161 We have infinitely many agents and there is nothing to stop their |
161 We have infinitely many agents and there is nothing to stop their |
162 long-term keys from exhausting all the natural numbers. Instead, |
162 long-term keys from exhausting all the natural numbers. Instead, |
163 possibility theorems must assume the existence of a few keys.*} |
163 possibility theorems must assume the existence of a few keys.*} |
164 |
164 |
165 |
165 |
|
166 subsection{*Specialized Rewriting for Theorems About @{term analz} and Image*} |
|
167 |
|
168 lemma subset_Compl_range: "A <= - (range shrK) ==> shrK x \<notin> A" |
|
169 by blast |
|
170 |
|
171 lemma insert_Key_singleton: "insert (Key K) H = Key ` {K} \<union> H" |
|
172 by blast |
|
173 |
|
174 lemma insert_Key_image: "insert (Key K) (Key`KK \<union> C) = Key`(insert K KK) \<union> C" |
|
175 by blast |
|
176 |
|
177 (** Reverse the normal simplification of "image" to build up (not break down) |
|
178 the set of keys. Use analz_insert_eq with (Un_upper2 RS analz_mono) to |
|
179 erase occurrences of forwarded message components (X). **) |
|
180 |
|
181 lemmas analz_image_freshK_simps = |
|
182 simp_thms mem_simps --{*these two allow its use with @{text "only:"}*} |
|
183 disj_comms |
|
184 image_insert [THEN sym] image_Un [THEN sym] empty_subsetI insert_subset |
|
185 analz_insert_eq Un_upper2 [THEN analz_mono, THEN [2] rev_subsetD] |
|
186 insert_Key_singleton subset_Compl_range |
|
187 Key_not_used insert_Key_image Un_assoc [THEN sym] |
|
188 |
|
189 (*Lemma for the trivial direction of the if-and-only-if*) |
|
190 lemma analz_image_freshK_lemma: |
|
191 "(Key K \<in> analz (Key`nE \<union> H)) --> (K \<in> nE | Key K \<in> analz H) ==> |
|
192 (Key K \<in> analz (Key`nE \<union> H)) = (K \<in> nE | Key K \<in> analz H)" |
|
193 by (blast intro: analz_mono [THEN [2] rev_subsetD]) |
|
194 |
|
195 |
166 subsection{*Tactics for possibility theorems*} |
196 subsection{*Tactics for possibility theorems*} |
167 |
197 |
168 ML |
198 ML |
169 {* |
199 {* |
170 val inj_shrK = thm "inj_shrK"; |
200 structure Shared = |
171 val isSym_keys = thm "isSym_keys"; |
201 struct |
172 val Nonce_supply = thm "Nonce_supply"; |
202 |
173 val invKey_K = thm "invKey_K"; |
|
174 val analz_Decrypt' = thm "analz_Decrypt'"; |
|
175 val keysFor_parts_initState = thm "keysFor_parts_initState"; |
|
176 val keysFor_parts_insert = thm "keysFor_parts_insert"; |
|
177 val Crypt_imp_keysFor = thm "Crypt_imp_keysFor"; |
|
178 val Spy_knows_Spy_bad = thm "Spy_knows_Spy_bad"; |
|
179 val Crypt_Spy_analz_bad = thm "Crypt_Spy_analz_bad"; |
|
180 val shrK_in_initState = thm "shrK_in_initState"; |
|
181 val shrK_in_used = thm "shrK_in_used"; |
|
182 val Key_not_used = thm "Key_not_used"; |
|
183 val shrK_neq = thm "shrK_neq"; |
|
184 val Nonce_notin_initState = thm "Nonce_notin_initState"; |
|
185 val Nonce_notin_used_empty = thm "Nonce_notin_used_empty"; |
|
186 val Nonce_supply_lemma = thm "Nonce_supply_lemma"; |
|
187 val Nonce_supply1 = thm "Nonce_supply1"; |
|
188 val Nonce_supply2 = thm "Nonce_supply2"; |
|
189 val Nonce_supply3 = thm "Nonce_supply3"; |
|
190 val Nonce_supply = thm "Nonce_supply"; |
|
191 *} |
|
192 |
|
193 |
|
194 ML |
|
195 {* |
|
196 (*Omitting used_Says makes the tactic much faster: it leaves expressions |
203 (*Omitting used_Says makes the tactic much faster: it leaves expressions |
197 such as Nonce ?N \<notin> used evs that match Nonce_supply*) |
204 such as Nonce ?N \<notin> used evs that match Nonce_supply*) |
198 fun possibility_tac ctxt = |
205 fun possibility_tac ctxt = |
199 (REPEAT |
206 (REPEAT |
200 (ALLGOALS (simp_tac (local_simpset_of ctxt delsimps [used_Says, used_Notes, used_Gets] |
207 (ALLGOALS (simp_tac (local_simpset_of ctxt |
201 setSolver safe_solver)) |
208 delsimps [@{thm used_Says}, @{thm used_Notes}, @{thm used_Gets}] |
|
209 setSolver safe_solver)) |
202 THEN |
210 THEN |
203 REPEAT_FIRST (eq_assume_tac ORELSE' |
211 REPEAT_FIRST (eq_assume_tac ORELSE' |
204 resolve_tac [refl, conjI, Nonce_supply]))) |
212 resolve_tac [refl, conjI, @{thm Nonce_supply}]))) |
205 |
213 |
206 (*For harder protocols (such as Recur) where we have to set up some |
214 (*For harder protocols (such as Recur) where we have to set up some |
207 nonces and keys initially*) |
215 nonces and keys initially*) |
208 fun basic_possibility_tac ctxt = |
216 fun basic_possibility_tac ctxt = |
209 REPEAT |
217 REPEAT |
210 (ALLGOALS (asm_simp_tac (local_simpset_of ctxt setSolver safe_solver)) |
218 (ALLGOALS (asm_simp_tac (local_simpset_of ctxt setSolver safe_solver)) |
211 THEN |
219 THEN |
212 REPEAT_FIRST (resolve_tac [refl, conjI])) |
220 REPEAT_FIRST (resolve_tac [refl, conjI])) |
213 *} |
221 |
214 |
222 |
215 subsection{*Specialized Rewriting for Theorems About @{term analz} and Image*} |
223 val analz_image_freshK_ss = |
216 |
224 @{simpset} delsimps [image_insert, image_Un] |
217 lemma subset_Compl_range: "A <= - (range shrK) ==> shrK x \<notin> A" |
225 delsimps [@{thm imp_disjL}] (*reduces blow-up*) |
218 by blast |
226 addsimps @{thms analz_image_freshK_simps} |
219 |
227 |
220 lemma insert_Key_singleton: "insert (Key K) H = Key ` {K} \<union> H" |
228 end |
221 by blast |
|
222 |
|
223 lemma insert_Key_image: "insert (Key K) (Key`KK \<union> C) = Key`(insert K KK) \<union> C" |
|
224 by blast |
|
225 |
|
226 (** Reverse the normal simplification of "image" to build up (not break down) |
|
227 the set of keys. Use analz_insert_eq with (Un_upper2 RS analz_mono) to |
|
228 erase occurrences of forwarded message components (X). **) |
|
229 |
|
230 lemmas analz_image_freshK_simps = |
|
231 simp_thms mem_simps --{*these two allow its use with @{text "only:"}*} |
|
232 disj_comms |
|
233 image_insert [THEN sym] image_Un [THEN sym] empty_subsetI insert_subset |
|
234 analz_insert_eq Un_upper2 [THEN analz_mono, THEN [2] rev_subsetD] |
|
235 insert_Key_singleton subset_Compl_range |
|
236 Key_not_used insert_Key_image Un_assoc [THEN sym] |
|
237 |
|
238 (*Lemma for the trivial direction of the if-and-only-if*) |
|
239 lemma analz_image_freshK_lemma: |
|
240 "(Key K \<in> analz (Key`nE \<union> H)) --> (K \<in> nE | Key K \<in> analz H) ==> |
|
241 (Key K \<in> analz (Key`nE \<union> H)) = (K \<in> nE | Key K \<in> analz H)" |
|
242 by (blast intro: analz_mono [THEN [2] rev_subsetD]) |
|
243 |
|
244 ML |
|
245 {* |
|
246 val analz_image_freshK_lemma = thm "analz_image_freshK_lemma"; |
|
247 |
|
248 val analz_image_freshK_ss = |
|
249 simpset() delsimps [image_insert, image_Un] |
|
250 delsimps [imp_disjL] (*reduces blow-up*) |
|
251 addsimps thms "analz_image_freshK_simps" |
|
252 *} |
229 *} |
253 |
230 |
254 |
231 |
255 |
232 |
256 (*Lets blast_tac perform this step without needing the simplifier*) |
233 (*Lets blast_tac perform this step without needing the simplifier*) |
262 |
239 |
263 method_setup analz_freshK = {* |
240 method_setup analz_freshK = {* |
264 Method.ctxt_args (fn ctxt => |
241 Method.ctxt_args (fn ctxt => |
265 (Method.SIMPLE_METHOD |
242 (Method.SIMPLE_METHOD |
266 (EVERY [REPEAT_FIRST (resolve_tac [allI, ballI, impI]), |
243 (EVERY [REPEAT_FIRST (resolve_tac [allI, ballI, impI]), |
267 REPEAT_FIRST (rtac analz_image_freshK_lemma), |
244 REPEAT_FIRST (rtac @{thm analz_image_freshK_lemma}), |
268 ALLGOALS (asm_simp_tac (Simplifier.context ctxt analz_image_freshK_ss))]))) *} |
245 ALLGOALS (asm_simp_tac (Simplifier.context ctxt Shared.analz_image_freshK_ss))]))) *} |
269 "for proving the Session Key Compromise theorem" |
246 "for proving the Session Key Compromise theorem" |
270 |
247 |
271 method_setup possibility = {* |
248 method_setup possibility = {* |
272 Method.ctxt_args (fn ctxt => |
249 Method.ctxt_args (fn ctxt => |
273 Method.SIMPLE_METHOD (possibility_tac ctxt)) *} |
250 Method.SIMPLE_METHOD (Shared.possibility_tac ctxt)) *} |
274 "for proving possibility theorems" |
251 "for proving possibility theorems" |
275 |
252 |
276 method_setup basic_possibility = {* |
253 method_setup basic_possibility = {* |
277 Method.ctxt_args (fn ctxt => |
254 Method.ctxt_args (fn ctxt => |
278 Method.SIMPLE_METHOD (basic_possibility_tac ctxt)) *} |
255 Method.SIMPLE_METHOD (Shared.basic_possibility_tac ctxt)) *} |
279 "for proving possibility theorems" |
256 "for proving possibility theorems" |
280 |
257 |
281 lemma knows_subset_knows_Cons: "knows A evs <= knows A (e # evs)" |
258 lemma knows_subset_knows_Cons: "knows A evs <= knows A (e # evs)" |
282 by (induct e) (auto simp: knows_Cons) |
259 by (induct e) (auto simp: knows_Cons) |
283 |
260 |