(* (C) Copyright Andreas Viktor Hess, DTU, 2015-2018 All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *) (* Title: StrandsAndConstraints.thy Author: Andreas Viktor Hess, DTU *) section {* Theory: Definitions and Theorems Related to Strands and Intruder Constraints *} theory StrandsAndConstraints imports Messages Unification2 IntruderDeduction begin subsection {* Constraints, Intruder Strands and Related Definitions *} datatype (funs\<^sub>s\<^sub>t\<^sub>p: 'a, (* vars\<^sub>s\<^sub>t\<^sub>p: *) 'b) strand_step = Send (trm\<^sub>s\<^sub>t\<^sub>p: "('a,'b) term") ("snd\_\" 80) | Receive (trm\<^sub>s\<^sub>t\<^sub>p: "('a,'b) term") ("rcv\_\" 80) | Equality (trm\<^sub>s\<^sub>t\<^sub>p: "('a,'b) term") (trm_r\<^sub>s\<^sub>t\<^sub>p: "('a,'b) term") ("_ \ _" [80,80]) | Inequality (bvars\<^sub>s\<^sub>t\<^sub>p: "'b list") (trm\<^sub>s\<^sub>t\<^sub>p: "('a,'b) term") (trm_r\<^sub>s\<^sub>t\<^sub>p: "('a,'b) term") ("\_\_ \ _\" [80,80]) where "trm_r\<^sub>s\<^sub>t\<^sub>p (Send t) = t" | "trm_r\<^sub>s\<^sub>t\<^sub>p (Receive t) = t" | "bvars\<^sub>s\<^sub>t\<^sub>p (Send _) = []" | "bvars\<^sub>s\<^sub>t\<^sub>p (Receive _) = []" | "bvars\<^sub>s\<^sub>t\<^sub>p (Equality _ _) = []" definition vars\<^sub>s\<^sub>t\<^sub>p where "vars\<^sub>s\<^sub>t\<^sub>p x \ FV (trm\<^sub>s\<^sub>t\<^sub>p x) \ FV (trm_r\<^sub>s\<^sub>t\<^sub>p x) \ set (bvars\<^sub>s\<^sub>t\<^sub>p x)" declare vars\<^sub>s\<^sub>t\<^sub>p_def[simp] definition trms\<^sub>s\<^sub>t where "trms\<^sub>s\<^sub>t S \ trm\<^sub>s\<^sub>t\<^sub>p ` set S \ trm_r\<^sub>s\<^sub>t\<^sub>p ` set S" declare trms\<^sub>s\<^sub>t_def[simp] type_synonym ('a,'b) strand = "('a,'b) strand_step list" type_synonym ('a,'b) strands = "('a,'b) strand set" abbreviation strand_step_prepend (infixr ":" 65) where "(b::('f,'v) strand_step):A \ b#A" abbreviation strand_step_append (infixr ":" 65) where "A:(b::('f,'v) strand_step) \ A@[b]" abbreviation strand_append (infixr ":" 65) where "(A::('f,'v) strand):B \ A@B" definition FV\<^sub>s\<^sub>n\<^sub>d::"('a,'b) strand_step \ 'b set" where "FV\<^sub>s\<^sub>n\<^sub>d x \ case x of snd\t\ \ FV t | _ \ {}" definition FV\<^sub>r\<^sub>c\<^sub>v::"('a,'b) strand_step \ 'b set" where "FV\<^sub>r\<^sub>c\<^sub>v x \ case x of rcv\t\ \ FV t | _ \ {}" definition FV\<^sub>e\<^sub>q::"('a,'b) strand_step \ 'b set" where "FV\<^sub>e\<^sub>q x \ case x of (s \ t) \ FV s \ FV t | _ \ {}" definition FV_r\<^sub>e\<^sub>q::"('a,'b) strand_step \ 'b set" where "FV_r\<^sub>e\<^sub>q x \ case x of (s \ t) \ FV t | _ \ {}" definition FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q::"('a,'b) strand_step \ 'b set" where "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x \ case x of (\X\s \ t\) \ (FV s \ FV t) - set X | _ \ {}" fun FV\<^sub>s\<^sub>t\<^sub>p::"('a,'b) strand_step \ 'b set" where "FV\<^sub>s\<^sub>t\<^sub>p (Send t) = FV t" | "FV\<^sub>s\<^sub>t\<^sub>p (Receive t) = FV t" | "FV\<^sub>s\<^sub>t\<^sub>p (Equality t t') = FV t \ FV t'" | "FV\<^sub>s\<^sub>t\<^sub>p (Inequality X t t') = FV t \ FV t' - set X" definition FV\<^sub>s\<^sub>t::"('a,'b) strand \ 'b set" where "FV\<^sub>s\<^sub>t S \ \(set (map FV\<^sub>s\<^sub>t\<^sub>p S))" definition vars\<^sub>s\<^sub>t::"('a,'b) strand \ 'b set" where "vars\<^sub>s\<^sub>t S \ \(set (map vars\<^sub>s\<^sub>t\<^sub>p S))" definition bvars\<^sub>s\<^sub>t::"('a,'b) strand \ 'b set" where "bvars\<^sub>s\<^sub>t S \ \(set (map (set \ bvars\<^sub>s\<^sub>t\<^sub>p) S))" fun vars2\<^sub>s\<^sub>t::"('a,'b) strand \ 'b set" where "vars2\<^sub>s\<^sub>t [] = {}" | "vars2\<^sub>s\<^sub>t (Inequality _ t t'#S) = vars2\<^sub>s\<^sub>t S" | "vars2\<^sub>s\<^sub>t (x#S) = vars\<^sub>s\<^sub>t\<^sub>p x \ vars2\<^sub>s\<^sub>t S" definition wfvarsoccs\<^sub>s\<^sub>t\<^sub>p where "wfvarsoccs\<^sub>s\<^sub>t\<^sub>p x \ case x of snd\t\ \ FV t | s \ t \ FV s | _ \ {}" definition wfvarsoccs\<^sub>s\<^sub>t where "wfvarsoccs\<^sub>s\<^sub>t S \ \set (map wfvarsoccs\<^sub>s\<^sub>t\<^sub>p S)" definition funs\<^sub>s\<^sub>t::"('a,'b) strand \ 'a set" where "funs\<^sub>s\<^sub>t S \ \(set (map funs\<^sub>s\<^sub>t\<^sub>p S))" fun eqs_rhs\<^sub>s\<^sub>t where "eqs_rhs\<^sub>s\<^sub>t [] = {}" | "eqs_rhs\<^sub>s\<^sub>t (Equality t t'#S) = insert t' (eqs_rhs\<^sub>s\<^sub>t S)" | "eqs_rhs\<^sub>s\<^sub>t (x#S) = eqs_rhs\<^sub>s\<^sub>t S" definition subst_apply_strand_step::"('a,'b) strand_step \ ('a,'b) subst \ ('a,'b) strand_step" (infix "\\<^sub>s\<^sub>t\<^sub>p" 51) where "s \\<^sub>s\<^sub>t\<^sub>p \ \ (case s of snd\t\ \ snd\t \ \\ | rcv\t\ \ rcv\t \ \\ | t \ t' \ (t \ \) \ (t' \ \) | \X\t \ t'\ \ \X\(t \ (rm_vars (set X) \)) \ (t' \ (rm_vars (set X) \))\)" definition subst_apply_strand::"('a,'b) strand \ ('a,'b) subst \ ('a,'b) strand" (infix "\\<^sub>s\<^sub>t" 51) where "S \\<^sub>s\<^sub>t \ \ map (\x. x \\<^sub>s\<^sub>t\<^sub>p \) S" fun simple::"('a,'b) strand \ bool" where "simple [] = True" | "simple (rcv\t\#S) = simple S" | "simple (snd\Var v\#S) = simple S" | "simple (\_\s \ t\#S) = simple S" | "simple (_#S) = False" fun ik\<^sub>s\<^sub>t::"('a,'b) strand \ ('a,'b) terms" where "ik\<^sub>s\<^sub>t [] = {}" | "ik\<^sub>s\<^sub>t (rcv\t\#S) = insert t (ik\<^sub>s\<^sub>t S)" | "ik\<^sub>s\<^sub>t (_#S) = ik\<^sub>s\<^sub>t S" fun wf\<^sub>s\<^sub>t::"'b set \ ('a,'b) strand \ bool" where "wf\<^sub>s\<^sub>t V [] = True" | "wf\<^sub>s\<^sub>t V (rcv\t\#S) = (FV t \ V \ wf\<^sub>s\<^sub>t V S)" | "wf\<^sub>s\<^sub>t V (snd\t\#S) = wf\<^sub>s\<^sub>t (V \ FV t) S" | "wf\<^sub>s\<^sub>t V (s \ t#S) = (FV t \ V \ wf\<^sub>s\<^sub>t (V \ FV s) S)" | "wf\<^sub>s\<^sub>t V (\_\s \ t\#S) = wf\<^sub>s\<^sub>t V S" definition wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r::"('a,'b) strand \ ('a,'b) subst \ bool" where "wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r S \ \ (wf\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ wf\<^sub>s\<^sub>t {} S \ dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ vars\<^sub>s\<^sub>t S = {} \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ bvars\<^sub>s\<^sub>t S = {} \ FV\<^sub>s\<^sub>t S \ bvars\<^sub>s\<^sub>t S = {})" declare FV\<^sub>s\<^sub>n\<^sub>d_def[simp] declare FV\<^sub>r\<^sub>c\<^sub>v_def[simp] declare FV\<^sub>e\<^sub>q_def[simp] declare FV_r\<^sub>e\<^sub>q_def[simp] declare FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q_def[simp] declare FV\<^sub>s\<^sub>t_def[simp] declare vars\<^sub>s\<^sub>t_def[simp] declare bvars\<^sub>s\<^sub>t_def[simp] declare wfvarsoccs\<^sub>s\<^sub>t\<^sub>p_def[simp] declare wfvarsoccs\<^sub>s\<^sub>t_def[simp] declare subst_apply_strand_step_def[simp] declare subst_apply_strand_def[simp] declare wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r_def[simp] lemmas wf\<^sub>s\<^sub>t_induct = wf\<^sub>s\<^sub>t.induct[case_names Nil ConsRcv ConsSnd ConsEq ConsIneq] lemmas ik\<^sub>s\<^sub>t_induct = ik\<^sub>s\<^sub>t.induct[case_names Nil ConsRcv ConsSnd ConsEq ConsIneq] lemmas vars2\<^sub>s\<^sub>t_induct = vars2\<^sub>s\<^sub>t.induct[case_names Nil ConsIneq ConsSnd ConsRcv ConsEq] lemmas eqs_rhs\<^sub>s\<^sub>t_induct = eqs_rhs\<^sub>s\<^sub>t.induct[case_names Nil ConsEq ConsSnd ConsRcv ConsIneq] subsubsection {* Lexicographical measure on strands *} definition size\<^sub>s\<^sub>t::"('a,'b) strand \ nat" where "size\<^sub>s\<^sub>t S \ size_list (\x. size (trm\<^sub>s\<^sub>t\<^sub>p x)) S" definition measure\<^sub>s\<^sub>t::"((('a, 'b) strand \ ('a,'b) subst) \ ('a, 'b) strand \ ('a,'b) subst) set" where "measure\<^sub>s\<^sub>t \ measures [\(S,\). card (FV\<^sub>s\<^sub>t S), \(S,\). size\<^sub>s\<^sub>t S]" declare size\<^sub>s\<^sub>t_def[simp] declare measure\<^sub>s\<^sub>t_def[simp] lemma measure\<^sub>s\<^sub>t_alt_def: "((s,x),(t,y)) \ measure\<^sub>s\<^sub>t = (card (FV\<^sub>s\<^sub>t s) < card (FV\<^sub>s\<^sub>t t) \ (card (FV\<^sub>s\<^sub>t s) = card (FV\<^sub>s\<^sub>t t) \ size\<^sub>s\<^sub>t s < size\<^sub>s\<^sub>t t))" by simp lemma measure\<^sub>s\<^sub>t_trans: "trans measure\<^sub>s\<^sub>t" unfolding trans_def by auto subsubsection {* Some lemmas *} lemma trms\<^sub>s\<^sub>t_append: "trms\<^sub>s\<^sub>t (A@B) = trms\<^sub>s\<^sub>t A \ trms\<^sub>s\<^sub>t B" by auto lemma finite_ik\<^sub>s\<^sub>t[simp]: "finite (ik\<^sub>s\<^sub>t S)" by (induct S rule: ik\<^sub>s\<^sub>t.induct) simp_all lemma finite_eqs_rhs\<^sub>s\<^sub>t[simp]: "finite (eqs_rhs\<^sub>s\<^sub>t S)" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) simp_all lemma ik\<^sub>s\<^sub>tD[dest]: "t \ ik\<^sub>s\<^sub>t S \ rcv\t\ \ set S" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma ik\<^sub>s\<^sub>tD'[dest]: "t \ ik\<^sub>s\<^sub>t S \ t \ trm\<^sub>s\<^sub>t\<^sub>p ` set S" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma ik\<^sub>s\<^sub>tD''[dest]: "t \ \(subterms ` ik\<^sub>s\<^sub>t S) \ t \ \(subterms ` (trm\<^sub>s\<^sub>t\<^sub>p ` set S))" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma ik\<^sub>s\<^sub>tD'''[dest]: "t \ \(subterms ` ik\<^sub>s\<^sub>t S) \ t \ \(subterms ` (trms\<^sub>s\<^sub>t S))" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma eqs_rhs\<^sub>s\<^sub>tD[dest]: "t \ eqs_rhs\<^sub>s\<^sub>t S \ \t'. t' \ t \ set S" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) auto lemma eqs_rhs\<^sub>s\<^sub>tD'[dest]: "t \ eqs_rhs\<^sub>s\<^sub>t S \ t \ trm_r\<^sub>s\<^sub>t\<^sub>p ` set S" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) auto lemma eqs_rhs\<^sub>s\<^sub>tD''[dest]: "t \ \(subterms ` eqs_rhs\<^sub>s\<^sub>t S) \ t \ \(subterms ` (trm_r\<^sub>s\<^sub>t\<^sub>p ` set S))" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) auto lemma eqs_rhs\<^sub>s\<^sub>tD'''[dest]: "t \ \(subterms ` eqs_rhs\<^sub>s\<^sub>t S) \ t \ \(subterms ` (trms\<^sub>s\<^sub>t S))" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) auto lemma bvars\<^sub>s\<^sub>t_split: "bvars\<^sub>s\<^sub>t (S@S') = bvars\<^sub>s\<^sub>t S \ bvars\<^sub>s\<^sub>t S'" unfolding bvars\<^sub>s\<^sub>t_def by auto lemma bvars\<^sub>s\<^sub>t_singleton: "bvars\<^sub>s\<^sub>t [x] = set (bvars\<^sub>s\<^sub>t\<^sub>p x)" unfolding bvars\<^sub>s\<^sub>t_def by auto lemma strand_subst_hom[iff]: "(S@S') \\<^sub>s\<^sub>t \ = (S \\<^sub>s\<^sub>t \)@(S' \\<^sub>s\<^sub>t \)" "(x#S) \\<^sub>s\<^sub>t \ = (x \\<^sub>s\<^sub>t\<^sub>p \)#(S \\<^sub>s\<^sub>t \)" unfolding subst_apply_strand_def by auto lemma strand_subst_comp: "FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t S = {} \ S \\<^sub>s\<^sub>t \ \\<^sub>s \ = ((S \\<^sub>s\<^sub>t \) \\<^sub>s\<^sub>t \)" proof (induction S) case (Cons x S) hence *: "FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t S = {}" "FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (set (bvars\<^sub>s\<^sub>t\<^sub>p x)) = {}" using bvars\<^sub>s\<^sub>t_split[of "[x]" S] bvars\<^sub>s\<^sub>t_def[of "[x]"] by auto hence IH: "S \\<^sub>s\<^sub>t \ \\<^sub>s \ = (S \\<^sub>s\<^sub>t \) \\<^sub>s\<^sub>t \" using Cons.IH by auto have "(x#S \\<^sub>s\<^sub>t \ \\<^sub>s \) = (x \\<^sub>s\<^sub>t\<^sub>p \ \\<^sub>s \)#(S \\<^sub>s\<^sub>t \ \\<^sub>s \)" by (metis strand_subst_hom(2)) hence "... = (x \\<^sub>s\<^sub>t\<^sub>p \ \\<^sub>s \)#((S \\<^sub>s\<^sub>t \) \\<^sub>s\<^sub>t \)" by (metis IH) hence "... = ((x \\<^sub>s\<^sub>t\<^sub>p \) \\<^sub>s\<^sub>t\<^sub>p \)#((S \\<^sub>s\<^sub>t \) \\<^sub>s\<^sub>t \)" using rm_vars_comp[OF *(2)] by (cases x) simp_all thus ?case using IH by auto qed simp lemma strand_substI[intro]: "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t S = {} \ S \\<^sub>s\<^sub>t \ = S" "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ vars\<^sub>s\<^sub>t S = {} \ S \\<^sub>s\<^sub>t \ = S" proof - show "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ vars\<^sub>s\<^sub>t S = {} \ S \\<^sub>s\<^sub>t \ = S" proof (induction S) case (Cons x S) hence "S \\<^sub>s\<^sub>t \ = S" by auto moreover have "vars\<^sub>s\<^sub>t\<^sub>p x \ dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = {}" using Cons.prems by auto hence "x \\<^sub>s\<^sub>t\<^sub>p \ = x" using rm_vars_subst_apply_ident by (cases x) fastforce+ ultimately show ?case by simp qed simp show "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t S = {} \ S \\<^sub>s\<^sub>t \ = S" proof (induction S) case (Cons x S) hence "S \\<^sub>s\<^sub>t \ = S" by auto moreover have "FV\<^sub>s\<^sub>t\<^sub>p x \ dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = {}" using Cons.prems by auto hence "x \\<^sub>s\<^sub>t\<^sub>p \ = x" using rm_vars_subst_apply_ident by (cases x) fastforce+ ultimately show ?case by simp qed simp qed lemma strand_substI': "FV\<^sub>s\<^sub>t S = {} \ S \\<^sub>s\<^sub>t \ = S" "vars\<^sub>s\<^sub>t S = {} \ S \\<^sub>s\<^sub>t \ = S" by (metis inf_bot_right strand_substI)+ lemma ik_union_subset: "\(P ` ik\<^sub>s\<^sub>t S) \ (\x \ (set S). P (trm\<^sub>s\<^sub>t\<^sub>p x))" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma ik_snd_empty[simp]: "ik\<^sub>s\<^sub>t (map Send X) = {}" by (induct "map Send X" arbitrary: X rule: ik\<^sub>s\<^sub>t.induct) auto lemma ik_snd_empty'[simp]: "ik\<^sub>s\<^sub>t [snd\t\] = {}" by simp lemma ik_append[iff]: "ik\<^sub>s\<^sub>t (S@S') = ik\<^sub>s\<^sub>t S \ ik\<^sub>s\<^sub>t S'" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma ik_cons: "ik\<^sub>s\<^sub>t (x#S) = ik\<^sub>s\<^sub>t [x] \ ik\<^sub>s\<^sub>t S" using ik_append[of "[x]" S] by simp lemma eqs_rhs_append[iff]: "eqs_rhs\<^sub>s\<^sub>t (S@S') = eqs_rhs\<^sub>s\<^sub>t S \ eqs_rhs\<^sub>s\<^sub>t S'" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) auto lemma eqs_rcv_map_empty: "eqs_rhs\<^sub>s\<^sub>t (map Receive M) = {}" by auto lemma ik_rcv_map: assumes "t \ set L" shows "t \ ik\<^sub>s\<^sub>t (map Receive L)" proof - { fix L L' have "t \ ik\<^sub>s\<^sub>t [rcv\t\]" by auto hence "t \ ik\<^sub>s\<^sub>t (map Receive L@rcv\t\#map Receive L')" using ik_append by auto hence "t \ ik\<^sub>s\<^sub>t (map Receive (L@t#L'))" by auto } thus ?thesis using assms split_list_last by force qed lemma ik_subst: "ik\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) = ik\<^sub>s\<^sub>t S \set \" by (induct rule: ik\<^sub>s\<^sub>t_induct) auto lemma ik_rcv_map': assumes "t \ ik\<^sub>s\<^sub>t (map Receive L)" shows "t \ set L" using assms by force lemma (in intruder_model) ik_trp_union_is_subterm_subset: "trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ (\x \ (set S). subterms (trm\<^sub>s\<^sub>t\<^sub>p x))" by (induct S rule: ik\<^sub>s\<^sub>t.induct, auto dest: trpD) lemma (in intruder_model) trp_ik_union_append_subset[simp]: "trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t (S@S'))" "trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t (S'@S))" by simp_all lemma ik_append_subset[simp]: "ik\<^sub>s\<^sub>t S \ ik\<^sub>s\<^sub>t (S@S')" "ik\<^sub>s\<^sub>t S' \ ik\<^sub>s\<^sub>t (S@S')" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma eqs_rhs_append_subset[simp]: "eqs_rhs\<^sub>s\<^sub>t S \ eqs_rhs\<^sub>s\<^sub>t (S@S')" "eqs_rhs\<^sub>s\<^sub>t S' \ eqs_rhs\<^sub>s\<^sub>t (S@S')" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) auto lemma (in intruder_model) trp_ik_union_append_split: "trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t (S@S')) = (trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)) \ (\(trp ` ik\<^sub>s\<^sub>t S'))" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma (in intruder_model) trp_ik_union_rcv_single: "trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t [rcv\t\]) = trp t" by auto lemma (in intruder_model) trp_ik_subtermD: assumes "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)" obtains x where "x \ set S" "t \ trm\<^sub>s\<^sub>t\<^sub>p x" using assms ik\<^sub>s\<^sub>tD trpD by auto lemma (in intruder_model) trp_ik_subterm_exD: assumes "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)" shows "\x \ set S. t \ trm\<^sub>s\<^sub>t\<^sub>p x" using assms ik\<^sub>s\<^sub>tD trpD by blast subsection {* Lemmas: Free Variables of Strands *} lemma FV_trm_snd_rcv: "FV (trm\<^sub>s\<^sub>t\<^sub>p (snd\t\)) = FV t" "FV (trm\<^sub>s\<^sub>t\<^sub>p (rcv\t\)) = FV t" by simp_all lemma in_strand_FV_subset: "x \ set S \ vars\<^sub>s\<^sub>t\<^sub>p x \ vars\<^sub>s\<^sub>t S" by auto lemma in_strand_FV_subset_snd: "snd\t\ \ set S \ FV t \ \set (map FV\<^sub>s\<^sub>n\<^sub>d S)" by auto lemma in_strand_FV_subset_rcv: "rcv\t\ \ set S \ FV t \ \set (map FV\<^sub>r\<^sub>c\<^sub>v S)" by auto lemma finite_vars\<^sub>s\<^sub>t\<^sub>p[simp]: "finite (vars\<^sub>s\<^sub>t\<^sub>p x)" using finite_FV by auto lemma finite_bvars\<^sub>s\<^sub>t\<^sub>p[simp]: "finite (set (bvars\<^sub>s\<^sub>t\<^sub>p x))" by rule lemma finite_FV\<^sub>s\<^sub>n\<^sub>d[simp]: "finite (FV\<^sub>s\<^sub>n\<^sub>d x)" using finite_FV by (cases x) auto lemma finite_FV\<^sub>r\<^sub>c\<^sub>v[simp]: "finite (FV\<^sub>r\<^sub>c\<^sub>v x)" using finite_FV by (cases x) auto lemma finite_FV\<^sub>s\<^sub>t\<^sub>p[simp]: "finite (FV\<^sub>s\<^sub>t\<^sub>p x)" using finite_FV by (cases x) auto lemma finite_vars\<^sub>s\<^sub>t[simp]: "finite (vars\<^sub>s\<^sub>t S)" by simp lemma finite_vars2\<^sub>s\<^sub>t[simp]: "finite (vars2\<^sub>s\<^sub>t S)" by (induct S rule: vars2\<^sub>s\<^sub>t.induct) auto lemma finite_bvars\<^sub>s\<^sub>t[simp]: "finite (bvars\<^sub>s\<^sub>t S)" by simp lemma finite_FV\<^sub>s\<^sub>t[simp]: "finite (FV\<^sub>s\<^sub>t S)" by simp lemma FV\<^sub>s\<^sub>n\<^sub>dE: assumes "v \ \set (map FV\<^sub>s\<^sub>n\<^sub>d S)" obtains t where "snd\t\ \ set S" "v \ FV t" using assms apply (induct S, simp_all) by (metis empty_iff strand_step.case_eq_if strand_step.collapse(1)) lemma FV\<^sub>r\<^sub>c\<^sub>vE: assumes "v \ \set (map FV\<^sub>r\<^sub>c\<^sub>v S)" obtains t where "rcv\t\ \ set S" "v \ FV t" using assms apply (induct S, simp_all) by (metis empty_iff strand_step.case_eq_if strand_step.collapse(2)) lemma vars\<^sub>s\<^sub>t\<^sub>pI[intro]: "x \ FV\<^sub>s\<^sub>t\<^sub>p s \ x \ vars\<^sub>s\<^sub>t\<^sub>p s" by (induct s rule: FV\<^sub>s\<^sub>t\<^sub>p.induct) auto lemma vars\<^sub>s\<^sub>tI[intro]: "x \ FV\<^sub>s\<^sub>t S \ x \ vars\<^sub>s\<^sub>t S" using vars\<^sub>s\<^sub>t\<^sub>pI by fastforce lemma FV\<^sub>s\<^sub>t_subset_vars\<^sub>s\<^sub>t[simp]: "FV\<^sub>s\<^sub>t S \ vars\<^sub>s\<^sub>t S" using vars\<^sub>s\<^sub>tI by force lemma vars\<^sub>s\<^sub>t_is_FV\<^sub>s\<^sub>t_bvars\<^sub>s\<^sub>t: "vars\<^sub>s\<^sub>t S = FV\<^sub>s\<^sub>t S \ bvars\<^sub>s\<^sub>t S" proof (induction S) case (Cons x S) thus ?case by (cases x) auto qed simp lemma vars_st_snd_map: "vars\<^sub>s\<^sub>t (map Send X) = FV (Fun f X)" by simp lemma vars_st_rcv_map: "vars\<^sub>s\<^sub>t (map Receive X) = FV (Fun f X)" by simp lemma vars_snd_rcv_union: "vars\<^sub>s\<^sub>t\<^sub>p x = FV\<^sub>s\<^sub>n\<^sub>d x \ FV\<^sub>r\<^sub>c\<^sub>v x \ FV\<^sub>e\<^sub>q x \ FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x \ set (bvars\<^sub>s\<^sub>t\<^sub>p x)" by (cases x) simp_all lemma FV_snd_rcv_union: "FV\<^sub>s\<^sub>t\<^sub>p x = FV\<^sub>s\<^sub>n\<^sub>d x \ FV\<^sub>r\<^sub>c\<^sub>v x \ FV\<^sub>e\<^sub>q x \ FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x" by (cases x) simp_all lemma FV_snd_rcv_empty[simp]: "FV\<^sub>s\<^sub>n\<^sub>d x = {} \ FV\<^sub>r\<^sub>c\<^sub>v x = {}" by (cases x) simp_all lemma vars_snd_rcv_strand[iff]: "vars\<^sub>s\<^sub>t (S::('a,'b) strand) = (\set (map FV\<^sub>s\<^sub>n\<^sub>d S)) \ (\set (map FV\<^sub>r\<^sub>c\<^sub>v S)) \ (\set (map FV\<^sub>e\<^sub>q S)) \ (\set (map FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q S)) \ bvars\<^sub>s\<^sub>t S" unfolding bvars\<^sub>s\<^sub>t_def proof (induction S) case (Cons x S) have "\s V. vars\<^sub>s\<^sub>t\<^sub>p (s::('a,'b) strand_step) \ V = FV\<^sub>s\<^sub>n\<^sub>d s \ FV\<^sub>r\<^sub>c\<^sub>v s \ FV\<^sub>e\<^sub>q s \ FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q s \ set (bvars\<^sub>s\<^sub>t\<^sub>p s) \ V" by (metis vars_snd_rcv_union) thus ?case using Cons.IH by (auto simp add: sup_assoc sup_left_commute) qed simp lemma FV_snd_rcv_strand[iff]: "FV\<^sub>s\<^sub>t (S::('a,'b) strand) = (\set (map FV\<^sub>s\<^sub>n\<^sub>d S)) \ (\set (map FV\<^sub>r\<^sub>c\<^sub>v S)) \ (\set (map FV\<^sub>e\<^sub>q S)) \ (\set (map FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q S))" unfolding bvars\<^sub>s\<^sub>t_def proof (induction S) case (Cons x S) have "\s V. FV\<^sub>s\<^sub>t\<^sub>p (s::('a,'b) strand_step) \ V = FV\<^sub>s\<^sub>n\<^sub>d s \ FV\<^sub>r\<^sub>c\<^sub>v s \ FV\<^sub>e\<^sub>q s \ FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q s \ V" by (metis FV_snd_rcv_union) thus ?case using Cons.IH by (auto simp add: sup_assoc sup_left_commute) qed simp lemma vars_snd_rcv_strand2[iff]: "vars2\<^sub>s\<^sub>t (S::('a,'b) strand) = (\set (map FV\<^sub>s\<^sub>n\<^sub>d S)) \ (\set (map FV\<^sub>r\<^sub>c\<^sub>v S)) \ (\set (map FV\<^sub>e\<^sub>q S))" proof (induction S) case (Cons x S) thus ?case by (cases x) auto qed simp lemma FV_snd_rcv_strand_subset[simp]: "\set (map FV\<^sub>s\<^sub>n\<^sub>d S) \ FV\<^sub>s\<^sub>t S" "\set (map FV\<^sub>r\<^sub>c\<^sub>v S) \ FV\<^sub>s\<^sub>t S" "\set (map FV\<^sub>e\<^sub>q S) \ FV\<^sub>s\<^sub>t S" "\set (map FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q S) \ FV\<^sub>s\<^sub>t S" "wfvarsoccs\<^sub>s\<^sub>t S \ FV\<^sub>s\<^sub>t S" proof - show "\set (map FV\<^sub>s\<^sub>n\<^sub>d S) \ FV\<^sub>s\<^sub>t S" "\set (map FV\<^sub>r\<^sub>c\<^sub>v S) \ FV\<^sub>s\<^sub>t S" "\set (map FV\<^sub>e\<^sub>q S) \ FV\<^sub>s\<^sub>t S" "\set (map FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q S) \ FV\<^sub>s\<^sub>t S" using FV_snd_rcv_strand[of S] by auto show "wfvarsoccs\<^sub>s\<^sub>t S \ FV\<^sub>s\<^sub>t S" proof (induction S) case (Cons x S) thus ?case by (cases x) auto qed simp qed lemma vars_snd_rcv_strand_subset2[simp]: "\set (map FV\<^sub>s\<^sub>n\<^sub>d S) \ vars2\<^sub>s\<^sub>t S" "\set (map FV\<^sub>r\<^sub>c\<^sub>v S) \ vars2\<^sub>s\<^sub>t S" "\set (map FV\<^sub>e\<^sub>q S) \ vars2\<^sub>s\<^sub>t S" "wfvarsoccs\<^sub>s\<^sub>t S \ vars2\<^sub>s\<^sub>t S" proof - show "\set (map FV\<^sub>s\<^sub>n\<^sub>d S) \ vars2\<^sub>s\<^sub>t S" "\set (map FV\<^sub>r\<^sub>c\<^sub>v S) \ vars2\<^sub>s\<^sub>t S" "\set (map FV\<^sub>e\<^sub>q S) \ vars2\<^sub>s\<^sub>t S" by auto show "wfvarsoccs\<^sub>s\<^sub>t S \ vars2\<^sub>s\<^sub>t S" proof (induction S) case (Cons x S) thus ?case by (cases x) auto qed simp qed lemma vars2\<^sub>s\<^sub>t_subset_vars\<^sub>s\<^sub>t: "vars2\<^sub>s\<^sub>t S \ vars\<^sub>s\<^sub>t S" by (induct S rule: vars2\<^sub>s\<^sub>t.induct) auto lemma subst_sends_strand_FV_to_img: "FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>t S \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" proof (induction S) case (Cons x S) have *: "FV\<^sub>s\<^sub>t (x#S \\<^sub>s\<^sub>t \) = FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) \ FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" "FV\<^sub>s\<^sub>t (x#S) \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = FV\<^sub>s\<^sub>t\<^sub>p x \ FV\<^sub>s\<^sub>t S \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" by simp_all moreover have "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) \ FV\<^sub>s\<^sub>t\<^sub>p x \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" using subst_sends_FV_to_img[of "trm\<^sub>s\<^sub>t\<^sub>p x" \] subst_sends_FV_to_img[of "trm_r\<^sub>s\<^sub>t\<^sub>p x" \] proof (cases x) case (Inequality X t t') let ?\ = "rm_vars (set X) \" have "FV (t \ ?\) \ FV t \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t ?\" "FV (t' \ ?\) \ FV t' \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t ?\" using Inequality subst_sends_FV_to_img[of _ ?\] by simp_all hence "FV (t \ ?\) \ FV t \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" "FV (t' \ ?\) \ FV t' \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" using rm_vars_img_subset[of "set X" \] by auto thus ?thesis using Inequality by auto qed auto ultimately show ?case using Cons.IH by auto qed simp lemma ineq_apply_subst: assumes "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ set X = {}" shows "(\X\t \ t'\) \\<^sub>s\<^sub>t\<^sub>p \ = \X\(t \ \) \ (t' \ \)\" using rm_vars_apply'[OF assms] by simp lemma FV_strand_step_subst: assumes "P = FV\<^sub>s\<^sub>t\<^sub>p \ P = FV\<^sub>r\<^sub>c\<^sub>v \ P = FV\<^sub>s\<^sub>n\<^sub>d \ P = FV\<^sub>e\<^sub>q \ P = FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q" and "set (bvars\<^sub>s\<^sub>t\<^sub>p x) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "FV\<^sub>s\<^sub>e\<^sub>t (\ ` (P x)) = P (x \\<^sub>s\<^sub>t\<^sub>p \)" proof (cases x) case (Send t) hence "vars\<^sub>s\<^sub>t\<^sub>p x = FV t" "FV\<^sub>s\<^sub>n\<^sub>d x = FV t" by auto thus ?thesis using assms Send subst_apply_FV_unfold[of _ \] by auto next case (Receive t) hence "vars\<^sub>s\<^sub>t\<^sub>p x = FV t" "FV\<^sub>r\<^sub>c\<^sub>v x = FV t" by auto thus ?thesis using assms Receive subst_apply_FV_unfold[of _ \] by auto next case (Equality t t') hence "vars\<^sub>s\<^sub>t\<^sub>p x = FV t \ FV t'" "FV\<^sub>e\<^sub>q x = FV t \ FV t'" by auto thus ?thesis using assms Equality subst_apply_FV_unfold[of _ \] by auto next case (Inequality X t t') hence *: "set X \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" "x \\<^sub>s\<^sub>t\<^sub>p \ = \X\(t \ \) \ (t' \ \)\" using assms ineq_apply_subst[of \ X t t'] by auto have "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = FV t \ FV t' - set X" using Inequality by auto hence "FV\<^sub>s\<^sub>e\<^sub>t (\ ` FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x) = FV\<^sub>s\<^sub>e\<^sub>t (\`(FV t - set X)) \ FV\<^sub>s\<^sub>e\<^sub>t (\`(FV t' - set X))" by auto hence "FV\<^sub>s\<^sub>e\<^sub>t (\ ` FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x) = FV\<^sub>s\<^sub>e\<^sub>t (\`(FV t)) \ FV\<^sub>s\<^sub>e\<^sub>t (\`(FV t')) - set X" using *(1) Inequality by force+ hence "FV\<^sub>s\<^sub>e\<^sub>t (\ ` FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x) = FV (t \ \) \ FV (t' \ \) - set X" using subst_apply_FV_unfold[of _ \] Inequality by simp moreover have "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = (FV (t \ \) \ FV (t' \ \)) - set X" using *(2) by auto ultimately have "FV\<^sub>s\<^sub>e\<^sub>t (\ ` FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x) = FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \)" using assms(1) Inequality subst_apply_FV_unfold[of _ \] by simp thus ?thesis using assms(1) Inequality subst_apply_FV_unfold[of _ \] by auto qed lemma FV_strand_subst: assumes "P = FV\<^sub>s\<^sub>t\<^sub>p \ P = FV\<^sub>r\<^sub>c\<^sub>v \ P = FV\<^sub>s\<^sub>n\<^sub>d \ P = FV\<^sub>e\<^sub>q \ P = FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q" and "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "FV\<^sub>s\<^sub>e\<^sub>t (\ ` (\set (map P S))) = \set (map P (S \\<^sub>s\<^sub>t \))" using assms(2) proof (induction S) case (Cons x S) hence *: "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" "set (bvars\<^sub>s\<^sub>t\<^sub>p x) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" unfolding bvars\<^sub>s\<^sub>t_def by auto hence **: "FV\<^sub>s\<^sub>e\<^sub>t (\ ` P x) = P (x \\<^sub>s\<^sub>t\<^sub>p \)" using FV_strand_step_subst[OF assms(1), of x \] by auto have "FV\<^sub>s\<^sub>e\<^sub>t (\ ` (\set (map P (x#S)))) = FV\<^sub>s\<^sub>e\<^sub>t (\ ` P x) \ (\set (map P ((S \\<^sub>s\<^sub>t \))))" using Cons unfolding bvars\<^sub>s\<^sub>t_def by auto hence "FV\<^sub>s\<^sub>e\<^sub>t (\ ` (\set (map P (x#S)))) = P (x \\<^sub>s\<^sub>t\<^sub>p \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` (\set (map P S)))" using ** by simp thus ?case using Cons.IH[OF *(1)] unfolding bvars\<^sub>s\<^sub>t_def by simp qed simp lemma FV_strand_subst2: assumes "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "FV\<^sub>s\<^sub>e\<^sub>t (\ ` (vars2\<^sub>s\<^sub>t S)) = vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" by (metis (no_types, lifting) assms FV\<^sub>s\<^sub>e\<^sub>t_def vars_snd_rcv_strand2 FV_strand_subst UN_Un image_Un) lemma FV_strand_subst': assumes "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "FV\<^sub>s\<^sub>e\<^sub>t (\ ` (FV\<^sub>s\<^sub>t S)) = FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" by (metis assms FV_strand_subst FV\<^sub>s\<^sub>t_def) lemma strand_map_set_subst: assumes \: "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "set (map trm\<^sub>s\<^sub>t\<^sub>p (S \\<^sub>s\<^sub>t \)) = (set (map trm\<^sub>s\<^sub>t\<^sub>p S)) \set \" "set (map trm_r\<^sub>s\<^sub>t\<^sub>p (S \\<^sub>s\<^sub>t \)) = (set (map trm_r\<^sub>s\<^sub>t\<^sub>p S)) \set \" using assms proof (induction S) case Nil { case 1 thus ?case by simp } { case 2 thus ?case by simp } next case (Cons x S) { case 1 hence *: "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ set (bvars\<^sub>s\<^sub>t\<^sub>p x) = {}" "set (map trm\<^sub>s\<^sub>t\<^sub>p (S \\<^sub>s\<^sub>t \)) = set (map trm\<^sub>s\<^sub>t\<^sub>p S) \set \" using Cons.IH(1) bvars\<^sub>s\<^sub>t_split[of "[x]" S] bvars\<^sub>s\<^sub>t_singleton[of x] by auto hence **: "trm\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = (trm\<^sub>s\<^sub>t\<^sub>p x) \ \" proof (cases x) case (Inequality X t t') thus ?thesis using rm_vars_apply'[of \ "set X"] * by simp qed simp_all thus ?case using * by (auto simp add: subst_all_insert) } { case 2 hence *: "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ set (bvars\<^sub>s\<^sub>t\<^sub>p x) = {}" "set (map trm_r\<^sub>s\<^sub>t\<^sub>p (S \\<^sub>s\<^sub>t \)) = set (map trm_r\<^sub>s\<^sub>t\<^sub>p S) \set \" using Cons.IH(2) bvars\<^sub>s\<^sub>t_split[of "[x]" S] bvars\<^sub>s\<^sub>t_singleton[of x] by auto hence **: "trm_r\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = (trm_r\<^sub>s\<^sub>t\<^sub>p x) \ \" proof (cases x) case (Inequality X t t') thus ?thesis using rm_vars_apply'[of \ "set X"] * by simp qed simp_all thus ?case using * by (auto simp add: subst_all_insert) } qed lemma subst_apply_FV_subset_strand_trm: assumes P: "P = FV\<^sub>s\<^sub>t\<^sub>p \ P = FV\<^sub>r\<^sub>c\<^sub>v \ P = FV\<^sub>s\<^sub>n\<^sub>d \ P = FV\<^sub>e\<^sub>q \ P = FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q" and FV_sub: "FV t \ \set (map P S) \ V" and \: "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "FV (t \ \) \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using FV_strand_subst[OF P \] subst_apply_FV_subset[OF FV_sub, of \] by auto lemma subst_apply_FV_subset_strand_trm2: assumes FV_sub: "FV t \ vars2\<^sub>s\<^sub>t S \ V" and \: "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "FV (t \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using FV_strand_subst2[OF \] subst_apply_FV_subset[OF FV_sub, of \] by auto lemma subst_apply_FV_subset_strand: assumes P: "P = FV\<^sub>s\<^sub>t\<^sub>p \ P = FV\<^sub>r\<^sub>c\<^sub>v \ P = FV\<^sub>s\<^sub>n\<^sub>d \ P = FV\<^sub>e\<^sub>q \ P = FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q" and P_subset: "P x \ \set (map P S) \ V" and \: "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" "set (bvars\<^sub>s\<^sub>t\<^sub>p x) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "P (x \\<^sub>s\<^sub>t\<^sub>p \) \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" proof (cases x) case (Send t) hence *: "FV\<^sub>s\<^sub>t\<^sub>p x = FV t" "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" "FV\<^sub>r\<^sub>c\<^sub>v x = {}" "FV\<^sub>r\<^sub>c\<^sub>v (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>s\<^sub>n\<^sub>d x = FV t" "FV\<^sub>s\<^sub>n\<^sub>d (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" "FV\<^sub>e\<^sub>q x = {}" "FV\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" by auto hence **: "(P x = FV t \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)) \ (P x = {} \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = {})" by (metis P) moreover { assume "P x = {}" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" hence ?thesis by simp } moreover { assume "P x = FV t" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" hence "FV t \ \set (map P S) \ V" using P_subset by auto hence "FV (t \ \) \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" unfolding vars\<^sub>s\<^sub>t_def using P subst_apply_FV_subset_strand_trm assms by blast hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)\ by auto } ultimately show ?thesis by metis next case (Receive t) hence *: "FV\<^sub>s\<^sub>t\<^sub>p x = FV t" "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" "FV\<^sub>r\<^sub>c\<^sub>v x = FV t" "FV\<^sub>r\<^sub>c\<^sub>v (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" "FV\<^sub>s\<^sub>n\<^sub>d x = {}" "FV\<^sub>s\<^sub>n\<^sub>d (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>e\<^sub>q x = {}" "FV\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" by auto hence **: "(P x = FV t \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)) \ (P x = {} \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = {})" by (metis P) moreover { assume "P x = {}" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" hence ?thesis by simp } moreover { assume "P x = FV t" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" hence "FV t \ \set (map P S) \ V" using P_subset by auto hence "FV (t \ \) \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" unfolding vars\<^sub>s\<^sub>t_def using P subst_apply_FV_subset_strand_trm assms by blast hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)\ by auto } ultimately show ?thesis by metis next case (Equality t t') hence *: "FV\<^sub>s\<^sub>t\<^sub>p x = FV t \ FV t'" "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)" "FV\<^sub>r\<^sub>c\<^sub>v x = {}" "FV\<^sub>r\<^sub>c\<^sub>v (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>s\<^sub>n\<^sub>d x = {}" "FV\<^sub>s\<^sub>n\<^sub>d (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>e\<^sub>q x = FV t \ FV t'" "FV\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" by auto hence **: "(P x = FV t \ FV t' \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)) \ (P x = {} \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = {})" by (metis P) moreover { assume "P x = {}" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" hence ?thesis by simp } moreover { assume "P x = FV t \ FV t'" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)" hence "FV t \ \set (map P S) \ V" "FV t' \ \set (map P S) \ V" using P_subset by auto hence "FV (t \ \) \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" "FV (t' \ \) \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" unfolding vars\<^sub>s\<^sub>t_def using P subst_apply_FV_subset_strand_trm assms by blast+ hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)\ by auto } ultimately show ?thesis by metis next case (Inequality X t t') hence *: "FV\<^sub>s\<^sub>t\<^sub>p x = FV t \ FV t' - set X" "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X" "FV\<^sub>r\<^sub>c\<^sub>v x = {}" "FV\<^sub>r\<^sub>c\<^sub>v (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>s\<^sub>n\<^sub>d x = {}" "FV\<^sub>s\<^sub>n\<^sub>d (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>e\<^sub>q x = {}" "FV\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = (FV t \ FV t') - set X" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X" using \(2) ineq_apply_subst[of \ X t t'] by force+ hence **: "(P x = FV t \ FV t' - set X \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X) \ (P x = {} \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = {})" by (metis P) moreover { assume "P x = {}" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" hence ?thesis by simp } moreover { assume "P x = FV t \ FV t' - set X" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X" hence "FV t - set X \ \set (map P S) \ V" "FV t' - set X \ \set (map P S) \ V" using P_subset by auto hence "FV (t \ \) \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` (V \ set X))" "FV (t' \ \) \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` (V \ set X))" unfolding vars\<^sub>s\<^sub>t_def using subst_apply_FV_subset_strand_trm[OF P _ assms(3), of _ "V \ set X"] by blast+ moreover have "FV\<^sub>s\<^sub>e\<^sub>t (\ ` set X) = set X" using assms(4) Inequality by force ultimately have "FV (t \ \) - set X \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" "FV (t' \ \) - set X \ \set (map P (S \\<^sub>s\<^sub>t \)) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" by auto hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X\ by auto } ultimately show ?thesis by metis qed lemma subst_apply_FV_subset_strand2: assumes P: "P = FV\<^sub>s\<^sub>t\<^sub>p \ P = FV\<^sub>r\<^sub>c\<^sub>v \ P = FV\<^sub>s\<^sub>n\<^sub>d \ P = FV\<^sub>e\<^sub>q \ P = FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q \ P = FV_r\<^sub>e\<^sub>q" and P_subset: "P x \ vars2\<^sub>s\<^sub>t S \ V" and \: "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" "set (bvars\<^sub>s\<^sub>t\<^sub>p x) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) = {}" shows "P (x \\<^sub>s\<^sub>t\<^sub>p \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" proof (cases x) case (Send t) hence *: "FV\<^sub>s\<^sub>t\<^sub>p x = FV t" "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" "FV\<^sub>r\<^sub>c\<^sub>v x = {}" "FV\<^sub>r\<^sub>c\<^sub>v (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>s\<^sub>n\<^sub>d x = FV t" "FV\<^sub>s\<^sub>n\<^sub>d (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" "FV\<^sub>e\<^sub>q x = {}" "FV\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV_r\<^sub>e\<^sub>q x = {}" "FV_r\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" by auto hence **: "(P x = FV t \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)) \ (P x = {} \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = {})" by (metis P) moreover { assume "P x = {}" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" hence ?thesis by simp } moreover { assume "P x = FV t" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" hence "FV t \ vars2\<^sub>s\<^sub>t S \ V" using P_subset by auto hence "FV (t \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using P subst_apply_FV_subset_strand_trm2 assms by blast hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)\ by auto } ultimately show ?thesis by metis next case (Receive t) hence *: "FV\<^sub>s\<^sub>t\<^sub>p x = FV t" "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" "FV\<^sub>r\<^sub>c\<^sub>v x = FV t" "FV\<^sub>r\<^sub>c\<^sub>v (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" "FV\<^sub>s\<^sub>n\<^sub>d x = {}" "FV\<^sub>s\<^sub>n\<^sub>d (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>e\<^sub>q x = {}" "FV\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV_r\<^sub>e\<^sub>q x = {}" "FV_r\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" by auto hence **: "(P x = FV t \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)) \ (P x = {} \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = {})" by (metis P) moreover { assume "P x = {}" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" hence ?thesis by simp } moreover { assume "P x = FV t" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)" hence "FV t \ vars2\<^sub>s\<^sub>t S \ V" using P_subset by auto hence "FV (t \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using P subst_apply_FV_subset_strand_trm2 assms by blast hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \)\ by auto } ultimately show ?thesis by metis next case (Equality t t') hence *: "FV\<^sub>s\<^sub>t\<^sub>p x = FV t \ FV t'" "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)" "FV\<^sub>r\<^sub>c\<^sub>v x = {}" "FV\<^sub>r\<^sub>c\<^sub>v (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>s\<^sub>n\<^sub>d x = {}" "FV\<^sub>s\<^sub>n\<^sub>d (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>e\<^sub>q x = FV t \ FV t'" "FV\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV_r\<^sub>e\<^sub>q x = FV t'" "FV_r\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t' \ \)" by auto hence **: "(P x = FV t \ FV t' \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)) \ (P x = {} \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}) \ (P x = FV t' \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t' \ \))" by (metis P) moreover { assume "P x = {}" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" hence ?thesis by simp } moreover { assume "P x = FV t \ FV t'" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)" hence "FV t \ vars2\<^sub>s\<^sub>t S \ V" "FV t' \ vars2\<^sub>s\<^sub>t S \ V" using P_subset by auto hence "FV (t \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" "FV (t' \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using P subst_apply_FV_subset_strand_trm2 assms by blast+ hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \)\ by auto } moreover { assume "P x = FV t'" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t' \ \)" hence "FV t' \ vars2\<^sub>s\<^sub>t S \ V" using P_subset by auto hence "FV (t' \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using P subst_apply_FV_subset_strand_trm2 assms by blast+ hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t' \ \)\ by auto } ultimately show ?thesis by metis next case (Inequality X t t') hence *: "FV\<^sub>s\<^sub>t\<^sub>p x = FV t \ FV t' - set X" "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X" "FV\<^sub>r\<^sub>c\<^sub>v x = {}" "FV\<^sub>r\<^sub>c\<^sub>v (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>s\<^sub>n\<^sub>d x = {}" "FV\<^sub>s\<^sub>n\<^sub>d (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>e\<^sub>q x = {}" "FV\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q x = FV t \ FV t' - set X" "FV\<^sub>i\<^sub>n\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X" "FV_r\<^sub>e\<^sub>q x = {}" "FV_r\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" using \(2) ineq_apply_subst[of \ X t t'] by force+ hence **: "(P x = FV t \ FV t' - set X \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X) \ (P x = {} \ P (x \\<^sub>s\<^sub>t\<^sub>p \) = {})" by (metis P) moreover { assume "P x = {}" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = {}" hence ?thesis by simp } moreover { assume "P x = FV t \ FV t' - set X" "P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X" hence "FV t - set X \ vars2\<^sub>s\<^sub>t S \ V" "FV t' - set X \ vars2\<^sub>s\<^sub>t S \ V" using P_subset by auto hence "FV (t \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` (V \ set X))" "FV (t' \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` (V \ set X))" unfolding vars\<^sub>s\<^sub>t_def using subst_apply_FV_subset_strand_trm2[OF _ assms(3), of _ "V \ set X"] by blast+ moreover have "FV\<^sub>s\<^sub>e\<^sub>t (\ ` set X) = set X" using assms(4) Inequality by force ultimately have "FV (t \ \) - set X \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" "FV (t' \ \) - set X \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" by auto hence ?thesis using \P (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ \) \ FV (t' \ \) - set X\ by auto } ultimately show ?thesis by metis qed lemma strand_subst_FV_bounded_if_img_bounded: assumes "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t S" shows "FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>t S" using subst_sends_strand_FV_to_img[of S \] assms by auto lemma strand_FV_subst_subset_if_elim: assumes "elim \ v" and "v \ FV\<^sub>s\<^sub>t S \ bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" shows "v \ FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" proof (cases "v \ FV\<^sub>s\<^sub>t S") case True thus ?thesis proof (induction S) case (Cons x S) have *: "v \ FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \)" using assms(1) proof (cases x) case (Inequality X t t') hence "elim (rm_vars (set X) \) v \ v \ set X" using assms(1) by blast moreover have "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ rm_vars (set X) \) \ FV (t' \ rm_vars (set X) \) - set X" using Inequality by auto ultimately show ?thesis using Inequality by blast qed simp_all moreover have "v \ FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" using Cons.IH proof (cases "v \ FV\<^sub>s\<^sub>t S") case False moreover have "v \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" by (simp add: elim_dest''[OF assms(1)] img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t_def) ultimately show ?thesis by (meson UnE subsetCE subst_sends_strand_FV_to_img) qed simp ultimately show ?case by auto qed simp next case False thus ?thesis using assms FV_strand_subst' unfolding elim_def by (metis (mono_tags, hide_lams) FV\<^sub>s\<^sub>e\<^sub>t_def imageE mem_simps(8) subst_apply_term.simps(1)) qed lemma strand_FV_subst_subset_if_elim': assumes "elim \ v" "v \ FV\<^sub>s\<^sub>t S" "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t S" shows "FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>t S" using strand_FV_subst_subset_if_elim[OF assms(1)] assms(2) strand_subst_FV_bounded_if_img_bounded[OF assms(3)] by blast lemma FV_ik_is_FV_rcv: " FV\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) = \set (map FV\<^sub>r\<^sub>c\<^sub>v S)" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma FV_ik_subset_FV_st[simp]: "FV\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ vars2\<^sub>s\<^sub>t S" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma FV_eqs_rhs_subset_FV_st[simp]: "FV\<^sub>s\<^sub>e\<^sub>t (eqs_rhs\<^sub>s\<^sub>t S) \ vars2\<^sub>s\<^sub>t S" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) auto lemma FV_ik_subset_FV_st'[simp]: "FV\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ FV\<^sub>s\<^sub>t S" by (induct S rule: ik\<^sub>s\<^sub>t.induct) auto lemma FV_eqs_rhs_subset_FV_st'[simp]: "FV\<^sub>s\<^sub>e\<^sub>t (eqs_rhs\<^sub>s\<^sub>t S) \ FV\<^sub>s\<^sub>t S" by (induct S rule: eqs_rhs\<^sub>s\<^sub>t.induct) auto lemma strand_step_id_subst[iff]: "x \\<^sub>s\<^sub>t\<^sub>p Var = x" by (cases x) simp_all lemma strand_id_subst[iff]: "S \\<^sub>s\<^sub>t Var = S" using strand_step_id_subst by (induct S) auto lemma strand_step_subst_FV_union_bound: "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) \ FV\<^sub>s\<^sub>t\<^sub>p x \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" using subst_sends_strand_FV_to_img[of "[x]" \] by simp lemma strand_subst_FV_union_bound[simp]: "FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>t S \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" by (rule subst_sends_strand_FV_to_img) lemma strand_subst_vars_union_bound[simp]: "vars\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ vars\<^sub>s\<^sub>t S \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" proof (induction S) case (Cons x S) moreover have "vars\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) \ vars\<^sub>s\<^sub>t\<^sub>p x \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" using subst_sends_FV_to_img[of _ \] proof (cases x) case (Inequality X t t') let ?\ = "rm_vars (set X) \" have "vars\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) = FV (t \ ?\) \ FV (t' \ ?\) \ set X" "vars\<^sub>s\<^sub>t\<^sub>p x = FV t \ FV t' \ set X" using Inequality by auto moreover have "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t ?\ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" using rm_vars_img[of "set X" \] by auto hence "FV (t \ ?\) \ FV t \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" "FV (t' \ ?\) \ FV t' \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" using subst_sends_FV_to_img[of _ ?\] by blast+ ultimately show ?thesis by auto qed auto ultimately show ?case by auto qed simp lemma strand_vars_split: "vars\<^sub>s\<^sub>t (S@S') = vars\<^sub>s\<^sub>t S \ vars\<^sub>s\<^sub>t S'" "vars2\<^sub>s\<^sub>t (S@S') = vars2\<^sub>s\<^sub>t S \ vars2\<^sub>s\<^sub>t S'" "FV\<^sub>s\<^sub>t (S@S') = FV\<^sub>s\<^sub>t S \ FV\<^sub>s\<^sub>t S'" by auto lemma bvars_subst_ident: "bvars\<^sub>s\<^sub>t S = bvars\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" proof (induction S) case (Cons x S) thus ?case by (cases x) auto qed simp lemma strand_subst_Idem: assumes "Idem \" "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t S" "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t S = {}" "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ bvars\<^sub>s\<^sub>t S = {}" "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ bvars\<^sub>s\<^sub>t S = {}" shows "(S \\<^sub>s\<^sub>t \) \\<^sub>s\<^sub>t \ = (S \\<^sub>s\<^sub>t \)" and "(S \\<^sub>s\<^sub>t \) \\<^sub>s\<^sub>t (\ \\<^sub>s \) = (S \\<^sub>s\<^sub>t \)" proof - from assms(2,3) have "FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) \ dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = {}" using strand_subst_FV_union_bound[of S \] by blast thus "(S \\<^sub>s\<^sub>t \) \\<^sub>s\<^sub>t \ = (S \\<^sub>s\<^sub>t \)" by blast thus "(S \\<^sub>s\<^sub>t \) \\<^sub>s\<^sub>t (\ \\<^sub>s \) = (S \\<^sub>s\<^sub>t \)" by (metis assms(4,5) bvars_subst_ident strand_subst_comp \Idem \\ Idem_def) qed lemma strand_subst_img_bound: assumes "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t S" "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t S = {}" shows "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" proof - have "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ \set (map FV\<^sub>s\<^sub>t\<^sub>p S)" by (metis (no_types) FV\<^sub>s\<^sub>t_def Un_subset_iff assms(1)) thus ?thesis unfolding img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t_def FV\<^sub>s\<^sub>t_def by (metis FV_set_mono FV_strand_subst Int_commute assms(2) image_Un le_iff_sup) qed lemma strand_subst_img_bound': assumes "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ vars\<^sub>s\<^sub>t S" "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t S = {}" shows "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ vars\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" proof - have "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) \ vars\<^sub>s\<^sub>t S = dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)" using assms(1) unfolding img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t_def by (meson inf.absorb_iff1) hence "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" using vars_snd_rcv_strand FV_snd_rcv_strand assms(2) img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t_def by (metis (no_types) inf_le2 inf_sup_distrib1 strand_subst_img_bound sup_bot.right_neutral) thus "FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ vars\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" by (metis FV_snd_rcv_strand le_supI1 vars_snd_rcv_strand) qed lemma strand_subst_all_FV_subset: assumes "FV t \ FV\<^sub>s\<^sub>t S" "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t S = {}" shows "FV (t \ \) \ FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" using assms by (metis FV_strand_subst' Int_commute subst_apply_FV_subset) lemma strand_subst_not_dom_fixed: "\v \ FV\<^sub>s\<^sub>t S; v \ dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \\ \ v \ FV\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" proof (induction S) case (Cons x S') show ?case proof (cases "v \ FV\<^sub>s\<^sub>t S'") case True thus ?thesis using Cons.IH[OF _ Cons.prems(2)] by auto next case False hence *: "v \ FV\<^sub>s\<^sub>t\<^sub>p x" using Cons.prems(1) by simp hence "v \ FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \)" using Cons.prems(2) subst_not_dom_fixed by (cases x) force+ thus ?thesis by auto qed qed simp lemma strand_vars_unfold: "v \ vars\<^sub>s\<^sub>t S \ \S' x S''. S = S'@x#S'' \ v \ vars\<^sub>s\<^sub>t\<^sub>p x" proof (induction S) case (Cons x S) thus ?case proof (cases "v \ vars\<^sub>s\<^sub>t\<^sub>p x") case True thus ?thesis by blast next case False hence "v \ vars\<^sub>s\<^sub>t S" using Cons.prems by auto thus ?thesis using Cons.IH by (metis append_Cons) qed qed simp lemma strand_FV_unfold: "v \ FV\<^sub>s\<^sub>t S \ \S' x S''. S = S'@x#S'' \ v \ FV\<^sub>s\<^sub>t\<^sub>p x" proof (induction S) case (Cons x S) thus ?case proof (cases "v \ FV\<^sub>s\<^sub>t\<^sub>p x") case True thus ?thesis by blast next case False hence "v \ FV\<^sub>s\<^sub>t S" using Cons.prems by auto thus ?thesis using Cons.IH by (metis append_Cons) qed qed simp lemma (in intruder_model) wf_FV_strand_if_in_trp_ik_union: "\t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S); wf\<^sub>s\<^sub>t V S\ \ FV t \ FV\<^sub>s\<^sub>t S \ V" proof (induction S arbitrary: V rule: ik\<^sub>s\<^sub>t_induct) case (ConsRcv t' S) hence "FV t' \ V" "wf\<^sub>s\<^sub>t V S" by auto thus ?case using ConsRcv.IH ConsRcv.prems proof (cases "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)") case False hence "t \\<^sub>t\<^sub>r\<^sub>p t'" using \t \ \(trp ` ik\<^sub>s\<^sub>t (rcv\t'\#S))\ by simp thus ?thesis using \FV t' \ V\ trpD[THEN subtermeq_vars_subset] by auto qed auto qed auto lemma (in intruder_model) subterm_if_in_strand_ik: "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ \t'. rcv\t'\ \ set S \ t \ t'" proof (induction S rule: ik\<^sub>s\<^sub>t_induct) case (ConsRcv t' S) thus ?case by (cases "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)", auto dest!: trpD) qed simp_all lemma (in intruder_model) FV_subset_if_in_strand_ik: "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ FV t \ \set (map FV\<^sub>r\<^sub>c\<^sub>v S)" proof - assume "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)" then obtain t' where "rcv\t'\ \ set S" "t \ t'" by (metis subterm_if_in_strand_ik) hence "FV t \ FV t'" by (simp add: subtermeq_vars_subset) thus ?thesis using in_strand_FV_subset_rcv[OF \rcv\t'\ \ set S\] by auto qed lemma (in intruder_model) FV_subset_if_in_strand_ik': "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ FV t \ FV\<^sub>s\<^sub>t S" using FV_subset_if_in_strand_ik[of t S] FV_snd_rcv_strand_subset(2)[of S] by simp lemma (in intruder_model) vars_subset_if_in_strand_ik2: "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S) \ FV t \ vars2\<^sub>s\<^sub>t S" using FV_subset_if_in_strand_ik[of t S] vars_snd_rcv_strand_subset2(2)[of S] by simp subsection {* Lemmas: Simple Strands *} lemma simple_cons[dest]: "simple (s#S) \ simple S" by (induct s, auto elim: simple.elims(2)) lemma simple_split[dest]: assumes "simple (S@S')" shows "simple S" "simple S'" using assms by (induct S, auto elim: simple.elims(2)) lemma simple_append[intro]: "\simple S; simple S'\ \ simple (S@S')" proof (induction S) case (Cons x S) hence "simple (S@S')" by auto moreover have "simple [x]" by (metis Cons.prems(1) list.distinct(1) list.sel(1) simple.elims(2) simple.simps(1,2,3,4)) hence "\(\f X. x = snd\Fun f X\) \ \(\s t. x = s \ t)" by auto hence "(\t. x = rcv\t\) \ (\v. x = snd\Var v\) \ (\X t t'. x = \X\t \ t'\)" by (metis strand_step.exhaust_sel term.exhaust) ultimately show ?case by force qed simp lemma simple_append_sym[sym]: "simple (S@S') \ simple (S'@S)" by auto lemma not_simple_if_snd_fun: "(\S' S'' f X. S = S'@snd\Fun f X\#S'') \ \simple S" proof (induction S) case (Cons x S) then obtain S\<^sub>p\<^sub>r\<^sub>e f X S\<^sub>s\<^sub>u\<^sub>f where "x#S = S\<^sub>p\<^sub>r\<^sub>e@snd\Fun f X\#S\<^sub>s\<^sub>u\<^sub>f" by metis thus ?case by (cases "S\<^sub>p\<^sub>r\<^sub>e = []", auto simp add: Cons.IH) qed simp lemma simple_prefix_not_simple_suffix: "\simple S; \simple (S@S')\ \ \simple S'" by auto lemma not_simple_elim: assumes "\simple S" shows "(\S' S'' f X. S = S'@snd\Fun f X\#S'' \ simple S') \ (\S' S'' t t'. S = S'@t \ t'#S'' \ simple S')" using assms proof (induction S rule: List.rev_induct) case (snoc x S) thus ?case proof (cases "simple S") case True hence "\simple [x]" using simple_prefix_not_simple_suffix[OF _ snoc.prems] by metis hence "(\f X. x = snd\Fun f X\) \ (\s t. x = s \ t)" using list.inject simple.elims(3) by fastforce thus ?thesis using \simple S\ by force next case False thus ?thesis using snoc.IH by force qed qed simp lemma simple_fun_prefix_unique: assumes "A = S@snd\Fun f X\#S'" "simple S" shows "\T g Y T'. A = T@snd\Fun g Y\#T' \ simple T \ S = T \ f = g \ X = Y \ S' = T'" proof - { fix T g Y T' assume *: "A = T@snd\Fun g Y\#T'" "simple T" { assume "length S < length T" hence False using assms * by (metis id_take_nth_drop not_simple_if_snd_fun nth_append nth_append_length) } moreover { assume "length S > length T" hence False using assms * by (metis id_take_nth_drop not_simple_if_snd_fun nth_append nth_append_length) } ultimately have "S = T" using assms * by (meson List.append_eq_append_conv linorder_neqE_nat) } thus ?thesis using assms(1) by blast qed lemma simple_fun_prefix_unique': assumes "S = S'@snd\Fun f X\#S''" "simple S'" shows "\!S' f X S''. S = S'@snd\Fun f X\#S'' \ simple S'" proof - let ?P = "\(T,g,Y,T'). S = T@snd\Fun g Y\#T' \ simple T" obtain a where "?P a" using assms by blast have "\a. ?P a \ (\b. ?P b \ a = b)" using simple_fun_prefix_unique[of S] by blast hence "\b. ?P b \ a = b" using \?P a\ by simp hence "\!a. ?P a" using ex1I[of ?P] \?P a\ by (metis (no_types, lifting)) thus ?thesis by blast qed lemma simple_snd_is_var: "\snd\t\ \ set S; simple S\ \ \v. t = Var v" by (induct S rule: simple.induct) auto subsection {* Lemmas: Strand Measure *} lemma measure\<^sub>s\<^sub>t_wellfounded: "wf measure\<^sub>s\<^sub>t" unfolding measure\<^sub>s\<^sub>t_def by simp lemma strand_size_append[iff]: "size\<^sub>s\<^sub>t (S@S') = size\<^sub>s\<^sub>t S + size\<^sub>s\<^sub>t S'" by (induct S) auto lemma strand_size_map_fun_lt[simp]: "size\<^sub>s\<^sub>t (map Send X) < size (Fun f X)" "size\<^sub>s\<^sub>t (map Send X) < size\<^sub>s\<^sub>t [snd\Fun f X\]" "size\<^sub>s\<^sub>t (map Send X) < size\<^sub>s\<^sub>t [rcv\Fun f X\]" by (induct X) auto lemma strand_size_rm_fun_lt[simp]: "size\<^sub>s\<^sub>t (S@S') < size\<^sub>s\<^sub>t (S@snd\Fun f X\#S')" "size\<^sub>s\<^sub>t (S@S') < size\<^sub>s\<^sub>t (S@rcv\Fun f X\#S')" by (induct S) auto lemma strand_FV_card_map_fun_eq: "card (FV\<^sub>s\<^sub>t (S@snd\Fun f X\#S')) = card (FV\<^sub>s\<^sub>t (S@(map Send X)@S'))" proof - have "FV\<^sub>s\<^sub>t (S@snd\Fun f X\#S') = FV\<^sub>s\<^sub>t (S@(map Send X)@S')" by auto thus ?thesis by simp qed lemma strand_FV_card_rm_fun_le[simp]: "card (FV\<^sub>s\<^sub>t (S@S')) \ card (FV\<^sub>s\<^sub>t (S@snd\Fun f X\#S'))" by (force intro: card_mono) lemma strand_FV_card_rm_eq_le[simp]: "card (FV\<^sub>s\<^sub>t (S@S')) \ card (FV\<^sub>s\<^sub>t (S@t \ t'#S'))" by (force intro: card_mono) subsection {* Lemmas: Well-formed Strands *} lemma wf_prefix[dest]: "wf\<^sub>s\<^sub>t V (S@S') \ wf\<^sub>s\<^sub>t V S" by (induct S rule: wf\<^sub>s\<^sub>t.induct) auto lemma wf_vars_mono[simp]: "wf\<^sub>s\<^sub>t V S \ wf\<^sub>s\<^sub>t (V \ W) S" proof (induction S arbitrary: V) case (Cons x S) thus ?case proof (cases x) case (Send t) hence "wf\<^sub>s\<^sub>t (V \ FV t \ W) S" using Cons.prems(1) Cons.IH by simp thus ?thesis using Send by (simp add: sup_commute sup_left_commute) next case (Equality t t') hence "wf\<^sub>s\<^sub>t (V \ FV t \ W) S" "FV t' \ V \ W" using Cons.prems(1) Cons.IH by auto thus ?thesis using Equality by (simp add: sup_commute sup_left_commute) qed auto qed simp lemma wf\<^sub>s\<^sub>tI[intro]: "vars2\<^sub>s\<^sub>t S \ V \ wf\<^sub>s\<^sub>t V S" proof (induction S rule: vars2\<^sub>s\<^sub>t_induct) case (ConsSnd t S) hence "wf\<^sub>s\<^sub>t V S" "V \ FV t = V" by auto thus ?case by simp next case (ConsEq t t' S) hence "wf\<^sub>s\<^sub>t V S" "FV t' \ V" by auto thus ?case using wf_vars_mono by simp qed simp_all lemma wf_append_suffix: "wf\<^sub>s\<^sub>t V S \ vars2\<^sub>s\<^sub>t S' \ vars2\<^sub>s\<^sub>t S \ V \ wf\<^sub>s\<^sub>t V (S@S')" proof (induction V S rule: wf\<^sub>s\<^sub>t_induct) case (ConsSnd V t S) hence *: "wf\<^sub>s\<^sub>t (V \ FV t) S" by simp_all hence "vars2\<^sub>s\<^sub>t S' \ vars2\<^sub>s\<^sub>t S \ (V \ FV t)" using ConsSnd.prems(2) by auto thus ?case using ConsSnd.IH * by simp next case (ConsRcv V t S) hence *: "FV t \ V" "wf\<^sub>s\<^sub>t V S" by simp_all hence "vars2\<^sub>s\<^sub>t S' \ vars2\<^sub>s\<^sub>t S \ V" using ConsRcv.prems(2) by auto thus ?case using ConsRcv.IH * by simp next case (ConsEq V t t' S) hence *: "FV t' \ V" "wf\<^sub>s\<^sub>t (V \ FV t) S" by simp_all hence "vars2\<^sub>s\<^sub>t S' \ vars2\<^sub>s\<^sub>t S \ (V \ FV t)" using ConsEq.prems(2) by auto thus ?case using ConsEq.IH * by simp qed (simp_all add: wf\<^sub>s\<^sub>tI) lemma wf_send_compose: "wf\<^sub>s\<^sub>t V (S@(map Send X)@S') = wf\<^sub>s\<^sub>t V (S@snd\Fun f X\#S')" proof (induction S arbitrary: V) case Nil thus ?case proof (induction X arbitrary: V) case (Cons y Y) thus ?case by (simp add: sup_assoc) qed simp next case (Cons s S) thus ?case by (cases s) simp_all qed lemma wf_snd_append[iff]: "wf\<^sub>s\<^sub>t V (S@[snd\t\]) = wf\<^sub>s\<^sub>t V S" by (induct S rule: wf\<^sub>s\<^sub>t.induct) simp_all lemma wf_snd_append': "wf\<^sub>s\<^sub>t V S \ wf\<^sub>s\<^sub>t V (snd\t\#S)" by simp lemma wf_rcv_append[dest]: "wf\<^sub>s\<^sub>t V (S@rcv\t\#S') \ wf\<^sub>s\<^sub>t V (S@S')" by (induct S rule: wf\<^sub>s\<^sub>t.induct) simp_all lemma wf_rcv_append'[intro]: "\wf\<^sub>s\<^sub>t V (S@S'); FV t \ vars2\<^sub>s\<^sub>t S \ V\ \ wf\<^sub>s\<^sub>t V (S@rcv\t\#S')" proof (induction S rule: wf\<^sub>s\<^sub>t_induct) case (ConsRcv V t' S) hence "wf\<^sub>s\<^sub>t V (S@S')" "FV t \ vars2\<^sub>s\<^sub>t S \ V" by auto thus ?case using ConsRcv by auto next case (ConsEq V t' t'' S) hence "wf\<^sub>s\<^sub>t (V \ FV t') (S@S')" "FV t \ vars2\<^sub>s\<^sub>t S \ (V \ FV t')" by auto thus ?case using ConsEq by auto qed auto lemma wf_rcv_append''[intro]: "\wf\<^sub>s\<^sub>t V S; FV t \ \set (map FV\<^sub>s\<^sub>n\<^sub>d S)\ \ wf\<^sub>s\<^sub>t V (S@[rcv\t\])" apply (induct S, simp) by (metis vars_snd_rcv_strand_subset2(1) append_Nil2 le_supI1 order_trans wf_rcv_append') lemma wf_rcv_append'''[intro]: "\wf\<^sub>s\<^sub>t V S; FV t \ vars2\<^sub>s\<^sub>t S \ V\ \ wf\<^sub>s\<^sub>t V (S@[rcv\t\])" by (simp add: wf_rcv_append'[of _ _ "[]"]) lemma wf_eq_append[dest]: "wf\<^sub>s\<^sub>t V (S@t \ t'#S') \ FV t \ vars2\<^sub>s\<^sub>t S \ V \ wf\<^sub>s\<^sub>t V (S@S')" proof (induction S rule: wf\<^sub>s\<^sub>t_induct) case (Nil V) hence "V \ FV t = V" "wf\<^sub>s\<^sub>t (V \ FV t) S'" by auto thus ?case by auto next case (ConsRcv V u S) hence "wf\<^sub>s\<^sub>t V (S @ t \ t' # S')" "FV t \ vars2\<^sub>s\<^sub>t S \ V" "FV u \ V" by auto hence "wf\<^sub>s\<^sub>t V (S@S')" using ConsRcv.IH by auto thus ?case using \FV u \ V\ by simp next case (ConsEq V u u' S) hence "wf\<^sub>s\<^sub>t (V \ FV u) (S@t \ t'#S')" "FV t \ vars2\<^sub>s\<^sub>t S \ (V \ FV u)" "FV u' \ V" by auto hence "wf\<^sub>s\<^sub>t (V \ FV u) (S@S')" using ConsEq.IH by auto thus ?case using \FV u' \ V\ by simp qed auto lemma wf_eq_append'[intro]: "\wf\<^sub>s\<^sub>t V (S@S'); FV t' \ vars2\<^sub>s\<^sub>t S \ V\ \ wf\<^sub>s\<^sub>t V (S@t \ t'#S')" proof (induction S rule: wf\<^sub>s\<^sub>t_induct) case (ConsEq V u u' S) hence "wf\<^sub>s\<^sub>t (V \ FV u) (S@S')" "FV t' \ vars2\<^sub>s\<^sub>t S \ V \ FV u" by auto thus ?case using ConsEq by auto next case (ConsRcv V u S) hence "wf\<^sub>s\<^sub>t V (S@S')" "FV t' \ vars2\<^sub>s\<^sub>t S \ V" by auto thus ?case using ConsRcv by auto next case (ConsSnd V u S) hence "wf\<^sub>s\<^sub>t (V \ FV u) (S@S')" "FV t' \ vars2\<^sub>s\<^sub>t S \ (V \ FV u)" by auto thus ?case using ConsSnd by auto qed auto lemma wf_eq_append''[intro]: "\wf\<^sub>s\<^sub>t V (S@S'); FV t' \ wfvarsoccs\<^sub>s\<^sub>t S \ V\ \ wf\<^sub>s\<^sub>t V (S@[t \ t']@S')" proof (induction S rule: wf\<^sub>s\<^sub>t_induct) case (ConsEq V u u' S) hence "wf\<^sub>s\<^sub>t (V \ FV u) (S@S')" "FV t' \ wfvarsoccs\<^sub>s\<^sub>t S \ V \ FV u" by auto thus ?case using ConsEq by auto next case (ConsRcv V u S) hence "wf\<^sub>s\<^sub>t V (S@S')" "FV t' \ wfvarsoccs\<^sub>s\<^sub>t S \ V" by auto thus ?case using ConsRcv by auto next case (ConsSnd V u S) hence "wf\<^sub>s\<^sub>t (V \ FV u) (S@S')" "FV t' \ wfvarsoccs\<^sub>s\<^sub>t S \ (V \ FV u)" by auto thus ?case using ConsSnd by auto qed auto lemma wf_eq_append'''[intro]: "\wf\<^sub>s\<^sub>t V S; FV t' \ vars2\<^sub>s\<^sub>t S \ V\ \ wf\<^sub>s\<^sub>t V (S@[t \ t'])" by (simp add: wf_eq_append'[of _ _ "[]"]) lemma wf_ineq_append[dest]: "wf\<^sub>s\<^sub>t V (S@\X\t \ t'\#S') \ wf\<^sub>s\<^sub>t V (S@S')" by (induct S rule: wf\<^sub>s\<^sub>t.induct) simp_all lemma wf_ineq_append'[intro]: "wf\<^sub>s\<^sub>t V (S@S') \ wf\<^sub>s\<^sub>t V (S@\X\t \ t'\#S')" by (induct S rule: wf\<^sub>s\<^sub>t.induct) auto lemma wf_ineq_append''[intro]: "wf\<^sub>s\<^sub>t V S \ wf\<^sub>s\<^sub>t V (S@[\X\t \ t'\])" by (induct S rule: wf\<^sub>s\<^sub>t.induct) auto lemma wf_rcv_FV_single[elim]: "wf\<^sub>s\<^sub>t V (rcv\t\#S') \ FV t \ V" by simp lemma wf_append_exec: "wf\<^sub>s\<^sub>t V (S@S') \ wf\<^sub>s\<^sub>t (V \ wfvarsoccs\<^sub>s\<^sub>t S) S'" proof (induction S arbitrary: V) case (Cons x S V) thus ?case proof (cases x) case (Send t) hence "wf\<^sub>s\<^sub>t (V \ FV t \ wfvarsoccs\<^sub>s\<^sub>t S) S'" using Cons.prems Cons.IH by simp thus ?thesis using Send by (simp add: sup_assoc) next case (Equality t t') hence "wf\<^sub>s\<^sub>t (V \ FV t \ wfvarsoccs\<^sub>s\<^sub>t S) S'" using Cons.prems Cons.IH by simp thus ?thesis using Equality by (simp add: sup_assoc) qed auto qed simp lemma wf_rcv_FV: "wf\<^sub>s\<^sub>t V (S@rcv\t\#S') \ FV t \ wfvarsoccs\<^sub>s\<^sub>t S \ V" proof (induction S arbitrary: V) case (Cons x S V) thus ?case by (cases x) auto qed simp lemma wf_eq_FV: "wf\<^sub>s\<^sub>t V (S@t \ t'#S') \ FV t' \ wfvarsoccs\<^sub>s\<^sub>t S \ V" proof (induction S arbitrary: V) case (Cons x S V) thus ?case by (cases x) auto qed simp lemma wf_simple_FV_occurrence: assumes "wf\<^sub>s\<^sub>t {} S" "simple S" "v \ vars2\<^sub>s\<^sub>t S" shows "\S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f. S = S\<^sub>p\<^sub>r\<^sub>e@snd\Var v\#S\<^sub>s\<^sub>u\<^sub>f \ v \ vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e" using assms proof (induction S rule: List.rev_induct) case (snoc x S) from \wf\<^sub>s\<^sub>t {} (S@[x])\ have "wf\<^sub>s\<^sub>t {} S" "wf\<^sub>s\<^sub>t (vars2\<^sub>s\<^sub>t S) [x]" using wf_append_exec[THEN wf_vars_mono, of "{}" S "[x]" "vars2\<^sub>s\<^sub>t S - wfvarsoccs\<^sub>s\<^sub>t S"] vars_snd_rcv_strand_subset2(4)[of S] Diff_partition[of "wfvarsoccs\<^sub>s\<^sub>t S" "vars2\<^sub>s\<^sub>t S"] by auto from \simple (S@[x])\ have "simple S" "simple [x]" by auto show ?case proof (cases "v \ vars2\<^sub>s\<^sub>t S") case True thus ?thesis using snoc.IH[OF \wf\<^sub>s\<^sub>t {} S\ \simple S\] by fastforce next case False show ?thesis proof (cases x) case (Receive t) hence "FV t \ vars2\<^sub>s\<^sub>t S" using \wf\<^sub>s\<^sub>t (vars2\<^sub>s\<^sub>t S) [x]\ by simp hence "v \ vars2\<^sub>s\<^sub>t S" using \v \ vars2\<^sub>s\<^sub>t (S@[x])\ \x = rcv\t\\ by auto thus ?thesis using \x = rcv\t\\ snoc.IH[OF \wf\<^sub>s\<^sub>t {} S\ \simple S\] by fastforce next case (Send t) hence "v \ vars\<^sub>s\<^sub>t\<^sub>p x" using \v \ vars2\<^sub>s\<^sub>t (S@[x])\ False by auto from Send obtain w where "t = Var w" using \simple [x]\ by (cases t) simp_all hence "v = w" using \x = snd\t\\ \v \ vars\<^sub>s\<^sub>t\<^sub>p x\ by simp thus ?thesis using \x = snd\t\\ \v \ vars2\<^sub>s\<^sub>t S\ \t = Var w\ by auto next case (Equality t t') thus ?thesis using snoc.prems(2) by auto next case (Inequality t t') thus ?thesis using False snoc.prems(3) by auto qed qed qed simp lemma (in intruder_model) Unifier_strand_FV_subset: assumes g_in_ik: "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)" and \: "Unifier \ (Fun f X) t" and disj: "bvars\<^sub>s\<^sub>t S \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" shows "FV (Fun f X \ \) \ \set (map FV\<^sub>r\<^sub>c\<^sub>v (S \\<^sub>s\<^sub>t \))" proof - have "FV t \ \set (map FV\<^sub>r\<^sub>c\<^sub>v S)" using FV_subset_if_in_strand_ik[OF g_in_ik] by simp hence "FV (t \ \) \ \set (map FV\<^sub>r\<^sub>c\<^sub>v (S \\<^sub>s\<^sub>t \))" using FV_strand_subst by (metis (no_types) disj FV_strand_subst subst_apply_FV_subset) thus ?thesis using \ by simp qed lemma wf\<^sub>s\<^sub>t_induct'[consumes 1, case_names Nil ConsSnd ConsRcv ConsEq ConsIneq]: fixes S::"('a,'b) strand" assumes "wf\<^sub>s\<^sub>t V S" "P []" "\t S. \wf\<^sub>s\<^sub>t V S; P S\ \ P (S@[snd\t\])" "\t S. \wf\<^sub>s\<^sub>t V S; P S; FV t \ V \ wfvarsoccs\<^sub>s\<^sub>t S\ \ P (S@[rcv\t\])" "\t t' S. \wf\<^sub>s\<^sub>t V S; P S; FV t' \ V \ wfvarsoccs\<^sub>s\<^sub>t S\ \ P (S@[t \ t'])" "\X t t' S. \wf\<^sub>s\<^sub>t V S; P S\ \ P (S@[\X\t \ t'\])" shows "P S" using assms proof (induction S rule: List.rev_induct) case (snoc x S) hence *: "wf\<^sub>s\<^sub>t V S" "wf\<^sub>s\<^sub>t (V \ wfvarsoccs\<^sub>s\<^sub>t S) [x]" by (metis wf_prefix, metis wf_append_exec) show ?case proof (cases x) case (Send t) thus ?thesis using *(1) snoc.prems snoc.IH by auto next case (Equality t t') thus ?thesis using *(2) snoc.prems snoc.IH by auto next case (Inequality t t') thus ?thesis using *(2) snoc.prems snoc.IH by auto next case (Receive t) hence "P S" using snoc.prems snoc.IH[OF *(1) \P []\] by auto thus ?thesis using \x = rcv\t\\ snoc.prems(4)[OF *(1), of t] *(2) by auto qed qed simp lemma (in intruder_model) wf_subst_apply: "wf\<^sub>s\<^sub>t V S \ wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) (S \\<^sub>s\<^sub>t \)" proof (induction S arbitrary: V rule: wf\<^sub>s\<^sub>t_induct) case (ConsRcv V t S) hence "wf\<^sub>s\<^sub>t V (rcv\t\#S)" "FV t \ V" by simp_all hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) (S \\<^sub>s\<^sub>t \)" "FV (t \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using ConsRcv.IH subst_apply_FV_subset by simp_all thus ?case by simp next case (ConsSnd V t S) hence "wf\<^sub>s\<^sub>t (V \ FV t) S" by simp hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` (V \ FV t))) (S \\<^sub>s\<^sub>t \)" using ConsSnd.IH by metis hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ (FV (t \ \))) (S \\<^sub>s\<^sub>t \)" using subst_apply_FV_union by metis thus ?case by simp next case (ConsEq V t t' S) hence "wf\<^sub>s\<^sub>t (V \ FV t) (rcv\t\#S)" "FV t' \ V" by simp_all hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` (V \ FV t))) (S \\<^sub>s\<^sub>t \)" and *: "FV (t' \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using ConsEq.IH subst_apply_FV_subset by force+ hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ (FV (t \ \))) (S \\<^sub>s\<^sub>t \)" using subst_apply_FV_union by metis thus ?case using * by simp qed simp_all lemma (in intruder_model) wf_unify: assumes wf: "wf\<^sub>s\<^sub>t V (S@snd\Fun f X\#S')" and g_in_ik: "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)" and \: "Unifier \ (Fun f X) t" and disj: "bvars\<^sub>s\<^sub>t (S@snd\Fun f X\#S') \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" shows "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) ((S@S') \\<^sub>s\<^sub>t \)" using assms proof (induction S' arbitrary: V rule: List.rev_induct) case (snoc x S' V) have fun_FV_bound: "FV (Fun f X \ \) \ \set (map FV\<^sub>r\<^sub>c\<^sub>v (S \\<^sub>s\<^sub>t \))" using snoc.prems(4) bvars\<^sub>s\<^sub>t_split Unifier_strand_FV_subset[OF g_in_ik \] by auto hence "FV (Fun f X \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \))" using FV_ik_is_FV_rcv by metis hence "FV (Fun f X \ \) \ vars2\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \)" using FV_ik_subset_FV_st[of "S \\<^sub>s\<^sub>t \"] by blast hence *: "FV ((Fun f X) \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" by auto from snoc.prems(1) have "wf\<^sub>s\<^sub>t V (S@snd\Fun f X\#S')" using wf_prefix[of V "S@snd\Fun f X\#S'" "[x]"] by simp hence **: "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) ((S@S') \\<^sub>s\<^sub>t \)" using snoc.IH[OF _ snoc.prems(2,3)] snoc.prems(4) by auto from snoc.prems(1) have ***: "wf\<^sub>s\<^sub>t (V \ wfvarsoccs\<^sub>s\<^sub>t (S@snd\Fun f X\#S')) [x]" using wf_append_exec[of V "(S@snd\Fun f X\#S')" "[x]"] by simp from snoc.prems(4) have disj': "bvars\<^sub>s\<^sub>t (S@S') \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" "set (bvars\<^sub>s\<^sub>t\<^sub>p x) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" by auto show ?case proof (cases x) case (Send t) thus ?thesis using wf_snd_append[of "FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" "(S@S') \\<^sub>s\<^sub>t \"] ** by auto next case (Receive t) hence "FV\<^sub>s\<^sub>t\<^sub>p x \ V \ wfvarsoccs\<^sub>s\<^sub>t (S@snd\Fun f X\#S')" using *** by auto hence "FV\<^sub>s\<^sub>t\<^sub>p x \ V \ vars2\<^sub>s\<^sub>t (S@snd\Fun f X\#S')" using vars_snd_rcv_strand_subset2(4)[of "S@snd\Fun f X\#S'"] by blast hence "FV\<^sub>s\<^sub>t\<^sub>p x \ V \ FV (Fun f X) \ vars2\<^sub>s\<^sub>t (S@S')" by auto hence "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ FV ((Fun f X) \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" by (metis (no_types) inf_sup_aci(5) subst_apply_FV_subset_strand2 subst_apply_FV_union disj') hence "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" using * by blast hence "FV (t \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) " using \x = rcv\t\\ by auto hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) (((S@S') \\<^sub>s\<^sub>t \)@[rcv\t \ \\])" using wf_rcv_append'''[OF **, of "t \ \"] by metis thus ?thesis using \x = rcv\t\\ by auto next case (Equality s s') hence "FV s' \ V \ wfvarsoccs\<^sub>s\<^sub>t (S@snd\Fun f X\#S')" using *** by auto hence "FV s' \ V \ vars2\<^sub>s\<^sub>t (S@snd\Fun f X\#S')" using vars_snd_rcv_strand_subset2(4)[of "S@snd\Fun f X\#S'"] by blast hence "FV s' \ V \ FV (Fun f X) \ vars2\<^sub>s\<^sub>t (S@S')" by auto moreover have "FV s' = FV_r\<^sub>e\<^sub>q x" "FV (s' \ \) = FV_r\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \)" using Equality by simp_all ultimately have "FV (s' \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ FV (Fun f X \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" using subst_apply_FV_subset_strand2[of FV_r\<^sub>e\<^sub>q x] by (metis (no_types) inf_sup_aci(5) subst_apply_FV_union disj') hence "FV (s' \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" using * by blast hence "FV (s' \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using \x = s \ s'\ by auto hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) (((S@S') \\<^sub>s\<^sub>t \)@[(s \ \) \ (s' \ \)])" using wf_eq_append'''[OF **] by metis thus ?thesis using \x = s \ s'\ by auto next case (Inequality t t') thus ?thesis using wf_ineq_append''[OF **] by simp qed qed (auto dest: wf_subst_apply) lemma (in intruder_model) wf_equality: assumes wf: "wf\<^sub>s\<^sub>t V (S@t \ t'#S')" and \: "mgu t t' = Some \" and disj: "bvars\<^sub>s\<^sub>t (S@t \ t'#S') \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" shows "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) ((S@S') \\<^sub>s\<^sub>t \)" using assms proof (induction S' arbitrary: V rule: List.rev_induct) case Nil thus ?case using wf_prefix[of V S "[t \ t']"] wf_subst_apply[of V S \] by auto next case (snoc x S' V) hence "FV t' \ V \ wfvarsoccs\<^sub>s\<^sub>t S" using wf_eq_FV[of V, of S t t' "S'@[x]"] by auto hence "FV t' \ V \ vars2\<^sub>s\<^sub>t S" using vars_snd_rcv_strand_subset2(4)[of S] by blast hence "FV t' \ V \ vars2\<^sub>s\<^sub>t (S@S')" by auto moreover have disj': "bvars\<^sub>s\<^sub>t (S@S') \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" "set (bvars\<^sub>s\<^sub>t\<^sub>p x) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" "bvars\<^sub>s\<^sub>t (S@t \ t'#S') \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" using snoc.prems(3) by auto ultimately have "FV (t' \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" by (metis inf_sup_aci(5) subst_apply_FV_subset_strand_trm2) moreover have "FV (t \ \) = FV (t' \ \)" by (metis MGU_is_Unifier[OF mgu_gives_MGU[OF \]]) ultimately have *: "FV (t \ \) \ FV (t' \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" by simp from snoc.prems(1) have "wf\<^sub>s\<^sub>t V (S@t \ t'#S')" using wf_prefix[of V "S@t \ t'#S'"] by simp hence **: "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) ((S@S') \\<^sub>s\<^sub>t \)" by (metis snoc.IH \ disj'(3)) from snoc.prems(1) have ***: "wf\<^sub>s\<^sub>t (V \ wfvarsoccs\<^sub>s\<^sub>t (S@t \ t'#S')) [x]" using wf_append_exec[of V "(S@t \ t'#S')" "[x]"] by simp show ?case proof (cases x) case (Send t) thus ?thesis using wf_snd_append[of "FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" "(S@S') \\<^sub>s\<^sub>t \"] ** by auto next case (Receive s) hence "FV\<^sub>s\<^sub>t\<^sub>p x \ V \ wfvarsoccs\<^sub>s\<^sub>t (S@t \ t'#S')" using *** by auto hence "FV\<^sub>s\<^sub>t\<^sub>p x \ V \ vars2\<^sub>s\<^sub>t (S@t \ t'#S')" using vars_snd_rcv_strand_subset2(4)[of "S@t \ t'#S'"] by blast hence "FV\<^sub>s\<^sub>t\<^sub>p x \ V \ FV t \ FV t' \ vars2\<^sub>s\<^sub>t (S@S')" by auto hence "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ FV (t \ \) \ FV (t' \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" using subst_apply_FV_subset_strand2[of FV\<^sub>s\<^sub>t\<^sub>p] by (metis (no_types) inf_sup_aci(5) subst_apply_FV_union disj'(1,2)) hence "FV\<^sub>s\<^sub>t\<^sub>p (x \\<^sub>s\<^sub>t\<^sub>p \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" using * by blast hence "FV (s \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \) \ (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V))" using \x = rcv\s\\ by auto hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) (((S@S') \\<^sub>s\<^sub>t \)@[rcv\s \ \\])" using wf_rcv_append'''[OF **, of "s \ \"] by metis thus ?thesis using \x = rcv\s\\ by auto next case (Equality s s') hence "FV s' \ V \ wfvarsoccs\<^sub>s\<^sub>t (S@t \ t'#S')" using *** by auto hence "FV s' \ V \ vars2\<^sub>s\<^sub>t (S@t \ t'#S')" using vars_snd_rcv_strand_subset2(4)[of "S@t \ t'#S'"] by blast hence "FV s' \ V \ FV t \ FV t' \ vars2\<^sub>s\<^sub>t (S@S')" by auto moreover have "FV s' = FV_r\<^sub>e\<^sub>q x" "FV (s' \ \) = FV_r\<^sub>e\<^sub>q (x \\<^sub>s\<^sub>t\<^sub>p \)" using Equality by simp_all ultimately have "FV (s' \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ FV (t \ \) \ FV (t' \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" using subst_apply_FV_subset_strand2[of FV_r\<^sub>e\<^sub>q x] by (metis (no_types) inf_sup_aci(5) subst_apply_FV_union disj'(1,2)) hence "FV (s' \ \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \)" using * by blast hence "FV (s' \ \) \ vars2\<^sub>s\<^sub>t ((S@S') \\<^sub>s\<^sub>t \) \ FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)" using \x = s \ s'\ by auto hence "wf\<^sub>s\<^sub>t (FV\<^sub>s\<^sub>e\<^sub>t (\ ` V)) (((S@S') \\<^sub>s\<^sub>t \)@[(s \ \) \ (s' \ \)])" using wf_eq_append'''[OF **] by metis thus ?thesis using \x = s \ s'\ by auto next case (Inequality s s') thus ?thesis using wf_ineq_append''[OF **] by simp qed qed lemma wf_rcv_prefix_ground: "wf\<^sub>s\<^sub>t {} ((map Receive M)@S) \ vars\<^sub>s\<^sub>t (map Receive M) = {}" by (induct M) auto lemma simple_wfvarsoccs\<^sub>s\<^sub>t_is_FV\<^sub>s\<^sub>n\<^sub>d: assumes "simple S" shows "wfvarsoccs\<^sub>s\<^sub>t S = \set (map FV\<^sub>s\<^sub>n\<^sub>d S)" using assms by (induct S rule: simple.induct) auto lemma wf\<^sub>s\<^sub>t_simple_induct[consumes 2, case_names Nil ConsSnd ConsRcv ConsIneq]: fixes S::"('a,'b) strand" assumes "wf\<^sub>s\<^sub>t V S" "simple S" "P []" "\v S. \wf\<^sub>s\<^sub>t V S; simple S; P S\ \ P (S@[snd\Var v\])" "\t S. \wf\<^sub>s\<^sub>t V S; simple S; P S; FV t \ V \ \set (map FV\<^sub>s\<^sub>n\<^sub>d S)\ \ P (S@[rcv\t\])" "\X t t' S. \wf\<^sub>s\<^sub>t V S; simple S; P S\ \ P (S@[\X\t \ t'\])" shows "P S" using assms proof (induction S rule: wf\<^sub>s\<^sub>t_induct') case (ConsSnd t S) hence "P S" by auto obtain v where "t = Var v" using simple_snd_is_var[OF _ \simple (S@[snd\t\])\] by auto thus ?case using ConsSnd.prems(3)[OF \wf\<^sub>s\<^sub>t V S\ _ \P S\] \simple (S@[snd\t\])\ by auto next case (ConsRcv t S) thus ?case using simple_wfvarsoccs\<^sub>s\<^sub>t_is_FV\<^sub>s\<^sub>n\<^sub>d[of "S@[rcv\t\]"] by auto qed auto lemma wf_trm_stp_dom_FV_disjoint: "\wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r S \; t \ trm\<^sub>s\<^sub>t\<^sub>p ` set S\ \ dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV t = {}" unfolding wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r_def by auto lemma wf_constr_bvars_disj: "wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r S \ \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t S = {}" by auto lemma wf_constr_bvars_disj': assumes "wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r S \" "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>t S" shows "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t S = {}" (is ?A) and "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t (S \\<^sub>s\<^sub>t \) = {}" (is ?B) proof - have *: "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ bvars\<^sub>s\<^sub>t S = {}" "FV\<^sub>s\<^sub>t S \ bvars\<^sub>s\<^sub>t S = {}" using assms(1) by auto thus ?A and ?B using assms(2) bvars_subst_ident[of S \] by blast+ qed lemma (in intruder_model) wf_trp_ik_dom_FV_disjoint: assumes "wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r S \" "t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)" shows "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV t = {}" using \wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r S \\ FV_subset_if_in_strand_ik'[OF \t \ trp\<^sub>s\<^sub>e\<^sub>t (ik\<^sub>s\<^sub>t S)\] unfolding wf\<^sub>c\<^sub>o\<^sub>n\<^sub>s\<^sub>t\<^sub>r_def by blast lemma (in intruder_model) wf_simple_strand_first_snd_var_split: assumes "wf\<^sub>s\<^sub>t {} S" "simple S" "\v \ vars2\<^sub>s\<^sub>t S. t \ \ = \ v" shows "\v S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f. S = S\<^sub>p\<^sub>r\<^sub>e@snd\Var v\#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ = \ v \ \(\w \ vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e. t \ \ = \ w)" using assms proof (induction S rule: wf\<^sub>s\<^sub>t_simple_induct) case (ConsSnd v S) show ?case proof (cases "\w \ vars2\<^sub>s\<^sub>t S. t \ \ = \ w") case True thus ?thesis using ConsSnd.IH by fastforce next case False thus ?thesis using ConsSnd.prems by auto qed next case (ConsRcv t' S) have "\v. v \ FV t' \ v \ vars2\<^sub>s\<^sub>t S" using ConsRcv.hyps(3) by auto hence "\v \ vars2\<^sub>s\<^sub>t S. t \ \ = \ v" using ConsRcv.prems(1) by fastforce hence "\v S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f. S = S\<^sub>p\<^sub>r\<^sub>e@snd\Var v\#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ = \ v \ \ (\w\vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e. t \ \ = \ w)" by (metis ConsRcv.IH) thus ?case by fastforce next case (ConsIneq X s s' S) moreover have "vars2\<^sub>s\<^sub>t (S @ [\X\s \ s'\]) = vars2\<^sub>s\<^sub>t S" by auto ultimately have "\v S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f. S = S\<^sub>p\<^sub>r\<^sub>e@snd\Var v\#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ = \ v \ \ (\w\vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e. t \ \ = \ w)" by auto thus ?case by fastforce qed simp lemma (in intruder_model) wf_strand_first_snd_var_split: assumes "wf\<^sub>s\<^sub>t {} S" "\v \ vars2\<^sub>s\<^sub>t S. t \ \ \ \ v" shows "\S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f. \(\w \ vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e. t \ \ \ \ w) \ ((\t'. S = S\<^sub>p\<^sub>r\<^sub>e@snd\t'\#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \) \ (\t' t''. S = S\<^sub>p\<^sub>r\<^sub>e@t' \ t''#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \))" using assms proof (induction S rule: wf\<^sub>s\<^sub>t_induct') case (ConsSnd t' S) show ?case proof (cases "\w \ vars2\<^sub>s\<^sub>t S. t \ \ \ \ w") case True then obtain S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f where "\(\w \ vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e. t \ \ \ \ w)" "(\t'. S = S\<^sub>p\<^sub>r\<^sub>e@snd\t'\#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \) \ (\t' t''. S = S\<^sub>p\<^sub>r\<^sub>e@t' \ t''#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \)" using ConsSnd.IH by moura thus ?thesis by fastforce next case False then obtain v where v: "v \ FV t'" "t \ \ \ \ v" using ConsSnd.prems by auto hence "t \ \ \ t' \ \" using subst_mono[of "Var v" t' \] vars_iff_subtermeq[of v t'] subtermeq_trans by auto thus ?thesis using False v by auto qed next case (ConsRcv t' S) have "FV t' \ vars2\<^sub>s\<^sub>t S" using ConsRcv.hyps vars_snd_rcv_strand_subset2(4)[of S] by auto hence "\v \ vars2\<^sub>s\<^sub>t S. t \ \ \ \ v" using ConsRcv.prems by auto then obtain S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f where "\(\w \ vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e. t \ \ \ \ w)" "(\t'. S = S\<^sub>p\<^sub>r\<^sub>e@snd\t'\#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \) \ (\t' t''. S = S\<^sub>p\<^sub>r\<^sub>e@t' \ t''#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \)" using ConsRcv.IH by moura thus ?case by fastforce next case (ConsEq s s' S) have *: "FV s' \ vars2\<^sub>s\<^sub>t S" using ConsEq.hyps vars_snd_rcv_strand_subset2(4)[of S] by auto show ?case proof (cases "\v \ vars2\<^sub>s\<^sub>t S. t \ \ \ \ v") case True then obtain S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f where "\(\w \ vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e. t \ \ \ \ w)" "(\t'. S = S\<^sub>p\<^sub>r\<^sub>e@snd\t'\#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \) \ (\t' t''. S = S\<^sub>p\<^sub>r\<^sub>e@t' \ t''#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \)" using ConsEq.IH by moura thus ?thesis by fastforce next case False then obtain v where "v \ FV s" "t \ \ \ \ v" using ConsEq.prems * by auto hence "t \ \ \ s \ \" using vars_iff_subtermeq[of v s] subst_mono[of "Var v" s \] subtermeq_trans by auto thus ?thesis using False by fastforce qed next case (ConsIneq X s s' S) hence "\v \ vars2\<^sub>s\<^sub>t S. t \ \ \ \ v" by auto then obtain S\<^sub>p\<^sub>r\<^sub>e S\<^sub>s\<^sub>u\<^sub>f where "\(\w \ vars2\<^sub>s\<^sub>t S\<^sub>p\<^sub>r\<^sub>e. t \ \ \ \ w)" "(\t'. S = S\<^sub>p\<^sub>r\<^sub>e@snd\t'\#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \) \ (\t' t''. S = S\<^sub>p\<^sub>r\<^sub>e@t' \ t''#S\<^sub>s\<^sub>u\<^sub>f \ t \ \ \ t' \ \)" using ConsIneq.IH by moura thus ?case by fastforce qed simp subsection {* Constraint Semantics *} context intruder_model begin subsubsection {* Definitions *} type_synonym ('a,'b) constrsem = "('a,'b) subst \ bool" fun strand_sem_c::"('fun,'var) terms \ ('fun,'var) strand \ ('fun,'var) constrsem" ("\_; _\\<^sub>c") where "\M; []\\<^sub>c = (\\. True)" | "\M; snd\t\#S\\<^sub>c = (\\. M \set \ \\<^sub>c t \ \ \ \M; S\\<^sub>c \)" | "\M; rcv\t\#S\\<^sub>c = \insert t M; S\\<^sub>c" | "\M; t \ t'#S\\<^sub>c = (\\. t \ \ = t' \ \ \ \M; S\\<^sub>c \)" | "\M; \X\t \ t'\#S\\<^sub>c = (\\. (\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ t' \ \ \ \) \ \M; S\\<^sub>c \)" definition constr_sem_c ("_ \\<^sub>c \_,_\") where "\ \\<^sub>c \S,\\ \ (\ supports \ \ \{}; S\\<^sub>c \)" abbreviation constr_sem_c' ("_ \\<^sub>c \_\" 90) where "\ \\<^sub>c \S\ \ \ \\<^sub>c \S,Var\" fun strand_sem_d::"('fun,'var) terms \ ('fun,'var) strand \ ('fun,'var) constrsem" ("\_; _\\<^sub>d") where "\M; []\\<^sub>d = (\\. True)" | "\M; snd\t\#S\\<^sub>d = (\\. M \set \ \ t \ \ \ \M; S\\<^sub>d \)" | "\M; rcv\t\#S\\<^sub>d = \insert t M; S\\<^sub>d" | "\M; t \ t'#S\\<^sub>d = (\\. t \ \ = t' \ \ \ \M; S\\<^sub>d \)" | "\M; \X\t \ t'\#S\\<^sub>d = (\\. (\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ t' \ \ \ \) \ \M; S\\<^sub>d \)" definition constr_sem_d ("_ \ \_,_\") where "\ \ \S,\\ \ (\ supports \ \ \{}; S\\<^sub>d \)" abbreviation constr_sem_d' ("_ \ \_\" 90) where "\ \ \S\ \ \ \ \S,Var\" lemmas strand_sem_induct = strand_sem_c.induct[case_names Nil ConsSnd ConsRcv ConsEq ConsIneq] declare constr_sem_c_def[simp] declare constr_sem_d_def[simp] subsubsection {* Lemmas *} lemma strand_sem_d_mono_ik: "\M \ M'; \M; S\\<^sub>d \\ \ \M'; S\\<^sub>d \" proof (induction M S arbitrary: M' rule: strand_sem_induct) case (ConsSnd M t S) hence "M \set \ \ t \ \" "\M'; S\\<^sub>d \" by auto hence "M' \set \ \ t \ \" using ideduct_mono \M \ M'\ by (metis image_mono) thus ?case using \\M'; S\\<^sub>d \\ by simp qed auto lemma strand_sem_d_if_c: "\ \\<^sub>c \S,\\ \ \ \ \S,\\" proof - assume *: "\ \\<^sub>c \S,\\" { fix M have "\M; S\\<^sub>c \ \ \M; S\\<^sub>d \" proof (induction S rule: strand_sem_induct) case (ConsSnd M t S) hence "M \set \ \\<^sub>c t \ \" "\M; S\\<^sub>d \" by auto thus ?case using strand_sem_d.simps(2)[of M t S] by auto qed auto } thus ?thesis using * by simp qed lemma strand_sem_mono_ik: "\M \ M'; \M; S\\<^sub>c \\ \ \M'; S\\<^sub>c \" proof (induction M S arbitrary: M' rule: strand_sem_induct) case (ConsSnd M t S) hence "M \set \ \\<^sub>c t \ \" "\M'; S\\<^sub>c \" by auto hence "M' \set \ \\<^sub>c t \ \" using ideduct_synth_mono \M \ M'\ by (metis Union_mono image_mono) thus ?case using \\M'; S\\<^sub>c \\ by simp qed auto lemma strand_sem_split_left[dest]: "\M; S@S'\\<^sub>c \ \ \M; S\\<^sub>c \" proof (induct S arbitrary: M) case (Cons x S) thus ?case by (cases x) simp_all qed simp lemma strand_sem_split_left_d[dest]: "\M; S@S'\\<^sub>d \ \ \M; S\\<^sub>d \" proof (induct S arbitrary: M) case (Cons x S) thus ?case by (cases x) simp_all qed simp lemma strand_sem_split_right[dest]: "\M; S@S'\\<^sub>c \ \ \M \ ik\<^sub>s\<^sub>t S; S'\\<^sub>c \" proof (induction S arbitrary: M rule: ik\<^sub>s\<^sub>t_induct) case (ConsRcv t S M) thus ?case using ConsRcv.IH[of "insert t M"] by simp qed simp_all lemma strand_sem_split_right_d[dest]: "\M; S@S'\\<^sub>d \ \ \M \ ik\<^sub>s\<^sub>t S; S'\\<^sub>d \" proof (induction S arbitrary: M rule: ik\<^sub>s\<^sub>t_induct) case (ConsRcv t S M) thus ?case using ConsRcv.IH[of "insert t M"] by simp qed simp_all lemma strand_sem_snd_split[dest]: "\\M; map Send X\\<^sub>c \; x \ set X\ \ \M; [snd\x\]\\<^sub>c \" by (induct "map Send X" arbitrary: X rule: strand_sem_c.induct) auto lemma strand_sem_snd_split_d[dest]: "\\M; map Send X\\<^sub>d \; x \ set X\ \ \M; [snd\x\]\\<^sub>d \" by (induct "map Send X" arbitrary: X rule: strand_sem_d.induct) auto lemma strand_sem_snd_split'[dest]: "\\M; map Send X@S\\<^sub>c \; x \ set X\ \ \M; snd\x\#S\\<^sub>c \" using strand_sem_snd_split strand_sem_split_right strand_sem_split_left by (metis ik_snd_empty strand_sem_c.simps(2) sup_bot.right_neutral) lemma strand_sem_append[intro]: "\\M; S\\<^sub>c \; \M \ ik\<^sub>s\<^sub>t S; S'\\<^sub>c \\ \ \M; S@S'\\<^sub>c \" proof (induction S arbitrary: M) case (Cons x S) thus ?case by (cases x) auto qed simp lemma strand_sem_append_d[intro]: "\\M; S\\<^sub>d \; \M \ ik\<^sub>s\<^sub>t S; S'\\<^sub>d \\ \ \M; S@S'\\<^sub>d \" proof (induction S arbitrary: M) case (Cons x S) thus ?case by (cases x) auto qed simp lemma strand_sem_subst: assumes "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) \ bvars\<^sub>s\<^sub>t S = {}" shows "\M; S\\<^sub>c (\ \\<^sub>s \) \ \M \set \; S \\<^sub>s\<^sub>t \\\<^sub>c \" using assms proof (induction S arbitrary: \ M rule: strand_sem_induct) case (ConsSnd M t S) hence "\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>c \" "M \set (\ \\<^sub>s \) \\<^sub>c t \ (\ \\<^sub>s \)" by auto hence "(M \set \) \set \ \\<^sub>c (t \ \) \ \" using subst_comp_all[of \ \ M] subst_comp[of t \ \] by simp thus ?case using \\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>c \\ unfolding subst_apply_strand_def by simp next case (ConsRcv M t S) hence "\(insert t M) \set \; S \\<^sub>s\<^sub>t \\\<^sub>c \" by force hence "\M \set \; rcv\t \ \\#(S \\<^sub>s\<^sub>t \)\\<^sub>c \" by (simp add: subst_all_insert) thus ?case by simp next case (ConsIneq M X t t' S) hence *: "\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>c \" and **: "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ \ \ t' \ \ \ \ \ \" and ***: "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ set X = {}" unfolding bvars\<^sub>s\<^sub>t_def by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ \ \\<^sub>s \ = \ \\<^sub>s \" by (metis subst_comp_eq_if_disjoint_vars) hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ \ \ t' \ \ \ \ \ \" using ** by (metis (no_types, hide_lams) subst_comp) moreover have "rm_vars (set X) \ = \" using ConsIneq.prems(2) by force ultimately show ?case using * by auto qed simp_all lemma strand_sem_subst': assumes "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) \ bvars\<^sub>s\<^sub>t S = {}" shows "\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>c \ \ \M; S\\<^sub>c (\ \\<^sub>s \)" using assms proof (induction S arbitrary: \ M rule: strand_sem_induct) case (ConsSnd M t S) hence "\M \set \; [snd\t\] \\<^sub>s\<^sub>t \\\<^sub>c \" "\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>c \" by auto hence "\M; S\\<^sub>c (\ \\<^sub>s \)" using ConsSnd.IH[OF _] ConsSnd.prems(2) by auto moreover have "\M; [snd\t\]\\<^sub>c (\ \\<^sub>s \)" proof - have "M \set \ \set \ \\<^sub>c t \ \ \ \" using \\M \set \; [snd\t\] \\<^sub>s\<^sub>t \\\<^sub>c \\ by auto hence "M \set (\ \\<^sub>s \) \\<^sub>c t \ (\ \\<^sub>s \)" using subst_comp subst_comp_all by metis thus "\M; [snd\t\]\\<^sub>c (\ \\<^sub>s \)" by auto qed ultimately show ?case by auto next case (ConsRcv M t S) hence "\(insert t M) \set \; S \\<^sub>s\<^sub>t \\\<^sub>c \" by (simp add: subst_all_insert) thus ?case using ConsRcv.IH ConsRcv.prems(2) by auto next case (ConsIneq M X t t' S) have "rm_vars (set X) \ = \" using ConsIneq.prems(2) by force hence *: "\M; S\\<^sub>c (\ \\<^sub>s \)" and **: "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ \ \ t' \ \ \ \ \ \" and ***: "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ set X = {}" using ConsIneq unfolding bvars\<^sub>s\<^sub>t_def by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ \ \\<^sub>s \ = \ \\<^sub>s \" by (metis subst_comp_eq_if_disjoint_vars) hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ \ \ t' \ \ \ \ \ \" using ** by (metis (no_types, hide_lams) subst_comp) thus ?case using * by auto next case ConsEq thus ?case unfolding bvars\<^sub>s\<^sub>t_def by auto qed simp_all lemma strand_sem_subst_d: assumes "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) \ bvars\<^sub>s\<^sub>t S = {}" shows "\M; S\\<^sub>d (\ \\<^sub>s \) \ \M \set \; S \\<^sub>s\<^sub>t \\\<^sub>d \" using assms proof (induction S arbitrary: \ M rule: strand_sem_induct) case (ConsSnd M t S) hence "\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>d \" "M \set (\ \\<^sub>s \) \ t \ (\ \\<^sub>s \)" by auto hence "(M \set \) \set \ \ (t \ \) \ \" using subst_comp_all[of \ \ M] subst_comp[of t \ \] by simp thus ?case using \\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>d \\ by simp next case (ConsRcv M t S) hence "\(insert t M) \set \; S \\<^sub>s\<^sub>t \\\<^sub>d \" by fastforce hence "\M \set \; rcv\t \ \\#(S \\<^sub>s\<^sub>t \)\\<^sub>d \" by (simp add: subst_all_insert) thus ?case by simp next case (ConsIneq M X t t' S) hence *: "\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>d \" and **: "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ \ \ t' \ \ \ \ \ \" and ***: "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ set X = {}" unfolding bvars\<^sub>s\<^sub>t_def by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ \ \\<^sub>s \ = \ \\<^sub>s \" by (metis subst_comp_eq_if_disjoint_vars) hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ \ \ t' \ \ \ \ \ \" using ** by (metis (no_types, hide_lams) subst_comp) moreover have "rm_vars (set X) \ = \" using ConsIneq.prems(2) by force ultimately show ?case using * by auto next case ConsEq thus ?case unfolding bvars\<^sub>s\<^sub>t_def by auto qed simp_all lemma strand_sem_subst_d': assumes "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) \ bvars\<^sub>s\<^sub>t S = {}" shows "\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>d \ \ \M; S\\<^sub>d (\ \\<^sub>s \)" using assms proof (induction S arbitrary: \ M rule: strand_sem_induct) case (ConsSnd M t S) hence "\M \set \; [snd\t\] \\<^sub>s\<^sub>t \\\<^sub>d \" "\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>d \" by auto hence "\M; S\\<^sub>d (\ \\<^sub>s \)" using ConsSnd.IH[OF _] ConsSnd.prems(2) by auto moreover have "\M; [snd\t\]\\<^sub>d (\ \\<^sub>s \)" proof - have "M \set \ \set \ \ t \ \ \ \" using \\M \set \; [snd\t\] \\<^sub>s\<^sub>t \\\<^sub>d \\ by auto hence "M \set (\ \\<^sub>s \) \ t \ (\ \\<^sub>s \)" using subst_comp subst_comp_all by metis thus "\M; [snd\t\]\\<^sub>d (\ \\<^sub>s \)" by auto qed ultimately show ?case by auto next case (ConsRcv M t S) hence "\(insert t M) \set \; S \\<^sub>s\<^sub>t \\\<^sub>d \" by (simp add: subst_all_insert) thus ?case using ConsRcv.IH ConsRcv.prems(2) by auto next case (ConsIneq M X t t' S) have "rm_vars (set X) \ = \" using ConsIneq.prems(2) by force hence *: "\M; S\\<^sub>d (\ \\<^sub>s \)" and **: "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ \ \ t' \ \ \ \ \ \" and ***: "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ set X = {}" using ConsIneq by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ (dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV_img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) = {}" by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ \ \\<^sub>s \ = \ \\<^sub>s \" by (metis subst_comp_eq_if_disjoint_vars) hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ \ \ t' \ \ \ \ \ \" using ** by (metis (no_types, hide_lams) subst_comp) thus ?case using * by auto next case ConsEq thus ?case unfolding bvars\<^sub>s\<^sub>t_def by auto qed simp_all lemma strand_sem_subst_Idem: assumes "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) \ bvars\<^sub>s\<^sub>t S = {}" shows "\\M \set \; S \\<^sub>s\<^sub>t \\\<^sub>c (\ \\<^sub>s \); Idem \\ \ \M; S\\<^sub>c (\ \\<^sub>s \)" apply (induct "S \\<^sub>s\<^sub>t \" rule: strand_sem_c.induct) by (metis Idem_def comp_assoc strand_sem_subst'[OF assms])+ lemma strand_sem_subst_comp: assumes "(dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)) \ bvars\<^sub>s\<^sub>t S = {}" and "\M; S\\<^sub>c \" "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ (vars\<^sub>s\<^sub>t S \ FV\<^sub>s\<^sub>e\<^sub>t M) = {}" shows "\M; S\\<^sub>c (\ \\<^sub>s \)" proof - from assms(3) have "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ vars\<^sub>s\<^sub>t S = {}" "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ \ FV\<^sub>s\<^sub>e\<^sub>t M = {}" by auto hence "S \\<^sub>s\<^sub>t \ = S" "M \set \ = M" using strand_substI set_subst_ident[of M \] by (blast, blast) thus ?thesis using assms(2) by (auto simp add: strand_sem_subst'[OF assms(1)]) qed lemma strand_sem_d_imp_ineqs_neq: assumes "\M; S\\<^sub>d \" "\X\t \ t'\ \ set S" shows "t \ t'" using assms proof (induction rule: strand_sem_induct) case (ConsIneq M Y s s' S) thus ?case proof (cases "\X\t \ t'\ \ set S") case False hence "X = Y" "t = s" "t' = s'" using ConsIneq by auto hence "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ t' \ \ \ \" using ConsIneq by auto then obtain \ where "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X" "ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)" "t \ \ \ \ \ t' \ \ \ \" using interpretation_subst_exists'[of "set X"] by moura thus ?thesis by auto qed simp qed simp_all lemma strand_sem_c_imp_ineqs_neq: assumes "\M; S\\<^sub>c \" "\X\t \ t'\ \ set S" shows "t \ t' \ (\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ t' \ \ \ t \ \ \ \ \ t' \ \ \ \)" using assms proof (induction rule: strand_sem_induct) case (ConsIneq M Y s s' S) thus ?case proof (cases "\X\t \ t'\ \ set S") case False hence "X = Y" "t = s" "t' = s'" using ConsIneq by auto hence *: "\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ t' \ \ \ \" using ConsIneq by auto then obtain \ where \: "dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X" "ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \)" "t \ \ \ \ \ t' \ \ \ \" using interpretation_subst_exists'[of "set X"] by moura hence "t \ t'" by auto moreover have "\\ \. t \ \ \ \ \ t' \ \ \ \ \ t \ \ \ t' \ \" by auto ultimately show ?thesis using * by auto qed simp qed simp_all lemma strand_sem_snd_map: assumes "\t. t \ set X \ \M; [snd\t\]\\<^sub>c \" shows "\M; map Send X\\<^sub>c \" using assms by (induct X) auto lemma strand_sem_snd_map_d: assumes "\t. t \ set X \ \M; [snd\t\]\\<^sub>d \" shows "\M; map Send X\\<^sub>d \" using assms by (induct X) auto lemma strand_sem_rcv_map: "\M; map Receive X\\<^sub>c \" by (induct X arbitrary: M) auto lemma strand_sem_rcv_map_d: "\M; map Receive X\\<^sub>d \" by (induct X arbitrary: M) auto lemma strand_sem_wf_simple_FV_sat: assumes "wf\<^sub>s\<^sub>t {} S" "simple S" "\{}; S\\<^sub>c \" shows "\v. v \ vars2\<^sub>s\<^sub>t S \ ik\<^sub>s\<^sub>t S \set \ \\<^sub>c \ v" using assms proof (induction S rule: wf\<^sub>s\<^sub>t_simple_induct) case (ConsRcv t S) hence "v \ vars2\<^sub>s\<^sub>t S" by fastforce moreover have "\{}; S\\<^sub>c \" using \\{}; S@[rcv\t\]\\<^sub>c \\ by blast moreover have "ik\<^sub>s\<^sub>t S \set \ \ ik\<^sub>s\<^sub>t (S@[rcv\t\]) \set \" by auto ultimately show ?case using ConsRcv.IH ideduct_synth_mono by meson next case (ConsIneq X t t' S) hence "v \ vars2\<^sub>s\<^sub>t S" by fastforce moreover have "\{}; S\\<^sub>c \" using \\{}; S@[\X\t \ t'\]\\<^sub>c \\ by blast moreover have "ik\<^sub>s\<^sub>t S \set \ \ ik\<^sub>s\<^sub>t (S@[\X\t \ t'\]) \set \" by auto ultimately show ?case using ConsIneq.IH ideduct_synth_mono by meson next case (ConsSnd w S) hence *: "\{}; S\\<^sub>c \" "ik\<^sub>s\<^sub>t S \set \ \\<^sub>c \ w" by auto have **: "ik\<^sub>s\<^sub>t S \set \ \ ik\<^sub>s\<^sub>t (S@[snd\Var w\]) \set \" by simp show ?case proof (cases "v = w") case True thus ?thesis using *(2) ideduct_synth_mono[OF _ **] by meson next case False hence "v \ vars2\<^sub>s\<^sub>t S" using ConsSnd.prems(1) by auto thus ?thesis using ConsSnd.IH[OF _ *(1)] ideduct_synth_mono[OF _ **] by metis qed qed simp lemma strand_sem_wf_ik_or_eqs_rhs_fun_subterm: assumes "wf\<^sub>s\<^sub>t {} A" "\{}; A\\<^sub>c \" "Var x \ ik\<^sub>s\<^sub>t A" "\ x = Fun f T" "t\<^sub>i \ set T" "\ik\<^sub>s\<^sub>t A \set \ \\<^sub>c t\<^sub>i" "interpretation\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \" obtains S where "Fun f S \ \(subterms ` ik\<^sub>s\<^sub>t A) \ Fun f S \ \(subterms ` eqs_rhs\<^sub>s\<^sub>t A)" "Fun f T = Fun f S \ \" proof - have "x \ vars2\<^sub>s\<^sub>t A" using assms(3) vars_iff_subterm_or_eq by force moreover have "Fun f T \ \ = Fun f T" by (metis subst_ground_ident interpretation_grounds_all assms(4,7)) ultimately obtain A\<^sub>p\<^sub>r\<^sub>e A\<^sub>s\<^sub>u\<^sub>f where *: "\(\w \ vars2\<^sub>s\<^sub>t A\<^sub>p\<^sub>r\<^sub>e. Fun f T \ \ w)" "(\t. A = A\<^sub>p\<^sub>r\<^sub>e@snd\t\#A\<^sub>s\<^sub>u\<^sub>f \ Fun f T \ t \ \) \ (\t t'. A = A\<^sub>p\<^sub>r\<^sub>e@t \ t'#A\<^sub>s\<^sub>u\<^sub>f \ Fun f T \ t \ \)" using wf_strand_first_snd_var_split[OF assms(1)] assms(4) subtermeqI' by metis moreover { fix t assume **: "A = A\<^sub>p\<^sub>r\<^sub>e@snd\t\#A\<^sub>s\<^sub>u\<^sub>f" "Fun f T \ t \ \" hence "ik\<^sub>s\<^sub>t A\<^sub>p\<^sub>r\<^sub>e \set \ \\<^sub>c t \ \" "\ik\<^sub>s\<^sub>t A\<^sub>p\<^sub>r\<^sub>e \set \ \\<^sub>c t\<^sub>i" using assms(2,6) by (auto intro: ideduct_synth_mono) then obtain s where s: "s \ ik\<^sub>s\<^sub>t A\<^sub>p\<^sub>r\<^sub>e" "Fun f T \ s \ \" using assms(5) **(2) by (induct rule: intruder_synth_induct) auto then obtain g S where gS: "Fun g S \ s" "Fun f T = Fun g S \ \" using subterm_subst_not_img_subterm[OF s(2)] *(1) by force hence ?thesis using that **(1) s(1) by force } moreover { fix t t' assume **: "A = A\<^sub>p\<^sub>r\<^sub>e@t \ t'#A\<^sub>s\<^sub>u\<^sub>f" "Fun f T \ t \ \" with assms(2) have "t \ \ = t' \ \" by auto hence "Fun f T \ t' \ \" using **(2) by auto from assms(1) **(1) have "FV t' \ vars2\<^sub>s\<^sub>t A\<^sub>p\<^sub>r\<^sub>e" using wf_eq_FV[of "{}" A\<^sub>p\<^sub>r\<^sub>e t t' A\<^sub>s\<^sub>u\<^sub>f] vars_snd_rcv_strand_subset2(4)[of A\<^sub>p\<^sub>r\<^sub>e] by auto then obtain g S where gS: "Fun g S \ t'" "Fun f T = Fun g S \ \" using subterm_subst_not_img_subterm[OF \Fun f T \ t' \ \\] *(1) by fastforce hence ?thesis using that **(1) by auto } ultimately show ?thesis by auto qed subsection {* Constraint Semantics (slightly modified and equivalent version) *} fun strand_sem_c'::"('fun,'var) terms \ ('fun,'var) strand \ ('fun,'var) constrsem" ("\_; _\\<^sub>c'") where "\M; []\\<^sub>c' = (\\. True)" | "\M; snd\t\#S\\<^sub>c' = (\\. M \\<^sub>c t \ \ \ \M; S\\<^sub>c' \)" | "\M; rcv\t\#S\\<^sub>c' = (\\. \insert (t \ \) M; S\\<^sub>c' \)" | "\M; t \ t'#S\\<^sub>c' = (\\. t \ \ = t' \ \ \ \M; S\\<^sub>c' \)" | "\M; \X\t \ t'\#S\\<^sub>c' = (\\. (\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ t' \ \ \ \) \ \M; S\\<^sub>c' \)" fun strand_sem_d'::"('fun,'var) terms \ ('fun,'var) strand \ ('fun,'var) constrsem" ("\_; _\\<^sub>d'") where "\M; []\\<^sub>d' = (\\. True)" | "\M; snd\t\#S\\<^sub>d' = (\\. M \ t \ \ \ \M; S\\<^sub>d' \)" | "\M; rcv\t\#S\\<^sub>d' = (\\. \insert (t \ \) M; S\\<^sub>d' \)" | "\M; t \ t'#S\\<^sub>d' = (\\. t \ \ = t' \ \ \ \M; S\\<^sub>d' \)" | "\M; \X\t \ t'\#S\\<^sub>d' = (\\. (\\. dom\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \ = set X \ ground (img\<^sub>s\<^sub>u\<^sub>b\<^sub>s\<^sub>t \) \ t \ \ \ \ \ t' \ \ \ \) \ \M; S\\<^sub>d' \)" lemma strand_sem_eq_defs: "\M; \\\<^sub>c \ = \M \set \; \\\<^sub>c' \" "\M; \\\<^sub>d \ = \M \set \; \\\<^sub>d' \" proof - have 1: "\M; \\\<^sub>c \ \ \M \set \; \\\<^sub>c' \" by (induct \ arbitrary: M rule: strand_sem_induct) force+ have 2: "\M \set \; \\\<^sub>c' \ \ \M; \\\<^sub>c \" by (induct \ arbitrary: M rule: strand_sem_c'.induct) auto have 3: "\M; \\\<^sub>d \ \ \M \set \; \\\<^sub>d' \" by (induct \ arbitrary: M rule: strand_sem_induct) force+ have 4: "\M \set \; \\\<^sub>d' \ \ \M; \\\<^sub>d \" by (induct \ arbitrary: M rule: strand_sem_d'.induct) auto show "\M; \\\<^sub>c \ = \M \set \; \\\<^sub>c' \" "\M; \\\<^sub>d \ = \M \set \; \\\<^sub>d' \" by (metis 1 2, metis 3 4) qed end end