Deleted leading parameters thanks to new Goal command
authorpaulson
Thu Jul 02 17:48:11 1998 +0200 (1998-07-02)
changeset 5114c729d4c299c1
parent 5113 c4da11bb0592
child 5115 caf39b7b7a12
Deleted leading parameters thanks to new Goal command
src/HOL/Auth/Event.ML
src/HOL/Auth/Kerberos_BAN.ML
src/HOL/Auth/Message.ML
src/HOL/Auth/NS_Public.ML
src/HOL/Auth/NS_Public_Bad.ML
src/HOL/Auth/NS_Shared.ML
src/HOL/Auth/OtwayRees.ML
src/HOL/Auth/OtwayRees_AN.ML
src/HOL/Auth/OtwayRees_Bad.ML
src/HOL/Auth/Public.ML
src/HOL/Auth/Recur.ML
src/HOL/Auth/Shared.ML
src/HOL/Auth/TLS.ML
src/HOL/Auth/WooLam.ML
src/HOL/Auth/Yahalom.ML
src/HOL/Auth/Yahalom2.ML
     1.1 --- a/src/HOL/Auth/Event.ML	Thu Jul 02 17:27:35 1998 +0200
     1.2 +++ b/src/HOL/Auth/Event.ML	Thu Jul 02 17:48:11 1998 +0200
     1.3 @@ -22,8 +22,7 @@
     1.4  	  read_instantiate_sg (sign_of thy) [("H", "spies evs")]);
     1.5  
     1.6  
     1.7 -Goal
     1.8 -    "P(event_case sf nf ev) = \
     1.9 +Goal "P(event_case sf nf ev) = \
    1.10  \      ((ALL A B X. ev = Says A B X --> P(sf A B X)) & \
    1.11  \       (ALL A X. ev = Notes A X --> P(nf A X)))";
    1.12  by (induct_tac "ev" 1);
     2.1 --- a/src/HOL/Auth/Kerberos_BAN.ML	Thu Jul 02 17:27:35 1998 +0200
     2.2 +++ b/src/HOL/Auth/Kerberos_BAN.ML	Thu Jul 02 17:48:11 1998 +0200
     2.3 @@ -33,11 +33,10 @@
     2.4  
     2.5  
     2.6  (*A "possibility property": there are traces that reach the end.*)
     2.7 -Goal 
     2.8 - "!!A B. [| A ~= B; A ~= Server; B ~= Server |]       \
     2.9 -\        ==> EX Timestamp K. EX evs: kerberos_ban.    \
    2.10 -\               Says B A (Crypt K (Number Timestamp)) \
    2.11 -\                    : set evs";
    2.12 +Goal "[| A ~= B; A ~= Server; B ~= Server |]       \
    2.13 +\     ==> EX Timestamp K. EX evs: kerberos_ban.    \
    2.14 +\            Says B A (Crypt K (Number Timestamp)) \
    2.15 +\                 : set evs";
    2.16  by (REPEAT (resolve_tac [exI,bexI] 1));
    2.17  by (rtac (kerberos_ban.Nil RS kerberos_ban.Kb1 RS kerberos_ban.Kb2 RS 
    2.18            kerberos_ban.Kb3 RS kerberos_ban.Kb4) 2);
    2.19 @@ -52,7 +51,7 @@
    2.20  (**** Inductive proofs about kerberos_ban ****)
    2.21  
    2.22  (*Nobody sends themselves messages*)
    2.23 -Goal "!!evs. evs : kerberos_ban ==> ALL A X. Says A A X ~: set evs";
    2.24 +Goal "evs : kerberos_ban ==> ALL A X. Says A A X ~: set evs";
    2.25  by (etac kerberos_ban.induct 1);
    2.26  by Auto_tac;
    2.27  qed_spec_mp "not_Says_to_self";
    2.28 @@ -61,14 +60,13 @@
    2.29  
    2.30  
    2.31  (*Forwarding Lemma for reasoning about the encrypted portion of message Kb3*)
    2.32 -Goal "!!evs. Says S A (Crypt KA {|Timestamp, B, K, X|}) : set evs \
    2.33 -\                ==> X : parts (spies evs)";
    2.34 +Goal "Says S A (Crypt KA {|Timestamp, B, K, X|}) : set evs \
    2.35 +\             ==> X : parts (spies evs)";
    2.36  by (Blast_tac 1);
    2.37  qed "Kb3_msg_in_parts_spies";
    2.38                                
    2.39 -Goal
    2.40 -    "!!evs. Says Server A (Crypt (shrK A) {|Timestamp, B, K, X|}) : set evs \
    2.41 -\           ==> K : parts (spies evs)";
    2.42 +Goal "Says Server A (Crypt (shrK A) {|Timestamp, B, K, X|}) : set evs \
    2.43 +\        ==> K : parts (spies evs)";
    2.44  by (Blast_tac 1);
    2.45  qed "Oops_parts_spies";
    2.46  
    2.47 @@ -81,22 +79,20 @@
    2.48  
    2.49  
    2.50  (*Spy never sees another agent's shared key! (unless it's bad at start)*)
    2.51 -Goal 
    2.52 -"!!evs. evs : kerberos_ban ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
    2.53 +Goal "evs : kerberos_ban ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
    2.54  by (parts_induct_tac 1);
    2.55  by (ALLGOALS Blast_tac);
    2.56  qed "Spy_see_shrK";
    2.57  Addsimps [Spy_see_shrK];
    2.58  
    2.59  
    2.60 -Goal 
    2.61 -"!!evs. evs : kerberos_ban ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
    2.62 +Goal "evs : kerberos_ban ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
    2.63  by Auto_tac;
    2.64  qed "Spy_analz_shrK";
    2.65  Addsimps [Spy_analz_shrK];
    2.66  
    2.67 -Goal  "!!A. [| Key (shrK A) : parts (spies evs);       \
    2.68 -\                  evs : kerberos_ban |] ==> A:bad";
    2.69 +Goal  "[| Key (shrK A) : parts (spies evs);       \
    2.70 +\               evs : kerberos_ban |] ==> A:bad";
    2.71  by (blast_tac (claset() addDs [Spy_see_shrK]) 1);
    2.72  qed "Spy_see_shrK_D";
    2.73  
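Review bot: The rewritten goals for `Spy_analz_shrK` and `Spy_see_shrK_D` have no header comment, while `Spy_see_shrK` directly above them does, even though all three state that a long-term key `shrK A` reaches the Spy only when `A : bad`. I would add `(*The same for analz: the Spy can derive shrK A only if A is bad*)` above the second `Goal` and `(*Destruct form of Spy_see_shrK*)` above the third. The third also reads `Goal  "[|` with two spaces after the keyword, where the other rewritten goals in this file use one.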
    2.74 @@ -105,8 +101,8 @@
    2.75  
    2.76  
    2.77  (*Nobody can have used non-existent keys!*)
    2.78 -Goal "!!evs. evs : kerberos_ban ==>      \
    2.79 -\         Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
    2.80 +Goal "evs : kerberos_ban ==>      \
    2.81 +\      Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
    2.82  by (parts_induct_tac 1);
    2.83  (*Fake*)
    2.84  by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
    2.85 @@ -124,12 +120,11 @@
    2.86  (** Lemmas concerning the form of items passed in messages **)
    2.87  
    2.88  (*Describes the form of K, X and K' when the Server sends this message.*)
    2.89 -Goal 
    2.90 - "!!evs. [| Says Server A (Crypt K' {|Number Ts, Agent B, Key K, X|})  \
    2.91 -\           : set evs; evs : kerberos_ban |]                           \
    2.92 -\        ==> K ~: range shrK &                                         \
    2.93 -\            X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}) &      \
    2.94 -\            K' = shrK A";
    2.95 +Goal "[| Says Server A (Crypt K' {|Number Ts, Agent B, Key K, X|})  \
    2.96 +\        : set evs; evs : kerberos_ban |]                           \
    2.97 +\     ==> K ~: range shrK &                                         \
    2.98 +\         X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}) &      \
    2.99 +\         K' = shrK A";
   2.100  by (etac rev_mp 1);
   2.101  by (etac kerberos_ban.induct 1);
   2.102  by Auto_tac;
   2.103 @@ -141,12 +136,11 @@
   2.104  
   2.105    This shows implicitly the FRESHNESS OF THE SESSION KEY to A
   2.106  *)
   2.107 -Goal
   2.108 - "!!evs. [| Crypt (shrK A) {|Number Ts, Agent B, Key K, X|} \
   2.109 -\             : parts (spies evs);                          \
   2.110 -\           A ~: bad;  evs : kerberos_ban |]                \
   2.111 -\         ==> Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
   2.112 -\               : set evs";
   2.113 +Goal "[| Crypt (shrK A) {|Number Ts, Agent B, Key K, X|} \
   2.114 +\          : parts (spies evs);                          \
   2.115 +\        A ~: bad;  evs : kerberos_ban |]                \
   2.116 +\      ==> Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
   2.117 +\            : set evs";
   2.118  by (etac rev_mp 1);
   2.119  by (parts_induct_tac 1);
   2.120  by (Blast_tac 1);
   2.121 @@ -155,13 +149,12 @@
   2.122  
   2.123  (*If the TICKET appears then it originated with the Server*)
   2.124  (*FRESHNESS OF THE SESSION KEY to B*)
   2.125 -Goal
   2.126 - "!!evs. [| Crypt (shrK B) {|Number Ts, Agent A, Key K|} : parts (spies evs); \
   2.127 -\           B ~: bad;  evs : kerberos_ban |]                        \
   2.128 -\         ==> Says Server A                                         \
   2.129 -\              (Crypt (shrK A) {|Number Ts, Agent B, Key K,                   \
   2.130 -\                            Crypt (shrK B) {|Number Ts, Agent A, Key K|}|})  \
   2.131 -\             : set evs";
   2.132 +Goal "[| Crypt (shrK B) {|Number Ts, Agent A, Key K|} : parts (spies evs); \
   2.133 +\        B ~: bad;  evs : kerberos_ban |]                        \
   2.134 +\      ==> Says Server A                                         \
   2.135 +\           (Crypt (shrK A) {|Number Ts, Agent B, Key K,                   \
   2.136 +\                         Crypt (shrK B) {|Number Ts, Agent A, Key K|}|})  \
   2.137 +\          : set evs";
   2.138  by (etac rev_mp 1);
   2.139  by (parts_induct_tac 1);
   2.140  by (Blast_tac 1);
   2.141 @@ -171,12 +164,11 @@
   2.142  (*EITHER describes the form of X when the following message is sent, 
   2.143    OR     reduces it to the Fake case.
   2.144    Use Says_Server_message_form if applicable.*)
   2.145 -Goal 
   2.146 - "!!evs. [| Says S A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|})     \
   2.147 -\              : set evs;                                                  \
   2.148 -\           evs : kerberos_ban |]                                          \
   2.149 -\   ==> (K ~: range shrK & X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}))\
   2.150 -\            | X : analz (spies evs)";
   2.151 +Goal "[| Says S A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|})     \
   2.152 +\           : set evs;                                                  \
   2.153 +\        evs : kerberos_ban |]                                          \
   2.154 +\==> (K ~: range shrK & X = (Crypt (shrK B) {|Number Ts, Agent A, Key K|}))\
   2.155 +\         | X : analz (spies evs)";
   2.156  by (case_tac "A : bad" 1);
   2.157  by (fast_tac (claset() addSDs [Says_imp_spies RS analz.Inj]
   2.158                        addss (simpset())) 1);
   2.159 @@ -206,11 +198,10 @@
   2.160  
   2.161  (** Session keys are not used to encrypt other session keys **)
   2.162  
   2.163 -Goal  
   2.164 - "!!evs. evs : kerberos_ban ==>                          \
   2.165 +Goal "evs : kerberos_ban ==>                          \
   2.166  \  ALL K KK. KK <= Compl (range shrK) -->                \
   2.167 -\            (Key K : analz (Key``KK Un (spies evs))) =  \
   2.168 -\            (K : KK | Key K : analz (spies evs))";
   2.169 +\         (Key K : analz (Key``KK Un (spies evs))) =  \
   2.170 +\         (K : KK | Key K : analz (spies evs))";
   2.171  by (etac kerberos_ban.induct 1);
   2.172  by analz_spies_tac;
   2.173  by (REPEAT_FIRST (resolve_tac [allI, impI]));
   2.174 @@ -222,22 +213,20 @@
   2.175  qed_spec_mp "analz_image_freshK";
   2.176  
   2.177  
   2.178 -Goal
   2.179 - "!!evs. [| evs : kerberos_ban;  KAB ~: range shrK |] ==>     \
   2.180 -\        Key K : analz (insert (Key KAB) (spies evs)) =       \
   2.181 -\        (K = KAB | Key K : analz (spies evs))";
   2.182 +Goal "[| evs : kerberos_ban;  KAB ~: range shrK |] ==>     \
   2.183 +\     Key K : analz (insert (Key KAB) (spies evs)) =       \
   2.184 +\     (K = KAB | Key K : analz (spies evs))";
   2.185  by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
   2.186  qed "analz_insert_freshK";
   2.187  
   2.188  
   2.189  (** The session key K uniquely identifies the message **)
   2.190  
   2.191 -Goal 
   2.192 - "!!evs. evs : kerberos_ban ==>                                         \
   2.193 -\      EX A' Ts' B' X'. ALL A Ts B X.                                   \
   2.194 -\       Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
   2.195 -\             : set evs \
   2.196 -\       -->         A=A' & Ts=Ts' & B=B' & X=X'";
   2.197 +Goal "evs : kerberos_ban ==>                                         \
   2.198 +\   EX A' Ts' B' X'. ALL A Ts B X.                                   \
   2.199 +\    Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
   2.200 +\          : set evs \
   2.201 +\    -->         A=A' & Ts=Ts' & B=B' & X=X'";
   2.202  by (etac kerberos_ban.induct 1);
   2.203  by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
   2.204  by Safe_tac;
   2.205 @@ -248,12 +237,11 @@
   2.206  val lemma = result();
   2.207  
   2.208  (*In messages of this form, the session key uniquely identifies the rest*)
   2.209 -Goal 
   2.210 - "!!evs. [| Says Server A                                    \
   2.211 -\             (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) : set evs; \ 
   2.212 -\           Says Server A'                                   \
   2.213 -\            (Crypt (shrK A') {|Number Ts', Agent B', Key K, X'|}) : set evs;\
   2.214 -\           evs : kerberos_ban |] ==> A=A' & Ts=Ts' & B=B' & X = X'";
   2.215 +Goal "[| Says Server A                                    \
   2.216 +\          (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) : set evs; \ 
   2.217 +\        Says Server A'                                   \
   2.218 +\         (Crypt (shrK A') {|Number Ts', Agent B', Key K, X'|}) : set evs;\
   2.219 +\        evs : kerberos_ban |] ==> A=A' & Ts=Ts' & B=B' & X = X'";
   2.220  by (prove_unique_tac lemma 1);
   2.221  qed "unique_session_keys";
   2.222  
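Review bot: The second line of the rewritten `unique_session_keys` goal still appears to end in a backslash followed by a blank (`: set evs; \ `), carried over from the old text. The blank sits inside the string gap, so the statement should parse the same, but it is invisible and the line was being re-indented anyway, so it could have been dropped. As far as the page shows, the same applies to the `==>         \ ` line of the goal starting `[| A ~: bad; B ~: bad; evs : kerberos_ban |]` and to the `==> Says A B` line in the last hunk of this file.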
   2.223 @@ -262,13 +250,12 @@
   2.224      if the spy could see it!
   2.225  **)
   2.226  
   2.227 -Goal 
   2.228 - "!!evs. [| A ~: bad;  B ~: bad;  evs : kerberos_ban |]           \
   2.229 -\    ==> Says Server A                                            \
   2.230 -\            (Crypt (shrK A) {|Number Ts, Agent B, Key K,         \
   2.231 -\                              Crypt (shrK B) {|Number Ts, Agent A, Key K|}|})\
   2.232 -\           : set evs -->                                         \
   2.233 -\        Key K : analz (spies evs) --> Expired Ts evs"; 
   2.234 +Goal "[| A ~: bad;  B ~: bad;  evs : kerberos_ban |]           \
   2.235 +\ ==> Says Server A                                            \
   2.236 +\         (Crypt (shrK A) {|Number Ts, Agent B, Key K,         \
   2.237 +\                           Crypt (shrK B) {|Number Ts, Agent A, Key K|}|})\
   2.238 +\        : set evs -->                                         \
   2.239 +\     Key K : analz (spies evs) --> Expired Ts evs"; 
   2.240  by (etac kerberos_ban.induct 1);
   2.241  by analz_spies_tac;
   2.242  by (ALLGOALS
   2.243 @@ -294,12 +281,11 @@
   2.244                       Spy does not see the keys sent in msg Kb2 
   2.245                       as long as they have NOT EXPIRED
   2.246  **)
   2.247 -Goal 
   2.248 - "!!evs. [| Says Server A                                           \
   2.249 -\            (Crypt K' {|Number T, Agent B, Key K, X|}) : set evs;  \
   2.250 -\           ~ Expired T evs;                                        \
   2.251 -\           A ~: bad;  B ~: bad;  evs : kerberos_ban                \
   2.252 -\        |] ==> Key K ~: analz (spies evs)";
   2.253 +Goal "[| Says Server A                                           \
   2.254 +\         (Crypt K' {|Number T, Agent B, Key K, X|}) : set evs;  \
   2.255 +\        ~ Expired T evs;                                        \
   2.256 +\        A ~: bad;  B ~: bad;  evs : kerberos_ban                \
   2.257 +\     |] ==> Key K ~: analz (spies evs)";
   2.258  by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
   2.259  by (Clarify_tac 1);   (*prevents PROOF FAILED*)
   2.260  by (blast_tac (claset() addSEs [lemma]) 1);
   2.261 @@ -312,35 +298,32 @@
   2.262  
   2.263  (** CONFIDENTIALITY for ALICE: **)
   2.264  (** Also A_trusts_K_by_Kb2 RS Confidentiality_S **)
   2.265 -Goal 
   2.266 -"!!evs. [| Crypt (shrK A) {|Number T, Agent B, Key K, X|} : parts (spies evs);\
   2.267 -\           ~ Expired T evs;          \
   2.268 -\           A ~: bad;  B ~: bad;  evs : kerberos_ban                \
   2.269 -\        |] ==> Key K ~: analz (spies evs)";
   2.270 +Goal "[| Crypt (shrK A) {|Number T, Agent B, Key K, X|} : parts (spies evs);\
   2.271 +\        ~ Expired T evs;          \
   2.272 +\        A ~: bad;  B ~: bad;  evs : kerberos_ban                \
   2.273 +\     |] ==> Key K ~: analz (spies evs)";
   2.274  by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2, Confidentiality_S]) 1);
   2.275  qed "Confidentiality_A";
   2.276  
   2.277  
   2.278  (** CONFIDENTIALITY for BOB: **)
   2.279  (** Also B_trusts_K_by_Kb3 RS Confidentiality_S **)
   2.280 -Goal
   2.281 -"!!evs. [| Crypt (shrK B) {|Number Tk, Agent A, Key K|} \
   2.282 -\            : parts (spies evs);              \
   2.283 -\          ~ Expired Tk evs;          \
   2.284 -\          A ~: bad;  B ~: bad;  evs : kerberos_ban                \
   2.285 -\        |] ==> Key K ~: analz (spies evs)";             
   2.286 +Goal "[| Crypt (shrK B) {|Number Tk, Agent A, Key K|} \
   2.287 +\         : parts (spies evs);              \
   2.288 +\       ~ Expired Tk evs;          \
   2.289 +\       A ~: bad;  B ~: bad;  evs : kerberos_ban                \
   2.290 +\     |] ==> Key K ~: analz (spies evs)";             
   2.291  by (blast_tac (claset() addSDs [B_trusts_K_by_Kb3, 
   2.292                                  Confidentiality_S]) 1);
   2.293  qed "Confidentiality_B";
   2.294  
   2.295  
   2.296 -Goal
   2.297 - "!!evs. [| B ~: bad;  evs : kerberos_ban |]                        \
   2.298 -\        ==> Key K ~: analz (spies evs) -->                    \
   2.299 -\            Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
   2.300 -\            : set evs -->                                             \
   2.301 -\            Crypt K (Number Ta) : parts (spies evs) -->        \
   2.302 -\            Says B A (Crypt K (Number Ta)) : set evs";
   2.303 +Goal "[| B ~: bad;  evs : kerberos_ban |]                        \
   2.304 +\     ==> Key K ~: analz (spies evs) -->                    \
   2.305 +\         Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}) \
   2.306 +\         : set evs -->                                             \
   2.307 +\         Crypt K (Number Ta) : parts (spies evs) -->        \
   2.308 +\         Says B A (Crypt K (Number Ta)) : set evs";
   2.309  by (etac kerberos_ban.induct 1);
   2.310  by (forward_tac [Says_S_message_form] 5 THEN assume_tac 5);     
   2.311  by (dtac Kb3_msg_in_parts_spies 5);
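Review bot: The goal beginning `[| B ~: bad;  evs : kerberos_ban |]` has no header comment, unlike `Confidentiality_A` and `Confidentiality_B` just above it, and its conclusion is a chain of three implications that is hard to read cold. Its proof runs past the end of the hunk, so its name is not visible here; it is presumably the `lemma_B` that `Authentication_B` applies with `RS mp RS mp RS mp`. A comment such as `(*Lemma for Authentication_B: if K stays secret and the Server issued it for A and B, any Crypt K (Number Ta) in the traffic was sent by B*)` would make the secrecy precondition explicit. The matching goal for A in the next hunk, which concludes `Says A B {|X, Crypt K {|Agent A, Number Ta|}|}`, would benefit from the same.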
   2.312 @@ -367,27 +350,25 @@
   2.313  
   2.314  
   2.315  (*AUTHENTICATION OF B TO A*)
   2.316 -Goal
   2.317 - "!!evs. [| Crypt K (Number Ta) : parts (spies evs);           \
   2.318 -\           Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}    \
   2.319 -\           : parts (spies evs);                               \
   2.320 -\           ~ Expired Ts evs;                                  \
   2.321 -\           A ~: bad;  B ~: bad;  evs : kerberos_ban |]        \
   2.322 -\        ==> Says B A (Crypt K (Number Ta)) : set evs";
   2.323 +Goal "[| Crypt K (Number Ta) : parts (spies evs);           \
   2.324 +\        Crypt (shrK A) {|Number Ts, Agent B, Key K, X|}    \
   2.325 +\        : parts (spies evs);                               \
   2.326 +\        ~ Expired Ts evs;                                  \
   2.327 +\        A ~: bad;  B ~: bad;  evs : kerberos_ban |]        \
   2.328 +\     ==> Says B A (Crypt K (Number Ta)) : set evs";
   2.329  by (blast_tac (claset() addSDs [A_trusts_K_by_Kb2]
   2.330                          addSIs [lemma_B RS mp RS mp RS mp]
   2.331                          addSEs [Confidentiality_S RSN (2,rev_notE)]) 1);
   2.332  qed "Authentication_B";
   2.333  
   2.334  
   2.335 -Goal
   2.336 - "!!evs. [| A ~: bad; B ~: bad; evs : kerberos_ban |]      ==>         \ 
   2.337 -\           Key K ~: analz (spies evs) -->         \
   2.338 -\           Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|})  \
   2.339 -\           : set evs -->  \
   2.340 -\            Crypt K {|Agent A, Number Ta|} : parts (spies evs) -->\
   2.341 -\           Says A B {|X, Crypt K {|Agent A, Number Ta|}|}  \
   2.342 -\               : set evs";
   2.343 +Goal "[| A ~: bad; B ~: bad; evs : kerberos_ban |]      ==>         \ 
   2.344 +\        Key K ~: analz (spies evs) -->         \
   2.345 +\        Says Server A (Crypt (shrK A) {|Number Ts, Agent B, Key K, X|})  \
   2.346 +\        : set evs -->  \
   2.347 +\         Crypt K {|Agent A, Number Ta|} : parts (spies evs) -->\
   2.348 +\        Says A B {|X, Crypt K {|Agent A, Number Ta|}|}  \
   2.349 +\            : set evs";
   2.350  by (etac kerberos_ban.induct 1);
   2.351  by (forward_tac [Says_S_message_form] 5 THEN assume_tac 5);     
   2.352  by (forward_tac [Kb3_msg_in_parts_spies] 5);
   2.353 @@ -404,14 +385,13 @@
   2.354  
   2.355  
   2.356  (*AUTHENTICATION OF A TO B*)
   2.357 -Goal
   2.358 - "!!evs. [| Crypt K {|Agent A, Number Ta|} : parts (spies evs);  \
   2.359 -\           Crypt (shrK B) {|Number Ts, Agent A, Key K|}         \
   2.360 -\           : parts (spies evs);                                 \
   2.361 -\           ~ Expired Ts evs;                                    \
   2.362 -\           A ~: bad;  B ~: bad;  evs : kerberos_ban |]          \
   2.363 -\        ==> Says A B {|Crypt (shrK B) {|Number Ts, Agent A, Key K|}, \       
   2.364 -\                       Crypt K {|Agent A, Number Ta|}|} : set evs";
   2.365 +Goal "[| Crypt K {|Agent A, Number Ta|} : parts (spies evs);  \
   2.366 +\        Crypt (shrK B) {|Number Ts, Agent A, Key K|}         \
   2.367 +\        : parts (spies evs);                                 \
   2.368 +\        ~ Expired Ts evs;                                    \
   2.369 +\        A ~: bad;  B ~: bad;  evs : kerberos_ban |]          \
   2.370 +\     ==> Says A B {|Crypt (shrK B) {|Number Ts, Agent A, Key K|}, \    
   2.371 +\                    Crypt K {|Agent A, Number Ta|}|} : set evs";
   2.372  by (blast_tac (claset() addSDs [B_trusts_K_by_Kb3]
   2.373                          addSIs [lemma_A RS mp RS mp RS mp]
   2.374                          addSEs [Confidentiality_S RSN (2,rev_notE)]) 1);
     3.1 --- a/src/HOL/Auth/Message.ML	Thu Jul 02 17:27:35 1998 +0200
     3.2 +++ b/src/HOL/Auth/Message.ML	Thu Jul 02 17:48:11 1998 +0200
     3.3 @@ -60,7 +60,7 @@
     3.4  qed "keysFor_UN";
     3.5  
     3.6  (*Monotonicity*)
     3.7 -Goalw [keysFor_def] "!!G H. G<=H ==> keysFor(G) <= keysFor(H)";
     3.8 +Goalw [keysFor_def] "G<=H ==> keysFor(G) <= keysFor(H)";
     3.9  by (Blast_tac 1);
    3.10  qed "keysFor_mono";
    3.11  
    3.12 @@ -105,7 +105,7 @@
    3.13  qed "keysFor_image_Key";
    3.14  Addsimps [keysFor_image_Key];
    3.15  
    3.16 -Goalw [keysFor_def] "!!H. Crypt K X : H ==> invKey K : keysFor H";
    3.17 +Goalw [keysFor_def] "Crypt K X : H ==> invKey K : keysFor H";
    3.18  by (Blast_tac 1);
    3.19  qed "Crypt_imp_invKey_keysFor";
    3.20  
    3.21 @@ -135,7 +135,7 @@
    3.22  qed "parts_increasing";
    3.23  
    3.24  (*Monotonicity*)
    3.25 -Goalw parts.defs "!!G H. G<=H ==> parts(G) <= parts(H)";
    3.26 +Goalw parts.defs "G<=H ==> parts(G) <= parts(H)";
    3.27  by (rtac lfp_mono 1);
    3.28  by (REPEAT (ares_tac basic_monos 1));
    3.29  qed "parts_mono";
    3.30 @@ -149,13 +149,13 @@
    3.31  qed "parts_empty";
    3.32  Addsimps [parts_empty];
    3.33  
    3.34 -Goal "!!X. X: parts{} ==> P";
    3.35 +Goal "X: parts{} ==> P";
    3.36  by (Asm_full_simp_tac 1);
    3.37  qed "parts_emptyE";
    3.38  AddSEs [parts_emptyE];
    3.39  
    3.40  (*WARNING: loops if H = {Y}, therefore must not be repeated!*)
    3.41 -Goal "!!H. X: parts H ==> EX Y:H. X: parts {Y}";
    3.42 +Goal "X: parts H ==> EX Y:H. X: parts {Y}";
    3.43  by (etac parts.induct 1);
    3.44  by (ALLGOALS Blast_tac);
    3.45  qed "parts_singleton";
    3.46 @@ -215,7 +215,7 @@
    3.47  
    3.48  (** Idempotence and transitivity **)
    3.49  
    3.50 -Goal "!!H. X: parts (parts H) ==> X: parts H";
    3.51 +Goal "X: parts (parts H) ==> X: parts H";
    3.52  by (etac parts.induct 1);
    3.53  by (ALLGOALS Blast_tac);
    3.54  qed "parts_partsD";
    3.55 @@ -226,19 +226,19 @@
    3.56  qed "parts_idem";
    3.57  Addsimps [parts_idem];
    3.58  
    3.59 -Goal "!!H. [| X: parts G;  G <= parts H |] ==> X: parts H";
    3.60 +Goal "[| X: parts G;  G <= parts H |] ==> X: parts H";
    3.61  by (dtac parts_mono 1);
    3.62  by (Blast_tac 1);
    3.63  qed "parts_trans";
    3.64  
    3.65  (*Cut*)
    3.66 -Goal "!!H. [| Y: parts (insert X G);  X: parts H |] \
    3.67 +Goal "[| Y: parts (insert X G);  X: parts H |] \
    3.68  \              ==> Y: parts (G Un H)";
    3.69  by (etac parts_trans 1);
    3.70  by Auto_tac;
    3.71  qed "parts_cut";
    3.72  
    3.73 -Goal "!!H. X: parts H ==> parts (insert X H) = parts H";
    3.74 +Goal "X: parts H ==> parts (insert X H) = parts H";
    3.75  by (fast_tac (claset() addSDs [parts_cut]
    3.76                         addIs  [parts_insertI] 
    3.77                         addss (simpset())) 1);
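Review bot: The continuation line of the `parts_cut` goal, `\              ==> Y: parts (G Un H)";`, keeps the deep indentation that matched the old `!!H.` first line and now hangs far to the right of the premises. The `Fake_parts_insert` hunk further down re-aligns its continuation to five columns; doing the same here, `\     ==> Y: parts (G Un H)";`, would keep the file uniform. The same leftover indentation is visible in the goals for `analz_insert_Crypt`, `lemma1`, `lemma2`, `analz_subset_cong` and `analz_cong`. Only layout whitespace would change, so the proved statements are unaffected.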
    3.78 @@ -366,7 +366,7 @@
    3.79  Addsimps [analz_parts];
    3.80  
    3.81  (*Monotonicity; Lemma 1 of Lowe*)
    3.82 -Goalw analz.defs "!!G H. G<=H ==> analz(G) <= analz(H)";
    3.83 +Goalw analz.defs "G<=H ==> analz(G) <= analz(H)";
    3.84  by (rtac lfp_mono 1);
    3.85  by (REPEAT (ares_tac basic_monos 1));
    3.86  qed "analz_mono";
    3.87 @@ -417,7 +417,7 @@
    3.88  
    3.89  (*Can only pull out Keys if they are not needed to decrypt the rest*)
    3.90  Goalw [keysFor_def]
    3.91 -    "!!K. K ~: keysFor (analz H) ==>  \
    3.92 +    "K ~: keysFor (analz H) ==>  \
    3.93  \         analz (insert (Key K) H) = insert (Key K) (analz H)";
    3.94  by (analz_tac 1);
    3.95  qed "analz_insert_Key";
    3.96 @@ -433,13 +433,13 @@
    3.97  qed "analz_insert_MPair";
    3.98  
    3.99  (*Can pull out enCrypted message if the Key is not known*)
   3.100 -Goal "!!H. Key (invKey K) ~: analz H ==>  \
   3.101 +Goal "Key (invKey K) ~: analz H ==>  \
   3.102  \              analz (insert (Crypt K X) H) = \
   3.103  \              insert (Crypt K X) (analz H)";
   3.104  by (analz_tac 1);
   3.105  qed "analz_insert_Crypt";
   3.106  
   3.107 -Goal "!!H. Key (invKey K) : analz H ==>  \
   3.108 +Goal "Key (invKey K) : analz H ==>  \
   3.109  \              analz (insert (Crypt K X) H) <= \
   3.110  \              insert (Crypt K X) (analz (insert X H))";
   3.111  by (rtac subsetI 1);
   3.112 @@ -447,7 +447,7 @@
   3.113  by (ALLGOALS (Blast_tac));
   3.114  val lemma1 = result();
   3.115  
   3.116 -Goal "!!H. Key (invKey K) : analz H ==>  \
   3.117 +Goal "Key (invKey K) : analz H ==>  \
   3.118  \              insert (Crypt K X) (analz (insert X H)) <= \
   3.119  \              analz (insert (Crypt K X) H)";
   3.120  by Auto_tac;
   3.121 @@ -456,7 +456,7 @@
   3.122  by (blast_tac (claset() addIs [analz_insertI, analz.Decrypt]) 1);
   3.123  val lemma2 = result();
   3.124  
   3.125 -Goal "!!H. Key (invKey K) : analz H ==>  \
   3.126 +Goal "Key (invKey K) : analz H ==>  \
   3.127  \              analz (insert (Crypt K X) H) = \
   3.128  \              insert (Crypt K X) (analz (insert X H))";
   3.129  by (REPEAT (ares_tac [equalityI, lemma1, lemma2] 1));
   3.130 @@ -499,7 +499,7 @@
   3.131  
   3.132  (** Idempotence and transitivity **)
   3.133  
   3.134 -Goal "!!H. X: analz (analz H) ==> X: analz H";
   3.135 +Goal "X: analz (analz H) ==> X: analz H";
   3.136  by (etac analz.induct 1);
   3.137  by (ALLGOALS Blast_tac);
   3.138  qed "analz_analzD";
   3.139 @@ -510,52 +510,52 @@
   3.140  qed "analz_idem";
   3.141  Addsimps [analz_idem];
   3.142  
   3.143 -Goal "!!H. [| X: analz G;  G <= analz H |] ==> X: analz H";
   3.144 +Goal "[| X: analz G;  G <= analz H |] ==> X: analz H";
   3.145  by (dtac analz_mono 1);
   3.146  by (Blast_tac 1);
   3.147  qed "analz_trans";
   3.148  
   3.149  (*Cut; Lemma 2 of Lowe*)
   3.150 -Goal "!!H. [| Y: analz (insert X H);  X: analz H |] ==> Y: analz H";
   3.151 +Goal "[| Y: analz (insert X H);  X: analz H |] ==> Y: analz H";
   3.152  by (etac analz_trans 1);
   3.153  by (Blast_tac 1);
   3.154  qed "analz_cut";
   3.155  
   3.156  (*Cut can be proved easily by induction on
   3.157 -   "!!H. Y: analz (insert X H) ==> X: analz H --> Y: analz H"
   3.158 +   "Y: analz (insert X H) ==> X: analz H --> Y: analz H"
   3.159  *)
   3.160  
   3.161  (*This rewrite rule helps in the simplification of messages that involve
   3.162    the forwarding of unknown components (X).  Without it, removing occurrences
   3.163    of X can be very complicated. *)
   3.164 -Goal "!!H. X: analz H ==> analz (insert X H) = analz H";
   3.165 +Goal "X: analz H ==> analz (insert X H) = analz H";
   3.166  by (blast_tac (claset() addIs [analz_cut, analz_insertI]) 1);
   3.167  qed "analz_insert_eq";
   3.168  
   3.169  
   3.170  (** A congruence rule for "analz" **)
   3.171  
   3.172 -Goal "!!H. [| analz G <= analz G'; analz H <= analz H' \
   3.173 +Goal "[| analz G <= analz G'; analz H <= analz H' \
   3.174  \              |] ==> analz (G Un H) <= analz (G' Un H')";
   3.175  by (Clarify_tac 1);
   3.176  by (etac analz.induct 1);
   3.177  by (ALLGOALS (best_tac (claset() addIs [analz_mono RS subsetD])));
   3.178  qed "analz_subset_cong";
   3.179  
   3.180 -Goal "!!H. [| analz G = analz G'; analz H = analz H' \
   3.181 +Goal "[| analz G = analz G'; analz H = analz H' \
   3.182  \              |] ==> analz (G Un H) = analz (G' Un H')";
   3.183  by (REPEAT_FIRST (ares_tac [equalityI, analz_subset_cong]
   3.184            ORELSE' etac equalityE));
   3.185  qed "analz_cong";
   3.186  
   3.187  
   3.188 -Goal "!!H. analz H = analz H' ==> analz(insert X H) = analz(insert X H')";
   3.189 +Goal "analz H = analz H' ==> analz(insert X H) = analz(insert X H')";
   3.190  by (asm_simp_tac (simpset() addsimps [insert_def] delsimps [singleton_conv]
   3.191                              setloop (rtac analz_cong)) 1);
   3.192  qed "analz_insert_cong";
   3.193  
   3.194  (*If there are no pairs or encryptions then analz does nothing*)
   3.195 -Goal "!!H. [| ALL X Y. {|X,Y|} ~: H;  ALL X K. Crypt K X ~: H |] ==> \
   3.196 +Goal "[| ALL X Y. {|X,Y|} ~: H;  ALL X K. Crypt K X ~: H |] ==> \
   3.197  \         analz H = H";
   3.198  by Safe_tac;
   3.199  by (etac analz.induct 1);
   3.200 @@ -563,7 +563,7 @@
   3.201  qed "analz_trivial";
   3.202  
   3.203  (*These two are obsolete (with a single Spy) but cost little to prove...*)
   3.204 -Goal "!!X. X: analz (UN i:A. analz (H i)) ==> X: analz (UN i:A. H i)";
   3.205 +Goal "X: analz (UN i:A. analz (H i)) ==> X: analz (UN i:A. H i)";
   3.206  by (etac analz.induct 1);
   3.207  by (ALLGOALS (blast_tac (claset() addIs [impOfSubs analz_mono])));
   3.208  val lemma = result();
   3.209 @@ -596,7 +596,7 @@
   3.210  qed "synth_increasing";
   3.211  
   3.212  (*Monotonicity*)
   3.213 -Goalw synth.defs "!!G H. G<=H ==> synth(G) <= synth(H)";
   3.214 +Goalw synth.defs "G<=H ==> synth(G) <= synth(H)";
   3.215  by (rtac lfp_mono 1);
   3.216  by (REPEAT (ares_tac basic_monos 1));
   3.217  qed "synth_mono";
   3.218 @@ -615,7 +615,7 @@
   3.219  
   3.220  (** Idempotence and transitivity **)
   3.221  
   3.222 -Goal "!!H. X: synth (synth H) ==> X: synth H";
   3.223 +Goal "X: synth (synth H) ==> X: synth H";
   3.224  by (etac synth.induct 1);
   3.225  by (ALLGOALS Blast_tac);
   3.226  qed "synth_synthD";
   3.227 @@ -625,13 +625,13 @@
   3.228  by (Blast_tac 1);
   3.229  qed "synth_idem";
   3.230  
   3.231 -Goal "!!H. [| X: synth G;  G <= synth H |] ==> X: synth H";
   3.232 +Goal "[| X: synth G;  G <= synth H |] ==> X: synth H";
   3.233  by (dtac synth_mono 1);
   3.234  by (Blast_tac 1);
   3.235  qed "synth_trans";
   3.236  
   3.237  (*Cut; Lemma 2 of Lowe*)
   3.238 -Goal "!!H. [| Y: synth (insert X H);  X: synth H |] ==> Y: synth H";
   3.239 +Goal "[| Y: synth (insert X H);  X: synth H |] ==> Y: synth H";
   3.240  by (etac synth_trans 1);
   3.241  by (Blast_tac 1);
   3.242  qed "synth_cut";
   3.243 @@ -652,7 +652,7 @@
   3.244  by (Blast_tac 1);
   3.245  qed "Key_synth_eq";
   3.246  
   3.247 -Goal "!!K. Key K ~: H ==> (Crypt K X : synth H) = (Crypt K X : H)";
   3.248 +Goal "Key K ~: H ==> (Crypt K X : synth H) = (Crypt K X : H)";
   3.249  by (Blast_tac 1);
   3.250  qed "Crypt_synth_eq";
   3.251  
   3.252 @@ -701,23 +701,23 @@
   3.253  
   3.254  (** For reasoning about the Fake rule in traces **)
   3.255  
   3.256 -Goal "!!Y. X: G ==> parts(insert X H) <= parts G Un parts H";
   3.257 +Goal "X: G ==> parts(insert X H) <= parts G Un parts H";
   3.258  by (rtac ([parts_mono, parts_Un_subset2] MRS subset_trans) 1);
   3.259  by (Blast_tac 1);
   3.260  qed "parts_insert_subset_Un";
   3.261  
   3.262  (*More specifically for Fake.  Very occasionally we could do with a version
   3.263    of the form  parts{X} <= synth (analz H) Un parts H *)
   3.264 -Goal "!!H. X: synth (analz H) ==> \
   3.265 -\              parts (insert X H) <= synth (analz H) Un parts H";
   3.266 +Goal "X: synth (analz H) ==> \
   3.267 +\     parts (insert X H) <= synth (analz H) Un parts H";
   3.268  by (dtac parts_insert_subset_Un 1);
   3.269  by (Full_simp_tac 1);
   3.270  by (Blast_tac 1);
   3.271  qed "Fake_parts_insert";
   3.272  
   3.273  (*H is sometimes (Key `` KK Un spies evs), so can't put G=H*)
   3.274 -Goal "!!H. X: synth (analz G) ==> \
   3.275 -\              analz (insert X H) <= synth (analz G) Un analz (G Un H)";
   3.276 +Goal "X: synth (analz G) ==> \
   3.277 +\     analz (insert X H) <= synth (analz G) Un analz (G Un H)";
   3.278  by (rtac subsetI 1);
   3.279  by (subgoal_tac "x : analz (synth (analz G) Un H)" 1);
   3.280  by (blast_tac (claset() addIs [impOfSubs analz_mono,
   3.281 @@ -739,20 +739,20 @@
   3.282  (*Without this equation, other rules for synth and analz would yield
   3.283    redundant cases*)
   3.284  Goal "({|X,Y|} : synth (analz H)) = \
   3.285 -\         (X : synth (analz H) & Y : synth (analz H))";
   3.286 +\     (X : synth (analz H) & Y : synth (analz H))";
   3.287  by (Blast_tac 1);
   3.288  qed "MPair_synth_analz";
   3.289  
   3.290  AddIffs [MPair_synth_analz];
   3.291  
   3.292 -Goal "!!K. [| Key K : analz H;  Key (invKey K) : analz H |] \
   3.293 -\              ==> (Crypt K X : synth (analz H)) = (X : synth (analz H))";
   3.294 +Goal "[| Key K : analz H;  Key (invKey K) : analz H |] \
   3.295 +\      ==> (Crypt K X : synth (analz H)) = (X : synth (analz H))";
   3.296  by (Blast_tac 1);
   3.297  qed "Crypt_synth_analz";
   3.298  
   3.299  
   3.300 -Goal "!!K. X ~: synth (analz H) \
   3.301 -\   ==> (Hash{|X,Y|} : synth (analz H)) = (Hash{|X,Y|} : analz H)";
   3.302 +Goal "X ~: synth (analz H) \
   3.303 +\     ==> (Hash{|X,Y|} : synth (analz H)) = (Hash{|X,Y|} : analz H)";
   3.304  by (Blast_tac 1);
   3.305  qed "Hash_synth_analz";
   3.306  Addsimps [Hash_synth_analz];
   3.307 @@ -825,7 +825,7 @@
   3.308  by (Simp_tac 1);
   3.309  qed "analz_insert_HPair";
   3.310  
   3.311 -Goalw [HPair_def] "!!H. X ~: synth (analz H) \
   3.312 +Goalw [HPair_def] "X ~: synth (analz H) \
   3.313  \   ==> (Hash[X] Y : synth (analz H)) = \
   3.314  \       (Hash {|X, Y|} : analz H & Y : synth (analz H))";
   3.315  by (Simp_tac 1);
     4.1 --- a/src/HOL/Auth/NS_Public.ML	Thu Jul 02 17:27:35 1998 +0200
     4.2 +++ b/src/HOL/Auth/NS_Public.ML	Thu Jul 02 17:48:11 1998 +0200
     4.3 @@ -19,9 +19,8 @@
     4.4  AddIffs [Spy_in_bad];
     4.5  
     4.6  (*A "possibility property": there are traces that reach the end*)
     4.7 -Goal 
     4.8 - "!!A B. A ~= B ==> EX NB. EX evs: ns_public.               \
     4.9 -\                     Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
    4.10 +Goal "A ~= B ==> EX NB. EX evs: ns_public.               \
    4.11 +\                  Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
    4.12  by (REPEAT (resolve_tac [exI,bexI] 1));
    4.13  by (rtac (ns_public.Nil RS ns_public.NS1 RS ns_public.NS2 RS ns_public.NS3) 2);
    4.14  by possibility_tac;
    4.15 @@ -31,7 +30,7 @@
    4.16  (**** Inductive proofs about ns_public ****)
    4.17  
    4.18  (*Nobody sends themselves messages*)
    4.19 -Goal "!!evs. evs : ns_public ==> ALL A X. Says A A X ~: set evs";
    4.20 +Goal "evs : ns_public ==> ALL A X. Says A A X ~: set evs";
    4.21  by (etac ns_public.induct 1);
    4.22  by Auto_tac;
    4.23  qed_spec_mp "not_Says_to_self";
    4.24 @@ -54,15 +53,13 @@
    4.25      sends messages containing X! **)
    4.26  
    4.27  (*Spy never sees another agent's private key! (unless it's bad at start)*)
    4.28 -Goal 
    4.29 - "!!A. evs: ns_public ==> (Key (priK A) : parts (spies evs)) = (A : bad)";
    4.30 +Goal "evs: ns_public ==> (Key (priK A) : parts (spies evs)) = (A : bad)";
    4.31  by (parts_induct_tac 1);
    4.32  by (Blast_tac 1);
    4.33  qed "Spy_see_priK";
    4.34  Addsimps [Spy_see_priK];
    4.35  
    4.36 -Goal 
    4.37 - "!!A. evs: ns_public ==> (Key (priK A) : analz (spies evs)) = (A : bad)";
    4.38 +Goal "evs: ns_public ==> (Key (priK A) : analz (spies evs)) = (A : bad)";
    4.39  by Auto_tac;
    4.40  qed "Spy_analz_priK";
    4.41  Addsimps [Spy_analz_priK];
    4.42 @@ -75,9 +72,8 @@
    4.43  
    4.44  (*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce
    4.45    is secret.  (Honest users generate fresh nonces.)*)
    4.46 -Goal 
    4.47 - "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
    4.48 -\           Nonce NA ~: analz (spies evs);   evs : ns_public |]       \
    4.49 +Goal "[| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
    4.50 +\        Nonce NA ~: analz (spies evs);   evs : ns_public |]       \
    4.51  \ ==> Crypt (pubK C) {|NA', Nonce NA, Agent D|} ~: parts (spies evs)";
    4.52  by (etac rev_mp 1);
    4.53  by (etac rev_mp 1);
    4.54 @@ -90,11 +86,10 @@
    4.55  
    4.56  
    4.57  (*Unicity for NS1: nonce NA identifies agents A and B*)
    4.58 -Goal 
    4.59 - "!!evs. [| Nonce NA ~: analz (spies evs);  evs : ns_public |]      \
    4.60 +Goal "[| Nonce NA ~: analz (spies evs);  evs : ns_public |]      \
    4.61  \ ==> EX A' B'. ALL A B.                                            \
    4.62 -\      Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs) --> \
    4.63 -\      A=A' & B=B'";
    4.64 +\   Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs) --> \
    4.65 +\   A=A' & B=B'";
    4.66  by (etac rev_mp 1);
    4.67  by (parts_induct_tac 1);
    4.68  by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
    4.69 @@ -105,12 +100,11 @@
    4.70  by (Blast_tac 1);
    4.71  val lemma = result();
    4.72  
    4.73 -Goal 
    4.74 - "!!evs. [| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(spies evs); \
    4.75 -\           Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(spies evs); \
    4.76 -\           Nonce NA ~: analz (spies evs);                            \
    4.77 -\           evs : ns_public |]                                        \
    4.78 -\        ==> A=A' & B=B'";
    4.79 +Goal "[| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(spies evs); \
    4.80 +\        Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(spies evs); \
    4.81 +\        Nonce NA ~: analz (spies evs);                            \
    4.82 +\        evs : ns_public |]                                        \
    4.83 +\     ==> A=A' & B=B'";
    4.84  by (prove_unique_tac lemma 1);
    4.85  qed "unique_NA";
    4.86  
    4.87 @@ -122,10 +116,9 @@
    4.88  
    4.89  
    4.90  (*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure*)
    4.91 -Goal 
    4.92 - "!!evs. [| Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;   \
    4.93 -\           A ~: bad;  B ~: bad;  evs : ns_public |]                    \
    4.94 -\        ==>  Nonce NA ~: analz (spies evs)";
    4.95 +Goal "[| Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;   \
    4.96 +\        A ~: bad;  B ~: bad;  evs : ns_public |]                    \
    4.97 +\     ==>  Nonce NA ~: analz (spies evs)";
    4.98  by (etac rev_mp 1);
    4.99  by (analz_induct_tac 1);
   4.100  (*NS3*)
   4.101 @@ -141,13 +134,12 @@
   4.102  
   4.103  (*Authentication for A: if she receives message 2 and has used NA
   4.104    to start a run, then B has sent message 2.*)
   4.105 -Goal 
   4.106 - "!!evs. [| Says A  B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;  \
   4.107 -\           Says B' A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})   \
   4.108 -\             : set evs;                                                \
   4.109 -\           A ~: bad;  B ~: bad;  evs : ns_public |]                    \
   4.110 -\        ==> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})   \
   4.111 -\              : set evs";
   4.112 +Goal "[| Says A  B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;  \
   4.113 +\        Says B' A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})   \
   4.114 +\          : set evs;                                                \
   4.115 +\        A ~: bad;  B ~: bad;  evs : ns_public |]                    \
   4.116 +\     ==> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})   \
   4.117 +\           : set evs";
   4.118  by (etac rev_mp 1);
   4.119  (*prepare induction over Crypt (pubK A) {|NA,NB,B|} : parts H*)
   4.120  by (etac (Says_imp_spies RS parts.Inj RS rev_mp) 1);
   4.121 @@ -161,11 +153,10 @@
   4.122  
   4.123  
   4.124  (*If the encrypted message appears then it originated with Alice in NS1*)
   4.125 -Goal 
   4.126 - "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
   4.127 -\           Nonce NA ~: analz (spies evs);                            \
   4.128 -\           evs : ns_public |]                                        \
   4.129 -\   ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
   4.130 +Goal "[| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
   4.131 +\        Nonce NA ~: analz (spies evs);                            \
   4.132 +\        evs : ns_public |]                                        \
   4.133 +\==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
   4.134  by (etac rev_mp 1);
   4.135  by (etac rev_mp 1);
   4.136  by (parts_induct_tac 1);
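Review bot: The conclusion line of this goal is now written `\==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";`, with the `==>` flush against the continuation backslash. The other goals rewritten in this file indent it, for example `\     ==> A=A' & B=B'";` in unique_NA. The statement should still read the same, since the previous line keeps its trailing spaces inside the string, but the premises and the conclusion no longer line up. I would write `\     ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";`. The corresponding hunk in NS_Public_Bad.ML has the same line, and the proof script continues outside this hunk.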
   4.137 @@ -179,11 +170,10 @@
   4.138  (*Unicity for NS2: nonce NB identifies nonce NA and agents A, B 
   4.139    [unicity of B makes Lowe's fix work]
   4.140    [proof closely follows that for unique_NA] *)
   4.141 -Goal 
   4.142 - "!!evs. [| Nonce NB ~: analz (spies evs);  evs : ns_public |]            \
   4.143 +Goal "[| Nonce NB ~: analz (spies evs);  evs : ns_public |]            \
   4.144  \ ==> EX A' NA' B'. ALL A NA B.                                           \
   4.145 -\      Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|} : parts (spies evs) \
   4.146 -\         -->  A=A' & NA=NA' & B=B'";
   4.147 +\   Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|} : parts (spies evs) \
   4.148 +\      -->  A=A' & NA=NA' & B=B'";
   4.149  by (etac rev_mp 1);
   4.150  by (parts_induct_tac 1);
   4.151  by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
   4.152 @@ -194,14 +184,13 @@
   4.153  by (Blast_tac 1);
   4.154  val lemma = result();
   4.155  
   4.156 -Goal 
   4.157 - "!!evs. [| Crypt(pubK A)  {|Nonce NA, Nonce NB, Agent B|}   \
   4.158 -\             : parts(spies evs);                            \
   4.159 -\           Crypt(pubK A') {|Nonce NA', Nonce NB, Agent B'|} \
   4.160 -\             : parts(spies evs);                            \
   4.161 -\           Nonce NB ~: analz (spies evs);                   \
   4.162 -\           evs : ns_public |]                               \
   4.163 -\        ==> A=A' & NA=NA' & B=B'";
   4.164 +Goal "[| Crypt(pubK A)  {|Nonce NA, Nonce NB, Agent B|}   \
   4.165 +\          : parts(spies evs);                            \
   4.166 +\        Crypt(pubK A') {|Nonce NA', Nonce NB, Agent B'|} \
   4.167 +\          : parts(spies evs);                            \
   4.168 +\        Nonce NB ~: analz (spies evs);                   \
   4.169 +\        evs : ns_public |]                               \
   4.170 +\     ==> A=A' & NA=NA' & B=B'";
   4.171  by (prove_unique_tac lemma 1);
   4.172  qed "unique_NB";
   4.173  
   4.174 @@ -209,10 +198,9 @@
   4.175  
   4.176  
   4.177  (*Secrecy: Spy does not see the nonce sent in msg NS2 if A and B are secure*)
   4.178 -Goal 
   4.179 - "!!evs. [| Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
   4.180 -\             : set evs;                                              \
   4.181 -\           A ~: bad;  B ~: bad;  evs : ns_public |]                \
   4.182 +Goal "[| Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
   4.183 +\          : set evs;                                              \
   4.184 +\        A ~: bad;  B ~: bad;  evs : ns_public |]                \
   4.185  \ ==> Nonce NB ~: analz (spies evs)";
   4.186  by (etac rev_mp 1);
   4.187  by (analz_induct_tac 1);
   4.188 @@ -231,12 +219,11 @@
   4.189  
   4.190  (*Authentication for B: if he receives message 3 and has used NB
   4.191    in message 2, then A has sent message 3.*)
   4.192 -Goal 
   4.193 - "!!evs. [| Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
   4.194 -\             : set evs;                                               \
   4.195 -\           Says A' B (Crypt (pubK B) (Nonce NB)): set evs;            \
   4.196 -\           A ~: bad;  B ~: bad;  evs : ns_public |]                   \
   4.197 -\        ==> Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
   4.198 +Goal "[| Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
   4.199 +\          : set evs;                                               \
   4.200 +\        Says A' B (Crypt (pubK B) (Nonce NB)): set evs;            \
   4.201 +\        A ~: bad;  B ~: bad;  evs : ns_public |]                   \
   4.202 +\     ==> Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
   4.203  by (etac rev_mp 1);
   4.204  (*prepare induction over Crypt (pubK B) NB : parts H*)
   4.205  by (etac (Says_imp_spies RS parts.Inj RS rev_mp) 1);
   4.206 @@ -255,12 +242,11 @@
   4.207  
   4.208  (*If B receives NS3 and the nonce NB agrees with the nonce he joined with
   4.209    NA, then A initiated the run using NA.  SAME proof as B_trusts_NS3!*)
   4.210 -Goal 
   4.211 - "!!evs. [| Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
   4.212 -\             : set evs;                                               \
   4.213 -\           Says A' B (Crypt (pubK B) (Nonce NB)): set evs;            \
   4.214 -\           A ~: bad;  B ~: bad;  evs : ns_public |]                 \
   4.215 -\    ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
   4.216 +Goal "[| Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
   4.217 +\          : set evs;                                               \
   4.218 +\        Says A' B (Crypt (pubK B) (Nonce NB)): set evs;            \
   4.219 +\        A ~: bad;  B ~: bad;  evs : ns_public |]                 \
   4.220 +\ ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
   4.221  by (etac rev_mp 1);
   4.222  (*prepare induction over Crypt (pubK B) {|NB|} : parts H*)
   4.223  by (etac (Says_imp_spies RS parts.Inj RS rev_mp) 1);
     5.1 --- a/src/HOL/Auth/NS_Public_Bad.ML	Thu Jul 02 17:27:35 1998 +0200
     5.2 +++ b/src/HOL/Auth/NS_Public_Bad.ML	Thu Jul 02 17:48:11 1998 +0200
     5.3 @@ -23,9 +23,8 @@
     5.4  AddIffs [Spy_in_bad];
     5.5  
     5.6  (*A "possibility property": there are traces that reach the end*)
     5.7 -Goal 
     5.8 - "!!A B. A ~= B ==> EX NB. EX evs: ns_public.               \
     5.9 -\                     Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
    5.10 +Goal "A ~= B ==> EX NB. EX evs: ns_public.               \
    5.11 +\                  Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
    5.12  by (REPEAT (resolve_tac [exI,bexI] 1));
    5.13  by (rtac (ns_public.Nil RS ns_public.NS1 RS ns_public.NS2 RS ns_public.NS3) 2);
    5.14  by possibility_tac;
    5.15 @@ -35,7 +34,7 @@
    5.16  (**** Inductive proofs about ns_public ****)
    5.17  
    5.18  (*Nobody sends themselves messages*)
    5.19 -Goal "!!evs. evs : ns_public ==> ALL A X. Says A A X ~: set evs";
    5.20 +Goal "evs : ns_public ==> ALL A X. Says A A X ~: set evs";
    5.21  by (etac ns_public.induct 1);
    5.22  by Auto_tac;
    5.23  qed_spec_mp "not_Says_to_self";
    5.24 @@ -58,15 +57,13 @@
    5.25      sends messages containing X! **)
    5.26  
    5.27  (*Spy never sees another agent's private key! (unless it's bad at start)*)
    5.28 -Goal 
    5.29 - "!!A. evs: ns_public ==> (Key (priK A) : parts (spies evs)) = (A : bad)";
    5.30 +Goal "evs: ns_public ==> (Key (priK A) : parts (spies evs)) = (A : bad)";
    5.31  by (parts_induct_tac 1);
    5.32  by (Blast_tac 1);
    5.33  qed "Spy_see_priK";
    5.34  Addsimps [Spy_see_priK];
    5.35  
    5.36 -Goal 
    5.37 - "!!A. evs: ns_public ==> (Key (priK A) : analz (spies evs)) = (A : bad)";
    5.38 +Goal "evs: ns_public ==> (Key (priK A) : analz (spies evs)) = (A : bad)";
    5.39  by Auto_tac;
    5.40  qed "Spy_analz_priK";
    5.41  Addsimps [Spy_analz_priK];
    5.42 @@ -79,9 +76,8 @@
    5.43  
    5.44  (*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce
    5.45    is secret.  (Honest users generate fresh nonces.)*)
    5.46 -Goal 
    5.47 - "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
    5.48 -\           Nonce NA ~: analz (spies evs);   evs : ns_public |]       \
    5.49 +Goal "[| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
    5.50 +\        Nonce NA ~: analz (spies evs);   evs : ns_public |]       \
    5.51  \ ==> Crypt (pubK C) {|NA', Nonce NA|} ~: parts (spies evs)";
    5.52  by (etac rev_mp 1);
    5.53  by (etac rev_mp 1);
    5.54 @@ -94,11 +90,10 @@
    5.55  
    5.56  
    5.57  (*Unicity for NS1: nonce NA identifies agents A and B*)
    5.58 -Goal 
    5.59 - "!!evs. [| Nonce NA ~: analz (spies evs);  evs : ns_public |]      \
    5.60 +Goal "[| Nonce NA ~: analz (spies evs);  evs : ns_public |]      \
    5.61  \ ==> EX A' B'. ALL A B.                                            \
    5.62 -\      Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs) --> \
    5.63 -\      A=A' & B=B'";
    5.64 +\   Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs) --> \
    5.65 +\   A=A' & B=B'";
    5.66  by (etac rev_mp 1);
    5.67  by (parts_induct_tac 1);
    5.68  by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
    5.69 @@ -109,12 +104,11 @@
    5.70  by (Blast_tac 1);
    5.71  val lemma = result();
    5.72  
    5.73 -Goal 
    5.74 - "!!evs. [| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(spies evs); \
    5.75 -\           Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(spies evs); \
    5.76 -\           Nonce NA ~: analz (spies evs);                            \
    5.77 -\           evs : ns_public |]                                        \
    5.78 -\        ==> A=A' & B=B'";
    5.79 +Goal "[| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(spies evs); \
    5.80 +\        Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(spies evs); \
    5.81 +\        Nonce NA ~: analz (spies evs);                            \
    5.82 +\        evs : ns_public |]                                        \
    5.83 +\     ==> A=A' & B=B'";
    5.84  by (prove_unique_tac lemma 1);
    5.85  qed "unique_NA";
    5.86  
    5.87 @@ -126,10 +120,9 @@
    5.88  
    5.89  
    5.90  (*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure*)
    5.91 -Goal 
    5.92 - "!!evs. [| Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;   \
    5.93 -\           A ~: bad;  B ~: bad;  evs : ns_public |]                    \
    5.94 -\        ==>  Nonce NA ~: analz (spies evs)";
    5.95 +Goal "[| Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;   \
    5.96 +\        A ~: bad;  B ~: bad;  evs : ns_public |]                    \
    5.97 +\     ==>  Nonce NA ~: analz (spies evs)";
    5.98  by (etac rev_mp 1);
    5.99  by (analz_induct_tac 1);
   5.100  (*NS3*)
   5.101 @@ -145,11 +138,10 @@
   5.102  
   5.103  (*Authentication for A: if she receives message 2 and has used NA
   5.104    to start a run, then B has sent message 2.*)
   5.105 -Goal 
   5.106 - "!!evs. [| Says A  B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;  \
   5.107 -\           Says B' A (Crypt(pubK A) {|Nonce NA, Nonce NB|}): set evs;  \
   5.108 -\           A ~: bad;  B ~: bad;  evs : ns_public |]                    \
   5.109 -\        ==> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB|}): set evs";
   5.110 +Goal "[| Says A  B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;  \
   5.111 +\        Says B' A (Crypt(pubK A) {|Nonce NA, Nonce NB|}): set evs;  \
   5.112 +\        A ~: bad;  B ~: bad;  evs : ns_public |]                    \
   5.113 +\     ==> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB|}): set evs";
   5.114  by (etac rev_mp 1);
   5.115  (*prepare induction over Crypt (pubK A) {|NA,NB|} : parts H*)
   5.116  by (etac (Says_imp_spies RS parts.Inj RS rev_mp) 1);
   5.117 @@ -166,11 +158,10 @@
   5.118  
   5.119  
   5.120  (*If the encrypted message appears then it originated with Alice in NS1*)
   5.121 -Goal 
   5.122 - "!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
   5.123 -\           Nonce NA ~: analz (spies evs);                            \
   5.124 -\           evs : ns_public |]                                        \
   5.125 -\   ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
   5.126 +Goal "[| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
   5.127 +\        Nonce NA ~: analz (spies evs);                            \
   5.128 +\        evs : ns_public |]                                        \
   5.129 +\==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
   5.130  by (etac rev_mp 1);
   5.131  by (etac rev_mp 1);
   5.132  by (parts_induct_tac 1);
   5.133 @@ -183,11 +174,10 @@
   5.134  
   5.135  (*Unicity for NS2: nonce NB identifies nonce NA and agent A
   5.136    [proof closely follows that for unique_NA] *)
   5.137 -Goal 
   5.138 - "!!evs. [| Nonce NB ~: analz (spies evs);  evs : ns_public |]            \
   5.139 +Goal "[| Nonce NB ~: analz (spies evs);  evs : ns_public |]            \
   5.140  \ ==> EX A' NA'. ALL A NA.                                                \
   5.141 -\      Crypt (pubK A) {|Nonce NA, Nonce NB|} : parts (spies evs)          \
   5.142 -\         -->  A=A' & NA=NA'";
   5.143 +\   Crypt (pubK A) {|Nonce NA, Nonce NB|} : parts (spies evs)          \
   5.144 +\      -->  A=A' & NA=NA'";
   5.145  by (etac rev_mp 1);
   5.146  by (parts_induct_tac 1);
   5.147  by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
   5.148 @@ -197,22 +187,20 @@
   5.149  by (Blast_tac 1);
   5.150  val lemma = result();
   5.151  
   5.152 -Goal 
   5.153 - "!!evs. [| Crypt(pubK A) {|Nonce NA, Nonce NB|}  : parts(spies evs); \
   5.154 -\           Crypt(pubK A'){|Nonce NA', Nonce NB|} : parts(spies evs); \
   5.155 -\           Nonce NB ~: analz (spies evs);                            \
   5.156 -\           evs : ns_public |]                                        \
   5.157 -\        ==> A=A' & NA=NA'";
   5.158 +Goal "[| Crypt(pubK A) {|Nonce NA, Nonce NB|}  : parts(spies evs); \
   5.159 +\        Crypt(pubK A'){|Nonce NA', Nonce NB|} : parts(spies evs); \
   5.160 +\        Nonce NB ~: analz (spies evs);                            \
   5.161 +\        evs : ns_public |]                                        \
   5.162 +\     ==> A=A' & NA=NA'";
   5.163  by (prove_unique_tac lemma 1);
   5.164  qed "unique_NB";
   5.165  
   5.166  
   5.167  (*NB remains secret PROVIDED Alice never responds with round 3*)
   5.168 -Goal 
   5.169 - "!!evs.[| Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evs;  \
   5.170 -\          ALL C. Says A C (Crypt (pubK C) (Nonce NB)) ~: set evs;      \
   5.171 -\          A ~: bad;  B ~: bad;  evs : ns_public |]                     \
   5.172 -\       ==> Nonce NB ~: analz (spies evs)";
   5.173 +Goal "[| Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evs;  \
   5.174 +\       ALL C. Says A C (Crypt (pubK C) (Nonce NB)) ~: set evs;      \
   5.175 +\       A ~: bad;  B ~: bad;  evs : ns_public |]                     \
   5.176 +\    ==> Nonce NB ~: analz (spies evs)";
   5.177  by (etac rev_mp 1);
   5.178  by (etac rev_mp 1);
   5.179  by (analz_induct_tac 1);
   5.180 @@ -232,11 +220,10 @@
   5.181  
   5.182  (*Authentication for B: if he receives message 3 and has used NB
   5.183    in message 2, then A has sent message 3--to somebody....*)
   5.184 -Goal 
   5.185 - "!!evs. [| Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evs; \
   5.186 -\           Says A' B (Crypt (pubK B) (Nonce NB)): set evs;              \
   5.187 -\           A ~: bad;  B ~: bad;  evs : ns_public |]                   \
   5.188 -\        ==> EX C. Says A C (Crypt (pubK C) (Nonce NB)) : set evs";
   5.189 +Goal "[| Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evs; \
   5.190 +\        Says A' B (Crypt (pubK B) (Nonce NB)): set evs;              \
   5.191 +\        A ~: bad;  B ~: bad;  evs : ns_public |]                   \
   5.192 +\     ==> EX C. Says A C (Crypt (pubK C) (Nonce NB)) : set evs";
   5.193  by (etac rev_mp 1);
   5.194  (*prepare induction over Crypt (pubK B) NB : parts H*)
   5.195  by (etac (Says_imp_spies RS parts.Inj RS rev_mp) 1);
   5.196 @@ -254,10 +241,9 @@
   5.197  
   5.198  
   5.199  (*Can we strengthen the secrecy theorem?  NO*)
   5.200 -Goal 
   5.201 - "!!evs. [| A ~: bad;  B ~: bad;  evs : ns_public |]           \
   5.202 +Goal "[| A ~: bad;  B ~: bad;  evs : ns_public |]           \
   5.203  \ ==> Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB|}) : set evs \
   5.204 -\     --> Nonce NB ~: analz (spies evs)";
   5.205 +\  --> Nonce NB ~: analz (spies evs)";
   5.206  by (analz_induct_tac 1);
   5.207  by (ALLGOALS Clarify_tac);
   5.208  (*NS2: by freshness and unicity of NB*)
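Review bot: The comment `(*Can we strengthen the secrecy theorem?  NO*)` does not tell the reader what to expect from the script that follows. This goal drops the premise `ALL C. Says A C (Crypt (pubK C) (Nonce NB)) ~: set evs` that the preceding secrecy result for NB relies on, so presumably the proof is meant to get stuck rather than finish. I would state that, e.g. `(*Attempt at secrecy of NB without assuming that A never sends message 3; not expected to be provable*)`. The proof script continues outside the hunk, so how it ends is not visible here.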
     6.1 --- a/src/HOL/Auth/NS_Shared.ML	Thu Jul 02 17:27:35 1998 +0200
     6.2 +++ b/src/HOL/Auth/NS_Shared.ML	Thu Jul 02 17:48:11 1998 +0200
     6.3 @@ -22,7 +22,7 @@
     6.4  
     6.5  (*A "possibility property": there are traces that reach the end*)
     6.6  Goal 
     6.7 - "!!A B. [| A ~= B; A ~= Server; B ~= Server |]       \
     6.8 + "[| A ~= B; A ~= Server; B ~= Server |]       \
     6.9  \        ==> EX N K. EX evs: ns_shared.               \
    6.10  \               Says A B (Crypt K {|Nonce N, Nonce N|}) : set evs";
    6.11  by (REPEAT (resolve_tac [exI,bexI] 1));
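Review bot: `Goal` is left on a line of its own here, and the continuation lines keep the indentation that was sized for the deleted `!!A B.` prefix. The other files in this changeset fold the statement onto the `Goal` line and re-align the continuations. For consistency I would write `Goal "[| A ~= B; A ~= Server; B ~= Server |]       \` followed by `\     ==> EX N K. EX evs: ns_shared.               \`. The later NS_Shared.ML hunks visible here have the same shape, for example the goals for Spy_see_shrK and Oops_parts_spies.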
    6.12 @@ -32,7 +32,7 @@
    6.13  result();
    6.14  
    6.15  Goal 
    6.16 - "!!A B. [| A ~= B; A ~= Server; B ~= Server |]       \
    6.17 + "[| A ~= B; A ~= Server; B ~= Server |]       \
    6.18  \        ==> EX evs: ns_shared.          \
    6.19  \               Says A B (Crypt ?K {|Nonce ?N, Nonce ?N|}) : set evs";
    6.20  by (REPEAT (resolve_tac [exI,bexI] 1));
    6.21 @@ -43,7 +43,7 @@
    6.22  (**** Inductive proofs about ns_shared ****)
    6.23  
    6.24  (*Nobody sends themselves messages*)
    6.25 -Goal "!!evs. evs : ns_shared ==> ALL A X. Says A A X ~: set evs";
    6.26 +Goal "evs : ns_shared ==> ALL A X. Says A A X ~: set evs";
    6.27  by (etac ns_shared.induct 1);
    6.28  by Auto_tac;
    6.29  qed_spec_mp "not_Says_to_self";
    6.30 @@ -51,13 +51,13 @@
    6.31  AddSEs   [not_Says_to_self RSN (2, rev_notE)];
    6.32  
    6.33  (*For reasoning about the encrypted portion of message NS3*)
    6.34 -Goal "!!evs. Says S A (Crypt KA {|N, B, K, X|}) : set evs \
    6.35 +Goal "Says S A (Crypt KA {|N, B, K, X|}) : set evs \
    6.36  \                ==> X : parts (spies evs)";
    6.37  by (Blast_tac 1);
    6.38  qed "NS3_msg_in_parts_spies";
    6.39                                
    6.40  Goal
    6.41 -    "!!evs. Says Server A (Crypt (shrK A) {|NA, B, K, X|}) : set evs \
    6.42 +    "Says Server A (Crypt (shrK A) {|NA, B, K, X|}) : set evs \
    6.43  \           ==> K : parts (spies evs)";
    6.44  by (Blast_tac 1);
    6.45  qed "Oops_parts_spies";
    6.46 @@ -76,14 +76,14 @@
    6.47  
    6.48  (*Spy never sees another agent's shared key! (unless it's bad at start)*)
    6.49  Goal 
    6.50 - "!!evs. evs : ns_shared ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
    6.51 + "evs : ns_shared ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
    6.52  by (parts_induct_tac 1);
    6.53  by (ALLGOALS Blast_tac);
    6.54  qed "Spy_see_shrK";
    6.55  Addsimps [Spy_see_shrK];
    6.56  
    6.57  Goal 
    6.58 - "!!evs. evs : ns_shared ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
    6.59 + "evs : ns_shared ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
    6.60  by Auto_tac;
    6.61  qed "Spy_analz_shrK";
    6.62  Addsimps [Spy_analz_shrK];
    6.63 @@ -93,7 +93,7 @@
    6.64  
    6.65  
    6.66  (*Nobody can have used non-existent keys!*)
    6.67 -Goal "!!evs. evs : ns_shared ==>      \
    6.68 +Goal "evs : ns_shared ==>      \
    6.69  \         Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
    6.70  by (parts_induct_tac 1);
    6.71  (*Fake*)
    6.72 @@ -113,7 +113,7 @@
    6.73  
    6.74  (*Describes the form of K, X and K' when the Server sends this message.*)
    6.75  Goal 
    6.76 - "!!evs. [| Says Server A (Crypt K' {|N, Agent B, Key K, X|}) : set evs; \
    6.77 + "[| Says Server A (Crypt K' {|N, Agent B, Key K, X|}) : set evs; \
    6.78  \           evs : ns_shared |]                           \
    6.79  \        ==> K ~: range shrK &                           \
    6.80  \            X = (Crypt (shrK B) {|Key K, Agent A|}) &   \
    6.81 @@ -126,7 +126,7 @@
    6.82  
    6.83  (*If the encrypted message appears then it originated with the Server*)
    6.84  Goal
    6.85 - "!!evs. [| Crypt (shrK A) {|NA, Agent B, Key K, X|} : parts (spies evs); \
    6.86 + "[| Crypt (shrK A) {|NA, Agent B, Key K, X|} : parts (spies evs); \
    6.87  \           A ~: bad;  evs : ns_shared |]                                 \
    6.88  \         ==> Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|})    \
    6.89  \               : set evs";
    6.90 @@ -137,7 +137,7 @@
    6.91  
    6.92  
    6.93  Goal
    6.94 - "!!evs. [| Crypt (shrK A) {|NA, Agent B, Key K, X|} : parts (spies evs); \
    6.95 + "[| Crypt (shrK A) {|NA, Agent B, Key K, X|} : parts (spies evs); \
    6.96  \           A ~: bad;  evs : ns_shared |]                                 \
    6.97  \         ==> K ~: range shrK &  X = (Crypt (shrK B) {|Key K, Agent A|})";
    6.98  by (blast_tac (claset() addSDs [A_trusts_NS2, Says_Server_message_form]) 1);
    6.99 @@ -148,7 +148,7 @@
   6.100    OR     reduces it to the Fake case.
   6.101    Use Says_Server_message_form if applicable.*)
   6.102  Goal 
   6.103 - "!!evs. [| Says S A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|})      \
   6.104 + "[| Says S A (Crypt (shrK A) {|Nonce NA, Agent B, Key K, X|})      \
   6.105  \              : set evs;                                                  \
   6.106  \           evs : ns_shared |]                                             \
   6.107  \        ==> (K ~: range shrK & X = (Crypt (shrK B) {|Key K, Agent A|}))   \
   6.108 @@ -181,7 +181,7 @@
   6.109    to encrypt messages containing other keys, in the actual protocol.
   6.110    We require that agents should behave like this subsequently also.*)
   6.111  Goal 
   6.112 - "!!evs. [| evs : ns_shared;  Kab ~: range shrK |] ==>  \
   6.113 + "[| evs : ns_shared;  Kab ~: range shrK |] ==>  \
   6.114  \           (Crypt KAB X) : parts (spies evs) &         \
   6.115  \           Key K : parts {X} --> Key K : parts (spies evs)";
   6.116  by (parts_induct_tac 1);
   6.117 @@ -197,7 +197,7 @@
   6.118  
   6.119  (*The equality makes the induction hypothesis easier to apply*)
   6.120  Goal  
   6.121 - "!!evs. evs : ns_shared ==>                             \
   6.122 + "evs : ns_shared ==>                             \
   6.123  \  ALL K KK. KK <= Compl (range shrK) -->                \
   6.124  \            (Key K : analz (Key``KK Un (spies evs))) =  \
   6.125  \            (K : KK | Key K : analz (spies evs))";
   6.126 @@ -213,7 +213,7 @@
   6.127  
   6.128  
   6.129  Goal
   6.130 - "!!evs. [| evs : ns_shared;  KAB ~: range shrK |] ==>  \
   6.131 + "[| evs : ns_shared;  KAB ~: range shrK |] ==>  \
   6.132  \        Key K : analz (insert (Key KAB) (spies evs)) = \
   6.133  \        (K = KAB | Key K : analz (spies evs))";
   6.134  by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
   6.135 @@ -223,7 +223,7 @@
   6.136  (** The session key K uniquely identifies the message **)
   6.137  
   6.138  Goal 
   6.139 - "!!evs. evs : ns_shared ==>                                               \
   6.140 + "evs : ns_shared ==>                                               \
   6.141  \      EX A' NA' B' X'. ALL A NA B X.                                      \
   6.142  \       Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|}) : set evs \
   6.143  \       -->         A=A' & NA=NA' & B=B' & X=X'";
   6.144 @@ -241,7 +241,7 @@
   6.145  
   6.146  (*In messages of this form, the session key uniquely identifies the rest*)
   6.147  Goal 
   6.148 - "!!evs. [| Says Server A                                               \
   6.149 + "[| Says Server A                                               \
   6.150  \             (Crypt (shrK A) {|NA, Agent B, Key K, X|}) : set evs;     \ 
   6.151  \           Says Server A'                                              \
   6.152  \             (Crypt (shrK A') {|NA', Agent B', Key K, X'|}) : set evs; \
   6.153 @@ -253,7 +253,7 @@
   6.154  (** Crucial secrecy property: Spy does not see the keys sent in msg NS2 **)
   6.155  
   6.156  Goal 
   6.157 - "!!evs. [| A ~: bad;  B ~: bad;  evs : ns_shared |]                   \
   6.158 + "[| A ~: bad;  B ~: bad;  evs : ns_shared |]                   \
   6.159  \        ==> Says Server A                                             \
   6.160  \              (Crypt (shrK A) {|NA, Agent B, Key K,                   \
   6.161  \                                Crypt (shrK B) {|Key K, Agent A|}|})  \
   6.162 @@ -286,7 +286,7 @@
   6.163  
   6.164  (*Final version: Server's message in the most abstract form*)
   6.165  Goal 
   6.166 - "!!evs. [| Says Server A                                        \
   6.167 + "[| Says Server A                                        \
   6.168  \              (Crypt K' {|NA, Agent B, Key K, X|}) : set evs;   \
   6.169  \           ALL NB. Notes Spy {|NA, NB, Key K|} ~: set evs;      \
   6.170  \           A ~: bad;  B ~: bad;  evs : ns_shared                \
   6.171 @@ -303,7 +303,7 @@
   6.172  
   6.173  (*If the encrypted message appears then it originated with the Server*)
   6.174  Goal
   6.175 - "!!evs. [| Crypt (shrK B) {|Key K, Agent A|} : parts (spies evs);     \
   6.176 + "[| Crypt (shrK B) {|Key K, Agent A|} : parts (spies evs);     \
   6.177  \           B ~: bad;  evs : ns_shared |]                              \
   6.178  \         ==> EX NA. Says Server A                                     \
   6.179  \              (Crypt (shrK A) {|NA, Agent B, Key K,                   \
   6.180 @@ -316,7 +316,7 @@
   6.181  
   6.182  
   6.183  Goal
   6.184 - "!!evs. [| Crypt K (Nonce NB) : parts (spies evs);                   \
   6.185 + "[| Crypt K (Nonce NB) : parts (spies evs);                   \
   6.186  \           Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|})  \
   6.187  \              : set evs;                                             \
   6.188  \           Key K ~: analz (spies evs);                               \
   6.189 @@ -343,7 +343,7 @@
   6.190  
   6.191  (*This version no longer assumes that K is secure*)
   6.192  Goal
   6.193 - "!!evs. [| Crypt K (Nonce NB) : parts (spies evs);                   \
   6.194 + "[| Crypt K (Nonce NB) : parts (spies evs);                   \
   6.195  \           Crypt (shrK A) {|NA, Agent B, Key K, X|} : parts (spies evs); \
   6.196  \           ALL NB. Notes Spy {|NA, NB, Key K|} ~: set evs;           \
   6.197  \           A ~: bad;  B ~: bad;  evs : ns_shared |]                  \
   6.198 @@ -357,7 +357,7 @@
   6.199    component X in some instance of NS4.  Perhaps an interesting property, 
   6.200    but not needed (after all) for the proofs below.*)
   6.201  Goal
   6.202 - "!!evs. [| Crypt K (Nonce NB) : parts (spies evs);     \
   6.203 + "[| Crypt K (Nonce NB) : parts (spies evs);     \
   6.204  \           Says Server A (Crypt (shrK A) {|NA, Agent B, Key K, X|})  \
   6.205  \             : set evs;                                              \
   6.206  \           Key K ~: analz (spies evs);                               \
   6.207 @@ -384,7 +384,7 @@
   6.208  
   6.209  
   6.210  Goal
   6.211 - "!!evs. [| B ~: bad;  evs : ns_shared |]                              \
   6.212 + "[| B ~: bad;  evs : ns_shared |]                              \
   6.213  \        ==> Key K ~: analz (spies evs) -->                            \
   6.214  \            Says Server A                                             \
   6.215  \              (Crypt (shrK A) {|NA, Agent B, Key K,                   \
   6.216 @@ -412,7 +412,7 @@
   6.217  
   6.218  (*Very strong Oops condition reveals protocol's weakness*)
   6.219  Goal
   6.220 - "!!evs. [| Crypt K {|Nonce NB, Nonce NB|} : parts (spies evs);      \
   6.221 + "[| Crypt K {|Nonce NB, Nonce NB|} : parts (spies evs);      \
   6.222  \           Says B A (Crypt K (Nonce NB))  : set evs;                \
   6.223  \           Crypt (shrK B) {|Key K, Agent A|} : parts (spies evs);   \
   6.224  \           ALL NA NB. Notes Spy {|NA, NB, Key K|} ~: set evs;       \
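--- a/src/HOL/Auth/OtwayRees.ML	Thu Jul 02 17:27:35 1998 +0200
+++ b/src/HOL/Auth/OtwayRees.ML	Thu Jul 02 17:48:11 1998 +0200
@@ -24,10 +24,10 @@
 
 (*A "possibility property": there are traces that reach the end*)
 Goal 
- "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
-\        ==> EX K. EX NA. EX evs: otway.          \
-\               Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
-\                 : set evs";
+ "[| A ~= B; A ~= Server; B ~= Server |]   \
+\     ==> EX K. EX NA. EX evs: otway.          \
+\            Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
+\              : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2);
 by possibility_tac;
@@ -37,7 +37,7 @@
 (**** Inductive proofs about otway ****)
 
 (*Nobody sends themselves messages*)
-Goal "!!evs. evs : otway ==> ALL A X. Says A A X ~: set evs";
+Goal "evs : otway ==> ALL A X. Says A A X ~: set evs";
 by (etac otway.induct 1);
 by Auto_tac;
 qed_spec_mp "not_Says_to_self";
@@ -47,20 +47,20 @@
 
 (** For reasoning about the encrypted portion of messages **)
 
-Goal "!!evs. Says A' B {|N, Agent A, Agent B, X|} : set evs \
-\                ==> X : analz (spies evs)";
+Goal "Says A' B {|N, Agent A, Agent B, X|} : set evs \
+\      ==> X : analz (spies evs)";
 by (dtac (Says_imp_spies RS analz.Inj) 1);
 by (Blast_tac 1);
 qed "OR2_analz_spies";
 
-Goal "!!evs. Says S' B {|N, X, Crypt (shrK B) X'|} : set evs \
-\                ==> X : analz (spies evs)";
+Goal "Says S' B {|N, X, Crypt (shrK B) X'|} : set evs \
+\      ==> X : analz (spies evs)";
 by (dtac (Says_imp_spies RS analz.Inj) 1);
 by (Blast_tac 1);
 qed "OR4_analz_spies";
 
-Goal "!!evs. Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set evs \
-\                ==> K : parts (spies evs)";
+Goal "Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set evs \
+\      ==> K : parts (spies evs)";
 by (Blast_tac 1);
 qed "Oops_parts_spies";
 
@@ -83,14 +83,14 @@
 
 (*Spy never sees a good agent's shared key!*)
 Goal 
- "!!evs. evs : otway ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
+ "evs : otway ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
 by (parts_induct_tac 1);
 by (ALLGOALS Blast_tac);
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
 Goal 
- "!!evs. evs : otway ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
+ "evs : otway ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
 by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
@@ -100,8 +100,8 @@
 
 
 (*Nobody can have used non-existent keys!*)
-Goal "!!evs. evs : otway ==>          \
-\         Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
+Goal "evs : otway ==>          \
+\  Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
 by (parts_induct_tac 1);
 (*Fake*)
 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
@@ -122,8 +122,8 @@
 (*Describes the form of K and NA when the Server sends this message.  Also
   for Oops case.*)
 Goal 
- "!!evs. [| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
-\           evs : otway |]                                           \
+ "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
+\    evs : otway |]                                           \
 \     ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
 by (etac rev_mp 1);
 by (etac otway.induct 1);
@@ -154,10 +154,10 @@
 
 (*The equality makes the induction hypothesis easier to apply*)
 Goal  
- "!!evs. evs : otway ==>                                    \
+ "evs : otway ==>                                    \
 \  ALL K KK. KK <= Compl (range shrK) -->                   \
-\            (Key K : analz (Key``KK Un (spies evs))) =  \
-\            (K : KK | Key K : analz (spies evs))";
+\     (Key K : analz (Key``KK Un (spies evs))) =  \
+\     (K : KK | Key K : analz (spies evs))";
 by (etac otway.induct 1);
 by analz_spies_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -169,9 +169,9 @@
 
 
 Goal
- "!!evs. [| evs : otway;  KAB ~: range shrK |] ==>          \
-\        Key K : analz (insert (Key KAB) (spies evs)) =  \
-\        (K = KAB | Key K : analz (spies evs))";
+ "[| evs : otway;  KAB ~: range shrK |] ==>          \
+\ Key K : analz (insert (Key KAB) (spies evs)) =  \
+\ (K = KAB | Key K : analz (spies evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
@@ -179,7 +179,7 @@
 (*** The Key K uniquely identifies the Server's  message. **)
 
 Goal 
- "!!evs. evs : otway ==>                                                  \
+ "evs : otway ==>                                                  \
 \   EX B' NA' NB' X'. ALL B NA NB X.                                      \
 \     Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} : set evs -->     \
 \     B=B' & NA=NA' & NB=NB' & X=X'";
@@ -196,9 +196,9 @@
 val lemma = result();
 
 Goal 
- "!!evs. [| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}   : set evs; \ 
-\           Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} : set evs; \
-\           evs : otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
+ "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}   : set evs; \ 
+\    Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} : set evs; \
+\    evs : otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
 by (prove_unique_tac lemma 1);
 qed "unique_session_keys";
 
@@ -208,11 +208,11 @@
 
 (*Only OR1 can have caused such a part of a message to appear.*)
 Goal 
- "!!evs. [| A ~: bad;  evs : otway |]                             \
-\        ==> Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (spies evs) --> \
-\            Says A B {|NA, Agent A, Agent B,                      \
-\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}  \
-\             : set evs";
+ "[| A ~: bad;  evs : otway |]                             \
+\ ==> Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (spies evs) --> \
+\     Says A B {|NA, Agent A, Agent B,                      \
+\                Crypt (shrK A) {|NA, Agent A, Agent B|}|}  \
+\      : set evs";
 by (parts_induct_tac 1);
 by (Blast_tac 1);
 qed_spec_mp "Crypt_imp_OR1";
@@ -221,7 +221,7 @@
 (** The Nonce NA uniquely identifies A's message. **)
 
 Goal 
- "!!evs. [| evs : otway; A ~: bad |]               \
+ "[| evs : otway; A ~: bad |]               \
 \ ==> EX B'. ALL B.                                 \
 \        Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (spies evs) \
 \        --> B = B'";
@@ -234,7 +234,7 @@
 val lemma = result();
 
 Goal 
- "!!evs.[| Crypt (shrK A) {|NA, Agent A, Agent B|}: parts (spies evs); \
+ "[| Crypt (shrK A) {|NA, Agent A, Agent B|}: parts (spies evs); \
 \          Crypt (shrK A) {|NA, Agent A, Agent C|}: parts (spies evs); \
 \          evs : otway;  A ~: bad |]                                   \
 \        ==> B = C";
@@ -246,7 +246,7 @@
   OR2 encrypts Nonce NB.  It prevents the attack that can occur in the
   over-simplified version of this protocol: see OtwayRees_Bad.*)
 Goal 
- "!!evs. [| A ~: bad;  evs : otway |]                      \
+ "[| A ~: bad;  evs : otway |]                      \
 \        ==> Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (spies evs) --> \
 \            Crypt (shrK A) {|NA', NA, Agent A', Agent A|}  \
 \             ~: parts (spies evs)";
@@ -259,7 +259,7 @@
 (*Crucial property: If the encrypted message appears, and A has used NA
   to start a run, then it originated with the Server!*)
 Goal 
- "!!evs. [| A ~: bad;  evs : otway |]                                  \
+ "[| A ~: bad;  evs : otway |]                                  \
 \    ==> Crypt (shrK A) {|NA, Key K|} : parts (spies evs)              \
 \        --> Says A B {|NA, Agent A, Agent B,                          \
 \                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}      \
@@ -291,15 +291,15 @@
   bad form of this protocol, even though we can prove
   Spy_not_see_encrypted_key*)
 Goal 
- "!!evs. [| Says A  B {|NA, Agent A, Agent B,                       \
-\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
-\           Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs; \
-\           A ~: bad;  evs : otway |]                              \
-\        ==> EX NB. Says Server B                                  \
-\                     {|NA,                                        \
-\                       Crypt (shrK A) {|NA, Key K|},              \
-\                       Crypt (shrK B) {|NB, Key K|}|}             \
-\                       : set evs";
+ "[| Says A  B {|NA, Agent A, Agent B,                       \
+\                Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
+\    Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs; \
+\    A ~: bad;  evs : otway |]                              \
+\ ==> EX NB. Says Server B                                  \
+\              {|NA,                                        \
+\                Crypt (shrK A) {|NA, Key K|},              \
+\                Crypt (shrK B) {|NB, Key K|}|}             \
+\                : set evs";
 by (blast_tac (claset() addSIs [NA_Crypt_imp_Server_msg]) 1);
 qed "A_trusts_OR4";
 
@@ -309,12 +309,12 @@
     the premises, e.g. by having A=Spy **)
 
 Goal 
- "!!evs. [| A ~: bad;  B ~: bad;  evs : otway |]                      \
-\        ==> Says Server B                                            \
-\              {|NA, Crypt (shrK A) {|NA, Key K|},                    \
-\                Crypt (shrK B) {|NB, Key K|}|} : set evs -->         \
-\            Notes Spy {|NA, NB, Key K|} ~: set evs -->               \
-\            Key K ~: analz (spies evs)";
+ "[| A ~: bad;  B ~: bad;  evs : otway |]                      \
+\ ==> Says Server B                                            \
+\       {|NA, Crypt (shrK A) {|NA, Key K|},                    \
+\         Crypt (shrK B) {|NB, Key K|}|} : set evs -->         \
+\     Notes Spy {|NA, NB, Key K|} ~: set evs -->               \
+\     Key K ~: analz (spies evs)";
 by (etac otway.induct 1);
 by analz_spies_tac;
 by (ALLGOALS
@@ -331,13 +331,12 @@
 by (spy_analz_tac 1);
 val lemma = result() RS mp RS mp RSN(2,rev_notE);
 
-Goal 
- "!!evs. [| Says Server B                                           \
-\            {|NA, Crypt (shrK A) {|NA, Key K|},                    \
-\                  Crypt (shrK B) {|NB, Key K|}|} : set evs;        \
-\           Notes Spy {|NA, NB, Key K|} ~: set evs;                 \
-\           A ~: bad;  B ~: bad;  evs : otway |]                    \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says Server B                                           \
+\         {|NA, Crypt (shrK A) {|NA, Key K|},                    \
+\               Crypt (shrK B) {|NB, Key K|}|} : set evs;        \
+\        Notes Spy {|NA, NB, Key K|} ~: set evs;                 \
+\        A ~: bad;  B ~: bad;  evs : otway |]                    \
+\     ==> Key K ~: analz (spies evs)";
 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
 by (blast_tac (claset() addSEs [lemma]) 1);
 qed "Spy_not_see_encrypted_key";
@@ -345,13 +344,12 @@
 
 (*A's guarantee.  The Oops premise quantifies over NB because A cannot know
   what it is.*)
-Goal 
- "!!evs. [| Says A  B {|NA, Agent A, Agent B,                       \
-\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
-\           Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs; \
-\           ALL NB. Notes Spy {|NA, NB, Key K|} ~: set evs;         \
-\           A ~: bad;  B ~: bad;  evs : otway |]                    \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says A  B {|NA, Agent A, Agent B,                       \
+\                    Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
+\        Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs; \
+\        ALL NB. Notes Spy {|NA, NB, Key K|} ~: set evs;         \
+\        A ~: bad;  B ~: bad;  evs : otway |]                    \
+\     ==> Key K ~: analz (spies evs)";
 by (blast_tac (claset() addSDs [A_trusts_OR4, Spy_not_see_encrypted_key]) 1);
 qed "A_gets_good_key";
 
@@ -361,13 +359,13 @@
 (*Only OR2 can have caused such a part of a message to appear.  We do not
   know anything about X: it does NOT have to have the right form.*)
 Goal 
- "!!evs. [| B ~: bad;  evs : otway |]                         \
-\        ==> Crypt (shrK B) {|NA, NB, Agent A, Agent B|}       \
-\             : parts (spies evs) -->                       \
-\            (EX X. Says B Server                              \
-\             {|NA, Agent A, Agent B, X,                       \
-\               Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}  \
-\             : set evs)";
+ "[| B ~: bad;  evs : otway |]                         \
+\     ==> Crypt (shrK B) {|NA, NB, Agent A, Agent B|}       \
+\          : parts (spies evs) -->                       \
+\         (EX X. Says B Server                              \
+\          {|NA, Agent A, Agent B, X,                       \
+\            Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}  \
+\          : set evs)";
 by (parts_induct_tac 1);
 by (ALLGOALS Blast_tac);
 bind_thm ("Crypt_imp_OR2", result() RSN (2,rev_mp) RS exE);
@@ -375,8 +373,7 @@
 
 (** The Nonce NB uniquely identifies B's  message. **)
 
-Goal 
- "!!evs. [| evs : otway; B ~: bad |]  \
+Goal "[| evs : otway; B ~: bad |]  \
 \ ==> EX NA' A'. ALL NA A.            \
 \      Crypt (shrK B) {|NA, NB, Agent A, Agent B|} : parts(spies evs) \
 \      --> NA = NA' & A = A'";
@@ -389,7 +386,7 @@
 val lemma = result();
 
 Goal 
- "!!evs.[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} : parts(spies evs); \
+ "[| Crypt (shrK B) {|NA, NB, Agent A, Agent B|} : parts(spies evs); \
 \          Crypt (shrK B) {|NC, NB, Agent C, Agent B|} : parts(spies evs); \
 \          evs : otway;  B ~: bad |]             \
 \        ==> NC = NA & C = A";
@@ -399,16 +396,15 @@
 
 (*If the encrypted message appears, and B has used Nonce NB,
   then it originated with the Server!*)
-Goal 
- "!!evs. [| B ~: bad;  evs : otway |]                                    \
-\    ==> Crypt (shrK B) {|NB, Key K|} : parts (spies evs)                \
-\        --> (ALL X'. Says B Server                                      \
-\                       {|NA, Agent A, Agent B, X',                      \
-\                         Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}  \
-\             : set evs                                                  \
-\             --> Says Server B                                          \
-\                  {|NA, Crypt (shrK A) {|NA, Key K|},                   \
-\                        Crypt (shrK B) {|NB, Key K|}|}                  \
+Goal "[| B ~: bad;  evs : otway |]                                    \
+\ ==> Crypt (shrK B) {|NB, Key K|} : parts (spies evs)                \
+\     --> (ALL X'. Says B Server                                      \
+\                    {|NA, Agent A, Agent B, X',                      \
+\                      Crypt (shrK B) {|NA, NB, Agent A, Agent B|}|}  \
+\          : set evs                                                  \
+\          --> Says Server B                                          \
+\               {|NA, Crypt (shrK A) {|NA, Key K|},                   \
+\                     Crypt (shrK B) {|NB, Key K|}|}                  \
 \                   : set evs)";
 by (parts_induct_tac 1);
 by (Blast_tac 1);
@@ -430,42 +426,39 @@
 
 (*Guarantee for B: if it gets a message with matching NB then the Server
   has sent the correct message.*)
-Goal 
- "!!evs. [| Says B Server {|NA, Agent A, Agent B, X',              \
-\                           Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
-\            : set evs;                                            \
-\           Says S' B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs;   \
-\           B ~: bad;  evs : otway |]                              \
-\        ==> Says Server B                                         \
-\                 {|NA,                                            \
-\                   Crypt (shrK A) {|NA, Key K|},                  \
-\                   Crypt (shrK B) {|NB, Key K|}|}                 \
-\                   : set evs";
+Goal "[| Says B Server {|NA, Agent A, Agent B, X',              \
+\                        Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
+\         : set evs;                                            \
+\        Says S' B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs;   \
+\        B ~: bad;  evs : otway |]                              \
+\     ==> Says Server B                                         \
+\              {|NA,                                            \
+\                Crypt (shrK A) {|NA, Key K|},                  \
+\                Crypt (shrK B) {|NB, Key K|}|}                 \
+\                : set evs";
 by (blast_tac (claset() addSIs [NB_Crypt_imp_Server_msg]) 1);
 qed "B_trusts_OR3";
 
 
 (*The obvious combination of B_trusts_OR3 with Spy_not_see_encrypted_key*)
-Goal 
- "!!evs. [| Says B Server {|NA, Agent A, Agent B, X',              \
-\                           Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
-\             : set evs;                                           \
-\           Says S' B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs;   \
-\           Notes Spy {|NA, NB, Key K|} ~: set evs;                \
-\           A ~: bad;  B ~: bad;  evs : otway |]                   \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says B Server {|NA, Agent A, Agent B, X',              \
+\                        Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
+\          : set evs;                                           \
+\        Says S' B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs;   \
+\        Notes Spy {|NA, NB, Key K|} ~: set evs;                \
+\        A ~: bad;  B ~: bad;  evs : otway |]                   \
+\     ==> Key K ~: analz (spies evs)";
 by (blast_tac (claset() addSDs [B_trusts_OR3, Spy_not_see_encrypted_key]) 1);
 qed "B_gets_good_key";
 
 
-Goal 
- "!!evs. [| B ~: bad;  evs : otway |]                            \
-\        ==> Says Server B                                       \
-\              {|NA, Crypt (shrK A) {|NA, Key K|},               \
-\                Crypt (shrK B) {|NB, Key K|}|} : set evs -->    \
-\            (EX X. Says B Server {|NA, Agent A, Agent B, X,     \
-\                            Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
-\            : set evs)";
+Goal "[| B ~: bad;  evs : otway |]                            \
+\     ==> Says Server B                                       \
+\           {|NA, Crypt (shrK A) {|NA, Key K|},               \
+\             Crypt (shrK B) {|NB, Key K|}|} : set evs -->    \
+\         (EX X. Says B Server {|NA, Agent A, Agent B, X,     \
+\                         Crypt (shrK B) {|NA, NB, Agent A, Agent B|} |} \
+\         : set evs)";
 by (etac otway.induct 1);
 by (ALLGOALS Asm_simp_tac);
 by (blast_tac (claset() addSEs [Crypt_imp_OR2]) 3);
@@ -476,14 +469,13 @@
 (*After getting and checking OR4, agent A can trust that B has been active.
   We could probably prove that X has the expected form, but that is not
   strictly necessary for authentication.*)
-Goal 
- "!!evs. [| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs;        \
-\           Says A  B {|NA, Agent A, Agent B,                                \
-\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
-\           A ~: bad;  B ~: bad;  evs : otway |]                             \
-\        ==> EX NB X. Says B Server {|NA, Agent A, Agent B, X,               \
-\                              Crypt (shrK B)  {|NA, NB, Agent A, Agent B|} |}\
-\            : set evs";
+Goal "[| Says B' A {|NA, Crypt (shrK A) {|NA, Key K|}|} : set evs;        \
+\        Says A  B {|NA, Agent A, Agent B,                                \
+\                    Crypt (shrK A) {|NA, Agent A, Agent B|}|} : set evs; \
+\        A ~: bad;  B ~: bad;  evs : otway |]                             \
+\     ==> EX NB X. Says B Server {|NA, Agent A, Agent B, X,               \
+\                           Crypt (shrK B)  {|NA, NB, Agent A, Agent B|} |}\
+\         : set evs";
 by (blast_tac (claset() addSDs [A_trusts_OR4]
                         addSEs [OR3_imp_OR2]) 1);
 qed "A_auths_B";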
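Review bot: The last goal rewritten in the `@@ -430,42 +426,39 @@` hunk (`Goal "[| B ~: bad;  evs : otway |] ==> Says Server B ... -->`) has no header comment, unlike the guarantees next to it in the same hunk, which each say what they establish. As written it states that, for an uncompromised B on an `otway` trace, a Server message to B containing `Crypt (shrK B) {|NB, Key K|}` implies B sent the Server a request containing `Crypt (shrK B) {|NA, NB, Agent A, Agent B|}`. I would add `(*If the Server has sent B this message for nonce NB and B is not bad, then B sent the Server the matching request containing NB*)` above `Goal`, so a reader can tell which direction of the authentication argument it supplies. The end of the proof and its `qed` line fall outside the hunk, so the lemma name is not visible; the use of `OR3_imp_OR2` in the `A_auths_B` proof below suggests it is that lemma.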
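--- a/src/HOL/Auth/OtwayRees_AN.ML	Thu Jul 02 17:27:35 1998 +0200
+++ b/src/HOL/Auth/OtwayRees_AN.ML	Thu Jul 02 17:48:11 1998 +0200
@@ -24,10 +24,10 @@
 
 (*A "possibility property": there are traces that reach the end*)
 Goal 
- "!!A B. [| A ~= B; A ~= Server; B ~= Server |]                               \
-\        ==> EX K. EX NA. EX evs: otway.                                      \
-\             Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) \
-\             : set evs";
+ "[| A ~= B; A ~= Server; B ~= Server |]                               \
+\  ==> EX K. EX NA. EX evs: otway.                                      \
+\       Says B A (Crypt (shrK A) {|Nonce NA, Agent A, Agent B, Key K|}) \
+\       : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2);
 by possibility_tac;
@@ -37,7 +37,7 @@
 (**** Inductive proofs about otway ****)
 
 (*Nobody sends themselves messages*)
-Goal "!!evs. evs : otway ==> ALL A X. Says A A X ~: set evs";
+Goal "evs : otway ==> ALL A X. Says A A X ~: set evs";
 by (etac otway.induct 1);
 by Auto_tac;
 qed_spec_mp "not_Says_to_self";
@@ -47,14 +47,14 @@
 
 (** For reasoning about the encrypted portion of messages **)
 
-Goal "!!evs. Says S' B {|X, Crypt(shrK B) X'|} : set evs ==> \
-\                X : analz (spies evs)";
+Goal "Says S' B {|X, Crypt(shrK B) X'|} : set evs ==> \
+\          X : analz (spies evs)";
 by (dtac (Says_imp_spies RS analz.Inj) 1);
 by (Blast_tac 1);
 qed "OR4_analz_spies";
 
-Goal "!!evs. Says Server B {|X, Crypt K' {|NB, a, Agent B, K|}|} \
-\                  : set evs ==> K : parts (spies evs)";
+Goal "Says Server B {|X, Crypt K' {|NB, a, Agent B, K|}|} \
+\            : set evs ==> K : parts (spies evs)";
 by (Blast_tac 1);
 qed "Oops_parts_spies";
 
@@ -73,15 +73,13 @@
     sends messages containing X! **)
 
 (*Spy never sees a good agent's shared key!*)
-Goal 
- "!!evs. evs : otway ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
+Goal "evs : otway ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
 by (parts_induct_tac 1);
 by (ALLGOALS Blast_tac);
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
-Goal 
- "!!evs. evs : otway ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
+Goal "evs : otway ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
 by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
@@ -91,8 +89,7 @@
 
 
 (*Nobody can have used non-existent keys!*)
-Goal "!!evs. evs : otway ==>          \
-\         Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
+Goal "evs : otway ==> Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
 by (parts_induct_tac 1);
 (*Fake*)
 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
@@ -111,13 +108,12 @@
 (*** Proofs involving analz ***)
 
 (*Describes the form of K and NA when the Server sends this message.*)
-Goal 
- "!!evs. [| Says Server B                                           \
-\              {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},    \
-\                Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}   \
-\             : set evs;                                            \
-\           evs : otway |]                                          \
-\        ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
+Goal "[| Says Server B                                           \
+\           {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},    \
+\             Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}   \
+\          : set evs;                                            \
+\        evs : otway |]                                          \
+\     ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
 by (etac rev_mp 1);
 by (etac otway.induct 1);
 by (ALLGOALS Asm_simp_tac);
@@ -146,11 +142,10 @@
 (** Session keys are not used to encrypt other session keys **)
 
 (*The equality makes the induction hypothesis easier to apply*)
-Goal  
- "!!evs. evs : otway ==>                                 \
+Goal "evs : otway ==>                                 \
 \  ALL K KK. KK <= Compl (range shrK) -->                \
-\            (Key K : analz (Key``KK Un (spies evs))) =  \
-\            (K : KK | Key K : analz (spies evs))";
+\         (Key K : analz (Key``KK Un (spies evs))) =  \
+\         (K : KK | Key K : analz (spies evs))";
 by (etac otway.induct 1);
 by analz_spies_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -161,23 +156,21 @@
 qed_spec_mp "analz_image_freshK";
 
 
-Goal
- "!!evs. [| evs : otway;  KAB ~: range shrK |] ==>       \
-\        Key K : analz (insert (Key KAB) (spies evs)) =  \
-\        (K = KAB | Key K : analz (spies evs))";
+Goal "[| evs : otway;  KAB ~: range shrK |] ==>       \
+\     Key K : analz (insert (Key KAB) (spies evs)) =  \
+\     (K = KAB | Key K : analz (spies evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
 
 (*** The Key K uniquely identifies the Server's message. **)
 
-Goal 
- "!!evs. evs : otway ==>                                            \
-\      EX A' B' NA' NB'. ALL A B NA NB.                             \
-\       Says Server B                                               \
-\         {|Crypt (shrK A) {|NA, Agent A, Agent B, K|},             \
-\           Crypt (shrK B) {|NB, Agent A, Agent B, K|}|} : set evs  \
-\       --> A=A' & B=B' & NA=NA' & NB=NB'";
+Goal "evs : otway ==>                                            \
+\   EX A' B' NA' NB'. ALL A B NA NB.                             \
+\    Says Server B                                               \
+\      {|Crypt (shrK A) {|NA, Agent A, Agent B, K|},             \
+\        Crypt (shrK B) {|NB, Agent A, Agent B, K|}|} : set evs  \
+\    --> A=A' & B=B' & NA=NA' & NB=NB'";
 by (etac otway.induct 1);
 by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
 by (ALLGOALS Clarify_tac);
@@ -191,17 +184,16 @@
 val lemma = result();
 
 
-Goal 
-"!!evs. [| Says Server B                                           \
-\            {|Crypt (shrK A) {|NA, Agent A, Agent B, K|},         \
-\              Crypt (shrK B) {|NB, Agent A, Agent B, K|}|}        \
-\           : set evs;                                             \
-\          Says Server B'                                          \
-\            {|Crypt (shrK A') {|NA', Agent A', Agent B', K|},     \
-\              Crypt (shrK B') {|NB', Agent A', Agent B', K|}|}    \
-\           : set evs;                                             \
-\          evs : otway |]                                          \
-\       ==> A=A' & B=B' & NA=NA' & NB=NB'";
+Goal "[| Says Server B                                           \
+\         {|Crypt (shrK A) {|NA, Agent A, Agent B, K|},         \
+\           Crypt (shrK B) {|NB, Agent A, Agent B, K|}|}        \
+\        : set evs;                                             \
+\       Says Server B'                                          \
+\         {|Crypt (shrK A') {|NA', Agent A', Agent B', K|},     \
+\           Crypt (shrK B') {|NB', Agent A', Agent B', K|}|}    \
+\        : set evs;                                             \
+\       evs : otway |]                                          \
+\    ==> A=A' & B=B' & NA=NA' & NB=NB'";
 by (prove_unique_tac lemma 1);
 qed "unique_session_keys";
 
@@ -210,13 +202,12 @@
 (**** Authenticity properties relating to NA ****)
 
 (*If the encrypted message appears then it originated with the Server!*)
-Goal 
- "!!evs. [| A ~: bad;  evs : otway |]                 \
+Goal "[| A ~: bad;  evs : otway |]                 \
 \ ==> Crypt (shrK A) {|NA, Agent A, Agent B, Key K|} : parts (spies evs) \
-\     --> (EX NB. Says Server B                                          \
-\                  {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},     \
-\                    Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}    \
-\                  : set evs)";
+\  --> (EX NB. Says Server B                                          \
+\               {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},     \
+\                 Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}    \
+\               : set evs)";
 by (parts_induct_tac 1);
 by (Blast_tac 1);
 by (ALLGOALS (asm_simp_tac (simpset() addsimps [ex_disj_distrib])));
@@ -227,14 +218,13 @@
 
 (*Corollary: if A receives B's OR4 message then it originated with the Server.
   Freshness may be inferred from nonce NA.*)
-Goal 
- "!!evs. [| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|})  \
-\            : set evs;                                                 \
-\           A ~: bad;  evs : otway |]                                  \
-\        ==> EX NB. Says Server B                                       \
-\                    {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},  \
-\                      Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
-\                   : set evs";
+Goal "[| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|})  \
+\         : set evs;                                                 \
+\        A ~: bad;  evs : otway |]                                  \
+\     ==> EX NB. Says Server B                                       \
+\                 {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},  \
+\                   Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
+\                : set evs";
 by (blast_tac (claset() addSIs [NA_Crypt_imp_Server_msg]) 1);
 qed "A_trusts_OR4";
 
@@ -243,14 +233,13 @@
     Does not in itself guarantee security: an attack could violate 
     the premises, e.g. by having A=Spy **)
 
-Goal 
- "!!evs. [| A ~: bad;  B ~: bad;  evs : otway |]                   \
-\        ==> Says Server B                                         \
-\             {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},    \
-\               Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}   \
-\            : set evs -->                                         \
-\            Notes Spy {|NA, NB, Key K|} ~: set evs -->            \
-\            Key K ~: analz (spies evs)";
+Goal "[| A ~: bad;  B ~: bad;  evs : otway |]                   \
+\     ==> Says Server B                                         \
+\          {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},    \
+\            Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}   \
+\         : set evs -->                                         \
+\         Notes Spy {|NA, NB, Key K|} ~: set evs -->            \
+\         Key K ~: analz (spies evs)";
 by (etac otway.induct 1);
 by analz_spies_tac;
 by (ALLGOALS
@@ -267,14 +256,13 @@
 by (spy_analz_tac 1);
 val lemma = result() RS mp RS mp RSN(2,rev_notE);
 
-Goal 
- "!!evs. [| Says Server B                                           \
-\              {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},    \
-\                Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}   \
-\             : set evs;                                            \
-\           Notes Spy {|NA, NB, Key K|} ~: set evs;                 \
-\           A ~: bad;  B ~: bad;  evs : otway |]                    \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says Server B                                           \
+\           {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},    \
+\             Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}   \
+\          : set evs;                                            \
+\        Notes Spy {|NA, NB, Key K|} ~: set evs;                 \
+\        A ~: bad;  B ~: bad;  evs : otway |]                    \
+\     ==> Key K ~: analz (spies evs)";
 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
 by (blast_tac (claset() addSEs [lemma]) 1);
 qed "Spy_not_see_encrypted_key";
@@ -282,12 +270,11 @@
 
 (*A's guarantee.  The Oops premise quantifies over NB because A cannot know
   what it is.*)
-Goal 
- "!!evs. [| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|})  \
-\            : set evs;                                                 \
-\           ALL NB. Notes Spy {|NA, NB, Key K|} ~: set evs;         \
-\           A ~: bad;  B ~: bad;  evs : otway |]                    \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says B' A (Crypt (shrK A) {|NA, Agent A, Agent B, Key K|})  \
+\         : set evs;                                                 \
+\        ALL NB. Notes Spy {|NA, NB, Key K|} ~: set evs;         \
+\        A ~: bad;  B ~: bad;  evs : otway |]                    \
+\     ==> Key K ~: analz (spies evs)";
 by (blast_tac (claset() addSDs [A_trusts_OR4, Spy_not_see_encrypted_key]) 1);
 qed "A_gets_good_key";
 
@@ -295,13 +282,12 @@
 (**** Authenticity properties relating to NB ****)
 
 (*If the encrypted message appears then it originated with the Server!*)
-Goal 
- "!!evs. [| B ~: bad;  evs : otway |]                                 \
-\    ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} : parts (spies evs) \
-\        --> (EX NA. Says Server B                                          \
-\                     {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},     \
-\                       Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}    \
-\                     : set evs)";
+Goal "[| B ~: bad;  evs : otway |]                                 \
+\ ==> Crypt (shrK B) {|NB, Agent A, Agent B, Key K|} : parts (spies evs) \
+\     --> (EX NA. Says Server B                                          \
+\                  {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},     \
+\                    Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}    \
+\                  : set evs)";
 by (parts_induct_tac 1);
 by (Blast_tac 1);
 by (ALLGOALS (asm_simp_tac (simpset() addsimps [ex_disj_distrib])));
@@ -312,24 +298,22 @@
 
 (*Guarantee for B: if it gets a well-formed certificate then the Server
   has sent the correct message in round 3.*)
-Goal 
- "!!evs. [| Says S' B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
-\             : set evs;                                                    \
-\           B ~: bad;  evs : otway |]                                       \
-\        ==> EX NA. Says Server B                                           \
-\                     {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},     \
-\                       Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}    \
-\                     : set evs";
+Goal "[| Says S' B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
+\          : set evs;                                                    \
+\        B ~: bad;  evs : otway |]                                       \
+\     ==> EX NA. Says Server B                                           \
+\                  {|Crypt (shrK A) {|NA, Agent A, Agent B, Key K|},     \
+\                    Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|}    \
+\                  : set evs";
 by (blast_tac (claset() addSIs [NB_Crypt_imp_Server_msg]) 1);
 qed "B_trusts_OR3";
 
 
 (*The obvious combination of B_trusts_OR3 with Spy_not_see_encrypted_key*)
-Goal 
- "!!evs. [| Says S' B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
-\            : set evs;                                            \
-\           ALL NA. Notes Spy {|NA, NB, Key K|} ~: set evs;                \
-\           A ~: bad;  B ~: bad;  evs : otway |]                   \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says S' B {|X, Crypt (shrK B) {|NB, Agent A, Agent B, Key K|}|} \
+\         : set evs;                                            \
+\        ALL NA. Notes Spy {|NA, NB, Key K|} ~: set evs;                \
+\        A ~: bad;  B ~: bad;  evs : otway |]                   \
+\     ==> Key K ~: analz (spies evs)";
 by (blast_tac (claset() addDs [B_trusts_OR3, Spy_not_see_encrypted_key]) 1);
 qed "B_gets_good_key";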
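Review bot: `B_gets_good_key`, the last goal in this file, states its Oops premise as `ALL NA. Notes Spy {|NA, NB, Key K|} ~: set evs`, but its comment only calls the lemma "the obvious combination" of two others and never says why NA is universally quantified. `A_gets_good_key` documents the mirror-image choice ("quantifies over NB because A cannot know what it is"). I would add the matching line here, e.g. `(*B's guarantee.  The Oops premise quantifies over NA because B cannot know what it is.*)`, on the assumption that the reason is symmetric. Separately, the possibility-property goal in the first hunk keeps `Goal ` alone on its line while every other goal was folded to `Goal "..."`; the first hunk of OtwayRees_Bad.ML has the same leftover.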
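--- a/src/HOL/Auth/OtwayRees_Bad.ML	Thu Jul 02 17:27:35 1998 +0200
+++ b/src/HOL/Auth/OtwayRees_Bad.ML	Thu Jul 02 17:48:11 1998 +0200
@@ -27,10 +27,10 @@
 
 (*A "possibility property": there are traces that reach the end*)
 Goal 
- "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
-\        ==> EX K. EX NA. EX evs: otway.          \
-\               Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
-\                 : set evs";
+ "[| A ~= B; A ~= Server; B ~= Server |]   \
+\  ==> EX K. EX NA. EX evs: otway.          \
+\         Says B A {|Nonce NA, Crypt (shrK A) {|Nonce NA, Key K|}|} \
+\           : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (otway.Nil RS otway.OR1 RS otway.OR2 RS otway.OR3 RS otway.OR4) 2);
 by possibility_tac;
@@ -40,7 +40,7 @@
 (**** Inductive proofs about otway ****)
 
 (*Nobody sends themselves messages*)
-Goal "!!evs. evs : otway ==> ALL A X. Says A A X ~: set evs";
+Goal "evs : otway ==> ALL A X. Says A A X ~: set evs";
 by (etac otway.induct 1);
 by Auto_tac;
 qed_spec_mp "not_Says_to_self";
@@ -50,20 +50,20 @@
 
 (** For reasoning about the encrypted portion of messages **)
 
-Goal "!!evs. Says A' B {|N, Agent A, Agent B, X|} : set evs \
-\                ==> X : analz (spies evs)";
+Goal "Says A' B {|N, Agent A, Agent B, X|} : set evs \
+\          ==> X : analz (spies evs)";
 by (dtac (Says_imp_spies RS analz.Inj) 1);
 by (Blast_tac 1);
 qed "OR2_analz_spies";
 
-Goal "!!evs. Says S' B {|N, X, Crypt (shrK B) X'|} : set evs \
-\                ==> X : analz (spies evs)";
+Goal "Says S' B {|N, X, Crypt (shrK B) X'|} : set evs \
+\          ==> X : analz (spies evs)";
 by (dtac (Says_imp_spies RS analz.Inj) 1);
 by (Blast_tac 1);
 qed "OR4_analz_spies";
 
-Goal "!!evs. Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set evs \
-\                ==> K : parts (spies evs)";
+Goal "Says Server B {|NA, X, Crypt K' {|NB,K|}|} : set evs \
+\          ==> K : parts (spies evs)";
 by (Blast_tac 1);
 qed "Oops_parts_spies";
 
@@ -85,15 +85,13 @@
     sends messages containing X! **)
 
 (*Spy never sees a good agent's shared key!*)
-Goal 
- "!!evs. evs : otway ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
+Goal "evs : otway ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
 by (parts_induct_tac 1);
 by (ALLGOALS Blast_tac);
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
-Goal 
- "!!evs. evs : otway ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
+Goal "evs : otway ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
 by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
@@ -103,8 +101,7 @@
 
 
 (*Nobody can have used non-existent keys!*)
-Goal "!!evs. evs : otway ==>          \
-\         Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
+Goal "evs : otway ==> Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
 by (parts_induct_tac 1);
 (*Fake*)
 by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
@@ -124,10 +121,9 @@
 
 (*Describes the form of K and NA when the Server sends this message.  Also
   for Oops case.*)
-Goal 
- "!!evs. [| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
-\           evs : otway |]                                           \
-\     ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
+Goal "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, Key K|}|} : set evs; \
+\        evs : otway |]                                           \
+\  ==> K ~: range shrK & (EX i. NA = Nonce i) & (EX j. NB = Nonce j)";
 by (etac rev_mp 1);
 by (etac otway.induct 1);
 by (ALLGOALS Simp_tac);
@@ -156,11 +152,10 @@
 (** Session keys are not used to encrypt other session keys **)
 
 (*The equality makes the induction hypothesis easier to apply*)
-Goal  
- "!!evs. evs : otway ==>                                    \
-\  ALL K KK. KK <= Compl (range shrK) -->                   \
-\            (Key K : analz (Key``KK Un (spies evs))) =  \
-\            (K : KK | Key K : analz (spies evs))";
+Goal "evs : otway ==>                                 \
+\  ALL K KK. KK <= Compl (range shrK) -->             \
+\         (Key K : analz (Key``KK Un (spies evs))) =  \
+\         (K : KK | Key K : analz (spies evs))";
 by (etac otway.induct 1);
 by analz_spies_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -171,19 +166,17 @@
 qed_spec_mp "analz_image_freshK";
 
 
-Goal
- "!!evs. [| evs : otway;  KAB ~: range shrK |] ==>          \
-\        Key K : analz (insert (Key KAB) (spies evs)) =  \
-\        (K = KAB | Key K : analz (spies evs))";
+Goal "[| evs : otway;  KAB ~: range shrK |] ==>       \
+\     Key K : analz (insert (Key KAB) (spies evs)) =  \
+\     (K = KAB | Key K : analz (spies evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
 
 (*** The Key K uniquely identifies the Server's  message. **)
 
-Goal 
- "!!evs. evs : otway ==>                                                  \
-\   EX B' NA' NB' X'. ALL B NA NB X.                                      \
+Goal "evs : otway ==>                                                  \
+\     EX B' NA' NB' X'. ALL B NA NB X.                                    \
 \     Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|} : set evs -->     \
 \     B=B' & NA=NA' & NB=NB' & X=X'";
 by (etac otway.induct 1);
@@ -198,10 +191,9 @@
 by (blast_tac (claset() addSEs spies_partsEs) 1);
 val lemma = result();
 
-Goal 
- "!!evs. [| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}   : set evs; \ 
-\           Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} : set evs; \
-\           evs : otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
+Goal "[| Says Server B {|NA, X, Crypt (shrK B) {|NB, K|}|}   : set evs; \ 
+\        Says Server B' {|NA',X',Crypt (shrK B') {|NB',K|}|} : set evs; \
+\        evs : otway |] ==> X=X' & B=B' & NA=NA' & NB=NB'";
 by (prove_unique_tac lemma 1);
 qed "unique_session_keys";
 
@@ -210,13 +202,12 @@
     Does not in itself guarantee security: an attack could violate 
     the premises, e.g. by having A=Spy **)
 
-Goal 
- "!!evs. [| A ~: bad;  B ~: bad;  evs : otway |]                      \
-\        ==> Says Server B                                            \
-\              {|NA, Crypt (shrK A) {|NA, Key K|},                    \
-\                Crypt (shrK B) {|NB, Key K|}|} : set evs -->         \
-\            Notes Spy {|NA, NB, Key K|} ~: set evs -->               \
-\            Key K ~: analz (spies evs)";
+Goal "[| A ~: bad;  B ~: bad;  evs : otway |]                      \
+\     ==> Says Server B                                            \
+\           {|NA, Crypt (shrK A) {|NA, Key K|},                    \
+\             Crypt (shrK B) {|NB, Key K|}|} : set evs -->         \
+\         Notes Spy {|NA, NB, Key K|} ~: set evs -->               \
+\         Key K ~: analz (spies evs)";
 by (etac otway.induct 1);
 by analz_spies_tac;
 by (ALLGOALS
@@ -233,13 +224,12 @@
 by (spy_analz_tac 1);
 val lemma = result() RS mp RS mp RSN(2,rev_notE);
 
-Goal 
- "!!evs. [| Says Server B                                           \
-\            {|NA, Crypt (shrK A) {|NA, Key K|},                    \
-\                  Crypt (shrK B) {|NB, Key K|}|} : set evs;        \
-\           Notes Spy {|NA, NB, Key K|} ~: set evs;                 \
-\           A ~: bad;  B ~: bad;  evs : otway |]                    \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says Server B                                           \
+\         {|NA, Crypt (shrK A) {|NA, Key K|},                    \
+\               Crypt (shrK B) {|NB, Key K|}|} : set evs;        \
+\        Notes Spy {|NA, NB, Key K|} ~: set evs;                 \
+\        A ~: bad;  B ~: bad;  evs : otway |]                    \
+\     ==> Key K ~: analz (spies evs)";
 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
 by (blast_tac (claset() addSEs [lemma]) 1);
 qed "Spy_not_see_encrypted_key";
@@ -251,11 +241,10 @@
   I'm not sure why A ~= B premise is needed: OtwayRees.ML doesn't need it.
   Perhaps it's because OR2 has two similar-looking encrypted messages in
         this version.*)
-Goal 
- "!!evs. [| A ~: bad;  A ~= B;  evs : otway |]                \
-\        ==> Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (spies evs) --> \
-\            Says A B {|NA, Agent A, Agent B,                  \
-\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}  : set evs";
+Goal "[| A ~: bad;  A ~= B;  evs : otway |]                \
+\     ==> Crypt (shrK A) {|NA, Agent A, Agent B|} : parts (spies evs) --> \
+\         Says A B {|NA, Agent A, Agent B,                  \
+\                    Crypt (shrK A) {|NA, Agent A, Agent B|}|}  : set evs";
 by (parts_induct_tac 1);
 by (ALLGOALS Blast_tac);
 qed_spec_mp "Crypt_imp_OR1";
@@ -265,16 +254,15 @@
   to start a run, then it originated with the Server!*)
 (*Only it is FALSE.  Somebody could make a fake message to Server
           substituting some other nonce NA' for NB.*)
-Goal 
- "!!evs. [| A ~: bad;  evs : otway |]                                \
-\        ==> Crypt (shrK A) {|NA, Key K|} : parts (spies evs) -->    \
-\            Says A B {|NA, Agent A, Agent B,                        \
-\                       Crypt (shrK A) {|NA, Agent A, Agent B|}|}    \
-\             : set evs -->                                          \
-\            (EX B NB. Says Server B                                 \
-\                 {|NA,                                              \
-\                   Crypt (shrK A) {|NA, Key K|},                    \
-\                   Crypt (shrK B) {|NB, Key K|}|}  : set evs)";
+Goal "[| A ~: bad;  evs : otway |]                                \
+\     ==> Crypt (shrK A) {|NA, Key K|} : parts (spies evs) -->    \
+\         Says A B {|NA, Agent A, Agent B,                        \
+\                    Crypt (shrK A) {|NA, Agent A, Agent B|}|}    \
+\          : set evs -->                                          \
+\         (EX B NB. Says Server B                                 \
+\              {|NA,                                              \
+\                Crypt (shrK A) {|NA, Key K|},                    \
+\                Crypt (shrK B) {|NB, Key K|}|}  : set evs)";
 by (parts_induct_tac 1);
 (*Fake*)
 by (Blast_tac 1);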
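Review bot: The final goal in this file (`Crypt (shrK A) {|NA, Key K|} : parts (spies evs) --> ... (EX B NB. Says Server B ...)`) is flagged FALSE by the comment directly above it, yet it is laid out exactly like the proved authenticity lemmas, and the comment before that one still ends "then it originated with the Server!". A reader scanning for A's guarantees can take it for an established result. I would merge the two comments so the status comes first, e.g. `(*NOT PROVABLE in this variant: somebody could make a fake message to Server substituting some other nonce NA' for NB, so this origination claim fails.*)`. The proof script continues beyond the last hunk, so whether it is abandoned or stored under a name is not visible here; if it is stored, that name deserves the same warning.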
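--- a/src/HOL/Auth/Public.ML	Thu Jul 02 17:27:35 1998 +0200
+++ b/src/HOL/Auth/Public.ML	Thu Jul 02 17:48:11 1998 +0200
@@ -15,7 +15,7 @@
 
 AddIffs [inj_pubK RS inj_eq];
 
-Goal "!!A B. (priK A = priK B) = (A=B)";
+Goal "(priK A = priK B) = (A=B)";
 by Safe_tac;
 by (dres_inst_tac [("f","invKey")] arg_cong 1);
 by (Full_simp_tac 1);
@@ -80,7 +80,7 @@
 qed_spec_mp "spies_pubK";
 
 (*Spy sees private keys of bad agents!*)
-Goal "!!A. A: bad ==> Key (priK A) : spies evs";
+Goal "A: bad ==> Key (priK A) : spies evs";
 by (induct_tac "evs" 1);
 by (ALLGOALS (asm_simp_tac
 	      (simpset() addsimps [imageI, spies_Cons]
@@ -92,8 +92,8 @@
 
 
 (*For not_bad_tac*)
-Goal "!!A. [| Crypt (pubK A) X : analz (spies evs);  A: bad |] \
-\              ==> X : analz (spies evs)";
+Goal "[| Crypt (pubK A) X : analz (spies evs);  A: bad |] \
+\           ==> X : analz (spies evs)";
 by (blast_tac (claset() addSDs [analz.Decrypt]) 1);
 qed "Crypt_Spy_analz_bad";
 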
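--- a/src/HOL/Auth/Recur.ML
+++ b/src/HOL/Auth/Recur.ML
@@ -20,11 +20,10 @@
 
 
 (*Simplest case: Alice goes directly to the server*)
-Goal
- "!!A. A ~= Server                                                      \
+Goal "A ~= Server                                                      \
 \ ==> EX K NA. EX evs: recur.                                           \
-\     Says Server A {|Crypt (shrK A) {|Key K, Agent Server, Nonce NA|}, \
-\                     Agent Server|}  : set evs";
+\  Says Server A {|Crypt (shrK A) {|Key K, Agent Server, Nonce NA|}, \
+\                  Agent Server|}  : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (recur.Nil RS recur.RA1 RS 
           (respond.One RSN (4,recur.RA3))) 2);
@@ -33,11 +32,10 @@
 
 
 (*Case two: Alice, Bob and the server*)
-Goal
- "!!A B. [| A ~= B; A ~= Server; B ~= Server |]                 \
+Goal "[| A ~= B; A ~= Server; B ~= Server |]                 \
 \ ==> EX K. EX NA. EX evs: recur.                               \
-\       Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, \
-\                  Agent Server|}  : set evs";
+\    Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|}, \
+\               Agent Server|}  : set evs";
 by (cut_facts_tac [Nonce_supply2, Key_supply2] 1);
 by (REPEAT (eresolve_tac [exE, conjE] 1));
 by (REPEAT (resolve_tac [exI,bexI] 1));
@@ -52,11 +50,10 @@
 
 (*Case three: Alice, Bob, Charlie and the server
   TOO SLOW to run every time!
-Goal
- "!!A B. [| A ~= B; B ~= C; A ~= Server; B ~= Server; C ~= Server |]   \
+Goal "[| A ~= B; B ~= C; A ~= Server; B ~= Server; C ~= Server |]   \
 \ ==> EX K. EX NA. EX evs: recur.                                      \
-\       Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|},        \
-\                  Agent Server|}  : set evs";
+\    Says B A {|Crypt (shrK A) {|Key K, Agent B, Nonce NA|},        \
+\               Agent Server|}  : set evs";
 by (cut_facts_tac [Nonce_supply3, Key_supply3] 1);
 by (REPEAT (eresolve_tac [exE, conjE] 1));
 by (REPEAT (resolve_tac [exI,bexI] 1));
@@ -75,7 +72,7 @@
 (**** Inductive proofs about recur ****)
 
 (*Nobody sends themselves messages*)
-Goal "!!evs. evs : recur ==> ALL A X. Says A A X ~: set evs";
+Goal "evs : recur ==> ALL A X. Says A A X ~: set evs";
 by (etac recur.induct 1);
 by Auto_tac;
 qed_spec_mp "not_Says_to_self";
@@ -84,19 +81,18 @@
 
 
 
-Goal "!!evs. (PA,RB,KAB) : respond evs ==> Key KAB : parts{RB}";
+Goal "(PA,RB,KAB) : respond evs ==> Key KAB : parts{RB}";
 by (etac respond.induct 1);
 by (ALLGOALS Simp_tac);
 qed "respond_Key_in_parts";
 
-Goal "!!evs. (PA,RB,KAB) : respond evs ==> Key KAB ~: used evs";
+Goal "(PA,RB,KAB) : respond evs ==> Key KAB ~: used evs";
 by (etac respond.induct 1);
 by (REPEAT (assume_tac 1));
 qed "respond_imp_not_used";
 
-Goal
- "!!evs. [| Key K : parts {RB};  (PB,RB,K') : respond evs |] \
-\        ==> Key K ~: used evs";
+Goal "[| Key K : parts {RB};  (PB,RB,K') : respond evs |] \
+\     ==> Key K ~: used evs";
 by (etac rev_mp 1);
 by (etac respond.induct 1);
 by (auto_tac(claset() addDs [Key_not_used, respond_imp_not_used],
@@ -104,7 +100,7 @@
 qed_spec_mp "Key_in_parts_respond";
 
 (*Simple inductive reasoning about responses*)
-Goal "!!evs. (PA,RB,KAB) : respond evs ==> RB : responses evs";
+Goal "(PA,RB,KAB) : respond evs ==> RB : responses evs";
 by (etac respond.induct 1);
 by (REPEAT (ares_tac (respond_imp_not_used::responses.intrs) 1));
 qed "respond_imp_responses";
@@ -114,8 +110,8 @@
 
 val RA2_analz_spies = Says_imp_spies RS analz.Inj |> standard;
 
-Goal "!!evs. Says C' B {|Crypt K X, X', RA|} : set evs \
-\                ==> RA : analz (spies evs)";
+Goal "Says C' B {|Crypt K X, X', RA|} : set evs \
+\             ==> RA : analz (spies evs)";
 by (blast_tac (claset() addSDs [Says_imp_spies RS analz.Inj]) 1);
 qed "RA4_analz_spies";
 
@@ -144,8 +140,7 @@
 
 (** Spy never sees another agent's shared key! (unless it's bad at start) **)
 
-Goal 
- "!!evs. evs : recur ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
+Goal "evs : recur ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
 by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (ALLGOALS 
@@ -155,8 +150,7 @@
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
-Goal 
- "!!evs. evs : recur ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
+Goal "evs : recur ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
 by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
@@ -168,17 +162,16 @@
 (** Nobody can have used non-existent keys! **)
 
 (*The special case of H={} has the same proof*)
-Goal
- "!!evs. [| K : keysFor (parts (insert RB H));  (PB,RB,K') : respond evs |] \
-\        ==> K : range shrK | K : keysFor (parts H)";
+Goal "[| K : keysFor (parts (insert RB H));  (PB,RB,K') : respond evs |] \
+\     ==> K : range shrK | K : keysFor (parts H)";
 by (etac rev_mp 1);
 by (etac (respond_imp_responses RS responses.induct) 1);
 by Auto_tac;
 qed_spec_mp "Key_in_keysFor_parts";
 
 
-Goal "!!evs. evs : recur ==>          \
-\                Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
+Goal "evs : recur ==>          \
+\             Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
 by (parts_induct_tac 1);
 (*RA3*)
 by (blast_tac (claset() addSDs [Key_in_keysFor_parts]) 2);
@@ -209,24 +202,22 @@
 (*Version for "responses" relation.  Handles case RA3 in the theorem below.  
   Note that it holds for *any* set H (not just "spies evs")
   satisfying the inductive hypothesis.*)
-Goal  
- "!!evs. [| RB : responses evs;                             \
-\           ALL K KK. KK <= Compl (range shrK) -->          \
-\                     (Key K : analz (Key``KK Un H)) =      \
-\                     (K : KK | Key K : analz H) |]         \
-\       ==> ALL K KK. KK <= Compl (range shrK) -->          \
-\                     (Key K : analz (insert RB (Key``KK Un H))) = \
-\                     (K : KK | Key K : analz (insert RB H))";
+Goal "[| RB : responses evs;                             \
+\        ALL K KK. KK <= Compl (range shrK) -->          \
+\                  (Key K : analz (Key``KK Un H)) =      \
+\                  (K : KK | Key K : analz H) |]         \
+\    ==> ALL K KK. KK <= Compl (range shrK) -->          \
+\                  (Key K : analz (insert RB (Key``KK Un H))) = \
+\                  (K : KK | Key K : analz (insert RB H))";
 by (etac responses.induct 1);
 by (ALLGOALS (asm_simp_tac analz_image_freshK_ss));
 qed "resp_analz_image_freshK_lemma";
 
 (*Version for the protocol.  Proof is almost trivial, thanks to the lemma.*)
-Goal  
- "!!evs. evs : recur ==>                                 \
+Goal "evs : recur ==>                                 \
 \  ALL K KK. KK <= Compl (range shrK) -->                \
-\            (Key K : analz (Key``KK Un (spies evs))) =  \
-\            (K : KK | Key K : analz (spies evs))";
+\         (Key K : analz (Key``KK Un (spies evs))) =  \
+\         (K : KK | Key K : analz (spies evs))";
 by (etac recur.induct 1);
 by analz_spies_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -250,18 +241,17 @@
           raw_analz_image_freshK RSN
             (2, resp_analz_image_freshK_lemma) RS spec RS spec RS mp);
 
-Goal
- "!!evs. [| evs : recur;  KAB ~: range shrK |] ==>           \
-\        Key K : analz (insert (Key KAB) (spies evs)) =      \
-\        (K = KAB | Key K : analz (spies evs))";
+Goal "[| evs : recur;  KAB ~: range shrK |] ==>           \
+\     Key K : analz (insert (Key KAB) (spies evs)) =      \
+\     (K = KAB | Key K : analz (spies evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
 
 (*Everything that's hashed is already in past traffic. *)
-Goal "!!evs. [| Hash {|Key(shrK A), X|} : parts (spies evs);  \
-\                   evs : recur;  A ~: bad |]                     \
-\                ==> X : parts (spies evs)";
+Goal "[| Hash {|Key(shrK A), X|} : parts (spies evs);  \
+\                evs : recur;  A ~: bad |]                     \
+\             ==> X : parts (spies evs)";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 (*RA3 requires a further induction*)
@@ -278,11 +268,10 @@
   Unicity is not used in other proofs but is desirable in its own right.
 **)
 
-Goal 
- "!!evs. [| evs : recur; A ~: bad |]                   \
+Goal "[| evs : recur; A ~: bad |]                   \
 \ ==> EX B' P'. ALL B P.                                     \
-\        Hash {|Key(shrK A), Agent A, B, NA, P|} : parts (spies evs) \
-\          -->  B=B' & P=P'";
+\     Hash {|Key(shrK A), Agent A, B, NA, P|} : parts (spies evs) \
+\       -->  B=B' & P=P'";
 by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 by (etac responses.induct 3);
@@ -296,10 +285,10 @@
 val lemma = result();
 
 Goalw [HPair_def]
- "!!A.[| Hash[Key(shrK A)] {|Agent A, B,NA,P|}   : parts (spies evs); \
-\        Hash[Key(shrK A)] {|Agent A, B',NA,P'|} : parts (spies evs); \
-\        evs : recur;  A ~: bad |]                                    \
-\      ==> B=B' & P=P'";
+ "[| Hash[Key(shrK A)] {|Agent A, B,NA,P|}   : parts (spies evs); \
+\     Hash[Key(shrK A)] {|Agent A, B',NA,P'|} : parts (spies evs); \
+\     evs : recur;  A ~: bad |]                                    \
+\   ==> B=B' & P=P'";
 by (REPEAT (eresolve_tac partsEs 1));
 by (prove_unique_tac lemma 1);
 qed "unique_NA";
@@ -309,8 +298,7 @@
       (relations "respond" and "responses") 
 ***)
 
-Goal
- "!!evs. [| RB : responses evs;  evs : recur |] \
+Goal "[| RB : responses evs;  evs : recur |] \
 \ ==> (Key (shrK B) : analz (insert RB (spies evs))) = (B:bad)";
 by (etac responses.induct 1);
 by (ALLGOALS
@@ -321,13 +309,12 @@
 Addsimps [shrK_in_analz_respond];
 
 
-Goal  
- "!!evs. [| RB : responses evs;                             \
-\           ALL K KK. KK <= Compl (range shrK) -->          \
-\                     (Key K : analz (Key``KK Un H)) =      \
-\                     (K : KK | Key K : analz H) |]         \
-\       ==> (Key K : analz (insert RB H)) -->               \
-\           (Key K : parts{RB} | Key K : analz H)";
+Goal "[| RB : responses evs;                             \
+\        ALL K KK. KK <= Compl (range shrK) -->          \
+\                  (Key K : analz (Key``KK Un H)) =      \
+\                  (K : KK | Key K : analz H) |]         \
+\    ==> (Key K : analz (insert RB H)) -->               \
+\        (Key K : parts{RB} | Key K : analz H)";
 by (etac responses.induct 1);
 by (ALLGOALS
     (asm_simp_tac 
@@ -344,9 +331,8 @@
 
 (*The Server does not send such messages.  This theorem lets us avoid
   assuming B~=Server in RA4.*)
-Goal 
- "!!evs. evs : recur \
-\        ==> ALL C X Y. Says Server C {|X, Agent Server, Y|} ~: set evs";
+Goal "evs : recur \
+\     ==> ALL C X Y. Says Server C {|X, Agent Server, Y|} ~: set evs";
 by (etac recur.induct 1);
 by (etac (respond.induct) 5);
 by Auto_tac;
@@ -355,19 +341,17 @@
 
 
 (*The last key returned by respond indeed appears in a certificate*)
-Goal 
- "!!K. (Hash[Key(shrK A)] {|Agent A, B, NA, P|}, RA, K) : respond evs \
-\      ==> Crypt (shrK A) {|Key K, B, NA|} : parts {RA}";
+Goal "(Hash[Key(shrK A)] {|Agent A, B, NA, P|}, RA, K) : respond evs \
+\   ==> Crypt (shrK A) {|Key K, B, NA|} : parts {RA}";
 by (etac respond.elim 1);
 by (ALLGOALS Asm_full_simp_tac);
 qed "respond_certificate";
 
 
-Goal 
- "!!K'. (PB,RB,KXY) : respond evs                          \
+Goal "!!K'. (PB,RB,KXY) : respond evs                          \
 \  ==> EX A' B'. ALL A B N.                                \
-\        Crypt (shrK A) {|Key K, Agent B, N|} : parts {RB} \
-\          -->   (A'=A & B'=B) | (A'=B & B'=A)";
+\     Crypt (shrK A) {|Key K, Agent B, N|} : parts {RB} \
+\       -->   (A'=A & B'=B) | (A'=B & B'=A)";
 by (etac respond.induct 1);
 by (ALLGOALS (asm_full_simp_tac (simpset() addsimps [all_conj_distrib]))); 
 (*Base case*)
@@ -385,10 +369,9 @@
 by (Fast_tac 1);
 val lemma = result();
 
-Goal 
- "!!RB. [| Crypt (shrK A) {|Key K, Agent B, N|} : parts {RB};      \
-\          Crypt (shrK A') {|Key K, Agent B', N'|} : parts {RB};   \
-\          (PB,RB,KXY) : respond evs |]                            \
+Goal "[| Crypt (shrK A) {|Key K, Agent B, N|} : parts {RB};      \
+\       Crypt (shrK A') {|Key K, Agent B', N'|} : parts {RB};   \
+\       (PB,RB,KXY) : respond evs |]                            \
 \ ==>   (A'=A & B'=B) | (A'=B & B'=A)";
 by (prove_unique_tac lemma 1);
 qed "unique_session_keys";
@@ -398,11 +381,10 @@
     Does not in itself guarantee security: an attack could violate 
     the premises, e.g. by having A=Spy **)
 
-Goal 
- "!!evs. [| (PB,RB,KAB) : respond evs;  evs : recur |]              \
-\        ==> ALL A A' N. A ~: bad & A' ~: bad -->                   \
-\            Crypt (shrK A) {|Key K, Agent A', N|} : parts{RB} -->  \
-\            Key K ~: analz (insert RB (spies evs))";
+Goal "[| (PB,RB,KAB) : respond evs;  evs : recur |]              \
+\     ==> ALL A A' N. A ~: bad & A' ~: bad -->                   \
+\         Crypt (shrK A) {|Key K, Agent A', N|} : parts{RB} -->  \
+\         Key K ~: analz (insert RB (spies evs))";
 by (etac respond.induct 1);
 by (forward_tac [respond_imp_responses] 2);
 by (forward_tac [respond_imp_not_used] 2);
@@ -429,10 +411,9 @@
 qed_spec_mp "respond_Spy_not_see_session_key";
 
 
-Goal
- "!!evs. [| Crypt (shrK A) {|Key K, Agent A', N|} : parts (spies evs); \
-\           A ~: bad;  A' ~: bad;  evs : recur |]                      \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Crypt (shrK A) {|Key K, Agent A', N|} : parts (spies evs); \
+\        A ~: bad;  A' ~: bad;  evs : recur |]                      \
+\     ==> Key K ~: analz (spies evs)";
 by (etac rev_mp 1);
 by (etac recur.induct 1);
 by analz_spies_tac;
@@ -463,10 +444,9 @@
 (**** Authenticity properties for Agents ****)
 
 (*The response never contains Hashes*)
-Goal
- "!!evs. [| Hash {|Key (shrK B), M|} : parts (insert RB H); \
-\           (PB,RB,K) : respond evs |]                      \
-\        ==> Hash {|Key (shrK B), M|} : parts H";
+Goal "[| Hash {|Key (shrK B), M|} : parts (insert RB H); \
+\        (PB,RB,K) : respond evs |]                      \
+\     ==> Hash {|Key (shrK B), M|} : parts H";
 by (etac rev_mp 1);
 by (etac (respond_imp_responses RS responses.induct) 1);
 by Auto_tac;
@@ -477,9 +457,9 @@
   it can say nothing about how recent A's message is.  It might later be
   used to prove B's presence to A at the run's conclusion.*)
 Goalw [HPair_def]
- "!!evs. [| Hash {|Key(shrK A), Agent A, Agent B, NA, P|} : parts(spies evs); \
-\           A ~: bad;  evs : recur |]                      \
-\     ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, NA, P|}) : set evs";
+ "[| Hash {|Key(shrK A), Agent A, Agent B, NA, P|} : parts(spies evs); \
+\        A ~: bad;  evs : recur |]                      \
+\  ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, NA, P|}) : set evs";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
@@ -493,11 +473,10 @@
 
 
 (*Certificates can only originate with the Server.*)
-Goal 
- "!!evs. [| Crypt (shrK A) Y : parts (spies evs);    \
-\           A ~: bad;  evs : recur |]                \
-\        ==> EX C RC. Says Server C RC : set evs  &  \
-\                     Crypt (shrK A) Y : parts {RC}";
+Goal "[| Crypt (shrK A) Y : parts (spies evs);    \
+\        A ~: bad;  evs : recur |]                \
+\     ==> EX C RC. Says Server C RC : set evs  &  \
+\                  Crypt (shrK A) Y : parts {RC}";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);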
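Review bot: In the hunk at `@@ -355,19 +341,17 @@` the second goal still opens with `!!K'.` on the new side, although every other goal in this file had its leading parameter removed and `K'` does not occur anywhere in the visible statement (it speaks of `K`, `A'` and `B'`). This looks like an oversight; the first line would read `Goal "(PB,RB,KXY) : respond evs                          \`. The proof of that goal continues outside the hunk, so confirm that no later tactic relies on the parameter before dropping it. Separately, the goal edited at `@@ -52,11 +50,10 @@` sits inside the commented-out "Case three" proof (marked TOO SLOW), so that edit is not exercised when the file is loaded; a short comment there noting it was last run with the old `Goal` form would help whoever re-enables it.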
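--- a/src/HOL/Auth/Shared.ML
+++ b/src/HOL/Auth/Shared.ML
@@ -29,7 +29,7 @@
 Addsimps [keysFor_parts_initState];
 
 (*Specialized to shared-key model: no need for addss in protocol proofs*)
-Goal "!!X. [| K: keysFor (parts (insert X H));  X : synth (analz H) |] \
+Goal "[| K: keysFor (parts (insert X H));  X : synth (analz H) |] \
 \              ==> K : keysFor (parts H) | Key K : parts H";
 by (fast_tac
       (claset() addSDs [impOfSubs (parts_insert_subset_Un RS keysFor_mono),
@@ -38,7 +38,7 @@
                 addss  (simpset())) 1);
 qed "keysFor_parts_insert";
 
-Goal "!!H. Crypt K X : H ==> K : keysFor H";
+Goal "Crypt K X : H ==> K : keysFor H";
 by (dtac Crypt_imp_invKey_keysFor 1);
 by (Asm_full_simp_tac 1);
 qed "Crypt_imp_keysFor";
@@ -47,7 +47,7 @@
 (*** Function "spies" ***)
 
 (*Spy sees shared keys of agents!*)
-Goal "!!A. A: bad ==> Key (shrK A) : spies evs";
+Goal "A: bad ==> Key (shrK A) : spies evs";
 by (induct_tac "evs" 1);
 by (ALLGOALS (asm_simp_tac
 	      (simpset() addsimps [imageI, spies_Cons]
@@ -57,7 +57,7 @@
 AddSIs [Spy_spies_bad];
 
 (*For not_bad_tac*)
-Goal "!!A. [| Crypt (shrK A) X : analz (spies evs);  A: bad |] \
+Goal "[| Crypt (shrK A) X : analz (spies evs);  A: bad |] \
 \              ==> X : analz (spies evs)";
 by (fast_tac (claset() addSDs [analz.Decrypt] addss (simpset())) 1);
 qed "Crypt_Spy_analz_bad";
@@ -92,11 +92,11 @@
 
 (*Used in parts_induct_tac and analz_Fake_tac to distinguish session keys
   from long-term shared keys*)
-Goal "!!K. Key K ~: used evs ==> K ~: range shrK";
+Goal "Key K ~: used evs ==> K ~: range shrK";
 by (Blast_tac 1);
 qed "Key_not_used";
 
-Goal "!!K. Key K ~: used evs ==> shrK B ~= K";
+Goal "Key K ~: used evs ==> shrK B ~= K";
 by (Blast_tac 1);
 qed "shrK_neq";
 
@@ -223,7 +223,7 @@
 
 (*** Specialized rewriting for analz_insert_freshK ***)
 
-Goal "!!A. A <= Compl (range shrK) ==> shrK x ~: A";
+Goal "A <= Compl (range shrK) ==> shrK x ~: A";
 by (Blast_tac 1);
 qed "subset_Compl_range";
 
@@ -250,7 +250,7 @@
 
 (*Lemma for the trivial direction of the if-and-only-if*)
 Goal  
- "(Key K : analz (Key``nE Un H)) --> (K : nE | Key K : analz H)  ==> \
+ "(Key K : analz (Key``nE Un H)) --> (K : nE | Key K : analz H)  ==> \
 \        (Key K : analz (Key``nE Un H)) = (K : nE | Key K : analz H)";
 by (blast_tac (claset() addIs [impOfSubs analz_mono]) 1);
 qed "analz_image_freshK_lemma";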
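Review bot: The last hunk (`@@ -250,7 +250,7 @@`) keeps `Goal` alone on its line, with trailing blanks, and starts the statement on the next line, while the other goals touched in this file open on the `Goal` line itself; joining the two lines would keep the file uniform. In the hunks at `@@ -29,7 +29,7 @@` and `@@ -57,7 +57,7 @@` the continuation line stayed at its old column and no longer lines up with the shortened first line, for example it could read `\     ==> K : keysFor (parts H) | Key K : parts H";`. The Recur.ML goals in this same changeset were re-indented when their prefix was dropped, so this is a consistency point only and does not affect what is proved.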
    13.1 --- a/src/HOL/Auth/TLS.ML	Thu Jul 02 17:27:35 1998 +0200
    13.2 +++ b/src/HOL/Auth/TLS.ML	Thu Jul 02 17:48:11 1998 +0200
    13.3 @@ -64,11 +64,10 @@
    13.4  
    13.5  
    13.6  (*Possibility property ending with ClientAccepts.*)
    13.7 -Goal 
    13.8 - "!!A B. [| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF;  \
    13.9 -\           A ~= B |]            \
   13.10 +Goal "[| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF;  \
   13.11 +\        A ~= B |]            \
   13.12  \  ==> EX SID M. EX evs: tls.    \
   13.13 -\        Notes A {|Number SID, Agent A, Agent B, Nonce M|} : set evs";
   13.14 +\     Notes A {|Number SID, Agent A, Agent B, Nonce M|} : set evs";
   13.15  by (REPEAT (resolve_tac [exI,bexI] 1));
   13.16  by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.Certificate RS
   13.17  	  tls.ClientKeyExch RS tls.ClientFinished RS tls.ServerFinished RS
   13.18 @@ -78,11 +77,10 @@
   13.19  result();
   13.20  
   13.21  (*And one for ServerAccepts.  Either FINISHED message may come first.*)
   13.22 -Goal 
   13.23 - "!!A B. [| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF;  \
   13.24 -\           A ~= B |]                        \
   13.25 +Goal "[| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF;  \
   13.26 +\        A ~= B |]                        \
   13.27  \  ==> EX SID NA PA NB PB M. EX evs: tls.    \
   13.28 -\        Notes B {|Number SID, Agent A, Agent B, Nonce M|} : set evs";
   13.29 +\     Notes B {|Number SID, Agent A, Agent B, Nonce M|} : set evs";
   13.30  by (REPEAT (resolve_tac [exI,bexI] 1));
   13.31  by (rtac (tls.Nil RS tls.ClientHello RS tls.ServerHello RS tls.Certificate RS
   13.32  	  tls.ClientKeyExch RS tls.ServerFinished RS tls.ClientFinished RS
   13.33 @@ -92,9 +90,8 @@
   13.34  result();
   13.35  
   13.36  (*Another one, for CertVerify (which is optional)*)
   13.37 -Goal 
   13.38 - "!!A B. [| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF;  \
   13.39 -\           A ~= B |]                       \
   13.40 +Goal "[| ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF;  \
   13.41 +\        A ~= B |]                       \
   13.42  \  ==> EX NB PMS. EX evs: tls.   \
   13.43  \  Says A B (Crypt (priK A) (Hash{|Nonce NB, Agent B, Nonce PMS|})) : set evs";
   13.44  by (REPEAT (resolve_tac [exI,bexI] 1));
   13.45 @@ -105,17 +102,16 @@
   13.46  result();
   13.47  
   13.48  (*Another one, for session resumption (both ServerResume and ClientResume) *)
   13.49 -Goal 
   13.50 - "!!A B. [| evs0 : tls;     \
   13.51 -\           Notes A {|Number SID, Agent A, Agent B, Nonce M|} : set evs0; \
   13.52 -\           Notes B {|Number SID, Agent A, Agent B, Nonce M|} : set evs0; \
   13.53 -\           ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF;  \
   13.54 -\           A ~= B |] ==> EX NA PA NB PB X. EX evs: tls.    \
   13.55 -\      X = Hash{|Number SID, Nonce M,             \
   13.56 -\                       Nonce NA, Number PA, Agent A,      \
   13.57 -\                       Nonce NB, Number PB, Agent B|}  &  \
   13.58 -\      Says A B (Crypt (clientK(NA,NB,M)) X) : set evs  &  \
   13.59 -\      Says B A (Crypt (serverK(NA,NB,M)) X) : set evs";
   13.60 +Goal "[| evs0 : tls;     \
   13.61 +\        Notes A {|Number SID, Agent A, Agent B, Nonce M|} : set evs0; \
   13.62 +\        Notes B {|Number SID, Agent A, Agent B, Nonce M|} : set evs0; \
   13.63 +\        ALL evs. (@ N. Nonce N ~: used evs) ~: range PRF;  \
   13.64 +\        A ~= B |] ==> EX NA PA NB PB X. EX evs: tls.    \
   13.65 +\   X = Hash{|Number SID, Nonce M,             \
   13.66 +\                    Nonce NA, Number PA, Agent A,      \
   13.67 +\                    Nonce NB, Number PB, Agent B|}  &  \
   13.68 +\   Says A B (Crypt (clientK(NA,NB,M)) X) : set evs  &  \
   13.69 +\   Says B A (Crypt (serverK(NA,NB,M)) X) : set evs";
   13.70  by (REPEAT (resolve_tac [exI,bexI] 1));
   13.71  by (etac (tls.ClientHello RS tls.ServerHello RS tls.ServerResume RS 
   13.72  	  tls.ClientResume) 2);
   13.73 @@ -128,7 +124,7 @@
   13.74  (**** Inductive proofs about tls ****)
   13.75  
   13.76  (*Nobody sends themselves messages*)
   13.77 -Goal "!!evs. evs : tls ==> ALL A X. Says A A X ~: set evs";
   13.78 +Goal "evs : tls ==> ALL A X. Says A A X ~: set evs";
   13.79  by (etac tls.induct 1);
   13.80  by Auto_tac;
   13.81  qed_spec_mp "not_Says_to_self";
   13.82 @@ -152,15 +148,13 @@
   13.83      sends messages containing X! **)
   13.84  
   13.85  (*Spy never sees another agent's private key! (unless it's bad at start)*)
   13.86 -Goal 
   13.87 - "!!evs. evs : tls ==> (Key (priK A) : parts (spies evs)) = (A : bad)";
   13.88 +Goal "evs : tls ==> (Key (priK A) : parts (spies evs)) = (A : bad)";
   13.89  by (parts_induct_tac 1);
   13.90  by (Fake_parts_insert_tac 1);
   13.91  qed "Spy_see_priK";
   13.92  Addsimps [Spy_see_priK];
   13.93  
   13.94 -Goal 
   13.95 - "!!evs. evs : tls ==> (Key (priK A) : analz (spies evs)) = (A : bad)";
   13.96 +Goal "evs : tls ==> (Key (priK A) : analz (spies evs)) = (A : bad)";
   13.97  by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
   13.98  qed "Spy_analz_priK";
   13.99  Addsimps [Spy_analz_priK];
  13.100 @@ -174,8 +168,8 @@
  13.101    little point in doing so: the loss of their private keys is a worse
  13.102    breach of security.*)
  13.103  Goalw [certificate_def]
  13.104 - "!!evs. [| certificate B KB : parts (spies evs);  evs : tls |]  \
  13.105 -\        ==> pubK B = KB";
  13.106 + "[| certificate B KB : parts (spies evs);  evs : tls |]  \
  13.107 +\     ==> pubK B = KB";
  13.108  by (etac rev_mp 1);
  13.109  by (parts_induct_tac 1);
  13.110  by (Fake_parts_insert_tac 1);
  13.111 @@ -203,18 +197,17 @@
  13.112  
  13.113  (*** Properties of items found in Notes ***)
  13.114  
  13.115 -Goal "!!evs. [| Notes A {|Agent B, X|} : set evs;  evs : tls |]  \
  13.116 -\                ==> Crypt (pubK B) X : parts (spies evs)";
  13.117 +Goal "[| Notes A {|Agent B, X|} : set evs;  evs : tls |]  \
  13.118 +\             ==> Crypt (pubK B) X : parts (spies evs)";
  13.119  by (etac rev_mp 1);
  13.120  by (analz_induct_tac 1);
  13.121  by (blast_tac (claset() addIs [parts_insertI]) 1);
  13.122  qed "Notes_Crypt_parts_spies";
  13.123  
  13.124  (*C may be either A or B*)
  13.125 -Goal
  13.126 - "!!evs. [| Notes C {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} : set evs; \
  13.127 -\           evs : tls     \
  13.128 -\        |] ==> Crypt (pubK B) (Nonce PMS) : parts (spies evs)";
  13.129 +Goal "[| Notes C {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} : set evs; \
  13.130 +\        evs : tls     \
  13.131 +\     |] ==> Crypt (pubK B) (Nonce PMS) : parts (spies evs)";
  13.132  by (etac rev_mp 1);
  13.133  by (parts_induct_tac 1);
  13.134  by (ALLGOALS Clarify_tac);
  13.135 @@ -226,10 +219,9 @@
  13.136  qed "Notes_master_imp_Crypt_PMS";
  13.137  
  13.138  (*Compared with the theorem above, both premise and conclusion are stronger*)
  13.139 -Goal
  13.140 - "!!evs. [| Notes A {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} : set evs;\
  13.141 -\           evs : tls     \
  13.142 -\        |] ==> Notes A {|Agent B, Nonce PMS|} : set evs";
  13.143 +Goal "[| Notes A {|s, Agent A, Agent B, Nonce(PRF(PMS,NA,NB))|} : set evs;\
  13.144 +\        evs : tls     \
  13.145 +\     |] ==> Notes A {|Agent B, Nonce PMS|} : set evs";
  13.146  by (etac rev_mp 1);
  13.147  by (parts_induct_tac 1);
  13.148  (*ServerAccepts*)
  13.149 @@ -240,11 +232,10 @@
  13.150  (*** Protocol goal: if B receives CertVerify, then A sent it ***)
  13.151  
  13.152  (*B can check A's signature if he has received A's certificate.*)
  13.153 -Goal
  13.154 - "!!evs. [| X : parts (spies evs);                          \
  13.155 -\           X = Crypt (priK A) (Hash{|nb, Agent B, pms|});  \
  13.156 -\           evs : tls;  A ~: bad |]                         \
  13.157 -\    ==> Says A B X : set evs";
  13.158 +Goal "[| X : parts (spies evs);                          \
  13.159 +\        X = Crypt (priK A) (Hash{|nb, Agent B, pms|});  \
  13.160 +\        evs : tls;  A ~: bad |]                         \
  13.161 +\ ==> Says A B X : set evs";
  13.162  by (etac rev_mp 1);
  13.163  by (hyp_subst_tac 1);
  13.164  by (parts_induct_tac 1);
  13.165 @@ -252,39 +243,36 @@
  13.166  val lemma = result();
  13.167  
  13.168  (*Final version: B checks X using the distributed KA instead of priK A*)
  13.169 -Goal
  13.170 - "!!evs. [| X : parts (spies evs);                            \
  13.171 -\           X = Crypt (invKey KA) (Hash{|nb, Agent B, pms|}); \
  13.172 -\           certificate A KA : parts (spies evs);             \
  13.173 -\           evs : tls;  A ~: bad |]                           \
  13.174 -\    ==> Says A B X : set evs";
  13.175 +Goal "[| X : parts (spies evs);                            \
  13.176 +\        X = Crypt (invKey KA) (Hash{|nb, Agent B, pms|}); \
  13.177 +\        certificate A KA : parts (spies evs);             \
  13.178 +\        evs : tls;  A ~: bad |]                           \
  13.179 +\ ==> Says A B X : set evs";
  13.180  by (blast_tac (claset() addSDs [certificate_valid] addSIs [lemma]) 1);
  13.181  qed "TrustCertVerify";
  13.182  
  13.183  
  13.184  (*If CertVerify is present then A has chosen PMS.*)
  13.185 -Goal
  13.186 - "!!evs. [| Crypt (priK A) (Hash{|nb, Agent B, Nonce PMS|}) \
  13.187 -\             : parts (spies evs);                          \
  13.188 -\           evs : tls;  A ~: bad |]                         \
  13.189 -\        ==> Notes A {|Agent B, Nonce PMS|} : set evs";
  13.190 +Goal "[| Crypt (priK A) (Hash{|nb, Agent B, Nonce PMS|}) \
  13.191 +\          : parts (spies evs);                          \
  13.192 +\        evs : tls;  A ~: bad |]                         \
  13.193 +\     ==> Notes A {|Agent B, Nonce PMS|} : set evs";
  13.194  by (etac rev_mp 1);
  13.195  by (parts_induct_tac 1);
  13.196  by (Fake_parts_insert_tac 1);
  13.197  val lemma = result();
  13.198  
  13.199  (*Final version using the distributed KA instead of priK A*)
  13.200 -Goal
  13.201 - "!!evs. [| Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|}) \
  13.202 -\             : parts (spies evs);                             \
  13.203 -\           certificate A KA : parts (spies evs);              \
  13.204 -\           evs : tls;  A ~: bad |]                            \
  13.205 -\        ==> Notes A {|Agent B, Nonce PMS|} : set evs";
  13.206 +Goal "[| Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|}) \
  13.207 +\          : parts (spies evs);                             \
  13.208 +\        certificate A KA : parts (spies evs);              \
  13.209 +\        evs : tls;  A ~: bad |]                            \
  13.210 +\     ==> Notes A {|Agent B, Nonce PMS|} : set evs";
  13.211  by (blast_tac (claset() addSDs [certificate_valid] addSIs [lemma]) 1);
  13.212  qed "UseCertVerify";
  13.213  
  13.214  
  13.215 -Goal "!!evs. evs : tls ==> Notes A {|Agent B, Nonce (PRF x)|} ~: set evs";
  13.216 +Goal "evs : tls ==> Notes A {|Agent B, Nonce (PRF x)|} ~: set evs";
  13.217  by (parts_induct_tac 1);
  13.218  (*ClientKeyExch: PMS is assumed to differ from any PRF.*)
  13.219  by (Blast_tac 1);
  13.220 @@ -292,9 +280,9 @@
  13.221  Addsimps [no_Notes_A_PRF];
  13.222  
  13.223  
  13.224 -Goal "!!evs. [| Nonce (PRF (PMS,NA,NB)) : parts (spies evs);  \
  13.225 -\                   evs : tls |]  \
  13.226 -\                ==> Nonce PMS : parts (spies evs)";
  13.227 +Goal "[| Nonce (PRF (PMS,NA,NB)) : parts (spies evs);  \
  13.228 +\                evs : tls |]  \
  13.229 +\             ==> Nonce PMS : parts (spies evs)";
  13.230  by (etac rev_mp 1);
  13.231  by (parts_induct_tac 1);
  13.232  by (Fake_parts_insert_tac 1);
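Review bot: The continuation lines of the rewritten goal keep the indentation that matched the old `!!evs. [|` prefix: `evs : tls |]` follows sixteen spaces and `==>` follows thirteen, whereas most goals reformatted in this commit put later premises under the first one and the conclusion at `\     ==>`. I would write `\        evs : tls |]  \` and `\     ==> Nonce PMS : parts (spies evs)";` so that the second premise lines up under `Nonce (PRF (PMS,NA,NB))`. The goal in the hunk at `@@ -340,9 +326,9 @@` has the same leftover indent on its `==>` line. The proof script for this goal continues past the end of the hunk.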
  13.233 @@ -309,10 +297,9 @@
  13.234  (*** Unicity results for PMS, the pre-master-secret ***)
  13.235  
  13.236  (*PMS determines B.  Proof borrowed from NS_Public/unique_NA and from Yahalom*)
  13.237 -Goal 
  13.238 - "!!evs. [| Nonce PMS ~: analz (spies evs);  evs : tls |]   \
  13.239 -\        ==> EX B'. ALL B.   \
  13.240 -\              Crypt (pubK B) (Nonce PMS) : parts (spies evs) --> B=B'";
  13.241 +Goal "[| Nonce PMS ~: analz (spies evs);  evs : tls |]   \
  13.242 +\     ==> EX B'. ALL B.   \
  13.243 +\           Crypt (pubK B) (Nonce PMS) : parts (spies evs) --> B=B'";
  13.244  by (etac rev_mp 1);
  13.245  by (parts_induct_tac 1);
  13.246  by (Fake_parts_insert_tac 1);
  13.247 @@ -323,12 +310,11 @@
  13.248      blast_tac (claset() addSEs partsEs) 1);
  13.249  val lemma = result();
  13.250  
  13.251 -Goal 
  13.252 - "!!evs. [| Crypt(pubK B)  (Nonce PMS) : parts (spies evs); \
  13.253 -\           Crypt(pubK B') (Nonce PMS) : parts (spies evs); \
  13.254 -\           Nonce PMS ~: analz (spies evs);                 \
  13.255 -\           evs : tls |]                                          \
  13.256 -\        ==> B=B'";
  13.257 +Goal "[| Crypt(pubK B)  (Nonce PMS) : parts (spies evs); \
  13.258 +\        Crypt(pubK B') (Nonce PMS) : parts (spies evs); \
  13.259 +\        Nonce PMS ~: analz (spies evs);                 \
  13.260 +\        evs : tls |]                                          \
  13.261 +\     ==> B=B'";
  13.262  by (prove_unique_tac lemma 1);
  13.263  qed "Crypt_unique_PMS";
  13.264  
  13.265 @@ -340,9 +326,9 @@
  13.266  **)
  13.267  
  13.268  (*In A's internal Note, PMS determines A and B.*)
  13.269 -Goal "!!evs. evs : tls               \
  13.270 -\                ==> EX A' B'. ALL A B.  \
  13.271 -\                    Notes A {|Agent B, Nonce PMS|} : set evs --> A=A' & B=B'";
  13.272 +Goal "evs : tls               \
  13.273 +\             ==> EX A' B'. ALL A B.  \
  13.274 +\                 Notes A {|Agent B, Nonce PMS|} : set evs --> A=A' & B=B'";
  13.275  by (parts_induct_tac 1);
  13.276  by (asm_simp_tac (simpset() addsimps [all_conj_distrib]) 1);
  13.277  (*ClientKeyExch: if PMS is fresh, then it can't appear in Notes A X.*)
  13.278 @@ -350,11 +336,10 @@
  13.279      blast_tac (claset() addSDs [Notes_Crypt_parts_spies] addSEs partsEs) 1);
  13.280  val lemma = result();
  13.281  
  13.282 -Goal 
  13.283 - "!!evs. [| Notes A  {|Agent B,  Nonce PMS|} : set evs;  \
  13.284 -\           Notes A' {|Agent B', Nonce PMS|} : set evs;  \
  13.285 -\           evs : tls |]                               \
  13.286 -\        ==> A=A' & B=B'";
  13.287 +Goal "[| Notes A  {|Agent B,  Nonce PMS|} : set evs;  \
  13.288 +\        Notes A' {|Agent B', Nonce PMS|} : set evs;  \
  13.289 +\        evs : tls |]                               \
  13.290 +\     ==> A=A' & B=B'";
  13.291  by (prove_unique_tac lemma 1);
  13.292  qed "Notes_unique_PMS";
  13.293  
  13.294 @@ -364,10 +349,9 @@
  13.295  
  13.296  (*Key compromise lemma needed to prove analz_image_keys.
  13.297    No collection of keys can help the spy get new private keys.*)
  13.298 -Goal  
  13.299 - "!!evs. evs : tls ==>                                      \
  13.300 +Goal "evs : tls ==>                                      \
  13.301  \  ALL KK. (Key(priK B) : analz (Key``KK Un (spies evs))) = \
  13.302 -\          (priK B : KK | B : bad)";
  13.303 +\       (priK B : KK | B : bad)";
  13.304  by (etac tls.induct 1);
  13.305  by (ALLGOALS
  13.306      (asm_simp_tac (analz_image_keys_ss
  13.307 @@ -378,27 +362,25 @@
  13.308  
  13.309  
  13.310  (*slightly speeds up the big simplification below*)
  13.311 -Goal "!!evs. KK <= range sessionK ==> priK B ~: KK";
  13.312 +Goal "KK <= range sessionK ==> priK B ~: KK";
  13.313  by (Blast_tac 1);
  13.314  val range_sessionkeys_not_priK = result();
  13.315  
  13.316  (*Lemma for the trivial direction of the if-and-only-if*)
  13.317 -Goal  
  13.318 - "!!evs. (X : analz (G Un H)) --> (X : analz H)  ==> \
  13.319 -\        (X : analz (G Un H))  =  (X : analz H)";
  13.320 +Goal "(X : analz (G Un H)) --> (X : analz H)  ==> \
  13.321 +\     (X : analz (G Un H))  =  (X : analz H)";
  13.322  by (blast_tac (claset() addIs [impOfSubs analz_mono]) 1);
  13.323  val analz_image_keys_lemma = result();
  13.324  
  13.325  (** Strangely, the following version doesn't work:
  13.326 -\    ALL Z. (Nonce N : analz (Key``(sessionK``Z) Un (spies evs))) = \
  13.327 -\           (Nonce N : analz (spies evs))";
  13.328 +\ ALL Z. (Nonce N : analz (Key``(sessionK``Z) Un (spies evs))) = \
  13.329 +\        (Nonce N : analz (spies evs))";
  13.330  **)
  13.331  
  13.332 -Goal  
  13.333 - "!!evs. evs : tls ==>                                    \
  13.334 -\    ALL KK. KK <= range sessionK -->                     \
  13.335 -\            (Nonce N : analz (Key``KK Un (spies evs))) = \
  13.336 -\            (Nonce N : analz (spies evs))";
  13.337 +Goal "evs : tls ==>                                    \
  13.338 +\ ALL KK. KK <= range sessionK -->                     \
  13.339 +\         (Nonce N : analz (Key``KK Un (spies evs))) = \
  13.340 +\         (Nonce N : analz (spies evs))";
  13.341  by (etac tls.induct 1);
  13.342  by (ClientKeyExch_tac 7);
  13.343  by (REPEAT_FIRST (resolve_tac [allI, impI]));
  13.344 @@ -414,10 +396,9 @@
  13.345  qed_spec_mp "analz_image_keys";
  13.346  
  13.347  (*Knowing some session keys is no help in getting new nonces*)
  13.348 -Goal
  13.349 - "!!evs. evs : tls ==>          \
  13.350 -\        Nonce N : analz (insert (Key (sessionK z)) (spies evs)) =  \
  13.351 -\        (Nonce N : analz (spies evs))";
  13.352 +Goal "evs : tls ==>          \
  13.353 +\     Nonce N : analz (insert (Key (sessionK z)) (spies evs)) =  \
  13.354 +\     (Nonce N : analz (spies evs))";
  13.355  by (asm_simp_tac (analz_image_keys_ss addsimps [analz_image_keys]) 1);
  13.356  qed "analz_insert_key";
  13.357  Addsimps [analz_insert_key];
  13.358 @@ -432,10 +413,9 @@
  13.359    Nonces don't have to agree, allowing session resumption.
  13.360    Converse doesn't hold; revealing PMS doesn't force the keys to be sent.
  13.361    THEY ARE NOT SUITABLE AS SAFE ELIM RULES.*)
  13.362 -Goal 
  13.363 - "!!evs. [| Nonce PMS ~: parts (spies evs);  \
  13.364 -\           K = sessionK((Na, Nb, PRF(PMS,NA,NB)), b);  \
  13.365 -\           evs : tls |]             \
  13.366 +Goal "[| Nonce PMS ~: parts (spies evs);  \
  13.367 +\        K = sessionK((Na, Nb, PRF(PMS,NA,NB)), b);  \
  13.368 +\        evs : tls |]             \
  13.369  \  ==> Key K ~: parts (spies evs) & (ALL Y. Crypt K Y ~: parts (spies evs))";
  13.370  by (etac rev_mp 1);
  13.371  by (hyp_subst_tac 1);
  13.372 @@ -455,17 +435,15 @@
  13.373                           addSEs spies_partsEs) 1));
  13.374  val lemma = result();
  13.375  
  13.376 -Goal 
  13.377 - "!!evs. [| Key (sessionK((Na, Nb, PRF(PMS,NA,NB)), b)) : parts (spies evs); \
  13.378 -\           evs : tls |]             \
  13.379 -\        ==> Nonce PMS : parts (spies evs)";
  13.380 +Goal "[| Key (sessionK((Na, Nb, PRF(PMS,NA,NB)), b)) : parts (spies evs); \
  13.381 +\        evs : tls |]             \
  13.382 +\     ==> Nonce PMS : parts (spies evs)";
  13.383  by (blast_tac (claset() addDs [lemma]) 1);
  13.384  qed "PMS_sessionK_not_spied";
  13.385  
  13.386 -Goal 
  13.387 - "!!evs. [| Crypt (sessionK((Na, Nb, PRF(PMS,NA,NB)), b)) Y  \
  13.388 -\             : parts (spies evs);  evs : tls |]             \
  13.389 -\        ==> Nonce PMS : parts (spies evs)";
  13.390 +Goal "[| Crypt (sessionK((Na, Nb, PRF(PMS,NA,NB)), b)) Y  \
  13.391 +\          : parts (spies evs);  evs : tls |]             \
  13.392 +\     ==> Nonce PMS : parts (spies evs)";
  13.393  by (blast_tac (claset() addDs [lemma]) 1);
  13.394  qed "PMS_Crypt_sessionK_not_spied";
  13.395  
  13.396 @@ -473,10 +451,9 @@
  13.397    Converse doesn't hold; betraying M doesn't force the keys to be sent!
  13.398    The strong Oops condition can be weakened later by unicity reasoning, 
  13.399  	with some effort.*)
  13.400 -Goal 
  13.401 - "!!evs. [| ALL A. Says A Spy (Key (sessionK((NA,NB,M),b))) ~: set evs; \
  13.402 -\           Nonce M ~: analz (spies evs);  evs : tls |]   \
  13.403 -\        ==> Key (sessionK((NA,NB,M),b)) ~: parts (spies evs)";
  13.404 +Goal "[| ALL A. Says A Spy (Key (sessionK((NA,NB,M),b))) ~: set evs; \
  13.405 +\        Nonce M ~: analz (spies evs);  evs : tls |]   \
  13.406 +\     ==> Key (sessionK((NA,NB,M),b)) ~: parts (spies evs)";
  13.407  by (etac rev_mp 1);
  13.408  by (etac rev_mp 1);
  13.409  by (analz_induct_tac 1);        (*17 seconds*)
  13.410 @@ -491,10 +468,9 @@
  13.411  
  13.412  
  13.413  (*If A sends ClientKeyExch to an honest B, then the PMS will stay secret.*)
  13.414 -Goal
  13.415 - "!!evs. [| evs : tls;  A ~: bad;  B ~: bad |]           \
  13.416 -\        ==> Notes A {|Agent B, Nonce PMS|} : set evs  -->   \
  13.417 -\            Nonce PMS ~: analz (spies evs)";
  13.418 +Goal "[| evs : tls;  A ~: bad;  B ~: bad |]           \
  13.419 +\     ==> Notes A {|Agent B, Nonce PMS|} : set evs  -->   \
  13.420 +\         Nonce PMS ~: analz (spies evs)";
  13.421  by (analz_induct_tac 1);   (*11 seconds*)
  13.422  (*ClientAccepts and ServerAccepts: because PMS ~: range PRF*)
  13.423  by (REPEAT (fast_tac (claset() addss (simpset())) 6));
  13.424 @@ -513,10 +489,9 @@
  13.425  
  13.426  (*If A sends ClientKeyExch to an honest B, then the MASTER SECRET
  13.427    will stay secret.*)
  13.428 -Goal
  13.429 - "!!evs. [| evs : tls;  A ~: bad;  B ~: bad |]           \
  13.430 -\        ==> Notes A {|Agent B, Nonce PMS|} : set evs  -->   \
  13.431 -\            Nonce (PRF(PMS,NA,NB)) ~: analz (spies evs)";
  13.432 +Goal "[| evs : tls;  A ~: bad;  B ~: bad |]           \
  13.433 +\     ==> Notes A {|Agent B, Nonce PMS|} : set evs  -->   \
  13.434 +\         Nonce (PRF(PMS,NA,NB)) ~: analz (spies evs)";
  13.435  by (analz_induct_tac 1);   (*13 seconds*)
  13.436  (*ClientAccepts and ServerAccepts: because PMS was already visible*)
  13.437  by (REPEAT (blast_tac (claset() addDs [Spy_not_see_PMS, 
  13.438 @@ -541,11 +516,10 @@
  13.439  
  13.440  (*If A created PMS then nobody other than the Spy would send a message
  13.441    using a clientK generated from that PMS.*)
  13.442 -Goal
  13.443 - "!!evs. [| evs : tls;  A' ~= Spy |]                \
  13.444 +Goal "[| evs : tls;  A' ~= Spy |]                \
  13.445  \  ==> Notes A {|Agent B, Nonce PMS|} : set evs -->                  \
  13.446 -\      Says A' B' (Crypt (clientK(Na,Nb,PRF(PMS,NA,NB))) Y) : set evs -->  \
  13.447 -\      A = A'";
  13.448 +\   Says A' B' (Crypt (clientK(Na,Nb,PRF(PMS,NA,NB))) Y) : set evs -->  \
  13.449 +\   A = A'";
  13.450  by (analz_induct_tac 1);	(*8 seconds*)
  13.451  by (ALLGOALS Clarify_tac);
  13.452  (*ClientFinished, ClientResume: by unicity of PMS*)
  13.453 @@ -561,11 +535,10 @@
  13.454  
  13.455  (*If A created PMS and has not leaked her clientK to the Spy, 
  13.456    then nobody has.*)
  13.457 -Goal
  13.458 - "!!evs. evs : tls                         \
  13.459 +Goal "evs : tls                         \
  13.460  \  ==> Says A Spy (Key(clientK(Na,Nb,PRF(PMS,NA,NB)))) ~: set evs --> \
  13.461 -\      Notes A {|Agent B, Nonce PMS|} : set evs -->                   \
  13.462 -\      (ALL A. Says A Spy (Key(clientK(Na,Nb,PRF(PMS,NA,NB)))) ~: set evs) ";
  13.463 +\   Notes A {|Agent B, Nonce PMS|} : set evs -->                   \
  13.464 +\   (ALL A. Says A Spy (Key(clientK(Na,Nb,PRF(PMS,NA,NB)))) ~: set evs) ";
  13.465  by (etac tls.induct 1);
  13.466  (*This roundabout proof sequence avoids looping in simplification*)
  13.467  by (ALLGOALS Simp_tac);
  13.468 @@ -585,11 +558,10 @@
  13.469  
  13.470  (*If A created PMS for B, then nobody other than B or the Spy would
  13.471    send a message using a serverK generated from that PMS.*)
  13.472 -Goal
  13.473 - "!!evs. [| evs : tls;  A ~: bad;  B ~: bad;  B' ~= Spy |]                \
  13.474 +Goal "[| evs : tls;  A ~: bad;  B ~: bad;  B' ~= Spy |]                \
  13.475  \  ==> Notes A {|Agent B, Nonce PMS|} : set evs -->                  \
  13.476 -\      Says B' A' (Crypt (serverK(Na,Nb,PRF(PMS,NA,NB))) Y) : set evs -->  \
  13.477 -\      B = B'";
  13.478 +\   Says B' A' (Crypt (serverK(Na,Nb,PRF(PMS,NA,NB))) Y) : set evs -->  \
  13.479 +\   B = B'";
  13.480  by (analz_induct_tac 1);	(*9 seconds*)
  13.481  by (ALLGOALS Clarify_tac);
  13.482  (*ServerResume, ServerFinished: by unicity of PMS*)
  13.483 @@ -608,11 +580,10 @@
  13.484  
  13.485  (*If A created PMS for B, and B has not leaked his serverK to the Spy, 
  13.486    then nobody has.*)
  13.487 -Goal
  13.488 - "!!evs. [| evs : tls;  A ~: bad;  B ~: bad |]                        \
  13.489 +Goal "[| evs : tls;  A ~: bad;  B ~: bad |]                        \
  13.490  \  ==> Says B Spy (Key(serverK(Na,Nb,PRF(PMS,NA,NB)))) ~: set evs --> \
  13.491 -\      Notes A {|Agent B, Nonce PMS|} : set evs -->                   \
  13.492 -\      (ALL A. Says A Spy (Key(serverK(Na,Nb,PRF(PMS,NA,NB)))) ~: set evs) ";
  13.493 +\   Notes A {|Agent B, Nonce PMS|} : set evs -->                   \
  13.494 +\   (ALL A. Says A Spy (Key(serverK(Na,Nb,PRF(PMS,NA,NB)))) ~: set evs) ";
  13.495  by (etac tls.induct 1);
  13.496  (*This roundabout proof sequence avoids looping in simplification*)
  13.497  by (ALLGOALS Simp_tac);
  13.498 @@ -634,42 +605,39 @@
  13.499  ***)
  13.500  
  13.501  (*The mention of her name (A) in X assures A that B knows who she is.*)
  13.502 -Goal
  13.503 - "!!evs. [| X = Crypt (serverK(Na,Nb,M))                  \
  13.504 -\                 (Hash{|Number SID, Nonce M,             \
  13.505 -\                        Nonce Na, Number PA, Agent A,    \
  13.506 -\                        Nonce Nb, Number PB, Agent B|}); \
  13.507 -\           M = PRF(PMS,NA,NB);                           \
  13.508 -\           evs : tls;  A ~: bad;  B ~: bad |]            \
  13.509 -\        ==> (ALL A. Says A Spy (Key(serverK(Na,Nb,M))) ~: set evs) --> \
  13.510 -\            Notes A {|Agent B, Nonce PMS|} : set evs --> \
  13.511 -\            X : parts (spies evs) --> Says B A X : set evs";
  13.512 +Goal "[| X = Crypt (serverK(Na,Nb,M))                  \
  13.513 +\              (Hash{|Number SID, Nonce M,             \
  13.514 +\                     Nonce Na, Number PA, Agent A,    \
  13.515 +\                     Nonce Nb, Number PB, Agent B|}); \
  13.516 +\        M = PRF(PMS,NA,NB);                           \
  13.517 +\        evs : tls;  A ~: bad;  B ~: bad |]            \
  13.518 +\     ==> (ALL A. Says A Spy (Key(serverK(Na,Nb,M))) ~: set evs) --> \
  13.519 +\         Notes A {|Agent B, Nonce PMS|} : set evs --> \
  13.520 +\         X : parts (spies evs) --> Says B A X : set evs";
  13.521  by (hyp_subst_tac 1);
  13.522 -by (analz_induct_tac 1);        (*26 seconds*)
  13.523 +by (analz_induct_tac 1);        (*10 seconds*)
  13.524  by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
  13.525 -(*proves ServerResume*)
  13.526  by (ALLGOALS Clarify_tac);
  13.527  (*ClientKeyExch*)
  13.528  by (blast_tac (claset() addSDs [PMS_Crypt_sessionK_not_spied]) 2);
  13.529  (*Fake: the Spy doesn't have the critical session key!*)
  13.530 -by (subgoal_tac "Key (serverK(Na,Nb,PRF(PMS,NA,NB))) ~: analz(spies evsa)" 1);
  13.531 +by (subgoal_tac "Key (serverK(Na,Nb,PRF(PMS,NA,NB))) ~: analz(spies evs)" 1);
  13.532  by (asm_simp_tac (simpset() addsimps [Spy_not_see_MS, 
  13.533  				      not_parts_not_analz]) 2);
  13.534  by (Fake_parts_insert_tac 1);
  13.535  val lemma = normalize_thm [RSmp] (result());
  13.536  
  13.537  (*Final version*)
  13.538 -Goal
  13.539 - "!!evs. [| X = Crypt (serverK(Na,Nb,M))                  \
  13.540 -\                 (Hash{|Number SID, Nonce M,             \
  13.541 -\                        Nonce Na, Number PA, Agent A,    \
  13.542 -\                        Nonce Nb, Number PB, Agent B|}); \
  13.543 -\           M = PRF(PMS,NA,NB);                           \
  13.544 -\           X : parts (spies evs);                        \
  13.545 -\           Notes A {|Agent B, Nonce PMS|} : set evs;     \
  13.546 -\           Says B Spy (Key (serverK(Na,Nb,M))) ~: set evs; \
  13.547 -\           evs : tls;  A ~: bad;  B ~: bad |]          \
  13.548 -\        ==> Says B A X : set evs";
  13.549 +Goal "[| X = Crypt (serverK(Na,Nb,M))                  \
  13.550 +\              (Hash{|Number SID, Nonce M,             \
  13.551 +\                     Nonce Na, Number PA, Agent A,    \
  13.552 +\                     Nonce Nb, Number PB, Agent B|}); \
  13.553 +\        M = PRF(PMS,NA,NB);                           \
  13.554 +\        X : parts (spies evs);                        \
  13.555 +\        Notes A {|Agent B, Nonce PMS|} : set evs;     \
  13.556 +\        Says B Spy (Key (serverK(Na,Nb,M))) ~: set evs; \
  13.557 +\        evs : tls;  A ~: bad;  B ~: bad |]          \
  13.558 +\     ==> Says B A X : set evs";
  13.559  by (blast_tac (claset() addIs [lemma]
  13.560                          addEs [serverK_Oops_ALL RSN(2, rev_notE)]) 1);
  13.561  qed_spec_mp "TrustServerFinished";
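Review bot: The `subgoal_tac` string in the Fake case, now `"Key (serverK(Na,Nb,PRF(PMS,NA,NB))) ~: analz(spies evs)"`, has to spell the trace variable exactly as it appears in the goal state after `analz_induct_tac`, and nothing in the script records that dependency. The name changes from `evsa` to `evs` in this commit, presumably because the goal no longer binds `evs` with `!!evs.` and induction therefore has nothing to rename; the same edit appears in the hunks at `@@ -702,20 +669,19 @@` and `@@ -744,19 +709,18 @@`. A stale name would likely not be rejected when the string is read, but would leave the fact that the Spy lacks the session key stated about an unrelated variable, so the failure would surface later and be hard to trace. I would add `(*evs must match the trace variable left in the goal by analz_induct_tac*)` above each of the three calls.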
  13.562 @@ -681,12 +649,11 @@
  13.563    have changed A's identity in all other messages, so we can't be sure
  13.564    that B sends his message to A.  If CLIENT KEY EXCHANGE were augmented
  13.565    to bind A's identity with PMS, then we could replace A' by A below.*)
  13.566 -Goal
  13.567 - "!!evs. [| M = PRF(PMS,NA,NB);  evs : tls;  A ~: bad;  B ~: bad |]     \
  13.568 -\        ==> (ALL A. Says A Spy (Key(serverK(Na,Nb,M))) ~: set evs) --> \
  13.569 -\            Notes A {|Agent B, Nonce PMS|} : set evs -->              \
  13.570 -\            Crypt (serverK(Na,Nb,M)) Y : parts (spies evs)  -->  \
  13.571 -\            (EX A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) : set evs)";
  13.572 +Goal "[| M = PRF(PMS,NA,NB);  evs : tls;  A ~: bad;  B ~: bad |]     \
  13.573 +\     ==> (ALL A. Says A Spy (Key(serverK(Na,Nb,M))) ~: set evs) --> \
  13.574 +\         Notes A {|Agent B, Nonce PMS|} : set evs -->              \
  13.575 +\         Crypt (serverK(Na,Nb,M)) Y : parts (spies evs)  -->  \
  13.576 +\         (EX A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) : set evs)";
  13.577  by (hyp_subst_tac 1);
  13.578  by (analz_induct_tac 1);	(*20 seconds*)
  13.579  by (ALLGOALS (asm_simp_tac (simpset() addsimps [ex_disj_distrib])));
  13.580 @@ -702,20 +669,19 @@
  13.581  (*ClientKeyExch*)
  13.582  by (blast_tac (claset() addSDs [PMS_Crypt_sessionK_not_spied]) 2);
  13.583  (*Fake: the Spy doesn't have the critical session key!*)
  13.584 -by (subgoal_tac "Key (serverK(Na,Nb,PRF(PMS,NA,NB))) ~: analz(spies evsa)" 1);
  13.585 +by (subgoal_tac "Key (serverK(Na,Nb,PRF(PMS,NA,NB))) ~: analz(spies evs)" 1);
  13.586  by (asm_simp_tac (simpset() addsimps [Spy_not_see_MS, 
  13.587  				      not_parts_not_analz]) 2);
  13.588  by (Fake_parts_insert_tac 1);
  13.589  val lemma = normalize_thm [RSmp] (result());
  13.590  
  13.591  (*Final version*)
  13.592 -Goal
  13.593 - "!!evs. [| M = PRF(PMS,NA,NB);                           \
  13.594 -\           Crypt (serverK(Na,Nb,M)) Y : parts (spies evs); \
  13.595 -\           Notes A {|Agent B, Nonce PMS|} : set evs;     \
  13.596 -\           Says B Spy (Key (serverK(Na,Nb,M))) ~: set evs; \
  13.597 -\           evs : tls;  A ~: bad;  B ~: bad |]          \
  13.598 -\        ==> EX A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) : set evs";
  13.599 +Goal "[| M = PRF(PMS,NA,NB);                           \
  13.600 +\        Crypt (serverK(Na,Nb,M)) Y : parts (spies evs); \
  13.601 +\        Notes A {|Agent B, Nonce PMS|} : set evs;     \
  13.602 +\        Says B Spy (Key (serverK(Na,Nb,M))) ~: set evs; \
  13.603 +\        evs : tls;  A ~: bad;  B ~: bad |]          \
  13.604 +\     ==> EX A'. Says B A' (Crypt (serverK(Na,Nb,M)) Y) : set evs";
  13.605  by (blast_tac (claset() addIs [lemma]
  13.606                          addEs [serverK_Oops_ALL RSN(2, rev_notE)]) 1);
  13.607  qed_spec_mp "TrustServerMsg";
  13.608 @@ -728,12 +694,11 @@
  13.609       ClientFinished, then B can then check the quoted values PA, PB, etc.
  13.610  ***)
  13.611  
  13.612 -Goal
  13.613 - "!!evs. [| M = PRF(PMS,NA,NB);  evs : tls;  A ~: bad;  B ~: bad |] \
  13.614 -\    ==> (ALL A. Says A Spy (Key(clientK(Na,Nb,M))) ~: set evs) --> \
  13.615 -\        Notes A {|Agent B, Nonce PMS|} : set evs -->               \
  13.616 -\        Crypt (clientK(Na,Nb,M)) Y : parts (spies evs) -->         \
  13.617 -\        Says A B (Crypt (clientK(Na,Nb,M)) Y) : set evs";
  13.618 +Goal "[| M = PRF(PMS,NA,NB);  evs : tls;  A ~: bad;  B ~: bad |] \
  13.619 +\ ==> (ALL A. Says A Spy (Key(clientK(Na,Nb,M))) ~: set evs) --> \
  13.620 +\     Notes A {|Agent B, Nonce PMS|} : set evs -->               \
  13.621 +\     Crypt (clientK(Na,Nb,M)) Y : parts (spies evs) -->         \
  13.622 +\     Says A B (Crypt (clientK(Na,Nb,M)) Y) : set evs";
  13.623  by (hyp_subst_tac 1);
  13.624  by (analz_induct_tac 1);	(*15 seconds*)
  13.625  by (ALLGOALS Clarify_tac);
  13.626 @@ -744,19 +709,18 @@
  13.627  (*ClientKeyExch*)
  13.628  by (blast_tac (claset() addSDs [PMS_Crypt_sessionK_not_spied]) 2);
  13.629  (*Fake: the Spy doesn't have the critical session key!*)
  13.630 -by (subgoal_tac "Key (clientK(Na,Nb,PRF(PMS,NA,NB))) ~: analz(spies evsa)" 1);
  13.631 +by (subgoal_tac "Key (clientK(Na,Nb,PRF(PMS,NA,NB))) ~: analz(spies evs)" 1);
  13.632  by (asm_simp_tac (simpset() addsimps [Spy_not_see_MS, 
  13.633  				      not_parts_not_analz]) 2);
  13.634  by (Fake_parts_insert_tac 1);
  13.635  val lemma = normalize_thm [RSmp] (result());
  13.636  
  13.637  (*Final version*)
  13.638 -Goal
  13.639 - "!!evs. [| M = PRF(PMS,NA,NB);                           \
  13.640 -\           Crypt (clientK(Na,Nb,M)) Y : parts (spies evs);  \
  13.641 -\           Notes A {|Agent B, Nonce PMS|} : set evs;        \
  13.642 -\           Says A Spy (Key(clientK(Na,Nb,M))) ~: set evs;  \
  13.643 -\           evs : tls;  A ~: bad;  B ~: bad |]                         \
  13.644 +Goal "[| M = PRF(PMS,NA,NB);                           \
  13.645 +\        Crypt (clientK(Na,Nb,M)) Y : parts (spies evs);  \
  13.646 +\        Notes A {|Agent B, Nonce PMS|} : set evs;        \
  13.647 +\        Says A Spy (Key(clientK(Na,Nb,M))) ~: set evs;  \
  13.648 +\        evs : tls;  A ~: bad;  B ~: bad |]                         \
  13.649  \  ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) : set evs";
  13.650  by (blast_tac (claset() addIs [lemma]
  13.651                          addEs [clientK_Oops_ALL RSN(2, rev_notE)]) 1);
  13.652 @@ -768,15 +732,14 @@
  13.653       check a CertVerify from A, then A has used the quoted
  13.654       values PA, PB, etc.  Even this one requires A to be uncompromised.
  13.655   ***)
  13.656 -Goal
  13.657 - "!!evs. [| M = PRF(PMS,NA,NB);                           \
  13.658 -\           Says A Spy (Key(clientK(Na,Nb,M))) ~: set evs;\
  13.659 -\           Says A' B (Crypt (clientK(Na,Nb,M)) Y) : set evs; \
  13.660 -\           certificate A KA : parts (spies evs);       \
  13.661 -\           Says A'' B (Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|}))\
  13.662 -\             : set evs;                                                  \
  13.663 -\        evs : tls;  A ~: bad;  B ~: bad |]                             \
  13.664 -\     ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) : set evs";
  13.665 +Goal "[| M = PRF(PMS,NA,NB);                           \
  13.666 +\        Says A Spy (Key(clientK(Na,Nb,M))) ~: set evs;\
  13.667 +\        Says A' B (Crypt (clientK(Na,Nb,M)) Y) : set evs; \
  13.668 +\        certificate A KA : parts (spies evs);       \
  13.669 +\        Says A'' B (Crypt (invKey KA) (Hash{|nb, Agent B, Nonce PMS|}))\
  13.670 +\          : set evs;                                                  \
  13.671 +\     evs : tls;  A ~: bad;  B ~: bad |]                             \
  13.672 +\  ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) : set evs";
  13.673  by (blast_tac (claset() addSIs [TrustClientMsg, UseCertVerify]
  13.674                          addDs  [Says_imp_spies RS parts.Inj]) 1);
  13.675  qed "AuthClientFinished";
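Review bot: The last premise line, `\     evs : tls;  A ~: bad;  B ~: bad |]`, is indented five spaces while the other premises inside `[| ... |]` are at eight, so the honesty assumptions on A and B read as if they belonged to the conclusion. The old text had the same three-column offset and the reformatting carries it over. Since the comment above this goal says the result requires A to be uncompromised, I would align the line as `\        evs : tls;  A ~: bad;  B ~: bad |]                             \` and put the conclusion at `\     ==> Says A B (Crypt (clientK(Na,Nb,M)) Y) : set evs";`, as most of the reformatted goals do. The comment block before the goal starts outside this hunk.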
    14.1 --- a/src/HOL/Auth/WooLam.ML	Thu Jul 02 17:27:35 1998 +0200
    14.2 +++ b/src/HOL/Auth/WooLam.ML	Thu Jul 02 17:48:11 1998 +0200
    14.3 @@ -21,10 +21,9 @@
    14.4  
    14.5  
    14.6  (*A "possibility property": there are traces that reach the end*)
    14.7 -Goal 
    14.8 - "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
    14.9 -\        ==> EX NB. EX evs: woolam.               \
   14.10 -\              Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|}) : set evs";
   14.11 +Goal "[| A ~= B; A ~= Server; B ~= Server |]   \
   14.12 +\     ==> EX NB. EX evs: woolam.               \
   14.13 +\           Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|}) : set evs";
   14.14  by (REPEAT (resolve_tac [exI,bexI] 1));
   14.15  by (rtac (woolam.Nil RS woolam.WL1 RS woolam.WL2 RS woolam.WL3 RS 
   14.16            woolam.WL4 RS woolam.WL5) 2);
   14.17 @@ -35,7 +34,7 @@
   14.18  (**** Inductive proofs about woolam ****)
   14.19  
   14.20  (*Nobody sends themselves messages*)
   14.21 -Goal "!!evs. evs : woolam ==> ALL A X. Says A A X ~: set evs";
   14.22 +Goal "evs : woolam ==> ALL A X. Says A A X ~: set evs";
   14.23  by (etac woolam.induct 1);
   14.24  by Auto_tac;
   14.25  qed_spec_mp "not_Says_to_self";
   14.26 @@ -45,7 +44,7 @@
   14.27  
   14.28  (** For reasoning about the encrypted portion of messages **)
   14.29  
   14.30 -Goal "!!evs. Says A' B X : set evs ==> X : analz (spies evs)";
   14.31 +Goal "Says A' B X : set evs ==> X : analz (spies evs)";
   14.32  by (etac (Says_imp_spies RS analz.Inj) 1);
   14.33  qed "WL4_analz_spies";
   14.34  
   14.35 @@ -63,15 +62,13 @@
   14.36      sends messages containing X! **)
   14.37  
   14.38  (*Spy never sees another agent's shared key! (unless it's bad at start)*)
   14.39 -Goal 
   14.40 - "!!evs. evs : woolam ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
   14.41 +Goal "evs : woolam ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
   14.42  by (parts_induct_tac 1);
   14.43  by (Blast_tac 1);
   14.44  qed "Spy_see_shrK";
   14.45  Addsimps [Spy_see_shrK];
   14.46  
   14.47 -Goal 
   14.48 - "!!evs. evs : woolam ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
   14.49 +Goal "evs : woolam ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
   14.50  by Auto_tac;
   14.51  qed "Spy_analz_shrK";
   14.52  Addsimps [Spy_analz_shrK];
   14.53 @@ -86,10 +83,9 @@
   14.54  (*** WL4 ***)
   14.55  
   14.56  (*If the encrypted message appears then it originated with Alice*)
   14.57 -Goal 
   14.58 - "!!evs. [| Crypt (shrK A) (Nonce NB) : parts (spies evs);  \
   14.59 -\           A ~: bad;  evs : woolam |]                      \
   14.60 -\        ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
   14.61 +Goal "[| Crypt (shrK A) (Nonce NB) : parts (spies evs);  \
   14.62 +\        A ~: bad;  evs : woolam |]                      \
   14.63 +\     ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
   14.64  by (etac rev_mp 1);
   14.65  by (parts_induct_tac 1);
   14.66  by (ALLGOALS Blast_tac);
   14.67 @@ -98,11 +94,10 @@
   14.68  (*Guarantee for Server: if it gets a message containing a certificate from 
   14.69    Alice, then she originated that certificate.  But we DO NOT know that B
   14.70    ever saw it: the Spy may have rerouted the message to the Server.*)
   14.71 -Goal 
   14.72 - "!!evs. [| Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|} \
   14.73 -\             : set evs;                                                   \
   14.74 -\           A ~: bad;  evs : woolam |]                                     \
   14.75 -\        ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
   14.76 +Goal "[| Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|} \
   14.77 +\          : set evs;                                                   \
   14.78 +\        A ~: bad;  evs : woolam |]                                     \
   14.79 +\     ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
   14.80  by (blast_tac (claset() addSIs [NB_Crypt_imp_Alice_msg]) 1);
   14.81  qed "Server_trusts_WL4";
   14.82  
   14.83 @@ -112,11 +107,10 @@
   14.84  (*** WL5 ***)
   14.85  
   14.86  (*Server sent WL5 only if it received the right sort of message*)
   14.87 -Goal 
   14.88 - "!!evs. [| Says Server B (Crypt (shrK B) {|Agent A, NB|}) : set evs;      \
   14.89 -\           evs : woolam |]                                                \
   14.90 -\        ==> EX B'. Says B' Server {|Agent A, Agent B, Crypt (shrK A) NB|} \
   14.91 -\               : set evs";
   14.92 +Goal "[| Says Server B (Crypt (shrK B) {|Agent A, NB|}) : set evs;      \
   14.93 +\        evs : woolam |]                                                \
   14.94 +\     ==> EX B'. Says B' Server {|Agent A, Agent B, Crypt (shrK A) NB|} \
   14.95 +\            : set evs";
   14.96  by (etac rev_mp 1);
   14.97  by (parts_induct_tac 1);
   14.98  by (ALLGOALS Blast_tac);
   14.99 @@ -125,10 +119,9 @@
  14.100  AddDs [Server_sent_WL5];
  14.101  
  14.102  (*If the encrypted message appears then it originated with the Server!*)
  14.103 -Goal 
  14.104 - "!!evs. [| Crypt (shrK B) {|Agent A, NB|} : parts (spies evs);  \
  14.105 -\           B ~: bad;  evs : woolam |]                           \
  14.106 -\        ==> Says Server B (Crypt (shrK B) {|Agent A, NB|}) : set evs";
  14.107 +Goal "[| Crypt (shrK B) {|Agent A, NB|} : parts (spies evs);  \
  14.108 +\        B ~: bad;  evs : woolam |]                           \
  14.109 +\     ==> Says Server B (Crypt (shrK B) {|Agent A, NB|}) : set evs";
  14.110  by (etac rev_mp 1);
  14.111  by (parts_induct_tac 1);
  14.112  by (Blast_tac 1);
  14.113 @@ -138,18 +131,16 @@
  14.114    the nonce using her key.  This event can be no older than the nonce itself.
  14.115    But A may have sent the nonce to some other agent and it could have reached
  14.116    the Server via the Spy.*)
  14.117 -Goal 
  14.118 - "!!evs. [| Says S B (Crypt (shrK B) {|Agent A, Nonce NB|}): set evs; \
  14.119 -\           A ~: bad;  B ~: bad;  evs : woolam  |]                  \
  14.120 -\        ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
  14.121 +Goal "[| Says S B (Crypt (shrK B) {|Agent A, Nonce NB|}): set evs; \
  14.122 +\        A ~: bad;  B ~: bad;  evs : woolam  |]                  \
  14.123 +\     ==> EX B. Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
  14.124  by (blast_tac (claset() addSDs [NB_Crypt_imp_Server_msg]) 1);
  14.125  qed "B_trusts_WL5";
  14.126  
  14.127  
  14.128  (*B only issues challenges in response to WL1.  Not used.*)
  14.129 -Goal 
  14.130 - "!!evs. [| Says B A (Nonce NB) : set evs;  B ~= Spy;  evs : woolam |]  \
  14.131 -\        ==> EX A'. Says A' B (Agent A) : set evs";
  14.132 +Goal "[| Says B A (Nonce NB) : set evs;  B ~= Spy;  evs : woolam |]  \
  14.133 +\     ==> EX A'. Says A' B (Agent A) : set evs";
  14.134  by (etac rev_mp 1);
  14.135  by (parts_induct_tac 1);
  14.136  by (ALLGOALS Blast_tac);
  14.137 @@ -157,11 +148,10 @@
  14.138  
  14.139  
  14.140  (**CANNOT be proved because A doesn't know where challenges come from...
  14.141 -Goal 
  14.142 - "!!evs. [| A ~: bad;  B ~= Spy;  evs : woolam |]           \
  14.143 -\    ==> Crypt (shrK A) (Nonce NB) : parts (spies evs) &  \
  14.144 -\        Says B A (Nonce NB) : set evs                       \
  14.145 -\        --> Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
  14.146 +Goal "[| A ~: bad;  B ~= Spy;  evs : woolam |]           \
  14.147 +\ ==> Crypt (shrK A) (Nonce NB) : parts (spies evs) &  \
  14.148 +\     Says B A (Nonce NB) : set evs                       \
  14.149 +\     --> Says A B (Crypt (shrK A) (Nonce NB)) : set evs";
  14.150  by (parts_induct_tac 1);
  14.151  by (Blast_tac 1);
  14.152  by Safe_tac;
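Review bot: The goal rewritten at 14.146–14.149 lies inside the `(**CANNOT be proved ...` comment opened at 14.140, so the prover never parses the new text and a slip in the re-indentation would go unnoticed. The new `==>` line is indented less than the premise line above it and the trailing `\` markers do not line up, unlike the live goals in this file. If the statement is kept as a record of what A cannot conclude about the origin of a challenge, I would lay it out like the others, e.g. `\     ==> Crypt (shrK A) (Nonce NB) : parts (spies evs) &   \`. The comment block closes outside this hunk.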
    15.1 --- a/src/HOL/Auth/Yahalom.ML	Thu Jul 02 17:27:35 1998 +0200
    15.2 +++ b/src/HOL/Auth/Yahalom.ML	Thu Jul 02 17:48:11 1998 +0200
    15.3 @@ -18,10 +18,9 @@
    15.4  
    15.5  
    15.6  (*A "possibility property": there are traces that reach the end*)
    15.7 -Goal 
    15.8 - "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
    15.9 -\        ==> EX X NB K. EX evs: yahalom.          \
   15.10 -\               Says A B {|X, Crypt K (Nonce NB)|} : set evs";
   15.11 +Goal "[| A ~= B; A ~= Server; B ~= Server |]   \
   15.12 +\     ==> EX X NB K. EX evs: yahalom.          \
   15.13 +\            Says A B {|X, Crypt K (Nonce NB)|} : set evs";
   15.14  by (REPEAT (resolve_tac [exI,bexI] 1));
   15.15  by (rtac (yahalom.Nil RS yahalom.YM1 RS yahalom.YM2 RS yahalom.YM3 RS 
   15.16            yahalom.YM4) 2);
   15.17 @@ -32,7 +31,7 @@
   15.18  (**** Inductive proofs about yahalom ****)
   15.19  
   15.20  (*Nobody sends themselves messages*)
   15.21 -Goal "!!evs. evs: yahalom ==> ALL A X. Says A A X ~: set evs";
   15.22 +Goal "evs: yahalom ==> ALL A X. Says A A X ~: set evs";
   15.23  by (etac yahalom.induct 1);
   15.24  by Auto_tac;
   15.25  qed_spec_mp "not_Says_to_self";
   15.26 @@ -43,8 +42,8 @@
   15.27  (** For reasoning about the encrypted portion of messages **)
   15.28  
   15.29  (*Lets us treat YM4 using a similar argument as for the Fake case.*)
   15.30 -Goal "!!evs. Says S A {|Crypt (shrK A) Y, X|} : set evs ==> \
   15.31 -\                X : analz (spies evs)";
   15.32 +Goal "Says S A {|Crypt (shrK A) Y, X|} : set evs ==> \
   15.33 +\             X : analz (spies evs)";
   15.34  by (blast_tac (claset() addSDs [Says_imp_spies RS analz.Inj]) 1);
   15.35  qed "YM4_analz_spies";
   15.36  
   15.37 @@ -52,8 +51,8 @@
   15.38            YM4_analz_spies RS (impOfSubs analz_subset_parts));
   15.39  
   15.40  (*Relates to both YM4 and Oops*)
   15.41 -Goal "!!evs. Says S A {|Crypt (shrK A) {|B,K,NA,NB|}, X|} : set evs ==> \
   15.42 -\                K : parts (spies evs)";
   15.43 +Goal "Says S A {|Crypt (shrK A) {|B,K,NA,NB|}, X|} : set evs ==> \
   15.44 +\             K : parts (spies evs)";
   15.45  by (blast_tac (claset() addSEs partsEs
   15.46                          addSDs [Says_imp_spies RS parts.Inj]) 1);
   15.47  qed "YM4_Key_parts_spies";
   15.48 @@ -78,16 +77,14 @@
   15.49      sends messages containing X! **)
   15.50  
   15.51  (*Spy never sees another agent's shared key! (unless it's bad at start)*)
   15.52 -Goal 
   15.53 - "!!evs. evs : yahalom ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
   15.54 +Goal "evs : yahalom ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
   15.55  by (parts_induct_tac 1);
   15.56  by (Fake_parts_insert_tac 1);
   15.57  by (ALLGOALS Blast_tac);
   15.58  qed "Spy_see_shrK";
   15.59  Addsimps [Spy_see_shrK];
   15.60  
   15.61 -Goal 
   15.62 - "!!evs. evs : yahalom ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
   15.63 +Goal "evs : yahalom ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
   15.64  by (auto_tac(claset() addDs [impOfSubs analz_subset_parts], simpset()));
   15.65  qed "Spy_analz_shrK";
   15.66  Addsimps [Spy_analz_shrK];
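Review bot: `Spy_analz_shrK` at 15.63 has no header comment, while `Spy_see_shrK` just above it does. Both are added to the simpset, so a one-line comment would tell readers why the second rule exists, for example `(*The same for analz, which is included in parts*)`. That matches the proof at 15.64, which goes through `analz_subset_parts`.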
   15.67 @@ -97,8 +94,8 @@
   15.68  
   15.69  
   15.70  (*Nobody can have used non-existent keys!  Needed to apply analz_insert_Key*)
   15.71 -Goal "!!evs. evs : yahalom ==>          \
   15.72 -\         Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
   15.73 +Goal "evs : yahalom ==>          \
   15.74 +\      Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
   15.75  by (parts_induct_tac 1);
   15.76  (*Fake*)
   15.77  by (blast_tac (claset() addSDs [keysFor_parts_insert]) 1);
   15.78 @@ -115,11 +112,10 @@
   15.79  
   15.80  (*Describes the form of K when the Server sends this message.  Useful for
   15.81    Oops as well as main secrecy property.*)
   15.82 -Goal 
   15.83 - "!!evs. [| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \
   15.84 -\             : set evs;                                                   \
   15.85 -\           evs : yahalom |]                                          \
   15.86 -\        ==> K ~: range shrK";
   15.87 +Goal "[| Says Server A {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} \
   15.88 +\          : set evs;                                                   \
   15.89 +\        evs : yahalom |]                                          \
   15.90 +\     ==> K ~: range shrK";
   15.91  by (etac rev_mp 1);
   15.92  by (etac yahalom.induct 1);
   15.93  by (ALLGOALS Asm_simp_tac);
   15.94 @@ -143,11 +139,10 @@
   15.95  
   15.96  (** Session keys are not used to encrypt other session keys **)
   15.97  
   15.98 -Goal  
   15.99 - "!!evs. evs : yahalom ==>                              \
  15.100 +Goal "evs : yahalom ==>                              \
  15.101  \  ALL K KK. KK <= Compl (range shrK) -->               \
  15.102 -\            (Key K : analz (Key``KK Un (spies evs))) = \
  15.103 -\            (K : KK | Key K : analz (spies evs))";
  15.104 +\         (Key K : analz (Key``KK Un (spies evs))) = \
  15.105 +\         (K : KK | Key K : analz (spies evs))";
  15.106  by (etac yahalom.induct 1);
  15.107  by analz_spies_tac;
  15.108  by (REPEAT_FIRST (resolve_tac [allI, impI]));
  15.109 @@ -158,22 +153,20 @@
  15.110  by (spy_analz_tac 1);
  15.111  qed_spec_mp "analz_image_freshK";
  15.112  
  15.113 -Goal
  15.114 - "!!evs. [| evs : yahalom;  KAB ~: range shrK |]              \
  15.115 -\         ==> Key K : analz (insert (Key KAB) (spies evs)) =  \
  15.116 -\             (K = KAB | Key K : analz (spies evs))";
  15.117 +Goal "[| evs : yahalom;  KAB ~: range shrK |]              \
  15.118 +\      ==> Key K : analz (insert (Key KAB) (spies evs)) =  \
  15.119 +\          (K = KAB | Key K : analz (spies evs))";
  15.120  by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
  15.121  qed "analz_insert_freshK";
  15.122  
  15.123  
  15.124  (*** The Key K uniquely identifies the Server's  message. **)
  15.125  
  15.126 -Goal 
  15.127 - "!!evs. evs : yahalom ==>                                     \
  15.128 -\      EX A' B' na' nb' X'. ALL A B na nb X.                   \
  15.129 -\          Says Server A                                       \
  15.130 -\           {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|}   \
  15.131 -\          : set evs --> A=A' & B=B' & na=na' & nb=nb' & X=X'";
  15.132 +Goal "evs : yahalom ==>                                     \
  15.133 +\   EX A' B' na' nb' X'. ALL A B na nb X.                   \
  15.134 +\       Says Server A                                       \
  15.135 +\        {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|}   \
  15.136 +\       : set evs --> A=A' & B=B' & na=na' & nb=nb' & X=X'";
  15.137  by (etac yahalom.induct 1);
  15.138  by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
  15.139  by (ALLGOALS Clarify_tac);
  15.140 @@ -187,27 +180,25 @@
  15.141                          delrules [conjI]    (*no split-up to 4 subgoals*)) 1);
  15.142  val lemma = result();
  15.143  
  15.144 -Goal 
  15.145 -"!!evs. [| Says Server A                                                 \
  15.146 -\            {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} : set evs; \
  15.147 -\          Says Server A'                                                \
  15.148 -\            {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} : set evs; \
  15.149 -\          evs : yahalom |]                                    \
  15.150 -\       ==> A=A' & B=B' & na=na' & nb=nb'";
  15.151 +Goal "[| Says Server A                                                 \
  15.152 +\         {|Crypt (shrK A) {|Agent B, Key K, na, nb|}, X|} : set evs; \
  15.153 +\       Says Server A'                                                \
  15.154 +\         {|Crypt (shrK A') {|Agent B', Key K, na', nb'|}, X'|} : set evs; \
  15.155 +\       evs : yahalom |]                                    \
  15.156 +\    ==> A=A' & B=B' & na=na' & nb=nb'";
  15.157  by (prove_unique_tac lemma 1);
  15.158  qed "unique_session_keys";
  15.159  
  15.160  
  15.161  (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **)
  15.162  
  15.163 -Goal 
  15.164 - "!!evs. [| A ~: bad;  B ~: bad;  evs : yahalom |]                \
  15.165 -\        ==> Says Server A                                        \
  15.166 -\              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},       \
  15.167 -\                Crypt (shrK B) {|Agent A, Key K|}|}              \
  15.168 -\             : set evs -->                                       \
  15.169 -\            Notes Spy {|na, nb, Key K|} ~: set evs -->           \
  15.170 -\            Key K ~: analz (spies evs)";
  15.171 +Goal "[| A ~: bad;  B ~: bad;  evs : yahalom |]                \
  15.172 +\     ==> Says Server A                                        \
  15.173 +\           {|Crypt (shrK A) {|Agent B, Key K, na, nb|},       \
  15.174 +\             Crypt (shrK B) {|Agent A, Key K|}|}              \
  15.175 +\          : set evs -->                                       \
  15.176 +\         Notes Spy {|na, nb, Key K|} ~: set evs -->           \
  15.177 +\         Key K ~: analz (spies evs)";
  15.178  by (etac yahalom.induct 1);
  15.179  by analz_spies_tac;
  15.180  by (ALLGOALS
  15.181 @@ -226,14 +217,13 @@
  15.182  
  15.183  
  15.184  (*Final version*)
  15.185 -Goal 
  15.186 - "!!evs. [| Says Server A                                         \
  15.187 -\              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},       \
  15.188 -\                Crypt (shrK B) {|Agent A, Key K|}|}              \
  15.189 -\             : set evs;                                          \
  15.190 -\           Notes Spy {|na, nb, Key K|} ~: set evs;               \
  15.191 -\           A ~: bad;  B ~: bad;  evs : yahalom |]                \
  15.192 -\        ==> Key K ~: analz (spies evs)";
  15.193 +Goal "[| Says Server A                                         \
  15.194 +\           {|Crypt (shrK A) {|Agent B, Key K, na, nb|},       \
  15.195 +\             Crypt (shrK B) {|Agent A, Key K|}|}              \
  15.196 +\          : set evs;                                          \
  15.197 +\        Notes Spy {|na, nb, Key K|} ~: set evs;               \
  15.198 +\        A ~: bad;  B ~: bad;  evs : yahalom |]                \
  15.199 +\     ==> Key K ~: analz (spies evs)";
  15.200  by (blast_tac (claset() addSEs [lemma]) 1);
  15.201  qed "Spy_not_see_encrypted_key";
  15.202  
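Review bot: The comment `(*Final version*)` at 15.184 does not say under which conditions the secrecy result holds, which is what a reader relying on `Spy_not_see_encrypted_key` most needs. The premises at 15.193–15.198 require that A and B are not in `bad` and that `Notes Spy {|na, nb, Key K|}` does not occur in the trace (presumably the Oops event mentioned elsewhere in this file). I would expand the comment to something like `(*Final version: K stays secret only if A and B are uncompromised and K has not been given to the Spy by Oops*)`.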
  15.203 @@ -241,24 +231,22 @@
  15.204  (** Security Guarantee for A upon receiving YM3 **)
  15.205  
  15.206  (*If the encrypted message appears then it originated with the Server*)
  15.207 -Goal
  15.208 - "!!evs. [| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (spies evs); \
  15.209 -\           A ~: bad;  evs : yahalom |]                          \
  15.210 -\         ==> Says Server A                                            \
  15.211 -\              {|Crypt (shrK A) {|Agent B, Key K, na, nb|},            \
  15.212 -\                Crypt (shrK B) {|Agent A, Key K|}|}                   \
  15.213 -\             : set evs";
  15.214 +Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (spies evs); \
  15.215 +\        A ~: bad;  evs : yahalom |]                          \
  15.216 +\      ==> Says Server A                                            \
  15.217 +\           {|Crypt (shrK A) {|Agent B, Key K, na, nb|},            \
  15.218 +\             Crypt (shrK B) {|Agent A, Key K|}|}                   \
  15.219 +\          : set evs";
  15.220  by (etac rev_mp 1);
  15.221  by (parts_induct_tac 1);
  15.222  by (Fake_parts_insert_tac 1);
  15.223  qed "A_trusts_YM3";
  15.224  
  15.225  (*The obvious combination of A_trusts_YM3 with Spy_not_see_encrypted_key*)
  15.226 -Goal
  15.227 - "!!evs. [| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (spies evs); \
  15.228 -\           Notes Spy {|na, nb, Key K|} ~: set evs;               \
  15.229 -\           A ~: bad;  B ~: bad;  evs : yahalom |]                \
  15.230 -\        ==> Key K ~: analz (spies evs)";
  15.231 +Goal "[| Crypt (shrK A) {|Agent B, Key K, na, nb|} : parts (spies evs); \
  15.232 +\        Notes Spy {|na, nb, Key K|} ~: set evs;               \
  15.233 +\        A ~: bad;  B ~: bad;  evs : yahalom |]                \
  15.234 +\     ==> Key K ~: analz (spies evs)";
  15.235  by (blast_tac (claset() addSDs [A_trusts_YM3, Spy_not_see_encrypted_key]) 1);
  15.236  qed "A_gets_good_key";
  15.237  
  15.238 @@ -266,14 +254,13 @@
  15.239  
  15.240  (*B knows, by the first part of A's message, that the Server distributed 
  15.241    the key for A and B.  But this part says nothing about nonces.*)
  15.242 -Goal 
  15.243 - "!!evs. [| Crypt (shrK B) {|Agent A, Key K|} : parts (spies evs);      \
  15.244 -\           B ~: bad;  evs : yahalom |]                                 \
  15.245 -\        ==> EX NA NB. Says Server A                                    \
  15.246 -\                        {|Crypt (shrK A) {|Agent B, Key K,             \
  15.247 -\                                           Nonce NA, Nonce NB|},       \
  15.248 -\                          Crypt (shrK B) {|Agent A, Key K|}|}          \
  15.249 -\                       : set evs";
  15.250 +Goal "[| Crypt (shrK B) {|Agent A, Key K|} : parts (spies evs);      \
  15.251 +\        B ~: bad;  evs : yahalom |]                                 \
  15.252 +\     ==> EX NA NB. Says Server A                                    \
  15.253 +\                     {|Crypt (shrK A) {|Agent B, Key K,             \
  15.254 +\                                        Nonce NA, Nonce NB|},       \
  15.255 +\                       Crypt (shrK B) {|Agent A, Key K|}|}          \
  15.256 +\                    : set evs";
  15.257  by (etac rev_mp 1);
  15.258  by (parts_induct_tac 1);
  15.259  by (Fake_parts_insert_tac 1);
  15.260 @@ -285,15 +272,14 @@
  15.261    the key quoting nonce NB.  This part says nothing about agent names. 
  15.262    Secrecy of NB is crucial.  Note that  Nonce NB  ~: analz (spies evs)  must
  15.263    be the FIRST antecedent of the induction formula.*)
  15.264 -Goal 
  15.265 - "!!evs. evs : yahalom                                          \
  15.266 -\        ==> Nonce NB ~: analz (spies evs) -->                  \
  15.267 -\            Crypt K (Nonce NB) : parts (spies evs) -->         \
  15.268 -\            (EX A B NA. Says Server A                          \
  15.269 -\                        {|Crypt (shrK A) {|Agent B, Key K,     \
  15.270 -\                                  Nonce NA, Nonce NB|},        \
  15.271 -\                          Crypt (shrK B) {|Agent A, Key K|}|}  \
  15.272 -\                       : set evs)";
  15.273 +Goal "evs : yahalom                                          \
  15.274 +\     ==> Nonce NB ~: analz (spies evs) -->                  \
  15.275 +\         Crypt K (Nonce NB) : parts (spies evs) -->         \
  15.276 +\         (EX A B NA. Says Server A                          \
  15.277 +\                     {|Crypt (shrK A) {|Agent B, Key K,     \
  15.278 +\                               Nonce NA, Nonce NB|},        \
  15.279 +\                       Crypt (shrK B) {|Agent A, Key K|}|}  \
  15.280 +\                    : set evs)";
  15.281  by (parts_induct_tac 1);
  15.282  by (ALLGOALS Clarify_tac);
  15.283  (*YM3 & Fake*)
  15.284 @@ -313,17 +299,17 @@
  15.285  (** Lemmas about the predicate KeyWithNonce **)
  15.286  
  15.287  Goalw [KeyWithNonce_def]
  15.288 - "!!evs. Says Server A                                              \
  15.289 -\            {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} \
  15.290 -\          : set evs ==> KeyWithNonce K NB evs";
  15.291 + "Says Server A                                              \
  15.292 +\         {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB|}, X|} \
  15.293 +\       : set evs ==> KeyWithNonce K NB evs";
  15.294  by (Blast_tac 1);
  15.295  qed "KeyWithNonceI";
  15.296  
  15.297  Goalw [KeyWithNonce_def]
  15.298     "KeyWithNonce K NB (Says S A X # evs) =                                    \
  15.299 -\    (Server = S &                                                            \
  15.300 -\     (EX B n X'. X = {|Crypt (shrK A) {|Agent B, Key K, n, Nonce NB|}, X'|}) \
  15.301 -\    | KeyWithNonce K NB evs)";
  15.302 +\ (Server = S &                                                            \
  15.303 +\  (EX B n X'. X = {|Crypt (shrK A) {|Agent B, Key K, n, Nonce NB|}, X'|}) \
  15.304 +\ | KeyWithNonce K NB evs)";
  15.305  by (Simp_tac 1);
  15.306  by (Blast_tac 1);
  15.307  qed "KeyWithNonce_Says";
  15.308 @@ -338,18 +324,18 @@
  15.309  (*A fresh key cannot be associated with any nonce 
  15.310    (with respect to a given trace). *)
  15.311  Goalw [KeyWithNonce_def]
  15.312 - "!!evs. Key K ~: used evs ==> ~ KeyWithNonce K NB evs";
  15.313 + "Key K ~: used evs ==> ~ KeyWithNonce K NB evs";
  15.314  by (blast_tac (claset() addSEs spies_partsEs) 1);
  15.315  qed "fresh_not_KeyWithNonce";
  15.316  
  15.317  (*The Server message associates K with NB' and therefore not with any 
  15.318    other nonce NB.*)
  15.319  Goalw [KeyWithNonce_def]
  15.320 - "!!evs. [| Says Server A                                                \
  15.321 -\                {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|} \
  15.322 -\             : set evs;                                                 \
  15.323 -\           NB ~= NB';  evs : yahalom |]                                 \
  15.324 -\        ==> ~ KeyWithNonce K NB evs";
  15.325 + "[| Says Server A                                                \
  15.326 +\             {|Crypt (shrK A) {|Agent B, Key K, na, Nonce NB'|}, X|} \
  15.327 +\          : set evs;                                                 \
  15.328 +\        NB ~= NB';  evs : yahalom |]                                 \
  15.329 +\     ==> ~ KeyWithNonce K NB evs";
  15.330  by (blast_tac (claset() addDs [unique_session_keys]) 1);
  15.331  qed "Says_Server_KeyWithNonce";
  15.332  
  15.333 @@ -361,24 +347,22 @@
  15.334  
  15.335  (*As with analz_image_freshK, we take some pains to express the property
  15.336    as a logical equivalence so that the simplifier can apply it.*)
  15.337 -Goal  
  15.338 - "!!evs. P --> (X : analz (G Un H)) --> (X : analz H)  ==> \
  15.339 -\        P --> (X : analz (G Un H)) = (X : analz H)";
  15.340 +Goal "P --> (X : analz (G Un H)) --> (X : analz H)  ==> \
  15.341 +\     P --> (X : analz (G Un H)) = (X : analz H)";
  15.342  by (blast_tac (claset() addIs [impOfSubs analz_mono]) 1);
  15.343  val Nonce_secrecy_lemma = result();
  15.344  
  15.345 -Goal 
  15.346 - "!!evs. evs : yahalom ==>                                      \
  15.347 -\        (ALL KK. KK <= Compl (range shrK) -->                  \
  15.348 -\             (ALL K: KK. ~ KeyWithNonce K NB evs)   -->        \
  15.349 -\             (Nonce NB : analz (Key``KK Un (spies evs))) =     \
  15.350 -\             (Nonce NB : analz (spies evs)))";
  15.351 +Goal "evs : yahalom ==>                                      \
  15.352 +\     (ALL KK. KK <= Compl (range shrK) -->                  \
  15.353 +\          (ALL K: KK. ~ KeyWithNonce K NB evs)   -->        \
  15.354 +\          (Nonce NB : analz (Key``KK Un (spies evs))) =     \
  15.355 +\          (Nonce NB : analz (spies evs)))";
  15.356  by (etac yahalom.induct 1);
  15.357  by analz_spies_tac;
  15.358  by (REPEAT_FIRST (resolve_tac [impI RS allI]));
  15.359  by (REPEAT_FIRST (rtac Nonce_secrecy_lemma));
  15.360  (*For Oops, simplification proves NBa~=NB.  By Says_Server_KeyWithNonce,
  15.361 -  we get (~ KeyWithNonce K NB evsa); then simplification can apply the
  15.362 +  we get (~ KeyWithNonce K NB evs); then simplification can apply the
  15.363    induction hypothesis with KK = {K}.*)
  15.364  by (ALLGOALS  (*4 seconds*)
  15.365      (asm_simp_tac 
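Review bot: The comment at 15.360–15.363 refers to prover-generated variable names (`NBa`, and the trace name `evsa` that this change rewrites to `evs`), so it has to be edited every time the goal statement changes how the Oops subgoal is displayed. Whether `NBa` is still the name shown after this change cannot be seen from the hunk and is worth re-checking against the actual subgoal. A wording without generated names would be more durable, e.g. `(*For Oops, simplification proves the two nonces differ; Says_Server_KeyWithNonce then gives ~ KeyWithNonce K NB for the trace, and the induction hypothesis applies with KK = {K}.*)`. The tactic call that starts at 15.364 continues outside the hunk.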
  15.366 @@ -402,13 +386,12 @@
  15.367  (*Version required below: if NB can be decrypted using a session key then it
  15.368    was distributed with that key.  The more general form above is required
  15.369    for the induction to carry through.*)
  15.370 -Goal 
  15.371 - "!!evs. [| Says Server A                                               \
  15.372 -\            {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|}  \
  15.373 -\           : set evs;                                                  \
  15.374 -\           NB ~= NB';  KAB ~: range shrK;  evs : yahalom |]            \
  15.375 -\        ==> (Nonce NB : analz (insert (Key KAB) (spies evs))) =        \
  15.376 -\            (Nonce NB : analz (spies evs))";
  15.377 +Goal "[| Says Server A                                               \
  15.378 +\         {|Crypt (shrK A) {|Agent B, Key KAB, na, Nonce NB'|}, X|}  \
  15.379 +\        : set evs;                                                  \
  15.380 +\        NB ~= NB';  KAB ~: range shrK;  evs : yahalom |]            \
  15.381 +\     ==> (Nonce NB : analz (insert (Key KAB) (spies evs))) =        \
  15.382 +\         (Nonce NB : analz (spies evs))";
  15.383  by (asm_simp_tac (analz_image_freshK_ss addsimps 
  15.384  		  [Nonce_secrecy, Says_Server_KeyWithNonce]) 1);
  15.385  qed "single_Nonce_secrecy";
  15.386 @@ -416,11 +399,10 @@
  15.387  
  15.388  (*** The Nonce NB uniquely identifies B's message. ***)
  15.389  
  15.390 -Goal 
  15.391 - "!!evs. evs : yahalom ==>                                         \
  15.392 -\   EX NA' A' B'. ALL NA A B.                                      \
  15.393 -\      Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts(spies evs) \
  15.394 -\      --> B ~: bad --> NA = NA' & A = A' & B = B'";
  15.395 +Goal "evs : yahalom ==>                                         \
  15.396 +\EX NA' A' B'. ALL NA A B.                                      \
  15.397 +\   Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts(spies evs) \
  15.398 +\   --> B ~: bad --> NA = NA' & A = A' & B = B'";
  15.399  by (parts_induct_tac 1);
  15.400  (*Fake*)
  15.401  by (REPEAT (etac (exI RSN (2,exE)) 1)   (*stripping EXs makes proof faster*)
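Review bot: At 15.396 the continuation `\EX NA' A' B'. ALL NA A B.` begins directly after the backslash, so the conclusion is laid out to the left of the premise and the quantifier scope is harder to read than in the other goals of this file. The string is unaffected, since the spaces before the preceding `\` are kept, so this is layout only. Indenting it as the analogous key-uniqueness goal at 15.132–15.136 does, `\   EX NA' A' B'. ALL NA A B.                                   \`, with the two following lines one step further in, would keep the two uniqueness lemmas visually parallel. The proof continues outside the hunk.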
  15.402 @@ -432,24 +414,22 @@
  15.403  by (blast_tac (claset() addSEs spies_partsEs) 1);
  15.404  val lemma = result();
  15.405  
  15.406 -Goal 
  15.407 - "!!evs.[| Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts (spies evs);    \
  15.408 -\          Crypt (shrK B') {|Agent A', Nonce NA', nb|} : parts (spies evs); \
  15.409 -\          evs : yahalom;  B ~: bad;  B' ~: bad |]  \
  15.410 -\        ==> NA' = NA & A' = A & B' = B";
  15.411 +Goal "[| Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts (spies evs);    \
  15.412 +\       Crypt (shrK B') {|Agent A', Nonce NA', nb|} : parts (spies evs); \
  15.413 +\       evs : yahalom;  B ~: bad;  B' ~: bad |]  \
  15.414 +\     ==> NA' = NA & A' = A & B' = B";
  15.415  by (prove_unique_tac lemma 1);
  15.416  qed "unique_NB";
  15.417  
  15.418  
  15.419  (*Variant useful for proving secrecy of NB: the Says... form allows 
  15.420    not_bad_tac to remove the assumption B' ~: bad.*)
  15.421 -Goal 
  15.422 - "!!evs.[| Says C D   {|X,  Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}    \
  15.423 -\            : set evs;          B ~: bad;                                \
  15.424 -\          Says C' D' {|X', Crypt (shrK B') {|Agent A', Nonce NA', nb|}|} \
  15.425 -\            : set evs;                                                   \
  15.426 -\          nb ~: analz (spies evs);  evs : yahalom |]                     \
  15.427 -\        ==> NA' = NA & A' = A & B' = B";
  15.428 +Goal "[| Says C D   {|X,  Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}    \
  15.429 +\         : set evs;          B ~: bad;                                \
  15.430 +\       Says C' D' {|X', Crypt (shrK B') {|Agent A', Nonce NA', nb|}|} \
  15.431 +\         : set evs;                                                   \
  15.432 +\       nb ~: analz (spies evs);  evs : yahalom |]                     \
  15.433 +\     ==> NA' = NA & A' = A & B' = B";
  15.434  by (not_bad_tac "B'" 1);
  15.435  by (blast_tac (claset() addSDs [Says_imp_spies RS parts.Inj]
  15.436                          addSEs [MPair_parts]
  15.437 @@ -459,11 +439,10 @@
  15.438  
  15.439  (** A nonce value is never used both as NA and as NB **)
  15.440  
  15.441 -Goal 
  15.442 - "!!evs. evs : yahalom                     \
  15.443 +Goal "evs : yahalom                     \
  15.444  \ ==> Nonce NB ~: analz (spies evs) -->    \
  15.445 -\     Crypt (shrK B') {|Agent A', Nonce NB, nb'|} : parts(spies evs) --> \
  15.446 -\     Crypt (shrK B)  {|Agent A, na, Nonce NB|} ~: parts(spies evs)";
  15.447 +\  Crypt (shrK B') {|Agent A', Nonce NB, nb'|} : parts(spies evs) --> \
  15.448 +\  Crypt (shrK B)  {|Agent A, na, Nonce NB|} ~: parts(spies evs)";
  15.449  by (parts_induct_tac 1);
  15.450  by (Fake_parts_insert_tac 1);
  15.451  by (blast_tac (claset() addDs [Says_imp_spies RS analz.Inj]
  15.452 @@ -475,13 +454,12 @@
  15.453  standard (result() RS mp RSN (2,rev_mp));
  15.454  
  15.455  (*The Server sends YM3 only in response to YM2.*)
  15.456 -Goal 
  15.457 - "!!evs. [| Says Server A                                                \
  15.458 -\            {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} : set evs;     \
  15.459 -\           evs : yahalom |]                                             \
  15.460 -\        ==> EX B'. Says B' Server                                       \
  15.461 -\                      {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |} \
  15.462 -\                   : set evs";
  15.463 +Goal "[| Says Server A                                                \
  15.464 +\         {|Crypt (shrK A) {|Agent B, k, na, nb|}, X|} : set evs;     \
  15.465 +\        evs : yahalom |]                                             \
  15.466 +\     ==> EX B'. Says B' Server                                       \
  15.467 +\                   {| Agent B, Crypt (shrK B) {|Agent A, na, nb|} |} \
  15.468 +\                : set evs";
  15.469  by (etac rev_mp 1);
  15.470  by (etac yahalom.induct 1);
  15.471  by (ALLGOALS Asm_simp_tac);
  15.472 @@ -490,13 +468,12 @@
  15.473  
  15.474  
  15.475  (*A vital theorem for B, that nonce NB remains secure from the Spy.*)
  15.476 -Goal 
  15.477 - "!!evs. [| A ~: bad;  B ~: bad;  evs : yahalom |]  \
  15.478 +Goal "[| A ~: bad;  B ~: bad;  evs : yahalom |]  \
  15.479  \ ==> Says B Server                                                    \
  15.480 -\          {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \
  15.481 -\     : set evs -->                                                    \
  15.482 -\     (ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs) -->      \
  15.483 -\     Nonce NB ~: analz (spies evs)";
  15.484 +\       {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|} \
  15.485 +\  : set evs -->                                                    \
  15.486 +\  (ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs) -->      \
  15.487 +\  Nonce NB ~: analz (spies evs)";
  15.488  by (etac yahalom.induct 1);
  15.489  by analz_spies_tac;
  15.490  by (ALLGOALS
  15.491 @@ -549,19 +526,18 @@
  15.492    assumption must quantify over ALL POSSIBLE keys instead of our particular K.
  15.493    If this run is broken and the spy substitutes a certificate containing an
  15.494    old key, B has no means of telling.*)
  15.495 -Goal 
  15.496 - "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
  15.497 -\                       Crypt K (Nonce NB)|} : set evs;                     \
  15.498 -\           Says B Server                                                   \
  15.499 -\             {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}   \
  15.500 -\             : set evs;                                                    \
  15.501 -\           ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs;          \
  15.502 -\           A ~: bad;  B ~: bad;  evs : yahalom |]       \
  15.503 -\         ==> Says Server A                                                 \
  15.504 -\                     {|Crypt (shrK A) {|Agent B, Key K,                    \
  15.505 -\                               Nonce NA, Nonce NB|},                       \
  15.506 -\                       Crypt (shrK B) {|Agent A, Key K|}|}                 \
  15.507 -\               : set evs";
  15.508 +Goal "[| Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
  15.509 +\                    Crypt K (Nonce NB)|} : set evs;                     \
  15.510 +\        Says B Server                                                   \
  15.511 +\          {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}   \
  15.512 +\          : set evs;                                                    \
  15.513 +\        ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs;          \
  15.514 +\        A ~: bad;  B ~: bad;  evs : yahalom |]       \
  15.515 +\      ==> Says Server A                                                 \
  15.516 +\                  {|Crypt (shrK A) {|Agent B, Key K,                    \
  15.517 +\                            Nonce NA, Nonce NB|},                       \
  15.518 +\                    Crypt (shrK B) {|Agent A, Key K|}|}                 \
  15.519 +\            : set evs";
  15.520  by (forward_tac [Spy_not_see_NB] 1 THEN REPEAT (assume_tac 1));
  15.521  by (etac (Says_imp_spies RS parts.Inj RS MPair_parts) 1 THEN
  15.522      dtac B_trusts_YM4_shrK 1);
  15.523 @@ -574,15 +550,14 @@
  15.524  
  15.525  
  15.526  (*The obvious combination of B_trusts_YM4 with Spy_not_see_encrypted_key*)
  15.527 -Goal 
  15.528 - "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
  15.529 -\                       Crypt K (Nonce NB)|} : set evs;                     \
  15.530 -\           Says B Server                                                   \
  15.531 -\             {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}   \
  15.532 -\             : set evs;                                                    \
  15.533 -\           ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs;          \
  15.534 -\           A ~: bad;  B ~: bad;  evs : yahalom |]                \
  15.535 -\        ==> Key K ~: analz (spies evs)";
  15.536 +Goal "[| Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
  15.537 +\                    Crypt K (Nonce NB)|} : set evs;                     \
  15.538 +\        Says B Server                                                   \
  15.539 +\          {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}   \
  15.540 +\          : set evs;                                                    \
  15.541 +\        ALL k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs;          \
  15.542 +\        A ~: bad;  B ~: bad;  evs : yahalom |]                \
  15.543 +\     ==> Key K ~: analz (spies evs)";
  15.544  by (blast_tac (claset() addSDs [B_trusts_YM4, Spy_not_see_encrypted_key]) 1);
  15.545  qed "B_gets_good_key";
  15.546  
  15.547 @@ -590,24 +565,22 @@
  15.548  (*** Authenticating B to A ***)
  15.549  
  15.550  (*The encryption in message YM2 tells us it cannot be faked.*)
  15.551 -Goal 
  15.552 - "!!evs. evs : yahalom                                            \
  15.553 +Goal "evs : yahalom                                            \
  15.554  \  ==> Crypt (shrK B) {|Agent A, Nonce NA, nb|} : parts (spies evs) --> \
  15.555 -\      B ~: bad -->                                              \
  15.556 -\      Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}  \
  15.557 -\         : set evs";
  15.558 +\   B ~: bad -->                                              \
  15.559 +\   Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}  \
  15.560 +\      : set evs";
  15.561  by (parts_induct_tac 1);
  15.562  by (Fake_parts_insert_tac 1);
  15.563  bind_thm ("B_Said_YM2", result() RSN (2, rev_mp) RS mp);
  15.564  
  15.565  (*If the server sends YM3 then B sent YM2*)
  15.566 -Goal 
  15.567 - "!!evs. evs : yahalom                                                      \
  15.568 +Goal "evs : yahalom                                                      \
  15.569  \  ==> Says Server A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
  15.570 -\         : set evs -->                                                     \
  15.571 -\      B ~: bad -->                                                        \
  15.572 -\      Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}  \
  15.573 -\                 : set evs";
  15.574 +\      : set evs -->                                                     \
  15.575 +\   B ~: bad -->                                                        \
  15.576 +\   Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|}  \
  15.577 +\              : set evs";
  15.578  by (etac yahalom.induct 1);
  15.579  by (ALLGOALS Asm_simp_tac);
  15.580  (*YM4*)
  15.581 @@ -618,12 +591,11 @@
  15.582  val lemma = result() RSN (2, rev_mp) RS mp |> standard;
  15.583  
  15.584  (*If A receives YM3 then B has used nonce NA (and therefore is alive)*)
  15.585 -Goal
  15.586 - "!!evs. [| Says S A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
  15.587 -\             : set evs;                                                    \
  15.588 -\           A ~: bad;  B ~: bad;  evs : yahalom |]                        \
  15.589 -\   ==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \
  15.590 -\         : set evs";
  15.591 +Goal "[| Says S A {|Crypt (shrK A) {|Agent B, Key K, Nonce NA, nb|}, X|} \
  15.592 +\          : set evs;                                                    \
  15.593 +\        A ~: bad;  B ~: bad;  evs : yahalom |]                        \
  15.594 +\==> Says B Server {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, nb|}|} \
  15.595 +\      : set evs";
  15.596  by (blast_tac (claset() addSDs [A_trusts_YM3, lemma]
  15.597  		        addEs spies_partsEs) 1);
  15.598  qed "YM3_auth_B_to_A";
  15.599 @@ -634,13 +606,12 @@
  15.600  (*Assuming the session key is secure, if both certificates are present then
  15.601    A has said NB.  We can't be sure about the rest of A's message, but only
  15.602    NB matters for freshness.*)  
  15.603 -Goal 
  15.604 - "!!evs. evs : yahalom                                             \
  15.605 -\        ==> Key K ~: analz (spies evs) -->                     \
  15.606 -\            Crypt K (Nonce NB) : parts (spies evs) -->         \
  15.607 -\            Crypt (shrK B) {|Agent A, Key K|} : parts (spies evs) --> \
  15.608 -\            B ~: bad -->                                         \
  15.609 -\            (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
  15.610 +Goal "evs : yahalom                                             \
  15.611 +\     ==> Key K ~: analz (spies evs) -->                     \
  15.612 +\         Crypt K (Nonce NB) : parts (spies evs) -->         \
  15.613 +\         Crypt (shrK B) {|Agent A, Key K|} : parts (spies evs) --> \
  15.614 +\         B ~: bad -->                                         \
  15.615 +\         (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
  15.616  by (parts_induct_tac 1);
  15.617  (*Fake*)
  15.618  by (Fake_parts_insert_tac 1);
  15.619 @@ -659,15 +630,14 @@
  15.620  (*If B receives YM4 then A has used nonce NB (and therefore is alive).
  15.621    Moreover, A associates K with NB (thus is talking about the same run).
  15.622    Other premises guarantee secrecy of K.*)
  15.623 -Goal 
  15.624 - "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
  15.625 -\                       Crypt K (Nonce NB)|} : set evs;                     \
  15.626 -\           Says B Server                                                   \
  15.627 -\             {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}   \
  15.628 -\             : set evs;                                                    \
  15.629 -\           (ALL NA k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs);     \
  15.630 -\           A ~: bad;  B ~: bad;  evs : yahalom |]       \
  15.631 -\        ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
  15.632 +Goal "[| Says A' B {|Crypt (shrK B) {|Agent A, Key K|},                  \
  15.633 +\                    Crypt K (Nonce NB)|} : set evs;                     \
  15.634 +\        Says B Server                                                   \
  15.635 +\          {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}   \
  15.636 +\          : set evs;                                                    \
  15.637 +\        (ALL NA k. Notes Spy {|Nonce NA, Nonce NB, k|} ~: set evs);     \
  15.638 +\        A ~: bad;  B ~: bad;  evs : yahalom |]       \
  15.639 +\     ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
  15.640  by (forward_tac [B_trusts_YM4] 1);
  15.641  by (REPEAT_FIRST (eresolve_tac [asm_rl, spec]));
  15.642  by (etac (Says_imp_spies RS parts.Inj RS MPair_parts) 1);
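--- a/src/HOL/Auth/Yahalom2.ML	Thu Jul 02 17:27:35 1998 +0200
+++ b/src/HOL/Auth/Yahalom2.ML	Thu Jul 02 17:48:11 1998 +0200
@@ -23,10 +23,9 @@
 
 
 (*A "possibility property": there are traces that reach the end*)
-Goal 
- "!!A B. [| A ~= B; A ~= Server; B ~= Server |]   \
-\        ==> EX X NB K. EX evs: yahalom.          \
-\               Says A B {|X, Crypt K (Nonce NB)|} : set evs";
+Goal "[| A ~= B; A ~= Server; B ~= Server |]   \
+\     ==> EX X NB K. EX evs: yahalom.          \
+\            Says A B {|X, Crypt K (Nonce NB)|} : set evs";
 by (REPEAT (resolve_tac [exI,bexI] 1));
 by (rtac (yahalom.Nil RS yahalom.YM1 RS yahalom.YM2 RS yahalom.YM3 RS 
           yahalom.YM4) 2);
@@ -37,7 +36,7 @@
 (**** Inductive proofs about yahalom ****)
 
 (*Nobody sends themselves messages*)
-Goal "!!evs. evs: yahalom ==> ALL A X. Says A A X ~: set evs";
+Goal "evs: yahalom ==> ALL A X. Says A A X ~: set evs";
 by (etac yahalom.induct 1);
 by Auto_tac;
 qed_spec_mp "not_Says_to_self";
@@ -48,8 +47,8 @@
 (** For reasoning about the encrypted portion of messages **)
 
 (*Lets us treat YM4 using a similar argument as for the Fake case.*)
-Goal "!!evs. Says S A {|NB, Crypt (shrK A) Y, X|} : set evs ==> \
-\                X : analz (spies evs)";
+Goal "Says S A {|NB, Crypt (shrK A) Y, X|} : set evs ==> \
+\             X : analz (spies evs)";
 by (blast_tac (claset() addSDs [Says_imp_spies RS analz.Inj]) 1);
 qed "YM4_analz_spies";
 
@@ -57,8 +56,8 @@
           YM4_analz_spies RS (impOfSubs analz_subset_parts));
 
 (*Relates to both YM4 and Oops*)
-Goal "!!evs. Says S A {|NB, Crypt (shrK A) {|B,K,NA|}, X|} : set evs ==> \
-\                K : parts (spies evs)";
+Goal "Says S A {|NB, Crypt (shrK A) {|B,K,NA|}, X|} : set evs ==> \
+\             K : parts (spies evs)";
 by (Blast_tac 1);
 qed "YM4_Key_parts_spies";
 
@@ -82,15 +81,13 @@
     sends messages containing X! **)
 
 (*Spy never sees another agent's shared key! (unless it's bad at start)*)
-Goal 
- "!!evs. evs : yahalom ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
+Goal "evs : yahalom ==> (Key (shrK A) : parts (spies evs)) = (A : bad)";
 by (parts_induct_tac 1);
 by (ALLGOALS Blast_tac);
 qed "Spy_see_shrK";
 Addsimps [Spy_see_shrK];
 
-Goal 
- "!!evs. evs : yahalom ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
+Goal "evs : yahalom ==> (Key (shrK A) : analz (spies evs)) = (A : bad)";
 by Auto_tac;
 qed "Spy_analz_shrK";
 Addsimps [Spy_analz_shrK];
@@ -100,8 +97,8 @@
 
 
 (*Nobody can have used non-existent keys!  Needed to apply analz_insert_Key*)
-Goal "!!evs. evs : yahalom ==>          \
-\         Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
+Goal "evs : yahalom ==>          \
+\      Key K ~: used evs --> K ~: keysFor (parts (spies evs))";
 by (parts_induct_tac 1);
 (*YM4: Key K is not fresh!*)
 by (Blast_tac 3);
@@ -119,11 +116,10 @@
 
 (*Describes the form of K when the Server sends this message.  Useful for
   Oops as well as main secrecy property.*)
-Goal 
- "!!evs. [| Says Server A {|nb', Crypt (shrK A) {|Agent B, Key K, na|}, X|} \
-\            : set evs;                                            \
-\           evs : yahalom |]                                       \
-\        ==> K ~: range shrK & A ~= B";
+Goal "[| Says Server A {|nb', Crypt (shrK A) {|Agent B, Key K, na|}, X|} \
+\         : set evs;                                            \
+\        evs : yahalom |]                                       \
+\     ==> K ~: range shrK & A ~= B";
 by (etac rev_mp 1);
 by (etac yahalom.induct 1);
 by (ALLGOALS Asm_simp_tac);
@@ -150,11 +146,10 @@
 
 (** Session keys are not used to encrypt other session keys **)
 
-Goal  
- "!!evs. evs : yahalom ==>                               \
+Goal "evs : yahalom ==>                               \
 \  ALL K KK. KK <= Compl (range shrK) -->                \
-\            (Key K : analz (Key``KK Un (spies evs))) =  \
-\            (K : KK | Key K : analz (spies evs))";
+\         (Key K : analz (Key``KK Un (spies evs))) =  \
+\         (K : KK | Key K : analz (spies evs))";
 by (etac yahalom.induct 1);
 by analz_spies_tac;
 by (REPEAT_FIRST (resolve_tac [allI, impI]));
@@ -164,22 +159,20 @@
 by (spy_analz_tac 1);
 qed_spec_mp "analz_image_freshK";
 
-Goal
- "!!evs. [| evs : yahalom;  KAB ~: range shrK |] ==>     \
-\        Key K : analz (insert (Key KAB) (spies evs)) =  \
-\        (K = KAB | Key K : analz (spies evs))";
+Goal "[| evs : yahalom;  KAB ~: range shrK |] ==>     \
+\     Key K : analz (insert (Key KAB) (spies evs)) =  \
+\     (K = KAB | Key K : analz (spies evs))";
 by (asm_simp_tac (analz_image_freshK_ss addsimps [analz_image_freshK]) 1);
 qed "analz_insert_freshK";
 
 
 (*** The Key K uniquely identifies the Server's  message. **)
 
-Goal 
- "!!evs. evs : yahalom ==>                                     \
-\      EX A' B' na' nb' X'. ALL A B na nb X.                   \
-\          Says Server A                                       \
-\           {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|}   \
-\          : set evs --> A=A' & B=B' & na=na' & nb=nb' & X=X'";
+Goal "evs : yahalom ==>                                     \
+\   EX A' B' na' nb' X'. ALL A B na nb X.                   \
+\       Says Server A                                       \
+\        {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|}   \
+\       : set evs --> A=A' & B=B' & na=na' & nb=nb' & X=X'";
 by (etac yahalom.induct 1);
 by (ALLGOALS (asm_simp_tac (simpset() addsimps [all_conj_distrib])));
 by (Clarify_tac 1);
@@ -191,28 +184,26 @@
                         addss (simpset() addsimps [parts_insertI])) 1);
 val lemma = result();
 
-Goal 
-"!!evs. [| Says Server A                                            \
-\            {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|} : set evs; \
-\          Says Server A'                                           \
-\            {|nb', Crypt (shrK A') {|Agent B', Key K, na'|}, X'|} : set evs; \
-\          evs : yahalom |]                                         \
-\       ==> A=A' & B=B' & na=na' & nb=nb'";
+Goal "[| Says Server A                                            \
+\         {|nb, Crypt (shrK A) {|Agent B, Key K, na|}, X|} : set evs; \
+\       Says Server A'                                           \
+\         {|nb', Crypt (shrK A') {|Agent B', Key K, na'|}, X'|} : set evs; \
+\       evs : yahalom |]                                         \
+\    ==> A=A' & B=B' & na=na' & nb=nb'";
 by (prove_unique_tac lemma 1);
 qed "unique_session_keys";
 
 
 (** Crucial secrecy property: Spy does not see the keys sent in msg YM3 **)
 
-Goal 
- "!!evs. [| A ~: bad;  B ~: bad;  A ~= B;                       \
-\           evs : yahalom |]                                    \
-\        ==> Says Server A                                      \
-\              {|nb, Crypt (shrK A) {|Agent B, Key K, na|},     \
-\                    Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} \
-\             : set evs -->                                     \
-\            Notes Spy {|na, nb, Key K|} ~: set evs -->         \
-\            Key K ~: analz (spies evs)";
+Goal "[| A ~: bad;  B ~: bad;  A ~= B;                       \
+\        evs : yahalom |]                                    \
+\     ==> Says Server A                                      \
+\           {|nb, Crypt (shrK A) {|Agent B, Key K, na|},     \
+\                 Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} \
+\          : set evs -->                                     \
+\         Notes Spy {|na, nb, Key K|} ~: set evs -->         \
+\         Key K ~: analz (spies evs)";
 by (etac yahalom.induct 1);
 by analz_spies_tac;
 by (ALLGOALS
@@ -229,14 +220,13 @@
 
 
 (*Final version*)
-Goal 
- "!!evs. [| Says Server A                                    \
-\              {|nb, Crypt (shrK A) {|Agent B, Key K, na|},  \
-\                    Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|}    \
-\           : set evs;                                       \
-\           Notes Spy {|na, nb, Key K|} ~: set evs;          \
-\           A ~: bad;  B ~: bad;  evs : yahalom |]           \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says Server A                                    \
+\           {|nb, Crypt (shrK A) {|Agent B, Key K, na|},  \
+\                 Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|}    \
+\        : set evs;                                       \
+\        Notes Spy {|na, nb, Key K|} ~: set evs;          \
+\        A ~: bad;  B ~: bad;  evs : yahalom |]           \
+\     ==> Key K ~: analz (spies evs)";
 by (forward_tac [Says_Server_message_form] 1 THEN assume_tac 1);
 by (blast_tac (claset() addSEs [lemma]) 1);
 qed "Spy_not_see_encrypted_key";
@@ -246,25 +236,23 @@
 
 (*If the encrypted message appears then it originated with the Server.
   May now apply Spy_not_see_encrypted_key, subject to its conditions.*)
-Goal
- "!!evs. [| Crypt (shrK A) {|Agent B, Key K, na|}                      \
-\            : parts (spies evs);                                      \
-\           A ~: bad;  evs : yahalom |]                                \
-\         ==> EX nb. Says Server A                                     \
-\                      {|nb, Crypt (shrK A) {|Agent B, Key K, na|},    \
-\                            Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} \
-\                    : set evs";
+Goal "[| Crypt (shrK A) {|Agent B, Key K, na|}                      \
+\         : parts (spies evs);                                      \
+\        A ~: bad;  evs : yahalom |]                                \
+\      ==> EX nb. Says Server A                                     \
+\                   {|nb, Crypt (shrK A) {|Agent B, Key K, na|},    \
+\                         Crypt (shrK B) {|Agent A, Agent B, Key K, nb|}|} \
+\                 : set evs";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (ALLGOALS Blast_tac);
 qed "A_trusts_YM3";
 
 (*The obvious combination of A_trusts_YM3 with Spy_not_see_encrypted_key*)
-Goal
- "!!evs. [| Crypt (shrK A) {|Agent B, Key K, na|} : parts (spies evs); \
-\           ALL nb. Notes Spy {|na, nb, Key K|} ~: set evs;            \
-\           A ~: bad;  B ~: bad;  evs : yahalom |]                     \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Crypt (shrK A) {|Agent B, Key K, na|} : parts (spies evs); \
+\        ALL nb. Notes Spy {|na, nb, Key K|} ~: set evs;            \
+\        A ~: bad;  B ~: bad;  evs : yahalom |]                     \
+\     ==> Key K ~: analz (spies evs)";
 by (blast_tac (claset() addSDs [A_trusts_YM3, Spy_not_see_encrypted_key]) 1);
 qed "A_gets_good_key";
 
@@ -273,15 +261,14 @@
 
 (*B knows, by the first part of A's message, that the Server distributed 
   the key for A and B, and has associated it with NB.*)
-Goal 
- "!!evs. [| Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|} \
-\             : parts (spies evs);                               \
-\           B ~: bad;  evs : yahalom |]                          \
+Goal "[| Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|} \
+\          : parts (spies evs);                               \
+\        B ~: bad;  evs : yahalom |]                          \
 \ ==> EX NA. Says Server A                                       \
-\               {|Nonce NB,                                      \
-\                 Crypt (shrK A) {|Agent B, Key K, Nonce NA|},   \
-\                 Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|} \
-\               : set evs";
+\            {|Nonce NB,                                      \
+\              Crypt (shrK A) {|Agent B, Key K, Nonce NA|},   \
+\              Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|} \
+\            : set evs";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (ALLGOALS Blast_tac);
@@ -293,28 +280,26 @@
 
 (*What can B deduce from receipt of YM4?  Stronger and simpler than Yahalom
   because we do not have to show that NB is secret. *)
-Goal 
- "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
-\                       X|}                                         \
-\             : set evs;                                            \
-\           A ~: bad;  B ~: bad;  evs : yahalom |]                  \
+Goal "[| Says A' B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
+\                    X|}                                         \
+\          : set evs;                                            \
+\        A ~: bad;  B ~: bad;  evs : yahalom |]                  \
 \ ==> EX NA. Says Server A                                          \
-\               {|Nonce NB,                                         \
-\                 Crypt (shrK A) {|Agent B, Key K, Nonce NA|},      \
-\                 Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|} \
-\              : set evs";
+\            {|Nonce NB,                                         \
+\              Crypt (shrK A) {|Agent B, Key K, Nonce NA|},      \
+\              Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}|} \
+\           : set evs";
 by (blast_tac (claset() addSDs [B_trusts_YM4_shrK]) 1);
 qed "B_trusts_YM4";
 
 
 (*The obvious combination of B_trusts_YM4 with Spy_not_see_encrypted_key*)
-Goal 
- "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
-\                       X|}                                         \
-\             : set evs;                                            \
-\           ALL na. Notes Spy {|na, Nonce NB, Key K|} ~: set evs;   \
-\           A ~: bad;  B ~: bad;  evs : yahalom |]                  \
-\        ==> Key K ~: analz (spies evs)";
+Goal "[| Says A' B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
+\                    X|}                                         \
+\          : set evs;                                            \
+\        ALL na. Notes Spy {|na, Nonce NB, Key K|} ~: set evs;   \
+\        A ~: bad;  B ~: bad;  evs : yahalom |]                  \
+\     ==> Key K ~: analz (spies evs)";
 by (blast_tac (claset() addSDs [B_trusts_YM4, Spy_not_see_encrypted_key]) 1);
 qed "B_gets_good_key";
 
@@ -323,12 +308,11 @@
 (*** Authenticating B to A ***)
 
 (*The encryption in message YM2 tells us it cannot be faked.*)
-Goal 
- "!!evs. [| Crypt (shrK B) {|Agent A, Nonce NA|} : parts (spies evs);  \
-\           B ~: bad;  evs : yahalom                                   \
-\        |] ==> EX NB. Says B Server {|Agent B, Nonce NB,              \
-\                               Crypt (shrK B) {|Agent A, Nonce NA|}|} \
-\                        : set evs";
+Goal "[| Crypt (shrK B) {|Agent A, Nonce NA|} : parts (spies evs);  \
+\        B ~: bad;  evs : yahalom                                   \
+\     |] ==> EX NB. Says B Server {|Agent B, Nonce NB,              \
+\                            Crypt (shrK B) {|Agent A, Nonce NA|}|} \
+\                     : set evs";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
@@ -337,14 +321,13 @@
 
 
 (*If the server sends YM3 then B sent YM2, perhaps with a different NB*)
-Goal 
- "!!evs. [| Says Server A                                              \
-\               {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} \
-\             : set evs;                                               \
-\           B ~: bad;  evs : yahalom                                   \
-\        |] ==> EX nb'. Says B Server {|Agent B, nb',                  \
-\                               Crypt (shrK B) {|Agent A, Nonce NA|}|} \
-\                         : set evs";
+Goal "[| Says Server A                                              \
+\            {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} \
+\          : set evs;                                               \
+\        B ~: bad;  evs : yahalom                                   \
+\     |] ==> EX nb'. Says B Server {|Agent B, nb',                  \
+\                            Crypt (shrK B) {|Agent A, Nonce NA|}|} \
+\                      : set evs";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
 by (etac yahalom.induct 1);
@@ -356,13 +339,12 @@
 val lemma = result();
 
 (*If A receives YM3 then B has used nonce NA (and therefore is alive)*)
-Goal
- "!!evs. [| Says S A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} \
-\             : set evs;                                                    \
-\           A ~: bad;  B ~: bad;  evs : yahalom |]                   \
-\   ==> EX nb'. Says B Server                                               \
-\                    {|Agent B, nb', Crypt (shrK B) {|Agent A, Nonce NA|}|} \
-\                 : set evs";
+Goal "[| Says S A {|nb, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, X|} \
+\          : set evs;                                                    \
+\        A ~: bad;  B ~: bad;  evs : yahalom |]                   \
+\==> EX nb'. Says B Server                                               \
+\                 {|Agent B, nb', Crypt (shrK B) {|Agent A, Nonce NA|}|} \
+\              : set evs";
 by (blast_tac (claset() addSDs [A_trusts_YM3, lemma]) 1);
 qed "YM3_auth_B_to_A";
 
@@ -373,14 +355,13 @@
   A has said NB.  We can't be sure about the rest of A's message, but only
   NB matters for freshness.  Note that  Key K ~: analz (spies evs)  must be
   the FIRST antecedent of the induction formula.*)  
-Goal 
- "!!evs. evs : yahalom                                     \
-\        ==> Key K ~: analz (spies evs) -->                \
-\            Crypt K (Nonce NB) : parts (spies evs) -->    \
-\            Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}      \
-\              : parts (spies evs) -->                     \
-\            B ~: bad -->                                  \
-\            (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
+Goal "evs : yahalom                                     \
+\     ==> Key K ~: analz (spies evs) -->                \
+\         Crypt K (Nonce NB) : parts (spies evs) -->    \
+\         Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}      \
+\           : parts (spies evs) -->                     \
+\         B ~: bad -->                                  \
+\         (EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs)";
 by (parts_induct_tac 1);
 (*Fake*)
 by (Blast_tac 1);
@@ -398,12 +379,11 @@
 (*If B receives YM4 then A has used nonce NB (and therefore is alive).
   Moreover, A associates K with NB (thus is talking about the same run).
   Other premises guarantee secrecy of K.*)
-Goal 
- "!!evs. [| Says A' B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
-\                       Crypt K (Nonce NB)|} : set evs;                 \
-\           (ALL NA. Notes Spy {|Nonce NA, Nonce NB, Key K|} ~: set evs); \
-\           A ~: bad;  B ~: bad;  evs : yahalom |]                    \
-\        ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
+Goal "[| Says A' B {|Crypt (shrK B) {|Agent A, Agent B, Key K, Nonce NB|}, \
+\                    Crypt K (Nonce NB)|} : set evs;                 \
+\        (ALL NA. Notes Spy {|Nonce NA, Nonce NB, Key K|} ~: set evs); \
+\        A ~: bad;  B ~: bad;  evs : yahalom |]                    \
+\     ==> EX X. Says A B {|X, Crypt K (Nonce NB)|} : set evs";
 by (subgoal_tac "Key K ~: analz (spies evs)" 1);
 by (blast_tac (claset() addIs [Auth_A_to_B_lemma]) 1);
 by (blast_tac (claset() addDs  [Spy_not_see_encrypted_key,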
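Review bot: The secrecy goal under `(*Final version*)` (stored as Spy_not_see_encrypted_key) holds only under the premise `Notes Spy {|na, nb, Key K|} ~: set evs`, and neither that comment nor the restated goal says what the premise stands for. Since the statement is being rewritten here anyway, I would expand the comment to `(*Final version: K is secret provided A, B are not bad and no Notes Spy {|na, nb, Key K|} event has disclosed it*)`; the event is presumably the Oops disclosure that other comments in this file refer to, which the hunks do not show. The same premise recurs in quantified form in A_gets_good_key, B_gets_good_key and the goal of the final hunk (whose proof continues past the hunk), so every user of those theorems inherits the assumption and should be able to read it off the comment. As a smaller layout point, the conclusion line of YM3_auth_B_to_A now begins `\==>` with no space, unlike the `\     ==>` used by most of the other rewritten goals.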