22.434 -                           setloop split_tac [expand_if]) 2);
  22.435 +by (parts_induct_tac 1);
  22.436 +by (Fake_parts_insert_tac 1);
  22.437  (*ClientCertKeyEx*)
  22.438 -by (expand_case_tac "M = ?y" 2 THEN
  22.439 -    REPEAT (blast_tac (!claset addSEs partsEs) 2));
  22.440 -by (Fake_parts_insert_tac 1);
  22.441 +by (ClientCertKeyEx_tac 1);
  22.442 +by (asm_simp_tac (!simpset addsimps [all_conj_distrib]) 1);
  22.443 +by (expand_case_tac "M = ?y" 1 THEN
  22.444 +    blast_tac (!claset addSEs partsEs) 1);
  22.445  val lemma = result();
  22.446  
  22.447  goal thy 
  22.448 - "!!evs. [| Crypt(pubK B)  (Nonce M) : parts (sees lost Spy evs); \
  22.449 -\           Crypt(pubK B') (Nonce M) : parts (sees lost Spy evs); \
  22.450 -\           Nonce M ~: analz (sees lost Spy evs);                 \
  22.451 + "!!evs. [| Crypt(pubK B)  (Nonce M) : parts (sees Spy evs); \
  22.452 +\           Crypt(pubK B') (Nonce M) : parts (sees Spy evs); \
  22.453 +\           Nonce M ~: analz (sees Spy evs);                 \
  22.454  \           evs : tls |]                                          \
  22.455  \        ==> B=B'";
  22.456  by (prove_unique_tac lemma 1);
  22.457 @@ -514,12 +510,11 @@
  22.458  
  22.459  (*In A's note to herself, M determines A and B.*)
  22.460  goal thy 
  22.461 - "!!evs. [| Nonce M ~: analz (sees lost Spy evs);  evs : tls |]            \
  22.462 + "!!evs. [| Nonce M ~: analz (sees Spy evs);  evs : tls |]            \
  22.463  \ ==> EX A' B'. ALL A B.                                                   \
  22.464  \        Notes A {|Agent B, Nonce M|} : set evs --> A=A' & B=B'";
  22.465  by (etac rev_mp 1);
  22.466 -by (analz_mono_parts_induct_tac 1);
  22.467 -by (prove_simple_subgoals_tac 1);
  22.468 +by (parts_induct_tac 1);
  22.469  by (asm_simp_tac (!simpset addsimps [all_conj_distrib]) 1);
  22.470  (*ClientCertKeyEx: if M is fresh, then it can't appear in Notes A X.*)
  22.471  by (expand_case_tac "M = ?y" 1 THEN
  22.472 @@ -529,7 +524,7 @@
  22.473  goal thy 
  22.474   "!!evs. [| Notes A  {|Agent B,  Nonce M|} : set evs;  \
  22.475  \           Notes A' {|Agent B', Nonce M|} : set evs;  \
  22.476 -\           Nonce M ~: analz (sees lost Spy evs);      \
  22.477 +\           Nonce M ~: analz (sees Spy evs);      \
  22.478  \           evs : tls |]                               \
  22.479  \        ==> A=A' & B=B'";
  22.480  by (prove_unique_tac lemma 1);
  22.481 @@ -550,13 +545,13 @@
  22.482  \                        Nonce NB, Agent XB, certificate B (pubK B)|}); \
  22.483  \           evs : tls;  A ~: lost;  B ~: lost |]                        \
  22.484  \        ==> Notes A {|Agent B, Nonce M|} : set evs -->                 \
  22.485 -\        X : parts (sees lost Spy evs) --> Says B A X : set evs";
  22.486 +\        X : parts (sees Spy evs) --> Says B A X : set evs";
  22.487  by (hyp_subst_tac 1);
  22.488  by (analz_induct_tac 1);
  22.489  by (REPEAT_FIRST (rtac impI));
  22.490  (*Fake: the Spy doesn't have the critical session key!*)
  22.491  by (REPEAT (rtac impI 1));
  22.492 -by (subgoal_tac "Key (serverK(NA,NB,M)) ~: analz (sees lost Spy evsa)" 1);
  22.493 +by (subgoal_tac "Key (serverK(NA,NB,M)) ~: analz (sees Spy evsa)" 1);
  22.494  by (asm_simp_tac (!simpset addsimps [Spy_not_see_premaster_secret, 
  22.495  				     not_parts_not_analz]) 2);
  22.496  by (Fake_parts_insert_tac 1);
  22.497 @@ -566,16 +561,17 @@
  22.498  (*This version refers not to SERVER FINISHED but to any message from B.
  22.499    We don't assume B has received CERTIFICATE VERIFY, and an intruder could
  22.500    have changed A's identity in all other messages, so we can't be sure
  22.501 -  that B sends his message to A.*)
  22.502 +  that B sends his message to A.  If CLIENT KEY EXCHANGE were augmented
  22.503 +  to bind A's identify with M, then we could replace A' by A below.*)
  22.504  goal thy
  22.505 - "!!evs. [| evs : tls;  A ~: lost;  B ~: lost |]                         \
  22.506 -\        ==> Notes A {|Agent B, Nonce M|} : set evs -->                  \
  22.507 -\            Crypt (serverK(NA,NB,M)) Y : parts (sees lost Spy evs)  --> \
  22.508 + "!!evs. [| evs : tls;  A ~: lost;  B ~: lost |]                     \
  22.509 +\        ==> Notes A {|Agent B, Nonce M|} : set evs -->              \
  22.510 +\            Crypt (serverK(NA,NB,M)) Y : parts (sees Spy evs)  -->  \
  22.511  \            (EX A'. Says B A' (Crypt (serverK(NA,NB,M)) Y) : set evs)";
  22.512  by (analz_induct_tac 1);
  22.513  by (REPEAT_FIRST (rtac impI));
  22.514  (*Fake: the Spy doesn't have the critical session key!*)
  22.515 -by (subgoal_tac "Key (serverK(NA,NB,M)) ~: analz (sees lost Spy evsa)" 1);
  22.516 +by (subgoal_tac "Key (serverK(NA,NB,M)) ~: analz (sees Spy evsa)" 1);
  22.517  by (asm_simp_tac (!simpset addsimps [Spy_not_see_premaster_secret, 
  22.518  				     not_parts_not_analz]) 2);
  22.519  by (Fake_parts_insert_tac 1);
  22.520 @@ -584,11 +580,11 @@
  22.521  (*...otherwise delete induction hyp and use unicity of M.*)
  22.522  by (thin_tac "?PP-->?QQ" 1);
  22.523  by (Step_tac 1);
  22.524 -by (subgoal_tac "Nonce M ~: analz (sees lost Spy evsa)" 1);
  22.525 +by (subgoal_tac "Nonce M ~: analz (sees Spy evsa)" 1);
  22.526  by (asm_simp_tac (!simpset addsimps [Spy_not_see_premaster_secret]) 2);
  22.527  by (blast_tac (!claset addSEs [MPair_parts]
  22.528  		       addDs  [Notes_Crypt_parts_sees,
  22.529 -			       Says_imp_sees_Spy' RS parts.Inj,
  22.530 +			       Says_imp_sees_Spy RS parts.Inj,
  22.531  			       unique_M]) 1);
  22.532  qed_spec_mp "TrustServerMsg";
  22.533  
  22.534 @@ -601,18 +597,18 @@
  22.535  goal thy
  22.536   "!!evs. [| evs : tls;  A ~: lost;  B ~: lost |]                         \
  22.537  \        ==> Notes A {|Agent B, Nonce M|} : set evs -->                  \
  22.538 -\            Crypt (clientK(NA,NB,M)) Y : parts (sees lost Spy evs) -->  \
  22.539 +\            Crypt (clientK(NA,NB,M)) Y : parts (sees Spy evs) -->  \
  22.540  \            Says A B (Crypt (clientK(NA,NB,M)) Y) : set evs";
  22.541  by (analz_induct_tac 1);
  22.542  by (REPEAT_FIRST (rtac impI));
  22.543  (*Fake: the Spy doesn't have the critical session key!*)
  22.544 -by (subgoal_tac "Key (clientK(NA,NB,M)) ~: analz (sees lost Spy evsa)" 1);
  22.545 +by (subgoal_tac "Key (clientK(NA,NB,M)) ~: analz (sees Spy evsa)" 1);
  22.546  by (asm_simp_tac (!simpset addsimps [Spy_not_see_premaster_secret, 
  22.547  				     not_parts_not_analz]) 2);
  22.548  by (Fake_parts_insert_tac 1);
  22.549  (*ClientFinished.  If the message is old then apply induction hypothesis...*)
  22.550  by (step_tac (!claset delrules [conjI]) 1);
  22.551 -by (subgoal_tac "Nonce M ~: analz (sees lost Spy evsa)" 1);
  22.552 +by (subgoal_tac "Nonce M ~: analz (sees Spy evsa)" 1);
  22.553  by (asm_simp_tac (!simpset addsimps [Spy_not_see_premaster_secret]) 2);
  22.554  by (blast_tac (!claset addSEs [MPair_parts]
  22.555  		       addDs  [Notes_unique_M]) 1);
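--- a/src/HOL/Auth/TLS.thy	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/TLS.thy	Mon Jul 14 12:47:21 1997 +0200
@@ -13,7 +13,7 @@
 Server, who is in charge of all public keys.
 
 The model assumes that no fraudulent certificates are present, but it does
-assume that some private keys are lost to the spy.
+assume that some private keys are to the spy.
 
 Abstracted from "The TLS Protocol, Version 1.0" by Tim Dierks and Christopher
 Allen, Transport Layer Security Working Group, 21 May 1997,
@@ -56,14 +56,8 @@
   (*Clashes with pubK and priK are impossible, but this axiom is needed.*)
   clientK_range "range clientK <= Compl (range serverK)"
 
-  (*Spy has access to his own key for spoof messages, but Server is secure*)
-  Spy_in_lost     "Spy: lost"
-  Server_not_lost "Server ~: lost"
 
-
-consts  lost :: agent set        (*No need for it to be a variable*)
-	tls  :: event list set
-
+consts    tls :: event list set
 inductive tls
   intrs 
     Nil  (*Initial trace is empty*)
@@ -71,7 +65,7 @@
 
     Fake (*The spy, an active attacker, MAY say anything he CAN say.*)
          "[| evs: tls;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
+             X: synth (analz (sees Spy evs)) |]
           ==> Says Spy B X # evs : tls"
 
     SpyKeys (*The spy may apply clientK & serverK to nonces he's found*)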
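Review bot: The header comment in the first hunk now reads `assume that some private keys are to the spy.`, so the removal of `lost` as an argument also deleted the word from prose and the sentence no longer states the model's compromise assumption. It should stay `assume that some private keys are lost to the spy.`, since this is the one place the file documents that assumption. The second hunk also removes `Spy_in_lost`, `Server_not_lost` and the `lost` declaration from this theory; presumably they are now provided by a parent theory. If so, a short comment such as `(*lost, Spy_in_lost and Server_not_lost now come from the parent theory*)` would keep the trust assumptions behind `Fake` readable from this file.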
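--- a/src/HOL/Auth/WooLam.ML	Mon Jul 14 12:44:09 1997 +0200
+++ b/src/HOL/Auth/WooLam.ML	Mon Jul 14 12:47:21 1997 +0200
@@ -41,41 +41,38 @@
 
 (** For reasoning about the encrypted portion of messages **)
 
-goal thy "!!evs. Says A' B X : set evs \
-\                ==> X : analz (sees lost Spy evs)";
+goal thy "!!evs. Says A' B X : set evs ==> X : analz (sees Spy evs)";
 by (etac (Says_imp_sees_Spy RS analz.Inj) 1);
 qed "WL4_analz_sees_Spy";
 
 bind_thm ("WL4_parts_sees_Spy",
           WL4_analz_sees_Spy RS (impOfSubs analz_subset_parts));
 
-(*For proving the easier theorems about X ~: parts (sees lost Spy evs) *)
-val parts_induct_tac = 
-    etac woolam.induct 1  THEN 
-    forward_tac [WL4_parts_sees_Spy] 6  THEN
+(*For proving the easier theorems about X ~: parts (sees Spy evs) *)
+fun parts_induct_tac i = 
+    etac woolam.induct i  THEN 
+    forward_tac [WL4_parts_sees_Spy] (i+5)  THEN
     prove_simple_subgoals_tac 1;
 
 
-(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
+(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
     sends messages containing X! **)
 
 (*Spy never sees another agent's shared key! (unless it's lost at start)*)
 goal thy 
- "!!evs. evs : woolam \
-\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
-by parts_induct_tac;
+ "!!evs. evs : woolam ==> (Key (shrK A) : parts (sees Spy evs)) = (A : lost)";
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
 goal thy 
- "!!evs. evs : woolam \
-\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
+ "!!evs. evs : woolam ==> (Key (shrK A) : analz (sees Spy evs)) = (A : lost)";
 by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
 
-goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
+goal thy  "!!A. [| Key (shrK A) : parts (sees Spy evs);       \
 \                  evs : woolam |] ==> A:lost";
 by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
 qed "Spy_see_shrK_D";
@@ -91,10 +88,10 @@
 
 (*If the encrypted message appears then it originated with Alice*)
 goal thy 
- "!!evs. [| A ~: lost;  evs : woolam |]                   \
-\    ==> Crypt (shrK A) (Nonce NB) : parts (sees lost Spy evs)        \
-\        --> (EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs)";
-by parts_induct_tac;
+ "!!evs. [| A ~: lost;  evs : woolam |]                        \
+\        ==> Crypt (shrK A) (Nonce NB) : parts (sees Spy evs)  \
+\            --> (EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs)";
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (Blast_tac 1);
 qed_spec_mp "NB_Crypt_imp_Alice_msg";
@@ -121,7 +118,7 @@
 \        Says Server B (Crypt (shrK B) {|Agent A, NB|}) : set evs           \
 \        --> (EX B'. Says B' Server {|Agent A, Agent B, Crypt (shrK A) NB|} \
 \               : set evs)";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (ALLGOALS Blast_tac);
 bind_thm ("Server_sent_WL5", result() RSN (2, rev_mp));
@@ -129,10 +126,10 @@
 
 (*If the encrypted message appears then it originated with the Server!*)
 goal thy 
- "!!evs. [| B ~: lost;  evs : woolam |]                                  \
-\        ==> Crypt (shrK B) {|Agent A, NB|} : parts (sees lost Spy evs)  \
+ "!!evs. [| B ~: lost;  evs : woolam |]                             \
+\        ==> Crypt (shrK B) {|Agent A, NB|} : parts (sees Spy evs)  \
 \        --> Says Server B (Crypt (shrK B) {|Agent A, NB|}) : set evs";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 qed_spec_mp "NB_Crypt_imp_Server_msg";
 
@@ -161,10 +158,10 @@
 
 (*B only issues challenges in response to WL1.  Useful??*)
 goal thy 
- "!!evs. [| B ~= Spy;  evs : woolam |]                   \
+ "!!evs. [| B ~= Spy;  evs : woolam |]        \
 \    ==> Says B A (Nonce NB) : set evs        \
 \        --> (EX A'. Says A' B (Agent A) : set evs)";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (ALLGOALS Blast_tac);
 bind_thm ("B_said_WL2", result() RSN (2, rev_mp));
@@ -172,11 +169,11 @@
 
 (**CANNOT be proved because A doesn't know where challenges come from...
 goal thy 
- "!!evs. [| A ~: lost;  B ~= Spy;  evs : woolam |]                \
-\    ==> Crypt (shrK A) (Nonce NB) : parts (sees lost Spy evs) &  \
-\        Says B A (Nonce NB) : set evs                            \
+ "!!evs. [| A ~: lost;  B ~= Spy;  evs : woolam |]           \
+\    ==> Crypt (shrK A) (Nonce NB) : parts (sees Spy evs) &  \
+\        Says B A (Nonce NB) : set evs                       \
 \        --> Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (Step_tac 1);
 by (blast_tac (!claset addSEs partsEs) 1);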
    25.1 --- a/src/HOL/Auth/WooLam.thy	Mon Jul 14 12:44:09 1997 +0200
    25.2 +++ b/src/HOL/Auth/WooLam.thy	Mon Jul 14 12:47:21 1997 +0200
    25.3 @@ -16,8 +16,7 @@
    25.4  
    25.5  WooLam = Shared + 
    25.6  
    25.7 -consts  lost    :: agent set        (*No need for it to be a variable*)
    25.8 -	woolam  :: event list set
    25.9 +consts  woolam  :: event list set
   25.10  inductive woolam
   25.11    intrs 
   25.12           (*Initial trace is empty*)
   25.13 @@ -27,7 +26,7 @@
   25.14             invent new nonces here, but he can also use NS1.  Common to
   25.15             all similar protocols.*)
   25.16      Fake "[| evs: woolam;  B ~= Spy;  
   25.17 -             X: synth (analz (sees lost Spy evs)) |]
   25.18 +             X: synth (analz (sees Spy evs)) |]
   25.19            ==> Says Spy B X  # evs : woolam"
   25.20  
   25.21           (*Alice initiates a protocol run*)
    26.1 --- a/src/HOL/Auth/Yahalom.ML	Mon Jul 14 12:44:09 1997 +0200
    26.2 +++ b/src/HOL/Auth/Yahalom.ML	Mon Jul 14 12:47:21 1997 +0200
    26.3 @@ -16,14 +16,11 @@
    26.4  HOL_quantifiers := false;
    26.5  Pretty.setdepth 25;
    26.6  
    26.7 -(*Replacing the variable by a constant improves speed*)
    26.8 -val Says_imp_sees_Spy' = read_instantiate [("lost","lost")] Says_imp_sees_Spy;
    26.9 -
   26.10  
   26.11  (*A "possibility property": there are traces that reach the end*)
   26.12  goal thy 
   26.13   "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
   26.14 -\        ==> EX X NB K. EX evs: yahalom lost.     \
   26.15 +\        ==> EX X NB K. EX evs: yahalom.     \
   26.16  \               Says A B {|X, Crypt K (Nonce NB)|} : set evs";
   26.17  by (REPEAT (resolve_tac [exI,bexI] 1));
   26.18  by (rtac (yahalom.Nil RS yahalom.YM1 RS yahalom.YM2 RS yahalom.YM3 RS 
   26.19 @@ -35,7 +32,7 @@
   26.20  (**** Inductive proofs about yahalom ****)
   26.21  
   26.22  (*Nobody sends themselves messages*)
   26.23 -goal thy "!!evs. evs: yahalom lost ==> ALL A X. Says A A X ~: set evs";
   26.24 +goal thy "!!evs. evs: yahalom ==> ALL A X. Says A A X ~: set evs";
   26.25  by (etac yahalom.induct 1);
   26.26  by (Auto_tac());
   26.27  qed_spec_mp "not_Says_to_self";
   26.28 @@ -47,8 +44,8 @@
   26.29  
   26.30  (*Lets us treat YM4 using a similar argument as for the Fake case.*)
   26.31  goal thy "!!evs. Says S A {|Crypt (shrK A) Y, X|} : set evs ==> \
   26.32 -\                X : analz (sees lost Spy evs)";
   26.33 -by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1);
   26.34 +\                X : analz (sees Spy evs)";
   26.35 +by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS analz.Inj]) 1);
   26.36  qed "YM4_analz_sees_Spy";
   26.37  
   26.38  bind_thm ("YM4_parts_sees_Spy",
   26.39 @@ -56,45 +53,47 @@
   26.40  
   26.41  (*Relates to both YM4 and Oops*)
   26.42  goal thy "!!evs. Says S A {|Crypt (shrK A) {|B,K,NA,NB|}, X|} : set evs ==> \
   26.43 -\                K : parts (sees lost Spy evs)";
   26.44 +\                K : parts (sees Spy evs)";
   26.45  by (blast_tac (!claset addSEs partsEs
   26.46 -                      addSDs [Says_imp_sees_Spy' RS parts.Inj]) 1);
   26.47 +                      addSDs [Says_imp_sees_Spy RS parts.Inj]) 1);
   26.48  qed "YM4_Key_parts_sees_Spy";
   26.49  
   26.50 -(*For proving the easier theorems about X ~: parts (sees lost Spy evs).
   26.51 -  We instantiate the variable to "lost" since leaving it as a Var would
   26.52 -  interfere with simplification.*)
   26.53 -val parts_sees_tac = 
   26.54 -    forw_inst_tac [("lost","lost")] YM4_parts_sees_Spy 6     THEN
   26.55 -    forw_inst_tac [("lost","lost")] YM4_Key_parts_sees_Spy 7 THEN
   26.56 -    prove_simple_subgoals_tac  1;
   26.57 +(*For proving the easier theorems about X ~: parts (sees Spy evs).*)
   26.58 +fun parts_sees_tac i = 
   26.59 +    forward_tac [YM4_Key_parts_sees_Spy] (i+6) THEN
   26.60 +    forward_tac [YM4_parts_sees_Spy] (i+5)     THEN
   26.61 +    prove_simple_subgoals_tac  i;
   26.62  
   26.63 -val parts_induct_tac = 
   26.64 -    etac yahalom.induct 1 THEN parts_sees_tac;
   26.65 +(*Induction for regularity theorems.  If induction formula has the form
   26.66 +   X ~: analz (sees Spy evs) --> ... then it shortens the proof by discarding
   26.67 +   needless information about analz (insert X (sees Spy evs))  *)
   26.68 +fun parts_induct_tac i = 
   26.69 +    etac yahalom.induct i
   26.70 +    THEN 
   26.71 +    REPEAT (FIRSTGOAL analz_mono_contra_tac)
   26.72 +    THEN  parts_sees_tac i;
   26.73  
   26.74  
   26.75 -(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
   26.76 +(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
   26.77      sends messages containing X! **)
   26.78  
   26.79  (*Spy never sees another agent's shared key! (unless it's lost at start)*)
   26.80  goal thy 
   26.81 - "!!evs. evs : yahalom lost \
   26.82 -\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
   26.83 -by parts_induct_tac;
   26.84 + "!!evs. evs : yahalom ==> (Key (shrK A) : parts (sees Spy evs)) = (A : lost)";
   26.85 +by (parts_induct_tac 1);
   26.86  by (Fake_parts_insert_tac 1);
   26.87  by (Blast_tac 1);
   26.88  qed "Spy_see_shrK";
   26.89  Addsimps [Spy_see_shrK];
   26.90  
   26.91  goal thy 
   26.92 - "!!evs. evs : yahalom lost \
   26.93 -\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
   26.94 + "!!evs. evs : yahalom ==> (Key (shrK A) : analz (sees Spy evs)) = (A : lost)";
   26.95  by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
   26.96  qed "Spy_analz_shrK";
   26.97  Addsimps [Spy_analz_shrK];
   26.98  
   26.99 -goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
  26.100 -\                  evs : yahalom lost |] ==> A:lost";
  26.101 +goal thy  "!!A. [| Key (shrK A) : parts (sees Spy evs);       \
  26.102 +\                  evs : yahalom |] ==> A:lost";
  26.103  by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
  26.104  qed "Spy_see_shrK_D";
  26.105  
  26.106 @@ -103,9 +102,9 @@
  26.107  
  26.108  
  26.109  (*Nobody can have used non-existent keys!  Needed to apply analz_insert_Key*)
  26.110 -goal thy "!!evs. evs : yahalom lost ==>          \
  26.111 -\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
  26.112 -by parts_induct_tac;
  26.113 +goal thy "!!evs. evs : yahalom ==>          \
  26.114 +\         Key K ~: used evs --> K ~: keysFor (parts (sees Spy evs))";
  26.115 +by (parts_induct_tac 1);
  26.116  (*YM4: Key K is not fresh!*)
  26.117  by (blast_tac (!claset addSEs sees_Spy_partsEs) 3);
  26.118  (*YM3*)
  26.119 @@ -130,7 +129,7 @@
  26.120  goal thy 
  26.121   "!!evs. [| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \
  26.122  \             : set evs;                                                   \
  26.123 -\           evs : yahalom lost |]                                          \
  26.124 +\           evs : yahalom |]                                          \
  26.125  \        ==> K ~: range shrK";
  26.126  by (etac rev_mp 1);
  26.127  by (etac yahalom.induct 1);
  26.128 @@ -139,18 +138,18 @@
  26.129  qed "Says_Server_message_form";
  26.130  
  26.131  
  26.132 -(*For proofs involving analz.  We again instantiate the variable to "lost".*)
  26.133 +(*For proofs involving analz.*)
  26.134  val analz_sees_tac = 
  26.135 -    forw_inst_tac [("lost","lost")] YM4_analz_sees_Spy 6 THEN
  26.136 -    forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN
  26.137 +    forward_tac [YM4_analz_sees_Spy] 6 THEN
  26.138 +    forward_tac [Says_Server_message_form] 7 THEN
  26.139      assume_tac 7 THEN REPEAT ((etac exE ORELSE' hyp_subst_tac) 7);
  26.140  
  26.141  
  26.142  (****
  26.143   The following is to prove theorems of the form
  26.144  
  26.145 -  Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
  26.146 -  Key K : analz (sees lost Spy evs)
  26.147 +  Key K : analz (insert (Key KAB) (sees Spy evs)) ==>
  26.148 +  Key K : analz (sees Spy evs)
  26.149  
  26.150   A more general formula must be proved inductively.
  26.151  ****)
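Review bot: `analz_sees_tac` stays a `val` with the literal subgoal numbers 6 and 7, while its sibling `parts_sees_tac` became `fun parts_sees_tac i` with offsets from `i` in this same changeset. The two helpers now have different calling conventions (`by analz_sees_tac;` next to `by (parts_induct_tac 1);`), which is easy to get wrong when a secrecy proof is copied or adapted. Either convert it the same way, starting `fun analz_sees_tac i = forward_tac [YM4_analz_sees_Spy] (i+5) THEN`, or add a comment saying that 6 and 7 are presumably the YM4 and Oops cases after `etac yahalom.induct 1` and that the tactic must directly follow that step.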
  26.152 @@ -158,10 +157,10 @@
  26.153  (** Session keys are not used to encrypt other session keys **)
  26.154  
  26.155  goal thy  
  26.156 - "!!evs. evs : yahalom lost ==>                                 \
  26.157 + "!!evs. evs : yahalom ==>                                 \
  26.158  \  ALL K KK. KK <= Compl (range shrK) -->                       \
  26.159 -\            (Key K : analz (Key``KK Un (sees lost Spy evs))) = \
  26.160 -\            (K : KK | Key K : analz (sees lost Spy evs))";
  26.161 +\            (Key K : analz (Key``KK Un (sees Spy evs))) = \
  26.162 +\            (K : KK | Key K : analz (sees Spy evs))";
  26.163  by (etac yahalom.induct 1);
  26.164  by analz_sees_tac;
  26.165  by (REPEAT_FIRST (resolve_tac [allI, impI]));
  26.166 @@ -174,9 +173,9 @@
  26.167  qed_spec_mp "analz_image_freshK";
  26.168  
  26.169  goal thy
  26.170 - "!!evs. [| evs : yahalom lost;  KAB ~: range shrK |] ==>             \
  26.171 -\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) =       \
  26.172 -\        (K = KAB | Key K : analz (sees lost Spy evs))";
  26.173 + "!!evs. [| evs : yahalom;  KAB ~: range shrK |] ==>             \
  26.174 +\        Key K : analz (insert (Key KAB) (sees Spy evs)) =       \
  26.175 +\        (K = KAB | Key K : analz (sees Spy evs))";
  26.176  by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
  26.177  qed "analz_insert_freshK";
  26.178  
  26.179 @@ -184,7 +183,7 @@
  26.180  (*** The Key K uniquely identifies the Server's  message. **)
  26.181  
  26.182  goal thy 
  26.183 - "!!evs. evs : yahalom lost ==>                                     \
  26.184 + "!!evs. evs : yahalom ==>                                     \
  26.185  \      EX A' B' na' nb' X'. ALL A B na nb X.                        \
  26.186  \          Says Server A                                            \
  26.187  \           {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|}        \
  26.188 @@ -209,7 +208,7 @@
  26.189  \          Says Server A'                                           \
  26.190  \           {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|}   \
  26.191  \           : set evs;                                              \
  26.192 -\          evs : yahalom lost |]                                    \
  26.193 +\          evs : yahalom |]                                    \
  26.194  \       ==> A=A' & B=B' & na=na' & nb=nb'";
  26.195  by (prove_unique_tac lemma 1);
  26.196  qed "unique_session_keys";
  26.197 @@ -218,13 +217,13 @@
  26.198  (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **)
  26.199  
  26.200  goal thy 
  26.201 - "!!evs. [| A ~: lost;  B ~: lost;  evs : yahalom lost |]         \
  26.202 + "!!evs. [| A ~: lost;  B ~: lost;  evs : yahalom |]         \
  26.203  \        ==> Says Server A                                        \
  26.204  \              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},       \
  26.205  \                Crypt (shrK B) {|Agent A, Key K|}|}              \
  26.206  \             : set evs -->                                       \
  26.207  \            Says A Spy {|na, nb, Key K|} ~: set evs -->          \
  26.208 -\            Key K ~: analz (sees lost Spy evs)";
  26.209 +\            Key K ~: analz (sees Spy evs)";
  26.210  by (etac yahalom.induct 1);
  26.211  by analz_sees_tac;
  26.212  by (ALLGOALS
  26.213 @@ -250,37 +249,26 @@
  26.214  \                Crypt (shrK B) {|Agent A, Key K|}|}              \
  26.215  \             : set evs;                                          \
  26.216  \           Says A Spy {|na, nb, Key K|} ~: set evs;              \
  26.217 -\           A ~: lost;  B ~: lost;  evs : yahalom lost |]         \
  26.218 -\        ==> Key K ~: analz (sees lost Spy evs)";
  26.219 +\           A ~: lost;  B ~: lost;  evs : yahalom |]         \
  26.220 +\        ==> Key K ~: analz (sees Spy evs)";
  26.221  by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
  26.222  by (blast_tac (!claset addSEs [lemma]) 1);
  26.223  qed "Spy_not_see_encrypted_key";
  26.224  
  26.225  
  26.226 -(*Induction for theorems of the form X ~: analz (sees lost Spy evs) --> ...
  26.227 -  It simplifies the proof by discarding needless information about
  26.228 -	analz (insert X (sees lost Spy evs)) 
  26.229 -*)
  26.230 -fun analz_mono_parts_induct_tac i = 
  26.231 -    etac yahalom.induct i
  26.232 -    THEN 
  26.233 -    REPEAT_FIRST analz_mono_contra_tac
  26.234 -    THEN  parts_sees_tac;
  26.235 -
  26.236 -
  26.237  (** Security Guarantee for A upon receiving YM3 **)
  26.238  
  26.239  (*If the encrypted message appears then it originated with the Server*)
  26.240  goal thy
  26.241   "!!evs. [| Crypt (shrK A) {|Agent B, Key K, na, nb|}                  \
  26.242 -\            : parts (sees lost Spy evs);                              \
  26.243 -\           A ~: lost;  evs : yahalom lost |]                          \
  26.244 +\            : parts (sees Spy evs);                              \
  26.245 +\           A ~: lost;  evs : yahalom |]                          \
  26.246  \         ==> Says Server A                                            \
  26.247  \              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},            \
  26.248  \                Crypt (shrK B) {|Agent A, Key K|}|}                   \
  26.249  \             : set evs";
  26.250  by (etac rev_mp 1);
  26.251 -by parts_induct_tac;
  26.252 +by (parts_induct_tac 1);
  26.253  by (Fake_parts_insert_tac 1);
  26.254  qed "A_trusts_YM3";
  26.255  
  26.256 @@ -290,15 +278,15 @@
  26.257  (*B knows, by the first part of A's message, that the Server distributed 
  26.258    the key for A and B.  But this part says nothing about nonces.*)
  26.259  goal thy 
  26.260 - "!!evs. [| Crypt (shrK B) {|Agent A, Key K|} : parts (sees lost Spy evs); \
  26.261 -\           B ~: lost;  evs : yahalom lost |]                           \
  26.262 + "!!evs. [| Crypt (shrK B) {|Agent A, Key K|} : parts (sees Spy evs); \
  26.263 +\           B ~: lost;  evs : yahalom |]                           \
  26.264  \        ==> EX NA NB. Says Server A                                    \
  26.265  \                        {|Crypt (shrK A) {|Agent B, Key K,             \
  26.266  \                                           Nonce NA, Nonce NB|},       \
  26.267  \                          Crypt (shrK B) {|Agent A, Key K|}|}          \
  26.268  \                       : set evs";
  26.269  by (etac rev_mp 1);
  26.270 -by parts_induct_tac;
  26.271 +by (parts_induct_tac 1);
  26.272  by (Fake_parts_insert_tac 1);
  26.273  (*YM3*)
  26.274  by (Blast_tac 1);
  26.275 @@ -308,15 +296,15 @@
  26.276    the key quoting nonce NB.  This part says nothing about agent names. 
  26.277    Secrecy of NB is crucial.*)
  26.278  goal thy 
  26.279 - "!!evs. evs : yahalom lost                                             \
  26.280 -\        ==> Nonce NB ~: analz (sees lost Spy evs) -->                  \
  26.281 -\            Crypt K (Nonce NB) : parts (sees lost Spy evs) -->         \
  26.282 + "!!evs. evs : yahalom                                             \
  26.283 +\        ==> Nonce NB ~: analz (sees Spy evs) -->                  \
  26.284 +\            Crypt K (Nonce NB) : parts (sees Spy evs) -->         \
  26.285  \            (EX A B NA. Says Server A                                  \
  26.286  \                        {|Crypt (shrK A) {|Agent B, Key K,             \
  26.287  \                                  Nonce NA, Nonce NB|},                \
  26.288  \                          Crypt (shrK B) {|Agent A, Key K|}|}          \
  26.289  \                       : set evs)";
  26.290 -by (analz_mono_parts_induct_tac 1);
  26.291 +by (parts_induct_tac 1);
  26.292  (*YM3 & Fake*)
  26.293  by (Blast_tac 2);
  26.294  by (Fake_parts_insert_tac 1);
  26.295 @@ -325,7 +313,7 @@
  26.296  (*A is uncompromised because NB is secure*)
  26.297  by (not_lost_tac "A" 1);
  26.298  (*A's certificate guarantees the existence of the Server message*)
  26.299 -by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj RS parts.Fst RS
  26.300 +by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj RS parts.Fst RS
  26.301  			      A_trusts_YM3]) 1);
  26.302  bind_thm ("B_trusts_YM4_newK", result() RS mp RSN (2, rev_mp));
  26.303  
  26.304 @@ -364,7 +352,7 @@
  26.305   "!!evs. [| Says Server A                                                \
  26.306  \                {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|} \
  26.307  \             : set evs;                                                 \
  26.308 -\           NB ~= NB';  evs : yahalom lost |]                            \
  26.309 +\           NB ~= NB';  evs : yahalom |]                            \
  26.310  \        ==> ~ KeyWithNonce K NB evs";
  26.311  by (blast_tac (!claset addDs [unique_session_keys]) 1);
  26.312  qed "Says_Server_KeyWithNonce";
  26.313 @@ -384,11 +372,11 @@
  26.314  val lemma = result();
  26.315  
  26.316  goal thy 
  26.317 - "!!evs. evs : yahalom lost ==>                                         \
  26.318 + "!!evs. evs : yahalom ==>                                         \
  26.319  \        (ALL KK. KK <= Compl (range shrK) -->                          \
  26.320  \             (ALL K: KK. ~ KeyWithNonce K NB evs)   -->                \
  26.321 -\             (Nonce NB : analz (Key``KK Un (sees lost Spy evs))) =     \
  26.322 -\             (Nonce NB : analz (sees lost Spy evs)))";
  26.323 +\             (Nonce NB : analz (Key``KK Un (sees Spy evs))) =     \
  26.324 +\             (Nonce NB : analz (sees Spy evs)))";
  26.325  by (etac yahalom.induct 1);
  26.326  by analz_sees_tac;
  26.327  by (REPEAT_FIRST (resolve_tac [impI RS allI]));
  26.328 @@ -410,7 +398,7 @@
  26.329  by (spy_analz_tac 1);
  26.330  (*YM4*)  (** LEVEL 7 **)
  26.331  by (not_lost_tac "A" 1);
  26.332 -by (dtac (Says_imp_sees_Spy' RS parts.Inj RS parts.Fst RS A_trusts_YM3) 1
  26.333 +by (dtac (Says_imp_sees_Spy RS parts.Inj RS parts.Fst RS A_trusts_YM3) 1
  26.334      THEN REPEAT (assume_tac 1));
  26.335  by (blast_tac (!claset addIs [KeyWithNonceI]) 1);
  26.336  qed_spec_mp "Nonce_secrecy";
  26.337 @@ -423,9 +411,9 @@
  26.338   "!!evs. [| Says Server A                                                 \
  26.339  \            {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|}    \
  26.340  \           : set evs;                                                    \
  26.341 -\           NB ~= NB';  KAB ~: range shrK;  evs : yahalom lost |]         \
  26.342 -\        ==> (Nonce NB : analz (insert (Key KAB) (sees lost Spy evs))) =  \
  26.343 -\            (Nonce NB : analz (sees lost Spy evs))";
  26.344 +\           NB ~= NB';  KAB ~: range shrK;  evs : yahalom |]         \
  26.345 +\        ==> (Nonce NB : analz (insert (Key KAB) (sees Spy evs))) =  \
  26.346 +\            (Nonce NB : analz (sees Spy evs))";
  26.347  by (asm_simp_tac (analz_image_freshK_ss addsimps 
  26.348  		  [Nonce_secrecy, Says_Server_KeyWithNonce]) 1);
  26.349  qed "single_Nonce_secrecy";
  26.350 @@ -434,11 +422,11 @@
  26.351  (*** The Nonce NB uniquely identifies B's message. ***)
  26.352  
  26.353  goal thy 
  26.354 - "!!evs. evs : yahalom lost ==>                                            \
  26.355 + "!!evs. evs : yahalom ==>                                            \
  26.356  \   EX NA' A' B'. ALL NA A B.                                              \
  26.357 -\      Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts(sees lost Spy evs) \
  26.358 +\      Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts(sees Spy evs) \
  26.359  \      --> B ~: lost --> NA = NA' & A = A' & B = B'";
  26.360 -by parts_induct_tac;
  26.361 +by (parts_induct_tac 1);
  26.362  (*Fake*)
  26.363  by (REPEAT (etac (exI RSN (2,exE)) 1)   (*stripping EXs makes proof faster*)
  26.364      THEN Fake_parts_insert_tac 1);
  26.365 @@ -451,10 +439,10 @@
  26.366  
  26.367  goal thy 
  26.368   "!!evs.[| Crypt (shrK B) {|Agent A, Nonce NA, nb|}        \
  26.369 -\                  : parts (sees lost Spy evs);            \
  26.370 +\                  : parts (sees Spy evs);            \
  26.371  \          Crypt (shrK B') {|Agent A', Nonce NA', nb|}     \
  26.372 -\                  : parts (sees lost Spy evs);            \
  26.373 -\          evs : yahalom lost;  B ~: lost;  B' ~: lost |]  \
  26.374 +\                  : parts (sees Spy evs);            \
  26.375 +\          evs : yahalom;  B ~: lost;  B' ~: lost |]  \
  26.376  \        ==> NA' = NA & A' = A & B' = B";
  26.377  by (prove_unique_tac lemma 1);
  26.378  qed "unique_NB";
  26.379 @@ -467,29 +455,27 @@
  26.380  \            : set evs;          B ~: lost;                               \
  26.381  \          Says C' D' {|X', Crypt (shrK B') {|Agent A', Nonce NA', nb|}|} \
  26.382  \            : set evs;                                                   \
  26.383 -\          nb ~: analz (sees lost Spy evs);  evs : yahalom lost |]        \
  26.384 +\          nb ~: analz (sees Spy evs);  evs : yahalom |]        \
  26.385  \        ==> NA' = NA & A' = A & B' = B";
  26.386  by (not_lost_tac "B'" 1);
  26.387 -by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
  26.388 +by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
  26.389                         addSEs [MPair_parts]
  26.390                         addDs  [unique_NB]) 1);
  26.391  qed "Says_unique_NB";
  26.392  
  26.393 -val Says_unique_NB' = read_instantiate [("lost","lost")] Says_unique_NB;
  26.394 -
  26.395  
  26.396  (** A nonce value is never used both as NA and as NB **)
  26.397  
  26.398  goal thy 
  26.399 - "!!evs. [| B ~: lost;  evs : yahalom lost  |]       \
  26.400 -\ ==> Nonce NB ~: analz (sees lost Spy evs) -->      \
  26.401 + "!!evs. [| B ~: lost;  evs : yahalom  |]            \
  26.402 +\ ==> Nonce NB ~: analz (sees Spy evs) -->           \
  26.403  \     Crypt (shrK B') {|Agent A', Nonce NB, nb'|}    \
  26.404 -\       : parts(sees lost Spy evs)                   \
  26.405 +\       : parts(sees Spy evs)                        \
  26.406  \ --> Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|} \
  26.407 -\       ~: parts(sees lost Spy evs)";
  26.408 -by (analz_mono_parts_induct_tac 1);
  26.409 +\       ~: parts(sees Spy evs)";
  26.410 +by (parts_induct_tac 1);
  26.411  by (Fake_parts_insert_tac 1);
  26.412 -by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS analz.Inj]
  26.413 +by (blast_tac (!claset addDs [Says_imp_sees_Spy RS analz.Inj]
  26.414                         addSIs [parts_insertI]
  26.415                         addSEs partsEs) 1);
  26.416  bind_thm ("no_nonce_YM1_YM2", result() RS mp RSN (2,rev_mp) RSN (2,rev_notE));
  26.417 @@ -498,7 +484,7 @@
  26.418  goal thy 
  26.419   "!!evs. [| Says Server A                                                \
  26.420  \            {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} : set evs;     \
  26.421 -\           evs : yahalom lost |]                                        \
  26.422 +\           evs : yahalom |]                                             \
  26.423  \        ==> EX B'. Says B' Server                                       \
  26.424  \                      {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |} \
  26.425  \                   : set evs";
  26.426 @@ -509,15 +495,14 @@
  26.427  qed "Says_Server_imp_YM2";
  26.428  
  26.429  
  26.430 -(*A vital theorem for B, that nonce NB remains secure from the Spy.
  26.431 -  Unusually, the Fake case requires Spy:lost.*)
  26.432 +(*A vital theorem for B, that nonce NB remains secure from the Spy.*)
  26.433  goal thy 
  26.434 - "!!evs. [| A ~: lost;  B ~: lost;  Spy: lost;  evs : yahalom lost |]  \
  26.435 + "!!evs. [| A ~: lost;  B ~: lost;  evs : yahalom |]  \
  26.436  \ ==> Says B Server                                                    \
  26.437  \          {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \
  26.438  \     : set evs -->                                                    \
  26.439  \     (ALL k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set evs) -->     \
  26.440 -\     Nonce NB ~: analz (sees lost Spy evs)";
  26.441 +\     Nonce NB ~: analz (sees Spy evs)";
  26.442  by (etac yahalom.induct 1);
  26.443  by analz_sees_tac;
  26.444  by (ALLGOALS
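Review bot: Dropping the premise `Spy: lost` also drops the only comment saying that the Fake case of this nonce-secrecy proof depends on it. The dependence is presumably still there, now discharged by a global fact about the constant `lost` instead of a stated hypothesis. Anyone reading the theorem as a guarantee for B should still be able to see which assumptions about compromised agents it rests on, so I would keep a remark such as `(*The Fake case relies on Spy being in lost, which is now a property of the constant lost*)`. The same premise is removed from `B_trusts_YM4` further down, and the proof body of this theorem continues outside the hunk.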
  26.445 @@ -526,13 +511,13 @@
  26.446                            analz_insert_freshK] @ pushes)
  26.447                 setloop split_tac [expand_if])));
  26.448  (*Prove YM3 by showing that no NB can also be an NA*)
  26.449 -by (blast_tac (!claset addDs [Says_imp_sees_Spy' RS parts.Inj]
  26.450 +by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj]
  26.451  	               addSEs [MPair_parts]
  26.452 -		       addDs  [no_nonce_YM1_YM2, Says_unique_NB']) 4
  26.453 +		       addDs  [no_nonce_YM1_YM2, Says_unique_NB]) 4
  26.454      THEN flexflex_tac);
  26.455  (*YM2: similar freshness reasoning*) 
  26.456  by (blast_tac (!claset addSEs partsEs
  26.457 -		       addDs  [Says_imp_sees_Spy' RS analz.Inj,
  26.458 +		       addDs  [Says_imp_sees_Spy RS analz.Inj,
  26.459  			       impOfSubs analz_subset_parts]) 3);
  26.460  (*YM1: NB=NA is impossible anyway, but NA is secret because it is fresh!*)
  26.461  by (blast_tac (!claset addSIs [parts_insertI]
  26.462 @@ -543,12 +528,12 @@
  26.463  (*YM4: key K is visible to Spy, contradicting session key secrecy theorem*) 
  26.464  by (REPEAT (Safe_step_tac 1));
  26.465  by (not_lost_tac "Aa" 1);
  26.466 -by (dtac (Says_imp_sees_Spy' RS parts.Inj RS parts.Fst RS A_trusts_YM3) 1);
  26.467 +by (dtac (Says_imp_sees_Spy RS parts.Inj RS parts.Fst RS A_trusts_YM3) 1);
  26.468  by (forward_tac [Says_Server_message_form] 3);
  26.469  by (forward_tac [Says_Server_imp_YM2] 4);
  26.470  by (REPEAT_FIRST (eresolve_tac [asm_rl, bexE, exE, disjE]));
  26.471 -(*  use Says_unique_NB' to identify message components: Aa=A, Ba=B, NAa=NA *)
  26.472 -by (blast_tac (!claset addDs [Says_unique_NB', Spy_not_see_encrypted_key,
  26.473 +(*  use Says_unique_NB to identify message components: Aa=A, Ba=B, NAa=NA *)
  26.474 +by (blast_tac (!claset addDs [Says_unique_NB, Spy_not_see_encrypted_key,
  26.475  			      impOfSubs Fake_analz_insert]) 1);
  26.476  (** LEVEL 14 **)
  26.477  (*Oops case: if the nonce is betrayed now, show that the Oops event is 
  26.478 @@ -558,11 +543,11 @@
  26.479  by (forward_tac [Says_Server_imp_YM2] 1 THEN assume_tac 1 THEN etac exE 1);
  26.480  by (expand_case_tac "NB = NBa" 1);
  26.481  (*If NB=NBa then all other components of the Oops message agree*)
  26.482 -by (blast_tac (!claset addDs [Says_unique_NB']) 1 THEN flexflex_tac);
  26.483 +by (blast_tac (!claset addDs [Says_unique_NB]) 1 THEN flexflex_tac);
  26.484  (*case NB ~= NBa*)
  26.485  by (asm_simp_tac (!simpset addsimps [single_Nonce_secrecy]) 1);
  26.486  by (blast_tac (!claset addSEs [MPair_parts]
  26.487 -		       addDs  [Says_imp_sees_Spy' RS parts.Inj, 
  26.488 +		       addDs  [Says_imp_sees_Spy RS parts.Inj, 
  26.489  			       no_nonce_YM1_YM2 (*to prove NB~=NAa*) ]) 1);
  26.490  bind_thm ("Spy_not_see_NB", result() RSN(2,rev_mp) RSN(2,rev_mp));
  26.491  
  26.492 @@ -579,20 +564,20 @@
  26.493  \           Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
  26.494  \                       Crypt K (Nonce NB)|} : set evs;                     \
  26.495  \           ALL k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set evs;         \
  26.496 -\           A ~: lost;  B ~: lost;  Spy: lost;  evs : yahalom lost |]       \
  26.497 +\           A ~: lost;  B ~: lost;  evs : yahalom |]       \
  26.498  \         ==> Says Server A                                                 \
  26.499  \                     {|Crypt (shrK A) {|Agent B, Key K,                    \
  26.500  \                               Nonce NA, Nonce NB|},                       \
  26.501  \                       Crypt (shrK B) {|Agent A, Key K|}|}                 \
  26.502  \               : set evs";
  26.503  by (forward_tac [Spy_not_see_NB] 1 THEN REPEAT (assume_tac 1));
  26.504 -by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1 THEN
  26.505 +by (etac (Says_imp_sees_Spy RS parts.Inj RS MPair_parts) 1 THEN
  26.506      dtac B_trusts_YM4_shrK 1);
  26.507  by (dtac B_trusts_YM4_newK 3);
  26.508  by (REPEAT_FIRST (eresolve_tac [asm_rl, exE]));
  26.509  by (forward_tac [Says_Server_imp_YM2] 1 THEN assume_tac 1);
  26.510  by (dtac unique_session_keys 1 THEN REPEAT (assume_tac 1));
  26.511 -by (blast_tac (!claset addDs [Says_unique_NB']) 1);
  26.512 +by (blast_tac (!claset addDs [Says_unique_NB]) 1);
  26.513  qed "B_trusts_YM4";
  26.514  
  26.515  
  26.516 @@ -601,19 +586,19 @@
  26.517  
  26.518  (*The encryption in message YM2 tells us it cannot be faked.*)
  26.519  goal thy 
  26.520 - "!!evs. evs : yahalom lost                                            \
  26.521 -\  ==> Crypt (shrK B) {|Agent A, Nonce NA, nb|}                        \
  26.522 -\        : parts (sees lost Spy evs) -->                               \
  26.523 -\      B ~: lost -->                                                   \
  26.524 + "!!evs. evs : yahalom                                            \
  26.525 +\  ==> Crypt (shrK B) {|Agent A, Nonce NA, nb|}                   \
  26.526 +\        : parts (sees Spy evs) -->                               \
  26.527 +\      B ~: lost -->                                              \
  26.528  \      Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}  \
  26.529  \         : set evs";
  26.530 -by parts_induct_tac;
  26.531 +by (parts_induct_tac 1);
  26.532  by (Fake_parts_insert_tac 1);
  26.533  bind_thm ("B_Said_YM2", result() RSN (2, rev_mp) RS mp);
  26.534  
  26.535  (*If the server sends YM3 then B sent YM2*)
  26.536  goal thy 
  26.537 - "!!evs. evs : yahalom lost                                                 \
  26.538 + "!!evs. evs : yahalom                                                      \
  26.539  \  ==> Says Server A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
  26.540  \         : set evs -->                                                     \
  26.541  \      B ~: lost -->                                                        \
  26.542 @@ -624,7 +609,7 @@
  26.543  (*YM4*)
  26.544  by (Blast_tac 2);
  26.545  (*YM3*)
  26.546 -by (best_tac (!claset addSDs [B_Said_YM2, Says_imp_sees_Spy' RS parts.Inj]
  26.547 +by (best_tac (!claset addSDs [B_Said_YM2, Says_imp_sees_Spy RS parts.Inj]
  26.548  		      addSEs [MPair_parts]) 1);
  26.549  val lemma = result() RSN (2, rev_mp) RS mp |> standard;
  26.550  
  26.551 @@ -632,7 +617,7 @@
  26.552  goal thy
  26.553   "!!evs. [| Says S A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
  26.554  \             : set evs;                                                    \
  26.555 -\           A ~: lost;  B ~: lost;  evs : yahalom lost |]                   \
  26.556 +\           A ~: lost;  B ~: lost;  evs : yahalom |]                        \
  26.557  \   ==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \
  26.558  \         : set evs";
  26.559  by (blast_tac (!claset addSDs [A_trusts_YM3, lemma]
  26.560 @@ -646,14 +631,14 @@
  26.561    A has said NB.  We can't be sure about the rest of A's message, but only
  26.562    NB matters for freshness.*)  
  26.563  goal thy 
  26.564 - "!!evs. evs : yahalom lost                                             \
  26.565 -\        ==> Key K ~: analz (sees lost Spy evs) -->                     \
  26.566 -\            Crypt K (Nonce NB) : parts (sees lost Spy evs) -->         \
  26.567 -\            Crypt (shrK B) {|Agent A, Key K|}                          \
  26.568 -\              : parts (sees lost Spy evs) -->                          \
  26.569 -\            B ~: lost -->                                              \
  26.570 + "!!evs. evs : yahalom                                             \
  26.571 +\        ==> Key K ~: analz (sees Spy evs) -->                     \
  26.572 +\            Crypt K (Nonce NB) : parts (sees Spy evs) -->         \
  26.573 +\            Crypt (shrK B) {|Agent A, Key K|}                     \
  26.574 +\              : parts (sees Spy evs) -->                          \
  26.575 +\            B ~: lost -->                                         \
  26.576  \             (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
  26.577 -by (analz_mono_parts_induct_tac 1);
  26.578 +by (parts_induct_tac 1);
  26.579  (*Fake*)
  26.580  by (Fake_parts_insert_tac 1);
  26.581  (*YM3: by new_keys_not_used we note that Crypt K (Nonce NB) could not exist*)
  26.582 @@ -664,7 +649,7 @@
  26.583  by (not_lost_tac "Aa" 1);
  26.584  by (blast_tac (!claset addSEs [MPair_parts]
  26.585                         addSDs [A_trusts_YM3, B_trusts_YM4_shrK]
  26.586 -		       addDs  [Says_imp_sees_Spy' RS parts.Inj,
  26.587 +		       addDs  [Says_imp_sees_Spy RS parts.Inj,
  26.588  			       unique_session_keys]) 1);
  26.589  val lemma = normalize_thm [RSspec, RSmp] (result()) |> standard;
  26.590  
  26.591 @@ -678,14 +663,14 @@
  26.592  \           Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
  26.593  \                       Crypt K (Nonce NB)|} : set evs;                     \
  26.594  \           (ALL NA k. Says A Spy {|Nonce NA, Nonce NB, k|} ~: set evs);    \
  26.595 -\           A ~: lost;  B ~: lost;  Spy: lost;  evs : yahalom lost |]       \
  26.596 +\           A ~: lost;  B ~: lost;  evs : yahalom |]       \
  26.597  \        ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
  26.598  by (dtac B_trusts_YM4 1);
  26.599  by (REPEAT_FIRST (eresolve_tac [asm_rl, spec]));
  26.600 -by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1);
  26.601 +by (etac (Says_imp_sees_Spy RS parts.Inj RS MPair_parts) 1);
  26.602  by (rtac lemma 1);
  26.603  by (rtac Spy_not_see_encrypted_key 2);
  26.604  by (REPEAT_FIRST assume_tac);
  26.605  by (blast_tac (!claset addSEs [MPair_parts]
  26.606 -	       	       addDs [Says_imp_sees_Spy' RS parts.Inj]) 1);
  26.607 +	       	       addDs [Says_imp_sees_Spy RS parts.Inj]) 1);
  26.608  qed_spec_mp "YM4_imp_A_Said_YM3";
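--- a/src/HOL/Auth/Yahalom.thy
+++ b/src/HOL/Auth/Yahalom.thy
@@ -12,58 +12,58 @@
 
 Yahalom = Shared + 
 
-consts  yahalom   :: agent set => event list set
-inductive "yahalom lost"
+consts  yahalom   :: event list set
+inductive "yahalom"
   intrs 
          (*Initial trace is empty*)
-    Nil  "[]: yahalom lost"
+    Nil  "[]: yahalom"
 
          (*The spy MAY say anything he CAN say.  We do not expect him to
            invent new nonces here, but he can also use NS1.  Common to
            all similar protocols.*)
-    Fake "[| evs: yahalom lost;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
-          ==> Says Spy B X  # evs : yahalom lost"
+    Fake "[| evs: yahalom;  B ~= Spy;  
+             X: synth (analz (sees Spy evs)) |]
+          ==> Says Spy B X  # evs : yahalom"
 
          (*Alice initiates a protocol run*)
-    YM1  "[| evs: yahalom lost;  A ~= B;  Nonce NA ~: used evs |]
-          ==> Says A B {|Agent A, Nonce NA|} # evs : yahalom lost"
+    YM1  "[| evs: yahalom;  A ~= B;  Nonce NA ~: used evs |]
+          ==> Says A B {|Agent A, Nonce NA|} # evs : yahalom"
 
          (*Bob's response to Alice's message.  Bob doesn't know who 
 	   the sender is, hence the A' in the sender field.*)
-    YM2  "[| evs: yahalom lost;  B ~= Server;  Nonce NB ~: used evs;
+    YM2  "[| evs: yahalom;  B ~= Server;  Nonce NB ~: used evs;
              Says A' B {|Agent A, Nonce NA|} : set evs |]
           ==> Says B Server 
                   {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
-                # evs : yahalom lost"
+                # evs : yahalom"
 
          (*The Server receives Bob's message.  He responds by sending a
             new session key to Alice, with a packet for forwarding to Bob.*)
-    YM3  "[| evs: yahalom lost;  A ~= Server;  Key KAB ~: used evs;
+    YM3  "[| evs: yahalom;  A ~= Server;  Key KAB ~: used evs;
              Says B' Server 
                   {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
                : set evs |]
           ==> Says Server A
                    {|Crypt (shrK A) {|Agent B, Key KAB, Nonce NA, Nonce NB|},
                      Crypt (shrK B) {|Agent A, Key KAB|}|}
-                # evs : yahalom lost"
+                # evs : yahalom"
 
          (*Alice receives the Server's (?) message, checks her Nonce, and
            uses the new session key to send Bob his Nonce.*)
-    YM4  "[| evs: yahalom lost;  A ~= Server;  
+    YM4  "[| evs: yahalom;  A ~= Server;  
              Says S A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|},
                         X|}  : set evs;
              Says A B {|Agent A, Nonce NA|} : set evs |]
-          ==> Says A B {|X, Crypt K (Nonce NB)|} # evs : yahalom lost"
+          ==> Says A B {|X, Crypt K (Nonce NB)|} # evs : yahalom"
 
          (*This message models possible leaks of session keys.  The Nonces
            identify the protocol run.  Quoting Server here ensures they are
            correct.*)
-    Oops "[| evs: yahalom lost;  A ~= Spy;
+    Oops "[| evs: yahalom;  A ~= Spy;
              Says Server A {|Crypt (shrK A)
                                    {|Agent B, Key K, Nonce NA, Nonce NB|},
                              X|}  : set evs |]
-          ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : yahalom lost"
+          ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : yahalom"
 
 
 constdefs 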
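Review bot: The new declaration `consts  yahalom   :: event list set` no longer shows which compromise set the traces are relative to, and nothing in this section documents it. The premise `Spy: lost` that theorems used to state explicitly (it is dropped from a goal in Yahalom.ML in this commit) is now supplied implicitly by the `Spy_in_lost` and `Server_not_lost` facts that Event.ML installs with `AddIffs`. I would add a comment above the `consts` line, e.g. `(*Traces are relative to the fixed constant "lost" (the compromised agents); Spy: lost and Server ~: lost are assumed globally rather than per theorem*)`, so a reader of the secrecy and authentication results knows which assumptions are implicit. The same applies to the `consts` line in Yahalom2.thy. Where `lost` itself is declared is not visible in this section.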
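--- a/src/HOL/Auth/Yahalom2.ML
+++ b/src/HOL/Auth/Yahalom2.ML
@@ -18,13 +18,13 @@
 HOL_quantifiers := false;
 
 (*Replacing the variable by a constant improves speed*)
-val Says_imp_sees_Spy' = read_instantiate [("lost","lost")] Says_imp_sees_Spy;
+val Says_imp_sees_Spy' =  Says_imp_sees_Spy;
 
 
 (*A "possibility property": there are traces that reach the end*)
 goal thy 
- "!!A B. [| A ~= B; A ~= Server; B ~= Server |]        \
-\        ==> EX X NB K. EX evs: yahalom lost.          \
+ "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
+\        ==> EX X NB K. EX evs: yahalom.          \
 \               Says A B {|X, Crypt K (Nonce NB)|} : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (yahalom.Nil RS yahalom.YM1 RS yahalom.YM2 RS yahalom.YM3 RS 
@@ -36,7 +36,7 @@
 (**** Inductive proofs about yahalom ****)
 
 (*Nobody sends themselves messages*)
-goal thy "!!evs. evs: yahalom lost ==> ALL A X. Says A A X ~: set evs";
+goal thy "!!evs. evs: yahalom ==> ALL A X. Says A A X ~: set evs";
 by (etac yahalom.induct 1);
 by (Auto_tac());
 qed_spec_mp "not_Says_to_self";
@@ -48,7 +48,7 @@
 
 (*Lets us treat YM4 using a similar argument as for the Fake case.*)
 goal thy "!!evs. Says S A {|NB, Crypt (shrK A) Y, X|} : set evs ==> \
-\                X : analz (sees lost Spy evs)";
+\                X : analz (sees Spy evs)";
 by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS analz.Inj]) 1);
 qed "YM4_analz_sees_Spy";
 
@@ -57,45 +57,47 @@
 
 (*Relates to both YM4 and Oops*)
 goal thy "!!evs. Says S A {|NB, Crypt (shrK A) {|B,K,NA|}, X|} : set evs ==> \
-\                K : parts (sees lost Spy evs)";
+\                K : parts (sees Spy evs)";
 by (blast_tac (!claset addSEs partsEs
                        addSDs [Says_imp_sees_Spy' RS parts.Inj]) 1);
 qed "YM4_Key_parts_sees_Spy";
 
-(*For proving the easier theorems about X ~: parts (sees lost Spy evs).
-  We instantiate the variable to "lost" since leaving it as a Var would
-  interfere with simplification.*)
-val parts_sees_tac = 
-    forw_inst_tac [("lost","lost")] YM4_parts_sees_Spy 6     THEN
-    forw_inst_tac [("lost","lost")] YM4_Key_parts_sees_Spy 7 THEN
-    prove_simple_subgoals_tac  1;
+(*For proving the easier theorems about X ~: parts (sees Spy evs).*)
+fun parts_sees_tac i = 
+    forward_tac [YM4_Key_parts_sees_Spy] (i+6) THEN
+    forward_tac [YM4_parts_sees_Spy] (i+5)     THEN
+    prove_simple_subgoals_tac  i;
 
-val parts_induct_tac = 
-    etac yahalom.induct 1 THEN parts_sees_tac;
+(*Induction for regularity theorems.  If induction formula has the form
+   X ~: analz (sees Spy evs) --> ... then it shortens the proof by discarding
+   needless information about analz (insert X (sees Spy evs))  *)
+fun parts_induct_tac i = 
+    etac yahalom.induct i
+    THEN 
+    REPEAT (FIRSTGOAL analz_mono_contra_tac)
+    THEN  parts_sees_tac i;
 
 
-(** Theorems of the form X ~: parts (sees lost Spy evs) imply that NOBODY
+(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
     sends messages containing X! **)
 
 (*Spy never sees another agent's shared key! (unless it's lost at start)*)
 goal thy 
- "!!evs. evs : yahalom lost \
-\        ==> (Key (shrK A) : parts (sees lost Spy evs)) = (A : lost)";
-by parts_induct_tac;
+ "!!evs. evs : yahalom ==> (Key (shrK A) : parts (sees Spy evs)) = (A : lost)";
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (Blast_tac 1);
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
 goal thy 
- "!!evs. evs : yahalom lost \
-\        ==> (Key (shrK A) : analz (sees lost Spy evs)) = (A : lost)";
+ "!!evs. evs : yahalom ==> (Key (shrK A) : analz (sees Spy evs)) = (A : lost)";
 by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
 
-goal thy  "!!A. [| Key (shrK A) : parts (sees lost Spy evs);       \
-\                  evs : yahalom lost |] ==> A:lost";
+goal thy  "!!A. [| Key (shrK A) : parts (sees Spy evs);       \
+\                  evs : yahalom |] ==> A:lost";
 by (blast_tac (!claset addDs [Spy_see_shrK]) 1);
 qed "Spy_see_shrK_D";
 
@@ -104,9 +106,9 @@
 
 
 (*Nobody can have used non-existent keys!  Needed to apply analz_insert_Key*)
-goal thy "!!evs. evs : yahalom lost ==>          \
-\         Key K ~: used evs --> K ~: keysFor (parts (sees lost Spy evs))";
-by parts_induct_tac;
+goal thy "!!evs. evs : yahalom ==>          \
+\         Key K ~: used evs --> K ~: keysFor (parts (sees Spy evs))";
+by (parts_induct_tac 1);
 (*YM4: Key K is not fresh!*)
 by (blast_tac (!claset addSEs sees_Spy_partsEs) 3);
 (*YM3*)
@@ -129,8 +131,8 @@
   Oops as well as main secrecy property.*)
 goal thy 
  "!!evs. [| Says Server A {|nb', Crypt (shrK A) {|Agent B, Key K, na|}, X|} \
-\            : set evs;                                                 \
-\           evs : yahalom lost |]                                       \
+\            : set evs;                                            \
+\           evs : yahalom |]                                       \
 \        ==> K ~: range shrK & A ~= B";
 by (etac rev_mp 1);
 by (etac yahalom.induct 1);
@@ -138,10 +140,10 @@
 qed "Says_Server_message_form";
 
 
-(*For proofs involving analz.  We again instantiate the variable to "lost".*)
+(*For proofs involving analz.*)
 val analz_sees_tac = 
-    dres_inst_tac [("lost","lost")] YM4_analz_sees_Spy 6 THEN
-    forw_inst_tac [("lost","lost")] Says_Server_message_form 7 THEN
+    dtac YM4_analz_sees_Spy 6 THEN
+    forward_tac [Says_Server_message_form] 7 THEN
     assume_tac 7 THEN
     REPEAT ((etac conjE ORELSE' hyp_subst_tac) 7);
 
@@ -149,8 +151,8 @@
 (****
  The following is to prove theorems of the form
 
-          Key K : analz (insert (Key KAB) (sees lost Spy evs)) ==>
-          Key K : analz (sees lost Spy evs)
+          Key K : analz (insert (Key KAB) (sees Spy evs)) ==>
+          Key K : analz (sees Spy evs)
 
  A more general formula must be proved inductively.
 
@@ -159,10 +161,10 @@
 (** Session keys are not used to encrypt other session keys **)
 
 goal thy  
- "!!evs. evs : yahalom lost ==>                                  \
-\  ALL K KK. KK <= Compl (range shrK) -->                        \
-\            (Key K : analz (Key``KK Un (sees lost Spy evs))) =  \
-\            (K : KK | Key K : analz (sees lost Spy evs))";
+ "!!evs. evs : yahalom ==>                                  \
+\  ALL K KK. KK <= Compl (range shrK) -->                   \
+\            (Key K : analz (Key``KK Un (sees Spy evs))) =  \
+\            (K : KK | Key K : analz (sees Spy evs))";
 by (etac yahalom.induct 1);
 by analz_sees_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -175,9 +177,9 @@
 qed_spec_mp "analz_image_freshK";
 
 goal thy
- "!!evs. [| evs : yahalom lost;  KAB ~: range shrK |] ==>             \
-\        Key K : analz (insert (Key KAB) (sees lost Spy evs)) =       \
-\        (K = KAB | Key K : analz (sees lost Spy evs))";
+ "!!evs. [| evs : yahalom;  KAB ~: range shrK |] ==>        \
+\        Key K : analz (insert (Key KAB) (sees Spy evs)) =  \
+\        (K = KAB | Key K : analz (sees Spy evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
@@ -185,10 +187,10 @@
 (*** The Key K uniquely identifies the Server's  message. **)
 
 goal thy 
- "!!evs. evs : yahalom lost ==>                                     \
-\      EX A' B' na' nb' X'. ALL A B na nb X.                        \
-\          Says Server A                                            \
-\           {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|}        \
+ "!!evs. evs : yahalom ==>                                     \
+\      EX A' B' na' nb' X'. ALL A B na nb X.                   \
+\          Says Server A                                       \
+\           {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|}   \
 \          : set evs --> A=A' & B=B' & na=na' & nb=nb' & X=X'";
 by (etac yahalom.induct 1);
 by (ALLGOALS (asm_simp_tac (!simpset addsimps [all_conj_distrib])));
@@ -198,8 +200,8 @@
 by (REPEAT (ares_tac [refl,exI,impI,conjI] 2));
 (*...we assume X is a recent message and handle this case by contradiction*)
 by (blast_tac (!claset addSEs sees_Spy_partsEs
-                      delrules [conjI]    (*prevent split-up into 4 subgoals*)
-                      addss (!simpset addsimps [parts_insertI])) 1);
+                       delrules [conjI]    (*prevent split-up into 4 subgoals*)
+                       addss (!simpset addsimps [parts_insertI])) 1);
 val lemma = result();
 
 goal thy 
@@ -209,7 +211,7 @@
 \          Says Server A'                                           \
 \           {|nb', Crypt (shrK A') {|Agent B', Key K, na'|}, X'|}   \
 \           : set evs;                                              \
-\          evs : yahalom lost |]                                    \
+\          evs : yahalom |]                                         \
 \       ==> A=A' & B=B' & na=na' & nb=nb'";
 by (prove_unique_tac lemma 1);
 qed "unique_session_keys";
@@ -218,14 +220,14 @@
 (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **)
 
 goal thy 
- "!!evs. [| A ~: lost;  B ~: lost;  A ~= B;                          \
-\           evs : yahalom lost |]                                    \
-\        ==> Says Server A                                           \
-\              {|nb, Crypt (shrK A) {|Agent B, Key K, na|},          \
-\                    Crypt (shrK B) {|nb, Key K, Agent A|}|}         \
-\             : set evs -->                                          \
-\            Says A Spy {|na, nb, Key K|} ~: set evs -->             \
-\            Key K ~: analz (sees lost Spy evs)";
+ "!!evs. [| A ~: lost;  B ~: lost;  A ~= B;                     \
+\           evs : yahalom |]                                    \
+\        ==> Says Server A                                      \
+\              {|nb, Crypt (shrK A) {|Agent B, Key K, na|},     \
+\                    Crypt (shrK B) {|nb, Key K, Agent A|}|}    \
+\             : set evs -->                                     \
+\            Says A Spy {|na, nb, Key K|} ~: set evs -->        \
+\            Key K ~: analz (sees Spy evs)";
 by (etac yahalom.induct 1);
 by analz_sees_tac;
 by (ALLGOALS
@@ -246,13 +248,13 @@
 
 (*Final version*)
 goal thy 
- "!!evs. [| Says Server A                                         \
-\              {|nb, Crypt (shrK A) {|Agent B, Key K, na|},       \
-\                    Crypt (shrK B) {|nb, Key K, Agent A|}|}      \
-\           : set evs;                                            \
-\           Says A Spy {|na, nb, Key K|} ~: set evs;              \
-\           A ~: lost;  B ~: lost;  evs : yahalom lost |]         \
-\        ==> Key K ~: analz (sees lost Spy evs)";
+ "!!evs. [| Says Server A                                    \
+\              {|nb, Crypt (shrK A) {|Agent B, Key K, na|},  \
+\                    Crypt (shrK B) {|nb, Key K, Agent A|}|} \
+\           : set evs;                                       \
+\           Says A Spy {|na, nb, Key K|} ~: set evs;         \
+\           A ~: lost;  B ~: lost;  evs : yahalom |]         \
+\        ==> Key K ~: analz (sees Spy evs)";
 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
 by (blast_tac (!claset addSEs [lemma]) 1);
 qed "Spy_not_see_encrypted_key";
@@ -264,14 +266,14 @@
   May now apply Spy_not_see_encrypted_key, subject to its conditions.*)
 goal thy
  "!!evs. [| Crypt (shrK A) {|Agent B, Key K, na|}                      \
-\            : parts (sees lost Spy evs);                              \
-\           A ~: lost;  evs : yahalom lost |]                          \
+\            : parts (sees Spy evs);                                   \
+\           A ~: lost;  evs : yahalom |]                               \
 \         ==> EX nb. Says Server A                                     \
 \                      {|nb, Crypt (shrK A) {|Agent B, Key K, na|},    \
 \                            Crypt (shrK B) {|nb, Key K, Agent A|}|}   \
 \                    : set evs";
 by (etac rev_mp 1);
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (Blast_tac 1);
 qed "A_trusts_YM3";
@@ -283,15 +285,15 @@
   the key for A and B, and has associated it with NB. *)
 goal thy 
  "!!evs. [| Crypt (shrK B) {|Nonce NB, Key K, Agent A|}              \
-\            : parts (sees lost Spy evs);                            \
-\           B ~: lost;  evs : yahalom lost |]                        \
+\            : parts (sees Spy evs);                                 \
+\           B ~: lost;  evs : yahalom |]                             \
 \        ==> EX NA. Says Server A                                    \
 \                    {|Nonce NB,                                     \
 \                      Crypt (shrK A) {|Agent B, Key K, Nonce NA|},  \
 \                      Crypt (shrK B) {|Nonce NB, Key K, Agent A|}|} \
 \                       : set evs";
 by (etac rev_mp 1);
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 (*YM3*)
 by (Blast_tac 1);
@@ -306,7 +308,7 @@
 goal thy 
  "!!evs. [| Says A' B {|Crypt (shrK B) {|Nonce NB, Key K, Agent A|}, X|} \
 \             : set evs;                                                 \
-\           A ~: lost;  B ~: lost;  evs : yahalom lost |]                \
+\           A ~: lost;  B ~: lost;  evs : yahalom |]                     \
 \        ==> EX NA. Says Server A                                        \
 \                    {|Nonce NB,                                         \
 \                      Crypt (shrK A) {|Agent B, Key K, Nonce NA|},      \
@@ -322,13 +324,13 @@
 
 (*The encryption in message YM2 tells us it cannot be faked.*)
 goal thy 
- "!!evs. evs : yahalom lost                                            \
-\  ==> Crypt (shrK B) {|Agent A, Nonce NA|} : parts (sees lost Spy evs) -->  \
-\      B ~: lost -->                                                   \
-\      (EX NB. Says B Server {|Agent B, Nonce NB,                      \
-\                              Crypt (shrK B) {|Agent A, Nonce NA|}|}  \
+ "!!evs. evs : yahalom                                                  \
+\  ==> Crypt (shrK B) {|Agent A, Nonce NA|} : parts (sees Spy evs) -->  \
+\      B ~: lost -->                                                    \
+\      (EX NB. Says B Server {|Agent B, Nonce NB,                       \
+\                              Crypt (shrK B) {|Agent A, Nonce NA|}|}   \
 \         : set evs)";
-by parts_induct_tac;
+by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 (*YM2*)
 by (Blast_tac 1);
@@ -336,7 +338,7 @@
 
 (*If the server sends YM3 then B sent YM2, perhaps with a different NB*)
 goal thy 
- "!!evs. evs : yahalom lost                                              \
+ "!!evs. evs : yahalom                                                   \
 \  ==> Says Server A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} \
 \         : set evs -->                                                  \
 \      B ~: lost -->                                                     \
@@ -357,7 +359,7 @@
 goal thy
  "!!evs. [| Says S A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} \
 \             : set evs;                                                    \
-\           A ~: lost;  B ~: lost;  evs : yahalom lost |]                   \
+\           A ~: lost;  B ~: lost;  evs : yahalom |]                   \
 \   ==> EX nb'. Says B Server                                               \
 \                    {|Agent B, nb', Crypt (shrK B) {|Agent A, Nonce NA|}|} \
 \                 : set evs";
@@ -368,29 +370,18 @@
 
 (*** Authenticating A to B using the certificate Crypt K (Nonce NB) ***)
 
-(*Induction for theorems of the form X ~: analz (sees lost Spy evs) --> ...
-  It simplifies the proof by discarding needless information about
-	analz (insert X (sees lost Spy evs)) 
-*)
-fun analz_mono_parts_induct_tac i = 
-    etac yahalom.induct i
-    THEN 
-    REPEAT_FIRST analz_mono_contra_tac
-    THEN  parts_sees_tac;
-
-
 (*Assuming the session key is secure, if both certificates are present then
   A has said NB.  We can't be sure about the rest of A's message, but only
   NB matters for freshness.*)  
 goal thy 
- "!!evs. evs : yahalom lost                                             \
-\        ==> Key K ~: analz (sees lost Spy evs) -->                     \
-\            Crypt K (Nonce NB) : parts (sees lost Spy evs) -->         \
-\            Crypt (shrK B) {|Nonce NB, Key K, Agent A|}                \
-\              : parts (sees lost Spy evs) -->                          \
-\            B ~: lost -->                                              \
+ "!!evs. evs : yahalom                                        \
+\        ==> Key K ~: analz (sees Spy evs) -->                \
+\            Crypt K (Nonce NB) : parts (sees Spy evs) -->    \
+\            Crypt (shrK B) {|Nonce NB, Key K, Agent A|}      \
+\              : parts (sees Spy evs) -->                     \
+\            B ~: lost -->                                    \
 \             (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
-by (analz_mono_parts_induct_tac 1);
+by (parts_induct_tac 1);
 (*Fake*)
 by (Fake_parts_insert_tac 1);
 (*YM3: by new_keys_not_used we note that Crypt K (Nonce NB) could not exist*)
@@ -412,7 +403,7 @@
  "!!evs. [| Says A' B {|Crypt (shrK B) {|Nonce NB, Key K, Agent A|},    \
 \                       Crypt K (Nonce NB)|} : set evs;                 \
 \           (ALL NA. Says A Spy {|Nonce NA, Nonce NB, Key K|} ~: set evs); \
-\           A ~: lost;  B ~: lost;  evs : yahalom lost |]               \
+\           A ~: lost;  B ~: lost;  evs : yahalom |]                    \
 \        ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
 by (etac (Says_imp_sees_Spy' RS parts.Inj RS MPair_parts) 1);
 by (dtac B_trusts_YM4_shrK 1);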
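Review bot: `val Says_imp_sees_Spy' =  Says_imp_sees_Spy;` in the first hunk is now a plain alias, and the comment above it, `(*Replacing the variable by a constant improves speed*)`, no longer describes anything because no `lost` variable is left to instantiate. Yahalom.ML in this same commit switches its proofs to the unprimed `Says_imp_sees_Spy`, so the two scripts now differ without reason. I would delete the alias and its comment and use `Says_imp_sees_Spy` directly in the proofs of `YM4_analz_sees_Spy` and `YM4_Key_parts_sees_Spy` and in the last goal of this section. If the primed name has to stay for scripts outside this view, the comment should at least become `(*Kept only as an alias for older proof scripts*)`.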
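--- a/src/HOL/Auth/Yahalom2.thy
+++ b/src/HOL/Auth/Yahalom2.thy
@@ -15,35 +15,35 @@
 
 Yahalom2 = Shared + 
 
-consts  yahalom   :: agent set => event list set
-inductive "yahalom lost"
+consts  yahalom   :: event list set
+inductive "yahalom"
   intrs 
          (*Initial trace is empty*)
-    Nil  "[]: yahalom lost"
+    Nil  "[]: yahalom"
 
          (*The spy MAY say anything he CAN say.  We do not expect him to
            invent new nonces here, but he can also use NS1.  Common to
            all similar protocols.*)
-    Fake "[| evs: yahalom lost;  B ~= Spy;  
-             X: synth (analz (sees lost Spy evs)) |]
-          ==> Says Spy B X  # evs : yahalom lost"
+    Fake "[| evs: yahalom;  B ~= Spy;  
+             X: synth (analz (sees Spy evs)) |]
+          ==> Says Spy B X  # evs : yahalom"
 
          (*Alice initiates a protocol run*)
-    YM1  "[| evs: yahalom lost;  A ~= B;  Nonce NA ~: used evs |]
-          ==> Says A B {|Agent A, Nonce NA|} # evs : yahalom lost"
+    YM1  "[| evs: yahalom;  A ~= B;  Nonce NA ~: used evs |]
+          ==> Says A B {|Agent A, Nonce NA|} # evs : yahalom"
 
          (*Bob's response to Alice's message.  Bob doesn't know who 
 	   the sender is, hence the A' in the sender field.*)
-    YM2  "[| evs: yahalom lost;  B ~= Server;  Nonce NB ~: used evs;
+    YM2  "[| evs: yahalom;  B ~= Server;  Nonce NB ~: used evs;
              Says A' B {|Agent A, Nonce NA|} : set evs |]
           ==> Says B Server 
                   {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
-                # evs : yahalom lost"
+                # evs : yahalom"
 
          (*The Server receives Bob's message.  He responds by sending a
            new session key to Alice, with a packet for forwarding to Bob.
            !! Fields are reversed in the 2nd packet to prevent attacks!! *)
-    YM3  "[| evs: yahalom lost;  A ~= B;  A ~= Server;  Key KAB ~: used evs;
+    YM3  "[| evs: yahalom;  A ~= B;  A ~= Server;  Key KAB ~: used evs;
              Says B' Server {|Agent B, Nonce NB,
 			      Crypt (shrK B) {|Agent A, Nonce NA|}|}
                : set evs |]
@@ -51,23 +51,23 @@
                {|Nonce NB, 
                  Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|},
                  Crypt (shrK B) {|Nonce NB, Key KAB, Agent A|}|}
-                 # evs : yahalom lost"
+                 # evs : yahalom"
 
          (*Alice receives the Server's (?) message, checks her Nonce, and
            uses the new session key to send Bob his Nonce.*)
-    YM4  "[| evs: yahalom lost;  A ~= Server;  
+    YM4  "[| evs: yahalom;  A ~= Server;  
              Says S A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
                         X|}  : set evs;
              Says A B {|Agent A, Nonce NA|} : set evs |]
-          ==> Says A B {|X, Crypt K (Nonce NB)|} # evs : yahalom lost"
+          ==> Says A B {|X, Crypt K (Nonce NB)|} # evs : yahalom"
 
          (*This message models possible leaks of session keys.  The nonces
            identify the protocol run.  Quoting Server here ensures they are
            correct. *)
-    Oops "[| evs: yahalom lost;  A ~= Spy;
+    Oops "[| evs: yahalom;  A ~= Spy;
              Says Server A {|Nonce NB, 
                              Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
                              X|}  : set evs |]
-          ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : yahalom lost"
+          ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : yahalom"
 
 end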
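Review bot: The comment on the `Fake` rule still says the spy `can also use NS1`, but this theory has no rule of that name; the introduction rules visible here are `Nil`, `Fake`, `YM1` to `YM4` and `Oops`. It looks like a leftover from a Needham-Schroeder theory, so the sentence presumably means `YM1`: `invent new nonces here, but he can also use YM1.  Common to`. The same comment appears in Yahalom.thy. It is a context line rather than one this commit changes, but with every rule around it being edited here this is a convenient place to correct it.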