# HG changeset patch # User paulson # Date 1666267026 -3600 # Node ID d72a8cdca1ab43990739676aefda54da084e0891 # Parent fdb91b733b6574c4b2bb2f6d04b2ce59aa90d8c6 tidying of ugly legacy proofs diff -r fdb91b733b65 -r d72a8cdca1ab src/HOL/Auth/Event.thy --- a/src/HOL/Auth/Event.thy Wed Oct 19 15:34:41 2022 +0100 +++ b/src/HOL/Auth/Event.thy Thu Oct 20 12:57:06 2022 +0100 @@ -12,7 +12,7 @@ theory Event imports Message begin -consts (*Initial states of agents -- parameter of the construction*) +consts \ \Initial states of agents --- a parameter of the construction\ initState :: "agent \ msg set" datatype @@ -58,12 +58,10 @@ abbreviation (input) spies :: "event list \ msg set" where - "spies == knows Spy" + "spies \ knows Spy" -(*Set of items that might be visible to somebody: - complement of the set of fresh items*) - +text \Set of items that might be visible to somebody: complement of the set of fresh items\ primrec used :: "event list \ msg set" where used_Nil: "used [] = (UN B. parts (initState B))" @@ -76,15 +74,11 @@ follows \<^term>\Says\ in real protocols. Seems difficult to change. See \Gets_correct\ in theory \Guard/Extensions.thy\.\ -lemma Notes_imp_used [rule_format]: "Notes A X \ set evs \ X \ used evs" -apply (induct_tac evs) -apply (auto split: event.split) -done +lemma Notes_imp_used: "Notes A X \ set evs \ X \ used evs" + by (induct evs) (auto split: event.split) -lemma Says_imp_used [rule_format]: "Says A B X \ set evs \ X \ used evs" -apply (induct_tac evs) -apply (auto split: event.split) -done +lemma Says_imp_used: "Says A B X \ set evs \ X \ used evs" + by (induct evs) (auto split: event.split) subsection\Function \<^term>\knows\\ @@ -95,43 +89,39 @@ lemmas parts_insert_knows_A = parts_insert [of _ "knows A evs"] for A evs lemma knows_Spy_Says [simp]: - "knows Spy (Says A B X # evs) = insert X (knows Spy evs)" -by simp + "knows Spy (Says A B X # evs) = insert X (knows Spy evs)" + by simp text\Letting the Spy see "bad" agents' notes avoids redundant case-splits on whether \<^term>\A=Spy\ and whether \<^term>\A\bad\\ lemma knows_Spy_Notes [simp]: - "knows Spy (Notes A X # evs) = + "knows Spy (Notes A X # evs) = (if A\bad then insert X (knows Spy evs) else knows Spy evs)" -by simp + by simp lemma knows_Spy_Gets [simp]: "knows Spy (Gets A X # evs) = knows Spy evs" -by simp + by simp lemma knows_Spy_subset_knows_Spy_Says: - "knows Spy evs \ knows Spy (Says A B X # evs)" -by (simp add: subset_insertI) + "knows Spy evs \ knows Spy (Says A B X # evs)" + by (simp add: subset_insertI) lemma knows_Spy_subset_knows_Spy_Notes: - "knows Spy evs \ knows Spy (Notes A X # evs)" -by force + "knows Spy evs \ knows Spy (Notes A X # evs)" + by force lemma knows_Spy_subset_knows_Spy_Gets: - "knows Spy evs \ knows Spy (Gets A X # evs)" -by (simp add: subset_insertI) + "knows Spy evs \ knows Spy (Gets A X # evs)" + by (simp add: subset_insertI) text\Spy sees what is sent on the traffic\ -lemma Says_imp_knows_Spy [rule_format]: - "Says A B X \ set evs \ X \ knows Spy evs" -apply (induct_tac "evs") -apply (simp_all (no_asm_simp) split: event.split) -done +lemma Says_imp_knows_Spy: + "Says A B X \ set evs \ X \ knows Spy evs" + by (induct evs) (auto split: event.split) lemma Notes_imp_knows_Spy [rule_format]: - "Notes A X \ set evs \ A \ bad \ X \ knows Spy evs" -apply (induct_tac "evs") -apply (simp_all (no_asm_simp) split: event.split) -done + "Notes A X \ set evs \ A \ bad \ X \ knows Spy evs" + by (induct evs) (auto split: event.split) text\Elimination rules: derive contradictions from old Says events containing @@ -153,85 +143,64 @@ subsection\Knowledge of Agents\ lemma knows_subset_knows_Says: "knows A evs \ knows A (Says A' B X # evs)" -by (simp add: subset_insertI) + by (simp add: subset_insertI) lemma knows_subset_knows_Notes: "knows A evs \ knows A (Notes A' X # evs)" -by (simp add: subset_insertI) + by (simp add: subset_insertI) lemma knows_subset_knows_Gets: "knows A evs \ knows A (Gets A' X # evs)" -by (simp add: subset_insertI) + by (simp add: subset_insertI) text\Agents know what they say\ -lemma Says_imp_knows [rule_format]: "Says A B X \ set evs \ X \ knows A evs" -apply (induct_tac "evs") -apply (simp_all (no_asm_simp) split: event.split) -apply blast -done +lemma Says_imp_knows [rule_format]: "Says A B X \ set evs \ X \ knows A evs" + by (induct evs) (force split: event.split)+ text\Agents know what they note\ -lemma Notes_imp_knows [rule_format]: "Notes A X \ set evs \ X \ knows A evs" -apply (induct_tac "evs") -apply (simp_all (no_asm_simp) split: event.split) -apply blast -done +lemma Notes_imp_knows [rule_format]: "Notes A X \ set evs \ X \ knows A evs" + by (induct evs) (force split: event.split)+ text\Agents know what they receive\ lemma Gets_imp_knows_agents [rule_format]: - "A \ Spy \ Gets A X \ set evs \ X \ knows A evs" -apply (induct_tac "evs") -apply (simp_all (no_asm_simp) split: event.split) -done - + "A \ Spy \ Gets A X \ set evs \ X \ knows A evs" + by (induct evs) (force split: event.split)+ text\What agents DIFFERENT FROM Spy know was either said, or noted, or got, or known initially\ -lemma knows_imp_Says_Gets_Notes_initState [rule_format]: - "\X \ knows A evs; A \ Spy\ \ \ B. - Says A B X \ set evs \ Gets A X \ set evs \ Notes A X \ set evs \ X \ initState A" -apply (erule rev_mp) -apply (induct_tac "evs") -apply (simp_all (no_asm_simp) split: event.split) -apply blast -done +lemma knows_imp_Says_Gets_Notes_initState: + "\X \ knows A evs; A \ Spy\ \ + \B. Says A B X \ set evs \ Gets A X \ set evs \ Notes A X \ set evs \ X \ initState A" + by(induct evs) (auto split: event.split_asm if_split_asm) text\What the Spy knows -- for the time being -- was either said or noted, or known initially\ -lemma knows_Spy_imp_Says_Notes_initState [rule_format]: - "X \ knows Spy evs \ \A B. - Says A B X \ set evs \ Notes A X \ set evs \ X \ initState Spy" -apply (erule rev_mp) -apply (induct_tac "evs") -apply (simp_all (no_asm_simp) split: event.split) -apply blast -done +lemma knows_Spy_imp_Says_Notes_initState: + "X \ knows Spy evs \ + \A B. Says A B X \ set evs \ Notes A X \ set evs \ X \ initState Spy" + by(induct evs) (auto split: event.split_asm if_split_asm) lemma parts_knows_Spy_subset_used: "parts (knows Spy evs) \ used evs" -apply (induct_tac "evs", force) -apply (simp add: parts_insert_knows_A knows_Cons add: event.split, blast) -done + by (induct evs) (auto simp: parts_insert_knows_A split: event.split_asm if_split_asm) lemmas usedI = parts_knows_Spy_subset_used [THEN subsetD, intro] lemma initState_into_used: "X \ parts (initState B) \ X \ used evs" -apply (induct_tac "evs") -apply (simp_all add: parts_insert_knows_A split: event.split, blast) -done + by (induct evs) (auto simp: parts_insert_knows_A split: event.split) + +text \New simprules to replace the primitive ones for @{term used} and @{term knows}\ lemma used_Says [simp]: "used (Says A B X # evs) = parts{X} \ used evs" -by simp + by simp lemma used_Notes [simp]: "used (Notes A X # evs) = parts{X} \ used evs" -by simp + by simp lemma used_Gets [simp]: "used (Gets A X # evs) = used evs" -by simp + by simp lemma used_nil_subset: "used [] \ used evs" -apply simp -apply (blast intro: initState_into_used) -done + using initState_into_used by auto -text\NOTE REMOVAL--laws above are cleaner, as they don't involve "case"\ +text\NOTE REMOVAL: the laws above are cleaner, as they don't involve "case"\ declare knows_Cons [simp del] used_Nil [simp del] used_Cons [simp del] @@ -248,13 +217,10 @@ lemma knows_subset_knows_Cons: "knows A evs \ knows A (e # evs)" -by (cases e, auto simp: knows_Cons) + by (cases e, auto simp: knows_Cons) lemma initState_subset_knows: "initState A \ knows A evs" -apply (induct_tac evs, simp) -apply (blast intro: knows_subset_knows_Cons [THEN subsetD]) -done - + by (induct evs) (use knows_subset_knows_Cons in fastforce)+ text\For proving \new_keys_not_used\\ lemma keysFor_parts_insert: