Separability in the Ambient Logic

The Ambient Logic (AL) has been proposed for expressing properties of process mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages on semistructured data. We study some basic questions concerning the discriminatin…

Authors: Daniel Hirschkoff, Etienne Lozes, Davide Sangiorgi

Logical Methods in Computer Science
Vol. 4 (3:4) 2008, pp. 1–44
www.lmcs-online.org
Submitted Nov. 8, 2007
Published Sep. 4, 2008

SEPARABILITY IN THE AMBIENT LOGIC ∗

DANIEL HIRSCHKOFF a, ÉTIENNE LOZES b, AND DAVIDE SANGIORGI c

a ENS Lyon, Université de Lyon, CNRS, INRIA – France
e-mail address: Daniel.Hirschkoff@ens-lyon.fr

b LSV, ENS Cachan, CNRS – France
e-mail address: lozes@lsv.ens-cachan.fr

c Università di Bologna – Italy
e-mail address: Davide.Sangiorgi@cs.unibo.it

Abstract. The Ambient Logic (AL) has been proposed for expressing properties of process mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages on semistructured data. We study some basic questions concerning the discriminating power of AL, focusing on the equivalence on processes induced by the logic ($=_L$). As underlying calculi besides MA we consider a subcalculus in which an image-finiteness condition holds and that we prove to be Turing complete. Synchronous variants of these calculi are studied as well. In these calculi, we provide two operational characterisations of $=_L$: a coinductive one (as a form of bisimilarity) and an inductive one (based on structural properties of processes). After showing $=_L$ to be strictly finer than barbed congruence, we establish axiomatisations of $=_L$ on the subcalculus of MA (both the asynchronous and the synchronous version), enabling us to relate $=_L$ to structural congruence. We also present some (un)decidability results that are related to the above separation properties for AL: the undecidability of $=_L$ on MA and its decidability on the subcalculus.

1. Introduction

This paper is devoted to the study of the Ambient Logic [14] (AL), a modal logic for expressing properties of Mobile Ambients [13] (MA) processes.
1998 ACM Subject Classification: F.3.2, F.4.1.
Key words and phrases: Process algebra, modal logic, Mobile Ambients, spatial logic.
∗ This work is a revised and extended version of parts of [30] and [20] (precisely, those parts that deal with issues related to separability).
a Work supported by the French projects ACI GEOCAL and ANR CHoCo.
c Work supported by European project Sensoria, Italian MIUR Project n. 2005015785, "Logical Foundations of Distributed Systems and Mobile Code".
DOI: 10.2168/LMCS-4(3:4)2008. © D. Hirschkoff, É. Lozes, and D. Sangiorgi. CC Creative Commons.

The model of Mobile Ambients is based on the notion of locality (an ambient is a named locality), and interaction in MA appears as movement of localities. Localities may be nested, as in $a[\,P \mid b[Q] \mid c[R]\,]$, which describes an ambient $a$ containing a process $P$ as well as two sublocalities named $b$ and $c$.

An ambient can be thought of as a labelled tree. The sibling relation on subtrees represents spatial contiguity; the subtree relation represents spatial nesting. A label may represent an ambient name or a capability; moreover, a replication tag on labels indicates the resources that are persistent. The trees are unordered: the order of the children of a node is not important. As an example, the process
$$P \stackrel{\mathrm{def}}{=}\ !a[\mathsf{in}\ c] \mid \mathsf{open}\ a.\,b[0]$$
can be thought of as a tree with $\mathsf{open}\ a.\,b[0]$ on the root node and $\mathsf{in}\ c$ on a child node labelled with $a$. The replication $!a$ indicates that the resource $a[\mathsf{in}\ c]$ is persistent: unboundedly many such ambients can be spawned. By contrast, $\mathsf{open}\ a$ is ephemeral: it can open only one ambient. Syntactically, each tree is finite. Semantically, however, due to replications, a tree is an infinite object.
As a consequence, the temporal developments of a tree can be quite rich. The process $P$ above (we freely switch between processes and their tree representation) has only one reduction, to $\mathsf{in}\ c \mid\ !a[\mathsf{in}\ c] \mid b[0]$. However, the process $!a[\mathsf{in}\ c] \mid\ !\mathsf{open}\ a.\,b[0]$ can evolve into any process of the form
$$\mathsf{in}\ c \mid \dots \mid \mathsf{in}\ c \mid b[0] \mid \dots \mid b[0] \mid\ !a[\mathsf{in}\ c] \mid\ !\mathsf{open}\ a.\,b[0].$$
In general, a tree may have an infinite temporal branching, that is, it can evolve into an infinite number of trees, possibly quite different from each other (for instance, pairwise behaviourally unrelated). Technically, this means that the trees are not image-finite, where image-finite indicates a finiteness on the temporal branching of a process (we will come back to the definition of image-finiteness later).

Although the MA calculus often includes name restriction, $(\nu n)P$, reminiscent of the pi-calculus, we will omit this construction (unless we mention it explicitly), and will refer to public MA, or simply MA, for the calculus without name restriction.

In summary, MA is a calculus of dynamically-evolving unordered edge-labelled trees. AL is a logic for reasoning on such trees. The actual definition of satisfaction of the formulas is given on MA processes quotiented by a relation of structural congruence, $\equiv$, which equates processes with the same tree representation. (This relation is similar to Milner's structural congruence for the $\pi$-calculus [28].)

AL has also been advocated as a foundation of query languages for semistructured data [9]. Here, the laws of the logic are used to describe query rewriting rules and query optimisations. This line of work exploits the similarities between dynamically-evolving edge-labelled trees, underlying the ambient computational model, and standard models of semistructured data.
AL has a connective that talks about time, that is, how processes can evolve. The formula $\Diamond\mathcal{A}$ is satisfied by those processes with a future in which $\mathcal{A}$ holds. The logic also has connectives that talk about space, that is, the shape of the edge-labelled trees that describe process distributions: the formula $n[\mathcal{A}]$ is satisfied by ambients named $n$ whose content satisfies $\mathcal{A}$ (read on trees: $n[\mathcal{A}]$ is satisfied by the trees whose root has just a single edge $n$ leading to a subtree that satisfies $\mathcal{A}$); the formula $\mathcal{A}_1 \mid \mathcal{A}_2$ is satisfied by the processes that can be decomposed into parallel components $P_1$ and $P_2$ where each $P_i$ satisfies $\mathcal{A}_i$ (read on trees: $\mathcal{A}_1 \mid \mathcal{A}_2$ is satisfied by the trees that are the juxtaposition of two trees that respectively satisfy the formulas $\mathcal{A}_1$ and $\mathcal{A}_2$); the formula $0$ is satisfied by the terminated process $0$ (on trees: $0$ is satisfied by the tree consisting of just the root node).

AL is quite different from standard modal logics. First, the latter logics do not talk about space. Secondly, they have more precise temporal connectives. The only temporal connective of AL talks about the many-step evolution of a system on its own. In standard modal logics, by contrast, the temporal connectives also talk about the potential interactions between a process and its environment. For instance, in the Hennessy-Milner logic [18], the temporal modality $\langle\mu\rangle.\mathcal{A}$ is satisfied by the processes that can perform the action $\mu$ and become a process that satisfies $\mathcal{A}$. The action $\mu$ can be a reduction, but also an input or an output.

In this paper we study the equivalence between MA processes induced by the logic, written $=_L$: we write $P =_L Q$ if $P$ and $Q$ satisfy exactly the same formulas.
Our main goal is to understand how much the logic discriminates between processes, i.e., to study the separating power of $=_L$. We show that $=_L$ is a rather fine-grained relation. Related to the problem of the equivalence induced by the logic are issues of decidability, that we also investigate.

The central technical device we rely on to analyse $=_L$ is a characterisation as a form of bisimilarity, that we call intensional bisimilarity and write $\simeq_{int}$. The bisimulation game defining $\simeq_{int}$ takes into account the interaction possibilities of agents, and also includes clauses to observe the spatial structure of processes, corresponding to the logical connectives of emptiness, spatial conjunction, and ambient. Intensional bisimilarity is to AL what standard bisimilarity is to Hennessy-Milner logic. In particular, $\simeq_{int}$ can be used to assess separability and expressiveness properties of the modal logic it captures. For instance, the definition of $\simeq_{int}$ reveals that, in some cases, logical observations are unable to distinguish between an agent entering an ambient, and the same agent going in and out of this ambient before finally entering it. We call this phenomenon stuttering. Stuttering can be seen as the spatial counterpart of the following 'eta law' for the asynchronous $\pi$-calculus [31]:
$$a(x).\big(\,\overline{a}\langle x\rangle \mid a(x).P\,\big) = a(x).P$$
(a similar equality also holds for communication in MA). Indeed, stuttering disappears when the asynchronous movements are replaced by synchronous ones, as is the case, e.g., in the model of Safe Ambients [25].

Something worth stressing is that our characterisation results are established on the full, public, MA calculus in which, as mentioned earlier, terms need not be image-finite, and with respect to a finitary logic.
We are not aware of other results of this kind: characterisation results for a bisimilarity with respect to a modal logic in the literature (precisely, the completeness part of the characterisations) rely either on an image-finiteness hypothesis for the terms of the language, or on the presence of some infinitary constructs (such as infinitary conjunctions) in the syntax of the logic. Technically, the proof of our result is based on the definition of some complex modal formulas. To make it easier to understand our approach, we first present the main structure of the proof in a subcalculus without infinite behaviours; we then move to the full public MA calculus to show how replication is handled. Our proof exploits two main technical notions. The first idea is to introduce an induction principle on processes, that allows us to provide an inductive characterisation of $\simeq_{int}$. We then introduce modal formulas whose role is, intuitively, to establish that only finitely many terms have to be taken into consideration when exploring the outcomes of a given process.

Exploiting $\simeq_{int}$, we relate logical equivalence with two important equivalences for processes. The first equivalence is the standard extensional equivalence, namely barbed congruence ($\approx$). Here the main result is that logical equivalence is strictly finer. As counterexamples to the inclusion $\approx\ \subseteq\ =_L$, we have found three axiom schemata. We do not know whether they are complete, that is, if they exactly describe the difference between the two relations on MA.

We then compare logical equivalence with a second relation, namely structural congruence ($\equiv$), an intensional and very discriminating equivalence. We establish an axiomatisation of logical equivalence on a rather broad class of processes, called $\mathrm{MA}_{sIF}$ (defined in 5.1).
The definition of $\mathrm{MA}_{sIF}$ relies on an image-finiteness constraint that is lighter than the usual notion of image-finiteness in process calculi, because only certain subterms of processes are required to give rise to finitely many reducts. This subcalculus is shown to be Turing complete in Section 6. We are not aware of other axiomatisations of semantic equivalences (defined by operational, denotational, logical, or other means) in higher-order process calculi. Our result says that on $\mathrm{MA}_{sIF}$, $=_L$ almost exactly coincides with structural congruence, the only difference being an 'eta law' for communication of the form mentioned above. This axiomatisation does not hold in the full MA, for instance because of the phenomenon of stuttering.

Communication in MA is asynchronous, in the sense that outputs have no continuation. We show in 5.2 that if asynchronous communication is dropped in favour of synchronous communication, then logical equivalence exactly coincides with structural congruence on the synchronous version of $\mathrm{MA}_{sIF}$.

The comparisons reveal the intensional flavour of AL. Although the logic has operators for looking into the parallel structure of processes, the intensionality of the logic was far from immediate, essentially for two reasons. The first reason is that not all syntactical constructions of MA are reflected in the logic, which entirely lacks operators for capabilities, communications, and replication. The second reason is that we adopt a weak interpretation for reductions (i.e., we abstract from actions internal to the processes); this makes it possible to handle infinite processes, but at the same time entails a loss of precision when describing properties of processes.
In such a setting it is therefore surprising that $=_L$ is actually so close to $\equiv$, also because $\equiv$ is a very strong relation: a few axioms are the only difference with syntactic identity.

Being very close to a syntactical description of processes, the relation of structural congruence is decidable. As a consequence, in the subcalculus of MA where we show that $=_L$ coincides with $\equiv$, we can also derive decidability for $=_L$. However, the frontier with undecidability for $=_L$ is very subtle: we establish undecidability of $=_L$ in the full calculus by encoding the halting problem of a Turing machine. This boils down in our setting to specifying Turing machines in Mobile Ambients and building a scenario where the halting of a machine corresponds to the existence of reduction loops, i.e., of processes $P$, $Q$ such that $P$ reduces to $Q$ and $Q$ reduces to $P$. This encoding is a challenging 'programming task', since the process must return to its initial state modulo $=_L$; this is a demanding condition, since, as mentioned above, $=_L$ is a rather strong relation. For instance, one has to be very precise in garbage collecting dead code during the execution of the Turing machine.

Other related work. Although not directly related from a technical point of view, a work worth mentioning is [15]. In that work, models of (enrichments of) relevant and linear logic are defined using Milner's SCCS. In particular, the interpretation of implication is reminiscent of the definition of satisfaction for the guarantee operator ($\triangleright$) in AL. Dam however explicitly renounces giving sense to formulas that talk about the structure of processes, as is the case in the Ambient Logic.

As stated before, intensional bisimilarity is to AL what bisimilarity is to Hennessy-Milner logic.
Approximants of intensional bisimilarity, that will be needed in our proofs of completeness, may also be expressed in terms of Ehrenfeucht-Fraïssé games for spatial logics, as shown in [16]. These equivalences are standard devices to establish expressiveness results. For instance, they have been exploited to obtain adjunct elimination properties of spatial logics in [6, 26].

This work is a revised and extended version of parts of [30] and [20], precisely, those parts that deal with issues related to separability of AL. A companion paper [21] studies expressiveness issues.

By the time the writing of the present paper was completed, a few papers had appeared that make use of results or methods presented here. These are works that study the intensionality of spatial logics or decidability properties. Works related to the intensionality of spatial logics include [8], where the spatial logic is static, and [6, 5], where the logic is applied to reason on calculi that feature a simpler notion of space, with a strong interpretation of the temporal modality. A spatial logic for the $\pi$-calculus satisfying the property that logical equivalence coincides with behavioural equivalence has been studied in [19]. This logic is defined by removing modal operators like $0$ or spatial conjunction, and keeping only 'contextual' operators (guarantee and revelation adjunct). A similar result, but for a logic that includes spatial conjunction and $0$, has been established for a process calculus encompassing a form of distribution in [7]. Works related to the decidability properties of Mobile Ambients include [3, 27], that address questions of termination, and [2, 4], that consider reachability in syntactic subcalculi of MA (in the sense that these subcalculi are obtained by eliminating some syntactical constructs).
It can be noted that our analysis of decidability (in Section 6) allows us to deduce a property in terms of reachability: as discussed above, we establish that one cannot detect the presence of reduction loops (i.e., the existence of processes $P$ and $Q$ that reduce to each other). This in particular entails undecidability of reachability.

Structure of the paper. We define the Mobile Ambients calculus and the Ambient Logic in Section 2. Section 3 is devoted to the study of intensional bisimilarity, $\simeq_{int}$. We show that $\simeq_{int}$ is included in logical equivalence, $=_L$. Completeness, i.e., the reverse inclusion, is first proved only for finite MA processes. For this, we need a certain number of expressiveness results about AL from [21], which are collected in 3.3. The completeness proof for the whole calculus is presented in Section 4, which completes our study of $\simeq_{int}$ by finally establishing that $\simeq_{int}$ and $=_L$ coincide. The inductive characterisation of $\simeq_{int}$ is given in 4.1, and the logical characterisation of the outcomes of a process in 4.3. We compare $=_L$ with barbed congruence and structural congruence in Section 5. The subcalculus $\mathrm{MA}_{sIF}$, on which we establish an axiomatisation of $=_L$, is also introduced here. Subsection 5.2 explains how our results are modified when moving to synchronous Ambients. We present our encoding of Turing machines into $\mathrm{MA}_{sIF}$ in Section 6, and give concluding remarks in Section 7.

2. Background

This section collects the necessary background for this paper. It includes the Mobile Ambients calculus [13] syntax and semantics, and the Ambient Logic [11].

2.1. Syntax of Mobile Ambients. We recall here the syntax of Mobile Ambients (MA) (we sometimes also call this calculus the Ambient calculus).
In the calculus we study, only names, not capabilities, can be communicated; this allows us to work in an untyped calculus. The calculus is asynchronous; a synchronous extension will be considered in Section 5. As in [11, 9, 10], the calculus has no restriction operator for creating new names. Table 2.1 shows the syntax. Letters $n, m, h$ range over names, $x, y, z$ over variables; $\eta$ ranges over names and variables. Both the set of names and the set of variables are infinite. The expressions $\mathsf{in}\ \eta$, $\mathsf{out}\ \eta$, and $\mathsf{open}\ \eta$ are the capabilities. Messages and abstractions are the input/output (I/O) primitives. A guard is either an abstraction or a capability. A process $P$ is single iff there exists $P'$ such that either $P \equiv cap.P'$ for some $cap$ or $P \equiv n[P']$ for some $n$.

Abstraction is a binding construct, giving rise to the set of free variables of a process $P$, written $\mathrm{fv}(P)$. We ignore syntactic differences due to alpha conversion. We write $\mathrm{fn}(P)$ for the set of (free) names of process $P$. A closed process has no free variable. Unless explicitly stated, we use $P, Q, \dots$ to range over closed processes in our definitions and results.

Substitutions, ranged over with $\sigma$, are partial functions from variables to names. Given $\sigma$, we write $P\sigma$ to denote the result of the application of $\sigma$ to $P$. Given two processes $P$ and $Q$, we say that $\sigma$ is a closing substitution for $P$ and $Q$ (in short, a closing substitution) if $P\sigma$ and $Q\sigma$ are closed processes. We also introduce another notation: $P\{n/x\}$ stands for the capture-avoiding substitution of variable $x$ with name $n$ in $P$, and $P\{n/m\}$ stands for the process obtained by replacing name $m$ with name $n$ in $P$. Given $n$ processes $P_1, \dots, P_n$, we sometimes write $\Pi_{1 \le i \le n} P_i$ for the parallel composition $P_1 \mid \dots \mid P_n$.
Process contexts (simply called contexts) are processes containing an occurrence of a special process, called the hole. We use $C$ to range over process contexts, and $C\{|P|\}$ stands for the process obtained by replacing the hole in $C$ with $P$. Given two processes $P$ and $Q$, a closing context for $P$ and $Q$ (in short, a closing context) is a context $C$ such that $C\{|P|\}$ and $C\{|Q|\}$ are closed processes.

$$\begin{array}{lll}
h, k, \dots, n, m & \text{Names} \\
x, y, \dots & \text{Variables} \\
\eta & \text{Names} \cup \text{Variables} \\[6pt]
\text{Capabilities} & cap ::= \mathsf{in}\ \eta & \text{(enter)} \\
 & \quad \mid\ \mathsf{out}\ \eta & \text{(exit)} \\
 & \quad \mid\ \mathsf{open}\ \eta & \text{(open)} \\[6pt]
\text{Processes} & P, Q, R ::= 0 & \text{(nil)} \\
 & \quad \mid\ P \mid Q & \text{(parallel)} \\
 & \quad \mid\ !P & \text{(replication)} \\
 & \quad \mid\ cap.P & \text{(prefixing)} \\
 & \quad \mid\ \eta[P] & \text{(ambient)} \\
 & \quad \mid\ \{\eta\} & \text{(message)} \\
 & \quad \mid\ (x)P & \text{(abstraction)}
\end{array}$$

Processes with the same internal structure are identified. This is expressed by means of the structural congruence relation, $\equiv$, the smallest congruence such that the following laws hold:
$$P \mid 0 \equiv P \qquad P \mid Q \equiv Q \mid P \qquad P \mid (Q \mid R) \equiv (P \mid Q) \mid R$$
$$!P \equiv\ !P \mid P \qquad !0 \equiv 0 \qquad !(P \mid Q) \equiv\ !P \mid\ !Q \qquad !!P \equiv\ !P$$

As a consequence of the results presented in [32], which works with a richer calculus than the one we study, we have:

Theorem 2.1. $\equiv$ is decidable.

Definition 2.2 (Finite process). A process $P$ is finite iff there exists a process $P'$ with no occurrence of the replication operator such that $P \equiv P'$.

2.2. Operational Semantics. The semantics of the calculus is given by a reduction relation $\longrightarrow$. We shall sometimes use the phrase '$\tau$-transitions' to refer to $\longrightarrow$ transitions.

$$\begin{array}{ll}
\mathsf{open}\ n.P \mid n[Q] \longrightarrow P \mid Q & \text{Red-Open} \\[4pt]
n[\,\mathsf{in}\ m.P_1 \mid P_2\,] \mid m[Q] \longrightarrow m[\,n[P_1 \mid P_2] \mid Q\,] & \text{Red-In} \\[4pt]
m[\,n[\,\mathsf{out}\ m.P_1 \mid P_2\,] \mid Q\,] \longrightarrow n[P_1 \mid P_2] \mid m[Q] & \text{Red-Out} \\[4pt]
\{\eta\} \mid (x)P \longrightarrow P\{\eta/x\} & \text{Red-Com} \\[8pt]
\dfrac{P \longrightarrow P'}{P \mid Q \longrightarrow P' \mid Q} & \text{Red-Par} \\[10pt]
\dfrac{P \longrightarrow P'}{n[P] \longrightarrow n[P']} & \text{Red-Amb} \\[10pt]
\dfrac{P \equiv P' \qquad P' \longrightarrow P'' \qquad P'' \equiv P'''}{P \longrightarrow P'''} & \text{Red-Str}
\end{array}$$
Table 1: The rules for reduction
The corresponding rules are given in Table 2.2. The reflexive and transitive closure of $\longrightarrow$ is written $\Longrightarrow$. Behavioural equivalence is defined using reduction and observability predicates $\Downarrow_n$ that indicate whether a process can liberate an ambient named $n$: formally, $P \Downarrow_n$ holds if there are $P', P''$ such that $P \Longrightarrow n[P'] \mid P''$.

Definition 2.3 (barbed congruence, [29, 24]). A symmetric relation $\mathcal{R}$ between processes is a barbed bisimulation if $P\,\mathcal{R}\,Q$ implies:
(1) whenever $P \Longrightarrow P'$, there exists $Q'$ such that $Q \Longrightarrow Q'$ and $P'\,\mathcal{R}\,Q'$;
(2) for each name $n$, $P \Downarrow_n$ iff $Q \Downarrow_n$.
Barbed bisimilarity, written $\dot{\approx}$, is the largest barbed bisimulation. Two processes $P$ and $Q$ are barbed congruent, written $P \approx Q$, if $C\{|P|\} \ \dot{\approx}\ C\{|Q|\}$ for all closing contexts $C$.

2.3. Ambient Logic. The Ambient Logic (AL) is presented in Table 2. We use an infinite set of logical variables, ranged over with $x, y, z$; $\eta$ ranges over names and variables. (We can use the same syntax as for variables and names of the Ambient calculus, since formula and process terms are separate.) We use $\mathcal{A}, \mathcal{B}, \dots, \mathcal{F}, \mathcal{F}', \dots$ to range over formulas. The logic has the propositional connectives, $\top$, $\neg\mathcal{A}$, $\mathcal{A} \vee \mathcal{B}$, and universal quantification on names, $\forall x.\mathcal{A}$, with the standard logical interpretation. The temporal connective, $\Diamond\mathcal{A}$, is considered with a weak interpretation. The spatial connectives, $0$, $\mathcal{A} \mid \mathcal{B}$, and $\eta[\mathcal{A}]$, are the logical counterpart of the corresponding constructions on processes. $\mathcal{A} \triangleright \mathcal{B}$ and $\mathcal{A}@\eta$ are the adjuncts of $\mathcal{A} \mid \mathcal{B}$ and $\eta[\mathcal{A}]$, in the sense of being, roughly, their inverse (see below).

$$\begin{array}{llll}
\mathcal{A} ::= & \top & \text{(true)} & \text{classical logic} \\
 & \mid\ \neg\mathcal{A} & \text{(negation)} & \\
 & \mid\ \mathcal{A} \vee \mathcal{B} & \text{(disjunction)} & \\
 & \mid\ \forall x.\mathcal{A} & \text{(universal quantification over names)} & \\[4pt]
 & \mid\ \Diamond\mathcal{A} & \text{(sometime)} & \text{temporal and spatial connectives} \\
 & \mid\ 0 & \text{(void)} & \\
 & \mid\ \eta[\mathcal{A}] & \text{(edge)} & \\
 & \mid\ \mathcal{A} \mid \mathcal{B} & \text{(composition)} & \\[4pt]
 & \mid\ \mathcal{A}@\eta & \text{(localisation)} & \text{logical adjuncts} \\
 & \mid\ \mathcal{A} \triangleright \mathcal{B} & \text{(linear implication)} &
\end{array}$$
Table 2: The syntax of logical formulas

$\mathcal{A}\{n/x\}$ is the formula obtained from $\mathcal{A}$ by substituting variable $x$ by name $n$. A formula without free variables is closed. Along the lines of the definition of process contexts, we define formula contexts as formulas containing an occurrence of a special hole formula. We use $\mathcal{A}\{|\cdot|\}$ to range over formula contexts; then $\mathcal{A}\{|\mathcal{B}|\}$ stands for the formula obtained by replacing the hole in $\mathcal{A}\{|\cdot|\}$ with $\mathcal{B}$.

Definition 2.4 (Satisfaction). The satisfaction relation is defined between closed processes and closed formulas as follows:
$$\begin{array}{lcl}
P \models \top & \stackrel{\mathrm{def}}{=} & \text{always true} \\
P \models \neg\mathcal{A} & \stackrel{\mathrm{def}}{=} & \text{not } P \models \mathcal{A} \\
P \models \mathcal{A} \vee \mathcal{B} & \stackrel{\mathrm{def}}{=} & P \models \mathcal{A} \text{ or } P \models \mathcal{B} \\
P \models \forall x.\mathcal{A} & \stackrel{\mathrm{def}}{=} & \text{for any } n,\ P \models \mathcal{A}\{n/x\} \\
P \models 0 & \stackrel{\mathrm{def}}{=} & P \equiv 0 \\
P \models \mathcal{A}_1 \mid \mathcal{A}_2 & \stackrel{\mathrm{def}}{=} & \exists P_1, P_2 \text{ s.t. } P \equiv P_1 \mid P_2 \text{ and } P_i \models \mathcal{A}_i,\ i = 1, 2 \\
P \models n[\mathcal{A}] & \stackrel{\mathrm{def}}{=} & \exists P' \text{ s.t. } P \equiv n[P'] \text{ and } P' \models \mathcal{A} \\
P \models \Diamond\mathcal{A} & \stackrel{\mathrm{def}}{=} & \exists P' \text{ s.t. } P \Longrightarrow P' \text{ and } P' \models \mathcal{A} \\
P \models \mathcal{A}@n & \stackrel{\mathrm{def}}{=} & n[P] \models \mathcal{A} \\
P \models \mathcal{A} \triangleright \mathcal{B} & \stackrel{\mathrm{def}}{=} & \forall R,\ R \models \mathcal{A} \text{ implies } P \mid R \models \mathcal{B}
\end{array}$$

The logic in [11] has also a somewhere connective, that holds of a process containing, at some arbitrary level of nesting of ambients, an ambient whose content satisfies $\mathcal{A}$. For the sake of simplicity, we omit this connective, but we believe that the addition of this connective would not change the results in the paper (in particular Theorem 3.29 can be adapted easily).

Lemma 2.5 ([11]). If $P \equiv Q$ and $P \models \mathcal{A}$, then also $Q \models \mathcal{A}$.
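The two tables above (the reduction rules of Table 1 and the satisfaction relation of Definition 2.4) can be made executable for the finite fragment of the calculus. The following Python program is an added example and is not code from the paper or its authors. It assumes the replication-free fragment (so $\equiv$ is decided by comparing normal forms, in line with Theorem 2.1 and Definition 2.2), encodes processes and formulas as nested tuples, and implements satisfaction for every connective of Definition 2.4 except $\forall x.\mathcal{A}$ and $\mathcal{A} \triangleright \mathcal{B}$, whose clauses quantify over all names or all processes. The sample processes in the test are constructed for the example; the first one is the introduction's $a[\mathsf{in}\ c] \mid \mathsf{open}\ a.\,b[0]$ with the replication dropped.

```python
"""Finite public Mobile Ambients (no replication, no restriction): structural
congruence by normal forms, the reductions of Table 1, and Ambient Logic
satisfaction (Definition 2.4) minus the forall and guarantee connectives.
Added example; not code from the paper."""

ZERO = ('par', ())   # the terminated process 0 (empty parallel composition)

def components(p):
    """Top-level parallel components of p, as a list (a multiset modulo ≡)."""
    return list(p[1]) if p[0] == 'par' else [p]

def par(*ps):
    """P | Q in normal form: flatten, drop 0, sort (P|0 ≡ P, assoc, comm)."""
    flat = [c for p in ps for c in components(p)]
    return flat[0] if len(flat) == 1 else ('par', tuple(sorted(flat, key=repr)))

def amb(n, p):        return ('amb', n, p)          # n[P]
def cap(kind, n, p):  return ('cap', kind, n, p)    # in n.P / out n.P / open n.P
def msg(n):           return ('msg', n)             # {n}
def abst(x, p):       return ('abs', x, p)          # (x)P

def congruent(p, q):
    """P ≡ Q: on finite processes, equality of normal forms (cf. Theorem 2.1)."""
    return p == q

def subst(p, x, n):
    """P{n/x}: replace variable x by name n (names and variables are strings)."""
    t = p[0]
    if t == 'par': return par(*(subst(c, x, n) for c in p[1]))
    if t == 'amb': return amb(n if p[1] == x else p[1], subst(p[2], x, n))
    if t == 'cap': return cap(p[1], n if p[2] == x else p[2], subst(p[3], x, n))
    if t == 'msg': return msg(n if p[1] == x else p[1])
    return p if p[1] == x else abst(p[1], subst(p[2], x, n))  # (y)P, y binds

def step(p):
    """All P' with P -> P' (Table 1); Red-Par and Red-Str are implicit in
    working on normal-form component lists."""
    comps, out = components(p), set()
    for i, c in enumerate(comps):
        rest = comps[:i] + comps[i + 1:]
        for j, d in enumerate(rest):
            others = rest[:j] + rest[j + 1:]
            if c[0] == 'cap' and c[1] == 'open' and d[0] == 'amb' and d[1] == c[2]:
                out.add(par(c[3], d[2], *others))                 # Red-Open
            if c[0] == 'msg' and d[0] == 'abs':
                out.add(par(subst(d[2], d[1], c[1]), *others))    # Red-Com
            if c[0] == 'amb' and d[0] == 'amb':                   # Red-In
                inner = components(c[2])
                for k, e in enumerate(inner):
                    if e[0] == 'cap' and e[1] == 'in' and e[2] == d[1]:
                        p2 = par(*(inner[:k] + inner[k + 1:]))
                        moved = amb(c[1], par(e[3], p2))
                        out.add(par(amb(d[1], par(moved, d[2])), *others))
        if c[0] == 'amb':
            inner = components(c[2])
            for k, e in enumerate(inner):                         # Red-Out
                if e[0] != 'amb':
                    continue
                inner2 = components(e[2])
                for l, f in enumerate(inner2):
                    if f[0] == 'cap' and f[1] == 'out' and f[2] == c[1]:
                        q = par(*(inner[:k] + inner[k + 1:]))
                        p12 = par(f[3], *(inner2[:l] + inner2[l + 1:]))
                        out.add(par(amb(e[1], p12), amb(c[1], q), *rest))
            for s in step(c[2]):                                  # Red-Amb
                out.add(par(amb(c[1], s), *rest))
    return out

def reachable(p):
    """All P' with P => P' (finite here: every reduction consumes a guard)."""
    seen, todo = {p}, [p]
    while todo:
        for q in step(todo.pop()):
            if q not in seen:
                seen.add(q)
                todo.append(q)
    return seen

def sat(p, f):
    """P |= A for formulas ('true',), ('not',A), ('or',A,B), ('zero',),
    ('amb',n,A), ('par',A,B), ('diamond',A), ('at',n,A)."""
    t = f[0]
    if t == 'true':    return True
    if t == 'not':     return not sat(p, f[1])
    if t == 'or':      return sat(p, f[1]) or sat(p, f[2])
    if t == 'zero':    return p == ZERO
    if t == 'amb':     return p[0] == 'amb' and p[1] == f[1] and sat(p[2], f[2])
    if t == 'at':      return sat(amb(f[1], p), f[2])
    if t == 'diamond': return any(sat(q, f[1]) for q in reachable(p))
    if t == 'par':     # some split P ≡ P1 | P2 with P1 |= A1 and P2 |= A2
        cs = components(p)
        for mask in range(1 << len(cs)):
            p1 = par(*(c for b, c in enumerate(cs) if mask >> b & 1))
            p2 = par(*(c for b, c in enumerate(cs) if not mask >> b & 1))
            if sat(p1, f[1]) and sat(p2, f[2]):
                return True
        return False
    raise ValueError('unsupported connective %r' % (t,))

if __name__ == '__main__':
    # Constructed input: a[in c] | open a.b[0], which reduces only to in c | b[0].
    P = par(amb('a', cap('in', 'c', ZERO)), cap('open', 'a', amb('b', ZERO)))
    print(step(P))
    print(sat(P, ('diamond', ('par', ('amb', 'b', ('zero',)), ('true',)))))
```

The normal form is what makes Red-Str cheap: because `par` flattens, drops `0` and sorts, two finite processes are structurally congruent exactly when their tuples are equal, and the `'par'` clause of `sat` can enumerate the decompositions $P \equiv P_1 \mid P_2$ as subsets of the component multiset. Replication is excluded on purpose: with `!P` the reachable set of `reachable` would be infinite, which is precisely the image-finiteness issue the paper discusses.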
We give $\vee$ the least syntactic precedence, thus $\mathcal{A}_1 \triangleright \mathcal{A}_2 \vee \mathcal{A}_3$ reads $(\mathcal{A}_1 \triangleright \mathcal{A}_2) \vee \mathcal{A}_3$, and $\mathcal{A}_1 \triangleright (\Diamond\mathcal{A}_2 \vee \Diamond\mathcal{A}_3)$ reads $\mathcal{A}_1 \triangleright ((\Diamond\mathcal{A}_2) \vee (\Diamond\mathcal{A}_3))$. We shall use the following standard duals of disjunction and universal quantification:
$$\mathcal{A} \wedge \mathcal{B} \stackrel{\mathrm{def}}{=} \neg(\neg\mathcal{A} \vee \neg\mathcal{B}) \qquad \exists x.\mathcal{A} \stackrel{\mathrm{def}}{=} \neg\forall x.\neg\mathcal{A}$$

Definition 2.6 (Logical equivalence). For processes $P$ and $Q$, we say that $P$ and $Q$ are logically equivalent, written $P =_L Q$, if for any closed formula $\mathcal{A}$ it holds that $P \models \mathcal{A}$ iff $Q \models \mathcal{A}$.

The remainder of this paper is devoted to the study of $=_L$ on MA and on some subcalculi of MA.

3. Intensional bisimilarity

In order to be able to carry out our programme for $=_L$, as discussed in the introduction, we look for a co-inductive characterisation of this relation, as a form of labelled bisimilarity. Before introducing the bisimilarity relation, we need to define labelled transitions on MA, and a few derived relations such as the stuttering relation.

3.1. Definitions.

3.1.1. Labelled transitions and stuttering.

Definition 3.1. Let $P$ be a closed process. We write:
• $P \xrightarrow{cap} P'$, where $cap$ is a capability, if $P \equiv cap.P_1 \mid P_2$ and $P' = P_1 \mid P_2$.
• $P \xrightarrow{\{n\}} P'$ if $P \equiv \{n\} \mid P'$.
• $P \xrightarrow{?n} P'$ if $P \equiv (x)P_1 \mid P_2$ and $P' \equiv P_1\{n/x\} \mid P_2$.
• $P \xRightarrow{\mu} P'$, where $\mu$ is one of the above labels, if $P \Longrightarrow\xrightarrow{\mu}\Longrightarrow P'$ (where $\Longrightarrow\xrightarrow{\mu}\Longrightarrow$ is relation composition).
• (stuttering) $P \xRightarrow{(M_1, M_2)^\star} P'$ if there is $i \ge 1$ and processes $P_1, \dots, P_i$ with $P = P_1$ and $P' = P_i$ such that $P_r \xRightarrow{M_1}\xRightarrow{M_2} P_{r+1}$ for all $1 \le r < i$.
• Finally, $\langle cap\rangle\!\Longrightarrow$ is a convenient notation for compacting statements involving capability transitions. $\langle \mathsf{in}\ n\rangle\!\Longrightarrow$ is $\xRightarrow{(\mathsf{out}\ n,\ \mathsf{in}\ n)^\star}$; similarly $\langle \mathsf{out}\ n\rangle\!\Longrightarrow$ is $\xRightarrow{(\mathsf{in}\ n,\ \mathsf{out}\ n)^\star}$; and $\langle \mathsf{open}\ n\rangle\!\Longrightarrow$ is $\Longrightarrow$.
We discuss in Example 3.3 below why stuttering is needed to capture logical equivalence in MA.

3.1.2. Intensional bisimilarity, $\simeq_{int}$. We present here our main labelled bisimilarity, intensional bisimilarity, written $\simeq_{int}$. This relation will be used to capture the separating power of $=_L$. Intuitively, the definition of $\simeq_{int}$ is based on the observations made available by the logic either using built-in operators or through derived formulas for capabilities (see below).

Definition 3.2. A symmetric relation $\mathcal{R}$ on closed processes is an intensional bisimulation if $P\,\mathcal{R}\,Q$ implies:
(1) If $P \equiv P_1 \mid P_2$ then there are $Q_1, Q_2$ such that $Q \equiv Q_1 \mid Q_2$ and $P_i\,\mathcal{R}\,Q_i$, for $i = 1, 2$.
(2) If $P \equiv 0$ then $Q \equiv 0$.
(3) If $P \longrightarrow P'$ then there is $Q'$ such that $Q \Longrightarrow Q'$ and $P'\,\mathcal{R}\,Q'$.
(4) If $P \xrightarrow{\mathsf{in}\ n} P'$ then there is $Q'$ such that $Q \xRightarrow{\mathsf{in}\ n}\xRightarrow{(\mathsf{out}\ n,\ \mathsf{in}\ n)^\star} Q'$ and $P'\,\mathcal{R}\,Q'$.
(5) If $P \xrightarrow{\mathsf{out}\ n} P'$ then there is $Q'$ such that $Q \xRightarrow{\mathsf{out}\ n}\xRightarrow{(\mathsf{in}\ n,\ \mathsf{out}\ n)^\star} Q'$ and $P'\,\mathcal{R}\,Q'$.
(6) If $P \xrightarrow{\mathsf{open}\ n} P'$ then there is $Q'$ such that $Q \xRightarrow{\mathsf{open}\ n} Q'$ and $P'\,\mathcal{R}\,Q'$.
(7) If $P \xrightarrow{\{n\}} P'$ then there is $Q'$ such that $Q \xRightarrow{\{n\}} Q'$ and $P'\,\mathcal{R}\,Q'$.
(8) If $P \xrightarrow{?n} P'$ then there is $Q'$ such that $Q \mid \{n\} \Longrightarrow Q'$ and $P'\,\mathcal{R}\,Q'$.
(9) If $P \equiv n[P']$ then there is $Q'$ such that $Q \equiv n[Q']$ and $P'\,\mathcal{R}\,Q'$.
Intensional bisimilarity, written $\simeq_{int}$, is the largest intensional bisimulation.

The definition of $\simeq_{int}$ induces a relation $\simeq^{o}_{int}$, defined on open terms by saying that $P \simeq^{o}_{int} Q$ iff for any closing substitution $\sigma$, $P\sigma \simeq_{int} Q\sigma$.

The definition of $\simeq_{int}$ has (at least) three intensional clauses, namely (1), (2) and (9), which allow us to observe parallel compositions, the terminated process, and ambients. These clauses correspond to the intensional connectives '$\mid$', '$0$' and '$n[\cdot]$' of the logic.
The clause (8) for abstraction is similar to the input clause of bisimilarity in asynchronous message-passing calculi [1]. This is so because communication in MA is asynchronous (see also Subsection 5.2 below).

Note that, using the notation $\langle cap\rangle\!\Longrightarrow$ introduced above, items 4, 5, and 6 can be replaced by the following one:
• if $P \xrightarrow{cap} P'$, then there is $Q'$ such that $Q \xRightarrow{cap}\langle cap\rangle\!\Longrightarrow Q'$ and $P'\,\mathcal{R}\,Q'$.

As we have pointed out above, stuttering is used to capture some transitions of processes that the logic cannot detect. It gives rise to particular kinds of loops, that we illustrate in the following example.

Example 3.3 (Stuttering Loop). Consider the processes
$$P \stackrel{\mathrm{def}}{=}\ !\mathsf{open}\ n.\,\mathsf{in}\ n.\,\mathsf{out}\ n.\,\mathsf{in}\ n.\,\mathsf{out}\ n.\,n[0] \mid n[0]$$
$$Q \stackrel{\mathrm{def}}{=}\ !\mathsf{open}\ n.\,\mathsf{in}\ n.\,\mathsf{out}\ n.\,\mathsf{in}\ n.\,\mathsf{out}\ n.\,n[0] \mid \mathsf{in}\ n.\,\mathsf{out}\ n.\,n[0].$$
We have the following loop, modulo stuttering:
$$P \xRightarrow{(\mathsf{in}\ n,\ \mathsf{out}\ n)^\star} Q \xRightarrow{(\mathsf{in}\ n,\ \mathsf{out}\ n)^\star} P.$$
The existence of such pairs of processes that reduce one to each other modulo stuttering will play an important role in the axiomatization of $=_L$. We call such a situation a loop.

It holds that $P \not\simeq_{int} Q$; however, since $P \xRightarrow{(\mathsf{in}\ n,\ \mathsf{out}\ n)^\star} Q \xRightarrow{(\mathsf{in}\ n,\ \mathsf{out}\ n)^\star} P$, we have $\mathsf{out}\ n.P \simeq_{int} \mathsf{out}\ n.Q$. Actually, $\mathsf{out}\ n.P \approx \mathsf{out}\ n.Q$, that is, these two processes are extensionally equivalent, and they are also equated by the logic (i.e., $\mathsf{out}\ n.P =_L \mathsf{out}\ n.Q$). But they would not be intensionally bisimilar without the stuttering relations.

The reason for this peculiarity is that, intuitively, these processes have the same behaviour in any testing context. To see why the extra capabilities of $Q$ do not affect its behaviour, consider a reduction involving $\mathsf{out}\ n.P$, of the following shape:
$$n[\,m[\,\mathsf{out}\ n.P \mid R\,]\,] \longrightarrow n[0] \mid m[\,P \mid R\,].$$
Process $\mathsf{out}\,n.Q$ can match this transition using three reductions:
$$n[\,m[\,\mathsf{out}\,n.Q \mid R\,]\,] \longrightarrow n[\mathbf{0}] \mid m[\,\mathsf{in}\,n.\mathsf{out}\,n.n[\mathbf{0}] \mid Q' \mid R\,] \longrightarrow n[\,m[\,\mathsf{out}\,n.n[\mathbf{0}] \mid Q' \mid R\,]\,] \longrightarrow n[\mathbf{0}] \mid m[\,P \mid R\,],$$
where $Q'$ is $!\mathsf{open}\,n.\mathsf{in}\,n.\mathsf{out}\,n.\mathsf{in}\,n.\mathsf{out}\,n.n[\mathbf{0}]$. Conversely, the process $\mathsf{out}\,n.Q$ may be involved in the following scenario:
$$n[\,m[\,\mathsf{out}\,n.Q \mid R\,]\,] \longrightarrow n[\mathbf{0}] \mid m[\,Q \mid R\,],$$
and the process $\mathsf{out}\,n.P$ can mimic this reduction. If we set $Q' =\ !\mathsf{open}\,n.\mathsf{in}\,n.\mathsf{out}\,n.\mathsf{in}\,n.\mathsf{out}\,n.n[\mathbf{0}]$, we have
$$n[\,m[\,\mathsf{out}\,n.P \mid R\,]\,] \longrightarrow n[\mathbf{0}] \mid m[\,n[\mathbf{0}] \mid Q' \mid R\,] \longrightarrow n[\mathbf{0}] \mid m[\,Q' \mid \mathsf{in}\,n.\mathsf{out}\,n.\mathsf{in}\,n.\mathsf{out}\,n.n[\mathbf{0}] \mid R\,] \longrightarrow n[\,m[\,Q' \mid \mathsf{out}\,n.\mathsf{in}\,n.\mathsf{out}\,n.n[\mathbf{0}] \mid R\,]\,] \longrightarrow n[\mathbf{0}] \mid m[\,Q \mid R\,].$$
By contrast, stuttering does not show up in Safe Ambients [24], where movements are achieved by means of synchronisations between a capability and a co-capability, and alike models.

The following result is an easy consequence of the definition of $\simeq_{int}$:

Lemma 3.4. $\simeq_{int}$ is an equivalence relation.

Proof. The only point worth mentioning is that, for transitivity, to handle clause (8), one first needs to prove that $\simeq_{int}$ is preserved by parallel compositions with messages (which is anyhow straightforward). ✷

However, it is not obvious that $\simeq_{int}$ is preserved by all operators of the calculus, due to the fact that $\simeq_{int}$ is, intrinsically, higher-order. Formally, $\simeq_{int}$ is not higher-order, in that the labels of actions do not contain terms. Clause (3) of Definition 3.2, however, involves some higher-order computation, for a reduction may involve movement of terms (for instance, if the reduction uses rules Red-In or Red-Out). This, as usual in higher-order forms of bisimilarity, complicates the proof that bisimilarity is preserved by parallel composition.

3.2. Congruence.
In this section, we establish congruence of intensional bisimilarity, using an auxiliary relation.

3.2.1. Syntactical relation, $\cong$. Our proof of congruence makes use of a second bisimilarity, $\cong$, that, by construction, is preserved by all operators of the calculus, and that is defined as follows:

Definition 3.5. A symmetric relation on processes $\mathcal{R}$ is a syntax-based intensional bisimulation if $P \mathcal{R} Q$ implies:
(1) If $P \equiv P_1 \mid P_2$ then there are $Q_s$ ($s = 1, 2$) such that $Q \equiv Q_1 \mid Q_2$ and for all $s$, $P_s \mathcal{R} Q_s$.
(2) If $P \equiv cap.P'$ then there are $Q', Q''$ such that (a) $Q \equiv cap.Q'$, (b) $Q' \stackrel{\langle cap \rangle}{\Longrightarrow} Q''$, and (c) $P' \mathcal{R} Q'$.
(3) If $P \equiv \{n\}$ then $Q \equiv \{n\}$.
(4) If $P \equiv (x)P'$ then there is $Q'$ such that (a) $Q \equiv (x)Q'$ and (b) for all $n$ there is $Q''$ such that $\{n\} \mid Q \Longrightarrow Q''$ and $P'\{n/x\} \mathcal{R} Q''$.
(5) If $P \equiv n[P']$ then there is $Q'$ such that $Q \equiv n[Q']$ and $P' \mathcal{R} Q'$.
$\cong$ is the largest syntax-based intensional bisimulation. Given two open terms $P$ and $Q$, we say that $P \cong^{o} Q$ holds iff for any closing substitution $\sigma$, $P\sigma \cong Q\sigma$.

Clause (4) is typical of asynchronous calculi, as in clause (8) of Definition 3.2. The differences between the definitions of $\simeq_{int}$ and $\cong$ are the following. First, labelled transitions are replaced by structural congruence in the hypothesis of the corresponding clause. Second, clause (3) about reductions of related processes is removed. Note that a clause for the process $\mathbf{0}$ is not necessary (see Lemma 3.9 below).

Transitivity of $\cong$ is not obvious, because it is not immediate that $\cong$ is preserved under reductions (there is no clause for matching $\tau$-transitions, and reductions, i.e., relation $\Longrightarrow$, are used in a few places, such as the stuttering relation in the clauses for movement). We shall prove that $\simeq_{int}$ and $\cong$ coincide (Corollary 3.18 below).
Thus, transitivity of $\cong$ will hold because of $\simeq_{int}$'s transitivity, and conversely, congruence of $\cong$ will ensure congruence of $\simeq_{int}$. This proof method, which exploits an auxiliary relation that is manifestly preserved by the operators of the calculus but that is not manifestly preserved under reductions, brings to mind Howe's proof technique for proving congruence of bisimilarity in higher-order languages [23]. In our case, however, the problem is simpler because of the intensional clauses (1) and (2) of the bisimilarity and because MA is not a fully higher-order calculus: terms may move during a computation, but they may not be copied as a consequence of a movement. We may say that MA is a linear higher-order calculus (indeed the congruence of $\simeq_{int}$ could also be proved directly, with a little more work).

In order to establish congruence of $\cong$, we introduce an important equality between processes, that plays a technical role here but will also be used when characterising logical equivalence in Section 5.

Definition 3.6 (Eta law, $\equiv_E$). The eta law is given by the following equation:
$$(x)\big((x)P \mid \{x\}\big) = (x)P.$$
We use the eta law to define the following three relations:
• $\longrightarrow_\eta$ is the eta law oriented from left to right; that is, $P \longrightarrow_\eta Q$ holds if $Q$ is obtained from $P$ by applying the eta law once, from left to right, to one of its subterms (modulo $\equiv$).
• $\longrightarrow^{*}_\eta$ stands for the reflexive, transitive closure of $\longrightarrow_\eta$;
• $\equiv_E$ is the smallest congruence satisfying the laws of $\equiv$ plus the eta law.
In the lemma below, we write $P \longrightarrow_{\eta h} P'$ if $P \longrightarrow_\eta P'$ and this represents a top-level rewrite step, i.e., we do not rewrite under capabilities and input prefixes. Similarly, $\longrightarrow^{*}_{\eta h}$ is the reflexive and transitive closure of $\longrightarrow_{\eta h}$.

Lemma 3.7. Let $\mathcal{R}$ stand for $\longrightarrow_\eta$ or $\longrightarrow_{\eta h}$.
Then:
(1) $\mathcal{R}$ is confluent up to $\equiv$, that is, for all $P, Q, R$ such that $P \mathcal{R}^{*} Q$ and $P \mathcal{R}^{*} R$, there are $Q', R'$ such that $Q \mathcal{R}^{*} Q'$, $R \mathcal{R}^{*} R'$ and $Q' \equiv R'$.
(2) $\mathcal{R}$ is terminating, that is, $\mathcal{R}^{*}$ is a well-founded order.
We call the eta normal form of $P$ (the head eta normal form of $P$, respectively) the unique normal form, up to $\equiv$, of $\longrightarrow_\eta$ (of $\longrightarrow_{\eta h}$, respectively).

Remark 3.8 (Eta law and stuttering). The eta law expresses a form of stuttering (in communication, as opposed to stuttering in movements; see Definition 3.1). The logic being insensitive to both forms of stuttering, we have to reason modulo the eta law.

We now present some results that are needed to prove congruence of $\cong$.

Lemma 3.9. If $\mathbf{0} \cong Q$ then $Q \equiv \mathbf{0}$.

Proof. Suppose $Q \equiv \mathbf{0}$ does not hold. This means that there exist $Q', Q''$ s.t. $Q \equiv Q' \mid Q''$, with $Q'$ of the form $(x)R$, $\{p\}$, $M.R$, or $n[R]$. Then by applying the corresponding clause in the definition of $\cong$, we deduce $Q \not\equiv \mathbf{0}$, i.e., a contradiction. ✷

Lemma 3.10. $\equiv_E \subseteq \cong$ and $\equiv_E \cong \equiv_E \subseteq \cong$.

Proof. Straightforward from the definition of $\cong$. ✷

If $\mathcal{R}$ is a binary relation on processes, we write $\mathcal{R}\{n/m\}$ for the relation defined as $\{(P\{n/m\}, Q\{n/m\}) \,.\, (P, Q) \in \mathcal{R}\}$.

Lemma 3.11. If $\mathcal{R}$ is a $\cong$-bisimulation, then for any $n, m$, $\mathcal{R}\{n/m\}$ is a $\cong$-bisimulation.

Proof. Since $\tau$ transitions are not tested in $\cong$, substitution is not mentioned in Def. 3.5. All clauses of the latter definition are obviously stable by substitution. ✷

Lemma 3.12. For any possibly open processes $P$ and $Q$, if $P \cong^{o} Q$ then $C\{\!|P|\!\} \cong^{o} C\{\!|Q|\!\}$, for all contexts $C$.

Proof. By induction on $C$, using the definition of $\cong$. ✷

To prove that $\simeq_{int}$ and $\cong$ coincide, the main result we need is that $\cong$ is preserved under reductions:

Lemma 3.13. Suppose $P \cong Q$ and $P \longrightarrow P'$.
Then there is $Q'$ such that $Q \Longrightarrow Q'$ and $P' \cong Q'$.

Proof. By induction on the depth of the derivation proof of $P \longrightarrow P'$. We proceed by case analysis on the last rule used in the derivation.
• Rule Red-Struct:
$$\frac{P \equiv P_1 \quad P_1 \longrightarrow P_2 \quad P_2 \equiv P_3}{P \longrightarrow P_3}$$
By Lemma 3.10, $P_1 \cong Q$; by induction $Q \Longrightarrow Q' \cong P_2$; again by Lemma 3.10, $Q' \cong P_3$.
• Rule Red-Par:
$$\frac{P_1 \longrightarrow P'_1}{P_1 \mid P_2 \longrightarrow P'_1 \mid P_2}$$
By definition of $\cong$ there are $Q_i$ such that $Q \equiv Q_1 \mid Q_2$ and $P_i \cong Q_i$. Then we conclude, using induction and Lemma 3.12.
• Rule Red-Amb: Use induction and Lemma 3.12.
• Rule Red-Com: Immediate by clauses (1), (3), and (4) of Definition 3.5.
• Rule Red-Open: $\mathsf{open}\,n.P_1 \mid n[P_2] \longrightarrow P_1 \mid P_2$. By definition of $\cong$, $Q \equiv \mathsf{open}\,n.Q_1 \mid n[Q_2]$, and for some $Q'_1$ with $Q_1 \Longrightarrow Q'_1$, we have: $P_2 \cong Q_2$, $P_1 \cong Q'_1$. We also have $Q \Longrightarrow Q'_1 \mid Q_2$. Using Lemma 3.12, we derive $P_1 \mid P_2 \cong Q'_1 \mid Q_2$, which concludes the case.
• Rule Red-In: $n[\,\mathsf{in}\,m.P_1 \mid P_2\,] \mid m[P_3] \longrightarrow m[\,n[\,P_1 \mid P_2\,] \mid P_3\,]$. By definition of $\cong$, $Q \equiv n[\,\mathsf{in}\,m.Q_1 \mid Q_2\,] \mid m[Q_3]$, and there exists $Q'_1$ such that $Q_1 \stackrel{(\mathsf{out}\,n,\mathsf{in}\,n)^\star}{\Longrightarrow} Q'_1$ and we have: $P_2 \cong Q_2$, $P_3 \cong Q_3$, and $P_1 \cong Q'_1$. We also have $Q \Longrightarrow m[\,n[\,Q'_1 \mid Q_2\,] \mid Q_3\,]$. Using Lemma 3.12, we derive $m[\,n[\,P_1 \mid P_2\,] \mid P_3\,] \cong m[\,n[\,Q'_1 \mid Q_2\,] \mid Q_3\,]$, which concludes the case.
• Rule Red-Out: similar to the previous case. ✷

Corollary 3.14. Suppose $P \cong Q$ and $P \Longrightarrow P'$. Then there is $Q'$ such that $Q \Longrightarrow Q'$ and $P' \cong Q'$.

Proof. By induction on the number of transitions in $P \Longrightarrow P'$, using Lemma 3.13 for the inductive case. ✷

Lemma 3.15.
− $cap.P \simeq_{int} Q$ implies $Q \equiv cap.Q'$, for some $Q'$.
− $\{n\} \simeq_{int} Q$ implies $Q \equiv \{n\}$.
− $(x)P \simeq_{int} Q$ implies $Q \equiv (x)Q'$, for some $Q'$.

Proof.
In every case, we suppose by contradiction that $Q \equiv Q_1 \mid Q_2$ where none of the $Q_i$s is structurally congruent to $\mathbf{0}$. Then $P$ and $Q$ can be distinguished using the clauses of $\simeq_{int}$ for parallel composition and $\mathbf{0}$, which means a contradiction. Therefore, $Q$ is single (it has only one component), and we can conclude using the appropriate clause of the definition of $\simeq_{int}$ in each case. ✷

Lemma 3.16. $\simeq_{int} \subseteq \cong$.

Proof. By proving that $\simeq_{int}$ is a $\cong$-bisimulation. The proof is easy, using Lemma 3.15. ✷

Lemma 3.17. $\cong \subseteq \simeq_{int}$.

Proof. By proving that $\cong$ is a $\simeq_{int}$-bisimulation. We need Lemma 3.12 (precisely, the fact that $\cong$ is preserved by parallel composition), Lemma 3.10, Corollary 3.14, and Lemma 3.9. ✷

Corollary 3.18. Relations $\simeq_{int}$ and $\cong$ coincide.

Corollary 3.19. Relations $\simeq^{o}_{int}$ and $\cong^{o}$ are congruence relations.

Proof. Follows from Corollary 3.18, and Lemmas 3.4 and 3.12. ✷

3.3. Expressiveness results. In this subsection we recall some expressiveness results for AL. These results state the existence of formulas capturing some nontrivial properties of processes. They are proved in [21], and will be exploited later to assess the separating power of the logic.

We start by introducing two measures on terms, that represent two ways of defining the depth of a process. The first definition exploits the notion of eta normal form (see Lemma 3.7):

Definition 3.20 (Sequentiality degree, $sd$). The sequentiality degree of a term $P$ is defined as follows:
• $sd(\mathbf{0}) = 0$, $sd(P \mid Q) = \max\big(sd(P), sd(Q)\big)$;
• $sd(n[P]) = sd(!P) = sd(P)$;
• $sd(cap.P) = 1 + sd(P)$;
• $sd(\{n\}) = 1$;
• $sd((x)P) = sd(P') + 1$ where $(x)P'$ is the eta normal form of $(x)P$.
Intuitively, the sequentiality degree counts the number of 'parcels of interaction' (capabilities, messages, input prefixes) in a term.
We now define the depth degree, that is sensitive to the number of nested ambients. This quantity will be soon used in the interpretation of some formulas of AL, but also to define an inductive order on processes (see Subsection 3.4).

Definition 3.21 (Depth degree). The depth degree of a process is computed using a function $dd$ from MA processes to natural numbers, inductively defined by:
• $dd(\mathbf{0}) \stackrel{def}{=} 0$, $dd(cap.P) \stackrel{def}{=} 0$;
• $dd((x)P) \stackrel{def}{=} 0$, $dd(\{n\}) \stackrel{def}{=} 0$;
• $dd(n[P]) \stackrel{def}{=} dd(P) + 1$;
• $dd((!)P_1 \mid \dots \mid (!)P_r) \stackrel{def}{=} \max_{1 \le i \le r} dd(P_i)$.

We introduce formulas that express some kind of possibility modalities corresponding to the movement capabilities and input prefix of MA.

Lemma 3.22. For any $cap$, there exists a formula context $\langle\!\langle cap \rangle\!\rangle.\{\!|\cdot|\!\}$ such that for any closed process $P$, and any formula $A$, $P \models \langle\!\langle cap \rangle\!\rangle.\{\!|A|\!\}$ iff $\exists P', P''.\ P \equiv cap.P'$, $P' \stackrel{\langle cap \rangle}{\Longrightarrow} P''$ and $P'' \models A$.
For all $n$, there is a formula $\{n\}$ such that $P \models \{n\}$ iff $P \equiv \{n\}$.
For all $n$, there exists a formula context $\langle\!\langle ?n \rangle\!\rangle.\{\!|\cdot|\!\}$ such that for all processes $P$ and formulas $A$, $P \models \langle\!\langle ?n \rangle\!\rangle.\{\!|A|\!\}$ iff $\exists x, P', P''.\ P \equiv (x)P'$, $(x)P' \mid \{n\} \Longrightarrow P''$ and $P'' \models A$.

We will also need the necessity modalities, that have a dual interpretation w.r.t. the above formulas:

Lemma 3.23. For all $cap$, there is a formula context $[\![ cap ]\!].\{\!|\cdot|\!\}$ such that for all processes $P$ and formulas $A$, $P \models [\![ cap ]\!].\{\!|A|\!\}$ iff $\exists P'.\ P \equiv cap.P'$ and $\forall P''.\ P' \stackrel{\langle cap \rangle}{\Longrightarrow} P''$ implies $P'' \models A$.
For all $n$, there is a formula context $[\![ ?n ]\!].\{\!|\cdot|\!\}$ such that, for all processes $P$ and formulas $A$, $P \models [\![ ?n ]\!].\{\!|A|\!\}$ iff $\exists P', x.\ P \equiv (x)P'$ and $\forall P''.\ (x)P' \mid \{n\} \Longrightarrow P''$ implies $P'' \models A$.
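The two measures above, computed on an explicit term representation, as an added Python example that is not part of the paper; it also implements the frozen-subterm set $froz_N(P)$ of Definition 4.11 (Section 4.2 below), which reuses the same representation. The tuple encoding of terms, the matching of bound variables by name, and the treatment of the ambient case in $froz_N$ are assumptions of this example, not the paper's.

```python
# Constructed term representation for public MA (the grammar the paper uses:
# 0, P | Q, n[P], cap.P, {n}, (x)P, !P), as nested tuples so that terms are
# hashable.  Terms are compared syntactically, not modulo structural congruence.
ZERO = ("zero",)
def par(p, q):       return ("par", p, q)
def amb(n, p):       return ("amb", n, p)
def cap(kind, n, p): return ("cap", kind, n, p)     # kind in {"in", "out", "open"}
def msg(n):          return ("msg", n)
def inp(x, p):       return ("inp", x, p)           # the input prefix (x)P
def rep(p):          return ("rep", p)


def components(t):
    """Flatten parallel compositions and drop 0 (the monoid laws of ≡)."""
    if t[0] == "par":
        return components(t[1]) + components(t[2])
    return [] if t == ZERO else [t]


def subst(t, x, n):
    """The substitution t{n/x}; an inner (x) binding the same x shadows it."""
    r = lambda s: n if s == x else s
    tag = t[0]
    if tag == "par":  return par(subst(t[1], x, n), subst(t[2], x, n))
    if tag == "amb":  return amb(r(t[1]), subst(t[2], x, n))
    if tag == "cap":  return cap(t[1], r(t[2]), subst(t[3], x, n))
    if tag == "msg":  return msg(r(t[1]))
    if tag == "rep":  return rep(subst(t[1], x, n))
    if tag == "inp" and t[1] != x:
        return inp(t[1], subst(t[2], x, n))
    return t


def eta_nf(t):
    """Eta normal form (Definition 3.6, Lemma 3.7): rewrite (x)((x)P | {x}) to
    (x)P everywhere, bottom-up; the body is flattened first so that the order
    of the two components does not matter.  Bound variables match by name."""
    tag = t[0]
    if tag == "par":  return par(eta_nf(t[1]), eta_nf(t[2]))
    if tag == "amb":  return amb(t[1], eta_nf(t[2]))
    if tag == "cap":  return cap(t[1], t[2], eta_nf(t[3]))
    if tag == "rep":  return rep(eta_nf(t[1]))
    if tag == "inp":
        x, body = t[1], eta_nf(t[2])
        while True:
            parts = components(body)
            inner = [p for p in parts if p[0] == "inp" and p[1] == x]
            if len(parts) == 2 and inner and ("msg", x) in parts:
                body = inner[0][2]              # one eta step, left to right
            else:
                return inp(x, body)
    return t


def sd(t):
    """Sequentiality degree (Definition 3.20); inputs are eta normalised first."""
    tag = t[0]
    if tag == "par":  return max(sd(t[1]), sd(t[2]))
    if tag in ("amb", "rep"):  return sd(t[-1])
    if tag == "cap":  return 1 + sd(t[3])
    if tag == "msg":  return 1
    if tag == "inp":  return 1 + sd(eta_nf(t)[2])
    return 0


def dd(t):
    """Depth degree (Definition 3.21): the number of nested ambients."""
    tag = t[0]
    if tag == "par":  return max(dd(t[1]), dd(t[2]))
    if tag == "rep":  return dd(t[1])
    if tag == "amb":  return 1 + dd(t[2])
    return 0


def froz(t, names):
    """Frozen subterms froz_N(P) (Definition 4.11): the subterms under guards,
    with inputs instantiated by every name of N.  The ambient case is not
    listed in the definition as printed; descending into n[P] is an assumption
    of this example."""
    tag = t[0]
    if tag == "par":  return froz(t[1], names) | froz(t[2], names)
    if tag in ("rep", "amb"):  return froz(t[-1], names)
    if tag == "cap":  return {t[3]} | froz(t[3], names)
    if tag == "inp":
        out = set()
        for n in names:
            inst = subst(t[2], t[1], n)
            out |= {inst} | froz(inst, names)
        return out
    return set()


# Constructed instance: the process P of Example 3.3,
# P = !open n.in n.out n.in n.out n.n[0] | n[0].
def example_p():
    chain = amb("n", ZERO)
    for kind in ("out", "in", "out", "in", "open"):
        chain = cap(kind, "n", chain)
    return par(rep(chain), amb("n", ZERO))


if __name__ == "__main__":
    p = example_p()
    print("sd(P) =", sd(p), "dd(P) =", dd(p))          # 5 and 1
    eta = inp("x", par(inp("x", msg("y")), msg("x")))
    print(eta_nf(eta), "sd =", sd(eta))                 # ('inp', 'x', ('msg', 'y')) and 2
    print(froz(inp("x", cap("in", "x", ZERO)), {"n", "m"}))
```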
Each operator of the syntax of MA (Table 2.1) has thus a counterpart in the logic, except replication. It is possible to express in AL a restricted form of replication on formulas, by defining a formula $!A$, expressing that there are infinitely many processes in parallel satisfying $A$, modulo some additional condition on $A$. More precisely, based on Definitions 3.20 and 3.21 above, we say that a formula $A$ is sequentially selective (resp. depth selective) if all processes satisfying $A$ have the same sequentiality degree (resp. depth degree).

Lemma 3.24. For all $cap$, there exists a formula context $\mathrm{Rep}_{cap}\{\!|\cdot|\!\}$ such that for all processes $P$ and for all sequentially selective formulas $A$ whose models are only of the form $cap.R$, $P \models \mathrm{Rep}_{cap}\{\!|A|\!\}$ iff $\exists P_1, \dots, P_r.\ P \equiv\ !P_1 \mid (!)P_2 \mid \dots \mid (!)P_r$ and $P_i \models A$, $i = 1 \dots r$.
For all $n$, there is a formula $!\{n\}$ such that $P \models\ !\{n\}$ iff $P \equiv\ !\{n\}$.
There exists a formula context $\mathrm{Rep}_{input}\{\!|\cdot|\!\}$ such that for all processes $P$ and for all sequentially selective formulas $A$ whose models are only of the form $(x)P$, $P \models \mathrm{Rep}_{input}\{\!|A|\!\}$ iff $\exists P_1, \dots, P_r.\ P \equiv\ !P_1 \mid (!)P_2 \mid \dots \mid (!)P_r$ and $P_i \models A$, $i = 1 \dots r$.

Similar results hold for the replicated version of the dual modalities. The notion of depth selectiveness allows us to derive formulas that capture replicated ambients:

Lemma 3.25. For all $n$, there is a formula context $!n[\{\!|\cdot|\!\}]$ such that for all processes $P$ and for all depth selective formulas $A$, $P \models\ !n[\{\!|A|\!\}]$ iff $\exists P_1, \dots, P_r.\ P \equiv\ !P_1 \mid (!)P_2 \mid \dots \mid (!)P_r$ and $P_i \models n[A]$, $i = 1 \dots r$.

By putting together these expressiveness results, we can derive formulas characterising the equivalence class of a process w.r.t.
logical equivalence for a subcalculus of MA, defined as follows:

Definition 3.26 (Subcalculus $\mathrm{MA}_{IF}$). Consider a process $P$, and a name $n \notin \mathrm{fn}(P)$. We say that $P$ is image-finite if any subterm of $P$ of the form $cap.P'$ (resp. $(x)P'$) is such that the set $\{P'' : P' \stackrel{\langle cap \rangle}{\Longrightarrow} P''\}/\simeq_{int}$ (resp. $\{P'' : P'\{n/x\} \Longrightarrow P''\}/\simeq_{int}$) is finite. $\mathrm{MA}_{IF}$ is the set of image-finite MA processes.

In the standard definition of image-finiteness, as used, e.g., to establish inductively completeness of the Hennessy-Milner logic, one requires that the set of outcomes of the process is finite. While exploring the possible outcomes (and in absence of restriction in the process calculus), we may expose at top-level any subterm of the process, and hence we implicitly require that all of its subterms are image-finite in the standard sense. On the other hand, in our case, we do not impose that $P$ has only finitely many outcomes, but only do so for some subterms. As a consequence, our notion is less restrictive, and any image-finite process in the standard sense belongs to $\mathrm{MA}_{IF}$.

Lemma 3.27 (Characteristic formulas on $\mathrm{MA}_{IF}$). For any closed $\mathrm{MA}_{IF}$ process $P$, there exists a formula $A_P$ s.t. for any $Q$, these three conditions are equivalent:
(1) $Q \models A_P$;
(2) $P =_L Q$;
(3) $P \simeq_{int} Q$.

A final expressiveness result that will be needed later is the ability to test free name occurrences in a process.

Lemma 3.28. For any name $n$, there exists a formula $\copyright n$ such that for any $P$, $P \models \copyright n$ iff $n \in \mathrm{fn}(P)$.

3.4. Soundness, and Completeness for Finite Processes. We now study soundness and completeness of $\simeq_{int}$ with respect to $=_L$. Soundness means that $\simeq_{int} \subseteq\ =_L$, and completeness is the converse. We show here soundness on the whole calculus.
By contrast, we only prove completeness on the finite processes, deferring the general result to the next section. We chose to do this for the sake of clarity: the proof in the finite case is much simpler, and exposes the basic ideas of the argument in the full calculus.

3.4.1. Soundness on full public MA. In order to prove soundness (on the whole calculus), we use the definition of $\cong$ and the congruence property to establish that bisimilar processes satisfy the same formulas.

Theorem 3.29 (Soundness of $\simeq_{int}$). Assume $P, Q \in \mathrm{MA}$, and suppose $P \simeq_{int} Q$. Then, for all $A$, it holds that $P \models A$ iff $Q \models A$.

Proof. By induction on the size of $A$.
• $A = \top$. Nothing to prove.
• $A = \neg B$ or $A = B_1 \vee B_2$. By induction and the definition of satisfaction.
• $A = \mathbf{0}$. By definition of satisfaction and clause (2) of the definition of $\simeq_{int}$.
• $A = n[B]$. Then $P \equiv n[P']$ and $P' \models B$. Hence $Q \equiv n[Q']$ for some $Q' \simeq_{int} P'$. By induction, $Q' \models B$; we can therefore conclude that also $Q \models n[B]$ holds.
• $A = A_1 \mid A_2$. Then $P \equiv P_1 \mid P_2$ and $P_i \models A_i$. By clause (1) of Definition 3.2, $Q \equiv Q_1 \mid Q_2$ for some $Q_i \simeq_{int} P_i$. By induction, $Q_i \models A_i$; we can therefore conclude that also $Q \models A_1 \mid A_2$ holds.
• $A = \forall x.B$. By definition of satisfaction, $P \models B\{n/x\}$ for all $n$. The result for $Q$ then follows by induction, for $B\{n/x\}$ is strictly smaller than $\forall x.B$.
• $A = \Diamond B$. By definition of satisfaction, there is $P'$ such that $P \Longrightarrow P'$ and $P' \models B$. Using clause (3) of the definition of $\simeq_{int}$, there is $Q'$ such that $Q \Longrightarrow Q' \simeq_{int} P'$. By induction, $Q' \models B$; hence $Q \models A$.
• $A = B@n$ or $A = A_1 \triangleleft A_2$. Follows using induction and the congruence of $\simeq_{int}$. ✷

3.4.2. Completeness, on finite processes.
The proof of completeness we develop here is based on the construction of a sequence of approximants of $\cong$, which is a standard approach for image-finite calculi. This works in the finite case (finiteness implies image-finiteness), but not in presence of replication. The proof is however interesting on its own, and gives a much simpler account of how the logic expresses the clauses of $\simeq_{int}$ than the proof for the whole calculus.

Note that the definability of characteristic formulas for $\simeq_{int}$ on $\mathrm{MA}_{IF}$ (see Definition 3.26 and Lemma 3.27) implies completeness: for two $\mathrm{MA}_{IF}$ processes $P$ and $Q$, $P =_L Q$ entails $P \simeq_{int} Q$. Since $\mathrm{MA}_{IF}$ contains the set of finite processes, this already gives completeness on finite processes. We nevertheless present here a proof that is specific to the finite case, to prepare the ground for completeness on full public MA.

The route we are interested in for the completeness proof uses $i$-th approximants $\cong_i$ of relation $\cong$, and the fact that $\cong_\omega \stackrel{def}{=} \bigcap_i \cong_i$ coincides with $\cong$.

Definition 3.30. We define the relations $\cong_i$ between processes, for all $i \ge 0$, as follows. $\cong_0$ is the universal relation, and $\cong_{i+1}$ is defined by saying that $P \cong_{i+1} Q$ holds if we have:
(1) If $P \equiv P_1 \mid P_2$ then there are $Q_s$ ($s = 1, 2$) such that $Q \equiv Q_1 \mid Q_2$ and for all $s$, $P_s \cong_i Q_s$.
(2) If $P \equiv cap.P'$ then there are $Q', Q''$ such that (a) $Q \equiv cap.Q'$, (b) $Q' \stackrel{\langle cap \rangle}{\Longrightarrow} Q''$, and (c) $P' \cong_i Q'$.
(3) If $P \equiv \{n\}$ then $Q \equiv \{n\}$.
(4) If $P \equiv (x)P'$ then there is $Q'$ such that (a) $Q \equiv (x)Q'$ and (b) for all $n$ there is $Q''$ such that $\{n\} \mid Q \Longrightarrow Q''$ and $P'\{n/x\} \cong_i Q''$.
(5) If $P \equiv n[P']$ then there is $Q'$ such that $Q \equiv n[Q']$ and $P' \cong_i Q'$.
We set $\cong_\omega \stackrel{def}{=} \bigcap_{i \ge 0} \cong_i$.

Lemma 3.31. $\cong_\omega$ coincides with $\cong$ on finite processes.

Proof. Standard approximation result (finite processes are image finite). ✷

Lemma 3.32.
Let $P, Q$ be two finite processes. If $P =_L Q$ then $P \cong_\omega Q$.

Proof. Suppose $P \not\cong_\omega Q$. Then there is $i$ such that $P \not\cong_i Q$. We prove, by induction on $i$, that in this case we can find a formula $A$ such that $P \models A$ holds but $Q \models A$ does not.

For $i = 0$, this trivially holds since the hypothesis $P \not\cong_0 Q$ is absurd, $\cong_0$ being the universal relation.

Now the case $i + 1$, for $i \ge 0$. We proceed by case analysis:
(1) $P \equiv P_1 \mid P_2$, and for all $Q_1, Q_2$ such that $Q \equiv Q_1 \mid Q_2$ there is $t$ ($1 \le t \le 2$) such that $P_t \not\cong_i Q_t$. Modulo $\equiv$, there is a finite number, say $s$, of pairs of processes $Q_1, Q_2$ such that $Q \equiv Q_1 \mid Q_2$ (note that by hypothesis $P$ is finite). Call $Q_{t,u}$ the $t$-th process of the $u$-th pair. Then for all $u$ ($1 \le u \le s$) there is $t$ such that $P_t \not\cong_i Q_{t,u}$. By induction, there is $A_{t,u}$ such that $P_t \models A_{t,u}$ and $Q_{t,u} \not\models A_{t,u}$. Define
$$B_t \stackrel{def}{=} \bigwedge_{u \,.\, 1 \le u \le s \text{ and } P_t \not\cong_i Q_{t,u}} A_{t,u}.$$
Then $P \models B_1 \mid B_2$, whereas $Q \not\models B_1 \mid B_2$.
(2) $P \equiv cap.P'$; then necessarily $Q \equiv cap.Q'$, and for all $Q_t$ such that $Q' \stackrel{\langle cap \rangle}{\Longrightarrow} Q_t$, it holds that $P' \not\cong_i Q_t$. By induction, for all $t$ there is $A_t$ such that $P' \models A_t$ but $Q_t \not\models A_t$. Since $Q$ is finite, there is only a finite number of such processes $Q_t$ (up to $\equiv$). Write $(Q_t)_{t \in I}$ for this set of processes up to $\equiv$ (we pick a representative for each $\equiv$-equivalence class), and call $A_t$ the formula corresponding to each $Q_t$. Define
$$A \stackrel{def}{=} \langle\!\langle cap \rangle\!\rangle.\{\!|\, \textstyle\bigwedge_{t \in I} A_t \,|\!\},$$
using the standard notation for the (finite) conjunction of the $A_t$s. Then $P \models A$ but $Q \not\models A$.
(3) $P \equiv \{n\}$, and $Q \not\equiv \{n\}$: then $P \models \{n\}$, and $Q \not\models \{n\}$.
(4) $P \equiv (x)P'$, $Q \equiv (x)Q'$ and there is $n$ such that for all $Q_t$ such that $\{n\} \mid Q \Longrightarrow Q_t$, it holds that $P'' \not\cong_i Q_t$, for $P'' \stackrel{def}{=} P'\{n/x\}$.
Modulo $\equiv$, there is only a finite number of such $Q_t$s, say $Q_1, \dots, Q_s$. By induction, there are formulas $A_1, \dots, A_s$ with $P'' \models A_t$ and $Q_t \not\models A_t$. We introduce as above the notation $(Q_t)_{t \in I}$, and we define
$$A \stackrel{def}{=} \langle\!\langle ?n \rangle\!\rangle.\{\!|\, \textstyle\bigwedge_{t \in I} A_t \,|\!\}.$$
Then $P \models A$, but $Q \not\models A$, because whenever $\{n\} \mid Q \Longrightarrow Q_t$, it holds that $Q_t \not\models A_t$.
(5) $P \equiv n[P']$, $Q \equiv n[Q']$ and $P' \not\cong_i Q'$. By induction there is $A'$ with $P' \models A'$ but $Q' \not\models A'$. Define $A \stackrel{def}{=} n[A']$; then $P \models A$ but $Q \not\models A$. ✷

Theorem 3.33 (Completeness on finite processes). Let $P, Q$ be two finite closed processes. If $P =_L Q$ then $P \simeq_{int} Q$.

Proof. Follows from Lemmas 3.31 and 3.32. ✷

4. Completeness of $\simeq_{int}$ in the full calculus

The proof we have presented in the finite case cannot be used directly in the full MA calculus, because we lack the image-finiteness hypothesis, which allowed us to show that the limit $\cong_\omega$ coincides with $\cong$. In this section, we present a proof of the completeness of $\simeq_{int}$ for all processes. To do this, we establish the existence, for any processes $P, Q$, of a formula $F_{P,Q}$ such that $P \models F_{P,Q}$, and such that $Q \models F_{P,Q}$ holds if and only if $P \simeq_{int} Q$. This result is hence weaker than the existence of characteristic formulas, but it does not require image finiteness.

We sketch the structure of the proof. Our approach exploits two technical devices, that we introduce first. We start by proving some lemmas related to the sequentiality degree of a term (Definition 3.20), which allows us to define a sound induction principle on MA processes. This principle supports the introduction of an inductive characterisation of $\simeq_{int}$.
The second technical device we introduce is the set of frozen subterms of a process, that intuitively corresponds to the collection of subterms appearing under guards (capabilities or input prefixes) in a given term. These two technical notions are then used to define local characteristic formulas, which correspond to a relaxed notion of characteristic formula w.r.t. logical equivalence. An important fact about the set of frozen subterms of a process is that it enjoys a kind of subject reduction property; this allows us to replace the potentially infinite set of images of a term with a finite set when constructing local characteristic formulas.

4.1. An inductive characterisation of $\simeq_{int}$. We now establish some properties related to the sequentiality degree of processes. These allow us to introduce a well-founded order on terms which supports the definition of an inductive relation that coincides with $\simeq_{int}$.

Lemma 4.1. Let $P, Q$ be two terms of MA. Then:
(1) if $P \equiv Q$, then $sd(P) = sd(Q)$;
(2) if $P \longrightarrow Q$ or $P \xrightarrow{\mu} Q$ then $sd(P) \ge sd(Q)$.

Proof. 1 is immediate, as is the result on $\xrightarrow{\mu}$ in 2. For $P \longrightarrow Q$, we reason by induction on the height of the derivation of $P \longrightarrow Q$. ✷

Corollary 4.2. For all $cap$, if $P \stackrel{\langle cap \rangle}{\Longrightarrow} Q$, then $sd(P) \ge sd(Q)$.

This result will be important for the justification of Definition 4.9 below.

Lemma 4.3. For any closed process $P \in \mathrm{MA}$, there exists a formula $F_{sd(P)}$ such that:
• $P \models F_{sd(P)}$, and
• for any term $Q$, if $Q \models F_{sd(P)}$, then $sd(Q) \ge sd(P)$.

Proof. We can assume that $P$ is eta normalised. Let us first reason by induction on $sd(P)$:
• for $sd(P) = 0$, $F_{sd(P)} = \top$ is sufficient.
• for $sd(P) > 0$, let us assume that there exist formulas $F_{sd(P')}$ for any $P'$ such that $sd(P') < sd(P)$. We reason by induction on $P$.
− the case $P = \mathbf{0}$ is impossible.
− for $P = P_1 \mid P_2$, there is $i$ such that $sd(P) = sd(P_i)$. Then we may choose $F_{sd(P)} = F_{sd(P_i)} \mid \top$. In the same way, let us set $F_{sd(\{n\})} = F_{\{n\}}$, $F_{sd(!P)} = F_{sd(P)} \mid \top$ and $F_{sd(n[P])} = n[F_{sd(P)}]$.
− for $P = cap.P'$, we use the general induction hypothesis to construct $F_{sd(P')}$. Let us then take $F_{sd(P)} = \langle\!\langle cap \rangle\!\rangle.F_{sd(P')}$. Then $P \models F_{sd(P)}$, and for any $Q$ such that $Q \models F_{sd(P)}$, we deduce (from Lemma 3.22) that there are $Q', Q''$ such that $Q \equiv cap.Q'$ and $Q' \stackrel{\langle cap \rangle}{\Longrightarrow} Q''$ with $Q'' \models F_{sd(P')}$. Now by Lemma 4.1, $sd(Q) - 1 = sd(Q') \ge sd(Q'')$, and by induction hypothesis $sd(Q'') \ge sd(P') = sd(P) - 1$, so that finally $sd(Q) \ge sd(P)$.
− for $P = (x)P'$, we use the general induction hypothesis to get $F_{sd(P')}$. Let us then take $F_{sd(P)} = \exists x.\langle\!\langle ?x \rangle\!\rangle.F_{sd(P')}$. Then $P \models F_{sd(P)}$, and for any $Q$ such that $Q \models F_{sd(P)}$, we deduce (from Lemma 3.22) that there are $n, Q', Q''$ such that $Q \equiv (x)Q'$ and $Q_1 = \{n\} \mid (x)Q' \Longrightarrow Q''$ with $Q'' \models F_{sd(P')}$. Now by Lemma 4.1, $sd(Q_1) - 1 = sd(Q) - 1 = sd(Q'\{n/x\}) \ge sd(Q'')$, and by induction hypothesis $sd(Q'') \ge sd(P') = sd(P) - 1$, so that finally $sd(Q) \ge sd(P)$. ✷

A similar result can be proved for the depth degree of a process:

Lemma 4.4. For any closed process $P \in \mathrm{MA}$, there exists a formula $F_{dd(P)}$ such that:
• $P \models F_{dd(P)}$, and
• for any term $Q$, if $Q \models F_{dd(P)}$, then $dd(Q) \ge dd(P)$.

Proof. We reason as in the proof of the previous lemma. ✷

Corollary 4.5. If $P \simeq_{int} Q$, then $sd(P) = sd(Q)$ and $dd(P) = dd(Q)$.

Proof. By Theorem 3.29, $P \simeq_{int} Q$ implies $P =_L Q$, which gives the result.
✷

The sequentiality degree can be used as a basis for inductive reasoning on processes up to reductions of some subterms. This is formalised by the following definition:

Definition 4.6 (Well-founded order). Given two processes $P$ and $Q$, we write $P < Q$ (or $Q > P$) if either $sd(P) < sd(Q)$ or $P$ is a strict subterm of $Q$.

Lemma 4.7.
• $<$ is well-founded.
• Suppose $P$ is of the form either $cap.P'$ or $(x)P'$, and suppose moreover $P > Q$ and $Q \stackrel{\langle cap \rangle}{\Longrightarrow} Q'$ for some $cap$. Then $P > Q'$.

Proof.
• Well-foundedness: if $P$ is a strict subterm of $Q$, then $sd(P) \le sd(Q)$.
• $P > Q'$: follows from Lemma 4.1. ✷

In order to give an inductive characterisation of $\simeq_{int}$, we establish the following results about $\simeq_{int}$. These are inversion properties, in the sense that they allow one to deduce, from $P \simeq_{int} Q$, with $P$ having a given shape, consequences about the shape of $Q$.

Lemma 4.8 (Inversion results for $\simeq_{int}$). Let $P, P_1, P_2, Q$ be processes of MA. Then
(1) $\mathbf{0} \simeq_{int} Q$ iff $Q \equiv \mathbf{0}$.
(2) $n[P] \simeq_{int} Q$ iff there exists $Q'$ such that $Q \equiv n[Q']$ and $P \simeq_{int} Q'$.
(3) $P_1 \mid P_2 \simeq_{int} Q$ iff there exist $Q_1, Q_2$ such that $Q \equiv Q_1 \mid Q_2$ and $P_i \simeq_{int} Q_i$ for $i = 1, 2$.
(4) $!P \simeq_{int} Q$ iff there exist $r \ge 1$, $s \ge r$, $Q_i$ ($1 \le i \le s$) such that $Q \equiv \Pi_{1 \le i \le r}\, !Q_i \mid \Pi_{r+1 \le i \le s}\, Q_i$, and $P \simeq_{int} Q_i$ for $i = 1 \dots s$.
(5) $cap.P \simeq_{int} Q$ iff there exists $Q'$ such that $Q \equiv cap.Q'$ with $P \stackrel{\langle cap \rangle}{\Longrightarrow} \simeq_{int} Q'$ and $Q' \stackrel{\langle cap \rangle}{\Longrightarrow} \simeq_{int} P$.
(6) $\{n\} \simeq_{int} Q$ iff $Q \equiv \{n\}$.
(7) $(x)P \simeq_{int} Q$ iff there exist $Q', m$ such that $m \notin \mathrm{fn}(P) \cup \mathrm{fn}(Q)$, $Q \equiv (x)Q'$, $Q \mid \{m\} \Longrightarrow \simeq_{int} P\{m/x\}$ and $(x)P \mid \{m\} \Longrightarrow \simeq_{int} Q'\{m/x\}$.

Proof. We first leave out the fourth case. For the other cases, the left to right implications follow by the fact that, in each case, the corresponding clauses in the definitions of $\cong$ and $\simeq_{int}$ are almost the same.
For the right to left implication, cases 1 and 6 hold by reflexivity of $\simeq_{int}$, and cases 2 and 3 follow from congruence of $\simeq_{int}$ (Corollary 3.19). Case 5 is similar to the corresponding condition in $\cong$ (note that all other conditions are trivially fulfilled).

We explain case 7 in more detail. We take $P, Q, Q', x, m$ satisfying the required properties, and further introduce processes $P_1$ and $Q_1$ by imposing $(x)P \mid \{m\} \Longrightarrow P_1 \simeq_{int} Q'\{m/x\}$ and $Q \mid \{m\} \Longrightarrow Q_1 \simeq_{int} P\{m/x\}$. To show that $P \simeq_{int} Q$, we need to show that these processes satisfy the condition for receptions in the definition of $\cong$ (Definition 3.5), all other requirements being satisfied. Consider an arbitrary name $m'$; we want to show that there exist $P'', Q''$ such that $Q \mid \{m'\} \Longrightarrow Q''$, $P\{m'/x\} \simeq_{int} Q''$, $(x)P \mid \{m'\} \Longrightarrow P''$ and $P'' \simeq_{int} Q'\{m'/x\}$. By hypothesis, this holds for $m' = m$, by taking $P'' = P_1$ and $Q'' = Q_1$. Otherwise, we set $P'' = P_1\{m'/m\}$ and $Q'' = Q_1\{m'/m\}$. Then $(x)P \mid \{m'\} = ((x)P \mid \{m\})\{m'/m\} \Longrightarrow P_1\{m'/m\} = P''$ since $\Longrightarrow$ is closed under name replacement, and $Q \mid \{m'\} \Longrightarrow Q''$ for the same reason. Moreover, since $\simeq_{int}$ is also closed under name replacement (Lemma 3.11), we deduce from the hypothesis $P_1 \simeq_{int} Q'\{m/x\}$ that $P'' \simeq_{int} Q'\{m'/x\}$, and similarly from $Q_1 \simeq_{int} P\{m/x\}$ that $Q'' \simeq_{int} P\{m'/x\}$. As a consequence, the condition is established for all $m'$. Note that the hypothesis about $m$ being fresh for $P, Q$ is crucial in the proof above.

We are thus left with case 4. The right to left implication holds because, if we define $\mathcal{R}$ as $\cong$ extended with all pairs of the form $(P, \Pi_{1 \le i \le r}\, !Q_i \mid \Pi_{r+1 \le i \le s}\, Q_i)$, with the above conditions, then $\mathcal{R}$ satisfies the clauses of $\cong$, hence $\mathcal{R}$ is $\cong$.
We now consider the left to right implication. First, note that by applying clauses 1 and 2 of Def. 3.2, it can be shown that for any two bisimilar processes $P, Q$, if $P \equiv P' \mid P' \mid \ldots \mid P' \mid P''$, where $P$ contains at least $n$ copies of some single process $P'$, then necessarily $Q \equiv Q_1 \mid \ldots \mid Q_n \mid Q'$ with $Q_i \cong P'$ for all $i$. This entails the left to right implication in the case where $P$ is a single process. When $P$ is not single, we write $P \equiv \prod_{1 \le i \le r} !P_i \mid \prod_{r+1 \le i \le s} P_i$, where $P_1, \ldots, P_s$ are single processes. Thanks to the congruence rule $!(R_1 \mid R_2) = !R_1 \mid !R_2$, $!P \equiv !P_1 \mid \ldots \mid !P_s$. Assume $!P \cong Q$. Applying the inversion rule for parallel composition, we have $Q \equiv Q_1 \mid \ldots \mid Q_s$ with, for every $i$, $!P_i \cong Q_i$, that is, using our reasoning on single processes, $Q_i \equiv \prod_{1 \le j \le r_i} !Q_{i,j} \mid \prod_{r_i+1 \le j \le s_i} Q_{i,j}$. Using the law $!R \equiv !R \mid !R$, it is possible to choose all $r_i$ equal, and similarly applying $!R \equiv !R \mid R$ we can choose all $s_i$ equal. It is then a matter of rearranging the $Q_{i,j}$ in $Q'_1 \mid \ldots \mid Q'_s$ to write $Q$ in the expected form. ✷

We can now define the inductively defined relation that characterises $\simeq_{int}$.

Definition 4.9. Let $\sim_{ind}$ be the binary relation $P \sim_{ind} Q$ defined by induction on $P$ for the order $<$ as follows:
(1) $\mathbf{0} \sim_{ind} Q$ if $Q \equiv \mathbf{0}$.
(2) $n[P] \sim_{ind} Q$ if there exists $Q'$ such that $Q \equiv n[Q']$ and $P \sim_{ind} Q'$.
(3) $P_1 \mid P_2 \sim_{ind} Q$ if there exist $Q_1, Q_2$ such that $Q \equiv Q_1 \mid Q_2$ and $P_i \sim_{ind} Q_i$ for $i = 1, 2$.
(4) $!P \sim_{ind} Q$ if there exist $r \ge 1$, $s \ge r$, $Q_i$ ($1 \le i \le s$) such that $Q \equiv \prod_{1 \le i \le r} !Q_i \mid \prod_{r+1 \le i \le s} Q_i$, and $P \sim_{ind} Q_i$ for $i = 1 \ldots s$.
(5) $cap.P \sim_{ind} Q$ if there exists $Q'$ such that $Q \equiv cap.Q'$ with $P \stackrel{\langle cap\rangle}{\Longrightarrow} \sim_{ind} Q'$ and $Q' \stackrel{\langle cap\rangle}{\Longrightarrow} \sim_{ind} P$.
(6) $\{n\} \sim_{ind} Q$ if $Q \equiv \{n\}$.
(7) $(x)P \sim_{ind} Q$ if there exist $Q'$, $m$ such that $m \notin fn(P) \cup fn(Q)$, $Q \equiv (x)Q'$, $Q \mid \{m\} \Longrightarrow \sim_{ind} P\{m/x\}$ and $(x)P \mid \{m\} \Longrightarrow \sim_{ind} Q'\{m/x\}$.

Theorem 4.10. Relation $\sim_{ind}$ is well defined. Moreover, relations $\sim_{ind}$ and $\simeq_{int}$ coincide.

Proof. The definition of $\sim_{ind}$ is justified using Lemma 4.7. The inclusion $\simeq_{int} \subseteq \sim_{ind}$ is established using the results of Lemma 4.8, which correspond precisely to the defining clauses of $\sim_{ind}$. The converse inclusion follows from Lemma 4.8 too. ✷

4.2. Frozen subterms. We now introduce the notion of frozen subterms of a process. The frozen subterms of a process correspond to occurrences that do not participate in immediate interactions but that may play a role in future reductions. In the remainder, we use $N$ to range over sets of names. Unless otherwise stated, we always implicitly suppose that such a set is finite.

Definition 4.11 (Frozen subterms). Let $N$ be a set of names; the set $\mathit{froz}_N(P)$ is defined by induction on $P$ as follows:
• $\mathit{froz}_N(\mathbf{0}) = \mathit{froz}_N(\{n\}) = \emptyset$;
• $\mathit{froz}_N(P_1 \mid P_2) = \mathit{froz}_N(P_1) \cup \mathit{froz}_N(P_2)$;
• $\mathit{froz}_N(!P) = \mathit{froz}_N(P)$;
• $\mathit{froz}_N(cap.P) = \{P\} \cup \mathit{froz}_N(P)$;
• $\mathit{froz}_N((x)P) = \bigcup_{n \in N} \big(\{P\{n/x\}\} \cup \mathit{froz}_N(P\{n/x\})\big)$.

If $P, P'$ are two structurally congruent terms, then, modulo $\equiv$, $\mathit{froz}_N(P) = \mathit{froz}_N(P')$. Hence this set (in its quotiented version with respect to $\equiv$) is uniquely determined by the structural congruence class of $P$.

Lemma 4.12 (Finiteness of $\mathit{froz}_N(P)$). For any $P \in$ MA, if $N$ is finite, then the set obtained by taking the quotient of $\mathit{froz}_N(P)$ w.r.t. $\equiv$ is finite.

Proof. By induction on $P$. ✷

Not only is $\mathit{froz}_N(P)$ finite, but, as expressed by the following result, this set is preserved by reduction, in the following sense:

Lemma 4.13. Let $P, Q$ be two processes such that $P \longrightarrow Q$ or $P \stackrel{cap}{\longrightarrow} Q$ for some $cap$, and assume $fn(P) \subseteq N$. Then the quotient of $\mathit{froz}_N(Q)$ w.r.t. $\equiv$ is included in the quotient of $\mathit{froz}_N(P)$ w.r.t. $\equiv$.

Proof. We recall that relation $\stackrel{cap}{\longrightarrow}$ is defined on the syntax of processes (see Definition 3.1), and the result follows by definition of $\mathit{froz}_N(P)$, $\mathit{froz}_N(Q)$. For $\longrightarrow$, we reason by induction on the derivation of $P \longrightarrow Q$. The cases corresponding to movement transitions follow from $\stackrel{cap}{\longrightarrow}$. So the only way a reduction could alter the set of frozen terms is through name substitutions generated by communications, and this is handled by the condition $fn(P) \subseteq N$. ✷

4.3. Local characteristic formulas and completeness. The purpose of this subsection is to derive local characteristic formulas, defined as follows:

Definition 4.14 (Local characteristic formula). Let $E$ be a set of terms, $P$ a term and $F$ a formula. We say that $F$ is a characteristic formula for $P$ on $E$ (or, alternatively, an $E$-characteristic formula for $P$) if
• $P \models F$, and
• for any $Q \in E$, if $Q \models F$ then $Q \simeq_{int} P$.

Note that the converse of the second condition always holds, due to soundness of $\simeq_{int}$ (Theorem 3.29): if $Q \in E$ and $Q \simeq_{int} P$, then $Q \models F$. With this definition, completeness of $\simeq_{int}$ boils down to the existence, for any processes $P, Q$, of a characteristic formula of $P$ on the set $\{Q\}$. Although we do not define directly such a formula, this idea guides the construction of the completeness proof. More precisely, we reason inductively on the sequentiality degree of processes, and manipulate two sets of terms, given a process $P$:
• $\mathcal{E}^{\Downarrow}_P \stackrel{\mathrm{def}}{=} \{P' : \exists cap.\ P \stackrel{\langle cap\rangle}{\Longrightarrow} P'\}$, that collects the possible evolutions of $P$,
• and $\mathcal{E}^{frz,N}_P \stackrel{\mathrm{def}}{=} \{P' : \mathit{froz}_N(P') \subseteq \mathit{froz}_N(P)\}$, that intuitively is the set of processes whose possible evolutions can be captured using the evolutions of $P$.

We want to establish the existence, for all $P, Q$, of a local characteristic formula for $P$ on $\mathcal{E}^{\Downarrow}_Q$ and $\mathcal{E}^{frz,N}_Q$. We first prove the following result:

Lemma 4.15. If a formula $F$ characterises $P$ on $\mathcal{E}^{frz,N}_Q$ and $N \supseteq fn(Q)$, then $F$ characterises $P$ on $\mathcal{E}^{\Downarrow}_Q$.

Proof. Follows from Lemma 4.13. ✷

The following lemma describes the construction of a local characteristic formula for guarded terms (of the form $cap.P$ or $(x)P$) on $\mathcal{E}^{frz,N}_Q$, provided we can compute, given several (smaller) processes $R$, local characteristic formulas on $\mathcal{E}^{\Downarrow}_R$:

Lemma 4.16. Consider two processes $P$ and $Q$, and a set $N$ of names such that $fn(P) \cup fn(Q) \subseteq N$. Assume moreover that, for all $Q' \in \mathit{froz}_N(Q)$, we can construct a formula $F_{P,Q'}$ characterising $P$ on $\mathcal{E}^{\Downarrow}_{Q'}$ and a formula $F_{Q',P}$ characterising $Q'$ on $\mathcal{E}^{\Downarrow}_P$. We then have:
• for all $cap$ there exists a formula characterising $cap.P$ on $\mathcal{E}^{frz,N}_Q$,
• for all $n$ such that $P$ is not of the form $\{n\} \mid (y)P'$ with $n \notin fn(P')$, and for all $x$ with $x \notin fv(P)$, there exists a formula characterising $(x)\big(P\{x/n\}\big)$ on $\mathcal{E}^{frz,N}_Q$.

Proof.
• Let $cap$ be a given capability. Set $E = \{Q' \in \mathit{froz}_N(Q) : \forall P'$ s.t. $P \stackrel{\langle cap\rangle}{\Longrightarrow} P',\ P' \not\simeq_{int} Q'\}$; $E \subseteq \mathit{froz}_N(Q)$, so by Lemma 4.12, $E$ is finite, and we can define the formula:
$F \stackrel{\mathrm{def}}{=} \langle\!\langle cap\rangle\!\rangle\{|\bigwedge_{Q' \in \mathit{froz}_N(Q)} F_{P,Q'}|\} \wedge [\![cap]\!]\{|\bigwedge_{Q' \in E} \neg F_{Q',P}|\}$.
We prove first that $cap.P \models F$; by hypothesis, $P \models F_{P,Q'}$ for all $Q' \in \mathit{froz}_N(Q)$, so that we have $cap.P \models \langle\!\langle cap\rangle\!\rangle\{|\bigwedge_{Q' \in \mathit{froz}_N(Q)} F_{P,Q'}|\}$. Let $P'$ be such that $P \stackrel{\langle cap\rangle}{\Longrightarrow} P'$, and consider any $Q' \in E$.
Then by hypothesis $P' \models F_{Q',P}$ would imply $P' \simeq_{int} Q'$, and hence $Q' \notin E$, which is contradictory. So $P' \models \bigwedge_{Q' \in E} \neg F_{Q',P}$, and finally $P \models F$.

Conversely, consider $R \in \mathcal{E}^{frz,N}_Q$ such that $R \models F$. We show that $R \simeq_{int} P$. First, there is $Q'$ such that $R \equiv cap.Q'$ and $Q' \stackrel{\langle cap\rangle}{\Longrightarrow} \models F_{P,Q''}$ for all $Q'' \in \mathit{froz}_N(Q)$. Since $R \in \mathcal{E}^{frz,N}_Q$ and $Q' \in \mathit{froz}_N(R)$, $Q' \in \mathit{froz}_N(Q)$, so $Q' \stackrel{\langle cap\rangle}{\Longrightarrow} \models F_{P,Q'}$, and by hypothesis, $Q' \Longrightarrow \simeq_{int} P$, which gives the first part of the condition to have $cap.P \sim_{ind} R$ (Definition 4.9). Furthermore, since $R$ satisfies the ‘necessity’ part of the formula $F$, $Q' \models \bigwedge_{Q'' \in E} \neg F_{Q'',P}$, that is $Q' \notin E$. Thus, there is $P'$ with $P \stackrel{\langle cap\rangle}{\Longrightarrow} P'$ and $P' \simeq_{int} Q'$, which gives the second part of the condition.

• Let $n, x$ be chosen as in the statement of the lemma. We set $P_0 = (x)\big(P\{x/n\}\big)$. Similarly as before, we define $E = \{Q' \in \mathit{froz}_N(Q) : \forall P'$ s.t. $P \Longrightarrow P',\ P' \not\simeq_{int} Q'\}$; again $E \subseteq \mathit{froz}_N(Q)$, so $E$ is finite, and we may define the formula:
$F \stackrel{\mathrm{def}}{=} \neg\copyright n \wedge \langle\!\langle ?n\rangle\!\rangle\big(\mathit{NonEta} \wedge \bigwedge_{Q' \in \mathit{froz}_N(Q)} F_{P,Q'}\big) \wedge [\![?n]\!]\big(\mathit{NonEta} \rightarrow \bigwedge_{Q' \in E} \neg F_{Q',P}\big)$
with $\mathit{NonEta} \stackrel{\mathrm{def}}{=} \neg\big(\{n\} \mid (\neg\copyright n \wedge \langle\!\langle ?n\rangle\!\rangle \top)\big)$.
Intuitively, the role of formula $\mathit{NonEta}$ is to detect when the reducts of a process satisfying $F$ stop being eta-equivalent to the initial state. Let us prove that $P_0 \models F$: $n \notin fn(P_0)$ by construction, $P_0 \mid \{n\} \Longrightarrow P$, $P \models \mathit{NonEta}$ and $P \models \bigwedge F_{P,Q'}$ by hypothesis, so $P_0$ satisfies the second conjunct in $F$. Take $P'$ such that $P_0 \mid \{n\} \Longrightarrow P'$ and $P' \models \mathit{NonEta}$; we prove that $P' \not\models F_{Q',P}$ for all $Q' \in E$. Since $P' \models \mathit{NonEta}$, $P_0 \mid \{n\} \not\equiv P'$, so $P \Longrightarrow P'$. As a consequence, $P' \models F_{Q',P}$ iff $P' \simeq_{int} Q'$. Then by definition of $E$, $P' \models \bigwedge_{Q' \in E} \neg F_{Q',P}$. As this holds for all $P'$, we have that $P_0 \models F$.
Let us now prove that if $R \in \mathcal{E}^{frz,N}_Q$ and $R \models F$, then $P \simeq_{int} R$. Consider such a process $R$. Then $n \notin fn(R)$, and there exist $Q', R'$ such that $R \equiv (x)Q'$ and $R \mid \{n\} \Longrightarrow R'$ with $R' \models \mathit{NonEta} \wedge \bigwedge_{Q' \in \mathit{froz}_N(Q)} F_{P,Q'}$. Let $(x)Q''$ be the head eta normal form of $(x)Q'$. By definition, $Q''\{n/x\}$ belongs to $\mathit{froz}_N(Q)$, and any reduction $(x)Q' \mid \{n\} \Longrightarrow T$ where $T$ is not eta equivalent to $(x)Q' \mid \{n\}$ goes through the state $Q''\{n/x\}$ (i.e., that reduction can be written $(x)Q' \mid \{n\} \Longrightarrow Q''\{n/x\} \Longrightarrow T$). Due to the definition of $\mathit{NonEta}$, we actually have that $R' \not\equiv_E (x)Q' \mid \{n\}$, so $Q''\{n/x\} \Longrightarrow R'$. Since $R' \models F_{P,Q''\{n/x\}}$, $R' \simeq_{int} P$ and the first part of the condition for input in Definition 4.9 is satisfied. Moreover, $R \mid \{n\} \Longrightarrow Q''\{n/x\}$ and $Q''\{n/x\} \models \mathit{NonEta}$, so $Q''\{n/x\} \models \bigwedge_{Q' \in E} \neg F_{Q',P}$. Since $Q''\{n/x\} \in \mathit{froz}_N(Q)$, we finally have $Q''\{n/x\} \notin E$, that is there is $P'$ such that $P \Longrightarrow P'$ and $P' \simeq_{int} Q''\{n/x\}$. This proves the second condition for $P_0 \sim_{ind} (x)Q''$, and since $(x)Q'' \equiv_E R$, we finally have $P_0 \simeq_{int} R$. ✷

We now prove that given $P$, we can deduce a local characteristic formula for $P$ from local characteristic formulas for its guarded subterms.

Lemma 4.17. Consider two processes $P$ and $Q$, and a set of names $N$, and suppose that, for each subterm of $P$ of the form $cap.P'$ or $(x)P'$, we can construct an $\mathcal{E}^{frz,N}_Q$-characteristic formula. Then there exists an $\mathcal{E}^{frz,N}_Q$-characteristic formula for $P$.

Proof. We assume, without loss of generality, that all occurrences of the replication operator in $P$ are immediately above a guarded process (this is always possible up to $\equiv$). We construct such a formula $F_P$ by induction on $P$. The cases for $\mathbf{0}$, parallel composition, and ambient are easy.
Formulas for messages and replicated messages have been given above, and by hypothesis, we have formulas for guarded processes. We are thus left with the case of replicated terms. If $P = !n[P']$, then $F_P = !n[\{|F_{P'}|\}]$ is an $\mathcal{E}^{frz,N}_Q$-characteristic formula, since $F_{P'}$ is depth selective (all processes satisfying $F_{P'}$ are intensionally bisimilar to $P'$, so their depth degree is equal to $dd(P')$; see Corollary 4.5). If $P = !cap.P'$, then $F_P = \mathit{Rep}_{cap}\{|F_{cap.P'}|\}$, since $F_{cap.P'}$ is sequentially selective. We reason in the same way for the case $P = !(x)P'$. ✷

Lemma 4.18. For all $P, Q$ and $N \supseteq fn(P) \cup fn(Q)$, there exist characteristic formulas for $P$ on $\mathcal{E}^{\Downarrow}_Q$ and $\mathcal{E}^{frz,N}_Q$.

Proof. From Lemma 4.15, it is sufficient to construct a local characteristic formula on $\mathcal{E}^{frz,N}_Q$. We remark that without loss of generality, $P, Q$ can be chosen so that every binding $(x)P$ involves a different variable, and this is enough to build characteristic formulas for the set $N$ enriched with distinct names $n_x$ associated to all variables $x$ occurring in $P$ and $Q$. We reason by induction on $sd(P)$. If $sd(P) = 0$, then $P$ has no guarded subterms, and the conditions of Lemma 4.17 are fulfilled, which implies the existence of a local characteristic formula for $P$. Assume now $sd(P) > 0$, and, for all $P'$ such that $sd(P') < sd(P)$, and for all $Q$, there exists a characteristic formula for $P'$ on $\mathcal{E}^{frz,N}_Q$. Consider a process $Q$. By Lemma 4.17, the existence of an $\mathcal{E}^{frz,N}_Q$-characteristic formula for $P$ can be proved by establishing the existence of an $\mathcal{E}^{frz,N}_Q$-characteristic formula for each guarded subterm of $P$ of the form $cap.P'$ or $(x)P'$. Consider such a guarded subterm $cap.P'$.
We have $sd(P') < sd(P)$, so by induction there exists a formula $F_{P',Q'}$ which is an $\mathcal{E}^{\Downarrow}_{Q'}$-characteristic formula for $P'$ for each $Q' \in \mathit{froz}_N(Q)$. Moreover, by induction, we also have a formula $F_{Q',P'}$ which is a characteristic formula for $Q'$ on $\mathcal{E}^{\Downarrow}_{P'}$ when $sd(Q') \le sd(P') < sd(P)$. In the case $sd(Q') > sd(P')$, we define $F_{Q',P'}$ as the formula $F_{sd(Q')}$ given in Lemma 4.3. This formula characterises $Q'$ on $\mathcal{E}^{\Downarrow}_{P'}$: $Q' \models F_{Q',P'}$ by Lemma 4.3, and if $P'' \in \mathcal{E}^{\Downarrow}_{P'}$ then $sd(P'') \le sd(P') < sd(Q')$, so $P'' \not\models F_{sd(Q')}$. Hence the requirements of Lemma 4.16 are fulfilled, and there exists an $\mathcal{E}^{frz,N}_Q$-characteristic formula for $cap.P'$. Similarly, consider a subterm of the form $(x)P'$, and write $(x)P''$ for its eta normal form. As above, we have local characteristic formulas $F_{P''\{n_x/x\},Q'}$ and $F_{Q',P''\{n_x/x\}}$ by induction and using Lemma 4.3 with a similar reasoning. Since $(x)P''$ is in normal form, all requirements of Lemma 4.16 are satisfied, so that there exists an $\mathcal{E}^{frz,N}_Q$-characteristic formula for $(x)P''$, which is also a characteristic formula for $(x)P'$ by Lemma 3.10. Finally, we have characteristic formulas for all guarded subterms, and by Lemma 4.17, we have an $\mathcal{E}^{frz,N}_Q$-characteristic formula for $P$. ✷

Theorem 4.19 (Completeness of $\simeq_{int}$). In MA, $=_L \subseteq \simeq_{int}$.

Proof. Let $P, Q$ be two terms such that $P \not\simeq_{int} Q$. By Lemma 4.18, there is a formula $F$ characterising $P$ on $\mathcal{E}^{\Downarrow}_Q$. We have $P \models F$. We then have $Q \in \mathcal{E}^{\Downarrow}_Q$, and $Q \models F$ implies $P \simeq_{int} Q$. Hence, since by hypothesis $P \not\simeq_{int} Q$, $Q \not\models F$, and $P \neq_L Q$. ✷

Corollary 4.20. In MA, relations $=_L$, $\simeq_{int}$ and $\sim_{ind}$ coincide.

5. Characterizations of logical equivalences

In this section, we compare logical equivalence and standard equivalence relations on processes, like behavioural equivalence and structural congruence. We give an axiomatization of $=_L$ on $\mathit{MA}_{sIF}$, a subcalculus of MA in which image-finiteness is guaranteed by a syntactical condition (Definition 5.2 below). We shall see that AL is very intensional, in the sense that $=_L$ is ‘almost equal’ to $\equiv$. More precisely, we show that logical equivalence coincides with $\equiv_E$, the relation obtained by extending structural congruence with the eta law (Definition 3.6). We establish the following chain of (dis)equalities, on $\mathit{MA}_{sIF}$:
$\equiv \;\subsetneq\; \equiv_E \;=\; =_L \;=\; \simeq_{int} \;\subsetneq\; \approx$.
We then move to the study of a variant of $\mathit{MA}_{sIF}$ in which communication is synchronous, and show that logical equivalence coincides with $\equiv$ on this calculus. We end this section with a detailed discussion of the treatment of name restriction.

5.1. Extensionality and intensionality. We use the characterisation of $=_L$ as $\simeq_{int}$ to compare logical equivalence with barbed congruence ($\approx$) and structural equivalence ($\equiv$). We start by studying the difference between $=_L$ and $\approx$.

5.1.1. Non-extensionality.

Theorem 5.1. Relation $=_L$ is strictly included in $\approx$.

Proof. The inclusion follows from $=_L \subseteq \simeq_{int}$ and $\simeq_{int} \subseteq \approx$ (the second inclusion is essentially a consequence of the congruence of $\simeq_{int}$). The strictness of the inclusion is proved by the following laws, that are valid for $\approx$ but not for $\simeq_{int}$:
(1) $\mathit{in}\ n.\mathit{in}\ n = \mathit{in}\ n \mid \mathit{in}\ n$
(2) $(x)(y)\mathbf{0} = (x)\mathbf{0} \mid (y)\mathbf{0}$
(3) $(x)\{x\} = \mathbf{0}$. ✷

The third axiom is typical for behavioural equivalences in calculi where communication is asynchronous. The first equality can be derived from a more general law, called the distribution law in [22]: $M.(P \mid M.P \mid \ldots \mid M.P) = M.P \mid M.P \mid \ldots \mid M.P$ (where $M$ appears the same number of times on both sides of the equality). A similar law is valid for the input prefix, from which the second equality above is derived as an instance. Probably the above are not the only laws that make $=_L$ finer than $\approx$, but a complete axiomatization of $\approx$ over $=_L$ is out of the scope of this paper.

5.1.2. Intensionality. We now provide a precise account of the difference between $=_L$ and $\equiv$, in the setting of the subcalculus $\mathit{MA}_{sIF}$, defined as below. We recall that a process is finite if it does not use the replication operator.

Definition 5.2 ($\mathit{MA}_{sIF}$). The subcalculus $\mathit{MA}_{sIF}$ is defined by the grammar:
$P ::= \mathbf{0} \;\big|\; P \mid P \;\big|\; !P \;\big|\; n[P] \;\big|\; cap.P_0 \;\big|\; \{n\} \;\big|\; (x)P_0$
where $P_0$ is a finite process.

In $\mathit{MA}_{sIF}$, we impose finiteness after any form of interaction; in contrast, processes exhibiting an ‘infinite spatial structure’, such as $!a[b[\mathbf{0}]]$, are allowed.

Lemma 5.3. All processes of $\mathit{MA}_{sIF}$ are image-finite.

Proof. $\mathit{MA}_{sIF}$ is included in $\mathit{MA}_{IF}$ since the finiteness condition on $P_0$ in Definition 5.2 implies that $\{P' : P_0 \stackrel{\langle cap\rangle}{\Longrightarrow} P'\}/\simeq_{int}$ and $\{P' : P_0\{n/x\} \Longrightarrow P'\}/\simeq_{int}$ respectively are finite sets. Any process in $\mathit{MA}_{sIF}$ is thus in $\mathit{MA}_{IF}$, and is hence image-finite in the sense of Definition 3.26. ✷

$\mathit{MA}_{sIF}$ strictly contains the finite calculus we considered for the completeness proof in Section 3.4.2. Therefore, Theorem 3.33 does not apply, but Corollary 4.20, which holds for the whole calculus, does. As $\mathit{MA}_{IF}$, $\mathit{MA}_{sIF}$ is image-finite, in the sense of Definition 3.26. While in the former subcalculus this property is guaranteed at a semantical level, in $\mathit{MA}_{sIF}$ it follows from a syntactic restriction (we forbid replication in process $P_0$; see Definition 5.2). We will see in Section 6 that $\mathit{MA}_{sIF}$ is Turing complete.
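As an added illustration of Definition 4.11 (frozen subterms, with Lemma 4.13 checked on one concrete reduction) and of the syntactic condition of Definition 5.2, here is a small Python program over a tuple encoding of MA processes. The encoding, the helper names (`par`, `froz`, `in_ma_sif`, ...) and the sample processes are all constructed for this example; none of it is code from the paper. Structural congruence is approximated by `canon`, which only normalises the monoid laws of parallel composition (associativity, commutativity, $P \mid \mathbf{0} \equiv P$), so the quotient it computes is finer than the one taken modulo $\equiv$ in Lemma 4.12; the reduction $P \mid \{b\} \longrightarrow \mathit{in}\ b.\{b\} \mid \{a\}$ used to exercise Lemma 4.13 is written down by hand rather than computed.

```python
# Constructed tuple encoding of MA processes (hypothetical, not the paper's):
#   ("nil",)             0          ("cap", kind, n, P)  in n.P / out n.P / open n.P
#   ("par", P, Q)        P | Q      ("msg", n)           {n}
#   ("rep", P)           !P         ("inp", x, P)        (x)P
#   ("amb", n, P)        n[P]

NIL = ("nil",)

def par(p, q): return ("par", p, q)
def rep(p): return ("rep", p)
def amb(n, p): return ("amb", n, p)
def cap(kind, n, p): return ("cap", kind, n, p)
def msg(n): return ("msg", n)
def inp(x, p): return ("inp", x, p)

def children(p):
    """Immediate subprocesses of p (the strings in a tuple are names)."""
    return [c for c in p[1:] if isinstance(c, tuple)]

def fn(p):
    """Free names of p; an input (x)P binds x."""
    tag = p[0]
    if tag == "msg": return {p[1]}
    if tag == "amb": return {p[1]} | fn(p[2])
    if tag == "cap": return {p[2]} | fn(p[3])
    if tag == "inp": return fn(p[2]) - {p[1]}
    return set().union(*(fn(c) for c in children(p)))

def subst(p, x, n):
    """P{n/x}: replace the variable x by the name n, stopping at a rebinding of x."""
    tag = p[0]
    if tag == "msg": return msg(n if p[1] == x else p[1])
    if tag == "amb": return amb(n if p[1] == x else p[1], subst(p[2], x, n))
    if tag == "cap": return cap(p[1], n if p[2] == x else p[2], subst(p[3], x, n))
    if tag == "inp": return p if p[1] == x else inp(p[1], subst(p[2], x, n))
    if tag == "par": return par(subst(p[1], x, n), subst(p[2], x, n))
    if tag == "rep": return rep(subst(p[1], x, n))
    return p

def flatten(p):
    """Components of a parallel composition, with nested | removed."""
    return flatten(p[1]) + flatten(p[2]) if p[0] == "par" else [p]

def canon(p):
    """Representative of p modulo the monoid laws of |: associativity,
    commutativity and P | 0 = P. This is only a fragment of structural
    congruence (the replication laws are not handled)."""
    tag = p[0]
    if tag == "par":
        parts = sorted((canon(c) for c in flatten(p) if c != NIL), key=repr)
        if not parts: return NIL
        out = parts[-1]
        for q in reversed(parts[:-1]):
            out = par(q, out)
        return out
    if tag == "rep": return rep(canon(p[1]))
    if tag == "amb": return amb(p[1], canon(p[2]))
    if tag == "cap": return cap(p[1], p[2], canon(p[3]))
    if tag == "inp": return inp(p[1], canon(p[2]))
    return p

def froz(p, N):
    """froz_N(P) of Definition 4.11; members are stored in canonical form."""
    tag = p[0]
    if tag in ("nil", "msg"): return set()
    if tag == "par": return froz(p[1], N) | froz(p[2], N)
    if tag == "rep": return froz(p[1], N)
    if tag == "cap": return {canon(p[3])} | froz(p[3], N)
    out = set()                       # input prefix: one instance per name in N
    for n in N:
        body = subst(p[2], p[1], n)
        out |= {canon(body)} | froz(body, N)
    return out

def frozen_preserved(p, q, N):
    """Lemma 4.13 on one given pair: fn(p) is covered by N and every frozen
    term of q is already a frozen term of p. Meaningful when q is a reduct of p."""
    return fn(p) <= set(N) and froz(q, N) <= froz(p, N)

def is_finite(p):
    """A finite process uses no replication."""
    return p[0] != "rep" and all(is_finite(c) for c in children(p))

def in_ma_sif(p):
    """Definition 5.2: the continuation of every capability or input prefix is
    finite; replication outside prefixes, such as !a[b[0]], is allowed."""
    if p[0] in ("cap", "inp"):
        return is_finite(p[-1])
    return all(in_ma_sif(c) for c in children(p))

if __name__ == "__main__":
    # Constructed example: P = (x)(in x.{x} | {a}) with N = {a, b}
    P = inp("x", par(cap("in", "x", msg("x")), msg("a")))
    for t in sorted(froz(P, {"a", "b"}), key=repr):
        print(t)
    # Constructed reduction P | {b} --> in b.{b} | {a}; its frozen terms are among P's
    print(frozen_preserved(par(P, msg("b")), par(cap("in", "b", msg("b")), msg("a")), {"a", "b"}))
    print(in_ma_sif(rep(amb("a", amb("b", NIL)))), in_ma_sif(cap("in", "a", rep(msg("b")))))
```

Running the program lists the four frozen terms of $(x)(\mathit{in}\ x.\{x\} \mid \{a\})$ for $N = \{a, b\}$ (one instance of the body and one of its own frozen subterm per name), confirms that the hand-written reduct only has frozen terms already present before the reduction, and shows that $!a[b[\mathbf{0}]]$ passes the $\mathit{MA}_{sIF}$ check while $\mathit{in}\ a.!\{b\}$ fails it because replication occurs under a prefix.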
We let normalised structural congruence, written $\equiv_E$, be the relation defined by the rules of $\equiv$ plus the eta law (see Definition 3.6).

Lemma 5.4. $\equiv_E \subseteq \cong$.

Proof. It is enough to prove that given $P, Q$ such that $P \longrightarrow_\eta Q$, we have $P \simeq_{int} Q$. We reason by induction on $P$, following Lemma 4.8. In that lemma, the situations corresponding to the operators of parallel composition, ambients and capability prefixes are easy because of commutation properties of $\longrightarrow_\eta$. In the cases of $\mathbf{0}$ and of messages, there is no redex for $\longrightarrow_\eta$. So we only have to examine the clause for the input condition in $\simeq_{int}$. Let $n$ be a fresh name and write $P \equiv (x)P'$, $Q \equiv (x)Q'$. We have to prove that $P \mid \{n\} \Longrightarrow \simeq_{int} Q'\{n/x\}$ and $Q \mid \{n\} \Longrightarrow \simeq_{int} P'\{n/x\}$. The reduction $P \longrightarrow_\eta Q$ can follow from two reasons: either $P \equiv (x)\big(\{x\} \mid (x)Q'\big)$, or $P' \longrightarrow_\eta Q'$. In the first case, the proof is straightforward, and in the second case, the induction hypothesis allows us to conclude. ✷

The converse of this lemma is the difficult part of the characterisation of $=_L$ in $\mathit{MA}_{sIF}$. This is proved by showing that two intensionally bisimilar finite processes have essentially the same number of prefixes and messages. Using the separative power given by the logic, this entails that $\cong \subseteq \equiv_E$ on $\mathit{MA}_{sIF}$. It has to be stressed that we rely here on the syntactical finiteness condition defining $\mathit{MA}_{sIF}$, and that our approach does not apply to, e.g., $\mathit{MA}_{IF}$.

We write $\mathit{messages}(R)$ for the number of messages in $R$, and $\mathit{pref}(R)$ for the number of capabilities and abstractions in $R$.

Lemma 5.5. Let $P, Q$ be two finite processes. Suppose $P \longrightarrow P'$. Then
(1) $\mathit{messages}(P) \ge \mathit{messages}(P')$;
(2) $\mathit{pref}(P) \ge \mathit{pref}(P')$.

Proof. By induction on the derivation of $P \longrightarrow P'$. ✷

Lemma 5.6. Let $P, Q$ be two finite processes. Suppose that $P \cong Q$, and that both $P$ and $Q$ are eta-normalised. Then $\mathit{messages}(P) = \mathit{messages}(Q)$.

Proof. Suppose $\mathit{messages}(P) > \mathit{messages}(Q)$. We prove that we derive a contradiction. We proceed by a case analysis on the shape of $P$ (i.e., the number of its operators).
• $P = P_1 \mid P_2$. Then, by definition of $\cong$, it must be $Q \equiv Q_1 \mid Q_2$ with $P_i \cong Q_i$. Now, for some $i$, we should have $\mathit{messages}(P_i) \neq \mathit{messages}(Q_i)$, which is impossible, by the induction on the shape.
• $P = cap.P'$. Then, by definition of $\cong$, it must be $Q \equiv cap.Q'$ and $Q' \stackrel{\langle cap\rangle}{\Longrightarrow} Q'' \cong P'$. It will then be, by Lemma 5.5(1), $\mathit{messages}(P) = \mathit{messages}(P') > \mathit{messages}(Q'')$, which is impossible, by the induction on the shape.
• $P = (x)P'$. Then, by definition of $\cong$, it must be $Q \equiv (x)Q'$; moreover, for $n$ fresh, there must be $Q''$ such that $\{n\} \mid (x)Q' \Longrightarrow Q'' \cong P'\{n/x\}$. If the reduction $\{n\} \mid (x)Q' \Longrightarrow Q''$ contains at least one step, then we would have $\mathit{messages}(P'\{n/x\}) = \mathit{messages}(P) > \mathit{messages}(Q') \ge \mathit{messages}(Q'')$ and therefore, by induction on the shape, we could not have $Q'' \cong P'\{n/x\}$. Therefore, suppose $Q'' = \{n\} \mid (x)Q'$. Then $Q'' \cong P'\{n/x\}$ implies $P'\{n/x\} \equiv \{n\} \mid (x)P''$, for some $(x)P''$ with $n$ fresh for $P$ and $Q$. Hence, since $n$ was chosen fresh, the original process $P$ must have been of the form $(x)\big(\{x\} \mid (x)P''\big)$. This means that, modulo $\equiv$, $P$ was not eta-normalised, thus contradicting a hypothesis of the lemma.
• If $P = \{n\}$ then by definition of $\cong$ we should have $Q \equiv \{n\}$, which is impossible, since the hypothesis is $\mathit{messages}(P) > \mathit{messages}(Q)$. ✷

Lemma 5.7. Let $P, Q$ be two finite processes. Suppose $P \cong Q$, and that both $P$ and $Q$ are eta-normalised. Then $\mathit{pref}(P) = \mathit{pref}(Q)$.

Proof. Suppose $\mathit{pref}(P) > \mathit{pref}(Q)$.
We prove that we derive a contradiction. We proceed by induction on the shape of $P$.
• If $P = \mathbf{0}$ then $Q \equiv \mathbf{0}$.
• $P = P_1 \mid P_2$. Then, by definition of $\cong$, it must be $Q \equiv Q_1 \mid Q_2$ with $P_i \cong Q_i$. Now, for some $i$, we should have $\mathit{pref}(P_i) \neq \mathit{pref}(Q_i)$, which is impossible, by the induction on the shape.
• $P = cap.P'$. Then, by definition of $\cong$, it must be $Q \equiv cap.Q'$ and $Q' \stackrel{\langle cap\rangle}{\Longrightarrow} Q'' \cong P'$. Then $\mathit{pref}(P') = \mathit{pref}(P) - 1 > \mathit{pref}(Q) - 1 = \mathit{pref}(Q') \ge \mathit{pref}(Q'')$. Hence $\mathit{pref}(P') > \mathit{pref}(Q'')$, which is impossible by the induction on the shape.
• $P = (x)P'$. Then, by definition of $\cong$, it must be $Q \equiv (x)Q'$; moreover, given $n$ fresh, there must be $Q''$ such that $\{n\} \mid (x)Q' \Longrightarrow Q'' \cong P'\{n/x\}$. Moreover, by the previous lemma we know that $\mathit{messages}(P) = \mathit{messages}(Q)$, and we should also have $\mathit{messages}(P'\{n/x\}) = \mathit{messages}(Q'')$. The reduction $\{n\} \mid (x)Q' \Longrightarrow Q''$ must contain at least one step, for otherwise we could not have $\mathit{messages}(P'\{n/x\}) = \mathit{messages}(Q'')$. For the same reason, during these reductions only the message $\{n\}$ may have been consumed (no other messages). Thus $\{n\} \mid (x)Q' \Longrightarrow Q''$ can be written as $\{n\} \mid (x)Q' \longrightarrow Q'\{n/x\} \Longrightarrow Q''$, where $\mathit{pref}(Q') = \mathit{pref}(Q'\{n/x\})$ and also $\ge \mathit{pref}(Q'')$ (Lemma 5.5(2)). Therefore we have $\mathit{pref}(P'\{n/x\}) = \mathit{pref}(P) - 1 > \mathit{pref}(Q) - 1 = \mathit{pref}(Q') \ge \mathit{pref}(Q'')$. By the induction on the shape, this is in contradiction with $Q'' \cong P'\{n/x\}$. ✷

Lemma 5.8. Let $P, Q$ be two finite processes. Suppose $P \cong Q$, with both $P$ and $Q$ eta-normalised. If $P \stackrel{\mu}{\longrightarrow} P'$, then there is $Q'$ such that $Q \stackrel{\mu}{\longrightarrow} Q' \cong P'$. Similarly, if $P \longrightarrow P'$, then there is $Q'$ such that $Q \longrightarrow Q' \cong P'$.

Proof. From Lemmas 5.7 and 5.6: if $Q$ performed more than one action, then it would consume one more prefix or message than $P$.
✷

Theorem 5.9. Let $P, Q$ be processes of $\mathit{MA}_{sIF}$. Suppose $P \cong Q$, with both $P$ and $Q$ eta-normalised. Then $P \equiv Q$.

Proof. By induction on the shape of $P$.
• If $P = \mathbf{0}$ then also $Q \equiv \mathbf{0}$.
• Suppose $P = P_1 \mid P_2$. Then, by definition of $\cong$, $Q \equiv Q_1 \mid Q_2$ with $P_i \cong Q_i$. By induction, $P_i \equiv Q_i$. Hence also $P \equiv Q$.
• Suppose $P = !P'$. Then, by Lemma 4.8, there are $r$ and some $(Q_i)_{1 \le i \le r}$ such that $Q \equiv !Q_1 \mid (!)Q_2 \mid \ldots \mid (!)Q_r$, and $P' \cong Q_i$ for all $i$. By induction, $P' \equiv Q_i$ for all $i$, so finally $Q \equiv !Q_1 \equiv P$.
• $P = cap.P'$. By definition of $\cong$, $Q \equiv cap.Q'$ and there is $Q''$ such that $Q' \stackrel{\langle cap\rangle}{\Longrightarrow} Q'' \cong P'$. By construction of $\mathit{MA}_{sIF}$, $P', Q'$ are finite, so that we may apply Lemma 5.8. Then it must be $Q' = Q''$, and therefore by induction $Q' \equiv P'$. We conclude that $P \equiv Q$.
• $P = \{n\}$, $n[P']$: straightforward.
• $P = (x)P'$. By definition of $\cong$, we have $Q \equiv (x)Q'$, and again by construction of $\mathit{MA}_{sIF}$, $P', Q'$ are finite. Since $\cong$ is a congruence, given $n$, $\{n\} \mid P \cong \{n\} \mid (x)Q'$. We have $\{n\} \mid P \longrightarrow P'\{n/x\}$, hence by Lemma 5.8, $\{n\} \mid (x)Q' \longrightarrow Q'\{n/x\} \cong P'\{n/x\}$. By induction, $P'\{n/x\} \equiv Q'\{n/x\}$; since this holds for any $n$, $P' \equiv Q'$. ✷

Corollary 5.10. Let $P, Q$ be processes of $\mathit{MA}_{sIF}$. Then $P =_L Q$ iff $P \equiv_E Q$.

Proof. First, $=_L \subseteq \simeq_{int}$ by Theorem 3.33, and $\simeq_{int} \subseteq \equiv_E$ by Theorem 5.9. Conversely, $\equiv_E \subseteq \simeq_{int}$ by Lemma 5.4, and $\simeq_{int} \subseteq =_L$ by Theorem 3.29. ✷

5.2. Synchronous communications. We now consider a variant of Mobile Ambients where communication is synchronous. For this the production $\{\eta\}$ for messages in the grammar of MA in Table 2.1 is replaced by the production $\{\eta\}.P$. Communication is thus synchronous: in $\{\eta\}.P$, the process $P$ is blocked until the message $\{\eta\}$ has been consumed. Reduction rule Red-Com becomes:
$\{n\}.Q \mid (x)P \longrightarrow Q \mid P\{n/x\}$   (Red-Com)

In the remainder of this subsection, terms belonging to the synchronous version of the calculus will be referred to simply as ‘processes’. Since our goal here is to study how the result given by Corollary 5.10 changes when moving to a synchronous calculus, we focus directly on $\mathit{MA}_{s,sIF}$, the set of all terms of the synchronous calculus in which processes guarded by prefixes are finite (along the lines of Definition 5.2 that introduces $\mathit{MA}_{sIF}$). We shall see that in $\mathit{MA}_{s,sIF}$, the eta law fails and the equivalence relation induced by the logic is precisely structural congruence.

In order to show this, we have to port the results about (asynchronous) MA to the synchronous case. The co-inductive characterisation in terms of $\simeq_{int}$ (that is, Theorems 3.29 and 3.33) remains true, provided that in the definition of intensional bisimulation the communication clauses are replaced by the following:
• If $P \stackrel{!n}{\longrightarrow} P'$, then there is $Q'$ such that $Q \stackrel{!n}{\Longrightarrow} Q'$ and $P' \,\mathcal{R}\, Q'$.
• If $P \stackrel{?n}{\longrightarrow} P'$ then there is $Q'$ such that $Q \stackrel{?n}{\Longrightarrow} Q'$ and $P' \,\mathcal{R}\, Q'$.
Accordingly, we have to change the definition of syntactical intensional bisimulation by adapting the following clauses for communicating processes:
• If $P \equiv (x)P'$ then there is $Q'$ such that $Q \equiv (x)Q'$ and for all $n$ there is $Q''$ such that $Q'\{n/x\} \Longrightarrow Q''$ and $P'\{n/x\} \,\mathcal{R}\, Q''$.
• If $P \equiv \{n\}.P'$ then there is $Q'$ such that $Q \equiv \{n\}.Q'$ and $Q' \Longrightarrow Q'' \,\mathcal{R}\, P'$.
As shown in [21], formulas similar to those that are needed in the asynchronous case can be derived for the synchronous calculus. In particular, we have:

Lemma 5.11 ([21]).
• For all $\mathcal{A}$, there is a formula $\langle\!\langle ?n\rangle\!\rangle.\{|\mathcal{A}|\}$ such that for all $P$, $P \models \langle\!\langle ?n\rangle\!\rangle.\{|\mathcal{A}|\}$ iff there is $P'$ such that $P \equiv (x)P'$ and $P'\{n/x\} \Longrightarrow \models \mathcal{A}$.
• For all $\mathcal{A}$, there is a formula $\langle\!\langle !n\rangle\!\rangle.\{|\mathcal{A}|\}$ such that for all $P$, $P \models \langle\!\langle !n\rangle\!\rangle.\{|\mathcal{A}|\}$ iff there is $P'$ such that $P \equiv \{n\}.P'$ and $P' \Longrightarrow \models \mathcal{A}$.

Using this result, the soundness and completeness proofs for $\simeq_{int}$ with respect to $=_L$ follow exactly the same scheme as in the asynchronous case (see Sections 3 and 4), except that we do not need to reason on eta-normalised terms.

Theorem 5.12 (Soundness and completeness of $\simeq_{int}$). Given two processes $P$ and $Q$ of synchronous Mobile Ambients, $P \simeq_{int} Q$ iff $P =_L Q$.

We now derive the counterpart of the properties we have established above for $\mathit{MA}_{sIF}$ about the number of messages and prefixes in a term.

Lemma 5.13. Suppose $P \longrightarrow P'$, where $P$ is a finite process. Then
(1) $\mathit{messages}(P) \ge \mathit{messages}(P')$;
(2) $\mathit{pref}(P) \ge \mathit{pref}(P')$.

Proof. By induction on the derivation of $P \longrightarrow P'$. ✷

Lemma 5.14. Let $P, Q$ be two finite processes and suppose $P \cong Q$. Then $\mathit{messages}(P) = \mathit{messages}(Q)$.

Proof. Suppose $\mathit{messages}(P) > \mathit{messages}(Q)$. We prove that we derive a contradiction. We proceed by a case analysis on the shape of $P$ (i.e., the number of its operators).
• $P = P_1 \mid P_2$. Then, by definition of $\cong$, it must be $Q \equiv Q_1 \mid Q_2$ with $P_i \cong Q_i$. Now, for some $i$, we should have $\mathit{messages}(P_i) \neq \mathit{messages}(Q_i)$, which is impossible, by the induction on the shape.
• $P = cap.P'$. Then, by definition of $\cong$, it must be $Q \equiv cap.Q'$ and $Q' \stackrel{\langle cap\rangle}{\Longrightarrow} Q'' \cong P'$. It will then be, by Lemma 5.5(1), $\mathit{messages}(P) = \mathit{messages}(P') > \mathit{messages}(Q'')$, which is impossible, by the induction on the shape.
• $P = \{n\}.P'$. Then $Q \equiv \{n\}.Q'$ and $P' \cong Q'$. But $\mathit{messages}(P') > \mathit{messages}(Q')$, which by induction is impossible.
• $P = (x)P'$. Then $Q \equiv (x)Q'$ and for all $h$ fresh, $Q'\{h/x\} \Longrightarrow Q''$ and $P'\{h/x\} \cong Q''$ and $\mathit{messages}(P'') > \mathit{messages}(Q'')$, so we can conclude by induction. ✷

Lemma 5.15. Let $P, Q$ be two finite processes, and suppose $P \cong Q$. Then $\mathit{pref}(P) = \mathit{pref}(Q)$.

Proof. Suppose $\mathit{pref}(P) > \mathit{pref}(Q)$. We prove that we derive a contradiction. We proceed by induction on the shape of $P$.
• If $P = \mathbf{0}$ then $Q \equiv \mathbf{0}$.
• $P = P_1 \mid P_2$. Then, by definition of $\cong$, it must be $Q \equiv Q_1 \mid Q_2$ with $P_i \cong Q_i$. Now, for some $i$, it should be $\mathit{pref}(P_i) \neq \mathit{pref}(Q_i)$, which is impossible, by the induction on the shape.
• $P = cap.P'$. Then, by definition of $\cong$, it must be $Q \equiv cap.Q'$ and $Q' \stackrel{\langle cap\rangle}{\Longrightarrow} Q'' \cong P'$. Then $\mathit{pref}(P') = \mathit{pref}(P) - 1 > \mathit{pref}(Q) - 1 = \mathit{pref}(Q') \ge \mathit{pref}(Q'')$. Hence $\mathit{pref}(P') > \mathit{pref}(Q'')$, which is impossible by the induction on the shape.
• $P = \{n\}.P'$. Similar to the capability case.
• $P = (x)P'$. Then $Q \equiv (x)Q'$ and there is $Q''$ such that $Q'\{h/x\} \Longrightarrow Q''$ and $P'\{h/x\} \cong Q''$. There is no consumption of messages, hence $\mathit{pref}(P'\{h/x\}) > \mathit{pref}(Q'')$, and we can conclude using induction. ✷

Lemma 5.16. Let $P, Q$ be two finite processes, and suppose $P \cong Q$. If $P \stackrel{\mu}{\longrightarrow} P'$, then there is $Q'$ such that $Q \stackrel{\mu}{\longrightarrow} Q' \cong P'$. Similarly, if $P \longrightarrow P'$, then there is $Q'$ such that $Q \longrightarrow Q' \cong P'$.

Proof. From the two previous lemmas: if $Q$ performed more than one action, then it would consume one more prefix or message than $P$. ✷

Theorem 5.17. Let $P, Q$ be two processes in $\mathit{MA}_{s,sIF}$, and suppose $P \cong Q$. Then $P \equiv Q$.

Proof. By induction on the shape of $P$ (almost exactly as in Theorem 5.9). ✷

Corollary 5.18. Let $P, Q$ be processes of $\mathit{MA}_{s,sIF}$. Then $P =_L Q$ iff $P \equiv Q$.

5.3. Name restriction.
In this section, we consider the variant of MA, noted here $\mathrm{MA}_\nu$, that includes name restriction $(\nu n)P$. We discuss, among previous results, which ones remain valid, and which ones have to be amended.

Adding name restriction involves several modifications in the definition of the calculus and of the logic. Name $n$ is bound in $(\nu n)P$, and the definition of $\mathrm{fn}(P)$ is modified accordingly. Regarding structural congruence, we add alpha conversion for $\nu$, as well as the following laws:
$$(\nu n)0 \equiv 0 \qquad (\nu n)(\nu m)P \equiv (\nu m)(\nu n)P \qquad (\nu n)(P \mid Q) \equiv P \mid (\nu n)Q \ \text{ if } n \notin \mathrm{fn}(P)$$
$$(\nu n)m[P] \equiv m[(\nu n)P] \qquad cap.(\nu n)P \equiv (\nu n)cap.P \ \text{ if } n \notin \mathrm{fn}(cap)$$
The last rule is not always present in the definition of structural congruence. It is not an essential rule, but including it makes some of our technical details simpler.

In the logic, additional connectives are introduced, as in [12], to handle restriction and the associated notion of freshness of names: formulas can also be of the form $n \circledR A$, $A \oslash n$, or $\mathsf{N}n.A$. Accordingly, the enriched notion of satisfaction, written $\models_\nu$, is given by:
− $P \models_\nu n \circledR A$ iff $P \equiv (\nu n)P'$ and $P' \models_\nu A$ for some $P'$;
− $P \models_\nu A \oslash n$ if $(\nu n)P \models_\nu A$;
− $P \models_\nu \mathsf{N}n.A$ if there is $n' \notin (\mathrm{fn}(P) \cup \mathrm{fn}(A))$ such that $P \models_\nu A\{n'/n\}$.

To illustrate this new setting, we consider the two following formulas:
$$free(n) \stackrel{def}{=} \neg\, n \circledR \top \qquad\qquad public \stackrel{def}{=} \mathsf{N}n.\neg\big(n \circledR free(n)\big).$$
A process $P$ satisfying $free(n)$ cannot reveal $n$, which means that $n$ necessarily occurs free in $P$. In turn, if $P$ satisfies $public$, then it cannot reveal a name $n$ so as to exhibit free occurrences of $n$, which means that $P$ is structurally congruent to some $P' \in \mathrm{MA}$. Formula $public$ hence provides a way of selecting processes belonging to MA among the processes in $\mathrm{MA}_\nu$.
We can indeed adapt any formula $A$ we have used in the paper into a formula $A'$ such that whenever $P \models_\nu A'$, then $P \equiv P'$ for some $P'$ in MA such that $P' \models A$; in particular, formulas of the form $A_1 \rhd A_2$ are translated into formulas of the form $(B_1 \wedge public) \rhd B_2$.

In presence of name restriction, we can adapt rather easily several important results of the paper as follows (for each item, we indicate the part of the paper we refer to):
• a new ‘intensional’ rule must be added to the definition of $\simeq_{int}$ (Def. 3.2): if $P \equiv (\nu n)P'$, then there is $Q'$ such that $Q \equiv (\nu n)Q'$ and $P' \simeq_{int} Q'$;
• with this definition, it is possible to establish a soundness result ($\simeq_{int} \subseteq\ =_L$, Theorem 3.29), and completeness for finite processes (processes without replication, Theorem 3.33);
• characteristic formulas are derivable for processes of the form $(\nu n_1)\ldots(\nu n_k)P$, where $P$ is a ‘public’ process in $\mathrm{MA}_{IF}$ (Lemma 3.27): we rely on name revelation to get rid of the topmost restrictions, and then translate the characteristic formula for $P$ using the approach sketched above;
• logical equivalence coincides with structural congruence enriched with eta conversion for processes of the form $(\nu n_1)\ldots(\nu n_k)P$, with $P$ a public process in $\mathrm{MA}_{sIF}$ (Corollary 5.10).

The difficult point, that we leave for future work, is to analyse processes that can generate unboundedly many names, i.e., in which restriction occurs under replication. Characteristic formulas seem much more difficult to obtain for such processes. We do not know at present how to derive completeness in absence of an image finiteness hypothesis (in particular, we do not see how a counterpart of Lemma 4.13 can be obtained).

6. (Un)decidability of logical equivalence

In this section we define the encoding of a Turing Machine in $\mathrm{MA}_{sIF}$.
The purpose of this encoding is to establish that logical equivalence is undecidable on $\mathrm{MA}_{IF}$. The definition of the encoding requires the introduction of some constructions that will be given as ($\mathrm{MA}_{sIF}$) contexts. To ease the reading of our definitions, we shall sometimes work with parametrised contexts, which are context definitions that depend on some values (names, words, or movements of the head of the Turing Machine). Additionally, some parametrised definitions shall be written $foo(p); P$: here, $foo$ is the name of the definition, whereas $p$ and $P$ are parameters ($P$ being a process); the notation emphasizes the sequentiality between the process being introduced and $P$.

Remark 6.1. The results in this section improve and extend a preliminary version presented in [20]. By the time the writing of this paper was completed, Busi and Zavattaro [3] had studied encodings of another universal machine, namely the Random Access Machine, into a subset of MA. Their encodings are syntactically more concise than the one below of a Turing Machine. However, Busi and Zavattaro make use of combinations of operators that are not licit in $\mathrm{MA}_{sIF}$ (i.e., their encodings are not encodings into $\mathrm{MA}_{sIF}$). Also, while longer, the encoding of Turing Machines makes use of components which accomplish simple tasks and which interact with each other in simple manners. Correspondingly, each step of the proof, which follows the reductions of the encoding of a Turing Machine, is rather straightforward. For these reasons we maintain the schema of the original encoding in [20].

6.1. Ribbons.

Digits and words. We associate to booleans true and false two names $tt$ and $ff$. We call these names digits, and range over digits with $d, d'$.
A word will be the result of a (possibly empty) concatenation of digits. The empty word shall be written $\epsilon$. We range over words with $w, w', w_1, w_2$. Given a word $w$ consisting of $r$ digits (with $r \geq 1$), we shall sometimes write $w^1 \ldots w^r$ to refer to the digits of $w$. This should not be confused with the notation $ff^n$, that we will sometimes use to represent the word consisting of $n$ times the digit $ff$ (this should be clear from the context).

We start with the definition of the support of the Turing Machine: ribbons can be in different states (frozen, growing, work ribbon, old), and are defined as follows:

Cells and Words
    cell(d){||}   := cell[ d[0] | !open wo | {||} ]
    word(w){||}   := cell(w^1){| cell(w^2){| ... cell(w^r){||} ... |} |}      (w = w^1 w^2 ... w^r)

Ribbon Extensor
    deadextcode    := !open coin.open newcell.in cell.coin[0] | !newcell[ cell(ff){| out ext |} ]
    sendstart      := msg[ out ext.!out cell | out ribbonleft.start[ in TM ] ]
    ExtensorFrozen := ext[ deadextcode | open coin.sendstart ]
    ExtensorAlive  := ext[ coin[0] | deadextcode | open coin.sendstart ]
    ExtensorDead   := ext[ deadextcode ]

Ribbons
    cleaninst          := open cleaner.open runclean | runclean[ deadcleancode ]
    deadcleancode      := !open ff | !open tt | !open cell | !open wo
    FrozenRibb(w)      := ribbonleft[ cleaninst | word(w){| ExtensorFrozen |} ]
    GrowingRibb(w)     := ribbonleft[ cleaninst | word(w){| ExtensorAlive |} ]
    WorkRibb(w1,w2){||} := ribbonleft[ cleaninst | word(w1){| {||} | word(w2){| ExtensorDead |} |} ]
    OldRibb            := ribbonleft[ deadcleancode | ExtensorDead ]

All names used in the definitions above are supposed to be pairwise distinct. In particular, $TM$ is the name we shall use for the ambient containing the Turing Machine (see Definition 6.5).
The ribbon is represented as a nesting of ambients named $cell$, each of which contains an empty ambient named $d$, where $d$ is the digit value of the cell: this corresponds to the definitions of $cell(d)$ and $word$ – the $!open\ wo$ subterm is there to trigger the computation of the head of the machine as soon as the head ‘points to’ (i.e., enters) the current cell (see Section 6.2).

Ribbon extension is used to generate a sufficiently long nesting of $cell$ ambients for the machine to run. A frozen ribbon consists of a word $w$, containing at the end of the ribbon a frozen ribbon extensor (definition of $FrozenRibb$ – the $cleaninst$ part will be useful later on). The extensor is triggered by the presence of an ambient named $coin$ (definitions $ExtensorFrozen$ and $ExtensorAlive$): when this happens, the loop programmed in the definition of $deadextcode$ can start, which can have the effect of adding new cells, whose value is $ff$. Each time the extensor loops (state $ExtensorAlive$), the $coin$ ambient can be erased by process $open\ coin.sendstart$, which has the effect of stopping the extension process, and sending an ambient $msg$ out of the ribbon to instruct the machine to start computation. When this happens, the extensor is in $ExtensorDead$ state.

A ribbon in $GrowingRibb$ state keeps extending until the extensor dies, at which point it becomes a $WorkRibb$ ($WorkRibb$ has two parameters, $w_1$ and $w_2$, in order to reason about the cell where the head of the machine currently is). Along this evolution, the $cleaninst$ code is always present. When the machine successfully terminates computation (we will describe below how this happens), it generates an ambient named $cleaner$, which triggers the cleaning of the machine: all ambients $cell$, $tt$, $ff$, $wo$, that intuitively constitute the “data structures” of the machine, are removed.
At this point, we obtain an $OldRibb$.

Some of the explanations we have just given are formalised by the following result, which will be used to establish undecidability of $=_L$.

Lemma 6.2 (Ribbon evolution). For any word $w$ and $n \in \mathbb{N}$, we write $P_n = GrowingRibb(w.(ff)^n)$, where $(ff)^n$ stands for the word written as $n$ times the name $ff$. We have:
• $P_n \Longrightarrow P_{n+1}$;
• $P_n \Longrightarrow R$ with $R = WorkRibb(\epsilon, w.(ff)^n)\{|\, msg[\, !out\ cell \mid out\ ribbonleft.start[in\ TM]\,] \,|\}$;
• for any term $Q$ along the reduction paths from $P_n$ to $P_{n+1}$ and from $P_n$ to $R$, there exists $Q'$ such that $Q \equiv ribbonleft[Q']$.
Moreover, for any word $w$, we have: $WorkRibb(w, \epsilon)\{|0|\} \mid cleaner[in\ ribbonleft] \Longrightarrow OldRibb$.

Proof. At any step, the extensor can only choose between creating a new $ff$ cell or dying and sending up through the ribbon an ambient $msg$. Note that when extending the ribbon with a new $ff$ cell, there are at some point two concurrent actions $in\ cell$ and $out\ ext$: these are in causal dependency, since the $in\ cell$ can only happen once the $out\ ext$ has taken place, which ensures sequentiality of the execution. ✷

6.2. Turing Machine.

Definition 6.3 ((Ideal) Turing Machine). We introduce three symbols $\leftarrow$, $\downarrow$ and $\rightarrow$ for the movements of the head of a Turing Machine. We represent a Turing Machine as a quadruplet $(\mathcal{Q}, q_{start}, q_A, \delta)$ where $\mathcal{Q}$ is a set of states, $q_{start}$ is the initial state, $q_A$ is the accepting state, and $\delta : \mathcal{Q} \times \{ff, tt\} \longrightarrow \mathcal{Q} \times \{ff, tt\} \times \{\leftarrow, \downarrow, \rightarrow\}$ is the evolution function.
Notation: we shall write $(w_1, q, w_2) \rightarrowtail (w'_1, q', w'_2)$ to denote the fact that the Turing Machine in state $q$ with the head on the cell of the last letter of $w_1$ (which will be referred to as “the head dividing the ribbon into words $w_1$ and $w_2$”) evolves in one step of computation into the machine in state $q'$, dividing the ribbon into words $w'_1$ and $w'_2$.

The remainder of this subsection is devoted to establishing the following claim:

Turing Machine Transitions
    clear(d); P    := wo[ out head.open d.clack[ in head ] ] | open clack.P
    write(d); P    := wo[ out head.d[0] | wrack[ in head ] ] | open wrack.P
    become(mo); P  := mo[ out head.open head.P ] | in mo
    domove(mv); P  := in cell.P   if mv = ←
                      P           if mv = ↓
                      out cell.P  if mv = →
    tcode(d_r, q_w, d_w, mv) := clear(d_r); write(d_w); become(mo); in TM.domove(mv); open q_w

State
    ff → P + tt → Q := coin[ in ff.out ff.P ] | coin[ in tt.out tt.Q ] | open coin
    code(q)  := !q[ head[ out TM.( ff → tcode(ff, d_ff, q_ff, mv_ff) + tt → tcode(tt, d_tt, q_tt, mv_tt) ) ] ]
              | !coin[ in ff.out ff.tcode(ff, d_ff, q_ff, mv_ff) ]
              | !coin[ in tt.out tt.tcode(tt, d_tt, q_tt, mv_tt) ]
    code(q_A) := !q_A[ getout[0] ]

Turing Machine Behavior after Recognition
    getout := !open getout.out cell.getout[0]
            | !open getout.out ribbonleft.( cleaner[ out TM.in ribbonleft ]
                                            | coin[ out TM.in ribbonleft.in cell^length(w).in ext ]
                                            | open start.in ribbonleft.in cell.open q_start )

Figure 1: Encoding Turing Machines in $\mathrm{MA}_{sIF}$

Claim 6.4. Any Turing Machine computation may be encoded in $\mathrm{MA}_{sIF}$.
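As an added illustration (not code from the paper), the following Python models the ideal Turing Machine of Definition 6.3 directly on the $(w_1, q, w_2)$ configurations of the notation above, run on a finite ribbon $w.ff^n$ of the kind the extensor produces; the sample machine and the function names are assumptions of the example. Besides the one-step relation, it shows the three outcomes a run on a finite ribbon can have (accept, stuck because the head leaves the created cells, or loop), which are the cases the undecidability argument of Section 6.3 distinguishes.

```python
"""Ideal Turing Machine of Definition 6.3 on the finite ribbon w.ff^n.

Added example, not code from the paper.  Configurations use the paper's
notation (w1, q, w2): the head sits on the last digit of w1.  PARITY_TM is
a constructed sample machine, not one from the paper.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FF, TT = "ff", "tt"                   # the two digits (names) of Section 6.1
LEFT, STAY, RIGHT = "<-", "v", "->"    # head movements: left, stay, right

Digit = str
Word = Tuple[Digit, ...]               # the empty word epsilon is ()
Config = Tuple[Word, str, Word]        # (w1, q, w2)
Delta = Dict[Tuple[str, Digit], Tuple[str, Digit, str]]  # (q,d) -> (q',d',mv)


@dataclass(frozen=True)
class TuringMachine:
    """The quadruplet (Q, q_start, q_A, delta) of Definition 6.3."""
    states: frozenset
    q_start: str
    q_accept: str
    delta: Delta


def step(tm: TuringMachine, cfg: Config) -> Optional[Config]:
    """One step (w1, q, w2) |-> (w1', q', w2'); None when no step is possible.

    None covers the accepting state and the two ways a run on a finite ribbon
    gets stuck: the head would move left of the first cell, or right of the
    last ff cell the extensor created.
    """
    w1, q, w2 = cfg
    if q == tm.q_accept or not w1:
        return None
    q2, d_write, mv = tm.delta[(q, w1[-1])]   # read the digit under the head
    w1 = w1[:-1] + (d_write,)                 # overwrite it, then move
    if mv == STAY:
        return (w1, q2, w2)
    if mv == LEFT:
        if len(w1) == 1:
            return None                       # no cell to the left: stuck
        return (w1[:-1], q2, (w1[-1],) + w2)
    if not w2:
        return None                           # no cell to the right: stuck
    return (w1 + (w2[0],), q2, w2[1:])


def run(tm: TuringMachine, w: Word, n: int) -> Tuple[str, Config, int]:
    """Run tm on w.ff^n from q_start, head on the first cell (as TMStart does).

    Returns (outcome, last configuration, steps), outcome in 'accept',
    'stuck', 'loop'.  The ribbon is finite, so there are finitely many
    configurations and a non-terminating run must revisit one: 'loop' is
    detected exactly, without a step budget.
    """
    ribbon = w + (FF,) * n
    cfg: Config = (ribbon[:1], tm.q_start, ribbon[1:])
    seen = {cfg}
    steps = 0
    while True:
        nxt = step(tm, cfg)
        if nxt is None:
            return ("accept" if cfg[1] == tm.q_accept else "stuck", cfg, steps)
        steps += 1
        if nxt in seen:
            return ("loop", nxt, steps)
        seen.add(nxt)
        cfg = nxt


def smallest_accepting_ribbon(tm: TuringMachine, w: Word, max_n: int):
    """Smallest N <= max_n such that w is recognised on w.ff^N, else None.

    This is the condition of Lemma 6.13 ('recognised on w.ff^N for some N')
    with the search over N cut off at max_n: for each fixed N the question is
    decidable (run above); the unbounded choice of N is what makes the loop
    condition, and with it =L on MA, undecidable (Theorem 6.14).
    """
    for n in range(max_n + 1):
        if run(tm, w, n)[0] == "accept":
            return n
    return None


# Constructed sample: walk right over the word, flipping parity on each tt;
# on the first ff, accept if the tt count is even, spin in place if it is odd.
PARITY_TM = TuringMachine(
    states=frozenset({"even", "odd", "acc"}),
    q_start="even",
    q_accept="acc",
    delta={
        ("even", TT): ("odd", TT, RIGHT),
        ("even", FF): ("acc", FF, STAY),
        ("odd", TT): ("even", TT, RIGHT),
        ("odd", FF): ("odd", FF, STAY),    # deliberate infinite loop
    },
)

if __name__ == "__main__":
    for word, n in [((TT, TT), 0), ((TT, TT), 1), ((TT,), 2)]:
        print(word, n, run(PARITY_TM, word, n))      # stuck, accept, loop
    print(smallest_accepting_ribbon(PARITY_TM, (TT, TT), 5))   # 1
```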
To encode Turing Machines, we must describe how we simulate in $\mathrm{MA}_{sIF}$ the transitions of the machine, and how some extra manipulations are performed after recognition of a word (these are necessary to deduce the undecidability result proved below). The encoding is given by the definitions collected in Figure 1. The overall shape of the encoding can be described as follows:

Definition 6.5 (Turing Machine in Mobile Ambients). The encoding of a Turing Machine is based on an ambient named $TM$, containing a persistent process named $tmsoup$:
$$tmsoup := code(q_0) \mid \ldots \mid code(q_n) \mid getout \mid\ !open\ mo.$$
We define two configurations for the encoding of a Turing Machine. Before being active, the machine is in starting state, defined by:
$$TMStart := TM[\, open\ start.in\ ribbonleft.in\ cell.open\ q_{start} \mid tmsoup \,].$$
Once the computation has started, the Turing Machine in state $q$ is represented by the term
$$TM(q) := TM[\, open\ q \mid tmsoup \,].$$

Lemma 6.6 ($\mathrm{MA}_{sIF}$ encoding). All terms used in the encoding of a Turing Machine belong to $\mathrm{MA}_{sIF}$.

Our Turing Machine encoding is somehow reminiscent of the one presented in [13]. We should however remark that we work here in a language without name restriction, and with a simpler encoding of choice (operator $+$ above, to test the value of a cell).

According to the explanations given in Section 6.1, the machine reacts to the presence of an ambient named $start$ to enter the first cell of the ribbon and start computation (definition $TMStart$). The behaviour of the running machine is described by the definition of $code(q)$: the head of the machine enters the current cell, and tests its value by concurrently trying to enter ambients named $ff$ and $tt$.
According to the ambient being present, the appropriate machine transition is triggered (definition of $tcode$ — $d_{ff}$, $q_{ff}$, $mv_{ff}$ stand for the new value, new state, and movement of the head determined by the current state if the value read is $ff$, and similarly for $tt$). The last two lines in the definition of $code$ (processes starting with $!coin\ldots$) are there for garbage collection purposes: they “absorb” the branch of the choice that has not been triggered. Performing a transition involves erasing the current value of the cell, installing the new value, getting back inside the Turing Machine (the current working ambient had to get out of it to read the value of the cell), and triggering the movement of the machine (definition of $tcode$). The corresponding definitions on top of Figure 1 should be self-explanatory, the $become(mo)$ part being necessary to synchronise with the $!open\ mo$ inside ambient $TM$. Finally, $open\ q_w$ starts the execution of the code corresponding to $q_w$, the new state of the machine — according to Definition 6.5, the code of all possible states of the machine is present in replicated form in $TM$.

The code of the accepting state $q_A$ is peculiar: when the machine reaches this state, it triggers process $getout$, which makes it exit the ribbon and start the cleaning process. As explained above, the presence of an ambient named $cleaner$ in ambient $ribbonleft$ triggers process $cleaninst$ of Section 6.1. The process on the last line of Figure 1 is there to install the machine in the exact initial state once the word has been recognized and cleaning has been performed. This is necessary to obtain a loop in the proof of Lemma 6.13 below.
We can remark that the encoding is parametric over a word $w$, whose length (denoted $length(w)$) is used in the definition of $getout$ (in that definition, $in\ cell^{length(w)}$ stands for the concatenation of $length(w)$ copies of the capability $in\ cell$). This aspect of our encoding is however irrelevant, since it only plays a role after the end of the execution of the machine, and not during the central part of the simulation.

We now formulate the evolution of the terms we have defined in order to simulate Turing Machines. We first introduce a useful relation.

Definition 6.7 (deterministic evolution relation). We say that a process $P$ deterministically evolves to $Q$, written $P \leadsto Q$, if and only if $P \longrightarrow Q$ and for any $Q'$ s.t. $P \longrightarrow Q'$, either $Q' \not\longrightarrow$ or $Q \equiv Q'$.

Notation: We shall write $P \leadsto^k Q$ to say that $P$ deterministically reduces to $Q$ in $k$ steps ($k \geq 1$). We write $P \leadsto^+ Q$ when $P \leadsto^k Q$ for some $k$.

Using $\leadsto$, we can state some elementary facts about the macros involved in the execution of the machine. The relation $P \leadsto^+ Q$ captures the fact that $P$ cannot avoid reducing to $Q$ except for some immediately blocking states. Such blocking states may only appear due to the firing of the “wrong branch” in a choice encoding ($ff \rightarrow \cdots + tt \rightarrow \ldots$). (Incidentally, we may remark that a purely deterministic encoding of the Turing Machine could probably be definable, but at the cost of more complex definitions and proofs.)

Lemma 6.8 (state evolution). For any terms $P$, $Q$, names $d, d' \in \{ff, tt\}$ and word $w$, we set $M = d[0] \mid\ !open\ wo \mid word(w)\{|\, ExtensorDead \,|\}$. We then have the following deterministic transition sequences:
$$(1)\quad head[\, d \rightarrow P + \neg d \rightarrow Q \,] \mid d[0] \mid\ !open\ wo \mid cell[M] \mid TM[tmsoup] \ \leadsto^3\ head[\, P \mid coin[\, in\ \neg d.out\ \neg d.Q \,] \,] \mid d[0] \mid\ !open\ wo \mid cell[M] \mid TM[tmsoup];$$
$$(2)\quad head[\, clear(d); P \mid coin[\, in\ d'.Q \,] \,] \mid d[0] \mid\ !open\ wo \mid cell[M] \mid TM[tmsoup] \ \leadsto^5\ head[\, P \mid coin[\, in\ d'.Q \,] \,] \mid\ !open\ wo \mid cell[M] \mid TM[tmsoup];$$
$$(3)\quad head[\, write(d); P \mid coin[\, in\ d'.Q \,] \,] \mid\ !open\ wo \mid cell[M] \mid TM[tmsoup] \ \leadsto^4\ head[\, P \mid coin[\, in\ d'.Q \,] \,] \mid d[0] \mid\ !open\ wo \mid cell[M] \mid TM[tmsoup];$$
$$(4)\quad head[\, become(mo); P \mid coin[\, in\ d'.Q \,] \,] \mid d[0] \mid\ !open\ wo \mid cell[M] \mid TM[tmsoup] \ \leadsto^3\ mo[\, P \mid coin[\, in\ d'.Q \,] \,] \mid d[0] \mid\ !open\ wo \mid cell[M] \mid TM[tmsoup].$$
Moreover, the same results hold with a frozen (instead of dead) extensor in $M$, the only condition being that ambient $ext$ contains an inactive term.

Proof. By inspection of the possible reductions of the processes being considered. From the second statement on, the ambient $coin[\, in\ d'.Q \,]$ is frozen: it actually represents the non-chosen branch in the encoding of the choice operator, that will be erased later, when the head of the Turing Machine comes back inside ambient $TM$ (see below). ✷

We can now merge the results above into a property regarding transitions of the Turing Machine.

Lemma 6.9 (One step of Turing Machine simulation). Let $M$ be a Turing Machine, $q$ one of its non accepting states, and $w_1, w_2$ two words, with $w_2 \neq \epsilon$. Suppose $(w_1, q, w_2) \rightarrowtail (w'_1, q', w'_2)$. Then $WorkRibb(w_1, w_2)\{|\, TM(q) \,|\} \leadsto^+ WorkRibb(w'_1, w'_2)\{|\, TM(q') \,|\}$.

Proof. We divide the evolution of the term representing the Turing Machine into the following steps:
(1) From state $q$, the TM can trigger the $q$ code by performing the corresponding $open$ operation, which has the effect of releasing an ambient named $head$.
Moreover, this is the only place where some reduction is possible, because first, the extensor is inactive and second, in every ambient named $cell$, no reduction occurs. Therefore,
$$WorkRibb(w_1, w_2)\{|\, TM(q) \,|\} \ \leadsto^2\ WorkRibb(w_1, w_2)\{|\, TMNostate \mid head[\, ff \rightarrow \cdots + tt \rightarrow \ldots \,] \,|\}$$
where the notation $TMNostate$ stands for the following configuration of the Turing Machine ambient: $TM[\, code(q_0) \mid \ldots \mid code(q_n) \mid tmsoup \,]$. Note that this ambient cannot perform any reduction as long as it is not visited by a $mo$ or $getout$ ambient.
(2) Using the previous fact, and considering that reductions can only take place at $cell$ level, we have
$$WorkRibb(w_1, w_2)\{|\, TMNostate \mid head[\, ff \rightarrow \cdots + tt \rightarrow \ldots \,] \,|\} \ \leadsto^{15}\ WorkRibb(w_1^1 \ldots w_1^{r-1} d,\ w_2)\{|\, TMNostate \mid mo[\, in\ TM.domove(mv).open\ q' \mid coin[\, in\ \neg w_1^r.P \,] \,] \,|\}$$
where $\delta(q, w_1^r) = (q', d, mv)$ (i.e., the machine evolves from $q$ to $q'$ when reading $w_1^r$).
(3) The ambient $mo$ comes back into the Turing Machine and is opened by the $tmsoup$ component. Then the head movement (if any) is performed, which activates an $open\ q'$ process, so that the Turing Machine gets into $TM(q')$ state.
$$WorkRibb(w_1^1 \ldots w_1^{r-1} d,\ w_2)\{|\, TMNostate \mid mo[\, in\ TM.domove(mv).open\ q' \mid coin[\, in\ \neg w_1^r.P \,] \,] \,|\} \ \leadsto^{2(+1)}\ WorkRibb(w'_1, w'_2)\{|\, TM(q') \,|\}.$$
Note that opening ambient $mo$ triggers the absorption of the non-selected branch of the choice (ambient $coin$) by a $!coin[\ldots]$ (from the code for the original state of the machine). The $2(+1)$ above comes from the fact that the head of the machine can also make no movement in its transition from a state to another (case $\downarrow$). ✷

We obtain as a corollary of the Lemma above:

Proposition 6.10 (Turing Machine simulation).
Given a Turing Machine $M$, for any word $w$ and $n \in \mathbb{N}$, the Turing Machine $M$ recognises the word $w$ on the ribbon $w.ff^n$ iff there exist two words $w_1$ and $w_2$ s.t. $WorkRibb(\epsilon, w.ff^n)\{|\, TM(q_{start}) \,|\} \leadsto^+ WorkRibb(w_1, w_2)\{|\, TM(q_A) \,|\}$, where the terms above are given by the encoding of $M$.

Let us finally describe what happens after the machine has reached the accepting state.

Lemma 6.11 (Acceptation). Let $w_1, w_2$ be two words. Then
$$WorkRibb(w_1, w_2)\{|\, TM(q_A) \,|\} \Longrightarrow OldRibb \mid TMStart \mid coin[\, in\ ribbonleft.in\ cell^{length(w)}.in\ ext \,]$$
where $w$ is the word used in the encoding of the machine.

Proof. We distinguish four steps:
(1) When the $q_A$ ambient has been opened, the ambient $getout$ is liberated and is present within $TM$: $WorkRibb(w_1, w_2)\{|\, TM(q_A) \,|\} \Longrightarrow WorkRibb(w_1, w_2)\{|\, TMGetout \,|\}$ where $TMGetout$ is the term $TM[\, getout[0] \mid code(q_0) \mid \ldots \mid code(q_n) \mid tmsoup \,]$.
(2) This allows the $TM$ ambient to get a $getout$ ‘token’, execute the branch containing the $out\ cell$, and, doing this, liberate a new $getout$ ambient: $WorkRibb(w_1, w_2)\{|\, TMGetout \,|\} \Longrightarrow WorkRibb(w_1^1 \ldots w_1^{r-1},\ w_1^r.w_2)\{|\, TMGetout \,|\}$. Note that the other subterm starting with $open\ getout$ could also have been triggered, leading to a blocked state. This is no harm for us, since we want to establish the existence of an execution where the machine exits the ribbon. This way, $TM$ progresses outwards until it is directly inside $ribbonleft$.
(3) Then $TM$ gets out of $ribbonleft$, choosing the other branch of $open\ getout$, which leads to the following state:
$$WorkRibb(\epsilon, w_1.w_2)\{|0|\} \mid TM[\, cleaner[\, out\ TM.in\ ribbonleft \,] \mid coin[\, out\ TM.in\ ribbonleft.in\ cell^{length(w)}.in\ ext \,] \mid code(q_0) \mid \ldots \mid code(q_n) \mid tmsoup \,]$$
(4) At this point, the ambient named $TM$ may liberate an ambient $cleaner$ that enters $ribbonleft$ and starts the cleaning process. $TM$ may also liberate the ambient $coin$ so that we exactly obtain the expected term. ✷

Remarks 6.12.
• As we already mentioned above, our encoding of the Turing Machine is at this point dependent on the word $w$ that we want it to recognize.
• We reason here using $\Longrightarrow$ transitions instead of deterministic reduction $\leadsto$: indeed, we are considering states where the machine has already recognized the word, and we only need to prove that there exists some way back to its (exact) initial state. This will be enough for the proof of undecidability in Section 6.3.

6.3. Undecidability of Logical Equivalence.

We can now exploit the encoding we have studied to establish undecidability of $=_L$.

Lemma 6.13 (Loop lemma). Given a Turing Machine $M$ and a word $w$, define the following terms, given from the encoding of $M$:
$$Q :=\ !FrozenRibb(w) \mid\ !OldRibb \mid\ !open\ msg \mid\ !out\ cell \mid TMStart, \qquad P_0 := Q \mid GrowingRibb(w) \quad\text{and}\quad P_1 := Q \mid GrowingRibb(w.ff).$$
Then $P_0 \Longrightarrow P_1$. Conversely, $P_1 \Longrightarrow P_0$ if and only if the word $w$ may be recognized on a finite (but sufficiently long) ribbon of the shape $w.ff^N$, for some $N \in \mathbb{N}$, by the Turing Machine $M$.

Proof. The transition $P_0 \Longrightarrow P_1$ follows from Lemma 6.2. Let us then first assume that $w$ can be recognized on a ribbon of the form $w.ff^N$, that is, $w$ followed by an arbitrary number of $ff$ digits. Then from Lemma 6.2, we can obtain the corresponding extension of the ribbon from state $P_1$, i.e. exhibit a transition $P_1 \Longrightarrow Q \mid WorkRibb(w.ff^N, \epsilon)\{|0|\} \mid start[in\ TM]$. At this point, the ambient $start$ can enter $TM$ and allow it to get into the work ribbon.
Then, using the simulation result (Proposition 6.10), we know that the Turing Machine reaches the acceptation state (this result is obtained by induction over the length of $w$). At this point, according to Lemma 6.11, the work ribbon is transformed into an old ribbon (collected by the corresponding replicated term in $Q$), the Turing Machine comes out of the ribbon, and waits for a start signal. The liberated $coin$ ambient may progress inside a frozen ribbon (containing word $w$ by definition of $Q$ above) until it reaches the frozen extensor and wakes it up. We then exactly obtain $P_0$.

Now let us assume that $w$ cannot be recognized on any ribbon. As $Q$ is blocked (in particular, $TMStart$ is waiting for an ambient $start$ to enter $TM$), the first reducts of $P_1$ are of the form $Q \mid ribbonleft[R]$, where $GrowingRibb(w.ff) \Longrightarrow ribbonleft[R]$. If a reduction chain from $P_1$ to $P_0$ can be found, then by Lemma 6.2 there exists an integer $n$ such that
$$P_1 \Longrightarrow \underbrace{Q \mid WorkRibb(w.ff^n)\{|0|\} \mid start[in\ TM]}_{T} \Longrightarrow P_0.$$
In term $T$ the $WorkRibb$ is blocked, so the only evolution can come from the machine entering a ribbon. We distinguish three cases according to the kind of ribbon which is entered by the machine:
(1) If it gets into an old ribbon, there can be no more reduction, as the $TM$ is stuck on an $in\ cell$ action.
(2) If it gets into the work ribbon, according to Proposition 6.10, there is a unique way to evolve, through simulation of the machine. At this point, the machine may have an infinite computation on the finite ribbon, never reaching the accepting state: this means that it will not get out of the ribbon, which prevents the system from evolving into $P_0$.
Alternatively, the machine may try to use more ribbon than what has been created before the evolution from $GrowingRibb$ into $WorkRibb$, and the machine is stuck. So in any case, state $P_0$ cannot be reached.
(3) We reason similarly in the case where the machine enters a frozen ribbon.
Finally, we have that state $P_0$ is unreachable if word $w$ cannot be recognised by the machine on a ribbon of the form $w.ff^N$ for some $N$, which concludes the proof. ✷

Theorem 6.14 (Undecidability of $=_L$). $=_L$ is an undecidable relation on MA.

Proof. Let us first note that the decidability of $=_L$ over $\mathrm{MA}_{IF}$ is a consequence of its inductive characterisation $\sim_{ind}$ (Definition 4.9) together with the image finiteness hypothesis of $\mathrm{MA}_{IF}$.

Consider processes $P_0$ and $P_1$ from Lemma 6.13. We show that the problem of deciding whether one can prove $open\ n.P_0 =_L open\ n.P_1$ is equivalent to deciding whether $P_0 \Longrightarrow P_1 \Longrightarrow P_0$. This will be enough, by Lemma 6.13, to obtain the undecidability of $=_L$.

Let us prove now the undecidability of $=_L$ on MA. Consider processes $P_0$ and $P_1$ of Lemma 6.13. These processes are in $\mathrm{MA}_{sIF}$. Using Corollary 4.20, the definition of $\simeq_{int}$, and Theorem 5.9, we have:
$$open\ n.P_0 =_L open\ n.P_1 \quad\text{iff}\quad open\ n.P_0 \simeq_{int} open\ n.P_1 \quad\text{iff}\quad P_0 \Longrightarrow\simeq_{int} P_1 \Longrightarrow\simeq_{int} P_0$$
(from Theorem 5.9, $\Longrightarrow\simeq_{int}$ is $\Longrightarrow$ on $\mathrm{MA}_{sIF}$). The first equivalence follows from soundness and completeness (Theorems 3.29 and 4.19). The second is the definition of $\simeq_{int}$. Since on $\mathrm{MA}_{sIF}$ $\simeq_{int}\ =\ \equiv$, the last condition is simply the loop condition, and undecidability follows from Lemma 6.13. ✷

7. Conclusions and future work

In this paper we have presented a number of characterisations of logical equivalence, including a coinductive characterisation by means of intensional bisimilarity, $\simeq_{int}$, and an inductive characterisation based on inversion results for $\simeq_{int}$.
These characterisation results are established on the MA calculus, in which terms need not be image-finite, and with respect to a finitary logic. We are not aware of other results of this kind. (Characterisation results for a bisimilarity with respect to a modal logic in the literature rely either on an image-finiteness hypothesis for the terms of the language, or on the presence of some infinitary constructs in the syntax of the logic.)

We have compared logical equivalence with barbed congruence, showing that the latter is strictly coarser, and with structural congruence, showing that the two relations are “almost the same” in the (Turing-complete) calculus $\mathrm{MA}_{sIF}$ (the two relations coincide on the synchronous version of $\mathrm{MA}_{sIF}$, whereas an additional eta-law has to be added to structural congruence in the asynchronous calculus). A spin-off of this study is a generally better understanding of behavioural equivalences in Ambient-like calculi. For instance, we have shown that behavioural equivalences can be insensitive to stuttering phenomena originated by processes that may repeatedly enter and exit an ambient. Finally, we have proved that logical equivalence, although decidable on $\mathrm{MA}_{sIF}$, is not decidable on the whole MA calculus.

We discuss below a few possible extensions of our work. On the logic side, other logical connectives could be added without changing our results, as long as formulas expressing capabilities and replication can still be derived. We believe this holds in particular for the ‘somewhere’ modality [11], and for fresh quantification [17]. In our work, we have interpreted the ‘sometimes’ modality ($\Diamond A$) in a weak sense, which makes intensional bisimilarity a weak form of bisimilarity.
W e b elieve that und er a strong in terpretation of the m o dalit y th e result corresp ond ing to Theorem 5.9 can b e deriv ed in a m uc h simp ler wa y , esp ecially b ecause stu ttering d o es not show up. On the calculus side, a fi rst v ariation could b e the introdu ction of a general recursion sc heme instead of replication. T h is w ould mak e it p ossible to express recur sion ‘in depth’, and not only ‘in width’, as with replication. Ou r pro ofs do not obvio usly carry o v er to this setting, mainly due to the fact that the sequen tial degree of a p ro cess m ay then b e infi nite, and we would lac k a measure to reason b y induction. Another in teresting extension is the addition of name restriction ( ν n ) P to the calcu- lus. Including restriction naturally implies to ad d its logical coun terpart, name rev elati on ( n r A , see [12]) to the logic. Ou r r esults can b e extended to this setting on the finite calcu- lus, and on infin ite pro cesses with only finitely man y restricted names, but w e do n ot know ho w to extend them to r ic h er calculi. F o r in s tance, th e pro of of completeness cannot b e directly adapted to the extension with name restriction in the general case. The p ossibilit y of generating infinitely man y fresh names breaks Lemma 4.12, intuitiv ely b ecause in finitely man y frozen subterms can app ear as outcomes of a give n term. F or the same r eason, we think that our appr oac h to obtain completeness in absence of an image-finiteness h yp oth- esis cann ot b e adapted to the π -calculus, where infinitely many names can b e generated. Ho wev er, our resu lts for the MA s IF fragmen t, in particular Th eorem 5.9 (= L = ≡ ), still hold in p resence of name restriction. In th e p ap er we ha ve considered only comm u nications of basic names. Certain pre- sen tatio n of th e MA calculus also include op erators f or comm un icatio n of capabilities. 
We believe that such communications could be added with mild modifications to the proofs.

References

[1] R. Amadio, I. Castellani, and D. Sangiorgi. On bisimulations for the asynchronous π-calculus. Theoretical Computer Science, 195:291–324, 1998.
[2] I. Boneva and J.-M. Talbot. When ambients cannot be opened. Theoretical Computer Science, 333(1-2):127–169, 2005.
[3] N. Busi and G. Zavattaro. On the expressive power of movement and restriction in pure mobile ambients. Theoretical Computer Science, 322(3):477–515, 2004.
[4] N. Busi and G. Zavattaro. Deciding Reachability in Mobile Ambients. In Proc. of European Symposium on Programming (ESOP'05), volume 3444 of LNCS, pages 248–262. Springer Verlag, 2005.
[5] L. Caires. Behavioral and Spatial Observations in a Logic for the pi-Calculus. In Proc. of FOSSACS'04, volume 2987, pages 72–89. Springer Verlag, 2004.
[6] L. Caires and E. Lozes. Elimination of Quantifiers and Undecidability in Spatial Logics for Concurrency. In Proc. of CONCUR'04, volume 3170 of LNCS, pages 240–257. Springer Verlag, 2004.
[7] L. Caires and H. Torres Vieira. Extensionality of Spatial Observations in Distributed Systems. Electr. Notes Theor. Comput. Sci., 175(3):131–149, 2007.
[8] C. Calcagno, L. Cardelli, and A. Gordon. Deciding Validity in a Spatial Logic for Trees. In Proc. of TLDI'03, pages 62–73. ACM Press, 2003.
[9] L. Cardelli. Describing Semistructured Data. SIGMOD Record, Database Principles Column, 30(4), 2001.
[10] L. Cardelli and G. Ghelli. A Query Language Based on the Ambient Logic. In Proc. of ESOP'01, volume 2028 of LNCS, pages 1–22. Springer Verlag, 2001. Invited paper.
[11] L. Cardelli and A. Gordon. Anytime, Anywhere, Modal Logics for Mobile Ambients. In Proc. of POPL'00, pages 365–377. ACM Press, 2000.
[12] L. Cardelli and A. Gordon. Logical Properties of Name Restriction. In Proc. of TLCA'01, volume 2044 of LNCS. Springer Verlag, 2001.
[13] L. Cardelli and A.D. Gordon. Mobile ambients. In Proc. FoSSaCS'98, volume 1378 of Lecture Notes in Computer Science, pages 140–155. Springer Verlag, 1998.
[14] L. Cardelli and A.D. Gordon. Anytime, anywhere: Modal logics for mobile ambients. In Proc. 27th POPL. ACM Press, 2000.
[15] M. Dam. Relevance Logic and Concurrent Composition. In Proc. of LICS'88, pages 178–185. IEEE, 1988.
[16] A. Dawar, P. Gardner, and G. Ghelli. Adjunct elimination through games in Static Ambient Logic. In Proc. of the 24th Foundations of Software Technology and Theoretical Computer Science (FSTTCS), volume 3328, pages 211–223. Springer Verlag, 2004.
[17] M. Gabbay and A.M. Pitts. A New Approach to Abstract Syntax with Variable Binding. Formal Aspects of Computing, 13(3-5):341–363, 2002.
[18] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency. Journal of the ACM, 32:137–161, 1985.
[19] D. Hirschkoff. An Extensional Spatial Logic for Mobile Processes. In Proc. of CONCUR'04, volume 3170 of LNCS, pages 325–339. Springer Verlag, 2004.
[20] D. Hirschkoff, E. Lozes, and D. Sangiorgi. Separability, Expressiveness and Decidability in the Ambient Logic. In 17th IEEE Symposium on Logic in Computer Science, pages 423–432. IEEE Computer Society, 2002.
[21] D. Hirschkoff, E. Lozes, and D. Sangiorgi. On the expressiveness of the ambient logic. Logical Methods in Computer Science, 2(2), 2006.
[22] D. Hirschkoff and D. Pous. A distribution law for CCS and a new congruence result for the π-calculus. In Proc. of FoSSaCS'07, volume 4423 of Lecture Notes in Computer Science, pages 228–242, 2007.
[23] D.J. Howe. Proving congruence of bisimulation in functional programming languages. Information and Computation, 124(2):103–112, 1996.
[24] F. Levi and D. Sangiorgi. Controlling interference in ambients. Short version appeared in Proc. 27th POPL, ACM Press, 2000.
[25] F. Levi and D. Sangiorgi. Mobile Safe Ambients. ACM Trans. Program. Lang. Syst., 25(1):1–69, 2003. Short version appeared in Proc. 27th POPL, ACM Press.
[26] E. Lozes. Elimination of spatial connectives in static spatial logics. Theoretical Computer Science, 330(3):475–499, 2005.
[27] S. Maffeis and I. Phillips. On the Computational Strength of Pure Ambient Calculi. Theoretical Computer Science, 330(3):501–551, 2005.
[28] R. Milner. Communicating and Mobile Systems: the π-Calculus. Cambridge University Press, 1999.
[29] R. Milner and D. Sangiorgi. Barbed bisimulation. In W. Kuich, editor, Proc. 19th ICALP, volume 623 of Lecture Notes in Computer Science, pages 685–695. Springer Verlag, 1992.
[30] D. Sangiorgi. Extensionality and Intensionality of the Ambient Logic. In Proc. of 28th POPL, pages 4–17. ACM Press, 2001.
[31] D. Sangiorgi and D. Walker. The π-calculus: a Theory of Mobile Processes. Cambridge University Press, 2001.
[32] S. Dal Zilio. Structural Congruence for Ambients is Decidable. In Proc. of ASIAN'00, volume 1961 of LNCS. Springer Verlag, 2000.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
