isabelle: src/HOL/Auth/Guard/P2.thy@96ca738055a6 (annotated)

13508 890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	1	(******************************************************************************
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	2	from G. Karjoth, N. Asokan and C. Gulcu
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	3	"Protecting the computation results of free-roaming agents"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	4	Mobiles Agents 1998, LNCS 1477
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	5
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	6	date: march 2002
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	7	author: Frederic Blanqui
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	8	email: blanqui@lri.fr
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	9	webpage: http://www.lri.fr/~blanqui/
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	10
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	11	University of Cambridge, Computer Laboratory
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	12	William Gates Building, JJ Thomson Avenue
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	13	Cambridge CB3 0FD, United Kingdom
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	14	******************************************************************************)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	15
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	16	header{Protocol P2}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	17
16417 9bc16273c2d4 migrated theory headers to new format haftmann parents: 13508 diff changeset	18	theory P2 imports Guard_Public List_Msg begin
13508 890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	19
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	20	subsection{Protocol Definition}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	21
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	22
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	23	text{*Like P1 except the definitions of @{text chain}, @{text shop},
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	24	@{text next_shop} and @{text nonce}*}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	25
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	26	subsubsection{*offer chaining:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	27	B chains his offer for A with the head offer of L for sending it to C*}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	28
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	29	constdefs chain :: "agent => nat => agent => msg => agent => msg"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	30	"chain B ofr A L C ==
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	31	let m1= sign B (Nonce ofr) in
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	32	let m2= Hash {\|head L, Agent C\|} in
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	33	{\|Crypt (pubK A) m1, m2\|}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	34
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	35	declare Let_def [simp]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	36
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	37	lemma chain_inj [iff]: "(chain B ofr A L C = chain B' ofr' A' L' C')
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	38	= (B=B' & ofr=ofr' & A=A' & head L = head L' & C=C')"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	39	by (auto simp: chain_def Let_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	40
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	41	lemma Nonce_in_chain [iff]: "Nonce ofr:parts {chain B ofr A L C}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	42	by (auto simp: chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	43
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	44	subsubsection{agent whose key is used to sign an offer}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	45
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	46	consts shop :: "msg => msg"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	47
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	48	recdef shop "measure size"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	49	"shop {\|Crypt K {\|B,ofr,Crypt K' H\|},m2\|} = Agent (agt K')"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	50
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	51	lemma shop_chain [simp]: "shop (chain B ofr A L C) = Agent B"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	52	by (simp add: chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	53
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	54	subsubsection{nonce used in an offer}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	55
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	56	consts nonce :: "msg => msg"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	57
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	58	recdef nonce "measure size"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	59	"nonce {\|Crypt K {\|B,ofr,CryptH\|},m2\|} = ofr"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	60
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	61	lemma nonce_chain [simp]: "nonce (chain B ofr A L C) = Nonce ofr"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	62	by (simp add: chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	63
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	64	subsubsection{next shop}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	65
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	66	consts next_shop :: "msg => agent"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	67
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	68	recdef next_shop "measure size"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	69	"next_shop {\|m1,Hash {\|headL,Agent C\|}\|} = C"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	70
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	71	lemma "next_shop (chain B ofr A L C) = C"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	72	by (simp add: chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	73
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	74	subsubsection{anchor of the offer list}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	75
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	76	constdefs anchor :: "agent => nat => agent => msg"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	77	"anchor A n B == chain A n A (cons nil nil) B"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	78
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	79	lemma anchor_inj [iff]:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	80	"(anchor A n B = anchor A' n' B') = (A=A' & n=n' & B=B')"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	81	by (auto simp: anchor_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	82
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	83	lemma Nonce_in_anchor [iff]: "Nonce n:parts {anchor A n B}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	84	by (auto simp: anchor_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	85
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	86	lemma shop_anchor [simp]: "shop (anchor A n B) = Agent A"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	87	by (simp add: anchor_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	88
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	89	subsubsection{request event}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	90
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	91	constdefs reqm :: "agent => nat => nat => msg => agent => msg"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	92	"reqm A r n I B == {\|Agent A, Number r, cons (Agent A) (cons (Agent B) I),
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	93	cons (anchor A n B) nil\|}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	94
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	95	lemma reqm_inj [iff]: "(reqm A r n I B = reqm A' r' n' I' B')
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	96	= (A=A' & r=r' & n=n' & I=I' & B=B')"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	97	by (auto simp: reqm_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	98
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	99	lemma Nonce_in_reqm [iff]: "Nonce n:parts {reqm A r n I B}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	100	by (auto simp: reqm_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	101
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	102	constdefs req :: "agent => nat => nat => msg => agent => event"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	103	"req A r n I B == Says A B (reqm A r n I B)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	104
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	105	lemma req_inj [iff]: "(req A r n I B = req A' r' n' I' B')
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	106	= (A=A' & r=r' & n=n' & I=I' & B=B')"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	107	by (auto simp: req_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	108
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	109	subsubsection{propose event}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	110
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	111	constdefs prom :: "agent => nat => agent => nat => msg => msg =>
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	112	msg => agent => msg"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	113	"prom B ofr A r I L J C == {\|Agent A, Number r,
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	114	app (J, del (Agent B, I)), cons (chain B ofr A L C) L\|}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	115
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	116	lemma prom_inj [dest]: "prom B ofr A r I L J C = prom B' ofr' A' r' I' L' J' C'
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	117	==> B=B' & ofr=ofr' & A=A' & r=r' & L=L' & C=C'"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	118	by (auto simp: prom_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	119
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	120	lemma Nonce_in_prom [iff]: "Nonce ofr:parts {prom B ofr A r I L J C}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	121	by (auto simp: prom_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	122
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	123	constdefs pro :: "agent => nat => agent => nat => msg => msg =>
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	124	msg => agent => event"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	125	"pro B ofr A r I L J C == Says B C (prom B ofr A r I L J C)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	126
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	127	lemma pro_inj [dest]: "pro B ofr A r I L J C = pro B' ofr' A' r' I' L' J' C'
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	128	==> B=B' & ofr=ofr' & A=A' & r=r' & L=L' & C=C'"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	129	by (auto simp: pro_def dest: prom_inj)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	130
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	131	subsubsection{protocol}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	132
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	133	consts p2 :: "event list set"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	134
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	135	inductive p2
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	136	intros
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	137
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	138	Nil: "[]:p2"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	139
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	140	Fake: "[\| evsf:p2; X:synth (analz (spies evsf)) \|] ==> Says Spy B X # evsf : p2"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	141
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	142	Request: "[\| evsr:p2; Nonce n ~:used evsr; I:agl \|] ==> req A r n I B # evsr : p2"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	143
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	144	Propose: "[\| evsp:p2; Says A' B {\|Agent A,Number r,I,cons M L\|}:set evsp;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	145	I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	146	Nonce ofr ~:used evsp \|] ==> pro B ofr A r I (cons M L) J C # evsp : p2"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	147
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	148	subsubsection{valid offer lists}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	149
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	150	consts valid :: "agent => nat => agent => msg set"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	151
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	152	inductive "valid A n B"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	153	intros
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	154	Request [intro]: "cons (anchor A n B) nil:valid A n B"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	155
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	156	Propose [intro]: "L:valid A n B
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	157	==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	158
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	159	subsubsection{basic properties of valid}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	160
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	161	lemma valid_not_empty: "L:valid A n B ==> EX M L'. L = cons M L'"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	162	by (erule valid.cases, auto)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	163
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	164	lemma valid_pos_len: "L:valid A n B ==> 0 < len L"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	165	by (erule valid.induct, auto)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	166
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	167	subsubsection{list of offers}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	168
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	169	consts offers :: "msg => msg"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	170
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	171	recdef offers "measure size"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	172	"offers (cons M L) = cons {\|shop M, nonce M\|} (offers L)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	173	"offers other = nil"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	174
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	175
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	176	subsection{Properties of Protocol P2}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	177
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	178	text{*same as @{text P1_Prop} except that publicly verifiable forward
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	179	integrity is replaced by forward privacy*}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	180
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	181	subsection{*strong forward integrity:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	182	except the last one, no offer can be modified*}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	183
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	184	lemma strong_forward_integrity: "ALL L. Suc i < len L
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	185	--> L:valid A n B --> repl (L,Suc i,M):valid A n B --> M = ith (L,Suc i)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	186	apply (induct i)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	187	(* i = 0 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	188	apply clarify
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	189	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	190	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	191	apply (ind_cases "{\|x,xa,l'a\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	192	apply (ind_cases "{\|x,M,l'a\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	193	apply (simp add: chain_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	194	(* i > 0 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	195	apply clarify
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	196	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	197	apply (ind_cases "{\|x,repl(l',Suc na,M)\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	198	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	199	apply (ind_cases "{\|x,l'\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	200	by (drule_tac x=l' in spec, simp, blast)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	201
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	202	subsection{*insertion resilience:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	203	except at the beginning, no offer can be inserted*}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	204
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	205	lemma chain_isnt_head [simp]: "L:valid A n B ==>
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	206	head L ~= chain (next_shop (head L)) ofr A L C"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	207	by (erule valid.induct, auto simp: chain_def sign_def anchor_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	208
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	209	lemma insertion_resilience: "ALL L. L:valid A n B --> Suc i < len L
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	210	--> ins (L,Suc i,M) ~:valid A n B"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	211	apply (induct i)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	212	(* i = 0 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	213	apply clarify
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	214	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	215	apply (ind_cases "{\|x,l'\|}:valid A n B", simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	216	apply (ind_cases "{\|x,M,l'\|}:valid A n B", clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	217	apply (ind_cases "{\|head l',l'\|}:valid A n B", simp, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	218	(* i > 0 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	219	apply clarify
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	220	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	221	apply (ind_cases "{\|x,l'\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	222	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	223	apply (ind_cases "{\|x,ins(l',Suc na,M)\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	224	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	225	by (drule_tac x=l' in spec, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	226
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	227	subsection{*truncation resilience:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	228	only shop i can truncate at offer i*}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	229
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	230	lemma truncation_resilience: "ALL L. L:valid A n B --> Suc i < len L
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	231	--> cons M (trunc (L,Suc i)):valid A n B --> shop M = shop (ith (L,i))"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	232	apply (induct i)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	233	(* i = 0 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	234	apply clarify
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	235	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	236	apply (ind_cases "{\|x,l'\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	237	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	238	apply (ind_cases "{\|M,l'\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	239	apply (frule len_not_empty, clarsimp, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	240	(* i > 0 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	241	apply clarify
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	242	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	243	apply (ind_cases "{\|x,l'\|}:valid A n B")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	244	apply (frule len_not_empty, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	245	by (drule_tac x=l' in spec, clarsimp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	246
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	247	subsection{declarations for tactics}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	248
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	249	declare knows_Spy_partsEs [elim]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	250	declare Fake_parts_insert [THEN subsetD, dest]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	251	declare initState.simps [simp del]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	252
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	253	subsection{get components of a message}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	254
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	255	lemma get_ML [dest]: "Says A' B {\|A,R,I,M,L\|}:set evs ==>
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	256	M:parts (spies evs) & L:parts (spies evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	257	by blast
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	258
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	259	subsection{general properties of p2}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	260
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	261	lemma reqm_neq_prom [iff]:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	262	"reqm A r n I B ~= prom B' ofr A' r' I' (cons M L) J C"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	263	by (auto simp: reqm_def prom_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	264
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	265	lemma prom_neq_reqm [iff]:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	266	"prom B' ofr A' r' I' (cons M L) J C ~= reqm A r n I B"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	267	by (auto simp: reqm_def prom_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	268
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	269	lemma req_neq_pro [iff]: "req A r n I B ~= pro B' ofr A' r' I' (cons M L) J C"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	270	by (auto simp: req_def pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	271
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	272	lemma pro_neq_req [iff]: "pro B' ofr A' r' I' (cons M L) J C ~= req A r n I B"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	273	by (auto simp: req_def pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	274
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	275	lemma p2_has_no_Gets: "evs:p2 ==> ALL A X. Gets A X ~:set evs"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	276	by (erule p2.induct, auto simp: req_def pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	277
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	278	lemma p2_is_Gets_correct [iff]: "Gets_correct p2"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	279	by (auto simp: Gets_correct_def dest: p2_has_no_Gets)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	280
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	281	lemma p2_is_one_step [iff]: "one_step p2"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	282	by (unfold one_step_def, clarify, ind_cases "ev#evs:p2", auto)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	283
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	284	lemma p2_has_only_Says' [rule_format]: "evs:p2 ==>
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	285	ev:set evs --> (EX A B X. ev=Says A B X)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	286	by (erule p2.induct, auto simp: req_def pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	287
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	288	lemma p2_has_only_Says [iff]: "has_only_Says p2"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	289	by (auto simp: has_only_Says_def dest: p2_has_only_Says')
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	290
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	291	lemma p2_is_regular [iff]: "regular p2"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	292	apply (simp only: regular_def, clarify)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	293	apply (erule_tac p2.induct)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	294	apply (simp_all add: initState.simps knows.simps pro_def prom_def
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	295	req_def reqm_def anchor_def chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	296	by (auto dest: no_Key_in_agl no_Key_in_appdel parts_trans)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	297
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	298	subsection{private keys are safe}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	299
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	300	lemma priK_parts_Friend_imp_bad [rule_format,dest]:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	301	"[\| evs:p2; Friend B ~= A \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	302	==> (Key (priK A):parts (knows (Friend B) evs)) --> (A:bad)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	303	apply (erule p2.induct)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	304	apply (simp_all add: initState.simps knows.simps pro_def prom_def
17778 93d7e524417a changes due to new neq_simproc in simpdata.ML nipkow parents: 16417 diff changeset	305	req_def reqm_def anchor_def chain_def sign_def)
13508 890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	306	apply (blast dest: no_Key_in_agl)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	307	apply (auto del: parts_invKey disjE dest: parts_trans
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	308	simp add: no_Key_in_appdel)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	309	done
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	310
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	311	lemma priK_analz_Friend_imp_bad [rule_format,dest]:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	312	"[\| evs:p2; Friend B ~= A \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	313	==> (Key (priK A):analz (knows (Friend B) evs)) --> (A:bad)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	314	by auto
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	315
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	316	lemma priK_notin_knows_max_Friend:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	317	"[\| evs:p2; A ~:bad; A ~= Friend C \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	318	==> Key (priK A) ~:analz (knows_max (Friend C) evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	319	apply (rule not_parts_not_analz, simp add: knows_max_def, safe)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	320	apply (drule_tac H="spies' evs" in parts_sub)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	321	apply (rule_tac p=p2 in knows_max'_sub_spies', simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	322	apply (drule_tac H="spies evs" in parts_sub)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	323	by (auto dest: knows'_sub_knows [THEN subsetD] priK_notin_initState_Friend)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	324
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	325	subsection{general guardedness properties}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	326
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	327	lemma agl_guard [intro]: "I:agl ==> I:guard n Ks"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	328	by (erule agl.induct, auto)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	329
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	330	lemma Says_to_knows_max'_guard: "[\| Says A' C {\|A'',r,I,L\|}:set evs;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	331	Guard n Ks (knows_max' C evs) \|] ==> L:guard n Ks"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	332	by (auto dest: Says_to_knows_max')
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	333
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	334	lemma Says_from_knows_max'_guard: "[\| Says C A' {\|A'',r,I,L\|}:set evs;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	335	Guard n Ks (knows_max' C evs) \|] ==> L:guard n Ks"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	336	by (auto dest: Says_from_knows_max')
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	337
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	338	lemma Says_Nonce_not_used_guard: "[\| Says A' B {\|A'',r,I,L\|}:set evs;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	339	Nonce n ~:used evs \|] ==> L:guard n Ks"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	340	by (drule not_used_not_parts, auto)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	341
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	342	subsection{guardedness of messages}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	343
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	344	lemma chain_guard [iff]: "chain B ofr A L C:guard n {priK A}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	345	by (case_tac "ofr=n", auto simp: chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	346
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	347	lemma chain_guard_Nonce_neq [intro]: "n ~= ofr
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	348	==> chain B ofr A' L C:guard n {priK A}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	349	by (auto simp: chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	350
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	351	lemma anchor_guard [iff]: "anchor A n' B:guard n {priK A}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	352	by (case_tac "n'=n", auto simp: anchor_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	353
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	354	lemma anchor_guard_Nonce_neq [intro]: "n ~= n'
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	355	==> anchor A' n' B:guard n {priK A}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	356	by (auto simp: anchor_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	357
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	358	lemma reqm_guard [intro]: "I:agl ==> reqm A r n' I B:guard n {priK A}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	359	by (case_tac "n'=n", auto simp: reqm_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	360
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	361	lemma reqm_guard_Nonce_neq [intro]: "[\| n ~= n'; I:agl \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	362	==> reqm A' r n' I B:guard n {priK A}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	363	by (auto simp: reqm_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	364
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	365	lemma prom_guard [intro]: "[\| I:agl; J:agl; L:guard n {priK A} \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	366	==> prom B ofr A r I L J C:guard n {priK A}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	367	by (auto simp: prom_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	368
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	369	lemma prom_guard_Nonce_neq [intro]: "[\| n ~= ofr; I:agl; J:agl;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	370	L:guard n {priK A} \|] ==> prom B ofr A' r I L J C:guard n {priK A}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	371	by (auto simp: prom_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	372
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	373	subsection{Nonce uniqueness}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	374
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	375	lemma uniq_Nonce_in_chain [dest]: "Nonce k:parts {chain B ofr A L C} ==> k=ofr"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	376	by (auto simp: chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	377
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	378	lemma uniq_Nonce_in_anchor [dest]: "Nonce k:parts {anchor A n B} ==> k=n"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	379	by (auto simp: anchor_def chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	380
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	381	lemma uniq_Nonce_in_reqm [dest]: "[\| Nonce k:parts {reqm A r n I B};
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	382	I:agl \|] ==> k=n"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	383	by (auto simp: reqm_def dest: no_Nonce_in_agl)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	384
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	385	lemma uniq_Nonce_in_prom [dest]: "[\| Nonce k:parts {prom B ofr A r I L J C};
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	386	I:agl; J:agl; Nonce k ~:parts {L} \|] ==> k=ofr"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	387	by (auto simp: prom_def dest: no_Nonce_in_agl no_Nonce_in_appdel)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	388
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	389	subsection{requests are guarded}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	390
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	391	lemma req_imp_Guard [rule_format]: "[\| evs:p2; A ~:bad \|] ==>
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	392	req A r n I B:set evs --> Guard n {priK A} (spies evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	393	apply (erule p2.induct, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	394	apply (simp add: req_def knows.simps, safe)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	395	apply (erule in_synth_Guard, erule Guard_analz, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	396	by (auto simp: req_def pro_def dest: Says_imp_knows_Spy)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	397
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	398	lemma req_imp_Guard_Friend: "[\| evs:p2; A ~:bad; req A r n I B:set evs \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	399	==> Guard n {priK A} (knows_max (Friend C) evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	400	apply (rule Guard_knows_max')
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	401	apply (rule_tac H="spies evs" in Guard_mono)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	402	apply (rule req_imp_Guard, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	403	apply (rule_tac B="spies' evs" in subset_trans)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	404	apply (rule_tac p=p2 in knows_max'_sub_spies', simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	405	by (rule knows'_sub_knows)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	406
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	407	subsection{propositions are guarded}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	408
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	409	lemma pro_imp_Guard [rule_format]: "[\| evs:p2; B ~:bad; A ~:bad \|] ==>
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	410	pro B ofr A r I (cons M L) J C:set evs --> Guard ofr {priK A} (spies evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	411	apply (erule p2.induct) (* +3 subgoals *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	412	(* Nil *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	413	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	414	(* Fake *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	415	apply (simp add: pro_def, safe) (* +4 subgoals *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	416	(* 1 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	417	apply (erule in_synth_Guard, drule Guard_analz, simp, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	418	(* 2 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	419	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	420	(* 3 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	421	apply (simp, simp add: req_def pro_def, blast)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	422	(* 4 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	423	apply (simp add: pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	424	apply (blast dest: prom_inj Says_Nonce_not_used_guard Nonce_not_used_Guard)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	425	(* 5 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	426	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	427	apply safe (* +1 subgoal *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	428	apply (simp add: pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	429	apply (blast dest: prom_inj Says_Nonce_not_used_guard)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	430	(* 6 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	431	apply (simp add: pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	432	apply (blast dest: Says_imp_knows_Spy)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	433	(* Request *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	434	apply (simp add: pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	435	apply (blast dest: prom_inj Says_Nonce_not_used_guard Nonce_not_used_Guard)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	436	(* Propose *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	437	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	438	apply safe (* +1 subgoal *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	439	(* 1 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	440	apply (simp add: pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	441	apply (blast dest: prom_inj Says_Nonce_not_used_guard)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	442	(* 2 *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	443	apply (simp add: pro_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	444	by (blast dest: Says_imp_knows_Spy)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	445
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	446	lemma pro_imp_Guard_Friend: "[\| evs:p2; B ~:bad; A ~:bad;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	447	pro B ofr A r I (cons M L) J C:set evs \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	448	==> Guard ofr {priK A} (knows_max (Friend D) evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	449	apply (rule Guard_knows_max')
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	450	apply (rule_tac H="spies evs" in Guard_mono)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	451	apply (rule pro_imp_Guard, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	452	apply (rule_tac B="spies' evs" in subset_trans)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	453	apply (rule_tac p=p2 in knows_max'_sub_spies', simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	454	by (rule knows'_sub_knows)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	455
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	456	subsection{*data confidentiality:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	457	no one other than the originator can decrypt the offers*}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	458
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	459	lemma Nonce_req_notin_spies: "[\| evs:p2; req A r n I B:set evs; A ~:bad \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	460	==> Nonce n ~:analz (spies evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	461	by (frule req_imp_Guard, simp+, erule Guard_Nonce_analz, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	462
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	463	lemma Nonce_req_notin_knows_max_Friend: "[\| evs:p2; req A r n I B:set evs;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	464	A ~:bad; A ~= Friend C \|] ==> Nonce n ~:analz (knows_max (Friend C) evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	465	apply (clarify, frule_tac C=C in req_imp_Guard_Friend, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	466	apply (simp add: knows_max_def, drule Guard_invKey_keyset, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	467	by (drule priK_notin_knows_max_Friend, auto simp: knows_max_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	468
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	469	lemma Nonce_pro_notin_spies: "[\| evs:p2; B ~:bad; A ~:bad;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	470	pro B ofr A r I (cons M L) J C:set evs \|] ==> Nonce ofr ~:analz (spies evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	471	by (frule pro_imp_Guard, simp+, erule Guard_Nonce_analz, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	472
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	473	lemma Nonce_pro_notin_knows_max_Friend: "[\| evs:p2; B ~:bad; A ~:bad;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	474	A ~= Friend D; pro B ofr A r I (cons M L) J C:set evs \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	475	==> Nonce ofr ~:analz (knows_max (Friend D) evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	476	apply (clarify, frule_tac A=A in pro_imp_Guard_Friend, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	477	apply (simp add: knows_max_def, drule Guard_invKey_keyset, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	478	by (drule priK_notin_knows_max_Friend, auto simp: knows_max_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	479
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	480	subsection{*forward privacy:
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	481	only the originator can know the identity of the shops*}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	482
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	483	lemma forward_privacy_Spy: "[\| evs:p2; B ~:bad; A ~:bad;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	484	pro B ofr A r I (cons M L) J C:set evs \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	485	==> sign B (Nonce ofr) ~:analz (spies evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	486	by (auto simp:sign_def dest: Nonce_pro_notin_spies)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	487
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	488	lemma forward_privacy_Friend: "[\| evs:p2; B ~:bad; A ~:bad; A ~= Friend D;
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	489	pro B ofr A r I (cons M L) J C:set evs \|]
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	490	==> sign B (Nonce ofr) ~:analz (knows_max (Friend D) evs)"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	491	by (auto simp:sign_def dest:Nonce_pro_notin_knows_max_Friend )
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	492
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	493	subsection{non repudiability: an offer signed by B has been sent by B}
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	494
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	495	lemma Crypt_reqm: "[\| Crypt (priK A) X:parts {reqm A' r n I B}; I:agl \|] ==> A=A'"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	496	by (auto simp: reqm_def anchor_def chain_def sign_def dest: no_Crypt_in_agl)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	497
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	498	lemma Crypt_prom: "[\| Crypt (priK A) X:parts {prom B ofr A' r I L J C};
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	499	I:agl; J:agl \|] ==> A=B \| Crypt (priK A) X:parts {L}"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	500	apply (simp add: prom_def anchor_def chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	501	by (blast dest: no_Crypt_in_agl no_Crypt_in_appdel)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	502
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	503	lemma Crypt_safeness: "[\| evs:p2; A ~:bad \|] ==> Crypt (priK A) X:parts (spies evs)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	504	--> (EX B Y. Says A B Y:set evs & Crypt (priK A) X:parts {Y})"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	505	apply (erule p2.induct)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	506	(* Nil *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	507	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	508	(* Fake *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	509	apply clarsimp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	510	apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	511	apply (erule disjE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	512	apply (drule_tac K="priK A" in Crypt_synth, simp+, blast, blast)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	513	(* Request *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	514	apply (simp add: req_def, clarify)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	515	apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	516	apply (erule disjE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	517	apply (frule Crypt_reqm, simp, clarify)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	518	apply (rule_tac x=B in exI, rule_tac x="reqm A r n I B" in exI, simp, blast)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	519	(* Propose *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	520	apply (simp add: pro_def, clarify)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	521	apply (drule_tac P="%G. Crypt (priK A) X:G" in parts_insert_substD, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	522	apply (rotate_tac -1, erule disjE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	523	apply (frule Crypt_prom, simp, simp)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	524	apply (rotate_tac -1, erule disjE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	525	apply (rule_tac x=C in exI)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	526	apply (rule_tac x="prom B ofr Aa r I (cons M L) J C" in exI, blast)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	527	apply (subgoal_tac "cons M L:parts (spies evsp)")
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	528	apply (drule_tac G="{cons M L}" and H="spies evsp" in parts_trans, blast, blast)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	529	apply (drule Says_imp_spies, rotate_tac -1, drule parts.Inj)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	530	apply (drule parts.Snd, drule parts.Snd, drule parts.Snd)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	531	by auto
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	532
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	533	lemma Crypt_Hash_imp_sign: "[\| evs:p2; A ~:bad \|] ==>
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	534	Crypt (priK A) (Hash X):parts (spies evs)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	535	--> (EX B Y. Says A B Y:set evs & sign A X:parts {Y})"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	536	apply (erule p2.induct)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	537	(* Nil *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	538	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	539	(* Fake *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	540	apply clarsimp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	541	apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	542	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	543	apply (erule disjE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	544	apply (drule_tac K="priK A" in Crypt_synth, simp+, blast, blast)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	545	(* Request *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	546	apply (simp add: req_def, clarify)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	547	apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	548	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	549	apply (erule disjE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	550	apply (frule Crypt_reqm, simp+)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	551	apply (rule_tac x=B in exI, rule_tac x="reqm Aa r n I B" in exI)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	552	apply (simp add: reqm_def sign_def anchor_def no_Crypt_in_agl)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	553	apply (simp add: chain_def sign_def, blast)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	554	(* Propose *)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	555	apply (simp add: pro_def, clarify)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	556	apply (drule_tac P="%G. Crypt (priK A) (Hash X):G" in parts_insert_substD)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	557	apply simp
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	558	apply (rotate_tac -1, erule disjE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	559	apply (simp add: prom_def sign_def no_Crypt_in_agl no_Crypt_in_appdel)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	560	apply (simp add: chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	561	apply (rotate_tac -1, erule disjE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	562	apply (rule_tac x=C in exI)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	563	apply (rule_tac x="prom B ofr Aa r I (cons M L) J C" in exI)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	564	apply (simp add: prom_def chain_def sign_def)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	565	apply (erule impE)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	566	apply (blast dest: get_ML parts_sub)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	567	apply (blast del: MPair_parts)+
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	568	done
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	569
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	570	lemma sign_safeness: "[\| evs:p2; A ~:bad \|] ==> sign A X:parts (spies evs)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	571	--> (EX B Y. Says A B Y:set evs & sign A X:parts {Y})"
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	572	apply (clarify, simp add: sign_def, frule parts.Snd)
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	573	apply (blast dest: Crypt_Hash_imp_sign [unfolded sign_def])
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	574	done
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	575
890d736b93a5 Frederic Blanqui's new "guard" examples paulson parents: diff changeset	576	end

author	paulson
	Tue, 28 Mar 2006 16:48:18 +0200
changeset 19334	96ca738055a6
parent 17778	93d7e524417a
child 23746	a455e69c31cc
permissions	-rw-r--r--