src/HOL/Auth/Message.ML
author paulson
Tue, 07 Jan 1997 16:28:43 +0100
changeset 2484 596a5b5a68ff
parent 2415 46de4b035f00
child 2516 4d68fbe6378b
permissions -rw-r--r--
Incorporation of HPair into Message
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     1
(*  Title:      HOL/Auth/Message
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     2
    ID:         $Id$
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     4
    Copyright   1996  University of Cambridge
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     5
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     6
Datatypes of agents and messages;
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
     7
Inductive relations "parts", "analz" and "synth"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     8
*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
     9
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    10
val prems = goal HOL.thy "[| P ==> Q(True); ~P ==> Q(False) |] ==> Q(P)";
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    11
by (case_tac "P" 1);
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    12
by (ALLGOALS (asm_simp_tac (!simpset addsimps prems)));
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    13
val expand_case = result();
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    14
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    15
fun expand_case_tac P i =
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    16
    res_inst_tac [("P",P)] expand_case i THEN
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    17
    Simp_tac (i+1) THEN 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    18
    Simp_tac i;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    19
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    20
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    21
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    22
(*GOALS.ML??*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    23
fun prlim n = (goals_limit:=n; pr());
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    24
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    25
(*FUN.ML??  WE NEED A NOTION OF INVERSE IMAGE, OR GRAPH!!*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    26
goal Set.thy "!!f. B <= range f = (B = f`` {x. f x: B})";
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    27
by (fast_tac (!claset addEs [equalityE]) 1);
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    28
val subset_range_iff = result();
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    29
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
    30
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    31
open Message;
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    32
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
    33
AddIffs (msg.inject);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    34
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    35
(** Inverse of keys **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    36
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    37
goal thy "!!K K'. (invKey K = invKey K') = (K=K')";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    38
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
    39
by (rtac box_equals 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    40
by (REPEAT (rtac invKey 2));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    41
by (Asm_simp_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    42
qed "invKey_eq";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    43
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    44
Addsimps [invKey, invKey_eq];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    45
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    46
2484
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    47
(**** Freeness laws for HPair ****)
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    48
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    49
goalw thy [HPair_def] "Agent A ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    50
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    51
qed "Agent_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    52
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    53
goalw thy [HPair_def] "Nonce N ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    54
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    55
qed "Nonce_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    56
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    57
goalw thy [HPair_def] "Key K ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    58
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    59
qed "Key_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    60
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    61
goalw thy [HPair_def] "Hash Z ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    62
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    63
qed "Hash_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    64
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    65
goalw thy [HPair_def] "Crypt K X' ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    66
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    67
qed "Crypt_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    68
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    69
val HPair_neqs = [Agent_neq_HPair, Nonce_neq_HPair, 
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    70
		  Key_neq_HPair, Hash_neq_HPair, Crypt_neq_HPair];
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    71
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    72
AddIffs HPair_neqs;
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    73
AddIffs (HPair_neqs RL [not_sym]);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    74
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    75
goalw thy [HPair_def] "(HPair X' Y' = HPair X Y) = (X' = X & Y'=Y)";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    76
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    77
qed "HPair_eq";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    78
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    79
goalw thy [HPair_def] "({|X',Y'|} = HPair X Y) = (X' = Hash{|X,Y|} & Y'=Y)";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    80
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    81
qed "MPair_eq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    82
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    83
goalw thy [HPair_def] "(HPair X Y = {|X',Y'|}) = (X' = Hash{|X,Y|} & Y'=Y)";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    84
by (Auto_tac());
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    85
qed "HPair_eq_MPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    86
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    87
AddIffs [HPair_eq, MPair_eq_HPair, HPair_eq_MPair];
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    88
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
    89
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    90
(**** keysFor operator ****)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    91
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    92
goalw thy [keysFor_def] "keysFor {} = {}";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    93
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    94
qed "keysFor_empty";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    95
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    96
goalw thy [keysFor_def] "keysFor (H Un H') = keysFor H Un keysFor H'";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    97
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    98
qed "keysFor_Un";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
    99
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   100
goalw thy [keysFor_def] "keysFor (UN i. H i) = (UN i. keysFor (H i))";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   101
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   102
qed "keysFor_UN";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   103
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   104
(*Monotonicity*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   105
goalw thy [keysFor_def] "!!G H. G<=H ==> keysFor(G) <= keysFor(H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   106
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   107
qed "keysFor_mono";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   108
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   109
goalw thy [keysFor_def] "keysFor (insert (Agent A) H) = keysFor H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   110
by (fast_tac (!claset addss (!simpset)) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   111
qed "keysFor_insert_Agent";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   112
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   113
goalw thy [keysFor_def] "keysFor (insert (Nonce N) H) = keysFor H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   114
by (fast_tac (!claset addss (!simpset)) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   115
qed "keysFor_insert_Nonce";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   116
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   117
goalw thy [keysFor_def] "keysFor (insert (Key K) H) = keysFor H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   118
by (fast_tac (!claset addss (!simpset)) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   119
qed "keysFor_insert_Key";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   120
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   121
goalw thy [keysFor_def] "keysFor (insert (Hash X) H) = keysFor H";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   122
by (fast_tac (!claset addss (!simpset)) 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   123
qed "keysFor_insert_Hash";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   124
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   125
goalw thy [keysFor_def] "keysFor (insert {|X,Y|} H) = keysFor H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   126
by (fast_tac (!claset addss (!simpset)) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   127
qed "keysFor_insert_MPair";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   128
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   129
goalw thy [keysFor_def]
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   130
    "keysFor (insert (Crypt K X) H) = insert (invKey K) (keysFor H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   131
by (Auto_tac());
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   132
qed "keysFor_insert_Crypt";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   133
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   134
Addsimps [keysFor_empty, keysFor_Un, keysFor_UN, 
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   135
          keysFor_insert_Agent, keysFor_insert_Nonce, keysFor_insert_Key, 
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   136
	  keysFor_insert_Hash, keysFor_insert_MPair, keysFor_insert_Crypt];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   137
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   138
goalw thy [keysFor_def] "!!H. Crypt K X : H ==> invKey K : keysFor H";
2068
0d05468dc80c New theorem Crypt_imp_invKey_keysFor
paulson
parents: 2061
diff changeset
   139
by (Fast_tac 1);
0d05468dc80c New theorem Crypt_imp_invKey_keysFor
paulson
parents: 2061
diff changeset
   140
qed "Crypt_imp_invKey_keysFor";
0d05468dc80c New theorem Crypt_imp_invKey_keysFor
paulson
parents: 2061
diff changeset
   141
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   142
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   143
(**** Inductive relation "parts" ****)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   144
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   145
val major::prems = 
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   146
goal thy "[| {|X,Y|} : parts H;       \
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   147
\            [| X : parts H; Y : parts H |] ==> P  \
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   148
\         |] ==> P";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   149
by (cut_facts_tac [major] 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   150
by (resolve_tac prems 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   151
by (REPEAT (eresolve_tac [asm_rl, parts.Fst, parts.Snd] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   152
qed "MPair_parts";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   153
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   154
AddIs  [parts.Inj];
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   155
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   156
val partsEs = [MPair_parts, make_elim parts.Body];
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   157
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   158
AddSEs partsEs;
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   159
(*NB These two rules are UNSAFE in the formal sense, as they discard the
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   160
     compound message.  They work well on THIS FILE, perhaps because its
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   161
     proofs concern only atomic messages.*)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   162
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   163
goal thy "H <= parts(H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   164
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   165
qed "parts_increasing";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   166
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   167
(*Monotonicity*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   168
goalw thy parts.defs "!!G H. G<=H ==> parts(G) <= parts(H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   169
by (rtac lfp_mono 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   170
by (REPEAT (ares_tac basic_monos 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   171
qed "parts_mono";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   172
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   173
val parts_insertI = impOfSubs (subset_insertI RS parts_mono);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   174
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   175
goal thy "parts{} = {}";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   176
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   177
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   178
by (ALLGOALS Fast_tac);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   179
qed "parts_empty";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   180
Addsimps [parts_empty];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   181
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   182
goal thy "!!X. X: parts{} ==> P";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   183
by (Asm_full_simp_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   184
qed "parts_emptyE";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   185
AddSEs [parts_emptyE];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   186
1893
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   187
(*WARNING: loops if H = {Y}, therefore must not be repeated!*)
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   188
goal thy "!!H. X: parts H ==> EX Y:H. X: parts {Y}";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   189
by (etac parts.induct 1);
1893
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   190
by (ALLGOALS Fast_tac);
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   191
qed "parts_singleton";
fa58f4a06f21 Works up to main theorem, then XXX...X
paulson
parents: 1885
diff changeset
   192
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   193
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   194
(** Unions **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   195
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   196
goal thy "parts(G) Un parts(H) <= parts(G Un H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   197
by (REPEAT (ares_tac [Un_least, parts_mono, Un_upper1, Un_upper2] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   198
val parts_Un_subset1 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   199
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   200
goal thy "parts(G Un H) <= parts(G) Un parts(H)";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   201
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   202
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   203
by (ALLGOALS Fast_tac);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   204
val parts_Un_subset2 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   205
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   206
goal thy "parts(G Un H) = parts(G) Un parts(H)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   207
by (REPEAT (ares_tac [equalityI, parts_Un_subset1, parts_Un_subset2] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   208
qed "parts_Un";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   209
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   210
goal thy "parts (insert X H) = parts {X} Un parts H";
1852
289ce6cb5c84 Added Msg 3; works up to Says_Server_imp_Key_newK
paulson
parents: 1839
diff changeset
   211
by (stac (read_instantiate [("A","H")] insert_is_Un) 1);
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   212
by (simp_tac (HOL_ss addsimps [parts_Un]) 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   213
qed "parts_insert";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   214
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   215
(*TWO inserts to avoid looping.  This rewrite is better than nothing.
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   216
  Not suitable for Addsimps: its behaviour can be strange.*)
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   217
goal thy "parts (insert X (insert Y H)) = parts {X} Un parts {Y} Un parts H";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   218
by (simp_tac (!simpset addsimps [Un_assoc]) 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   219
by (simp_tac (!simpset addsimps [parts_insert RS sym]) 1);
1852
289ce6cb5c84 Added Msg 3; works up to Says_Server_imp_Key_newK
paulson
parents: 1839
diff changeset
   220
qed "parts_insert2";
289ce6cb5c84 Added Msg 3; works up to Says_Server_imp_Key_newK
paulson
parents: 1839
diff changeset
   221
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   222
goal thy "(UN x:A. parts(H x)) <= parts(UN x:A. H x)";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   223
by (REPEAT (ares_tac [UN_least, parts_mono, UN_upper] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   224
val parts_UN_subset1 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   225
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   226
goal thy "parts(UN x:A. H x) <= (UN x:A. parts(H x))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   227
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   228
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   229
by (ALLGOALS Fast_tac);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   230
val parts_UN_subset2 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   231
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   232
goal thy "parts(UN x:A. H x) = (UN x:A. parts(H x))";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   233
by (REPEAT (ares_tac [equalityI, parts_UN_subset1, parts_UN_subset2] 1));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   234
qed "parts_UN";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   235
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   236
goal thy "parts(UN x. H x) = (UN x. parts(H x))";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   237
by (simp_tac (!simpset addsimps [UNION1_def, parts_UN]) 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   238
qed "parts_UN1";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   239
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   240
(*Added to simplify arguments to parts, analz and synth*)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   241
Addsimps [parts_Un, parts_UN, parts_UN1];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   242
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   243
goal thy "insert X (parts H) <= parts(insert X H)";
1852
289ce6cb5c84 Added Msg 3; works up to Says_Server_imp_Key_newK
paulson
parents: 1839
diff changeset
   244
by (fast_tac (!claset addEs [impOfSubs parts_mono]) 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   245
qed "parts_insert_subset";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   246
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   247
(** Idempotence and transitivity **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   248
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   249
goal thy "!!H. X: parts (parts H) ==> X: parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   250
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   251
by (ALLGOALS Fast_tac);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   252
qed "parts_partsE";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   253
AddSEs [parts_partsE];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   254
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   255
goal thy "parts (parts H) = parts H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   256
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   257
qed "parts_idem";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   258
Addsimps [parts_idem];
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   259
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   260
goal thy "!!H. [| X: parts G;  G <= parts H |] ==> X: parts H";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   261
by (dtac parts_mono 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   262
by (Fast_tac 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   263
qed "parts_trans";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   264
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   265
(*Cut*)
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   266
goal thy "!!H. [| Y: parts (insert X G);  X: parts H |] \
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   267
\              ==> Y: parts (G Un H)";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   268
by (etac parts_trans 1);
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   269
by (Auto_tac());
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   270
qed "parts_cut";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   271
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   272
goal thy "!!H. X: parts H ==> parts (insert X H) = parts H";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   273
by (fast_tac (!claset addSDs [parts_cut]
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   274
                      addIs  [parts_insertI] 
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   275
                      addss (!simpset)) 1);
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   276
qed "parts_cut_eq";
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   277
2028
738bb98d65ec Last working version prior to addition of "lost" component
paulson
parents: 2026
diff changeset
   278
Addsimps [parts_cut_eq];
738bb98d65ec Last working version prior to addition of "lost" component
paulson
parents: 2026
diff changeset
   279
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   280
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   281
(** Rewrite rules for pulling out atomic messages **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   282
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   283
fun parts_tac i =
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   284
  EVERY [rtac ([subsetI, parts_insert_subset] MRS equalityI) i,
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   285
	 etac parts.induct i,
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   286
	 REPEAT (fast_tac (!claset addss (!simpset)) i)];
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   287
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   288
goal thy "parts (insert (Agent agt) H) = insert (Agent agt) (parts H)";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   289
by (parts_tac 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   290
qed "parts_insert_Agent";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   291
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   292
goal thy "parts (insert (Nonce N) H) = insert (Nonce N) (parts H)";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   293
by (parts_tac 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   294
qed "parts_insert_Nonce";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   295
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   296
goal thy "parts (insert (Key K) H) = insert (Key K) (parts H)";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   297
by (parts_tac 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   298
qed "parts_insert_Key";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   299
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   300
goal thy "parts (insert (Hash X) H) = insert (Hash X) (parts H)";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   301
by (parts_tac 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   302
qed "parts_insert_Hash";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   303
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   304
goal thy "parts (insert (Crypt K X) H) = \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   305
\         insert (Crypt K X) (parts (insert X H))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   306
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   307
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   308
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   309
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   310
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   311
by (ALLGOALS (best_tac (!claset addIs [parts.Body])));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   312
qed "parts_insert_Crypt";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   313
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   314
goal thy "parts (insert {|X,Y|} H) = \
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   315
\         insert {|X,Y|} (parts (insert X (insert Y H)))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   316
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   317
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   318
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   319
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   320
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   321
by (ALLGOALS (best_tac (!claset addIs [parts.Fst, parts.Snd])));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   322
qed "parts_insert_MPair";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   323
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   324
Addsimps [parts_insert_Agent, parts_insert_Nonce, parts_insert_Key, 
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   325
          parts_insert_Hash, parts_insert_Crypt, parts_insert_MPair];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   326
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   327
2026
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   328
goal thy "parts (Key``N) = Key``N";
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   329
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   330
by (etac parts.induct 1);
2026
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   331
by (Auto_tac());
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   332
qed "parts_image_Key";
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   333
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   334
Addsimps [parts_image_Key];
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   335
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   336
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   337
(**** Inductive relation "analz" ****)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   338
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   339
val major::prems = 
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   340
goal thy "[| {|X,Y|} : analz H;       \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   341
\            [| X : analz H; Y : analz H |] ==> P  \
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   342
\         |] ==> P";
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   343
by (cut_facts_tac [major] 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   344
by (resolve_tac prems 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   345
by (REPEAT (eresolve_tac [asm_rl, analz.Fst, analz.Snd] 1));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   346
qed "MPair_analz";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   347
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   348
AddIs  [analz.Inj];
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   349
AddSEs [MPair_analz];      (*Perhaps it should NOT be deemed safe!*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   350
AddDs  [analz.Decrypt];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   351
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   352
Addsimps [analz.Inj];
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   353
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   354
goal thy "H <= analz(H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   355
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   356
qed "analz_increasing";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   357
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   358
goal thy "analz H <= parts H";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   359
by (rtac subsetI 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   360
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   361
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   362
qed "analz_subset_parts";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   363
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   364
bind_thm ("not_parts_not_analz", analz_subset_parts RS contra_subsetD);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   365
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   366
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   367
goal thy "parts (analz H) = parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   368
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   369
by (rtac (analz_subset_parts RS parts_mono RS subset_trans) 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   370
by (Simp_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   371
by (fast_tac (!claset addDs [analz_increasing RS parts_mono RS subsetD]) 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   372
qed "parts_analz";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   373
Addsimps [parts_analz];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   374
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   375
goal thy "analz (parts H) = parts H";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   376
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   377
by (etac analz.induct 1);
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   378
by (Auto_tac());
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   379
qed "analz_parts";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   380
Addsimps [analz_parts];
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   381
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   382
(*Monotonicity; Lemma 1 of Lowe*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   383
goalw thy analz.defs "!!G H. G<=H ==> analz(G) <= analz(H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   384
by (rtac lfp_mono 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   385
by (REPEAT (ares_tac basic_monos 1));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   386
qed "analz_mono";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   387
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   388
val analz_insertI = impOfSubs (subset_insertI RS analz_mono);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   389
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   390
(** General equational properties **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   391
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   392
goal thy "analz{} = {}";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   393
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   394
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   395
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   396
qed "analz_empty";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   397
Addsimps [analz_empty];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   398
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   399
(*Converse fails: we can analz more from the union than from the 
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   400
  separate parts, as a key in one might decrypt a message in the other*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   401
goal thy "analz(G) Un analz(H) <= analz(G Un H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   402
by (REPEAT (ares_tac [Un_least, analz_mono, Un_upper1, Un_upper2] 1));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   403
qed "analz_Un";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   404
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   405
goal thy "insert X (analz H) <= analz(insert X H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   406
by (fast_tac (!claset addEs [impOfSubs analz_mono]) 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   407
qed "analz_insert";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   408
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   409
(** Rewrite rules for pulling out atomic messages **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   410
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   411
fun analz_tac i =
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   412
  EVERY [rtac ([subsetI, analz_insert] MRS equalityI) i,
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   413
	 etac analz.induct i,
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   414
	 REPEAT (fast_tac (!claset addss (!simpset)) i)];
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   415
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   416
goal thy "analz (insert (Agent agt) H) = insert (Agent agt) (analz H)";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   417
by (analz_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   418
qed "analz_insert_Agent";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   419
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   420
goal thy "analz (insert (Nonce N) H) = insert (Nonce N) (analz H)";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   421
by (analz_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   422
qed "analz_insert_Nonce";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   423
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   424
goal thy "analz (insert (Hash X) H) = insert (Hash X) (analz H)";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   425
by (analz_tac 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   426
qed "analz_insert_Hash";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   427
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   428
(*Can only pull out Keys if they are not needed to decrypt the rest*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   429
goalw thy [keysFor_def]
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   430
    "!!K. K ~: keysFor (analz H) ==>  \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   431
\         analz (insert (Key K) H) = insert (Key K) (analz H)";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   432
by (analz_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   433
qed "analz_insert_Key";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   434
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   435
goal thy "analz (insert {|X,Y|} H) = \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   436
\         insert {|X,Y|} (analz (insert X (insert Y H)))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   437
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   438
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   439
by (etac analz.induct 1);
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   440
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   441
by (etac analz.induct 1);
2102
41a667d2c3fa Replaced excluded_middle_tac by case_tac
paulson
parents: 2068
diff changeset
   442
by (ALLGOALS
41a667d2c3fa Replaced excluded_middle_tac by case_tac
paulson
parents: 2068
diff changeset
   443
    (deepen_tac (!claset addIs [analz.Fst, analz.Snd, analz.Decrypt]) 0));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   444
qed "analz_insert_MPair";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   445
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   446
(*Can pull out enCrypted message if the Key is not known*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   447
goal thy "!!H. Key (invKey K) ~: analz H ==>  \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   448
\              analz (insert (Crypt K X) H) = \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   449
\              insert (Crypt K X) (analz H)";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   450
by (analz_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   451
qed "analz_insert_Crypt";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   452
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   453
goal thy "!!H. Key (invKey K) : analz H ==>  \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   454
\              analz (insert (Crypt K X) H) <= \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   455
\              insert (Crypt K X) (analz (insert X H))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   456
by (rtac subsetI 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   457
by (eres_inst_tac [("za","x")] analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   458
by (ALLGOALS (fast_tac (!claset addss (!simpset))));
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   459
val lemma1 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   460
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   461
goal thy "!!H. Key (invKey K) : analz H ==>  \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   462
\              insert (Crypt K X) (analz (insert X H)) <= \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   463
\              analz (insert (Crypt K X) H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   464
by (Auto_tac());
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   465
by (eres_inst_tac [("za","x")] analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   466
by (Auto_tac());
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   467
by (best_tac (!claset addIs [subset_insertI RS analz_mono RS subsetD,
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   468
                             analz.Decrypt]) 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   469
val lemma2 = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   470
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   471
goal thy "!!H. Key (invKey K) : analz H ==>  \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   472
\              analz (insert (Crypt K X) H) = \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   473
\              insert (Crypt K X) (analz (insert X H))";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   474
by (REPEAT (ares_tac [equalityI, lemma1, lemma2] 1));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   475
qed "analz_insert_Decrypt";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   476
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   477
(*Case analysis: either the message is secure, or it is not!
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   478
  Effective, but can cause subgoals to blow up!
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   479
  Use with expand_if;  apparently split_tac does not cope with patterns
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   480
  such as "analz (insert (Crypt K X) H)" *)
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   481
goal thy "analz (insert (Crypt K X) H) =                \
2154
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   482
\         (if (Key (invKey K) : analz H)                \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   483
\          then insert (Crypt K X) (analz (insert X H)) \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   484
\          else insert (Crypt K X) (analz H))";
2102
41a667d2c3fa Replaced excluded_middle_tac by case_tac
paulson
parents: 2068
diff changeset
   485
by (case_tac "Key (invKey K)  : analz H " 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   486
by (ALLGOALS (asm_simp_tac (!simpset addsimps [analz_insert_Crypt, 
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   487
                                               analz_insert_Decrypt])));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   488
qed "analz_Crypt_if";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   489
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   490
Addsimps [analz_insert_Agent, analz_insert_Nonce, analz_insert_Key, 
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   491
	  analz_insert_Hash, analz_insert_MPair, analz_Crypt_if];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   492
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   493
(*This rule supposes "for the sake of argument" that we have the key.*)
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   494
goal thy  "analz (insert (Crypt K X) H) <=  \
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   495
\          insert (Crypt K X) (analz (insert X H))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   496
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   497
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   498
by (Auto_tac());
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   499
qed "analz_insert_Crypt_subset";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   500
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   501
2026
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   502
goal thy "analz (Key``N) = Key``N";
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   503
by (Auto_tac());
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   504
by (etac analz.induct 1);
2026
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   505
by (Auto_tac());
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   506
qed "analz_image_Key";
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   507
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   508
Addsimps [analz_image_Key];
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   509
0df5a96bf77e Last working version prior to introduction of "lost"
paulson
parents: 2011
diff changeset
   510
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   511
(** Idempotence and transitivity **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   512
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   513
goal thy "!!H. X: analz (analz H) ==> X: analz H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   514
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   515
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   516
qed "analz_analzE";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   517
AddSEs [analz_analzE];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   518
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   519
goal thy "analz (analz H) = analz H";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   520
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   521
qed "analz_idem";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   522
Addsimps [analz_idem];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   523
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   524
goal thy "!!H. [| X: analz G;  G <= analz H |] ==> X: analz H";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   525
by (dtac analz_mono 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   526
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   527
qed "analz_trans";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   528
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   529
(*Cut; Lemma 2 of Lowe*)
1998
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   530
goal thy "!!H. [| Y: analz (insert X H);  X: analz H |] ==> Y: analz H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   531
by (etac analz_trans 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   532
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   533
qed "analz_cut";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   534
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   535
(*Cut can be proved easily by induction on
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   536
   "!!H. Y: analz (insert X H) ==> X: analz H --> Y: analz H"
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   537
*)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   538
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   539
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   540
(** A congruence rule for "analz" **)
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   541
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   542
goal thy "!!H. [| analz G <= analz G'; analz H <= analz H' \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   543
\              |] ==> analz (G Un H) <= analz (G' Un H')";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   544
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   545
by (etac analz.induct 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   546
by (ALLGOALS (best_tac (!claset addIs [analz_mono RS subsetD])));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   547
qed "analz_subset_cong";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   548
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   549
goal thy "!!H. [| analz G = analz G'; analz H = analz H' \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   550
\              |] ==> analz (G Un H) = analz (G' Un H')";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   551
by (REPEAT_FIRST (ares_tac [equalityI, analz_subset_cong]
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   552
          ORELSE' etac equalityE));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   553
qed "analz_cong";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   554
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   555
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   556
goal thy "!!H. analz H = analz H' ==> analz(insert X H) = analz(insert X H')";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   557
by (asm_simp_tac (!simpset addsimps [insert_def] 
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   558
                           setloop (rtac analz_cong)) 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   559
qed "analz_insert_cong";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   560
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   561
(*If there are no pairs or encryptions then analz does nothing*)
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   562
goal thy "!!H. [| ALL X Y. {|X,Y|} ~: H;  ALL X K. Crypt K X ~: H |] ==> \
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   563
\         analz H = H";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   564
by (Step_tac 1);
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   565
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   566
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   567
qed "analz_trivial";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   568
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   569
(*Helps to prove Fake cases*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   570
goal thy "!!X. X: analz (UN i. analz (H i)) ==> X: analz (UN i. H i)";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   571
by (etac analz.induct 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   572
by (ALLGOALS (fast_tac (!claset addEs [impOfSubs analz_mono])));
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   573
val lemma = result();
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   574
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   575
goal thy "analz (UN i. analz (H i)) = analz (UN i. H i)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   576
by (fast_tac (!claset addIs [lemma]
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   577
                      addEs [impOfSubs analz_mono]) 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   578
qed "analz_UN_analz";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   579
Addsimps [analz_UN_analz];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   580
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   581
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   582
(**** Inductive relation "synth" ****)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   583
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   584
AddIs  synth.intrs;
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   585
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   586
(*Can only produce a nonce or key if it is already known,
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   587
  but can synth a pair or encryption from its components...*)
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   588
val mk_cases = synth.mk_cases msg.simps;
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   589
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   590
(*NO Agent_synth, as any Agent name can be synthd*)
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   591
val Nonce_synth = mk_cases "Nonce n : synth H";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   592
val Key_synth   = mk_cases "Key K : synth H";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   593
val Hash_synth  = mk_cases "Hash X : synth H";
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   594
val MPair_synth = mk_cases "{|X,Y|} : synth H";
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   595
val Crypt_synth = mk_cases "Crypt K X : synth H";
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   596
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   597
AddSEs [Nonce_synth, Key_synth, Hash_synth, MPair_synth, Crypt_synth];
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   598
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   599
goal thy "H <= synth(H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   600
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   601
qed "synth_increasing";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   602
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   603
(*Monotonicity*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   604
goalw thy synth.defs "!!G H. G<=H ==> synth(G) <= synth(H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   605
by (rtac lfp_mono 1);
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   606
by (REPEAT (ares_tac basic_monos 1));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   607
qed "synth_mono";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   608
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   609
(** Unions **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   610
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   611
(*Converse fails: we can synth more from the union than from the 
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   612
  separate parts, building a compound message using elements of each.*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   613
goal thy "synth(G) Un synth(H) <= synth(G Un H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   614
by (REPEAT (ares_tac [Un_least, synth_mono, Un_upper1, Un_upper2] 1));
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   615
qed "synth_Un";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   616
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   617
goal thy "insert X (synth H) <= synth(insert X H)";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   618
by (fast_tac (!claset addEs [impOfSubs synth_mono]) 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   619
qed "synth_insert";
1885
a18a6dc14f76 Auth proofs work up to the XXX...
paulson
parents: 1852
diff changeset
   620
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   621
(** Idempotence and transitivity **)
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   622
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   623
goal thy "!!H. X: synth (synth H) ==> X: synth H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   624
by (etac synth.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   625
by (ALLGOALS Fast_tac);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   626
qed "synth_synthE";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   627
AddSEs [synth_synthE];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   628
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   629
goal thy "synth (synth H) = synth H";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   630
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   631
qed "synth_idem";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   632
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   633
goal thy "!!H. [| X: synth G;  G <= synth H |] ==> X: synth H";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   634
by (dtac synth_mono 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   635
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   636
qed "synth_trans";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   637
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   638
(*Cut; Lemma 2 of Lowe*)
1998
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   639
goal thy "!!H. [| Y: synth (insert X H);  X: synth H |] ==> Y: synth H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   640
by (etac synth_trans 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   641
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   642
qed "synth_cut";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   643
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   644
goal thy "Agent A : synth H";
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   645
by (Fast_tac 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   646
qed "Agent_synth";
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   647
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   648
goal thy "(Nonce N : synth H) = (Nonce N : H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   649
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   650
qed "Nonce_synth_eq";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   651
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   652
goal thy "(Key K : synth H) = (Key K : H)";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   653
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   654
qed "Key_synth_eq";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   655
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   656
goal thy "!!K. Key K ~: H ==> (Crypt K X : synth H) = (Crypt K X : H)";
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   657
by (Fast_tac 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   658
qed "Crypt_synth_eq";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   659
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   660
Addsimps [Agent_synth, Nonce_synth_eq, Key_synth_eq, Crypt_synth_eq];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   661
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   662
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   663
goalw thy [keysFor_def]
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   664
    "keysFor (synth H) = keysFor H Un invKey``{K. Key K : H}";
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   665
by (Fast_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   666
qed "keysFor_synth";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   667
Addsimps [keysFor_synth];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   668
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   669
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   670
(*** Combinations of parts, analz and synth ***)
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   671
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   672
goal thy "parts (synth H) = parts H Un synth H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   673
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   674
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   675
by (etac parts.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   676
by (ALLGOALS
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   677
    (best_tac (!claset addIs ((synth_increasing RS parts_mono RS subsetD)
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   678
                             ::parts.intrs))));
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   679
qed "parts_synth";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   680
Addsimps [parts_synth];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   681
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   682
goal thy "analz (analz G Un H) = analz (G Un H)";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   683
by (REPEAT_FIRST (resolve_tac [equalityI, analz_subset_cong]));
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   684
by (ALLGOALS Simp_tac);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   685
qed "analz_analz_Un";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   686
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   687
goal thy "analz (synth G Un H) = analz (G Un H) Un synth G";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   688
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   689
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   690
by (etac analz.induct 1);
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   691
by (deepen_tac (!claset addIs [impOfSubs analz_mono]) 0 5);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   692
(*Strange that best_tac just can't hack this one...*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   693
by (ALLGOALS (deepen_tac (!claset addIs analz.intrs) 0));
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   694
qed "analz_synth_Un";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   695
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   696
goal thy "analz (synth H) = analz H Un synth H";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   697
by (cut_inst_tac [("H","{}")] analz_synth_Un 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   698
by (Full_simp_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   699
qed "analz_synth";
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   700
Addsimps [analz_analz_Un, analz_synth_Un, analz_synth];
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   701
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   702
(*Hard to prove; still needed now that there's only one Spy?*)
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   703
goal thy "analz (UN i. synth (H i)) = \
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   704
\         analz (UN i. H i) Un (UN i. synth (H i))";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   705
by (rtac equalityI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   706
by (rtac subsetI 1);
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   707
by (etac analz.induct 1);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   708
by (best_tac
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   709
    (!claset addEs [impOfSubs synth_increasing,
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   710
                    impOfSubs analz_mono]) 5);
1839
199243afac2b Proving safety properties of authentication protocols
paulson
parents:
diff changeset
   711
by (Best_tac 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   712
by (deepen_tac (!claset addIs [analz.Fst]) 0 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   713
by (deepen_tac (!claset addIs [analz.Snd]) 0 1);
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   714
by (deepen_tac (!claset addSEs [analz.Decrypt]
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   715
                        addIs  [analz.Decrypt]) 0 1);
1913
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   716
qed "analz_UN1_synth";
2809adb15eb0 Renaming of functions, and tidying
paulson
parents: 1893
diff changeset
   717
Addsimps [analz_UN1_synth];
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   718
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   719
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   720
(** For reasoning about the Fake rule in traces **)
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   721
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   722
goal thy "!!Y. X: G ==> parts(insert X H) <= parts G Un parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   723
by (rtac ([parts_mono, parts_Un_subset2] MRS subset_trans) 1);
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   724
by (Fast_tac 1);
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   725
qed "parts_insert_subset_Un";
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   726
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   727
(*More specifically for Fake*)
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   728
goal thy "!!H. X: synth (analz G) ==> \
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   729
\              parts (insert X H) <= synth (analz G) Un parts G Un parts H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   730
by (dtac parts_insert_subset_Un 1);
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   731
by (Full_simp_tac 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   732
by (Deepen_tac 0 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   733
qed "Fake_parts_insert";
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   734
2061
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   735
goal thy
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   736
     "!!H. [| Crypt K Y : parts (insert X H);  X: synth (analz G);  \
2061
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   737
\             Key K ~: analz G |]                                   \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   738
\          ==> Crypt K Y : parts G Un parts H";
2061
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   739
by (dtac (impOfSubs Fake_parts_insert) 1);
2170
c5e460f1ebb4 Ran expandshort
paulson
parents: 2154
diff changeset
   740
by (assume_tac 1);
2061
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   741
by (fast_tac (!claset addDs [impOfSubs analz_subset_parts]
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   742
                      addss (!simpset)) 1);
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   743
qed "Crypt_Fake_parts_insert";
b14a08bf61bf New theorem Crypt_Fake_parts_insert
paulson
parents: 2032
diff changeset
   744
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   745
goal thy "!!H. X: synth (analz G) ==> \
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   746
\              analz (insert X H) <= synth (analz G) Un analz (G Un H)";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   747
by (rtac subsetI 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   748
by (subgoal_tac "x : analz (synth (analz G) Un H)" 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   749
by (best_tac (!claset addIs [impOfSubs (analz_mono RS synth_mono)]
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   750
                      addSEs [impOfSubs analz_mono]) 2);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   751
by (Full_simp_tac 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   752
by (Fast_tac 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   753
qed "Fake_analz_insert";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   754
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   755
(*Needed????????????????*)
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   756
goal thy "!!H. [| X: synth (analz G); G <= H |] ==> \
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   757
\              analz (insert X H) <= synth (analz H) Un analz H";
2032
1bbf1bdcaf56 Introduction of "lost" argument
paulson
parents: 2028
diff changeset
   758
by (rtac subsetI 1);
1946
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   759
by (subgoal_tac "x : analz (synth (analz H))" 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   760
by (best_tac (!claset addIs [impOfSubs (analz_mono RS synth_mono)]
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   761
                      addSEs [impOfSubs analz_mono]) 2);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   762
by (Full_simp_tac 1);
b59a3d686436 New theorems for Fake case
paulson
parents: 1929
diff changeset
   763
by (Fast_tac 1);
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   764
qed "Fake_analz_insert_old";
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   765
2011
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   766
goal thy "(X: analz H & X: parts H) = (X: analz H)";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   767
by (fast_tac (!claset addDs [impOfSubs analz_subset_parts]) 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   768
val analz_conj_parts = result();
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   769
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   770
goal thy "(X: analz H | X: parts H) = (X: parts H)";
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   771
by (fast_tac (!claset addDs [impOfSubs analz_subset_parts]) 1);
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   772
val analz_disj_parts = result();
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   773
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   774
AddIffs [analz_conj_parts, analz_disj_parts];
d9af64c26be6 New laws for messages
paulson
parents: 1998
diff changeset
   775
1998
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   776
(*Without this equation, other rules for synth and analz would yield
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   777
  redundant cases*)
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   778
goal thy "({|X,Y|} : synth (analz H)) = \
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   779
\         (X : synth (analz H) & Y : synth (analz H))";
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   780
by (Fast_tac 1);
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   781
qed "MPair_synth_analz";
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   782
f8230821f1e8 Reordering of premises for cut theorems, and new law MPair_synth_analz
paulson
parents: 1994
diff changeset
   783
AddIffs [MPair_synth_analz];
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   784
2154
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   785
goal thy "!!K. [| Key K : analz H;  Key (invKey K) : analz H |] \
2284
80ebd1a213fd Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents: 2170
diff changeset
   786
\              ==> (Crypt K X : synth (analz H)) = (X : synth (analz H))";
2154
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   787
by (Fast_tac 1);
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   788
qed "Crypt_synth_analz";
913b4fc7670a New, purely illustrative result Crypt_synth_analz
paulson
parents: 2102
diff changeset
   789
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   790
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   791
goal thy "!!K. Key K ~: analz H \
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   792
\   ==> (Hash{|Key K,X|} : synth (analz H)) = (Hash{|Key K,X|} : analz H)";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   793
by (Fast_tac 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   794
qed "Hash_synth_analz";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   795
Addsimps [Hash_synth_analz];
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   796
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   797
2484
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   798
(**** HPair: a combination of Hash and MPair ****)
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   799
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   800
(*** Freeness ***)
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   801
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   802
goalw thy [HPair_def] "Agent A ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   803
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   804
qed "Agent_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   805
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   806
goalw thy [HPair_def] "Nonce N ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   807
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   808
qed "Nonce_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   809
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   810
goalw thy [HPair_def] "Key K ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   811
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   812
qed "Key_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   813
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   814
goalw thy [HPair_def] "Hash Z ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   815
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   816
qed "Hash_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   817
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   818
goalw thy [HPair_def] "Crypt K X' ~= HPair X Y";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   819
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   820
qed "Crypt_neq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   821
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   822
val HPair_neqs = [Agent_neq_HPair, Nonce_neq_HPair, 
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   823
		  Key_neq_HPair, Hash_neq_HPair, Crypt_neq_HPair];
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   824
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   825
AddIffs HPair_neqs;
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   826
AddIffs (HPair_neqs RL [not_sym]);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   827
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   828
goalw thy [HPair_def] "(HPair X' Y' = HPair X Y) = (X' = X & Y'=Y)";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   829
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   830
qed "HPair_eq";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   831
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   832
goalw thy [HPair_def] "({|X',Y'|} = HPair X Y) = (X' = Hash{|X,Y|} & Y'=Y)";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   833
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   834
qed "MPair_eq_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   835
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   836
goalw thy [HPair_def] "(HPair X Y = {|X',Y'|}) = (X' = Hash{|X,Y|} & Y'=Y)";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   837
by (Auto_tac());
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   838
qed "HPair_eq_MPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   839
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   840
AddIffs [HPair_eq, MPair_eq_HPair, HPair_eq_MPair];
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   841
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   842
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   843
(*** Specialized laws, proved in terms of those for Hash and MPair ***)
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   844
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   845
goalw thy [HPair_def] "keysFor (insert (HPair X Y) H) = keysFor H";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   846
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   847
qed "keysFor_insert_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   848
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   849
goalw thy [HPair_def]
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   850
    "parts (insert (HPair X Y) H) = \
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   851
\    insert (HPair X Y) (insert (Hash{|X,Y|}) (parts (insert Y H)))";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   852
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   853
qed "parts_insert_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   854
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   855
goalw thy [HPair_def]
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   856
    "analz (insert (HPair X Y) H) = \
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   857
\    insert (HPair X Y) (insert (Hash{|X,Y|}) (analz (insert Y H)))";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   858
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   859
qed "analz_insert_HPair";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   860
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   861
goalw thy [HPair_def] "!!H. X ~: synth (analz H) \
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   862
\   ==> (HPair X Y : synth (analz H)) = \
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   863
\       (Hash {|X, Y|} : analz H & Y : synth (analz H))";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   864
by (Simp_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   865
by (Fast_tac 1);
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   866
qed "HPair_synth_analz";
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   867
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   868
Addsimps [keysFor_insert_HPair, parts_insert_HPair, analz_insert_HPair, 
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   869
	  HPair_synth_analz, HPair_synth_analz];
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   870
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   871
1929
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   872
(*We do NOT want Crypt... messages broken up in protocols!!*)
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   873
Delrules partsEs;
f0839bab4b00 Working version of NS, messages 1-3, WITH INTERLEAVING
paulson
parents: 1913
diff changeset
   874
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   875
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   876
(** Rewrites to push in Key and Crypt messages, so that other messages can
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   877
    be pulled out using the analz_insert rules **)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   878
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   879
fun insComm thy x y = read_instantiate_sg (sign_of thy) [("x",x), ("y",y)] 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   880
                          insert_commute;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   881
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   882
val pushKeys = map (insComm thy "Key ?K") 
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   883
                   ["Agent ?C", "Nonce ?N", "Hash ?X", 
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   884
		    "MPair ?X ?Y", "Crypt ?X ?K'"];
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   885
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   886
val pushCrypts = map (insComm thy "Crypt ?X ?K") 
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   887
                     ["Agent ?C", "Nonce ?N", "Hash ?X'", "MPair ?X' ?Y"];
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   888
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   889
(*Cannot be added with Addsimps -- we don't always want to re-order messages*)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   890
val pushes = pushKeys@pushCrypts;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   891
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   892
2484
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   893
(*No premature instantiation of variables during simplification.
596a5b5a68ff Incorporation of HPair into Message
paulson
parents: 2415
diff changeset
   894
  For proving "possibility" properties.*)
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   895
fun safe_solver prems =
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   896
    match_tac (TrueI::refl::prems) ORELSE' eq_assume_tac
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   897
    ORELSE' etac FalseE;
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   898
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   899
val Fake_insert_tac = 
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   900
    dresolve_tac [impOfSubs Fake_analz_insert,
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   901
		  impOfSubs Fake_parts_insert] THEN'
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   902
    eresolve_tac [asm_rl, synth.Inj];
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   903
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   904
(*Analysis of Fake cases and of messages that forward unknown parts.
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   905
  Abstraction over i is ESSENTIAL: it delays the dereferencing of claset
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   906
  DEPENDS UPON "X" REFERRING TO THE FRADULENT MESSAGE *)
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   907
fun spy_analz_tac i =
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   908
  DETERM
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   909
   (SELECT_GOAL
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   910
     (EVERY 
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   911
      [  (*push in occurrences of X...*)
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   912
       (REPEAT o CHANGED)
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   913
           (res_inst_tac [("x1","X")] (insert_commute RS ssubst) 1),
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   914
       (*...allowing further simplifications*)
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   915
       simp_tac (!simpset setloop split_tac [expand_if]) 1,
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   916
       REPEAT (FIRSTGOAL (resolve_tac [allI,impI,notI,conjI])),
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   917
       DEPTH_SOLVE 
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   918
         (REPEAT (Fake_insert_tac 1) THEN Asm_full_simp_tac 1
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   919
	  THEN
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   920
	  IF_UNSOLVED (depth_tac (!claset addIs [impOfSubs analz_mono,
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   921
						 impOfSubs analz_subset_parts]) 2 1))
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   922
       ]) i);
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   923
2415
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   924
(** Useful in many uniqueness proofs **)
2327
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   925
fun ex_strip_tac i = REPEAT (swap_res_tac [exI, conjI] i) THEN 
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   926
                     assume_tac (i+1);
00ac25b2791d Moved much common material to Message.ML
paulson
parents: 2284
diff changeset
   927
2415
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   928
(*Apply the EX-ALL quantifification to prove uniqueness theorems in 
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   929
  their standard form*)
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   930
fun prove_unique_tac lemma = 
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   931
  EVERY' [dtac lemma,
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   932
	  REPEAT o (mp_tac ORELSE' eresolve_tac [asm_rl,exE]),
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   933
	  (*Duplicate the assumption*)
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   934
	  forw_inst_tac [("psi", "ALL C.?P(C)")] asm_rl,
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   935
	  fast_tac (!claset addSDs [spec])];
46de4b035f00 New tactic: prove_unique_tac
paulson
parents: 2373
diff changeset
   936
2373
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   937
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   938
(*Needed occasionally with spy_analz_tac, e.g. in analz_insert_Key_newK*)
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   939
goal Set.thy "A Un (B Un A) = B Un A";
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   940
by (Fast_tac 1);
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   941
val Un_absorb3 = result();
490ffa16952e Addition of the Hash constructor
paulson
parents: 2327
diff changeset
   942
Addsimps [Un_absorb3];