· Index A goal A THM A thm A goal A THM A thm A goal A THM A thm a l al a l al ISO abs abs abs...

Formal Speci�cation and Analysis of

Cryptographic Protocols�

Appendix G

Einar Snekkenes

NDRE

P�O�Box ��

N�� Kjeller Norway

�January ��

Preface

This document contains the formal de�nitions and proofs on which the document Speci�cation and

Analysis of Cryptographic Protocols� is based�

This document is intended to be for reference only�

�

Index

A goal ��

A THM ��

A thm ��

A� goal ��

A� THM ��

A� thm ��

A� goal ��

A� THM ��

A� thm ��

a l al ��

a l al ISO ��

abs ��

abs� ��

abs� ��

ADD ANT FUNC TAC � ��

ADD CONJ TAC ��

ADD PRE ��

add theory ��

ae tac ��

AF ck S� ��

AF EQ DEF ��

AF EQ EQ PC V EQ PC V ��

AF EQ REFL ��

AF EQ SYM EQ ��

AF EQ TRANS ��

AF ID OWNERS Term ID OWNERS arg�

list ID OWNERS DEF ��

AF IDS Term IDS arg list IDS DEF ��

AF IMP DEF ��

AF IMP MP ��

AF IMP REFL ��

AF IMP TRANS ��

AF INDUCT THEN TAC ��

AF IS WF CONV ��

AF IS WF Term IS WF arg list IS WF�

DEF ��

AF IS WF true �

AF REPLACE AF Term REPLACE AF�

arg list REPLACE AF DEF ��

AF REPLACE Term Term REPLACE�

Term arg list REPLACE Term�

DEF ��

AF SUB AF DEF ��

AF SUB arg list DEF ��

AF SUB Term DEF ��

AF Term arg list V thm ��

AF Term induct thm ��

AF Term rec thm ��

AF Term rules ��

AF Term uniqueness thm ��

AF V AF EQ ��

AF V AF EQ� �

AF V AF IMP ��

AF V ck RHO ��

AF V IMP AF EQ ��

al a l ��

al a l ISO ��

all constructors ��

ALL REMOVE CHOICE TAC �

ANDMAP ��

ANDMAP APPEND ��

ANDMAP conj ��

ANDMAP FORALL ��

ANDMAP HD set minus ��

ANDMAP IS WF value ��

ANDMAP set minus ��

ANDMAP set minus single ��

ANDMAP split ��

ANDMAP split� ��

ant � ��

ANT CONV ��

ANT MATCH MP TAC ��

APPEND EQ NIL � ��

APPEND EQ SING ��

APPEND MAP ��

APPEND NIL ��

arg list ANDMAP Axiom ��

arg list INDUCT TAC ��

arg list ISO list ��

arg list to list Axiom ��

arg list V MAP ��

arity ��

AS ��

AS THM ��

ascii EQ CONV ��

ASM CONV ��

ass ��

ass� assums ��

�

� Index

ass� assums� ��

ass� assums ��

ass ��

ass a ��

ass b ��

ass c ��

ASS DEF ��

ass DEF ��

Ass EQ DEF ��

Ass EQ REFL ��

Ass EQ SYM EQ ��

Ass EQ TRANS ��

Ass IMP DEF ��

Ass IMP MP ��

Ass IMP REFL ��

Ass IMP TRANS ��

ass INDUCT TAC ��

Ass IS WF DEF ��

ASS IS WF REPLACE ��

ass lemma ��

Ass REPLACE AF DEF ��

Ass REPLACE Term DEF ��

ass res ��

Ass V DEF ��

ASS V EQ ASS V IMP ASS EQ ��

Ass V IMP Ass EQ ��

Ass V REPLACE AF V ��

Ass V REPLACE AF V EQ ��

ass value ��

assoc aux xor ��

assums ��

asym rules ��

aux xor Axiom �

aux xor cancel ��

aux xor NIL ��

base case ��

BDIFF DEF ��

BDIFF EQ ��

BDIFF T ��

BETA REWRITE ��

BITER DEF ��

BITER NIL � ��

BITERate ��

bn ��

bool DELTA ��

BPAR DEF ��

BPAR SUC � ��

browse ��

btree DEF ��

C ��

C THM �

C� ��

C� THM ��

C� � ��

C� � lemma �

C� � lemma� ��

C� � THM ��

C� lemma ��

C� lemma� ��

ca� ��

ca delta Ax� ��

ca delta Ax� Q nh ��

ca delta Ax� Q state ��

ca delta Bx� ��

ca delta Bx� U state ��

ca delta hd tp ��

ca delta i o ��

ca delta tp ��

cancel priv pub ��

cancel pub priv ��

CARD EQ � ��

CARD EQ ��

CARD REST �

cast ��

CFN DEF ��

chk rev fh ��

chk rev fh DEF ��

CK ��

CK THM ��

CK� ��

CK� THM ��

CK� ��

CK� THM ��

CK� ��

CK� THM ��

CK� ��

CK�� TAC ��

CK� THM ��

CK� ��

CK� THM ��

ck eq ��

clm ��

clm� ��

clm ��

clm� ��

clm� ��

clm� ��

clm� ��

clm� ��

clm� ��

clm� ��

clm� ��

clm ��

commute insert ��

commute insert rule ��

commute sort ��

Index �

COMPLETE ��

COND FL ��

COND OUT ��

COND OUT CONV ��

COND TO IMP RULE ��

conf invar DEF ��

conf lemma ��

conf lemma ��

conf lemma� ��

conf lemma� ��

conj ��

conj ��

CONJ CONV ��

conj� ��

CONJ� CONV ��

CONS ��

CONS APPEND CONS ��

CONS MK FH� ��

CONS set minus ��

conseq �

CONV FILTER ONCE ASM REWRITE�

TAC ��

count APPEND ��

count Axiom ��

count commute ��

count insert ��

count set minus �

count set minus single �

count sort ��

cp ENC ��

cp id term ��

cp L� ��

cp MK ��

CPR DEF ��

CPR MONOTONE ��

ctm ��

ctm� ��

ctm ��

ctm� ��

ctm� ��

ctm� ��

ctm� ��

ctm� ��

ctm� ��

ctm� ��

ctm� ��

ctm ��

curr su�x �

CV ADD ��

CV BOUND ��

CV DEF ��

CV EMPTY ��

CV FIX ��

CV fun ��

CV net funcs ��

D cont �

D D cont �

D rules ��

DC V cont ��

DC V DEF ��

DC V IMP DC V ��

DC V IMP DC V� ��

DC V IMP DC V� EQ ��

DC V IMP DC V EQ ��

DC V make list ��

DC V make list DC V REV make list ��

DC V RA ��

DC V REV CONS ��

DC V REV mk list ��

DC V strengthen ��

DC V true ��

DC V true lemma ��

dec ��

dec ��

DEC ENC ��

dec enc �

dec not enc ��

dec value ��

DECLARED IDS DEF ��

DECLARED IDS EMPTY ��

dedup ��

def ��

DELETE EQ EMPTY ��

DF CONJ goal ��

DF CONJ THM ��

DF CONJ thm ��

DFT goal ��

DFT THM ��

DFT thm ��

disc suf ��

disc term ��

disc thm ��

disj ��

DISJ CONV ��

disj� ��

DISJ� CONV ��

dismantle ��

e ��

EL � ��

EL � ��

EL APPEND CONS HD TL ��

EL LENGTH APPEND ��

EL LENGTH APPEND CONS ��

EL rules ��

elem not in NIL ��

ELSE CONV ��

� Index

empty ass ��

empty ass reduce ��

enc ��

enc ��

enc dec �

enc dec rules ��

enc dec tac ��

ENC EQ failure ��

enc EQ P dec ��

enc EQ P enc ��

enc EQ P lt SUB VALUE OF ��

enc not dec ��

enc SUB VALUE OF enc ��

enc SUB VALUE OF m� ��

enc SUB VALUE OF P dec ��

enc SUB VALUE OF P enc ��

enc SUB VALUE OF P g ��

enc SUB VALUE OF P g� ��

enc SUB VALUE OF P l ��

enc SUB VALUE OF P l� ��

enc SUB VALUE OF value list ��

enc value ��

env �

env rules ��

env selector defs �

eq ��

EQ NEG TO EQ RULE ��

EQ RULE � ��

EQ SET CONV ��

EQ TAUT PROVE ��

EqSub goal ��

EqSub THM ��

EqSub thm ��

EqSym goal ��

EqSym THM ��

EqSym thm ��

eval rules ��

EVERY� CONS ��

EVERY� DEF ��

EVERY� EVERY ��

EVERY� IMP EVERY� ��

EVERY� MAP MAP ��

EVERY� swap EVERY� ��

EVERY ANDMAP �

EVERY APPEND �

EVERY IMP ��

EVERY INTERLEAVE ��

EVERY IS WF value ��

EVERY IS WF value � ��




EVERY LAMBDA EXISTS ��

EVERY LENGTH FLST EQ FLST ��

EVERY MAP ��

EVERY NOT SOME �

EVERY PRESERVES INV FLST ��

EVERY PRESERVES INV o FLST F ��

EVERY PRESERVES INV Usage V FLST�

Usage V ��

EVERY PRESERVES INVAR IMP�

EVERY PRESERVES INVAR

��

EVERY RA ��

EVERY RE V ��

EVERY REV ��

EVERY sort ��

EVERY T ��

EVERY Usage V ��

EVERY weaken ��

exec ��

EXISTS CONJ EQ CONV ��

EXISTS CONV ��

EXISTS DEF �

exists DEF ��

EXISTS EQ TAC ��

EXISTS INTRO �

EXISTS ROTATE RIGHT CONV ��

expand name ��

EXPAND PAIR TAC ��

EXPAND TUPLE TAC ��

f ��

f tp ��

failure ��

failure in list ��

failure is failure value ��

failure IS WF value ��

failure SUB VALUE OF �

failure SUB VALUE OF IS WF value �

fd Axiom ��

fd rules ��

fh ��

��

fh ��

fh� ��

fh� ��

FINAL ��

FINAL DEF ��

FINAL MAP ��

�nd rand term ��

�nd top term ��

FINITE DECLARED IDS ��

FINITE GSPEC CONV

FINITE ID OWNERS ��

FINITE list to set �

FINITE num �

FINITE num CONV �

Index �

FINITE REST ��

FINITE rules � ��

FINITE TYPES ��

FINITE XX ID OWNERS ��

FIRST NO FAIL ��

�xity ��

� ��

� ��

��

FL COMM ��

FL DEF ��

FL EQ NIL ��

FL FL ��

FL IDEMPOT ��

FL UNIV ��

FLAT NIL EVERY ��

FLST DEF ��

FLST ETA ��

FLST F DEF ��

FLST F EQ FLST F ��

FLST F ETA ��

FLST F IDEMPOT ��

FLST IDEMPOT ��

FORALL CONV ��

FORALL CONV� ��

FORALL DEF �

FORALL EQ TAC ��

FORALL EXISTS ��

FORALL FORALL

FORALL imp �

FORALL IMP EXISTS lm ��

FORALL in list

FORALL LPAIR CONV ��

FORALL LPAIR TAC ��

forall pair ��

FORALL PAIR CONV ��

FORALL pair CONV ��

FORALL ROTATE RIGHT CONV ��

FORALL ROTATE RIGHT CONV� ��

FORALL true �

fs ��

FULL BETA� TAC ��

FULL BETA TAC ��

FUN EQ TAC ��

func lemma ��

funcdef �

g � ��

G� L� tac ��

G L� ��

G� L� ��

g DEF ��

gen ant ��

GEN ANT TAC ��

GEN BETA TAC ��

GEN EXISTS TAC ��

get ��

get beta redex ��

get bvars ��

get string equal ��

get tag arity ��

get unique ��

GF V DEF ��

global �

global error Axiom ��

global error IS WF value ��

GlobalFunc ��

GlobalFunc rules ��

GlobalFunc ty ��

GlobalFunc V DEF ��

GlobalFunc V IS WF value ��

globalfuncs ��

globalfuncs reduce ��

gname ��

goal ��

goals ��

GSPEC FINITE �

GSPEC GSPEC �

GSPEC GSPEC CONV �

GSPEC IN �

GSPEC OR CONV �

h ��

h� ��

H �

h DEF ��

H rules ��

H selector defs �

has same members Axiom ��

HAS SUB AF thm ��

HAS SUB Term thm ��

hd extension lemma ��

HD MAP PAIR ��

hyp� ��

i o ��

id owner ��

ID OWNERS CONS UNION ��

ID OWNERS DEF ��

ID OWNERS EMPTY ��

ID OWNERS EMPTY NOT in list ��

ID OWNERS idempot ��

ID OWNERS rules ��

ID OWNERS SING ID OWNERS�

EMPTY ��

id term ��

id term DEF ��

Ident ��

� Index

ident ��

IDENT ��

ident Axiom ��

IDENT REPLACE ��

ident state simpli�cation ��

Ident ty ��

ident ty ��

IdentDecl ��

IF �

IF CONV ��

if simplify ��

IF THM ��

IH ��

� ��

IH ��

IH � ��

IH APPEND ��

IH BITER ��

IH BPAR ��

IH INTERLEAVE ��

IH RE ��

ilm ��

ilm� ��

ilm ��

ilm� ��

ilm� ��

ilm� ��

ilm� ��

ilm� ��

ilm� ��

ilm� ��

ilm ��

ilm� ��

ilm��

ilm� ��

ilm��

ilm��

ilm��

ilm��

ilm��

ilm��

ilm��

ilm� ��

ilm� ��

ilm��

ilm� ��

ilm��

ilm��

ilm��

ilm��

ilm��

ilm��

ilm��

ilm� ��

ilm� ��

ilm��

ilm� ��

ilm��

ilm� ��

ilm� ��

ilm� ��

ilm� ��

ilm ��

imp ��

IMP ANT OR CONV ��

IMP BDIFF ��

IMP CONJ TAC ��

IMP CONSEQ AND CONV ��

IMP EQ TAC ��

IMP IMP CONV ��

IN GSPEC CONV �

IN GSPEC CONV� �

IN in list �

in list APPEND ��

in list aux xor �

in list DEF ��

in list eq not count ��

in list FLAT SOME ��

in list IN �

in list IN CONV

in list IN ID OWNERS ��

in list insert ��

in list rules �

in list set minus ��

in list set minus single ��

in list set to list ��

in list set to list� SING �

in list set to list� UNION �

in list set to list� UNION� ��

in list sort ��

IN list to set ��

in list value to list �

IN SAME CONV aux ��

IN SAME CONV aux lemma� ��

IN SAME CONV aux prc l ��

IN SAME CONV aux prc l� ��

IN SAME CONV aux prc l� ��

IN SAME CONV aux prc l� a ��

IN SAME CONV aux prc l� �

IN SAME CONV aux prc l� a �

IN SAME CONV DEF ��

IN SAME CONV imp prc ��

IN SAME CONV imp prc� ��

IN SELECT ��

IN SELECT CONV ��

IN UNION ABSORPTION ��

ind step� assums ��

induct conseq lemma �

Index ��

insert Axiom ��

INSERT EQ SING ��

insert in ordered ��

integrity invar DEF ��

INTER lm ��

INTERLEAVE ��

INTERLEAVE NIL ��

INTERLEAVE � NIL ��

INTERLEAVE � NIL ��

INTERLEAVE assoc ��

INTERLEAVE assoc lemma ��

INTERLEAVE commute ��

INTERLEAVE CONS ��

INTERLEAVE DEF �

INTERLEAVE EVERY ��

INTERLEAVE MAP ��

INTERLEAVE MAP MAP ��

INTERLEAVE NIL ��

inv enc ��

INVAR ��

INVAR CONS ��

INVAR DEF ��

invar DEF ��

INVAR ETA �

INVAR HYP ��

INVAR INSERT ��

INVAR INSERT� ��

INVAR MK FH� ��

INVAR MK FH� lemma ��

INVAR NEW STATE ��

INVAR NEW STATE� ��

INVAR NEW STATE INSERT ��

INVAR NEW STATE INSERT� ��

invar su�ces ��

invar true ��

invert P m� B ��

is dec value dec �

is enc value enc �

is failure value failure ��

is failure value list to value ��

is lap value lap value �

is LEAF btree DEF ��

is name value name ��

is NODE btree DEF ��

IS ORDERED Axiom ��

IS ORDERED set to list �

IS ORDERED sort ��

is partial cond ��

is priv not is pub ��

is pub not is priv ��

is rules ��

is seq value P lx ��

is seq value seq �

is sorted Axiom ��

is string const ��

IS TOTAL Axiom ��

IS V cont ��

IS V DEF ��

IS V IMP IS V ��

IS V strengthen ��

IS V true ��

IS V ty ��

is value tag defs ��

IS WF eq rules ��

IS WF funcdef DEF ��

IS WF funcdef fd ��

IS WF funcdef INVAR CV ��

IS WF funcdef IS WF Protspec LIST�

PRESERVES INV INVAR Prot�

V ��

IS WF imp rules ��

IS WF list to value ��

is wf NO DUP ��

IS WF PR CAST DEF ��

IS WF PR CAST init ��

IS WF PR CAST lambda ��

IS WF PR CAST prc init ��

IS WF PR CAST prevents replay ��

IS WF Protspec CONS Prot ��

IS WF Protspec DEF ��

IS WF Protspec EVERY PRESERVES�

INV Prot V fd �

IS WF Protspec LP ��

IS WF Protspec MAP REPLACE ��

IS WF Protspec rules ��

IS WF rules ��

IS WF simple rules ��

IS WF state DEF ��

IS WF state failure ��

IS WF state NEW STATE ��

IS WF state TP V ��

IS WF TAC ��

is wf tac ��

IS WF Term V arg list ��

IS WF trans DEF ��

IS WF trans list DEF ��

IS WF trans list IS WF trans ��

IS WF trans list Prot V ��

IS WF trans list set DEF ��

IS WF value ��

IS WF value arg list V ��

IS WF value global funcs ��

IS WF value local funcs ��

IS WF value P enc P dec tac ��

IS WF value set DEF ��

IS WF value set INSERT ��

IS WF value set nh� ��

IS WF value set UNION ��

� Index

IS WF value Term V ��

IS WF value Term V� ��

IS WF value Term V arg list V ��

it � ��

ITERATE ��

itm ��

itm� ��

itm ��

itm� ��

itm� ��

itm� ��

itm� ��

itm� ��

itm� ��

itm� ��

itm ��

itm� ��

itm��

itm� ��

itm��

itm��

itm��

itm��

itm��

itm��

itm��

itm� ��

itm� ��

itm��

itm� ��

itm��

itm��

itm��

itm��

itm��

itm��

itm��

itm� ��

itm� ��

itm��

itm� ��

itm��

itm� ��

itm� ��

itm� ��

itm� ��

itm ��

itm ass ��

l ��

l ��

l rules �

l� ��

L� EQ failure ��

l� ��

LAP DEF ��

lap value �

lap value ��

last run ��

LEFT IMP EXISTS TAC ��

LEFT IMP SL CONS ��

lemma ��

lemma� ��

lemma ��

lemma� ��

lemma� ��

lemma rules �

lemma� ��

lemma rules ��

lemma rules� �

lemma rules� �

LENGTH � �

LENGTH ��

LENGTH arg list V ��

LENGTH CONS HD TL ��

LENGTH EQ HD ��

LENGTH FL UNION ��

LENGTH LR ��

LENGTH ordered ��

LENGTH Prot V REPLACE Term ��

LENGTH RA ��

LENGTH REV ��

LENGTH sort �

LESS ��

LESS ADD ��

LESS EQ LESS ��

LESS LESS EQ ��

less to not eq ��

let AND CONV ��

let AND TAC ��

let RULE ��

let TAC � ��

LHS CONV ��

LIST COMPLETE ��

LIST EXISTS TAC ��

list extension ��

LIST GEN ANT TAC ��

list ISO arg list ��

LIST MATCH ACCEPT TAC ��

LIST MATCH MP TAC ��

LIST PRESERVES INV DEF ��

LIST PRESERVES INV FINAL MAP�

FINAL ��

LIST PRESERVES INV in list ��

LIST PRESERVES INV MAP� ��

LIST PRESERVES INV Usage V FLST�

FINAL Usage V FINAL ��

Index ��

list rules ��

��

��

list set list

LIST SPEC TAC ��

list to arg list Axiom ��

list to bag Axiom ��

list to set APPEND ��

list to set Axiom ��

list to value Axiom �

list value list ��

list value list aux xor ��

lm ��

lm� ��

lm � ��

��

lm ��

lm� ��

lm� ��

��

lm� � tac ��

lm� ��

��

lm� ��

lm� ��

lm� � ��

lm� ��

lm� ��

lm ��

lmx ��

local �

local error Axiom ��

local error IS WF value ��

LocalFunc ��

LocalFunc ty ��

log on �

LONG DISJ CASES TAC �

LOOP� ��

LP ��

LP thm ��

LR �

LR DEF �

LR RA ��

LR REV ��

LR REV CONS ��

ls ��

LT DEF ��

LTP DEF ��

LTP lambda ��

LTP REFL ��

m ��

m structure �

m SUB VALUE OF m� ��

m� ��

��

m� � ��

m� � ��

make list ��

make list DEF ��

make list LENGTH EL MAP� �

map ��

MAP APPEND make list LENGTH ��

MAP EL APPEND make list LENGTH

��

MAP EL make list LENGTH ��

MAP EQ MAP ��

MAP EQ NIL ��

MAP FST MAP ��

MAP INTERLEAVE ��

MAP make list ��

MAP make list LENGTH ��

MAP MAP ��

MAP NIL ��

MAP RA ��

MAP REV ��

MAP TL ��

MAPI DEF ��

masterkey �

masterkey ��

masterkey SUB VALUE OF m ��

masterkey SUB VALUE OF out dec

masterkey SUB VALUE OF out enc

masterkey SUB VALUE OF P dec ��

masterkey SUB VALUE OF P enc

masterkey SUB VALUE OF P g ��

masterkey SUB VALUE OF P g� ��

masterkey SUB VALUE OF P l� ��

masterkey SUB VALUE OF P m� B ��

masterkey SUB VALUE OF P masterkey�

table ��

MATCH MP� TAC ��

��

member Axiom ��

min Axiom ��

MK ��

MK ARITH REWRITE ��

MK commute ��

MK CONS RULE ��

mk curr ty ��

mk discriminator ��

MK FH� ��

MK FH� APPEND ��

MK FH� DEF ��

MK FH� FL SUBSET ��

MK FH� FL UNION ��

MK FH� INTERLEAVE ��

MK FH� LENGTH ��

MK FH� PRE ��

�� Index

MK FH� project ��

MK FH� project� ��

MK FH DEF ��

mk goal rhs ��

mk is mut rec tag def �

mk is mut rec tag def aux ��

mk is tag def lines ��

mk joint name ��

mk list DEF ��

mk MP rule ��

mk rewrite ��

mk set fun thm ��

mk TM thm �

mk TM thm� �

mk triv ��

mk unique arg list ��

move n out tac ��

MP goal ��

MP thm ��

msg ��

mut rec ty spec ��

mut rec ty spec to distinctness goals ��

MUTREC INDUCT THEN TAC ��

��

mx� v ��

my genvar ��

MY REWRITE TAC ��

my save thm ��

my use ��

N TIMES ��

name ��

name ��

name IS WF value ��

name list var prod ��

names ��

natmap� ��

natural set induct lemma ��

NEG ADD FUNC TAC ��

net funcs ��

net funcs invar ��

net has ��

net has goal ��

net has set ��

NEW I O DEF ��

new prc ��

new recursive de�nition �

new set induct �

NEW SET INDUCT TAC �

NEW STATE DEF �

NEW STATE rules ��

New Ty Distinct Thms �

newline ��

nh ��

nh� ��

NIL IN MK FH� ��

nil in MK FH� tac ��

NIL ORDERED ��

NIL set minus ��

NO DUP APPEND set minus �

NO DUP aux xor ��

NO DUP Axiom ��

NO DUP insert ��

NO DUP set minus ��

NO DUP set to list �

NO DUP sort ��

NO DUP to count ��

no sub lemma ��

no sub lemma goal ��

non empty ass ��

NOT AND ��

not dec ��

not enc ��

not enc dec ��

NOT enc EQ P lap ��

not enc EQ P null ��

NOT enc EQ P rr ��

not enc P masterkey table ��

not enc SUB VALUE OF P null ��

NOT F BDIFF ��

not failure in list aux xor ��

not failure list to value ��

not failure P dec ��

not failure P enc ��

not failure P enc P dec tac ��

not failure P l� ��

not failure P masterkey ��

NOT IMP TO CONJ CONV ��

not IN SAME CONV NET ��

not is failure out key dec �

not is failure out key enc ��

not is failure out msg dec ��

not is failure out msg enc ��

not is failure out msg enc P g�

not is failure out tac ��

not is failure value P xor ��

NOT LESS � ��

not m� SUB VALUE OF m ��

NOT masterkey EQ P lap ��

not masterkey SUB VALUE OF failure �

not masterkey SUB VALUE OF P null ��

not mk rewrite ��

not nil list to lap value ��

NOT NULL INSERT �

NOT OR ��

NOT OR CONV ��

NOT ORD IMP REV ORD �

not P g is failure to seq lap value ��

Index ��

not P g P g� is failure to seq lap value

��

not P l� EQ enc ��

not P l� EQ P enc P l� ��

NOT P l� EQ P null ��

not P l� EQ P null ��

not P masterkey table in nh ��

NOT RA NIL ��

not REFLEXIVE PROTECTED ��

not REFLEXIVE PROTECTED BY ��

NOT SUC ��

NOT SUC ADD LESS ��

NOT SUC LESS EQ � ��

NOT symbol EQ P null ��

not symbol in nh ��

not value TOTAL ORDER antisym ��

Null DEF ��

NULL NIL ��

num� �

num REDUCE TAC ��

num SUC ��

numpair �

occurs ��

ok ��

OK ��

OK THM �

OK � ��

OK � THM �

OK� ��

OK� rules ��

OK� THM �

OK� ��

OK� rules ��

OK� THM �

OK� ��

OK� THM �

OK� ��

OK� THM �

OK� ��

OK� THM �

OK� ��

OK� THM ��

OK ��

OK THM ��

OK tac ��

OK tac� ��

OK tac� ��

OK tac� ��

OKx rules ��

ONCE UNDISCH FILTER TAC ��

ONE ORDERED �

OR � ��

OR GSPEC �

order insert �

orig dir ��

os DEF ��

out hd lap value out list seq rev sub value

��

out hd lap value rev sub value ��

out ident name DEF ��

out left NODE DEF ��

out list seq rev sub value ��

out masterkey SUB VALUE OF out tac

�

out msg enc P g� rev sub value ��

out msg enc SUB VALUE OF ��

out right NODE DEF ��

out rules ��

out rules� �

out value �

P ��

P ass ��

P ass Axiom ��

P ass IS WF value ��

P ass key ��

P dec IS WF value ��

P dec P g� EQ symbol ��

P dec P g� symbol ��

P enc Axiom ��

P enc IS WF value ��

P enc P l� ��

P enc P l� EQ enc ��

P enc unique key ��

P g� P l� tac ��

P g Axiom ��

P g IS WF value �

P g P l� ��

P g rev sub value ��

P g� Axiom ��

P g� IS WF value �

P g� P l� ��

P g� rev sub value ��

P g� Axiom �

P g� IS WF value ��

P g� Axiom �


P g� Axiom �


P gx IS WF tac ��

P gx rules ��

P l Axiom ��

P l IS WF value �

P l� ��

P l� Axiom ��

P l� EQ P dec ��

P l� EQ P enc ��

�� Index

P l� EQ P lap ��

P l� IS WF value �

P l� simplify ��

P l� Axiom ��

P l� IS WF value ��

P l� Axiom ��


P l� Axiom ��


P lap Axiom ��

P lap IS WF value �

P lap IS WF value� ��

P lt �

P lt Axiom ��

P lt IS WF value �

P lt P rr IS WF value tac �

P lx rules ��

P m ��

P m A SUB VALUE OF P m� B ��

P m IS WF value ��

P m� ��

P m� IS WF value ��

P m�a SUB VALUE OF P m�b ��

P masterkey table ��

P masterkey table Axiom ��

P masterkey table commute ��

P masterkey table IS WF value ��

��

P masterkey table P g rev sub value ��

P null Axiom �

P null IS WF value ��

P priv key table ��

P privkey table Axiom ��

P privkey table IS WF value ��

P privkey table run independant ��

P pubkey table �

P pubkey table Axiom ��

P pubkey table IS WF value ��

P pw key Axiom �

P pw key di� �

P pw key IS WF value ��

P pw table Axiom �

P pw table IS WF value ��

P rr �

P rr Axiom ��

P rr is seq ��

P rr IS WF value �

P rules �

P sessionkey ��

P sessionkey Axiom ��

P sessionkey IS WF value ��

P xor assoc ��

P xor Axiom �

P xor cancel �

P xor commutative ��

P xor IS WF value ��

P xor to aux xor ��

PAIR lemma ��

PAIRED BETA� TAC ��

PAIRED BETA TAC ��

paired let RULE ��

paired let TAC ��

PC EQ DEF ��

PC EQ REFL ��

PC EQ SYM EQ ��

PC EQ TRANS ��

PC IMP DEF ��

PC IMP MP ��

PC IMP REFL ��

PC IMP TRANS ��

PC V DEF ��

PC V EQ PC V ��

PC V IMP PC V ��

PC V IMP PC V� ��

PC V IMP PC V lm ��

PC V INVAR ��

PC V ty ��

PCT ��

PCT DEF ��

PhiA ��

PhiB ��

PM � � ��

position ��

pr ��

pr ��

pr� ��

pr cast ��

prc ��

prc� ��

prc� ��

prc init ��

PRE ADD ��

pre�x ��

PRESERVES INV DEF ��

PRESERVES INV EQ ��

PRESERVES INV FINAL CONS FLST F

��

PRESERVES INV FLST F ��

PRESERVES INV IMP FLST F ��

Principal ��

PRINCIPAL ��

principal Axiom ��

principal DISTINCT ��

principal INDUCT TAC ��

principal ty ��

PRINT TAC ��

print term types �

print thm types �

Index ��

priv ��

priv ��

PRIV KEY DEF ��

priv lemma ��

progress table ��

project ��

prot ��

prot� ��

Prot ��

Prot EQ DEF ��

Prot EQ REFL ��

Prot EQ SYM EQ ��

Prot EQ TRANS ��

Prot IMP DEF ��

Prot IMP MP ��

Prot IMP REFL ��

Prot IMP TRANS ��

Prot list ��

Prot list ass �

Prot REPLACE AF DEF ��

Prot REPLACE Term DEF ��

Prot V APPEND ��

Prot V CONS ��

Prot V DEF �

Prot V EQ Prot V IMP Prot EQ ��

Prot V IMP PC V ��

Prot V IMP PC V EQ ��

Prot V IMP Prot EQ ��

Prot V Prot EQ ��

PROTECTED BY DEF ��

PROTECTED BY failure symbol P�

masterkey table ��

PROTECTED BY m symbol P�


PROTECTED BY name symbol P�


PROTECTED BY not equal �

PROTECTED BY P lap symbol P�


PROTECTED BY P null ��

PROTECTED DEF ��

PROTECTED failure P masterkey table

��

PROTECTED m P masterkey table ��

PROTECTED name P masterkey table

��

PROTECTED not equal ��

PROTECTED not in P g masterkey ��

PROTECTED not in P g� masterkey ��

PROTECTED P dec ��

PROTECTED P enc ��

PROTECTED P g ��

PROTECTED P g� ��

PROTECTED P l� ��

PROTECTED P lap P masterkey table

��

PROTECTED P lt ��

PROTECTED P lt masterkey ��

PROTECTED P lt P masterkey table ��

PROTECTED P lt P rr tac ��

PROTECTED P m� B ��

PROTECTED P null ��

PROTECTED P rr ��

PROTECTED P rr masterkey ��

PROTECTED P rr P masterkey table ��

Protspec ��

PROTSPEC PROP TAC ��

Protspec REPLACE AF DEF ��

Protspec REPLACE Ass DEF ��

Protspec REPLACE Prot DEF ��

Protspec REPLACE RE ��

Protspec REPLACE Term DEF ��

Protspec REPLACE Usage DEF ��

prove all goals distinct ��

prove distinct thm ��

PROVE RE ��

pt ��

PT ��

PT THM ��

PT� ��

PT� THM ��

pt MK FH� �

pub ��

pub ��

PUB KEY DEF ��

pub lemma ��

pure AF Term rules ��

PURE DEF ��

PURE MATCH REWRITE TAC ��

PURE ONCE MATCH REWRITE TAC

��

PW DEF ��

PW REFL ��

RA �

��

RA DEF ��

RA LR RT ��

RA LR RT CONS ��

RE ��

RE THM ��

RE� ��

RE� THM ��

RE� ��

RE� THM ��

RE� ��

RE� THM ��

RE� ��

RE�� TAC ��

�� Index

RE� THM ��

RE� ��

RE� THM ��

RE� ��

RE� THM ��

RE DEF ��

RE EQ DEF ��

RE IMP DEF ��

RE IMP MP ��

RE IMP REFL ��

RE IMP TRANS ��

RE INDUCT TAC ��

RE REPLACE RE DEF ��

RE V ��

RE V ��

RE V � NIL ��

RE V DEF ��

RE V EQ RE V IMP RE EQ ��

RE V EQ RE V IMP RE REPLACE RE

��

RE V EQ RE V IMP Usage V MAP EQ�

Usage V MAP ��

RE V EVERY ��

RE V IMP RE EQ ��

RE V MAP ��

RE V MAP EQ MAP RE V ��

RE V MK FH� ��

RE V NIL � ��

rec axiom ��

REFLEXIVE IN SAME CONV ��

REFLEXIVE SUB VALUE OF ��

rem tac ��

remove Axiom ��

REMOVE CHOICE TAC �

remove conj tac �

remove pair ��

remove pair� ��

REMOVE SELECT TAC ��

remove syntax tac ��

REPEAT UNTIL STABLE ��

REPLACE DEF ��

REPLACE Term RULES ��

REPLACE Term thm ��

residue ��

rest induct lemma ��

REV �

��

REV CONS ��

REV CONS CONS ��

REV DEF ��

REV NIL ��

REV RA ��

REV REV ��

rev sub value DEF ��

rev sub value out key dec ��

rev sub value out key enc ��

rev sub value out msg dec ��

rev sub value out msg enc ��

rev sub value out msg tac ��

rev sub value REFL ��

REVERSE ETA CONV ��

REVERSE NEG TOTAL ��

REVERSE REWRITE ��

reverse rewrite ��

REVERSE TOTAL �

reverse value TOTAL ORDER ��

RHO DEF ��

RHO PW EQUIV ��

RHO PW REFL ��

RHS CONV ��

rl� ��

rls ��

rm choice �

RM FUNC� TAC �

RM FUNC TAC ��

rn ��

rn ��

rn� ��

rn� ��

Role ��

role ��

role V DEF ��

rotate right ��

RR DEF ��

RS V cont ��

RS V DEF �

RS V IMP RS V ��

RS V IMP RS V� ��

RS V IMP RS V EQ ��

RS V IMP RS V EQ� ��

RS V strengthen ��

RS V true ��

RS V ty �

RT �

RT DEF �

RT RA ��

RT REV ��

RT REV CONS ��

rule ��

rule ��

rule� ��

rules � � ��

run ��

run ty ��

s ��

S ��

s ��

S� ��

Index ��

s� ��

s IDENT DEF ��

S cont � ��

s rules ��

S S cont � ��

second P m A SUB VALUE OF P m B

��

seq � ��

SEQ ��

SEQ THM ��

SEQ� ��

SEQ� THM ��

SEQ� ��

SEQ� THM ��

seq ��

seq map ��

seq rules �

sessionkey ��

SET INDUCT REST TAC �

set minus APPEND ��

set minus Axiom ��

set minus cancel ��

set minus set minus x �

set minus single Axiom ��

set minus x Axiom �

SET SPEC AND ��

SET SPEC EQ ��

SET SPEC OR ��

SET SPEC TAC ��

set to list ��

set to list� aux �

set to list� DEF �

set to list aux ��

set to list aux DEF ��

set to list Axiom ��

set to list DEF ��

set to list list to set sing ��

sg ��

simpler goal ��

simplify goal ��

SING ��

sing APPEND �

SING GSPEC �

sing set minus �

SINGLE REWRITE TAC ��

singleton set ��

SL DEF ��

SL LENGTH ��

SL min ��

SL REFLEXIVE ��

SL TL ��

slm ��

slm� ��

slm �

slm� �

slm� ��

slm� ��

slm� ��

slm� ��

slm� ��

slm� ��

slm� ��

slm ��

smallest �rst �

smin aux DEF ��

smin Axiom ��

smin DEF ��

sml DEST ��

snh ��

SOME DEF ��

SOME EL � ��

SOME EL � ��

SOME EVERY failure ��

SOME is failure value ��

SOME is failure value � ��




SOME NOT EVERY ��

sort Axiom ��

sort insert commute ��

sort lemma ��

sort single ��

sprint ��

SR ��

SR prove ��

st ��

ST � ��

ST DEF ��

ST expose ��

ST lambda right ��

ST LENGTH ��

ST min ��

st old ��

ST REFL ��

ST right lambda ��

state ��

state assume ��

state invar DEF ��

Step ��

step ��

step� ��

step� ��

step� ��

steps ��

steps ��

steps� ��

steps DEF ��

Index

stm ��

stm� ��

stm ��

stm� �

stm� ��

stm� ��

stm� ��

stm� ��

stm� ��

stm� ��

stm� ��

stm ��

STRENGTHEN TAC ��

strengthen tac ��

string CONV ��

string EQ CONV ��

string EQ TAC ��

string list to string ��

string REDUCE TAC ��

strong set induct lemma � �

STRONG SET INDUCT TAC �

strong set induct thm �

stronger P m ��

stronger P m� ��

stronger P m� � ��

stronger P m� � ��

stronger PC V INVAR ��

stronger Usage V MK FH� ��

sub goal ��

sub lemma ��

SUB LESS ��

SUB RULES ��

SUB VALUE OF DEF �

SUB VALUE OF failure ��

SUB VALUE OF name ��

SUB VALUE OF out msg dec ��

SUB VALUE OF out msg enc ��

SUB VALUE OF P g ��

SUB VALUE OF P g� ��

SUB VALUE OF P lap �

SUB VALUE OF P lt ��

SUB VALUE OF P masterkey table ��

SUB VALUE OF P rr ��

SUB VALUE OF symbol ��

SUB VALUE OF value list ��

SUB VALUE OF value list tac ��

sub value TRANSITIVE lemma ��

SUBSET FL ��

subterm ��

SUC num ��

SUC OR � �

SUC SUB ��

surface rules ��

surface rules� ��

SYM IMP ��

sym rule ��

symbol �

symbol �

symbol dec enc ��

symbol IS WF value ��

symbol P masterkey table PROTECTED�

BY P m� B � ��

symbol PROTECTED BY P dec ��

symbol PROTECTED BY P enc ��

symbol PROTECTED BY P enc P dec tac

��

symbol PROTECTED BY P g ��

symbol PROTECTED BY P g� ��

symbol PROTECTED BY P l� ��

symbol PROTECTED BY P lt ��

symbol PROTECTED BY P lt P rr tac

��

symbol PROTECTED BY P rr ��

symbol SUB VALUE OF P dec ��

symbol SUB VALUE OF P enc ��

symbol SUB VALUE OF P enc P dec tac

��

symbol SUB VALUE OF P g ��

symbol SUB VALUE OF P g� ��

symbol SUB VALUE OF P l� �

symbol SUB VALUE OF P lt ��

symbol SUB VALUE OF P masterkey�

table ��

symbol SUB VALUE OF P rr �

SYMMETRIC eq IN SAME CONV ��

SYMMETRIC IN SAME CONV �

syntax rules ��

t � ��

t ��

t� ��

T �

T BDIFF ��

T IN CPR ��

tab ��

��

tab� ��

tabx ��

tac ��

��

tac ��

tac� ��

tac� ��

tac� ��

Term EQ DEF ��

Term EQ REFL ��

Term EQ SYM EQ ��

Term EQ TRANS ��

Index �

Term IMP DEF ��

Term IMP REFL ��

Term IMP TRANS ��

Term IS WF CONV ��

Term SUB AF DEF ��

Term SUB Term DEF ��

Term V AF V AF REPLACE Term ��

Term V arg list V Terms REPLACE Term

��

Term V Ass V Ass REPLACE Term ��

Term V IMP Term EQ ��

Term V Term EQ� ��

Term V Term REPLACE Term lm ��

Term V Term V Term REPLACE Term

��

THEN CONV ��

thm ��

thm term ��

tm � ��

��

��

tm� ��

TM ��

tm ��

��

TM� �

TM� THM ��

TM ��

TM THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM THM ��

TM� ��

tm� ��

��

TM� THM ��

TM� ��

tm� ��

TM� THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM� ��

TM� THM ��

TM ��

TM THM ��

TM rules ��

TM rules ��

TM rules� �

TM tac ��

TM tac� �

TM tac� �

tmp goals ��

TOTAL ANTISYM ��

TOTAL REFLEXIVE ��

TOTAL TRANSITIVE ��

tp ��

TP V DEF ��

TP V IMP TP V �

TP V strengthen ��

TP V true ��

TP V ty ��

TP V Unpred simplify ��

TRANSITIVE IN SAME CONV �

TRANSITIVE SUB VALUE OF ��

tree to list DEF ��

triv equal ��

TrivSP ��

True ��

TUPLE IN GPSEC CONV �

Type ��

Type INDUCT TAC ��

type list ��

type name list ��

type synonym ��

TYPES DECLARED IDS ��

TYPES DEF ��

TYPES ID OWNERS ��

uc fn su�x ��

uc su�x ��

UNDISCH BOTTOM TAC ��

UNDISCH KEEP TAC ��

UNDISCH SPLIT ��

UNDISCH TOP TAC ��

UNION DELETE ��

UNION DIFF ��

UNION EQ EMPTY �

UNION EQ SING ��

UNION INSERT �

UNION lm ��

unique num ��

us ��

Index

us� ��

us� ��

Usage ��

usage ��

Usage EQ DEF ��

Usage EQ REFL ��

Usage EQ SYM EQ ��

Usage EQ TRANS ��

Usage IMP DEF ��

Usage IMP MP ��

Usage IMP REFL ��

Usage IMP TRANS ��

Usage V DEF �

Usage V EQ Usage V IMP Usage EQ ��

Usage V EVERY ��

Usage V FLST ��

Usage V FLST EVERY PRESERVES INV

��

Usage V MAP ��

Usage V MAP EQ MAP Usage V ��

Usage V MK FH� ��

Usage V ty �

Usage V Usage V MAP ��

usx ��

v l vl ��

v l vl ISO ��

value �

value IN set CONV ��

value INDUCT TAC ��

value induct thm ��

value list� INDUCT TAC ��

value list extension ��

value list INDUCT TAC ��

value list value �

value rec thm ��

value rules �

value to list Axiom �

value TOTAL ORDER antisym ��

value TOTAL ORDER Axiom �

value TOTAL ORDER Def �

value uniqueness thm �

vl v l ��

vl v l ISO ��

wait �

WEAKEN ANT THEN TAC ��

wf APPEND ��

wf aux xor ��

wf list Axiom ��

wf set minus �

wf sort ��

wf value Axiom ��

wf value to list ��

x ��

xor ��

XOR DEF ��

XX ID OWNER CONS EQ SING ��

XX ID OWNER idempot ��

XX ID OWNERS CONS UNION ��

XX ID OWNERS EQ EMPTY ��

XX ID OWNERS SING XX ID OWNERS�

EMPTY ��

XX REPLACE Term ��

z ��

ZERO LESS ��

ZERO LESS EQ ��

ZERO LESS SUC ��

hol�library�tactics�sml �

hol�library�tactics�sml

��

�� aux� functions ��

�� Convert a theorem to the corresponding term ��

fun thm�term thm � �snd �dest�thm thm��

exception Position of string�

fun position e � raise Position �Error� Element is not in list�

position e �a��ls� � if e�a then � else � � �position e ls��

val gname � Lib�fresh�name �gv��

fun my�genvar ty � mk�var �Name � gname�� Ty � ty��

fun project p �

project p �e��ls� � if �p e�

then e��project p ls�

else project p ls�

exception Get of string�

fun get i � raise Get �Error� Index is out of range�

get i �e��ls� � if i � � then e

else �get �i � �� ls��

�� lemmas ��

�� func�lemma f x y � � x � y �� f x � f y ��

fun func�lemma f x y �

let val zzzzz � my�genvar �type�of x�

in �prove �� x � �y � �� f �x � �f �y ��

�ACCEPT�TAC

�DISCH �� x � �y ��

�SUBST

�thm�ASSUME �� x � �y �� var � �� zzzzz ��

�� f �x � �f �zzzzz ��

�prove �� f �x � �f �x �� REWRITE�TAC��

end�

�� Various tactics ��

�� PRINT�TAC

print the current goal ��

� hol�library�tactics�sml

fun PRINT�TAC �p�c� �

��print ��n GOAL� premises��n��

map �fn pi �� print�term pi�print ��n�� p�

print ��n GOAL� conclusion��n��

print�term c�

print ��n�� ALL�TAC �p�c��

��

establish

� �Pv �� Q� �� x�Px� �� Q�

��

fun gen�ant xpx v q �

let val �Body�Bvar�� dest�forall xpx�

val pv � subst �redex � Bvar� residue�v� Body in

�DISCH �mk�imp �ant�pv�conseq�q��

�DISCH xpx

�MP �ASSUME�mk�imp�ant�pv�conseq�q��

�SPEC v �ASSUME xpx��

end�

��

��x�Px� �� Q

�� GEN�ANT�TAC �v�

Pv �� Q

��

fun GEN�ANT�TAC v g �

let val ��a��term�list�� conc� � g�

val �ant�conseq� � dest�imp conc�

val �Bvar�Body� � dest�forall ant in

��a� mk�imp�ant��subst �residue�v�redex�Bvar� Body��

conseq�conseq��

fn ts �� MP �gen�ant ant v conseq� �hd ts��

end�

��

testing

gen�ant ��x��a�Px�� v��a�� q�bool��

g ��x��a�P x� �� Q��

e �GEN�ANT�TAC ��v��a��

g ��P Q v� ��x��a�Px �� Q� �� Pv ��Q��

g ��Q��a��bool��P��a��bool�� x� P x� �� Q y��

e �GEN�ANT�TAC ��Q��a��bool��

e �GEN�ANT�TAC ��y��a��

��

��

LIST�GEN�ANT�TAC

like GEN�ANT�TAC� but accepts lists of specializations�


��

fun LIST�GEN�ANT�TAC � ALL�TAC

LIST�GEN�ANT�TAC �e��ls� �

��GEN�ANT�TAC e� THEN �LIST�GEN�ANT�TAC ls��

��

P

�� ADD�CONJ�TAC � Q

P �� Q

��

fun ADD�CONJ�TAC q g �

let val �gas� gconc� � g in

��gas� mk�conj�conj��gconc�conj��q��

fn ts �� CONJUNCT� �hd ts��

end�

�� test

g �T��

e �ADD�CONJ�TAC ��F �� T��

e Taut�PTAUT�TAC�

��

��

REVERSE�REWRITE

��

fun REVERSE�REWRITE thm �

GEN�ALL �SYM �SPEC�ALL thm��

��

IMP�CONJ�TAC

P �� Q �� R�

��

�P �� Q� �� R

��

fun IMP�CONJ�TAC g �

let val �a�c� � g�

val �ant�p�conseq�qr� � �dest�imp c��

val �ant�q� conseq�r� � �dest�imp qr� in

��a�term list� mk�imp�ant�list�mk�conjp� q� conseq�r��

fn ts �� MP �SPEC r �SPEC q �SPEC p

�GEN ��P�bool�� GEN ��Q�bool�� GEN ��R�bool��

�Compat�PROVE ��P �� Q� �� R� �� P �� Q �� R��

Taut�TAUT�TAC�� hd ts��

end�

��


test

g �P �� Q �� R �� T��

e �REPEAT IMP�CONJ�TAC��

��

��

STRENGTHEN�TAC Q t

P

� provided can prove � Q �� P as a tautology using tactic t

Q

��

fun STRENGTHEN�TAC q t g �

let val �a� term list�p� � g in

��a�q��

fn th ��

MP �Compat�PROVE�mk�imp�ant�q�conseq�p�� t THEN Taut�TAUT�TAC��

�hd th��

end�

��

test

g �P �� Q��

e �STRENGTHEN�TAC ��Q�bool�� Taut�TAUT�TAC��

��

��

UNDISCH�TOP�TAC

reverse of �� elimination�

��

fun UNDISCH�TOP�TAC g �

let val �a�p� � g in

UNDISCH�TAC �hd a� g

end�

�� test

set�goal � ��a��bool�� a��bool�� a��bool�� g�bool��

e UNDISCH�TOP�TAC�

��

��

UNDISCH�BOTTOM�TAC

reverse of �� elimination�

��

fun UNDISCH�BOTTOM�TAC g �

let val �a�p� � g in

UNDISCH�TAC �hd �rev a�� g

end�

�� test


set�goal � ��a��bool�� a��bool�� a��bool�� g�bool��

e UNDISCH�BOTTOM�TAC�

��

fun MK�ARITH�REWRITE f �

let val ft � SPEC f �Compat�PROVE ��mk�forall

�Bvar� ��P�bool��

Body��mk�imp�ant� ��P�T�� conseq� ��P�bool��

Taut�TAUT�TAC�� in

MP ft �ARITH�CONV f�

end�

�� test

MK�ARITH�REWRITE � ��

��

�� REPEAT�UNTIL�STABLE t� applies tactic t until the resulting goal

is identical to the previous goal� or t fails ��

fun REPEAT�UNTIL�STABLE tac asc �

let val �gs�v� � �tac ORELSE ALL�TAC� asc

in �if gs � asc

then �gs�v�

else ��tac THEN �REPEAT�UNTIL�STABLE tac�� asc��

end�

��

set�goal ��A �� B �� C �� D��

e �REPEAT�UNTIL�STABLE BETA�TAC��

��

��

PURE�DEF �x��xn� f x� �� xn � e

is converted to

f � �x��xn�e

��

fun PURE�DEF t �

let

val th� � SPEC�ALL t�

fun move�right t � let val �lhs�rhs� � �dest�eq t�

in

if �is�comb lhs�

then move�right

�mk�eq�lhs��Rator �dest�comb lhs��

rhs�mk�abs�Bvar��Rand �dest�comb lhs��

Body�rhs��

else t

end�

val goal � move�right �thm�term th��

in

if �thm�term t� � goal

then t


else prove�

goal�

��REPEAT �fn �p�c� �� REWRITE�TAC �t � FUN�EQ�CONV c��

THEN BETA�TAC THEN �REWRITE�TAC� THEN GEN�TAC��p�c�� THEN PRINT�TAC��

end�

�� testing

PURE�DEF �hd construct�defs��

FUN�EQ�CONV ��f��a��b� � �h��a��b��

FUN�EQ�CONV ��true � AF�abs JOINT�true��

map PURE�DEF construct�defs�

��

��

MUTREC�INDUCT�THEN�TAC thm tac

A � �x��P�x� �� xn�Pnxn

�� thm

A � A�� A � Am�

where �thm� is on the form

� A� �� Am �� x��P�x� �� xn�Pnxn

Ai� is Aixi where xi may be replaced by some other variable

to avoid clashes with A

��

fun MUTREC�INDUCT�THEN�TAC thm tac �

�fn �gass�gconc� ��

�let fun inst�list tr � if is�conj tr

then �mk�abs �dest�forall ��conj� �dest�conj tr��

�� inst�list ��conj� �dest�conj tr��

else mk�abs �dest�forall tr��

val thm� � BETA�RULE �SPECL �inst�list gconc� thm��

val �ant�conseq� � �dest�imp �thm�term thm��

in

��gass�ant��

fn ths �� MP thm� �hd ths��

end�� THEN �REPEAT CONJ�TAC� THEN tac�

�� old�version

RM�FUNC�TAC

f t� � f t�

�� RM�FUNC

t� � t�

fun RM�FUNC�TAC �a�c� �

let val �lhs�rhs� � dest�eq c�

val f � �Rator �dest�comb lhs��

val t� � �Rand�dest�comb lhs��

val t� � �Rand�dest�comb rhs��

val l � func�lemma f t� t��

in


��a�mk�eq�lhs�t��rhs�t��fn ths �� MP l �hd ths��

end�

��

��

RM�FUNC�TAC

f t� �� tn � f t�� tn�

�� RM�FUNC�TAC

t� � t�� tn�tn�

��

fun RM�FUNC�TAC �a�c� �

let fun get�conc�list l r � if �is�comb l�

then ��mk�eq�

lhs � �Rand �dest�comb l��

rhs � �Rand �dest�comb r��

�get�conc�list

��Rator �dest�comb l��

��Rator �dest�comb r��

else �

val �lhs�rhs� � dest�eq c�

val gc � list�mk�conj �get�conc�list lhs rhs��

val l � prove��mk�imp�ant�gc�

conseq� c��

��REPEAT STRIP�TAC� THEN

�ASM�REWRITE�TAC��

in

��a�gc��fn ths �� MP l �hd ths��

end�

��

testing

set�goal ��f��a��b ��c� t� t�� f t�� t��

e RM�FUNC�TAC�

set�goal ��f��a��c� t�� f t��

e RM�FUNC�TAC�

��

��

RM�FUNC��TAC

f t� � g t�

�� RM�FUNC��TAC

f � g� t� � t�

NOTE� Also checks if f � g� t� � t��

thus may result in �� or � remaining goals

��

val RM�FUNC��TAC �


�fn �a�c� ��

let val �lhs�rhs� � dest�eq c�

val f � �Rator �dest�comb lhs��

val g � �Rator �dest�comb rhs��

val t� � �Rand�dest�comb lhs��

val t� � �Rand�dest�comb rhs��

val l � ISPECL ��f��g��t��t��

�prove��f��a��b� g t� t��

��f � g� �� t� � t�� f t�� g t��

�REPEAT STRIP�TAC�

THEN ASM�REWRITE�TAC��

in

��a�mk�conj�conj� � mk�eq�lhs�f�rhs � g��

conj� � mk�eq�lhs�t��rhs�t��fn ths �� MP l �hd ths��

end�

THEN STRIP�TAC

THEN ��REWRITE�TAC THEN NO�TAC� ORELSE ALL�TAC��

��

set�goal��

��f��a��b��c� t� u�� h��a��b��c� t� u��

e �REPEAT RM�FUNC��TAC��

��

��

P� �� Q

�� WEAKEN�ANT�THEN�TAC P� tac

P� �� Q

provided P� �� P� can be proven using tactic tac

��

fun WEAKEN�ANT�THEN�TAC P� tac �a�g� �

let

val �ant�P��conseq�Q� � dest�imp g�

val trans�imp � prove�

��a b c� �a �� b� �� b �� c� �� a �� c��

Taut�TAUT�TAC�

in

�STRENGTHEN�TAC ��P� �� Q��

�ACCEPT�TAC

�MP

�SPECL��P��P��Q��

trans�imp�

�prove��P� �� P��tac��a�g�

end�

�� testing

set�goal ��P� �� Q��

e �WEAKEN�ANT�THEN�TAC ��P� �� P�� Taut�TAUT�TAC��

��

��

x � y �� Q

hol�library�tactics�sml ��

�� ADD�ANT�FUNC�TAC f

f x � f y �� Q

��

fun ADD�ANT�FUNC�TAC f �a�g� �

let val �lhs�x�rhs�y� � dest�eq ��ant �dest�imp g��

val Q � �conseq �dest�imp g��

val l � �func�lemma f x y�

in

�WEAKEN�ANT�THEN�TAC ��f �x� � ��f �y��

�ACCEPT�TAC �func�lemma f x y��a�g�

end�

�� testing

set�goal�� x��a� � y� �� Q��

e �ADD�ANT�FUNC�TAC ��z��a�� f z��a��

��

��

A !� R

�� LONG�DISJ�CASES�TAC A � P� �� Pn

A�P� !� R �� A�Pn !� R

��

fun LONG�DISJ�CASES�TAC thm �

�ASSUME�TAC thm

THEN �UNDISCH�TAC �thm�term thm��

THEN STRIP�TAC��

�� test

val t� �

�set�goal��x �� y �� z �� t��x �� y �� z �� t��

e UNDISCH�TOP�TAC�

e Taut�TAUT�TAC�

top�thm��

set�goal��x �� y �� z �� t��R�bool��

e �LONG�DISJ�CASES�TAC t��

��

val EQ�RULE �

prove��t� �t��bool��t��t�� t��t�� t��t��

�STRIP�TAC THEN STRIP�TAC THEN EQ�TAC THEN �REPEAT STRIP�TAC� THEN

��EQ�TAC THEN �REPEAT UNDISCH�TOP�TAC� THEN Taut�TAUT�TAC THEN NO�TAC�

ORELSE

�ASM�REWRITE�TAC THEN NO�TAC�

ORELSE

��REPEAT UNDISCH�TOP�TAC�


THEN �PURE�ONCE�REWRITE�TAC SYM�CONV ��t��bool�t��

THEN �REPEAT STRIP�TAC�

THEN �ASM�REWRITE�TAC� ��

val EQ�NEG�TO�EQ�RULE �

prove��p q� �"p � "q� � �p � q��

�REPEAT STRIP�TAC�

THEN �REWRITE�TACEQ�RULE�

THEN Taut�TAUT�TAC��

val COND�TO�IMP�RULE �

prove� ��p q��p �� q T� � �p �� q��

� �REWRITE�TACEQ�RULE�

THEN STRIP�TAC

THEN STRIP�TAC

THEN COND�CASES�TAC

THEN �REPEAT UNDISCH�TOP�TAC�

THEN Taut�TAUT�TAC��

��

SINGLE�REWRITE�TAC

ONCE�REWRITE�TACrs seems to apply the rules in rs once�

possibly giving rise to substitutions in several sub terms�

SINGLE�EQ�REWRITE�TAC � lhs � rhs

performs a single substitution of lhs by rhs�

��

fun SINGLE�REWRITE�TAC thm �a�g� �

let val �lhs�rhs� � dest�eq �thm�term thm��

val l � genvar �type�of lhs��

val r � genvar �type�of rhs��

val g� � subst�occs �

�redex � lhs� residue � l� g�

val g� � subst�occs �

�redex � lhs� residue � r� g�

val lemma � prove��l �r� ��l � �r� �� g� � �g��

�REPEAT STRIP�TAC� THEN ASM�REWRITE�TAC��

in

PURE�ONCE�REWRITE�TACMP �SPECLlhs�rhs lemma� thm �a�g�

end�

�� test

set�goal��

��P �� Q �� R �� Q � Q��

e �SINGLE�REWRITE�TAC �prove��Q�bool� � �""�Q �� Q�� Taut�TAUT�TAC��

compare with

set�goal��

��P �� Q �� R �� Q � Q��

e �PURE�ONCE�REWRITE�TAC prove��Q�bool� � �""�Q �� Q�� Taut�TAUT�TAC��


��

��

��

Q �x�P x

�� REMOVE�SELECT�TAC �x�P x

!x�P� �x�P �� Q

��

fun REMOVE�SELECT�TAC t �a�g� �

let

val �Body � P� Bvar � x� � dest�select t�

val Q � subst �redex � t� residue � x� g�

val rule � SELECT�CONV �subst �redex � x� residue � t� P��

val lemma � prove� ��P��a��bool� �Q��a��bool��

�!x� P x� �� x��P x� �� Q x�� Q ��x� �P x��

PURE�REWRITE�TAC

prove��p q r� �p �� q �� r�

� �p �� q �� r��

Taut�TAUT�TAC�

THEN STRIP�TAC

THEN STRIP�TAC

THEN �PURE�ONCE�REWRITE�TAC

REVERSE�REWRITE�SELECT�CONV ��P ��x��a� P x��

THEN DISCH�TAC

THEN �GEN�ANT�TAC ��x��a� P x��

THEN ASM�REWRITE�TAC��

val lemma� � BETA�RULE

�ISPECL ��x��P�� x��Q�� lemma��

in

��MATCH�MP�TAC lemma��

THEN CONJ�TAC� �a�g�

end�

�� test

set�goal��Q��a �� bool� ��x��P��a��bool� x��

e �REMOVE�SELECT�TAC ��x��a��P x��

��

��

�� A � B

�� UNDISCH�KEEP�TAC A

A � A �� B

��

fun UNDISCH�KEEP�TAC t �a�g� �

��UNDISCH�TAC t� THEN

PURE�ONCE�REWRITE�TAC

SPECL t�g

�� hol�library�tactics�sml

�prove��a b� �a ��b� � �a �� a �� b��

Taut�TAUT�TAC��

THEN STRIP�TAC��a�g��

��

set�goal��P�bool��Q�bool�� R�bool�� W�bool��

e �UNDISCH�KEEP�TAC ��Q�bool��

��

��

NEG�ADD�FUNC�TAC

"�t� � t��

�� NEG�ADD�FUNC�TAC f

"��f t�� f t��

��

fun NEG�ADD�FUNC�TAC f �p�c� �

let

val �lhs�rhs��dest�eq�dest�neg c��

val res � mk�neg �mk�eq�lhs�mk�comb�Rator�f�Rand�lhs��

rhs�mk�comb�Rator�f�Rand�rhs��

val justify � prove�

��res� �� c��

�ASSUME�TAC �func�lemma f lhs rhs��

THEN UNDISCH�TOP�TAC

THEN Taut�TAUT�TAC�

in

��p�res��fn ths �� MP justify �hd ths��

end�

��testing

set�goal��#�#��"�t��a � t��

e �NEG�ADD�FUNC�TAC ��h��a��b��

��

��

�� Extract paired beta redexes from term ��

exception unknown�hol�term�type of term�

fun get�beta�redex t �

�if �is�abs t� then

�let val �Body�Bvar� � dest�abs t

in �append �get�beta�redex Body� �get�beta�redex Bvar��

end�

else if �is�comb t� then

�let val �Rand�Rator� � dest�comb t

in �if �is�pabs Rator�

then �append t

�append �get�beta�redex Rand� �get�beta�redex Rator��

else �append �get�beta�redex Rand� �get�beta�redex Rator��

end�

else if �is�cond t� then


�let val �cond� larm� rarm� � dest�cond t

in �flatten

�get�beta�redex cond��

�get�beta�redex larm��

�get�beta�redex rarm��

end�

else if �is�conj t� then

�let val �conj�� conj�� dest�conj t

in �append �get�beta�redex conj�� get�beta�redex conj��

end�

else if �is�const t� then

else if �is�disj t� then

�let val �disj�� disj�� dest�disj t

in �append �get�beta�redex disj�� get�beta�redex disj��

end�

else if �is�eq t� then

�let val �lhs�rhs� � dest�eq t

in �append �get�beta�redex lhs� �get�beta�redex rhs��

end�

else if �is�exists t� then

�let val �Body�Bvar� � dest�exists t


end�

else if �is�forall t� then

�let val �Body�Bvar� � dest�exists t


end�

else if �is�imp t� then

�let val �ant� conseq� � dest�imp t

in �append �get�beta�redex ant� �get�beta�redex conseq��

end�

else if �is�let t� then

�let val �arg�func� � dest�let t

in �append �get�beta�redex arg� �get�beta�redex func��

end�

else if �is�list t� then

�let val �els�ty� � dest�list t

in �flatten �map get�beta�redex els��

end�

else if �is�neg t� then

�get�beta�redex �dest�neg t��

else if �is�pabs t� then

�let val �body�varstruct� � dest�pabs t

in �append �get�beta�redex body� �get�beta�redex varstruct��

end�

else if �is�pair t� then

�let val �fst�snd� � dest�pair t

in �append �get�beta�redex fst� �get�beta�redex snd��

end�

else if �is�select t� then

�let val �Body�Bvar� � dest�select t


end�

else if �is�var t� then

else �raise �unknown�hol�term�type t��

handle unknown�hol�term�type v �� print ��nUnknown type of object� �� print�term t� v��

�� hol�library�sml�sml

��

get�beta�redex ��a�b�c�� a � b � c� ��

get�beta�redex

��is�failure�value

��local�global�arity��

�global

��local�global�arity�� global � �local�error��x� value list� P�null��

�local�error��ls� P�lt �EL ls��

��

�� remove one paired beta redex ��

fun PAIRED�BETA�TAC �a�g� �

let val redex�list � get�beta�redex g

in

�PURE�REWRITE�TAC PAIRED�BETA�CONV �hd �rev redex�list��a�g�

end�

�� remove all beta redexes including the paired ones ��

val FULL�BETA�TAC �

�REPEAT�UNTIL�STABLE

��PAIRED�BETA�TAC ORELSE ALL�TAC�

THEN BETA�TAC��

fun PAIRED�BETA��TAC �a�g� �

let val redex�list � get�beta�redex g�

fun brv �

brv �e��ls� � ��PAIRED�BETA�CONV e��

�brv ls��

handle any�error �� brv ls��

in

PURE�REWRITE�TAC �brv redex�list��a�g�

end�

�� remove all beta redexes including the paired ones ��

val FULL�BETA��TAC �

�REPEAT�UNTIL�STABLE

�PAIRED�BETA��TAC

THEN BETA�TAC��

hol�library�sml�sml

��

hol�library�sml�sml ��

fun type�synonym s � ty�antiq�type�parser QUOTE s ��

fun sprint s � IO�output�IO�std�out�s��

fun newline �� IO�output�IO�std�out��n��

�� name�list�var�prod tp ls� where �tp� is a cartesian product with n factors�

and �ls� is a list of n identifiers� generates a pair ��prod�id�types��

where �prod� is a tuple of identifiers from �ls� typed according to �tp��

�id�types� is a list of identifier� typed identifier pairs� ��

fun name�list�var�prod tp a �

�prod � mk�var�Name�a��v��Ty�tp��

id�types� �a�mk�var�Name�a��v��Ty�tp��

name�list�var�prod tp �a �� b �� c��

let val �Tyop�Args� � dest�type tp

val �prod�id�types� � name�list�var�prod �hd �tl Args�� b �� c��

val tp � mk�pair�fst � mk�var�Name�a��v��Ty� hd Args�� snd � prod�

in

�prod � tp� id�types � �a�mk�var�Name�a��v��Ty� hd Args��id�types�

end�

�� given a list of tags �tl�� the type of �tl�� tp� ��tl� viewed as a product��

and an identifier �string� standing for the name of the type �tl�� tp�name�

generate the selector functions for �tp�� one for each tag�

The selectors are named s��tagi��tp�name�� and they are stored in the theory file

under the name s��tagi��tp�name��DEF� ��

fun mk�selector�tl�tp� tp�name� �

let val �prod�id�types� � �name�list�var�prod �type�of ��x��tp�� tl�

in map

�fn �id�tpd�id� ��

�let val s �

mk�var�Name��s��id��tp�name�

Ty�mk�type�Tyop � �fun��

Args�type�of ��prod�� type�of��tpd�id��

in

�new�definition�

�s��id��tp�name��DEF��

��s �prod � �tpd�id��

end��

id�types

end�

�� test� example

mk�selector ��local�res�� net�funcs�� funcdef�� id�owner��

�all�roles�� all�principals�� last�run�� all�casts�� env�s� �env��

val bn � ty�antiq ��bool�num��

mk�selector��b��n�� bn��bn��

�� hol�library�sml�sml

��

��generating unique numbers��

val unique�num � ref �

fun get�unique ��

�unique�num �� unique�num �� Makestring�intToStr ��unique�num��

�� construct is�t��t� x ��

�� is�t��t� x� is true iff x is constructed using the

constructor associated with the type t��

It is assumed that t� is a disjoint sum containing the summand t��

fun mk�unique�arg�list n �

if n$�

then � �

else �� unique��get�unique��mk�unique�arg�list �n��

�� first constructs the defining equation for a single t� ��

fun mk�is�tag�def�lines �� tag��tp��outer�tp� � � �

mk�is�tag�def�lines��tp�tag�arg�no��tag��tp��outer�tp��

��is�� tp� � �� outer�tp �

� �� tag � �mk�unique�arg�list arg�no� � ��

�if tag��tag then � T� � else � F� ��

mk�is�tag�def�lines��tp�tag�arg�no��ls��tag��tp��outer�tp��

��is�� tp� � ��outer�tp � � �� tag �

�mk�unique�arg�list arg�no� � ��

�if tag��tag then � T� � else � F� �� n � �

�mk�is�tag�def�lines�ls�tag��tp��outer�tp��

�� mk�is�tag�def ttas outer�tp ra� defines the �is�x�t� functions

for each of the cases of the sum�type �outer�tp�� ra� is the defining

axiom for �outer�tp�� t� stands for �outer�tp� �we need uniqueness�

and we want to allow same summand names in different sum types��

�ttas� is a list of �type� constructor� number of fields� for each of

the summands of �outer�tp��

fun mk�is�mut�rec�tag�def�aux ttas outer�tp ra �

map

�fn �tp�tag�arg�no� �� sprint tp� newline��

· Index A goal A THM A thm A goal A THM A thm A goal A THM A thm a l al a l al ISO abs abs abs...

Documents

Transcript of · Index A goal A THM A thm A goal A THM A thm A goal A THM A thm a l al a l al ISO abs abs abs...