isabelle: comparison src/HOL/Auth/NS

equal deleted inserted replaced

-:597efdb7decb
+:aafe719dff14
 open NS_Public;
 proof_timing:=true;
 HOL_quantifiers := false;
-AddIffs [Spy_in_lost];
+AddIffs [Spy_in_bad];
 (*A "possibility property": there are traces that reach the end*)
 goal thy
 "!!A B. A ~= B ==> EX NB. EX evs: ns_public.               \
 \                     Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
 Addsimps [not_Says_to_self];
 AddSEs   [not_Says_to_self RSN (2, rev_notE)];
 (*Induction for regularity theorems.  If induction formula has the form
-X ~: analz (sees Spy evs) --> ... then it shortens the proof by discarding
+X ~: analz (spies evs) --> ... then it shortens the proof by discarding
-needless information about analz (insert X (sees Spy evs))  *)
+needless information about analz (insert X (spies evs))  *)
 fun parts_induct_tac i =
 etac ns_public.induct i
 THEN
 REPEAT (FIRSTGOAL analz_mono_contra_tac)
 THEN
 prove_simple_subgoals_tac i;
-(** Theorems of the form X ~: parts (sees Spy evs) imply that NOBODY
+(** Theorems of the form X ~: parts (spies evs) imply that NOBODY
 sends messages containing X! **)
-(*Spy never sees another agent's private key! (unless it's lost at start)*)
+(*Spy never sees another agent's private key! (unless it's bad at start)*)
 goal thy
-"!!A. evs: ns_public ==> (Key (priK A) : parts (sees Spy evs)) = (A : lost)";
+"!!A. evs: ns_public ==> (Key (priK A) : parts (spies evs)) = (A : bad)";
 by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 qed "Spy_see_priK";
 Addsimps [Spy_see_priK];
 goal thy
-"!!A. evs: ns_public ==> (Key (priK A) : analz (sees Spy evs)) = (A : lost)";
+"!!A. evs: ns_public ==> (Key (priK A) : analz (spies evs)) = (A : bad)";
 by (auto_tac(!claset addDs [impOfSubs analz_subset_parts], !simpset));
 qed "Spy_analz_priK";
 Addsimps [Spy_analz_priK];
-goal thy  "!!A. [| Key (priK A) : parts (sees Spy evs);       \
+goal thy  "!!A. [| Key (priK A) : parts (spies evs);       \
-\                  evs : ns_public |] ==> A:lost";
+\                  evs : ns_public |] ==> A:bad";
 by (blast_tac (!claset addDs [Spy_see_priK]) 1);
 qed "Spy_see_priK_D";
 bind_thm ("Spy_analz_priK_D", analz_subset_parts RS subsetD RS Spy_see_priK_D);
 AddSDs [Spy_see_priK_D, Spy_analz_priK_D];
 (**** Authenticity properties obtained from NS2 ****)
 (*It is impossible to re-use a nonce in both NS1 and NS2, provided the nonce
 is secret.  (Honest users generate fresh nonces.)*)
 goal thy
-"!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs); \
+"!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
-\           Nonce NA ~: analz (sees Spy evs);       \
+\           Nonce NA ~: analz (spies evs);       \
 \           evs : ns_public |]                      \
-\ ==> Crypt (pubK C) {|NA', Nonce NA, Agent D|} ~: parts (sees Spy evs)";
+\ ==> Crypt (pubK C) {|NA', Nonce NA, Agent D|} ~: parts (spies evs)";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 (*NS3*)
 by (blast_tac (!claset addSEs partsEs) 3);
 qed "no_nonce_NS1_NS2";
 (*Unicity for NS1: nonce NA identifies agents A and B*)
 goal thy
-"!!evs. [| Nonce NA ~: analz (sees Spy evs);  evs : ns_public |]      \
+"!!evs. [| Nonce NA ~: analz (spies evs);  evs : ns_public |]      \
 \ ==> EX A' B'. ALL A B.                                               \
-\      Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs) --> \
+\      Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs) --> \
 \      A=A' & B=B'";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (ALLGOALS
-(asm_simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees])));
+(asm_simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_spies])));
 (*NS1*)
 by (expand_case_tac "NA = ?y" 2 THEN blast_tac (!claset addSEs partsEs) 2);
 (*Fake*)
 by (step_tac (!claset addSIs [analz_insertI]) 1);
 by (ex_strip_tac 1);
 by (Fake_parts_insert_tac 1);
 val lemma = result();
 goal thy
-"!!evs. [| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(sees Spy evs); \
+"!!evs. [| Crypt(pubK B)  {|Nonce NA, Agent A|}  : parts(spies evs); \
-\           Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(sees Spy evs); \
+\           Crypt(pubK B') {|Nonce NA, Agent A'|} : parts(spies evs); \
-\           Nonce NA ~: analz (sees Spy evs);                            \
+\           Nonce NA ~: analz (spies evs);                            \
-\           evs : ns_public |]                                                \
+\           evs : ns_public |]                                        \
 \        ==> A=A' & B=B'";
 by (prove_unique_tac lemma 1);
 qed "unique_NA";
 (*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure*)
 goal thy
 "!!evs. [| Says A B (Crypt(pubK B) {|Nonce NA, Agent A|}) : set evs;         \
-\           A ~: lost;  B ~: lost;  evs : ns_public |]                        \
+\           A ~: bad;  B ~: bad;  evs : ns_public |]                        \
-\        ==>  Nonce NA ~: analz (sees Spy evs)";
+\        ==>  Nonce NA ~: analz (spies evs)";
 by (etac rev_mp 1);
 by (analz_induct_tac 1);
 (*NS3*)
-by (blast_tac (!claset addDs  [Says_imp_sees_Spy RS parts.Inj]
+by (blast_tac (!claset addDs  [Says_imp_spies RS parts.Inj]
 addEs  [no_nonce_NS1_NS2 RSN (2, rev_notE)]) 4);
 (*NS2*)
 by (blast_tac (!claset addSEs [MPair_parts]
-		       addDs  [Says_imp_sees_Spy RS parts.Inj,
+		       addDs  [Says_imp_spies RS parts.Inj,
 			       parts.Body, unique_NA]) 3);
 (*NS1*)
-by (blast_tac (!claset addSEs sees_Spy_partsEs
+by (blast_tac (!claset addSEs spies_partsEs
 addIs  [impOfSubs analz_subset_parts]) 2);
 (*Fake*)
 by (spy_analz_tac 1);
 qed "Spy_not_see_NA";
 to start a run, then B has sent message 2.*)
 goal thy
 "!!evs. [| Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs;  \
 \           Says B' A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})   \
 \             : set evs;                                                \
-\           A ~: lost;  B ~: lost;  evs : ns_public |]                  \
+\           A ~: bad;  B ~: bad;  evs : ns_public |]                  \
 \        ==> Says B A (Crypt(pubK A) {|Nonce NA, Nonce NB, Agent B|})   \
 \              : set evs";
 by (etac rev_mp 1);
 (*prepare induction over Crypt (pubK A) {|NA,NB,B|} : parts H*)
-by (etac (Says_imp_sees_Spy RS parts.Inj RS rev_mp) 1);
+by (etac (Says_imp_spies RS parts.Inj RS rev_mp) 1);
 by (etac ns_public.induct 1);
 by (ALLGOALS Asm_simp_tac);
 (*NS1*)
-by (blast_tac (!claset addSEs sees_Spy_partsEs) 2);
+by (blast_tac (!claset addSEs spies_partsEs) 2);
 (*Fake*)
 by (blast_tac (!claset addSDs [impOfSubs Fake_parts_insert]
 addDs  [Spy_not_see_NA,
 			       impOfSubs analz_subset_parts]) 1);
 qed "A_trusts_NS2";
 (*If the encrypted message appears then it originated with Alice in NS1*)
 goal thy
-"!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (sees Spy evs); \
+"!!evs. [| Crypt (pubK B) {|Nonce NA, Agent A|} : parts (spies evs); \
-\           Nonce NA ~: analz (sees Spy evs);                 \
+\           Nonce NA ~: analz (spies evs);                 \
-\           evs : ns_public |]                                     \
+\           evs : ns_public |]                             \
 \   ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
 by (etac rev_mp 1);
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (Fake_parts_insert_tac 1);
 (*Unicity for NS2: nonce NB identifies nonce NA and agents A, B
 [unicity of B makes Lowe's fix work]
 [proof closely follows that for unique_NA] *)
 goal thy
-"!!evs. [| Nonce NB ~: analz (sees Spy evs);  evs : ns_public |]      \
+"!!evs. [| Nonce NB ~: analz (spies evs);  evs : ns_public |]      \
 \ ==> EX A' NA' B'. ALL A NA B.                                             \
-\      Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}                       \
+\      Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|} : parts (spies evs) \
-\        : parts (sees Spy evs)  -->  A=A' & NA=NA' & B=B'";
+\         -->  A=A' & NA=NA' & B=B'";
 by (etac rev_mp 1);
 by (parts_induct_tac 1);
 by (ALLGOALS
-(asm_simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_sees])));
+(asm_simp_tac (!simpset addsimps [all_conj_distrib, parts_insert_spies])));
 (*NS2*)
 by (expand_case_tac "NB = ?y" 2 THEN blast_tac (!claset addSEs partsEs) 2);
 (*Fake*)
 by (step_tac (!claset addSIs [analz_insertI]) 1);
 by (ex_strip_tac 1);
 by (Fake_parts_insert_tac 1);
 val lemma = result();
 goal thy
 "!!evs. [| Crypt(pubK A)  {|Nonce NA, Nonce NB, Agent B|}   \
-\             : parts(sees Spy evs);                         \
+\             : parts(spies evs);                         \
 \           Crypt(pubK A') {|Nonce NA', Nonce NB, Agent B'|} \
-\             : parts(sees Spy evs);                         \
+\             : parts(spies evs);                         \
-\           Nonce NB ~: analz (sees Spy evs);                \
+\           Nonce NB ~: analz (spies evs);                \
 \           evs : ns_public |]                               \
 \        ==> A=A' & NA=NA' & B=B'";
 by (prove_unique_tac lemma 1);
 qed "unique_NB";
 (*Secrecy: Spy does not see the nonce sent in msg NS2 if A and B are secure*)
 goal thy
 "!!evs. [| Says B A (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
 \             : set evs;                                              \
-\           A ~: lost;  B ~: lost;  evs : ns_public |]                \
+\           A ~: bad;  B ~: bad;  evs : ns_public |]                \
-\ ==> Nonce NB ~: analz (sees Spy evs)";
+\ ==> Nonce NB ~: analz (spies evs)";
 by (etac rev_mp 1);
 by (analz_induct_tac 1);
 (*NS3*)
-by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj, unique_NB]) 4);
+by (blast_tac (!claset addDs [Says_imp_spies RS parts.Inj, unique_NB]) 4);
 (*NS1*)
-by (blast_tac (!claset addSEs sees_Spy_partsEs) 2);
+by (blast_tac (!claset addSEs spies_partsEs) 2);
 (*Fake*)
 by (spy_analz_tac 1);
 (*NS2*)
 by (Step_tac 1);
-by (blast_tac (!claset addSEs sees_Spy_partsEs) 3);
+by (blast_tac (!claset addSEs spies_partsEs) 3);
-by (blast_tac (!claset addSDs [Says_imp_sees_Spy RS parts.Inj]
+by (blast_tac (!claset addSDs [Says_imp_spies RS parts.Inj]
 addEs  [no_nonce_NS1_NS2 RSN (2, rev_notE)]) 2);
 by (blast_tac (!claset addSIs [impOfSubs analz_subset_parts]) 1);
 qed "Spy_not_see_NB";
 in message 2, then A has sent message 3.*)
 goal thy
 "!!evs. [| Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
 \             : set evs;                                               \
 \           Says A' B (Crypt (pubK B) (Nonce NB)): set evs;            \
-\           A ~: lost;  B ~: lost;  evs : ns_public |]                 \
+\           A ~: bad;  B ~: bad;  evs : ns_public |]                 \
 \        ==> Says A B (Crypt (pubK B) (Nonce NB)) : set evs";
 by (etac rev_mp 1);
 (*prepare induction over Crypt (pubK B) NB : parts H*)
-by (etac (Says_imp_sees_Spy RS parts.Inj RS rev_mp) 1);
+by (etac (Says_imp_spies RS parts.Inj RS rev_mp) 1);
 by (parts_induct_tac 1);
 (*NS1*)
-by (blast_tac (!claset addSEs sees_Spy_partsEs) 2);
+by (blast_tac (!claset addSEs spies_partsEs) 2);
 (*Fake*)
 by (blast_tac (!claset addSDs [impOfSubs Fake_parts_insert]
 addDs  [Spy_not_see_NB,
 			       impOfSubs analz_subset_parts]) 1);
 (*NS3; not clear why blast_tac needs to be preceeded by Step_tac*)
 by (Step_tac 1);
-by (blast_tac (!claset addDs [Says_imp_sees_Spy RS parts.Inj,
+by (blast_tac (!claset addDs [Says_imp_spies RS parts.Inj,
 			      Spy_not_see_NB, unique_NB]) 1);
 qed "B_trusts_NS3";
 (**** Overall guarantee for B*)
 (*Matches only NS2, not NS1 (or NS3)*)
-val Says_imp_sees_Spy' =
+val Says_imp_spies' =
-read_instantiate [("X","Crypt ?K {|?XX,?YY,?ZZ|}")] Says_imp_sees_Spy;
+read_instantiate [("X","Crypt ?K {|?XX,?YY,?ZZ|}")] Says_imp_spies;
 (*If B receives NS3 and the nonce NB agrees with the nonce he joined with
 NA, then A initiated the run using NA.  SAME proof as B_trusts_NS3!*)
 goal thy
 "!!evs. [| Says B A  (Crypt (pubK A) {|Nonce NA, Nonce NB, Agent B|}) \
 \             : set evs;                                               \
 \           Says A' B (Crypt (pubK B) (Nonce NB)): set evs;            \
-\           A ~: lost;  B ~: lost;  evs : ns_public |]                 \
+\           A ~: bad;  B ~: bad;  evs : ns_public |]                 \
 \    ==> Says A B (Crypt (pubK B) {|Nonce NA, Agent A|}) : set evs";
 by (etac rev_mp 1);
 (*prepare induction over Crypt (pubK B) {|NB|} : parts H*)
-by (etac (Says_imp_sees_Spy RS parts.Inj RS rev_mp) 1);
+by (etac (Says_imp_spies RS parts.Inj RS rev_mp) 1);
 by (etac ns_public.induct 1);
 by (ALLGOALS Asm_simp_tac);
 (*Fake, NS2, NS3*)
 (*NS1*)
-by (blast_tac (!claset addSEs sees_Spy_partsEs) 2);
+by (blast_tac (!claset addSEs spies_partsEs) 2);
 (*Fake*)
 by (REPEAT_FIRST (resolve_tac [impI, conjI]));
 by (Blast_tac 1);
 by (forward_tac [Spy_not_see_NB] 1 THEN REPEAT (assume_tac 1));
 by (blast_tac (!claset addSIs [disjI2]
 addDs [impOfSubs analz_subset_parts,
 impOfSubs Fake_parts_insert]) 1);
 (*NS3*)
 by (Step_tac 1);
 by (forward_tac [Spy_not_see_NB] 1 THEN REPEAT (assume_tac 1));
-by (blast_tac (!claset addSDs [Says_imp_sees_Spy' RS parts.Inj]
+by (blast_tac (!claset addSDs [Says_imp_spies' RS parts.Inj]
 addDs  [unique_NB]) 1);
 qed "B_trusts_protocol";

changeset 3683	aafe719dff14
parent 3675	70dd312b70b2
child 3709	c13c2137e9ee