author | mueller |
Mon, 12 Jan 1998 17:51:05 +0100 | |
changeset 4562 | 7aa75c767182 |
parent 4477 | b3e5857d8d99 |
child 4686 | 74a12e86b20b |
permissions | -rw-r--r-- |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
1 |
(* Title: HOL/Auth/Event |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
2 |
ID: $Id$ |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
3 |
Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
4 |
Copyright 1996 University of Cambridge |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
5 |
|
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
6 |
Theory of events for security protocols |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
7 |
|
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
8 |
Datatype of events; function "sees"; freshness |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
9 |
*) |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
10 |
|
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
11 |
open Event; |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
12 |
|
3683 | 13 |
AddIffs [Spy_in_bad, Server_not_bad]; |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
14 |
|
3683 | 15 |
(**** Function "spies" ****) |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
16 |
|
3683 | 17 |
(** Simplifying parts (insert X (spies evs)) |
18 |
= parts {X} Un parts (spies evs) -- since general case loops*) |
|
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
19 |
|
3683 | 20 |
bind_thm ("parts_insert_spies", |
21 |
parts_insert |> |
|
22 |
read_instantiate_sg (sign_of thy) [("H", "spies evs")]); |
|
3678 | 23 |
|
24 |
||
3683 | 25 |
goal thy |
26 |
"P(event_case sf nf ev) = \ |
|
27 |
\ ((ALL A B X. ev = Says A B X --> P(sf A B X)) & \ |
|
28 |
\ (ALL A X. ev = Notes A X --> P(nf A X)))"; |
|
29 |
by (induct_tac "ev" 1); |
|
4477
b3e5857d8d99
New Auto_tac (by Oheimb), and new syntax (without parens), and expandshort
paulson
parents:
4266
diff
changeset
|
30 |
by Auto_tac; |
3683 | 31 |
qed "expand_event_case"; |
3678 | 32 |
|
3683 | 33 |
goal thy "spies (Says A B X # evs) = insert X (spies evs)"; |
34 |
by (Simp_tac 1); |
|
35 |
qed "spies_Says"; |
|
3678 | 36 |
|
3683 | 37 |
(*The point of letting the Spy see "bad" agents' notes is to prevent |
38 |
redundant case-splits on whether A=Spy and whether A:bad*) |
|
39 |
goal thy "spies (Notes A X # evs) = \ |
|
40 |
\ (if A:bad then insert X (spies evs) else spies evs)"; |
|
41 |
by (Simp_tac 1); |
|
42 |
qed "spies_Notes"; |
|
3678 | 43 |
|
3683 | 44 |
goal thy "spies evs <= spies (Says A B X # evs)"; |
4091 | 45 |
by (simp_tac (simpset() addsimps [subset_insertI]) 1); |
3683 | 46 |
qed "spies_subset_spies_Says"; |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
47 |
|
3683 | 48 |
goal thy "spies evs <= spies (Notes A X # evs)"; |
4091 | 49 |
by (simp_tac (simpset() addsplits [expand_if]) 1); |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
50 |
by (Fast_tac 1); |
3683 | 51 |
qed "spies_subset_spies_Notes"; |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
52 |
|
3678 | 53 |
(*Spy sees all traffic*) |
3683 | 54 |
goal thy "Says A B X : set evs --> X : spies evs"; |
3667 | 55 |
by (induct_tac "evs" 1); |
3683 | 56 |
by (ALLGOALS (asm_simp_tac |
4091 | 57 |
(simpset() addsplits [expand_event_case, expand_if]))); |
3683 | 58 |
qed_spec_mp "Says_imp_spies"; |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
59 |
|
3683 | 60 |
(*Spy sees Notes of bad agents*) |
61 |
goal thy "Notes A X : set evs --> A: bad --> X : spies evs"; |
|
3678 | 62 |
by (induct_tac "evs" 1); |
3683 | 63 |
by (ALLGOALS (asm_simp_tac |
4091 | 64 |
(simpset() addsplits [expand_event_case, expand_if]))); |
3683 | 65 |
qed_spec_mp "Notes_imp_spies"; |
3678 | 66 |
|
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
67 |
(*Use with addSEs to derive contradictions from old Says events containing |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
68 |
items known to be fresh*) |
3683 | 69 |
val spies_partsEs = make_elim (Says_imp_spies RS parts.Inj) :: partsEs; |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
70 |
|
3683 | 71 |
Addsimps [spies_Says, spies_Notes]; |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
72 |
|
3683 | 73 |
(**** NOTE REMOVAL--laws above are cleaner, as they don't involve "case" ****) |
74 |
Delsimps [spies_Cons]; |
|
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
75 |
|
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
76 |
|
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
77 |
(*** Fresh nonces ***) |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
78 |
|
3683 | 79 |
goal thy "parts (spies evs) <= used evs"; |
80 |
by (induct_tac "evs" 1); |
|
81 |
by (ALLGOALS (asm_simp_tac |
|
4091 | 82 |
(simpset() addsimps [parts_insert_spies] |
3919 | 83 |
addsplits [expand_event_case, expand_if]))); |
3683 | 84 |
by (ALLGOALS Blast_tac); |
3701
6f0ed3eef1a9
Names and saves the theorem parts_spies_subset_used
paulson
parents:
3683
diff
changeset
|
85 |
qed "parts_spies_subset_used"; |
6f0ed3eef1a9
Names and saves the theorem parts_spies_subset_used
paulson
parents:
3683
diff
changeset
|
86 |
|
6f0ed3eef1a9
Names and saves the theorem parts_spies_subset_used
paulson
parents:
3683
diff
changeset
|
87 |
bind_thm ("usedI", impOfSubs parts_spies_subset_used); |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
88 |
AddIs [usedI]; |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
89 |
|
3683 | 90 |
goal thy "parts (initState B) <= used evs"; |
91 |
by (induct_tac "evs" 1); |
|
92 |
by (ALLGOALS (asm_simp_tac |
|
4091 | 93 |
(simpset() addsimps [parts_insert_spies] |
3919 | 94 |
addsplits [expand_event_case, expand_if]))); |
3683 | 95 |
by (ALLGOALS Blast_tac); |
96 |
bind_thm ("initState_into_used", impOfSubs (result())); |
|
97 |
||
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
98 |
goal thy "used (Says A B X # evs) = parts{X} Un used evs"; |
3683 | 99 |
by (Simp_tac 1); |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
100 |
qed "used_Says"; |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
101 |
Addsimps [used_Says]; |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
102 |
|
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
103 |
goal thy "used (Notes A X # evs) = parts{X} Un used evs"; |
3683 | 104 |
by (Simp_tac 1); |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
105 |
qed "used_Notes"; |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
106 |
Addsimps [used_Notes]; |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
107 |
|
3683 | 108 |
goal thy "used [] <= used evs"; |
109 |
by (Simp_tac 1); |
|
4091 | 110 |
by (blast_tac (claset() addIs [initState_into_used]) 1); |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
111 |
qed "used_nil_subset"; |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
112 |
|
3683 | 113 |
(**** NOTE REMOVAL--laws above are cleaner, as they don't involve "case" ****) |
114 |
Delsimps [used_Nil, used_Cons]; |
|
115 |
||
116 |
||
117 |
(*currently unused*) |
|
118 |
goal thy "used evs <= used (evs@evs')"; |
|
119 |
by (induct_tac "evs" 1); |
|
4091 | 120 |
by (simp_tac (simpset() addsimps [used_nil_subset]) 1); |
3667 | 121 |
by (induct_tac "a" 1); |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
122 |
by (ALLGOALS Asm_simp_tac); |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
123 |
by (ALLGOALS Blast_tac); |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
124 |
qed "used_subset_append"; |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
125 |
|
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
126 |
|
3683 | 127 |
(*For proving theorems of the form X ~: analz (spies evs) --> P |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
128 |
New events added by induction to "evs" are discarded. Provided |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
129 |
this information isn't needed, the proof will be much shorter, since |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
130 |
it will omit complicated reasoning about analz.*) |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
131 |
val analz_mono_contra_tac = |
4266 | 132 |
let val analz_impI = read_instantiate_sg (sign_of thy) |
133 |
[("P", "?Y ~: analz (spies ?evs)")] impI; |
|
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
134 |
in |
4266 | 135 |
rtac analz_impI THEN' |
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
136 |
REPEAT1 o |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
137 |
(dresolve_tac |
3683 | 138 |
[spies_subset_spies_Says RS analz_mono RS contra_subsetD, |
139 |
spies_subset_spies_Notes RS analz_mono RS contra_subsetD]) |
|
3512
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
140 |
THEN' |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
141 |
mp_tac |
9dcb4daa15e8
Moving common declarations and proofs from theories "Shared"
paulson
parents:
diff
changeset
|
142 |
end; |