Psi-calculi: a framework for mobile processes with nominal data and logic
The framework of psi-calculi extends the pi-calculus with nominal datatypes for data structures and for logical assertions and conditions. These can be transmitted between processes and their names can be statically scoped as in the standard pi-calcu…
Authors: Jesper Bengtson (Uppsala University, Sweden), Magnus Johansson (Uppsala University
Logical Methods in Computer Science, Vol. 7 (1:11) 2011, pp. 1–44
www.lmcs-online.org
Submitted Dec. 30, 2009; Published Mar. 29, 2011

PSI-CALCULI: A FRAMEWORK FOR MOBILE PROCESSES WITH NOMINAL DATA AND LOGIC

JESPER BENGTSON, MAGNUS JOHANSSON, JOACHIM PARROW, AND BJÖRN VICTOR

Department of Information Technology, Uppsala University, Sweden
e-mail address: {jesper.bengtson,magnus.johansson,joachim.parrow,bjorn.victor}@it.uu.se

Abstract. The framework of psi-calculi extends the pi-calculus with nominal datatypes for data structures and for logical assertions and conditions. These can be transmitted between processes and their names can be statically scoped as in the standard pi-calculus. Psi-calculi can capture the same phenomena as other proposed extensions of the pi-calculus such as the applied pi-calculus, the spi-calculus, the fusion calculus, the concurrent constraint pi-calculus, and calculi with polyadic communication channels or pattern matching. Psi-calculi can be even more general, for example by allowing structured channels, higher-order formalisms such as the lambda calculus for data structures, and predicate logic for assertions. We provide ample comparisons to related calculi and discuss a few significant applications. Our labelled operational semantics and definition of bisimulation is straightforward, without a structural congruence. We establish minimal requirements on the nominal data and logic in order to prove general algebraic properties of psi-calculi, all of which have been checked in the interactive theorem prover Isabelle. Expressiveness of psi-calculi significantly exceeds that of other formalisms, while the purity of the semantics is on par with the original pi-calculus.

Received by the editors November 26, 2024.
1998 ACM Subject Classification: F.1.2, F.3.1, F.3.2.
Key words and phrases: pi-calculus, nominal sets, bisimulation, operational semantics, theorem prover.
DOI: 10.2168/LMCS-7 (1:11) 2011
© J. Bengtson, M. Johansson, J. Parrow, and B. Victor, Creative Commons

1. Introduction

The pi-calculus [MPW92] has a multitude of extensions where higher-level data structures and operations on them are given as primitive. To mention only two there are the spi-calculus by Abadi and Gordon [AG99] focusing on cryptographic primitives, and the applied pi-calculus of Abadi and Fournet [AF01] where agents can introduce statically scoped aliases of names for data, used e.g. to express how knowledge of an encryption is restricted. It is also parametrised by an arbitrary signature for expressing data and an equation system for expressing data equalities. The impact of these enriched calculi is considerable with hundreds of papers applying or developing the formalisms. As Abadi and Fournet rightly observe there is a trade-off between "purity", meaning the simplicity and elegance of the original pi-calculus, and modelling convenience; expressing complicated schemes in the original pi-calculus can simply become too gruesome and error prone.

But the modelling convenience of many high-level primitives comes at a price. The theory of the formalism may instead become gruesome and error prone, and it can be difficult to assess the effects of modifications to it. Our contribution in this paper is to define psi-calculi: a framework where a range of calculi can be formulated with a lean and symmetric semantics, and where proofs can be conducted using straightforward induction without the complications of stratified process definitions, structural congruence or explicit quantification of contexts.
We claim to be the first to formulate such truly compositional labelled operational semantics for calculi of this calibre. Psi-calculi accommodate pi-calculus extensions such as the spi-calculus, the applied pi-calculus, fusion [WG05], concurrent constraints [BM07], and pi-calculus with polyadic synchronisation [CM03].

The main idea is that a psi-calculus is obtained by extending the basic untyped pi-calculus with three parameters. The first is a set of data terms which can function as both communication channels and communicated objects. The second is a set of conditions, for use in conditional constructs such as if statements. The third is a set of assertions, used to express e.g. constraints or aliases, which can resolve the conditions. These sets need not be disjoint, and one of our main results is to identify minimal requirements on them. They turn out to be quite general and natural.

Psi-calculi go beyond previous work on extending pi-calculus since we allow arbitrary assertions (and not only declarations of aliases), and arbitrary conditions (and not only equality tests). Also, we base our exposition on nominal datatypes and these accommodate e.g. alpha-equivalence classes of terms with binders. For example, we can use a higher-order logic for assertions and conditions, and higher-order formalisms such as the lambda calculus for data terms and channels. Thus we get the best of two worlds: expressiveness significantly exceeds that of the applied pi-calculus, while the "purity" of the semantics is on par with the original pi-calculus.

The straightforward definitions make our proofs suitable for checking in a theorem prover. We have implemented our framework in Isabelle [NPW02] using its nominal datatype package [Urb08], also known as Nominal Isabelle, and proved the algebraic properties of bisimilarity [BP09].
This gives us absolute certainty of general results for a large class of calculi — at least to the point of the current state of the art for machine checked proofs.

In the next section we give the basic definitions of the syntax and semantics of psi-calculi. In Section 3 we relate to other work and demonstrate the expressiveness by showing how a variety of calculi can be formulated. Section 4 contains more substantial examples on frequency hopping spread spectrum, multiple local services with a common global name, and cryptographic mechanisms including the Diffie-Hellman key agreement protocol. In Section 5 we introduce a notion of bisimilarity, establish the expected algebraic results about it, and demonstrate the proof of the most difficult parts. In Section 6 we discuss the full formalisation and implementation in Isabelle. Finally Section 7 concludes with ideas for further work.

This article extends [BJPV09] by additional explanations, examples, and proofs, and a more strict formalisation of some comparisons to related calculi. We are very grateful to the three anonymous referees for many suggestions of improvements.

2. Definitions

2.1. Nominal datatypes. We base psi-calculi on nominal datatypes. A reader unfamiliar with these need not fear: we shall provide what little background is needed and be generous with examples.

A traditional datatype can be built from a signature of constant symbols, function symbols, etc. A nominal datatype is more general, for example it can also contain binders and identify alpha-variants of terms. Formally a nominal datatype is not required to be built in any particular way; the only requirements are related to the treatment of the atomic symbols called names as explained below.
As usual we assume a countably infinite set of atomic names $\mathcal{N}$ ranged over by $a, \ldots, z$. Intuitively, names will represent the symbols that can be statically scoped, and also represent symbols acting as variables in the sense that they can be subjected to substitution. A typed calculus would distinguish names of different kinds but our account will be untyped. A typing may contribute to clarity of expressions but it is not necessary for our results.

A nominal set [Pit03, GP01] is a set equipped with name swapping functions written $(a\ b)$, for any names $a, b$. An intuition is that for any member $X$ it holds that $(a\ b) \cdot X$ is $X$ with $a$ replaced by $b$ and $b$ replaced by $a$. Formally, a name swapping is any function satisfying certain natural axioms such as $(a\ b) \cdot ((a\ b) \cdot X) = X$. One main point of this is that even though we have not defined any particular syntax we can define what it means for a name to "occur" in an element: it is simply that it can be affected by swappings. The names occurring in this way in an element $X$ constitute the support of $X$, written $\mathrm{n}(X)$.

We write $a \# X$, pronounced "$a$ is fresh for $X$", for $a \notin \mathrm{n}(X)$. In an inductively defined datatype without binders we will have $a \# X$ if $a$ does not occur syntactically in $X$. In for example the lambda calculus where alpha-equivalent terms are identified (i.e. the elements are alpha-equivalence classes of terms) the support corresponds to the free names. If $A$ is a set or a sequence of names we write $A \# X$ to mean $\forall a \in A .\ a \# X$.

We require all elements to have finite support, i.e., $\mathrm{n}(X)$ is finite for all $X$. It follows that for any $X$ there are infinitely many $a$ such that $a \# X$. Some elements will have empty support, a prime example is the identity function in the lambda calculus, or a term of a traditional datatype not containing any names.
A function $f$ is equivariant if $(a\ b) \cdot f(X) = f((a\ b) \cdot X)$ holds for all $X$, and similarly for functions and relations of any arity. Intuitively, this means that all names are treated equally.

A nominal datatype is a nominal set together with a set of equivariant functions on it. In particular we shall consider substitution functions that substitute elements for names. If $X$ is an element of a datatype, $\tilde{a}$ is a sequence of names without duplicates and $\tilde{Y}$ is an equally long sequence of elements of possibly another datatype, the substitution $X[\tilde{a} := \tilde{Y}]$ is an element of the same datatype as $X$. In a traditional datatype substitution can be thought of as replacing all occurrences of names $\tilde{a}$ by $\tilde{Y}$. In a calculus with binders it can be thought of as replacing the free names, alpha-converting any binders to avoid capture. For the purpose of psi-calculi it turns out that we need not define exactly what a substitution does. The only formal requirements are that substitution is an equivariant function that satisfies two substitution laws:

1: if $\tilde{a} \subseteq \mathrm{n}(X)$ and $b \in \mathrm{n}(\tilde{T})$ then $b \in \mathrm{n}(X[\tilde{a} := \tilde{T}])$
2: if $\tilde{b} \# X, \tilde{a}$ then $X[\tilde{a} := \tilde{T}] = ((\tilde{b}\ \tilde{a}) \cdot X)[\tilde{b} := \tilde{T}]$

Law 1 says that substitutions may not lose names: any name $b$ in the objects $\tilde{T}$ that substitute for names $\tilde{a}$ occurring in $X$ must also appear in the substitution $X[\tilde{a} := \tilde{T}]$. Law 2 is a form of alpha-conversion for substitutions; here it is implicit that $\tilde{a}$ and $\tilde{b}$ have the same length, and $(\tilde{a}\ \tilde{b})$ swaps each element of $\tilde{a}$ with the corresponding element of $\tilde{b}$. At the end of Section 2.5 we shall motivate why these laws are necessary.
Example: Consider an inductively defined datatype without binders, where the support is the set of names that occur syntactically, and substitution is the syntactic replacement of names for terms, defined inductively in the usual way. The arguments that this substitution function satisfies our requirements are straightforward. Equivariance and Law 2 follow immediately by induction. For Law 1, suppose $\tilde{a} \subseteq \mathrm{n}(X)$. This means that all elements of $\tilde{a}$ occur syntactically in $X$. Suppose $b \in \mathrm{n}(\tilde{T})$. This means that for some $i$, $b \in \mathrm{n}(T_i)$. This means that $b$ occurs syntactically in $T_i$. Consider the corresponding $a_i$. We know $a_i$ occurs syntactically in $X$. So then by definition $T_i$ occurs syntactically in $X[\tilde{a} := \tilde{T}]$. Therefore $b$ occurs syntactically in that term, and by definition is in the support of it.

The main point of using nominal datatypes is that we obtain a general framework, allowing many different instantiations. Our only requirements are on the notions of support, name swapping, and substitution. This corresponds precisely to the essential ingredients for data transmitted between agents. Since names can be statically scoped and data sent into and out of scope boundaries, it must be possible to discern exactly what names are contained in what data items, and this is just the role of the support. In case a data element intrudes a scope, the scoped name needs to be alpha converted to avoid clashes, and name swapping can achieve precisely this. When a term is received in a communication between agents it must replace all occurrences of the placeholder in the input construct, in other words, the placeholder is substituted by the term.
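The binder-free datatype of the Example above can be made executable. The following is an added illustration, not code from the paper or its Isabelle formalisation: it implements name swapping, support and simultaneous substitution, and checks equivariance and Laws 1 and 2 exhaustively on a small constructed set of terms. The class names and the symbols `enc` and `zero` are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Tuple, Union

@dataclass(frozen=True)
class Name:
    id: str

@dataclass(frozen=True)
class App:
    fn: str                          # function symbol of the signature, not a name
    args: Tuple["Term", ...] = ()

Term = Union[Name, App]

def swap(a, b, t):
    """Name swapping (a b) . t on a binder-free term."""
    if isinstance(t, Name):
        return Name(b) if t.id == a else Name(a) if t.id == b else t
    return App(t.fn, tuple(swap(a, b, x) for x in t.args))

def support(t):
    """n(t): without binders, exactly the names that occur syntactically."""
    if isinstance(t, Name):
        return frozenset({t.id})
    return frozenset().union(*(support(x) for x in t.args))

def subst(t, names, terms):
    """Simultaneous substitution t[names := terms]."""
    if len(names) != len(terms) or len(set(names)) != len(names):
        raise ValueError("need equally long sequences and no duplicate names")
    env = dict(zip(names, terms))
    if isinstance(t, Name):
        return env.get(t.id, t)
    return App(t.fn, tuple(subst(x, names, terms) for x in t.args))

def swap_seq(bs, as_, t):
    """(b~ a~) . t: swap each b_i with the corresponding a_i."""
    for b, a in zip(bs, as_):
        t = swap(b, a, t)
    return t

def law1(x, a, ts):
    """Law 1: a~ within n(X) and b in n(T~) imply b in n(X[a~ := T~])."""
    if not set(a) <= support(x):
        return True                  # premise fails, nothing to check
    carried = frozenset().union(*(support(t) for t in ts))
    return carried <= support(subst(x, a, ts))

def law2(x, a, b, ts):
    """Law 2: b~ # X, a~ implies X[a~ := T~] = ((b~ a~) . X)[b~ := T~]."""
    if not (support(x) | set(a)).isdisjoint(b):
        return True                  # premise fails, nothing to check
    return subst(x, a, ts) == subst(swap_seq(b, a, x), b, ts)

def equivariant(x, a, ts, p, q):
    """(p q) . X[a~ := T~] = ((p q) . X)[(p q) . a~ := (p q) . T~]."""
    moved = [swap(p, q, Name(n)).id for n in a]
    return swap(p, q, subst(x, a, ts)) == subst(
        swap(p, q, x), moved, [swap(p, q, t) for t in ts])

def check_small_universe():
    """Check all three requirements on every combination of constructed sample terms."""
    atoms = [Name(n) for n in "abc"] + [App("zero")]
    terms = atoms + [App("enc", (m, k)) for m, k in product(atoms, repeat=2)]
    for x, t1, t2 in product(terms, atoms, terms):
        for a, ts in ((("a",), (t1,)), (("a", "b"), (t1, t2))):
            fresh = ("y", "z")[:len(a)]      # y and z occur in no sample term
            if not (law1(x, a, ts) and law2(x, a, fresh, ts)
                    and equivariant(x, a, ts, "a", "c")):
                return False
    return True
```

Substituting for a name that does not occur in the term leaves the support unchanged, which is why Law 1 carries the premise that the substituted names lie in the support of X.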
Since these are the only things we assume about data terms we can handle datatypes that are not inductively defined, such as equivalence classes and sets defined by comprehension or co-induction. Examples include higher-order datatypes such as the lambda calculus. As long as it satisfies the axioms of a nominal datatype it can be used in our framework. Similarly, the notions of conditions, i.e., the tests on data that agents can perform during their execution, and assertions, i.e. the facts that can be used to resolve conditions, are formulated as nominal datatypes. This means that logics with binders and even higher-order logics can be used. Moreover, alpha-variants of terms can be formally equated by taking the quotient of terms under alpha equality, thereby facilitating the formalism and proofs.

2.2. Terms, conditions, and assertions. Formally, a psi-calculus is defined by instantiating three nominal datatypes and four operators:

Definition 2.1 (Psi-calculus parameters). A psi-calculus requires the three (not necessarily disjoint) nominal datatypes:

$\mathbf{T}$    the (data) terms, ranged over by $M, N$
$\mathbf{C}$    the conditions, ranged over by $\varphi$
$\mathbf{A}$    the assertions, ranged over by $\Psi$

and the four equivariant operators:

$\stackrel{\cdot}{\leftrightarrow}\ : \mathbf{T} \times \mathbf{T} \to \mathbf{C}$    Channel Equivalence
$\otimes : \mathbf{A} \times \mathbf{A} \to \mathbf{A}$    Composition
$\mathbf{1} : \mathbf{A}$    Unit
$\vdash\ \subseteq \mathbf{A} \times \mathbf{C}$    Entailment

and substitution functions $[\tilde{a} := \tilde{M}]$, substituting terms for names, on all of $\mathbf{T}$, $\mathbf{C}$ and $\mathbf{A}$.

As an example, we can choose data terms inductively generated by some signature, assertions and conditions to be elements of a first-order logic with equality over these terms, entailment to be logical implication, $\otimes$ to be conjunction and $\mathbf{1}$ to be true.

The binary functions above will be written in infix. Thus, if $M$ and $N$ are terms then $M \stackrel{\cdot}{\leftrightarrow} N$ is a condition, pronounced "$M$ and $N$ are channel equivalent" and if $\Psi$ and $\Psi'$ are assertions then so is $\Psi \otimes \Psi'$. Also we write $\Psi \vdash \varphi$, pronounced "$\Psi$ entails $\varphi$", for $(\Psi, \varphi) \in\ \vdash$.

The data terms are used to represent all kinds of data, including communication channels. Intuitively, two agents can communicate if one sends and the other receives along the same channel. This is why we require a condition $M \stackrel{\cdot}{\leftrightarrow} N$ to say that $M$ and $N$ represent the same communication channel. For example, in the pi-calculus $\stackrel{\cdot}{\leftrightarrow}$ is just identity of names.

The assertions will be used to declare information necessary to resolve the conditions. Assertions can be contained in agents and represent constraints; they can contain names and thereby be syntactically scoped and represent information known only to the agents within that scope. The operator $\otimes$ on assertions will, intuitively, be used to represent conjunction of the information in the assertions. The assertion $\mathbf{1}$ is the unit for $\otimes$.

The intuition of entailment is that $\Psi \vdash \varphi$ means that given the information in $\Psi$, it is possible to infer $\varphi$. We say that two assertions are equivalent if they entail the same conditions:

Definition 2.2 (assertion equivalence). Two assertions are equivalent, written $\Psi \simeq \Psi'$, if for all $\varphi$ we have that $\Psi \vdash \varphi \Leftrightarrow \Psi' \vdash \varphi$.

We can now formulate our requisites on valid psi-calculus parameters:

Definition 2.3 (Requisites on valid psi-calculus parameters).

Channel Symmetry: $\Psi \vdash M \stackrel{\cdot}{\leftrightarrow} N \implies \Psi \vdash N \stackrel{\cdot}{\leftrightarrow} M$
Channel Transitivity: $\Psi \vdash M \stackrel{\cdot}{\leftrightarrow} N \land \Psi \vdash N \stackrel{\cdot}{\leftrightarrow} L \implies \Psi \vdash M \stackrel{\cdot}{\leftrightarrow} L$
Compositionality: $\Psi \simeq \Psi' \implies \Psi \otimes \Psi'' \simeq \Psi' \otimes \Psi''$
Identity: $\Psi \otimes \mathbf{1} \simeq \Psi$
Associativity: $(\Psi \otimes \Psi') \otimes \Psi'' \simeq \Psi \otimes (\Psi' \otimes \Psi'')$
Commutativity: $\Psi \otimes \Psi' \simeq \Psi' \otimes \Psi$

Our requisites on a psi-calculus are that the channel equivalence is a partial equivalence relation, that $\otimes$ is compositional, and that the equivalence classes of assertions form an abelian monoid. In Section 2.6 below we will demonstrate that all requisites in Definition 2.3 are essential.

Note that channel equivalence is not required to be reflexive. Thus it is possible to have data terms that are not channel equivalent to anything at all, meaning that they cannot be used as channels. Also, note that properties such as weakening ($\Psi \vdash \varphi \Rightarrow \Psi \otimes \Psi' \vdash \varphi$) and idempotence ($\Psi \otimes \Psi \simeq \Psi$) are not required. This means that we can in principle represent non-monotonic logics as well as logics to represent resource use, although these avenues remain yet unexplored. A main point of our work is to identify minimal requisites for the formal results on bisimilarity to hold, and here neither weakening nor idempotence turns out to be necessary.

2.3. Frames. Assertions can contain information about names, and names can be scoped using the familiar pi-calculus operator $\nu$. For example, in a cryptography application an assertion $\Psi$ could be that a datum represents the encoding of a message using a key $k$. This $\Psi$ can occur under the scope of $\nu k$, to signify that the key is known only locally. In order to admit this in a general way we use the notion of a frame, first introduced by Abadi and Fournet [AF01]. Basically, a frame is just an assertion with additional information about which names are scoped. The example above where $\Psi$ occurs under the scope of $k$ will be written $(\nu k)\Psi$, to signify a frame consisting of the assertion $\Psi$ where the name $k$ is local.
In the following $\tilde{a}$ means a finite (possibly empty) sequence of names, $a_1, \ldots, a_n$. The empty sequence is written $\epsilon$ and the concatenation of $\tilde{a}$ and $\tilde{b}$ is written $\tilde{a}\tilde{b}$. When occurring as an operand of a set operator, $\tilde{a}$ means the corresponding set of names $\{a_1, \ldots, a_n\}$. We also use sequences of terms, conditions, assertions etc. in the same way.

Definition 2.4 (Frame). A frame is of the form $(\nu \tilde{b})\Psi$ where $\tilde{b}$ is a sequence of names that bind into the assertion $\Psi$. We identify alpha variants of frames.¹

We use $F, G$ to range over frames. Since we identify alpha variants we can always choose the bound names freely.

Notational conventions: We write just $\Psi$ instead of $(\nu \epsilon)\Psi$ when there is no risk of confusing a frame with an assertion, and $\otimes$ to mean composition on frames defined by $(\nu \tilde{b}_1)\Psi_1 \otimes (\nu \tilde{b}_2)\Psi_2 = (\nu \tilde{b}_1 \tilde{b}_2)\Psi_1 \otimes \Psi_2$ where $\tilde{b}_1 \# \tilde{b}_2, \Psi_2$ and vice versa. We write $(\nu c)((\nu \tilde{b})\Psi)$ to mean $(\nu c \tilde{b})\Psi$.

Intuitively a condition is entailed by a frame if it is entailed by the assertion and does not contain any names bound by the frame. Two frames are equivalent if they entail the same conditions:

Definition 2.5 (Equivalence of frames). We define $F \vdash \varphi$ to mean that there exists an alpha variant $(\nu \tilde{b})\Psi$ of $F$ such that $\tilde{b} \# \varphi$ and $\Psi \vdash \varphi$. We also define $F \simeq G$ to mean that for all $\varphi$ it holds that $F \vdash \varphi$ iff $G \vdash \varphi$.

For example $(\nu ab)\Psi \simeq (\nu ba)\Psi$, and if $a \# \Psi$ then $(\nu a)\Psi \simeq \Psi$. To take an example of first-order logic with equality, assume that the term $\mathrm{enc}(M, k)$ represents the encoding of message $M$ with key $k$. Let $\Psi$ be the assertion $C = \mathrm{enc}(M, k)$, stating that the ciphertext $C$ is the result of encoding $M$ by $k$. If an agent contains this assertion the environment of the agent will be able to use it to resolve tests on the data, in particular to infer that $C = \mathrm{enc}(M, k)$.
In other words, if the environment receives $C$ it can test if this is the encryption of $M$. In order to restrict access to the key $k$ it can be enclosed in a scope $\nu k$. The environment of the agent will then have access to the frame $(\nu k)\Psi$ rather than $\Psi$ itself. This frame is much less informative, for example it does not hold that $(\nu k)\Psi \vdash C = \mathrm{enc}(M, k)$. Here great care has to be taken to formulate the class of allowed conditions. If these only contain equivalence tests of terms, $(\nu k)\Psi$ will entail nothing but tautologies and be equivalent to $\mathbf{1}$. But if quantifiers are allowed in the conditions, then by existential introduction $\Psi \vdash \exists k . (C = \mathrm{enc}(M, k))$, and since this condition has no free $k$ we get $(\nu k)\Psi \vdash \exists k . (C = \mathrm{enc}(M, k))$. In other words the environment will learn that $C$ is the encryption of $M$ for some key $k$. We shall return to examples related to cryptography in Section 3.2.

¹ In some presentations frames have been written just as pairs $\langle \tilde{b}, \Psi \rangle$. The notation in this paper better conveys the idea that the names bind into the assertion, at the slight risk of confusing frames with agents. Formally, we establish frames and agents as separate types, although a valid intuition is to regard a frame as a special kind of agent, containing only scoping and assertions. This is the view taken in [AF01].

Most of the properties of assertions carry over to frames. Channel symmetry and channel transitivity, identity, associativity and commutativity all hold, but compositionality in general does not. In other words, there are psi-calculi with frames $F, G, H$ where $F \simeq G$ but not $F \otimes H \simeq G \otimes H$. An example is if there are assertions $\Psi$, $\Psi'$ and $\Psi_a$ for all names $a$, conditions $\varphi'$ and $\varphi_a$ for all names $a$, and where the entailment relation satisfies $\Psi_a \vdash \varphi_a$ and $\Psi' \vdash \varphi'$.
Suppose composition is defined such that $\Psi \otimes \Psi = \Psi$ and all other compositions yield $\Psi'$. By adding a unit element this satisfies all requirements on a psi-calculus. In particular $\otimes$ is trivially compositional because no two different assertions are equivalent. Also $(\nu a)\Psi_a \simeq \Psi$, but $\Psi \otimes (\nu a)\Psi_a \not\simeq \Psi \otimes \Psi$ since $\Psi \otimes \Psi_a = \Psi' \vdash \varphi'$.

2.4. Agents.

Definition 2.6 (psi-calculus agents). Given valid psi-calculus parameters as in Definitions 2.1 and 2.3, the psi-calculus agents, ranged over by $P, Q, \ldots$, are of the following forms.

$\mathbf{0}$    Nil
$\overline{M}\,N . P$    Output
$\underline{M}(\lambda \tilde{x})N . P$    Input
$\mathbf{case}\ \varphi_1 : P_1\ [\,]\ \cdots\ [\,]\ \varphi_n : P_n$    Case
$(\nu a)P$    Restriction
$P \mid Q$    Parallel
$!P$    Replication
$(|\Psi|)$    Assertion

In the Input $\underline{M}(\lambda \tilde{x})N . P$ we require that $\tilde{x} \subseteq \mathrm{n}(N)$ is a sequence without duplicates, and the names $\tilde{x}$ bind occurrences in both $N$ and $P$. Restriction binds $a$ in $P$. We identify alpha equivalent agents. An assertion is guarded if it is a subterm of an Input or Output. In a replication $!P$ there may be no unguarded assertions in $P$, and in $\mathbf{case}\ \varphi_1 : P_1\ [\,]\ \cdots\ [\,]\ \varphi_n : P_n$ there may be no unguarded assertion in any $P_i$.

In the Output and Input forms $M$ is called the subject and $N$ the object. Output and Input are similar to those in the pi-calculus, but arbitrary terms can function as both subjects and objects. In the input $\underline{M}(\lambda \tilde{x})N . P$ the intuition is that the pattern $(\lambda \tilde{x})N$ can match any term obtained by instantiating $\tilde{x}$, e.g., $\underline{M}(\lambda x, y)f(x, y) . P$ can only communicate with an output $\overline{M}\,f(N_1, N_2)$ for some data terms $N_1, N_2$. This can be thought of as a generalisation of the polyadic pi-calculus where the patterns are just tuples of names. Another significant extension is that we allow arbitrary data terms also as communication channels. Thus it is possible to include functions that create channels.
The case construct as expected works by behaving as one of the $P_i$ for which the corresponding $\varphi_i$ is true. $\mathbf{case}\ \varphi_1 : P_1\ [\,]\ \cdots\ [\,]\ \varphi_n : P_n$ is sometimes abbreviated as $\mathbf{case}\ \tilde{\varphi} : \tilde{P}$, or if $n = 1$ as $\mathbf{if}\ \varphi_1\ \mathbf{then}\ P_1$. In psi-calculi where a condition $\top$ exists such that $\Psi \vdash \top$ for all $\Psi$ we write $P + Q$ to mean $\mathbf{case}\ \top : P\ [\,]\ \top : Q$.

Input subjects are underlined to facilitate parsing of complicated expressions; in simple cases we often omit the underline. In the traditional pi-calculus terms are just names and its input construct $a(x) . P$ can be represented as $\underline{a}(\lambda x)x . P$. In some of the examples to follow we shall use the simpler notation $a(x) . P$ for this input form, and sometimes we omit a trailing $\mathbf{0}$, writing just $\overline{M}\,N$ for $\overline{M}\,N . \mathbf{0}$. If the object of an Output is a long term we enclose it in brackets $\langle\ \rangle$ to make it easier to parse.

For a simple example, the pi-calculus [MPW92] can be represented as a psi-calculus where the only data terms are names, the only assertion is $\mathbf{1}$, and the conditions are equality tests on names. Substitution is the standard capture-avoiding syntactic replacement of names for names. We call this instance Pi, and formally we have:

$\mathbf{T} \stackrel{\mathrm{def}}{=} \mathcal{N}$
$\mathbf{C} \stackrel{\mathrm{def}}{=} \{a = b : a, b \in \mathbf{T}\}$
$\mathbf{A} \stackrel{\mathrm{def}}{=} \{\mathbf{1}\}$
$\stackrel{\cdot}{\leftrightarrow}\ \stackrel{\mathrm{def}}{=}\ =$
$\otimes \stackrel{\mathrm{def}}{=} \lambda \Psi_1, \Psi_2 . \mathbf{1}$
$\mathbf{1} \stackrel{\mathrm{def}}{=} \mathbf{1}$
$\vdash\ \stackrel{\mathrm{def}}{=} \{(\mathbf{1}, a = a) : a \in \mathcal{N}\}$

We can represent pi-calculus choice using the case statement: the pi-calculus term $P + Q$ corresponds to $(\nu a)(\mathbf{case}\ a = a : P\ [\,]\ a = a : Q)$, where $a \# P, Q$, and pi-calculus match $[a = b]P$ to $\mathbf{if}\ a = b\ \mathbf{then}\ P$. We will return to this instance in Section 3.

We obtain the polyadic pi-calculus by adding the tupling symbols $t_n$ for tuples of arity $n$ to $\mathbf{T}$, i.e. $\mathbf{T} = \mathcal{N} \cup \{t_n(M_1, \ldots, M_n) : M_1, \ldots, M_n \in \mathbf{T}\}$.
The polyadic output is to simply output the corresponding tuple of object names, and the polyadic input $a(b_1, \ldots, b_n) . P$ is represented by a pattern matching $\underline{a}(\lambda b_1, \ldots, b_n)t_n(b_1, \ldots, b_n) . P$. Strictly speaking this allows nested tuples and tuples also in subject position in agents, but as we shall see such prefixes will not give rise to any transition, since in this psi-calculus $M \stackrel{\cdot}{\leftrightarrow} M$ is only entailed when $M$ is a name, i.e., only names are channels.

In a psi-calculus the channels can be arbitrary terms. This means that it is possible to introduce functions on channels (e.g., if $M$ is a channel then so is $f(M)$). It also means that a channel can contain more than one name. An extension of this kind is explored by Carbone and Maffeis [CM03] in the so called pi-calculus with polyadic synchronisation, ${}^e\pi$. Here action subjects are tuples of names, and it is demonstrated that this allows a gradual enabling of communication by opening the scope of names in a subject, results in simple representations of localities and cryptography, and gives a strictly greater expressiveness than standard pi-calculus. We can represent ${}^e\pi$ by using tuples of names in subject position. The only modification to the representation of the polyadic pi-calculus is to extend $\vdash$ to $\vdash\ = \{(\mathbf{1}, M \stackrel{\cdot}{\leftrightarrow} M) : M \in \mathbf{T}\}$, and to remove the conditions of type $M = N$ (since they can be encoded in ${}^e\pi$).

The data terms can also be drawn from a higher-order formalism. It is thus possible to transmit functions between agents. For example, let $\mathbf{T}$ be the lambda calculus, containing abstractions $\lambda x . M$ and applications $M\,N$. In the parallel composition $\overline{a}\langle \lambda x . M \rangle . P \mid a(z) . \overline{b}\langle z\,N \rangle . Q$ the left hand component transmits the function $\lambda x . M$ to the right, where the application of it to $N$ is transmitted along $b$. Reduction would be represented as a binary predicate over lambda terms and could be tested in psi-calculus conditions (the reduction rules would be part of the definition of entailment). In this sense psi can resemble a higher-order calculus. It is even possible to let the terms be the psi-calculus agents themselves. An agent transmitted as a term cannot directly communicate with the agent that sent or received it, but there is a possibility of indirect interaction through the entailment relation. This area we leave for further study.

2.5. Operational semantics. In this section we define an inductive transition relation on agents. In particular it establishes what transitions are possible from a parallel composition $P \mid Q$. In the standard pi-calculus the transitions from a parallel composition can be uniquely determined by the transitions from its components, but in psi-calculi the situation is more complex. Here the assertions contained in $P$ can affect the conditions tested in $Q$ and vice versa. For this reason we introduce the notion of the frame of an agent as the combination of its top level assertions, retaining all the binders. It is precisely this that can affect a parallel agent.

Definition 2.7 (Frame of an agent). The frame $\mathcal{F}(P)$ of an agent $P$ is defined inductively as follows:

$\mathcal{F}(\mathbf{0}) = \mathcal{F}(\underline{M}(\lambda \tilde{x})N . P) = \mathcal{F}(\overline{M}\,N . P) = \mathcal{F}(\mathbf{case}\ \tilde{\varphi} : \tilde{P}) = \mathcal{F}(!P) = \mathbf{1}$
$\mathcal{F}((|\Psi|)) = \Psi$
$\mathcal{F}(P \mid Q) = \mathcal{F}(P) \otimes \mathcal{F}(Q)$
$\mathcal{F}((\nu b)P) = (\nu b)\mathcal{F}(P)$

For a simple example, if $a \# \Psi_1$:

$\mathcal{F}((|\Psi_1|) \mid (\nu a)((|\Psi_2|) \mid \overline{M}\,N . (|\Psi_3|))) = (\nu a)(\Psi_1 \otimes \Psi_2)$

Here $\Psi_3$ occurs under a prefix and is therefore not included in the frame.
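Definition 2.7 and the frame entailment of Definition 2.5 can be run on the cryptographic frame from Section 2.3. This is an added sketch, not code from the paper or its Isabelle formalisation; it assumes a toy assertion model in which an assertion is a set of facts, composition is union, atomic conditions are entailed by membership, and an unnested `("exists", x, body)` condition is entailed when some name is a witness. The tuple encoding of agents and all identifiers are assumptions of the example.

```python
from itertools import count

# Assumed encoding: a str is a name; a tuple is (symbol, arg, ...).
# ("exists", x, body) binds the name x in body (samples never nest it).
_counter = count()

def fresh_name():
    return f"_n{next(_counter)}"     # sample inputs never use names starting with "_n"

def names_of(t):
    """Support of a term, fact or condition: its free names."""
    if isinstance(t, str):
        return {t}
    if t[0] == "exists":
        return names_of(t[2]) - {t[1]}
    return set().union(*(names_of(x) for x in t[1:]))

def rename(t, old, new):
    """Replace the free occurrences of the name old by the name new."""
    if isinstance(t, str):
        return new if t == old else t
    if t[0] == "exists":
        return t if t[1] == old else ("exists", t[1], rename(t[2], old, new))
    return (t[0],) + tuple(rename(x, old, new) for x in t[1:])

def frame(agent):
    """F(P) of Definition 2.7 as a pair (bound names, assertion)."""
    kind = agent[0]
    if kind == "assert":                          # F((|Psi|)) = Psi
        return (), frozenset(agent[1])
    if kind == "par":                             # F(P | Q) = F(P) (x) F(Q)
        (b1, psi1), (b2, psi2) = frame(agent[1]), frame(agent[2])
        return b1 + b2, psi1 | psi2               # binders are fresh, so disjoint
    if kind == "res":                             # F((nu b)P) = (nu b)F(P)
        bound, psi = frame(agent[2])
        b = fresh_name()                          # alpha variant with a fresh binder
        return (b,) + bound, frozenset(rename(f, agent[1], b) for f in psi)
    return (), frozenset()                        # nil, in, out, case, rep: frame is 1

def entails(psi, cond):
    """Toy entailment: membership for facts, a name witness for exists."""
    if cond[0] == "exists":
        witnesses = set().union(*(names_of(f) for f in psi))
        return any(entails(psi, rename(cond[2], cond[1], w)) for w in witnesses)
    return cond in psi

def frame_entails(fr, cond):
    """Definition 2.5: pick an alpha variant whose binders are fresh for cond."""
    bound, psi = fr
    for b in set(bound) & names_of(cond):
        nb = fresh_name()
        psi = frozenset(rename(f, b, nb) for f in psi)
    return entails(psi, cond)

# Constructed sample: Psi states C = enc(M, k); the second agent restricts k.
PSI = frozenset({("eq", "C", ("enc", "M", "k"))})
OPEN_AGENT = ("assert", PSI)
SCOPED_AGENT = ("res", "k", ("assert", PSI))
KNOWS_KEY = ("eq", "C", ("enc", "M", "k"))
SOME_KEY = ("exists", "k", KNOWS_KEY)

def page_example():
    """Frame of (|Psi1|) | (nu a)((|Psi2|) | out M N.(|Psi3|)) with a # Psi1."""
    psi1, psi2, psi3 = {("p", "c")}, {("q", "a")}, {("r", "a")}
    agent = ("par", ("assert", psi1),
             ("res", "a", ("par", ("assert", psi2),
                           ("out", "m", "n", ("assert", psi3)))))
    return frame(agent)
```

With `k` restricted, the frame no longer entails `KNOWS_KEY` but still entails `SOME_KEY`, so the observer learns only that the ciphertext encrypts `M` under some key.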
An agent where all assertions are guarded thus has a frame equivalent to $\mathbf{1}$. In the following we often write $(\nu\tilde{b}_P)\Psi_P$ for $\mathcal{F}(P)$, but note that this is not a unique representation since frames are identified up to alpha equivalence.

The actions $\alpha$ that agents can perform are of three kinds: output actions, input actions of the early kind, meaning that the input action contains the received object, and the silent action $\tau$. The operational semantics consists of transitions of the form $\Psi \rhd P \xrightarrow{\alpha} P'$. This transition intuitively means that $P$ can perform an action $\alpha$ leading to $P'$, in an environment that asserts $\Psi$.

Definition 2.8 (Actions). The actions ranged over by $\alpha, \beta$ are of the following three kinds:

$$\begin{array}{ll}
\overline{M}(\nu\tilde{a})N & \text{Output, where } \tilde{a} \subseteq \mathrm{n}(N) \\
\underline{M}\,N & \text{Input} \\
\tau & \text{Silent}
\end{array}$$

For actions we refer to $M$ as the subject and $N$ as the object. We define $\mathrm{bn}(\overline{M}(\nu\tilde{a})N) = \tilde{a}$, and $\mathrm{bn}(\alpha) = \emptyset$ if $\alpha$ is an input or $\tau$. We also define $\mathrm{n}(\tau) = \emptyset$ and $\mathrm{n}(\alpha) = \mathrm{n}(N) \cup \mathrm{n}(M)$ if $\alpha$ is an output or input.

As in the pi-calculus, the output $\overline{M}(\nu\tilde{a})N$ represents an action sending $N$ along $M$ and opening the scopes of the names $\tilde{a}$. Note in particular that the support of this action includes $\tilde{a}$. Thus $\overline{M}(\nu a)a$ and $\overline{M}(\nu b)b$ are different actions.

$$\text{In}\quad \frac{\Psi \vdash M \mathrel{\dot{\leftrightarrow}} K}{\Psi \rhd \underline{M}(\lambda\tilde{y})N.P \xrightarrow{\underline{K}\,N[\tilde{y}:=\tilde{L}]} P[\tilde{y}:=\tilde{L}]}
\qquad
\text{Out}\quad \frac{\Psi \vdash M \mathrel{\dot{\leftrightarrow}} K}{\Psi \rhd \overline{M}N.P \xrightarrow{\overline{K}N} P}$$

$$\text{Case}\quad \frac{\Psi \rhd P_i \xrightarrow{\alpha} P' \qquad \Psi \vdash \varphi_i}{\Psi \rhd \mathbf{case}\ \tilde{\varphi} : \tilde{P} \xrightarrow{\alpha} P'}$$

$$\text{Com}\quad \frac{\Psi_Q \otimes \Psi \rhd P \xrightarrow{\overline{M}(\nu\tilde{a})N} P' \qquad \Psi_P \otimes \Psi \rhd Q \xrightarrow{\underline{K}\,N} Q' \qquad \Psi \otimes \Psi_P \otimes \Psi_Q \vdash M \mathrel{\dot{\leftrightarrow}} K}{\Psi \rhd P \mid Q \xrightarrow{\tau} (\nu\tilde{a})(P' \mid Q')}\ \ \tilde{a} \# Q$$

$$\text{Par}\quad \frac{\Psi_Q \otimes \Psi \rhd P \xrightarrow{\alpha} P'}{\Psi \rhd P \mid Q \xrightarrow{\alpha} P' \mid Q}\ \ \mathrm{bn}(\alpha) \# Q
\qquad
\text{Scope}\quad \frac{\Psi \rhd P \xrightarrow{\alpha} P'}{\Psi \rhd (\nu b)P \xrightarrow{\alpha} (\nu b)P'}\ \ b \# \alpha, \Psi$$

$$\text{Open}\quad \frac{\Psi \rhd P \xrightarrow{\overline{M}(\nu\tilde{a})N} P'}{\Psi \rhd (\nu b)P \xrightarrow{\overline{M}(\nu\tilde{a} \cup \{b\})N} P'}\ \ b \# \tilde{a}, \Psi, M,\ \ b \in \mathrm{n}(N)
\qquad
\text{Rep}\quad \frac{\Psi \rhd P \mid\, !P \xrightarrow{\alpha} P'}{\Psi \rhd\, !P \xrightarrow{\alpha} P'}$$

Table 1: Operational semantics. Symmetric versions of Com and Par are elided. In the rule Com we assume that $\mathcal{F}(P) = (\nu\tilde{b}_P)\Psi_P$ and $\mathcal{F}(Q) = (\nu\tilde{b}_Q)\Psi_Q$ where $\tilde{b}_P$ is fresh for all of $\Psi$, $\tilde{b}_Q$, $Q$, $M$ and $P$, and that $\tilde{b}_Q$ is correspondingly fresh. In the rule Par we assume that $\mathcal{F}(Q) = (\nu\tilde{b}_Q)\Psi_Q$ where $\tilde{b}_Q$ is fresh for $\Psi$, $P$ and $\alpha$. In Open the expression $\tilde{a} \cup \{b\}$ means the sequence $\tilde{a}$ with $b$ inserted anywhere.

Definition 2.9 (Transitions). A transition is of the kind $\Psi \rhd P \xrightarrow{\alpha} P'$, meaning that when the environment contains the assertion $\Psi$ the agent $P$ can do an $\alpha$ to become $P'$. The transitions are defined inductively in Table 1. We write $P \xrightarrow{\alpha} P'$ to mean $\mathbf{1} \rhd P \xrightarrow{\alpha} P'$.

In the rule In the substitution is defined by induction on agents, using substitution on terms, assertions and conditions for the base cases and avoiding captures through alpha-conversion in the standard way.

Both agents and frames are identified by alpha equivalence. This means that we can choose the bound names fresh in the premise of a rule. In a transition the names in $\mathrm{bn}(\alpha)$ count as binding into both the action object and the derivative, and transitions are identified up to alpha equivalence. This means that the bound names can be chosen fresh, substituting each occurrence in both the object and the derivative. This is the reason why $\mathrm{bn}(\alpha)$ is in the support of the output action: otherwise it could be alpha-converted in the action alone. Also, for the side conditions in Scope and Open it is important that $\mathrm{bn}(\alpha) \subseteq \mathrm{n}(\alpha)$. In rules Par and Com, the freshness conditions on the involved frames will ensure that if a name is bound in one agent its representative in a frame is distinct from names in parallel agents, and also (in Par) that it does not occur on the transition label. We defer a more precise account of this to Section 6.
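The rules of Table 1 can be exercised on a small instance. The Python below is an added example, not code from the paper or its Isabelle formalisation: it implements In, Out, Par, Scope and Com for agents without prefix objects, in the instance where assertions are finite sets of names, composition is union, and $\Psi \vdash M \mathrel{\dot{\leftrightarrow}} K$ holds when both names are in $\Psi$ (the instance used for the scoping example in Section 2.6). It assumes bound names are pairwise distinct and distinct from free names, so `a1` stands for an alpha-renamed `a`; all class and function names are hypothetical.

```python
from dataclasses import dataclass

# Agents of the name-set instance; prefix objects are omitted.
@dataclass(frozen=True)
class Nil:
    pass

@dataclass(frozen=True)
class Out:                      # output prefix on subject subj, then cont
    subj: str
    cont: object

@dataclass(frozen=True)
class In:                       # input prefix on subject subj, then cont
    subj: str
    cont: object

@dataclass(frozen=True)
class Assert:                   # assertion (|names|)
    names: frozenset

@dataclass(frozen=True)
class Par:
    left: object
    right: object

@dataclass(frozen=True)
class Res:                      # restriction (nu name) body
    name: str
    body: object

TAU = ("tau", None)

def frame(p):
    """F(P) as (bound names, assertion); prefixes guard their continuation."""
    if isinstance(p, Assert):
        return frozenset(), p.names
    if isinstance(p, Par):
        (bl, al), (br, ar) = frame(p.left), frame(p.right)
        return bl | br, al | ar          # composition of assertions is union
    if isinstance(p, Res):
        bound, psi = frame(p.body)
        return bound | {p.name}, psi
    return frozenset(), frozenset()      # 0 and prefixes: the unit assertion

def entails(psi, m, k):
    """psi |- m <-> k holds iff both names occur in the assertion."""
    return m in psi and k in psi

def transitions(psi, p):
    """Set of (action, derivative) pairs derivable for psi |> p."""
    psi = frozenset(psi)
    found = set()
    if isinstance(p, (Out, In)):         # rules Out and In
        kind = "out" if isinstance(p, Out) else "in"
        found = {((kind, k), p.cont) for k in psi if entails(psi, p.subj, k)}
    elif isinstance(p, Res):             # rule Scope: name fresh for label and psi
        if p.name in psi:
            raise ValueError("alpha-rename %s first" % p.name)
        found = {(act, Res(p.name, d))
                 for act, d in transitions(psi, p.body) if act[1] != p.name}
    elif isinstance(p, Par):
        (bl, al), (br, ar) = frame(p.left), frame(p.right)
        left = transitions(psi | ar, p.left)     # the other frame joins the environment
        right = transitions(psi | al, p.right)
        # rule Par and its symmetric version: frame binders fresh for the label
        found |= {(a, Par(d, p.right)) for a, d in left if a[1] not in br}
        found |= {(a, Par(p.left, d)) for a, d in right if a[1] not in bl}
        # rule Com and its symmetric version: subjects must be channel equivalent
        for (kl, m), dl in left:
            for (kr, k), dr in right:
                if ({kl, kr} == {"out", "in"} and m not in bl and k not in br
                        and entails(psi | al | ar, m, k)):
                    found.add((TAU, Par(dl, dr)))
    return found

def actions(psi, p):
    return {act for act, _ in transitions(psi, p)}

# Constructed agents: (nu a)(out a.0 | (|{a,b}|)) and its alpha-renamed copy.
SCOPED = Res("a", Par(Out("a", Nil()), Assert(frozenset({"a", "b"}))))
SCOPED_RENAMED = Res("a1", Par(Out("a1", Nil()), Assert(frozenset({"a1", "b"}))))
# Scope extension: (nu a,b)((|{a}|) | (|{b}|) | out a.0 | in b.0) versus P | Q.
EXTENDED = Res("a", Res("b", Par(
    Par(Assert(frozenset({"a"})), Assert(frozenset({"b"}))),
    Par(Out("a", Nil()), In("b", Nil())))))
P = Res("a", Par(Assert(frozenset({"a"})), Out("a", Nil())))
Q = Res("b", Par(Assert(frozenset({"b"})), In("b", Nil())))
```

Under the empty assertion, `SCOPED` can only output on `b` because Scope blocks the bound subject `a`, and `EXTENDED` and `Par(P, Q)` both have exactly one action, the internal communication.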
The environmental assertions $\Psi \rhd \cdots$ in Table 1 express the effect that the environment has on the agent: enabling conditions in Case, giving rise to action subjects in In and Out and enabling interactions in Com. Thus $\Psi$ never changes between hypothesis and conclusion except for the parallel operator, where an agent is part of the environment for another agent. In a derivation tree for a transition, the assertion will therefore increase towards the leaves by application of Par and Com. If all environmental assertions are erased and channel equivalence replaced by identity we get the standard laws of the pi-calculus enriched with data structures.

In comparison to the applied pi-calculus and the concurrent constraint pi calculus one main novelty is the inclusion of environmental assertions in the rules. They are necessary to make our semantics compositional, i.e., the effect of the environment on an agent is wholly captured by the semantics. In contrast, the labelled transitions of the applied and the concurrent constraint pi-calculi must rely on an auxiliary structural congruence, containing axioms such as scope extension $(\nu a)(P \mid Q) \equiv (\nu a)P \mid Q$ if $a \# Q$. With our semantics such laws are derived rather than postulated. The advantage of our approach is that proofs of meta-theoretical results such as compositionality are much simpler since there is only the one inductive definition of transitions.

Substitution enters the semantics at one point only: the law In which defines the effect of an input. Returning to the substitution laws in Section 2.1 it is easy to motivate Law 2: it is needed to make sure that alpha equivalent agents have the same transitions.
Law 1 has a more involved motivation related to the fact that the objects of transition labels must record all received names, otherwise we lose the principle of scope extension. To see this, let $\mathbf{1} \vdash M \mathrel{\dot{\leftrightarrow}} M$, $b \# M, N$, and

$$R = \underline{M}(\lambda x)N.\underline{x}(y).\mathbf{0} \mid (\nu b)\overline{b}c.\mathbf{0}$$

The only transitions from $R$ are

$$R \xrightarrow{\underline{M}\,N[x:=L]} (\underline{x}(y).\mathbf{0})[x:=L] \mid (\nu b)\overline{b}c.\mathbf{0}$$

for all $L$. Here there is no communication possible between the two components, even if $L = b$. In contrast, consider

$$T = (\nu b)(\underline{M}(\lambda x)N.\underline{x}(y).\mathbf{0} \mid \overline{b}c.\mathbf{0})$$

$T$ is obtained from $R$ through scope extension. Without Law 1 we can have $b \# N[x:=b]$ which means that through Scope there is a transition

$$T \xrightarrow{\underline{M}\,N[x:=b]} (\nu b)(\underline{b}(y).\mathbf{0} \mid \overline{b}c.\mathbf{0})$$

which can continue with an interaction between the components. $R$ and $T$ therefore do not behave the same. The culprit is the transition from $T$ which corresponds to a scope intrusion, i.e. the reception of a name which is already bound in the receiving agent. To prevent such transitions the law Scope has a side condition that the bound name may not occur in the transition label. For this side condition to be effective, Law 1 guarantees that a received name actually appears in the label.

2.6. Illustrative examples.

For a simple example of a transition, suppose for an assertion $\Psi$ and condition $\varphi$ that $\Psi \vdash \varphi$. Assume that

$$\forall \Psi'.\ \Psi' \rhd Q \xrightarrow{\alpha} Q'$$

i.e., $Q$ has an action $\alpha$ regardless of the environment. Then by the Case rule we get

$$\Psi \rhd \mathbf{if}\ \varphi\ \mathbf{then}\ Q \xrightarrow{\alpha} Q'$$

i.e., $\mathbf{if}\ \varphi\ \mathbf{then}\ Q$ has the same transition if the environment is $\Psi$. Since $\mathcal{F}((\!|\Psi|\!)) = \Psi$ and $\Psi \otimes \mathbf{1} = \Psi$, if $\mathrm{bn}(\alpha) \# \Psi$ we get by Par that

$$\mathbf{1} \rhd (\!|\Psi|\!) \mid \mathbf{if}\ \varphi\ \mathbf{then}\ Q \xrightarrow{\alpha} (\!|\Psi|\!) \mid Q'$$

Data terms may also represent communication channels and here the channel equivalence comes into play.
For example, in a polyadic pi-calculus the terms include tuples and projection functions with the usual equalities, e.g. $\pi_1(\mathrm{t}_2(a, b)) = a$. If these terms can represent channels then they must represent the same channel, consequently we must have $\Psi \vdash \pi_1(\mathrm{t}_2(a, b)) \mathrel{\dot{\leftrightarrow}} a$ for all $\Psi$. As an example,

$$\overline{a}N.P \mid \underline{\pi_1(\mathrm{t}_2(a, b))}(y).Q \xrightarrow{\tau} P \mid Q[y := N]$$

Agents such as $\underline{\pi_1(\mathrm{t}_2(a, b))}(y).Q$ can arise naturally if tuples of channels are transmitted as objects. For example, an agent that receives a pair of channels along $c$ and then inputs along the first of them is written $\underline{c}(x).\underline{\pi_1(x)}(y).Q$. When put in parallel with an agent that sends $\mathrm{t}_2(a, b)$ along $c$ it will have a transition leading to the agent where $x$ is substituted by $\mathrm{t}_2(a, b)$, i.e. $\underline{\pi_1(\mathrm{t}_2(a, b))}(y).Q$.

The semantics makes no particular provision for an equality of terms in object position. Thus, the agents $\overline{c}a.P$ and $\overline{c}\pi_1(\mathrm{t}_2(a, b)).P$ have different transitions, and correspond to sending out the unevaluated "texts" $a$ and $\pi_1(\mathrm{t}_2(a, b))$ respectively. To represent agents which send evaluated "values" we can do as in the applied pi-calculus where assertions declare equivalence of terms and agents send freshly generated aliases, e.g.

$$(\nu z)(\overline{c}z.P \mid (\!|z = \pi_1(\mathrm{t}_2(a, b))|\!))$$

This agent has the same transition as $(\nu z)(\overline{c}z.P \mid (\!|z = a|\!))$. Any agent receiving the $z$ will not be able to distinguish if $z$ is $a$ or $\pi_1(\mathrm{t}_2(a, b))$ since these terms are equated by all assertions. Also, if $a$ and $b$ are scoped as in

$$(\nu a, b, z)(\overline{c}z.P \mid (\!|z = \pi_1(\mathrm{t}_2(a, b))|\!))$$

then their scopes will not open as a consequence of the output. In the applied pi-calculus this is the only form of communication and it is not possible to directly transmit data structures containing channel names, like the name tuples of the polyadic pi-calculus above.
In psi-calculi these communication possibilities can coexist.

The main technical issue in the semantics is the treatment of scoping, as illustrated by the following example where the terms are just names. The intuition is that there is a communication channel available to all agents, and agents can declare any name to represent it through an assertion. The assertions are thus sets of names, and any name occurring in the assertion can be used as the subject of an action. Any two names in the assertion are deemed channel equivalent. Formally,

$$\begin{array}{rcl}
\mathbf{T} & \stackrel{\mathrm{def}}{=} & \mathcal{N} \\
\mathbf{C} & \stackrel{\mathrm{def}}{=} & \{a \mathrel{\dot{\leftrightarrow}} b : a, b \in \mathbf{T}\} \\
\mathbf{A} & \stackrel{\mathrm{def}}{=} & \mathcal{P}_{\mathrm{fin}}(\mathcal{N}) \\
\otimes & \stackrel{\mathrm{def}}{=} & \cup \\
\mathbf{1} & \stackrel{\mathrm{def}}{=} & \emptyset \\
\vdash & \stackrel{\mathrm{def}}{=} & \{(\Psi, a \mathrel{\dot{\leftrightarrow}} b) : a, b \in \Psi\}
\end{array}$$

Omitting the action and prefix objects we get

$$\{a, b\} \rhd \overline{a}.\mathbf{0} \xrightarrow{\overline{a}} \mathbf{0}$$

and also

$$\{a, b\} \rhd \overline{a}.\mathbf{0} \xrightarrow{\overline{b}} \mathbf{0}$$

By the Par rule we have

$$\emptyset \rhd \overline{a}.\mathbf{0} \mid (\!|\{a, b\}|\!) \xrightarrow{\overline{a}} \mathbf{0} \mid (\!|\{a, b\}|\!)$$

and

$$\emptyset \rhd \overline{a}.\mathbf{0} \mid (\!|\{a, b\}|\!) \xrightarrow{\overline{b}} \mathbf{0} \mid (\!|\{a, b\}|\!)$$

Applying a restriction we get

$$\emptyset \rhd (\nu a)(\overline{a}.\mathbf{0} \mid (\!|\{a, b\}|\!)) \xrightarrow{\overline{b}} (\nu a)(\mathbf{0} \mid (\!|\{a, b\}|\!))$$

but no corresponding action with subject $a$ because of the side condition on Scope. Thus, a communication through Com can be inferred from

$$(\nu a)(\overline{a}.\mathbf{0} \mid (\!|\{a, b\}|\!)) \mid \underline{b}.\mathbf{0}$$

but not from

$$(\nu a)(\overline{a}.\mathbf{0} \mid (\!|\{a, b\}|\!)) \mid \underline{a}.\mathbf{0}$$

This instance of a psi-calculus also illustrates two features of the semantics: firstly that channel equivalence is used in all three rules In, Out and Com, and secondly that assertions rather than frames represent the environment. Both issues are related to the law of scope extension. Elaborating the example above and noting that $\{a\} \cup \{b\} \vdash a \mathrel{\dot{\leftrightarrow}} b$, we get that

$$(\nu a, b)((\!|\{a\}|\!) \mid (\!|\{b\}|\!) \mid \overline{a}.\mathbf{0} \mid \underline{b}.\mathbf{0})$$

has an internal communication. By scope extension this agent should have the same transitions as $P \mid Q$ where

$$P = (\nu a)((\!|\{a\}|\!) \mid \overline{a}.\mathbf{0}) \qquad Q = (\nu b)((\!|\{b\}|\!) \mid \underline{b}.\mathbf{0})$$

Here $\mathcal{F}(P) = (\nu a)\{a\}$ and $\mathcal{F}(Q) = (\nu b)\{b\}$ are alpha equivalent. Since they will be composed below we choose different representatives for the bound names. A communication from $P \mid Q$ is inferred by Com and the premises

1. $\{b\} \rhd P \xrightarrow{\overline{b}} (\nu a)((\!|\{a\}|\!) \mid \mathbf{0})$ (derived using $\{a\} \otimes \{b\} = \{a, b\} \vdash a \mathrel{\dot{\leftrightarrow}} b$ in Out)
2. $\{a\} \rhd Q \xrightarrow{\underline{a}} (\nu b)((\!|\{b\}|\!) \mid \mathbf{0})$ (derived using $\{b\} \otimes \{a\} = \{a, b\} \vdash a \mathrel{\dot{\leftrightarrow}} b$ in In)
3. $\{a\} \otimes \{b\} = \{a, b\} \vdash a \mathrel{\dot{\leftrightarrow}} b$

Note how the action subjects are derived by the assertions in both cases to not clash with the binders, and that channel equivalence is necessary in all three rules.

The same example demonstrates why transitions in Table 1 are defined with assertions and not frames, for whereas $\{a, b\} \vdash a \mathrel{\dot{\leftrightarrow}} b$ the corresponding result cannot be obtained from the frames of the agents. We have that $\mathcal{F}(Q) \otimes \{a\} = (\nu b)\{a, b\} \nvdash a \mathrel{\dot{\leftrightarrow}} b$, so that frame is not useful for deriving a transition from $P$. Our earlier attempt [JPVB08] erroneously used frames rather than assertions, and this means that scope extension does not hold unless a further condition is imposed on the entailment relation to eliminate this kind of example.

We close this section by demonstrating why the requisites in Definition 2.3 are necessary: omitting any of them would lead to a calculus that does not satisfy fundamental properties of the parallel operator. Compositionality and the abelian monoid laws in Definition 2.3 are straightforward in this respect since without them the corresponding properties of parallel composition on agents do not hold. For example, we will want parallel composition to be commutative in that the agent $P \mid Q$ behaves the same as $Q \mid P$ in all respects.
At the very least this implies that their frames entail the same conditions (it may also imply other things not important for this argument), which means that $\otimes$ must be commutative for assertion equivalence. In a similar way the other requisites on $\otimes$ are necessary for the parallel operator to be compositional, associative, and have $\mathbf{0}$ as identity.

To demonstrate that channel equivalence must be symmetric, consider any psi-calculus where $\Psi_1$ and $\Psi_2$ are such that $\Psi_1 \otimes \Psi_2 \vdash a \mathrel{\dot{\leftrightarrow}} b$ and $\Psi_1 \otimes \Psi_2 \vdash b \mathrel{\dot{\leftrightarrow}} b$. We shall argue that also $\Psi_1 \otimes \Psi_2 \vdash b \mathrel{\dot{\leftrightarrow}} a$ must hold, otherwise scope extension does not hold. Consider the agent

$$(\nu a, b)((\!|\Psi_1|\!) \mid (\!|\Psi_2|\!) \mid \overline{a}.\mathbf{0} \mid \underline{b}.\mathbf{0})$$

which has an internal communication $\tau$ using $b$ as subjects in the premises of the Com rule. If $b \# \Psi_1$ and $a \# \Psi_2$, by scope extension the agent should behave as

$$(\nu a)((\!|\Psi_1|\!) \mid \overline{a}.\mathbf{0}) \mid (\nu b)((\!|\Psi_2|\!) \mid \underline{b}.\mathbf{0})$$

and therefore this agent must also have a $\tau$ action. The left hand component cannot do an $a$ action, but in the environment of $\Psi_2$ it can do a $b$ action. Similarly, the right hand component cannot do a $b$ action. The only possibility is for it to do an $a$ action, as in

$$\Psi_1 \rhd (\nu b)((\!|\Psi_2|\!) \mid \underline{b}.\mathbf{0}) \xrightarrow{\underline{a}} \cdots$$

and this requires $\Psi_1 \otimes \Psi_2 \vdash b \mathrel{\dot{\leftrightarrow}} a$.

Finally, we motivate the requisite that $\dot{\leftrightarrow}$ must be transitive. Let $\mathbf{1}$ entail $a \mathrel{\dot{\leftrightarrow}} a$ for all names $a$, and let $\Psi$ be an assertion with support $\{a, b, c\}$ that additionally entails the two conditions $a \mathrel{\dot{\leftrightarrow}} b$ and $b \mathrel{\dot{\leftrightarrow}} c$, but not $a \mathrel{\dot{\leftrightarrow}} c$, and thus does not satisfy transitivity of channel equivalence. If $\Psi$ entails no other conditions then $(\nu b)\Psi \simeq \mathbf{1}$, and we expect $(\nu b)(\!|\Psi|\!)$ to be interchangeable with $(\!|\mathbf{1}|\!)$ in all contexts. Consider the agent

$$\overline{a}.\mathbf{0} \mid \underline{c}.\mathbf{0} \mid (\nu b)(\!|\Psi|\!)$$

By scope extension it should behave precisely as

$$(\nu b)(\overline{a}.\mathbf{0} \mid \underline{c}.\mathbf{0} \mid (\!|\Psi|\!))$$

This agent has a $\tau$-transition since $\Psi$ enables an interaction between the components $\overline{a}.\mathbf{0}$ and $\underline{c}.\mathbf{0}$. But the agent

$$\overline{a}.\mathbf{0} \mid \underline{c}.\mathbf{0} \mid (\!|\mathbf{1}|\!)$$

has no such transition. The conclusion is that $(\nu b)\Psi$ must entail that the components can communicate, i.e. that $a \mathrel{\dot{\leftrightarrow}} c$, in other words $\Psi \vdash a \mathrel{\dot{\leftrightarrow}} c$.

3. Expressiveness and related calculi

In this section we explore the expressiveness of psi-calculi, mainly in comparison to other process calculi.

3.1. The pi-calculus.

In Section 2.4 we saw the instance $\mathbf{Pi}$ which corresponds to the pi-calculus. We will now make the relationship formal. The pi-calculus under consideration is the standard pi-calculus with replication instead of recursion, without mismatch, and without a rule for structural congruence in the semantics. The encoding of a pi-calculus agent $P$ into $\mathbf{Pi}$, $[\![P]\!]_{\mathbf{Pi}}$, is defined as:

$$\begin{array}{rcl}
[\![\mathbf{0}]\!]_{\mathbf{Pi}} & = & \mathbf{0} \\
[\![\overline{a}b.P]\!]_{\mathbf{Pi}} & = & \overline{a}b.[\![P]\!]_{\mathbf{Pi}} \\
[\![a(x).P]\!]_{\mathbf{Pi}} & = & \underline{a}(\lambda x)x.[\![P]\!]_{\mathbf{Pi}} \\
[\![P \mid Q]\!]_{\mathbf{Pi}} & = & [\![P]\!]_{\mathbf{Pi}} \mid [\![Q]\!]_{\mathbf{Pi}} \\
[\![!P]\!]_{\mathbf{Pi}} & = & ![\![P]\!]_{\mathbf{Pi}} \\
[\![(\nu a)P]\!]_{\mathbf{Pi}} & = & (\nu a)[\![P]\!]_{\mathbf{Pi}} \\
[\![[a = b]P]\!]_{\mathbf{Pi}} & = & \mathbf{case}\ a = b : [\![P]\!]_{\mathbf{Pi}} \\
[\![P + Q]\!]_{\mathbf{Pi}} & = & (\nu a)(\mathbf{case}\ a = a : [\![P]\!]_{\mathbf{Pi}}\ [\!]\ a = a : [\![Q]\!]_{\mathbf{Pi}}) \quad \text{where } a \# P, Q
\end{array}$$

To prove that $P$ and $[\![P]\!]_{\mathbf{Pi}}$ have the same transitions the following two lemmas about substitutions and support are needed. We use the standard definition of substitution in the pi-calculus, replacing free names for new ones, $\alpha$-converting as necessary to avoid capture.

Lemma 3.1. If $P$ is a pi-calculus agent, then $[\![P]\!]_{\mathbf{Pi}}[x := b] = [\![P[x := b]]\!]_{\mathbf{Pi}}$.

Proof. Straightforward induction over the structure of $P$.

Lemma 3.2. If $P$ is a pi-calculus agent, then $\mathrm{n}(P) = \mathrm{n}([\![P]\!]_{\mathbf{Pi}})$.

Proof. Straightforward induction over the structure of $P$.

Let $\alpha$ be a pi-calculus action.
We define the encoding of $\alpha$ into psi-calculi actions as:

$$\begin{array}{rcl}
[\![\overline{a}b]\!]_{\mathbf{Pi}} & = & \overline{a}b \\
[\![\overline{a}(\nu b)b]\!]_{\mathbf{Pi}} & = & \overline{a}(\nu b)b \\
[\![a\,b]\!]_{\mathbf{Pi}} & = & \underline{a}\,b \\
[\![\tau]\!]_{\mathbf{Pi}} & = & \tau
\end{array}$$

We denote a pi-calculus transition as $P \xrightarrow{\alpha}_{\pi} P'$. We then have the following relation between the pi-calculus agent $P$ and the $\mathbf{Pi}$ agent $[\![P]\!]_{\mathbf{Pi}}$:

Lemma 3.3 (Transitions in $\mathbf{Pi}$ and the pi-calculus correspond). If $P$ is a pi-calculus agent, then if $P \xrightarrow{\alpha}_{\pi} P'$ then $[\![P]\!]_{\mathbf{Pi}} \xrightarrow{[\![\alpha]\!]_{\mathbf{Pi}}} [\![P']\!]_{\mathbf{Pi}}$ and if $[\![P]\!]_{\mathbf{Pi}} \xrightarrow{\alpha'} P''$ then $P \xrightarrow{\alpha}_{\pi} P'$ where $[\![\alpha]\!]_{\mathbf{Pi}} = \alpha'$ and $[\![P']\!]_{\mathbf{Pi}} = P''$.

Proof. The proof is by induction over the length of the derivation of $P \xrightarrow{\alpha}_{\pi} P'$ and $[\![P]\!]_{\mathbf{Pi}} \xrightarrow{\alpha} P''$, respectively. As an illustration, one induction case is shown: the case when the pi-calculus transition is derived with $\pi$-Close:

$$\pi\text{-Close}\quad \frac{P \xrightarrow{\overline{a}(\nu b)b}_{\pi} P' \qquad Q \xrightarrow{a\,b}_{\pi} Q'}{P \mid Q \xrightarrow{\tau}_{\pi} (\nu b)(P' \mid Q')}\ \ b \notin \mathrm{fn}(Q)$$

By induction it follows that $[\![P]\!]_{\mathbf{Pi}} \xrightarrow{\overline{a}(\nu b)b} [\![P']\!]_{\mathbf{Pi}}$ and that $[\![Q]\!]_{\mathbf{Pi}} \xrightarrow{\underline{a}\,b} [\![Q']\!]_{\mathbf{Pi}}$. Since there is only one assertion in $\mathbf{Pi}$, the frames of $[\![P]\!]_{\mathbf{Pi}}$ and $[\![Q]\!]_{\mathbf{Pi}}$ will be equivalent to $\mathbf{1}$. We choose the frames so that their bound names are sufficiently fresh according to rule Com. It trivially holds that $\mathbf{1} \vdash a = a$, and by definition in $\mathbf{Pi}$ we have that $\mathbf{1} \otimes \mathbf{1} = \mathbf{1}$, so also $\mathbf{1} \otimes \mathbf{1} \otimes \mathbf{1} \vdash a = a$. Since $b \notin \mathrm{fn}(Q)$ (i.e. $b \# Q$) it follows from Lemma 3.2 that $b \# [\![Q]\!]_{\mathbf{Pi}}$.
We now derive the following:

$$\text{Com}\quad \frac{\mathbf{1} \otimes \mathbf{1} \rhd [\![P]\!]_{\mathbf{Pi}} \xrightarrow{\overline{a}(\nu b)b} [\![P']\!]_{\mathbf{Pi}} \qquad \mathbf{1} \otimes \mathbf{1} \rhd [\![Q]\!]_{\mathbf{Pi}} \xrightarrow{\underline{a}\,b} [\![Q']\!]_{\mathbf{Pi}} \qquad \mathbf{1} \otimes \mathbf{1} \otimes \mathbf{1} \vdash a = a}{\mathbf{1} \rhd [\![P]\!]_{\mathbf{Pi}} \mid [\![Q]\!]_{\mathbf{Pi}} \xrightarrow{\tau} (\nu b)([\![P']\!]_{\mathbf{Pi}} \mid [\![Q']\!]_{\mathbf{Pi}})}\ \ b \# [\![Q]\!]_{\mathbf{Pi}}$$

By definition we have that $[\![P \mid Q]\!]_{\mathbf{Pi}} = [\![P]\!]_{\mathbf{Pi}} \mid [\![Q]\!]_{\mathbf{Pi}}$, and that $[\![(\nu b)(P' \mid Q')]\!]_{\mathbf{Pi}} = (\nu b)([\![P']\!]_{\mathbf{Pi}} \mid [\![Q']\!]_{\mathbf{Pi}})$, and that $[\![\overline{a}(\nu b)b]\!]_{\mathbf{Pi}} = \overline{a}(\nu b)b$, so in other words we have that $[\![P \mid Q]\!]_{\mathbf{Pi}} \xrightarrow{[\![\tau]\!]_{\mathbf{Pi}}} [\![(\nu b)(P' \mid Q')]\!]_{\mathbf{Pi}}$.

In Section 5 we shall see that strong bisimulation in the pi-calculus and in $\mathbf{Pi}$ coincide.

3.2. Calculi for cryptography.

Psi-calculi can express a variety of cryptographic operations on data. The main idea was illustrated in Section 2.3, using assertions to define relations between ciphertext and plaintext. Here we make the description more precise.

Let the assertion "$C = \mathrm{enc}(M, k)$" mean that encrypting the message $M$ with the key $k$ results in the ciphertext $C$, and let "$M = \mathrm{dec}(C, k)$" mean that decrypting $C$ with key $k$ yields $M$. Entailment contains equations relating encryption and decryption such as $\forall M, k.\ \mathrm{dec}(\mathrm{enc}(M, k), k) = M$. The point is that a secure key can be represented by a bound name: it is unguessable outside its scope. An example agent

$$\overline{a}C.(\nu k)((\!|C = \mathrm{enc}(M, k)|\!) \mid P)$$

outputs a term $C$ and asserts that it is the encryption of $M$ using the bound $k$ as key, without opening the scope of $k$. Therefore an agent receiving $C$ can resolve the condition $\mathrm{dec}(C, k) = M$ only after receiving this $k$ in a communication. Technically this is because of the freshness conditions in the Par rule in Table 1 where $\tilde{b}_Q$ is assumed fresh for $P$: this means that to apply the rule, $P$ cannot use any name bound in the frame of $Q$. This closely resembles the situation in the applied pi-calculus [AF01].
By contrast, in the spi-calculus [AG99] encrypted messages such as $\mathrm{enc}(M, k)$ are transmitted directly. Consider an example spi-calculus process

$$P = (\nu k, m)\,\overline{a}\langle \mathrm{enc}(m, k)\rangle.P' \quad \text{where } P' = b(x).\,\mathbf{if}\ x = m\ \mathbf{then}\ \overline{c} \qquad (3.1)$$

Here $P$ sends a fresh name $m$ encrypted with a fresh key $k$ to the environment, and then receives a value $x$. Assuming perfect encryption, the environment cannot know $m$ or $k$, so $P'$ cannot receive $m$ along $b$, and the output on $c$ will never be possible. However, in the spi-calculus the transition $P \xrightarrow{(\nu k, m)\,\overline{a}\langle \mathrm{enc}(m, k)\rangle} P'$ opens the scopes of $k$ and $m$, so here scoping does not correspond to restriction of knowledge. A reasonable equivalence must explicitly keep track of which names are known, leading to several complex bisimulation definitions (see [BN05] for an overview).

The applied pi-calculus is data terms and an equational theory $\vdash_\Sigma$ over $\Sigma$, and, more importantly, introduces active substitutions $\{M/x\}$ of data terms for variables. These can be introduced by the inferred structural rule $(\nu x)(\{M/x\} \mid A) \equiv A[x := M]$. There are names $a, b, c$ distinct from variables $x, y, z$ where only variables can be substituted, and a simple type system to distinguish names and variables of channel type from other terms of base type. Only names of channel type can be used as communication channels. Structured data terms cannot be sent directly, instead an alias variable such as $x$ must be used, and the term itself does not occur on the transition label. We have $P \equiv Q$ for $P$ above in (3.1), where

$$Q = (\nu x, k, m)(\{\mathrm{enc}(m, k)/x\} \mid \overline{a}x.P') \qquad (3.2)$$

Here $Q \xrightarrow{\overline{a}(\nu x)x} (\nu k, m)(\{\mathrm{enc}(m, k)/x\} \mid P')$ and only the alias of the encryption (its "value") appears on the label; the scope of $k$ and $m$ is not opened and in this sense they are still confidential to the environment. However, the labelled semantics does not allow sending structured data terms where the scope should be opened, such as a tuple of names in the polyadic pi-calculus.

The labelled semantics for applied pi turns out to be non-compositional. Consider the closed (extended) applied pi-calculus agents

$$A = (\nu a)(\{a/x\} \mid x.b.\mathbf{0}) \qquad B = (\nu a)(\{a/x\} \mid \mathbf{0}) \qquad (3.3)$$

where we omit the objects of the prefixes. They have the same frame and no transitions, and are thus semantically equivalent. But a context can contain $x$ and can therefore use the active substitution to communicate with $A$. Formally, let $R = x.\mathbf{0}$ and $\Downarrow_b$ the usual weak observation or barb. We have by scope extension that $A \mid R \equiv (\nu a)(\{a/x\} \mid x.b.\mathbf{0} \mid x.\mathbf{0}) \Downarrow_b$, but it is not the case that $B \mid R \Downarrow_b$. Therefore, no observational equivalence that is preserved by all contexts and satisfies scope extension can be captured by the labelled semantics. In this, Theorem 1 of [AF01] is incorrect; the labelled and observational equivalences do in fact not coincide, nor is labelled equivalence a congruence. This is relevant for other papers that use or develop the labelled semantics, e.g. [GLPT07, KR05, DKR07, CRZ07, God10].

Possible fixes are to disallow aliases for channel names, to be satisfied with compositionality for closed contexts, or to allow variables in action subjects. The consequences are difficult to assess, and our proposed solution is to instead define a psi-calculus.
A complication when defining a psi-calculus to correspond to the applied pi-calculus is that bisimulation there is only defined on closed agents, and removing this restriction yields a non-compositional theory. The source of this non-compositionality is the requirement that active substitutions must be acyclic. Assume that the equational system includes the identity $f(y) = f(z)$. We then get that $\{f(y)/x\}$ is bisimilar to $\{f(z)/x\}$, but only one becomes circular when composed with $\{x/y\}$. In psi-calculi, no notion of closedness exists, and compositionality is required. For these reasons we cannot exactly capture the applied pi-calculus.

We define the instance $\mathbf{APi}$ as follows (this presentation corrects a mistake in [BJPV09]). Since our names and terms are untyped we add constructs for channels, $\mathrm{Ch}(M)$, for variables, $\mathrm{Var}(x)$, and for names which are neither channels nor variables, $\mathrm{Nonce}(k)$. We extend $\vdash_\Sigma$ so that $\vdash_\Sigma \mathrm{Ch}(M) = \mathrm{Ch}(M)$ for all $M \in \mathbf{T}$, $\vdash_\Sigma \mathrm{Nonce}(a) = \mathrm{Nonce}(a)$ for all $a \in \mathcal{N}$, and $\vdash_\Sigma \mathrm{Var}(x) = \mathrm{Var}(x)$ for all $x \in \mathcal{N}$. Furthermore we define $\mathrm{EQN}(\{M_1/N_1\}, \ldots, \{M_n/N_n\})$ to be the set of equations $\{M_1 = N_1, \ldots, M_n = N_n\}$. Substitution on terms is defined in the expected way except for terms of kind $\mathrm{Var}(x)$ and $\mathrm{Nonce}(a)$. For terms of these kinds we have that $\mathrm{Var}(x)[x := M] = M$ and $\mathrm{Nonce}(a)[a := M] = M$. A term $M$ is ground if it has no subterms of kind $\mathrm{Var}(x)$. We write $\vdash_{\Sigma \cup \Sigma'}$ for the equational theory $\vdash_\Sigma$ extended with the equations from $\vdash_{\Sigma'}$.

$$\begin{array}{rcl}
\mathbf{T} & \stackrel{\mathrm{def}}{=} & \mathcal{N} \cup \{\mathrm{Nonce}(k) : k \in \mathcal{N}\} \cup \{\mathrm{Var}(x) : x \in \mathcal{N}\} \cup \{\mathrm{Ch}(M) : M \in \mathbf{T}\} \\
 & & \cup\ \{f(M_1, \ldots, M_n) : f \in \Sigma \wedge M_i \in \mathbf{T}\} \\
\mathbf{C} & \stackrel{\mathrm{def}}{=} & \{M = N,\ \neg(M = N),\ M \mathrel{\dot{\leftrightarrow}} N : M, N \in \mathbf{T}\} \\
\mathbf{A} & \stackrel{\mathrm{def}}{=} & \mathcal{P}_{\mathrm{fin}}(\{\{M/N\} : M, N \in \mathbf{T}\}) \\
\otimes & \stackrel{\mathrm{def}}{=} & \cup \\
\mathbf{1} & \stackrel{\mathrm{def}}{=} & \emptyset \\
\Psi \vdash M = N & \text{if} & \vdash_{\Sigma \cup \mathrm{EQN}(\Psi)} M = N \\
\Psi \vdash \neg(M = N) & \text{if} & \text{there exists ground } M', N' \text{ such that } \vdash_{\Sigma \cup \mathrm{EQN}(\Psi)} M = M', \\
 & & \vdash_{\Sigma \cup \mathrm{EQN}(\Psi)} N = N', \text{ and } \neg(\Psi \vdash M' = N') \\
\Psi \vdash M \mathrel{\dot{\leftrightarrow}} N & \text{if} & \Psi \vdash M = N \wedge \exists c : \Psi \vdash M = \mathrm{Ch}(c)
\end{array}$$

Assertions are finite sets of active substitutions of the more general form $\{M/N\}$, $\otimes$ is union, and entailment deduces equality under the equational theory with equations added to represent the active substitutions. The conditions are as for the applied pi-calculus except for $\neg(M = N)$ which is needed to represent the $\mathbf{if}\ M = N\ \mathbf{then}\ P\ \mathbf{else}\ Q$ construct of applied pi as $\mathbf{case}\ M = N : P\ [\!]\ \neg(M = N) : Q$ in $\mathbf{APi}$. As in applied pi, the terms compared for inequality need to be ground. Channel equivalence $M \mathrel{\dot{\leftrightarrow}} N$ requires that there is a channel name equal to both $M$ and $N$.

To see that this is a proper instance we must check that the substitution function is equivariant and respects the freshness and $\alpha$-equivalence properties, as described in Section 2.1. Furthermore it must satisfy the requirements from Definition 2.3. That the substitution function has the required properties is shown in Section 2.1, and the special cases for $\mathrm{Var}(x)$ and $\mathrm{Nonce}(a)$ pose no additional problem. Channel symmetry and transitivity hold since the underlying equational theory is symmetric and transitive. Identity, associativity, and commutativity hold since union has these properties. Compositionality holds assuming that the equational system is compositional, i.e. if $\forall M, N : \vdash_{\Sigma_1} M = N \Leftrightarrow \vdash_{\Sigma_2} M = N$ implies $\forall M, N : \vdash_{\Sigma_1 \cup \Sigma'} M = N \Leftrightarrow \vdash_{\Sigma_2 \cup \Sigma'} M = N$.
The encoding $[\![A]\!]_{\mathbf{APi}}$ of an applied pi agent $A$ into $\mathbf{APi}$ is homomorphic with the following exceptions:

$$\begin{array}{rcll}
[\![a]\!]_{\mathbf{APi}} & = & \mathrm{Ch}(a) & \text{if the name } a \text{ is of channel type and not a binding occurrence} \\
[\![x]\!]_{\mathbf{APi}} & = & \mathrm{Var}(x) & \text{if the variable } x \text{ is not a binding occurrence} \\
[\![k]\!]_{\mathbf{APi}} & = & \mathrm{Nonce}(k) & \text{if the name } k \text{ is not of channel type or a binding occurrence} \\
[\![\{M/x\}]\!]_{\mathbf{APi}} & = & \{[\![M]\!]_{\mathbf{APi}}/\mathrm{Var}(x)\} &
\end{array}$$

Note that in translations of applied pi-calculus agents and their derivatives, the only form of active substitutions will be on the form $\{M/\mathrm{Var}(x)\}$. Also the only substitutions will be of variables. We allow for the general form of active substitutions $\{M/N\}$ and substitution of channels and nonces simply to make the substitution function total as required.

We adhere to the applied pi convention that channel names are ranged over by $a, b, c, \ldots$, nonces are ranged over by $k, l, m, \ldots$, and variables are ranged over by $x, y, z, \ldots$. For readability, in the following we omit the constructs $\mathrm{Ch}(a)$, $\mathrm{Nonce}(k)$, and $\mathrm{Var}(x)$, and just write $a$, $k$, and $x$, also in $\mathbf{APi}$-agents.

$\mathbf{APi}$ differs from the applied pi-calculus in some ways. Requirements on the active substitutions in applied pi are that they can only contain one active substitution per variable, and that the active substitutions are non-circular. Furthermore they do not occur under prefixes, conditionals, or replication. The instance $\mathbf{APi}$ does not have these limitations, but the most important difference is that in $\mathbf{APi}$ (and in psi-calculi in general), $\overline{a}M.P \xrightarrow{\overline{a}M} P$ corresponds to sending the cleartext of $M$ directly. This is not possible in the applied pi-calculus.
In order to transmit $M$ in the applied pi-calculus the structural rule $(\nu x)(\{M/x\} \mid A) \equiv A[x := M]$ must be used and an alias $x$ for $M$ be sent. To send an alias in this way in $\mathbf{APi}$ it must be introduced explicitly, as in $(\!|\{M/x\}|\!) \mid \overline{a}x.P$, and this agent is not the same as $\overline{a}M.P$. Therefore, although the agents

$$P = (\nu k, m)\,\overline{a}\langle \mathrm{enc}(m, k)\rangle.P' \quad \text{and} \quad Q = (\nu x, k, m)(\{\mathrm{enc}(m, k)/x\} \mid \overline{a}x.P')$$

(from equations (3.1) and (3.2)) are the same in the applied pi-calculus, the $\mathbf{APi}$ counterparts of the agents are different. In $\mathbf{APi}$, $P$ in (3.1) represents an agent that emits the cleartext "$\mathrm{enc}(m, k)$". Any agent that receives this will immediately learn both $m$ and $k$, and any scope of $k$ will be opened in the process. This kind of agent can only indirectly be represented in the applied pi-calculus, by sending the restricted names separately one at a time. In contrast, the $\mathbf{APi}$ counterpart of (3.2) is

$$Q = (\nu x, k, m)((\!|\{\mathrm{enc}(m, k)/x\}|\!) \mid \overline{a}x.P')$$

and defines $Q$ to emit an alias for $\mathrm{enc}(m, k)$. As in the applied pi-calculus since $k$ is scoped a recipient will not learn $m$. If the same recipient later receives $k$, an alias $u$ for the message $m$ can be constructed as $(\!|\{\mathrm{dec}(x, k)/u\}|\!)$.

Similarly, the agents $R_1$ and $R_2$ below are equivalent in applied pi, but the corresponding agents in $\mathbf{APi}$ are different.

$$\begin{array}{rcl}
R_1 & = & (\nu x, k, m)(\{\mathrm{enc}(m, k)/x\} \mid \overline{a}x.\overline{a}x.P') \\
R_2 & = & (\nu x, k, m)(\{\mathrm{enc}(m, k)/x\} \mid (\nu y)(\{x/y\} \mid \overline{a}x.\overline{a}y.P'))
\end{array}$$

In the applied pi-calculus, a new alias for a term can always be introduced "on-the-fly", and it is impossible to tell $R_1$ and $R_2$ apart: they are structurally equivalent. The psi-calculus approach gives the possibility to discern the two agents, similarly to how the same ciphertext bitstring sent twice can be identified even if the plaintext cannot be recovered.
To avoid this, a new alias needs to be explicitly introduced for each transmission, mimicking a probabilistic crypto where different ciphertext bitstrings correspond to the same plaintext and key. Thus in psi-calculi, communication objects can range from literal data terms to indirect references, giving the user of the calculus the possibility to choose the appropriate form.

Another difference between the calculi is illustrated by the agent $A$ of the compositionality counterexample (3.3): Its counterpart $P_A$ in $\mathbf{APi}$ is

$$(\nu a)((\!|\{a/x\}|\!) \mid x.b.\mathbf{0}) \xrightarrow{x} (\nu a)((\!|\{a/x\}|\!) \mid b.\mathbf{0})$$

and is not equivalent to $(\nu a)((\!|\{a/x\}|\!) \mid \mathbf{0})$; indeed also $P_A \mid x.\mathbf{0} \xrightarrow{\tau} \xrightarrow{b}$ in our labelled semantics.

In Section 4.2 we present a simpler psi-calculus for expressing cryptographic examples.

3.3. Fusion and concurrent constraints.

3.3.1. Fusion.

The concept of fusion means that communication can result in pairs of names being "fused together" in the sense that they can thereafter be considered the same. Fusion was independently developed by Fu [Fu97] (the $\chi$-calculus), Parrow and Victor [PV98] (the fusion calculus), and by Wischik and Gardner [GW00, WG05] (the pi-F calculus). The fusion primitive was also encoded in the asynchronous pi-calculus by Merro [Mer98], using equators.

In psi-calculi, fusion can be formulated in a way reminiscent of the equator encoding: the assertions are equivalence statements between names (cf. explicit fusions or equators). A simple psi-calculus with fusion, call it $\mathbf{Fi}$, would be the following:

$$\begin{array}{rcl}
\mathbf{T} & \stackrel{\mathrm{def}}{=} & \mathcal{N} \\
\mathbf{C} & \stackrel{\mathrm{def}}{=} & \{a = b : a, b \in \mathbf{T}\} \\
\mathbf{A} & \stackrel{\mathrm{def}}{=} & \{\{a_1 = b_1, \ldots, a_n = b_n\} : a_i \in \mathcal{N}, b_i \in \mathcal{N}\} \\
\dot{\leftrightarrow} & \stackrel{\mathrm{def}}{=} & = \\
\otimes & \stackrel{\mathrm{def}}{=} & \cup \\
\mathbf{1} & \stackrel{\mathrm{def}}{=} & \emptyset \\
\Psi \vdash a = b & \text{if} & (a, b) \in \mathrm{eq}(\Psi)
\end{array}$$

where $\mathrm{eq}(\Psi)$ is the equivalence closure of $\Psi$ (i.e. transitive, symmetric and reflexive closure).
Thus terms are names, assertions are name fusions, and the entailment relation deduces equality between names based on fusion assertions treated as equivalence relations.

We can verify that this is indeed a valid psi-calculus: the substitution properties are proved in Section 2.1, and we just need to investigate the requisites of Definition 2.3. Transitivity and reflexivity of the channel equivalence follows from the same properties of $=$; commutativity, associativity and identity follow from the same properties of $\cup$. For compositionality, let $\Psi_1$ and $\Psi_2$ be two equivalent assertions. This means $\mathrm{eq}(\Psi_1) = \mathrm{eq}(\Psi_2)$; we must show that for any $\Psi_3$ we have $\mathrm{eq}(\Psi_1 \cup \Psi_3) = \mathrm{eq}(\Psi_2 \cup \Psi_3)$. Using the fact that $\mathrm{eq}(A \cup B) = \mathrm{eq}(\mathrm{eq}(A) \cup B)$, we have

$$\mathrm{eq}(\Psi_1 \cup \Psi_3) = \mathrm{eq}(\mathrm{eq}(\Psi_1) \cup \Psi_3) = \mathrm{eq}(\mathrm{eq}(\Psi_2) \cup \Psi_3) = \mathrm{eq}(\Psi_2 \cup \Psi_3).$$

In the $\chi$-calculus, fusion calculus, and pi-F calculus, input and output prefixes are completely symmetric and in particular the input is not binding. An example transition in the pi-F calculus (using the syntax of [Wis01]) is

$$a\,\tilde{b}.P \mid a\,\tilde{d}.Q \xrightarrow{\tau} \tilde{b} = \tilde{d} \mid P \mid Q$$

where $\tilde{b} = \tilde{d}$ (for $\tilde{b}$ and $\tilde{d}$ of equal length) is a fusion which allows us to treat each $b_i \in \tilde{b}$ as equivalent to $d_i \in \tilde{d}$. Inputs in Fi can still be binding, and we can represent the non-binding pi-F input $a\,\tilde{b}.P$ as $a(\tilde{c}).((|\{\tilde{b} = \tilde{c}\}|) \mid P)$ where $\tilde{c} \,\#\, a\,\tilde{b}.P$. For example, the pi-F communications

$$a\,b.\,c\,c.P \mid a\,c.\,b\,d.Q \xrightarrow{\tau} b = c \mid c\,c.P \mid b\,d.Q \xrightarrow{\tau} b = c \mid c = d \mid P \mid Q$$

are expressed as:

$$\begin{aligned}
& a(e).(|\{b = e\}|) \mid c\,c.P \mid a\,c.\,b(x).(|\{x = d\}|) \mid Q \\
\xrightarrow{\tau}\ & (|\{b = e\}|) \mid c\,c.P[e := c] \mid b(x).(|\{x = d\}|) \mid Q \\
=\ & (|\{b = c\}|) \mid c\,c.P \mid b(x).(|\{x = d\}|) \mid Q \\
\xrightarrow{\tau}\ & (|\{b = c\}|) \mid P \mid (|\{x = d\}|) \mid Q[x := c] \\
=\ & (|\{b = c\}|) \mid P \mid (|\{c = d\}|) \mid Q
\end{aligned}$$

Below, we establish an operational correspondence between the pi-F calculus and Fi. Our presentation does not include the full details of the pi-F semantics, instead we refer to [WG05]. The syntax used there differs a little from that used in the examples above: most notably, a prefix written $a\,\tilde{x}.P$ above is instead written $a.(\langle\tilde{x}\rangle \mid P)$ (and symmetrically for inputs); here $\langle\tilde{x}\rangle$ is a vector of datums and the parallel composition operator is not symmetric for datums. Input and output transitions in are on the form $P \xrightarrow{a} P'$ where $P'$ is on the form $(\nu\tilde{c})(\langle\tilde{x}\rangle \mid P)$ and $\tilde{c} \subseteq \tilde{x}$. For ease of reading, we write $\langle\tilde{x}\rangle P$ for $(\langle\tilde{x}\rangle \mid P)$ below.

The encoding of pi-F processes into Fi is as follows:

$$\begin{aligned}
[\![a.\langle\tilde{b}\rangle P]\!]_{\mathbf{Fi}} &= a(\tilde{c}).((|\{\tilde{b} = \tilde{c}\}|) \mid [\![P]\!]_{\mathbf{Fi}}) \quad\text{where } \tilde{c} \,\#\, a\,\tilde{b}.P \\
[\![a.\langle\tilde{c}\rangle P]\!]_{\mathbf{Fi}} &= a\,\tilde{c}.[\![P]\!]_{\mathbf{Fi}} \\
[\![\tilde{x} = \tilde{y}]\!]_{\mathbf{Fi}} &= (|\{\tilde{x} = \tilde{y}\}|)
\end{aligned}$$

and is homomorphic for the other operators. To encode e.g. $a.(\nu c)\langle c\rangle P$ we first rewrite it to the structurally congruent process $(\nu c)\,a.\langle c\rangle P$ (where $c \neq a$).

In [WG05], two labelled transition semantics are defined for pi-F and proved to coincide: the quotiented and the structured semantics. The first has a traditional rule for using structural congruence ($\equiv$) to derive transitions: if $Q \equiv P \xrightarrow{\alpha} P' \equiv Q'$ then $Q \xrightarrow{\alpha} Q'$. The second semantics has a similar rule but which only allows $\equiv$ to be used after the transition: if $P \xrightarrow{\alpha} P' \equiv P'_1$ then $P \xrightarrow{\alpha} P'_1$. In psi-calculi there is no such structural rule. For the operational correspondence, however, by the lemma below we can select a suitable structural representative of the pi-F process.

Lemma 3.4.
In the quotiented semantics of pi-F, if $P \xrightarrow{\alpha} P'$ with a deduction tree of depth $n$, there is a deduction tree for the transition of depth no larger than $n$ which uses structural congruence only in its last deduction, or not at all.

Proof. By induction over $n$.

In the proof below, we make use of the fact that weakening holds in Fi: if $\Psi \vdash \varphi$ then $\Psi \otimes \Psi' \vdash \varphi$, and thus in particular $\mathbf{1} \rhd P \xrightarrow{\alpha} P'$ implies $\Psi \rhd P \xrightarrow{\alpha} P'$.

Proposition 3.5. In the quotiented semantics of pi-F,

(1) If $P \xrightarrow{a} (\nu\tilde{c})\langle\tilde{x}\rangle P'$ with $\tilde{c} \subseteq \tilde{x}$ and $a \,\#\, \tilde{c}$, then there exists a $Q$ s.t. $Q \equiv P$ and $\mathbf{1} \rhd [\![Q]\!]_{\mathbf{Fi}} \xrightarrow{a\,(\nu\tilde{c})\,\tilde{x}} Q'$ and $\exists P'' : P' \equiv P''$ and $Q' = [\![P'']\!]_{\mathbf{Fi}}$.

(2) If $P \xrightarrow{a} (\nu\tilde{c})\langle\tilde{x}\rangle P'$ with $\tilde{c} \subseteq \tilde{x}$ and $a \,\#\, \tilde{c}$, then there exists a $Q$ s.t. $Q \equiv P$ and $\mathbf{1} \rhd [\![Q]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{y}} (\nu\tilde{c})((|\{\tilde{x} = \tilde{y}\}|) \mid Q')$ and $\exists P'' : P' \equiv P''$ and $Q' = [\![P'']\!]_{\mathbf{Fi}}$.

(3) If $P \xrightarrow{\tau} P'$ then there exists a $Q$ s.t. $Q \equiv P$ and $\mathbf{1} \rhd [\![Q]\!]_{\mathbf{Fi}} \xrightarrow{\tau} Q'$ and $\exists P'' : P' \equiv P''$ and $Q' = [\![P'']\!]_{\mathbf{Fi}}$.

Proof. By Lemma 3.4, without loss of generality we can assume that the transition of $P$ in the premise can be deduced also for $Q$ without using the transition rule for structural congruence. The proof is then by induction on the depth of the deduction, matching each operational rule of pi-F with a rule in psi.

(1) Base case: $P = a.P_1$ and $P \xrightarrow{a} P_1$ where $P_1 = (\nu\tilde{c})\langle\tilde{x}\rangle P'$ with $\tilde{c} \subseteq \tilde{x}$. We proceed by induction over the length of $\tilde{c}$. The base case is when $P_1 = \langle\tilde{x}\rangle P'$, and $[\![P]\!]_{\mathbf{Fi}} = a\,\tilde{x}.[\![P']\!]_{\mathbf{Fi}}$. Then $\mathbf{1} \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}} [\![P']\!]_{\mathbf{Fi}}$. In the induction case, $P \equiv (\nu\tilde{c})\,a.\langle\tilde{x}\rangle P' = Q$ with $a \,\#\, \tilde{c}$. Then $[\![Q]\!]_{\mathbf{Fi}} = (\nu\tilde{c})\,a\,\tilde{x}.[\![P']\!]_{\mathbf{Fi}}$ and by a sufficient number of uses of Open, $\mathbf{1} \rhd [\![Q]\!]_{\mathbf{Fi}} \xrightarrow{a\,(\nu\tilde{c})\,\tilde{x}} [\![P']\!]_{\mathbf{Fi}}$.
Induction: we show the case for the parallel rule. Here $P = P_1 \mid P_2$ and $P_1 \xrightarrow{a} (\nu\tilde{c})\langle\tilde{x}\rangle P'_1$, so $P_1 \mid P_2 \xrightarrow{a} (\nu\tilde{c})\langle\tilde{x}\rangle(P'_1 \mid P_2)$ with $\tilde{c} \,\#\, P_2$. By induction, $\mathbf{1} \rhd [\![P_1]\!]_{\mathbf{Fi}} \xrightarrow{a\,(\nu\tilde{c})\,\tilde{x}} Q'_1$, and by Par (and weakening) also $\mathbf{1} \rhd [\![P_1]\!]_{\mathbf{Fi}} \mid [\![P_2]\!]_{\mathbf{Fi}} \xrightarrow{a\,(\nu\tilde{c})\,\tilde{x}} Q'_1 \mid [\![P_2]\!]_{\mathbf{Fi}}$, since $\tilde{c} \,\#\, [\![P_2]\!]_{\mathbf{Fi}}$.

(2) Similar to the output case, using Scope instead of Open for the induction over $\tilde{c}$.

(3) Base case: $P = a.P_1 \mid a.P_2$, where $P_i \equiv (\nu\tilde{c}_i)\langle\tilde{x}_i\rangle P'_i$ with $\tilde{c}_i \subseteq \tilde{x}_i$, for $i \in \{1,2\}$, and $\tilde{c}_1 \,\#\, \langle\tilde{x}_2\rangle P'_2$ and vice versa. Then $P \xrightarrow{\tau} (\nu\tilde{c}_1\tilde{c}_2)(\tilde{x}_1 = \tilde{x}_2 \mid P'_1 \mid P'_2)$. By induction, $\mathbf{1} \rhd [\![a.P_1]\!]_{\mathbf{Fi}} \xrightarrow{a\,(\nu\tilde{c}_1)\,\tilde{x}_1} Q'_1$ and $\mathbf{1} \rhd [\![a.P_2]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}_1} (\nu\tilde{c}_2)((|\{\tilde{x}_1 = \tilde{x}_2\}|) \mid Q'_2)$, and $\mathbf{1} \rhd [\![P_1]\!]_{\mathbf{Fi}} \mid [\![P_2]\!]_{\mathbf{Fi}} \xrightarrow{\tau} (\nu\tilde{c}_1\tilde{c}_2)((|\{\tilde{x}_1 = \tilde{x}_2\}|) \mid Q'_1 \mid Q'_2)$. Induction case: straight-forward, using corresponding operational rules.

For the correspondence in the other direction, we use the structured semantics of pi-F, which has a rule to rewrite labels: if $P \xrightarrow{\alpha} P'$ and $P \vdash \alpha = \beta$, then $P \xrightarrow{\beta} P'$, where $P \vdash \varphi$ if the pi-F correspondent to the frame of $P$ entails $\varphi$. This is similar to the rewriting done in psi-calculi, in the prefix and communication rules. A transition in psi uses an assertion $\Psi$, which needs to be part of the process in pi-F; below we write $[\![\Psi]\!]^{-1}$ for the obvious mapping from Fi assertions to pi-F fusions. In the proofs below, we use results from Section 5.2, and write $P \equiv Q$ for two psi-calculus agents if they can be proved equal by only Theorems 5.7 and 5.8, which correspond to the standard structural congruence.

Proposition 3.6.
(1) If $\Psi \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{a\,(\nu\tilde{c})\,\tilde{x}} P'$ then $[\![\Psi]\!]^{-1} \mid P \xrightarrow{a} (\nu\tilde{c})\langle\tilde{x}\rangle Q$ and $\exists Q' : Q \equiv [\![\Psi]\!]^{-1} \mid Q'$ and $P' = [\![Q']\!]_{\mathbf{Fi}}$

(2) If $\Psi \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}}\equiv (\nu\tilde{c})((|\{\tilde{x} = \tilde{y}\}|) \mid P')$ where $\tilde{c} \subseteq \tilde{y}$ then $[\![\Psi]\!]^{-1} \mid P \xrightarrow{a} (\nu\tilde{c})\langle\tilde{y}\rangle Q$ and $\exists Q' : Q \equiv [\![\Psi]\!]^{-1} \mid Q'$ and $P' = [\![Q']\!]_{\mathbf{Fi}}$

(3) If $\Psi \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{\tau} P'$ then $[\![\Psi]\!]^{-1} \mid P \xrightarrow{\tau} Q$ and $\exists Q' : Q \equiv [\![\Psi]\!]^{-1} \mid Q'$ and $P' = [\![Q']\!]_{\mathbf{Fi}}$.

Proof. By induction over the derivation of the psi-calculus transition. We sometimes use [WG05, Lemma 11] to restructure a pi-F agent before the transition ($P \equiv P_1 \xrightarrow{\alpha} P'$ implies $P \xrightarrow{\alpha} P'$), and idempotence of fusions.

(1) Base case: $\Psi \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}} P'$ by the Out rule. Then $P = b\,\tilde{x}.Q$ and $\Psi \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}} [\![Q]\!]_{\mathbf{Fi}}$ where $\Psi \vdash a \mathrel{\dot{\leftrightarrow}} b$, thus in pi-F $[\![\Psi]\!]^{-1} \mid P \xrightarrow{b} \langle\tilde{x}\rangle Q$ and $[\![\Psi]\!]^{-1} \mid P \vdash a = b$ so $[\![\Psi]\!]^{-1} \mid P \xrightarrow{a} \langle\tilde{x}\rangle Q$.

Induction: we show the case for Open. Here $[\![P]\!]_{\mathbf{Fi}} = (\nu c)[\![P_1]\!]_{\mathbf{Fi}}$ and $\Psi \rhd [\![P_1]\!]_{\mathbf{Fi}} \xrightarrow{a} (\nu\tilde{e})P'$ s.t. $c \,\#\, \tilde{e}, \Psi, a$ and $c \in \mathrm{n}(\tilde{x})$, and by Open $\Psi \rhd (\nu c)[\![P_1]\!]_{\mathbf{Fi}} \xrightarrow{a} (\nu c\,\tilde{e})P'$. By induction $[\![\Psi]\!]^{-1} \mid P_1 \xrightarrow{a} (\nu\tilde{e})Q$, and thus $(\nu c)([\![\Psi]\!]^{-1} \mid P_1) \xrightarrow{a} (\nu c\,\tilde{e})P'$, and also $[\![\Psi]\!]^{-1} \mid (\nu c)(P_1) \xrightarrow{a} (\nu c\,\tilde{e})P'$.

(2) Base case: $\Psi \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}} P'$ by the In rule. Then $P = b\,\tilde{y}.Q$ and $\Psi \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}} (|\{\tilde{x} = \tilde{y}\}|) \mid [\![Q]\!]_{\mathbf{Fi}}$ where $\Psi \vdash a \mathrel{\dot{\leftrightarrow}} b$, thus in pi-F $[\![\Psi]\!]^{-1} \mid P \xrightarrow{b} \langle\tilde{y}\rangle([\![\Psi]\!]^{-1} \mid Q)$ and as above equally $[\![\Psi]\!]^{-1} \mid P \xrightarrow{a} \langle\tilde{y}\rangle([\![\Psi]\!]^{-1} \mid Q)$.

Induction: we show the case for Par.
Here $[\![P]\!]_{\mathbf{Fi}} = [\![P_1]\!]_{\mathbf{Fi}} \mid [\![P_2]\!]_{\mathbf{Fi}}$ and $\Psi \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}} \rhd [\![P_1]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}}\equiv (\nu\tilde{c})((|\{\tilde{x} = \tilde{y}\}|) \mid P'_1)$ and by induction $[\![\Psi \otimes [\![\Psi_{[\![P_2]\!]_{\mathbf{Fi}}}]\!]^{-1}]\!]^{-1} \mid P_1 \xrightarrow{a} (\nu\tilde{c})\langle\tilde{y}\rangle Q_1$, where $\tilde{c} \subseteq \tilde{y}$ and $\exists Q' : Q \equiv ([\![\Psi]\!]^{-1} \mid Q') \wedge P'_1 = [\![Q']\!]_{\mathbf{Fi}}$. Then

$$\Psi \rhd [\![P_1]\!]_{\mathbf{Fi}} \mid [\![P_2]\!]_{\mathbf{Fi}} \xrightarrow{a\,\tilde{x}}\equiv (\nu\tilde{c})((|\{\tilde{x} = \tilde{y}\}|) \mid P'_1) \mid [\![P_2]\!]_{\mathbf{Fi}} \equiv (\nu\tilde{c})((|\{\tilde{x} = \tilde{y}\}|) \mid P'_1 \mid [\![P_2]\!]_{\mathbf{Fi}})$$

where $\tilde{c} \,\#\, [\![P_2]\!]_{\mathbf{Fi}}$. In pi-F, we have $[\![\Psi]\!]^{-1} \mid [\![\Psi_{[\![P_2]\!]_{\mathbf{Fi}}}]\!]^{-1} \mid P_1 \mid P_2 \xrightarrow{a} (\nu\tilde{c})\langle\tilde{y}\rangle(Q_1 \mid P_2)$. W.l.o.g. (see [WG05, p613]) we can assume that $P_2$ is on the form $\phi \mid P''$ where $\phi$ is a fusion and $P''$ has no top-level fusions. Thus $\widetilde{b}_{[\![P_2]\!]_{\mathbf{Fi}}} = \epsilon$, and by idempotence of fusions, equally $[\![\Psi]\!]^{-1} \mid\ \mid P_1 \mid P_2 \xrightarrow{a} (\nu\tilde{c})\langle\tilde{y}\rangle(Q_1 \mid P_2)$.

(3) Base case: $\Psi \rhd [\![P]\!]_{\mathbf{Fi}} \xrightarrow{\tau} Q$ by the Com rule. Then $[\![P]\!]_{\mathbf{Fi}} = [\![P_1]\!]_{\mathbf{Fi}} \mid [\![P_2]\!]_{\mathbf{Fi}}$ and $\Psi \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}} \rhd [\![P_1]\!]_{\mathbf{Fi}} \xrightarrow{a\,(\nu\tilde{c})\,\tilde{x}} P'_1$, $\Psi \otimes \Psi_{[\![P_1]\!]_{\mathbf{Fi}}} \rhd [\![P_2]\!]_{\mathbf{Fi}} \xrightarrow{b\,\tilde{x}} (\nu\tilde{e})((|\{\tilde{x} = \tilde{y}\}|) \mid P''_2)$, where $\tilde{c} \,\#\, P_2$, $\tilde{e} \,\#\, P_1$, $\tilde{e} \subseteq \tilde{y}$, and $\Psi \otimes \Psi_{[\![P_1]\!]_{\mathbf{Fi}}} \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}} \vdash a \mathrel{\dot{\leftrightarrow}} b$, as well as

$$\Psi \rhd [\![P_1]\!]_{\mathbf{Fi}} \mid [\![P_2]\!]_{\mathbf{Fi}} \xrightarrow{\tau} (\nu\tilde{c})(P'_1 \mid (\nu\tilde{e})((|\{\tilde{x} = \tilde{y}\}|) \mid P''_2)) \equiv (\nu\tilde{c}\,\tilde{e})((|\{\tilde{x} = \tilde{y}\}|) \mid P'_1 \mid P''_2).$$

Application of (1) yields $[\![\Psi \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}}]\!]^{-1} \mid P_1 \xrightarrow{a} (\nu\tilde{c})\langle\tilde{x}\rangle P'_1 \mid [\![\Psi \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}}]\!]^{-1}$, and by (2) we obtain $[\![\Psi \otimes \Psi_{[\![P_1]\!]_{\mathbf{Fi}}}]\!]^{-1} \mid P_2 \xrightarrow{a} (\nu\tilde{e})\langle\tilde{y}\rangle P''_2 \mid [\![\Psi \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}}]\!]^{-1}$. Then

$$\begin{aligned}
& [\![\Psi \otimes \Psi_{[\![P_1]\!]_{\mathbf{Fi}}}]\!]^{-1} \mid [\![\Psi \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}}]\!]^{-1} \mid P_1 \mid P_2 \\
\xrightarrow{?a = b}\ & (\nu\tilde{c}\,\tilde{e})(\tilde{x} = \tilde{y} \mid P'_1 \mid P''_2 \mid [\![\Psi \otimes \Psi_{[\![P_1]\!]_{\mathbf{Fi}}}]\!]^{-1} \mid [\![\Psi \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}}]\!]^{-1}) \\
\equiv\ & (\nu\tilde{c}\,\tilde{e})(\tilde{x} = \tilde{y} \mid P'_1 \mid P''_2 \mid [\![\Psi \otimes \Psi_{[\![P_1]\!]_{\mathbf{Fi}}} \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}}]\!]^{-1})
\end{aligned}$$

and since $\Psi \otimes \Psi_{[\![P_1]\!]_{\mathbf{Fi}}} \otimes \Psi_{[\![P_2]\!]_{\mathbf{Fi}}} \vdash a \mathrel{\dot{\leftrightarrow}} b$ the label can be rewritten to $?a = a$ and then further rewritten to $\tau$. As above we can assume that $P$ is on the form $\phi \mid P''$ where $\phi$ is a fusion and $P''$ has no top-level fusions. Thus $\widetilde{b}_{P_1} = \widetilde{b}_{P_2} = \epsilon$, and by idempotence of fusions, equally $[\![\Psi]\!]^{-1} \mid P_1 \mid P_2 \xrightarrow{\tau} (\nu\tilde{c}\,\tilde{e})(\tilde{x} = \tilde{y} \mid P'_1 \mid P''_2) \mid [\![\Psi]\!]^{-1}$.

Induction: straight-forward matching of transitions rules.

3.3.2. Concurrent constraints. Process calculi which integrate communication and mobility with concurrent constraint (CC) programming have appeared e.g. in [Smo94, NM95, DRV98, BM08]. Here, the ask and tell operations interact with a constraint store. The $\mathbf{ask}\ \varphi.P$ operation checks whether a constraint $\varphi$ is satisfied by the current store and only then proceeds as $P$, corresponding to $\mathbf{if}\ \varphi\ \mathbf{then}\ \tau.P$ in psi-calculi. The $\mathbf{tell}\ \Psi.P$ operation adds a constraint $\Psi$ to the current store before proceeding as $P$. Two variants of tell have been identified and used: one which can only proceed if the resulting store is consistent is known as atomic tell, and one which allows an inconsistent store and is called eventual tell [Sar93]. The eventual tell operation is used in earlier process calculi which integrate constraints and communication, e.g. the $\pi^{+}$-calculus [DRV98] and the $\rho$-calculus [NM95]. The atomic tell operation is used in the CC-Pi calculus [BM08].

We here present a psi-calculus with concurrent constraints.
Similarly to CC-Pi we extend a basic pi-F-like calculus with ask and tell operations and use a named c-semiring [BM08] as the constraint system parameter. Such a constraint system contains names, name fusion/equality constraints and a name hiding operator $\nu$, and supports general constraint semirings, e.g. Herbrand constraints. Our psi-calculus, call it Ci, with associated named c-semiring $C = \langle A, \oplus, \otimes, 0, 1\rangle$ and induced preorder is:

$$\begin{aligned}
\mathbf{T} &\stackrel{\text{def}}{=} \mathcal{N} \\
\mathbf{A} &\stackrel{\text{def}}{=} \mathbf{C} \stackrel{\text{def}}{=} A \\
\dot{\leftrightarrow} &\stackrel{\text{def}}{=} \; = \\
\otimes &\stackrel{\text{def}}{=} \text{The similarly notated operator } \otimes \text{ in } C \\
\mathbf{1} &\stackrel{\text{def}}{=} 1 \\
\vdash &\stackrel{\text{def}}{=}
\end{aligned}$$

Thus terms are names, while conditions and assertions are defined by the carrier $A$ of the named c-semiring, which by definition includes names and name fusions, and implicitly name equality conditions. The properties of named c-semirings guarantee the requirements of psi-calculi, assuming that substitution on the named c-semiring satisfies our requisites. Abelian monoid properties follow directly, compositionality from $\Psi_1 \simeq \Psi_2 \Rightarrow \Psi_1 = \Psi_2$, and the channel equivalence properties from the fact that $=$ is an equivalence.

We extend the encoding of (monadic) pi-F processes and represent $\mathbf{ask}\ \varphi.P$ as $\mathbf{if}\ \varphi\ \mathbf{then}\ \tau.P$. An eventual tell operation $\mathbf{tell}_e\ \Psi.P$ can be represented as $\tau.((|\Psi|) \mid P)$. The atomic $\mathbf{tell}_a$ operation can be handled by adding a condition $\mathrm{cons}(\Psi)$ to $\mathbf{C}$ with $\Psi \vdash \mathrm{cons}(\Psi')$ if $\Psi \otimes \Psi'$ is consistent, and representing $\mathbf{tell}_a\ \Psi.P$ as $\mathbf{if}\ \mathrm{cons}(\Psi)\ \mathbf{then}\ \tau.((|\Psi|) \mid P)$.

The most prominent difference from the CC-Pi calculus is that there, name fusions resulting from communication are required to be consistent with the store, otherwise the communication cannot happen. In contrast our semantics will allow communication transitions that lead to an inconsistent store. This difference is illustrated below:

In CC-Pi: $P = \Psi \mid a\,b.Q \mid c\,d.R \xrightarrow{\tau} \Psi \otimes (b = d) \mid Q \mid R$ if $\Psi\ \ a = c$ and $\Psi \otimes (b = d)$ consistent

In Ci: $P = (|\Psi|) \mid a\,b.Q \mid c(x).((|x = d|) \mid R) \xrightarrow{\tau} (|\Psi|) \mid (|b = d|) \mid Q \mid R$ if $\Psi \vdash a = c$

While it appears not possible to integrate an atomic consistency check in a psi-calculus communication without changing our Com rule, explicit consistency checks (like $\mathrm{cons}(\Psi)$) can be used to handle interesting applications in practice.

The semantics of CC-Pi is given by a structural congruence and a reduction relation. There is also a labelled operational semantics, but it is in fact not compositional. Consider the CC-Pi agents

$$P = (\nu b, x)(x = b \mid a\,x.\,b.\,c) \qquad Q = (\nu b, x)(x = b \mid a\,x)$$

(where insignificant objects are omitted). They have the same constraint store and the same transitions in all constraint contexts. However, they do not have the same transitions in all process contexts: a parallel context $R = a(y).y$ tells the difference: $P \mid R \xrightarrow{\tau}\xrightarrow{\tau} (\nu b)(x = b \mid x = y \mid c) \xrightarrow{c}$ while $Q \mid R$ of course has no such $c$ transition. Thus Theorem 1 of [BM08] is incorrect: open bisimilarity is not a congruence (see also [BM09]).

The labelled semantics of CC-Pi has a curious asymmetry between the rule for prefixes and the rule for communication: in the first case, the constraint store cannot affect the label induced by the prefix, while in the communication case, the constraint store judges whether the subjects should be considered the same, enabling the communication. The psi-calculi have no such asymmetry: the assertions (corresponding to the store) allow the subject to be rewritten in the prefix rules and the subjects in Com are compared using the assertions (see Section 2.6 for a discussion).
A possible fix for CC-Pi would involve allowing the store to rewrite terms, thus also subjects in prefixes [Bus09].

Psi-calculi go beyond most concurrent constraint systems in two ways. Firstly, we allow arbitrary logics, even higher-order ones. Secondly, we allow constraints and conditions to be data terms, which means an agent can transmit and receive these. For example, assume that $c$ is a constraint and that $f$ is a function from assertions to assertions. Then in the agent

$$a\,c.P \mid a(z).((|f(z)|) \mid Q) \xrightarrow{\tau} P \mid (|f(c)|) \mid Q$$

the left hand agent sends the constraint $c$ to the right, and $f$ is applied to it. Similarly, if $p$ is a unary predicate, in the agent

$$a\,p.P \mid a(z).\,\mathbf{if}\ z(x)\ \mathbf{then}\ Q \xrightarrow{\tau} P \mid \mathbf{if}\ p(x)\ \mathbf{then}\ Q$$

the left hand agent sends the predicate to the right, which applies it to $x$.

4. Applications

In this section we will look at a few applications of psi-calculi, some of which have been described before in other formalisms, and some which are novel.

4.1. Structured terms as channels. Calculi with channels that can carry complex data are common, but in most cases the terms that represent channels are very simple, usually only a single name. We here give some examples where they have structure, and thus may contain more than one name.

4.1.1. Frequency hopping spread spectrum. Wireless communication over a constant radio frequency has a number of drawbacks. In a hostile environment a radio can be tuned in to the correct frequency and monitor the communication which is also vulnerable to jamming. A solution to these problems is to jump quickly between different frequencies in a scheme called frequency hopping spread spectrum (FHSS), first patented in 1942 [MA42]. To eavesdrop it would then be necessary to match both the order of the frequencies and the pace of switching.
Jamming is also made more difficult since the available power would have to be distributed over many frequencies.

We will here show how this is modelled in a psi-calculus. It is assumed that the initiator of the communication and the receiver share an algorithm used to calculate the next frequency. The procedure starts by the initiator sending a communication request over some predetermined frequency. The receiver then sends a seed back to the initiator and both use it to calculate the sequence of frequencies to be used. Then the initiator synchronises over the first calculated frequency to verify that it got the right sequence. The communication then proceeds and both parties change frequencies accordingly.

We will now look at the psi-calculus used to model this frequency hopping algorithm. We let terms represent radio frequencies and use the unary function $\mathrm{nextFreq}(M)$ to represent the algorithm for calculating the next frequency, given the previous frequency $M$. This psi-calculus has no assertions other than unit.

$$\begin{aligned}
\mathbf{T} &\stackrel{\text{def}}{=} \mathcal{N} \cup \{\mathrm{nextFreq}(M) : M \in \mathbf{T}\} \\
\mathbf{C} &\stackrel{\text{def}}{=} \{M \mathrel{\dot{\leftrightarrow}} N : M, N \in \mathbf{T}\} \\
\mathbf{A} &\stackrel{\text{def}}{=} \{\mathbf{1}\} \\
\otimes &\stackrel{\text{def}}{=} \lambda\Psi_1, \Psi_2.\ \mathbf{1} \\
\mathbf{1} &\vdash M \mathrel{\dot{\leftrightarrow}} M
\end{aligned}$$

We define $\top$ to be $a \mathrel{\dot{\leftrightarrow}} a$ in order to be able to use non-deterministic choice as noted in Section 2.4.

Let $X_{in,out}$ be an arbitrary agent that communicates with the environment via the channels $in$ and $out$. This agent will be wrapped in contexts that will let it do FHSS in a transparent way: from the agent's point of view it will only communicate over the local channels $in$ and $out$. The agent FHSS that implements frequency hopping looks like:

$$\begin{aligned}
\mathrm{FHSS} = {!}\,\mathit{fh}(\mathit{freq}).\ & \mathit{out}(y).\ \mathit{freq}\langle y\rangle.\ \mathit{fh}\langle\mathrm{nextFreq}(\mathit{freq})\rangle \\
+\ & \mathit{freq}(y).\ \mathit{in}\langle y\rangle.\ \mathit{fh}\langle\mathrm{nextFreq}(\mathit{freq})\rangle
\end{aligned}$$

This agent can be thought of as a function $\mathit{fh}$ that will take a frequency and then either wait for something to be received from the local channel $out$ to send over this frequency, or to receive something over this frequency and forward it to the local channel $in$. It will then calculate the next frequency and start over.

The behaviour when the agent $X_{in,out}$ acts as initiator is modelled as a context where the initiating sequence starts by sending a synchronisation message $\mathit{sync}$ over a predetermined control channel $\mathit{ctl}$, and then waits for a seed from that channel. It then starts the frequency hopping algorithm with the seed and sends a synchronisation message over the first frequency, and behaves as $X_{in,out}$. It is assumed that $\mathit{seed} \,\#\, X_{in,out}$.

$$I[X_{in,out}] = \mathit{ctl}\langle\mathit{sync}\rangle.\ \mathit{ctl}(\mathit{seed}).\ \mathit{fh}\langle\mathit{seed}\rangle.\ \mathit{out}\langle\mathit{sync}\rangle.\ X_{in,out} \mid \mathrm{FHSS}$$

The behaviour when the agent $X_{in,out}$ acts as a receiver is modelled similarly: the receiver listens to the control channel $\mathit{ctl}$ and sends back a seed. Then it starts the frequency hopping algorithm with this seed and waits for a synchronisation message. The receiver then behaves as $X_{in,out}$. It is assumed that $x, \mathit{seed}, s \,\#\, X_{in,out}$.

$$R[X_{in,out}] = \mathit{ctl}(s).\ (\nu\,\mathit{seed})\,\mathit{ctl}\langle\mathit{seed}\rangle.\ \mathit{fh}\langle\mathit{seed}\rangle.\ \mathit{in}(x).\ X_{in,out} \mid \mathrm{FHSS}$$

The full system where $X_{in,out}$ may behave as either a receiver or initiator is then modelled as

$$\mathrm{FH}[X_{in,out}] = (\nu\,\mathit{fh}, \mathit{in}, \mathit{out})\,(I[X_{in,out}] + R[X_{in,out}])$$

where it is assumed that $\mathit{fh} \,\#\, X_{in,out}$.

Let us look at a few transitions of the receiver. First the receiver gets a request to do frequency hopping over the control channel:

$$\mathrm{FH}[X_{in,out}] \xrightarrow{\mathit{ctl}\ \mathit{sync}} (\nu\,\mathit{fh}, \mathit{in}, \mathit{out})\ (\nu\,\mathit{seed})\,\mathit{ctl}\langle\mathit{seed}\rangle.\ \mathit{fh}\langle\mathit{seed}\rangle.\ \mathit{in}(x).\ X_{in,out} \mid \mathrm{FHSS}$$

It then sends the seed to the initiator and starts the frequency hopping using this seed:

$$\begin{aligned}
\xrightarrow{\mathit{ctl}\,(\nu\,\mathit{seed})\langle\mathit{seed}\rangle}\ & (\nu\,\mathit{fh}, \mathit{in}, \mathit{out})\ \mathit{fh}\langle\mathit{seed}\rangle.\ \mathit{in}(x).\ X_{in,out} \mid \mathrm{FHSS} \\
\xrightarrow{\tau}\ & (\nu\,\mathit{fh}, \mathit{in}, \mathit{out})\ \mathit{in}(x).\ X_{in,out} \\
& \quad \mathit{out}(y).\ \mathit{seed}\langle y\rangle.\ \mathit{fh}\langle\mathrm{nextFreq}(\mathit{seed})\rangle + \mathit{seed}(y).\ \mathit{in}\langle y\rangle.\ \mathit{fh}\langle\mathrm{nextFreq}(\mathit{seed})\rangle \\
& \quad \mid \mathrm{FHSS}
\end{aligned}$$

At this point the initiator will send the sync message:

$$\begin{aligned}
\xrightarrow{\mathit{seed}\ \mathit{sync}}\ & (\nu\,\mathit{fh}, \mathit{in}, \mathit{out})\ \mathit{in}(x).\ X_{in,out} \mid \mathit{in}\langle\mathit{sync}\rangle.\ \mathit{fh}\langle\mathrm{nextFreq}(\mathit{seed})\rangle \mid \mathrm{FHSS} \\
\xrightarrow{\tau}\ & (\nu\,\mathit{fh}, \mathit{in}, \mathit{out})\ X_{in,out} \mid \mathit{fh}\langle\mathrm{nextFreq}(\mathit{seed})\rangle \mid \mathrm{FHSS}
\end{aligned}$$

After another $\tau$-transition the agent is ready to communicate over the next frequency:

$$\begin{aligned}
\xrightarrow{\tau}\ & (\nu\,\mathit{fh}, \mathit{in}, \mathit{out})\ X_{in,out} \\
& \quad \mathit{out}(y).\ \mathrm{nextFreq}(\mathit{seed})\langle y\rangle.\ \mathit{fh}\langle\mathrm{nextFreq}(\mathrm{nextFreq}(\mathit{seed}))\rangle \\
& \quad + \mathrm{nextFreq}(\mathit{seed})(y).\ \mathit{in}\langle y\rangle.\ \mathit{fh}\langle\mathrm{nextFreq}(\mathrm{nextFreq}(\mathit{seed}))\rangle \\
& \quad \mid \mathrm{FHSS}
\end{aligned}$$

This example could easily be made more complex by adding relevant error checking (e.g. the receiver could check that the synchronisation message is correct), but even in this form it illustrates the use of structured channels.

4.1.2. Local services. A common scenario is that different servers implement the same kind of functionality known under some globally known name. HTTP servers are examples of this where the service provided is normally available on IP port 80. Here the name of the service (port 80) is shared among the different servers. The general problem is that there is a service known under a global name, but available from servers with different names. This problem is treated in depth in [CS01] where the authors invent a new calculus for this purpose. Here we show how the same problem can be solved using an instance of psi-calculi.
The instance used is basically the same as for polyadic pi-calculus as presented in Section 2.4 augmented with terms of form $M@N$ and the entailment $\mathbf{1} \vdash M@N \mathrel{\dot{\leftrightarrow}} M@N$, where $M$ and $N$ are terms. This gives the possibility to scope a part of a channel term, e.g. $(\nu b)(a@b\,c.P)$, as in [CM03].

$$\begin{aligned}
\mathbf{T} &\stackrel{\text{def}}{=} \{M@N : M, N \in \mathbf{T}\} \cup \{\mathrm{t}_2(M,N) : M, N \in \mathbf{T}\} \cup \mathcal{N} \\
\mathbf{C} &\stackrel{\text{def}}{=} \{M \mathrel{\dot{\leftrightarrow}} N : M, N \in \mathbf{T}\} \\
\mathbf{A} &\stackrel{\text{def}}{=} \{\mathbf{1}\} \\
\otimes &\stackrel{\text{def}}{=} \lambda\Psi_1, \Psi_2.\ \mathbf{1} \\
\mathbf{1} &\vdash a \mathrel{\dot{\leftrightarrow}} a \quad \forall a \in \mathcal{N} \\
\mathbf{1} &\vdash M@N \mathrel{\dot{\leftrightarrow}} M@N \quad \forall M, N \in \mathbf{T}
\end{aligned}$$

The following example is adapted from [CS01]. Assume there are globally known names $\mathit{finger}$ and $\mathit{daytime}$ which refer to resources located at some server. Different servers have different local information, but this information is accessed through the same globally known names. This can be modelled as

$$\begin{aligned}
\mathrm{Server} &= {!}\,\mathit{server}(\mathrm{t}_2(\mathit{service}, \mathit{replyc})).\ (\nu a)\ \mathit{service}@a\langle\mathit{replyc}\rangle.\mathbf{0} \mid \mathrm{Finger}(a) \mid \mathrm{Daytime}(a) \\
\mathrm{Finger}(a) &= \mathit{finger}@a(\mathit{replyc}).\ \mathit{replyc}\langle\mathrm{UserList}\rangle.\mathbf{0} \\
\mathrm{Daytime}(a) &= \mathit{daytime}@a(\mathit{replyc}).\ \mathit{replyc}\langle\mathrm{Date}\rangle.\mathbf{0}
\end{aligned}$$

where UserList and Date are some terms containing the requested information. The exact nature of these terms is unimportant for this example. The server listens to incoming requests on channel $\mathit{server}$ and receives two names. The first name is the requested service, and the second is the reply channel. It will then do an internal communication with the particular service daemon. There is no risk of interference since a locally scoped name is part of the service channel. The result of the request is then forwarded along the reply channel.

$$\begin{aligned}
\mathrm{Server} \xrightarrow{\mathit{server}\ \mathrm{t}_2(\mathit{finger}, c)}\ & \mathrm{Server} \mid (\nu a)\ \mathit{finger}@a\langle c\rangle.\mathbf{0} \mid \mathrm{Finger}(a) \mid \mathrm{Daytime}(a) \\
\xrightarrow{\tau}\ & \mathrm{Server} \mid (\nu a)\ \mathbf{0} \mid c\langle\mathrm{UserList}\rangle.\mathbf{0} \mid \mathrm{Daytime}(a) \\
\xrightarrow{c\langle\mathrm{UserList}\rangle}\ & \mathrm{Server} \mid (\nu a)\ \mathbf{0} \mid \mathbf{0} \mid \mathrm{Daytime}(a)
\end{aligned}$$

Since any transitions from $\mathrm{Daytime}(a)$ are prevented by the restriction, the final derivative will behave like Server.

4.2. Cryptography. In this section we give a sequence of examples from cryptography, culminating with a model of the Diffie-Hellman key agreement protocol. Our exposition is quite similar to the applied pi-calculus as presented in [AF01], and we will use a psi-calculus that mimics this closely. The main point is that psi-calculi can express these cryptographic examples in an equally concise way, and within a leaner and more symmetric formalism.

The psi-calculus instance we use for the examples below can be seen as a simplification of APi in Section 3.2 in that we do not distinguish between different kinds of names, and we do not use inequality. To construct this psi-calculus we assume an inductively defined set of terms using a signature $\Sigma$, and an equational theory $\vdash_{\Sigma}$ which let us infer equations $M = N$ where $M$ and $N$ are terms. Exactly how this theory works is unimportant for this presentation. Substitution is defined in the expected way.

$$\begin{aligned}
\mathbf{T} &\stackrel{\text{def}}{=} \mathcal{N} \cup \{f(M_1, \ldots, M_n) : f \in \Sigma \wedge M_i \in \mathbf{T}\} \\
\mathbf{C} &\stackrel{\text{def}}{=} \{M = N : M, N \in \mathbf{T}\} \\
\mathbf{A} &\stackrel{\text{def}}{=} \mathcal{P}_{\mathrm{fin}}(\{M = N : M, N \in \mathbf{T}\}) \\
\dot{\leftrightarrow} &\stackrel{\text{def}}{=} \; = \\
\otimes &\stackrel{\text{def}}{=} \cup \\
\mathbf{1} &\stackrel{\text{def}}{=} \emptyset \\
\Psi \vdash M = N &\quad\text{if } \vdash_{\Sigma \cup \Psi} M = N
\end{aligned}$$

An assertion is a finite set of equations between terms. We often elide the set brackets in agents, e.g. writing $(|M = N|)$ instead of $(|\{M = N\}|)$. The conditions are just equations $M = N$. Entailment is defined such that $\Psi \vdash M = N$ holds if $M = N$ can be inferred from the equational theory $\vdash_{\Sigma}$ extended by the equations in $\Psi$. This instance satisfies the requirements by the same reasoning as for APi.

We start by looking at how one-way hashing is modelled.
In addition to symbols for tupling and projection, and their associated equations, the signature contains the unary symbol $\mathrm{hash}(x)$ which has no equations. The only equation on hash that is true is $\mathrm{hash}(M) = \mathrm{hash}(M)$, and this means that the hash function is collision free. The following example shows one agent sending a message $M$ together with a hashing $x$ of the message and a secret name $s$ to another agent. The second agent will only forward $M$ if it is properly hashed.

$$(\nu s)((|\mathrm{hash}(\mathrm{t}_2(s, M)) = x|) \mid a\langle\mathrm{t}_2(M, x)\rangle \mid a(y).\,\mathbf{if}\ \mathrm{hash}(\mathrm{t}_2(s, \pi_1(y))) = \pi_2(y)\ \mathbf{then}\ b\langle\pi_1(y)\rangle)$$

To model symmetric cryptography, the signature is extended as in Section 3.2: we add the binary symbols $\mathrm{enc}(x, y)$ and $\mathrm{dec}(x, y)$ together with the equation $\mathrm{dec}(\mathrm{enc}(x, y), y) = x$. The following agent sends a message $M$ encrypted with the secret key $k$, without revealing the plaintext or key.

$$(\nu k, x)((|\mathrm{enc}(M, k) = x|) \mid a\,x) \xrightarrow{a\,(\nu x)\,x} \ldots$$

Asymmetric encryption is modelled by adding two new unary symbols $\mathrm{pk}(s)$ and $\mathrm{sk}(s)$ which generate the public and secret keys from a common seed value, and the equation $\mathrm{dec}(\mathrm{enc}(x, \mathrm{pk}(k)), \mathrm{sk}(k)) = x$. The following agent sends the public key on channel $a$, receives a message along channel $b$, decrypts it with the secret key, and sends the decrypted message along channel $c$:

$$(\nu s, x)((|\mathrm{pk}(s) = x|) \mid a\,x \mid b(y).((|\mathrm{dec}(y, \mathrm{sk}(s)) = z|)) \mid c\,z)$$

Non-deterministic crypto is modelled by using a ternary version of the symbol $\mathrm{enc}(x, y, z)$ with some salt in the last argument, together with the equation $\mathrm{dec}(\mathrm{enc}(x, \mathrm{pk}(k), z), \mathrm{sk}(k)) = x$. Consider the following agent:

$$a(x).\ (\nu m, y)((|\mathrm{enc}(M, x, m) = y|) \mid b\,y) \mid (\nu n, z)((|\mathrm{enc}(M, x, n) = z|)) \mid c\,z$$

An observer of this agent cannot tell whether $y$ and $z$ are encryptions of the same message or not, because of the unique salt.

Digital signatures are modelled by adding the binary symbol $\mathrm{sign}(x, y)$, the ternary symbol $\mathrm{check}(x, y, z)$, the constant symbol $\mathrm{ok}$, and the equation $\mathrm{check}(x, \mathrm{sign}(x, \mathrm{sk}(k)), \mathrm{pk}(k)) = \mathrm{ok}$. The following agent sends a signed message along $a$, then the parallel component receives it and checks the signature. If it is ok it is then forwarded.

$$(\nu s, z)((|\mathrm{pk}(s) = y|) \mid (|\mathrm{sign}(M, \mathrm{sk}(s)) = z|) \mid a\,\mathrm{t}_2(M, z)) \mid a(x).\,\mathbf{if}\ \mathrm{check}(\pi_1(x), \pi_2(x), y) = \mathrm{ok}\ \mathbf{then}\ b\,\pi_1(x)$$

The Diffie-Hellman protocol [DH76] is used to establish a shared secret between two principals who do not necessarily share any secrets beforehand. This is done by exchanging messages over a public channel. We let $\Sigma$ include $f(x, y)$ and $g(x)$, and the equation system includes $f(x, g(y)) = f(y, g(x))$, but no other equations on $f$ and $g$. The first principal $P$ creates a secret $n_P$ and sends an alias $x_P$ of $g(n_P)$ to the other principal $Q$, and $Q$ does likewise. Then $P$ can create the term $f(n_P, x_Q)$ and $Q$ can create the term $f(n_Q, x_P)$. Using the equations above these two terms are equivalent and the shared secret has been established. Concretely $f$ and $g$ are functions in a multiplicative group modulo a large prime, but here we ignore the number theory.

Let $P_{k_P}$ and $Q_{k_Q}$ be two agents that will share a secret key and will use the names $k_P$ and $k_Q$, respectively, to refer to it. The Diffie-Hellman key agreement is modelled as two symmetric contexts $\mathrm{DH}_{01}[\cdot]$ and $\mathrm{DH}_{10}[\cdot]$ in which the agents are placed.
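Entailment in this instance, $\Psi \vdash M = N$ whenever $M = N$ follows from the equational theory extended by the equations in $\Psi$, can be checked mechanically for the Diffie-Hellman terms just described. The following Python is an added example, not code from the paper: it runs a congruence closure over the ground terms occurring in $\Psi$ and the query, closed under $f(x, g(y)) = f(y, g(x))$ and $\mathrm{dec}(\mathrm{enc}(x, y), y) = x$. The tuple encoding of terms, the two sample frames and the restriction to terms already present (sound, but not a complete decision procedure) are assumptions of the example.

```python
def subterms(t):
    """Yield t and all its subterms; compound terms are tuples (symbol, arg, ...)."""
    yield t
    if isinstance(t, tuple):
        for arg in t[1:]:
            yield from subterms(arg)


def entails(psi, m, n):
    """Check Ψ ⊢ M = N over the ground terms occurring in Ψ, M and N."""
    terms = set()
    for lhs, rhs in list(psi) + [(m, n)]:
        terms.update(subterms(lhs))
        terms.update(subterms(rhs))
    parent = {t: t for t in terms}

    def find(t):
        while parent[t] != t:
            t = parent[t]
        return t

    def union(s, t):
        rs, rt = find(s), find(t)
        if rs != rt:
            parent[rs] = rt
        return rs != rt                  # True when two classes were merged

    def same(s, t):
        return find(s) == find(t)

    for lhs, rhs in psi:                 # the equations asserted in Ψ
        union(lhs, rhs)

    apps = [t for t in terms if isinstance(t, tuple)]

    def g_preimages(t):
        """All b such that g(b) is already known to equal t."""
        return [u[1] for u in apps if u[0] == "g" and same(u, t)]

    def step():
        changed = False
        for s in apps:
            # dec(enc(x, y), y) = x, binary enc and dec only
            if s[0] == "dec" and len(s) == 3:
                for e in apps:
                    if e[0] == "enc" and len(e) == 3 \
                            and same(e, s[1]) and same(e[2], s[2]):
                        changed |= union(s, e[1])
            for t in apps:
                if same(s, t) or s[0] != t[0] or len(s) != len(t):
                    continue
                # congruence: equal arguments give equal applications
                if all(same(a, b) for a, b in zip(s[1:], t[1:])):
                    changed |= union(s, t)
                # f(x, g(y)) = f(y, g(x))
                elif s[0] == "f" \
                        and any(same(b, t[1]) for b in g_preimages(s[2])) \
                        and any(same(c, s[1]) for c in g_preimages(t[2])):
                    changed |= union(s, t)
        return changed

    while step():                        # iterate to a fixpoint
        pass
    return same(m, n)


# Constructed sample frame: aliases xP, xQ for g(nP), g(nQ) and the key
# names kP, kQ for the terms each principal can build.
DH_FRAME = [
    (("g", "nP"), "xP"), (("f", "nP", "xQ"), "kP"),
    (("g", "nQ"), "xQ"), (("f", "nQ", "xP"), "kQ"),
]
# Constructed sample frame: x is an alias for enc(M, k), u for dec(x, k).
ALIAS_FRAME = [(("enc", "M", "k"), "x"), (("dec", "x", "k"), "u")]

if __name__ == "__main__":
    print("kP = kQ:", entails(DH_FRAME, "kP", "kQ"))
    print("xP = xQ:", entails(DH_FRAME, "xP", "xQ"))
    print("u = M:  ", entails(ALIAS_FRAME, "u", "M"))
```
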
The context $DH_{01}[X_k]$ is defined as

$$DH_{01}[X_k] = (\nu n, x, a_{01}, a_{10})((\!|g(n) = x|\!) \mid \overline{a_{01}}\,x \mid a_{10}(z).\,(\nu k)((\!|f(n, z) = k|\!) \mid X_k))$$

where $n, x, a_{01}, a_{10} \# X_k$ and $k$ occurs in $X_k$ as a name that refers to a key. The context $DH_{10}[X_k]$ is defined in the same way but with $a_{10}$ and $a_{01}$ swapped. The agents $P_{k_P}$ and $Q_{k_Q}$ agree on the secret by placing them in the contexts: $DH_{01}[P_{k_P}]$ and $DH_{10}[Q_{k_Q}]$. The key agreement will then do two internal transitions:

$$DH_{01}[P_{k_P}] \mid DH_{10}[Q_{k_Q}] \xrightarrow{\tau}\xrightarrow{\tau} (\nu x_P, x_Q)(P' \mid Q')$$

where

$$\begin{aligned}
P' &= (\nu n_P, a_{01}, a_{10})((\!|g(n_P) = x_P|\!) \mid (\nu k_P)((\!|f(n_P, x_Q) = k_P|\!) \mid P_{k_P})) \\
Q' &= (\nu n_Q, a_{01}, a_{10})((\!|g(n_Q) = x_Q|\!) \mid (\nu k_Q)((\!|f(n_Q, x_P) = k_Q|\!) \mid Q_{k_Q}))
\end{aligned}$$

The $x$ and $n$ from the context have been alpha-converted to the variants with subscripts to avoid clashes.

Since the agents are communicating over a public channel the messages may be intercepted by a passive attacker which then forwards them unmodified. In presence of such an attacker the agents evolve to $P' \mid Q'$ where the lack of binders for $x_P$ and $x_Q$ represents that the hostile environment now has access to these values. We show that this does not break the protocol.

As a specification for this protocol we put $P_{k_P} \mid Q_{k_Q}$ in a context where they already share a secret, here represented by the name $k'$:

$$S = (\nu k_P, k_Q, k')((\!|k' = k_P|\!) \mid (\!|k' = k_Q|\!) \mid P_{k_P} \mid Q_{k_Q}).$$

We then show that $P' \mid Q'$ and $S$ behave the same, denoted $P' \mid Q' \sim S$. The precise meaning of $\sim$ is given in Section 5, but for this particular example it is sufficient to think of $\sim$ as equivalence of the frames of $S$ and $P' \mid Q'$ according to Definition 2.5.
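The equations used in the cryptographic examples and in the Diffie-Hellman argument above can be executed as rewrite rules. The following Python code is an added example, not code from the paper or its Isabelle development; it assumes the projection equation $\pi_i(t_2(M_1, M_2)) = M_i$, reads each assertion "term = name" as defining the name as an alias for the term, and ignores restriction, so it decides whether a condition is entailed rather than full frame equivalence.

```python
# Added illustration: terms are nested tuples ("symbol", arg, ...); names are strings.

def is_app(term, sym, arity):
    return isinstance(term, tuple) and term[0] == sym and len(term) == arity + 1

def expand(term, aliases):
    """Replace alias names by their defining terms (aliases assumed acyclic)."""
    if isinstance(term, str):
        return expand(aliases[term], aliases) if term in aliases else term
    return (term[0],) + tuple(expand(a, aliases) for a in term[1:])

def normalise(term):
    """Apply the page's equations as rewrite rules, innermost first."""
    if isinstance(term, str):
        return term
    sym = term[0]
    args = tuple(normalise(a) for a in term[1:])
    # Assumed projection equation: pi_i(t2(M1, M2)) = Mi
    if sym in ("pi1", "pi2") and len(args) == 1 and is_app(args[0], "t2", 2):
        return args[0][int(sym[2])]
    if sym == "dec" and len(args) == 2:
        cipher, key = args
        # dec(enc(x, y), y) = x
        if is_app(cipher, "enc", 2) and cipher[2] == key:
            return cipher[1]
        # dec(enc(x, pk(k)), sk(k)) = x and dec(enc(x, pk(k), z), sk(k)) = x
        if (is_app(cipher, "enc", 2) or is_app(cipher, "enc", 3)) \
                and is_app(cipher[2], "pk", 1) and key == ("sk", cipher[2][1]):
            return cipher[1]
    if sym == "check" and len(args) == 3:
        msg, sig, key = args
        # check(x, sign(x, sk(k)), pk(k)) = ok
        if is_app(sig, "sign", 2) and sig[1] == msg \
                and is_app(sig[2], "sk", 1) and key == ("pk", sig[2][1]):
            return "ok"
    # f(x, g(y)) = f(y, g(x)): pick one fixed ordering as the canonical form
    if sym == "f" and len(args) == 2 and is_app(args[1], "g", 1):
        lo, hi = sorted((args[0], args[1][1]), key=repr)
        return ("f", lo, ("g", hi))
    return (sym,) + args   # hash and all other symbols have no equations

def entails(aliases, lhs, rhs):
    """Does the set of alias assertions entail the condition lhs = rhs?"""
    return normalise(expand(lhs, aliases)) == normalise(expand(rhs, aliases))

def hash_check(sent_message):
    """Receiver's test hash(t2(s, pi1(y))) = pi2(y) for y = t2(sent_message, x)."""
    aliases = {"x": ("hash", ("t2", "s", "M")), "y": ("t2", sent_message, "x")}
    return entails(aliases, ("hash", ("t2", "s", ("pi1", "y"))), ("pi2", "y"))

# Assertions of P' | Q' after the key agreement (binders dropped for the check).
DH_FRAME = {
    "x_P": ("g", "n_P"), "k_P": ("f", "n_P", "x_Q"),
    "x_Q": ("g", "n_Q"), "k_Q": ("f", "n_Q", "x_P"),
}

# Signed message example: y = pk(s), z = sign(M, sk(s)), received x = t2(M, z).
SIGNED = {"y": ("pk", "s"), "z": ("sign", "M", ("sk", "s")), "x": ("t2", "M", "z")}

def signature_ok():
    return entails(SIGNED, ("check", ("pi1", "x"), ("pi2", "x"), "y"), "ok")

# Salted encryption of the same message under pk(s) with two salts m and n.
SALTED = {"y": ("enc", "M", ("pk", "s"), "m"), "z": ("enc", "M", ("pk", "s"), "n")}

if __name__ == "__main__":
    print("hash accepted:", hash_check("M"), "| forged:", hash_check("M_forged"))
    print("k_P = k_Q entailed:", entails(DH_FRAME, "k_P", "k_Q"))
    print("x_P = x_Q entailed:", entails(DH_FRAME, "x_P", "x_Q"))
    print("signature ok:", signature_ok())
    print("salted ciphertexts equal:", entails(SALTED, "y", "z"))
```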
This equivalence is closed under parallel composition (if $P$ and $Q$ behave the same, then so will $P \mid R$ and $Q \mid R$ for any agent $R$) and restriction (if $P$ and $Q$ behave the same, then so will $(\nu a)P$ and $(\nu a)Q$, for any $a$).

We have that

$$\begin{aligned}
&(\nu n_P, a_P)((\!|g(n_P) = x_P|\!) \mid (\!|f(n_P, x_Q) = k_P|\!)) \mid (\nu n_Q, a_Q)((\!|g(n_Q) = x_Q|\!) \mid (\!|f(n_Q, x_P) = k_Q|\!)) \\
&\quad\sim\ (\nu k')((\!|k' = k_P|\!) \mid (\!|k' = k_Q|\!))
\end{aligned}$$

The reason is that the only condition entailed on both sides is $k_P = k_Q$; no equalities can be entailed on $x_P$ and $x_Q$. Since $\sim$ is closed under parallel composition we can add the agents:

$$\begin{aligned}
&(\nu n_P, a_P)((\!|g(n_P) = x_P|\!) \mid (\!|f(n_P, x_Q) = k_P|\!)) \mid (\nu n_Q, a_Q)((\!|g(n_Q) = x_Q|\!) \mid (\!|f(n_Q, x_P) = k_Q|\!)) \mid P_{k_P} \mid Q_{k_Q} \\
&\quad\sim\ (\nu k')((\!|k' = k_P|\!) \mid (\!|k' = k_Q|\!)) \mid P_{k_P} \mid Q_{k_Q}
\end{aligned}$$

Since $\sim$ is closed under the restriction operator:

$$\begin{aligned}
&(\nu k_P, k_Q)\big((\nu n_P, a_P)((\!|g(n_P) = x_P|\!) \mid (\!|f(n_P, x_Q) = k_P|\!)) \mid (\nu n_Q, a_Q)((\!|g(n_Q) = x_Q|\!) \mid (\!|f(n_Q, x_P) = k_Q|\!)) \mid P_{k_P} \mid Q_{k_Q}\big) \\
&\quad\sim\ (\nu k_P, k_Q)\big((\nu k')((\!|k' = k_P|\!) \mid (\!|k' = k_Q|\!)) \mid P_{k_P} \mid Q_{k_Q}\big)
\end{aligned}$$

Finally, by the structural laws of Theorem 5.8 in Section 5.2:

$$P' \mid Q' \sim S.$$

5. Bisimilarity

In this section we define a notion of strong bisimilarity on agents and prove that it satisfies the expected algebraic laws and substitutive properties. The results hold for any psi-calculus and give us confidence in the semantic definitions.

5.1. Definition.
In the standard pi-calculus the notion of strong bisimulation is used to formalise the intuition that two agents "behave in the same way"; it is defined as a symmetric binary relation $\mathcal{R}$ satisfying the simulation property: $\mathcal{R}(P, Q)$ implies that for $\alpha$ such that $\mathrm{bn}(\alpha) \# Q$,

$$\text{if } P \xrightarrow{\alpha} P' \text{ then } Q \xrightarrow{\alpha} Q' \wedge \mathcal{R}(P', Q')$$

For a psi-calculus we additionally need to take the assertions into consideration. The behaviour of an agent is always taken with respect to an environmental assertion. We define bisimulation as a ternary relation $\mathcal{R}(\Psi, P, Q)$, saying that $P$ and $Q$ behave in the same way when the environment asserts $\Psi$. Because of this two additional issues arise. The first is that the agents can affect their environment through their frames (and not only by performing actions), and this must be represented in the definition of bisimulation. The second is that the environment (represented by $\Psi$ in $\mathcal{R}(\Psi, P, Q)$) can change, and for $P$ and $Q$ to be bisimilar they must continue to be related after such changes. This leads to the following definition of strong bisimulation.

Definition 5.1 (Bisimulation). A bisimulation $\mathcal{R}$ is a ternary relation between assertions and pairs of agents such that $\mathcal{R}(\Psi, P, Q)$ implies all of

(1) Static equivalence: $\Psi \otimes \mathcal{F}(P) \simeq \Psi \otimes \mathcal{F}(Q)$
(2) Symmetry: $\mathcal{R}(\Psi, Q, P)$
(3) Extension of arbitrary assertion: $\forall \Psi'.\ \mathcal{R}(\Psi \otimes \Psi', P, Q)$
(4) Simulation: for all $\alpha, P'$ such that $\mathrm{bn}(\alpha) \# \Psi, Q$ there exists a $Q'$ such that if $\Psi \rhd P \xrightarrow{\alpha} P'$ then $\Psi \rhd Q \xrightarrow{\alpha} Q' \wedge \mathcal{R}(\Psi, P', Q')$

We define $P \mathrel{\dot\sim_\Psi} Q$ to mean that there exists a bisimulation $\mathcal{R}$ such that $\mathcal{R}(\Psi, P, Q)$, and write $\dot\sim$ for $\dot\sim_{\mathbf{1}}$.

Clauses 2 and 4 are familiar from the pi-calculus.
Clause 1 captures the fact that the related agents have exactly the same influence on the environment through their frames, namely that when they add to the existing environment ($\Psi$) then exactly the same conditions are entailed. Clause 3 means that when the environment changes (by adding a new assertion $\Psi'$) the agents are still related.

An example may clarify the role of this clause. Let $\beta$ be a prefix and let $\varphi$ be any non-trivial condition, and consider

$$\begin{aligned}
P &= \beta.\beta.\mathbf{0} + \beta.\mathbf{0} + \beta.\,\mathbf{if}\ \varphi\ \mathbf{then}\ \beta.\mathbf{0} \\
Q &= \beta.\beta.\mathbf{0} + \beta.\mathbf{0}
\end{aligned}$$

$P$ can non-deterministically choose between three branches and $Q$ between the two first of them. Here $P$ and $Q$ are not bisimilar. If $P$ performs an action corresponding to its third case, reaching the agent $P' = \mathbf{if}\ \varphi\ \mathbf{then}\ \beta.\mathbf{0}$, there is no way that $Q$ can simulate since neither $Q' = \mathbf{0}$ nor $Q' = \beta.\mathbf{0}$ is equivalent to $P'$ in all environments. In fact, any reasonable variant of bisimulation that equates $P$ and $Q$ will not be preserved by parallel. To see this, let $T$ be $\gamma.(\!|\Psi|\!)$, where $\gamma$ is any prefix and $\Psi$ an assertion that entails $\varphi$. Then the transition $P \mid T \xrightarrow{\beta} P' \mid T$ cannot be simulated by $Q \mid T$, since $P' \mid T$ can only do an action $\gamma$ followed by an action $\beta$, whereas $\beta.\mathbf{0} \mid T$ can do $\beta$ immediately, and $\mathbf{0} \mid T$ can do no $\beta$ at all.

This demonstrates why clause 3, extension of arbitrary assertion, is necessary: it says that after each step all possible extensions of the assertion must be considered. If we would merely require this at top level, i.e. remove clause 3 and instead require $\forall \Psi.\ \mathcal{R}(\Psi, P, Q)$ in the definition of $P \mathrel{\dot\sim} Q$, the extensions would not recur; as a consequence $P$ and $Q$ in the example would be equivalent, and the equivalence would not be preserved by parallel.

For another example, consider

$$\begin{aligned}
R &= \mathbf{if}\ \varphi\ \mathbf{then}\ \beta.\,\mathbf{if}\ \varphi\ \mathbf{then}\ \beta.\mathbf{0} \\
S &= \mathbf{if}\ \varphi\ \mathbf{then}\ \beta.\beta.\mathbf{0}
\end{aligned}$$

In $R$ the condition $\varphi$ is checked twice. In general $R$ and $S$ are not equivalent.
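The role of clause 3 can be checked mechanically on the agents $P$, $Q$, $R$ and $S$ above. The following Python code is an added example, not part of the paper or its Isabelle formalisation; it assumes a constructed finite instance in which assertions are subsets of {p, q} composed by union, the only action is $\beta$, agents contain no assertions (so clause 1 holds trivially), and + is read as non-deterministic choice.

```python
from itertools import combinations

ATOMS = ("p", "q")      # constructed assertion atoms; an assertion is a set of atoms
NIL = ("nil",)          # the agent 0

def pre(agent):         # beta.P
    return ("pre", agent)

def cond(agent):        # if phi then P
    return ("if", agent)

def choice(*agents):    # P1 + P2 + ...
    return ("sum",) + agents

def assertions():
    """All assertions of the instance; composition is set union, unit is {}."""
    return [frozenset(c) for n in range(len(ATOMS) + 1)
            for c in combinations(ATOMS, n)]

def weakening(psi):     # entailment of phi that survives every extension
    return "p" in psi

def retracting(psi):    # entailment of phi that the atom q withdraws again
    return "p" in psi and "q" not in psi

def steps(psi, agent, entails):
    """Derivatives of agent after one beta action in environment psi."""
    kind = agent[0]
    if kind == "pre":
        return {agent[1]}
    if kind == "if":
        return steps(psi, agent[1], entails) if entails(psi) else set()
    if kind == "sum":
        return set().union(*(steps(psi, a, entails) for a in agent[1:]))
    return set()

def subterms(agent):
    found = {agent}
    for sub in agent[1:]:
        found |= subterms(sub)
    return found

def largest_relation(p, q, entails, recurring):
    """Greatest relation satisfying clauses 2 and 4, and clause 3 if recurring."""
    agents = subterms(p) | subterms(q)
    worlds = assertions()
    rel = {(w, a, b) for w in worlds for a in agents for b in agents}

    def ok(w, a, b):
        if (w, b, a) not in rel:                                   # clause 2
            return False
        if recurring and any((w | e, a, b) not in rel for e in worlds):
            return False                                           # clause 3
        return all(any((w, a2, b2) in rel for b2 in steps(w, b, entails))
                   for a2 in steps(w, a, entails))                 # clause 4

    while True:
        bad = {t for t in rel if not ok(*t)}
        if not bad:
            return rel
        rel -= bad

def bisimilar(p, q, entails, recurring=True):
    rel = largest_relation(p, q, entails, recurring)
    if recurring:
        return (frozenset(), p, q) in rel      # related under the unit assertion
    # Variant from the text: no clause 3, but all assertions required at top level.
    return all((w, p, q) in rel for w in assertions())

P_AGENT = choice(pre(pre(NIL)), pre(NIL), pre(cond(pre(NIL))))
Q_AGENT = choice(pre(pre(NIL)), pre(NIL))
R_AGENT = cond(pre(cond(pre(NIL))))
S_AGENT = cond(pre(pre(NIL)))

if __name__ == "__main__":
    print("P ~ Q with clause 3:", bisimilar(P_AGENT, Q_AGENT, weakening))
    print("P ~ Q, top level only:", bisimilar(P_AGENT, Q_AGENT, weakening, False))
    print("R ~ S, entailment with weakening:", bisimilar(R_AGENT, S_AGENT, weakening))
    print("R ~ S, entailment without:", bisimilar(R_AGENT, S_AGENT, retracting))
```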
To see this, let $\Psi$ and $\Psi'$ be such that $\Psi \vdash \varphi$ and $\Psi \otimes \Psi' \nvdash \varphi$. We then have that $\Psi \rhd R \xrightarrow{\beta} \mathbf{if}\ \varphi\ \mathbf{then}\ \beta.\mathbf{0}$ and it cannot be simulated by $\Psi \rhd S \xrightarrow{\beta} \beta.\mathbf{0}$ because of the recurring clause of extension of arbitrary assertion: $\mathbf{if}\ \varphi\ \mathbf{then}\ \beta.\mathbf{0}$ has no transition in the environment $\Psi \otimes \Psi'$. However, if the entailment relation satisfies weakening, i.e. $\Psi \vdash \varphi \Rightarrow \Psi \otimes \Psi' \vdash \varphi$, we get the intuitive result that $R$ and $S$ are bisimilar.

This also demonstrates the inadequacy of the smaller and simpler definition of $\dot\sim$ as the largest relation satisfying

$$\text{if } \forall \Psi.\ \Psi \rhd P \xrightarrow{\beta} P' \text{ then } \Psi \rhd Q \xrightarrow{\beta} Q' \wedge P' \mathrel{\dot\sim} Q'$$

The difference is that here bisimulation recurringly requires to hold for all assertions, not only for those that are extensions of the ones passed so far. This would have the unintuitive effect of making $R$ and $S$ in the example above non-bisimilar, even if weakening holds.

If there are inconsistent assertions, i.e. assertions that entail all conditions, the effect of Clause 3 is very strong: bisimilar agents are required to behave the same even if the environment is inconsistent. For example, in this situation the agent $(\nu a)a.\mathbf{0}$ is not equivalent to $\mathbf{0}$, since an inconsistent assertion can make all names channel equivalent, and therefore $(\nu a)a.\mathbf{0}$ has actions with all names except $a$ as subject. The algebraic properties to follow hold for all psi-calculi, including those with inconsistent assertions. It remains to be seen if and how bisimulation in such psi-calculi is useful to model applications.

Interestingly, there is an alternative way to define bisimulation as a binary relation preserved by parallel contexts.

Definition 5.2 (Context bisimulation).
A context bisimulation $\mathcal{R}$ is a binary relation on agents such that $\mathcal{R}(P, Q)$ implies all of

(1) Static equivalence: $\mathcal{F}(P) \simeq \mathcal{F}(Q)$
(2) Symmetry: $\mathcal{R}(Q, P)$
(3) Extension of contextual assertion: $\forall \Psi.\ \mathcal{R}((\!|\Psi|\!) \mid P,\ (\!|\Psi|\!) \mid Q)$
(4) Simulation: for all $\alpha, P'$ such that $\mathrm{bn}(\alpha) \# Q$ there exists a $Q'$ such that if $\mathbf{1} \rhd P \xrightarrow{\alpha} P'$ then $\mathbf{1} \rhd Q \xrightarrow{\alpha} Q' \wedge \mathcal{R}(P', Q')$

We define $P \mathrel{\dot\sim_c} Q$ to mean that there exists a context bisimulation $\mathcal{R}$ such that $\mathcal{R}(P, Q)$.

Such a definition is more in line with standard contextual bisimulations, and also the way bisimulation is defined in the applied pi-calculus. The drawback is that it relies on an operator in the calculus (parallel) for its definition. For conducting proofs our experience is that Definition 5.1 is preferable. We have shown that these bisimilarities coincide, i.e., the definitions result in the same bisimulation equivalence:

Theorem 5.3 (Bisimilarity and context bisimilarity coincide). $\dot\sim\ =\ \dot\sim_c$

We now show that the usual strong early bisimilarity for the pi-calculus, denoted $\dot\sim_\pi$, and bisimilarity in the instance Pi coincide.

Theorem 5.4 (pi-calculus bisimilarity and Pi bisimilarity coincide). $P \mathrel{\dot\sim_\pi} Q \Leftrightarrow [\![P]\!]_{\mathbf{Pi}} \mathrel{\dot\sim} [\![Q]\!]_{\mathbf{Pi}}$

Proof. ($\Rightarrow$): Static equivalence and extension of arbitrary assertions hold trivially since the only assertion is $\mathbf{1}$. Symmetry follows directly, and simulation follows from Lemma 3.3. ($\Leftarrow$): Symmetry follows directly, and simulation follows from Lemma 3.3.

In addition, we conjecture that Inside-outside bisimilarity for the pi-F calculus [Wis01, Definition 17] coincides with bisimilarity for the psi-calculus Fi (see Section 3.3.1).

5.2. Algebraic properties.

Our results are that bisimilarity is preserved by the operators in the expected way, and also satisfies the expected structural algebraic laws.

Theorem 5.5. For all $\Psi$:

(1) $P \mathrel{\dot\sim_\Psi} Q \implies P \mid R \mathrel{\dot\sim_\Psi} Q \mid R$.
(2) $P \mathrel{\dot\sim_\Psi} Q \implies (\nu a)P \mathrel{\dot\sim_\Psi} (\nu a)Q$ if $a \# \Psi$.
(3) $P \mathrel{\dot\sim_\Psi} Q \implies\ !P \mathrel{\dot\sim_\Psi}\ !Q$.
(4) $\forall i.\ P_i \mathrel{\dot\sim_\Psi} Q_i \implies \mathbf{case}\ \tilde\varphi : \tilde P \mathrel{\dot\sim_\Psi} \mathbf{case}\ \tilde\varphi : \tilde Q$.
(5) $P \mathrel{\dot\sim_\Psi} Q \implies \overline{M}N.P \mathrel{\dot\sim_\Psi} \overline{M}N.Q$.
(6) $(\forall \tilde L.\ P[\tilde a := \tilde L] \mathrel{\dot\sim_\Psi} Q[\tilde a := \tilde L]) \implies \underline{M}(\lambda \tilde a)N.P \mathrel{\dot\sim_\Psi} \underline{M}(\lambda \tilde a)N.Q$ if $\tilde a \# \Psi$.

Definition 5.6. $P \sim_\Psi Q$ means that for all sequences $\sigma$ of substitutions it holds that $P\sigma \mathrel{\dot\sim_\Psi} Q\sigma$, and we write $P \sim Q$ for $P \sim_{\mathbf{1}} Q$.

Our requirements on the substitution function are very weak. For example, we do not require that $P[\epsilon := \epsilon]$ (the substitution of length 0) is $P$, nor that sequences of substitutions $[\tilde x := \tilde M][\tilde y := \tilde N]$ can be combined into one. For this reason, $\sim_\Psi$ is defined by closure under sequences of substitutions rather than single substitutions $[\tilde x := \tilde M]$.

Theorem 5.7. $\sim_\Psi$ is a congruence for all $\Psi$.

Theorem 5.8. $\sim$ satisfies the following structural laws:

$$\begin{aligned}
P &\sim P \mid \mathbf{0} \\
P \mid (Q \mid R) &\sim (P \mid Q) \mid R \\
P \mid Q &\sim Q \mid P \\
(\nu a)\mathbf{0} &\sim \mathbf{0} \\
P \mid (\nu a)Q &\sim (\nu a)(P \mid Q) && \text{if } a \# P \\
\overline{M}N.(\nu a)P &\sim (\nu a)\overline{M}N.P && \text{if } a \# M, N \\
\underline{M}(\lambda \tilde x)N.(\nu a)P &\sim (\nu a)\underline{M}(\lambda \tilde x)(N).P && \text{if } a \# \tilde x, M, N \\
\mathbf{case}\ \tilde\varphi : \widetilde{(\nu a)P} &\sim (\nu a)\,\mathbf{case}\ \tilde\varphi : \tilde P && \text{if } a \# \tilde\varphi \\
(\nu a)(\nu b)P &\sim (\nu b)(\nu a)P \\
!P &\sim P \mid\ !P
\end{aligned}$$

The most awkward part of the proofs is for Theorem 5.5(1), and historically this is the proof that most often fails in calculi of this complexity; the intricate correspondences between parallel processes and their assertions are hard to get completely right. We give an outline of the proof and cover in detail the simulation case where the parallel processes communicate with each other. In the following we tacitly assume $\mathcal{F}(P) = (\nu \tilde b_P)\Psi_P$, where $\tilde b_P \# P$, for any agent $P$, unless otherwise noted.

We pick the candidate relation

$$\mathcal{R} = \{(\Psi,\ (\nu \tilde a)(P \mid R),\ (\nu \tilde a)(Q \mid R)) : P \mathrel{\dot\sim_{\Psi \otimes \Psi_R}} Q\}$$

where $\tilde a \# \Psi$, and prove that $\mathcal{R}$ is a bisimulation. Moreover we assume that $\tilde b_P \# \tilde b_Q, Q, \tilde b_R, R, \Psi$, and $\tilde b_R \# P, Q, \Psi$, or, in other words, that bound names are distinct from all free names and other bound names.

Formally the proof is conducted by an induction on the length of $\tilde a$. The induction step is straightforward, so we focus on the base case. The agent $P \mid R$ can operate either by $P$ or $R$ doing individual actions, or by $P$ and $R$ communicating, where we cover the latter case, as it is the most involved. In this case we have, by the Com rule, that $P$ does an input transition ($\Psi \otimes \Psi_R \rhd P \xrightarrow{\underline{M}N} P'$), $R$ does an output transition ($\Psi \otimes \Psi_P \rhd R \xrightarrow{\overline{K}(\nu \tilde a)N} R'$), and that the subjects of the transitions are channel equivalent ($\Psi \otimes \Psi_P \otimes \Psi_R \vdash M \mathrel{\dot\leftrightarrow} K$). The resulting communication between $P$ and $R$ is thus $\Psi \rhd P \mid R \xrightarrow{\tau} (\nu \tilde a)(P' \mid R')$. To complete this step of the proof we need to find a $Q'$ such that $\Psi \rhd Q \mid R \xrightarrow{\tau} (\nu \tilde a)(Q' \mid R')$, and $(\Psi, (\nu \tilde a)(P' \mid R'), (\nu \tilde a)(Q' \mid R')) \in \mathcal{R}$.

The presence of assertions in the transitions complicates the proof. We know that $P \mathrel{\dot\sim_\Psi} Q$, and hence by Definition 5.1(3) that $P \mathrel{\dot\sim_{\Psi \otimes \Psi_R}} Q$. Since $\Psi \otimes \Psi_R \rhd P \xrightarrow{\underline{M}N} P'$, we can obtain a $Q'$ such that $\Psi \otimes \Psi_R \rhd Q \xrightarrow{\underline{M}N} Q'$ and $P' \mathrel{\dot\sim_{\Psi \otimes \Psi_R}} Q'$. However, this transition cannot communicate with $\Psi \otimes \Psi_P \rhd R \xrightarrow{\overline{K}(\nu \tilde a)N} R'$, since that transition is derived by the assertion $\Psi \otimes \Psi_P$, and not $\Psi \otimes \Psi_Q$. Moreover, $M$ and $K$ are channel equivalent by the assertion $\Psi \otimes \Psi_P \otimes \Psi_R$, and not $\Psi \otimes \Psi_Q \otimes \Psi_R$, which would be needed to derive the desired communication. In order to complete the proof, we need a lemma which switches the occurrences of $\Psi_P$ to $\Psi_Q$ in the transition of $R$, as well as in the channel equality.
Once a communication has been derived, we must prove that the corresponding derivatives $(\nu \tilde a)(P' \mid R')$ and $(\nu \tilde a)(Q' \mid R')$ are in the candidate relation $\mathcal{R}$. From the definition of $\mathcal{R}$ we get that this holds if $P' \mathrel{\dot\sim_{\Psi \otimes \Psi_{R'}}} Q'$, but we only know that $P' \mathrel{\dot\sim_{\Psi \otimes \Psi_R}} Q'$. In order to complete the proof, $P'$ and $Q'$ must be bisimilar in the assertion $\Psi \otimes \Psi_{R'}$, and not only in $\Psi \otimes \Psi_R$.

We provide lemmas which will address both of these obstacles in turn, after which this proof will be concluded. Lemma 5.11 simultaneously changes the assertion deriving the transition for $R$, and the channel equality, and Lemmas 5.12 and 5.13 ensure that the derivatives of the communicating agents are in the candidate relation $\mathcal{R}$. Lemmas 5.9 and 5.10 are two generally applicable lemmas used to prove Lemma 5.11.

We define $\mathrm{subj}(\overline{M}(\nu \tilde a)N) = M$ and similarly for input actions. The first lemma shows that given a finite set of names $B$ that are fresh for $P$ we can find a term $M$ channel equivalent to the subject of an action from $P$ whose names are fresh for $B$.

Lemma 5.9 (Find equivalent term).

$$\begin{aligned}
&B \subseteq \mathcal{N} \wedge B \text{ finite} \wedge B \# P\ \wedge \\
&\Psi \rhd P \xrightarrow{\alpha} P' \text{ where } \alpha \neq \tau\ \wedge \\
&\tilde b_P \# \Psi, P, \mathrm{subj}(\alpha), B \\
&\implies \exists M.\ B \# M \wedge \Psi \otimes \Psi_P \vdash M \mathrel{\dot\leftrightarrow} \mathrm{subj}(\alpha)
\end{aligned}$$

Proof. A straightforward induction on the length of the derivation of the transition. In the base case we choose $M$ as the prefix in the agent.

The next lemma shows that given a transition we can find another transition whose subject is channel equivalent to the subject of the original transition and that leads to the same derivative as the original transition.

Lemma 5.10 (Rewrite subject).

$$\begin{aligned}
&\Psi \rhd P \xrightarrow{\overline{M}(\nu \tilde a)N} P'\ \wedge \\
&\Psi \otimes \Psi_P \vdash K \mathrel{\dot\leftrightarrow} M\ \wedge \\
&\tilde b_P \# \Psi, P, K, M \\
&\implies \Psi \rhd P \xrightarrow{\overline{K}(\nu \tilde a)N} P'
\end{aligned}$$

The symmetric lemma where $P$ does an input is omitted.

Proof.
A straightforward induction on the length of the derivation of the transition.

We can now prove the lemma which allows us to simultaneously switch the assertions deriving a transition, as well as channel equality in a communication. This lemma looks a bit intimidating and the proof details can safely be skipped at a first reading. It says that if $P$ and $Q$ are bisimilar and $P$ can communicate with $R$ via the channel $K$, then there exists a channel $K'$ such that $Q$ can communicate with $R$ via $K'$.

Lemma 5.11 (Switching).

$$\begin{aligned}
&P \mathrel{\dot\sim_{\Psi \otimes \Psi_R}} Q\ \wedge \\
&\Psi \otimes \Psi_R \rhd P \xrightarrow{\underline{M}N} P'\ \wedge \\
&\Psi \otimes \Psi_P \rhd R \xrightarrow{\overline{K}(\nu \tilde a)N} R'\ \wedge \\
&\Psi \otimes \Psi_P \otimes \Psi_R \vdash K \mathrel{\dot\leftrightarrow} M\ \wedge \\
&\tilde b_R \# \tilde b_P, \tilde b_Q, \Psi, P, Q, R, K\ \wedge \\
&\tilde b_Q \# \Psi, R, P, Q, M\ \wedge \\
&\tilde b_P \# R, M, \Psi \\
&\implies \exists K'.\ \Psi \otimes \Psi_Q \rhd R \xrightarrow{\overline{K'}(\nu \tilde a)N} R' \wedge \Psi \otimes \Psi_Q \otimes \Psi_R \vdash K' \mathrel{\dot\leftrightarrow} M \wedge \tilde b_R \# K'
\end{aligned}$$

There is also a symmetric lemma where $R$ does an input.

Proof. By induction on the length of the derivation of the transition from $R$. We only look at one base case and one induction step here. The other cases are similar.

Out: In this case $R = \overline{K_s}N.R'$ for some term $K_s$, and the transition is derived like this:

$$\text{Out}\ \frac{\Psi \otimes \Psi_P \vdash K_s \mathrel{\dot\leftrightarrow} K}{\Psi \otimes \Psi_P \rhd \overline{K_s}N.R' \xrightarrow{\overline{K}N} R'}$$

Since $\tilde b_P \# \Psi, R$ we get that $\Psi \otimes \mathcal{F}(P) \vdash K_s \mathrel{\dot\leftrightarrow} K_s$. This in turn gives us that $\Psi \otimes \mathcal{F}(Q) \vdash K_s \mathrel{\dot\leftrightarrow} K_s$, which means that $\Psi \otimes \Psi_Q \vdash K_s \mathrel{\dot\leftrightarrow} K_s$. We then establish the first conjunct by:

$$\text{Out}\ \frac{\Psi \otimes \Psi_Q \vdash K_s \mathrel{\dot\leftrightarrow} K_s}{\Psi \otimes \Psi_Q \rhd \overline{K_s}N.R' \xrightarrow{\overline{K_s}N} R'}$$

For the second conjunct, we have that $\Psi \otimes \Psi_P \vdash K_s \mathrel{\dot\leftrightarrow} K$ and that $\Psi \otimes \Psi_P \otimes \mathbf{1} \vdash K \mathrel{\dot\leftrightarrow} M$ (since in this case $\Psi_R$ is $\mathbf{1}$). Identity and transitivity then give us that $\Psi \otimes \Psi_P \vdash K_s \mathrel{\dot\leftrightarrow} M$. Since $\tilde b_P \# R, M$ we have that $\Psi \otimes \mathcal{F}(P) \vdash K_s \mathrel{\dot\leftrightarrow} M$ and since $P$ and $Q$ are bisimilar we also have that $\Psi \otimes \mathcal{F}(Q) \vdash K_s \mathrel{\dot\leftrightarrow} M$. We finally get $\Psi \otimes \Psi_Q \vdash K_s \mathrel{\dot\leftrightarrow} M$. The third conjunct is trivial since $\tilde b_R$ is empty.
Scope: In this case $R = (\nu b)R'$ for some name $b$ and the transition is derived like this:

$$\text{Scope}\ \frac{\Psi \otimes \Psi_P \rhd R' \xrightarrow{\overline{K}(\nu \tilde a)N} R''}{\Psi \otimes \Psi_P \rhd (\nu b)R' \xrightarrow{\overline{K}(\nu \tilde a)N} (\nu b)R''}\ b \# \overline{K}(\nu \tilde a)N, \Psi$$

Let $b \# \tilde b_P, \tilde b_Q, P, Q$. Note that by definition we have $\Psi_{(\nu b)R'} = \Psi_{R'}$. We also have that

$$\tilde b_{(\nu b)R'} \# \tilde b_P, \tilde b_Q, \Psi, P, Q, (\nu b)R', K \implies \tilde b_{R'} \# \tilde b_P, \tilde b_Q, \Psi, P, Q, R', K$$

and that

$$\tilde b_{(\nu b)R'} \# \tilde b_P, \tilde b_Q \wedge \tilde b_P, \tilde b_Q \# (\nu b)R' \wedge b \# \tilde b_P, \tilde b_Q \implies \tilde b_P, \tilde b_Q \# R'.$$

From the induction hypothesis we then get that $\Psi \otimes \Psi_Q \rhd R' \xrightarrow{\overline{K'}(\nu \tilde a)N} R''$, $\Psi \otimes \Psi_Q \otimes \Psi_{R'} \vdash M \mathrel{\dot\leftrightarrow} K'$, and that $\tilde b_{R'} \# K'$. From the fact that $P$ and $Q$ are bisimilar we get that $\Psi \otimes \Psi_{(\nu b)R'} \rhd Q \xrightarrow{\underline{M}N} Q'$. Let $B = \{b\} \cup \tilde b_{R'}$. By Lemma 5.9 we learn that there exists a term $K''$ such that $\Psi \otimes \Psi_{(\nu b)R'} \otimes \Psi_Q \vdash K'' \mathrel{\dot\leftrightarrow} M$, fulfilling the second obligation, and that $B \# K''$. This gives us that $\tilde b_{R'}, b \# K''$. By transitivity we then get that $\Psi \otimes \Psi_{(\nu b)R'} \otimes \Psi_Q \vdash K' \mathrel{\dot\leftrightarrow} K''$. We now use Lemma 5.10 to get that $\Psi \otimes \Psi_Q \rhd R' \xrightarrow{\overline{K''}(\nu \tilde a)N} R''$. Finally we do the following derivation:

$$\text{Scope}\ \frac{\Psi \otimes \Psi_Q \rhd R' \xrightarrow{\overline{K''}(\nu \tilde a)N} R''}{\Psi \otimes \Psi_Q \rhd (\nu b)R' \xrightarrow{\overline{K''}(\nu \tilde a)N} (\nu b)R''}\ b \# \overline{K''}(\nu \tilde a)N, \Psi$$

That $\tilde b_{(\nu b)R'} \# K''$ follows from $B \# K''$.

The following lemma proves that when an agent performs a transition, its frame is extended with a new assertion ($\Psi'$ below):

Lemma 5.12. If $\Psi \rhd R \xrightarrow{M\,N} R'$ and $\tilde b_R \# R, N, C$ where $C$ is a set of names, then $\exists \Psi', \tilde b_{R'}, \Psi_{R'}$ such that $\mathcal{F}(R') = (\nu \tilde b_{R'})\Psi_{R'} \wedge \Psi_R \otimes \Psi' \simeq \Psi_{R'} \wedge \tilde b_{R'} \# C, R'$.

Proof. A straightforward induction on the length of the derivation of the transition.
Finally, we need a lemma which allows us to switch the environment for a bisimulation for an equivalent one.

Lemma 5.13. If $\Psi \rhd P \mathrel{\dot\sim} Q$ and $\Psi \simeq \Psi'$ then $\Psi' \rhd P \mathrel{\dot\sim} Q$.

Proof. The candidate relation for the bisimulation is $\mathcal{R} = \{(\Psi', P, Q) : \Psi \rhd P \mathrel{\dot\sim} Q \wedge \Psi \simeq \Psi'\}$. The four cases are proved separately.

Case 1: Follows from the fact that $\otimes$ is compositional, where the bound names of the frames of $P$ and $Q$ are alpha-converted not to clash with $\Psi'$.
Case 2: $\mathcal{S}$ is trivially symmetric, since $\dot\sim$ and $\simeq$ are symmetric.
Case 3: Follows from the fact that $\otimes$ is compositional.
Case 4: From the definition of $\dot\sim$ and the transition $\Psi \rhd P \xrightarrow{\alpha} P'$, we obtain a $Q'$ s.t. $\Psi \rhd Q \xrightarrow{\alpha} Q'$ and $\Psi \rhd P' \mathrel{\dot\sim} Q'$. By induction on the derivation of this transition, and the fact that $\Psi \simeq \Psi'$, we get that $\Psi' \rhd Q \xrightarrow{\alpha} Q'$. Moreover, since $\Psi \rhd P' \mathrel{\dot\sim} Q'$ and $\Psi \simeq \Psi'$ we have that $(\Psi', P', Q') \in \mathcal{S}$.

With these lemmas in place we complete the proof of Theorem 5.5(1) commenced at the beginning of this section. The case we are proving is when $P \mid R$ performs a communication. We must find a corresponding transition from $Q \mid R$ such that the derivatives remain in the candidate relation $\mathcal{R}$. The agents $P$ and $R$ can communicate using the following derivation.

$$\text{Com}\ \frac{\Psi_R \otimes \Psi \rhd P \xrightarrow{\overline{M}(\nu \tilde a)N} P' \qquad \Psi_P \otimes \Psi \rhd R \xrightarrow{\underline{K}N} R' \qquad \Psi \otimes \Psi_P \otimes \Psi_R \vdash M \mathrel{\dot\leftrightarrow} K}{\Psi \rhd P \mid R \xrightarrow{\tau} (\nu \tilde a)(P' \mid R')}\ \tilde a \# R$$

Our goal is to replace $P$ with $Q$ in the premises so that we can derive the simulating transition. Let $\mathcal{F}(Q) = (\nu \tilde b_Q)\Psi_Q$ be such that $\tilde b_Q \# P, \tilde b_R, R, \Psi, M$. We use Lemma 5.11 to obtain $\Psi_Q \otimes \Psi \rhd R \xrightarrow{\underline{K'}N} R'$ and $\Psi \otimes \Psi_Q \otimes \Psi_R \vdash M \mathrel{\dot\leftrightarrow} K'$. Since $P$ and $Q$ are bisimilar we have that $\Psi \otimes \Psi_R \rhd Q \xrightarrow{\overline{M}(\nu \tilde a)N} Q'$. We then derive the following:

$$\text{Com}\ \frac{\Psi_R \otimes \Psi \rhd Q \xrightarrow{\overline{M}(\nu \tilde a)N} Q' \qquad \Psi_Q \otimes \Psi \rhd R \xrightarrow{\underline{K'}N} R' \qquad \Psi \otimes \Psi_Q \otimes \Psi_R \vdash M \mathrel{\dot\leftrightarrow} K'}{\Psi \rhd Q \mid R \xrightarrow{\tau} (\nu \tilde a)(Q' \mid R')}\ \tilde a \# R$$

We know that $P' \mathrel{\dot\sim_{\Psi \otimes \Psi_R}} Q'$ and by clause 3 in the definition of bisimulation (extension of arbitrary assertion) that $P' \mathrel{\dot\sim_{\Psi \otimes \Psi_R \otimes \Psi'}} Q'$ for any $\Psi'$. By Lemma 5.12 we know that there exists a $\Psi''$ such that $\Psi_R \otimes \Psi'' \simeq \Psi_{R'}$, so in particular, using Lemma 5.13, we have that $P' \mathrel{\dot\sim_{\Psi \otimes \Psi_{R'}}} Q'$. We then conclude that $(\Psi, (\nu \tilde a)(P' \mid R'), (\nu \tilde a)(Q' \mid R')) \in \mathcal{R}$.

The proofs of Theorems 5.3 and 5.5–5.8 follow a similar pattern, using induction over the lengths of the derivations of the transitions. The part we have just shown is the most challenging. Further proofs are found in [Joh10].

6. Formalisation in Isabelle

As the complexities of calculi increase, the proofs become more complicated and therefore more error prone. In Section 3 we discussed how both the applied pi-calculus and the concurrent constraint pi-calculus have turned out to be non-compositional. This hints at the complexity of the proofs and the difficulty of getting them right.

Our proofs for psi-calculi are also sometimes long and intricate. For example, the proof sketch of Theorem 5.5(1), described in the previous section, is substantially more complicated than its corresponding proof for the pi-calculus. However, we emphasise that the proof is not substantially different in structure: it is just a set of properties of transitions, all established by induction over the definition of the semantics. In this, psi-calculi are simpler than many other calculi that rely on stratified definitions of the semantics with devices such as a structural congruence.

In order to ensure that proofs are correct, automated and interactive proof assistants or theorem provers can be used to formally verify the proofs with the aid of a computer.
We have completely formalised all results in Section 5, with the exception of Theorem 5.4, in the interactive theorem prover Isabelle. To the best of our knowledge, no calculus of this complexity has previously been formalised in a theorem prover. We have earlier [BP07] formalised a substantial part of the pi-calculus meta-theory in Isabelle. This section will cover the main extensions needed to formalise the framework for psi-calculi. More in-depth expositions are found in [BP09, Ben10].

6.1. Alpha-equivalence.

The main difficulty with formalising any process algebra in a theorem prover is to reason about alpha-equivalence in a convenient way. When conducting manual proofs on paper this notion is often glossed over, and statements such as "we assume any bound name under consideration to be sufficiently fresh" are commonplace. For machine checked proofs this poses a problem. Exactly what does it mean for a bound name to be sufficiently fresh?

We use Nominal Isabelle [Urb08] to formalise datatypes with binders, and to reason about them up to alpha-equivalence; in other words, all our proofs deal with alpha equivalence classes rather than with particular representatives. As usual alpha variants of agents are identified, so e.g. $(\nu a)P = (\nu b)((a\ b) \cdot P)$, when $b \# P$, and similarly for names bound in the input construct. Formally, name swapping on agents distributes over all constructors, and substitution on agents avoids captures by binders through alpha-conversion as usual. In that way Nominal Isabelle provides an alpha-equivalence class of agents where the support of $P$ is the union of the supports of the components of $P$, removing the bound names. This corresponds to the names with a free occurrence in $P$.
Frames contain binders and we reason about their alpha equivalence classes in the same way. Also, transitions contain binders. Consider the output transition $\Psi \rhd P \xrightarrow{\overline{M}(\nu \tilde a)N} P'$. To be completely formal, as described in [BP07], $\tilde a$ is a binding occurrence with a scope that contains both $N$ and $P'$. We accomplish this by creating a datatype containing both an action and the derivative process as follows.

Definition 6.1 (Residuals). A residual with the action $\alpha$ and the derivative $P'$ is written $\alpha \prec P'$. Thus we have the following three forms of residuals:

$$\begin{array}{ll}
\overline{M}(\nu \tilde a)N \prec P' & \text{Output} \\
\underline{M}N \prec P' & \text{Input} \\
\tau \prec P' & \text{Silent}
\end{array}$$

In the Output residual, $\tilde a$ binds into both $N$ and $P'$.

In this way we get a nominal datatype of residuals where name swapping just distributes to its components and the support is the free names. A transition is then simply a pair consisting of an agent and a residual. Again, Nominal Isabelle allows us to reason about alpha equivalence classes of transitions. Typically a property of transitions is established by induction, with one case for each rule. This means that we assume the property of the premise of the rule, and must establish it for the conclusion. Since we work with alpha equivalence classes it is enough to establish the property for one representative of the alpha equivalence class. This formalises the principle that we may always pick bound names fresh.

Datatypes for agents, frames and transitions in Nominal Isabelle require sequences of binders, e.g. in the input prefix and in the output action. It is important to reason about arbitrarily long binding sequences as atomic objects, otherwise there would be a constant need for inductive proofs over the length of these sequences.
Nominal Isabelle only supports single binders, and we have therefore created infrastructure to reason about arbitrarily long binding sequences. When alpha-converting a binding sequence, we generate a name permutation $p$ which when applied to the sequence makes it sufficiently fresh. The same permutation is then applied to everything under the scope of the binders, for example:

$$\underline{M}(\lambda \tilde x)N.P = \underline{M}(\lambda p \cdot \tilde x)(p \cdot N).(p \cdot P) \quad \text{if } p \subseteq \tilde x \times (p \cdot \tilde x) \text{ and } (p \cdot \tilde x) \# (N, P)$$

The side condition of this alpha-conversion looks a bit intimidating, but intuitively $p$ swaps members of the original binding sequence to other names such that the resulting binding sequence meets the desired freshness constraints. This style of alpha-conversion was first introduced by Urban and Berghofer, although to the best of our knowledge it is still unpublished. We cover it more extensively in [BP09].

6.2. Formalising parametric calculi.

The framework for psi-calculi is a parametric formalism. A psi-calculus agent consists of terms, assertions and conditions. This is modelled in Isabelle by creating a polymorphic datatype with three type variables. A psi-calculus agent will thus have the type $(\alpha, \beta, \gamma)\ psi$, where $\alpha$, $\beta$, and $\gamma$ represent terms, assertions, and conditions respectively. All members of these types need to have finite support.

Isabelle has excellent facilities for a parametric style of reasoning through the use of locales [Bal03]. Locales allow us to specify which functions must exist for the parameters, and which assumptions must hold on them. The entire proof structure of the meta theory is then built using the provided locale parameters. When creating a psi-calculus instance, the functions must be provided and the assumptions must be proved.
Once this is done, all meta-theoretical proofs will be guaranteed to hold for the new instance.

One requirement from Section 2.1 is that there is a substitution function which substitutes terms for names in assertions, conditions and terms. To this end, a locale is created with a substitution function of type $\delta \to name\ list \to \alpha\ list \to \delta$, where the type $\alpha$ will be what we use for terms, and the type $\delta$ can be any of the three nominal sets. The locale contains the following assumptions, which implement the requirements of a substitution function mentioned in Section 2.1:

Equivariance: $p \cdot (X[\tilde x := \tilde T]) = (p \cdot X)[(p \cdot \tilde x) := (p \cdot \tilde T)]$
Freshness: if $\tilde x \subseteq \mathrm{n}(X)$ and $a \# X[\tilde x := \tilde T]$ then $a \# \tilde T$
Alpha-equivalence: if $p \subseteq \tilde x \times (p \cdot \tilde x)$ and $(p \cdot \tilde x) \# X$ then $X[\tilde x := \tilde T] = (p \cdot X)[(p \cdot \tilde x) := \tilde T]$

The assumptions on this locale are straightforward. As all functions in any nominal formalisation, substitution must be equivariant. Freshness is a reformulation of requirement 1 in Section 2.1. Similarly, Alpha-equivalence is requirement 2. Intuitively this means that the vector being substituted is switched to one which is sufficiently fresh. As an example of its use, consider the Input rule.

$$\text{In}\ \frac{\Psi \vdash M \mathrel{\dot\leftrightarrow} K}{\Psi \rhd \underline{M}(\lambda \tilde y)N.P \xrightarrow{\underline{K}N[\tilde y := \tilde L]} P[\tilde y := \tilde L]}$$

If a proof requires the input agent to be alpha-converted to $\underline{M}(\lambda p \cdot \tilde y)(p \cdot N).(p \cdot P)$ such that $p \cdot \tilde y$ is sufficiently fresh, it is necessary to convert $N[\tilde y := \tilde L]$ to $(p \cdot N)[(p \cdot \tilde y) := \tilde L]$, and $P[\tilde y := \tilde L]$ to $(p \cdot P)[(p \cdot \tilde y) := \tilde L]$ to still be able to derive the input transition. The last constraint accomplishes this. This locale is then instantiated three times: for terms, assertions and conditions respectively.

The nominal morphisms in Definition 2.1 are modelled in a locale which specifies their existence and equivariance properties.
Inside this locale we also define equivalence for assertions and frames and provide an infrastructure for reasoning about equivalence. This locale is then extended with the requisites in Definition 2.3. Finally, the substitution locale is combined with the locale for equivalence to form an environment in which the rest of the theories can be proved. The locales offer a very intuitive way of reasoning about parametric systems, and without them this formalisation would have been very hard.

6.3. Encoding partial operators. In Definition 2.6, there is a well-formedness condition that all agents occurring under a Case or Replication operator must be guarded. Formally, this means that these operators are not total. For example, $(|\Psi|)$ is an agent but $!(|\Psi|)$ is not. To represent this in Isabelle, we take the technically easiest approach to augment the Case and the Rep-rules of the operational semantics with a premise that the agents they operate on are guarded. In effect this allows non well-formed agents, but they have no transitions and are all bisimilar to $\mathbf{0}$. All Isabelle proofs hold for all agents, so in particular they hold for all well-formed agents. Therefore the Isabelle formalisation establishes the theorems presented in this paper. A few lemmas, for example that bisimilarity is preserved by Replication, need an extra premise that the agents are guarded, but in the vast majority of lemmas the necessary properties follow from the operational semantics.

An alternative would be to constrain the datatype representing agents to well-formed agents and thus ensure that all inhabitants of that type meet the required constraints.
This more closely resembles Definition 2.6, and would be the method of choice for use with a theorem prover such as Coq that supports dependent typing. There the well-formedness conditions can be integrated into the psi-datatypes, i.e. for all proofs we can assume that we are only dealing with well-formed agents. The downside of this approach is that whenever an agent is constructed, a proof that it is well-formed must also be supplied.

A third option to encode partial operators would be to decorate all lemmas which use the well-formedness property with an assumption that the agents are well-formed. We avoided this since it would clutter up a significant amount of lemmas with extra premises.

6.4. Results and experiences. Using Isabelle to formalise the proofs for psi-calculi in parallel to its development has turned out to be invaluable, and we would certainly not have finished successfully without it. Throughout the development we have uncountable times stumbled over slightly incorrect definitions and not quite correct lemmas, prompting frequent changes in the framework. For example, our mistake in [JPVB08] mentioned in Section 2.6 was found during proof mechanisation and would probably not have been found at all without it; at that time we had completed a manual “proof” that turned out incorrect.

The Isabelle formalisation gives us a high degree of confidence in the proved theorems, and equally important, it gives us a repository of proofs and proof strategies that can be re-used when some detail needs to change. Finding out which ramifications a change has on the proofs is quick and straightforward. With manual proofs, changing a detail would mean the boring and dangerously error prone process of going over each proof by hand.
As just one example, in a previous version, the Case rule looked as follows:

$$\textsc{Old-Case}\quad \frac{\Psi \vdash \varphi_i}{\Psi \rhd \mathbf{case}\ \tilde{\varphi} : \tilde{P} \xrightarrow{\tau} P_i}$$

In this rule, the choice of which branch to take in a case statement yields an internal action, after which the process $P$ evaluates as usual. An implication is that the requirement that $P$ is guarded can be omitted. We initially adopted this rule since it admits simpler induction proofs. At a quite late stage we decided to change it to the present rule, since this more closely resembles what is used in similar calculi. The change prompted a rework of the entire proof tree from the semantics and up. The total effort was approximately eight hours, and we now know that the new rule does not cause any problems.

Currently we have formally proved Theorems 5.3, 5.5–5.8 using Isabelle, including all supporting lemmas. The entire implementation in Isabelle is about 18000 lines of code. It includes infrastructure for smooth treatment of binding sequences, and it has developed gradually over two years. The total effort for the present framework is hard to assess, since it has followed us through many failed attempts and false starts. Once in place the marginal effort of formalising more results is manageable. As an example, the total effort in proving Theorem 5.3, which was one of the last things we implemented, was less than one day.

7. Conclusion and Further Work

We have defined a framework for mobile process calculi, parametrised on nominal types for data terms and for a logic to express assertions and conditions. The expressiveness surpasses the most advanced competing calculi. The semantics is a single inductive definition, which means that proofs are comparatively easy.
We have fully formalised the framework in the interactive theorem prover Isabelle, which gives us full confidence in our results on bisimulation and provides a readily available infrastructure for conducting proofs of many instances and variants.

In [JVP10] we develop a symbolic semantics and bisimulation equivalence, and prove full abstraction with regards to $\sim$. This kind of semantics is essential for reducing the state space explosion when exploring transitions and comparing for equivalence, making it ideal for use in automated tools. In [JBPV10] we explore weak bisimulation equivalence, where $\tau$ actions are considered unobservable. Our results indicate that the presence of assertions significantly complicates the definitions, in contrast to the situation with strong bisimulation. Interestingly, for psi-calculi that satisfy weakening (i.e. $\Psi \vdash \varphi \implies \Psi \otimes \Psi' \vdash \varphi$) the definitions can be greatly simplified. We also investigate a barbed equivalence and determine what kind of observations are needed for full abstraction. The current development of psi-calculi is covered in [Joh10] and the associated formalisation in Isabelle is accounted for in [Ben10].

We intend to explore typed psi-calculi. One idea is to find out what properties the type system must have in order for the usual theorems such as subject reduction to hold. We are also considering variants of psi-calculi with broadcast communication, where one sender may communicate directly with several receivers, and higher order communication, where agent definitions can be transmitted and executed by the recipient. It seems that both these variants can be accommodated with very small changes of the semantics and that large parts of our formal proofs carry over.

References

[AF01] Martín Abadi and Cédric Fournet. Mobile values, new names, and secure communication.
In Proceedings of POPL ’01, pages 104–115. ACM, January 2001.
[AG99] Martín Abadi and Andrew D. Gordon. A calculus for cryptographic protocols: The Spi calculus. Journal of Information and Computation, 148(1):1–70, 1999.
[Bal03] Clemens Ballarin. Locales and locale expressions in Isabelle/Isar. In Types for Proofs and Programs, volume 3085 of Lecture Notes in Computer Science, pages 34–50. Springer, 2003.
[Ben10] Jesper Bengtson. Formalising Process Calculi. PhD thesis, Uppsala University, June 2010.
[BJPV09] Jesper Bengtson, Magnus Johansson, Joachim Parrow, and Björn Victor. Psi-calculi: Mobile processes, nominal data, and logic. In Proceedings of LICS 2009, pages 39–48. IEEE Computer Society, 2009.
[BM07] Maria Grazia Buscemi and Ugo Montanari. CC-Pi: A constraint-based language for specifying service level agreements. In Rocco De Nicola, editor, Proceedings of ESOP 2007, volume 4421 of Lecture Notes in Computer Science, pages 18–32. Springer, 2007.
[BM08] Maria Grazia Buscemi and Ugo Montanari. Open bisimulation for the concurrent constraint pi-calculus. In Sophia Drossopoulou, editor, Proceedings of ESOP 2008, volume 4960 of Lecture Notes in Computer Science, pages 254–268. Springer, 2008.
[BM09] Maria Grazia Buscemi and Ugo Montanari. Open bisimulation for the concurrent constraint pi-calculus: Errata corrige. Available from http://www.di.unipi.it/~buscemi/Errata.pdf, January 2009.
[BN05] Johannes Borgström and Uwe Nestmann. On bisimulations for the spi calculus. Mathematical Structures in Computer Science, 15(03):487–552, 2005.
[BP07] Jesper Bengtson and Joachim Parrow. Formalising the pi-calculus using nominal logic. In Proceedings of FoSSaCS 2007, volume 4423 of Lecture Notes in Computer Science, pages 63–77. Springer, 2007.
[BP09] Jesper Bengtson and Joachim Parrow. Psi-calculi in Isabelle. In Stefan Berghofer, Tobias Nipkow, Christian Urban, and Makarius Wenzel, editors, Proceedings of TPHOLs 2009, volume 5674 of Lecture Notes in Computer Science, pages 99–114. Springer, August 2009.
[Bus09] Maria Grazia Buscemi. Personal communication, January 2009.
[CM03] Marco Carbone and Sergio Maffeis. On the expressive power of polyadic synchronisation in π-calculus. Nordic Journal of Computing, 10(2):70–98, 2003.
[CRZ07] Véronique Cortier, Michael Rusinowitch, and Eugen Zalinescu. Relating two standard notions of secrecy. Logical Methods in Computer Science, 3(3), 2007.
[CS01] Tom Chothia and Ian Stark. A distributed calculus with local areas of communication. In HLCL ’00: Proceedings of the 4th International Workshop on High-Level Concurrent Languages, volume 41.2 of Electronic Notes in Theoretical Computer Science. Elsevier, 2001.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, 1976.
[DKR07] Stéphanie Delaune, Steve Kremer, and Mark D. Ryan. Symbolic bisimulation for the applied pi-calculus. In V. Arvind and Sanjiva Prasad, editors, Proceedings of FSTTCS’07, volume 4855 of Lecture Notes in Computer Science, pages 133–145. Springer, December 2007.
[DRV98] Juan F. Diaz, Camilo Rueda, and Frank D. Valencia. Pi+-calculus: A calculus for concurrent processes with constraints. CLEI Electronic Journal, 1(2), 1998. Proceedings of CLEI’97, Valparaiso, Chile.
[Fu97] Yuxi Fu. A proof-theoretical approach to communication. In Pierpaolo Degano, Roberto Gorrieri, and Alberto Marchetti-Spaccamela, editors, Proceedings of ICALP ’97, volume 1256 of Lecture Notes in Computer Science, pages 325–335. Springer, 1997.
[GLPT07] J. Goubault-Larrecq, C. Palamidessi, and A. Troina.
A probabilistic applied pi-calculus. In Proceedings of APLAS’07, volume 4807 of Lecture Notes in Computer Science, pages 175–190. Springer, 2007.
[God10] Jens Christian Godskesen. Observables for mobile and wireless broadcasting systems. In Proc. of COORDINATION 2010, volume 6116 of Lecture Notes in Computer Science, pages 1–15. Springer, 2010.
[GP01] Murdoch Gabbay and Andrew Pitts. A new approach to abstract syntax with variable binding. Formal Aspects of Computing, 13:341–363, 2001.
[GW00] Philippa Gardner and Lucian Wischik. Explicit fusions. In Mogens Nielsen and Branislav Rovan, editors, Proceedings of MFCS 2000, volume 1893 of Lecture Notes in Computer Science, pages 373–382. Springer, 2000.
[JBPV10] Magnus Johansson, Jesper Bengtson, Joachim Parrow, and Björn Victor. Weak equivalences in psi-calculi. In Proceedings of LICS 2010. IEEE Computer Society, July 2010.
[Joh10] Magnus Johansson. Psi-calculi: a Framework for Mobile Process Calculi. PhD thesis, Uppsala University, May 2010.
[JPVB08] Magnus Johansson, Joachim Parrow, Björn Victor, and Jesper Bengtson. Extended pi-calculi. In Luca Aceto, Ivan Damgård, Leslie Ann Goldberg, Magnús M. Halldórsson, Anna Ingólfsdóttir, and Igor Walukiewicz, editors, Proceedings of ICALP 2008, volume 5126 of Lecture Notes in Computer Science, pages 87–98. Springer, July 2008.
[JVP10] Magnus Johansson, Björn Victor, and Joachim Parrow. A fully abstract symbolic semantics for psi-calculi. In Proceedings of the 6th Workshop on Structural Operational Semantics: SOS 2009, volume 18 of Electronic Proceedings in Theoretical Computer Science, pages 17–31, 2010.
[KR05] Steve Kremer and Mark D. Ryan. Analysis of an electronic voting protocol in the applied pi-calculus.
In Mooly Sagiv, editor, Proceedings of ESOP’05, volume 3444 of Lecture Notes in Computer Science, pages 186–200. Springer, April 2005.
[MA42] H.K. Markey and G. Antheil. Secret communication system. United States Patent 2,292,387, 1942.
[Mer98] Massimo Merro. On the expressiveness of chi, update, and fusion calculi. In Catuscia Palamidessi and Ilaria Castellani, editors, Proceedings of EXPRESS ’98, volume 16.2 of Electronic Notes in Theoretical Computer Science. Elsevier Science Publishers, 1998.
[MPW92] Robin Milner, Joachim Parrow, and David Walker. A calculus of mobile processes, part I/II. Journal of Information and Computation, 100:1–77, September 1992.
[NM95] Joachim Niehren and Martin Müller. Constraints for free in concurrent computation. In Kanchana Kanchanasut and Jean-Jacques Lévy, editors, Asian Computer Science Conference, volume 1023 of Lecture Notes in Computer Science, pages 171–186, Pathumthani, Thailand, 11–13 December 1995. Springer.
[NPW02] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL: a Proof Assistant for Higher-Order Logic, volume 2283 of Lecture Notes in Computer Science. Springer, 2002.
[Pit03] A. M. Pitts. Nominal logic, a first order theory of names and binding. Information and Computation, 186:165–193, 2003.
[PV98] Joachim Parrow and Björn Victor. The fusion calculus: Expressiveness and symmetry in mobile processes. In Proceedings of LICS ’98, pages 176–185. IEEE, Computer Society Press, July 1998.
[Sar93] Vijay A. Saraswat. Concurrent Constraint Programming. ACM Doctoral Dissertation Award. MIT Press, Cambridge, Massachusetts, 1993.
[Smo94] Gert Smolka. A foundation for higher-order concurrent constraint programming. In J.-P.
Jouannaud, editor, Proceedings 1st International Conference of Constraints in Computational Logics, volume 845 of Lecture Notes in Computer Science, pages 50–72. Springer, 1994. Available as Research Report RR-94-16 from DFKI Kaiserslautern.
[Urb08] Christian Urban. Nominal techniques in Isabelle/HOL. Journal of Automated Reasoning, 40(4):327–356, May 2008.
[WG05] Lucian Wischik and Philippa Gardner. Explicit fusions. Theoretical Computer Science, 304(3):606–630, 2005.
[Wis01] Lucian Wischik. Explicit Fusions: Theory and Implementation. PhD thesis, Computer Laboratory, University of Cambridge, 2001.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105, USA, or Eisenacher Strasse 2, 10777 Berlin, Germany