isabelle: comparison src/HOL/Metis

equal deleted inserted replaced

-:143f58bb34f9
+:0909deb8059b
 Author:     Jasmin Blanchette, TU Muenchen
 Metis example featuring message authentication.
 *)
-section {* Metis Example Featuring Message Authentication *}
+section \<open>Metis Example Featuring Message Authentication\<close>
 theory Message
 imports Main
 begin
 by (metis Un_commute Un_left_absorb)
 type_synonym key = nat
 consts
-all_symmetric :: bool        --{*true if all keys are symmetric*}
+all_symmetric :: bool        \<comment>\<open>true if all keys are symmetric\<close>
-invKey        :: "key=>key"  --{*inverse of a symmetric key*}
+invKey        :: "key=>key"  \<comment>\<open>inverse of a symmetric key\<close>
 specification (invKey)
 invKey [simp]: "invKey (invKey K) = K"
 invKey_symmetric: "all_symmetric --> invKey = id"
 by (metis id_apply)
-text{*The inverse of a symmetric key is itself; that of a public key
+text\<open>The inverse of a symmetric key is itself; that of a public key
-is the private key and vice versa*}
+is the private key and vice versa\<close>
 definition symKeys :: "key set" where
 "symKeys == {K. invKey K = K}"
-datatype  --{*We allow any number of friendly agents*}
+datatype  \<comment>\<open>We allow any number of friendly agents\<close>
 agent = Server | Friend nat | Spy
 datatype
-msg = Agent  agent     --{*Agent names*}
+msg = Agent  agent     \<comment>\<open>Agent names\<close>
-| Number nat       --{*Ordinary integers, timestamps, ...*}
+| Number nat       \<comment>\<open>Ordinary integers, timestamps, ...\<close>
-| Nonce  nat       --{*Unguessable nonces*}
+| Nonce  nat       \<comment>\<open>Unguessable nonces\<close>
-| Key    key       --{*Crypto keys*}
+| Key    key       \<comment>\<open>Crypto keys\<close>
-| Hash   msg       --{*Hashing*}
+| Hash   msg       \<comment>\<open>Hashing\<close>
-| MPair  msg msg   --{*Compound messages*}
+| MPair  msg msg   \<comment>\<open>Compound messages\<close>
-| Crypt  key msg   --{*Encryption, public- or shared-key*}
+| Crypt  key msg   \<comment>\<open>Encryption, public- or shared-key\<close>
-text{*Concrete syntax: messages appear as \<open>\<lbrace>A,B,NA\<rbrace>\<close>, etc...*}
+text\<open>Concrete syntax: messages appear as \<open>\<lbrace>A,B,NA\<rbrace>\<close>, etc...\<close>
 syntax
 "_MTuple"      :: "['a, args] => 'a * 'b"       ("(2\<lbrace>_,/ _\<rbrace>)")
 translations
 "\<lbrace>x, y, z\<rbrace>"   == "\<lbrace>x, \<lbrace>y, z\<rbrace>\<rbrace>"
 "\<lbrace>x, y\<rbrace>"      == "CONST MPair x y"
 definition HPair :: "[msg,msg] => msg" ("(4Hash[_] /_)" [0, 1000]) where
---{*Message Y paired with a MAC computed with the help of X*}
+\<comment>\<open>Message Y paired with a MAC computed with the help of X\<close>
 "Hash[X] Y == \<lbrace> Hash\<lbrace>X,Y\<rbrace>, Y\<rbrace>"
 definition keysFor :: "msg set => key set" where
---{*Keys useful to decrypt elements of a message set*}
+\<comment>\<open>Keys useful to decrypt elements of a message set\<close>
 "keysFor H == invKey ` {K. \<exists>X. Crypt K X \<in> H}"
-subsubsection{*Inductive Definition of All Parts" of a Message*}
+subsubsection\<open>Inductive Definition of All Parts" of a Message\<close>
 inductive_set
 parts :: "msg set => msg set"
 for H :: "msg set"
 where
 apply (metis parts.Inj set_rev_mp)
 apply (metis parts.Fst)
 apply (metis parts.Snd)
 by (metis parts.Body)
-text{*Equations hold because constructors are injective.*}
+text\<open>Equations hold because constructors are injective.\<close>
 lemma Friend_image_eq [simp]: "(Friend x \<in> Friend`A) = (x:A)"
 by (metis agent.inject image_iff)
 lemma Key_image_eq [simp]: "(Key x \<in> Key`A) = (x \<in> A)"
 by (metis image_iff msg.inject(4))
 lemma Nonce_Key_image_eq [simp]: "Nonce x \<notin> Key`A"
 by (metis image_iff msg.distinct(23))
-subsubsection{*Inverse of keys *}
+subsubsection\<open>Inverse of keys\<close>
 lemma invKey_eq [simp]: "(invKey K = invKey K') = (K = K')"
 by (metis invKey)
-subsection{*keysFor operator*}
+subsection\<open>keysFor operator\<close>
 lemma keysFor_empty [simp]: "keysFor {} = {}"
 by (unfold keysFor_def, blast)
 lemma keysFor_Un [simp]: "keysFor (H \<union> H') = keysFor H \<union> keysFor H'"
 by (unfold keysFor_def, blast)
 lemma keysFor_UN [simp]: "keysFor (\<Union>i\<in>A. H i) = (\<Union>i\<in>A. keysFor (H i))"
 by (unfold keysFor_def, blast)
-text{*Monotonicity*}
+text\<open>Monotonicity\<close>
 lemma keysFor_mono: "G \<subseteq> H ==> keysFor(G) \<subseteq> keysFor(H)"
 by (unfold keysFor_def, blast)
 lemma keysFor_insert_Agent [simp]: "keysFor (insert (Agent A) H) = keysFor H"
 by (unfold keysFor_def, auto)
 lemma Crypt_imp_invKey_keysFor: "Crypt K X \<in> H ==> invKey K \<in> keysFor H"
 by (unfold keysFor_def, blast)
-subsection{*Inductive relation "parts"*}
+subsection\<open>Inductive relation "parts"\<close>
 lemma MPair_parts:
 "[| \<lbrace>X,Y\<rbrace> \<in> parts H;
 [| X \<in> parts H; Y \<in> parts H |] ==> P |] ==> P"
 by (blast dest: parts.Fst parts.Snd)
 declare MPair_parts [elim!] parts.Body [dest!]
-text{*NB These two rules are UNSAFE in the formal sense, as they discard the
+text\<open>NB These two rules are UNSAFE in the formal sense, as they discard the
 compound message.  They work well on THIS FILE.
-@{text MPair_parts} is left as SAFE because it speeds up proofs.
+\<open>MPair_parts\<close> is left as SAFE because it speeds up proofs.
-The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.*}
+The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.\<close>
 lemma parts_increasing: "H \<subseteq> parts(H)"
 by blast
 lemmas parts_insertI = subset_insertI [THEN parts_mono, THEN subsetD]
 done
 lemma parts_emptyE [elim!]: "X\<in> parts{} ==> P"
 by simp
-text{*WARNING: loops if H = {Y}, therefore must not be repeated!*}
+text\<open>WARNING: loops if H = {Y}, therefore must not be repeated!\<close>
 lemma parts_singleton: "X\<in> parts H ==> \<exists>Y\<in>H. X\<in> parts {Y}"
 apply (erule parts.induct)
 apply fast+
 done
-subsubsection{*Unions *}
+subsubsection\<open>Unions\<close>
 lemma parts_Un_subset1: "parts(G) \<union> parts(H) \<subseteq> parts(G \<union> H)"
 by (intro Un_least parts_mono Un_upper1 Un_upper2)
 lemma parts_Un_subset2: "parts(G \<union> H) \<subseteq> parts(G) \<union> parts(H)"
 done
 lemma parts_UN [simp]: "parts(\<Union>x\<in>A. H x) = (\<Union>x\<in>A. parts(H x))"
 by (intro equalityI parts_UN_subset1 parts_UN_subset2)
-text{*Added to simplify arguments to parts, analz and synth.
+text\<open>Added to simplify arguments to parts, analz and synth.
-NOTE: the UN versions are no longer used!*}
+NOTE: the UN versions are no longer used!\<close>
-text{*This allows @{text blast} to simplify occurrences of
+text\<open>This allows \<open>blast\<close> to simplify occurrences of
-@{term "parts(G\<union>H)"} in the assumption.*}
+@{term "parts(G\<union>H)"} in the assumption.\<close>
 lemmas in_parts_UnE = parts_Un [THEN equalityD1, THEN subsetD, THEN UnE]
 declare in_parts_UnE [elim!]
 lemma parts_insert_subset: "insert X (parts H) \<subseteq> parts(insert X H)"
 by (blast intro: parts_mono [THEN [2] rev_subsetD])
-subsubsection{*Idempotence and transitivity *}
+subsubsection\<open>Idempotence and transitivity\<close>
 lemma parts_partsD [dest!]: "X\<in> parts (parts H) ==> X\<in> parts H"
 by (erule parts.induct, blast+)
 lemma parts_idem [simp]: "parts (parts H) = parts H"
 lemma parts_cut: "[|Y\<in> parts (insert X G);  X\<in> parts H|] ==> Y\<in> parts(G \<union> H)"
 by (metis (no_types) Un_insert_left Un_insert_right insert_absorb le_supE
 parts_Un parts_idem parts_increasing parts_trans)
-subsubsection{*Rewrite rules for pulling out atomic messages *}
+subsubsection\<open>Rewrite rules for pulling out atomic messages\<close>
 lemmas parts_insert_eq_I = equalityI [OF subsetI parts_insert_subset]
 lemma parts_insert_Agent [simp]:
 apply (simp_all add: parts_insert2)
 apply (metis Suc_n_not_le_n)
 apply (metis le_trans linorder_linear)
 done
-subsection{*Inductive relation "analz"*}
+subsection\<open>Inductive relation "analz"\<close>
-text{*Inductive definition of "analz" -- what can be broken down from a set of
+text\<open>Inductive definition of "analz" -- what can be broken down from a set of
 messages, including keys.  A form of downward closure.  Pairs can
-be taken apart; messages decrypted with known keys.  *}
+be taken apart; messages decrypted with known keys.\<close>
 inductive_set
 analz :: "msg set => msg set"
 for H :: "msg set"
 where
 | Snd:     "\<lbrace>X,Y\<rbrace> \<in> analz H ==> Y \<in> analz H"
 | Decrypt [dest]:
 "[|Crypt K X \<in> analz H; Key(invKey K): analz H|] ==> X \<in> analz H"
-text{*Monotonicity; Lemma 1 of Lowe's paper*}
+text\<open>Monotonicity; Lemma 1 of Lowe's paper\<close>
 lemma analz_mono: "G\<subseteq>H ==> analz(G) \<subseteq> analz(H)"
 apply auto
 apply (erule analz.induct)
 apply (auto dest: analz.Fst analz.Snd)
 done
-text{*Making it safe speeds up proofs*}
+text\<open>Making it safe speeds up proofs\<close>
 lemma MPair_analz [elim!]:
 "[| \<lbrace>X,Y\<rbrace> \<in> analz H;
 [| X \<in> analz H; Y \<in> analz H |] ==> P
 |] ==> P"
 by (blast dest: analz.Fst analz.Snd)
 apply (erule analz.induct, auto)
 done
 lemmas analz_insertI = subset_insertI [THEN analz_mono, THEN [2] rev_subsetD]
-subsubsection{*General equational properties *}
+subsubsection\<open>General equational properties\<close>
 lemma analz_empty [simp]: "analz{} = {}"
 apply safe
 apply (erule analz.induct, blast+)
 done
-text{*Converse fails: we can analz more from the union than from the
+text\<open>Converse fails: we can analz more from the union than from the
-separate parts, as a key in one might decrypt a message in the other*}
+separate parts, as a key in one might decrypt a message in the other\<close>
 lemma analz_Un: "analz(G) \<union> analz(H) \<subseteq> analz(G \<union> H)"
 by (intro Un_least analz_mono Un_upper1 Un_upper2)
 lemma analz_insert: "insert X (analz H) \<subseteq> analz(insert X H)"
 by (blast intro: analz_mono [THEN [2] rev_subsetD])
-subsubsection{*Rewrite rules for pulling out atomic messages *}
+subsubsection\<open>Rewrite rules for pulling out atomic messages\<close>
 lemmas analz_insert_eq_I = equalityI [OF subsetI analz_insert]
 lemma analz_insert_Agent [simp]:
 "analz (insert (Agent agt) H) = insert (Agent agt) (analz H)"
 "analz (insert (Hash X) H) = insert (Hash X) (analz H)"
 apply (rule analz_insert_eq_I)
 apply (erule analz.induct, auto)
 done
-text{*Can only pull out Keys if they are not needed to decrypt the rest*}
+text\<open>Can only pull out Keys if they are not needed to decrypt the rest\<close>
 lemma analz_insert_Key [simp]:
 "K \<notin> keysFor (analz H) ==>
 analz (insert (Key K) H) = insert (Key K) (analz H)"
 apply (unfold keysFor_def)
 apply (rule analz_insert_eq_I)
 apply (erule analz.induct, auto)
 apply (erule analz.induct)
 apply (blast intro: analz.Fst analz.Snd)+
 done
-text{*Can pull out enCrypted message if the Key is not known*}
+text\<open>Can pull out enCrypted message if the Key is not known\<close>
 lemma analz_insert_Crypt:
 "Key (invKey K) \<notin> analz H
 ==> analz (insert (Crypt K X) H) = insert (Crypt K X) (analz H)"
 apply (rule analz_insert_eq_I)
 apply (erule analz.induct, auto)
 "Key (invKey K) \<in> analz H ==>
 analz (insert (Crypt K X) H) =
 insert (Crypt K X) (analz (insert X H))"
 by (intro equalityI lemma1 lemma2)
-text{*Case analysis: either the message is secure, or it is not! Effective,
+text\<open>Case analysis: either the message is secure, or it is not! Effective,
-but can cause subgoals to blow up! Use with @{text "if_split"}; apparently
+but can cause subgoals to blow up! Use with \<open>if_split\<close>; apparently
-@{text "split_tac"} does not cope with patterns such as @{term"analz (insert
+\<open>split_tac\<close> does not cope with patterns such as @{term"analz (insert
-(Crypt K X) H)"} *}
+(Crypt K X) H)"}\<close>
 lemma analz_Crypt_if [simp]:
 "analz (insert (Crypt K X) H) =
 (if (Key (invKey K) \<in> analz H)
 then insert (Crypt K X) (analz (insert X H))
 else insert (Crypt K X) (analz H))"
 by (simp add: analz_insert_Crypt analz_insert_Decrypt)
-text{*This rule supposes "for the sake of argument" that we have the key.*}
+text\<open>This rule supposes "for the sake of argument" that we have the key.\<close>
 lemma analz_insert_Crypt_subset:
 "analz (insert (Crypt K X) H) \<subseteq>
 insert (Crypt K X) (analz (insert X H))"
 apply (rule subsetI)
 apply (erule analz.induct, auto)
 apply auto
 apply (erule analz.induct, auto)
 done
-subsubsection{*Idempotence and transitivity *}
+subsubsection\<open>Idempotence and transitivity\<close>
 lemma analz_analzD [dest!]: "X\<in> analz (analz H) ==> X\<in> analz H"
 by (erule analz.induct, blast+)
 lemma analz_idem [simp]: "analz (analz H) = analz H"
 declare analz_trans[intro]
 lemma analz_cut: "[| Y\<in> analz (insert X H);  X\<in> analz H |] ==> Y\<in> analz H"
 by (metis analz_idem analz_increasing analz_mono insert_absorb insert_mono insert_subset)
-text{*This rewrite rule helps in the simplification of messages that involve
+text\<open>This rewrite rule helps in the simplification of messages that involve
 the forwarding of unknown components (X).  Without it, removing occurrences
-of X can be very complicated. *}
+of X can be very complicated.\<close>
 lemma analz_insert_eq: "X\<in> analz H ==> analz (insert X H) = analz H"
 by (blast intro: analz_cut analz_insertI)
-text{*A congruence rule for "analz" *}
+text\<open>A congruence rule for "analz"\<close>
 lemma analz_subset_cong:
 "[| analz G \<subseteq> analz G'; analz H \<subseteq> analz H' |]
 ==> analz (G \<union> H) \<subseteq> analz (G' \<union> H')"
 apply simp
 lemma analz_insert_cong:
 "analz H = analz H' ==> analz(insert X H) = analz(insert X H')"
 by (force simp only: insert_def intro!: analz_cong)
-text{*If there are no pairs or encryptions then analz does nothing*}
+text\<open>If there are no pairs or encryptions then analz does nothing\<close>
 lemma analz_trivial:
 "[| \<forall>X Y. \<lbrace>X,Y\<rbrace> \<notin> H;  \<forall>X K. Crypt K X \<notin> H |] ==> analz H = H"
 apply safe
 apply (erule analz.induct, blast+)
 done
-text{*These two are obsolete (with a single Spy) but cost little to prove...*}
+text\<open>These two are obsolete (with a single Spy) but cost little to prove...\<close>
 lemma analz_UN_analz_lemma:
 "X\<in> analz (\<Union>i\<in>A. analz (H i)) ==> X\<in> analz (\<Union>i\<in>A. H i)"
 apply (erule analz.induct)
 apply (blast intro: analz_mono [THEN [2] rev_subsetD])+
 done
 lemma analz_UN_analz [simp]: "analz (\<Union>i\<in>A. analz (H i)) = analz (\<Union>i\<in>A. H i)"
 by (blast intro: analz_UN_analz_lemma analz_mono [THEN [2] rev_subsetD])
-subsection{*Inductive relation "synth"*}
+subsection\<open>Inductive relation "synth"\<close>
-text{*Inductive definition of "synth" -- what can be built up from a set of
+text\<open>Inductive definition of "synth" -- what can be built up from a set of
 messages.  A form of upward closure.  Pairs can be built, messages
 encrypted with known keys.  Agent names are public domain.
-Numbers can be guessed, but Nonces cannot be.  *}
+Numbers can be guessed, but Nonces cannot be.\<close>
 inductive_set
 synth :: "msg set => msg set"
 for H :: "msg set"
 where
 | Number [intro]:   "Number n  \<in> synth H"
 | Hash   [intro]:   "X \<in> synth H ==> Hash X \<in> synth H"
 | MPair  [intro]:   "[|X \<in> synth H;  Y \<in> synth H|] ==> \<lbrace>X,Y\<rbrace> \<in> synth H"
 | Crypt  [intro]:   "[|X \<in> synth H;  Key(K) \<in> H|] ==> Crypt K X \<in> synth H"
-text{*Monotonicity*}
+text\<open>Monotonicity\<close>
 lemma synth_mono: "G\<subseteq>H ==> synth(G) \<subseteq> synth(H)"
 by (auto, erule synth.induct, auto)
-text{*NO @{text Agent_synth}, as any Agent name can be synthesized.
+text\<open>NO \<open>Agent_synth\<close>, as any Agent name can be synthesized.
-The same holds for @{term Number}*}
+The same holds for @{term Number}\<close>
 inductive_cases Nonce_synth [elim!]: "Nonce n \<in> synth H"
 inductive_cases Key_synth   [elim!]: "Key K \<in> synth H"
 inductive_cases Hash_synth  [elim!]: "Hash X \<in> synth H"
 inductive_cases MPair_synth [elim!]: "\<lbrace>X,Y\<rbrace> \<in> synth H"
 inductive_cases Crypt_synth [elim!]: "Crypt K X \<in> synth H"
 lemma synth_increasing: "H \<subseteq> synth(H)"
 by blast
-subsubsection{*Unions *}
+subsubsection\<open>Unions\<close>
-text{*Converse fails: we can synth more from the union than from the
+text\<open>Converse fails: we can synth more from the union than from the
-separate parts, building a compound message using elements of each.*}
+separate parts, building a compound message using elements of each.\<close>
 lemma synth_Un: "synth(G) \<union> synth(H) \<subseteq> synth(G \<union> H)"
 by (intro Un_least synth_mono Un_upper1 Un_upper2)
 lemma synth_insert: "insert X (synth H) \<subseteq> synth(insert X H)"
 by (metis insert_iff insert_subset subset_insertI synth.Inj synth_mono)
-subsubsection{*Idempotence and transitivity *}
+subsubsection\<open>Idempotence and transitivity\<close>
 lemma synth_synthD [dest!]: "X\<in> synth (synth H) ==> X\<in> synth H"
 by (erule synth.induct, blast+)
 lemma synth_idem: "synth (synth H) = synth H"
 lemma keysFor_synth [simp]:
 "keysFor (synth H) = keysFor H \<union> invKey`{K. Key K \<in> H}"
 by (unfold keysFor_def, blast)
-subsubsection{*Combinations of parts, analz and synth *}
+subsubsection\<open>Combinations of parts, analz and synth\<close>
 lemma parts_synth [simp]: "parts (synth H) = parts H \<union> synth H"
 apply (rule equalityI)
 apply (rule subsetI)
 apply (erule parts.induct)
 hence "\<forall>x\<^sub>1. analz x\<^sub>1 \<union> synth x\<^sub>1 = analz (synth x\<^sub>1)" by (metis Un_commute)
 thus "analz (synth H) = analz H \<union> synth H" by metis
 qed
-subsubsection{*For reasoning about the Fake rule in traces *}
+subsubsection\<open>For reasoning about the Fake rule in traces\<close>
 lemma parts_insert_subset_Un: "X \<in> G ==> parts(insert X H) \<subseteq> parts G \<union> parts H"
 proof -
 assume "X \<in> G"
 hence "\<forall>x\<^sub>1. G \<subseteq> x\<^sub>1 \<longrightarrow> X \<in> x\<^sub>1 " by auto

changeset 63167	0909deb8059b
parent 62390	842917225d56
child 67443	3abf6a722518