diff -r 4939494ed791 -r ce654b0e6d69 src/HOL/Auth/Event.thy --- a/src/HOL/Auth/Event.thy Tue Feb 13 14:24:50 2018 +0100 +++ b/src/HOL/Auth/Event.thy Thu Feb 15 12:11:00 2018 +0100 @@ -13,7 +13,7 @@ theory Event imports Message begin consts (*Initial states of agents -- parameter of the construction*) - initState :: "agent => msg set" + initState :: "agent \ msg set" datatype event = Says agent agent msg @@ -29,24 +29,24 @@ Server_not_bad [iff]: "Server \ bad" by (rule exI [of _ "{Spy}"], simp) -primrec knows :: "agent => event list => msg set" +primrec knows :: "agent \ event list \ msg set" where knows_Nil: "knows A [] = initState A" | knows_Cons: "knows A (ev # evs) = (if A = Spy then (case ev of - Says A' B X => insert X (knows Spy evs) - | Gets A' X => knows Spy evs - | Notes A' X => + Says A' B X \ insert X (knows Spy evs) + | Gets A' X \ knows Spy evs + | Notes A' X \ if A' \ bad then insert X (knows Spy evs) else knows Spy evs) else (case ev of - Says A' B X => + Says A' B X \ if A'=A then insert X (knows A evs) else knows A evs - | Gets A' X => + | Gets A' X \ if A'=A then insert X (knows A evs) else knows A evs - | Notes A' X => + | Notes A' X \ if A'=A then insert X (knows A evs) else knows A evs))" (* Case A=Spy on the Gets event @@ -57,31 +57,31 @@ text\The constant "spies" is retained for compatibility's sake\ abbreviation (input) - spies :: "event list => msg set" where + spies :: "event list \ msg set" where "spies == knows Spy" (*Set of items that might be visible to somebody: complement of the set of fresh items*) -primrec used :: "event list => msg set" +primrec used :: "event list \ msg set" where used_Nil: "used [] = (UN B. parts (initState B))" | used_Cons: "used (ev # evs) = (case ev of - Says A B X => parts {X} \ used evs - | Gets A X => used evs - | Notes A X => parts {X} \ used evs)" + Says A B X \ parts {X} \ used evs + | Gets A X \ used evs + | Notes A X \ parts {X} \ used evs)" \ \The case for @{term Gets} seems anomalous, but @{term Gets} always follows @{term Says} in real protocols. Seems difficult to change. See \Gets_correct\ in theory \Guard/Extensions.thy\.\ -lemma Notes_imp_used [rule_format]: "Notes A X \ set evs --> X \ used evs" +lemma Notes_imp_used [rule_format]: "Notes A X \ set evs \ X \ used evs" apply (induct_tac evs) apply (auto split: event.split) done -lemma Says_imp_used [rule_format]: "Says A B X \ set evs --> X \ used evs" +lemma Says_imp_used [rule_format]: "Says A B X \ set evs \ X \ used evs" apply (induct_tac evs) apply (auto split: event.split) done @@ -102,7 +102,7 @@ on whether @{term "A=Spy"} and whether @{term "A\bad"}\ lemma knows_Spy_Notes [simp]: "knows Spy (Notes A X # evs) = - (if A:bad then insert X (knows Spy evs) else knows Spy evs)" + (if A\bad then insert X (knows Spy evs) else knows Spy evs)" by simp lemma knows_Spy_Gets [simp]: "knows Spy (Gets A X # evs) = knows Spy evs" @@ -122,13 +122,13 @@ text\Spy sees what is sent on the traffic\ lemma Says_imp_knows_Spy [rule_format]: - "Says A B X \ set evs --> X \ knows Spy evs" + "Says A B X \ set evs \ X \ knows Spy evs" apply (induct_tac "evs") apply (simp_all (no_asm_simp) split: event.split) done lemma Notes_imp_knows_Spy [rule_format]: - "Notes A X \ set evs --> A: bad --> X \ knows Spy evs" + "Notes A X \ set evs \ A \ bad \ X \ knows Spy evs" apply (induct_tac "evs") apply (simp_all (no_asm_simp) split: event.split) done @@ -162,14 +162,14 @@ by (simp add: subset_insertI) text\Agents know what they say\ -lemma Says_imp_knows [rule_format]: "Says A B X \ set evs --> X \ knows A evs" +lemma Says_imp_knows [rule_format]: "Says A B X \ set evs \ X \ knows A evs" apply (induct_tac "evs") apply (simp_all (no_asm_simp) split: event.split) apply blast done text\Agents know what they note\ -lemma Notes_imp_knows [rule_format]: "Notes A X \ set evs --> X \ knows A evs" +lemma Notes_imp_knows [rule_format]: "Notes A X \ set evs \ X \ knows A evs" apply (induct_tac "evs") apply (simp_all (no_asm_simp) split: event.split) apply blast @@ -177,7 +177,7 @@ text\Agents know what they receive\ lemma Gets_imp_knows_agents [rule_format]: - "A \ Spy --> Gets A X \ set evs --> X \ knows A evs" + "A \ Spy \ Gets A X \ set evs \ X \ knows A evs" apply (induct_tac "evs") apply (simp_all (no_asm_simp) split: event.split) done @@ -186,8 +186,8 @@ text\What agents DIFFERENT FROM Spy know was either said, or noted, or got, or known initially\ lemma knows_imp_Says_Gets_Notes_initState [rule_format]: - "[| X \ knows A evs; A \ Spy |] ==> EX B. - Says A B X \ set evs | Gets A X \ set evs | Notes A X \ set evs | X \ initState A" + "[| X \ knows A evs; A \ Spy |] ==> \ B. + Says A B X \ set evs \ Gets A X \ set evs \ Notes A X \ set evs \ X \ initState A" apply (erule rev_mp) apply (induct_tac "evs") apply (simp_all (no_asm_simp) split: event.split) @@ -197,8 +197,8 @@ text\What the Spy knows -- for the time being -- was either said or noted, or known initially\ lemma knows_Spy_imp_Says_Notes_initState [rule_format]: - "[| X \ knows Spy evs |] ==> EX A B. - Says A B X \ set evs | Notes A X \ set evs | X \ initState Spy" + "X \ knows Spy evs \ \A B. + Says A B X \ set evs \ Notes A X \ set evs \ X \ initState Spy" apply (erule rev_mp) apply (induct_tac "evs") apply (simp_all (no_asm_simp) split: event.split) @@ -212,7 +212,7 @@ lemmas usedI = parts_knows_Spy_subset_used [THEN subsetD, intro] -lemma initState_into_used: "X \ parts (initState B) ==> X \ used evs" +lemma initState_into_used: "X \ parts (initState B) \ X \ used evs" apply (induct_tac "evs") apply (simp_all add: parts_insert_knows_A split: event.split, blast) done @@ -236,7 +236,7 @@ used_Nil [simp del] used_Cons [simp del] -text\For proving theorems of the form @{term "X \ analz (knows Spy evs) --> P"} +text\For proving theorems of the form @{term "X \ analz (knows Spy evs) \ P"} New events added by induction to "evs" are discarded. Provided this information isn't needed, the proof will be much shorter, since it will omit complicated reasoning about @{term analz}.\ @@ -278,7 +278,7 @@ method_setup analz_mono_contra = \ Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (analz_mono_contra_tac ctxt)))\ - "for proving theorems of the form X \ analz (knows Spy evs) --> P" + "for proving theorems of the form X \ analz (knows Spy evs) \ P" subsubsection\Useful for case analysis on whether a hash is a spoof or not\ @@ -299,6 +299,6 @@ method_setup synth_analz_mono_contra = \ Scan.succeed (fn ctxt => SIMPLE_METHOD (REPEAT_FIRST (synth_analz_mono_contra_tac ctxt)))\ - "for proving theorems of the form X \ synth (analz (knows Spy evs)) --> P" + "for proving theorems of the form X \ synth (analz (knows Spy evs)) \ P" end