more symbols;
authorwenzelm
Thu Feb 15 12:11:00 2018 +0100 (16 months ago)
changeset 67613ce654b0e6d69
parent 67610 4939494ed791
child 67614 560fbd6bc047
more symbols;
src/Benchmarks/Quickcheck_Benchmark/Needham_Schroeder_Base.thy
src/Doc/Prog_Prove/Isar.thy
src/Doc/Prog_Prove/Logic.thy
src/Doc/Prog_Prove/Types_and_funs.thy
src/Doc/Sugar/Sugar.thy
src/Doc/Tutorial/CTL/CTL.thy
src/Doc/Tutorial/CTL/PDL.thy
src/Doc/Tutorial/Ifexpr/Ifexpr.thy
src/Doc/Tutorial/Inductive/Mutual.thy
src/Doc/Tutorial/Inductive/Star.thy
src/Doc/Tutorial/Misc/Plus.thy
src/Doc/Tutorial/Misc/Tree2.thy
src/Doc/Tutorial/Misc/prime_def.thy
src/Doc/Tutorial/Protocol/Event.thy
src/Doc/Tutorial/Protocol/Message.thy
src/Doc/Tutorial/Protocol/Public.thy
src/Doc/Tutorial/Rules/TPrimes.thy
src/Doc/Tutorial/Sets/Examples.thy
src/HOL/Algebra/AbelCoset.thy
src/HOL/Algebra/FiniteProduct.thy
src/HOL/Algebra/Group.thy
src/HOL/Algebra/Order.thy
src/HOL/Algebra/Ring.thy
src/HOL/Algebra/RingHom.thy
src/HOL/Algebra/Sylow.thy
src/HOL/Algebra/UnivPoly.thy
src/HOL/Analysis/Arcwise_Connected.thy
src/HOL/Analysis/Cauchy_Integral_Theorem.thy
src/HOL/Analysis/Continuous_Extension.thy
src/HOL/Analysis/Convex_Euclidean_Space.thy
src/HOL/Analysis/Equivalence_Lebesgue_Henstock_Integration.thy
src/HOL/Analysis/Extended_Real_Limits.thy
src/HOL/Analysis/Polytope.thy
src/HOL/Analysis/Starlike.thy
src/HOL/Analysis/Topology_Euclidean_Space.thy
src/HOL/Auth/CertifiedEmail.thy
src/HOL/Auth/Event.thy
src/HOL/Auth/Guard/Analz.thy
src/HOL/Auth/Guard/Extensions.thy
src/HOL/Auth/Guard/Guard.thy
src/HOL/Auth/Guard/GuardK.thy
src/HOL/Auth/Guard/Guard_NS_Public.thy
src/HOL/Auth/Guard/Guard_OtwayRees.thy
src/HOL/Auth/Guard/Guard_Public.thy
src/HOL/Auth/Guard/Guard_Shared.thy
src/HOL/Auth/Guard/Guard_Yahalom.thy
src/HOL/Auth/Guard/List_Msg.thy
src/HOL/Auth/Guard/P1.thy
src/HOL/Auth/Guard/P2.thy
src/HOL/Auth/Guard/Proto.thy
src/HOL/Auth/KerberosIV.thy
src/HOL/Auth/KerberosIV_Gets.thy
src/HOL/Auth/KerberosV.thy
src/HOL/Auth/Kerberos_BAN.thy
src/HOL/Auth/Kerberos_BAN_Gets.thy
src/HOL/Auth/Message.thy
src/HOL/Auth/NS_Shared.thy
src/HOL/Auth/OtwayRees.thy
src/HOL/Auth/OtwayReesBella.thy
src/HOL/Auth/OtwayRees_AN.thy
src/HOL/Auth/OtwayRees_Bad.thy
src/HOL/Auth/Public.thy
src/HOL/Auth/Recur.thy
src/HOL/Auth/Shared.thy
src/HOL/Auth/Smartcard/Smartcard.thy
src/HOL/Auth/TLS.thy
src/HOL/Auth/WooLam.thy
src/HOL/Auth/Yahalom.thy
src/HOL/Auth/Yahalom2.thy
src/HOL/Auth/Yahalom_Bad.thy
src/HOL/BNF_Cardinal_Arithmetic.thy
src/HOL/BNF_Cardinal_Order_Relation.thy
src/HOL/BNF_Composition.thy
src/HOL/BNF_Def.thy
src/HOL/BNF_Greatest_Fixpoint.thy
src/HOL/BNF_Wellorder_Constructions.thy
src/HOL/BNF_Wellorder_Embedding.thy
src/HOL/Bali/AxCompl.thy
src/HOL/Bali/AxSem.thy
src/HOL/Bali/AxSound.thy
src/HOL/Bali/Basis.thy
src/HOL/Bali/Decl.thy
src/HOL/Bali/DeclConcepts.thy
src/HOL/Bali/Example.thy
src/HOL/Bali/Table.thy
src/HOL/Bali/TypeRel.thy
src/HOL/Bali/WellForm.thy
src/HOL/Cardinals/Cardinal_Order_Relation.thy
src/HOL/Cardinals/Wellorder_Constructions.thy
src/HOL/Complete_Lattices.thy
src/HOL/Computational_Algebra/Primes.thy
src/HOL/Conditionally_Complete_Lattices.thy
src/HOL/Data_Structures/AA_Map.thy
src/HOL/Data_Structures/AA_Set.thy
src/HOL/Data_Structures/Brother12_Set.thy
src/HOL/Decision_Procs/MIR.thy
src/HOL/Decision_Procs/approximation.ML
src/HOL/Enum.thy
src/HOL/Filter.thy
src/HOL/Fun_Def.thy
src/HOL/HOLCF/FOCUS/Buffer.thy
src/HOL/HOLCF/FOCUS/Buffer_adm.thy
src/HOL/HOLCF/FOCUS/FOCUS.thy
src/HOL/HOLCF/FOCUS/Fstream.thy
src/HOL/HOLCF/FOCUS/Stream_adm.thy
src/HOL/HOLCF/IMP/Denotational.thy
src/HOL/HOLCF/IOA/ABP/Lemmas.thy
src/HOL/HOLCF/IOA/CompoExecs.thy
src/HOL/HOLCF/IOA/CompoScheds.thy
src/HOL/HOLCF/IOA/CompoTraces.thy
src/HOL/HOLCF/IOA/NTP/Abschannel.thy
src/HOL/HOLCF/IOA/NTP/Correctness.thy
src/HOL/HOLCF/IOA/NTP/Impl.thy
src/HOL/HOLCF/IOA/NTP/Lemmas.thy
src/HOL/HOLCF/IOA/NTP/Multiset.thy
src/HOL/HOLCF/IOA/NTP/Packet.thy
src/HOL/HOLCF/IOA/NTP/Receiver.thy
src/HOL/HOLCF/IOA/NTP/Sender.thy
src/HOL/HOLCF/IOA/NTP/Spec.thy
src/HOL/HOLCF/IOA/RefCorrectness.thy
src/HOL/HOLCF/IOA/SimCorrectness.thy
src/HOL/HOLCF/IOA/Simulations.thy
src/HOL/HOLCF/IOA/Storage/Action.thy
src/HOL/HOLCF/IOA/Storage/Correctness.thy
src/HOL/HOLCF/IOA/Storage/Impl.thy
src/HOL/HOLCF/IOA/Storage/Spec.thy
src/HOL/HOLCF/Library/Stream.thy
src/HOL/HOLCF/Tools/Domain/domain_induction.ML
src/HOL/HOLCF/ex/Loop.thy
src/HOL/Hilbert_Choice.thy
src/HOL/Hoare/Arith2.thy
src/HOL/Hoare/Examples.thy
src/HOL/Hoare/Heap.thy
src/HOL/Hoare/Hoare_Logic.thy
src/HOL/Hoare/Hoare_Logic_Abort.thy
src/HOL/Hoare/Pointer_Examples.thy
src/HOL/Hoare/Pointers0.thy
src/HOL/Hoare_Parallel/RG_Tran.thy
src/HOL/IMP/ACom.thy
src/HOL/IMP/Abs_Int0.thy
src/HOL/IMP/Abs_Int1.thy
src/HOL/IMP/Abs_Int2.thy
src/HOL/IMP/Abs_Int2_ivl.thy
src/HOL/IMP/Abs_Int3.thy
src/HOL/IMP/Abs_State.thy
src/HOL/IMP/Collecting.thy
src/HOL/IMP/Collecting1.thy
src/HOL/IMP/Complete_Lattice.thy
src/HOL/IMP/Def_Init_Small.thy
src/HOL/IMP/Denotational.thy
src/HOL/IMP/Fold.thy
src/HOL/IMP/Live.thy
src/HOL/IMP/Small_Step.thy
src/HOL/IMP/VCG_Total_EX.thy
src/HOL/IMP/VCG_Total_EX2.thy
src/HOL/IMPP/Com.thy
src/HOL/IMPP/Hoare.thy
src/HOL/IMPP/Misc.thy
src/HOL/IMPP/Natural.thy
src/HOL/IOA/Asig.thy
src/HOL/IOA/IOA.thy
src/HOL/IOA/Solve.thy
src/HOL/Induct/SList.thy
src/HOL/Induct/Sexp.thy
src/HOL/Isar_Examples/Hoare.thy
src/HOL/Lattices_Big.thy
src/HOL/Library/BNF_Corec.thy
src/HOL/Library/Countable_Set.thy
src/HOL/Library/IArray.thy
src/HOL/Library/Lub_Glb.thy
src/HOL/Library/Old_Datatype.thy
src/HOL/Library/Stream.thy
src/HOL/Library/Sublist.thy
src/HOL/Library/While_Combinator.thy
src/HOL/List.thy
src/HOL/Matrix_LP/ComputeFloat.thy
src/HOL/Matrix_LP/Matrix.thy
src/HOL/Matrix_LP/SparseMatrix.thy
src/HOL/Metis_Examples/Big_O.thy
src/HOL/Metis_Examples/Clausification.thy
src/HOL/Metis_Examples/Message.thy
src/HOL/Metis_Examples/Sets.thy
src/HOL/Metis_Examples/Tarski.thy
src/HOL/MicroJava/BV/BVExample.thy
src/HOL/MicroJava/BV/JType.thy
src/HOL/MicroJava/BV/Typing_Framework_JVM.thy
src/HOL/MicroJava/Comp/CorrComp.thy
src/HOL/MicroJava/Comp/LemmasComp.thy
src/HOL/MicroJava/DFA/Err.thy
src/HOL/MicroJava/DFA/Kildall.thy
src/HOL/MicroJava/DFA/Listn.thy
src/HOL/MicroJava/DFA/Opt.thy
src/HOL/MicroJava/DFA/Product.thy
src/HOL/MicroJava/DFA/Semilat.thy
src/HOL/MicroJava/DFA/SemilatAlg.thy
src/HOL/MicroJava/DFA/Typing_Framework.thy
src/HOL/MicroJava/J/Example.thy
src/HOL/MicroJava/J/JBasis.thy
src/HOL/MicroJava/J/TypeRel.thy
src/HOL/MicroJava/J/WellForm.thy
src/HOL/MicroJava/JVM/JVMExec.thy
src/HOL/NanoJava/Equivalence.thy
src/HOL/NanoJava/TypeRel.thy
src/HOL/Nitpick_Examples/Core_Nits.thy
src/HOL/Nitpick_Examples/Mini_Nits.thy
src/HOL/Nitpick_Examples/Refute_Nits.thy
src/HOL/Nominal/Examples/Class1.thy
src/HOL/Nonstandard_Analysis/HyperDef.thy
src/HOL/Nonstandard_Analysis/NSCA.thy
src/HOL/Nonstandard_Analysis/Star.thy
src/HOL/Predicate_Compile.thy
src/HOL/Predicate_Compile_Examples/Hotel_Example.thy
src/HOL/Predicate_Compile_Examples/Hotel_Example_Prolog.thy
src/HOL/Presburger.thy
src/HOL/Prolog/Test.thy
src/HOL/Prolog/Type.thy
src/HOL/Proofs/Lambda/Commutation.thy
src/HOL/Proofs/Lambda/Eta.thy
src/HOL/Proofs/Lambda/InductTermi.thy
src/HOL/Proofs/Lambda/Lambda.thy
src/HOL/Proofs/Lambda/ListOrder.thy
src/HOL/Proofs/Lambda/ParRed.thy
src/HOL/Quickcheck_Examples/Hotel_Example.thy
src/HOL/Quickcheck_Examples/Quickcheck_Examples.thy
src/HOL/Quickcheck_Examples/Quickcheck_Narrowing_Examples.thy
src/HOL/SET_Protocol/Cardholder_Registration.thy
src/HOL/SET_Protocol/Event_SET.thy
src/HOL/SET_Protocol/Merchant_Registration.thy
src/HOL/SET_Protocol/Message_SET.thy
src/HOL/SET_Protocol/Public_SET.thy
src/HOL/SET_Protocol/Purchase.thy
src/HOL/SMT_Examples/SMT_Examples.thy
src/HOL/Set.thy
src/HOL/Set_Interval.thy
src/HOL/TLA/Memory/Memory.thy
src/HOL/TLA/Memory/MemoryImplementation.thy
src/HOL/TLA/Memory/MemoryParameters.thy
src/HOL/TPTP/TPTP_Parser/tptp_reconstruct_library.ML
src/HOL/TPTP/TPTP_Proof_Reconstruction.thy
src/HOL/Transitive_Closure.thy
src/HOL/UNITY/Comp/Alloc.thy
src/HOL/UNITY/Comp/AllocBase.thy
src/HOL/UNITY/Comp/Handshake.thy
src/HOL/UNITY/Comp/Priority.thy
src/HOL/UNITY/Comp/PriorityAux.thy
src/HOL/UNITY/Comp/TimerArray.thy
src/HOL/UNITY/Constrains.thy
src/HOL/UNITY/ELT.thy
src/HOL/UNITY/Extend.thy
src/HOL/UNITY/FP.thy
src/HOL/UNITY/Guar.thy
src/HOL/UNITY/ListOrder.thy
src/HOL/UNITY/PPROD.thy
src/HOL/UNITY/Simple/NSP_Bad.thy
src/HOL/UNITY/Simple/Reach.thy
src/HOL/UNITY/Simple/Reachability.thy
src/HOL/UNITY/SubstAx.thy
src/HOL/UNITY/Transformers.thy
src/HOL/UNITY/UNITY.thy
src/HOL/UNITY/Union.thy
src/HOL/UNITY/WFair.thy
src/HOL/Word/Misc_Typedef.thy
src/HOL/ZF/Games.thy
src/HOL/ZF/HOLZF.thy
src/HOL/ZF/LProd.thy
src/HOL/ZF/Zet.thy
src/HOL/Zorn.thy
src/HOL/ex/Birthday_Paradox.thy
src/HOL/ex/Dedekind_Real.thy
src/HOL/ex/Executable_Relation.thy
src/HOL/ex/Groebner_Examples.thy
src/HOL/ex/Intuitionistic.thy
src/HOL/ex/LocaleTest2.thy
src/HOL/ex/Refute_Examples.thy
src/HOL/ex/SAT_Examples.thy
src/HOL/ex/Set_Comprehension_Pointfree_Examples.thy
src/HOL/ex/Set_Theory.thy
src/HOL/ex/Tarski.thy
src/HOL/ex/While_Combinator_Example.thy
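--- a/src/Benchmarks/Quickcheck_Benchmark/Needham_Schroeder_Base.thy
+++ b/src/Benchmarks/Quickcheck_Benchmark/Needham_Schroeder_Base.thy
@@ -49,7 +49,7 @@
   | Fst:     "\<lbrace>X,Y\<rbrace> \<in> analz H ==> X \<in> analz H"
   | Snd:     "\<lbrace>X,Y\<rbrace> \<in> analz H ==> Y \<in> analz H"
   | Decrypt [dest]: 
-             "[|Crypt K X \<in> analz H; Key(invKey K): analz H|] ==> X \<in> analz H"
+             "[|Crypt K X \<in> analz H; Key(invKey K) \<in> analz H|] ==> X \<in> analz H"
 
 inductive_set
   synth :: "msg set => msg set"
@@ -168,7 +168,7 @@
 
 lemma [code]:
   "analz H = (let
-     H' = H \<union> (\<Union>((%m. case m of \<lbrace>X, Y\<rbrace> => {X, Y} | Crypt K X => if Key (invKey K) : H then {X} else {} | _ => {}) ` H))
+     H' = H \<union> (\<Union>((%m. case m of \<lbrace>X, Y\<rbrace> => {X, Y} | Crypt K X => if Key (invKey K) \<in> H then {X} else {} | _ => {}) ` H))
    in if H' = H then H else analz H')"
 sorry
 
@@ -180,7 +180,7 @@
 
 definition synth' :: "msg set => msg => bool"
 where
-  "synth' H m = (m : synth H)"
+  "synth' H m = (m \<in> synth H)"
 
 lemmas [code_pred_intro] = synth.intros[folded synth'_def]
 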
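Review bot: The new lines 1.8, 1.17 and 1.26 switch `:` to `\<in>` but leave the neighbouring ASCII notation (`[| ... |]`, `==>`, `%m.`, `=>`) untouched, so converted and unconverted spellings now sit on the same line; if this series is meant to finish a file once it touches it, line 1.8 would read `"\<lbrakk>Crypt K X \<in> analz H; Key(invKey K) \<in> analz H\<rbrakk> \<Longrightarrow> X \<in> analz H"`, and the same half-converted shape remains in Ifexpr.thy (8.17 keeps `&` and `-->` next to `\<forall>`), Star.thy (10.26 keeps `[| |]`/`==>` while 10.35 is fully converted) and Event.thy (14.46, 14.146, 14.157). All of these pairs are alternative input syntax for the same constants, so the change is purely notational and alters no proof obligation. Separately, the `sorry` at 1.19 leaves the `[code]` equation for `analz` unproven, so results from this benchmark presumably rest on the executable `analz` agreeing with the inductive set; if that is deliberate for a benchmark theory, a comment such as `(* unproven code equation: benchmark only, not a verified refinement of analz *)` above the lemma would make it explicit. The `analz` inductive_set whose rules appear at 1.4–1.8 starts before this hunk.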
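--- a/src/Doc/Prog_Prove/Isar.thy
+++ b/src/Doc/Prog_Prove/Isar.thy
@@ -332,7 +332,7 @@
 \begin{minipage}[t]{.4\textwidth}
 \isa{%
 \<close>
-(*<*)lemma "ALL x. P x" proof-(*>*)
+(*<*)lemma "\<forall>x. P x" proof-(*>*)
 show "\<forall>x. P(x)"
 proof
   fix x
@@ -346,7 +346,7 @@
 \begin{minipage}[t]{.4\textwidth}
 \isa{%
 \<close>
-(*<*)lemma "EX x. P(x)" proof-(*>*)
+(*<*)lemma "\<exists>x. P(x)" proof-(*>*)
 show "\<exists>x. P(x)"
 proof
   text_raw\<open>\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}\<close>
@@ -370,7 +370,7 @@
 How to reason forward from \noquotes{@{prop[source] "\<exists>x. P(x)"}}:
 \end{isamarkuptext}%
 \<close>
-(*<*)lemma True proof- assume 1: "EX x. P x"(*>*)
+(*<*)lemma True proof- assume 1: "\<exists>x. P x"(*>*)
 have "\<exists>x. P(x)" (*<*)by(rule 1)(*>*)text_raw\<open>\ \isasymproof\\\<close>
 then obtain x where p: "P(x)" by blast
 (*<*)oops(*>*)
@@ -1066,7 +1066,7 @@
 reasoning backwards: by which rules could some given fact have been proved?
 For the inductive definition of @{const ev}, rule inversion can be summarized
 like this:
-@{prop[display]"ev n \<Longrightarrow> n = 0 \<or> (EX k. n = Suc(Suc k) \<and> ev k)"}
+@{prop[display]"ev n \<Longrightarrow> n = 0 \<or> (\<exists>k. n = Suc(Suc k) \<and> ev k)"}
 The realisation in Isabelle is a case analysis.
 A simple example is the proof that @{prop"ev n \<Longrightarrow> ev (n - 2)"}. We
 already went through the details informally in \autoref{sec:Logic:even}. This
@@ -1223,7 +1223,7 @@
 
 \begin{exercise}
 Define a recursive function @{text "elems ::"} @{typ"'a list \<Rightarrow> 'a set"}
-and prove @{prop "x : elems xs \<Longrightarrow> \<exists>ys zs. xs = ys @ x # zs \<and> x \<notin> elems ys"}.
+and prove @{prop "x \<in> elems xs \<Longrightarrow> \<exists>ys zs. xs = ys @ x # zs \<and> x \<notin> elems ys"}.
 \end{exercise}
 
 \begin{exercise}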
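--- a/src/Doc/Prog_Prove/Logic.thy
+++ b/src/Doc/Prog_Prove/Logic.thy
@@ -97,7 +97,7 @@
 \noquotes{@{term[source] "{t | x y. P}"}}\index{$IMP042@@{text"{t |x. P}"}},
 where @{text "x y"} are those free variables in @{text t}
 that occur in @{text P}.
-This is just a shorthand for @{term"{v. EX x y. v = t \<and> P}"}, where
+This is just a shorthand for @{term"{v. \<exists>x y. v = t \<and> P}"}, where
 @{text v} is a new variable. For example, @{term"{x+y|x. x \<in> A}"}
 is short for \noquotes{@{term[source]"{v. \<exists>x. v = x+y \<and> x \<in> A}"}}.
 \end{warn}
@@ -111,8 +111,8 @@
 @{text "\<inter>"} & \texttt{\char`\\\char`\<inter>} & \texttt{Int}
 \end{tabular}
 \end{center}
-Sets also allow bounded quantifications @{prop"ALL x : A. P"} and
-@{prop"EX x : A. P"}.
+Sets also allow bounded quantifications @{prop"\<forall>x \<in> A. P"} and
+@{prop"\<exists>x \<in> A. P"}.
 
 For the more ambitious, there are also @{text"\<Union>"}\index{$HOLSet6@\isasymUnion}
 and @{text"\<Inter>"}\index{$HOLSet7@\isasymInter}:
@@ -703,7 +703,7 @@
 that maps a binary predicate to another binary predicate: if @{text r} is of
 type @{text"\<tau> \<Rightarrow> \<tau> \<Rightarrow> bool"} then @{term "star r"} is again of type @{text"\<tau> \<Rightarrow>
 \<tau> \<Rightarrow> bool"}, and @{prop"star r x y"} means that @{text x} and @{text y} are in
-the relation @{term"star r"}. Think @{term"r^*"} when you see @{term"star
+the relation @{term"star r"}. Think @{term"r\<^sup>*"} when you see @{term"star
 r"}, because @{text"star r"} is meant to be the reflexive transitive closure.
 That is, @{prop"star r x y"} is meant to be true if from @{text x} we can
 reach @{text y} in finitely many @{text r} steps. This concept is naturally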
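--- a/src/Doc/Prog_Prove/Types_and_funs.thy
+++ b/src/Doc/Prog_Prove/Types_and_funs.thy
@@ -525,7 +525,7 @@
 simplify to @{const True}.
 
 We can split case-expressions similarly. For @{text nat} the rule looks like this:
-@{prop[display,margin=65,indent=4]"P(case e of 0 \<Rightarrow> a | Suc n \<Rightarrow> b n) = ((e = 0 \<longrightarrow> P a) & (ALL n. e = Suc n \<longrightarrow> P(b n)))"}
+@{prop[display,margin=65,indent=4]"P(case e of 0 \<Rightarrow> a | Suc n \<Rightarrow> b n) = ((e = 0 \<longrightarrow> P a) \<and> (\<forall>n. e = Suc n \<longrightarrow> P(b n)))"}
 Case expressions are not split automatically by @{text simp}, but @{text simp}
 can be instructed to do so:
 \begin{quote}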
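--- a/src/Doc/Sugar/Sugar.thy
+++ b/src/Doc/Sugar/Sugar.thy
@@ -55,7 +55,7 @@
 
 \subsection{Logic}
 
-The formula @{prop[source]"\<not>(\<exists>x. P x)"} is typeset as @{prop"~(EX x. P x)"}.
+The formula @{prop[source]"\<not>(\<exists>x. P x)"} is typeset as @{prop"\<not>(\<exists>x. P x)"}.
 
 The predefined constructs @{text"if"}, @{text"let"} and
 @{text"case"} are set in sans serif font to distinguish them from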
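--- a/src/Doc/Tutorial/CTL/CTL.thy
+++ b/src/Doc/Tutorial/CTL/CTL.thy
@@ -153,7 +153,7 @@
 done
 
 text\<open>\noindent
-We assume the negation of the conclusion and prove @{term"s : lfp(af A)"}.
+We assume the negation of the conclusion and prove @{term"s \<in> lfp(af A)"}.
 Unfolding @{const lfp} once and
 simplifying with the definition of @{const af} finishes the proof.
 
@@ -214,14 +214,14 @@
 txt\<open>\noindent
 After simplification, the base case boils down to
 @{subgoals[display,indent=0,margin=70,goals_limit=1]}
-The conclusion looks exceedingly trivial: after all, @{term t} is chosen such that @{prop"(s,t):M"}
+The conclusion looks exceedingly trivial: after all, @{term t} is chosen such that @{prop"(s,t)\<in>M"}
 holds. However, we first have to show that such a @{term t} actually exists! This reasoning
 is embodied in the theorem @{thm[source]someI2_ex}:
 @{thm[display,eta_contract=false]someI2_ex}
 When we apply this theorem as an introduction rule, @{text"?P x"} becomes
-@{prop"(s, x) : M & Q x"} and @{text"?Q x"} becomes @{prop"(s,x) : M"} and we have to prove
-two subgoals: @{prop"EX a. (s, a) : M & Q a"}, which follows from the assumptions, and
-@{prop"(s, x) : M & Q x ==> (s,x) : M"}, which is trivial. Thus it is not surprising that
+@{prop"(s, x) \<in> M \<and> Q x"} and @{text"?Q x"} becomes @{prop"(s,x) \<in> M"} and we have to prove
+two subgoals: @{prop"\<exists>a. (s, a) \<in> M \<and> Q a"}, which follows from the assumptions, and
+@{prop"(s, x) \<in> M \<and> Q x \<Longrightarrow> (s,x) \<in> M"}, which is trivial. Thus it is not surprising that
 @{text fast} can prove the base case quickly:
 \<close>
 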
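--- a/src/Doc/Tutorial/CTL/PDL.thy
+++ b/src/Doc/Tutorial/CTL/PDL.thy
@@ -129,7 +129,7 @@
 forward direction. Fortunately the converse induction theorem
 @{thm[source]converse_rtrancl_induct} already exists:
 @{thm[display,margin=60]converse_rtrancl_induct[no_vars]}
-It says that if @{prop"(a,b):r\<^sup>*"} and we know @{prop"P b"} then we can infer
+It says that if @{prop"(a,b)\<in>r\<^sup>*"} and we know @{prop"P b"} then we can infer
 @{prop"P a"} provided each step backwards from a predecessor @{term z} of
 @{term b} preserves @{term P}.
 \<close>
@@ -176,7 +176,7 @@
 \footnote{We cannot use the customary @{text EX}: it is reserved
 as the \textsc{ascii}-equivalent of @{text"\<exists>"}.}
 with the intended semantics
-@{prop[display]"(s \<Turnstile> EN f) = (EX t. (s,t) : M & t \<Turnstile> f)"}
+@{prop[display]"(s \<Turnstile> EN f) = (\<exists>t. (s,t) \<in> M \<and> t \<Turnstile> f)"}
 Fortunately, @{term"EN f"} can already be expressed as a PDL formula. How?
 
 Show that the semantics for @{term EF} satisfies the following recursion equation:
@@ -190,7 +190,7 @@
 apply(auto simp add: EF_lemma)
 done
 
-lemma aux: "s \<Turnstile> f = (s : mc f)"
+lemma aux: "s \<Turnstile> f = (s \<in> mc f)"
 apply(simp add: main)
 done
 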
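--- a/src/Doc/Tutorial/Ifexpr/Ifexpr.thy
+++ b/src/Doc/Tutorial/Ifexpr/Ifexpr.thy
@@ -201,7 +201,7 @@
      (case b of CIF b => False | VIF x => True | IF x y z => False))"
 
 lemma [simp]:
-  "ALL t e. valif (normif2 b t e) env = valif (IF b t e) env"
+  "\<forall>t e. valif (normif2 b t e) env = valif (IF b t e) env"
 apply(induct b)
 by(auto)
 
@@ -209,7 +209,7 @@
 apply(induct b)
 by(auto)
 
-lemma [simp]: "ALL t e. normal2 t & normal2 e --> normal2(normif2 b t e)"
+lemma [simp]: "\<forall>t e. normal2 t & normal2 e --> normal2(normif2 b t e)"
 apply(induct b)
 by(auto)
 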
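--- a/src/Doc/Tutorial/Inductive/Mutual.thy
+++ b/src/Doc/Tutorial/Inductive/Mutual.thy
@@ -67,7 +67,7 @@
 
 text\<open>\noindent Everything works as before, except that
 you write \commdx{inductive} instead of \isacommand{inductive\_set} and
-@{prop"evn n"} instead of @{prop"n : Even"}.
+@{prop"evn n"} instead of @{prop"n \<in> Even"}.
 When defining an n-ary relation as a predicate, it is recommended to curry
 the predicate: its type should be \mbox{@{text"\<tau>\<^sub>1 \<Rightarrow> \<dots> \<Rightarrow> \<tau>\<^sub>n \<Rightarrow> bool"}}
 rather than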
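--- a/src/Doc/Tutorial/Inductive/Star.thy
+++ b/src/Doc/Tutorial/Inductive/Star.thy
@@ -77,7 +77,7 @@
 is what we want, it is merely due to the order in which the assumptions occur
 in the subgoal, which it is not good practice to rely on. As a result,
 @{text"?xb"} becomes @{term x}, @{text"?xa"} becomes
-@{term y} and @{text"?P"} becomes @{term"%u v. (u,z) : r*"}, thus
+@{term y} and @{text"?P"} becomes @{term"\<lambda>u v. (u,z) \<in> r*"}, thus
 yielding the above subgoal. So what went wrong?
 
 When looking at the instantiation of @{text"?P"} we see that it does not
@@ -85,7 +85,7 @@
 goal, of the pair @{term"(x,y)"} only @{term x} appears also in the
 conclusion, but not @{term y}. Thus our induction statement is too
 general. Fortunately, it can easily be specialized:
-transfer the additional premise @{prop"(y,z):r*"} into the conclusion:\<close>
+transfer the additional premise @{prop"(y,z)\<in>r*"} into the conclusion:\<close>
 (*<*)oops(*>*)
 lemma rtc_trans[rule_format]:
   "(x,y) \<in> r* \<Longrightarrow> (y,z) \<in> r* \<longrightarrow> (x,z) \<in> r*"
@@ -157,7 +157,7 @@
 
 \begin{exercise}\label{ex:converse-rtc-step}
 Show that the converse of @{thm[source]rtc_step} also holds:
-@{prop[display]"[| (x,y) : r*; (y,z) : r |] ==> (x,z) : r*"}
+@{prop[display]"[| (x,y) \<in> r*; (y,z) \<in> r |] ==> (x,z) \<in> r*"}
 \end{exercise}
 \begin{exercise}
 Repeat the development of this section, but starting with a definition of
@@ -166,7 +166,7 @@
 \end{exercise}
 \<close>
 (*<*)
-lemma rtc_step2[rule_format]: "(x,y) : r* \<Longrightarrow> (y,z) : r --> (x,z) : r*"
+lemma rtc_step2[rule_format]: "(x,y) \<in> r* \<Longrightarrow> (y,z) \<in> r \<longrightarrow> (x,z) \<in> r*"
 apply(erule rtc.induct)
  apply blast
 apply(blast intro: rtc_step)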
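--- a/src/Doc/Tutorial/Misc/Plus.thy
+++ b/src/Doc/Tutorial/Misc/Plus.thy
@@ -10,7 +10,7 @@
 
 text\<open>\noindent and prove\<close>
 (*<*)
-lemma [simp]: "!m. add m n = m+n"
+lemma [simp]: "\<forall>m. add m n = m+n"
 apply(induct_tac n)
 by(auto)
 (*>*)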
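--- a/src/Doc/Tutorial/Misc/Tree2.thy
+++ b/src/Doc/Tutorial/Misc/Tree2.thy
@@ -14,7 +14,7 @@
 
 text\<open>\noindent and prove\<close>
 (*<*)
-lemma [simp]: "!xs. flatten2 t xs = flatten t @ xs"
+lemma [simp]: "\<forall>xs. flatten2 t xs = flatten t @ xs"
 apply(induct_tac t)
 by(auto)
 (*>*)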
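--- a/src/Doc/Tutorial/Misc/prime_def.thy
+++ b/src/Doc/Tutorial/Misc/prime_def.thy
@@ -7,12 +7,12 @@
 A common mistake when writing definitions is to introduce extra free
 variables on the right-hand side.  Consider the following, flawed definition
 (where @{text"dvd"} means ``divides''):
-@{term[display,quotes]"prime(p) == 1 < p & (m dvd p --> (m=1 | m=p))"}
+@{term[display,quotes]"prime(p) \<equiv> 1 < p \<and> (m dvd p \<longrightarrow> (m=1 \<or> m=p))"}
 \par\noindent\hangindent=0pt
 Isabelle rejects this ``definition'' because of the extra @{term"m"} on the
 right-hand side, which would introduce an inconsistency (why?). 
 The correct version is
-@{term[display,quotes]"prime(p) == 1 < p & (!m. m dvd p --> (m=1 | m=p))"}
+@{term[display,quotes]"prime(p) \<equiv> 1 < p \<and> (\<forall>m. m dvd p \<longrightarrow> (m=1 \<or> m=p))"}
 \end{warn}
 \<close>
 (*<*)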
    14.1 --- a/src/Doc/Tutorial/Protocol/Event.thy	Tue Feb 13 14:24:50 2018 +0100
    14.2 +++ b/src/Doc/Tutorial/Protocol/Event.thy	Thu Feb 15 12:11:00 2018 +0100
    14.3 @@ -12,7 +12,7 @@
    14.4  theory Event imports Message begin
    14.5  
    14.6  consts  (*Initial states of agents -- parameter of the construction*)
    14.7 -  initState :: "agent => msg set"
    14.8 +  initState :: "agent \<Rightarrow> msg set"
    14.9  
   14.10  datatype
   14.11    event = Says  agent agent msg
   14.12 @@ -26,28 +26,28 @@
   14.13  text\<open>The constant "spies" is retained for compatibility's sake\<close>
   14.14  
   14.15  primrec
   14.16 -  knows :: "agent => event list => msg set"
   14.17 +  knows :: "agent \<Rightarrow> event list \<Rightarrow> msg set"
   14.18  where
   14.19    knows_Nil:   "knows A [] = initState A"
   14.20  | knows_Cons:
   14.21      "knows A (ev # evs) =
   14.22         (if A = Spy then 
   14.23          (case ev of
   14.24 -           Says A' B X => insert X (knows Spy evs)
   14.25 -         | Gets A' X => knows Spy evs
   14.26 -         | Notes A' X  => 
   14.27 +           Says A' B X \<Rightarrow> insert X (knows Spy evs)
   14.28 +         | Gets A' X \<Rightarrow> knows Spy evs
   14.29 +         | Notes A' X  \<Rightarrow> 
   14.30               if A' \<in> bad then insert X (knows Spy evs) else knows Spy evs)
   14.31          else
   14.32          (case ev of
   14.33 -           Says A' B X => 
   14.34 +           Says A' B X \<Rightarrow> 
   14.35               if A'=A then insert X (knows A evs) else knows A evs
   14.36 -         | Gets A' X    => 
   14.37 +         | Gets A' X    \<Rightarrow> 
   14.38               if A'=A then insert X (knows A evs) else knows A evs
   14.39 -         | Notes A' X    => 
   14.40 +         | Notes A' X    \<Rightarrow> 
   14.41               if A'=A then insert X (knows A evs) else knows A evs))"
   14.42  
   14.43  abbreviation (input)
   14.44 -  spies  :: "event list => msg set" where
   14.45 +  spies  :: "event list \<Rightarrow> msg set" where
   14.46    "spies == knows Spy"
   14.47  
   14.48  text\<open>Spy has access to his own key for spoof messages, but Server is secure\<close>
   14.49 @@ -65,24 +65,24 @@
   14.50  primrec
   14.51    (*Set of items that might be visible to somebody:
   14.52      complement of the set of fresh items*)
   14.53 -  used :: "event list => msg set"
   14.54 +  used :: "event list \<Rightarrow> msg set"
   14.55  where
   14.56    used_Nil:   "used []         = (UN B. parts (initState B))"
   14.57  | used_Cons:  "used (ev # evs) =
   14.58                       (case ev of
   14.59 -                        Says A B X => parts {X} \<union> used evs
   14.60 -                      | Gets A X   => used evs
   14.61 -                      | Notes A X  => parts {X} \<union> used evs)"
   14.62 +                        Says A B X \<Rightarrow> parts {X} \<union> used evs
   14.63 +                      | Gets A X   \<Rightarrow> used evs
   14.64 +                      | Notes A X  \<Rightarrow> parts {X} \<union> used evs)"
   14.65      \<comment> \<open>The case for @{term Gets} seems anomalous, but @{term Gets} always
   14.66          follows @{term Says} in real protocols.  Seems difficult to change.
   14.67          See @{text Gets_correct} in theory @{text "Guard/Extensions.thy"}.\<close>
   14.68  
   14.69 -lemma Notes_imp_used [rule_format]: "Notes A X \<in> set evs --> X \<in> used evs"
   14.70 +lemma Notes_imp_used [rule_format]: "Notes A X \<in> set evs \<longrightarrow> X \<in> used evs"
   14.71  apply (induct_tac evs)
   14.72  apply (auto split: event.split) 
   14.73  done
   14.74  
   14.75 -lemma Says_imp_used [rule_format]: "Says A B X \<in> set evs --> X \<in> used evs"
   14.76 +lemma Says_imp_used [rule_format]: "Says A B X \<in> set evs \<longrightarrow> X \<in> used evs"
   14.77  apply (induct_tac evs)
   14.78  apply (auto split: event.split) 
   14.79  done
   14.80 @@ -103,7 +103,7 @@
   14.81        on whether @{term "A=Spy"} and whether @{term "A\<in>bad"}\<close>
   14.82  lemma knows_Spy_Notes [simp]:
   14.83       "knows Spy (Notes A X # evs) =  
   14.84 -          (if A:bad then insert X (knows Spy evs) else knows Spy evs)"
   14.85 +          (if A\<in>bad then insert X (knows Spy evs) else knows Spy evs)"
   14.86  by simp
   14.87  
   14.88  lemma knows_Spy_Gets [simp]: "knows Spy (Gets A X # evs) = knows Spy evs"
   14.89 @@ -123,13 +123,13 @@
   14.90  
   14.91  text\<open>Spy sees what is sent on the traffic\<close>
   14.92  lemma Says_imp_knows_Spy [rule_format]:
   14.93 -     "Says A B X \<in> set evs --> X \<in> knows Spy evs"
   14.94 +     "Says A B X \<in> set evs \<longrightarrow> X \<in> knows Spy evs"
   14.95  apply (induct_tac "evs")
   14.96  apply (simp_all (no_asm_simp) split: event.split)
   14.97  done
   14.98  
   14.99  lemma Notes_imp_knows_Spy [rule_format]:
  14.100 -     "Notes A X \<in> set evs --> A: bad --> X \<in> knows Spy evs"
  14.101 +     "Notes A X \<in> set evs \<longrightarrow> A \<in> bad \<longrightarrow> X \<in> knows Spy evs"
  14.102  apply (induct_tac "evs")
  14.103  apply (simp_all (no_asm_simp) split: event.split)
  14.104  done
  14.105 @@ -158,7 +158,7 @@
  14.106  by simp
  14.107  
  14.108  lemma knows_Gets:
  14.109 -     "A \<noteq> Spy --> knows A (Gets A X # evs) = insert X (knows A evs)"
  14.110 +     "A \<noteq> Spy \<longrightarrow> knows A (Gets A X # evs) = insert X (knows A evs)"
  14.111  by simp
  14.112  
  14.113  
  14.114 @@ -172,14 +172,14 @@
  14.115  by (simp add: subset_insertI)
  14.116  
  14.117  text\<open>Agents know what they say\<close>
  14.118 -lemma Says_imp_knows [rule_format]: "Says A B X \<in> set evs --> X \<in> knows A evs"
  14.119 +lemma Says_imp_knows [rule_format]: "Says A B X \<in> set evs \<longrightarrow> X \<in> knows A evs"
  14.120  apply (induct_tac "evs")
  14.121  apply (simp_all (no_asm_simp) split: event.split)
  14.122  apply blast
  14.123  done
  14.124  
  14.125  text\<open>Agents know what they note\<close>
  14.126 -lemma Notes_imp_knows [rule_format]: "Notes A X \<in> set evs --> X \<in> knows A evs"
  14.127 +lemma Notes_imp_knows [rule_format]: "Notes A X \<in> set evs \<longrightarrow> X \<in> knows A evs"
  14.128  apply (induct_tac "evs")
  14.129  apply (simp_all (no_asm_simp) split: event.split)
  14.130  apply blast
  14.131 @@ -187,7 +187,7 @@
  14.132  
  14.133  text\<open>Agents know what they receive\<close>
  14.134  lemma Gets_imp_knows_agents [rule_format]:
  14.135 -     "A \<noteq> Spy --> Gets A X \<in> set evs --> X \<in> knows A evs"
  14.136 +     "A \<noteq> Spy \<longrightarrow> Gets A X \<in> set evs \<longrightarrow> X \<in> knows A evs"
  14.137  apply (induct_tac "evs")
  14.138  apply (simp_all (no_asm_simp) split: event.split)
  14.139  done
  14.140 @@ -196,8 +196,8 @@
  14.141  text\<open>What agents DIFFERENT FROM Spy know 
  14.142    was either said, or noted, or got, or known initially\<close>
  14.143  lemma knows_imp_Says_Gets_Notes_initState [rule_format]:
  14.144 -     "[| X \<in> knows A evs; A \<noteq> Spy |] ==> EX B.  
  14.145 -  Says A B X \<in> set evs | Gets A X \<in> set evs | Notes A X \<in> set evs | X \<in> initState A"
  14.146 +     "[| X \<in> knows A evs; A \<noteq> Spy |] ==> \<exists>B.
  14.147 +  Says A B X \<in> set evs \<or> Gets A X \<in> set evs \<or> Notes A X \<in> set evs \<or> X \<in> initState A"
  14.148  apply (erule rev_mp)
  14.149  apply (induct_tac "evs")
  14.150  apply (simp_all (no_asm_simp) split: event.split)
  14.151 @@ -207,8 +207,8 @@
  14.152  text\<open>What the Spy knows -- for the time being --
  14.153    was either said or noted, or known initially\<close>
  14.154  lemma knows_Spy_imp_Says_Notes_initState [rule_format]:
  14.155 -     "[| X \<in> knows Spy evs |] ==> EX A B.  
  14.156 -  Says A B X \<in> set evs | Notes A X \<in> set evs | X \<in> initState Spy"
  14.157 +     "[| X \<in> knows Spy evs |] ==> \<exists>A B.
  14.158 +  Says A B X \<in> set evs \<or> Notes A X \<in> set evs \<or> X \<in> initState Spy"
  14.159  apply (erule rev_mp)
  14.160  apply (induct_tac "evs")
  14.161  apply (simp_all (no_asm_simp) split: event.split)
  14.162 @@ -222,7 +222,7 @@
  14.163  
  14.164  lemmas usedI = parts_knows_Spy_subset_used [THEN subsetD, intro]
  14.165  
  14.166 -lemma initState_into_used: "X \<in> parts (initState B) ==> X \<in> used evs"
  14.167 +lemma initState_into_used: "X \<in> parts (initState B) \<Longrightarrow> X \<in> used evs"
  14.168  apply (induct_tac "evs")
  14.169  apply (simp_all add: parts_insert_knows_A split: event.split, blast)
  14.170  done
  14.171 @@ -246,7 +246,7 @@
  14.172          used_Nil [simp del] used_Cons [simp del]
  14.173  
  14.174  
  14.175 -text\<open>For proving theorems of the form @{term "X \<notin> analz (knows Spy evs) --> P"}
  14.176 +text\<open>For proving theorems of the form @{term "X \<notin> analz (knows Spy evs) \<longrightarrow> P"}
  14.177    New events added by induction to "evs" are discarded.  Provided 
  14.178    this information isn't needed, the proof will be much shorter, since
  14.179    it will omit complicated reasoning about @{term analz}.\<close>
  14.180 @@ -286,7 +286,7 @@
  14.181  
  14.182  method_setup analz_mono_contra = \<open>
  14.183      Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (analz_mono_contra_tac ctxt)))\<close>
  14.184 -    "for proving theorems of the form X \<notin> analz (knows Spy evs) --> P"
  14.185 +    "for proving theorems of the form X \<notin> analz (knows Spy evs) \<longrightarrow> P"
  14.186  
  14.187  subsubsection\<open>Useful for case analysis on whether a hash is a spoof or not\<close>
  14.188  
  14.189 @@ -343,7 +343,7 @@
  14.190  
  14.191  method_setup synth_analz_mono_contra = \<open>
  14.192      Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (synth_analz_mono_contra_tac ctxt)))\<close>
  14.193 -    "for proving theorems of the form X \<notin> synth (analz (knows Spy evs)) --> P"
  14.194 +    "for proving theorems of the form X \<notin> synth (analz (knows Spy evs)) \<longrightarrow> P"
  14.195  (*>*)
  14.196  
  14.197  section\<open>Event Traces \label{sec:events}\<close>
    15.1 --- a/src/Doc/Tutorial/Protocol/Message.thy	Tue Feb 13 14:24:50 2018 +0100
    15.2 +++ b/src/Doc/Tutorial/Protocol/Message.thy	Thu Feb 15 12:11:00 2018 +0100
    15.3 @@ -39,7 +39,7 @@
    15.4  
    15.5  specification (invKey)
    15.6    invKey [simp]: "invKey (invKey K) = K"
    15.7 -  invKey_symmetric: "all_symmetric --> invKey = id"
    15.8 +  invKey_symmetric: "all_symmetric \<longrightarrow> invKey = id"
    15.9      by (rule exI [of _ id], auto)
   15.10  
   15.11  
   15.12 @@ -81,13 +81,13 @@
   15.13  (*<*)
   15.14  text\<open>Concrete syntax: messages appear as \<open>\<lbrace>A,B,NA\<rbrace>\<close>, etc...\<close>
   15.15  syntax
   15.16 -  "_MTuple"      :: "['a, args] => 'a * 'b"       ("(2\<lbrace>_,/ _\<rbrace>)")
   15.17 +  "_MTuple"      :: "['a, args] \<Rightarrow> 'a * 'b"       ("(2\<lbrace>_,/ _\<rbrace>)")
   15.18  translations
   15.19    "\<lbrace>x, y, z\<rbrace>"   == "\<lbrace>x, \<lbrace>y, z\<rbrace>\<rbrace>"
   15.20    "\<lbrace>x, y\<rbrace>"      == "CONST MPair x y"
   15.21  
   15.22  
   15.23 -definition keysFor :: "msg set => key set" where
   15.24 +definition keysFor :: "msg set \<Rightarrow> key set" where
   15.25      \<comment> \<open>Keys useful to decrypt elements of a message set\<close>
   15.26    "keysFor H == invKey ` {K. \<exists>X. Crypt K X \<in> H}"
   15.27  
   15.28 @@ -95,17 +95,17 @@
   15.29  subsubsection\<open>Inductive Definition of All Parts" of a Message\<close>
   15.30  
   15.31  inductive_set
   15.32 -  parts :: "msg set => msg set"
   15.33 +  parts :: "msg set \<Rightarrow> msg set"
   15.34    for H :: "msg set"
   15.35    where
   15.36 -    Inj [intro]:               "X \<in> H ==> X \<in> parts H"
   15.37 -  | Fst:         "\<lbrace>X,Y\<rbrace>   \<in> parts H ==> X \<in> parts H"
   15.38 -  | Snd:         "\<lbrace>X,Y\<rbrace>   \<in> parts H ==> Y \<in> parts H"
   15.39 -  | Body:        "Crypt K X \<in> parts H ==> X \<in> parts H"
   15.40 +    Inj [intro]:               "X \<in> H \<Longrightarrow> X \<in> parts H"
   15.41 +  | Fst:         "\<lbrace>X,Y\<rbrace>   \<in> parts H \<Longrightarrow> X \<in> parts H"
   15.42 +  | Snd:         "\<lbrace>X,Y\<rbrace>   \<in> parts H \<Longrightarrow> Y \<in> parts H"
   15.43 +  | Body:        "Crypt K X \<in> parts H \<Longrightarrow> X \<in> parts H"
   15.44  
   15.45  
   15.46  text\<open>Monotonicity\<close>
   15.47 -lemma parts_mono: "G \<subseteq> H ==> parts(G) \<subseteq> parts(H)"
   15.48 +lemma parts_mono: "G \<subseteq> H \<Longrightarrow> parts(G) \<subseteq> parts(H)"
   15.49  apply auto
   15.50  apply (erule parts.induct) 
   15.51  apply (blast dest: parts.Fst parts.Snd parts.Body)+
   15.52 @@ -113,7 +113,7 @@
   15.53  
   15.54  
   15.55  text\<open>Equations hold because constructors are injective.\<close>
   15.56 -lemma Friend_image_eq [simp]: "(Friend x \<in> Friend`A) = (x:A)"
   15.57 +lemma Friend_image_eq [simp]: "(Friend x \<in> Friend`A) = (x\<in>A)"
   15.58  by auto
   15.59  
   15.60  lemma Key_image_eq [simp]: "(Key x \<in> Key`A) = (x\<in>A)"
   15.61 @@ -143,7 +143,7 @@
   15.62  by (unfold keysFor_def, blast)
   15.63  
   15.64  text\<open>Monotonicity\<close>
   15.65 -lemma keysFor_mono: "G \<subseteq> H ==> keysFor(G) \<subseteq> keysFor(H)"
   15.66 +lemma keysFor_mono: "G \<subseteq> H \<Longrightarrow> keysFor(G) \<subseteq> keysFor(H)"
   15.67  by (unfold keysFor_def, blast)
   15.68  
   15.69  lemma keysFor_insert_Agent [simp]: "keysFor (insert (Agent A) H) = keysFor H"
   15.70 @@ -165,7 +165,7 @@
   15.71  lemma keysFor_image_Key [simp]: "keysFor (Key`E) = {}"
   15.72  by (unfold keysFor_def, auto)
   15.73  
   15.74 -lemma Crypt_imp_invKey_keysFor: "Crypt K X \<in> H ==> invKey K \<in> keysFor H"
   15.75 +lemma Crypt_imp_invKey_keysFor: "Crypt K X \<in> H \<Longrightarrow> invKey K \<in> keysFor H"
   15.76  by (unfold keysFor_def, blast)
   15.77  
   15.78  
   15.79 @@ -192,11 +192,11 @@
   15.80  apply (erule parts.induct, blast+)
   15.81  done
   15.82  
   15.83 -lemma parts_emptyE [elim!]: "X\<in> parts{} ==> P"
   15.84 +lemma parts_emptyE [elim!]: "X\<in> parts{} \<Longrightarrow> P"
   15.85  by simp
   15.86  
   15.87  text\<open>WARNING: loops if H = {Y}, therefore must not be repeated!\<close>
   15.88 -lemma parts_singleton: "X\<in> parts H ==> \<exists>Y\<in>H. X\<in> parts {Y}"
   15.89 +lemma parts_singleton: "X\<in> parts H \<Longrightarrow> \<exists>Y\<in>H. X\<in> parts {Y}"
   15.90  by (erule parts.induct, fast+)
   15.91  
   15.92  
   15.93 @@ -252,7 +252,7 @@
   15.94  
   15.95  subsubsection\<open>Idempotence and transitivity\<close>
   15.96  
   15.97 -lemma parts_partsD [dest!]: "X\<in> parts (parts H) ==> X\<in> parts H"
   15.98 +lemma parts_partsD [dest!]: "X \<in> parts (parts H) \<Longrightarrow> X\<in> parts H"
   15.99  by (erule parts.induct, blast+)
  15.100  
  15.101  lemma parts_idem [simp]: "parts (parts H) = parts H"
  15.102 @@ -324,7 +324,7 @@
  15.103  
  15.104  
  15.105  text\<open>In any message, there is an upper bound N on its greatest nonce.\<close>
  15.106 -lemma msg_Nonce_supply: "\<exists>N. \<forall>n. N\<le>n --> Nonce n \<notin> parts {msg}"
  15.107 +lemma msg_Nonce_supply: "\<exists>N. \<forall>n. N\<le>n \<longrightarrow> Nonce n \<notin> parts {msg}"
  15.108  apply (induct_tac "msg")
  15.109  apply (simp_all (no_asm_simp) add: exI parts_insert2)
  15.110   txt\<open>MPair case: blast works out the necessary sum itself!\<close>
  15.111 @@ -363,7 +363,7 @@
  15.112                \<Longrightarrow> X \<in> analz H"
  15.113  (*<*)
  15.114  text\<open>Monotonicity; Lemma 1 of Lowe's paper\<close>
  15.115 -lemma analz_mono: "G\<subseteq>H ==> analz(G) \<subseteq> analz(H)"
  15.116 +lemma analz_mono: "G\<subseteq>H \<Longrightarrow> analz(G) \<subseteq> analz(H)"
  15.117  apply auto
  15.118  apply (erule analz.induct) 
  15.119  apply (auto dest: analz.Fst analz.Snd) 
  15.120 @@ -435,7 +435,7 @@
  15.121  
  15.122  text\<open>Can only pull out Keys if they are not needed to decrypt the rest\<close>
  15.123  lemma analz_insert_Key [simp]: 
  15.124 -    "K \<notin> keysFor (analz H) ==>   
  15.125 +    "K \<notin> keysFor (analz H) \<Longrightarrow>   
  15.126            analz (insert (Key K) H) = insert (Key K) (analz H)"
  15.127  apply (unfold keysFor_def)
  15.128  apply (rule analz_insert_eq_I) 
  15.129 @@ -455,20 +455,20 @@
  15.130  text\<open>Can pull out enCrypted message if the Key is not known\<close>
  15.131  lemma analz_insert_Crypt:
  15.132       "Key (invKey K) \<notin> analz H 
  15.133 -      ==> analz (insert (Crypt K X) H) = insert (Crypt K X) (analz H)"
  15.134 +      \<Longrightarrow> analz (insert (Crypt K X) H) = insert (Crypt K X) (analz H)"
  15.135  apply (rule analz_insert_eq_I) 
  15.136  apply (erule analz.induct, auto) 
  15.137  
  15.138  done
  15.139  
  15.140 -lemma lemma1: "Key (invKey K) \<in> analz H ==>   
  15.141 +lemma lemma1: "Key (invKey K) \<in> analz H \<Longrightarrow>   
  15.142                 analz (insert (Crypt K X) H) \<subseteq>  
  15.143                 insert (Crypt K X) (analz (insert X H))"
  15.144  apply (rule subsetI)
  15.145  apply (erule_tac x = x in analz.induct, auto)
  15.146  done
  15.147  
  15.148 -lemma lemma2: "Key (invKey K) \<in> analz H ==>   
  15.149 +lemma lemma2: "Key (invKey K) \<in> analz H \<Longrightarrow>   
  15.150                 insert (Crypt K X) (analz (insert X H)) \<subseteq>  
  15.151                 analz (insert (Crypt K X) H)"
  15.152  apply auto
  15.153 @@ -477,7 +477,7 @@
  15.154  done
  15.155  
  15.156  lemma analz_insert_Decrypt:
  15.157 -     "Key (invKey K) \<in> analz H ==>   
  15.158 +     "Key (invKey K) \<in> analz H \<Longrightarrow>   
  15.159                 analz (insert (Crypt K X) H) =  
  15.160                 insert (Crypt K X) (analz (insert X H))"
  15.161  by (intro equalityI lemma1 lemma2)
  15.162 @@ -511,7 +511,7 @@
  15.163  
  15.164  subsubsection\<open>Idempotence and transitivity\<close>
  15.165  
  15.166 -lemma analz_analzD [dest!]: "X\<in> analz (analz H) ==> X\<in> analz H"
  15.167 +lemma analz_analzD [dest!]: "X\<in> analz (analz H) \<Longrightarrow> X\<in> analz H"
  15.168  by (erule analz.induct, blast+)
  15.169  
  15.170  lemma analz_idem [simp]: "analz (analz H) = analz H"
  15.171 @@ -531,13 +531,13 @@
  15.172  by (erule analz_trans, blast)
  15.173  
  15.174  (*Cut can be proved easily by induction on
  15.175 -   "Y: analz (insert X H) ==> X: analz H --> Y: analz H"
  15.176 +   "Y \<in> analz (insert X H) \<Longrightarrow> X \<in> analz H \<longrightarrow> Y \<in> analz H"
  15.177  *)
  15.178  
  15.179  text\<open>This rewrite rule helps in the simplification of messages that involve
  15.180    the forwarding of unknown components (X).  Without it, removing occurrences
  15.181    of X can be very complicated.\<close>
  15.182 -lemma analz_insert_eq: "X\<in> analz H ==> analz (insert X H) = analz H"
  15.183 +lemma analz_insert_eq: "X\<in> analz H \<Longrightarrow> analz (insert X H) = analz H"
  15.184  by (blast intro: analz_cut analz_insertI)
  15.185  
  15.186  
  15.187 @@ -556,7 +556,7 @@
  15.188  by (intro equalityI analz_subset_cong, simp_all) 
  15.189  
  15.190  lemma analz_insert_cong:
  15.191 -     "analz H = analz H' ==> analz(insert X H) = analz(insert X H')"
  15.192 +     "analz H = analz H' \<Longrightarrow> analz(insert X H) = analz(insert X H')"
  15.193  by (force simp only: insert_def intro!: analz_cong)
  15.194  
  15.195  text\<open>If there are no pairs or encryptions then analz does nothing\<close>
  15.196 @@ -568,7 +568,7 @@
  15.197  
  15.198  text\<open>These two are obsolete (with a single Spy) but cost little to prove...\<close>
  15.199  lemma analz_UN_analz_lemma:
  15.200 -     "X\<in> analz (\<Union>i\<in>A. analz (H i)) ==> X\<in> analz (\<Union>i\<in>A. H i)"
  15.201 +     "X\<in> analz (\<Union>i\<in>A. analz (H i)) \<Longrightarrow> X\<in> analz (\<Union>i\<in>A. H i)"
  15.202  apply (erule analz.induct)
  15.203  apply (blast intro: analz_mono [THEN [2] rev_subsetD])+
  15.204  done
  15.205 @@ -598,7 +598,7 @@
  15.206    | Crypt  [intro]:
  15.207                "\<lbrakk>X \<in> synth H;  Key K \<in> H\<rbrakk> \<Longrightarrow> Crypt K X \<in> synth H"
  15.208  (*<*)
  15.209 -lemma synth_mono: "G\<subseteq>H ==> synth(G) \<subseteq> synth(H)"
  15.210 +lemma synth_mono: "G\<subseteq>H \<Longrightarrow> synth(G) \<subseteq> synth(H)"
  15.211    by (auto, erule synth.induct, auto)  
  15.212  
  15.213  inductive_cases Key_synth   [elim!]: "Key K \<in> synth H"
  15.214 @@ -668,7 +668,7 @@
  15.215  
  15.216  subsubsection\<open>Idempotence and transitivity\<close>
  15.217  
  15.218 -lemma synth_synthD [dest!]: "X\<in> synth (synth H) ==> X\<in> synth H"
  15.219 +lemma synth_synthD [dest!]: "X\<in> synth (synth H) \<Longrightarrow> X\<in> synth H"
  15.220  by (erule synth.induct, blast+)
  15.221  
  15.222  lemma synth_idem: "synth (synth H) = synth H"
  15.223 @@ -697,7 +697,7 @@
  15.224  by blast
  15.225  
  15.226  lemma Crypt_synth_eq [simp]:
  15.227 -     "Key K \<notin> H ==> (Crypt K X \<in> synth H) = (Crypt K X \<in> H)"
  15.228 +     "Key K \<notin> H \<Longrightarrow> (Crypt K X \<in> synth H) = (Crypt K X \<in> H)"
  15.229  by blast
  15.230  
  15.231  
  15.232 @@ -724,13 +724,13 @@
  15.233  
  15.234  subsubsection\<open>For reasoning about the Fake rule in traces\<close>
  15.235  
  15.236 -lemma parts_insert_subset_Un: "X\<in> G ==> parts(insert X H) \<subseteq> parts G \<union> parts H"
  15.237 +lemma parts_insert_subset_Un: "X \<in> G \<Longrightarrow> parts(insert X H) \<subseteq> parts G \<union> parts H"
  15.238  by (rule subset_trans [OF parts_mono parts_Un_subset2], blast)
  15.239  
  15.240  text\<open>More specifically for Fake.  Very occasionally we could do with a version
  15.241    of the form  @{term"parts{X} \<subseteq> synth (analz H) \<union> parts H"}\<close>
  15.242  lemma Fake_parts_insert:
  15.243 -     "X \<in> synth (analz H) ==>  
  15.244 +     "X \<in> synth (analz H) \<Longrightarrow>
  15.245        parts (insert X H) \<subseteq> synth (analz H) \<union> parts H"
  15.246  apply (drule parts_insert_subset_Un)
  15.247  apply (simp (no_asm_use))
  15.248 @@ -738,14 +738,14 @@
  15.249  done
  15.250  
  15.251  lemma Fake_parts_insert_in_Un:
  15.252 -     "[|Z \<in> parts (insert X H);  X: synth (analz H)|] 
  15.253 +     "[|Z \<in> parts (insert X H);  X \<in> synth (analz H)|] 
  15.254        ==> Z \<in>  synth (analz H) \<union> parts H"
  15.255  by (blast dest: Fake_parts_insert  [THEN subsetD, dest])
  15.256  
  15.257  text\<open>@{term H} is sometimes @{term"Key ` KK \<union> spies evs"}, so can't put 
  15.258    @{term "G=H"}.\<close>
  15.259  lemma Fake_analz_insert:
  15.260 -     "X\<in> synth (analz G) ==>  
  15.261 +     "X \<in> synth (analz G) \<Longrightarrow>  
  15.262        analz (insert X H) \<subseteq> synth (analz G) \<union> analz (G \<union> H)"
  15.263  apply (rule subsetI)
  15.264  apply (subgoal_tac "x \<in> analz (synth (analz G) \<union> H) ")
  15.265 @@ -869,11 +869,11 @@
  15.266  lemma Crypt_notin_image_Key [simp]: "Crypt K X \<notin> Key ` A"
  15.267  by auto
  15.268  
  15.269 -lemma synth_analz_mono: "G\<subseteq>H ==> synth (analz(G)) \<subseteq> synth (analz(H))"
  15.270 +lemma synth_analz_mono: "G\<subseteq>H \<Longrightarrow> synth (analz(G)) \<subseteq> synth (analz(H))"
  15.271  by (iprover intro: synth_mono analz_mono) 
  15.272  
  15.273  lemma Fake_analz_eq [simp]:
  15.274 -     "X \<in> synth(analz H) ==> synth (analz (insert X H)) = synth (analz H)"
  15.275 +     "X \<in> synth(analz H) \<Longrightarrow> synth (analz (insert X H)) = synth (analz H)"
  15.276  apply (drule Fake_analz_insert[of _ _ "H"])
  15.277  apply (simp add: synth_increasing[THEN Un_absorb2])
  15.278  apply (drule synth_mono)
  15.279 @@ -885,18 +885,18 @@
  15.280  
  15.281  text\<open>Two generalizations of @{text analz_insert_eq}\<close>
  15.282  lemma gen_analz_insert_eq [rule_format]:
  15.283 -     "X \<in> analz H ==> ALL G. H \<subseteq> G --> analz (insert X G) = analz G"
  15.284 +     "X \<in> analz H \<Longrightarrow> \<forall>G. H \<subseteq> G \<longrightarrow> analz (insert X G) = analz G"
  15.285  by (blast intro: analz_cut analz_insertI analz_mono [THEN [2] rev_subsetD])
  15.286  
  15.287  lemma synth_analz_insert_eq [rule_format]:
  15.288       "X \<in> synth (analz H) 
  15.289 -      ==> ALL G. H \<subseteq> G --> (Key K \<in> analz (insert X G)) = (Key K \<in> analz G)"
  15.290 +      \<Longrightarrow> \<forall>G. H \<subseteq> G \<longrightarrow> (Key K \<in> analz (insert X G)) = (Key K \<in> analz G)"
  15.291  apply (erule synth.induct) 
  15.292  apply (simp_all add: gen_analz_insert_eq subset_trans [OF _ subset_insertI]) 
  15.293  done
  15.294  
  15.295  lemma Fake_parts_sing:
  15.296 -     "X \<in> synth (analz H) ==> parts{X} \<subseteq> synth (analz H) \<union> parts H"
  15.297 +     "X \<in> synth (analz H) \<Longrightarrow> parts{X} \<subseteq> synth (analz H) \<union> parts H"
  15.298  apply (rule subset_trans) 
  15.299   apply (erule_tac [2] Fake_parts_insert)
  15.300  apply (rule parts_mono, blast)
    16.1 --- a/src/Doc/Tutorial/Protocol/Public.thy	Tue Feb 13 14:24:50 2018 +0100
    16.2 +++ b/src/Doc/Tutorial/Protocol/Public.thy	Thu Feb 15 12:11:00 2018 +0100
    16.3 @@ -32,7 +32,7 @@
    16.4  | initState_Friend:  "initState (Friend i) =    
    16.5                           insert (Key (priK (Friend i))) (Key ` range pubK)"
    16.6  | initState_Spy:     "initState Spy        =    
    16.7 -                         (Key`invKey`pubK`bad) Un (Key ` range pubK)"
    16.8 +                         (Key`invKey`pubK`bad) \<union> (Key ` range pubK)"
    16.9  
   16.10  end
   16.11  (*>*)
   16.12 @@ -77,14 +77,14 @@
   16.13  
   16.14  (** "Image" equations that hold for injective functions **)
   16.15  
   16.16 -lemma invKey_image_eq[simp]: "(invKey x : invKey`A) = (x:A)"
   16.17 +lemma invKey_image_eq[simp]: "(invKey x \<in> invKey`A) = (x\<in>A)"
   16.18    by auto
   16.19  
   16.20  (*holds because invKey is injective*)
   16.21 -lemma pubK_image_eq[simp]: "(pubK x : pubK`A) = (x:A)"
   16.22 +lemma pubK_image_eq[simp]: "(pubK x \<in> pubK`A) = (x\<in>A)"
   16.23    by auto
   16.24  
   16.25 -lemma priK_pubK_image_eq[simp]: "(priK x ~: pubK`A)"
   16.26 +lemma priK_pubK_image_eq[simp]: "(priK x \<notin> pubK`A)"
   16.27    by auto
   16.28  
   16.29  
   16.30 @@ -101,15 +101,15 @@
   16.31  (*** Function "spies" ***)
   16.32  
   16.33  (*Agents see their own private keys!*)
   16.34 -lemma priK_in_initState[iff]: "Key (priK A) : initState A"
   16.35 +lemma priK_in_initState[iff]: "Key (priK A) \<in> initState A"
   16.36    by (induct A) auto
   16.37  
   16.38  (*All public keys are visible*)
   16.39 -lemma spies_pubK[iff]: "Key (pubK A) : spies evs"
   16.40 +lemma spies_pubK[iff]: "Key (pubK A) \<in> spies evs"
   16.41    by (induct evs) (simp_all add: imageI knows_Cons split: event.split)
   16.42  
   16.43  (*Spy sees private keys of bad agents!*)
   16.44 -lemma Spy_spies_bad[intro!]: "A: bad ==> Key (priK A) : spies evs"
   16.45 +lemma Spy_spies_bad[intro!]: "A \<in> bad \<Longrightarrow> Key (priK A) \<in> spies evs"
   16.46    by (induct evs) (simp_all add: imageI knows_Cons split: event.split)
   16.47  
   16.48  lemmas [iff] = spies_pubK [THEN analz.Inj]
   16.49 @@ -117,17 +117,17 @@
   16.50  
   16.51  (*** Fresh nonces ***)
   16.52  
   16.53 -lemma Nonce_notin_initState[iff]: "Nonce N ~: parts (initState B)"
   16.54 +lemma Nonce_notin_initState[iff]: "Nonce N \<notin> parts (initState B)"
   16.55    by (induct B) auto
   16.56  
   16.57 -lemma Nonce_notin_used_empty[simp]: "Nonce N ~: used []"
   16.58 +lemma Nonce_notin_used_empty[simp]: "Nonce N \<notin> used []"
   16.59    by (simp add: used_Nil)
   16.60  
   16.61  
   16.62  (*** Supply fresh nonces for possibility theorems. ***)
   16.63  
   16.64  (*In any trace, there is an upper bound N on the greatest nonce in use.*)
   16.65 -lemma Nonce_supply_lemma: "EX N. ALL n. N<=n --> Nonce n \<notin> used evs"
   16.66 +lemma Nonce_supply_lemma: "\<exists>N. \<forall>n. N\<le>n \<longrightarrow> Nonce n \<notin> used evs"
   16.67  apply (induct_tac "evs")
   16.68  apply (rule_tac x = 0 in exI)
   16.69  apply (simp_all (no_asm_simp) add: used_Cons split: event.split)
   16.70 @@ -135,10 +135,10 @@
   16.71  apply (rule msg_Nonce_supply [THEN exE], blast elim!: add_leE)+
   16.72  done
   16.73  
   16.74 -lemma Nonce_supply1: "EX N. Nonce N \<notin> used evs"
   16.75 +lemma Nonce_supply1: "\<exists>N. Nonce N \<notin> used evs"
   16.76  by (rule Nonce_supply_lemma [THEN exE], blast)
   16.77  
   16.78 -lemma Nonce_supply: "Nonce (@ N. Nonce N \<notin> used evs) \<notin> used evs"
   16.79 +lemma Nonce_supply: "Nonce (SOME N. Nonce N \<notin> used evs) \<notin> used evs"
   16.80  apply (rule Nonce_supply_lemma [THEN exE])
   16.81  apply (rule someI, fast)
   16.82  done
   16.83 @@ -146,10 +146,10 @@
   16.84  
   16.85  (*** Specialized rewriting for the analz_image_... theorems ***)
   16.86  
   16.87 -lemma insert_Key_singleton: "insert (Key K) H = Key ` {K} Un H"
   16.88 +lemma insert_Key_singleton: "insert (Key K) H = Key ` {K} \<union> H"
   16.89    by blast
   16.90  
   16.91 -lemma insert_Key_image: "insert (Key K) (Key`KK Un C) = Key ` (insert K KK) Un C"
   16.92 +lemma insert_Key_image: "insert (Key K) (Key`KK \<union> C) = Key ` (insert K KK) \<union> C"
   16.93    by blast
   16.94  
   16.95  
    17.1 --- a/src/Doc/Tutorial/Rules/TPrimes.thy	Tue Feb 13 14:24:50 2018 +0100
    17.2 +++ b/src/Doc/Tutorial/Rules/TPrimes.thy	Thu Feb 15 12:11:00 2018 +0100
    17.3 @@ -96,7 +96,7 @@
    17.4  
    17.5  definition is_gcd :: "[nat,nat,nat] \<Rightarrow> bool" where        (*gcd as a relation*)
    17.6      "is_gcd p m n == p dvd m  \<and>  p dvd n  \<and>
    17.7 -                     (ALL d. d dvd m \<and> d dvd n \<longrightarrow> d dvd p)"
    17.8 +                     (\<forall>d. d dvd m \<and> d dvd n \<longrightarrow> d dvd p)"
    17.9  
   17.10  (*Function gcd yields the Greatest Common Divisor*)
   17.11  lemma is_gcd: "is_gcd (gcd m n) m n"
    18.1 --- a/src/Doc/Tutorial/Sets/Examples.thy	Tue Feb 13 14:24:50 2018 +0100
    18.2 +++ b/src/Doc/Tutorial/Sets/Examples.thy	Thu Feb 15 12:11:00 2018 +0100
    18.3 @@ -155,7 +155,7 @@
    18.4  by blast
    18.5  
    18.6  definition prime :: "nat set" where
    18.7 -    "prime == {p. 1<p & (ALL m. m dvd p --> m=1 | m=p)}"
    18.8 +    "prime == {p. 1<p & (\<forall>m. m dvd p \<longrightarrow> m=1 \<or> m=p)}"
    18.9  
   18.10  lemma "{p*q | p q. p\<in>prime \<and> q\<in>prime} =
   18.11         {z. \<exists>p q. z = p*q \<and> p\<in>prime \<and> q\<in>prime}"
    19.1 --- a/src/HOL/Algebra/AbelCoset.thy	Tue Feb 13 14:24:50 2018 +0100
    19.2 +++ b/src/HOL/Algebra/AbelCoset.thy	Thu Feb 15 12:11:00 2018 +0100
    19.3 @@ -554,7 +554,7 @@
    19.4    ..
    19.5  
    19.6  lemma (in abelian_group_hom) hom_add [simp]:
    19.7 -  "[| x : carrier G; y : carrier G |]
    19.8 +  "[| x \<in> carrier G; y \<in> carrier G |]
    19.9          ==> h (x \<oplus>\<^bsub>G\<^esub> y) = h x \<oplus>\<^bsub>H\<^esub> h y"
   19.10  by (rule group_hom.hom_mult[OF a_group_hom,
   19.11      simplified ring_record_simps])
    20.1 --- a/src/HOL/Algebra/FiniteProduct.thy	Tue Feb 13 14:24:50 2018 +0100
    20.2 +++ b/src/HOL/Algebra/FiniteProduct.thy	Thu Feb 15 12:11:00 2018 +0100
    20.3 @@ -22,7 +22,7 @@
    20.4    for D :: "'a set" and f :: "'b => 'a => 'a" and e :: 'a
    20.5    where
    20.6      emptyI [intro]: "e \<in> D ==> ({}, e) \<in> foldSetD D f e"
    20.7 -  | insertI [intro]: "[| x ~: A; f x y \<in> D; (A, y) \<in> foldSetD D f e |] ==>
    20.8 +  | insertI [intro]: "[| x \<notin> A; f x y \<in> D; (A, y) \<in> foldSetD D f e |] ==>
    20.9                        (insert x A, f x y) \<in> foldSetD D f e"
   20.10  
   20.11  inductive_cases empty_foldSetDE [elim!]: "({}, x) \<in> foldSetD D f e"
   20.12 @@ -178,7 +178,7 @@
   20.13    done
   20.14  
   20.15  lemma (in LCD) foldD_insert:
   20.16 -    "[| finite A; x ~: A; x \<in> B; e \<in> D; A \<subseteq> B |] ==>
   20.17 +    "[| finite A; x \<notin> A; x \<in> B; e \<in> D; A \<subseteq> B |] ==>
   20.18       foldD D f e (insert x A) = f x (foldD D f e A)"
   20.19    apply (unfold foldD_def)
   20.20    apply (simp add: foldD_insert_aux)
   20.21 @@ -423,13 +423,13 @@
   20.22        proof (intro finprod_insert)
   20.23          show "finite B" by fact
   20.24        next
   20.25 -        show "x ~: B" by fact
   20.26 +        show "x \<notin> B" by fact
   20.27        next
   20.28 -        assume "x ~: B" "!!i. i \<in> insert x B \<Longrightarrow> f i = g i"
   20.29 +        assume "x \<notin> B" "!!i. i \<in> insert x B \<Longrightarrow> f i = g i"
   20.30            "g \<in> insert x B \<rightarrow> carrier G"
   20.31          thus "f \<in> B \<rightarrow> carrier G" by fastforce
   20.32        next
   20.33 -        assume "x ~: B" "!!i. i \<in> insert x B \<Longrightarrow> f i = g i"
   20.34 +        assume "x \<notin> B" "!!i. i \<in> insert x B \<Longrightarrow> f i = g i"
   20.35            "g \<in> insert x B \<rightarrow> carrier G"
   20.36          thus "f x \<in> carrier G" by fastforce
   20.37        qed
   20.38 @@ -491,8 +491,8 @@
   20.39  (* The following two were contributed by Jeremy Avigad. *)
   20.40  
   20.41  lemma finprod_reindex:
   20.42 -  "f : (h ` A) \<rightarrow> carrier G \<Longrightarrow> 
   20.43 -        inj_on h A ==> finprod G f (h ` A) = finprod G (%x. f (h x)) A"
   20.44 +  "f \<in> (h ` A) \<rightarrow> carrier G \<Longrightarrow> 
   20.45 +        inj_on h A \<Longrightarrow> finprod G f (h ` A) = finprod G (\<lambda>x. f (h x)) A"
   20.46  proof (induct A rule: infinite_finite_induct)
   20.47    case (infinite A)
   20.48    hence "\<not> finite (h ` A)"
   20.49 @@ -501,8 +501,8 @@
   20.50  qed (auto simp add: Pi_def)
   20.51  
   20.52  lemma finprod_const:
   20.53 -  assumes a [simp]: "a : carrier G"
   20.54 -    shows "finprod G (%x. a) A = a [^] card A"
   20.55 +  assumes a [simp]: "a \<in> carrier G"
   20.56 +    shows "finprod G (\<lambda>x. a) A = a [^] card A"
   20.57  proof (induct A rule: infinite_finite_induct)
   20.58    case (insert b A)
   20.59    show ?case 
    21.1 --- a/src/HOL/Algebra/Group.thy	Tue Feb 13 14:24:50 2018 +0100
    21.2 +++ b/src/HOL/Algebra/Group.thy	Thu Feb 15 12:11:00 2018 +0100
    21.3 @@ -435,7 +435,7 @@
    21.4    "x \<in> carrier G \<Longrightarrow> x [^] (i + j::int) = x [^] i \<otimes> x [^] j"
    21.5  proof -
    21.6    have [simp]: "-i - j = -j - i" by simp
    21.7 -  assume "x : carrier G" then
    21.8 +  assume "x \<in> carrier G" then
    21.9    show ?thesis
   21.10      by (auto simp add: int_pow_def2 inv_solve_left inv_solve_right nat_add_distrib [symmetric] nat_pow_mult )
   21.11  qed
    22.1 --- a/src/HOL/Algebra/Order.thy	Tue Feb 13 14:24:50 2018 +0100
    22.2 +++ b/src/HOL/Algebra/Order.thy	Thu Feb 15 12:11:00 2018 +0100
    22.3 @@ -379,7 +379,7 @@
    22.4  proof -
    22.5    have "Upper L A \<subseteq> carrier L" by simp
    22.6    moreover from above L have "s \<in> Upper L A" by (simp add: Upper_def)
    22.7 -  moreover from below have "ALL x : Upper L A. s \<sqsubseteq> x" by fast
    22.8 +  moreover from below have "\<forall>x \<in> Upper L A. s \<sqsubseteq> x" by fast
    22.9    ultimately show ?thesis by (simp add: least_def)
   22.10  qed
   22.11  
   22.12 @@ -439,7 +439,7 @@
   22.13  proof -
   22.14    have "Lower L A \<subseteq> carrier L" by simp
   22.15    moreover from below L have "i \<in> Lower L A" by (simp add: Lower_def)
   22.16 -  moreover from above have "ALL x : Lower L A. x \<sqsubseteq> i" by fast
   22.17 +  moreover from above have "\<forall>x \<in> Lower L A. x \<sqsubseteq> i" by fast
   22.18    ultimately show ?thesis by (simp add: greatest_def)
   22.19  qed
   22.20  
    23.1 --- a/src/HOL/Algebra/Ring.thy	Tue Feb 13 14:24:50 2018 +0100
    23.2 +++ b/src/HOL/Algebra/Ring.thy	Thu Feb 15 12:11:00 2018 +0100
    23.3 @@ -74,7 +74,7 @@
    23.4      and a_comm:
    23.5        "!!x y. [| x \<in> carrier R; y \<in> carrier R |] ==> x \<oplus> y = y \<oplus> x"
    23.6      and l_zero: "!!x. x \<in> carrier R ==> \<zero> \<oplus> x = x"
    23.7 -    and l_inv_ex: "!!x. x \<in> carrier R ==> EX y : carrier R. y \<oplus> x = \<zero>"
    23.8 +    and l_inv_ex: "\<And>x. x \<in> carrier R \<Longrightarrow> \<exists>y \<in> carrier R. y \<oplus> x = \<zero>"
    23.9    shows "abelian_group R"
   23.10    by (auto intro!: abelian_group.intro abelian_monoidI
   23.11        abelian_group_axioms.intro comm_monoidI comm_groupI
    24.1 --- a/src/HOL/Algebra/RingHom.thy	Tue Feb 13 14:24:50 2018 +0100
    24.2 +++ b/src/HOL/Algebra/RingHom.thy	Thu Feb 15 12:11:00 2018 +0100
    24.3 @@ -39,8 +39,8 @@
    24.4    assumes "ring R" "ring S"
    24.5    assumes (* morphism: "h \<in> carrier R \<rightarrow> carrier S" *)
    24.6            hom_closed: "!!x. x \<in> carrier R ==> h x \<in> carrier S"
    24.7 -      and compatible_mult: "!!x y. [| x : carrier R; y : carrier R |] ==> h (x \<otimes> y) = h x \<otimes>\<^bsub>S\<^esub> h y"
    24.8 -      and compatible_add: "!!x y. [| x : carrier R; y : carrier R |] ==> h (x \<oplus> y) = h x \<oplus>\<^bsub>S\<^esub> h y"
    24.9 +      and compatible_mult: "\<And>x y. [| x \<in> carrier R; y \<in> carrier R |] ==> h (x \<otimes> y) = h x \<otimes>\<^bsub>S\<^esub> h y"
   24.10 +      and compatible_add: "\<And>x y. [| x \<in> carrier R; y \<in> carrier R |] ==> h (x \<oplus> y) = h x \<oplus>\<^bsub>S\<^esub> h y"
   24.11        and compatible_one: "h \<one> = \<one>\<^bsub>S\<^esub>"
   24.12    shows "ring_hom_ring R S h"
   24.13  proof -
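Review bot: The two rewritten assumptions are only half converted: `\<And>x y.` and `\<in>` are symbolic, but the same line still carries `[| ... |] ==>` in ASCII, and the untouched `hom_closed` line just above keeps `!!x. ... ==>`. A consistent form for the changed lines would be `\<And>x y. \<lbrakk>x \<in> carrier R; y \<in> carrier R\<rbrakk> \<Longrightarrow> h (x \<otimes> y) = ...` (and likewise for `compatible_add`), with `hom_closed` becoming `\<And>x. x \<in> carrier R \<Longrightarrow> h x \<in> carrier S`. The same pattern recurs in `compatible_mult` of `ring_hom_ringI3` in the next hunk. The lemma header is outside the hunk, so I cannot see whether its remaining assumptions are already in symbol form.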
   24.14 @@ -72,7 +72,7 @@
   24.15  lemma ring_hom_ringI3:
   24.16    fixes R (structure) and S (structure)
   24.17    assumes "abelian_group_hom R S h" "ring R" "ring S" 
   24.18 -  assumes compatible_mult: "!!x y. [| x : carrier R; y : carrier R |] ==> h (x \<otimes> y) = h x \<otimes>\<^bsub>S\<^esub> h y"
   24.19 +  assumes compatible_mult: "\<And>x y. [| x \<in> carrier R; y \<in> carrier R |] ==> h (x \<otimes> y) = h x \<otimes>\<^bsub>S\<^esub> h y"
   24.20        and compatible_one: "h \<one> = \<one>\<^bsub>S\<^esub>"
   24.21    shows "ring_hom_ring R S h"
   24.22  proof -
    25.1 --- a/src/HOL/Algebra/Sylow.thy	Tue Feb 13 14:24:50 2018 +0100
    25.2 +++ b/src/HOL/Algebra/Sylow.thy	Thu Feb 15 12:11:00 2018 +0100
    25.3 @@ -257,7 +257,7 @@
    25.4  lemmas H_elem_map_eq = H_elem_map [THEN someI_ex, THEN conjunct2]
    25.5  
    25.6  lemma rcosets_H_funcset_M:
    25.7 -  "(\<lambda>C \<in> rcosets H. M1 #> (@g. g \<in> carrier G \<and> H #> g = C)) \<in> rcosets H \<rightarrow> M"
    25.8 +  "(\<lambda>C \<in> rcosets H. M1 #> (SOME g. g \<in> carrier G \<and> H #> g = C)) \<in> rcosets H \<rightarrow> M"
    25.9    apply (simp add: RCOSETS_def)
   25.10    apply (fast intro: someI2
   25.11        intro!: M1_in_M in_quotient_imp_closed [OF RelM_equiv M_in_quot _  M1_RelM_rcosetGM1g])
    26.1 --- a/src/HOL/Algebra/UnivPoly.thy	Tue Feb 13 14:24:50 2018 +0100
    26.2 +++ b/src/HOL/Algebra/UnivPoly.thy	Thu Feb 15 12:11:00 2018 +0100
    26.3 @@ -284,7 +284,7 @@
    26.4  
    26.5  lemma UP_l_neg_ex:
    26.6    assumes R: "p \<in> carrier P"
    26.7 -  shows "EX q : carrier P. q \<oplus>\<^bsub>P\<^esub> p = \<zero>\<^bsub>P\<^esub>"
    26.8 +  shows "\<exists>q \<in> carrier P. q \<oplus>\<^bsub>P\<^esub> p = \<zero>\<^bsub>P\<^esub>"
    26.9  proof -
   26.10    let ?q = "\<lambda>i. \<ominus> (p i)"
   26.11    from R have closed: "?q \<in> carrier P"
    27.1 --- a/src/HOL/Analysis/Arcwise_Connected.thy	Tue Feb 13 14:24:50 2018 +0100
    27.2 +++ b/src/HOL/Analysis/Arcwise_Connected.thy	Thu Feb 15 12:11:00 2018 +0100
    27.3 @@ -21,12 +21,12 @@
    27.4      where "inj B" "\<And>n. open(B n)" and open_cov: "\<And>S. open S \<Longrightarrow> \<exists>K. S = \<Union>(B ` K)"
    27.5        by (metis Setcompr_eq_image that univ_second_countable_sequence)
    27.6    define A where "A \<equiv> rec_nat S (\<lambda>n a. if \<exists>U. U \<subseteq> a \<and> closed U \<and> \<phi> U \<and> U \<inter> (B n) = {}
    27.7 -                                        then @U. U \<subseteq> a \<and> closed U \<and> \<phi> U \<and> U \<inter> (B n) = {}
    27.8 +                                        then SOME U. U \<subseteq> a \<and> closed U \<and> \<phi> U \<and> U \<inter> (B n) = {}
    27.9                                          else a)"
   27.10    have [simp]: "A 0 = S"
   27.11      by (simp add: A_def)
   27.12    have ASuc: "A(Suc n) = (if \<exists>U. U \<subseteq> A n \<and> closed U \<and> \<phi> U \<and> U \<inter> (B n) = {}
   27.13 -                          then @U. U \<subseteq> A n \<and> closed U \<and> \<phi> U \<and> U \<inter> (B n) = {}
   27.14 +                          then SOME U. U \<subseteq> A n \<and> closed U \<and> \<phi> U \<and> U \<inter> (B n) = {}
   27.15                            else A n)" for n
   27.16      by (auto simp: A_def)
   27.17    have sub: "\<And>n. A(Suc n) \<subseteq> A n"
   27.18 @@ -1801,7 +1801,7 @@
   27.19      and peq: "\<And>x y. \<lbrakk>x \<in> T; y \<in> T; open_segment x y \<inter> T = {}\<rbrakk> \<Longrightarrow> p x = p y"
   27.20      unfolding \<phi>_def by metis+
   27.21    then have "T \<noteq> {}" by auto
   27.22 -  define h where "h \<equiv> \<lambda>x. p(@y. y \<in> T \<and> open_segment x y \<inter> T = {})"
   27.23 +  define h where "h \<equiv> \<lambda>x. p(SOME y. y \<in> T \<and> open_segment x y \<inter> T = {})"
   27.24    have "p y = p z" if "y \<in> T" "z \<in> T" and xyT: "open_segment x y \<inter> T = {}" and xzT: "open_segment x z \<inter> T = {}"
   27.25      for x y z
   27.26    proof (cases "x \<in> T")
    28.1 --- a/src/HOL/Analysis/Cauchy_Integral_Theorem.thy	Tue Feb 13 14:24:50 2018 +0100
    28.2 +++ b/src/HOL/Analysis/Cauchy_Integral_Theorem.thy	Thu Feb 15 12:11:00 2018 +0100
    28.3 @@ -714,9 +714,9 @@
    28.4    where "f contour_integrable_on g \<equiv> \<exists>i. (f has_contour_integral i) g"
    28.5  
    28.6  definition contour_integral
    28.7 -  where "contour_integral g f \<equiv> @i. (f has_contour_integral i) g \<or> ~ f contour_integrable_on g \<and> i=0"
    28.8 -
    28.9 -lemma not_integrable_contour_integral: "~ f contour_integrable_on g \<Longrightarrow> contour_integral g f = 0"
   28.10 +  where "contour_integral g f \<equiv> SOME i. (f has_contour_integral i) g \<or> \<not> f contour_integrable_on g \<and> i=0"
   28.11 +
   28.12 +lemma not_integrable_contour_integral: "\<not> f contour_integrable_on g \<Longrightarrow> contour_integral g f = 0"
   28.13    unfolding contour_integrable_on_def contour_integral_def by blast
   28.14  
   28.15  lemma contour_integral_unique: "(f has_contour_integral i) g \<Longrightarrow> contour_integral g f = i"
   28.16 @@ -3327,7 +3327,7 @@
   28.17  
   28.18  definition winding_number:: "[real \<Rightarrow> complex, complex] \<Rightarrow> complex" where
   28.19    "winding_number \<gamma> z \<equiv>
   28.20 -    @n. \<forall>e > 0. \<exists>p. valid_path p \<and> z \<notin> path_image p \<and>
   28.21 +    SOME n. \<forall>e > 0. \<exists>p. valid_path p \<and> z \<notin> path_image p \<and>
   28.22                      pathstart p = pathstart \<gamma> \<and>
   28.23                      pathfinish p = pathfinish \<gamma> \<and>
   28.24                      (\<forall>t \<in> {0..1}. norm(\<gamma> t - p t) < e) \<and>
    29.1 --- a/src/HOL/Analysis/Continuous_Extension.thy	Tue Feb 13 14:24:50 2018 +0100
    29.2 +++ b/src/HOL/Analysis/Continuous_Extension.thy	Thu Feb 15 12:11:00 2018 +0100
    29.3 @@ -309,7 +309,7 @@
    29.4                    "\<And>x. x \<in> S \<Longrightarrow> g x = f x"
    29.5  proof (cases "S = {}")
    29.6    case True then show thesis
    29.7 -    apply (rule_tac g="\<lambda>x. @y. y \<in> C" in that)
    29.8 +    apply (rule_tac g="\<lambda>x. SOME y. y \<in> C" in that)
    29.9        apply (rule continuous_intros)
   29.10       apply (meson all_not_in_conv \<open>C \<noteq> {}\<close> image_subsetI someI_ex, simp)
   29.11      done
    30.1 --- a/src/HOL/Analysis/Convex_Euclidean_Space.thy	Tue Feb 13 14:24:50 2018 +0100
    30.2 +++ b/src/HOL/Analysis/Convex_Euclidean_Space.thy	Thu Feb 15 12:11:00 2018 +0100
    30.3 @@ -1944,7 +1944,7 @@
    30.4        using \<open>u + v = 1\<close> by auto
    30.5      ultimately have "a + (u *\<^sub>R x + v *\<^sub>R y) \<in> (\<lambda>x. a + x) ` S"
    30.6        using h1 by auto
    30.7 -    then have "u *\<^sub>R x + v *\<^sub>R y : S" by auto
    30.8 +    then have "u *\<^sub>R x + v *\<^sub>R y \<in> S" by auto
    30.9    }
   30.10    then show ?thesis unfolding affine_def by auto
   30.11  qed
   30.12 @@ -2031,7 +2031,7 @@
   30.13    have [simp]: "(\<lambda>x. x - a) = plus (- a)" by (simp add: fun_eq_iff)
   30.14    have "affine ((\<lambda>x. (-a)+x) ` S)"
   30.15      using  affine_translation assms by auto
   30.16 -  moreover have "0 : ((\<lambda>x. (-a)+x) ` S)"
   30.17 +  moreover have "0 \<in> ((\<lambda>x. (-a)+x) ` S)"
   30.18      using assms exI[of "(\<lambda>x. x\<in>S \<and> -a+x = 0)" a] by auto
   30.19    ultimately show ?thesis using subspace_affine by auto
   30.20  qed
   30.21 @@ -2130,7 +2130,7 @@
   30.22  
   30.23  lemma mem_cone:
   30.24    assumes "cone S" "x \<in> S" "c \<ge> 0"
   30.25 -  shows "c *\<^sub>R x : S"
   30.26 +  shows "c *\<^sub>R x \<in> S"
   30.27    using assms cone_def[of S] by auto
   30.28  
   30.29  lemma cone_contains_0:
   30.30 @@ -3409,7 +3409,7 @@
   30.31    assumes "a \<notin> S"
   30.32    shows "affine_dependent (insert a S) \<longleftrightarrow> dependent ((\<lambda>x. -a + x) ` S)"
   30.33  proof -
   30.34 -  have "((+) (- a) ` S) = {x - a| x . x : S}" by auto
   30.35 +  have "((+) (- a) ` S) = {x - a| x . x \<in> S}" by auto
   30.36    then show ?thesis
   30.37      using affine_dependent_translation_eq[of "(insert a S)" "-a"]
   30.38        affine_dependent_imp_dependent2 assms
    31.1 --- a/src/HOL/Analysis/Equivalence_Lebesgue_Henstock_Integration.thy	Tue Feb 13 14:24:50 2018 +0100
    31.2 +++ b/src/HOL/Analysis/Equivalence_Lebesgue_Henstock_Integration.thy	Thu Feb 15 12:11:00 2018 +0100
    31.3 @@ -1324,7 +1324,7 @@
    31.4          using pairwise_subset [OF pw \<open>\<D>' \<subseteq> \<D>\<close>] unfolding pairwise_def apply force+
    31.5          done
    31.6        have le_meaT: "measure lebesgue (\<Union>\<D>') \<le> measure lebesgue T"
    31.7 -      proof (rule measure_mono_fmeasurable [OF _ _ \<open>T : lmeasurable\<close>])
    31.8 +      proof (rule measure_mono_fmeasurable [OF _ _ \<open>T \<in> lmeasurable\<close>])
    31.9          show "(\<Union>\<D>') \<in> sets lebesgue"
   31.10            using div lmeasurable_division by auto
   31.11          have "\<Union>\<D>' \<subseteq> \<Union>\<D>"
    32.1 --- a/src/HOL/Analysis/Extended_Real_Limits.thy	Tue Feb 13 14:24:50 2018 +0100
    32.2 +++ b/src/HOL/Analysis/Extended_Real_Limits.thy	Thu Feb 15 12:11:00 2018 +0100
    32.3 @@ -159,7 +159,7 @@
    32.4      then obtain b where b: "Inf S - e < b" "b < Inf S"
    32.5        using fin ereal_between[of "Inf S" e] dense[of "Inf S - e"]
    32.6        by auto
    32.7 -    then have "b: {Inf S - e <..< Inf S + e}"
    32.8 +    then have "b \<in> {Inf S - e <..< Inf S + e}"
    32.9        using e fin ereal_between[of "Inf S" e]
   32.10        by auto
   32.11      then have "b \<in> S"
    33.1 --- a/src/HOL/Analysis/Polytope.thy	Tue Feb 13 14:24:50 2018 +0100
    33.2 +++ b/src/HOL/Analysis/Polytope.thy	Thu Feb 15 12:11:00 2018 +0100
    33.3 @@ -3201,7 +3201,7 @@
    33.4          finite \<C> \<and>
    33.5          (\<forall>S \<in> \<C>. \<exists>n. n simplex S) \<and>
    33.6          (\<forall>F S. S \<in> \<C> \<and> F face_of S \<longrightarrow> F \<in> \<C>) \<and>
    33.7 -        (!S S'. S \<in> \<C> \<and> S' \<in> \<C>
    33.8 +        (\<forall>S S'. S \<in> \<C> \<and> S' \<in> \<C>
    33.9                  \<longrightarrow> (S \<inter> S') face_of S \<and> (S \<inter> S') face_of S')"
   33.10  
   33.11  definition triangulation where
   33.12 @@ -3350,7 +3350,7 @@
   33.13        and convex\<N>: "\<And>C. C \<in> \<N> \<Longrightarrow> convex C"
   33.14        and closed\<N>: "\<And>C. C \<in> \<N> \<Longrightarrow> closed C"
   33.15        by (auto simp: \<N>_def poly\<M> polytope_imp_convex polytope_imp_closed)
   33.16 -    have in_rel_interior: "(@z. z \<in> rel_interior C) \<in> rel_interior C" if "C \<in> \<N>" for C
   33.17 +    have in_rel_interior: "(SOME z. z \<in> rel_interior C) \<in> rel_interior C" if "C \<in> \<N>" for C
   33.18          using that poly\<M> polytope_imp_convex rel_interior_aff_dim some_in_eq by (fastforce simp: \<N>_def)
   33.19      have *: "\<exists>T. ~affine_dependent T \<and> card T \<le> n \<and> aff_dim K < n \<and> K = convex hull T"
   33.20        if "K \<in> \<U>" for K
   33.21 @@ -3396,7 +3396,7 @@
   33.22          by fastforce
   33.23      qed
   33.24      let ?\<T> = "(\<Union>C \<in> \<N>. \<Union>K \<in> \<U> \<inter> Pow (rel_frontier C).
   33.25 -                     {convex hull (insert (@z. z \<in> rel_interior C) K)})"
   33.26 +                     {convex hull (insert (SOME z. z \<in> rel_interior C) K)})"
   33.27      have "\<exists>\<T>. simplicial_complex \<T> \<and>
   33.28                (\<forall>K \<in> \<T>. aff_dim K \<le> of_nat n) \<and>
   33.29                (\<forall>C \<in> \<M>. \<exists>F. F \<subseteq> \<T> \<and> C = \<Union>F) \<and>
   33.30 @@ -3415,9 +3415,9 @@
   33.31              using S face\<U> that by blast
   33.32            moreover have "F \<in> \<U> \<union> ?\<T>"
   33.33              if "F face_of S" "C \<in> \<N>" "K \<in> \<U>" and "K \<subseteq> rel_frontier C"
   33.34 -              and S: "S = convex hull insert (@z. z \<in> rel_interior C) K" for C K
   33.35 +              and S: "S = convex hull insert (SOME z. z \<in> rel_interior C) K" for C K
   33.36            proof -
   33.37 -            let ?z = "@z. z \<in> rel_interior C"
   33.38 +            let ?z = "SOME z. z \<in> rel_interior C"
   33.39              have "?z \<in> rel_interior C"
   33.40                by (simp add: in_rel_interior \<open>C \<in> \<N>\<close>)
   33.41              moreover
   33.42 @@ -3490,13 +3490,13 @@
   33.43              proof -
   33.44                obtain C K
   33.45                  where "C \<in> \<N>" "K \<in> \<U>" "K \<subseteq> rel_frontier C"
   33.46 -                and Y: "Y = convex hull insert (@z. z \<in> rel_interior C) K"
   33.47 +                and Y: "Y = convex hull insert (SOME z. z \<in> rel_interior C) K"
   33.48                  using XY by blast
   33.49                have "convex C"
   33.50                  by (simp add: \<open>C \<in> \<N>\<close> convex\<N>)
   33.51                have "K \<subseteq> C"
   33.52                  by (metis DiffE \<open>C \<in> \<N>\<close> \<open>K \<subseteq> rel_frontier C\<close> closed\<N> closure_closed rel_frontier_def subset_iff)
   33.53 -              let ?z = "(@z. z \<in> rel_interior C)"
   33.54 +              let ?z = "(SOME z. z \<in> rel_interior C)"
   33.55                have z: "?z \<in> rel_interior C"
   33.56                  using \<open>C \<in> \<N>\<close> in_rel_interior by blast
   33.57                obtain D where "D \<in> \<S>" "X \<subseteq> D"
   33.58 @@ -3533,11 +3533,11 @@
   33.59              proof -
   33.60                obtain C K D L
   33.61                  where "C \<in> \<N>" "K \<in> \<U>" "K \<subseteq> rel_frontier C"
   33.62 -                and X: "X = convex hull insert (@z. z \<in> rel_interior C) K"
   33.63 +                and X: "X = convex hull insert (SOME z. z \<in> rel_interior C) K"
   33.64                  and "D \<in> \<N>" "L \<in> \<U>" "L \<subseteq> rel_frontier D"
   33.65 -                and Y: "Y = convex hull insert (@z. z \<in> rel_interior D) L"
   33.66 +                and Y: "Y = convex hull insert (SOME z. z \<in> rel_interior D) L"
   33.67                  using XY by blast
   33.68 -              let ?z = "(@z. z \<in> rel_interior C)"
   33.69 +              let ?z = "(SOME z. z \<in> rel_interior C)"
   33.70                have z: "?z \<in> rel_interior C"
   33.71                  using \<open>C \<in> \<N>\<close> in_rel_interior by blast
   33.72                have "convex C"
   33.73 @@ -3564,7 +3564,7 @@
   33.74                    by (metis DiffE \<open>C \<in> \<N>\<close> \<open>K \<subseteq> rel_frontier C\<close> closed\<N> closure_closed rel_frontier_def subset_eq)
   33.75                  have "L \<subseteq> D"
   33.76                    by (metis DiffE \<open>D \<in> \<N>\<close> \<open>L \<subseteq> rel_frontier D\<close> closed\<N> closure_closed rel_frontier_def subset_eq)
   33.77 -                let ?w = "(@w. w \<in> rel_interior D)"
   33.78 +                let ?w = "(SOME w. w \<in> rel_interior D)"
   33.79                  have w: "?w \<in> rel_interior D"
   33.80                    using \<open>D \<in> \<N>\<close> in_rel_interior by blast
   33.81                  have "C \<inter> rel_interior D = (D \<inter> C) \<inter> rel_interior D"
   33.82 @@ -3663,7 +3663,7 @@
   33.83          case False
   33.84          then have "C \<in> \<N>"
   33.85            by (simp add: \<N>_def \<S>_def aff\<M> less_le that)
   33.86 -        let ?z = "@z. z \<in> rel_interior C"
   33.87 +        let ?z = "SOME z. z \<in> rel_interior C"
   33.88          have z: "?z \<in> rel_interior C"
   33.89            using \<open>C \<in> \<N>\<close> in_rel_interior by blast
   33.90          let ?F = "\<Union>K \<in> \<U> \<inter> Pow (rel_frontier C). {convex hull (insert ?z K)}"
   33.91 @@ -3726,7 +3726,7 @@
   33.92        next
   33.93          assume "L \<in> ?\<T>"
   33.94          then obtain C K where "C \<in> \<N>"
   33.95 -          and L: "L = convex hull insert (@z. z \<in> rel_interior C) K"
   33.96 +          and L: "L = convex hull insert (SOME z. z \<in> rel_interior C) K"
   33.97            and K: "K \<in> \<U>" "K \<subseteq> rel_frontier C"
   33.98            by auto
   33.99          then have "convex hull C = C"
    34.1 --- a/src/HOL/Analysis/Starlike.thy	Tue Feb 13 14:24:50 2018 +0100
    34.2 +++ b/src/HOL/Analysis/Starlike.thy	Thu Feb 15 12:11:00 2018 +0100
    34.3 @@ -1272,7 +1272,7 @@
    34.4      fix x :: "'a::euclidean_space"
    34.5      fix u
    34.6      assume as: "\<forall>x\<in>?D. 0 \<le> u x" "sum u ?D \<le> 1" "(\<Sum>x\<in>?D. u x *\<^sub>R x) = x"
    34.7 -    have *: "\<forall>i\<in>Basis. i:d \<longrightarrow> u i = x\<bullet>i"
    34.8 +    have *: "\<forall>i\<in>Basis. i \<in> d \<longrightarrow> u i = x\<bullet>i"
    34.9        and "(\<forall>i\<in>Basis. i \<notin> d \<longrightarrow> x \<bullet> i = 0)"
   34.10        using as(3)
   34.11        unfolding substdbasis_expansion_unique[OF assms]
   34.12 @@ -1590,7 +1590,7 @@
   34.13            case True
   34.14            have "norm (x - y) < x\<bullet>i"
   34.15              using y[unfolded min_less_iff_conj dist_norm, THEN conjunct1]
   34.16 -            using Min_gr_iff[of "(\<bullet>) x ` d" "norm (x - y)"] \<open>0 < card d\<close> \<open>i:d\<close>
   34.17 +            using Min_gr_iff[of "(\<bullet>) x ` d" "norm (x - y)"] \<open>0 < card d\<close> \<open>i \<in> d\<close>
   34.18              by (simp add: card_gt_0_iff)
   34.19            then show "0 \<le> y\<bullet>i"
   34.20              using Basis_le_norm[OF i, of "x - y"] and as(1)[rule_format]
   34.21 @@ -1833,7 +1833,7 @@
   34.22             then have e1: "e1 > 0" "e1 \<le> 1" "e1 * norm (x - a) \<le> e"
   34.23               using \<open>x \<noteq> a\<close> \<open>e > 0\<close> le_divide_eq[of e1 e "norm (x - a)"]
   34.24               by simp_all
   34.25 -           then have *: "x - e1 *\<^sub>R (x - a) : rel_interior S"
   34.26 +           then have *: "x - e1 *\<^sub>R (x - a) \<in> rel_interior S"
   34.27               using rel_interior_closure_convex_shrink[of S a x e1] assms x a e1_def
   34.28               by auto
   34.29             have "\<exists>y. y \<in> rel_interior S \<and> y \<noteq> x \<and> dist y x \<le> e"
   34.30 @@ -2442,11 +2442,11 @@
   34.31  
   34.32  subsubsection \<open>Relative interior and closure under common operations\<close>
   34.33  
   34.34 -lemma rel_interior_inter_aux: "\<Inter>{rel_interior S |S. S : I} \<subseteq> \<Inter>I"
   34.35 +lemma rel_interior_inter_aux: "\<Inter>{rel_interior S |S. S \<in> I} \<subseteq> \<Inter>I"
   34.36  proof -
   34.37    {
   34.38      fix y
   34.39 -    assume "y \<in> \<Inter>{rel_interior S |S. S : I}"
   34.40 +    assume "y \<in> \<Inter>{rel_interior S |S. S \<in> I}"
   34.41      then have y: "\<forall>S \<in> I. y \<in> rel_interior S"
   34.42        by auto
   34.43      {
   34.44 @@ -2824,13 +2824,13 @@
   34.45        fix x
   34.46        assume "x \<in> f ` S"
   34.47        then obtain x1 where x1: "x1 \<in> S" "f x1 = x" by auto
   34.48 -      then obtain e where e: "e > 1" "(1 - e) *\<^sub>R x1 + e *\<^sub>R z1 : S"
   34.49 +      then obtain e where e: "e > 1" "(1 - e) *\<^sub>R x1 + e *\<^sub>R z1 \<in> S"
   34.50          using convex_rel_interior_iff[of S z1] \<open>convex S\<close> x1 z1 by auto
   34.51        moreover have "f ((1 - e) *\<^sub>R x1 + e *\<^sub>R z1) = (1 - e) *\<^sub>R x + e *\<^sub>R z"
   34.52          using x1 z1 \<open>linear f\<close> by (simp add: linear_add_cmul)
   34.53 -      ultimately have "(1 - e) *\<^sub>R x + e *\<^sub>R z : f ` S"
   34.54 +      ultimately have "(1 - e) *\<^sub>R x + e *\<^sub>R z \<in> f ` S"
   34.55          using imageI[of "(1 - e) *\<^sub>R x1 + e *\<^sub>R z1" S f] by auto
   34.56 -      then have "\<exists>e. e > 1 \<and> (1 - e) *\<^sub>R x + e *\<^sub>R z : f ` S"
   34.57 +      then have "\<exists>e. e > 1 \<and> (1 - e) *\<^sub>R x + e *\<^sub>R z \<in> f ` S"
   34.58          using e by auto
   34.59      }
   34.60      then have "z \<in> rel_interior (f ` S)"
   34.61 @@ -2861,7 +2861,7 @@
   34.62    {
   34.63      fix z
   34.64      assume "z \<in> f -` (rel_interior S)"
   34.65 -    then have z: "f z : rel_interior S"
   34.66 +    then have z: "f z \<in> rel_interior S"
   34.67        by auto
   34.68      {
   34.69        fix x
   34.70 @@ -3115,7 +3115,7 @@
   34.71        by (metis Domain_iff fst_eq_Domain)
   34.72      then have "y \<in> rel_interior {t. f t \<noteq> {}}"
   34.73        using h1 by auto
   34.74 -    then have "y \<in> rel_interior {t. f t \<noteq> {}}" and "(z : rel_interior (f y))"
   34.75 +    then have "y \<in> rel_interior {t. f t \<noteq> {}}" and "(z \<in> rel_interior (f y))"
   34.76        using h2 asm by auto
   34.77    }
   34.78    then show ?thesis using h2 by blast
   34.79 @@ -3238,7 +3238,7 @@
   34.80    have "?lhs \<supseteq> ?rhs"
   34.81    proof
   34.82      fix x
   34.83 -    assume "x : ?rhs"
   34.84 +    assume "x \<in> ?rhs"
   34.85      then obtain c s where *: "sum (\<lambda>i. c i *\<^sub>R s i) I = x" "sum c I = 1"
   34.86        "(\<forall>i\<in>I. c i \<ge> 0) \<and> (\<forall>i\<in>I. s i \<in> S i)" by auto
   34.87      then have "\<forall>i\<in>I. s i \<in> convex hull (\<Union>(S ` I))"
   34.88 @@ -3676,7 +3676,7 @@
   34.89        by auto
   34.90      define k where "k i = (c i, c i *\<^sub>R s i)" for i
   34.91      {
   34.92 -      fix i assume "i:I"
   34.93 +      fix i assume "i \<in> I"
   34.94        then have "k i \<in> rel_interior (K i)"
   34.95          using k_def K_def assms cs rel_interior_convex_cone[of "S i"]
   34.96          by auto
    35.1 --- a/src/HOL/Analysis/Topology_Euclidean_Space.thy	Tue Feb 13 14:24:50 2018 +0100
    35.2 +++ b/src/HOL/Analysis/Topology_Euclidean_Space.thy	Thu Feb 15 12:11:00 2018 +0100
    35.3 @@ -2353,7 +2353,7 @@
    35.4      by (meson Int_mono closure_mono closure_subset order_refl)
    35.5  qed
    35.6  
    35.7 -lemma islimpt_in_closure: "(x islimpt S) = (x:closure(S-{x}))"
    35.8 +lemma islimpt_in_closure: "(x islimpt S) = (x\<in>closure(S-{x}))"
    35.9    unfolding closure_def using islimpt_punctured by blast
   35.10  
   35.11  lemma connected_imp_connected_closure: "connected S \<Longrightarrow> connected (closure S)"
    36.1 --- a/src/HOL/Auth/CertifiedEmail.thy	Tue Feb 13 14:24:50 2018 +0100
    36.2 +++ b/src/HOL/Auth/CertifiedEmail.thy	Thu Feb 15 12:11:00 2018 +0100
    36.3 @@ -11,7 +11,7 @@
    36.4    "TTP == Server"
    36.5  
    36.6  abbreviation
    36.7 -  RPwd :: "agent => key" where
    36.8 +  RPwd :: "agent \<Rightarrow> key" where
    36.9    "RPwd == shrK"
   36.10  
   36.11   
   36.12 @@ -24,7 +24,7 @@
   36.13    BothAuth :: nat
   36.14  
   36.15  text\<open>We formalize a fixed way of computing responses.  Could be better.\<close>
   36.16 -definition "response" :: "agent => agent => nat => msg" where
   36.17 +definition "response" :: "agent \<Rightarrow> agent \<Rightarrow> nat \<Rightarrow> msg" where
   36.18     "response S R q == Hash \<lbrace>Agent S, Key (shrK R), Nonce q\<rbrace>"
   36.19  
   36.20  
   36.21 @@ -129,9 +129,9 @@
   36.22  
   36.23  lemma hr_form_lemma [rule_format]:
   36.24   "evs \<in> certified_mail
   36.25 -  ==> hr \<notin> synth (analz (spies evs)) --> 
   36.26 +  \<Longrightarrow> hr \<notin> synth (analz (spies evs)) \<longrightarrow>
   36.27        (\<forall>S2TTP. Notes TTP \<lbrace>Agent R, Agent TTP, S2TTP, pwd, hr\<rbrace>
   36.28 -          \<in> set evs --> 
   36.29 +          \<in> set evs \<longrightarrow>
   36.30        (\<exists>clt q S em. hr = Hash \<lbrace>Number clt, Nonce q, response S R q, em\<rbrace>))"
   36.31  apply (erule certified_mail.induct)
   36.32  apply (synth_analz_mono_contra, simp_all, blast+)
   36.33 @@ -201,7 +201,7 @@
   36.34  done
   36.35  
   36.36  lemma Spy_dont_know_RPwd [rule_format]:
   36.37 -    "evs \<in> certified_mail ==> Key (RPwd A) \<in> parts(spies evs) --> A \<in> bad"
   36.38 +    "evs \<in> certified_mail ==> Key (RPwd A) \<in> parts(spies evs) \<longrightarrow> A \<in> bad"
   36.39  apply (erule certified_mail.induct, simp_all) 
   36.40  txt\<open>Fake\<close>
   36.41  apply (blast dest: Fake_parts_insert_in_Un) 
   36.42 @@ -247,8 +247,8 @@
   36.43  
   36.44  lemma analz_image_freshK [rule_format]:
   36.45   "evs \<in> certified_mail ==>
   36.46 -   \<forall>K KK. invKey (pubEK TTP) \<notin> KK -->
   36.47 -          (Key K \<in> analz (Key`KK Un (spies evs))) =
   36.48 +   \<forall>K KK. invKey (pubEK TTP) \<notin> KK \<longrightarrow>
   36.49 +          (Key K \<in> analz (Key`KK \<union> (spies evs))) =
   36.50            (K \<in> KK | Key K \<in> analz (spies evs))"
   36.51  apply (erule certified_mail.induct)
   36.52  apply (drule_tac [6] A=TTP in symKey_neq_priEK) 
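Review bot: The disjunction on the last line of the statement, `(K \<in> KK | Key K \<in> analz (spies evs))`, is left as ASCII `|` even though `\<union>` and `\<longrightarrow>` on the neighbouring lines were converted, and the lemma's own `==>` is also untouched; `(K \<in> KK \<or> Key K \<in> analz (spies evs))` and `evs \<in> certified_mail \<Longrightarrow>` would complete the change. This is the key-freshness lemma the secrecy results build on, so it is worth stating in the commit that the rewrite is purely notational (ASCII and symbol forms denote the same constants) and the proof script is unchanged. The `apply` script continues below the hunk.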
   36.53 @@ -281,11 +281,11 @@
   36.54     isn't inductive: message 3 case can't be proved *)
   36.55  lemma S2TTP_sender_lemma [rule_format]:
   36.56   "evs \<in> certified_mail ==>
   36.57 -    Key K \<notin> analz (spies evs) -->
   36.58 +    Key K \<notin> analz (spies evs) \<longrightarrow>
   36.59      (\<forall>AO. Crypt (pubEK TTP)
   36.60 -           \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace> \<in> used evs -->
   36.61 +           \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace> \<in> used evs \<longrightarrow>
   36.62      (\<exists>m ctxt q. 
   36.63 -        hs = Hash\<lbrace>Number ctxt, Nonce q, response S R q, Crypt K (Number m)\<rbrace> &
   36.64 +        hs = Hash\<lbrace>Number ctxt, Nonce q, response S R q, Crypt K (Number m)\<rbrace> \<and>
   36.65          Says S R
   36.66             \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO,
   36.67               Number ctxt, Nonce q,
   36.68 @@ -314,7 +314,7 @@
   36.69      Key K \<notin> analz (spies evs);
   36.70      evs \<in> certified_mail|]
   36.71    ==> \<exists>m ctxt q. 
   36.72 -        hs = Hash\<lbrace>Number ctxt, Nonce q, response S R q, Crypt K (Number m)\<rbrace> &
   36.73 +        hs = Hash\<lbrace>Number ctxt, Nonce q, response S R q, Crypt K (Number m)\<rbrace> \<and>
   36.74          Says S R
   36.75             \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO,
   36.76               Number ctxt, Nonce q,
   36.77 @@ -345,19 +345,19 @@
   36.78  where @{term K} is secure.\<close>
   36.79  lemma Key_unique_lemma [rule_format]:
   36.80       "evs \<in> certified_mail ==>
   36.81 -       Key K \<notin> analz (spies evs) -->
   36.82 +       Key K \<notin> analz (spies evs) \<longrightarrow>
   36.83         (\<forall>m cleartext q hs.
   36.84          Says S R
   36.85             \<lbrace>Agent S, Agent TTP, Crypt K (Number m), Number AO,
   36.86               Number cleartext, Nonce q,
   36.87               Crypt (pubEK TTP) \<lbrace>Agent S, Number AO, Key K, Agent R, hs\<rbrace>\<rbrace>
   36.88 -          \<in> set evs -->
   36.89 +          \<in> set evs \<longrightarrow>
   36.90         (\<forall>m' cleartext' q' hs'.
   36.91         Says S' R'
   36.92             \<lbrace>Agent S', Agent TTP, Crypt K (Number m'), Number AO',
   36.93               Number cleartext', Nonce q',
   36.94               Crypt (pubEK TTP) \<lbrace>Agent S', Number AO', Key K, Agent R', hs'\<rbrace>\<rbrace>
   36.95 -          \<in> set evs --> R' = R & S' = S & AO' = AO & hs' = hs))" 
   36.96 +          \<in> set evs \<longrightarrow> R' = R \<and> S' = S \<and> AO' = AO \<and> hs' = hs))" 
   36.97  apply (erule certified_mail.induct, analz_mono_contra, simp_all)
   36.98   prefer 2
   36.99   txt\<open>Message 1\<close>
  36.100 @@ -380,7 +380,7 @@
  36.101            \<in> set evs;
  36.102           Key K \<notin> analz (spies evs);
  36.103           evs \<in> certified_mail|]
  36.104 -       ==> R' = R & S' = S & AO' = AO & hs' = hs"
  36.105 +       ==> R' = R \<and> S' = S \<and> AO' = AO \<and> hs' = hs"
  36.106  by (rule Key_unique_lemma, assumption+)
  36.107  
  36.108  
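Review bot: The changed line converts `&` to `\<and>` but leaves the `==>` at the start of the very same line in ASCII, so the conclusion of the uniqueness lemma now reads `==> R' = R \<and> S' = S \<and> AO' = AO \<and> hs' = hs`; a consistent version is `\<Longrightarrow> R' = R \<and> S' = S \<and> AO' = AO \<and> hs' = hs"`. The same half-conversion (`==>` kept, `-->`/`&` changed) is visible in `Spy_dont_know_RPwd`, `S2TTP_sender_lemma` and `Key_unique_lemma` earlier in this file, so a sweep for remaining `==>` in the Auth theories would be cheaper than fixing them one commit at a time. The lemma's premises are above the hunk and I cannot see whether they were converted.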
  36.109 @@ -396,7 +396,7 @@
  36.110           Key K \<in> analz (spies evs);
  36.111           evs \<in> certified_mail;
  36.112           S\<noteq>Spy|]
  36.113 -      ==> R \<in> bad & Gets S (Crypt (priSK TTP) S2TTP) \<in> set evs"
  36.114 +      ==> R \<in> bad \<and> Gets S (Crypt (priSK TTP) S2TTP) \<in> set evs"
  36.115  apply (erule rev_mp)
  36.116  apply (erule ssubst)
  36.117  apply (erule rev_mp)
    37.1 --- a/src/HOL/Auth/Event.thy	Tue Feb 13 14:24:50 2018 +0100
    37.2 +++ b/src/HOL/Auth/Event.thy	Thu Feb 15 12:11:00 2018 +0100
    37.3 @@ -13,7 +13,7 @@
    37.4  theory Event imports Message begin
    37.5  
    37.6  consts  (*Initial states of agents -- parameter of the construction*)
    37.7 -  initState :: "agent => msg set"
    37.8 +  initState :: "agent \<Rightarrow> msg set"
    37.9  
   37.10  datatype
   37.11    event = Says  agent agent msg
   37.12 @@ -29,24 +29,24 @@
   37.13    Server_not_bad [iff]: "Server \<notin> bad"
   37.14      by (rule exI [of _ "{Spy}"], simp)
   37.15  
   37.16 -primrec knows :: "agent => event list => msg set"
   37.17 +primrec knows :: "agent \<Rightarrow> event list \<Rightarrow> msg set"
   37.18  where
   37.19    knows_Nil:   "knows A [] = initState A"
   37.20  | knows_Cons:
   37.21      "knows A (ev # evs) =
   37.22         (if A = Spy then 
   37.23          (case ev of
   37.24 -           Says A' B X => insert X (knows Spy evs)
   37.25 -         | Gets A' X => knows Spy evs
   37.26 -         | Notes A' X  => 
   37.27 +           Says A' B X \<Rightarrow> insert X (knows Spy evs)
   37.28 +         | Gets A' X \<Rightarrow> knows Spy evs
   37.29 +         | Notes A' X  \<Rightarrow> 
   37.30               if A' \<in> bad then insert X (knows Spy evs) else knows Spy evs)
   37.31          else
   37.32          (case ev of
   37.33 -           Says A' B X => 
   37.34 +           Says A' B X \<Rightarrow> 
   37.35               if A'=A then insert X (knows A evs) else knows A evs
   37.36 -         | Gets A' X    => 
   37.37 +         | Gets A' X    \<Rightarrow> 
   37.38               if A'=A then insert X (knows A evs) else knows A evs
   37.39 -         | Notes A' X    => 
   37.40 +         | Notes A' X    \<Rightarrow> 
   37.41               if A'=A then insert X (knows A evs) else knows A evs))"
   37.42  (*
   37.43    Case A=Spy on the Gets event
   37.44 @@ -57,31 +57,31 @@
   37.45  text\<open>The constant "spies" is retained for compatibility's sake\<close>
   37.46  
   37.47  abbreviation (input)
   37.48 -  spies  :: "event list => msg set" where
   37.49 +  spies  :: "event list \<Rightarrow> msg set" where
   37.50    "spies == knows Spy"
   37.51  
   37.52  
   37.53  (*Set of items that might be visible to somebody:
   37.54      complement of the set of fresh items*)
   37.55  
   37.56 -primrec used :: "event list => msg set"
   37.57 +primrec used :: "event list \<Rightarrow> msg set"
   37.58  where
   37.59    used_Nil:   "used []         = (UN B. parts (initState B))"
   37.60  | used_Cons:  "used (ev # evs) =
   37.61                       (case ev of
   37.62 -                        Says A B X => parts {X} \<union> used evs
   37.63 -                      | Gets A X   => used evs
   37.64 -                      | Notes A X  => parts {X} \<union> used evs)"
   37.65 +                        Says A B X \<Rightarrow> parts {X} \<union> used evs
   37.66 +                      | Gets A X   \<Rightarrow> used evs
   37.67 +                      | Notes A X  \<Rightarrow> parts {X} \<union> used evs)"
   37.68      \<comment> \<open>The case for @{term Gets} seems anomalous, but @{term Gets} always
   37.69          follows @{term Says} in real protocols.  Seems difficult to change.
   37.70          See \<open>Gets_correct\<close> in theory \<open>Guard/Extensions.thy\<close>.\<close>
   37.71  
   37.72 -lemma Notes_imp_used [rule_format]: "Notes A X \<in> set evs --> X \<in> used evs"
   37.73 +lemma Notes_imp_used [rule_format]: "Notes A X \<in> set evs \<longrightarrow> X \<in> used evs"
   37.74  apply (induct_tac evs)
   37.75  apply (auto split: event.split) 
   37.76  done
   37.77  
   37.78 -lemma Says_imp_used [rule_format]: "Says A B X \<in> set evs --> X \<in> used evs"
   37.79 +lemma Says_imp_used [rule_format]: "Says A B X \<in> set evs \<longrightarrow> X \<in> used evs"
   37.80  apply (induct_tac evs)
   37.81  apply (auto split: event.split) 
   37.82  done
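Review bot: The conversion in this hunk is incomplete: `used_Nil` on the line `used [] = (UN B. parts (initState B))` keeps the ASCII binder `UN B.` and the abbreviation `"spies == knows Spy"` keeps `==`, while the surrounding `=>` and `-->` were switched to `\<Rightarrow>`/`\<longrightarrow>`. For consistency with the rest of this commit, `(\<Union>B. parts (initState B))` and `"spies \<equiv> knows Spy"` would finish the job. The `Gets` case of `used` deliberately adds nothing, which is only sound when every `Gets` is preceded by a matching `Says`; the existing comment already points at `Gets_correct`, so nothing further is needed there.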
   37.83 @@ -102,7 +102,7 @@
   37.84        on whether @{term "A=Spy"} and whether @{term "A\<in>bad"}\<close>
   37.85  lemma knows_Spy_Notes [simp]:
   37.86       "knows Spy (Notes A X # evs) =  
   37.87 -          (if A:bad then insert X (knows Spy evs) else knows Spy evs)"
   37.88 +          (if A\<in>bad then insert X (knows Spy evs) else knows Spy evs)"
   37.89  by simp
   37.90  
   37.91  lemma knows_Spy_Gets [simp]: "knows Spy (Gets A X # evs) = knows Spy evs"
   37.92 @@ -122,13 +122,13 @@
   37.93  
   37.94  text\<open>Spy sees what is sent on the traffic\<close>
   37.95  lemma Says_imp_knows_Spy [rule_format]:
   37.96 -     "Says A B X \<in> set evs --> X \<in> knows Spy evs"
   37.97 +     "Says A B X \<in> set evs \<longrightarrow> X \<in> knows Spy evs"
   37.98  apply (induct_tac "evs")
   37.99  apply (simp_all (no_asm_simp) split: event.split)
  37.100  done
  37.101  
  37.102  lemma Notes_imp_knows_Spy [rule_format]:
  37.103 -     "Notes A X \<in> set evs --> A: bad --> X \<in> knows Spy evs"
  37.104 +     "Notes A X \<in> set evs \<longrightarrow> A \<in> bad \<longrightarrow> X \<in> knows Spy evs"
  37.105  apply (induct_tac "evs")
  37.106  apply (simp_all (no_asm_simp) split: event.split)
  37.107  done
  37.108 @@ -162,14 +162,14 @@
  37.109  by (simp add: subset_insertI)
  37.110  
  37.111  text\<open>Agents know what they say\<close>
  37.112 -lemma Says_imp_knows [rule_format]: "Says A B X \<in> set evs --> X \<in> knows A evs"
  37.113 +lemma Says_imp_knows [rule_format]: "Says A B X \<in> set evs \<longrightarrow> X \<in> knows A evs"
  37.114  apply (induct_tac "evs")
  37.115  apply (simp_all (no_asm_simp) split: event.split)
  37.116  apply blast
  37.117  done
  37.118  
  37.119  text\<open>Agents know what they note\<close>
  37.120 -lemma Notes_imp_knows [rule_format]: "Notes A X \<in> set evs --> X \<in> knows A evs"
  37.121 +lemma Notes_imp_knows [rule_format]: "Notes A X \<in> set evs \<longrightarrow> X \<in> knows A evs"
  37.122  apply (induct_tac "evs")
  37.123  apply (simp_all (no_asm_simp) split: event.split)
  37.124  apply blast
  37.125 @@ -177,7 +177,7 @@
  37.126  
  37.127  text\<open>Agents know what they receive\<close>
  37.128  lemma Gets_imp_knows_agents [rule_format]:
  37.129 -     "A \<noteq> Spy --> Gets A X \<in> set evs --> X \<in> knows A evs"
  37.130 +     "A \<noteq> Spy \<longrightarrow> Gets A X \<in> set evs \<longrightarrow> X \<in> knows A evs"
  37.131  apply (induct_tac "evs")
  37.132  apply (simp_all (no_asm_simp) split: event.split)
  37.133  done
  37.134 @@ -186,8 +186,8 @@
  37.135  text\<open>What agents DIFFERENT FROM Spy know 
  37.136    was either said, or noted, or got, or known initially\<close>
  37.137  lemma knows_imp_Says_Gets_Notes_initState [rule_format]:
  37.138 -     "[| X \<in> knows A evs; A \<noteq> Spy |] ==> EX B.  
  37.139 -  Says A B X \<in> set evs | Gets A X \<in> set evs | Notes A X \<in> set evs | X \<in> initState A"
  37.140 +     "[| X \<in> knows A evs; A \<noteq> Spy |] ==> \<exists> B.
  37.141 +  Says A B X \<in> set evs \<or> Gets A X \<in> set evs \<or> Notes A X \<in> set evs \<or> X \<in> initState A"
  37.142  apply (erule rev_mp)
  37.143  apply (induct_tac "evs")
  37.144  apply (simp_all (no_asm_simp) split: event.split)
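Review bot: The rewritten statement of `knows_imp_Says_Gets_Notes_initState` still uses `[| ... |] ==>` and has a stray space in `\<exists> B.`, whereas the next lemma in this file, `knows_Spy_imp_Says_Notes_initState`, was converted to `\<Longrightarrow>` and `\<exists>A B.` in the same commit. Suggest `"\<lbrakk>X \<in> knows A evs; A \<noteq> Spy\<rbrakk> \<Longrightarrow> \<exists>B.` so adjacent lemmas read the same way. The proof script is unchanged, so this is purely notational; the lemma's proof continues past the end of the hunk.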
  37.145 @@ -197,8 +197,8 @@
  37.146  text\<open>What the Spy knows -- for the time being --
  37.147    was either said or noted, or known initially\<close>
  37.148  lemma knows_Spy_imp_Says_Notes_initState [rule_format]:
  37.149 -     "[| X \<in> knows Spy evs |] ==> EX A B.  
  37.150 -  Says A B X \<in> set evs | Notes A X \<in> set evs | X \<in> initState Spy"
  37.151 +     "X \<in> knows Spy evs \<Longrightarrow> \<exists>A B.
  37.152 +  Says A B X \<in> set evs \<or> Notes A X \<in> set evs \<or> X \<in> initState Spy"
  37.153  apply (erule rev_mp)
  37.154  apply (induct_tac "evs")
  37.155  apply (simp_all (no_asm_simp) split: event.split)
  37.156 @@ -212,7 +212,7 @@
  37.157  
  37.158  lemmas usedI = parts_knows_Spy_subset_used [THEN subsetD, intro]
  37.159  
  37.160 -lemma initState_into_used: "X \<in> parts (initState B) ==> X \<in> used evs"
  37.161 +lemma initState_into_used: "X \<in> parts (initState B) \<Longrightarrow> X \<in> used evs"
  37.162  apply (induct_tac "evs")
  37.163  apply (simp_all add: parts_insert_knows_A split: event.split, blast)
  37.164  done
  37.165 @@ -236,7 +236,7 @@
  37.166          used_Nil [simp del] used_Cons [simp del]
  37.167  
  37.168  
  37.169 -text\<open>For proving theorems of the form @{term "X \<notin> analz (knows Spy evs) --> P"}
  37.170 +text\<open>For proving theorems of the form @{term "X \<notin> analz (knows Spy evs) \<longrightarrow> P"}
  37.171    New events added by induction to "evs" are discarded.  Provided 
  37.172    this information isn't needed, the proof will be much shorter, since
  37.173    it will omit complicated reasoning about @{term analz}.\<close>
  37.174 @@ -278,7 +278,7 @@
  37.175  
  37.176  method_setup analz_mono_contra = \<open>
  37.177      Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (analz_mono_contra_tac ctxt)))\<close>
  37.178 -    "for proving theorems of the form X \<notin> analz (knows Spy evs) --> P"
  37.179 +    "for proving theorems of the form X \<notin> analz (knows Spy evs) \<longrightarrow> P"
  37.180  
  37.181  subsubsection\<open>Useful for case analysis on whether a hash is a spoof or not\<close>
  37.182  
  37.183 @@ -299,6 +299,6 @@
  37.184  
  37.185  method_setup synth_analz_mono_contra = \<open>
  37.186      Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (synth_analz_mono_contra_tac ctxt)))\<close>
  37.187 -    "for proving theorems of the form X \<notin> synth (analz (knows Spy evs)) --> P"
  37.188 +    "for proving theorems of the form X \<notin> synth (analz (knows Spy evs)) \<longrightarrow> P"
  37.189  
  37.190  end
    38.1 --- a/src/HOL/Auth/Guard/Analz.thy	Tue Feb 13 14:24:50 2018 +0100
    38.2 +++ b/src/HOL/Auth/Guard/Analz.thy	Thu Feb 15 12:11:00 2018 +0100
    38.3 @@ -16,37 +16,37 @@
    38.4    pparts :: "msg set => msg set"
    38.5    for H :: "msg set"
    38.6  where
    38.7 -  Inj [intro]: "[| X:H; is_MPair X |] ==> X:pparts H"
    38.8 -| Fst [dest]: "[| \<lbrace>X,Y\<rbrace>:pparts H; is_MPair X |] ==> X:pparts H"
    38.9 -| Snd [dest]: "[| \<lbrace>X,Y\<rbrace>:pparts H; is_MPair Y |] ==> Y:pparts H"
   38.10 +  Inj [intro]: "[| X \<in> H; is_MPair X |] ==> X \<in> pparts H"
   38.11 +| Fst [dest]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; is_MPair X |] ==> X \<in> pparts H"
   38.12 +| Snd [dest]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; is_MPair Y |] ==> Y \<in> pparts H"
   38.13  
   38.14  subsection\<open>basic facts about @{term pparts}\<close>
   38.15  
   38.16 -lemma pparts_is_MPair [dest]: "X:pparts H ==> is_MPair X"
   38.17 +lemma pparts_is_MPair [dest]: "X \<in> pparts H \<Longrightarrow> is_MPair X"
   38.18  by (erule pparts.induct, auto)
   38.19  
   38.20 -lemma Crypt_notin_pparts [iff]: "Crypt K X ~:pparts H"
   38.21 +lemma Crypt_notin_pparts [iff]: "Crypt K X \<notin> pparts H"
   38.22  by auto
   38.23  
   38.24 -lemma Key_notin_pparts [iff]: "Key K ~:pparts H"
   38.25 +lemma Key_notin_pparts [iff]: "Key K \<notin> pparts H"
   38.26  by auto
   38.27  
   38.28 -lemma Nonce_notin_pparts [iff]: "Nonce n ~:pparts H"
   38.29 +lemma Nonce_notin_pparts [iff]: "Nonce n \<notin> pparts H"
   38.30  by auto
   38.31  
   38.32 -lemma Number_notin_pparts [iff]: "Number n ~:pparts H"
   38.33 +lemma Number_notin_pparts [iff]: "Number n \<notin> pparts H"
   38.34  by auto
   38.35  
   38.36 -lemma Agent_notin_pparts [iff]: "Agent A ~:pparts H"
   38.37 +lemma Agent_notin_pparts [iff]: "Agent A \<notin> pparts H"
   38.38  by auto
   38.39  
   38.40  lemma pparts_empty [iff]: "pparts {} = {}"
   38.41  by (auto, erule pparts.induct, auto)
   38.42  
   38.43 -lemma pparts_insertI [intro]: "X:pparts H ==> X:pparts (insert Y H)"
   38.44 +lemma pparts_insertI [intro]: "X \<in> pparts H \<Longrightarrow> X \<in> pparts (insert Y H)"
   38.45  by (erule pparts.induct, auto)
   38.46  
   38.47 -lemma pparts_sub: "[| X:pparts G; G<=H |] ==> X:pparts H"
   38.48 +lemma pparts_sub: "[| X \<in> pparts G; G \<subseteq> H |] ==> X \<in> pparts H"
   38.49  by (erule pparts.induct, auto)
   38.50  
   38.51  lemma pparts_insert2 [iff]: "pparts (insert X (insert Y H))
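Review bot: The `pparts` introduction rules `Inj`, `Fst` and `Snd`, and `pparts_sub`, keep `[| ... |] ==>` while the one-premise lemmas in the same hunk switch to `\<Longrightarrow>`; the inductive set's signature `pparts :: "msg set => msg set"` also keeps ASCII `=>`. If the aim is "more symbols", `\<lbrakk>X \<in> H; is_MPair X\<rbrakk> \<Longrightarrow> X \<in> pparts H` and `"msg set \<Rightarrow> msg set"` would make the file uniform. The `inductive_set` header starts before this hunk, and `pparts_insert2` at its end continues past it.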
   38.52 @@ -78,13 +78,13 @@
   38.53  lemma pparts_insert_Hash [iff]: "pparts (insert (Hash X) H) = pparts H"
   38.54  by (rule eq, erule pparts.induct, auto)
   38.55  
   38.56 -lemma pparts_insert: "X:pparts (insert Y H) ==> X:pparts {Y} Un pparts H"
   38.57 +lemma pparts_insert: "X \<in> pparts (insert Y H) \<Longrightarrow> X \<in> pparts {Y} \<union> pparts H"
   38.58  by (erule pparts.induct, blast+)
   38.59  
   38.60 -lemma insert_pparts: "X:pparts {Y} Un pparts H ==> X:pparts (insert Y H)"
   38.61 +lemma insert_pparts: "X \<in> pparts {Y} \<union> pparts H \<Longrightarrow> X \<in> pparts (insert Y H)"
   38.62  by (safe, erule pparts.induct, auto)
   38.63  
   38.64 -lemma pparts_Un [iff]: "pparts (G Un H) = pparts G Un pparts H"
   38.65 +lemma pparts_Un [iff]: "pparts (G \<union> H) = pparts G \<union> pparts H"
   38.66  by (rule eq, erule pparts.induct, auto dest: pparts_sub)
   38.67  
   38.68  lemma pparts_pparts [iff]: "pparts (pparts H) = pparts H"
   38.69 @@ -95,21 +95,21 @@
   38.70  
   38.71  lemmas pparts_insert_substI = pparts_insert_eq [THEN ssubst]
   38.72  
   38.73 -lemma in_pparts: "Y:pparts H ==> EX X. X:H & Y:pparts {X}"
   38.74 +lemma in_pparts: "Y \<in> pparts H \<Longrightarrow> \<exists>X. X \<in> H \<and> Y \<in> pparts {X}"
   38.75  by (erule pparts.induct, auto)
   38.76  
   38.77  subsection\<open>facts about @{term pparts} and @{term parts}\<close>
   38.78  
   38.79 -lemma pparts_no_Nonce [dest]: "[| X:pparts {Y}; Nonce n ~:parts {Y} |]
   38.80 -==> Nonce n ~:parts {X}"
   38.81 +lemma pparts_no_Nonce [dest]: "[| X \<in> pparts {Y}; Nonce n \<notin> parts {Y} |]
   38.82 +==> Nonce n \<notin> parts {X}"
   38.83  by (erule pparts.induct, simp_all)
   38.84  
   38.85  subsection\<open>facts about @{term pparts} and @{term analz}\<close>
   38.86  
   38.87 -lemma pparts_analz: "X:pparts H ==> X:analz H"
   38.88 +lemma pparts_analz: "X \<in> pparts H \<Longrightarrow> X \<in> analz H"
   38.89  by (erule pparts.induct, auto)
   38.90  
   38.91 -lemma pparts_analz_sub: "[| X:pparts G; G<=H |] ==> X:analz H"
   38.92 +lemma pparts_analz_sub: "[| X \<in> pparts G; G \<subseteq> H |] ==> X \<in> analz H"
   38.93  by (auto dest: pparts_sub pparts_analz)
   38.94  
   38.95  subsection\<open>messages that contribute to analz\<close>
   38.96 @@ -118,23 +118,23 @@
   38.97    kparts :: "msg set => msg set"
   38.98    for H :: "msg set"
   38.99  where
  38.100 -  Inj [intro]: "[| X:H; not_MPair X |] ==> X:kparts H"
  38.101 -| Fst [intro]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; not_MPair X |] ==> X:kparts H"
  38.102 -| Snd [intro]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; not_MPair Y |] ==> Y:kparts H"
  38.103 +  Inj [intro]: "[| X \<in> H; not_MPair X |] ==> X \<in> kparts H"
  38.104 +| Fst [intro]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; not_MPair X |] ==> X \<in> kparts H"
  38.105 +| Snd [intro]: "[| \<lbrace>X,Y\<rbrace> \<in> pparts H; not_MPair Y |] ==> Y \<in> kparts H"
  38.106  
  38.107  subsection\<open>basic facts about @{term kparts}\<close>
  38.108  
  38.109 -lemma kparts_not_MPair [dest]: "X:kparts H ==> not_MPair X"
  38.110 +lemma kparts_not_MPair [dest]: "X \<in> kparts H \<Longrightarrow> not_MPair X"
  38.111  by (erule kparts.induct, auto)
  38.112  
  38.113  lemma kparts_empty [iff]: "kparts {} = {}"
  38.114  by (rule eq, erule kparts.induct, auto)
  38.115  
  38.116 -lemma kparts_insertI [intro]: "X:kparts H ==> X:kparts (insert Y H)"
  38.117 +lemma kparts_insertI [intro]: "X \<in> kparts H \<Longrightarrow> X \<in> kparts (insert Y H)"
  38.118  by (erule kparts.induct, auto dest: pparts_insertI)
  38.119  
  38.120  lemma kparts_insert2 [iff]: "kparts (insert X (insert Y H))
  38.121 -= kparts {X} Un kparts {Y} Un kparts H"
  38.122 += kparts {X} \<union> kparts {Y} \<union> kparts H"
  38.123  by (rule eq, (erule kparts.induct, auto)+)
  38.124  
  38.125  lemma kparts_insert_MPair [iff]: "kparts (insert \<lbrace>X,Y\<rbrace> H)
  38.126 @@ -165,17 +165,17 @@
  38.127  = insert (Hash X) (kparts H)"
  38.128  by (rule eq, erule kparts.induct, auto)
  38.129  
  38.130 -lemma kparts_insert: "X:kparts (insert X H) ==> X:kparts {X} Un kparts H"
  38.131 +lemma kparts_insert: "X \<in> kparts (insert X H) \<Longrightarrow> X \<in> kparts {X} \<union> kparts H"
  38.132  by (erule kparts.induct, (blast dest: pparts_insert)+)
  38.133  
  38.134 -lemma kparts_insert_fst [rule_format,dest]: "X:kparts (insert Z H) ==>
  38.135 -X ~:kparts H --> X:kparts {Z}"
  38.136 +lemma kparts_insert_fst [rule_format,dest]: "X \<in> kparts (insert Z H) \<Longrightarrow>
  38.137 +X \<notin> kparts H \<longrightarrow> X \<in> kparts {Z}"
  38.138  by (erule kparts.induct, (blast dest: pparts_insert)+)
  38.139  
  38.140 -lemma kparts_sub: "[| X:kparts G; G<=H |] ==> X:kparts H"
  38.141 +lemma kparts_sub: "[| X \<in> kparts G; G \<subseteq> H |] ==> X \<in> kparts H"
  38.142  by (erule kparts.induct, auto dest: pparts_sub)
  38.143  
  38.144 -lemma kparts_Un [iff]: "kparts (G Un H) = kparts G Un kparts H"
  38.145 +lemma kparts_Un [iff]: "kparts (G \<union> H) = kparts G \<union> kparts H"
  38.146  by (rule eq, erule kparts.induct, auto dest: kparts_sub)
  38.147  
  38.148  lemma pparts_kparts [iff]: "pparts (kparts H) = {}"
  38.149 @@ -184,12 +184,12 @@
  38.150  lemma kparts_kparts [iff]: "kparts (kparts H) = kparts H"
  38.151  by (rule eq, erule kparts.induct, auto)
  38.152  
  38.153 -lemma kparts_insert_eq: "kparts (insert X H) = kparts {X} Un kparts H"
  38.154 +lemma kparts_insert_eq: "kparts (insert X H) = kparts {X} \<union> kparts H"
  38.155  by (rule_tac A=H in insert_Un, rule kparts_Un)
  38.156  
  38.157  lemmas kparts_insert_substI = kparts_insert_eq [THEN ssubst]
  38.158  
  38.159 -lemma in_kparts: "Y:kparts H ==> EX X. X:H & Y:kparts {X}"
  38.160 +lemma in_kparts: "Y \<in> kparts H \<Longrightarrow> \<exists>X. X \<in> H \<and> Y \<in> kparts {X}"
  38.161  by (erule kparts.induct, auto dest: in_pparts)
  38.162  
  38.163  lemma kparts_has_no_pair [iff]: "has_no_pair (kparts H)"
  38.164 @@ -197,59 +197,59 @@
  38.165  
  38.166  subsection\<open>facts about @{term kparts} and @{term parts}\<close>
  38.167  
  38.168 -lemma kparts_no_Nonce [dest]: "[| X:kparts {Y}; Nonce n ~:parts {Y} |]
  38.169 -==> Nonce n ~:parts {X}"
  38.170 +lemma kparts_no_Nonce [dest]: "[| X \<in> kparts {Y}; Nonce n \<notin> parts {Y} |]
  38.171 +==> Nonce n \<notin> parts {X}"
  38.172  by (erule kparts.induct, auto)
  38.173  
  38.174 -lemma kparts_parts: "X:kparts H ==> X:parts H"
  38.175 +lemma kparts_parts: "X \<in> kparts H \<Longrightarrow> X \<in> parts H"
  38.176  by (erule kparts.induct, auto dest: pparts_analz)
  38.177  
  38.178 -lemma parts_kparts: "X:parts (kparts H) ==> X:parts H"
  38.179 +lemma parts_kparts: "X \<in> parts (kparts H) \<Longrightarrow> X \<in> parts H"
  38.180  by (erule parts.induct, auto dest: kparts_parts
  38.181  intro: parts.Fst parts.Snd parts.Body)
  38.182  
  38.183 -lemma Crypt_kparts_Nonce_parts [dest]: "[| Crypt K Y:kparts {Z};
  38.184 -Nonce n:parts {Y} |] ==> Nonce n:parts {Z}"
  38.185 +lemma Crypt_kparts_Nonce_parts [dest]: "[| Crypt K Y \<in> kparts {Z};
  38.186 +Nonce n \<in> parts {Y} |] ==> Nonce n \<in> parts {Z}"
  38.187  by auto
  38.188  
  38.189  subsection\<open>facts about @{term kparts} and @{term analz}\<close>
  38.190  
  38.191 -lemma kparts_analz: "X:kparts H ==> X:analz H"
  38.192 +lemma kparts_analz: "X \<in> kparts H \<Longrightarrow> X \<in> analz H"
  38.193  by (erule kparts.induct, auto dest: pparts_analz)
  38.194  
  38.195 -lemma kparts_analz_sub: "[| X:kparts G; G<=H |] ==> X:analz H"
  38.196 +lemma kparts_analz_sub: "[| X \<in> kparts G; G \<subseteq> H |] ==> X \<in> analz H"
  38.197  by (erule kparts.induct, auto dest: pparts_analz_sub)
  38.198  
  38.199 -lemma analz_kparts [rule_format,dest]: "X:analz H ==>
  38.200 -Y:kparts {X} --> Y:analz H"
  38.201 +lemma analz_kparts [rule_format,dest]: "X \<in> analz H \<Longrightarrow>
  38.202 +Y \<in> kparts {X} \<longrightarrow> Y \<in> analz H"
  38.203  by (erule analz.induct, auto dest: kparts_analz_sub)
  38.204  
  38.205 -lemma analz_kparts_analz: "X:analz (kparts H) ==> X:analz H"
  38.206 +lemma analz_kparts_analz: "X \<in> analz (kparts H) \<Longrightarrow> X \<in> analz H"
  38.207  by (erule analz.induct, auto dest: kparts_analz)
  38.208  
  38.209 -lemma analz_kparts_insert: "X:analz (kparts (insert Z H)) ==> X:analz (kparts {Z} Un kparts H)"
  38.210 +lemma analz_kparts_insert: "X \<in> analz (kparts (insert Z H)) \<Longrightarrow> X \<in> analz (kparts {Z} \<union> kparts H)"
  38.211  by (rule analz_sub, auto)
  38.212  
  38.213 -lemma Nonce_kparts_synth [rule_format]: "Y:synth (analz G)
  38.214 -==> Nonce n:kparts {Y} --> Nonce n:analz G"
  38.215 +lemma Nonce_kparts_synth [rule_format]: "Y \<in> synth (analz G)
  38.216 +\<Longrightarrow> Nonce n \<in> kparts {Y} \<longrightarrow> Nonce n \<in> analz G"
  38.217  by (erule synth.induct, auto)
  38.218  
  38.219 -lemma kparts_insert_synth: "[| Y:parts (insert X G); X:synth (analz G);
  38.220 -Nonce n:kparts {Y}; Nonce n ~:analz G |] ==> Y:parts G"
  38.221 +lemma kparts_insert_synth: "[| Y \<in> parts (insert X G); X \<in> synth (analz G);
  38.222 +Nonce n \<in> kparts {Y}; Nonce n \<notin> analz G |] ==> Y \<in> parts G"
  38.223  apply (drule parts_insert_substD, clarify)
  38.224  apply (drule in_sub, drule_tac X=Y in parts_sub, simp)
  38.225  apply (auto dest: Nonce_kparts_synth)
  38.226  done
  38.227  
  38.228  lemma Crypt_insert_synth:
  38.229 -  "[| Crypt K Y:parts (insert X G); X:synth (analz G); Nonce n:kparts {Y}; Nonce n ~:analz G |] 
  38.230 -   ==> Crypt K Y:parts G"
  38.231 +  "[| Crypt K Y \<in> parts (insert X G); X \<in> synth (analz G); Nonce n \<in> kparts {Y}; Nonce n \<notin> analz G |] 
  38.232 +   ==> Crypt K Y \<in> parts G"
  38.233  by (metis Fake_parts_insert_in_Un Nonce_kparts_synth UnE analz_conj_parts synth_simps(5))
  38.234  
  38.235  
  38.236  subsection\<open>analz is pparts + analz of kparts\<close>
  38.237  
  38.238 -lemma analz_pparts_kparts: "X:analz H ==> X:pparts H | X:analz (kparts H)"
  38.239 +lemma analz_pparts_kparts: "X \<in> analz H \<Longrightarrow> X \<in> pparts H \<or> X \<in> analz (kparts H)"
  38.240  by (erule analz.induct, auto) 
  38.241  
  38.242  lemma analz_pparts_kparts_eq: "analz H = pparts H Un analz (kparts H)"
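Review bot: The last line of the hunk, `analz_pparts_kparts_eq: "analz H = pparts H Un analz (kparts H)"`, still uses `Un` although `pparts_Un`, `kparts_Un` and `analz_kparts_insert` in this file were converted to `\<union>`; its proof lies outside the hunk. Separately, `Crypt_insert_synth` is discharged with `metis ... synth_simps(5)`, and selecting a member of a simp collection by position is brittle under any reordering in `Message.thy`; naming the underlying fact directly would be more robust, though that is pre-existing and not introduced by this change.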
    39.1 --- a/src/HOL/Auth/Guard/Extensions.thy	Tue Feb 13 14:24:50 2018 +0100
    39.2 +++ b/src/HOL/Auth/Guard/Extensions.thy	Thu Feb 15 12:11:00 2018 +0100
    39.3 @@ -11,13 +11,13 @@
    39.4  
    39.5  subsection\<open>Extensions to Theory \<open>Set\<close>\<close>
    39.6  
    39.7 -lemma eq: "[| !!x. x:A ==> x:B; !!x. x:B ==> x:A |] ==> A=B"
    39.8 +lemma eq: "[| \<And>x. x\<in>A \<Longrightarrow> x\<in>B; \<And>x. x\<in>B \<Longrightarrow> x\<in>A |] ==> A=B"
    39.9  by auto
   39.10  
   39.11 -lemma insert_Un: "P ({x} Un A) ==> P (insert x A)"
   39.12 +lemma insert_Un: "P ({x} \<union> A) \<Longrightarrow> P (insert x A)"
   39.13  by simp
   39.14  
   39.15 -lemma in_sub: "x:A ==> {x}<=A"
   39.16 +lemma in_sub: "x\<in>A \<Longrightarrow> {x}\<subseteq>A"
   39.17  by auto
   39.18  
   39.19  
   39.20 @@ -51,7 +51,7 @@
   39.21  subsubsection\<open>messages that are pairs\<close>
   39.22  
   39.23  definition is_MPair :: "msg => bool" where
   39.24 -"is_MPair X == EX Y Z. X = \<lbrace>Y,Z\<rbrace>"
   39.25 +"is_MPair X == \<exists>Y Z. X = \<lbrace>Y,Z\<rbrace>"
   39.26  
   39.27  declare is_MPair_def [simp]
   39.28  
   39.29 @@ -86,7 +86,7 @@
   39.30  declare is_MPair_def [simp del]
   39.31  
   39.32  definition has_no_pair :: "msg set => bool" where
   39.33 -"has_no_pair H == ALL X Y. \<lbrace>X,Y\<rbrace> \<notin> H"
   39.34 +"has_no_pair H == \<forall>X Y. \<lbrace>X,Y\<rbrace> \<notin> H"
   39.35  
   39.36  declare has_no_pair_def [simp]
   39.37  
   39.38 @@ -98,38 +98,38 @@
   39.39  lemma wf_Crypt2 [iff]: "X ~= Crypt K X"
   39.40  by (induct X, auto)
   39.41  
   39.42 -lemma parts_size: "X:parts {Y} ==> X=Y | size X < size Y"
   39.43 +lemma parts_size: "X \<in> parts {Y} \<Longrightarrow> X=Y \<or> size X < size Y"
   39.44  by (erule parts.induct, auto)
   39.45  
   39.46 -lemma wf_Crypt_parts [iff]: "Crypt K X ~:parts {X}"
   39.47 +lemma wf_Crypt_parts [iff]: "Crypt K X \<notin> parts {X}"
   39.48  by (auto dest: parts_size)
   39.49  
   39.50  subsubsection\<open>lemmas on keysFor\<close>
   39.51  
   39.52  definition usekeys :: "msg set => key set" where
   39.53 -"usekeys G == {K. EX Y. Crypt K Y:G}"
   39.54 +"usekeys G \<equiv> {K. \<exists>Y. Crypt K Y \<in> G}"
   39.55  
   39.56  lemma finite_keysFor [intro]: "finite G ==> finite (keysFor G)"
   39.57  apply (simp add: keysFor_def)
   39.58  apply (rule finite_imageI)
   39.59  apply (induct G rule: finite_induct)
   39.60  apply auto
   39.61 -apply (case_tac "EX K X. x = Crypt K X", clarsimp)
   39.62 -apply (subgoal_tac "{Ka. EX Xa. (Ka=K & Xa=X) | Crypt Ka Xa:F}
   39.63 +apply (case_tac "\<exists>K X. x = Crypt K X", clarsimp)
   39.64 +apply (subgoal_tac "{Ka. \<exists>Xa. (Ka=K \<and> Xa=X) \<or> Crypt Ka Xa \<in> F} 
   39.65  = insert K (usekeys F)", auto simp: usekeys_def)
   39.66 -by (subgoal_tac "{K. EX X. Crypt K X = x | Crypt K X:F} = usekeys F",
   39.67 +by (subgoal_tac "{K. \<exists>X. Crypt K X = x \<or> Crypt K X \<in> F} = usekeys F",
   39.68  auto simp: usekeys_def)
   39.69  
   39.70  subsubsection\<open>lemmas on parts\<close>
   39.71  
   39.72 -lemma parts_sub: "[| X:parts G; G<=H |] ==> X:parts H"
   39.73 +lemma parts_sub: "[| X \<in> parts G; G \<subseteq> H |] ==> X \<in> parts H"
   39.74  by (auto dest: parts_mono)
   39.75  
   39.76 -lemma parts_Diff [dest]: "X:parts (G - H) ==> X:parts G"
   39.77 +lemma parts_Diff [dest]: "X \<in> parts (G - H) \<Longrightarrow> X \<in> parts G"
   39.78  by (erule parts_sub, auto)
   39.79  
   39.80 -lemma parts_Diff_notin: "[| Y ~:H; Nonce n ~:parts (H - {Y}) |]
   39.81 -==> Nonce n ~:parts H"
   39.82 +lemma parts_Diff_notin: "[| Y \<notin> H; Nonce n \<notin> parts (H - {Y}) |]
   39.83 +==> Nonce n \<notin> parts H"
   39.84  by simp
   39.85  
   39.86  lemmas parts_insert_substI = parts_insert [THEN ssubst]
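Review bot: The rewritten `subgoal_tac` line in `finite_keysFor` appears to end with a trailing space after `\<in> F}` that the old line did not have; whitespace-only noise like this should be dropped before committing. `parts_sub` and `parts_Diff_notin` also keep `[| ... |] ==>` while neighbouring lemmas use `\<Longrightarrow>`, and the `usekeys` definition now uses `\<equiv>` whereas `is_MPair`, `has_no_pair` and the other definitions in this file keep `==`.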
   39.87 @@ -138,39 +138,39 @@
   39.88  lemma finite_parts_msg [iff]: "finite (parts {X})"
   39.89  by (induct X, auto)
   39.90  
   39.91 -lemma finite_parts [intro]: "finite H ==> finite (parts H)"
   39.92 +lemma finite_parts [intro]: "finite H \<Longrightarrow> finite (parts H)"
   39.93  apply (erule finite_induct, simp)
   39.94  by (rule parts_insert_substI, simp)
   39.95  
   39.96 -lemma parts_parts: "[| X:parts {Y}; Y:parts G |] ==> X:parts G"
   39.97 +lemma parts_parts: "[| X \<in> parts {Y}; Y \<in> parts G |] ==> X \<in> parts G"
   39.98  by (frule parts_cut, auto) 
   39.99  
  39.100  
  39.101 -lemma parts_parts_parts: "[| X:parts {Y}; Y:parts {Z}; Z:parts G |] ==> X:parts G"
  39.102 +lemma parts_parts_parts: "[| X \<in> parts {Y}; Y \<in> parts {Z}; Z \<in> parts G |] ==> X \<in> parts G"
  39.103  by (auto dest: parts_parts)
  39.104  
  39.105 -lemma parts_parts_Crypt: "[| Crypt K X:parts G; Nonce n:parts {X} |]
  39.106 -==> Nonce n:parts G"
  39.107 +lemma parts_parts_Crypt: "[| Crypt K X \<in> parts G; Nonce n \<in> parts {X} |]
  39.108 +==> Nonce n \<in> parts G"
  39.109  by (blast intro: parts.Body dest: parts_parts)
  39.110  
  39.111  subsubsection\<open>lemmas on synth\<close>
  39.112  
  39.113 -lemma synth_sub: "[| X:synth G; G<=H |] ==> X:synth H"
  39.114 +lemma synth_sub: "[| X \<in> synth G; G \<subseteq> H |] ==> X \<in> synth H"
  39.115  by (auto dest: synth_mono)
  39.116  
  39.117 -lemma Crypt_synth [rule_format]: "[| X:synth G; Key K ~:G |] ==>
  39.118 -Crypt K Y:parts {X} --> Crypt K Y:parts G"
  39.119 +lemma Crypt_synth [rule_format]: "[| X \<in> synth G; Key K \<notin> G |] ==>
  39.120 +Crypt K Y \<in> parts {X} \<longrightarrow> Crypt K Y \<in> parts G"
  39.121  by (erule synth.induct, auto dest: parts_sub)
  39.122  
  39.123  subsubsection\<open>lemmas on analz\<close>
  39.124  
  39.125 -lemma analz_UnI1 [intro]: "X:analz G ==> X:analz (G Un H)"
  39.126 +lemma analz_UnI1 [intro]: "X \<in> analz G ==> X \<in> analz (G \<union> H)"
  39.127    by (subgoal_tac "G <= G Un H") (blast dest: analz_mono)+
  39.128  
  39.129 -lemma analz_sub: "[| X:analz G; G <= H |] ==> X:analz H"
  39.130 +lemma analz_sub: "[| X \<in> analz G; G \<subseteq> H |] ==> X \<in> analz H"
  39.131  by (auto dest: analz_mono)
  39.132  
  39.133 -lemma analz_Diff [dest]: "X:analz (G - H) ==> X:analz G"
  39.134 +lemma analz_Diff [dest]: "X \<in> analz (G - H) \<Longrightarrow> X \<in> analz G"
  39.135  by (erule analz.induct, auto)
  39.136  
  39.137  lemmas in_analz_subset_cong = analz_subset_cong [THEN subsetD]
  39.138 @@ -181,32 +181,32 @@
  39.139  lemmas insert_commute_substI = insert_commute [THEN ssubst]
  39.140  
  39.141  lemma analz_insertD:
  39.142 -     "[| Crypt K Y:H; Key (invKey K):H |] ==> analz (insert Y H) = analz H"
  39.143 +     "[| Crypt K Y \<in> H; Key (invKey K) \<in> H |] ==> analz (insert Y H) = analz H"
  39.144  by (blast intro: analz.Decrypt analz_insert_eq)  
  39.145  
  39.146 -lemma must_decrypt [rule_format,dest]: "[| X:analz H; has_no_pair H |] ==>
  39.147 -X ~:H --> (EX K Y. Crypt K Y:H & Key (invKey K):H)"
  39.148 +lemma must_decrypt [rule_format,dest]: "[| X \<in> analz H; has_no_pair H |] ==>
  39.149 +X \<notin> H \<longrightarrow> (\<exists>K Y. Crypt K Y \<in> H \<and> Key (invKey K) \<in> H)"
  39.150  by (erule analz.induct, auto)
  39.151  
  39.152 -lemma analz_needs_only_finite: "X:analz H ==> EX G. G <= H & finite G"
  39.153 +lemma analz_needs_only_finite: "X \<in> analz H \<Longrightarrow> \<exists>G. G \<subseteq> H \<and> finite G"
  39.154  by (erule analz.induct, auto)
  39.155  
  39.156 -lemma notin_analz_insert: "X ~:analz (insert Y G) ==> X ~:analz G"
  39.157 +lemma notin_analz_insert: "X \<notin> analz (insert Y G) \<Longrightarrow> X \<notin> analz G"
  39.158  by auto
  39.159  
  39.160  subsubsection\<open>lemmas on parts, synth and analz\<close>
  39.161  
  39.162 -lemma parts_invKey [rule_format,dest]:"X:parts {Y} ==>
  39.163 -X:analz (insert (Crypt K Y) H) --> X ~:analz H --> Key (invKey K):analz H"
  39.164 +lemma parts_invKey [rule_format,dest]:"X \<in> parts {Y} \<Longrightarrow>
  39.165 +X \<in> analz (insert (Crypt K Y) H) \<longrightarrow> X \<notin> analz H \<longrightarrow> Key (invKey K) \<in> analz H"
  39.166  by (erule parts.induct, auto dest: parts.Fst parts.Snd parts.Body)
  39.167  
  39.168 -lemma in_analz: "Y:analz H ==> EX X. X:H & Y:parts {X}"
  39.169 +lemma in_analz: "Y \<in> analz H \<Longrightarrow> \<exists>X. X \<in> H \<and> Y \<in> parts {X}"
  39.170  by (erule analz.induct, auto intro: parts.Fst parts.Snd parts.Body)
  39.171  
  39.172  lemmas in_analz_subset_parts = analz_subset_parts [THEN subsetD]
  39.173  
  39.174 -lemma Crypt_synth_insert: "[| Crypt K X:parts (insert Y H);
  39.175 -Y:synth (analz H); Key K ~:analz H |] ==> Crypt K X:parts H"
  39.176 +lemma Crypt_synth_insert: "[| Crypt K X \<in> parts (insert Y H);
  39.177 +Y \<in> synth (analz H); Key K \<notin> analz H |] ==> Crypt K X \<in> parts H"
  39.178  apply (drule parts_insert_substD, clarify)
  39.179  apply (frule in_sub)
  39.180  apply (frule parts_mono)
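Review bot: `analz_needs_only_finite` is stated as `X \<in> analz H \<Longrightarrow> \<exists>G. G \<subseteq> H \<and> finite G`, whose conclusion never mentions `X`, so it is satisfied trivially by `G = {}` and says nothing about analz; presumably the intended conclusion is `\<exists>G. G \<subseteq> H \<and> finite G \<and> X \<in> analz G`. That is pre-existing, but since the line is being touched it is worth either strengthening the statement (the `analz.induct` proof would then need to combine the finite witnesses of both premises in the `Decrypt` case) or adding a comment explaining why the weak form suffices for its users. `analz_insertD` and `must_decrypt` in this hunk also keep `[| ... |] ==>`, and `Crypt_synth_insert` at the end of the hunk continues past it.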
  39.181 @@ -222,24 +222,24 @@
  39.182  | "greatest_msg (Crypt K X) = greatest_msg X"
  39.183  | "greatest_msg other = 0"
  39.184  
  39.185 -lemma greatest_msg_is_greatest: "Nonce n:parts {X} ==> n <= greatest_msg X"
  39.186 +lemma greatest_msg_is_greatest: "Nonce n \<in> parts {X} \<Longrightarrow> n \<le> greatest_msg X"
  39.187  by (induct X, auto)
  39.188  
  39.189  subsubsection\<open>sets of keys\<close>
  39.190  
  39.191  definition keyset :: "msg set => bool" where
  39.192 -"keyset G == ALL X. X:G --> (EX K. X = Key K)"
  39.193 +"keyset G \<equiv> \<forall>X. X \<in> G \<longrightarrow> (\<exists>K. X = Key K)"
  39.194  
  39.195 -lemma keyset_in [dest]: "[| keyset G; X:G |] ==> EX K. X = Key K"
  39.196 +lemma keyset_in [dest]: "[| keyset G; X \<in> G |] ==> \<exists>K. X = Key K"
  39.197  by (auto simp: keyset_def)
  39.198  
  39.199  lemma MPair_notin_keyset [simp]: "keyset G ==> \<lbrace>X,Y\<rbrace> \<notin> G"
  39.200  by auto
  39.201  
  39.202 -lemma Crypt_notin_keyset [simp]: "keyset G ==> Crypt K X ~:G"
  39.203 +lemma Crypt_notin_keyset [simp]: "keyset G \<Longrightarrow> Crypt K X \<notin> G"
  39.204  by auto
  39.205  
  39.206 -lemma Nonce_notin_keyset [simp]: "keyset G ==> Nonce n ~:G"
  39.207 +lemma Nonce_notin_keyset [simp]: "keyset G \<Longrightarrow> Nonce n \<notin> G"
  39.208  by auto
  39.209  
  39.210  lemma parts_keyset [simp]: "keyset G ==> parts G = G"
  39.211 @@ -256,10 +256,10 @@
  39.212  lemma keyset_Diff_keysfor [simp]: "keyset H ==> keyset (H - keysfor G)"
  39.213  by (auto simp: keyset_def)
  39.214  
  39.215 -lemma keysfor_Crypt: "Crypt K X:parts G ==> Key (invKey K):keysfor G"
  39.216 +lemma keysfor_Crypt: "Crypt K X \<in> parts G \<Longrightarrow> Key (invKey K) \<in> keysfor G"
  39.217  by (auto simp: keysfor_def Crypt_imp_invKey_keysFor)
  39.218  
  39.219 -lemma no_key_no_Crypt: "Key K ~:keysfor G ==> Crypt (invKey K) X ~:parts G"
  39.220 +lemma no_key_no_Crypt: "Key K \<notin> keysfor G \<Longrightarrow> Crypt (invKey K) X \<notin> parts G"
  39.221  by (auto dest: keysfor_Crypt)
  39.222  
  39.223  lemma finite_keysfor [intro]: "finite G ==> finite (keysfor G)"
  39.224 @@ -273,7 +273,7 @@
  39.225  apply (erule analz.induct, blast)
  39.226  apply (simp, blast)
  39.227  apply (simp, blast)
  39.228 -apply (case_tac "Key (invKey K):H - keysfor G", clarsimp)
  39.229 +apply (case_tac "Key (invKey K) \<in> H - keysfor G", clarsimp)
  39.230  apply (drule_tac X=X in no_key_no_Crypt)
  39.231  by (auto intro: analz_sub)
  39.232  
  39.233 @@ -286,7 +286,7 @@
  39.234  subsubsection\<open>general protocol properties\<close>
  39.235  
  39.236  definition is_Says :: "event => bool" where
  39.237 -"is_Says ev == (EX A B X. ev = Says A B X)"
  39.238 +"is_Says ev == (\<exists>A B X. ev = Says A B X)"
  39.239  
  39.240  lemma is_Says_Says [iff]: "is_Says (Says A B X)"
  39.241  by (simp add: is_Says_def)
  39.242 @@ -294,36 +294,36 @@
  39.243  (* one could also require that Gets occurs after Says
  39.244  but this is sufficient for our purpose *)
  39.245  definition Gets_correct :: "event list set => bool" where
  39.246 -"Gets_correct p == ALL evs B X. evs:p --> Gets B X:set evs
  39.247 ---> (EX A. Says A B X:set evs)"
  39.248 +"Gets_correct p == \<forall>evs B X. evs \<in> p \<longrightarrow> Gets B X \<in> set evs
  39.249 +\<longrightarrow> (\<exists>A. Says A B X \<in> set evs)"
  39.250  
  39.251 -lemma Gets_correct_Says: "[| Gets_correct p; Gets B X # evs:p |]
  39.252 -==> EX A. Says A B X:set evs"
  39.253 +lemma Gets_correct_Says: "[| Gets_correct p; Gets B X # evs \<in> p |]
  39.254 +==> \<exists>A. Says A B X \<in> set evs"
  39.255  apply (simp add: Gets_correct_def)
  39.256  by (drule_tac x="Gets B X # evs" in spec, auto)
  39.257  
  39.258  definition one_step :: "event list set => bool" where
  39.259 -"one_step p == ALL evs ev. ev#evs:p --> evs:p"
  39.260 +"one_step p == \<forall>evs ev. ev#evs \<in> p \<longrightarrow> evs \<in> p"
  39.261  
  39.262 -lemma one_step_Cons [dest]: "[| one_step p; ev#evs:p |] ==> evs:p"
  39.263 +lemma one_step_Cons [dest]: "[| one_step p; ev#evs \<in> p |] ==> evs \<in> p"
  39.264  by (unfold one_step_def, blast)
  39.265  
  39.266 -lemma one_step_app: "[| evs@evs':p; one_step p; []:p |] ==> evs':p"
  39.267 +lemma one_step_app: "[| evs@evs' \<in> p; one_step p; [] \<in> p |] ==> evs' \<in> p"
  39.268  by (induct evs, auto)
  39.269  
  39.270 -lemma trunc: "[| evs @ evs':p; one_step p |] ==> evs':p"
  39.271 +lemma trunc: "[| evs @ evs' \<in> p; one_step p |] ==> evs' \<in> p"
  39.272  by (induct evs, auto)
  39.273  
  39.274  definition has_only_Says :: "event list set => bool" where
  39.275 -"has_only_Says p == ALL evs ev. evs:p --> ev:set evs
  39.276 ---> (EX A B X. ev = Says A B X)"
  39.277 +"has_only_Says p \<equiv> \<forall>evs ev. evs \<in> p \<longrightarrow> ev \<in> set evs
  39.278 +\<longrightarrow> (\<exists>A B X. ev = Says A B X)"
  39.279  
  39.280 -lemma has_only_SaysD: "[| ev:set evs; evs:p; has_only_Says p |]
  39.281 -==> EX A B X. ev = Says A B X"
  39.282 +lemma has_only_SaysD: "[| ev \<in> set evs; evs \<in> p; has_only_Says p |]
  39.283 +==> \<exists>A B X. ev = Says A B X"
  39.284  by (unfold has_only_Says_def, blast)
  39.285  
  39.286 -lemma in_has_only_Says [dest]: "[| has_only_Says p; evs:p; ev:set evs |]
  39.287 -==> EX A B X. ev = Says A B X"
  39.288 +lemma in_has_only_Says [dest]: "[| has_only_Says p; evs \<in> p; ev \<in> set evs |]
  39.289 +==> \<exists>A B X. ev = Says A B X"
  39.290  by (auto simp: has_only_Says_def)
  39.291  
  39.292  lemma has_only_Says_imp_Gets_correct [simp]: "has_only_Says p
  39.293 @@ -332,11 +332,11 @@
  39.294  
  39.295  subsubsection\<open>lemma on knows\<close>
  39.296  
  39.297 -lemma Says_imp_spies2: "Says A B \<lbrace>X,Y\<rbrace> \<in> set evs ==> Y \<in> parts (spies evs)"
  39.298 +lemma Says_imp_spies2: "Says A B \<lbrace>X,Y\<rbrace> \<in> set evs \<Longrightarrow> Y \<in> parts (spies evs)"
  39.299  by (drule Says_imp_spies, drule parts.Inj, drule parts.Snd, simp)
  39.300  
  39.301 -lemma Says_not_parts: "[| Says A B X:set evs; Y ~:parts (spies evs) |]
  39.302 -==> Y ~:parts {X}"
  39.303 +lemma Says_not_parts: "[| Says A B X \<in> set evs; Y \<notin> parts (spies evs) |]
  39.304 +==> Y \<notin> parts {X}"
  39.305  by (auto dest: Says_imp_spies parts_parts)
  39.306  
  39.307  subsubsection\<open>knows without initState\<close>
  39.308 @@ -349,7 +349,7 @@
  39.309       case ev of
  39.310         Says A' B X => insert X (knows' A evs)
  39.311       | Gets A' X => knows' A evs
  39.312 -     | Notes A' X => if A':bad then insert X (knows' A evs) else knows' A evs
  39.313 +     | Notes A' X => if A' \<in> bad then insert X (knows' A evs) else knows' A evs
  39.314     ) else (
  39.315       case ev of
  39.316         Says A' B X => if A=A' then insert X (knows' A evs) else knows' A evs
  39.317 @@ -390,8 +390,8 @@
  39.318  lemmas knows_Cons_substI = knows_Cons [THEN ssubst]
  39.319  lemmas knows_Cons_substD = knows_Cons [THEN sym, THEN ssubst]
  39.320  
  39.321 -lemma knows'_sub_spies': "[| evs:p; has_only_Says p; one_step p |]
  39.322 -==> knows' A evs <= spies' evs"
  39.323 +lemma knows'_sub_spies': "[| evs \<in> p; has_only_Says p; one_step p |]
  39.324 +==> knows' A evs \<subseteq> spies' evs"
  39.325  by (induct evs, auto split: event.splits)
  39.326  
  39.327  subsubsection\<open>knows' is finite\<close>
  39.328 @@ -404,7 +404,7 @@
  39.329  lemma knows_sub_Cons: "knows A evs <= knows A (ev#evs)"
  39.330  by(cases A, induct evs, auto simp: knows.simps split:event.split)
  39.331  
  39.332 -lemma knows_ConsI: "X:knows A evs ==> X:knows A (ev#evs)"
  39.333 +lemma knows_ConsI: "X \<in> knows A evs \<Longrightarrow> X \<in> knows A (ev#evs)"
  39.334  by (auto dest: knows_sub_Cons [THEN subsetD])
  39.335  
  39.336  lemma knows_sub_app: "knows A evs <= knows A (evs @ evs')"
  39.337 @@ -424,7 +424,7 @@
  39.338        Says A' B X => insert X (knows_max' A evs)
  39.339      | Gets A' X => knows_max' A evs
  39.340      | Notes A' X =>
  39.341 -      if A':bad then insert X (knows_max' A evs) else knows_max' A evs
  39.342 +      if A' \<in> bad then insert X (knows_max' A evs) else knows_max' A evs
  39.343    ) else (
  39.344      case ev of
  39.345        Says A' B X =>
  39.346 @@ -466,22 +466,22 @@
  39.347  lemma finite_knows_max' [iff]: "finite (knows_max' A evs)"
  39.348  by (induct evs, auto split: event.split)
  39.349  
  39.350 -lemma knows_max'_sub_spies': "[| evs:p; has_only_Says p; one_step p |]
  39.351 -==> knows_max' A evs <= spies' evs"
  39.352 +lemma knows_max'_sub_spies': "[| evs \<in> p; has_only_Says p; one_step p |]
  39.353 +==> knows_max' A evs \<subseteq> spies' evs"
  39.354  by (induct evs, auto split: event.splits)
  39.355  
  39.356 -lemma knows_max'_in_spies' [dest]: "[| evs:p; X:knows_max' A evs;
  39.357 -has_only_Says p; one_step p |] ==> X:spies' evs"
  39.358 +lemma knows_max'_in_spies' [dest]: "[| evs \<in> p; X \<in> knows_max' A evs;
  39.359 +has_only_Says p; one_step p |] ==> X \<in> spies' evs"
  39.360  by (rule knows_max'_sub_spies' [THEN subsetD], auto)
  39.361  
  39.362  lemma knows_max'_app: "knows_max' A (evs @ evs')
  39.363  = knows_max' A evs Un knows_max' A evs'"
  39.364  by (induct evs, auto split: event.splits)
  39.365  
  39.366 -lemma Says_to_knows_max': "Says A B X:set evs ==> X:knows_max' B evs"
  39.367 +lemma Says_to_knows_max': "Says A B X \<in> set evs \<Longrightarrow> X \<in> knows_max' B evs"
  39.368  by (simp add: in_set_conv_decomp, clarify, simp add: knows_max'_app)
  39.369  
  39.370 -lemma Says_from_knows_max': "Says A B X:set evs ==> X:knows_max' A evs"
  39.371 +lemma Says_from_knows_max': "Says A B X \<in> set evs \<Longrightarrow> X \<in> knows_max' A evs"
  39.372  by (simp add: in_set_conv_decomp, clarify, simp add: knows_max'_app)
  39.373  
  39.374  subsubsection\<open>used without initState\<close>
  39.375 @@ -501,10 +501,10 @@
  39.376  lemma used_decomp: "used evs = init Un used' evs"
  39.377  by (induct evs, auto simp: init_def split: event.split)
  39.378  
  39.379 -lemma used'_sub_app: "used' evs <= used' (evs@evs')"
  39.380 +lemma used'_sub_app: "used' evs \<subseteq> used' (evs@evs')"
  39.381  by (induct evs, auto split: event.split)
  39.382  
  39.383 -lemma used'_parts [rule_format]: "X:used' evs ==> Y:parts {X} --> Y:used' evs"
  39.384 +lemma used'_parts [rule_format]: "X \<in> used' evs \<Longrightarrow> Y \<in> parts {X} \<longrightarrow> Y \<in> used' evs"
  39.385  apply (induct evs, simp)
  39.386  apply (rename_tac a b)
  39.387  apply (case_tac a, simp_all) 
  39.388 @@ -516,35 +516,35 @@
  39.389  lemma used_sub_Cons: "used evs <= used (ev#evs)"
  39.390  by (induct evs, (induct ev, auto)+)
  39.391  
  39.392 -lemma used_ConsI: "X:used evs ==> X:used (ev#evs)"
  39.393 +lemma used_ConsI: "X \<in> used evs \<Longrightarrow> X \<in> used (ev#evs)"
  39.394  by (auto dest: used_sub_Cons [THEN subsetD])
  39.395  
  39.396 -lemma notin_used_ConsD: "X ~:used (ev#evs) ==> X ~:used evs"
  39.397 +lemma notin_used_ConsD: "X \<notin> used (ev#evs) \<Longrightarrow> X \<notin> used evs"
  39.398  by (auto dest: used_sub_Cons [THEN subsetD])
  39.399  
  39.400 -lemma used_appD [dest]: "X:used (evs @ evs') ==> X:used evs | X:used evs'"
  39.401 +lemma used_appD [dest]: "X \<in> used (evs @ evs') \<Longrightarrow> X \<in> used evs \<or> X \<in> used evs'"
  39.402  by (induct evs, auto, rename_tac a b, case_tac a, auto)
  39.403  
  39.404 -lemma used_ConsD: "X:used (ev#evs) ==> X:used [ev] | X:used evs"
  39.405 +lemma used_ConsD: "X \<in> used (ev#evs) \<Longrightarrow> X \<in> used [ev] \<or> X \<in> used evs"
  39.406  by (case_tac ev, auto)
  39.407  
  39.408  lemma used_sub_app: "used evs <= used (evs@evs')"
  39.409  by (auto simp: used_decomp dest: used'_sub_app [THEN subsetD])
  39.410  
  39.411 -lemma used_appIL: "X:used evs ==> X:used (evs' @ evs)"
  39.412 +lemma used_appIL: "X \<in> used evs \<Longrightarrow> X \<in> used (evs' @ evs)"
  39.413  by (induct evs', auto intro: used_ConsI)
  39.414  
  39.415 -lemma used_appIR: "X:used evs ==> X:used (evs @ evs')"
  39.416 +lemma used_appIR: "X \<in> used evs \<Longrightarrow> X \<in> used (evs @ evs')"
  39.417  by (erule used_sub_app [THEN subsetD])
  39.418  
  39.419 -lemma used_parts: "[| X:parts {Y}; Y:used evs |] ==> X:used evs"
  39.420 +lemma used_parts: "[| X \<in> parts {Y}; Y \<in> used evs |] ==> X \<in> used evs"
  39.421  apply (auto simp: used_decomp dest: used'_parts)
  39.422  by (auto simp: init_def used_Nil dest: parts_trans)
  39.423  
  39.424 -lemma parts_Says_used: "[| Says A B X:set evs; Y:parts {X} |] ==> Y:used evs"
  39.425 +lemma parts_Says_used: "[| Says A B X \<in> set evs; Y \<in> parts {X} |] ==> Y \<in> used evs"
  39.426  by (induct evs, simp_all, safe, auto intro: used_ConsI)
  39.427  
  39.428 -lemma parts_used_app: "X:parts {Y} ==> X:used (evs @ Says A B Y # evs')"
  39.429 +lemma parts_used_app: "X \<in> parts {Y} \<Longrightarrow> X \<in> used (evs @ Says A B Y # evs')"
  39.430  apply (drule_tac evs="[Says A B Y]" in used_parts, simp, blast)
  39.431  apply (drule_tac evs'=evs' in used_appIR)
  39.432  apply (drule_tac evs'=evs in used_appIL)
  39.433 @@ -552,67 +552,67 @@
  39.434  
  39.435  subsubsection\<open>lemmas on used and knows\<close>
  39.436  
  39.437 -lemma initState_used: "X:parts (initState A) ==> X:used evs"
  39.438 +lemma initState_used: "X \<in> parts (initState A) \<Longrightarrow> X \<in> used evs"
  39.439  by (induct evs, auto simp: used.simps split: event.split)
  39.440  
  39.441 -lemma Says_imp_used: "Says A B X:set evs ==> parts {X} <= used evs"
  39.442 +lemma Says_imp_used: "Says A B X \<in> set evs \<Longrightarrow> parts {X} \<subseteq> used evs"
  39.443  by (induct evs, auto intro: used_ConsI)
  39.444  
  39.445 -lemma not_used_not_spied: "X ~:used evs ==> X ~:parts (spies evs)"
  39.446 +lemma not_used_not_spied: "X \<notin> used evs \<Longrightarrow> X \<notin> parts (spies evs)"
  39.447  by (induct evs, auto simp: used_Nil)
  39.448  
  39.449 -lemma not_used_not_parts: "[| Y ~:used evs; Says A B X:set evs |]
  39.450 -==> Y ~:parts {X}"
  39.451 +lemma not_used_not_parts: "[| Y \<notin> used evs; Says A B X \<in> set evs |]
  39.452 +==> Y \<notin> parts {X}"
  39.453  by (induct evs, auto intro: used_ConsI)
  39.454  
  39.455 -lemma not_used_parts_false: "[| X ~:used evs; Y:parts (spies evs) |]
  39.456 -==> X ~:parts {Y}"
  39.457 +lemma not_used_parts_false: "[| X \<notin> used evs; Y \<in> parts (spies evs) |]
  39.458 +==> X \<notin> parts {Y}"
  39.459  by (auto dest: parts_parts)
  39.460  
  39.461 -lemma known_used [rule_format]: "[| evs:p; Gets_correct p; one_step p |]
  39.462 -==> X:parts (knows A evs) --> X:used evs"
  39.463 +lemma known_used [rule_format]: "[| evs \<in> p; Gets_correct p; one_step p |]
  39.464 +==> X \<in> parts (knows A evs) \<longrightarrow> X \<in> used evs"
  39.465  apply (case_tac "A=Spy", blast)
  39.466  apply (induct evs)
  39.467  apply (simp add: used.simps, blast)
  39.468  apply (rename_tac a evs)
  39.469  apply (frule_tac ev=a and evs=evs in one_step_Cons, simp, clarify)
  39.470 -apply (drule_tac P="%G. X:parts G" in knows_Cons_substD, safe)
  39.471 +apply (drule_tac P="\<lambda>G. X \<in> parts G" in knows_Cons_substD, safe)
  39.472  apply (erule initState_used)
  39.473  apply (case_tac a, auto)
  39.474  apply (rename_tac msg)
  39.475  apply (drule_tac B=A and X=msg and evs=evs in Gets_correct_Says)
  39.476  by (auto dest: Says_imp_used intro: used_ConsI)
  39.477  
  39.478 -lemma known_max_used [rule_format]: "[| evs:p; Gets_correct p; one_step p |]
  39.479 -==> X:parts (knows_max A evs) --> X:used evs"
  39.480 +lemma known_max_used [rule_format]: "[| evs \<in> p; Gets_correct p; one_step p |]
  39.481 +==> X \<in> parts (knows_max A evs) \<longrightarrow> X \<in> used evs"
  39.482  apply (case_tac "A=Spy")
  39.483  apply force
  39.484  apply (induct evs)
  39.485  apply (simp add: knows_max_def used.simps, blast)
  39.486  apply (rename_tac a evs)
  39.487  apply (frule_tac ev=a and evs=evs in one_step_Cons, simp, clarify)
  39.488 -apply (drule_tac P="%G. X:parts G" in knows_max_Cons_substD, safe)
  39.489 +apply (drule_tac P="\<lambda>G. X \<in> parts G" in knows_max_Cons_substD, safe)
  39.490  apply (case_tac a, auto)
  39.491  apply (rename_tac msg)
  39.492  apply (drule_tac B=A and X=msg and evs=evs in Gets_correct_Says)
  39.493  by (auto simp: knows_max'_Cons dest: Says_imp_used intro: used_ConsI)
  39.494  
  39.495 -lemma not_used_not_known: "[| evs:p; X ~:used evs;
  39.496 -Gets_correct p; one_step p |] ==> X ~:parts (knows A evs)"
  39.497 +lemma not_used_not_known: "[| evs \<in> p; X \<notin> used evs;
  39.498 +Gets_correct p; one_step p |] ==> X \<notin> parts (knows A evs)"
  39.499  by (case_tac "A=Spy", auto dest: not_used_not_spied known_used)
  39.500  
  39.501 -lemma not_used_not_known_max: "[| evs:p; X ~:used evs;
  39.502 -Gets_correct p; one_step p |] ==> X ~:parts (knows_max A evs)"
  39.503 +lemma not_used_not_known_max: "[| evs \<in> p; X \<notin> used evs;
  39.504 +Gets_correct p; one_step p |] ==> X \<notin> parts (knows_max A evs)"
  39.505  by (case_tac "A=Spy", auto dest: not_used_not_spied known_max_used)
  39.506  
  39.507  subsubsection\<open>a nonce or key in a message cannot equal a fresh nonce or key\<close>
  39.508  
  39.509 -lemma Nonce_neq [dest]: "[| Nonce n' ~:used evs;
  39.510 -Says A B X:set evs; Nonce n:parts {X} |] ==> n ~= n'"
  39.511 +lemma Nonce_neq [dest]: "[| Nonce n' \<notin> used evs;
  39.512 +Says A B X \<in> set evs; Nonce n \<in> parts {X} |] ==> n \<noteq> n'"
  39.513  by (drule not_used_not_spied, auto dest: Says_imp_knows_Spy parts_sub)
  39.514  
  39.515 -lemma Key_neq [dest]: "[| Key n' ~:used evs;
  39.516 -Says A B X:set evs; Key n:parts {X} |] ==> n ~= n'"
  39.517 +lemma Key_neq [dest]: "[| Key n' \<notin> used evs;
  39.518 +Says A B X \<in> set evs; Key n \<in> parts {X} |] ==> n ~= n'"
  39.519  by (drule not_used_not_spied, auto dest: Says_imp_knows_Spy parts_sub)
  39.520  
  39.521  subsubsection\<open>message of an event\<close>
  39.522 @@ -623,7 +623,7 @@
  39.523  | "msg (Gets A X) = X"
  39.524  | "msg (Notes A X) = X"
  39.525  
  39.526 -lemma used_sub_parts_used: "X:used (ev # evs) ==> X:parts {msg ev} Un used evs"
  39.527 +lemma used_sub_parts_used: "X \<in> used (ev # evs) ==> X \<in> parts {msg ev} \<union> used evs"
  39.528  by (induct ev, auto)
  39.529  
  39.530  end
    40.1 --- a/src/HOL/Auth/Guard/Guard.thy	Tue Feb 13 14:24:50 2018 +0100
    40.2 +++ b/src/HOL/Auth/Guard/Guard.thy	Thu Feb 15 12:11:00 2018 +0100
    40.3 @@ -13,82 +13,82 @@
    40.4  ******************************************************************************)
    40.5  
    40.6  inductive_set
    40.7 -  guard :: "nat => key set => msg set"
    40.8 +  guard :: "nat \<Rightarrow> key set \<Rightarrow> msg set"
    40.9    for n :: nat and Ks :: "key set"
   40.10  where
   40.11 -  No_Nonce [intro]: "Nonce n ~:parts {X} ==> X:guard n Ks"
   40.12 -| Guard_Nonce [intro]: "invKey K:Ks ==> Crypt K X:guard n Ks"
   40.13 -| Crypt [intro]: "X:guard n Ks ==> Crypt K X:guard n Ks"
   40.14 -| Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> \<lbrace>X,Y\<rbrace> \<in> guard n Ks"
   40.15 +  No_Nonce [intro]: "Nonce n \<notin> parts {X} \<Longrightarrow> X \<in> guard n Ks"
   40.16 +| Guard_Nonce [intro]: "invKey K \<in> Ks \<Longrightarrow> Crypt K X \<in> guard n Ks"
   40.17 +| Crypt [intro]: "X \<in> guard n Ks \<Longrightarrow> Crypt K X \<in> guard n Ks"
   40.18 +| Pair [intro]: "[| X \<in> guard n Ks; Y \<in> guard n Ks |] ==> \<lbrace>X,Y\<rbrace> \<in> guard n Ks"
   40.19  
   40.20  subsection\<open>basic facts about @{term guard}\<close>
   40.21  
   40.22 -lemma Key_is_guard [iff]: "Key K:guard n Ks"
   40.23 +lemma Key_is_guard [iff]: "Key K \<in> guard n Ks"
   40.24  by auto
   40.25  
   40.26 -lemma Agent_is_guard [iff]: "Agent A:guard n Ks"
   40.27 +lemma Agent_is_guard [iff]: "Agent A \<in> guard n Ks"
   40.28  by auto
   40.29  
   40.30 -lemma Number_is_guard [iff]: "Number r:guard n Ks"
   40.31 +lemma Number_is_guard [iff]: "Number r \<in> guard n Ks"
   40.32  by auto
   40.33  
   40.34 -lemma Nonce_notin_guard: "X:guard n Ks ==> X ~= Nonce n"
   40.35 +lemma Nonce_notin_guard: "X \<in> guard n Ks \<Longrightarrow> X \<noteq> Nonce n"
   40.36  by (erule guard.induct, auto)
   40.37  
   40.38 -lemma Nonce_notin_guard_iff [iff]: "Nonce n ~:guard n Ks"
   40.39 +lemma Nonce_notin_guard_iff [iff]: "Nonce n \<notin> guard n Ks"
   40.40  by (auto dest: Nonce_notin_guard)
   40.41  
   40.42 -lemma guard_has_Crypt [rule_format]: "X:guard n Ks ==> Nonce n:parts {X}
   40.43 ---> (EX K Y. Crypt K Y:kparts {X} & Nonce n:parts {Y})"
   40.44 +lemma guard_has_Crypt [rule_format]: "X \<in> guard n Ks ==> Nonce n \<in> parts {X}
   40.45 +\<longrightarrow> (\<exists>K Y. Crypt K Y \<in> kparts {X} \<and> Nonce n \<in> parts {Y})"
   40.46  by (erule guard.induct, auto)
   40.47  
   40.48 -lemma Nonce_notin_kparts_msg: "X:guard n Ks ==> Nonce n ~:kparts {X}"
   40.49 +lemma Nonce_notin_kparts_msg: "X \<in> guard n Ks \<Longrightarrow> Nonce n \<notin> kparts {X}"
   40.50  by (erule guard.induct, auto)
   40.51  
   40.52 -lemma Nonce_in_kparts_imp_no_guard: "Nonce n:kparts H
   40.53 -==> EX X. X:H & X ~:guard n Ks"
   40.54 +lemma Nonce_in_kparts_imp_no_guard: "Nonce n \<in> kparts H
   40.55 +\<Longrightarrow> \<exists>X. X \<in> H \<and> X \<notin> guard n Ks"
   40.56  apply (drule in_kparts, clarify)
   40.57  apply (rule_tac x=X in exI, clarify)
   40.58  by (auto dest: Nonce_notin_kparts_msg)
   40.59  
   40.60 -lemma guard_kparts [rule_format]: "X:guard n Ks ==>
   40.61 -Y:kparts {X} --> Y:guard n Ks"
   40.62 +lemma guard_kparts [rule_format]: "X \<in> guard n Ks \<Longrightarrow>
   40.63 +Y \<in> kparts {X} \<longrightarrow> Y \<in> guard n Ks"
   40.64  by (erule guard.induct, auto)
   40.65  
   40.66 -lemma guard_Crypt: "[| Crypt K Y:guard n Ks; K ~:invKey`Ks |] ==> Y:guard n Ks"
   40.67 -  by (ind_cases "Crypt K Y:guard n Ks") (auto intro!: image_eqI)
   40.68 +lemma guard_Crypt: "[| Crypt K Y \<in> guard n Ks; K \<notin> invKey`Ks |] ==> Y \<in> guard n Ks"
   40.69 +  by (ind_cases "Crypt K Y \<in> guard n Ks") (auto intro!: image_eqI)
   40.70  
   40.71  lemma guard_MPair [iff]: "(\<lbrace>X,Y\<rbrace> \<in> guard n Ks) = (X \<in> guard n Ks \<and> Y \<in> guard n Ks)"
   40.72  by (auto, (ind_cases "\<lbrace>X,Y\<rbrace> \<in> guard n Ks", auto)+)
   40.73  
   40.74 -lemma guard_not_guard [rule_format]: "X:guard n Ks ==>
   40.75 -Crypt K Y:kparts {X} --> Nonce n:kparts {Y} --> Y ~:guard n Ks"
   40.76 +lemma guard_not_guard [rule_format]: "X \<in> guard n Ks \<Longrightarrow>
   40.77 +Crypt K Y \<in> kparts {X} \<longrightarrow> Nonce n \<in> kparts {Y} \<longrightarrow> Y \<notin> guard n Ks"
   40.78  by (erule guard.induct, auto dest: guard_kparts)
   40.79  
   40.80 -lemma guard_extand: "[| X:guard n Ks; Ks <= Ks' |] ==> X:guard n Ks'"
   40.81 +lemma guard_extand: "[| X \<in> guard n Ks; Ks \<subseteq> Ks' |] ==> X \<in> guard n Ks'"
   40.82  by (erule guard.induct, auto)
   40.83  
   40.84  subsection\<open>guarded sets\<close>
   40.85  
   40.86 -definition Guard :: "nat => key set => msg set => bool" where
   40.87 -"Guard n Ks H == ALL X. X:H --> X:guard n Ks"
   40.88 +definition Guard :: "nat \<Rightarrow> key set \<Rightarrow> msg set \<Rightarrow> bool" where
   40.89 +"Guard n Ks H \<equiv> \<forall>X. X \<in> H \<longrightarrow> X \<in> guard n Ks"
   40.90  
   40.91  subsection\<open>basic facts about @{term Guard}\<close>
   40.92  
   40.93  lemma Guard_empty [iff]: "Guard n Ks {}"
   40.94  by (simp add: Guard_def)
   40.95  
   40.96 -lemma notin_parts_Guard [intro]: "Nonce n ~:parts G ==> Guard n Ks G"
   40.97 +lemma notin_parts_Guard [intro]: "Nonce n \<notin> parts G \<Longrightarrow> Guard n Ks G"
   40.98  apply (unfold Guard_def, clarify)
   40.99 -apply (subgoal_tac "Nonce n ~:parts {X}")
  40.100 +apply (subgoal_tac "Nonce n \<notin> parts {X}")
  40.101  by (auto dest: parts_sub)
  40.102  
  40.103 -lemma Nonce_notin_kparts [simplified]: "Guard n Ks H ==> Nonce n ~:kparts H"
  40.104 +lemma Nonce_notin_kparts [simplified]: "Guard n Ks H \<Longrightarrow> Nonce n \<notin> kparts H"
  40.105  by (auto simp: Guard_def dest: in_kparts Nonce_notin_kparts_msg)
  40.106  
  40.107 -lemma Guard_must_decrypt: "[| Guard n Ks H; Nonce n:analz H |] ==>
  40.108 -EX K Y. Crypt K Y:kparts H & Key (invKey K):kparts H"
  40.109 -apply (drule_tac P="%G. Nonce n:G" in analz_pparts_kparts_substD, simp)
  40.110 +lemma Guard_must_decrypt: "[| Guard n Ks H; Nonce n \<in> analz H |] ==>
  40.111 +\<exists>K Y. Crypt K Y \<in> kparts H \<and> Key (invKey K) \<in> kparts H"
  40.112 +apply (drule_tac P="\<lambda>G. Nonce n \<in> G" in analz_pparts_kparts_substD, simp)
  40.113  by (drule must_decrypt, auto dest: Nonce_notin_kparts)
  40.114  
  40.115  lemma Guard_kparts [intro]: "Guard n Ks H ==> Guard n Ks (kparts H)"
  40.116 @@ -98,7 +98,7 @@
  40.117  by (auto simp: Guard_def)
  40.118  
  40.119  lemma Guard_insert [iff]: "Guard n Ks (insert X H)
  40.120 -= (Guard n Ks H & X:guard n Ks)"
  40.121 += (Guard n Ks H \<and> X \<in> guard n Ks)"
  40.122  by (auto simp: Guard_def)
  40.123  
  40.124  lemma Guard_Un [iff]: "Guard n Ks (G Un H) = (Guard n Ks G & Guard n Ks H)"
  40.125 @@ -107,51 +107,51 @@
  40.126  lemma Guard_synth [intro]: "Guard n Ks G ==> Guard n Ks (synth G)"
  40.127  by (auto simp: Guard_def, erule synth.induct, auto)
  40.128  
  40.129 -lemma Guard_analz [intro]: "[| Guard n Ks G; ALL K. K:Ks --> Key K ~:analz G |]
  40.130 +lemma Guard_analz [intro]: "[| Guard n Ks G; \<forall>K. K \<in> Ks \<longrightarrow> Key K \<notin> analz G |]
  40.131  ==> Guard n Ks (analz G)"
  40.132  apply (auto simp: Guard_def)
  40.133  apply (erule analz.induct, auto)
  40.134 -by (ind_cases "Crypt K Xa:guard n Ks" for K Xa, auto)
  40.135 +by (ind_cases "Crypt K Xa \<in> guard n Ks" for K Xa, auto)
  40.136  
  40.137 -lemma in_Guard [dest]: "[| X:G; Guard n Ks G |] ==> X:guard n Ks"
  40.138 +lemma in_Guard [dest]: "[| X \<in> G; Guard n Ks G |] ==> X \<in> guard n Ks"
  40.139  by (auto simp: Guard_def)
  40.140  
  40.141 -lemma in_synth_Guard: "[| X:synth G; Guard n Ks G |] ==> X:guard n Ks"
  40.142 +lemma in_synth_Guard: "[| X \<in> synth G; Guard n Ks G |] ==> X \<in> guard n Ks"
  40.143  by (drule Guard_synth, auto)
  40.144  
  40.145 -lemma in_analz_Guard: "[| X:analz G; Guard n Ks G;
  40.146 -ALL K. K:Ks --> Key K ~:analz G |] ==> X:guard n Ks"
  40.147 +lemma in_analz_Guard: "[| X \<in> analz G; Guard n Ks G;
  40.148 +\<forall>K. K \<in> Ks \<longrightarrow> Key K \<notin> analz G |] ==> X \<in> guard n Ks"
  40.149  by (drule Guard_analz, auto)
  40.150  
  40.151  lemma Guard_keyset [simp]: "keyset G ==> Guard n Ks G"
  40.152  by (auto simp: Guard_def)
  40.153  
  40.154 -lemma Guard_Un_keyset: "[| Guard n Ks G; keyset H |] ==> Guard n Ks (G Un H)"
  40.155 +lemma Guard_Un_keyset: "[| Guard n Ks G; keyset H |] ==> Guard n Ks (G \<union> H)"
  40.156  by auto
  40.157  
  40.158 -lemma in_Guard_kparts: "[| X:G; Guard n Ks G; Y:kparts {X} |] ==> Y:guard n Ks"
  40.159 +lemma in_Guard_kparts: "[| X \<in> G; Guard n Ks G; Y \<in> kparts {X} |] ==> Y \<in> guard n Ks"
  40.160  by blast
  40.161  
  40.162 -lemma in_Guard_kparts_neq: "[| X:G; Guard n Ks G; Nonce n':kparts {X} |]
  40.163 -==> n ~= n'"
  40.164 +lemma in_Guard_kparts_neq: "[| X \<in> G; Guard n Ks G; Nonce n' \<in> kparts {X} |]
  40.165 +==> n \<noteq> n'"
  40.166  by (blast dest: in_Guard_kparts)
  40.167  
  40.168 -lemma in_Guard_kparts_Crypt: "[| X:G; Guard n Ks G; is_MPair X;
  40.169 -Crypt K Y:kparts {X}; Nonce n:kparts {Y} |] ==> invKey K:Ks"
  40.170 +lemma in_Guard_kparts_Crypt: "[| X \<in> G; Guard n Ks G; is_MPair X;
  40.171 +Crypt K Y \<in> kparts {X}; Nonce n \<in> kparts {Y} |] ==> invKey K \<in> Ks"
  40.172  apply (drule in_Guard, simp)
  40.173  apply (frule guard_not_guard, simp+)
  40.174  apply (drule guard_kparts, simp)
  40.175 -by (ind_cases "Crypt K Y:guard n Ks", auto)
  40.176 +by (ind_cases "Crypt K Y \<in> guard n Ks", auto)
  40.177  
  40.178 -lemma Guard_extand: "[| Guard n Ks G; Ks <= Ks' |] ==> Guard n Ks' G"
  40.179 +lemma Guard_extand: "[| Guard n Ks G; Ks \<subseteq> Ks' |] ==> Guard n Ks' G"
  40.180  by (auto simp: Guard_def dest: guard_extand)
  40.181  
  40.182 -lemma guard_invKey [rule_format]: "[| X:guard n Ks; Nonce n:kparts {Y} |] ==>
  40.183 -Crypt K Y:kparts {X} --> invKey K:Ks"
  40.184 +lemma guard_invKey [rule_format]: "[| X \<in> guard n Ks; Nonce n \<in> kparts {Y} |] ==>
  40.185 +Crypt K Y \<in> kparts {X} \<longrightarrow> invKey K \<in> Ks"
  40.186  by (erule guard.induct, auto)
  40.187  
  40.188 -lemma Crypt_guard_invKey [rule_format]: "[| Crypt K Y:guard n Ks;
  40.189 -Nonce n:kparts {Y} |] ==> invKey K:Ks"
  40.190 +lemma Crypt_guard_invKey [rule_format]: "[| Crypt K Y \<in> guard n Ks;
  40.191 +Nonce n \<in> kparts {Y} |] ==> invKey K \<in> Ks"
  40.192  by (auto dest: guard_invKey)
  40.193  
  40.194  subsection\<open>set obtained by decrypting a message\<close>
  40.195 @@ -160,14 +160,14 @@
  40.196    decrypt :: "msg set => key => msg => msg set" where
  40.197    "decrypt H K Y == insert Y (H - {Crypt K Y})"
  40.198  
  40.199 -lemma analz_decrypt: "[| Crypt K Y:H; Key (invKey K):H; Nonce n:analz H |]
  40.200 -==> Nonce n:analz (decrypt H K Y)"
  40.201 -apply (drule_tac P="%H. Nonce n:analz H" in ssubst [OF insert_Diff])
  40.202 +lemma analz_decrypt: "[| Crypt K Y \<in> H; Key (invKey K) \<in> H; Nonce n \<in> analz H |]
  40.203 +==> Nonce n \<in> analz (decrypt H K Y)"
  40.204 +apply (drule_tac P="\<lambda>H. Nonce n \<in> analz H" in ssubst [OF insert_Diff])
  40.205  apply assumption
  40.206  apply (simp only: analz_Crypt_if, simp)
  40.207  done
  40.208  
  40.209 -lemma parts_decrypt: "[| Crypt K Y:H; X:parts (decrypt H K Y) |] ==> X:parts H"
  40.210 +lemma parts_decrypt: "[| Crypt K Y \<in> H; X \<in> parts (decrypt H K Y) |] ==> X \<in> parts H"
  40.211  by (erule parts.induct, auto intro: parts.Fst parts.Snd parts.Body)
  40.212  
  40.213  subsection\<open>number of Crypt's in a message\<close>
  40.214 @@ -180,7 +180,7 @@
  40.215  
  40.216  subsection\<open>basic facts about @{term crypt_nb}\<close>
  40.217  
  40.218 -lemma non_empty_crypt_msg: "Crypt K Y:parts {X} ==> crypt_nb X \<noteq> 0"
  40.219 +lemma non_empty_crypt_msg: "Crypt K Y \<in> parts {X} \<Longrightarrow> crypt_nb X \<noteq> 0"
  40.220  by (induct X, simp_all, safe, simp_all)
  40.221  
  40.222  subsection\<open>number of Crypt's in a message list\<close>
  40.223 @@ -206,16 +206,16 @@
  40.224  apply simp
  40.225  done
  40.226  
  40.227 -lemma parts_cnb: "Z:parts (set l) ==>
  40.228 +lemma parts_cnb: "Z \<in> parts (set l) \<Longrightarrow>
  40.229  cnb l = (cnb l - crypt_nb Z) + crypt_nb Z"
  40.230  by (erule parts.induct, auto simp: in_set_conv_decomp)
  40.231  
  40.232 -lemma non_empty_crypt: "Crypt K Y:parts (set l) ==> cnb l \<noteq> 0"
  40.233 +lemma non_empty_crypt: "Crypt K Y \<in> parts (set l) \<Longrightarrow> cnb l \<noteq> 0"
  40.234  by (induct l, auto dest: non_empty_crypt_msg parts_insert_substD)
  40.235  
  40.236  subsection\<open>list of kparts\<close>
  40.237  
  40.238 -lemma kparts_msg_set: "EX l. kparts {X} = set l & cnb l = crypt_nb X"
  40.239 +lemma kparts_msg_set: "\<exists>l. kparts {X} = set l \<and> cnb l = crypt_nb X"
  40.240  apply (induct X, simp_all)
  40.241  apply (rename_tac agent, rule_tac x="[Agent agent]" in exI, simp)
  40.242  apply (rename_tac nat, rule_tac x="[Number nat]" in exI, simp)
  40.243 @@ -225,11 +225,11 @@
  40.244  apply (clarify, rule_tac x="l@la" in exI, simp)
  40.245  by (clarify, rename_tac nat X y, rule_tac x="[Crypt nat X]" in exI, simp)
  40.246  
  40.247 -lemma kparts_set: "EX l'. kparts (set l) = set l' & cnb l' = cnb l"
  40.248 +lemma kparts_set: "\<exists>l'. kparts (set l) = set l' \<and> cnb l' = cnb l"
  40.249  apply (induct l)
  40.250  apply (rule_tac x="[]" in exI, simp, clarsimp)
  40.251  apply (rename_tac a b l')
  40.252 -apply (subgoal_tac "EX l''.  kparts {a} = set l'' & cnb l'' = crypt_nb a", clarify)
  40.253 +apply (subgoal_tac "\<exists>l''.  kparts {a} = set l'' \<and> cnb l'' = crypt_nb a", clarify)
  40.254  apply (rule_tac x="l''@l'" in exI, simp)
  40.255  apply (rule kparts_insert_substI, simp)
  40.256  by (rule kparts_msg_set)
  40.257 @@ -249,28 +249,28 @@
  40.258  subsection\<open>if the analyse of a finite guarded set gives n then it must also gives
  40.259  one of the keys of Ks\<close>
  40.260  
  40.261 -lemma Guard_invKey_by_list [rule_format]: "ALL l. cnb l = p
  40.262 ---> Guard n Ks (set l) --> Nonce n:analz (set l)
  40.263 ---> (EX K. K:Ks & Key K:analz (set l))"
  40.264 +lemma Guard_invKey_by_list [rule_format]: "\<forall>l. cnb l = p
  40.265 +\<longrightarrow> Guard n Ks (set l) \<longrightarrow> Nonce n \<in> analz (set l)
  40.266 +\<longrightarrow> (\<exists>K. K \<in> Ks \<and> Key K \<in> analz (set l))"
  40.267  apply (induct p)
  40.268  (* case p=0 *)
  40.269  apply (clarify, drule Guard_must_decrypt, simp, clarify)
  40.270  apply (drule kparts_parts, drule non_empty_crypt, simp)
  40.271  (* case p>0 *)
  40.272  apply (clarify, frule Guard_must_decrypt, simp, clarify)
  40.273 -apply (drule_tac P="%G. Nonce n:G" in analz_pparts_kparts_substD, simp)
  40.274 +apply (drule_tac P="\<lambda>G. Nonce n \<in> G" in analz_pparts_kparts_substD, simp)
  40.275  apply (frule analz_decrypt, simp_all)
  40.276 -apply (subgoal_tac "EX l'. kparts (set l) = set l' & cnb l' = cnb l", clarsimp)
  40.277 +apply (subgoal_tac "\<exists>l'. kparts (set l) = set l' \<and> cnb l' = cnb l", clarsimp)
  40.278  apply (drule_tac G="insert Y (set l' - {Crypt K Y})"
  40.279  and H="set (decrypt' l' K Y)" in analz_sub, rule decrypt_minus)
  40.280  apply (rule_tac analz_pparts_kparts_substI, simp)
  40.281 -apply (case_tac "K:invKey`Ks")
  40.282 +apply (case_tac "K \<in> invKey`Ks")
  40.283  (* K:invKey`Ks *)
  40.284  apply (clarsimp, blast)
  40.285  (* K ~:invKey`Ks *)
  40.286  apply (subgoal_tac "Guard n Ks (set (decrypt' l' K Y))")
  40.287  apply (drule_tac x="decrypt' l' K Y" in spec, simp)
  40.288 -apply (subgoal_tac "Crypt K Y:parts (set l)")
  40.289 +apply (subgoal_tac "Crypt K Y \<in> parts (set l)")
  40.290  apply (drule parts_cnb, rotate_tac -1, simp)
  40.291  apply (clarify, drule_tac X="Key Ka" and H="insert Y (set l')" in analz_sub)
  40.292  apply (rule insert_mono, rule set_remove)
  40.293 @@ -286,21 +286,21 @@
  40.294  apply (rule_tac B="set l'" in subset_trans, rule set_remove, blast)
  40.295  by (rule kparts_set)
  40.296  
  40.297 -lemma Guard_invKey_finite: "[| Nonce n:analz G; Guard n Ks G; finite G |]
  40.298 -==> EX K. K:Ks & Key K:analz G"
  40.299 +lemma Guard_invKey_finite: "[| Nonce n \<in> analz G; Guard n Ks G; finite G |]
  40.300 +==> \<exists>K. K \<in> Ks \<and> Key K \<in> analz G"
  40.301  apply (drule finite_list, clarify)
  40.302  by (rule Guard_invKey_by_list, auto)
  40.303  
  40.304 -lemma Guard_invKey: "[| Nonce n:analz G; Guard n Ks G |]
  40.305 -==> EX K. K:Ks & Key K:analz G"
  40.306 +lemma Guard_invKey: "[| Nonce n \<in> analz G; Guard n Ks G |]
  40.307 +==> \<exists>K. K \<in> Ks \<and> Key K \<in> analz G"
  40.308  by (auto dest: analz_needs_only_finite Guard_invKey_finite)
  40.309  
  40.310  subsection\<open>if the analyse of a finite guarded set and a (possibly infinite) set of keys
  40.311  gives n then it must also gives Ks\<close>
  40.312  
  40.313 -lemma Guard_invKey_keyset: "[| Nonce n:analz (G Un H); Guard n Ks G; finite G;
  40.314 -keyset H |] ==> EX K. K:Ks & Key K:analz (G Un H)"
  40.315 -apply (frule_tac P="%G. Nonce n:G" and G=G in analz_keyset_substD, simp_all)
  40.316 +lemma Guard_invKey_keyset: "[| Nonce n \<in> analz (G \<union> H); Guard n Ks G; finite G;
  40.317 +keyset H |] ==> \<exists>K. K \<in> Ks \<and> Key K \<in> analz (G \<union> H)"
  40.318 +apply (frule_tac P="\<lambda>G. Nonce n \<in> G" and G=G in analz_keyset_substD, simp_all)
  40.319  apply (drule_tac G="G Un (H Int keysfor G)" in Guard_invKey_finite)
  40.320  by (auto simp: Guard_def intro: analz_sub)
  40.321  
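Review bot: The statement of Guard_invKey_keyset now reads `G \<union> H`, but the proof step on the following context line still instantiates `G="G Un (H Int keysfor G)"`, so one lemma now mixes both notations for the same set operations; the same situation occurs in GuardK_invKey_keyset at the end of the GuardK.thy diff. The instantiation is plain HOL syntax and either spelling denotes the same term, so this is a style point only: `apply (drule_tac G="G \<union> (H \<inter> keysfor G)" in Guard_invKey_finite)` would finish the conversion for this lemma. The preceding hunk of the same file (Guard_invKey_by_list) starts outside this view, so I cannot tell whether its proof body was treated the same way.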
    41.1 --- a/src/HOL/Auth/Guard/GuardK.thy	Tue Feb 13 14:24:50 2018 +0100
    41.2 +++ b/src/HOL/Auth/Guard/GuardK.thy	Thu Feb 15 12:11:00 2018 +0100
    41.3 @@ -23,149 +23,149 @@
    41.4    guardK :: "nat => key set => msg set"
    41.5    for n :: nat and Ks :: "key set"
    41.6  where
    41.7 -  No_Key [intro]: "Key n ~:parts {X} ==> X:guardK n Ks"
    41.8 -| Guard_Key [intro]: "invKey K:Ks ==> Crypt K X:guardK n Ks"
    41.9 -| Crypt [intro]: "X:guardK n Ks ==> Crypt K X:guardK n Ks"
   41.10 -| Pair [intro]: "[| X:guardK n Ks; Y:guardK n Ks |] ==> \<lbrace>X,Y\<rbrace>:guardK n Ks"
   41.11 +  No_Key [intro]: "Key n \<notin> parts {X} \<Longrightarrow> X \<in> guardK n Ks"
   41.12 +| Guard_Key [intro]: "invKey K \<in> Ks ==> Crypt K X \<in> guardK n Ks"
   41.13 +| Crypt [intro]: "X \<in> guardK n Ks \<Longrightarrow> Crypt K X \<in> guardK n Ks"
   41.14 +| Pair [intro]: "[| X \<in> guardK n Ks; Y \<in> guardK n Ks |] ==> \<lbrace>X,Y\<rbrace> \<in> guardK n Ks"
   41.15  
   41.16  subsection\<open>basic facts about @{term guardK}\<close>
   41.17  
   41.18 -lemma Nonce_is_guardK [iff]: "Nonce p:guardK n Ks"
   41.19 +lemma Nonce_is_guardK [iff]: "Nonce p \<in> guardK n Ks"
   41.20  by auto
   41.21  
   41.22 -lemma Agent_is_guardK [iff]: "Agent A:guardK n Ks"
   41.23 +lemma Agent_is_guardK [iff]: "Agent A \<in> guardK n Ks"
   41.24  by auto
   41.25  
   41.26 -lemma Number_is_guardK [iff]: "Number r:guardK n Ks"
   41.27 +lemma Number_is_guardK [iff]: "Number r \<in> guardK n Ks"
   41.28  by auto
   41.29  
   41.30 -lemma Key_notin_guardK: "X:guardK n Ks ==> X ~= Key n"
   41.31 +lemma Key_notin_guardK: "X \<in> guardK n Ks \<Longrightarrow> X \<noteq> Key n"
   41.32  by (erule guardK.induct, auto)
   41.33  
   41.34 -lemma Key_notin_guardK_iff [iff]: "Key n ~:guardK n Ks"
   41.35 +lemma Key_notin_guardK_iff [iff]: "Key n \<notin> guardK n Ks"
   41.36  by (auto dest: Key_notin_guardK)
   41.37  
   41.38 -lemma guardK_has_Crypt [rule_format]: "X:guardK n Ks ==> Key n:parts {X}
   41.39 ---> (EX K Y. Crypt K Y:kparts {X} & Key n:parts {Y})"
   41.40 +lemma guardK_has_Crypt [rule_format]: "X \<in> guardK n Ks \<Longrightarrow> Key n \<in> parts {X}
   41.41 +\<longrightarrow> (\<exists>K Y. Crypt K Y \<in> kparts {X} \<and> Key n \<in> parts {Y})"
   41.42  by (erule guardK.induct, auto)
   41.43  
   41.44 -lemma Key_notin_kparts_msg: "X:guardK n Ks ==> Key n ~:kparts {X}"
   41.45 +lemma Key_notin_kparts_msg: "X \<in> guardK n Ks \<Longrightarrow> Key n \<notin> kparts {X}"
   41.46  by (erule guardK.induct, auto dest: kparts_parts)
   41.47  
   41.48 -lemma Key_in_kparts_imp_no_guardK: "Key n:kparts H
   41.49 -==> EX X. X:H & X ~:guardK n Ks"
   41.50 +lemma Key_in_kparts_imp_no_guardK: "Key n \<in> kparts H
   41.51 +\<Longrightarrow> \<exists>X. X \<in> H \<and> X \<notin> guardK n Ks"
   41.52  apply (drule in_kparts, clarify)
   41.53  apply (rule_tac x=X in exI, clarify)
   41.54  by (auto dest: Key_notin_kparts_msg)
   41.55  
   41.56 -lemma guardK_kparts [rule_format]: "X:guardK n Ks ==>
   41.57 -Y:kparts {X} --> Y:guardK n Ks"
   41.58 +lemma guardK_kparts [rule_format]: "X \<in> guardK n Ks \<Longrightarrow>
   41.59 +Y \<in> kparts {X} \<longrightarrow> Y \<in> guardK n Ks"
   41.60  by (erule guardK.induct, auto dest: kparts_parts parts_sub)
   41.61  
   41.62 -lemma guardK_Crypt: "[| Crypt K Y:guardK n Ks; K ~:invKey`Ks |] ==> Y:guardK n Ks"
   41.63 -  by (ind_cases "Crypt K Y:guardK n Ks") (auto intro!: image_eqI)
   41.64 +lemma guardK_Crypt: "[| Crypt K Y \<in> guardK n Ks; K \<notin> invKey`Ks |] ==> Y \<in> guardK n Ks"
   41.65 +  by (ind_cases "Crypt K Y \<in> guardK n Ks") (auto intro!: image_eqI)
   41.66  
   41.67 -lemma guardK_MPair [iff]: "(\<lbrace>X,Y\<rbrace>:guardK n Ks)
   41.68 -= (X:guardK n Ks & Y:guardK n Ks)"
   41.69 -by (auto, (ind_cases "\<lbrace>X,Y\<rbrace>:guardK n Ks", auto)+)
   41.70 +lemma guardK_MPair [iff]: "(\<lbrace>X,Y\<rbrace> \<in> guardK n Ks)
   41.71 += (X \<in> guardK n Ks \<and> Y \<in> guardK n Ks)"
   41.72 +by (auto, (ind_cases "\<lbrace>X,Y\<rbrace> \<in> guardK n Ks", auto)+)
   41.73  
   41.74 -lemma guardK_not_guardK [rule_format]: "X:guardK n Ks ==>
   41.75 -Crypt K Y:kparts {X} --> Key n:kparts {Y} --> Y ~:guardK n Ks"
   41.76 +lemma guardK_not_guardK [rule_format]: "X \<in>guardK n Ks \<Longrightarrow>
   41.77 +Crypt K Y \<in> kparts {X} \<longrightarrow> Key n \<in> kparts {Y} \<longrightarrow> Y \<notin> guardK n Ks"
   41.78  by (erule guardK.induct, auto dest: guardK_kparts)
   41.79  
   41.80 -lemma guardK_extand: "[| X:guardK n Ks; Ks <= Ks';
   41.81 -[| K:Ks'; K ~:Ks |] ==> Key K ~:parts {X} |] ==> X:guardK n Ks'"
   41.82 +lemma guardK_extand: "[| X \<in> guardK n Ks; Ks \<subseteq> Ks';
   41.83 +[| K \<in> Ks'; K \<notin> Ks |] ==> Key K \<notin> parts {X} |] ==> X \<in> guardK n Ks'"
   41.84  by (erule guardK.induct, auto)
   41.85  
   41.86  subsection\<open>guarded sets\<close>
   41.87  
   41.88 -definition GuardK :: "nat => key set => msg set => bool" where
   41.89 -"GuardK n Ks H == ALL X. X:H --> X:guardK n Ks"
   41.90 +definition GuardK :: "nat \<Rightarrow> key set \<Rightarrow> msg set \<Rightarrow> bool" where
   41.91 +"GuardK n Ks H \<equiv> \<forall>X. X \<in> H \<longrightarrow> X \<in> guardK n Ks"
   41.92  
   41.93  subsection\<open>basic facts about @{term GuardK}\<close>
   41.94  
   41.95  lemma GuardK_empty [iff]: "GuardK n Ks {}"
   41.96  by (simp add: GuardK_def)
   41.97  
   41.98 -lemma Key_notin_kparts [simplified]: "GuardK n Ks H ==> Key n ~:kparts H"
   41.99 +lemma Key_notin_kparts [simplified]: "GuardK n Ks H \<Longrightarrow> Key n \<notin> kparts H"
  41.100  by (auto simp: GuardK_def dest: in_kparts Key_notin_kparts_msg)
  41.101  
  41.102 -lemma GuardK_must_decrypt: "[| GuardK n Ks H; Key n:analz H |] ==>
  41.103 -EX K Y. Crypt K Y:kparts H & Key (invKey K):kparts H"
  41.104 -apply (drule_tac P="%G. Key n:G" in analz_pparts_kparts_substD, simp)
  41.105 +lemma GuardK_must_decrypt: "[| GuardK n Ks H; Key n \<in> analz H |] ==>
  41.106 +\<exists>K Y. Crypt K Y \<in> kparts H \<and> Key (invKey K) \<in> kparts H"
  41.107 +apply (drule_tac P="\<lambda>G. Key n \<in> G" in analz_pparts_kparts_substD, simp)
  41.108  by (drule must_decrypt, auto dest: Key_notin_kparts)
  41.109  
  41.110 -lemma GuardK_kparts [intro]: "GuardK n Ks H ==> GuardK n Ks (kparts H)"
  41.111 +lemma GuardK_kparts [intro]: "GuardK n Ks H \<Longrightarrow> GuardK n Ks (kparts H)"
  41.112  by (auto simp: GuardK_def dest: in_kparts guardK_kparts)
  41.113  
  41.114 -lemma GuardK_mono: "[| GuardK n Ks H; G <= H |] ==> GuardK n Ks G"
  41.115 +lemma GuardK_mono: "[| GuardK n Ks H; G \<subseteq> H |] ==> GuardK n Ks G"
  41.116  by (auto simp: GuardK_def)
  41.117  
  41.118  lemma GuardK_insert [iff]: "GuardK n Ks (insert X H)
  41.119 -= (GuardK n Ks H & X:guardK n Ks)"
  41.120 += (GuardK n Ks H \<and> X \<in> guardK n Ks)"
  41.121  by (auto simp: GuardK_def)
  41.122  
  41.123  lemma GuardK_Un [iff]: "GuardK n Ks (G Un H) = (GuardK n Ks G & GuardK n Ks H)"
  41.124  by (auto simp: GuardK_def)
  41.125  
  41.126 -lemma GuardK_synth [intro]: "GuardK n Ks G ==> GuardK n Ks (synth G)"
  41.127 +lemma GuardK_synth [intro]: "GuardK n Ks G \<Longrightarrow> GuardK n Ks (synth G)"
  41.128  by (auto simp: GuardK_def, erule synth.induct, auto)
  41.129  
  41.130 -lemma GuardK_analz [intro]: "[| GuardK n Ks G; ALL K. K:Ks --> Key K ~:analz G |]
  41.131 +lemma GuardK_analz [intro]: "[| GuardK n Ks G; \<forall>K. K \<in> Ks \<longrightarrow> Key K \<notin> analz G |]
  41.132  ==> GuardK n Ks (analz G)"
  41.133  apply (auto simp: GuardK_def)
  41.134  apply (erule analz.induct, auto)
  41.135 -by (ind_cases "Crypt K Xa:guardK n Ks" for K Xa, auto)
  41.136 +by (ind_cases "Crypt K Xa \<in> guardK n Ks" for K Xa, auto)
  41.137  
  41.138 -lemma in_GuardK [dest]: "[| X:G; GuardK n Ks G |] ==> X:guardK n Ks"
  41.139 +lemma in_GuardK [dest]: "[| X \<in> G; GuardK n Ks G |] ==> X \<in> guardK n Ks"
  41.140  by (auto simp: GuardK_def)
  41.141  
  41.142 -lemma in_synth_GuardK: "[| X:synth G; GuardK n Ks G |] ==> X:guardK n Ks"
  41.143 +lemma in_synth_GuardK: "[| X \<in> synth G; GuardK n Ks G |] ==> X \<in> guardK n Ks"
  41.144  by (drule GuardK_synth, auto)
  41.145  
  41.146 -lemma in_analz_GuardK: "[| X:analz G; GuardK n Ks G;
  41.147 -ALL K. K:Ks --> Key K ~:analz G |] ==> X:guardK n Ks"
  41.148 +lemma in_analz_GuardK: "[| X \<in> analz G; GuardK n Ks G;
  41.149 +\<forall>K. K \<in> Ks \<longrightarrow> Key K \<notin> analz G |] ==> X \<in> guardK n Ks"
  41.150  by (drule GuardK_analz, auto)
  41.151  
  41.152 -lemma GuardK_keyset [simp]: "[| keyset G; Key n ~:G |] ==> GuardK n Ks G"
  41.153 +lemma GuardK_keyset [simp]: "[| keyset G; Key n \<notin> G |] ==> GuardK n Ks G"
  41.154  by (simp only: GuardK_def, clarify, drule keyset_in, auto)
  41.155  
  41.156 -lemma GuardK_Un_keyset: "[| GuardK n Ks G; keyset H; Key n ~:H |]
  41.157 +lemma GuardK_Un_keyset: "[| GuardK n Ks G; keyset H; Key n \<notin> H |]
  41.158  ==> GuardK n Ks (G Un H)"
  41.159  by auto
  41.160  
  41.161 -lemma in_GuardK_kparts: "[| X:G; GuardK n Ks G; Y:kparts {X} |] ==> Y:guardK n Ks"
  41.162 +lemma in_GuardK_kparts: "[| X \<in> G; GuardK n Ks G; Y \<in> kparts {X} |] ==> Y \<in> guardK n Ks"
  41.163  by blast
  41.164  
  41.165 -lemma in_GuardK_kparts_neq: "[| X:G; GuardK n Ks G; Key n':kparts {X} |]
  41.166 -==> n ~= n'"
  41.167 +lemma in_GuardK_kparts_neq: "[| X \<in> G; GuardK n Ks G; Key n' \<in> kparts {X} |]
  41.168 +==> n \<noteq> n'"
  41.169  by (blast dest: in_GuardK_kparts)
  41.170  
  41.171 -lemma in_GuardK_kparts_Crypt: "[| X:G; GuardK n Ks G; is_MPair X;
  41.172 -Crypt K Y:kparts {X}; Key n:kparts {Y} |] ==> invKey K:Ks"
  41.173 +lemma in_GuardK_kparts_Crypt: "[| X \<in> G; GuardK n Ks G; is_MPair X;
  41.174 +Crypt K Y \<in> kparts {X}; Key n \<in> kparts {Y} |] ==> invKey K \<in> Ks"
  41.175  apply (drule in_GuardK, simp)
  41.176  apply (frule guardK_not_guardK, simp+)
  41.177  apply (drule guardK_kparts, simp)
  41.178 -by (ind_cases "Crypt K Y:guardK n Ks", auto)
  41.179 +by (ind_cases "Crypt K Y \<in> guardK n Ks", auto)
  41.180  
  41.181 -lemma GuardK_extand: "[| GuardK n Ks G; Ks <= Ks';
  41.182 -[| K:Ks'; K ~:Ks |] ==> Key K ~:parts G |] ==> GuardK n Ks' G"
  41.183 +lemma GuardK_extand: "[| GuardK n Ks G; Ks \<subseteq> Ks';
  41.184 +[| K \<in> Ks'; K \<notin> Ks |] ==> Key K \<notin> parts G |] ==> GuardK n Ks' G"
  41.185  by (auto simp: GuardK_def dest: guardK_extand parts_sub)
  41.186  
  41.187  subsection\<open>set obtained by decrypting a message\<close>
  41.188  
  41.189  abbreviation (input)
  41.190 -  decrypt :: "msg set => key => msg => msg set" where
  41.191 -  "decrypt H K Y == insert Y (H - {Crypt K Y})"
  41.192 +  decrypt :: "msg set \<Rightarrow> key \<Rightarrow> msg \<Rightarrow> msg set" where
  41.193 +  "decrypt H K Y \<equiv> insert Y (H - {Crypt K Y})"
  41.194  
  41.195 -lemma analz_decrypt: "[| Crypt K Y:H; Key (invKey K):H; Key n:analz H |]
  41.196 -==> Key n:analz (decrypt H K Y)"
  41.197 -apply (drule_tac P="%H. Key n:analz H" in ssubst [OF insert_Diff])
  41.198 +lemma analz_decrypt: "[| Crypt K Y \<in> H; Key (invKey K) \<in> H; Key n \<in> analz H |]
  41.199 +==> Key n \<in> analz (decrypt H K Y)"
  41.200 +apply (drule_tac P="\<lambda>H. Key n \<in> analz H" in ssubst [OF insert_Diff])
  41.201  apply assumption 
  41.202  apply (simp only: analz_Crypt_if, simp)
  41.203  done
  41.204  
  41.205 -lemma parts_decrypt: "[| Crypt K Y:H; X:parts (decrypt H K Y) |] ==> X:parts H"
  41.206 +lemma parts_decrypt: "[| Crypt K Y \<in> H; X \<in> parts (decrypt H K Y) |] ==> X \<in> parts H"
  41.207  by (erule parts.induct, auto intro: parts.Fst parts.Snd parts.Body)
  41.208  
  41.209  subsection\<open>number of Crypt's in a message\<close>
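Review bot: guardK_not_guardK drops the space after the membership symbol (`"X \<in>guardK n Ks \<Longrightarrow>`), the only rewritten line in this hunk that does so; it still parses, but for uniformity with every other lemma it should read `lemma guardK_not_guardK [rule_format]: "X \<in> guardK n Ks \<Longrightarrow>`. In the inductive definition of guardK the unbracketed meta-implication is converted in No_Key and Crypt but kept as `==>` in Guard_Key, so three rules of one definition use two spellings of the same connective; `| Guard_Key [intro]: "invKey K \<in> Ks \<Longrightarrow> Crypt K X \<in> guardK n Ks"` would make the four rules read alike. The bracketed `[| ... |] ==>` form is left in ASCII consistently across the changeset, so I take that as deliberate and do not raise it.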
  41.210 @@ -177,7 +177,7 @@
  41.211  
  41.212  subsection\<open>basic facts about @{term crypt_nb}\<close>
  41.213  
  41.214 -lemma non_empty_crypt_msg: "Crypt K Y:parts {X} ==> crypt_nb X \<noteq> 0"
  41.215 +lemma non_empty_crypt_msg: "Crypt K Y \<in> parts {X} \<Longrightarrow> crypt_nb X \<noteq> 0"
  41.216  by (induct X, simp_all, safe, simp_all)
  41.217  
  41.218  subsection\<open>number of Crypt's in a message list\<close>
  41.219 @@ -200,16 +200,16 @@
  41.220  apply (induct l, auto)
  41.221  by (erule_tac l=l and x=x in mem_cnb_minus_substI, simp)
  41.222  
  41.223 -lemma parts_cnb: "Z:parts (set l) ==>
  41.224 +lemma parts_cnb: "Z \<in> parts (set l) \<Longrightarrow>
  41.225  cnb l = (cnb l - crypt_nb Z) + crypt_nb Z"
  41.226  by (erule parts.induct, auto simp: in_set_conv_decomp)
  41.227  
  41.228 -lemma non_empty_crypt: "Crypt K Y:parts (set l) ==> cnb l \<noteq> 0"
  41.229 +lemma non_empty_crypt: "Crypt K Y \<in> parts (set l) \<Longrightarrow> cnb l \<noteq> 0"
  41.230  by (induct l, auto dest: non_empty_crypt_msg parts_insert_substD)
  41.231  
  41.232  subsection\<open>list of kparts\<close>
  41.233  
  41.234 -lemma kparts_msg_set: "EX l. kparts {X} = set l & cnb l = crypt_nb X"
  41.235 +lemma kparts_msg_set: "\<exists>l. kparts {X} = set l \<and> cnb l = crypt_nb X"
  41.236  apply (induct X, simp_all)
  41.237  apply (rename_tac agent, rule_tac x="[Agent agent]" in exI, simp)
  41.238  apply (rename_tac nat, rule_tac x="[Number nat]" in exI, simp)
  41.239 @@ -219,11 +219,11 @@
  41.240  apply (clarify, rule_tac x="l@la" in exI, simp)
  41.241  by (clarify, rename_tac nat X y, rule_tac x="[Crypt nat X]" in exI, simp)
  41.242  
  41.243 -lemma kparts_set: "EX l'. kparts (set l) = set l' & cnb l' = cnb l"
  41.244 +lemma kparts_set: "\<exists>l'. kparts (set l) = set l' & cnb l' = cnb l"
  41.245  apply (induct l)
  41.246  apply (rule_tac x="[]" in exI, simp, clarsimp)
  41.247  apply (rename_tac a b l')
  41.248 -apply (subgoal_tac "EX l''.  kparts {a} = set l'' & cnb l'' = crypt_nb a", clarify)
  41.249 +apply (subgoal_tac "\<exists>l''.  kparts {a} = set l'' & cnb l'' = crypt_nb a", clarify)
  41.250  apply (rule_tac x="l''@l'" in exI, simp)
  41.251  apply (rule kparts_insert_substI, simp)
  41.252  by (rule kparts_msg_set)
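Review bot: kparts_set and its subgoal_tac step convert `EX` to `\<exists>` but leave `&` in ASCII, whereas the identical formula `kparts (set l) = set l' \<and> cnb l' = cnb l` in the GuardK_invKey_by_list proof further down this file is fully converted, so the two occurrences of the same fact now look different. Both spellings denote the same conjunction, so this is cosmetic, but the half-converted lines stand out: `lemma kparts_set: "\<exists>l'. kparts (set l) = set l' \<and> cnb l' = cnb l"` and `apply (subgoal_tac "\<exists>l''.  kparts {a} = set l'' \<and> cnb l'' = crypt_nb a", clarify)`.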
  41.253 @@ -243,28 +243,28 @@
  41.254  text\<open>if the analysis of a finite guarded set gives n then it must also give
  41.255  one of the keys of Ks\<close>
  41.256  
  41.257 -lemma GuardK_invKey_by_list [rule_format]: "ALL l. cnb l = p
  41.258 ---> GuardK n Ks (set l) --> Key n:analz (set l)
  41.259 ---> (EX K. K:Ks & Key K:analz (set l))"
  41.260 +lemma GuardK_invKey_by_list [rule_format]: "\<forall>l. cnb l = p
  41.261 +\<longrightarrow> GuardK n Ks (set l) \<longrightarrow> Key n \<in> analz (set l)
  41.262 +\<longrightarrow> (\<exists>K. K \<in> Ks \<and> Key K \<in> analz (set l))"
  41.263  apply (induct p)
  41.264  (* case p=0 *)
  41.265  apply (clarify, drule GuardK_must_decrypt, simp, clarify)
  41.266  apply (drule kparts_parts, drule non_empty_crypt, simp)
  41.267  (* case p>0 *)
  41.268  apply (clarify, frule GuardK_must_decrypt, simp, clarify)
  41.269 -apply (drule_tac P="%G. Key n:G" in analz_pparts_kparts_substD, simp)
  41.270 +apply (drule_tac P="\<lambda>G. Key n \<in> G" in analz_pparts_kparts_substD, simp)
  41.271  apply (frule analz_decrypt, simp_all)
  41.272 -apply (subgoal_tac "EX l'. kparts (set l) = set l' & cnb l' = cnb l", clarsimp)
  41.273 +apply (subgoal_tac "\<exists>l'. kparts (set l) = set l' \<and> cnb l' = cnb l", clarsimp)
  41.274  apply (drule_tac G="insert Y (set l' - {Crypt K Y})"
  41.275  and H="set (decrypt' l' K Y)" in analz_sub, rule decrypt_minus)
  41.276  apply (rule_tac analz_pparts_kparts_substI, simp)
  41.277 -apply (case_tac "K:invKey`Ks")
  41.278 +apply (case_tac "K \<in> invKey`Ks")
  41.279  (* K:invKey`Ks *)
  41.280  apply (clarsimp, blast)
  41.281  (* K ~:invKey`Ks *)
  41.282  apply (subgoal_tac "GuardK n Ks (set (decrypt' l' K Y))")
  41.283  apply (drule_tac x="decrypt' l' K Y" in spec, simp)
  41.284 -apply (subgoal_tac "Crypt K Y:parts (set l)")
  41.285 +apply (subgoal_tac "Crypt K Y \<in> parts (set l)")
  41.286  apply (drule parts_cnb, rotate_tac -1, simp)
  41.287  apply (clarify, drule_tac X="Key Ka" and H="insert Y (set l')" in analz_sub)
  41.288  apply (rule insert_mono, rule set_remove)
  41.289 @@ -280,21 +280,21 @@
  41.290  apply (rule_tac B="set l'" in subset_trans, rule set_remove, blast)
  41.291  by (rule kparts_set)
  41.292  
  41.293 -lemma GuardK_invKey_finite: "[| Key n:analz G; GuardK n Ks G; finite G |]
  41.294 -==> EX K. K:Ks & Key K:analz G"
  41.295 +lemma GuardK_invKey_finite: "[| Key n \<in> analz G; GuardK n Ks G; finite G |]
  41.296 +==> \<exists>K. K \<in> Ks \<and> Key K \<in> analz G"
  41.297  apply (drule finite_list, clarify)
  41.298  by (rule GuardK_invKey_by_list, auto)
  41.299  
  41.300 -lemma GuardK_invKey: "[| Key n:analz G; GuardK n Ks G |]
  41.301 -==> EX K. K:Ks & Key K:analz G"
  41.302 +lemma GuardK_invKey: "[| Key n \<in> analz G; GuardK n Ks G |]
  41.303 +==> \<exists>K. K \<in> Ks \<and> Key K \<in> analz G"
  41.304  by (auto dest: analz_needs_only_finite GuardK_invKey_finite)
  41.305  
  41.306  text\<open>if the analyse of a finite guarded set and a (possibly infinite) set of
  41.307  keys gives n then it must also gives Ks\<close>
  41.308  
  41.309 -lemma GuardK_invKey_keyset: "[| Key n:analz (G Un H); GuardK n Ks G; finite G;
  41.310 -keyset H; Key n ~:H |] ==> EX K. K:Ks & Key K:analz (G Un H)"
  41.311 -apply (frule_tac P="%G. Key n:G" and G=G in analz_keyset_substD, simp_all)
  41.312 +lemma GuardK_invKey_keyset: "[| Key n \<in> analz (G \<union> H); GuardK n Ks G; finite G;
  41.313 +keyset H; Key n \<notin> H |] ==> \<exists>K. K \<in> Ks \<and> Key K \<in> analz (G \<union> H)"
  41.314 +apply (frule_tac P="\<lambda>G. Key n \<in> G" and G=G in analz_keyset_substD, simp_all)
  41.315  apply (drule_tac G="G Un (H Int keysfor G)" in GuardK_invKey_finite)
  41.316  apply (auto simp: GuardK_def intro: analz_sub)
  41.317  by (drule keyset_in, auto)
    42.1 --- a/src/HOL/Auth/Guard/Guard_NS_Public.thy	Tue Feb 13 14:24:50 2018 +0100
    42.2 +++ b/src/HOL/Auth/Guard/Guard_NS_Public.thy	Thu Feb 15 12:11:00 2018 +0100
    42.3 @@ -37,17 +37,17 @@
    42.4  inductive_set nsp :: "event list set"
    42.5  where
    42.6  
    42.7 -  Nil: "[]:nsp"
    42.8 +  Nil: "[] \<in> nsp"
    42.9  
   42.10 -| Fake: "[| evs:nsp; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs : nsp"
   42.11 +| Fake: "[| evs \<in> nsp; X \<in> synth (analz (spies evs)) |] ==> Says Spy B X # evs \<in> nsp"
   42.12  
   42.13 -| NS1: "[| evs1:nsp; Nonce NA ~:used evs1 |] ==> ns1 A B NA # evs1 : nsp"
   42.14 +| NS1: "[| evs1 \<in> nsp; Nonce NA \<notin> used evs1 |] ==> ns1 A B NA # evs1 \<in> nsp"
   42.15  
   42.16 -| NS2: "[| evs2:nsp; Nonce NB ~:used evs2; ns1' A' A B NA:set evs2 |] ==>
   42.17 -  ns2 B A NA NB # evs2:nsp"
   42.18 +| NS2: "[| evs2 \<in> nsp; Nonce NB \<notin> used evs2; ns1' A' A B NA \<in> set evs2 |] ==>
   42.19 +  ns2 B A NA NB # evs2 \<in> nsp"
   42.20  
   42.21 -| NS3: "!!A B B' NA NB evs3. [| evs3:nsp; ns1 A B NA:set evs3; ns2' B' B A NA NB:set evs3 |] ==>
   42.22 -  ns3 A B NB # evs3:nsp"
   42.23 +| NS3: "\<And>A B B' NA NB evs3. [| evs3 \<in> nsp; ns1 A B NA \<in> set evs3; ns2' B' B A NA NB \<in> set evs3 |] ==>
   42.24 +  ns3 A B NB # evs3 \<in> nsp"
   42.25  
   42.26  subsection\<open>declarations for tactics\<close>
   42.27  
   42.28 @@ -57,17 +57,17 @@
   42.29  
   42.30  subsection\<open>general properties of nsp\<close>
   42.31  
   42.32 -lemma nsp_has_no_Gets: "evs:nsp ==> ALL A X. Gets A X ~:set evs"
   42.33 +lemma nsp_has_no_Gets: "evs \<in> nsp \<Longrightarrow> \<forall>A X. Gets A X \<notin> set evs"
   42.34  by (erule nsp.induct, auto)
   42.35  
   42.36  lemma nsp_is_Gets_correct [iff]: "Gets_correct nsp"
   42.37  by (auto simp: Gets_correct_def dest: nsp_has_no_Gets)
   42.38  
   42.39  lemma nsp_is_one_step [iff]: "one_step nsp"
   42.40 -by (unfold one_step_def, clarify, ind_cases "ev#evs:nsp" for ev evs, auto)
   42.41 +by (unfold one_step_def, clarify, ind_cases "ev#evs \<in> nsp" for ev evs, auto)
   42.42  
   42.43 -lemma nsp_has_only_Says' [rule_format]: "evs:nsp ==>
   42.44 -ev:set evs --> (EX A B X. ev=Says A B X)"
   42.45 +lemma nsp_has_only_Says' [rule_format]: "evs \<in> nsp \<Longrightarrow>
   42.46 +ev \<in> set evs \<longrightarrow> (\<exists>A B X. ev=Says A B X)"
   42.47  by (erule nsp.induct, auto)
   42.48  
   42.49  lemma nsp_has_only_Says [iff]: "has_only_Says nsp"
   42.50 @@ -79,37 +79,37 @@
   42.51  
   42.52  subsection\<open>nonce are used only once\<close>
   42.53  
   42.54 -lemma NA_is_uniq [rule_format]: "evs:nsp ==>
   42.55 -Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>:parts (spies evs)
   42.56 ---> Crypt (pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace>:parts (spies evs)
   42.57 ---> Nonce NA ~:analz (spies evs) --> A=A' & B=B'"
   42.58 +lemma NA_is_uniq [rule_format]: "evs \<in> nsp \<Longrightarrow>
   42.59 +Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (spies evs)
   42.60 +\<longrightarrow> Crypt (pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace> \<in> parts (spies evs)
   42.61 +\<longrightarrow> Nonce NA \<notin> analz (spies evs) \<longrightarrow> A=A' \<and> B=B'"
   42.62  apply (erule nsp.induct, simp_all)
   42.63  by (blast intro: analz_insertI)+
   42.64  
   42.65 -lemma no_Nonce_NS1_NS2 [rule_format]: "evs:nsp ==>
   42.66 -Crypt (pubK B') \<lbrace>Nonce NA', Nonce NA, Agent A'\<rbrace>:parts (spies evs)
   42.67 ---> Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>:parts (spies evs)
   42.68 ---> Nonce NA:analz (spies evs)"
   42.69 +lemma no_Nonce_NS1_NS2 [rule_format]: "evs \<in> nsp \<Longrightarrow>
   42.70 +Crypt (pubK B') \<lbrace>Nonce NA', Nonce NA, Agent A'\<rbrace> \<in> parts (spies evs)
   42.71 +\<longrightarrow> Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (spies evs)
   42.72 +\<longrightarrow> Nonce NA \<in> analz (spies evs)"
   42.73  apply (erule nsp.induct, simp_all)
   42.74  by (blast intro: analz_insertI)+
   42.75  
   42.76  lemma no_Nonce_NS1_NS2' [rule_format]:
   42.77 -"[| Crypt (pubK B') \<lbrace>Nonce NA', Nonce NA, Agent A'\<rbrace>:parts (spies evs);
   42.78 -Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>:parts (spies evs); evs:nsp |]
   42.79 -==> Nonce NA:analz (spies evs)"
   42.80 +"[| Crypt (pubK B') \<lbrace>Nonce NA', Nonce NA, Agent A'\<rbrace> \<in> parts (spies evs);
   42.81 +Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (spies evs); evs \<in> nsp |]
   42.82 +==> Nonce NA \<in> analz (spies evs)"
   42.83  by (rule no_Nonce_NS1_NS2, auto)
   42.84   
   42.85 -lemma NB_is_uniq [rule_format]: "evs:nsp ==>
   42.86 -Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>:parts (spies evs)
   42.87 ---> Crypt (pubK A') \<lbrace>Nonce NA', Nonce NB, Agent B'\<rbrace>:parts (spies evs)
   42.88 ---> Nonce NB ~:analz (spies evs) --> A=A' & B=B' & NA=NA'"
   42.89 +lemma NB_is_uniq [rule_format]: "evs \<in> nsp \<Longrightarrow>
   42.90 +Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts (spies evs)
   42.91 +\<longrightarrow> Crypt (pubK A') \<lbrace>Nonce NA', Nonce NB, Agent B'\<rbrace> \<in> parts (spies evs)
   42.92 +\<longrightarrow> Nonce NB \<notin> analz (spies evs) \<longrightarrow> A=A' \<and> B=B' \<and> NA=NA'"
   42.93  apply (erule nsp.induct, simp_all)
   42.94  by (blast intro: analz_insertI)+
   42.95  
   42.96  subsection\<open>guardedness of NA\<close>
   42.97  
   42.98 -lemma ns1_imp_Guard [rule_format]: "[| evs:nsp; A ~:bad; B ~:bad |] ==>
   42.99 -ns1 A B NA:set evs --> Guard NA {priK A,priK B} (spies evs)"
  42.100 +lemma ns1_imp_Guard [rule_format]: "[| evs \<in> nsp; A \<notin> bad; B \<notin> bad |] ==>
  42.101 +ns1 A B NA \<in> set evs \<longrightarrow> Guard NA {priK A,priK B} (spies evs)"
  42.102  apply (erule nsp.induct)
  42.103  (* Nil *)
  42.104  apply simp_all
  42.105 @@ -135,8 +135,8 @@
  42.106  
  42.107  subsection\<open>guardedness of NB\<close>
  42.108  
  42.109 -lemma ns2_imp_Guard [rule_format]: "[| evs:nsp; A ~:bad; B ~:bad |] ==>
  42.110 -ns2 B A NA NB:set evs --> Guard NB {priK A,priK B} (spies evs)" 
  42.111 +lemma ns2_imp_Guard [rule_format]: "[| evs \<in> nsp; A \<notin> bad; B \<notin> bad |] ==>
  42.112 +ns2 B A NA NB \<in> set evs \<longrightarrow> Guard NB {priK A,priK B} (spies evs)" 
  42.113  apply (erule nsp.induct)
  42.114  (* Nil *)
  42.115  apply simp_all
  42.116 @@ -165,15 +165,15 @@
  42.117  
  42.118  subsection\<open>Agents' Authentication\<close>
  42.119  
  42.120 -lemma B_trusts_NS1: "[| evs:nsp; A ~:bad; B ~:bad |] ==>
  42.121 -Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>:parts (spies evs)
  42.122 ---> Nonce NA ~:analz (spies evs) --> ns1 A B NA:set evs"
  42.123 +lemma B_trusts_NS1: "[| evs \<in> nsp; A \<notin> bad; B \<notin> bad |] ==>
  42.124 +Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (spies evs)
  42.125 +\<longrightarrow> Nonce NA \<notin> analz (spies evs) \<longrightarrow> ns1 A B NA \<in> set evs"
  42.126  apply (erule nsp.induct, simp_all)
  42.127  by (blast intro: analz_insertI)+
  42.128  
  42.129 -lemma A_trusts_NS2: "[| evs:nsp; A ~:bad; B ~:bad |] ==> ns1 A B NA:set evs
  42.130 ---> Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>:parts (spies evs)
  42.131 ---> ns2 B A NA NB:set evs"
  42.132 +lemma A_trusts_NS2: "[| evs \<in> nsp; A \<notin> bad; B \<notin> bad |] ==> ns1 A B NA \<in> set evs
  42.133 +\<longrightarrow> Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts (spies evs)
  42.134 +\<longrightarrow> ns2 B A NA NB \<in> set evs"
  42.135  apply (erule nsp.induct, simp_all, safe)
  42.136  apply (frule_tac B=B in ns1_imp_Guard, simp+)
  42.137  apply (drule Guard_Nonce_analz, simp+, blast)
  42.138 @@ -182,8 +182,8 @@
  42.139  apply (frule_tac B=B in ns1_imp_Guard, simp+)
  42.140  by (drule Guard_Nonce_analz, simp+, blast+)
  42.141  
  42.142 -lemma B_trusts_NS3: "[| evs:nsp; A ~:bad; B ~:bad |] ==> ns2 B A NA NB:set evs
  42.143 ---> Crypt (pubK B) (Nonce NB):parts (spies evs) --> ns3 A B NB:set evs"
  42.144 +lemma B_trusts_NS3: "[| evs \<in> nsp; A \<notin> bad; B \<notin> bad |] ==> ns2 B A NA NB \<in> set evs
  42.145 +\<longrightarrow> Crypt (pubK B) (Nonce NB) \<in> parts (spies evs) \<longrightarrow> ns3 A B NB \<in> set evs"
  42.146  apply (erule nsp.induct, simp_all, safe)
  42.147  apply (frule_tac B=B in ns2_imp_Guard, simp+)
  42.148  apply (drule Guard_Nonce_analz, simp+, blast)
    43.1 --- a/src/HOL/Auth/Guard/Guard_OtwayRees.thy	Tue Feb 13 14:24:50 2018 +0100
    43.2 +++ b/src/HOL/Auth/Guard/Guard_OtwayRees.thy	Thu Feb 15 12:11:00 2018 +0100
    43.3 @@ -59,20 +59,20 @@
    43.4  inductive_set or :: "event list set"
    43.5  where
    43.6  
    43.7 -  Nil: "[]:or"
    43.8 +  Nil: "[] \<in> or"
    43.9  
   43.10 -| Fake: "[| evs:or; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs:or"
   43.11 +| Fake: "[| evs \<in> or; X \<in> synth (analz (spies evs)) |] ==> Says Spy B X # evs \<in> or"
   43.12  
   43.13 -| OR1: "[| evs1:or; Nonce NA ~:used evs1 |] ==> or1 A B NA # evs1:or"
   43.14 +| OR1: "[| evs1 \<in> or; Nonce NA \<notin> used evs1 |] ==> or1 A B NA # evs1 \<in> or"
   43.15  
   43.16 -| OR2: "[| evs2:or; or1' A' A B NA X:set evs2; Nonce NB ~:used evs2 |]
   43.17 -  ==> or2 A B NA NB X # evs2:or"
   43.18 +| OR2: "[| evs2 \<in> or; or1' A' A B NA X \<in> set evs2; Nonce NB \<notin> used evs2 |]
   43.19 +  ==> or2 A B NA NB X # evs2 \<in> or"
   43.20  
   43.21 -| OR3: "[| evs3:or; or2' B' A B NA NB:set evs3; Key K ~:used evs3 |]
   43.22 -  ==> or3 A B NA NB K # evs3:or"
   43.23 +| OR3: "[| evs3 \<in> or; or2' B' A B NA NB \<in> set evs3; Key K \<notin> used evs3 |]
   43.24 +  ==> or3 A B NA NB K # evs3 \<in> or"
   43.25  
   43.26 -| OR4: "[| evs4:or; or2 A B NA NB X:set evs4; or3' S Y A B NA NB K:set evs4 |]
   43.27 -  ==> or4 A B NA X # evs4:or"
   43.28 +| OR4: "[| evs4 \<in> or; or2 A B NA NB X \<in> set evs4; or3' S Y A B NA NB K \<in> set evs4 |]
   43.29 +  ==> or4 A B NA X # evs4 \<in> or"
   43.30  
   43.31  subsection\<open>declarations for tactics\<close>
   43.32  
   43.33 @@ -82,17 +82,17 @@
   43.34  
   43.35  subsection\<open>general properties of or\<close>
   43.36  
   43.37 -lemma or_has_no_Gets: "evs:or ==> ALL A X. Gets A X ~:set evs"
   43.38 +lemma or_has_no_Gets: "evs \<in> or \<Longrightarrow> \<forall>A X. Gets A X \<notin> set evs"
   43.39  by (erule or.induct, auto)
   43.40  
   43.41  lemma or_is_Gets_correct [iff]: "Gets_correct or"
   43.42  by (auto simp: Gets_correct_def dest: or_has_no_Gets)
   43.43  
   43.44  lemma or_is_one_step [iff]: "one_step or"
   43.45 -by (unfold one_step_def, clarify, ind_cases "ev#evs:or" for ev evs, auto)
   43.46 +by (unfold one_step_def, clarify, ind_cases "ev#evs \<in> or" for ev evs, auto)
   43.47  
   43.48 -lemma or_has_only_Says' [rule_format]: "evs:or ==>
   43.49 -ev:set evs --> (EX A B X. ev=Says A B X)"
   43.50 +lemma or_has_only_Says' [rule_format]: "evs \<in> or \<Longrightarrow>
   43.51 +ev \<in> set evs \<longrightarrow> (\<exists>A B X. ev=Says A B X)"
   43.52  by (erule or.induct, auto)
   43.53  
   43.54  lemma or_has_only_Says [iff]: "has_only_Says or"
   43.55 @@ -100,16 +100,16 @@
   43.56  
   43.57  subsection\<open>or is regular\<close>
   43.58  
   43.59 -lemma or1'_parts_spies [dest]: "or1' A' A B NA X:set evs
   43.60 -==> X:parts (spies evs)"
   43.61 +lemma or1'_parts_spies [dest]: "or1' A' A B NA X \<in> set evs
   43.62 +\<Longrightarrow> X \<in> parts (spies evs)"
   43.63  by blast
   43.64  
   43.65 -lemma or2_parts_spies [dest]: "or2 A B NA NB X:set evs
   43.66 -==> X:parts (spies evs)"
   43.67 +lemma or2_parts_spies [dest]: "or2 A B NA NB X \<in> set evs
   43.68 +\<Longrightarrow> X \<in> parts (spies evs)"
   43.69  by blast
   43.70  
   43.71 -lemma or3_parts_spies [dest]: "Says S B \<lbrace>NA, Y, Ciph B \<lbrace>NB, K\<rbrace>\<rbrace>:set evs
   43.72 -==> K:parts (spies evs)"
   43.73 +lemma or3_parts_spies [dest]: "Says S B \<lbrace>NA, Y, Ciph B \<lbrace>NB, K\<rbrace>\<rbrace> \<in> set evs
   43.74 +\<Longrightarrow> K \<in> parts (spies evs)"
   43.75  by blast
   43.76  
   43.77  lemma or_is_regular [iff]: "regular or"
   43.78 @@ -119,8 +119,8 @@
   43.79  
   43.80  subsection\<open>guardedness of KAB\<close>
   43.81  
   43.82 -lemma Guard_KAB [rule_format]: "[| evs:or; A ~:bad; B ~:bad |] ==>
   43.83 -or3 A B NA NB K:set evs --> GuardK K {shrK A,shrK B} (spies evs)" 
   43.84 +lemma Guard_KAB [rule_format]: "[| evs \<in> or; A \<notin> bad; B \<notin> bad |] ==>
   43.85 +or3 A B NA NB K \<in> set evs \<longrightarrow> GuardK K {shrK A,shrK B} (spies evs)" 
   43.86  apply (erule or.induct)
   43.87  (* Nil *)
   43.88  apply simp_all
   43.89 @@ -140,8 +140,8 @@
   43.90  
   43.91  subsection\<open>guardedness of NB\<close>
   43.92  
   43.93 -lemma Guard_NB [rule_format]: "[| evs:or; B ~:bad |] ==>
   43.94 -or2 A B NA NB X:set evs --> Guard NB {shrK B} (spies evs)" 
   43.95 +lemma Guard_NB [rule_format]: "[| evs \<in> or; B \<notin> bad |] ==>
   43.96 +or2 A B NA NB X \<in> set evs \<longrightarrow> Guard NB {shrK B} (spies evs)" 
   43.97  apply (erule or.induct)
   43.98  (* Nil *)
   43.99  apply simp_all
    44.1 --- a/src/HOL/Auth/Guard/Guard_Public.thy	Tue Feb 13 14:24:50 2018 +0100
    44.2 +++ b/src/HOL/Auth/Guard/Guard_Public.thy	Thu Feb 15 12:11:00 2018 +0100
    44.3 @@ -22,7 +22,7 @@
    44.4  subsubsection\<open>agent associated to a key\<close>
    44.5  
    44.6  definition agt :: "key => agent" where
    44.7 -"agt K == @A. K = priK A | K = pubK A"
    44.8 +"agt K == SOME A. K = priK A | K = pubK A"
    44.9  
   44.10  lemma agt_priK [simp]: "agt (priK A) = A"
   44.11  by (simp add: agt_def)
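Review bot: The definition `"agt K == SOME A. K = priK A | K = pubK A"` is total but underspecified: for a key that is neither `priK A` nor `pubK A` for any `A`, `SOME` yields an arbitrary agent, so `agt K \<notin> bad` (and with it `good Ks`, defined later in this file) says nothing useful about such keys. That is harmless where `good Ks` is paired with `priK_set Ks`, as in `Guard_Nonce_analz`, but the definition deserves a comment making the intended interface explicit, e.g. `(* underspecified off the range of priK/pubK; use only via agt_priK and its companion lemmas *)`. The same remark applies to the `shrK`-based `agt` in Guard_Shared.thy, where `shrK_set Ks` plays the role of `priK_set Ks`.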
   44.12 @@ -32,18 +32,18 @@
   44.13  
   44.14  subsubsection\<open>basic facts about @{term initState}\<close>
   44.15  
   44.16 -lemma no_Crypt_in_parts_init [simp]: "Crypt K X ~:parts (initState A)"
   44.17 +lemma no_Crypt_in_parts_init [simp]: "Crypt K X \<notin> parts (initState A)"
   44.18  by (cases A, auto simp: initState.simps)
   44.19  
   44.20 -lemma no_Crypt_in_analz_init [simp]: "Crypt K X ~:analz (initState A)"
   44.21 +lemma no_Crypt_in_analz_init [simp]: "Crypt K X \<notin> analz (initState A)"
   44.22  by auto
   44.23  
   44.24 -lemma no_priK_in_analz_init [simp]: "A ~:bad
   44.25 -==> Key (priK A) ~:analz (initState Spy)"
   44.26 +lemma no_priK_in_analz_init [simp]: "A \<notin> bad
   44.27 +\<Longrightarrow> Key (priK A) \<notin> analz (initState Spy)"
   44.28  by (auto simp: initState.simps)
   44.29  
   44.30 -lemma priK_notin_initState_Friend [simp]: "A ~= Friend C
   44.31 -==> Key (priK A) ~: parts (initState (Friend C))"
   44.32 +lemma priK_notin_initState_Friend [simp]: "A \<noteq> Friend C
   44.33 +\<Longrightarrow> Key (priK A) \<notin> parts (initState (Friend C))"
   44.34  by (auto simp: initState.simps)
   44.35  
   44.36  lemma keyset_init [iff]: "keyset (initState A)"
   44.37 @@ -52,9 +52,9 @@
   44.38  subsubsection\<open>sets of private keys\<close>
   44.39  
   44.40  definition priK_set :: "key set => bool" where
   44.41 -"priK_set Ks == ALL K. K:Ks --> (EX A. K = priK A)"
   44.42 +"priK_set Ks \<equiv> \<forall>K. K \<in> Ks \<longrightarrow> (\<exists>A. K = priK A)"
   44.43  
   44.44 -lemma in_priK_set: "[| priK_set Ks; K:Ks |] ==> EX A. K = priK A"
   44.45 +lemma in_priK_set: "[| priK_set Ks; K \<in> Ks |] ==> \<exists>A. K = priK A"
   44.46  by (simp add: priK_set_def)
   44.47  
   44.48  lemma priK_set1 [iff]: "priK_set {priK A}"
   44.49 @@ -66,15 +66,15 @@
   44.50  subsubsection\<open>sets of good keys\<close>
   44.51  
   44.52  definition good :: "key set => bool" where
   44.53 -"good Ks == ALL K. K:Ks --> agt K ~:bad"
   44.54 +"good Ks == \<forall>K. K \<in> Ks \<longrightarrow> agt K \<notin> bad"
   44.55  
   44.56 -lemma in_good: "[| good Ks; K:Ks |] ==> agt K ~:bad"
   44.57 +lemma in_good: "[| good Ks; K \<in> Ks |] ==> agt K \<notin> bad"
   44.58  by (simp add: good_def)
   44.59  
   44.60 -lemma good1 [simp]: "A ~:bad ==> good {priK A}"
   44.61 +lemma good1 [simp]: "A \<notin> bad \<Longrightarrow> good {priK A}"
   44.62  by (simp add: good_def)
   44.63  
   44.64 -lemma good2 [simp]: "[| A ~:bad; B ~:bad |] ==> good {priK A, priK B}"
   44.65 +lemma good2 [simp]: "[| A \<notin> bad; B \<notin> bad |] ==> good {priK A, priK B}"
   44.66  by (simp add: good_def)
   44.67  
   44.68  subsubsection\<open>greatest nonce used in a trace, 0 if there is no nonce\<close>
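Review bot: The `good` definition is converted inconsistently across the two files touched by this commit: here `definition good :: "key set => bool"` keeps ASCII `=>` and `==` (only `ALL`, `-->` and `~:` in the body are replaced), whereas the identical definition in Guard_Shared.thy becomes `"key set \<Rightarrow> bool"` with `\<equiv>`. Within this file `priK_set`, `new` and `regular` already use `\<equiv>`, so `good` is the odd one out; suggest `"good Ks \<equiv> \<forall>K. K \<in> Ks \<longrightarrow> agt K \<notin> bad"` with `"key set \<Rightarrow> bool"`. Conversely, `regular` in Guard_Shared.thy keeps `=>` in its signature while `good` there got `\<Rightarrow>`, so the same cleanup is needed in the other direction there. Leaving `[| ... |] ==>` untouched throughout appears to be deliberate and is not part of this remark.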
   44.69 @@ -84,7 +84,7 @@
   44.70    "greatest [] = 0"
   44.71  | "greatest (ev # evs) = max (greatest_msg (msg ev)) (greatest evs)"
   44.72  
   44.73 -lemma greatest_is_greatest: "Nonce n:used evs ==> n <= greatest evs"
   44.74 +lemma greatest_is_greatest: "Nonce n \<in> used evs \<Longrightarrow> n \<le> greatest evs"
   44.75  apply (induct evs, auto simp: initState.simps)
   44.76  apply (drule used_sub_parts_used, safe)
   44.77  apply (drule greatest_msg_is_greatest, arith)
   44.78 @@ -92,10 +92,10 @@
   44.79  
   44.80  subsubsection\<open>function giving a new nonce\<close>
   44.81  
   44.82 -definition new :: "event list => nat" where
   44.83 -"new evs == Suc (greatest evs)"
   44.84 +definition new :: "event list \<Rightarrow> nat" where
   44.85 +"new evs \<equiv> Suc (greatest evs)"
   44.86  
   44.87 -lemma new_isnt_used [iff]: "Nonce (new evs) ~:used evs"
   44.88 +lemma new_isnt_used [iff]: "Nonce (new evs) \<notin> used evs"
   44.89  by (clarify, drule greatest_is_greatest, auto simp: new_def)
   44.90  
   44.91  subsection\<open>Proofs About Guarded Messages\<close>
   44.92 @@ -109,13 +109,13 @@
   44.93  
   44.94  lemmas invKey_invKey_substI = invKey [THEN ssubst]
   44.95  
   44.96 -lemma "Nonce n:parts {X} ==> Crypt (pubK A) X:guard n {priK A}"
   44.97 +lemma "Nonce n \<in> parts {X} \<Longrightarrow> Crypt (pubK A) X \<in> guard n {priK A}"
   44.98  apply (rule pubK_is_invKey_priK_substI, rule invKey_invKey_substI)
   44.99  by (rule Guard_Nonce, simp+)
  44.100  
  44.101  subsubsection\<open>guardedness results\<close>
  44.102  
  44.103 -lemma sign_guard [intro]: "X:guard n Ks ==> sign A X:guard n Ks"
  44.104 +lemma sign_guard [intro]: "X \<in> guard n Ks \<Longrightarrow> sign A X \<in> guard n Ks"
  44.105  by (auto simp: sign_def)
  44.106  
  44.107  lemma Guard_init [iff]: "Guard n Ks (initState B)"
  44.108 @@ -125,38 +125,38 @@
  44.109  ==> Guard n Ks (knows_max C evs)"
  44.110  by (simp add: knows_max_def)
  44.111  
  44.112 -lemma Nonce_not_used_Guard_spies [dest]: "Nonce n ~:used evs
  44.113 -==> Guard n Ks (spies evs)"
  44.114 +lemma Nonce_not_used_Guard_spies [dest]: "Nonce n \<notin> used evs
  44.115 +\<Longrightarrow> Guard n Ks (spies evs)"
  44.116  by (auto simp: Guard_def dest: not_used_not_known parts_sub)
  44.117  
  44.118 -lemma Nonce_not_used_Guard [dest]: "[| evs:p; Nonce n ~:used evs;
  44.119 +lemma Nonce_not_used_Guard [dest]: "[| evs \<in> p; Nonce n \<notin> used evs;
  44.120  Gets_correct p; one_step p |] ==> Guard n Ks (knows (Friend C) evs)"
  44.121  by (auto simp: Guard_def dest: known_used parts_trans)
  44.122  
  44.123 -lemma Nonce_not_used_Guard_max [dest]: "[| evs:p; Nonce n ~:used evs;
  44.124 +lemma Nonce_not_used_Guard_max [dest]: "[| evs \<in> p; Nonce n \<notin> used evs;
  44.125  Gets_correct p; one_step p |] ==> Guard n Ks (knows_max (Friend C) evs)"
  44.126  by (auto simp: Guard_def dest: known_max_used parts_trans)
  44.127  
  44.128 -lemma Nonce_not_used_Guard_max' [dest]: "[| evs:p; Nonce n ~:used evs;
  44.129 +lemma Nonce_not_used_Guard_max' [dest]: "[| evs \<in> p; Nonce n \<notin> used evs;
  44.130  Gets_correct p; one_step p |] ==> Guard n Ks (knows_max' (Friend C) evs)"
  44.131  apply (rule_tac H="knows_max (Friend C) evs" in Guard_mono)
  44.132  by (auto simp: knows_max_def)
  44.133  
  44.134  subsubsection\<open>regular protocols\<close>
  44.135  
  44.136 -definition regular :: "event list set => bool" where
  44.137 -"regular p == ALL evs A. evs:p --> (Key (priK A):parts (spies evs)) = (A:bad)"
  44.138 +definition regular :: "event list set \<Rightarrow> bool" where
  44.139 +"regular p \<equiv> \<forall>evs A. evs \<in> p \<longrightarrow> (Key (priK A) \<in> parts (spies evs)) = (A \<in> bad)"
  44.140  
  44.141 -lemma priK_parts_iff_bad [simp]: "[| evs:p; regular p |] ==>
  44.142 -(Key (priK A):parts (spies evs)) = (A:bad)"
  44.143 +lemma priK_parts_iff_bad [simp]: "[| evs \<in> p; regular p |] ==>
  44.144 +(Key (priK A) \<in> parts (spies evs)) = (A \<in> bad)"
  44.145  by (auto simp: regular_def)
  44.146  
  44.147 -lemma priK_analz_iff_bad [simp]: "[| evs:p; regular p |] ==>
  44.148 -(Key (priK A):analz (spies evs)) = (A:bad)"
  44.149 +lemma priK_analz_iff_bad [simp]: "[| evs \<in> p; regular p |] ==>
  44.150 +(Key (priK A) \<in> analz (spies evs)) = (A \<in> bad)"
  44.151  by auto
  44.152  
  44.153 -lemma Guard_Nonce_analz: "[| Guard n Ks (spies evs); evs:p;
  44.154 -priK_set Ks; good Ks; regular p |] ==> Nonce n ~:analz (spies evs)"
  44.155 +lemma Guard_Nonce_analz: "[| Guard n Ks (spies evs); evs \<in> p;
  44.156 +priK_set Ks; good Ks; regular p |] ==> Nonce n \<notin> analz (spies evs)"
  44.157  apply (clarify, simp only: knows_decomp)
  44.158  apply (drule Guard_invKey_keyset, simp+, safe)
  44.159  apply (drule in_good, simp)
    45.1 --- a/src/HOL/Auth/Guard/Guard_Shared.thy	Tue Feb 13 14:24:50 2018 +0100
    45.2 +++ b/src/HOL/Auth/Guard/Guard_Shared.thy	Thu Feb 15 12:11:00 2018 +0100
    45.3 @@ -20,25 +20,25 @@
    45.4  subsubsection\<open>agent associated to a key\<close>
    45.5  
    45.6  definition agt :: "key => agent" where
    45.7 -"agt K == @A. K = shrK A"
    45.8 +"agt K == SOME A. K = shrK A"
    45.9  
   45.10  lemma agt_shrK [simp]: "agt (shrK A) = A"
   45.11  by (simp add: agt_def)
   45.12  
   45.13  subsubsection\<open>basic facts about @{term initState}\<close>
   45.14  
   45.15 -lemma no_Crypt_in_parts_init [simp]: "Crypt K X ~:parts (initState A)"
   45.16 +lemma no_Crypt_in_parts_init [simp]: "Crypt K X \<notin> parts (initState A)"
   45.17  by (cases A, auto simp: initState.simps)
   45.18  
   45.19 -lemma no_Crypt_in_analz_init [simp]: "Crypt K X ~:analz (initState A)"
   45.20 +lemma no_Crypt_in_analz_init [simp]: "Crypt K X \<notin> analz (initState A)"
   45.21  by auto
   45.22  
   45.23 -lemma no_shrK_in_analz_init [simp]: "A ~:bad
   45.24 -==> Key (shrK A) ~:analz (initState Spy)"
   45.25 +lemma no_shrK_in_analz_init [simp]: "A \<notin> bad
   45.26 +\<Longrightarrow> Key (shrK A) \<notin> analz (initState Spy)"
   45.27  by (auto simp: initState.simps)
   45.28  
   45.29 -lemma shrK_notin_initState_Friend [simp]: "A ~= Friend C
   45.30 -==> Key (shrK A) ~: parts (initState (Friend C))"
   45.31 +lemma shrK_notin_initState_Friend [simp]: "A \<noteq> Friend C
   45.32 +\<Longrightarrow> Key (shrK A) \<notin> parts (initState (Friend C))"
   45.33  by (auto simp: initState.simps)
   45.34  
   45.35  lemma keyset_init [iff]: "keyset (initState A)"
   45.36 @@ -47,9 +47,9 @@
   45.37  subsubsection\<open>sets of symmetric keys\<close>
   45.38  
   45.39  definition shrK_set :: "key set => bool" where
   45.40 -"shrK_set Ks == ALL K. K:Ks --> (EX A. K = shrK A)"
   45.41 +"shrK_set Ks \<equiv> \<forall>K. K \<in> Ks \<longrightarrow> (\<exists>A. K = shrK A)"
   45.42  
   45.43 -lemma in_shrK_set: "[| shrK_set Ks; K:Ks |] ==> EX A. K = shrK A"
   45.44 +lemma in_shrK_set: "[| shrK_set Ks; K \<in> Ks |] ==> \<exists>A. K = shrK A"
   45.45  by (simp add: shrK_set_def)
   45.46  
   45.47  lemma shrK_set1 [iff]: "shrK_set {shrK A}"
   45.48 @@ -60,16 +60,16 @@
   45.49  
   45.50  subsubsection\<open>sets of good keys\<close>
   45.51  
   45.52 -definition good :: "key set => bool" where
   45.53 -"good Ks == ALL K. K:Ks --> agt K ~:bad"
   45.54 +definition good :: "key set \<Rightarrow> bool" where
   45.55 +"good Ks \<equiv> \<forall>K. K \<in> Ks \<longrightarrow> agt K \<notin> bad"
   45.56  
   45.57 -lemma in_good: "[| good Ks; K:Ks |] ==> agt K ~:bad"
   45.58 +lemma in_good: "[| good Ks; K \<in> Ks |] ==> agt K \<notin> bad"
   45.59  by (simp add: good_def)
   45.60  
   45.61 -lemma good1 [simp]: "A ~:bad ==> good {shrK A}"
   45.62 +lemma good1 [simp]: "A \<notin> bad \<Longrightarrow> good {shrK A}"
   45.63  by (simp add: good_def)
   45.64  
   45.65 -lemma good2 [simp]: "[| A ~:bad; B ~:bad |] ==> good {shrK A, shrK B}"
   45.66 +lemma good2 [simp]: "[| A \<notin> bad; B \<notin> bad |] ==> good {shrK A, shrK B}"
   45.67  by (simp add: good_def)
   45.68  
   45.69  
   45.70 @@ -84,16 +84,16 @@
   45.71  
   45.72  lemmas invKey_invKey_substI = invKey [THEN ssubst]
   45.73  
   45.74 -lemma "Nonce n:parts {X} ==> Crypt (shrK A) X:guard n {shrK A}"
   45.75 +lemma "Nonce n \<in> parts {X} \<Longrightarrow> Crypt (shrK A) X \<in> guard n {shrK A}"
   45.76  apply (rule shrK_is_invKey_shrK_substI, rule invKey_invKey_substI)
   45.77  by (rule Guard_Nonce, simp+)
   45.78  
   45.79  subsubsection\<open>guardedness results on nonces\<close>
   45.80  
   45.81 -lemma guard_ciph [simp]: "shrK A:Ks ==> Ciph A X:guard n Ks"
   45.82 +lemma guard_ciph [simp]: "shrK A \<in> Ks \<Longrightarrow> Ciph A X \<in> guard n Ks"
   45.83  by (rule Guard_Nonce, simp)
   45.84  
   45.85 -lemma guardK_ciph [simp]: "shrK A:Ks ==> Ciph A X:guardK n Ks"
   45.86 +lemma guardK_ciph [simp]: "shrK A \<in> Ks \<Longrightarrow> Ciph A X \<in> guardK n Ks"
   45.87  by (rule Guard_Key, simp)
   45.88  
   45.89  lemma Guard_init [iff]: "Guard n Ks (initState B)"
   45.90 @@ -103,45 +103,45 @@
   45.91  ==> Guard n Ks (knows_max C evs)"
   45.92  by (simp add: knows_max_def)
   45.93  
   45.94 -lemma Nonce_not_used_Guard_spies [dest]: "Nonce n ~:used evs
   45.95 -==> Guard n Ks (spies evs)"
   45.96 +lemma Nonce_not_used_Guard_spies [dest]: "Nonce n \<notin> used evs
   45.97 +\<Longrightarrow> Guard n Ks (spies evs)"
   45.98  by (auto simp: Guard_def dest: not_used_not_known parts_sub)
   45.99  
  45.100 -lemma Nonce_not_used_Guard [dest]: "[| evs:p; Nonce n ~:used evs;
  45.101 +lemma Nonce_not_used_Guard [dest]: "[| evs \<in> p; Nonce n \<notin> used evs;
  45.102  Gets_correct p; one_step p |] ==> Guard n Ks (knows (Friend C) evs)"
  45.103  by (auto simp: Guard_def dest: known_used parts_trans)
  45.104  
  45.105 -lemma Nonce_not_used_Guard_max [dest]: "[| evs:p; Nonce n ~:used evs;
  45.106 +lemma Nonce_not_used_Guard_max [dest]: "[| evs \<in> p; Nonce n \<notin> used evs;
  45.107  Gets_correct p; one_step p |] ==> Guard n Ks (knows_max (Friend C) evs)"
  45.108  by (auto simp: Guard_def dest: known_max_used parts_trans)
  45.109  
  45.110 -lemma Nonce_not_used_Guard_max' [dest]: "[| evs:p; Nonce n ~:used evs;
  45.111 +lemma Nonce_not_used_Guard_max' [dest]: "[| evs \<in> p; Nonce n \<notin> used evs;
  45.112  Gets_correct p; one_step p |] ==> Guard n Ks (knows_max' (Friend C) evs)"
  45.113  apply (rule_tac H="knows_max (Friend C) evs" in Guard_mono)
  45.114  by (auto simp: knows_max_def)
  45.115  
  45.116  subsubsection\<open>guardedness results on keys\<close>
  45.117  
  45.118 -lemma GuardK_init [simp]: "n ~:range shrK ==> GuardK n Ks (initState B)"
  45.119 +lemma GuardK_init [simp]: "n \<notin> range shrK \<Longrightarrow> GuardK n Ks (initState B)"
  45.120  by (induct B, auto simp: GuardK_def initState.simps)
  45.121  
  45.122 -lemma GuardK_knows_max': "[| GuardK n A (knows_max' C evs); n ~:range shrK |]
  45.123 +lemma GuardK_knows_max': "[| GuardK n A (knows_max' C evs); n \<notin> range shrK |]
  45.124  ==> GuardK n A (knows_max C evs)"
  45.125  by (simp add: knows_max_def)
  45.126  
  45.127 -lemma Key_not_used_GuardK_spies [dest]: "Key n ~:used evs
  45.128 -==> GuardK n A (spies evs)"
  45.129 +lemma Key_not_used_GuardK_spies [dest]: "Key n \<notin> used evs
  45.130 +\<Longrightarrow> GuardK n A (spies evs)"
  45.131  by (auto simp: GuardK_def dest: not_used_not_known parts_sub)
  45.132  
  45.133 -lemma Key_not_used_GuardK [dest]: "[| evs:p; Key n ~:used evs;
  45.134 +lemma Key_not_used_GuardK [dest]: "[| evs \<in> p; Key n \<notin> used evs;
  45.135  Gets_correct p; one_step p |] ==> GuardK n A (knows (Friend C) evs)"
  45.136  by (auto simp: GuardK_def dest: known_used parts_trans)
  45.137  
  45.138 -lemma Key_not_used_GuardK_max [dest]: "[| evs:p; Key n ~:used evs;
  45.139 +lemma Key_not_used_GuardK_max [dest]: "[| evs \<in> p; Key n \<notin> used evs;
  45.140  Gets_correct p; one_step p |] ==> GuardK n A (knows_max (Friend C) evs)"
  45.141  by (auto simp: GuardK_def dest: known_max_used parts_trans)
  45.142  
  45.143 -lemma Key_not_used_GuardK_max' [dest]: "[| evs:p; Key n ~:used evs;
  45.144 +lemma Key_not_used_GuardK_max' [dest]: "[| evs \<in> p; Key n \<notin> used evs;
  45.145  Gets_correct p; one_step p |] ==> GuardK n A (knows_max' (Friend C) evs)"
  45.146  apply (rule_tac H="knows_max (Friend C) evs" in GuardK_mono)
  45.147  by (auto simp: knows_max_def)
  45.148 @@ -149,18 +149,18 @@
  45.149  subsubsection\<open>regular protocols\<close>
  45.150  
  45.151  definition regular :: "event list set => bool" where
  45.152 -"regular p == ALL evs A. evs:p --> (Key (shrK A):parts (spies evs)) = (A:bad)"
  45.153 +"regular p \<equiv> \<forall>evs A. evs \<in> p \<longrightarrow> (Key (shrK A) \<in> parts (spies evs)) = (A \<in> bad)"
  45.154  
  45.155 -lemma shrK_parts_iff_bad [simp]: "[| evs:p; regular p |] ==>
  45.156 -(Key (shrK A):parts (spies evs)) = (A:bad)"
  45.157 +lemma shrK_parts_iff_bad [simp]: "[| evs \<in> p; regular p |] ==>
  45.158 +(Key (shrK A) \<in> parts (spies evs)) = (A \<in> bad)"
  45.159  by (auto simp: regular_def)
  45.160  
  45.161 -lemma shrK_analz_iff_bad [simp]: "[| evs:p; regular p |] ==>
  45.162 -(Key (shrK A):analz (spies evs)) = (A:bad)"
  45.163 +lemma shrK_analz_iff_bad [simp]: "[| evs \<in> p; regular p |] ==>
  45.164 +(Key (shrK A) \<in> analz (spies evs)) = (A \<in> bad)"
  45.165  by auto
  45.166  
  45.167 -lemma Guard_Nonce_analz: "[| Guard n Ks (spies evs); evs:p;
  45.168 -shrK_set Ks; good Ks; regular p |] ==> Nonce n ~:analz (spies evs)"
  45.169 +lemma Guard_Nonce_analz: "[| Guard n Ks (spies evs); evs \<in> p;
  45.170 +shrK_set Ks; good Ks; regular p |] ==> Nonce n \<notin> analz (spies evs)"
  45.171  apply (clarify, simp only: knows_decomp)
  45.172  apply (drule Guard_invKey_keyset, simp+, safe)
  45.173  apply (drule in_good, simp)
    46.1 --- a/src/HOL/Auth/Guard/Guard_Yahalom.thy	Tue Feb 13 14:24:50 2018 +0100
    46.2 +++ b/src/HOL/Auth/Guard/Guard_Yahalom.thy	Thu Feb 15 12:11:00 2018 +0100
    46.3 @@ -50,20 +50,20 @@
    46.4  inductive_set ya :: "event list set"
    46.5  where
    46.6  
    46.7 -  Nil: "[]:ya"
    46.8 +  Nil: "[] \<in> ya"
    46.9  
   46.10 -| Fake: "[| evs:ya; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs:ya"
   46.11 +| Fake: "[| evs \<in> ya; X \<in> synth (analz (spies evs)) |] ==> Says Spy B X # evs \<in> ya"
   46.12  
   46.13 -| YA1: "[| evs1:ya; Nonce NA ~:used evs1 |] ==> ya1 A B NA # evs1:ya"
   46.14 +| YA1: "[| evs1 \<in> ya; Nonce NA \<notin> used evs1 |] ==> ya1 A B NA # evs1 \<in> ya"
   46.15  
   46.16 -| YA2: "[| evs2:ya; ya1' A' A B NA:set evs2; Nonce NB ~:used evs2 |]
   46.17 -  ==> ya2 A B NA NB # evs2:ya"
   46.18 +| YA2: "[| evs2 \<in> ya; ya1' A' A B NA \<in> set evs2; Nonce NB \<notin> used evs2 |]
   46.19 +  ==> ya2 A B NA NB # evs2 \<in> ya"
   46.20  
   46.21 -| YA3: "[| evs3:ya; ya2' B' A B NA NB:set evs3; Key K ~:used evs3 |]
   46.22 -  ==> ya3 A B NA NB K # evs3:ya"
   46.23 +| YA3: "[| evs3 \<in> ya; ya2' B' A B NA NB \<in> set evs3; Key K \<notin> used evs3 |]
   46.24 +  ==> ya3 A B NA NB K # evs3 \<in> ya"
   46.25  
   46.26 -| YA4: "[| evs4:ya; ya1 A B NA:set evs4; ya3' S Y A B NA NB K:set evs4 |]
   46.27 -  ==> ya4 A B K NB Y # evs4:ya"
   46.28 +| YA4: "[| evs4 \<in> ya; ya1 A B NA \<in> set evs4; ya3' S Y A B NA NB K \<in> set evs4 |]
   46.29 +  ==> ya4 A B K NB Y # evs4 \<in> ya"
   46.30  
   46.31  subsection\<open>declarations for tactics\<close>
   46.32  
   46.33 @@ -73,17 +73,17 @@
   46.34  
   46.35  subsection\<open>general properties of ya\<close>
   46.36  
   46.37 -lemma ya_has_no_Gets: "evs:ya ==> ALL A X. Gets A X ~:set evs"
   46.38 +lemma ya_has_no_Gets: "evs \<in> ya \<Longrightarrow> \<forall>A X. Gets A X \<notin> set evs"
   46.39  by (erule ya.induct, auto)
   46.40  
   46.41  lemma ya_is_Gets_correct [iff]: "Gets_correct ya"
   46.42  by (auto simp: Gets_correct_def dest: ya_has_no_Gets)
   46.43  
   46.44  lemma ya_is_one_step [iff]: "one_step ya"
   46.45 -by (unfold one_step_def, clarify, ind_cases "ev#evs:ya" for ev evs, auto)
   46.46 +by (unfold one_step_def, clarify, ind_cases "ev#evs \<in> ya" for ev evs, auto)
   46.47  
   46.48 -lemma ya_has_only_Says' [rule_format]: "evs:ya ==>
   46.49 -ev:set evs --> (EX A B X. ev=Says A B X)"
   46.50 +lemma ya_has_only_Says' [rule_format]: "evs \<in> ya \<Longrightarrow>
   46.51 +ev \<in> set evs \<longrightarrow> (\<exists>A B X. ev=Says A B X)"
   46.52  by (erule ya.induct, auto)
   46.53  
   46.54  lemma ya_has_only_Says [iff]: "has_only_Says ya"
   46.55 @@ -96,8 +96,8 @@
   46.56  
   46.57  subsection\<open>guardedness of KAB\<close>
   46.58  
   46.59 -lemma Guard_KAB [rule_format]: "[| evs:ya; A ~:bad; B ~:bad |] ==>
   46.60 -ya3 A B NA NB K:set evs --> GuardK K {shrK A,shrK B} (spies evs)" 
   46.61 +lemma Guard_KAB [rule_format]: "[| evs \<in> ya; A \<notin> bad; B \<notin> bad |] ==>
   46.62 +ya3 A B NA NB K \<in> set evs \<longrightarrow> GuardK K {shrK A,shrK B} (spies evs)" 
   46.63  apply (erule ya.induct)
   46.64  (* Nil *)
   46.65  apply simp_all
   46.66 @@ -117,55 +117,55 @@
   46.67  
   46.68  subsection\<open>session keys are not symmetric keys\<close>
   46.69  
   46.70 -lemma KAB_isnt_shrK [rule_format]: "evs:ya ==>
   46.71 -ya3 A B NA NB K:set evs --> K ~:range shrK"
   46.72 +lemma KAB_isnt_shrK [rule_format]: "evs \<in> ya \<Longrightarrow>
   46.73 +ya3 A B NA NB K \<in> set evs \<longrightarrow> K \<notin> range shrK"
   46.74  by (erule ya.induct, auto)
   46.75  
   46.76 -lemma ya3_shrK: "evs:ya ==> ya3 A B NA NB (shrK C) ~:set evs"
   46.77 +lemma ya3_shrK: "evs \<in> ya \<Longrightarrow> ya3 A B NA NB (shrK C) \<notin> set evs"
   46.78  by (blast dest: KAB_isnt_shrK)
   46.79  
   46.80  subsection\<open>ya2' implies ya1'\<close>
   46.81  
   46.82  lemma ya2'_parts_imp_ya1'_parts [rule_format]:
   46.83 -     "[| evs:ya; B ~:bad |] ==>
   46.84 -      Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>:parts (spies evs) -->
   46.85 -      \<lbrace>Agent A, Nonce NA\<rbrace>:spies evs"
   46.86 +     "[| evs \<in> ya; B \<notin> bad |] ==>
   46.87 +      Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace> \<in> parts (spies evs) \<longrightarrow>
   46.88 +      \<lbrace>Agent A, Nonce NA\<rbrace> \<in> spies evs"
   46.89  by (erule ya.induct, auto dest: Says_imp_spies intro: parts_parts)
   46.90  
   46.91 -lemma ya2'_imp_ya1'_parts: "[| ya2' B' A B NA NB:set evs; evs:ya; B ~:bad |]
   46.92 -==> \<lbrace>Agent A, Nonce NA\<rbrace>:spies evs"
   46.93 +lemma ya2'_imp_ya1'_parts: "[| ya2' B' A B NA NB \<in> set evs; evs \<in> ya; B \<notin> bad |]
   46.94 +==> \<lbrace>Agent A, Nonce NA\<rbrace> \<in> spies evs"
   46.95  by (blast dest: Says_imp_spies ya2'_parts_imp_ya1'_parts)
   46.96  
   46.97  subsection\<open>uniqueness of NB\<close>
   46.98  
   46.99 -lemma NB_is_uniq_in_ya2'_parts [rule_format]: "[| evs:ya; B ~:bad; B' ~:bad |] ==>
  46.100 -Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>:parts (spies evs) -->
  46.101 -Ciph B' \<lbrace>Agent A', Nonce NA', Nonce NB\<rbrace>:parts (spies evs) -->
  46.102 -A=A' & B=B' & NA=NA'"
  46.103 +lemma NB_is_uniq_in_ya2'_parts [rule_format]: "[| evs \<in> ya; B \<notin> bad; B' \<notin> bad |] ==>
  46.104 +Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace> \<in> parts (spies evs) \<longrightarrow>
  46.105 +Ciph B' \<lbrace>Agent A', Nonce NA', Nonce NB\<rbrace> \<in> parts (spies evs) \<longrightarrow>
  46.106 +A=A' \<and> B=B' \<and> NA=NA'"
  46.107  apply (erule ya.induct, simp_all, clarify)
  46.108  apply (drule Crypt_synth_insert, simp+)
  46.109  apply (drule Crypt_synth_insert, simp+, safe)
  46.110  apply (drule not_used_parts_false, simp+)+
  46.111  by (drule Says_not_parts, simp+)+
  46.112  
  46.113 -lemma NB_is_uniq_in_ya2': "[| ya2' C A B NA NB:set evs;
  46.114 -ya2' C' A' B' NA' NB:set evs; evs:ya; B ~:bad; B' ~:bad |]
  46.115 -==> A=A' & B=B' & NA=NA'"
  46.116 +lemma NB_is_uniq_in_ya2': "[| ya2' C A B NA NB \<in> set evs;
  46.117 +ya2' C' A' B' NA' NB \<in> set evs; evs \<in> ya; B \<notin> bad; B' \<notin> bad |]
  46.118 +==> A=A' \<and> B=B' \<and> NA=NA'"
  46.119  by (drule NB_is_uniq_in_ya2'_parts, auto dest: Says_imp_spies)
  46.120  
  46.121  subsection\<open>ya3' implies ya2'\<close>
  46.122  
  46.123 -lemma ya3'_parts_imp_ya2'_parts [rule_format]: "[| evs:ya; A ~:bad |] ==>
  46.124 -Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>:parts (spies evs)
  46.125 ---> Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace>:parts (spies evs)"
  46.126 +lemma ya3'_parts_imp_ya2'_parts [rule_format]: "[| evs \<in> ya; A \<notin> bad |] ==>
  46.127 +Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace> \<in> parts (spies evs)
  46.128 +\<longrightarrow> Ciph B \<lbrace>Agent A, Nonce NA, Nonce NB\<rbrace> \<in> parts (spies evs)"
  46.129  apply (erule ya.induct, simp_all)
  46.130  apply (clarify, drule Crypt_synth_insert, simp+)
  46.131  apply (blast intro: parts_sub, blast)
  46.132  by (auto dest: Says_imp_spies parts_parts)
  46.133  
  46.134 -lemma ya3'_parts_imp_ya2' [rule_format]: "[| evs:ya; A ~:bad |] ==>
  46.135 -Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>:parts (spies evs)
  46.136 ---> (EX B'. ya2' B' A B NA NB:set evs)"
  46.137 +lemma ya3'_parts_imp_ya2' [rule_format]: "[| evs \<in> ya; A \<notin> bad |] ==>
  46.138 +Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace> \<in> parts (spies evs)
  46.139 +\<longrightarrow> (\<exists>B'. ya2' B' A B NA NB \<in> set evs)"
  46.140  apply (erule ya.induct, simp_all, safe)
  46.141  apply (drule Crypt_synth_insert, simp+)
  46.142  apply (drule Crypt_synth_insert, simp+, blast)
  46.143 @@ -173,30 +173,30 @@
  46.144  apply blast
  46.145  by (auto dest: Says_imp_spies2 parts_parts)
  46.146  
  46.147 -lemma ya3'_imp_ya2': "[| ya3' S Y A B NA NB K:set evs; evs:ya; A ~:bad |]
  46.148 -==> (EX B'. ya2' B' A B NA NB:set evs)"
  46.149 +lemma ya3'_imp_ya2': "[| ya3' S Y A B NA NB K \<in> set evs; evs \<in> ya; A \<notin> bad |]
  46.150 +==> (\<exists>B'. ya2' B' A B NA NB \<in> set evs)"
  46.151  by (drule ya3'_parts_imp_ya2', auto dest: Says_imp_spies)
  46.152  
  46.153  subsection\<open>ya3' implies ya3\<close>
  46.154  
  46.155 -lemma ya3'_parts_imp_ya3 [rule_format]: "[| evs:ya; A ~:bad |] ==>
  46.156 -Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace>:parts(spies evs)
  46.157 ---> ya3 A B NA NB K:set evs"
  46.158 +lemma ya3'_parts_imp_ya3 [rule_format]: "[| evs \<in> ya; A \<notin> bad |] ==>
  46.159 +Ciph A \<lbrace>Agent B, Key K, Nonce NA, Nonce NB\<rbrace> \<in> parts(spies evs)
  46.160 +\<longrightarrow> ya3 A B NA NB K \<in> set evs"
  46.161  apply (erule ya.induct, simp_all, safe)
  46.162  apply (drule Crypt_synth_insert, simp+)
  46.163  by (blast dest: Says_imp_spies2 parts_parts)
  46.164  
  46.165 -lemma ya3'_imp_ya3: "[| ya3' S Y A B NA NB K:set evs; evs:ya; A ~:bad |]
  46.166 -==> ya3 A B NA NB K:set evs"
  46.167 +lemma ya3'_imp_ya3: "[| ya3' S Y A B NA NB K \<in> set evs; evs \<in> ya; A \<notin> bad |]
  46.168 +==> ya3 A B NA NB K \<in> set evs"
  46.169  by (blast dest: Says_imp_spies ya3'_parts_imp_ya3)
  46.170  
  46.171  subsection\<open>guardedness of NB\<close>
  46.172  
  46.173 -definition ya_keys :: "agent => agent => nat => nat => event list => key set" where
  46.174 -"ya_keys A B NA NB evs == {shrK A,shrK B} Un {K. ya3 A B NA NB K:set evs}"
  46.175 +definition ya_keys :: "agent \<Rightarrow> agent \<Rightarrow> nat \<Rightarrow> nat \<Rightarrow> event list \<Rightarrow> key set" where
  46.176 +"ya_keys A B NA NB evs \<equiv> {shrK A,shrK B} \<union> {K. ya3 A B NA NB K \<in> set evs}"
  46.177  
  46.178 -lemma Guard_NB [rule_format]: "[| evs:ya; A ~:bad; B ~:bad |] ==>
  46.179 -ya2 A B NA NB:set evs --> Guard NB (ya_keys A B NA NB evs) (spies evs)"
  46.180 +lemma Guard_NB [rule_format]: "[| evs \<in> ya; A \<notin> bad; B \<notin> bad |] ==>
  46.181 +ya2 A B NA NB \<in> set evs \<longrightarrow> Guard NB (ya_keys A B NA NB evs) (spies evs)"
  46.182  apply (erule ya.induct)
  46.183  (* Nil *)
  46.184  apply (simp_all add: ya_keys_def)
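Review bot: `ya_keys` is the set of keys under which `NB` is allowed to appear in the guardedness statement `Guard NB (ya_keys A B NA NB evs) (spies evs)`, yet the definition carries no comment saying so. Suggest documenting it as `(* keys allowed to guard NB: the long-term keys of A and B plus every K for which a ya3 A B NA NB K event occurred *)`; the earlier lemma `KAB_isnt_shrK` is what guarantees that the second component is disjoint from `range shrK`, which is worth mentioning next to the definition. The proof of `Guard_NB` continues outside the hunk.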
    47.1 --- a/src/HOL/Auth/Guard/List_Msg.thy	Tue Feb 13 14:24:50 2018 +0100
    47.2 +++ b/src/HOL/Auth/Guard/List_Msg.thy	Thu Feb 15 12:11:00 2018 +0100
    47.3 @@ -37,7 +37,7 @@
    47.4  "len (cons x l) = Suc (len l)" |
    47.5  "len other = 0"
    47.6  
    47.7 -lemma len_not_empty: "n < len l ==> EX x l'. l = cons x l'"
    47.8 +lemma len_not_empty: "n < len l \<Longrightarrow> \<exists>x l'. l = cons x l'"
    47.9  by (cases l) auto
   47.10  
   47.11  subsubsection\<open>membership\<close>
   47.12 @@ -113,36 +113,36 @@
   47.13  
   47.14  inductive_set agl :: "msg set"
   47.15  where
   47.16 -  Nil[intro]: "nil:agl"
   47.17 -| Cons[intro]: "[| A:agent; I:agl |] ==> cons (Agent A) I :agl"
   47.18 +  Nil[intro]: "nil \<in> agl"
   47.19 +| Cons[intro]: "[| A \<in> agent; I \<in> agl |] ==> cons (Agent A) I \<in> agl"
   47.20  
   47.21  subsubsection\<open>basic facts about agent lists\<close>
   47.22  
   47.23 -lemma del_in_agl [intro]: "I:agl ==> del (a,I):agl"
   47.24 +lemma del_in_agl [intro]: "I \<in> agl \<Longrightarrow> del (a,I) \<in> agl"
   47.25  by (erule agl.induct, auto)
   47.26  
   47.27 -lemma app_in_agl [intro]: "[| I:agl; J:agl |] ==> app (I,J):agl"
   47.28 +lemma app_in_agl [intro]: "[| I \<in> agl; J \<in> agl |] ==> app (I,J) \<in> agl"
   47.29  by (erule agl.induct, auto)
   47.30  
   47.31 -lemma no_Key_in_agl: "I:agl ==> Key K ~:parts {I}"
   47.32 +lemma no_Key_in_agl: "I \<in> agl \<Longrightarrow> Key K \<notin> parts {I}"
   47.33  by (erule agl.induct, auto)
   47.34  
   47.35 -lemma no_Nonce_in_agl: "I:agl ==> Nonce n ~:parts {I}"
   47.36 +lemma no_Nonce_in_agl: "I \<in> agl \<Longrightarrow> Nonce n \<notin> parts {I}"
   47.37  by (erule agl.induct, auto)
   47.38  
   47.39 -lemma no_Key_in_appdel: "[| I:agl; J:agl |] ==>
   47.40 -Key K ~:parts {app (J, del (Agent B, I))}"
   47.41 +lemma no_Key_in_appdel: "[| I \<in> agl; J \<in> agl |] ==>
   47.42 +Key K \<notin> parts {app (J, del (Agent B, I))}"
   47.43  by (rule no_Key_in_agl, auto)
   47.44  
   47.45 -lemma no_Nonce_in_appdel: "[| I:agl; J:agl |] ==>
   47.46 -Nonce n ~:parts {app (J, del (Agent B, I))}"
   47.47 +lemma no_Nonce_in_appdel: "[| I \<in> agl; J \<in> agl |] ==>
   47.48 +Nonce n \<notin> parts {app (J, del (Agent B, I))}"
   47.49  by (rule no_Nonce_in_agl, auto)
   47.50  
   47.51 -lemma no_Crypt_in_agl: "I:agl ==> Crypt K X ~:parts {I}"
   47.52 +lemma no_Crypt_in_agl: "I \<in> agl \<Longrightarrow> Crypt K X \<notin> parts {I}"
   47.53  by (erule agl.induct, auto)
   47.54  
   47.55 -lemma no_Crypt_in_appdel: "[| I:agl; J:agl |] ==>
   47.56 -Crypt K X ~:parts {app (J, del (Agent B,I))}"
   47.57 +lemma no_Crypt_in_appdel: "[| I \<in> agl; J \<in> agl |] ==>
   47.58 +Crypt K X \<notin> parts {app (J, del (Agent B,I))}"
   47.59  by (rule no_Crypt_in_agl, auto)
   47.60  
   47.61  end
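--- a/src/HOL/Auth/Guard/P1.thy	Tue Feb 13 14:24:50 2018 +0100
+++ b/src/HOL/Auth/Guard/P1.thy	Thu Feb 15 12:11:00 2018 +0100
@@ -45,7 +45,7 @@
 = (B=B' & ofr=ofr' & A=A' & head L = head L' & C=C')"
 by (auto simp: chain_def Let_def)
 
-lemma Nonce_in_chain [iff]: "Nonce ofr:parts {chain B ofr A L C}"
+lemma Nonce_in_chain [iff]: "Nonce ofr \<in> parts {chain B ofr A L C}"
 by (auto simp: chain_def sign_def)
 
 subsubsection\<open>agent whose key is used to sign an offer\<close>
@@ -81,7 +81,7 @@
 = (A=A' & n=n' & B=B')"
 by (auto simp: anchor_def)
 
-lemma Nonce_in_anchor [iff]: "Nonce n:parts {anchor A n B}"
+lemma Nonce_in_anchor [iff]: "Nonce n \<in> parts {anchor A n B}"
 by (auto simp: anchor_def)
 
 lemma shop_anchor [simp]: "shop (anchor A n B) = Agent A"
@@ -103,7 +103,7 @@
 = (A=A' & r=r' & n=n' & I=I' & B=B')"
 by (auto simp: reqm_def)
 
-lemma Nonce_in_reqm [iff]: "Nonce n:parts {reqm A r n I B}"
+lemma Nonce_in_reqm [iff]: "Nonce n \<in> parts {reqm A r n I B}"
 by (auto simp: reqm_def)
 
 definition req :: "agent => nat => nat => msg => agent => event" where
@@ -125,7 +125,7 @@
 ==> B=B' & ofr=ofr' & A=A' & r=r' & L=L' & C=C'"
 by (auto simp: prom_def)
 
-lemma Nonce_in_prom [iff]: "Nonce ofr:parts {prom B ofr A r I L J C}"
+lemma Nonce_in_prom [iff]: "Nonce ofr \<in> parts {prom B ofr A r I L J C}"
 by (auto simp: prom_def)
 
 definition pro :: "agent => nat => agent => nat => msg => msg =>
@@ -141,21 +141,21 @@
 inductive_set p1 :: "event list set"
 where
 
-  Nil: "[]:p1"
+  Nil: "[] \<in> p1"
 
-| Fake: "[| evsf:p1; X:synth (analz (spies evsf)) |] ==> Says Spy B X # evsf : p1"
+| Fake: "[| evsf \<in> p1; X \<in> synth (analz (spies evsf)) |] ==> Says Spy B X # evsf \<in> p1"
 
-| Request: "[| evsr:p1; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p1"
+| Request: "[| evsr \<in> p1; Nonce n \<notin> used evsr; I \<in> agl |] ==> req A r n I B # evsr \<in> p1"
 
-| Propose: "[| evsp:p1; Says A' B \<lbrace>Agent A,Number r,I,cons M L\<rbrace>:set evsp;
-  I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
-  Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p1"
+| Propose: "[| evsp \<in> p1; Says A' B \<lbrace>Agent A,Number r,I,cons M L\<rbrace> \<in> set evsp;
+  I \<in> agl; J \<in> agl; isin (Agent C, app (J, del (Agent B, I)));
+  Nonce ofr \<notin> used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp \<in> p1"
 
 subsubsection\<open>Composition of Traces\<close>
 
-lemma "evs':p1 ==> 
-       evs:p1 & (ALL n. Nonce n:used evs' --> Nonce n ~:used evs) --> 
-       evs'@evs : p1"
+lemma "evs' \<in> p1 \<Longrightarrow>
+       evs \<in> p1 \<and> (\<forall>n. Nonce n \<in> used evs' \<longrightarrow> Nonce n \<notin> used evs) \<longrightarrow>
+       evs' @ evs \<in> p1"
 apply (erule p1.induct, safe) 
 apply (simp_all add: used_ConsI) 
 apply (erule p1.Fake, erule synth_sub, rule analz_mono, rule knows_sub_app)
@@ -168,30 +168,30 @@
 subsubsection\<open>Valid Offer Lists\<close>
 
 inductive_set
-  valid :: "agent => nat => agent => msg set"
+  valid :: "agent \<Rightarrow> nat \<Rightarrow> agent \<Rightarrow> msg set"
   for A :: agent and n :: nat and B :: agent
 where
-  Request [intro]: "cons (anchor A n B) nil:valid A n B"
+  Request [intro]: "cons (anchor A n B) nil \<in> valid A n B"
 
-| Propose [intro]: "L:valid A n B
-==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B"
+| Propose [intro]: "L \<in> valid A n B
+\<Longrightarrow> cons (chain (next_shop (head L)) ofr A L C) L \<in> valid A n B"
 
 subsubsection\<open>basic properties of valid\<close>
 
-lemma valid_not_empty: "L:valid A n B ==> EX M L'. L = cons M L'"
+lemma valid_not_empty: "L \<in> valid A n B \<Longrightarrow> \<exists>M L'. L = cons M L'"
 by (erule valid.cases, auto)
 
-lemma valid_pos_len: "L:valid A n B ==> 0 < len L"
+lemma valid_pos_len: "L \<in> valid A n B \<Longrightarrow> 0 < len L"
 by (erule valid.induct, auto)
 
 subsubsection\<open>offers of an offer list\<close>
 
-definition offer_nonces :: "msg => msg set" where
-"offer_nonces L == {X. X:parts {L} & (EX n. X = Nonce n)}"
+definition offer_nonces :: "msg \<Rightarrow> msg set" where
+"offer_nonces L \<equiv> {X. X \<in> parts {L} \<and> (\<exists>n. X = Nonce n)}"
 
 subsubsection\<open>the originator can get the offers\<close>
 
-lemma "L:valid A n B ==> offer_nonces L <= analz (insert L (initState A))"
+lemma "L \<in> valid A n B \<Longrightarrow> offer_nonces L \<subseteq> analz (insert L (initState A))"
 by (erule valid.induct, auto simp: anchor_def chain_def sign_def
 offer_nonces_def initState.simps)
 
@@ -207,22 +207,22 @@
 "shops (cons M L) = cons (shop M) (shops L)" |
 "shops other = other"
 
-lemma shops_in_agl: "L:valid A n B ==> shops L:agl"
+lemma shops_in_agl: "L \<in> valid A n B \<Longrightarrow> shops L \<in> agl"
 by (erule valid.induct, auto simp: anchor_def chain_def sign_def)
 
 subsubsection\<open>builds a trace from an itinerary\<close>
 
-fun offer_list :: "agent * nat * agent * msg * nat => msg" where
+fun offer_list :: "agent \<times> nat \<times> agent \<times> msg \<times> nat \<Rightarrow> msg" where
 "offer_list (A,n,B,nil,ofr) = cons (anchor A n B) nil" |
 "offer_list (A,n,B,cons (Agent C) I,ofr) = (
 let L = offer_list (A,n,B,I,Suc ofr) in
 cons (chain (next_shop (head L)) ofr A L C) L)"
 
-lemma "I:agl ==> ALL ofr. offer_list (A,n,B,I,ofr):valid A n B"
+lemma "I \<in> agl \<Longrightarrow> \<forall>ofr. offer_list (A,n,B,I,ofr) \<in> valid A n B"
 by (erule agl.induct, auto)
 
-fun trace :: "agent * nat * agent * nat * msg * msg * msg
-=> event list" where
+fun trace :: "agent \<times> nat \<times> agent \<times> nat \<times> msg \<times> msg \<times> msg
+\<Rightarrow> event list" where
 "trace (B,ofr,A,r,I,L,nil) = []" |
 "trace (B,ofr,A,r,I,L,cons (Agent D) K) = (
 let C = (if K=nil then B else agt_nb (head K)) in
@@ -232,8 +232,8 @@
 pro C (Suc ofr) A r I' L nil D
 # trace (B,Suc ofr,A,r,I'',tail L,K))"
 
-definition trace' :: "agent => nat => nat => msg => agent => nat => event list" where
-"trace' A r n I B ofr == (
+definition trace' :: "agent \<Rightarrow> nat \<Rightarrow> nat \<Rightarrow> msg \<Rightarrow> agent \<Rightarrow> nat \<Rightarrow> event list" where
+"trace' A r n I B ofr \<equiv> (
 let AI = cons (Agent A) I in
 let L = offer_list (A,n,B,AI,ofr) in
 trace (B,ofr,A,r,nil,L,AI))"
@@ -242,8 +242,8 @@
 
 subsubsection\<open>there is a trace in which the originator receives a valid answer\<close>
 
-lemma p1_not_empty: "evs:p1 ==> req A r n I B:set evs -->
-(EX evs'. evs'@evs:p1 & pro B' ofr A r I' L J A:set evs' & L:valid A n B)"
+lemma p1_not_empty: "evs \<in> p1 \<Longrightarrow> req A r n I B \<in> set evs \<longrightarrow>
+(\<exists>evs'. evs' @ evs \<in> p1 \<and> pro B' ofr A r I' L J A \<in> set evs' \<and> L \<in> valid A n B)"
 oops
 
 
@@ -255,66 +255,66 @@
 subsubsection\<open>strong forward integrity:
 except the last one, no offer can be modified\<close>
 
-lemma strong_forward_integrity: "ALL L. Suc i < len L
---> L:valid A n B & repl (L,Suc i,M):valid A n B --> M = ith (L,Suc i)"
+lemma strong_forward_integrity: "\<forall>L. Suc i < len L
+\<longrightarrow> L \<in> valid A n B \<and> repl (L,Suc i,M) \<in> valid A n B \<longrightarrow> M = ith (L,Suc i)"
 apply (induct i)
 (* i = 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>x,xa,l'a\<rbrace>:valid A n B" for x xa l'a)
-apply (ind_cases "\<lbrace>x,M,l'a\<rbrace>:valid A n B" for x l'a)
+apply (ind_cases "\<lbrace>x,xa,l'a\<rbrace> \<in> valid A n B" for x xa l'a)
+apply (ind_cases "\<lbrace>x,M,l'a\<rbrace> \<in> valid A n B" for x l'a)
 apply (simp add: chain_def)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>x,repl(l',Suc na,M)\<rbrace>:valid A n B" for x l' na)
+apply (ind_cases "\<lbrace>x,repl(l',Suc na,M)\<rbrace> \<in> valid A n B" for x l' na)
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l')
 by (drule_tac x=l' in spec, simp, blast)
 
 subsubsection\<open>insertion resilience:
 except at the beginning, no offer can be inserted\<close>
 
-lemma chain_isnt_head [simp]: "L:valid A n B ==>
-head L ~= chain (next_shop (head L)) ofr A L C"
+lemma chain_isnt_head [simp]: "L \<in> valid A n B \<Longrightarrow>
+head L \<noteq> chain (next_shop (head L)) ofr A L C"
 by (erule valid.induct, auto simp: chain_def sign_def anchor_def)
 
-lemma insertion_resilience: "ALL L. L:valid A n B --> Suc i < len L
---> ins (L,Suc i,M) ~:valid A n B"
+lemma insertion_resilience: "\<forall>L. L \<in> valid A n B \<longrightarrow> Suc i < len L
+\<longrightarrow> ins (L,Suc i,M) \<notin> valid A n B"
 apply (induct i)
 (* i = 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l', simp)
-apply (ind_cases "\<lbrace>x,M,l'\<rbrace>:valid A n B" for x l', clarsimp)
-apply (ind_cases "\<lbrace>head l',l'\<rbrace>:valid A n B" for l', simp, simp)
+apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l', simp)
+apply (ind_cases "\<lbrace>x,M,l'\<rbrace> \<in> valid A n B" for x l', clarsimp)
+apply (ind_cases "\<lbrace>head l',l'\<rbrace> \<in> valid A n B" for l', simp, simp)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>x,ins(l',Suc na,M)\<rbrace>:valid A n B" for x l' na)
+apply (ind_cases "\<lbrace>x,ins(l',Suc na,M)\<rbrace> \<in> valid A n B" for x l' na)
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
 subsubsection\<open>truncation resilience:
 only shop i can truncate at offer i\<close>
 
-lemma truncation_resilience: "ALL L. L:valid A n B --> Suc i < len L
---> cons M (trunc (L,Suc i)):valid A n B --> shop M = shop (ith (L,i))"
+lemma truncation_resilience: "\<forall>L. L \<in> valid A n B \<longrightarrow> Suc i < len L
+\<longrightarrow> cons M (trunc (L,Suc i)) \<in> valid A n B \<longrightarrow> shop M = shop (ith (L,i))"
 apply (induct i)
 (* i = 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>M,l'\<rbrace>:valid A n B" for l')
+apply (ind_cases "\<lbrace>M,l'\<rbrace> \<in> valid A n B" for l')
 apply (frule len_not_empty, clarsimp, simp)
 (* i > 0 *)
 apply clarify
 apply (frule len_not_empty, clarsimp)
-apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
+apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l')
 apply (frule len_not_empty, clarsimp)
 by (drule_tac x=l' in spec, clarsimp)
 
@@ -326,37 +326,37 @@
 
 subsubsection\<open>get components of a message\<close>
 
-lemma get_ML [dest]: "Says A' B \<lbrace>A,r,I,M,L\<rbrace>:set evs ==>
-M:parts (spies evs) & L:parts (spies evs)"
+lemma get_ML [dest]: "Says A' B \<lbrace>A,r,I,M,L\<rbrace> \<in> set evs \<Longrightarrow>
+M \<in> parts (spies evs) \<and> L \<in> parts (spies evs)"
 by blast
 
 subsubsection\<open>general properties of p1\<close>
 
 lemma reqm_neq_prom [iff]:
-"reqm A r n I B ~= prom B' ofr A' r' I' (cons M L) J C"
+"reqm A r n I B \<noteq> prom B' ofr A' r' I' (cons M L) J C"
 by (auto simp: reqm_def prom_def)
 
 lemma prom_neq_reqm [iff]:
-"prom B' ofr A' r' I' (cons M L) J C ~= reqm A r n I B"
+"prom B' ofr A' r' I' (cons M L) J C \<noteq> reqm A r n I B"
 by (auto simp: reqm_def prom_def)
 
-lemma req_neq_pro [iff]: "req A r n I B ~= pro B' ofr A' r' I' (cons M L) J C"
+lemma req_neq_pro [iff]: "req A r n I B \<noteq> pro B' ofr A' r' I' (cons M L) J C"
 by (auto simp: req_def pro_def)
 
-lemma pro_neq_req [iff]: "pro B' ofr A' r' I' (cons M L) J C ~= req A r n I B"
+lemma pro_neq_req [iff]: "pro B' ofr A' r' I' (cons M L) J C \<noteq> req A r n I B"
 by (auto simp: req_def pro_def)
 
-lemma p1_has_no_Gets: "evs:p1 ==> ALL A X. Gets A X ~:set evs"
+lemma p1_has_no_Gets: "evs \<in> p1 \<Longrightarrow> \<forall>A X. Gets A X \<notin> set evs"
 by (erule p1.induct, auto simp: req_def pro_def)
 
 lemma p1_is_Gets_correct [iff]: "Gets_correct p1"
 by (auto simp: Gets_correct_def dest: p1_has_no_Gets)
 
 lemma p1_is_one_step [iff]: "one_step p1"
-by (unfold one_step_def, clarify, ind_cases "ev#evs:p1" for ev evs, auto)
+by (unfold one_step_def, clarify, ind_cases "ev#evs \<in> p1" for ev evs, auto)
 
-lemma p1_has_only_Says' [rule_format]: "evs:p1 ==>
-ev:set evs --> (EX A B X. ev=Says A B X)"
+lemma p1_has_only_Says' [rule_format]: "evs \<in> p1 \<Longrightarrow>
+ev \<in> set evs \<longrightarrow> (\<exists>A B X. ev=Says A B X)"
 by (erule p1.induct, auto simp: req_def pro_def)
 
 lemma p1_has_only_Says [iff]: "has_only_Says p1"
@@ -372,8 +372,8 @@
 subsubsection\<open>private keys are safe\<close>
 
 lemma priK_parts_Friend_imp_bad [rule_format,dest]:
-     "[| evs:p1; Friend B ~= A |]
-      ==> (Key (priK A):parts (knows (Friend B) evs)) --> (A:bad)"
+     "[| evs \<in> p1; Friend B \<noteq> A |]
+      ==> (Key (priK A) \<in> parts (knows (Friend B) evs)) \<longrightarrow> (A \<in> bad)"
 apply (erule p1.induct)
 apply (simp_all add: initState.simps knows.simps pro_def prom_def
                 req_def reqm_def anchor_def chain_def sign_def)
@@ -383,12 +383,12 @@
 done
 
 lemma priK_analz_Friend_imp_bad [rule_format,dest]:
-     "[| evs:p1; Friend B ~= A |]
-==> (Key (priK A):analz (knows (Friend B) evs)) --> (A:bad)"
+     "[| evs \<in> p1; Friend B \<noteq> A |]
+==> (Key (priK A) \<in> analz (knows (Friend B) evs)) \<longrightarrow> (A \<in> bad)"
 by auto
 
-lemma priK_notin_knows_max_Friend: "[| evs:p1; A ~:bad; A ~= Friend C |]
-==> Key (priK A) ~:analz (knows_max (Friend C) evs)"
+lemma priK_notin_knows_max_Friend: "[| evs \<in> p1; A \<notin> bad; A \<noteq> Friend C |]
+==> Key (priK A) \<notin> analz (knows_max (Friend C) evs)"
 apply (rule not_parts_not_analz, simp add: knows_max_def, safe)
 apply (drule_tac H="spies' evs" in parts_sub)
 apply (rule_tac p=p1 in knows_max'_sub_spies', simp+)
@@ -397,78 +397,78 @@
 
 subsubsection\<open>general guardedness properties\<close>
 
-lemma agl_guard [intro]: "I:agl ==> I:guard n Ks"
+lemma agl_guard [intro]: "I \<in> agl \<Longrightarrow> I \<in> guard n Ks"
 by (erule agl.induct, auto)
 
-lemma Says_to_knows_max'_guard: "[| Says A' C \<lbrace>A'',r,I,L\<rbrace>:set evs;
-Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks"
+lemma Says_to_knows_max'_guard: "[| Says A' C \<lbrace>A'',r,I,L\<rbrace> \<in> set evs;
+Guard n Ks (knows_max' C evs) |] ==> L \<in> guard n Ks"
 by (auto dest: Says_to_knows_max')
 
-lemma Says_from_knows_max'_guard: "[| Says C A' \<lbrace>A'',r,I,L\<rbrace>:set evs;
-Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks"
+lemma Says_from_knows_max'_guard: "[| Says C A' \<lbrace>A'',r,I,L\<rbrace> \<in> set evs;
+Guard n Ks (knows_max' C evs) |] ==> L \<in> guard n Ks"
 by (auto dest: Says_from_knows_max')
 
-lemma Says_Nonce_not_used_guard: "[| Says A' B \<lbrace>A'',r,I,L\<rbrace>:set evs;
-Nonce n ~:used evs |] ==> L:guard n Ks"
+lemma Says_Nonce_not_used_guard: "[| Says A' B \<lbrace>A'',r,I,L\<rbrace> \<in> set evs;
+Nonce n \<notin> used evs |] ==> L \<in> guard n Ks"
 by (drule not_used_not_parts, auto)
 
 subsubsection\<open>guardedness of messages\<close>
 
-lemma chain_guard [iff]: "chain B ofr A L C:guard n {priK A}"
+lemma chain_guard [iff]: "chain B ofr A L C \<in> guard n {priK A}"
 by (case_tac "ofr=n", auto simp: chain_def sign_def)
 
-lemma chain_guard_Nonce_neq [intro]: "n ~= ofr
-==> chain B ofr A' L C:guard n {priK A}"
+lemma chain_guard_Nonce_neq [intro]: "n \<noteq> ofr
+\<Longrightarrow> chain B ofr A' L C \<in> guard n {priK A}"
 by (auto simp: chain_def sign_def)
 
-lemma anchor_guard [iff]: "anchor A n' B:guard n {priK A}"
+lemma anchor_guard [iff]: "anchor A n' B \<in> guard n {priK A}"
 by (case_tac "n'=n", auto simp: anchor_def)
 
-lemma anchor_guard_Nonce_neq [intro]: "n ~= n'
-==> anchor A' n' B:guard n {priK A}"
+lemma anchor_guard_Nonce_neq [intro]: "n \<noteq> n'
+\<Longrightarrow> anchor A' n' B \<in> guard n {priK A}"
 by (auto simp: anchor_def)
 
-lemma reqm_guard [intro]: "I:agl ==> reqm A r n' I B:guard n {priK A}"
+lemma reqm_guard [intro]: "I \<in> agl \<Longrightarrow> reqm A r n' I B \<in> guard n {priK A}"
 by (case_tac "n'=n", auto simp: reqm_def)
 
-lemma reqm_guard_Nonce_neq [intro]: "[| n ~= n'; I:agl |]
-==> reqm A' r n' I B:guard n {priK A}"
+lemma reqm_guard_Nonce_neq [intro]: "[| n \<noteq> n'; I \<in> agl |]
+==> reqm A' r n' I B \<in> guard n {priK A}"
 by (auto simp: reqm_def)
 
-lemma prom_guard [intro]: "[| I:agl; J:agl; L:guard n {priK A} |]
-==> prom B ofr A r I L J C:guard n {priK A}"
+lemma prom_guard [intro]: "[| I \<in> agl; J \<in> agl; L \<in> guard n {priK A} |]
+==> prom B ofr A r I L J C \<in> guard n {priK A}"
 by (auto simp: prom_def)
 
-lemma prom_guard_Nonce_neq [intro]: "[| n ~= ofr; I:agl; J:agl;
-L:guard n {priK A} |] ==> prom B ofr A' r I L J C:guard n {priK A}"
+lemma prom_guard_Nonce_neq [intro]: "[| n \<noteq> ofr; I \<in> agl; J \<in> agl;
+L \<in> guard n {priK A} |] ==> prom B ofr A' r I L J C \<in> guard n {priK A}"
 by (auto simp: prom_def)
 
 subsubsection\<open>Nonce uniqueness\<close>
 
-lemma uniq_Nonce_in_chain [dest]: "Nonce k:parts {chain B ofr A L C} ==> k=ofr"
+lemma uniq_Nonce_in_chain [dest]: "Nonce k \<in> parts {chain B ofr A L C} \<Longrightarrow> k=ofr"
 by (auto simp: chain_def sign_def)
 
-lemma uniq_Nonce_in_anchor [dest]: "Nonce k:parts {anchor A n B} ==> k=n"
+lemma uniq_Nonce_in_anchor [dest]: "Nonce k \<in> parts {anchor A n B} \<Longrightarrow> k=n"
 by (auto simp: anchor_def chain_def sign_def)
 
-lemma uniq_Nonce_in_reqm [dest]: "[| Nonce k:parts {reqm A r n I B};
-I:agl |] ==> k=n"
+lemma uniq_Nonce_in_reqm [dest]: "[| Nonce k \<in> parts {reqm A r n I B};
+I \<in> agl |] ==> k=n"
 by (auto simp: reqm_def dest: no_Nonce_in_agl)
 
-lemma uniq_Nonce_in_prom [dest]: "[| Nonce k:parts {prom B ofr A r I L J C};
-I:agl; J:agl; Nonce k ~:parts {L} |] ==> k=ofr"
+lemma uniq_Nonce_in_prom [dest]: "[| Nonce k \<in> parts {prom B ofr A r I L J C};
+I \<in> agl; J \<in> agl; Nonce k \<notin> parts {L} |] ==> k=ofr"
 by (auto simp: prom_def dest: no_Nonce_in_agl no_Nonce_in_appdel)
 
 subsubsection\<open>requests are guarded\<close>
 
-lemma req_imp_Guard [rule_format]: "[| evs:p1; A ~:bad |] ==>
-req A r n I B:set evs --> Guard n {priK A} (spies evs)"
+lemma req_imp_Guard [rule_format]: "[| evs \<in> p1; A \<notin> bad |] ==>
+req A r n I B \<in> set evs \<longrightarrow> Guard n {priK A} (spies evs)"
 apply (erule p1.induct, simp)
 apply (simp add: req_def knows.simps, safe)
 apply (erule in_synth_Guard, erule Guard_analz, simp)
 by (auto simp: req_def pro_def dest: Says_imp_knows_Spy)
 
-lemma req_imp_Guard_Friend: "[| evs:p1; A ~:bad; req A r n I B:set evs |]
+lemma req_imp_Guard_Friend: "[| evs \<in> p1; A \<notin> bad; req A r n I B \<in> set evs |]
 ==> Guard n {priK A} (knows_max (Friend C) evs)"
 apply (rule Guard_knows_max')
 apply (rule_tac H="spies evs" in Guard_mono)
@@ -479,8 +479,8 @@
 
 subsubsection\<open>propositions are guarded\<close>
 
-lemma pro_imp_Guard [rule_format]: "[| evs:p1; B ~:bad; A ~:bad |] ==>
-pro B ofr A r I (cons M L) J C:set evs --> Guard ofr {priK A} (spies evs)"
+lemma pro_imp_Guard [rule_format]: "[| evs \<in> p1; B \<notin> bad; A \<notin> bad |] ==>
+pro B ofr A r I (cons M L) J C \<in> set evs \<longrightarrow> Guard ofr {priK A} (spies evs)"
 apply (erule p1.induct) (* +3 subgoals *)
 (* Nil *)
 apply simp
@@ -516,8 +516,8 @@
 apply (simp add: pro_def)
 by (blast dest: Says_imp_knows_Spy)
 
-lemma pro_imp_Guard_Friend: "[| evs:p1; B ~:bad; A ~:bad;
-pro B ofr A r I (cons M L) J C:set evs |]
+lemma pro_imp_Guard_Friend: "[| evs \<in> p1; B \<notin> bad; A \<notin> bad;
+pro B ofr A r I (cons M L) J C \<in> set evs |]
 ==> Guard ofr {priK A} (knows_max (Friend D) evs)"
 apply (rule Guard_knows_max')
 apply (rule_tac H="spies evs" in Guard_mono)
@@ -529,23 +529,23 @@
 subsubsection\<open>data confidentiality:
 no one other than the originator can decrypt the offers\<close>
 
-lemma Nonce_req_notin_spies: "[| evs:p1; req A r n I B:set evs; A ~:bad |]
-==> Nonce n ~:analz (spies evs)"
+lemma Nonce_req_notin_spies: "[| evs \<in> p1; req A r n I B \<in> set evs; A \<notin> bad |]
+==> Nonce n \<notin> analz (spies evs)"
 by (frule req_imp_Guard, simp+, erule Guard_Nonce_analz, simp+)
 
-lemma Nonce_req_notin_knows_max_Friend: "[| evs:p1; req A r n I B:set evs;
-A ~:bad; A ~= Friend C |] ==> Nonce n ~:analz (knows_max (Friend C) evs)"
+lemma Nonce_req_notin_knows_max_Friend: "[| evs \<in> p1; req A r n I B \<in> set evs;
+A \<notin> bad; A \<noteq> Friend C |] ==> Nonce n \<notin> analz (knows_max (Friend C) evs)"
 apply (clarify, frule_tac C=C in req_imp_Guard_Friend, simp+)
 apply (simp add: knows_max_def, drule Guard_invKey_keyset, simp+)
 by (drule priK_notin_knows_max_Friend, auto simp: knows_max_def)
 
-lemma Nonce_pro_notin_spies: "[| evs:p1; B ~:bad; A ~:bad;
-pro B ofr A r I (cons M L) J C:set evs |] ==> Nonce ofr ~:analz (spies evs)"
+lemma Nonce_pro_notin_spies: "[| evs \<in> p1; B \<notin> bad; A \<notin> bad;
+pro B ofr A r I (cons M L) J C \<in> set evs |] ==> Nonce ofr \<notin> analz (spies evs)"
 by (frule pro_imp_Guard, simp+, erule Guard_Nonce_analz, simp+)
 
-lemma Nonce_pro_notin_knows_max_Friend: "[| evs:p1; B ~:bad; A ~:bad;
-A ~= Friend D; pro B ofr A r I (cons M L) J C:set evs |]
-==> Nonce ofr ~:analz (knows_max (Friend D) evs)"
+lemma Nonce_pro_notin_knows_max_Friend: "[| evs \<in> p1; B \<notin> bad; A \<notin> bad;
+A \<noteq> Friend D; pro B ofr A r I (cons M L) J C \<in> set evs |]
+==> Nonce ofr \<notin> analz (knows_max (Friend D) evs)"
 apply (clarify, frule_tac A=A in pro_imp_Guard_Friend, simp+)
 apply (simp add: knows_max_def, drule Guard_invKey_keyset, simp+)
 by (drule priK_notin_knows_max_Friend, auto simp: knows_max_def)
@@ -553,59 +553,59 @@
 subsubsection\<open>non repudiability:
 an offer signed by B has been sent by B\<close>
 
-lemma Crypt_reqm: "[| Crypt (priK A) X:parts {reqm A' r n I B}; I:agl |] ==> A=A'"
+lemma Crypt_reqm: "[| Crypt (priK A) X \<in> parts {reqm A' r n I B}; I \<in> agl |] ==> A=A'"
 by (auto simp: reqm_def anchor_def chain_def sign_def dest: no_Crypt_in_agl)
 
-lemma Crypt_prom: "[| Crypt (priK A) X:parts {prom B ofr A' r I L J C};
-I:agl; J:agl |] ==> A=B | Crypt (priK A) X:parts {L}"
+lemma Crypt_prom: "[| Crypt (priK A) X \<in> parts {prom B ofr A' r I L J C};
+I \<in> agl; J \<in> agl |] ==> A=B \<or> Crypt (priK A) X \<in> parts {L}"
 apply (simp add: prom_def anchor_def chain_def sign_def)
 by (blast dest: no_Crypt_in_agl no_Crypt_in_appdel)
 
-lemma Crypt_safeness: "[| evs:p1; A ~:bad |] ==> Crypt (priK A) X:parts (spies evs)
---> (EX B Y. Says A B Y:set evs & Crypt (priK A) X:parts {Y})"
+lemma Crypt_safeness: "[| evs \<in> p1; A \<notin> bad |] ==> Crypt (priK A) X \<in> parts (spies evs)
+\<longrightarrow> (\<exists>B Y. Says A B Y \<in> set evs \<and> Crypt (priK A) X \<in> parts {Y})"
 apply (erule p1.induct)
 (* Nil *)
 apply simp
 (* Fake *)
 apply clarsimp
-apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
+apply (drule_tac P="\<lambda>G. Crypt (priK A) X \<in> G" in parts_insert_substD, simp)
 apply (erule disjE)
 apply (drule_tac K="priK A" in Crypt_synth, simp+, blast, blast)
 (* Request *)
 apply (simp add: req_def, clarify)
-apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
+apply (drule_tac P="\<lambda>G. Crypt (priK A) X \<in> G" in parts_insert_substD, simp)
 apply (erule disjE)
 apply (frule Crypt_reqm, simp, clarify)
 apply (rule_tac x=B in exI, rule_tac x="reqm A r n I B" in exI, simp, blast)
 (* Propose *)
 apply (simp add: pro_def, clarify)
-apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
+apply (drule_tac P="\<lambda>G. Crypt (priK A) X \<in> G" in parts_insert_substD, simp)
 apply (rotate_tac -1, erule disjE)
 apply (frule Crypt_prom, simp, simp)
 apply (rotate_tac -1, erule disjE)
 apply (rule_tac x=C in exI)
 apply (rule_tac x="prom B ofr Aa r I (cons M L) J C" in exI, blast)
-apply (subgoal_tac "cons M L:parts (spies evsp)")
+apply (subgoal_tac "cons M L \<in> parts (spies evsp)")
 apply (drule_tac G="{cons M L}" and H="spies evsp" in parts_trans, blast, blast)
 apply (drule Says_imp_spies, rotate_tac -1, drule parts.Inj)
 apply (drule parts.Snd, drule parts.Snd, drule parts.Snd)
 by auto
 
-lemma Crypt_Hash_imp_sign: "[| evs:p1; A ~:bad |] ==>
-Crypt (priK A) (Hash X):parts (spies evs)
---> (EX B Y. Says A B Y:set evs & sign A X:parts {Y})"
+lemma Crypt_Hash_imp_sign: "[| evs \<in> p1; A \<notin> bad |] ==>
+Crypt (priK A) (Hash X) \<in> parts (spies evs)
+\<longrightarrow> (\<exists>B Y. Says A B Y \<in> set evs \<and> sign A X \<in> parts {Y})"
 apply (erule p1.induct)
 (* Nil *)
 apply simp
 (* Fake *)
 apply clarsimp
-apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
+apply (drule_tac P="\<lambda>G. Crypt (priK A) (Hash X) \<in> G" in parts_insert_substD)
 apply simp
 apply (erule disjE)
 apply (drule_tac K="priK A" in Crypt_synth, simp+, blast, blast)
 (* Request *)
 apply (simp add: req_def, clarify)
-apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
+apply (drule_tac P="\<lambda>G. Crypt (priK A) (Hash X) \<in> G" in parts_insert_substD)
 apply simp
 apply (erule disjE)
 apply (frule Crypt_reqm, simp+)
@@ -614,7 +614,7 @@
 apply (simp add: chain_def sign_def, blast)
 (* Propose *)
 apply (simp add: pro_def, clarify)
-apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
+apply (drule_tac P="\<lambda>G. Crypt (priK A) (Hash X) \<in> G" in parts_insert_substD)
 apply simp
 apply (rotate_tac -1, erule disjE)
 apply (simp add: prom_def sign_def no_Crypt_in_agl no_Crypt_in_appdel)
@@ -628,8 +628,8 @@
 apply (blast del: MPair_parts)+
 done
 
-lemma sign_safeness: "[| evs:p1; A ~:bad |] ==> sign A X:parts (spies evs)
---> (EX B Y. Says A B Y:set evs & sign A X:parts {Y})"
+lemma sign_safeness: "[| evs \<in> p1; A \<notin> bad |] ==> sign A X \<in> parts (spies evs)
+\<longrightarrow> (\<exists>B Y. Says A B Y \<in> set evs \<and> sign A X \<in> parts {Y})"
 apply (clarify, simp add: sign_def, frule parts.Snd)
 apply (blast dest: Crypt_Hash_imp_sign [unfolded sign_def])
 done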
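Review bot: The converted statements leave the file in a half-migrated notation: membership, negation and object-level connectives are now symbols, but the meta-level `[| ... |] ==>` around them stays ASCII, as in the `Fake` and `Request` rules of `p1`, in `priK_parts_Friend_imp_bad` and `priK_analz_Friend_imp_bad`, and in the `*_guard` and `Nonce_*_notin_*` lemmas, while a few conclusions elsewhere in the same hunks did get `\<Longrightarrow>`. Since both spellings read as the same tokens this should not affect what is proved, and the proof scripts below the statements are untouched, but a reader now sees `\<in>` and `==>` on the same line and cannot grep for one form. If uniform symbol notation is the goal, finishing the pass in this commit would be cleaner, e.g. `| Fake: "\<lbrakk>evsf \<in> p1; X \<in> synth (analz (spies evsf))\<rbrakk> \<Longrightarrow> Says Spy B X # evsf \<in> p1"`. The `&` in the equality lemmas left as context at the top of the first hunks (`= (B=B' & ofr=ofr' & ...`) shows the same inconsistency, and the P2.thy section that follows repeats the pattern for `p2`.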
    49.1 --- a/src/HOL/Auth/Guard/P2.thy	Tue Feb 13 14:24:50 2018 +0100
    49.2 +++ b/src/HOL/Auth/Guard/P2.thy	Thu Feb 15 12:11:00 2018 +0100
    49.3 @@ -32,7 +32,7 @@
    49.4  = (B=B' & ofr=ofr' & A=A' & head L = head L' & C=C')"
    49.5  by (auto simp: chain_def Let_def)
    49.6  
    49.7 -lemma Nonce_in_chain [iff]: "Nonce ofr:parts {chain B ofr A L C}"
    49.8 +lemma Nonce_in_chain [iff]: "Nonce ofr \<in> parts {chain B ofr A L C}"
    49.9  by (auto simp: chain_def sign_def)
   49.10  
   49.11  subsubsection\<open>agent whose key is used to sign an offer\<close>
   49.12 @@ -65,10 +65,10 @@
   49.13  "anchor A n B == chain A n A (cons nil nil) B"
   49.14  
   49.15  lemma anchor_inj [iff]:
   49.16 -     "(anchor A n B = anchor A' n' B') = (A=A' & n=n' & B=B')"
   49.17 +     "(anchor A n B = anchor A' n' B') = (A=A' \<and> n=n' \<and> B=B')"
   49.18  by (auto simp: anchor_def)
   49.19  
   49.20 -lemma Nonce_in_anchor [iff]: "Nonce n:parts {anchor A n B}"
   49.21 +lemma Nonce_in_anchor [iff]: "Nonce n \<in> parts {anchor A n B}"
   49.22  by (auto simp: anchor_def)
   49.23  
   49.24  lemma shop_anchor [simp]: "shop (anchor A n B) = Agent A"
   49.25 @@ -84,7 +84,7 @@
   49.26  = (A=A' & r=r' & n=n' & I=I' & B=B')"
   49.27  by (auto simp: reqm_def)
   49.28  
   49.29 -lemma Nonce_in_reqm [iff]: "Nonce n:parts {reqm A r n I B}"
   49.30 +lemma Nonce_in_reqm [iff]: "Nonce n \<in> parts {reqm A r n I B}"
   49.31  by (auto simp: reqm_def)
   49.32  
   49.33  definition req :: "agent => nat => nat => msg => agent => event" where
   49.34 @@ -105,7 +105,7 @@
   49.35  ==> B=B' & ofr=ofr' & A=A' & r=r' & L=L' & C=C'"
   49.36  by (auto simp: prom_def)
   49.37  
   49.38 -lemma Nonce_in_prom [iff]: "Nonce ofr:parts {prom B ofr A r I L J C}"
   49.39 +lemma Nonce_in_prom [iff]: "Nonce ofr \<in> parts {prom B ofr A r I L J C}"
   49.40  by (auto simp: prom_def)
   49.41  
   49.42  definition pro :: "agent => nat => agent => nat => msg => msg =>
   49.43 @@ -121,38 +121,38 @@
   49.44  inductive_set p2 :: "event list set"
   49.45  where
   49.46  
   49.47 -  Nil: "[]:p2"
   49.48 +  Nil: "[] \<in> p2"
   49.49  
   49.50 -| Fake: "[| evsf:p2; X:synth (analz (spies evsf)) |] ==> Says Spy B X # evsf : p2"
   49.51 +| Fake: "[| evsf \<in> p2; X \<in> synth (analz (spies evsf)) |] ==> Says Spy B X # evsf \<in> p2"
   49.52  
   49.53 -| Request: "[| evsr:p2; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p2"
   49.54 +| Request: "[| evsr \<in> p2; Nonce n \<notin> used evsr; I \<in> agl |] ==> req A r n I B # evsr \<in> p2"
   49.55  
   49.56 -| Propose: "[| evsp:p2; Says A' B \<lbrace>Agent A,Number r,I,cons M L\<rbrace>:set evsp;
   49.57 -  I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   49.58 -  Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p2"
   49.59 +| Propose: "[| evsp \<in> p2; Says A' B \<lbrace>Agent A,Number r,I,cons M L\<rbrace> \<in> set evsp;
   49.60 +  I \<in> agl; J \<in> agl; isin (Agent C, app (J, del (Agent B, I)));
   49.61 +  Nonce ofr \<notin> used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp \<in> p2"
   49.62  
   49.63  subsubsection\<open>valid offer lists\<close>
   49.64  
   49.65  inductive_set
   49.66 -  valid :: "agent => nat => agent => msg set"
   49.67 +  valid :: "agent \<Rightarrow> nat \<Rightarrow> agent \<Rightarrow> msg set"
   49.68    for A :: agent and  n :: nat and B :: agent
   49.69  where
   49.70 -  Request [intro]: "cons (anchor A n B) nil:valid A n B"
   49.71 +  Request [intro]: "cons (anchor A n B) nil \<in> valid A n B"
   49.72  
   49.73 -| Propose [intro]: "L:valid A n B
   49.74 -  ==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B"
   49.75 +| Propose [intro]: "L \<in> valid A n B
   49.76 +  \<Longrightarrow> cons (chain (next_shop (head L)) ofr A L C) L \<in> valid A n B"
   49.77  
   49.78  subsubsection\<open>basic properties of valid\<close>
   49.79  
   49.80 -lemma valid_not_empty: "L:valid A n B ==> EX M L'. L = cons M L'"
   49.81 +lemma valid_not_empty: "L \<in> valid A n B \<Longrightarrow> \<exists>M L'. L = cons M L'"
   49.82  by (erule valid.cases, auto)
   49.83  
   49.84 -lemma valid_pos_len: "L:valid A n B ==> 0 < len L"
   49.85 +lemma valid_pos_len: "L \<in> valid A n B \<Longrightarrow> 0 < len L"
   49.86  by (erule valid.induct, auto)
   49.87  
   49.88  subsubsection\<open>list of offers\<close>
   49.89  
   49.90 -fun offers :: "msg => msg"
   49.91 +fun offers :: "msg \<Rightarrow> msg"
   49.92  where
   49.93    "offers (cons M L) = cons \<lbrace>shop M, nonce M\<rbrace> (offers L)"
   49.94  | "offers other = nil"
   49.95 @@ -166,66 +166,66 @@
   49.96  subsection\<open>strong forward integrity:
   49.97  except the last one, no offer can be modified\<close>
   49.98  
   49.99 -lemma strong_forward_integrity: "ALL L. Suc i < len L
  49.100 ---> L:valid A n B --> repl (L,Suc i,M):valid A n B --> M = ith (L,Suc i)"
  49.101 +lemma strong_forward_integrity: "\<forall>L. Suc i < len L
  49.102 +\<longrightarrow> L \<in> valid A n B \<longrightarrow> repl (L,Suc i,M) \<in> valid A n B \<longrightarrow> M = ith (L,Suc i)"
  49.103  apply (induct i)
  49.104  (* i = 0 *)
  49.105  apply clarify
  49.106  apply (frule len_not_empty, clarsimp)
  49.107  apply (frule len_not_empty, clarsimp)
  49.108 -apply (ind_cases "\<lbrace>x,xa,l'a\<rbrace>:valid A n B" for x xa l'a)
  49.109 -apply (ind_cases "\<lbrace>x,M,l'a\<rbrace>:valid A n B" for x l'a)
  49.110 +apply (ind_cases "\<lbrace>x,xa,l'a\<rbrace> \<in> valid A n B" for x xa l'a)
  49.111 +apply (ind_cases "\<lbrace>x,M,l'a\<rbrace> \<in> valid A n B" for x l'a)
  49.112  apply (simp add: chain_def)
  49.113  (* i > 0 *)
  49.114  apply clarify
  49.115  apply (frule len_not_empty, clarsimp)
  49.116 -apply (ind_cases "\<lbrace>x,repl(l',Suc na,M)\<rbrace>:valid A n B" for x l' na)
  49.117 +apply (ind_cases "\<lbrace>x,repl(l',Suc na,M)\<rbrace> \<in> valid A n B" for x l' na)
  49.118  apply (frule len_not_empty, clarsimp)
  49.119 -apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
  49.120 +apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l')
  49.121  by (drule_tac x=l' in spec, simp, blast)
  49.122  
  49.123  subsection\<open>insertion resilience:
  49.124  except at the beginning, no offer can be inserted\<close>
  49.125  
  49.126 -lemma chain_isnt_head [simp]: "L:valid A n B ==>
  49.127 -head L ~= chain (next_shop (head L)) ofr A L C"
  49.128 +lemma chain_isnt_head [simp]: "L \<in> valid A n B \<Longrightarrow>
  49.129 +head L \<noteq> chain (next_shop (head L)) ofr A L C"
  49.130  by (erule valid.induct, auto simp: chain_def sign_def anchor_def)
  49.131  
  49.132 -lemma insertion_resilience: "ALL L. L:valid A n B --> Suc i < len L
  49.133 ---> ins (L,Suc i,M) ~:valid A n B"
  49.134 +lemma insertion_resilience: "\<forall>L. L \<in> valid A n B \<longrightarrow> Suc i < len L
  49.135 +\<longrightarrow> ins (L,Suc i,M) \<notin> valid A n B"
  49.136  apply (induct i)
  49.137  (* i = 0 *)
  49.138  apply clarify
  49.139  apply (frule len_not_empty, clarsimp)
  49.140 -apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l', simp)
  49.141 -apply (ind_cases "\<lbrace>x,M,l'\<rbrace>:valid A n B" for x l', clarsimp)
  49.142 -apply (ind_cases "\<lbrace>head l',l'\<rbrace>:valid A n B" for l', simp, simp)
  49.143 +apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l', simp)
  49.144 +apply (ind_cases "\<lbrace>x,M,l'\<rbrace> \<in> valid A n B" for x l', clarsimp)
  49.145 +apply (ind_cases "\<lbrace>head l',l'\<rbrace> \<in> valid A n B" for l', simp, simp)
  49.146  (* i > 0 *)
  49.147  apply clarify
  49.148  apply (frule len_not_empty, clarsimp)
  49.149 -apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
  49.150 +apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l')
  49.151  apply (frule len_not_empty, clarsimp)
  49.152 -apply (ind_cases "\<lbrace>x,ins(l',Suc na,M)\<rbrace>:valid A n B" for x l' na)
  49.153 +apply (ind_cases "\<lbrace>x,ins(l',Suc na,M)\<rbrace> \<in> valid A n B" for x l' na)
  49.154  apply (frule len_not_empty, clarsimp)
  49.155  by (drule_tac x=l' in spec, clarsimp)
  49.156  
  49.157  subsection\<open>truncation resilience:
  49.158  only shop i can truncate at offer i\<close>
  49.159  
  49.160 -lemma truncation_resilience: "ALL L. L:valid A n B --> Suc i < len L
  49.161 ---> cons M (trunc (L,Suc i)):valid A n B --> shop M = shop (ith (L,i))"
  49.162 +lemma truncation_resilience: "\<forall>L. L \<in> valid A n B \<longrightarrow> Suc i < len L
  49.163 +\<longrightarrow> cons M (trunc (L,Suc i)) \<in> valid A n B \<longrightarrow> shop M = shop (ith (L,i))"
  49.164  apply (induct i)
  49.165  (* i = 0 *)
  49.166  apply clarify
  49.167  apply (frule len_not_empty, clarsimp)
  49.168 -apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
  49.169 +apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l')
  49.170  apply (frule len_not_empty, clarsimp)
  49.171 -apply (ind_cases "\<lbrace>M,l'\<rbrace>:valid A n B" for l')
  49.172 +apply (ind_cases "\<lbrace>M,l'\<rbrace> \<in> valid A n B" for l')
  49.173  apply (frule len_not_empty, clarsimp, simp)
  49.174  (* i > 0 *)
  49.175  apply clarify
  49.176  apply (frule len_not_empty, clarsimp)
  49.177 -apply (ind_cases "\<lbrace>x,l'\<rbrace>:valid A n B" for x l')
  49.178 +apply (ind_cases "\<lbrace>x,l'\<rbrace> \<in> valid A n B" for x l')
  49.179  apply (frule len_not_empty, clarsimp)
  49.180  by (drule_tac x=l' in spec, clarsimp)
  49.181  
  49.182 @@ -237,37 +237,37 @@
  49.183  
  49.184  subsection\<open>get components of a message\<close>
  49.185  
  49.186 -lemma get_ML [dest]: "Says A' B \<lbrace>A,R,I,M,L\<rbrace>:set evs ==>
  49.187 -M:parts (spies evs) & L:parts (spies evs)"
  49.188 +lemma get_ML [dest]: "Says A' B \<lbrace>A,R,I,M,L\<rbrace> \<in> set evs \<Longrightarrow>
  49.189 +M \<in> parts (spies evs) \<and> L \<in> parts (spies evs)"
  49.190  by blast
  49.191  
  49.192  subsection\<open>general properties of p2\<close>
  49.193  
  49.194  lemma reqm_neq_prom [iff]:
  49.195 -"reqm A r n I B ~= prom B' ofr A' r' I' (cons M L) J C"
  49.196 +"reqm A r n I B \<noteq> prom B' ofr A' r' I' (cons M L) J C"
  49.197  by (auto simp: reqm_def prom_def)
  49.198  
  49.199  lemma prom_neq_reqm [iff]:
  49.200 -"prom B' ofr A' r' I' (cons M L) J C ~= reqm A r n I B"
  49.201 +"prom B' ofr A' r' I' (cons M L) J C \<noteq> reqm A r n I B"
  49.202  by (auto simp: reqm_def prom_def)
  49.203  
  49.204 -lemma req_neq_pro [iff]: "req A r n I B ~= pro B' ofr A' r' I' (cons M L) J C"
  49.205 +lemma req_neq_pro [iff]: "req A r n I B \<noteq> pro B' ofr A' r' I' (cons M L) J C"
  49.206  by (auto simp: req_def pro_def)
  49.207  
  49.208 -lemma pro_neq_req [iff]: "pro B' ofr A' r' I' (cons M L) J C ~= req A r n I B"
  49.209 +lemma pro_neq_req [iff]: "pro B' ofr A' r' I' (cons M L) J C \<noteq> req A r n I B"
  49.210  by (auto simp: req_def pro_def)
  49.211  
  49.212 -lemma p2_has_no_Gets: "evs:p2 ==> ALL A X. Gets A X ~:set evs"
  49.213 +lemma p2_has_no_Gets: "evs \<in> p2 \<Longrightarrow> \<forall>A X. Gets A X \<notin> set evs"
  49.214  by (erule p2.induct, auto simp: req_def pro_def)
  49.215  
  49.216  lemma p2_is_Gets_correct [iff]: "Gets_correct p2"
  49.217  by (auto simp: Gets_correct_def dest: p2_has_no_Gets)
  49.218  
  49.219  lemma p2_is_one_step [iff]: "one_step p2"
  49.220 -by (unfold one_step_def, clarify, ind_cases "ev#evs:p2" for ev evs, auto)
  49.221 +by (unfold one_step_def, clarify, ind_cases "ev#evs \<in> p2" for ev evs, auto)
  49.222  
  49.223 -lemma p2_has_only_Says' [rule_format]: "evs:p2 ==>
  49.224 -ev:set evs --> (EX A B X. ev=Says A B X)"
  49.225 +lemma p2_has_only_Says' [rule_format]: "evs \<in> p2 \<Longrightarrow>
  49.226 +ev \<in> set evs \<longrightarrow> (\<exists>A B X. ev=Says A B X)"
  49.227  by (erule p2.induct, auto simp: req_def pro_def)
  49.228  
  49.229  lemma p2_has_only_Says [iff]: "has_only_Says p2"
  49.230 @@ -283,8 +283,8 @@
  49.231  subsection\<open>private keys are safe\<close>
  49.232  
  49.233  lemma priK_parts_Friend_imp_bad [rule_format,dest]:
  49.234 -     "[| evs:p2; Friend B ~= A |]
  49.235 -      ==> (Key (priK A):parts (knows (Friend B) evs)) --> (A:bad)"
  49.236 +     "[| evs \<in> p2; Friend B \<noteq> A |]
  49.237 +      ==> (Key (priK A) \<in> parts (knows (Friend B) evs)) \<longrightarrow> (A \<in> bad)"
  49.238  apply (erule p2.induct)
  49.239  apply (simp_all add: initState.simps knows.simps pro_def prom_def
  49.240                  req_def reqm_def anchor_def chain_def sign_def) 
  49.241 @@ -294,13 +294,13 @@
  49.242  done
  49.243  
  49.244  lemma priK_analz_Friend_imp_bad [rule_format,dest]:
  49.245 -     "[| evs:p2; Friend B ~= A |]
  49.246 -==> (Key (priK A):analz (knows (Friend B) evs)) --> (A:bad)"
  49.247 +     "[| evs \<in> p2; Friend B \<noteq> A |]
  49.248 +==> (Key (priK A) \<in> analz (knows (Friend B) evs)) \<longrightarrow> (A \<in> bad)"
  49.249  by auto
  49.250  
  49.251  lemma priK_notin_knows_max_Friend:
  49.252 -     "[| evs:p2; A ~:bad; A ~= Friend C |]
  49.253 -      ==> Key (priK A) ~:analz (knows_max (Friend C) evs)"
  49.254 +     "[| evs \<in> p2; A \<notin> bad; A \<noteq> Friend C |]
  49.255 +      ==> Key (priK A) \<notin> analz (knows_max (Friend C) evs)"
  49.256  apply (rule not_parts_not_analz, simp add: knows_max_def, safe)
  49.257  apply (drule_tac H="spies' evs" in parts_sub)
  49.258  apply (rule_tac p=p2 in knows_max'_sub_spies', simp+)
  49.259 @@ -309,78 +309,78 @@
  49.260  
  49.261  subsection\<open>general guardedness properties\<close>
  49.262  
  49.263 -lemma agl_guard [intro]: "I:agl ==> I:guard n Ks"
  49.264 +lemma agl_guard [intro]: "I \<in> agl \<Longrightarrow> I \<in> guard n Ks"
  49.265  by (erule agl.induct, auto)
  49.266  
  49.267 -lemma Says_to_knows_max'_guard: "[| Says A' C \<lbrace>A'',r,I,L\<rbrace>:set evs;
  49.268 -Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks"
  49.269 +lemma Says_to_knows_max'_guard: "[| Says A' C \<lbrace>A'',r,I,L\<rbrace> \<in> set evs;
  49.270 +Guard n Ks (knows_max' C evs) |] ==> L \<in> guard n Ks"
  49.271  by (auto dest: Says_to_knows_max')
  49.272  
  49.273 -lemma Says_from_knows_max'_guard: "[| Says C A' \<lbrace>A'',r,I,L\<rbrace>:set evs;
  49.274 -Guard n Ks (knows_max' C evs) |] ==> L:guard n Ks"
  49.275 +lemma Says_from_knows_max'_guard: "[| Says C A' \<lbrace>A'',r,I,L\<rbrace> \<in> set evs;
  49.276 +Guard n Ks (knows_max' C evs) |] ==> L \<in> guard n Ks"
  49.277  by (auto dest: Says_from_knows_max')
  49.278  
  49.279 -lemma Says_Nonce_not_used_guard: "[| Says A' B \<lbrace>A'',r,I,L\<rbrace>:set evs;
  49.280 -Nonce n ~:used evs |] ==> L:guard n Ks"
  49.281 +lemma Says_Nonce_not_used_guard: "[| Says A' B \<lbrace>A'',r,I,L\<rbrace> \<in> set evs;
  49.282 +Nonce n \<notin> used evs |] ==> L \<in> guard n Ks"
  49.283  by (drule not_used_not_parts, auto)
  49.284  
  49.285  subsection\<open>guardedness of messages\<close>
  49.286  
  49.287 -lemma chain_guard [iff]: "chain B ofr A L C:guard n {priK A}"
  49.288 +lemma chain_guard [iff]: "chain B ofr A L C \<in> guard n {priK A}"
  49.289  by (case_tac "ofr=n", auto simp: chain_def sign_def)
  49.290  
  49.291 -lemma chain_guard_Nonce_neq [intro]: "n ~= ofr
  49.292 -==> chain B ofr A' L C:guard n {priK A}"
  49.293 +lemma chain_guard_Nonce_neq [intro]: "n \<noteq> ofr
  49.294 +\<Longrightarrow> chain B ofr A' L C \<in> guard n {priK A}"
  49.295  by (auto simp: chain_def sign_def)
  49.296  
  49.297 -lemma anchor_guard [iff]: "anchor A n' B:guard n {priK A}"
  49.298 +lemma anchor_guard [iff]: "anchor A n' B \<in> guard n {priK A}"
  49.299  by (case_tac "n'=n", auto simp: anchor_def)
  49.300  
  49.301 -lemma anchor_guard_Nonce_neq [intro]: "n ~= n'
  49.302 -==> anchor A' n' B:guard n {priK A}"
  49.303 +lemma anchor_guard_Nonce_neq [intro]: "n \<noteq> n'
  49.304 +\<Longrightarrow> anchor A' n' B \<in> guard n {priK A}"
  49.305  by (auto simp: anchor_def)
  49.306  
  49.307 -lemma reqm_guard [intro]: "I:agl ==> reqm A r n' I B:guard n {priK A}"
  49.308 +lemma reqm_guard [intro]: "I \<in> agl \<Longrightarrow> reqm A r n' I B \<in> guard n {priK A}"
  49.309  by (case_tac "n'=n", auto simp: reqm_def)
  49.310  
  49.311 -lemma reqm_guard_Nonce_neq [intro]: "[| n ~= n'; I:agl |]
  49.312 -==> reqm A' r n' I B:guard n {priK A}"
  49.313 +lemma reqm_guard_Nonce_neq [intro]: "[| n \<noteq> n'; I \<in> agl |]
  49.314 +==> reqm A' r n' I B \<in> guard n {priK A}"
  49.315  by (auto simp: reqm_def)
  49.316  
  49.317 -lemma prom_guard [intro]: "[| I:agl; J:agl; L:guard n {priK A} |]
  49.318 -==> prom B ofr A r I L J C:guard n {priK A}"
  49.319 +lemma prom_guard [intro]: "[| I \<in> agl; J \<in> agl; L \<in> guard n {priK A} |]
  49.320 +==> prom B ofr A r I L J C \<in> guard n {priK A}"
  49.321  by (auto simp: prom_def)
  49.322  
  49.323 -lemma prom_guard_Nonce_neq [intro]: "[| n ~= ofr; I:agl; J:agl;
  49.324 -L:guard n {priK A} |] ==> prom B ofr A' r I L J C:guard n {priK A}"
  49.325 +lemma prom_guard_Nonce_neq [intro]: "[| n \<noteq> ofr; I \<in> agl; J \<in> agl;
  49.326 +L \<in> guard n {priK A} |] ==> prom B ofr A' r I L J C \<in> guard n {priK A}"
  49.327  by (auto simp: prom_def)
  49.328  
  49.329  subsection\<open>Nonce uniqueness\<close>
  49.330  
  49.331 -lemma uniq_Nonce_in_chain [dest]: "Nonce k:parts {chain B ofr A L C} ==> k=ofr"
  49.332 +lemma uniq_Nonce_in_chain [dest]: "Nonce k \<in> parts {chain B ofr A L C} \<Longrightarrow> k=ofr"
  49.333  by (auto simp: chain_def sign_def)
  49.334  
  49.335 -lemma uniq_Nonce_in_anchor [dest]: "Nonce k:parts {anchor A n B} ==> k=n"
  49.336 +lemma uniq_Nonce_in_anchor [dest]: "Nonce k \<in> parts {anchor A n B} \<Longrightarrow> k=n"
  49.337  by (auto simp: anchor_def chain_def sign_def)
  49.338  
  49.339 -lemma uniq_Nonce_in_reqm [dest]: "[| Nonce k:parts {reqm A r n I B};
  49.340 -I:agl |] ==> k=n"
  49.341 +lemma uniq_Nonce_in_reqm [dest]: "[| Nonce k \<in> parts {reqm A r n I B};
  49.342 +I \<in> agl |] ==> k=n"
  49.343  by (auto simp: reqm_def dest: no_Nonce_in_agl)
  49.344  
  49.345 -lemma uniq_Nonce_in_prom [dest]: "[| Nonce k:parts {prom B ofr A r I L J C};
  49.346 -I:agl; J:agl; Nonce k ~:parts {L} |] ==> k=ofr"
  49.347 +lemma uniq_Nonce_in_prom [dest]: "[| Nonce k \<in> parts {prom B ofr A r I L J C};
  49.348 +I \<in> agl; J \<in> agl; Nonce k \<notin> parts {L} |] ==> k=ofr"
  49.349  by (auto simp: prom_def dest: no_Nonce_in_agl no_Nonce_in_appdel)
  49.350  
  49.351  subsection\<open>requests are guarded\<close>
  49.352  
  49.353 -lemma req_imp_Guard [rule_format]: "[| evs:p2; A ~:bad |] ==>
  49.354 -req A r n I B:set evs --> Guard n {priK A} (spies evs)"
  49.355 +lemma req_imp_Guard [rule_format]: "[| evs \<in> p2; A \<notin> bad |] ==>
  49.356 +req A r n I B \<in> set evs \<longrightarrow> Guard n {priK A} (spies evs)"
  49.357  apply (erule p2.induct, simp)
  49.358  apply (simp add: req_def knows.simps, safe)
  49.359  apply (erule in_synth_Guard, erule Guard_analz, simp)
  49.360  by (auto simp: req_def pro_def dest: Says_imp_knows_Spy)
  49.361  
  49.362 -lemma req_imp_Guard_Friend: "[| evs:p2; A ~:bad; req A r n I B:set evs |]
  49.363 +lemma req_imp_Guard_Friend: "[| evs \<in> p2; A \<notin> bad; req A r n I B \<in> set evs |]
  49.364  ==> Guard n {priK A} (knows_max (Friend C) evs)"
  49.365  apply (rule Guard_knows_max')
  49.366  apply (rule_tac H="spies evs" in Guard_mono)
  49.367 @@ -391,8 +391,8 @@
  49.368  
  49.369  subsection\<open>propositions are guarded\<close>
  49.370  
  49.371 -lemma pro_imp_Guard [rule_format]: "[| evs:p2; B ~:bad; A ~:bad |] ==>
  49.372 -pro B ofr A r I (cons M L) J C:set evs --> Guard ofr {priK A} (spies evs)"
  49.373 +lemma pro_imp_Guard [rule_format]: "[| evs \<in> p2; B \<notin> bad; A \<notin> bad |] ==>
  49.374 +pro B ofr A r I (cons M L) J C \<in> set evs \<longrightarrow> Guard ofr {priK A} (spies evs)"
  49.375  apply (erule p2.induct) (* +3 subgoals *)
  49.376  (* Nil *)
  49.377  apply simp
  49.378 @@ -428,8 +428,8 @@
  49.379  apply (simp add: pro_def)
  49.380  by (blast dest: Says_imp_knows_Spy)
  49.381  
  49.382 -lemma pro_imp_Guard_Friend: "[| evs:p2; B ~:bad; A ~:bad;
  49.383 -pro B ofr A r I (cons M L) J C:set evs |]
  49.384 +lemma pro_imp_Guard_Friend: "[| evs \<in> p2; B \<notin> bad; A \<notin> bad;
  49.385 +pro B ofr A r I (cons M L) J C \<in> set evs |]
  49.386  ==> Guard ofr {priK A} (knows_max (Friend D) evs)"
  49.387  apply (rule Guard_knows_max')
  49.388  apply (rule_tac H="spies evs" in Guard_mono)
  49.389 @@ -441,23 +441,23 @@
  49.390  subsection\<open>data confidentiality:
  49.391  no one other than the originator can decrypt the offers\<close>
  49.392  
  49.393 -lemma Nonce_req_notin_spies: "[| evs:p2; req A r n I B:set evs; A ~:bad |]
  49.394 -==> Nonce n ~:analz (spies evs)"
  49.395 +lemma Nonce_req_notin_spies: "[| evs \<in> p2; req A r n I B \<in> set evs; A \<notin> bad |]
  49.396 +==> Nonce n \<notin> analz (spies evs)"
  49.397  by (frule req_imp_Guard, simp+, erule Guard_Nonce_analz, simp+)
  49.398  
  49.399 -lemma Nonce_req_notin_knows_max_Friend: "[| evs:p2; req A r n I B:set evs;
  49.400 -A ~:bad; A ~= Friend C |] ==> Nonce n ~:analz (knows_max (Friend C) evs)"
  49.401 +lemma Nonce_req_notin_knows_max_Friend: "[| evs \<in> p2; req A r n I B \<in> set evs;
  49.402 +A \<notin> bad; A \<noteq> Friend C |] ==> Nonce n \<notin> analz (knows_max (Friend C) evs)"
  49.403  apply (clarify, frule_tac C=C in req_imp_Guard_Friend, simp+)
  49.404  apply (simp add: knows_max_def, drule Guard_invKey_keyset, simp+)
  49.405  by (drule priK_notin_knows_max_Friend, auto simp: knows_max_def)
  49.406  
  49.407 -lemma Nonce_pro_notin_spies: "[| evs:p2; B ~:bad; A ~:bad;
  49.408 -pro B ofr A r I (cons M L) J C:set evs |] ==> Nonce ofr ~:analz (spies evs)"
  49.409 +lemma Nonce_pro_notin_spies: "[| evs \<in> p2; B \<notin> bad; A \<notin> bad;
  49.410 +pro B ofr A r I (cons M L) J C \<in> set evs |] ==> Nonce ofr \<notin> analz (spies evs)"
  49.411  by (frule pro_imp_Guard, simp+, erule Guard_Nonce_analz, simp+)
  49.412  
  49.413 -lemma Nonce_pro_notin_knows_max_Friend: "[| evs:p2; B ~:bad; A ~:bad;
  49.414 -A ~= Friend D; pro B ofr A r I (cons M L) J C:set evs |]
  49.415 -==> Nonce ofr ~:analz (knows_max (Friend D) evs)"
  49.416 +lemma Nonce_pro_notin_knows_max_Friend: "[| evs \<in> p2; B \<notin> bad; A \<notin> bad;
  49.417 +A \<noteq> Friend D; pro B ofr A r I (cons M L) J C \<in> set evs |]
  49.418 +==> Nonce ofr \<notin> analz (knows_max (Friend D) evs)"
  49.419  apply (clarify, frule_tac A=A in pro_imp_Guard_Friend, simp+)
  49.420  apply (simp add: knows_max_def, drule Guard_invKey_keyset, simp+)
  49.421  by (drule priK_notin_knows_max_Friend, auto simp: knows_max_def)
  49.422 @@ -465,71 +465,71 @@
  49.423  subsection\<open>forward privacy:
  49.424  only the originator can know the identity of the shops\<close>
  49.425  
  49.426 -lemma forward_privacy_Spy: "[| evs:p2; B ~:bad; A ~:bad;
  49.427 -pro B ofr A r I (cons M L) J C:set evs |]
  49.428 -==> sign B (Nonce ofr) ~:analz (spies evs)"
  49.429 +lemma forward_privacy_Spy: "[| evs \<in> p2; B \<notin> bad; A \<notin> bad;
  49.430 +pro B ofr A r I (cons M L) J C \<in> set evs |]
  49.431 +==> sign B (Nonce ofr) \<notin> analz (spies evs)"
  49.432  by (auto simp:sign_def dest: Nonce_pro_notin_spies)
  49.433  
  49.434 -lemma forward_privacy_Friend: "[| evs:p2; B ~:bad; A ~:bad; A ~= Friend D;
  49.435 -pro B ofr A r I (cons M L) J C:set evs |]
  49.436 -==> sign B (Nonce ofr) ~:analz (knows_max (Friend D) evs)"
  49.437 +lemma forward_privacy_Friend: "[| evs \<in> p2; B \<notin> bad; A \<notin> bad; A \<noteq> Friend D;
  49.438 +pro B ofr A r I (cons M L) J C \<in> set evs |]
  49.439 +==> sign B (Nonce ofr) \<notin> analz (knows_max (Friend D) evs)"
  49.440  by (auto simp:sign_def dest:Nonce_pro_notin_knows_max_Friend )
  49.441  
  49.442  subsection\<open>non repudiability: an offer signed by B has been sent by B\<close>
  49.443  
  49.444 -lemma Crypt_reqm: "[| Crypt (priK A) X:parts {reqm A' r n I B}; I:agl |] ==> A=A'"
  49.445 +lemma Crypt_reqm: "[| Crypt (priK A) X \<in> parts {reqm A' r n I B}; I \<in> agl |] ==> A=A'"
  49.446  by (auto simp: reqm_def anchor_def chain_def sign_def dest: no_Crypt_in_agl)
  49.447  
  49.448 -lemma Crypt_prom: "[| Crypt (priK A) X:parts {prom B ofr A' r I L J C};
  49.449 -I:agl; J:agl |] ==> A=B | Crypt (priK A) X:parts {L}"
  49.450 +lemma Crypt_prom: "[| Crypt (priK A) X \<in> parts {prom B ofr A' r I L J C};
  49.451 +I \<in> agl; J \<in> agl |] ==> A=B | Crypt (priK A) X \<in> parts {L}"
  49.452  apply (simp add: prom_def anchor_def chain_def sign_def)
  49.453  by (blast dest: no_Crypt_in_agl no_Crypt_in_appdel)
  49.454  
  49.455 -lemma Crypt_safeness: "[| evs:p2; A ~:bad |] ==> Crypt (priK A) X:parts (spies evs)
  49.456 ---> (EX B Y. Says A B Y:set evs & Crypt (priK A) X:parts {Y})"
  49.457 +lemma Crypt_safeness: "[| evs \<in> p2; A \<notin> bad |] ==> Crypt (priK A) X \<in> parts (spies evs)
  49.458 +\<longrightarrow> (\<exists>B Y. Says A B Y \<in> set evs & Crypt (priK A) X \<in> parts {Y})"
  49.459  apply (erule p2.induct)
  49.460  (* Nil *)
  49.461  apply simp
  49.462  (* Fake *)
  49.463  apply clarsimp
  49.464 -apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
  49.465 +apply (drule_tac P="\<lambda>G. Crypt (priK A) X \<in> G" in parts_insert_substD, simp)
  49.466  apply (erule disjE)
  49.467  apply (drule_tac K="priK A" in Crypt_synth, simp+, blast, blast)
  49.468  (* Request *)
  49.469  apply (simp add: req_def, clarify)
  49.470 -apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
  49.471 +apply (drule_tac P="\<lambda>G. Crypt (priK A) X \<in> G" in parts_insert_substD, simp)
  49.472  apply (erule disjE)
  49.473  apply (frule Crypt_reqm, simp, clarify)
  49.474  apply (rule_tac x=B in exI, rule_tac x="reqm A r n I B" in exI, simp, blast)
  49.475  (* Propose *)
  49.476  apply (simp add: pro_def, clarify)
  49.477 -apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
  49.478 +apply (drule_tac P="\<lambda>G. Crypt (priK A) X \<in> G" in parts_insert_substD, simp)
  49.479  apply (rotate_tac -1, erule disjE)
  49.480  apply (frule Crypt_prom, simp, simp)
  49.481  apply (rotate_tac -1, erule disjE)
  49.482  apply (rule_tac x=C in exI)
  49.483  apply (rule_tac x="prom B ofr Aa r I (cons M L) J C" in exI, blast)
  49.484 -apply (subgoal_tac "cons M L:parts (spies evsp)")
  49.485 +apply (subgoal_tac "cons M L \<in> parts (spies evsp)")
  49.486  apply (drule_tac G="{cons M L}" and H="spies evsp" in parts_trans, blast, blast)
  49.487  apply (drule Says_imp_spies, rotate_tac -1, drule parts.Inj)
  49.488  apply (drule parts.Snd, drule parts.Snd, drule parts.Snd)
  49.489  by auto
  49.490  
  49.491 -lemma Crypt_Hash_imp_sign: "[| evs:p2; A ~:bad |] ==>
  49.492 -Crypt (priK A) (Hash X):parts (spies evs)
  49.493 ---> (EX B Y. Says A B Y:set evs & sign A X:parts {Y})"
  49.494 +lemma Crypt_Hash_imp_sign: "[| evs \<in> p2; A \<notin> bad |] ==>
  49.495 +Crypt (priK A) (Hash X) \<in> parts (spies evs)
  49.496 +\<longrightarrow> (\<exists>B Y. Says A B Y \<in> set evs \<and> sign A X \<in> parts {Y})"
  49.497  apply (erule p2.induct)
  49.498  (* Nil *)
  49.499  apply simp
  49.500  (* Fake *)
  49.501  apply clarsimp
  49.502 -apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
  49.503 +apply (drule_tac P="\<lambda>G. Crypt (priK A) (Hash X) \<in> G" in parts_insert_substD)
  49.504  apply simp
  49.505  apply (erule disjE)
  49.506  apply (drule_tac K="priK A" in Crypt_synth, simp+, blast, blast)
  49.507  (* Request *)
  49.508  apply (simp add: req_def, clarify)
  49.509 -apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
  49.510 +apply (drule_tac P="\<lambda>G. Crypt (priK A) (Hash X) \<in> G" in parts_insert_substD)
  49.511  apply simp
  49.512  apply (erule disjE)
  49.513  apply (frule Crypt_reqm, simp+)
  49.514 @@ -538,7 +538,7 @@
  49.515  apply (simp add: chain_def sign_def, blast)
  49.516  (* Propose *)
  49.517  apply (simp add: pro_def, clarify)
  49.518 -apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
  49.519 +apply (drule_tac P="\<lambda>G. Crypt (priK A) (Hash X) \<in> G" in parts_insert_substD)
  49.520  apply simp
  49.521  apply (rotate_tac -1, erule disjE)
  49.522  apply (simp add: prom_def sign_def no_Crypt_in_agl no_Crypt_in_appdel)
  49.523 @@ -552,8 +552,8 @@
  49.524  apply (blast del: MPair_parts)+
  49.525  done
  49.526  
  49.527 -lemma sign_safeness: "[| evs:p2; A ~:bad |] ==> sign A X:parts (spies evs)
  49.528 ---> (EX B Y. Says A B Y:set evs & sign A X:parts {Y})"
  49.529 +lemma sign_safeness: "[| evs \<in> p2; A \<notin> bad |] ==> sign A X \<in> parts (spies evs)
  49.530 +\<longrightarrow> (\<exists>B Y. Says A B Y \<in> set evs \<and> sign A X \<in> parts {Y})"
  49.531  apply (clarify, simp add: sign_def, frule parts.Snd)
  49.532  apply (blast dest: Crypt_Hash_imp_sign [unfolded sign_def])
  49.533  done
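Review bot: The rewritten statement of `Crypt_safeness` (the added line `\<longrightarrow> (\<exists>B Y. Says A B Y \<in> set evs & Crypt (priK A) X \<in> parts {Y})"`) still carries an ASCII `&`, while the parallel conclusions of `Crypt_Hash_imp_sign` and `sign_safeness` in this same file now read `\<and>`; for a commit whose only purpose is notation, that line should read `\<longrightarrow> (\<exists>B Y. Says A B Y \<in> set evs \<and> Crypt (priK A) X \<in> parts {Y})"`. The same hunk leaves `A=B | Crypt (priK A) X \<in> parts {L}` in `Crypt_prom` with an ASCII `|` where `\<or>` would match the surrounding symbols. A third mixed form is the `[| ... |] ==>` premise notation kept on several rewritten lemma heads (`req_imp_Guard`, `pro_imp_Guard`, `priK_parts_Friend_imp_bad`) while others in this section switched to `\<Longrightarrow>` (`valid_not_empty`, `p2_has_no_Gets`). These notations are equivalent, so this is purely a point of style and consistency, not of meaning.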
    50.1 --- a/src/HOL/Auth/Guard/Proto.thy	Tue Feb 13 14:24:50 2018 +0100
    50.2 +++ b/src/HOL/Auth/Guard/Proto.thy	Thu Feb 15 12:11:00 2018 +0100
    50.3 @@ -18,8 +18,8 @@
    50.4  type_synonym proto = "rule set"
    50.5  
    50.6  definition wdef :: "proto => bool" where
    50.7 -"wdef p == ALL R k. R:p --> Number k:parts {msg' R}
    50.8 ---> Number k:parts (msg`(fst R))"
    50.9 +"wdef p \<equiv> \<forall>R k. R \<in> p \<longrightarrow> Number k \<in> parts {msg' R}
   50.10 +\<longrightarrow> Number k \<in> parts (msg`(fst R))"
   50.11  
   50.12  subsection\<open>substitutions\<close>
   50.13  
   50.14 @@ -36,89 +36,89 @@
   50.15  | "apm s (Key K) = Key (key s K)"
   50.16  | "apm s (Hash X) = Hash (apm s X)"
   50.17  | "apm s (Crypt K X) = (
   50.18 -if (EX A. K = pubK A) then Crypt (pubK (agent s (agt K))) (apm s X)
   50.19 -else if (EX A. K = priK A) then Crypt (priK (agent s (agt K))) (apm s X)
   50.20 +if (\<exists>A. K = pubK A) then Crypt (pubK (agent s (agt K))) (apm s X)
   50.21 +else if (\<exists>A. K = priK A) then Crypt (priK (agent s (agt K))) (apm s X)
   50.22  else Crypt (key s K) (apm s X))"
   50.23  | "apm s \<lbrace>X,Y\<rbrace> = \<lbrace>apm s X, apm s Y\<rbrace>"
   50.24  
   50.25 -lemma apm_parts: "X:parts {Y} ==> apm s X:parts {apm s Y}"
   50.26 +lemma apm_parts: "X \<in> parts {Y} \<Longrightarrow> apm s X \<in> parts {apm s Y}"
   50.27  apply (erule parts.induct, simp_all, blast)
   50.28  apply (erule parts.Fst)
   50.29  apply (erule parts.Snd)
   50.30  by (erule parts.Body)+
   50.31  
   50.32 -lemma Nonce_apm [rule_format]: "Nonce n:parts {apm s X} ==>
   50.33 -(ALL k. Number k:parts {X} --> Nonce n ~:parts {nb s k}) -->
   50.34 -(EX k. Nonce k:parts {X} & nonce s k = n)"
   50.35 +lemma Nonce_apm [rule_format]: "Nonce n \<in> parts {apm s X} \<Longrightarrow>
   50.36 +(\<forall>k. Number k \<in> parts {X} \<longrightarrow> Nonce n \<notin> parts {nb s k}) \<longrightarrow>
   50.37 +(\<exists>k. Nonce k \<in> parts {X} \<and> nonce s k = n)"
   50.38  by (induct X, simp_all, blast)
   50.39  
   50.40 -lemma wdef_Nonce: "[| Nonce n:parts {apm s X}; R:p; msg' R = X; wdef p;
   50.41 -Nonce n ~:parts (apm s `(msg `(fst R))) |] ==>
   50.42 -(EX k. Nonce k:parts {X} & nonce s k = n)"
   50.43 +lemma wdef_Nonce: "[| Nonce n \<in> parts {apm s X}; R \<in> p; msg' R = X; wdef p;
   50.44 +Nonce n \<notin> parts (apm s `(msg `(fst R))) |] ==>
   50.45 +(\<exists>k. Nonce k \<in> parts {X} \<and> nonce s k = n)"
   50.46  apply (erule Nonce_apm, unfold wdef_def)
   50.47  apply (drule_tac x=R in spec, drule_tac x=k in spec, clarsimp)
   50.48  apply (drule_tac x=x in bspec, simp)
   50.49  apply (drule_tac Y="msg x" and s=s in apm_parts, simp)
   50.50  by (blast dest: parts_parts)
   50.51  
   50.52 -primrec ap :: "subs => event => event" where
   50.53 +primrec ap :: "subs \<Rightarrow> event \<Rightarrow> event" where
   50.54    "ap s (Says A B X) = Says (agent s A) (agent s B) (apm s X)"
   50.55  | "ap s (Gets A X) = Gets (agent s A) (apm s X)"
   50.56  | "ap s (Notes A X) = Notes (agent s A) (apm s X)"
   50.57  
   50.58  abbreviation
   50.59 -  ap' :: "subs => rule => event" where
   50.60 -  "ap' s R == ap s (snd R)"
   50.61 +  ap' :: "subs \<Rightarrow> rule \<Rightarrow> event" where
   50.62 +  "ap' s R \<equiv> ap s (snd R)"
   50.63  
   50.64  abbreviation
   50.65 -  apm' :: "subs => rule => msg" where
   50.66 -  "apm' s R == apm s (msg' R)"
   50.67 +  apm' :: "subs \<Rightarrow> rule \<Rightarrow> msg" where
   50.68 +  "apm' s R \<equiv> apm s (msg' R)"
   50.69  
   50.70  abbreviation
   50.71 -  priK' :: "subs => agent => key" where
   50.72 -  "priK' s A == priK (agent s A)"
   50.73 +  priK' :: "subs \<Rightarrow> agent \<Rightarrow> key" where
   50.74 +  "priK' s A \<equiv> priK (agent s A)"
   50.75  
   50.76  abbreviation
   50.77 -  pubK' :: "subs => agent => key" where
   50.78 -  "pubK' s A == pubK (agent s A)"
   50.79 +  pubK' :: "subs \<Rightarrow> agent \<Rightarrow> key" where
   50.80 +  "pubK' s A \<equiv> pubK (agent s A)"
   50.81  
   50.82  subsection\<open>nonces generated by a rule\<close>
   50.83  
   50.84 -definition newn :: "rule => nat set" where
   50.85 -"newn R == {n. Nonce n:parts {msg (snd R)} & Nonce n ~:parts (msg`(fst R))}"
   50.86 +definition newn :: "rule \<Rightarrow> nat set" where
   50.87 +"newn R \<equiv> {n. Nonce n \<in> parts {msg (snd R)} \<and> Nonce n \<notin> parts (msg`(fst R))}"
   50.88  
   50.89 -lemma newn_parts: "n:newn R ==> Nonce (nonce s n):parts {apm' s R}"
   50.90 +lemma newn_parts: "n \<in> newn R \<Longrightarrow> Nonce (nonce s n) \<in> parts {apm' s R}"
   50.91  by (auto simp: newn_def dest: apm_parts)
   50.92  
   50.93  subsection\<open>traces generated by a protocol\<close>
   50.94  
   50.95 -definition ok :: "event list => rule => subs => bool" where
   50.96 -"ok evs R s == ((ALL x. x:fst R --> ap s x:set evs)
   50.97 -& (ALL n. n:newn R --> Nonce (nonce s n) ~:used evs))"
   50.98 +definition ok :: "event list \<Rightarrow> rule \<Rightarrow> subs \<Rightarrow> bool" where
   50.99 +"ok evs R s \<equiv> ((\<forall>x. x \<in> fst R \<longrightarrow> ap s x \<in> set evs)
  50.100 +\<and> (\<forall>n. n \<in> newn R \<longrightarrow> Nonce (nonce s n) \<notin> used evs))"
  50.101  
  50.102  inductive_set
  50.103    tr :: "proto => event list set"
  50.104    for p :: proto
  50.105  where
  50.106  
  50.107 -  Nil [intro]: "[]:tr p"
  50.108 +  Nil [intro]: "[] \<in> tr p"
  50.109  
  50.110 -| Fake [intro]: "[| evsf:tr p; X:synth (analz (spies evsf)) |]
  50.111 -  ==> Says Spy B X # evsf:tr p"
  50.112 +| Fake [intro]: "[| evsf \<in> tr p; X \<in> synth (analz (spies evsf)) |]
  50.113 +  ==> Says Spy B X # evsf \<in> tr p"
  50.114  
  50.115 -| Proto [intro]: "[| evs:tr p; R:p; ok evs R s |] ==> ap' s R # evs:tr p"
  50.116 +| Proto [intro]: "[| evs \<in> tr p; R \<in> p; ok evs R s |] ==> ap' s R # evs \<in> tr p"
  50.117  
  50.118  subsection\<open>general properties\<close>
  50.119  
  50.120  lemma one_step_tr [iff]: "one_step (tr p)"
  50.121  apply (unfold one_step_def, clarify)
  50.122 -by (ind_cases "ev # evs:tr p" for ev evs, auto)
  50.123 +by (ind_cases "ev # evs \<in> tr p" for ev evs, auto)
  50.124  
  50.125  definition has_only_Says' :: "proto => bool" where
  50.126 -"has_only_Says' p == ALL R. R:p --> is_Says (snd R)"
  50.127 +"has_only_Says' p \<equiv> \<forall>R. R \<in> p \<longrightarrow> is_Says (snd R)"
  50.128  
  50.129 -lemma has_only_Says'D: "[| R:p; has_only_Says' p |]
  50.130 -==> (EX A B X. snd R = Says A B X)"
  50.131 +lemma has_only_Says'D: "[| R \<in> p; has_only_Says' p |]
  50.132 +==> (\<exists>A B X. snd R = Says A B X)"
  50.133  by (unfold has_only_Says'_def is_Says_def, blast)
  50.134  
  50.135  lemma has_only_Says_tr [simp]: "has_only_Says' p ==> has_only_Says (tr p)"
  50.136 @@ -129,17 +129,17 @@
  50.137  by (drule_tac x=a in spec, auto simp: is_Says_def)
  50.138  
  50.139  lemma has_only_Says'_in_trD: "[| has_only_Says' p; list @ ev # evs1 \<in> tr p |]
  50.140 -==> (EX A B X. ev = Says A B X)"
  50.141 +==> (\<exists>A B X. ev = Says A B X)"
  50.142  by (drule has_only_Says_tr, auto)
  50.143  
  50.144 -lemma ok_not_used: "[| Nonce n ~:used evs; ok evs R s;
  50.145 -ALL x. x:fst R --> is_Says x |] ==> Nonce n ~:parts (apm s `(msg `(fst R)))"
  50.146 +lemma ok_not_used: "[| Nonce n \<notin> used evs; ok evs R s;
  50.147 +\<forall>x. x \<in> fst R \<longrightarrow> is_Says x |] ==> Nonce n \<notin> parts (apm s `(msg `(fst R)))"
  50.148  apply (unfold ok_def, clarsimp)
  50.149  apply (drule_tac x=x in spec, drule_tac x=x in spec)
  50.150  by (auto simp: is_Says_def dest: Says_imp_spies not_used_not_spied parts_parts)
  50.151  
  50.152 -lemma ok_is_Says: "[| evs' @ ev # evs:tr p; ok evs R s; has_only_Says' p;
  50.153 -R:p; x:fst R |] ==> is_Says x"
  50.154 +lemma ok_is_Says: "[| evs' @ ev # evs \<in> tr p; ok evs R s; has_only_Says' p;
  50.155 +R \<in> p; x \<in> fst R |] ==> is_Says x"
  50.156  apply (unfold ok_def is_Says_def, clarify)
  50.157  apply (drule_tac x=x in spec, simp)
  50.158  apply (subgoal_tac "one_step (tr p)")
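Review bot: The new side of `ok_not_used` and `ok_is_Says` mixes notations: the premises now use `\<in>`/`\<notin>`/`\<forall>`/`\<longrightarrow>`, but the enclosing meta-level brackets and arrow stay ASCII (`[| ... |] ==>`), whereas `apm_parts`, `Nonce_apm` and `freshD` in the same file were switched to `\<Longrightarrow>`. If the pass is meant to be complete rather than incremental, the statement would read uniformly as `lemma ok_not_used: "\<lbrakk>Nonce n \<notin> used evs; ok evs R s; \<forall>x. x \<in> fst R \<longrightarrow> is_Says x\<rbrakk> \<Longrightarrow> Nonce n \<notin> parts (apm s `(msg `(fst R)))"`. The same partial conversion appears in `freshI`, `freshI'` and `fresh_used` in the hunk at -149, in the unchanged type signature `monoton :: "proto => keyfun => bool"` next to the converted `\<Rightarrow>` definitions in the hunk at -216, and in the KerberosIV.thy abbreviations `CT`, `expiredAK`, `expiredSK`, `expiredA`, `valid` and `AKcryptSK` in the hunk at -79, which keep `==` while Proto.thy's abbreviations were moved to `\<equiv>`. This may be intentional staging for a later "more symbols" step; if so, a one-line remark in the commit description would spare reviewers the check. The proof of `ok_is_Says` continues past the end of this hunk.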
  50.159 @@ -149,42 +149,42 @@
  50.160  
  50.161  subsection\<open>types\<close>
  50.162  
  50.163 -type_synonym keyfun = "rule => subs => nat => event list => key set"
  50.164 +type_synonym keyfun = "rule \<Rightarrow> subs \<Rightarrow> nat \<Rightarrow> event list \<Rightarrow> key set"
  50.165  
  50.166 -type_synonym secfun = "rule => nat => subs => key set => msg"
  50.167 +type_synonym secfun = "rule \<Rightarrow> nat \<Rightarrow> subs \<Rightarrow> key set \<Rightarrow> msg"
  50.168  
  50.169  subsection\<open>introduction of a fresh guarded nonce\<close>
  50.170  
  50.171 -definition fresh :: "proto => rule => subs => nat => key set => event list
  50.172 -=> bool" where
  50.173 -"fresh p R s n Ks evs == (EX evs1 evs2. evs = evs2 @ ap' s R # evs1
  50.174 -& Nonce n ~:used evs1 & R:p & ok evs1 R s & Nonce n:parts {apm' s R}
  50.175 -& apm' s R:guard n Ks)"
  50.176 +definition fresh :: "proto \<Rightarrow> rule \<Rightarrow> subs \<Rightarrow> nat \<Rightarrow> key set \<Rightarrow> event list
  50.177 +\<Rightarrow> bool" where
  50.178 +"fresh p R s n Ks evs \<equiv> (\<exists>evs1 evs2. evs = evs2 @ ap' s R # evs1
  50.179 +\<and> Nonce n \<notin> used evs1 \<and> R \<in> p \<and> ok evs1 R s \<and> Nonce n \<in> parts {apm' s R}
  50.180 +\<and> apm' s R \<in> guard n Ks)"
  50.181  
  50.182 -lemma freshD: "fresh p R s n Ks evs ==> (EX evs1 evs2.
  50.183 -evs = evs2 @ ap' s R # evs1 & Nonce n ~:used evs1 & R:p & ok evs1 R s
  50.184 -& Nonce n:parts {apm' s R} & apm' s R:guard n Ks)"
  50.185 +lemma freshD: "fresh p R s n Ks evs \<Longrightarrow> (\<exists>evs1 evs2.
  50.186 +evs = evs2 @ ap' s R # evs1 \<and> Nonce n \<notin> used evs1 \<and> R \<in> p \<and> ok evs1 R s
  50.187 +\<and> Nonce n \<in> parts {apm' s R} \<and> apm' s R \<in> guard n Ks)"
  50.188  by (unfold fresh_def, blast)
  50.189  
  50.190 -lemma freshI [intro]: "[| Nonce n ~:used evs1; R:p; Nonce n:parts {apm' s R};
  50.191 -ok evs1 R s; apm' s R:guard n Ks |]
  50.192 +lemma freshI [intro]: "[| Nonce n \<notin> used evs1; R \<in> p; Nonce n \<in> parts {apm' s R};
  50.193 +ok evs1 R s; apm' s R \<in> guard n Ks |]
  50.194  ==> fresh p R s n Ks (list @ ap' s R # evs1)"
  50.195  by (unfold fresh_def, blast)
  50.196  
  50.197 -lemma freshI': "[| Nonce n ~:used evs1; (l,r):p;
  50.198 -Nonce n:parts {apm s (msg r)}; ok evs1 (l,r) s; apm s (msg r):guard n Ks |]
  50.199 +lemma freshI': "[| Nonce n \<notin> used evs1; (l,r) \<in> p;
  50.200 +Nonce n \<in> parts {apm s (msg r)}; ok evs1 (l,r) s; apm s (msg r) \<in> guard n Ks |]
  50.201  ==> fresh p (l,r) s n Ks (evs2 @ ap s r # evs1)"
  50.202  by (drule freshI, simp+)
  50.203  
  50.204  lemma fresh_used: "[| fresh p R' s' n Ks evs; has_only_Says' p |]
  50.205 -==> Nonce n:used evs"
  50.206 +==> Nonce n \<in> used evs"
  50.207  apply (unfold fresh_def, clarify)
  50.208  apply (drule has_only_Says'D)
  50.209  by (auto intro: parts_used_app)
  50.210  
  50.211 -lemma fresh_newn: "[| evs' @ ap' s R # evs:tr p; wdef p; has_only_Says' p;
  50.212 -Nonce n ~:used evs; R:p; ok evs R s; Nonce n:parts {apm' s R} |]
  50.213 -==> EX k. k:newn R & nonce s k = n"
  50.214 +lemma fresh_newn: "[| evs' @ ap' s R # evs \<in> tr p; wdef p; has_only_Says' p;
  50.215 +Nonce n \<notin> used evs; R \<in> p; ok evs R s; Nonce n \<in> parts {apm' s R} |]
  50.216 +==> \<exists>k. k \<in> newn R \<and> nonce s k = n"
  50.217  apply (drule wdef_Nonce, simp+)
  50.218  apply (frule ok_not_used, simp+)
  50.219  apply (clarify, erule ok_is_Says, simp+)
  50.220 @@ -193,22 +193,22 @@
  50.221  apply (drule ok_not_used, simp+)
  50.222  by (clarify, erule ok_is_Says, simp_all)
  50.223  
  50.224 -lemma fresh_rule: "[| evs' @ ev # evs:tr p; wdef p; Nonce n ~:used evs;
  50.225 -Nonce n:parts {msg ev} |] ==> EX R s. R:p & ap' s R = ev"
  50.226 -apply (drule trunc, simp, ind_cases "ev # evs:tr p", simp)
  50.227 +lemma fresh_rule: "[| evs' @ ev # evs \<in> tr p; wdef p; Nonce n \<notin> used evs;
  50.228 +Nonce n \<in> parts {msg ev} |] ==> \<exists>R s. R \<in> p \<and> ap' s R = ev"
  50.229 +apply (drule trunc, simp, ind_cases "ev # evs \<in> tr p", simp)
  50.230  by (drule_tac x=X in in_sub, drule parts_sub, simp, simp, blast+)
  50.231  
  50.232 -lemma fresh_ruleD: "[| fresh p R' s' n Ks evs; keys R' s' n evs <= Ks; wdef p;
  50.233 -has_only_Says' p; evs:tr p; ALL R k s. nonce s k = n --> Nonce n:used evs -->
  50.234 -R:p --> k:newn R --> Nonce n:parts {apm' s R} --> apm' s R:guard n Ks -->
  50.235 -apm' s R:parts (spies evs) --> keys R s n evs <= Ks --> P |] ==> P"
  50.236 +lemma fresh_ruleD: "[| fresh p R' s' n Ks evs; keys R' s' n evs \<subseteq> Ks; wdef p;
  50.237 +has_only_Says' p; evs \<in> tr p; \<forall>R k s. nonce s k = n \<longrightarrow> Nonce n \<in> used evs \<longrightarrow>
  50.238 +R \<in> p \<longrightarrow> k \<in> newn R \<longrightarrow> Nonce n \<in> parts {apm' s R} \<longrightarrow> apm' s R \<in> guard n Ks \<longrightarrow>
  50.239 +apm' s R \<in> parts (spies evs) \<longrightarrow> keys R s n evs \<subseteq> Ks \<longrightarrow> P |] ==> P"
  50.240  apply (frule fresh_used, simp)
  50.241  apply (unfold fresh_def, clarify)
  50.242  apply (drule_tac x=R' in spec)
  50.243  apply (drule fresh_newn, simp+, clarify)
  50.244  apply (drule_tac x=k in spec)
  50.245  apply (drule_tac x=s' in spec)
  50.246 -apply (subgoal_tac "apm' s' R':parts (spies (evs2 @ ap' s' R' # evs1))")
  50.247 +apply (subgoal_tac "apm' s' R' \<in> parts (spies (evs2 @ ap' s' R' # evs1))")
  50.248  apply (case_tac R', drule has_only_Says'D, simp, clarsimp)
  50.249  apply (case_tac R', drule has_only_Says'D, simp, clarsimp)
  50.250  apply (rule_tac Y="apm s' X" in parts_parts, blast)
  50.251 @@ -216,50 +216,50 @@
  50.252  
  50.253  subsection\<open>safe keys\<close>
  50.254  
  50.255 -definition safe :: "key set => msg set => bool" where
  50.256 -"safe Ks G == ALL K. K:Ks --> Key K ~:analz G"
  50.257 +definition safe :: "key set \<Rightarrow> msg set \<Rightarrow> bool" where
  50.258 +"safe Ks G \<equiv> \<forall>K. K \<in> Ks \<longrightarrow> Key K \<notin> analz G"
  50.259  
  50.260 -lemma safeD [dest]: "[| safe Ks G; K:Ks |] ==> Key K ~:analz G"
  50.261 +lemma safeD [dest]: "[| safe Ks G; K \<in> Ks |] ==> Key K \<notin> analz G"
  50.262  by (unfold safe_def, blast)
  50.263  
  50.264  lemma safe_insert: "safe Ks (insert X G) ==> safe Ks G"
  50.265  by (unfold safe_def, blast)
  50.266  
  50.267 -lemma Guard_safe: "[| Guard n Ks G; safe Ks G |] ==> Nonce n ~:analz G"
  50.268 +lemma Guard_safe: "[| Guard n Ks G; safe Ks G |] ==> Nonce n \<notin> analz G"
  50.269  by (blast dest: Guard_invKey)
  50.270  
  50.271  subsection\<open>guardedness preservation\<close>
  50.272  
  50.273 -definition preserv :: "proto => keyfun => nat => key set => bool" where
  50.274 -"preserv p keys n Ks == (ALL evs R' s' R s. evs:tr p -->
  50.275 -Guard n Ks (spies evs) --> safe Ks (spies evs) --> fresh p R' s' n Ks evs -->
  50.276 -keys R' s' n evs <= Ks --> R:p --> ok evs R s --> apm' s R:guard n Ks)"
  50.277 +definition preserv :: "proto \<Rightarrow> keyfun \<Rightarrow> nat \<Rightarrow> key set \<Rightarrow> bool" where
  50.278 +"preserv p keys n Ks \<equiv> (\<forall>evs R' s' R s. evs \<in> tr p \<longrightarrow>
  50.279 +Guard n Ks (spies evs) \<longrightarrow> safe Ks (spies evs) \<longrightarrow> fresh p R' s' n Ks evs \<longrightarrow>
  50.280 +keys R' s' n evs \<subseteq> Ks \<longrightarrow> R \<in> p \<longrightarrow> ok evs R s \<longrightarrow> apm' s R \<in> guard n Ks)"
  50.281  
  50.282 -lemma preservD: "[| preserv p keys n Ks; evs:tr p; Guard n Ks (spies evs);
  50.283 -safe Ks (spies evs); fresh p R' s' n Ks evs; R:p; ok evs R s;
  50.284 -keys R' s' n evs <= Ks |] ==> apm' s R:guard n Ks"
  50.285 +lemma preservD: "[| preserv p keys n Ks; evs \<in> tr p; Guard n Ks (spies evs);
  50.286 +safe Ks (spies evs); fresh p R' s' n Ks evs; R \<in> p; ok evs R s;
  50.287 +keys R' s' n evs \<subseteq> Ks |] ==> apm' s R \<in> guard n Ks"
  50.288  by (unfold preserv_def, blast)
  50.289  
  50.290 -lemma preservD': "[| preserv p keys n Ks; evs:tr p; Guard n Ks (spies evs);
  50.291 -safe Ks (spies evs); fresh p R' s' n Ks evs; (l,Says A B X):p;
  50.292 -ok evs (l,Says A B X) s; keys R' s' n evs <= Ks |] ==> apm s X:guard n Ks"
  50.293 +lemma preservD': "[| preserv p keys n Ks; evs \<in> tr p; Guard n Ks (spies evs);
  50.294 +safe Ks (spies evs); fresh p R' s' n Ks evs; (l,Says A B X) \<in> p;
  50.295 +ok evs (l,Says A B X) s; keys R' s' n evs \<subseteq> Ks |] ==> apm s X \<in> guard n Ks"
  50.296  by (drule preservD, simp+)
  50.297  
  50.298  subsection\<open>monotonic keyfun\<close>
  50.299  
  50.300  definition monoton :: "proto => keyfun => bool" where
  50.301 -"monoton p keys == ALL R' s' n ev evs. ev # evs:tr p -->
  50.302 -keys R' s' n evs <= keys R' s' n (ev # evs)"
  50.303 +"monoton p keys \<equiv> \<forall>R' s' n ev evs. ev # evs \<in> tr p \<longrightarrow>
  50.304 +keys R' s' n evs \<subseteq> keys R' s' n (ev # evs)"
  50.305  
  50.306 -lemma monotonD [dest]: "[| keys R' s' n (ev # evs) <= Ks; monoton p keys;
  50.307 -ev # evs:tr p |] ==> keys R' s' n evs <= Ks"
  50.308 +lemma monotonD [dest]: "[| keys R' s' n (ev # evs) \<subseteq> Ks; monoton p keys;
  50.309 +ev # evs \<in> tr p |] ==> keys R' s' n evs \<subseteq> Ks"
  50.310  by (unfold monoton_def, blast)
  50.311  
  50.312  subsection\<open>guardedness theorem\<close>
  50.313  
  50.314 -lemma Guard_tr [rule_format]: "[| evs:tr p; has_only_Says' p;
  50.315 +lemma Guard_tr [rule_format]: "[| evs \<in> tr p; has_only_Says' p;
  50.316  preserv p keys n Ks; monoton p keys; Guard n Ks (initState Spy) |] ==>
  50.317 -safe Ks (spies evs) --> fresh p R' s' n Ks evs --> keys R' s' n evs <= Ks -->
  50.318 +safe Ks (spies evs) \<longrightarrow> fresh p R' s' n Ks evs \<longrightarrow> keys R' s' n evs \<subseteq> Ks \<longrightarrow>
  50.319  Guard n Ks (spies evs)"
  50.320  apply (erule tr.induct)
  50.321  (* Nil *)
  50.322 @@ -297,59 +297,59 @@
  50.323  
  50.324  subsection\<open>useful properties for guardedness\<close>
  50.325  
  50.326 -lemma newn_neq_used: "[| Nonce n:used evs; ok evs R s; k:newn R |]
  50.327 -==> n ~= nonce s k"
  50.328 +lemma newn_neq_used: "[| Nonce n \<in> used evs; ok evs R s; k \<in> newn R |]
  50.329 +==> n \<noteq> nonce s k"
  50.330  by (auto simp: ok_def)
  50.331  
  50.332 -lemma ok_Guard: "[| ok evs R s; Guard n Ks (spies evs); x:fst R; is_Says x |]
  50.333 -==> apm s (msg x):parts (spies evs) & apm s (msg x):guard n Ks"
  50.334 +lemma ok_Guard: "[| ok evs R s; Guard n Ks (spies evs); x \<in> fst R; is_Says x |]
  50.335 +==> apm s (msg x) \<in> parts (spies evs) \<and> apm s (msg x) \<in> guard n Ks"
  50.336  apply (unfold ok_def is_Says_def, clarify)
  50.337  apply (drule_tac x="Says A B X" in spec, simp)
  50.338  by (drule Says_imp_spies, auto intro: parts_parts)
  50.339  
  50.340 -lemma ok_parts_not_new: "[| Y:parts (spies evs); Nonce (nonce s n):parts {Y};
  50.341 -ok evs R s |] ==> n ~:newn R"
  50.342 +lemma ok_parts_not_new: "[| Y \<in> parts (spies evs); Nonce (nonce s n) \<in> parts {Y};
  50.343 +ok evs R s |] ==> n \<notin> newn R"
  50.344  by (auto simp: ok_def dest: not_used_not_spied parts_parts)
  50.345  
  50.346  subsection\<open>unicity\<close>
  50.347  
  50.348 -definition uniq :: "proto => secfun => bool" where
  50.349 -"uniq p secret == ALL evs R R' n n' Ks s s'. R:p --> R':p -->
  50.350 -n:newn R --> n':newn R' --> nonce s n = nonce s' n' -->
  50.351 -Nonce (nonce s n):parts {apm' s R} --> Nonce (nonce s n):parts {apm' s' R'} -->
  50.352 -apm' s R:guard (nonce s n) Ks --> apm' s' R':guard (nonce s n) Ks -->
  50.353 -evs:tr p --> Nonce (nonce s n) ~:analz (spies evs) -->
  50.354 -secret R n s Ks:parts (spies evs) --> secret R' n' s' Ks:parts (spies evs) -->
  50.355 +definition uniq :: "proto \<Rightarrow> secfun \<Rightarrow> bool" where
  50.356 +"uniq p secret \<equiv> \<forall>evs R R' n n' Ks s s'. R \<in> p \<longrightarrow> R' \<in> p \<longrightarrow>
  50.357 +n \<in> newn R \<longrightarrow> n' \<in> newn R' \<longrightarrow> nonce s n = nonce s' n' \<longrightarrow>
  50.358 +Nonce (nonce s n) \<in> parts {apm' s R} \<longrightarrow> Nonce (nonce s n) \<in> parts {apm' s' R'} \<longrightarrow>
  50.359 +apm' s R \<in> guard (nonce s n) Ks \<longrightarrow> apm' s' R' \<in> guard (nonce s n) Ks \<longrightarrow>
  50.360 +evs \<in> tr p \<longrightarrow> Nonce (nonce s n) \<notin> analz (spies evs) \<longrightarrow>
  50.361 +secret R n s Ks \<in> parts (spies evs) \<longrightarrow> secret R' n' s' Ks \<in> parts (spies evs) \<longrightarrow>
  50.362  secret R n s Ks = secret R' n' s' Ks"
  50.363  
  50.364 -lemma uniqD: "[| uniq p secret; evs: tr p; R:p; R':p; n:newn R; n':newn R';
  50.365 -nonce s n = nonce s' n'; Nonce (nonce s n) ~:analz (spies evs);
  50.366 -Nonce (nonce s n):parts {apm' s R}; Nonce (nonce s n):parts {apm' s' R'};
  50.367 -secret R n s Ks:parts (spies evs); secret R' n' s' Ks:parts (spies evs);
  50.368 -apm' s R:guard (nonce s n) Ks; apm' s' R':guard (nonce s n) Ks |] ==>
  50.369 +lemma uniqD: "[| uniq p secret; evs \<in> tr p; R \<in> p; R' \<in> p; n \<in> newn R; n' \<in> newn R';
  50.370 +nonce s n = nonce s' n'; Nonce (nonce s n) \<notin> analz (spies evs);
  50.371 +Nonce (nonce s n) \<in> parts {apm' s R}; Nonce (nonce s n) \<in> parts {apm' s' R'};
  50.372 +secret R n s Ks \<in> parts (spies evs); secret R' n' s' Ks \<in> parts (spies evs);
  50.373 +apm' s R \<in> guard (nonce s n) Ks; apm' s' R' \<in> guard (nonce s n) Ks |] ==>
  50.374  secret R n s Ks = secret R' n' s' Ks"
  50.375  by (unfold uniq_def, blast)
  50.376  
  50.377 -definition ord :: "proto => (rule => rule => bool) => bool" where
  50.378 -"ord p inff == ALL R R'. R:p --> R':p --> ~ inff R R' --> inff R' R"
  50.379 +definition ord :: "proto \<Rightarrow> (rule \<Rightarrow> rule \<Rightarrow> bool) \<Rightarrow> bool" where
  50.380 +"ord p inff \<equiv> \<forall>R R'. R \<in> p \<longrightarrow> R' \<in> p \<longrightarrow> \<not> inff R R' \<longrightarrow> inff R' R"
  50.381  
  50.382 -lemma ordD: "[| ord p inff; ~ inff R R'; R:p; R':p |] ==> inff R' R"
  50.383 +lemma ordD: "[| ord p inff; \<not> inff R R'; R \<in> p; R' \<in> p |] ==> inff R' R"
  50.384  by (unfold ord_def, blast)
  50.385  
  50.386 -definition uniq' :: "proto => (rule => rule => bool) => secfun => bool" where
  50.387 -"uniq' p inff secret == ALL evs R R' n n' Ks s s'. R:p --> R':p -->
  50.388 -inff R R' --> n:newn R --> n':newn R' --> nonce s n = nonce s' n' -->
  50.389 -Nonce (nonce s n):parts {apm' s R} --> Nonce (nonce s n):parts {apm' s' R'} -->
  50.390 -apm' s R:guard (nonce s n) Ks --> apm' s' R':guard (nonce s n) Ks -->
  50.391 -evs:tr p --> Nonce (nonce s n) ~:analz (spies evs) -->
  50.392 -secret R n s Ks:parts (spies evs) --> secret R' n' s' Ks:parts (spies evs) -->
  50.393 +definition uniq' :: "proto \<Rightarrow> (rule \<Rightarrow> rule \<Rightarrow> bool) \<Rightarrow> secfun \<Rightarrow> bool" where
  50.394 +"uniq' p inff secret \<equiv> \<forall>evs R R' n n' Ks s s'. R \<in> p \<longrightarrow> R' \<in> p \<longrightarrow>
  50.395 +inff R R' \<longrightarrow> n \<in> newn R \<longrightarrow> n' \<in> newn R' \<longrightarrow> nonce s n = nonce s' n' \<longrightarrow>
  50.396 +Nonce (nonce s n) \<in> parts {apm' s R} \<longrightarrow> Nonce (nonce s n) \<in> parts {apm' s' R'} \<longrightarrow>
  50.397 +apm' s R \<in> guard (nonce s n) Ks \<longrightarrow> apm' s' R' \<in> guard (nonce s n) Ks \<longrightarrow>
  50.398 +evs \<in> tr p \<longrightarrow> Nonce (nonce s n) \<notin> analz (spies evs) \<longrightarrow>
  50.399 +secret R n s Ks \<in> parts (spies evs) \<longrightarrow> secret R' n' s' Ks \<in> parts (spies evs) \<longrightarrow>
  50.400  secret R n s Ks = secret R' n' s' Ks"
  50.401  
  50.402 -lemma uniq'D: "[| uniq' p inff secret; evs: tr p; inff R R'; R:p; R':p; n:newn R;
  50.403 -n':newn R'; nonce s n = nonce s' n'; Nonce (nonce s n) ~:analz (spies evs);
  50.404 -Nonce (nonce s n):parts {apm' s R}; Nonce (nonce s n):parts {apm' s' R'};
  50.405 -secret R n s Ks:parts (spies evs); secret R' n' s' Ks:parts (spies evs);
  50.406 -apm' s R:guard (nonce s n) Ks; apm' s' R':guard (nonce s n) Ks |] ==>
  50.407 +lemma uniq'D: "[| uniq' p inff secret; evs \<in> tr p; inff R R'; R \<in> p; R' \<in> p; n \<in> newn R;
  50.408 +n' \<in> newn R'; nonce s n = nonce s' n'; Nonce (nonce s n) \<notin> analz (spies evs);
  50.409 +Nonce (nonce s n) \<in> parts {apm' s R}; Nonce (nonce s n) \<in> parts {apm' s' R'};
  50.410 +secret R n s Ks \<in> parts (spies evs); secret R' n' s' Ks \<in> parts (spies evs);
  50.411 +apm' s R \<in> guard (nonce s n) Ks; apm' s' R' \<in> guard (nonce s n) Ks |] ==>
  50.412  secret R n s Ks = secret R' n' s' Ks"
  50.413  by (unfold uniq'_def, blast)
  50.414  
  50.415 @@ -385,9 +385,9 @@
  50.416      Says a b (Crypt (pubK b) (Nonce Nb)))"
  50.417  
  50.418  inductive_set ns :: proto where
  50.419 -  [iff]: "ns1:ns"
  50.420 -| [iff]: "ns2:ns"
  50.421 -| [iff]: "ns3:ns"
  50.422 +  [iff]: "ns1 \<in> ns"
  50.423 +| [iff]: "ns2 \<in> ns"
  50.424 +| [iff]: "ns3 \<in> ns"
  50.425  
  50.426  abbreviation (input)
  50.427    ns3a :: event where
    51.1 --- a/src/HOL/Auth/KerberosIV.thy	Tue Feb 13 14:24:50 2018 +0100
    51.2 +++ b/src/HOL/Auth/KerberosIV.thy	Thu Feb 15 12:11:00 2018 +0100
    51.3 @@ -22,7 +22,7 @@
    51.4  
    51.5  definition
    51.6   (* authKeys are those contained in an authTicket *)
    51.7 -    authKeys :: "event list => key set" where
    51.8 +    authKeys :: "event list \<Rightarrow> key set" where
    51.9      "authKeys evs = {authK. \<exists>A Peer Ta. Says Kas A
   51.10                          (Crypt (shrK A) \<lbrace>Key authK, Agent Peer, Number Ta,
   51.11                 (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key authK, Number Ta\<rbrace>)
   51.12 @@ -31,21 +31,21 @@
   51.13  definition
   51.14   (* A is the true creator of X if she has sent X and X never appeared on
   51.15      the trace before this event. Recall that traces grow from head. *)
   51.16 -  Issues :: "[agent, agent, msg, event list] => bool"
   51.17 +  Issues :: "[agent, agent, msg, event list] \<Rightarrow> bool"
   51.18               ("_ Issues _ with _ on _" [50, 0, 0, 50] 50) where
   51.19     "(A Issues B with X on evs) =
   51.20 -      (\<exists>Y. Says A B Y \<in> set evs & X \<in> parts {Y} &
   51.21 -        X \<notin> parts (spies (takeWhile (% z. z  \<noteq> Says A B Y) (rev evs))))"
   51.22 +      (\<exists>Y. Says A B Y \<in> set evs \<and> X \<in> parts {Y} \<and>
   51.23 +        X \<notin> parts (spies (takeWhile (\<lambda>z. z \<noteq> Says A B Y) (rev evs))))"
   51.24  
   51.25  definition
   51.26   (* Yields the subtrace of a given trace from its beginning to a given event *)
   51.27 -  before :: "[event, event list] => event list" ("before _ on _" [0, 50] 50)
   51.28 -  where "(before ev on evs) = takeWhile (% z. z ~= ev) (rev evs)"
   51.29 +  before :: "[event, event list] \<Rightarrow> event list" ("before _ on _" [0, 50] 50)
   51.30 +  where "(before ev on evs) = takeWhile (\<lambda>z. z \<noteq> ev) (rev evs)"
   51.31  
   51.32  definition
   51.33   (* States than an event really appears only once on a trace *)
   51.34 -  Unique :: "[event, event list] => bool" ("Unique _ on _" [0, 50] 50)
   51.35 -  where "(Unique ev on evs) = (ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs)))"
   51.36 +  Unique :: "[event, event list] \<Rightarrow> bool" ("Unique _ on _" [0, 50] 50)
   51.37 +  where "(Unique ev on evs) = (ev \<notin> set (tl (dropWhile (\<lambda>z. z \<noteq> ev) evs)))"
   51.38  
   51.39  
   51.40  consts
   51.41 @@ -79,30 +79,30 @@
   51.42  
   51.43  abbreviation
   51.44    (*The current time is the length of the trace*)
   51.45 -  CT :: "event list=>nat" where
   51.46 +  CT :: "event list \<Rightarrow> nat" where
   51.47    "CT == length"
   51.48  
   51.49  abbreviation
   51.50 -  expiredAK :: "[nat, event list] => bool" where
   51.51 +  expiredAK :: "[nat, event list] \<Rightarrow> bool" where
   51.52    "expiredAK Ta evs == authKlife + Ta < CT evs"
   51.53  
   51.54  abbreviation
   51.55 -  expiredSK :: "[nat, event list] => bool" where
   51.56 +  expiredSK :: "[nat, event list] \<Rightarrow> bool" where
   51.57    "expiredSK Ts evs == servKlife + Ts < CT evs"
   51.58  
   51.59  abbreviation
   51.60 -  expiredA :: "[nat, event list] => bool" where
   51.61 +  expiredA :: "[nat, event list] \<Rightarrow> bool" where
   51.62    "expiredA T evs == authlife + T < CT evs"
   51.63  
   51.64  abbreviation
   51.65 -  valid :: "[nat, nat] => bool" ("valid _ wrt _" [0, 50] 50) where
   51.66 -  "valid T1 wrt T2 == T1 <= replylife + T2"
   51.67 +  valid :: "[nat, nat] \<Rightarrow> bool" ("valid _ wrt _" [0, 50] 50) where
   51.68 +  "valid T1 wrt T2 == T1 \<le> replylife + T2"
   51.69  
   51.70  (*---------------------------------------------------------------------*)
   51.71  
   51.72  
   51.73  (* Predicate formalising the association between authKeys and servKeys *)
   51.74 -definition AKcryptSK :: "[key, key, event list] => bool" where
   51.75 +definition AKcryptSK :: "[key, key, event list] \<Rightarrow> bool" where
   51.76    "AKcryptSK authK servK evs ==
   51.77       \<exists>A B Ts.
   51.78         Says Tgs A (Crypt authK
   51.79 @@ -175,7 +175,7 @@
   51.80                  \<in> set evs4;
   51.81              \<not> expiredAK Ta evs4;
   51.82              \<not> expiredA T2 evs4;
   51.83 -            servKlife + (CT evs4) <= authKlife + Ta
   51.84 +            servKlife + (CT evs4) \<le> authKlife + Ta
   51.85           \<rbrakk>
   51.86            \<Longrightarrow> Says Tgs A
   51.87                  (Crypt authK \<lbrace>Key servK, Agent B, Number (CT evs4),
   51.88 @@ -267,7 +267,7 @@
   51.89  done
   51.90  
   51.91  lemma spies_Notes_rev: "spies (evs @ [Notes A X]) =
   51.92 -          (if A:bad then insert X (spies evs) else spies evs)"
   51.93 +          (if A\<in>bad then insert X (spies evs) else spies evs)"
   51.94  apply (induct_tac "evs")
   51.95  apply (rename_tac [2] a b)
   51.96  apply (induct_tac [2] a, auto)
   51.97 @@ -282,7 +282,7 @@
   51.98  
   51.99  lemmas parts_spies_evs_revD2 = spies_evs_rev [THEN equalityD2, THEN parts_mono]
  51.100  
  51.101 -lemma spies_takeWhile: "spies (takeWhile P evs) <=  spies evs"
  51.102 +lemma spies_takeWhile: "spies (takeWhile P evs) \<subseteq> spies evs"
  51.103  apply (induct_tac "evs")
  51.104  apply (rename_tac [2] a b)
  51.105  apply (induct_tac [2] "a", auto)
  51.106 @@ -341,7 +341,7 @@
  51.107  lemma Oops_range_spies1:
  51.108       "\<lbrakk> Says Kas A (Crypt KeyA \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>)
  51.109             \<in> set evs ;
  51.110 -         evs \<in> kerbIV \<rbrakk> \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys"
  51.111 +         evs \<in> kerbIV \<rbrakk> \<Longrightarrow> authK \<notin> range shrK \<and> authK \<in> symKeys"
  51.112  apply (erule rev_mp)
  51.113  apply (erule kerbIV.induct, auto)
  51.114  done
  51.115 @@ -355,7 +355,7 @@
  51.116  lemma Oops_range_spies2:
  51.117       "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)
  51.118             \<in> set evs ;
  51.119 -         evs \<in> kerbIV \<rbrakk> \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys"
  51.120 +         evs \<in> kerbIV \<rbrakk> \<Longrightarrow> servK \<notin> range shrK \<and> servK \<in> symKeys"
  51.121  apply (erule rev_mp)
  51.122  apply (erule kerbIV.induct, auto)
  51.123  done
  51.124 @@ -379,7 +379,7 @@
  51.125  by auto
  51.126  
  51.127  lemma Spy_see_shrK_D [dest!]:
  51.128 -     "\<lbrakk> Key (shrK A) \<in> parts (spies evs);  evs \<in> kerbIV \<rbrakk> \<Longrightarrow> A:bad"
  51.129 +     "\<lbrakk> Key (shrK A) \<in> parts (spies evs);  evs \<in> kerbIV \<rbrakk> \<Longrightarrow> A\<in>bad"
  51.130  by (blast dest: Spy_see_shrK)
  51.131  
  51.132  lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]
  51.133 @@ -444,7 +444,7 @@
  51.134  done
  51.135  
  51.136  lemma used_takeWhile_used [rule_format]: 
  51.137 -      "x : used (takeWhile P X) --> x : used X"
  51.138 +      "x \<in> used (takeWhile P X) \<longrightarrow> x \<in> used X"
  51.139  apply (induct_tac "X")
  51.140  apply simp
  51.141  apply (rename_tac a b)
  51.142 @@ -469,12 +469,12 @@
  51.143       "\<lbrakk> Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>)
  51.144             \<in> set evs;
  51.145           evs \<in> kerbIV \<rbrakk> \<Longrightarrow>  
  51.146 -  K = shrK A  & Peer = Tgs &
  51.147 -  authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys & 
  51.148 -  authTicket = (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>) &
  51.149 +  K = shrK A \<and> Peer = Tgs \<and>
  51.150 +  authK \<notin> range shrK \<and> authK \<in> authKeys evs \<and> authK \<in> symKeys \<and> 
  51.151 +  authTicket = (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>) \<and>
  51.152    Key authK \<notin> used(before 
  51.153             Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>)
  51.154 -                   on evs) &
  51.155 +                   on evs) \<and>
  51.156    Ta = CT (before 
  51.157             Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>)
  51.158             on evs)"
  51.159 @@ -540,13 +540,13 @@
  51.160       "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  51.161             \<in> set evs;
  51.162           evs \<in> kerbIV \<rbrakk>
  51.163 -  \<Longrightarrow> B \<noteq> Tgs & 
  51.164 -      authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys &
  51.165 -      servK \<notin> range shrK & servK \<notin> authKeys evs & servK \<in> symKeys &
  51.166 -      servTicket = (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>) &
  51.167 +  \<Longrightarrow> B \<noteq> Tgs \<and> 
  51.168 +      authK \<notin> range shrK \<and> authK \<in> authKeys evs \<and> authK \<in> symKeys \<and>
  51.169 +      servK \<notin> range shrK \<and> servK \<notin> authKeys evs \<and> servK \<in> symKeys \<and>
  51.170 +      servTicket = (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>) \<and>
  51.171        Key servK \<notin> used (before
  51.172          Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  51.173 -                        on evs) &
  51.174 +                        on evs) \<and>
  51.175        Ts = CT(before 
  51.176          Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
  51.177                on evs) "
  51.178 @@ -572,7 +572,7 @@
  51.179             \<in> parts (spies evs);
  51.180           A \<notin> bad;
  51.181           evs \<in> kerbIV \<rbrakk>
  51.182 -    \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & 
  51.183 +    \<Longrightarrow> authK \<notin> range shrK \<and> authK \<in> symKeys \<and> 
  51.184          authTicket = Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>"
  51.185  apply (erule rev_mp)
  51.186  apply (erule kerbIV.induct)
  51.187 @@ -587,7 +587,7 @@
  51.188                \<in> parts (spies evs);
  51.189              Key authK \<notin> analz (spies evs);
  51.190              evs \<in> kerbIV \<rbrakk>
  51.191 -         \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys & 
  51.192 +         \<Longrightarrow> servK \<notin> range shrK \<and> servK \<in> symKeys \<and> 
  51.193      (\<exists>A. servTicket = Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)"
  51.194  apply (erule rev_mp)
  51.195  apply (erule rev_mp)
  51.196 @@ -601,7 +601,7 @@
  51.197       "\<lbrakk> Says Kas' A (Crypt (shrK A)
  51.198                \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs;
  51.199           evs \<in> kerbIV \<rbrakk>
  51.200 -      \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & 
  51.201 +      \<Longrightarrow> authK \<notin> range shrK \<and> authK \<in> symKeys \<and> 
  51.202            authTicket =
  51.203                    Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>
  51.204            | authTicket \<in> analz (spies evs)"
  51.205 @@ -612,7 +612,7 @@
  51.206   "\<lbrakk> Says Tgs' A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)
  51.207         \<in> set evs;  authK \<in> symKeys;
  51.208       evs \<in> kerbIV \<rbrakk>
  51.209 -  \<Longrightarrow> servK \<notin> range shrK &
  51.210 +  \<Longrightarrow> servK \<notin> range shrK \<and>
  51.211        (\<exists>A. servTicket =
  51.212                Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)
  51.213         | servTicket \<in> analz (spies evs)"
  51.214 @@ -718,7 +718,7 @@
  51.215     \<Longrightarrow> \<exists>Ta. (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
  51.216             Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
  51.217               \<in> set evs
  51.218 -          & servKlife + Ts <= authKlife + Ta)"
  51.219 +          \<and> servKlife + Ts \<le> authKlife + Ta)"
  51.220  apply (erule rev_mp)
  51.221  apply (erule kerbIV.induct)
  51.222  apply (frule_tac [7] K5_msg_in_parts_spies)
  51.223 @@ -744,7 +744,7 @@
  51.224    \<Longrightarrow> \<exists>authK Ta. Says Kas A (Crypt(shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
  51.225             Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
  51.226               \<in> set evs
  51.227 -           & servKlife + Ts <= authKlife + Ta"
  51.228 +           \<and> servKlife + Ts \<le> authKlife + Ta"
  51.229  by (blast dest!: servTicket_authentic_Tgs u_K4_imp_K2)
  51.230  
  51.231  lemma servTicket_authentic:
  51.232 @@ -755,7 +755,7 @@
  51.233       Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
  51.234                     Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
  51.235         \<in> set evs
  51.236 -     & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
  51.237 +     \<and> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
  51.238                     Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
  51.239         \<in> set evs"
  51.240  by (blast dest: servTicket_authentic_Tgs K4_imp_K2)
  51.241 @@ -768,14 +768,14 @@
  51.242       (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
  51.243                     Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
  51.244         \<in> set evs
  51.245 -     & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
  51.246 +     \<and> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
  51.247                     Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
  51.248         \<in> set evs
  51.249 -     & servKlife + Ts <= authKlife + Ta)"
  51.250 +     \<and> servKlife + Ts \<le> authKlife + Ta)"
  51.251  by (blast dest: servTicket_authentic_Tgs u_K4_imp_K2)
  51.252  
  51.253  lemma u_NotexpiredSK_NotexpiredAK:
  51.254 -     "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts <= authKlife + Ta \<rbrakk>
  51.255 +     "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts \<le> authKlife + Ta \<rbrakk>
  51.256        \<Longrightarrow> \<not> expiredAK Ta evs"
  51.257    by (metis le_less_trans)
  51.258  
  51.259 @@ -804,7 +804,7 @@
  51.260           Crypt K' \<lbrace>Key SesKey,  Agent B', T', Ticket'\<rbrace>
  51.261             \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
  51.262           evs \<in> kerbIV \<rbrakk>
  51.263 -      \<Longrightarrow> K=K' & B=B' & T=T' & Ticket=Ticket'"
  51.264 +      \<Longrightarrow> K=K' \<and> B=B' \<and> T=T' \<and> Ticket=Ticket'"
  51.265  apply (erule rev_mp)
  51.266  apply (erule rev_mp)
  51.267  apply (erule rev_mp)
  51.268 @@ -870,7 +870,7 @@
  51.269           Crypt (shrK B') \<lbrace>Agent A', Agent B', Key SesKey, T'\<rbrace>
  51.270             \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
  51.271           evs \<in> kerbIV \<rbrakk>
  51.272 -      \<Longrightarrow> A=A' & B=B' & T=T'"
  51.273 +      \<Longrightarrow> A=A' \<and> B=B' \<and> T=T'"
  51.274  apply (erule rev_mp)
  51.275  apply (erule rev_mp)
  51.276  apply (erule rev_mp)
  51.277 @@ -947,7 +947,7 @@
  51.278       \<Longrightarrow> Key Kc \<notin> analz (spies evs) \<longrightarrow>
  51.279             (\<exists>K' B' T' Ticket'. \<forall>K B T Ticket.
  51.280              Crypt Kc \<lbrace>Key K, Agent B, T, Ticket\<rbrace>
  51.281 -             \<in> parts (spies evs) \<longrightarrow> K=K' & B=B' & T=T' & Ticket=Ticket')"
  51.282 +             \<in> parts (spies evs) \<longrightarrow> K=K' \<and> B=B' \<and> T=T' \<and> Ticket=Ticket')"
  51.283  
  51.284    would fail on the K2 and K4 cases.
  51.285  *)
  51.286 @@ -957,7 +957,7 @@
  51.287                (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, X\<rbrace>) \<in> set evs;
  51.288           Says Kas A'
  51.289                (Crypt Ka' \<lbrace>Key authK, Agent Tgs, Ta', X'\<rbrace>) \<in> set evs;
  51.290 -         evs \<in> kerbIV \<rbrakk> \<Longrightarrow> A=A' & Ka=Ka' & Ta=Ta' & X=X'"
  51.291 +         evs \<in> kerbIV \<rbrakk> \<Longrightarrow> A=A' \<and> Ka=Ka' \<and> Ta=Ta' \<and> X=X'"
  51.292  apply (erule rev_mp)
  51.293  apply (erule rev_mp)
  51.294  apply (erule kerbIV.induct)
  51.295 @@ -973,7 +973,7 @@
  51.296                (Crypt K \<lbrace>Key servK, Agent B, Ts, X\<rbrace>) \<in> set evs;
  51.297           Says Tgs A'
  51.298                (Crypt K' \<lbrace>Key servK, Agent B', Ts', X'\<rbrace>) \<in> set evs;
  51.299 -         evs \<in> kerbIV \<rbrakk> \<Longrightarrow> A=A' & B=B' & K=K' & Ts=Ts' & X=X'"
  51.300 +         evs \<in> kerbIV \<rbrakk> \<Longrightarrow> A=A' \<and> B=B' \<and> K=K' \<and> Ts=Ts' \<and> X=X'"
  51.301  apply (erule rev_mp)
  51.302  apply (erule rev_mp)
  51.303  apply (erule kerbIV.induct)
  51.304 @@ -1020,7 +1020,7 @@
  51.305  
  51.306  lemma AKcryptSK_Says [simp]:
  51.307     "AKcryptSK authK servK (Says S A X # evs) =
  51.308 -     (Tgs = S &
  51.309 +     (Tgs = S \<and>
  51.310        (\<exists>B Ts. X = Crypt authK
  51.311                  \<lbrace>Key servK, Agent B, Number Ts,
  51.312                    Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>)
  51.313 @@ -1123,9 +1123,9 @@
  51.314  text\<open>We take some pains to express the property
  51.315    as a logical equivalence so that the simplifier can apply it.\<close>
  51.316  lemma Key_analz_image_Key_lemma:
  51.317 -     "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H)
  51.318 +     "P \<longrightarrow> (Key K \<in> analz (Key`KK \<union> H)) \<longrightarrow> (K\<in>KK | Key K \<in> analz H)
  51.319        \<Longrightarrow>
  51.320 -      P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) = (K:KK | Key K \<in> analz H)"
  51.321 +      P \<longrightarrow> (Key K \<in> analz (Key`KK \<union> H)) = (K\<in>KK | Key K \<in> analz H)"
  51.322  by (blast intro: analz_mono [THEN subsetD])
  51.323  
  51.324  
  51.325 @@ -1137,7 +1137,7 @@
  51.326  done
  51.327  
  51.328  lemma authKeys_are_not_AKcryptSK:
  51.329 -     "\<lbrakk> K \<in> authKeys evs Un range shrK;  evs \<in> kerbIV \<rbrakk>
  51.330 +     "\<lbrakk> K \<in> authKeys evs \<union> range shrK;  evs \<in> kerbIV \<rbrakk>
  51.331        \<Longrightarrow> \<forall>SK. \<not> AKcryptSK SK K evs \<and> K \<in> symKeys"
  51.332  apply (simp add: authKeys_def AKcryptSK_def)
  51.333  apply (blast dest: Says_Kas_message_form Says_Tgs_message_form)
  51.334 @@ -1170,9 +1170,9 @@
  51.335   [simplified by LCP]\<close>
  51.336  lemma Key_analz_image_Key [rule_format (no_asm)]:
  51.337       "evs \<in> kerbIV \<Longrightarrow>
  51.338 -      (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow>
  51.339 +      (\<forall>SK KK. SK \<in> symKeys \<and> KK \<subseteq> -(range shrK) \<longrightarrow>
  51.340         (\<forall>K \<in> KK. \<not> AKcryptSK K SK evs)   \<longrightarrow>
  51.341 -       (Key SK \<in> analz (Key`KK Un (spies evs))) =
  51.342 +       (Key SK \<in> analz (Key`KK \<union> (spies evs))) =
  51.343         (SK \<in> KK | Key SK \<in> analz (spies evs)))"
  51.344  apply (erule kerbIV.induct)
  51.345  apply (frule_tac [10] Oops_range_spies2)
  51.346 @@ -1213,7 +1213,7 @@
  51.347  text\<open>First simplification law for analz: no session keys encrypt
  51.348  authentication keys or shared keys.\<close>
  51.349  lemma analz_insert_freshK1:
  51.350 -     "\<lbrakk> evs \<in> kerbIV;  K \<in> authKeys evs Un range shrK;
  51.351 +     "\<lbrakk> evs \<in> kerbIV;  K \<in> authKeys evs \<union> range shrK;
  51.352          SesKey \<notin> range shrK \<rbrakk>
  51.353        \<Longrightarrow> (Key K \<in> analz (insert (Key SesKey) (spies evs))) =
  51.354            (K = SesKey | Key K \<in> analz (spies evs))"
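--- a/src/HOL/Auth/KerberosIV_Gets.thy	Tue Feb 13 14:24:50 2018 +0100
+++ b/src/HOL/Auth/KerberosIV_Gets.thy	Thu Feb 15 12:11:00 2018 +0100
@@ -22,7 +22,7 @@
 
 definition
 (* authKeys are those contained in an authTicket *)
-    authKeys :: "event list => key set" where
+    authKeys :: "event list \<Rightarrow> key set" where
     "authKeys evs = {authK. \<exists>A Peer Ta. Says Kas A
                         (Crypt (shrK A) \<lbrace>Key authK, Agent Peer, Number Ta,
                (Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key authK, Number Ta\<rbrace>)
@@ -30,8 +30,8 @@
 
 definition
 (* States than an event really appears only once on a trace *)
-  Unique :: "[event, event list] => bool" ("Unique _ on _" [0, 50] 50)
-  where "(Unique ev on evs) = (ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs)))"
+  Unique :: "[event, event list] \<Rightarrow> bool" ("Unique _ on _" [0, 50] 50)
+  where "(Unique ev on evs) = (ev \<notin> set (tl (dropWhile (\<lambda>z. z \<noteq> ev) evs)))"
 
 
 consts
@@ -65,30 +65,30 @@
 
 abbreviation
   (*The current time is just the length of the trace!*)
-  CT :: "event list=>nat" where
+  CT :: "event list \<Rightarrow> nat" where
   "CT == length"
 
 abbreviation
-  expiredAK :: "[nat, event list] => bool" where
+  expiredAK :: "[nat, event list] \<Rightarrow> bool" where
   "expiredAK Ta evs == authKlife + Ta < CT evs"
 
 abbreviation
-  expiredSK :: "[nat, event list] => bool" where
+  expiredSK :: "[nat, event list] \<Rightarrow> bool" where
   "expiredSK Ts evs == servKlife + Ts < CT evs"
 
 abbreviation
-  expiredA :: "[nat, event list] => bool" where
+  expiredA :: "[nat, event list] \<Rightarrow> bool" where
   "expiredA T evs == authlife + T < CT evs"
 
 abbreviation
-  valid :: "[nat, nat] => bool" ("valid _ wrt _" [0, 50] 50) where
-  "valid T1 wrt T2 == T1 <= replylife + T2"
+  valid :: "[nat, nat] \<Rightarrow> bool" ("valid _ wrt _" [0, 50] 50) where
+  "valid T1 wrt T2 == T1 \<le> replylife + T2"
 
 (*---------------------------------------------------------------------*)
 
 
 (* Predicate formalising the association between authKeys and servKeys *)
-definition AKcryptSK :: "[key, key, event list] => bool" where
+definition AKcryptSK :: "[key, key, event list] \<Rightarrow> bool" where
   "AKcryptSK authK servK evs ==
      \<exists>A B Ts.
        Says Tgs A (Crypt authK
@@ -164,7 +164,7 @@
                 \<in> set evs4;
             \<not> expiredAK Ta evs4;
             \<not> expiredA T2 evs4;
-            servKlife + (CT evs4) <= authKlife + Ta
+            servKlife + (CT evs4) \<le> authKlife + Ta
          \<rbrakk>
           \<Longrightarrow> Says Tgs A
                 (Crypt authK \<lbrace>Key servK, Agent B, Number (CT evs4),
@@ -311,7 +311,7 @@
 lemma Oops_range_spies1:
      "\<lbrakk> Says Kas A (Crypt KeyA \<lbrace>Key authK, Peer, Ta, authTicket\<rbrace>)
           \<in> set evs ;
-         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys"
+         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> authK \<notin> range shrK \<and> authK \<in> symKeys"
 apply (erule rev_mp)
 apply (erule kerbIV_gets.induct, auto)
 done
@@ -319,7 +319,7 @@
 lemma Oops_range_spies2:
      "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)
           \<in> set evs ;
-         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys"
+         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> servK \<notin> range shrK \<and> servK \<in> symKeys"
 apply (erule rev_mp)
 apply (erule kerbIV_gets.induct, auto)
 done
@@ -339,7 +339,7 @@
 by auto
 
 lemma Spy_see_shrK_D [dest!]:
-     "\<lbrakk> Key (shrK A) \<in> parts (spies evs);  evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A:bad"
+     "\<lbrakk> Key (shrK A) \<in> parts (spies evs);  evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A\<in>bad"
 by (blast dest: Spy_see_shrK)
 lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]
 
@@ -374,8 +374,8 @@
      "\<lbrakk> Says Kas A (Crypt K \<lbrace>Key authK, Agent Peer, Number Ta, authTicket\<rbrace>)
           \<in> set evs;
          evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow>  
-  K = shrK A  & Peer = Tgs &
-  authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys & 
+  K = shrK A  \<and> Peer = Tgs \<and>
+  authK \<notin> range shrK \<and> authK \<in> authKeys evs \<and> authK \<in> symKeys \<and> 
   authTicket = (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>)"
 apply (erule rev_mp)
 apply (erule kerbIV_gets.induct)
@@ -424,9 +424,9 @@
      "\<lbrakk> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
           \<in> set evs;
          evs \<in> kerbIV_gets \<rbrakk>
-  \<Longrightarrow> B \<noteq> Tgs & 
-      authK \<notin> range shrK & authK \<in> authKeys evs & authK \<in> symKeys &
-      servK \<notin> range shrK & servK \<notin> authKeys evs & servK \<in> symKeys &
+  \<Longrightarrow> B \<noteq> Tgs \<and> 
+      authK \<notin> range shrK \<and> authK \<in> authKeys evs \<and> authK \<in> symKeys \<and>
+      servK \<notin> range shrK \<and> servK \<notin> authKeys evs \<and> servK \<in> symKeys \<and>
       servTicket = (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>)"
 apply (erule rev_mp)
 apply (erule kerbIV_gets.induct)
@@ -443,7 +443,7 @@
           \<in> parts (spies evs);
          A \<notin> bad;
          evs \<in> kerbIV_gets \<rbrakk>
-    \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & 
+    \<Longrightarrow> authK \<notin> range shrK \<and> authK \<in> symKeys \<and>
         authTicket = Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>"
 apply (erule rev_mp)
 apply (erule kerbIV_gets.induct)
@@ -458,7 +458,7 @@
               \<in> parts (spies evs);
             Key authK \<notin> analz (spies evs);
             evs \<in> kerbIV_gets \<rbrakk>
-         \<Longrightarrow> servK \<notin> range shrK & servK \<in> symKeys & 
+         \<Longrightarrow> servK \<notin> range shrK \<and> servK \<in> symKeys \<and> 
     (\<exists>A. servTicket = Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)"
 apply (erule rev_mp)
 apply (erule rev_mp)
@@ -472,7 +472,7 @@
      "\<lbrakk> Gets A (Crypt (shrK A)
              \<lbrace>Key authK, Agent Tgs, Ta, authTicket\<rbrace>) \<in> set evs;
          evs \<in> kerbIV_gets \<rbrakk>
-      \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys & 
+      \<Longrightarrow> authK \<notin> range shrK \<and> authK \<in> symKeys \<and> 
           authTicket =
                   Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Ta\<rbrace>
           | authTicket \<in> analz (spies evs)"
@@ -483,7 +483,7 @@
  "\<lbrakk> Gets A (Crypt authK \<lbrace>Key servK, Agent B, Ts, servTicket\<rbrace>)
        \<in> set evs;  authK \<in> symKeys;
      evs \<in> kerbIV_gets \<rbrakk>
-  \<Longrightarrow> servK \<notin> range shrK &
+  \<Longrightarrow> servK \<notin> range shrK \<and>
       (\<exists>A. servTicket =
               Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Ts\<rbrace>)
        | servTicket \<in> analz (spies evs)"
@@ -593,7 +593,7 @@
    \<Longrightarrow> \<exists>Ta. (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
           Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
             \<in> set evs
-          & servKlife + Ts <= authKlife + Ta)"
+          \<and> servKlife + Ts \<le> authKlife + Ta)"
 apply (erule rev_mp)
 apply (erule kerbIV_gets.induct)
 apply (frule_tac [8] Gets_ticket_parts)
@@ -619,7 +619,7 @@
   \<Longrightarrow> \<exists>authK Ta. Says Kas A (Crypt(shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
           Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
             \<in> set evs
-           & servKlife + Ts <= authKlife + Ta"
+           \<and> servKlife + Ts \<le> authKlife + Ta"
 by (blast dest!: servTicket_authentic_Tgs u_K4_imp_K2)
 
 lemma servTicket_authentic:
@@ -630,7 +630,7 @@
      Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
                    Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
        \<in> set evs
-     & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
+     \<and> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
                    Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
        \<in> set evs"
 by (blast dest: servTicket_authentic_Tgs K4_imp_K2)
@@ -643,14 +643,14 @@
      (Says Kas A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
                    Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace>\<rbrace>)
        \<in> set evs
-     & Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
+     \<and> Says Tgs A (Crypt authK \<lbrace>Key servK, Agent B, Number Ts,
                    Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>)
        \<in> set evs
-     & servKlife + Ts <= authKlife + Ta)"
+     \<and> servKlife + Ts \<le> authKlife + Ta)"
 by (blast dest: servTicket_authentic_Tgs u_K4_imp_K2)
 
 lemma u_NotexpiredSK_NotexpiredAK:
-     "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts <= authKlife + Ta \<rbrakk>
+     "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts \<le> authKlife + Ta \<rbrakk>
       \<Longrightarrow> \<not> expiredAK Ta evs"
 by (blast dest: leI le_trans dest: leD)
 
@@ -679,7 +679,7 @@
          Crypt K' \<lbrace>Key SesKey,  Agent B', T', Ticket'\<rbrace>
           \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
          evs \<in> kerbIV_gets \<rbrakk>
-      \<Longrightarrow> K=K' & B=B' & T=T' & Ticket=Ticket'"
+      \<Longrightarrow> K=K' \<and> B=B' \<and> T=T' \<and> Ticket=Ticket'"
 apply (erule rev_mp)
 apply (erule rev_mp)
 apply (erule rev_mp)
@@ -753,7 +753,7 @@
         Crypt (shrK B') \<lbrace>Agent A', Agent B', Key SesKey, T'\<rbrace>
           \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
          evs \<in> kerbIV_gets \<rbrakk>
-      \<Longrightarrow> A=A' & B=B' & T=T'"
+      \<Longrightarrow> A=A' \<and> B=B' \<and> T=T'"
 apply (erule rev_mp)
 apply (erule rev_mp)
 apply (erule rev_mp)
@@ -819,7 +819,7 @@
             (Crypt Ka \<lbrace>Key authK, Agent Tgs, Ta, X\<rbrace>) \<in> set evs;
          Says Kas A'
             (Crypt Ka' \<lbrace>Key authK, Agent Tgs, Ta', X'\<rbrace>) \<in> set evs;
-         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A=A' & Ka=Ka' & Ta=Ta' & X=X'"
+         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A=A' \<and> Ka=Ka' \<and> Ta=Ta' \<and> X=X'"
 apply (erule rev_mp)
 apply (erule rev_mp)
 apply (erule kerbIV_gets.induct)
@@ -835,7 +835,7 @@
             (Crypt K \<lbrace>Key servK, Agent B, Ts, X\<rbrace>) \<in> set evs;
          Says Tgs A'
             (Crypt K' \<lbrace>Key servK, Agent B', Ts', X'\<rbrace>) \<in> set evs;
-         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A=A' & B=B' & K=K' & Ts=Ts' & X=X'"
+         evs \<in> kerbIV_gets \<rbrakk> \<Longrightarrow> A=A' \<and> B=B' \<and> K=K' \<and> Ts=Ts' \<and> X=X'"
 apply (erule rev_mp)
 apply (erule rev_mp)
 apply (erule kerbIV_gets.induct)
@@ -882,7 +882,7 @@
 
 lemma AKcryptSK_Says [simp]:
    "AKcryptSK authK servK (Says S A X # evs) =
-     (Tgs = S &
+     (Tgs = S \<and>
       (\<exists>B Ts. X = Crypt authK
                 \<lbrace>Key servK, Agent B, Number Ts,
                   Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>)
@@ -996,9 +996,9 @@
 text\<open>We take some pains to express the property
   as a logical equivalence so that the simplifier can apply it.\<close>
 lemma Key_analz_image_Key_lemma:
-     "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H)
+     "P \<longrightarrow> (Key K \<in> analz (Key`KK \<union> H)) \<longrightarrow> (K \<in> KK | Key K \<in> analz H)
       \<Longrightarrow>
-      P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) = (K:KK | Key K \<in> analz H)"
+      P \<longrightarrow> (Key K \<in> analz (Key`KK \<union> H)) = (K \<in> KK | Key K \<in> analz H)"
 by (blast intro: analz_mono [THEN subsetD])
 
 
@@ -1009,7 +1009,7 @@
 by (drule Says_imp_spies [THEN analz.Inj, THEN analz_insertI], auto)
 
 lemma authKeys_are_not_AKcryptSK:
-     "\<lbrakk> K \<in> authKeys evs Un range shrK;  evs \<in> kerbIV_gets \<rbrakk>
+     "\<lbrakk> K \<in> authKeys evs \<union> range shrK;  evs \<in> kerbIV_gets \<rbrakk>
       \<Longrightarrow> \<forall>SK. \<not> AKcryptSK SK K evs \<and> K \<in> symKeys"
 apply (simp add: authKeys_def AKcryptSK_def)
 by (blast dest: Says_Kas_message_form Says_Tgs_message_form)
@@ -1039,9 +1039,9 @@
 in case of loss of a key to the spy. See ESORICS98.\<close>
 lemma Key_analz_image_Key [rule_format (no_asm)]:
      "evs \<in> kerbIV_gets \<Longrightarrow>
-      (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow>
+      (\<forall>SK KK. SK \<in> symKeys \<and> KK \<subseteq> -(range shrK) \<longrightarrow>
        (\<forall>K \<in> KK. \<not> AKcryptSK K SK evs)   \<longrightarrow>
-       (Key SK \<in> analz (Key`KK Un (spies evs))) =
+       (Key SK \<in> analz (Key`KK \<union> (spies evs))) =
        (SK \<in> KK | Key SK \<in> analz (spies evs)))"
 apply (erule kerbIV_gets.induct)
 apply (frule_tac [11] Oops_range_spies2)
@@ -1084,7 +1084,7 @@
 text\<open>First simplification law for analz: no session keys encrypt
 authentication keys or shared keys.\<close>
 lemma analz_insert_freshK1:
-     "\<lbrakk> evs \<in> kerbIV_gets;  K \<in> authKeys evs Un range shrK;
+     "\<lbrakk> evs \<in> kerbIV_gets;  K \<in> authKeys evs \<union> range shrK;
         SesKey \<notin> range shrK \<rbrakk>
       \<Longrightarrow> (Key K \<in> analz (insert (Key SesKey) (spies evs))) =
           (K = SesKey | Key K \<in> analz (spies evs))"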
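Review bot: The sweep in this file leaves `|` for disjunction and `==` in the abbreviation definitions in ASCII while `&`, `<=`, `Un`, `=>` and `:` on the very same lines are moved to `\<and>`, `\<le>`, `\<union>`, `\<Rightarrow>` and `\<in>` (for example 52.29 `"CT == length"`, 52.147 `| authTicket \<in> analz (spies evs)` and 52.255 `(K \<in> KK | Key K \<in> analz H)`), so the theory still mixes both notations after the commit. If the intent is symbol notation throughout, `\<or>` and `\<equiv>` on those lines belong in the same pass; the lemma statements are otherwise unchanged, so no proof should be affected. The spacing chosen here, `K \<in> KK` at 52.252, also differs from `K\<in>KK` in the corresponding lemma of KerberosIV.thy at 51.318, a small inconsistency between two otherwise parallel files. Several of the touched lemmas (52.98, 52.109, 52.122) start before their hunks, so their full statements are not visible in this view.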
    53.1 --- a/src/HOL/Auth/KerberosV.thy	Tue Feb 13 14:24:50 2018 +0100
    53.2 +++ b/src/HOL/Auth/KerberosV.thy	Thu Feb 15 12:11:00 2018 +0100
    53.3 @@ -23,7 +23,7 @@
    53.4  
    53.5  definition
    53.6   (* authKeys are those contained in an authTicket *)
    53.7 -    authKeys :: "event list => key set" where
    53.8 +    authKeys :: "event list \<Rightarrow> key set" where
    53.9      "authKeys evs = {authK. \<exists>A Peer Ta. 
   53.10          Says Kas A \<lbrace>Crypt (shrK A) \<lbrace>Key authK, Agent Peer, Ta\<rbrace>,
   53.11                       Crypt (shrK Peer) \<lbrace>Agent A, Agent Peer, Key authK, Ta\<rbrace>
   53.12 @@ -32,11 +32,11 @@
   53.13  definition
   53.14   (* A is the true creator of X if she has sent X and X never appeared on
   53.15      the trace before this event. Recall that traces grow from head. *)
   53.16 -  Issues :: "[agent, agent, msg, event list] => bool"
   53.17 +  Issues :: "[agent, agent, msg, event list] \<Rightarrow> bool"
   53.18               ("_ Issues _ with _ on _") where
   53.19     "A Issues B with X on evs =
   53.20        (\<exists>Y. Says A B Y \<in> set evs \<and> X \<in> parts {Y} \<and>
   53.21 -        X \<notin> parts (spies (takeWhile (% z. z  \<noteq> Says A B Y) (rev evs))))"
   53.22 +        X \<notin> parts (spies (takeWhile (\<lambda>z. z  \<noteq> Says A B Y) (rev evs))))"
   53.23  
   53.24  
   53.25  consts
   53.26 @@ -70,30 +70,30 @@
   53.27  
   53.28  abbreviation
   53.29    (*The current time is just the length of the trace!*)
   53.30 -  CT :: "event list=>nat" where
   53.31 +  CT :: "event list \<Rightarrow> nat" where
   53.32    "CT == length"
   53.33  
   53.34  abbreviation
   53.35 -  expiredAK :: "[nat, event list] => bool" where
   53.36 +  expiredAK :: "[nat, event list] \<Rightarrow> bool" where
   53.37    "expiredAK T evs == authKlife + T < CT evs"
   53.38  
   53.39  abbreviation
   53.40 -  expiredSK :: "[nat, event list] => bool" where
   53.41 +  expiredSK :: "[nat, event list] \<Rightarrow> bool" where
   53.42    "expiredSK T evs == servKlife + T < CT evs"
   53.43  
   53.44  abbreviation
   53.45 -  expiredA :: "[nat, event list] => bool" where
   53.46 +  expiredA :: "[nat, event list] \<Rightarrow> bool" where
   53.47    "expiredA T evs == authlife + T < CT evs"
   53.48  
   53.49  abbreviation
   53.50 -  valid :: "[nat, nat] => bool"  ("valid _ wrt _") where
   53.51 -  "valid T1 wrt T2 == T1 <= replylife + T2"
   53.52 +  valid :: "[nat, nat] \<Rightarrow> bool"  ("valid _ wrt _") where
   53.53 +  "valid T1 wrt T2 == T1 \<le> replylife + T2"
   53.54  
   53.55  (*---------------------------------------------------------------------*)
   53.56  
   53.57  
   53.58  (* Predicate formalising the association between authKeys and servKeys *)
   53.59 -definition AKcryptSK :: "[key, key, event list] => bool" where
   53.60 +definition AKcryptSK :: "[key, key, event list] \<Rightarrow> bool" where
   53.61    "AKcryptSK authK servK evs ==
   53.62       \<exists>A B tt.
   53.63         Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, tt\<rbrace>,
   53.64 @@ -142,7 +142,7 @@
   53.65                  \<in> set evs4;
   53.66              \<not> expiredAK Ta evs4;
   53.67              \<not> expiredA T2 evs4;
   53.68 -            servKlife + (CT evs4) <= authKlife + Ta
   53.69 +            servKlife + (CT evs4) \<le> authKlife + Ta
   53.70           \<rbrakk>
   53.71            \<Longrightarrow> Says Tgs A \<lbrace>
   53.72               Crypt authK \<lbrace>Key servK, Agent B, Number (CT evs4)\<rbrace>,
   53.73 @@ -218,7 +218,7 @@
   53.74  done
   53.75  
   53.76  lemma spies_Notes_rev: "spies (evs @ [Notes A X]) =
   53.77 -          (if A:bad then insert X (spies evs) else spies evs)"
   53.78 +          (if A\<in>bad then insert X (spies evs) else spies evs)"
   53.79  apply (induct_tac "evs")
   53.80  apply (rename_tac [2] a b)
   53.81  apply (induct_tac [2] "a", auto)
   53.82 @@ -233,7 +233,7 @@
   53.83  
   53.84  lemmas parts_spies_evs_revD2 = spies_evs_rev [THEN equalityD2, THEN parts_mono]
   53.85  
   53.86 -lemma spies_takeWhile: "spies (takeWhile P evs) <=  spies evs"
   53.87 +lemma spies_takeWhile: "spies (takeWhile P evs) \<subseteq> spies evs"
   53.88  apply (induct_tac "evs")
   53.89  apply (rename_tac [2] a b)
   53.90  apply (induct_tac [2] "a", auto)
   53.91 @@ -294,7 +294,7 @@
   53.92  lemma Oops_range_spies1:
   53.93       "\<lbrakk> Says Kas A \<lbrace>Crypt KeyA \<lbrace>Key authK, Peer, Ta\<rbrace>, authTicket\<rbrace>
   53.94             \<in> set evs ;
   53.95 -         evs \<in> kerbV \<rbrakk> \<Longrightarrow> authK \<notin> range shrK & authK \<in> symKeys"
   53.96 +         evs \<in> kerbV \<rbrakk> \<Longrightarrow> authK \<notin> range shrK \<and> authK \<in> symKeys"
   53.97  apply (erule rev_mp)
   53.98  apply (erule kerbV.induct, auto)
   53.99  done
  53.100 @@ -322,7 +322,7 @@
  53.101  by auto
  53.102  
  53.103  lemma Spy_see_shrK_D [dest!]:
  53.104 -     "\<lbrakk> Key (shrK A) \<in> parts (spies evs);  evs \<in> kerbV \<rbrakk> \<Longrightarrow> A:bad"
  53.105 +     "\<lbrakk> Key (shrK A) \<in> parts (spies evs);  evs \<in> kerbV \<rbrakk> \<Longrightarrow> A\<in>bad"
  53.106  by (blast dest: Spy_see_shrK)
  53.107  
  53.108  lemmas Spy_analz_shrK_D = analz_subset_parts [THEN subsetD, THEN Spy_see_shrK_D, dest!]
  53.109 @@ -527,7 +527,7 @@
  53.110     \<Longrightarrow> \<exists>Ta. Says Kas A \<lbrace>Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta\<rbrace>,
  53.111               Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace> \<rbrace>
  53.112               \<in> set evs
  53.113 -          \<and> servKlife + Ts <= authKlife + Ta"
  53.114 +          \<and> servKlife + Ts \<le> authKlife + Ta"
  53.115  apply (erule rev_mp)
  53.116  apply (erule kerbV.induct)
  53.117  apply (frule_tac [7] Says_ticket_parts)
  53.118 @@ -555,7 +555,7 @@
  53.119           \<lbrace>Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta\<rbrace>,
  53.120             Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK, Number Ta\<rbrace> \<rbrace>
  53.121          \<in> set evs \<and> 
  53.122 -      servKlife + Ts <= authKlife + Ta"
  53.123 +      servKlife + Ts \<le> authKlife + Ta"
  53.124  by (metis servTicket_authentic_Tgs u_K4_imp_K2)
  53.125  
  53.126  lemma servTicket_authentic:
  53.127 @@ -580,11 +580,11 @@
  53.128       \<and> Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>,
  53.129                   Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>\<rbrace>
  53.130         \<in> set evs
  53.131 -     \<and> servKlife + Ts <= authKlife + Ta"
  53.132 +     \<and> servKlife + Ts \<le> authKlife + Ta"
  53.133  by (metis servTicket_authentic_Tgs u_K4_imp_K2)
  53.134  
  53.135  lemma u_NotexpiredSK_NotexpiredAK:
  53.136 -     "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts <= authKlife + Ta \<rbrakk>
  53.137 +     "\<lbrakk> \<not> expiredSK Ts evs; servKlife + Ts \<le> authKlife + Ta \<rbrakk>
  53.138        \<Longrightarrow> \<not> expiredAK Ta evs"
  53.139  by (metis order_le_less_trans)
  53.140  
  53.141 @@ -653,7 +653,7 @@
  53.142           Crypt (shrK B') \<lbrace>Agent A', Agent B', Key SesKey, T'\<rbrace>
  53.143             \<in> parts (spies evs);  Key SesKey \<notin> analz (spies evs);
  53.144           evs \<in> kerbV \<rbrakk>
  53.145 -      \<Longrightarrow> A=A' & B=B' & T=T'"
  53.146 +      \<Longrightarrow> A=A' \<and> B=B' \<and> T=T'"
  53.147  apply (erule rev_mp)
  53.148  apply (erule rev_mp)
  53.149  apply (erule rev_mp)
  53.150 @@ -868,9 +868,9 @@
  53.151  text\<open>We take some pains to express the property
  53.152    as a logical equivalence so that the simplifier can apply it.\<close>
  53.153  lemma Key_analz_image_Key_lemma:
  53.154 -     "P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) \<longrightarrow> (K:KK | Key K \<in> analz H)
  53.155 +     "P \<longrightarrow> (Key K \<in> analz (Key`KK \<union> H)) \<longrightarrow> (K\<in>KK \<or> Key K \<in> analz H)
  53.156        \<Longrightarrow>
  53.157 -      P \<longrightarrow> (Key K \<in> analz (Key`KK Un H)) = (K:KK | Key K \<in> analz H)"
  53.158 +      P \<longrightarrow> (Key K \<in> analz (Key`KK \<union> H)) = (K\<in>KK \<or> Key K \<in> analz H)"
  53.159  by (blast intro: analz_mono [THEN subsetD])
  53.160  
  53.161  
  53.162 @@ -882,7 +882,7 @@
  53.163  done
  53.164  
  53.165  lemma authKeys_are_not_AKcryptSK:
  53.166 -     "\<lbrakk> K \<in> authKeys evs Un range shrK;  evs \<in> kerbV \<rbrakk>
  53.167 +     "\<lbrakk> K \<in> authKeys evs \<union> range shrK;  evs \<in> kerbV \<rbrakk>
  53.168        \<Longrightarrow> \<forall>SK. \<not> AKcryptSK SK K evs \<and> K \<in> symKeys"
  53.169  apply (simp add: authKeys_def AKcryptSK_def)
  53.170  apply (blast dest: Says_Kas_message_form Says_Tgs_message_form)
  53.171 @@ -914,9 +914,9 @@
  53.172   in case of loss of a key to the spy. See ESORICS98.\<close>
  53.173  lemma Key_analz_image_Key [rule_format (no_asm)]:
  53.174       "evs \<in> kerbV \<Longrightarrow>
  53.175 -      (\<forall>SK KK. SK \<in> symKeys & KK <= -(range shrK) \<longrightarrow>
  53.176 +      (\<forall>SK KK. SK \<in> symKeys \<and> KK \<subseteq> -(range shrK) \<longrightarrow>
  53.177         (\<forall>K \<in> KK. \<not> AKcryptSK K SK evs)   \<longrightarrow>
  53.178 -       (Key SK \<in> analz (Key`KK Un (spies evs))) =
  53.179 +       (Key SK \<in> analz (Key`KK \<union> (spies evs))) =
  53.180         (SK \<in> KK | Key SK \<in> analz (spies evs)))"
  53.181  apply (erule kerbV.induct)
  53.182  apply (frule_tac [10] Oops_range_spies2)
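Review bot: The disjunction on the last line of the Key_analz_image_Key statement is still the ASCII `|` even though this hunk converts `&`, `<=` and `Un` on the lines directly above it, so the lemma ends up half-converted. The context line `(SK \<in> KK | Key SK \<in> analz (spies evs)))` could become `(SK \<in> KK \<or> Key SK \<in> analz (spies evs)))` in the same pass; both spellings denote HOL disjunction, so the proof is unaffected. The lemma's proof script continues past the end of the hunk.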
  53.183 @@ -951,7 +951,7 @@
  53.184  text\<open>First simplification law for analz: no session keys encrypt
  53.185  authentication keys or shared keys.\<close>
  53.186  lemma analz_insert_freshK1:
  53.187 -     "\<lbrakk> evs \<in> kerbV;  K \<in> authKeys evs Un range shrK;
  53.188 +     "\<lbrakk> evs \<in> kerbV;  K \<in> authKeys evs \<union> range shrK;
  53.189          SesKey \<notin> range shrK \<rbrakk>
  53.190        \<Longrightarrow> (Key K \<in> analz (insert (Key SesKey) (spies evs))) =
  53.191            (K = SesKey | Key K \<in> analz (spies evs))"
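Review bot: The conclusion of analz_insert_freshK1 keeps the ASCII `|` while the premise line in this hunk is switched to `\<union>`, leaving one lemma in two notations. The line `(K = SesKey | Key K \<in> analz (spies evs))` could read `(K = SesKey \<or> Key K \<in> analz (spies evs))` for consistency with the `\<or>` already introduced in Key_analz_image_Key_lemma earlier in the file. The proof of this lemma lies outside the hunk.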
    54.1 --- a/src/HOL/Auth/Kerberos_BAN.thy	Tue Feb 13 14:24:50 2018 +0100
    54.2 +++ b/src/HOL/Auth/Kerberos_BAN.thy	Thu Feb 15 12:11:00 2018 +0100
    54.3 @@ -38,36 +38,36 @@
    54.4      by blast
    54.5  
    54.6  abbreviation
    54.7 -  CT :: "event list=>nat" where
    54.8 +  CT :: "event list \<Rightarrow> nat" where
    54.9    "CT == length "
   54.10  
   54.11  abbreviation
   54.12 -  expiredK :: "[nat, event list] => bool" where
   54.13 +  expiredK :: "[nat, event list] \<Rightarrow> bool" where
   54.14    "expiredK T evs == sesKlife + T < CT evs"
   54.15  
   54.16  abbreviation
   54.17 -  expiredA :: "[nat, event list] => bool" where
   54.18 +  expiredA :: "[nat, event list] \<Rightarrow> bool" where
   54.19    "expiredA T evs == authlife + T < CT evs"
   54.20  
   54.21  
   54.22  definition
   54.23   (* A is the true creator of X if she has sent X and X never appeared on
   54.24      the trace before this event. Recall that traces grow from head. *)
   54.25 -  Issues :: "[agent, agent, msg, event list] => bool"
   54.26 +  Issues :: "[agent, agent, msg, event list] \<Rightarrow> bool"
   54.27               ("_ Issues _ with _ on _") where
   54.28     "A Issues B with X on evs =
   54.29 -      (\<exists>Y. Says A B Y \<in> set evs & X \<in> parts {Y} &
   54.30 -        X \<notin> parts (spies (takeWhile (% z. z  \<noteq> Says A B Y) (rev evs))))"
   54.31 +      (\<exists>Y. Says A B Y \<in> set evs \<and> X \<in> parts {Y} \<and>
   54.32 +        X \<notin> parts (spies (takeWhile (\<lambda>z. z  \<noteq> Says A B Y) (rev evs))))"
   54.33  
   54.34  definition
   54.35   (* Yields the subtrace of a given trace from its beginning to a given event *)
   54.36 -  before :: "[event, event list] => event list" ("before _ on _")
   54.37 -  where "before ev on evs = takeWhile (% z. z ~= ev) (rev evs)"
   54.38 +  before :: "[event, event list] \<Rightarrow> event list" ("before _ on _")
   54.39 +  where "before ev on evs = takeWhile (\<lambda>z. z \<noteq> ev) (rev evs)"
   54.40  
   54.41  definition
   54.42   (* States than an event really appears only once on a trace *)
   54.43 -  Unique :: "[event, event list] => bool" ("Unique _ on _")
   54.44 -  where "Unique ev on evs = (ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs)))"
   54.45 +  Unique :: "[event, event list] \<Rightarrow> bool" ("Unique _ on _")
   54.46 +  where "Unique ev on evs = (ev \<notin> set (tl (dropWhile (\<lambda>z. z \<noteq> ev) evs)))"
   54.47  
   54.48  
   54.49  inductive_set bankerberos :: "event list set"
   54.50 @@ -104,7 +104,7 @@
   54.51  
   54.52   | BK4:  "\<lbrakk> evs4 \<in> bankerberos;
   54.53               Says A' B \<lbrace>(Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>),
   54.54 -                         (Crypt K \<lbrace>Agent A, Number Ta\<rbrace>) \<rbrace>: set evs4;
   54.55 +                         (Crypt K \<lbrace>Agent A, Number Ta\<rbrace>) \<rbrace> \<in> set evs4;
   54.56               \<not> expiredK Tk evs4;  \<not> expiredA Ta evs4 \<rbrakk>
   54.57            \<Longrightarrow> Says B A (Crypt K (Number Ta)) # evs4
   54.58                  \<in> bankerberos"
   54.59 @@ -150,7 +150,7 @@
   54.60  done
   54.61  
   54.62  lemma spies_Notes_rev: "spies (evs @ [Notes A X]) =
   54.63 -          (if A:bad then insert X (spies evs) else spies evs)"
   54.64 +          (if A\<in>bad then insert X (spies evs) else spies evs)"
   54.65  apply (induct_tac "evs")
   54.66  apply (rename_tac [2] a b)
   54.67  apply (induct_tac [2] "a", auto)
   54.68 @@ -165,7 +165,7 @@
   54.69  
   54.70  lemmas parts_spies_evs_revD2 = spies_evs_rev [THEN equalityD2, THEN parts_mono]
   54.71  
   54.72 -lemma spies_takeWhile: "spies (takeWhile P evs) <=  spies evs"
   54.73 +lemma spies_takeWhile: "spies (takeWhile P evs) \<subseteq> spies evs"
   54.74  apply (induct_tac "evs")
   54.75  apply (rename_tac [2] a b)
   54.76  apply (induct_tac [2] "a", auto)
   54.77 @@ -211,7 +211,7 @@
   54.78  done
   54.79  
   54.80  lemma used_takeWhile_used [rule_format]: 
   54.81 -      "x : used (takeWhile P X) --> x : used X"
   54.82 +      "x \<in> used (takeWhile P X) \<longrightarrow> x \<in> used X"
   54.83  apply (induct_tac "X")
   54.84  apply simp
   54.85  apply (rename_tac a b)
   54.86 @@ -260,7 +260,7 @@
   54.87  
   54.88  lemma Spy_see_shrK_D [dest!]:
   54.89       "\<lbrakk> Key (shrK A) \<in> parts (spies evs);
   54.90 -                evs \<in> bankerberos \<rbrakk> \<Longrightarrow> A:bad"
   54.91 +                evs \<in> bankerberos \<rbrakk> \<Longrightarrow> A\<in>bad"
   54.92  apply (blast dest: Spy_see_shrK)
   54.93  done
   54.94  
   54.95 @@ -287,11 +287,11 @@
   54.96  lemma Says_Server_message_form:
   54.97       "\<lbrakk> Says Server A (Crypt K' \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   54.98           \<in> set evs; evs \<in> bankerberos \<rbrakk>
   54.99 -      \<Longrightarrow> K' = shrK A & K \<notin> range shrK &
  54.100 -          Ticket = (Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>) &
  54.101 +      \<Longrightarrow> K' = shrK A \<and> K \<notin> range shrK \<and>
  54.102 +          Ticket = (Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>) \<and>
  54.103            Key K \<notin> used(before
  54.104                    Says Server A (Crypt K' \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
  54.105 -                  on evs) &
  54.106 +                  on evs) \<and>
  54.107            Tk = CT(before 
  54.108                    Says Server A (Crypt K' \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
  54.109                    on evs)"
  54.110 @@ -343,7 +343,7 @@
  54.111       "\<lbrakk> Says S A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>)
  54.112              \<in> set evs;
  54.113           evs \<in> bankerberos \<rbrakk>
  54.114 - \<Longrightarrow> (K \<notin> range shrK & X = (Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>))
  54.115 + \<Longrightarrow> (K \<notin> range shrK \<and> X = (Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>))
  54.116            | X \<in> analz (spies evs)"
  54.117  apply (case_tac "A \<in> bad")
  54.118  apply (force dest!: Says_imp_spies [THEN analz.Inj])
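Review bot: The second disjunct of this lemma's conclusion still starts with ASCII `|` on the line right after the converted `\<and>` line, so the statement mixes notations. The context line `| X \<in> analz (spies evs)"` could become `\<or> X \<in> analz (spies evs)"`; the meaning is unchanged. The lemma's name and remaining proof steps are outside the hunk.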
  54.119 @@ -367,7 +367,7 @@
  54.120  lemma analz_image_freshK [rule_format (no_asm)]:
  54.121       "evs \<in> bankerberos \<Longrightarrow>
  54.122     \<forall>K KK. KK \<subseteq> - (range shrK) \<longrightarrow>
  54.123 -          (Key K \<in> analz (Key`KK Un (spies evs))) =
  54.124 +          (Key K \<in> analz (Key`KK \<union> (spies evs))) =
  54.125            (K \<in> KK | Key K \<in> analz (spies evs))"
  54.126  apply (erule bankerberos.induct)
  54.127  apply (drule_tac [7] Says_Server_message_form)
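Review bot: The conclusion of analz_image_freshK keeps ASCII `|` while the line above it is converted to `\<union>` in this hunk, leaving the statement half-converted. The context line `(K \<in> KK | Key K \<in> analz (spies evs))` could be written `(K \<in> KK \<or> Key K \<in> analz (spies evs))` in the same pass, matching how the sibling Key_analz_image_Key_lemma in KerberosV was converted. The proof continues past the end of the hunk.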
  54.128 @@ -388,7 +388,7 @@
  54.129             (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, X\<rbrace>) \<in> set evs;
  54.130           Says Server A'
  54.131            (Crypt (shrK A') \<lbrace>Number Tk', Agent B', Key K, X'\<rbrace>) \<in> set evs;
  54.132 -         evs \<in> bankerberos \<rbrakk> \<Longrightarrow> A=A' & Tk=Tk' & B=B' & X = X'"
  54.133 +         evs \<in> bankerberos \<rbrakk> \<Longrightarrow> A=A' \<and> Tk=Tk' \<and> B=B' \<and> X = X'"
  54.134  apply (erule rev_mp)
  54.135  apply (erule rev_mp)
  54.136  apply (erule bankerberos.induct)
    55.1 --- a/src/HOL/Auth/Kerberos_BAN_Gets.thy	Tue Feb 13 14:24:50 2018 +0100
    55.2 +++ b/src/HOL/Auth/Kerberos_BAN_Gets.thy	Thu Feb 15 12:11:00 2018 +0100
    55.3 @@ -40,27 +40,27 @@
    55.4  
    55.5  
    55.6  abbreviation
    55.7 -  CT :: "event list=>nat" where
    55.8 +  CT :: "event list \<Rightarrow> nat" where
    55.9    "CT == length"
   55.10  
   55.11  abbreviation
   55.12 -  expiredK :: "[nat, event list] => bool" where
   55.13 +  expiredK :: "[nat, event list] \<Rightarrow> bool" where
   55.14    "expiredK T evs == sesKlife + T < CT evs"
   55.15  
   55.16  abbreviation
   55.17 -  expiredA :: "[nat, event list] => bool" where
   55.18 +  expiredA :: "[nat, event list] \<Rightarrow> bool" where
   55.19    "expiredA T evs == authlife + T < CT evs"
   55.20  
   55.21  
   55.22  definition
   55.23   (* Yields the subtrace of a given trace from its beginning to a given event *)
   55.24 -  before :: "[event, event list] => event list" ("before _ on _")
   55.25 -  where "before ev on evs = takeWhile (% z. z ~= ev) (rev evs)"
   55.26 +  before :: "[event, event list] \<Rightarrow> event list" ("before _ on _")
   55.27 +  where "before ev on evs = takeWhile (\<lambda>z. z \<noteq> ev) (rev evs)"
   55.28  
   55.29  definition
   55.30   (* States than an event really appears only once on a trace *)
   55.31 -  Unique :: "[event, event list] => bool" ("Unique _ on _")
   55.32 -  where "Unique ev on evs = (ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs)))"
   55.33 +  Unique :: "[event, event list] \<Rightarrow> bool" ("Unique _ on _")
   55.34 +  where "Unique ev on evs = (ev \<notin> set (tl (dropWhile (\<lambda>z. z \<noteq> ev) evs)))"
   55.35  
   55.36