Quelle  Message.thy

(*  Title:      HOL/Auth/Message.thy
  Author: Lawrence C Paulson, Cambridge University Computer Laboratory
  Copyright 1996 University of Cambridge
 
 Datatypes of agents and messages;
 Inductive relations "parts", "analz" and "synth"
*)

section‹Theory of Agents and Messages for Security Protocols›

theory Message
imports Main
begin

(*Needed occasionally with spy_analz_tac, e.g. in analz_insert_Key_newK*)
lemma [simp] : "A ∪ (B ∪ A) = B ∪ A"
  by blast

type_synonym
  key = nat

consts
  all_symmetric :: bool        🍋 ‹true if all keys are symmetric›
  invKey        :: "key==>key"  🍋 ‹inverse of a symmetric key›

specification (invKey)
  invKey [simp]: "invKey (invKey K) = K"
  invKey_symmetric: "all_symmetric ⟶ invKey = id"
    by (rule exI [of _ id], auto)


text‹The inverse of a symmetric key is itself; that of a public key
  is the private key and vice versa›

definition symKeys :: "key set" where
  "symKeys == {K. invKey K = K}"

datatype  🍋 ‹We allow any number of friendly agents›
  agent = Server | Friend nat | Spy

datatype
     msg = Agent  agent     🍋 ‹Agent names›
         | Number nat       🍋 ‹Ordinary integers, timestamps, ...›
         | Nonce  nat       🍋 ‹Unguessable nonces›
         | Key    key       🍋 ‹Crypto keys›
         | Hash   msg       🍋 ‹Hashing›
         | MPair  msg msg   🍋 ‹Compound messages›
         | Crypt  key msg   🍋 ‹Encryption, public- or shared-key›


text‹Concrete syntax: messages appear as ‹{A,B,NA}›, etc...›
syntax
  "_MTuple" :: "['a, args] ==> 'a * 'b"  (‹(‹indent=2 notation=‹mixfix message tuple›\›\})›)
syntax_consts
  "_MTuple" ⇌ MPair
translations
  "{x, y, z}" ⇌ "{x, {y, z}}"
  "{x, y}" ⇌ "CONST MPair x y"


definition HPair :: "[msg,msg] ==> msg" (‹(4Hash[_] /_)› [0, 1000]) where
    🍋 ‹Message Y paired with a MAC computed with the help of X›
    "Hash[X] Y == {Hash{X,Y}, Y}"

definition keysFor :: "msg set ==> key set" where
    🍋 ‹Keys useful to decrypt elements of a message set›
  "keysFor H == invKey ` {K. ∃X. Crypt K X ∈ H}"


subsection‹Inductive Definition of All Parts of a Message›

inductive_set
  parts :: "msg set ==> msg set"
  for H :: "msg set"
  where
    Inj [intro]: "X ∈ H ==> X ∈ parts H"
  | Fst:         "{X,Y} ∈ parts H ==> X ∈ parts H"
  | Snd:         "{X,Y} ∈ parts H ==> Y ∈ parts H"
  | Body:        "Crypt K X ∈ parts H ==> X ∈ parts H"


text‹Monotonicity›
lemma parts_mono_aux: "[G ⊆ H; X ∈ parts G] ==> X ∈ parts H"
  by (erule parts.induct) (auto dest: parts.Fst parts.Snd parts.Body)

lemma parts_mono: "G ⊆ H ==> parts(G) ⊆ parts(H)"
  using parts_mono_aux by blast


text‹Equations hold because constructors are injective.›
lemma Friend_image_eq [simp]: "(Friend x ∈ Friend`A) = (x ∈A)"
  by auto

lemma Key_image_eq [simp]: "(Key x ∈ Key`A) = (x ∈A)"
  by auto

lemma Nonce_Key_image_eq [simp]: "(Nonce x ∉ Key`A)"
  by auto


subsection‹Inverse of keys›

lemma invKey_eq [simp]: "(invKey K = invKey K') = (K=K')"
  by (metis invKey)


subsection‹The @{term keysFor} operator›

lemma keysFor_empty [simp]: "keysFor {} = {}"
    unfolding keysFor_def by blast

lemma keysFor_Un [simp]: "keysFor (H ∪ H') = keysFor H ∪ keysFor H'"
    unfolding keysFor_def by blast

lemma keysFor_UN [simp]: "keysFor (∪i ∈A. H i) = (∪i ∈A. keysFor (H i))"
    unfolding keysFor_def by blast

text‹Monotonicity›
lemma keysFor_mono: "G ⊆ H ==> keysFor(G) ⊆ keysFor(H)"
  unfolding keysFor_def by blast

lemma keysFor_insert_Agent [simp]: "keysFor (insert (Agent A) H) = keysFor H"
  unfolding keysFor_def by auto

lemma keysFor_insert_Nonce [simp]: "keysFor (insert (Nonce N) H) = keysFor H"
  unfolding keysFor_def by auto

lemma keysFor_insert_Number [simp]: "keysFor (insert (Number N) H) = keysFor H"
  unfolding keysFor_def by auto

lemma keysFor_insert_Key [simp]: "keysFor (insert (Key K) H) = keysFor H"
  unfolding keysFor_def by auto

lemma keysFor_insert_Hash [simp]: "keysFor (insert (Hash X) H) = keysFor H"
  unfolding keysFor_def by auto

lemma keysFor_insert_MPair [simp]: "keysFor (insert {X,Y} H) = keysFor H"
  unfolding keysFor_def by auto

lemma keysFor_insert_Crypt [simp]: 
    "keysFor (insert (Crypt K X) H) = insert (invKey K) (keysFor H)"
  unfolding keysFor_def by auto

lemma keysFor_image_Key [simp]: "keysFor (Key`E) = {}"
  unfolding keysFor_def by auto

lemma Crypt_imp_invKey_keysFor: "Crypt K X ∈ H ==> invKey K ∈ keysFor H"
  unfolding keysFor_def by blast


subsection‹Inductive relation "parts"›

lemma MPair_parts:
  "[{X,Y} ∈ parts H;
         [X ∈ parts H; Y ∈ parts H] ==> P] ==> P"
  by (blast dest: parts.Fst parts.Snd) 

declare MPair_parts [elim!]  parts.Body [dest!]
text‹NB These two rules are UNSAFE in the formal sense, as they discard the
  compound message. They work well on THIS FILE.
  ‹MPair_parts› i
  The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.›

lemma parts_increasing: "H ⊆ parts(H)"
  by blast

lemmas parts_insertI = subset_insertI [THEN parts_mono, THEN subsetD]

lemma parts_empty_aux: "X ∈ parts{} ==> False"
  by (induction rule: parts.induct) (blast+)

lemma parts_empty [simp]: "parts{} = {}"
  using parts_empty_aux by blast

lemma parts_emptyE [elim!]: "X ∈ parts{} ==> P"
  by simp

text‹WARNING: loops if H = {Y}, therefore must not be repeated!›
lemma parts_singleton: "X ∈ parts H ==> ∃Y ∈H. X ∈ parts {Y}"
  by (erule parts.induct, fast+)


subsubsection‹Unions›

lemma parts_Un [simp]: "parts(G ∪ H) = parts(G) ∪ parts(H)"
proof -
  have "X ∈ parts (G ∪ H) ==> X ∈ parts G ∪ parts H" for X
    by (induction rule: parts.induct) auto
  then show ?thesis
    by (simp add: order_antisym parts_mono subsetI)
qed

lemma parts_insert: "parts (insert X H) = parts {X} ∪ parts H"
  by (metis insert_is_Un parts_Un)

text‹TWO inserts to avoid looping. This rewrite is better than nothing.
  But its behaviour can be strange.›
lemma parts_insert2:
  "parts (insert X (insert Y H)) = parts {X} ∪ parts {Y} ∪ parts H"
  by (metis Un_commute Un_empty_right Un_insert_right insert_is_Un parts_Un)

lemma parts_image [simp]:
  "parts (f ` A) = (∪x ∈A. parts {f x})"
  apply auto
   apply (metis (mono_tags, opaque_lifting) image_iff parts_singleton)
  apply (metis empty_subsetI image_eqI insert_absorb insert_subset parts_mono)
  done

text‹Added to simplify arguments to parts, analz and synth.›

text‹This allows ‹blast› to simplify occurrences of 
  🍋‹parts(G∪H)› in the assumption.›
lemmas in_parts_UnE = parts_Un [THEN equalityD1, THEN subsetD, THEN UnE] 
declare in_parts_UnE [elim!]


lemma parts_insert_subset: "insert X (parts H) ⊆ parts(insert X H)"
  by (blast intro: parts_mono [THEN [2] rev_subsetD])

subsubsection‹Idempotence and transitivity›

lemma parts_partsD [dest!]: "X ∈ parts (parts H) ==> X ∈ parts H"
  by (erule parts.induct, blast+)

lemma parts_idem [simp]: "parts (parts H) = parts H"
  by blast

lemma parts_subset_iff [simp]: "(parts G ⊆ parts H) = (G ⊆ parts H)"
  by (metis parts_idem parts_increasing parts_mono subset_trans)

lemma parts_trans: "[X ∈ parts G; G ⊆ parts H] ==> X ∈ parts H"
  by (metis parts_subset_iff subsetD)

text‹Cut›
lemma parts_cut:
  "[Y ∈ parts (insert X G); X ∈ parts H] ==> Y ∈ parts (G ∪ H)" 
  by (blast intro: parts_trans) 

lemma parts_cut_eq [simp]: "X ∈ parts H ==> parts (insert X H) = parts H"
  by (metis insert_absorb parts_idem parts_insert)


subsubsection‹Rewrite rules for pulling out atomic messages›

lemmas parts_insert_eq_I = equalityI [OF subsetI parts_insert_subset]


lemma parts_insert_Agent [simp]:
  "parts (insert (Agent agt) H) = insert (Agent agt) (parts H)"
  apply (rule parts_insert_eq_I) 
  apply (erule parts.induct, auto) 
  done

lemma parts_insert_Nonce [simp]:
  "parts (insert (Nonce N) H) = insert (Nonce N) (parts H)"
  apply (rule parts_insert_eq_I) 
  apply (erule parts.induct, auto) 
  done

lemma parts_insert_Number [simp]:
  "parts (insert (Number N) H) = insert (Number N) (parts H)"
  apply (rule parts_insert_eq_I) 
  apply (erule parts.induct, auto) 
  done

lemma parts_insert_Key [simp]:
  "parts (insert (Key K) H) = insert (Key K) (parts H)"
  apply (rule parts_insert_eq_I) 
  apply (erule parts.induct, auto) 
  done

lemma parts_insert_Hash [simp]:
  "parts (insert (Hash X) H) = insert (Hash X) (parts H)"
  apply (rule parts_insert_eq_I) 
  apply (erule parts.induct, auto) 
  done

lemma parts_insert_Crypt [simp]:
  "parts (insert (Crypt K X) H) = insert (Crypt K X) (parts (insert X H))"
proof -
  have "Y ∈ parts (insert (Crypt K X) H) ==> Y ∈ insert (Crypt K X) (parts (insert X H))" for Y
    by (induction rule: parts.induct) auto
  then show ?thesis
    by (smt (verit) insertI1 insert_commute parts.simps parts_cut_eq parts_insert_eq_I)
qed

lemma parts_insert_MPair [simp]:
  "parts (insert {X,Y} H) = insert {X,Y} (parts (insert X (insert Y H)))"
proof -
  have "Z ∈ parts (insert {X, Y} H) ==> Z ∈ insert {X, Y} (parts (insert X (insert Y H)))" for Z
    by (induction rule: parts.induct) auto
  then show ?thesis
    by (smt (verit) insertI1 insert_commute parts.simps parts_cut_eq parts_insert_eq_I)
qed

lemma parts_image_Key [simp]: "parts (Key`N) = Key`N"
  by auto

text‹In any message, there is an upper bound N on its greatest nonce.›
lemma msg_Nonce_supply: "∃N. ∀n. N≤n ⟶ Nonce n ∉ parts {msg}"
proof (induct msg)
  case (Nonce n)
  show ?case
    by simp (metis Suc_n_not_le_n)
next
  case (MPair X Y)
  then show ?case 🍋 ‹metis works out the necessary sum itself!›
    by (simp add: parts_insert2) (metis le_trans nat_le_linear)
qed auto

subsection‹Inductive relation "analz"›

text‹Inductive definition of "analz" -- what can be broken down from a set of
  messages, including keys. A form of downward closure. Pairs can
  be taken apart; messages decrypted with known keys.›

inductive_set
  analz :: "msg set ==> msg set"
  for H :: "msg set"
  where
    Inj [intro,simp]: "X ∈ H ==> X ∈ analz H"
  | Fst:     "{X,Y} ∈ analz H ==> X ∈ analz H"
  | Snd:     "{X,Y} ∈ analz H ==> Y ∈ analz H"
  | Decrypt [dest]: 
    "[Crypt K X ∈ analz H; Key(invKey K) ∈ analz H] ==> X ∈ analz H"


text‹Monotonicity; Lemma 1 of Lowe's paper›
lemma analz_mono_aux: "[G ⊆ H; X ∈ analz G] ==> X ∈ analz H"
  by (erule analz.induct) (auto dest: analz.Fst analz.Snd) 

lemma analz_mono: "G⊆H ==> analz(G) ⊆ analz(H)"
  using analz_mono_aux by blast

text‹Making it safe speeds up proofs›
lemma MPair_analz [elim!]:
  "[{X,Y} ∈ analz H;
    [X ∈ analz H; Y ∈ analz H] ==> P] ==> P"
  by (blast dest: analz.Fst analz.Snd)

lemma analz_increasing: "H ⊆ analz(H)"
  by blast

lemma analz_into_parts: "X ∈ analz H ==> X ∈ parts H"
  by (erule analz.induct) auto

lemma analz_subset_parts: "analz H ⊆ parts H"
  using analz_into_parts by blast

lemma analz_parts [simp]: "analz (parts H) = parts H"
  using analz_subset_parts by blast

lemmas not_parts_not_analz = analz_subset_parts [THEN contra_subsetD]


lemma parts_analz [simp]: "parts (analz H) = parts H"
  by (metis analz_increasing analz_subset_parts parts_idem parts_mono subset_antisym)

lemmas analz_insertI = subset_insertI [THEN analz_mono, THEN [2] rev_subsetD]

subsubsection‹General equational properties›

lemma analz_empty [simp]: "analz{} = {}"
  using analz_parts by fastforce

text‹Converse fails: we can analz more from the union than from the
  separate parts, as a key in one might decrypt a message in the other›
lemma analz_Un: "analz(G) ∪ analz(H) ⊆ analz(G ∪ H)"
  by (intro Un_least analz_mono Un_upper1 Un_upper2)

lemma analz_insert: "insert X (analz H) ⊆ analz(insert X H)"
  by (blast intro: analz_mono [THEN [2] rev_subsetD])

subsubsection‹Rewrite rules for pulling out atomic messages›

lemmas analz_insert_eq_I = equalityI [OF subsetI analz_insert]

lemma analz_insert_Agent [simp]:
  "analz (insert (Agent agt) H) = insert (Agent agt) (analz H)"
  apply (rule analz_insert_eq_I) 
  apply (erule analz.induct, auto) 
  done

lemma analz_insert_Nonce [simp]:
  "analz (insert (Nonce N) H) = insert (Nonce N) (analz H)"
  apply (rule analz_insert_eq_I) 
  apply (erule analz.induct, auto) 
  done

lemma analz_insert_Number [simp]:
  "analz (insert (Number N) H) = insert (Number N) (analz H)"
  apply (rule analz_insert_eq_I) 
  apply (erule analz.induct, auto) 
  done

lemma analz_insert_Hash [simp]:
  "analz (insert (Hash X) H) = insert (Hash X) (analz H)"
  apply (rule analz_insert_eq_I) 
  apply (erule analz.induct, auto) 
  done

text‹Can only pull out Keys if they are not needed to decrypt the rest›
lemma analz_insert_Key [simp]: 
  "K ∉ keysFor (analz H) ==>
          analz (insert (Key K) H) = insert (Key K) (analz H)"
  unfolding keysFor_def
  apply (rule analz_insert_eq_I) 
  apply (erule analz.induct, auto) 
  done

lemma analz_insert_MPair [simp]:
  "analz (insert {X,Y} H) = insert {X,Y} (analz (insert X (insert Y H)))"
proof -
  have "Z ∈ analz (insert {X, Y} H) ==> Z ∈ insert {X, Y} (analz (insert X (insert Y H)))" for Z
    by (induction rule: analz.induct) auto
  moreover have "Z ∈ analz (insert X (insert Y H)) ==> Z ∈ analz (insert {X, Y} H)" for Z
    by (induction rule: analz.induct) (use analz.Inj in blast)+
  ultimately show ?thesis
    by auto
qed

text‹Can pull out encrypted message if the Key is not known›
lemma analz_insert_Crypt:
  "Key (invKey K) ∉ analz H
      ==> analz (insert (Crypt K X) H) = insert (Crypt K X) (analz H)"
  apply (rule analz_insert_eq_I) 
  apply (erule analz.induct, auto) 
  done

lemma analz_insert_Decrypt:
  assumes "Key (invKey K) ∈ analz H"
  shows "analz (insert (Crypt K X) H) = insert (Crypt K X) (analz (insert X H))"
proof -
  have "Y ∈ analz (insert (Crypt K X) H) ==> Y ∈ insert (Crypt K X) (analz (insert X H))" for Y
    by (induction rule: analz.induct) auto
  moreover
  have "Y ∈ analz (insert X H) ==> Y ∈ analz (insert (Crypt K X) H)" for Y
  proof (induction rule: analz.induct)
    case (Inj X)
    then show ?case
      by (metis analz.Decrypt analz.Inj analz_insertI assms insert_iff)
  qed auto
  ultimately show ?thesis
    by auto
qed

text‹Case analysis: either the message is secure, or it is not! Effective,
 but can cause subgoals to blow up! Use with ‹if_split›;
‹split_tac› does not cope with patterns such as 🍋‹analz (insert
 (Crypt K X) H)›\
lemma analz_Crypt_if [simp]:
  "analz (insert (Crypt K X) H) =
          (if (Key (invKey K) ∈ analz H)
           then insert (Crypt K X) (analz (insert X H))
           else insert (Crypt K X) (analz H))"
  by (simp add: analz_insert_Crypt analz_insert_Decrypt)


text‹This rule supposes "for the sake of argument" that we have the key.›
lemma analz_insert_Crypt_subset:
  "analz (insert (Crypt K X) H) ⊆
           insert (Crypt K X) (analz (insert X H))"
  apply (rule subsetI)
  apply (erule analz.induct, auto)
  done


lemma analz_image_Key [simp]: "analz (Key`N) = Key`N"
  apply auto
  apply (erule analz.induct, auto)
  done


subsubsection‹Idempotence and transitivity›

lemma analz_analzD [dest!]: "X ∈ analz (analz H) ==> X ∈ analz H"
  by (erule analz.induct, blast+)

lemma analz_idem [simp]: "analz (analz H) = analz H"
  by blast

lemma analz_subset_iff [simp]: "(analz G ⊆ analz H) = (G ⊆ analz H)"
  by (metis analz_idem analz_increasing analz_mono subset_trans)

lemma analz_trans: "[X ∈ analz G; G ⊆ analz H] ==> X ∈ analz H"
  by (drule analz_mono, blast)

text‹Cut; Lemma 2 of Lowe›
lemma analz_cut: "[Y ∈ analz (insert X H); X ∈ analz H] ==> Y ∈ analz H"
  by (erule analz_trans, blast)

(*Cut can be proved easily by induction on
  "Y: analz (insert X H) ==> X: analz H ⟶ Y: analz H"
*)

text‹This rewrite rule helps in the simplification of messages that involve
  the forwarding of unknown components (X). Without it, removing occurrences
  of X can be very complicated.›
lemma analz_insert_eq: "X ∈ analz H ==> analz (insert X H) = analz H"
  by (metis analz_cut analz_insert_eq_I insert_absorb)


text‹A congruence rule for "analz"›

lemma analz_subset_cong:
  "[analz G ⊆ analz G'; analz H ⊆ analz H']
      ==> analz (G ∪ H) ⊆ analz (G' ∪ H')"
  by (metis Un_mono analz_Un analz_subset_iff subset_trans)

lemma analz_cong:
  "[analz G = analz G'; analz H = analz H']
      ==> analz (G ∪ H) = analz (G' ∪ H')"
  by (intro equalityI analz_subset_cong, simp_all) 

lemma analz_insert_cong:
  "analz H = analz H' ==> analz(insert X H) = analz(insert X H')"
  by (force simp only: insert_def intro!: analz_cong)

text‹If there are no pairs or encryptions then analz does nothing›
lemma analz_trivial:
  "[∀X Y. {X,Y} ∉ H; ∀X K. Crypt K X ∉ H] ==> analz H = H"
  apply safe
   apply (erule analz.induct, blast+)
  done


subsection‹Inductive relation "synth"›

text‹Inductive definition of "synth" -- what can be built up from a set of
  messages. A form of upward closure. Pairs can be built, messages
  encrypted with known keys. Agent names are public domain.
  Numbers can be guessed, but Nonces cannot be.›

inductive_set
  synth :: "msg set => msg set"
  for H :: "msg set"
  where
    Inj    [intro]:   "X ∈ H ==> X ∈ synth H"
  | Agent  [intro]:   "Agent agt ∈ synth H"
  | Number [intro]:   "Number n ∈ synth H"
  | Hash   [intro]:   "X ∈ synth H ==> Hash X ∈ synth H"
  | MPair  [intro]:   "[X ∈ synth H; Y ∈ synth H] ==> {X,Y} ∈ synth H"
  | Crypt  [intro]:   "[X ∈ synth H; Key(K) ∈ H] ==> Crypt K X ∈ synth H"

text‹Monotonicity›
lemma synth_mono: "G⊆H ==> synth(G) ⊆ synth(H)"
  by (auto, erule synth.induct, auto)  

text‹NO ‹Agent_synth›, as any Agent name can be synthesized.
  The same holds for 🍋‹Number›\›

inductive_simps synth_simps [iff]:
  "Nonce n ∈ synth H"
  "Key K ∈ synth H"
  "Hash X ∈ synth H"
  "{X,Y} ∈ synth H"
  "Crypt K X ∈ synth H"

lemma synth_increasing: "H ⊆ synth(H)"
  by blast

subsubsection‹Unions›

text‹Converse fails: we can synth more from the union than from the
  separate parts, building a compound message using elements of each.›
lemma synth_Un: "synth(G) ∪ synth(H) ⊆ synth(G ∪ H)"
  by (intro Un_least synth_mono Un_upper1 Un_upper2)

lemma synth_insert: "insert X (synth H) ⊆ synth(insert X H)"
  by (blast intro: synth_mono [THEN [2] rev_subsetD])

subsubsection‹Idempotence and transitivity›

lemma synth_synthD [dest!]: "X ∈ synth (synth H) ==> X ∈ synth H"
  by (erule synth.induct, auto)

lemma synth_idem: "synth (synth H) = synth H"
  by blast

lemma synth_subset_iff [simp]: "(synth G ⊆ synth H) = (G ⊆ synth H)"
  by (metis subset_trans synth_idem synth_increasing synth_mono)

lemma synth_trans: "[X ∈ synth G; G ⊆ synth H] ==> X ∈ synth H"
  by (drule synth_mono, blast)

text‹Cut; Lemma 2 of Lowe›
lemma synth_cut: "[Y ∈ synth (insert X H); X ∈ synth H] ==> Y ∈ synth H"
  by (erule synth_trans, blast)

lemma Crypt_synth_eq [simp]:
  "Key K ∉ H ==> (Crypt K X ∈ synth H) = (Crypt K X ∈ H)"
  by blast


lemma keysFor_synth [simp]: 
  "keysFor (synth H) = keysFor H ∪ invKey`{K. Key K ∈ H}"
  unfolding keysFor_def by blast


subsubsection‹Combinations of parts, analz and synth›

lemma parts_synth [simp]: "parts (synth H) = parts H ∪ synth H"
proof -
  have "X ∈ parts (synth H) ==> X ∈ parts H ∪ synth H" for X
    by (induction X rule: parts.induct) (auto intro: parts.intros)
  then show ?thesis
    by (meson parts_increasing parts_mono subsetI antisym sup_least synth_increasing)
qed

lemma analz_analz_Un [simp]: "analz (analz G ∪ H) = analz (G ∪ H)"
  using analz_cong by blast

lemma analz_synth_Un [simp]: "analz (synth G ∪ H) = analz (G ∪ H) ∪ synth G"
proof -
  have "X ∈ analz (synth G ∪ H) ==> X ∈ analz (G ∪ H) ∪ synth G" for X
    by (induction X rule: analz.induct) (auto intro: analz.intros)
  then show ?thesis
    by (metis analz_subset_iff le_sup_iff subsetI subset_antisym synth_subset_iff)
qed

lemma analz_synth [simp]: "analz (synth H) = analz H ∪ synth H"
  by (metis Un_empty_right analz_synth_Un)


subsubsection‹For reasoning about the Fake rule in traces›

lemma parts_insert_subset_Un: "X ∈ G ==> parts(insert X H) ⊆ parts G ∪ parts H"
  by (metis UnCI Un_upper2 insert_subset parts_Un parts_mono)

text‹More specifically for Fake. See also ‹Fake_parts_sing› below›
lemma Fake_parts_insert:
  "X ∈ synth (analz H) ==>
      parts (insert X H) ⊆ synth (analz H) ∪ parts H"
  by (metis Un_commute analz_increasing insert_subset parts_analz parts_mono 
      parts_synth synth_mono synth_subset_iff)

lemma Fake_parts_insert_in_Un:
  "[Z ∈ parts (insert X H); X ∈ synth (analz H)]
      ==> Z ∈ synth (analz H) ∪ parts H"
  by (metis Fake_parts_insert subsetD)

text‹🍋‹H› is sometimes 🍋‹Key ` KK ∪ spies evs›, so can't put
  🍋‹G=H›.›
lemma Fake_analz_insert:
  "X ∈ synth (analz G) ==>
      analz (insert X H) ⊆ synth (analz G) ∪ analz (G ∪ H)"
  by (metis UnCI Un_commute Un_upper1 analz_analz_Un analz_mono analz_synth_Un insert_subset)

lemma analz_conj_parts [simp]:
  "(X ∈ analz H ∧ X ∈ parts H) = (X ∈ analz H)"
  by (blast intro: analz_subset_parts [THEN subsetD])

lemma analz_disj_parts [simp]:
  "(X ∈ analz H | X ∈ parts H) = (X ∈ parts H)"
  by (blast intro: analz_subset_parts [THEN subsetD])

text‹Without this equation, other rules for synth and analz would yield
  redundant cases›
lemma MPair_synth_analz [iff]:
  "{X,Y} ∈ synth (analz H) ⟷ X ∈ synth (analz H) ∧ Y ∈ synth (analz H)"
  by blast

lemma Crypt_synth_analz:
  "[Key K ∈ analz H; Key (invKey K) ∈ analz H]
       ==> (Crypt K X ∈ synth (analz H)) = (X ∈ synth (analz H))"
  by blast

lemma Hash_synth_analz [simp]:
  "X ∉ synth (analz H)
      ==> (Hash{X,Y} ∈ synth (analz H)) = (Hash{X,Y} ∈ analz H)"
  by blast


subsection‹HPair: a combination of Hash and MPair›

subsubsection‹Freeness›

lemma Agent_neq_HPair: "Agent A ≠ Hash[X] Y"
  unfolding HPair_def by simp

lemma Nonce_neq_HPair: "Nonce N ≠ Hash[X] Y"
  unfolding HPair_def by simp

lemma Number_neq_HPair: "Number N ≠ Hash[X] Y"
  unfolding HPair_def by simp

lemma Key_neq_HPair: "Key K ≠ Hash[X] Y"
  unfolding HPair_def by simp

lemma Hash_neq_HPair: "Hash Z ≠ Hash[X] Y"
  unfolding HPair_def by simp

lemma Crypt_neq_HPair: "Crypt K X' ≠ Hash[X] Y"
  unfolding HPair_def by simp

lemmas HPair_neqs = Agent_neq_HPair Nonce_neq_HPair Number_neq_HPair 
  Key_neq_HPair Hash_neq_HPair Crypt_neq_HPair

declare HPair_neqs [iff]
declare HPair_neqs [symmetric, iff]

lemma HPair_eq [iff]: "(Hash[X'] Y' = Hash[X] Y) = (X' = X ∧ Y'=Y)"
  by (simp add: HPair_def)

lemma MPair_eq_HPair [iff]:
  "({X',Y'} = Hash[X] Y) = (X' = Hash{X,Y} ∧ Y'=Y)"
  by (simp add: HPair_def)

lemma HPair_eq_MPair [iff]:
  "(Hash[X] Y = {X',Y'}) = (X' = Hash{X,Y} ∧ Y'=Y)"
  by (auto simp add: HPair_def)


subsubsection‹Specialized laws, proved in terms of those for Hash and MPair›

lemma keysFor_insert_HPair [simp]: "keysFor (insert (Hash[X] Y) H) = keysFor H"
  by (simp add: HPair_def)

lemma parts_insert_HPair [simp]: 
  "parts (insert (Hash[X] Y) H) =
     insert (Hash[X] Y) (insert (Hash{X,Y}) (parts (insert Y H)))"
  by (simp add: HPair_def)

lemma analz_insert_HPair [simp]: 
  "analz (insert (Hash[X] Y) H) =
     insert (Hash[X] Y) (insert (Hash{X,Y}) (analz (insert Y H)))"
  by (simp add: HPair_def)

lemma HPair_synth_analz [simp]:
  "X ∉ synth (analz H)
    ==> (Hash[X] Y ∈ synth (analz H)) =
        (Hash {X, Y} ∈ analz H ∧ Y ∈ synth (analz H))"
  by (auto simp add: HPair_def)


text‹We do NOT want Crypt... messages broken up in protocols!!›
declare parts.Body [rule del]


text‹Rewrites to push in Key and Crypt messages, so that other messages can
  be pulled out using the ‹analz_insert› rules›

lemmas pushKeys =
  insert_commute [of "Key K" "Agent C"]
  insert_commute [of "Key K" "Nonce N"]
  insert_commute [of "Key K" "Number N"]
  insert_commute [of "Key K" "Hash X"]
  insert_commute [of "Key K" "MPair X Y"]
  insert_commute [of "Key K" "Crypt X K'"]
  for K C N X Y K'

lemmas pushCrypts =
  insert_commute [of "Crypt X K" "Agent C"]
  insert_commute [of "Crypt X K" "Agent C"]
  insert_commute [of "Crypt X K" "Nonce N"]
  insert_commute [of "Crypt X K" "Number N"]
  insert_commute [of "Crypt X K" "Hash X'"]
  insert_commute [of "Crypt X K" "MPair X' Y"]
  for X K C N X' Y

text‹Cannot be added with ‹[simp]› -- messages should not always be
  re-ordered.›
lemmas pushes = pushKeys pushCrypts


subsection‹The set of key-free messages›

(*Note that even the encryption of a key-free message remains key-free.
  This concept is valuable because of the theorem analz_keyfree_into_Un, proved below. *)

inductive_set
  keyfree :: "msg set"
  where
    Agent:  "Agent A ∈ keyfree"
  | Number: "Number N ∈ keyfree"
  | Nonce:  "Nonce N ∈ keyfree"
  | Hash:   "Hash X ∈ keyfree"
  | MPair:  "[X ∈ keyfree; Y ∈ keyfree] ==> {X,Y} ∈ keyfree"
  | Crypt:  "[X ∈ keyfree] ==> Crypt K X ∈ keyfree"


declare keyfree.intros [intro] 

inductive_cases keyfree_KeyE: "Key K ∈ keyfree"
inductive_cases keyfree_MPairE: "{X,Y} ∈ keyfree"
inductive_cases keyfree_CryptE: "Crypt K X ∈ keyfree"

lemma parts_keyfree: "parts (keyfree) ⊆ keyfree"
  by (clarify, erule parts.induct, auto elim!: keyfree_KeyE keyfree_MPairE keyfree_CryptE)

(*The key-free part of a set of messages can be removed from the scope of the analz operator.*)
lemma analz_keyfree_into_Un: "[X ∈ analz (G ∪ H); G ⊆ keyfree] ==> X ∈ parts G ∪ analz H"
proof (induction rule: analz.induct)
  case (Decrypt K X)
  then show ?case
    by (metis Un_iff analz.Decrypt in_mono keyfree_KeyE parts.Body parts_keyfree parts_mono)
qed (auto dest: parts.Body)

subsection‹Tactics useful for many protocol proofs›
ML
  ‹
 (*Analysis of Fake cases. Also works for messages that forward unknown parts,
  but this application is no longer necessary if analz_insert_eq is used.
  DEPENDS UPON "X" REFERRING TO THE FRADULENT MESSAGE *)

fun impOfSubs th = th RSN (2, @{thm rev_subsetD})

(*Apply rules to break down assumptions of the form
  Y ∈ parts(insert X H) and Y ∈ analz(insert X H)
*)
fun Fake_insert_tac ctxt = 
    dresolve_tac ctxt [impOfSubs @{thm Fake_analz_insert},
                  impOfSubs @{thm Fake_parts_insert}] THEN'
    eresolve_tac ctxt [asm_rl, @{thm synth.Inj}];

fun Fake_insert_simp_tac ctxt i = 
  REPEAT (Fake_insert_tac ctxt i) THEN asm_full_simp_tac ctxt i;

fun atomic_spy_analz_tac ctxt =
  SELECT_GOAL
   (Fake_insert_simp_tac ctxt 1 THEN
    IF_UNSOLVED
      (Blast.depth_tac
        (ctxt addIs [@{thm analz_insertI}, impOfSubs @{thm analz_subset_parts}]) 4 1));

fun spy_analz_tac ctxt i =
  DETERM
   (SELECT_GOAL
     (EVERY 
      [  (*push in occurrences of X...*)
       (REPEAT o CHANGED)
         (Rule_Insts.res_inst_tac ctxt [((("x", 1), Position.none), "X")] []
           (@{thm insert_commute} RS ssubst) 1),
       (*...allowing further simplifications*)
       simp_tac ctxt 1,
       REPEAT (FIRSTGOAL (resolve_tac ctxt [allI,impI,notI,conjI,iffI])),
       DEPTH_SOLVE (atomic_spy_analz_tac ctxt 1)]) i);
›

text‹By default only ‹o_apply› is built-in.  But in the presence of
eta-expansion this means that some terms displayed as 🍋‹f o g› will be
rewritten, and others will not!›
declare o_def [simp]


lemma Crypt_notin_image_Key [simp]: "Crypt K X ∉ Key ` A"
  by auto

lemma Hash_notin_image_Key [simp] :"Hash X ∉ Key ` A"
  by auto

lemma synth_analz_mono: "G⊆H ==> synth (analz(G)) ⊆ synth (analz(H))"
  by (iprover intro: synth_mono analz_mono) 

lemma Fake_analz_eq [simp]:
  "X ∈ synth(analz H) ==> synth (analz (insert X H)) = synth (analz H)"
  by (metis Fake_analz_insert Un_absorb Un_absorb1 Un_commute 
      subset_insertI synth_analz_mono synth_increasing synth_subset_iff)

text‹Two generalizations of ‹analz_insert_eq›\ lemma gen_analz_insert_eq [rule_format]:
  "X ∈ analz H ==> ∀G. H ⊆ G ⟶ analz (insert X G) = analz G"
  by (blast intro: analz_cut analz_insertI analz_mono [THEN [2] rev_subsetD])

lemma synth_analz_insert_eq:
  "[X ∈ synth (analz H); H ⊆ G]
      ==> (Key K ∈ analz (insert X G)) ⟷ (Key K ∈ analz G)"
proof (induction arbitrary: G rule: synth.induct)
  case (Inj X)
  then show ?case
    using gen_analz_insert_eq by presburger 
qed (simp_all add: subset_eq)

lemma Fake_parts_sing:
  "X ∈ synth (analz H) ==> parts{X} ⊆ synth (analz H) ∪ parts H"
  by (metis Fake_parts_insert empty_subsetI insert_mono parts_mono subset_trans)

lemmas Fake_parts_sing_imp_Un = Fake_parts_sing [THEN [2] rev_subsetD]

method_setup spy_analz = ‹
  Scan.succeed (SIMPLE_METHOD' o spy_analz_tac)›
  "for proving the Fake case when analz is involved"

method_setup atomic_spy_analz = ‹
  Scan.succeed (SIMPLE_METHOD' o atomic_spy_analz_tac)›
  "for debugging spy_analz"

method_setup Fake_insert_simp = ‹
  Scan.succeed (SIMPLE_METHOD' o Fake_insert_simp_tac)›
  "for debugging spy_analz"

end