39 machine, needed for some protocols), an infinite population of |
39 machine, needed for some protocols), an infinite population of |
40 friendly agents, and the~\isa{Spy}:% |
40 friendly agents, and the~\isa{Spy}:% |
41 \end{isamarkuptext}% |
41 \end{isamarkuptext}% |
42 \isamarkuptrue% |
42 \isamarkuptrue% |
43 \isacommand{datatype}\isamarkupfalse% |
43 \isacommand{datatype}\isamarkupfalse% |
44 \ agent\ {\isacharequal}\ Server\ {\isacharbar}\ Friend\ nat\ {\isacharbar}\ Spy% |
44 \ agent\ {\isaliteral{3D}{\isacharequal}}\ Server\ {\isaliteral{7C}{\isacharbar}}\ Friend\ nat\ {\isaliteral{7C}{\isacharbar}}\ Spy% |
45 \begin{isamarkuptext}% |
45 \begin{isamarkuptext}% |
46 Keys are just natural numbers. Function \isa{invKey} maps a public key to |
46 Keys are just natural numbers. Function \isa{invKey} maps a public key to |
47 the matching private key, and vice versa:% |
47 the matching private key, and vice versa:% |
48 \end{isamarkuptext}% |
48 \end{isamarkuptext}% |
49 \isamarkuptrue% |
49 \isamarkuptrue% |
50 \isacommand{types}\isamarkupfalse% |
50 \isacommand{types}\isamarkupfalse% |
51 \ key\ {\isacharequal}\ nat\isanewline |
51 \ key\ {\isaliteral{3D}{\isacharequal}}\ nat\isanewline |
52 \isacommand{consts}\isamarkupfalse% |
52 \isacommand{consts}\isamarkupfalse% |
53 \ invKey\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}key\ {\isasymRightarrow}\ key{\isachardoublequoteclose}% |
53 \ invKey\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}key\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}% |
54 \isadelimproof |
54 \isadelimproof |
55 % |
55 % |
56 \endisadelimproof |
56 \endisadelimproof |
57 % |
57 % |
58 \isatagproof |
58 \isatagproof |
70 keys, compound messages, and encryptions.% |
70 keys, compound messages, and encryptions.% |
71 \end{isamarkuptext}% |
71 \end{isamarkuptext}% |
72 \isamarkuptrue% |
72 \isamarkuptrue% |
73 \isacommand{datatype}\isamarkupfalse% |
73 \isacommand{datatype}\isamarkupfalse% |
74 \isanewline |
74 \isanewline |
75 \ \ \ \ \ msg\ {\isacharequal}\ Agent\ \ agent\isanewline |
75 \ \ \ \ \ msg\ {\isaliteral{3D}{\isacharequal}}\ Agent\ \ agent\isanewline |
76 \ \ \ \ \ \ \ \ \ {\isacharbar}\ Nonce\ \ nat\isanewline |
76 \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Nonce\ \ nat\isanewline |
77 \ \ \ \ \ \ \ \ \ {\isacharbar}\ Key\ \ \ \ key\isanewline |
77 \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Key\ \ \ \ key\isanewline |
78 \ \ \ \ \ \ \ \ \ {\isacharbar}\ MPair\ \ msg\ msg\isanewline |
78 \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ MPair\ \ msg\ msg\isanewline |
79 \ \ \ \ \ \ \ \ \ {\isacharbar}\ Crypt\ \ key\ msg% |
79 \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Crypt\ \ key\ msg% |
80 \begin{isamarkuptext}% |
80 \begin{isamarkuptext}% |
81 \noindent |
81 \noindent |
82 The notation $\comp{X\sb 1,\ldots X\sb{n-1},X\sb n}$ |
82 The notation $\comp{X\sb 1,\ldots X\sb{n-1},X\sb n}$ |
83 abbreviates |
83 abbreviates |
84 $\isa{MPair}\,X\sb 1\,\ldots\allowbreak(\isa{MPair}\,X\sb{n-1}\,X\sb n)$. |
84 $\isa{MPair}\,X\sb 1\,\ldots\allowbreak(\isa{MPair}\,X\sb{n-1}\,X\sb n)$. |
85 |
85 |
86 Since datatype constructors are injective, we have the theorem |
86 Since datatype constructors are injective, we have the theorem |
87 \begin{isabelle}% |
87 \begin{isabelle}% |
88 Crypt\ K\ X\ {\isacharequal}\ Crypt\ K{\isacharprime}\ X{\isacharprime}\ {\isasymLongrightarrow}\ K\ {\isacharequal}\ K{\isacharprime}\ {\isasymand}\ X\ {\isacharequal}\ X{\isacharprime}% |
88 Crypt\ K\ X\ {\isaliteral{3D}{\isacharequal}}\ Crypt\ K{\isaliteral{27}{\isacharprime}}\ X{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ K\ {\isaliteral{3D}{\isacharequal}}\ K{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ X\ {\isaliteral{3D}{\isacharequal}}\ X{\isaliteral{27}{\isacharprime}}% |
89 \end{isabelle} |
89 \end{isabelle} |
90 A ciphertext can be decrypted using only one key and |
90 A ciphertext can be decrypted using only one key and |
91 can yield only one plaintext. In the real world, decryption with the |
91 can yield only one plaintext. In the real world, decryption with the |
92 wrong key succeeds but yields garbage. Our model of encryption is |
92 wrong key succeeds but yields garbage. Our model of encryption is |
93 realistic if encryption adds some redundancy to the plaintext, such as a |
93 realistic if encryption adds some redundancy to the plaintext, such as a |
670 messages. The set \isa{analz\ H} formalizes what the adversary can learn |
670 messages. The set \isa{analz\ H} formalizes what the adversary can learn |
671 from the set of messages~$H$. The closure properties of this set are |
671 from the set of messages~$H$. The closure properties of this set are |
672 defined inductively.% |
672 defined inductively.% |
673 \end{isamarkuptext}% |
673 \end{isamarkuptext}% |
674 \isamarkuptrue% |
674 \isamarkuptrue% |
675 \isacommand{inductive{\isacharunderscore}set}\isamarkupfalse% |
675 \isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse% |
676 \isanewline |
676 \isanewline |
677 \ \ analz\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}msg\ set\ {\isasymRightarrow}\ msg\ set{\isachardoublequoteclose}\isanewline |
677 \ \ analz\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
678 \ \ \isakeyword{for}\ H\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}msg\ set{\isachardoublequoteclose}\isanewline |
678 \ \ \isakeyword{for}\ H\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
679 \ \ \isakeyword{where}\isanewline |
679 \ \ \isakeyword{where}\isanewline |
680 \ \ \ \ Inj\ {\isacharbrackleft}intro{\isacharcomma}simp{\isacharbrackright}\ {\isacharcolon}\ {\isachardoublequoteopen}X\ {\isasymin}\ H\ {\isasymLongrightarrow}\ X\ {\isasymin}\ analz\ H{\isachardoublequoteclose}\isanewline |
680 \ \ \ \ Inj\ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{2C}{\isacharcomma}}simp{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
681 \ \ {\isacharbar}\ Fst{\isacharcolon}\ \ \ \ \ {\isachardoublequoteopen}{\isasymlbrace}X{\isacharcomma}Y{\isasymrbrace}\ {\isasymin}\ analz\ H\ {\isasymLongrightarrow}\ X\ {\isasymin}\ analz\ H{\isachardoublequoteclose}\isanewline |
681 \ \ {\isaliteral{7C}{\isacharbar}}\ Fst{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
682 \ \ {\isacharbar}\ Snd{\isacharcolon}\ \ \ \ \ {\isachardoublequoteopen}{\isasymlbrace}X{\isacharcomma}Y{\isasymrbrace}\ {\isasymin}\ analz\ H\ {\isasymLongrightarrow}\ Y\ {\isasymin}\ analz\ H{\isachardoublequoteclose}\isanewline |
682 \ \ {\isaliteral{7C}{\isacharbar}}\ Snd{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
683 \ \ {\isacharbar}\ Decrypt\ {\isacharbrackleft}dest{\isacharbrackright}{\isacharcolon}\ \isanewline |
683 \ \ {\isaliteral{7C}{\isacharbar}}\ Decrypt\ {\isaliteral{5B}{\isacharbrackleft}}dest{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ \isanewline |
684 \ \ \ \ \ \ \ \ \ \ \ \ \ {\isachardoublequoteopen}{\isasymlbrakk}Crypt\ K\ X\ {\isasymin}\ analz\ H{\isacharsemicolon}\ Key{\isacharparenleft}invKey\ K{\isacharparenright}\ {\isasymin}\ analz\ H{\isasymrbrakk}\isanewline |
684 \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{3B}{\isacharsemicolon}}\ Key{\isaliteral{28}{\isacharparenleft}}invKey\ K{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline |
685 \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ X\ {\isasymin}\ analz\ H{\isachardoublequoteclose}% |
685 \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}% |
686 \isadelimproof |
686 \isadelimproof |
687 % |
687 % |
688 \endisadelimproof |
688 \endisadelimproof |
689 % |
689 % |
690 \isatagproof |
690 \isatagproof |
1102 \begin{isamarkuptext}% |
1102 \begin{isamarkuptext}% |
1103 Note the \isa{Decrypt} rule: the spy can decrypt a |
1103 Note the \isa{Decrypt} rule: the spy can decrypt a |
1104 message encrypted with key~$K$ if he has the matching key,~$K^{-1}$. |
1104 message encrypted with key~$K$ if he has the matching key,~$K^{-1}$. |
1105 Properties proved by rule induction include the following: |
1105 Properties proved by rule induction include the following: |
1106 \begin{isabelle}% |
1106 \begin{isabelle}% |
1107 G\ {\isasymsubseteq}\ H\ {\isasymLongrightarrow}\ analz\ G\ {\isasymsubseteq}\ analz\ H\rulename{analz{\isacharunderscore}mono}\par\smallskip% |
1107 G\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ analz\ G\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ analz\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}mono}\par\smallskip% |
1108 analz\ {\isacharparenleft}analz\ H{\isacharparenright}\ {\isacharequal}\ analz\ H\rulename{analz{\isacharunderscore}idem}% |
1108 analz\ {\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ analz\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}idem}% |
1109 \end{isabelle} |
1109 \end{isabelle} |
1110 |
1110 |
1111 The set of fake messages that an intruder could invent |
1111 The set of fake messages that an intruder could invent |
1112 starting from~\isa{H} is \isa{synth{\isacharparenleft}analz\ H{\isacharparenright}}, where \isa{synth\ H} |
1112 starting from~\isa{H} is \isa{synth{\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}}, where \isa{synth\ H} |
1113 formalizes what the adversary can build from the set of messages~$H$.% |
1113 formalizes what the adversary can build from the set of messages~$H$.% |
1114 \end{isamarkuptext}% |
1114 \end{isamarkuptext}% |
1115 \isamarkuptrue% |
1115 \isamarkuptrue% |
1116 \isacommand{inductive{\isacharunderscore}set}\isamarkupfalse% |
1116 \isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse% |
1117 \isanewline |
1117 \isanewline |
1118 \ \ synth\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}msg\ set\ {\isasymRightarrow}\ msg\ set{\isachardoublequoteclose}\isanewline |
1118 \ \ synth\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
1119 \ \ \isakeyword{for}\ H\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}msg\ set{\isachardoublequoteclose}\isanewline |
1119 \ \ \isakeyword{for}\ H\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
1120 \ \ \isakeyword{where}\isanewline |
1120 \ \ \isakeyword{where}\isanewline |
1121 \ \ \ \ Inj\ \ \ \ {\isacharbrackleft}intro{\isacharbrackright}{\isacharcolon}\ {\isachardoublequoteopen}X\ {\isasymin}\ H\ {\isasymLongrightarrow}\ X\ {\isasymin}\ synth\ H{\isachardoublequoteclose}\isanewline |
1121 \ \ \ \ Inj\ \ \ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
1122 \ \ {\isacharbar}\ Agent\ \ {\isacharbrackleft}intro{\isacharbrackright}{\isacharcolon}\ {\isachardoublequoteopen}Agent\ agt\ {\isasymin}\ synth\ H{\isachardoublequoteclose}\isanewline |
1122 \ \ {\isaliteral{7C}{\isacharbar}}\ Agent\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Agent\ agt\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
1123 \ \ {\isacharbar}\ MPair\ \ {\isacharbrackleft}intro{\isacharbrackright}{\isacharcolon}\isanewline |
1123 \ \ {\isaliteral{7C}{\isacharbar}}\ MPair\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline |
1124 \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isachardoublequoteopen}{\isasymlbrakk}X\ {\isasymin}\ synth\ H{\isacharsemicolon}\ \ Y\ {\isasymin}\ synth\ H{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isasymlbrace}X{\isacharcomma}Y{\isasymrbrace}\ {\isasymin}\ synth\ H{\isachardoublequoteclose}\isanewline |
1124 \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{3B}{\isacharsemicolon}}\ \ Y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline |
1125 \ \ {\isacharbar}\ Crypt\ \ {\isacharbrackleft}intro{\isacharbrackright}{\isacharcolon}\isanewline |
1125 \ \ {\isaliteral{7C}{\isacharbar}}\ Crypt\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline |
1126 \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isachardoublequoteopen}{\isasymlbrakk}X\ {\isasymin}\ synth\ H{\isacharsemicolon}\ \ Key\ K\ {\isasymin}\ H{\isasymrbrakk}\ {\isasymLongrightarrow}\ Crypt\ K\ X\ {\isasymin}\ synth\ H{\isachardoublequoteclose}% |
1126 \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{3B}{\isacharsemicolon}}\ \ Key\ K\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}% |
1127 \isadelimproof |
1127 \isadelimproof |
1128 % |
1128 % |
1129 \endisadelimproof |
1129 \endisadelimproof |
1130 % |
1130 % |
1131 \isatagproof |
1131 \isatagproof |
1170 using a key present in~$H$. |
1170 using a key present in~$H$. |
1171 |
1171 |
1172 Like \isa{analz}, this set operator is monotone and idempotent. It also |
1172 Like \isa{analz}, this set operator is monotone and idempotent. It also |
1173 satisfies an interesting equation involving \isa{analz}: |
1173 satisfies an interesting equation involving \isa{analz}: |
1174 \begin{isabelle}% |
1174 \begin{isabelle}% |
1175 analz\ {\isacharparenleft}synth\ H{\isacharparenright}\ {\isacharequal}\ analz\ H\ {\isasymunion}\ synth\ H\rulename{analz{\isacharunderscore}synth}% |
1175 analz\ {\isaliteral{28}{\isacharparenleft}}synth\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ analz\ H\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ synth\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}synth}% |
1176 \end{isabelle} |
1176 \end{isabelle} |
1177 Rule inversion plays a major role in reasoning about \isa{synth}, through |
1177 Rule inversion plays a major role in reasoning about \isa{synth}, through |
1178 declarations such as this one:% |
1178 declarations such as this one:% |
1179 \end{isamarkuptext}% |
1179 \end{isamarkuptext}% |
1180 \isamarkuptrue% |
1180 \isamarkuptrue% |
1181 \isacommand{inductive{\isacharunderscore}cases}\isamarkupfalse% |
1181 \isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse% |
1182 \ Nonce{\isacharunderscore}synth\ {\isacharbrackleft}elim{\isacharbang}{\isacharbrackright}{\isacharcolon}\ {\isachardoublequoteopen}Nonce\ n\ {\isasymin}\ synth\ H{\isachardoublequoteclose}% |
1182 \ Nonce{\isaliteral{5F}{\isacharunderscore}}synth\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}% |
1183 \begin{isamarkuptext}% |
1183 \begin{isamarkuptext}% |
1184 \noindent |
1184 \noindent |
1185 The resulting elimination rule replaces every assumption of the form |
1185 The resulting elimination rule replaces every assumption of the form |
1186 \isa{Nonce\ n\ {\isasymin}\ synth\ H} by \isa{Nonce\ n\ {\isasymin}\ H}, |
1186 \isa{Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H} by \isa{Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H}, |
1187 expressing that a nonce cannot be guessed. |
1187 expressing that a nonce cannot be guessed. |
1188 |
1188 |
1189 A third operator, \isa{parts}, is useful for stating correctness |
1189 A third operator, \isa{parts}, is useful for stating correctness |
1190 properties. The set |
1190 properties. The set |
1191 \isa{parts\ H} consists of the components of elements of~$H$. This set |
1191 \isa{parts\ H} consists of the components of elements of~$H$. This set |
1192 includes~\isa{H} and is closed under the projections from a compound |
1192 includes~\isa{H} and is closed under the projections from a compound |
1193 message to its immediate parts. |
1193 message to its immediate parts. |
1194 Its definition resembles that of \isa{analz} except in the rule |
1194 Its definition resembles that of \isa{analz} except in the rule |
1195 corresponding to the constructor \isa{Crypt}: |
1195 corresponding to the constructor \isa{Crypt}: |
1196 \begin{isabelle}% |
1196 \begin{isabelle}% |
1197 \ \ \ \ \ Crypt\ K\ X\ {\isasymin}\ parts\ H\ {\isasymLongrightarrow}\ X\ {\isasymin}\ parts\ H% |
1197 \ \ \ \ \ Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ H% |
1198 \end{isabelle} |
1198 \end{isabelle} |
1199 The body of an encrypted message is always regarded as part of it. We can |
1199 The body of an encrypted message is always regarded as part of it. We can |
1200 use \isa{parts} to express general well-formedness properties of a protocol, |
1200 use \isa{parts} to express general well-formedness properties of a protocol, |
1201 for example, that an uncompromised agent's private key will never be |
1201 for example, that an uncompromised agent's private key will never be |
1202 included as a component of any message.% |
1202 included as a component of any message.% |