Bisimulation Congruences for Higher-Order Mobile

Bisimulation Congruences for Higher-Order Mobile Embedded Resources Thomas Hildebrandt, Jens Chr. Godskesen, and Mikkel Bundgaard Theory Department, IT University of Copenhagen, Glentevej 67, DK-2400 NV, Denmark hilde, jcg, mikkelbu @itu.dk

Abstract. We present a calculus of Higher-Order Mobile Embedded Resources (Homer), extending Thomsen’s Plain CHOCS, a higher-order calculus with local names, to allow for strongly mobile computing resources in nested locations. We provide labelled transition semantics and strong and weak late labelled transition bisimulation congruences, which is proven to be sound with respect to respectively strong and weak barbed bisimulation congruence. The heritage to Plain CHOCS gives a simple reduction and labelled transition semantics, and applicability of Howe’s method for proving contextual bisimulation to be a congruence. The main technical contribution is the successful application of Howe’s method to a calculus with nested, strongly mobile resources with local names and static scoping. We demonstrate the expressiveness of the calculus by giving several examples, in particular we provide a novel encoding of π-calculus name-passing.

1 Introduction In the last five years, several new calculi for mobility have been proposed, aiming to provide a theory, in which to reason formally about the behavior of computing resources, moving in and out of nested, named locations. Among these, the Ambient calculus [3] and the Seal calculus [19, 5] have proven very durable. For both calculi, substantially progress has been made in providing labelled transition semantics and bisimulation congruences, which allow coinductive reasoning about the behaviour of processes in any context [12, 13, 4]. However, compared to the relatively simple reduction semantics, the labelled transition semantics so far have been quite complex. The aim of the present paper, is to present a higher-order calculus of mobile embedded resources, named Homer, which has expressive power comparable to the above mentioned calculi, yet has a simple labelled transition semantics amenable to standard proof techniques. The calculus we propose is an extension of Thomsen’s Plain CHOCS [18], a higherorder calculus with local names and static scoping, to allow strongly mobile resources in arbitrarily nested locations. To briefly recall, mobility of processes in Plain CHOCS is introduced by replacing the name passing of the π-calculus [16, 14] with process passing. We will represent this kind of interaction with the action prefixes n q (send) and n x (receive) respectively. Here x is a process variable for which the received process is substituted, as expressed formally by the reduction rule n q p1 n x p2

p1 p2 q x

As usual, there may be any number of occurrences of x in p 2 , meaning that processes may both get discarded and copied, making CHOCS a non-linear higher-order calculus. However, as also remarked by Thomsen, the process q can not start computing before it is moved, and once it has started computing, it can not be moved again. This is known as weak mobility, as opposed to strong mobility, where processes may move during their computation. We introduce strongly mobile, nested resources by allowing an additional kind of interaction, given by two new complementary prefixes n q (resource) and n x (take). The process n q p1 denotes a computing resource q residing at the location (or address) n, which may be moved or taken by the complementary action prefix, n x p2 . Just as for the CHOCS interaction, the synchronisation is expressed by the reduction n q p1 n x p2

p1 p2 q x

We impose two important differences between the two types of interactions. Firstly, in n q , but not in n q , the resource q may perform internal computations, i.e. q implies n q p1

q

n q p1

Moreover, the resource q in n q is able to interact with processes outside its location by allowing resources to be send down to and taken up from q. We introduce this kind of interaction as in the Mobile Resources (MR) calculus [7], by allowing sequences as addresses in the downward prefixes take and send. For instance, using the sequence n1 n2 in the address of the take prefix, a resource q may be taken from the address n 2 in a resource running at address n1 , as in n1 n2 q q q p1 n1 n2 x p2

n1 q q p1 p2 q x

Dually, a resource q may be send to address n2 in a resource running at address n1 by n1 n2 q p1 n1 n2 x p2 p2 p2

p1 n1 p2 q x p2 p2

In this way, the prefixes take and send may address resources at the same level or at arbitrarily deep sub locations, which is indicated by the downward arrow. Conversely, the upward arrow of the resource and receive prefixes indicates that they are visible at the same level or above. We allow as well sequences of names in addresses of the receive and resource prefixes. This permits the physical nested structure of the address space to be different than the abstract structure, e.g. a resource send to the nested address n 1 n2 may be received at the same level by a process waiting to receive on the address n 1 n2 as in n1 n2 q p1 n1 n2 x p2

p1 p2 q x

The interaction presented above is the only kind of interaction in Homer. The only other feature is generation of local names as found in the π-calculus and Plain CHOCS. We let n p denote a process p in which the name n is local. This provides the means to control access to resources. A standard example is the perfect firewall property, which in Homer will look like n n p 0

2

and is proven among other examples in Sec. 7. As described in [19, 4], one must take care when considering copyable, nested, strongly mobile resources with local names. Consider a resource p with a free name n. To allow the reduction m1 n m2 p p m1 m2 x q

n m1 p q p x

one may expect the structural congruence to equate m n p

n m p if n m

as indeed it is the case in the ambient calculus. However, this equation conflicts with the fact that resources can be copied, e.g. the processes at the right hand of the reductions m n p m x x x

n p n p

(1)

and m n p m x x x

n m p m x x x

n p p

(2)

will in general not be equivalent. We handle this similarly to [19, 4], by extending the scope by need when computing resources are moved. Structure of the paper: In Sec. 2 and Sec. 3 we present the syntax and reduction semantics of Homer. In Sec. 4 we provide examples of reductions, and show how local names and the non-linear, substitution based communication allows to encode recursion, generalising the encoding for Plain CHOCS in [18] to nested locations. We also provide a novel encoding of π-calculus name passing, exploiting the strongly mobile embedded resources. In Sec. 5 we extend the labelled transition semantics of Plain CHOCS to handle nested locations, and then in Sec. 6 we provide a late contextual labelled transition bisimulation and show how to adapt Howe’s method as presented in [1] to nested locations, proving the labelled transition bisimulation to be a congruence, sound with respect to barbed bisimulation congruence. Finally, we exemplify the use of the theory by proving equational properties in Sec. 7. Related work: The Homer calculus builds on the MR calculus introduced in [7], exchanging the linear and atomic three-party movement of resources in MR with the non-linear two-party movement of Thomsen’s Plain CHOCS [18]. This brings Homer in the family of calculi for mobility based on the λ-calculus, for which interaction involves substitution of processes for process variables. The idea of strong mobility was mentioned in [18], but never explored. It is well-known, that the weak mobility of CHOCS can be elegantly encoded in the π-calculus [16, 14], but there is no straightforward encoding of strongly mobile copyable resources. Conversely, Thomsen demonstrated that both recursion and the name passing of the π-calculus can be encoded in Plain CHOCS [18]. As opposed to our encoding, the CHOCS encoding of name-passing depends crucially on having explicit name substitution in the calculus. The Homer calculus shares with the Seal calculus of Vitek et al [19, 4] that resources are anonymous, and reside in named locations, which are used to address the resource and dissolves when the resource is moved. Also resources are copyable and moved 3

objectively, i.e. from the outside, as opposed to the linear, subjective mobility of the Ambient calculus where ambients move by themselves and can not be cloned. We believe that the calculus is conceptually simpler than both the Seal calculus and the full Ambient calculus (with capability passing), since process passing is the only communication primitive. The handling of dynamic scope extension in Homer is inspired by [4], and the labelled transition semantics is late and contextual as in [12, 13, 4], but considerably simpler than the semantics of Seal [4], which needs to handle the complex three-party interaction. The labelled bisimulation given in [4] is also proven sound with respect to barbed congruence. Our congruence proof for weak labelled transition bisimulation extends the careful presentation by Baldamus and Frauenstein in [1], who use Howe’s method [9, 8] on a Plain CHOCS-like calculus. The new contribution of the present paper is the treatment of nested computing resources together with local names. Interestingly, Howe’s method fails if one handles scope extension by forcing the second reduction (2) above, for reasons similar to those described by Jeffrey and Rathke for the ν-calculus in [10].

2 The Calculus We assume an infinite set of names N ranged over by m and n, and let n˜ range over finite sets of names. We let δ range over non-empty sequences of names, referred to as addresses. We assume an infinite set of process variables V ranged over by x and y. The set P of process expressions is then defined by the grammar: p q r t u :: 0

inactive process action prefixing parallel composition let n be local in p process variable

λ p p q n p x

where the set of prefixes Λ is defined by the grammars: :: λ λ :: δ x δ x λ :: δ r δ r

λ λ

τ

receive a resource at δ and bind it to x take computing resource from δ and bind it to x send a resource r to δ computing resource r at δ

The process constructors are the standard constructors from concurrent process calculi, extended with process variables as in the λ-calculus and Plain CHOCS. The prefixes δ r and δ x correspond to the send and receive prefixes in CHOCS, except that paths and not only names are allowed as addresses. The new prefixes allowing strong mobility are the prefixes δ r and δ x . In the rest of the paper we let ϕ :: δ δ . We define δ δ and δ δ . The restriction operator n and the prefixes ϕ x are the binding constructs for names and variables respectively. The sets fn λ , fn p and fv λ , fv p of free names and free variables are defined accordingly as usual. We say that a process with no free 4

E1 p 0 p E2 p q q p E3 p p p

p

p

p

E4 n E5 n E6 n E7 n

0 0 p p n p p if n m p m n p n p n p

fn p

Table 1. Structural congruence.

variables is closed and let Pc denote the set of closed processes. We write p α q if p and q are α-convertible (wrt. both names and variables). For any subset P of P we let P α denote the set of α-equivalence classes (wrt. both names and variables) of process expressions. We define the process p q x to be p with all free occurrences of x replaced by q, if necessary α-converting p such that no free names and variables in q are bound. Likewise, we let p n m be p with all free occurrences of m replaced by n, if necessary α-converting p such that n is not bound in p. By convenience, we omit trailing 0 s and hence write λ instead of λ 0 . As usual, we let prefixing and restriction be right associative and bind stronger than parallel composition. For a set of names n˜ n 1 nk we let n˜ p denote n1 nk p. We write m˜ n˜ for m˜ n, ˜ always implicitly assuming / Finally, we will write n for the set n when no confusion can occur. m˜ n˜ 0.

3 Reductions We provide Homer with a reduction semantics defined through the use of contexts, structural congruence, and reduction rules. Contexts are, as usual, terms with a hole . We write p for the insertion of p in the hole of context . Note that free names (and variables) of p may get bound by insertion of p in the hole of a context. We extend fn and fv to contexts by fn fn 0 and fv fv 0 . An equivalence relation R on P α is a congruence if for all p q P α and contexts , p R q implies p R q . Structural congruence is then the least congruence on P α satisfying the rules in Table 1. Evaluation contexts are contexts with no free variables, whose hole is not guarded by a prefix, or appear in the value of a send prefix, i.e.

::

p n

δ p for p Pc .

The evaluation context δ p expresses that a resource at a location δ may perform internal computations. As our calculus allows actions involving terms at depths arbitrarily far apart we define a family of path contexts γn˜ indexed by a path address γ N and a set of names n. ˜ The path address γ indicates the path under which the context’s ‘hole’ is found and the set n˜ of names indicates the bound names of the hole. We define the path contexts inductively in n˜ and γ by

0/ ε

::

n˜ m˜ δγ

:: δ n˜

m˜ γ

p q for n˜ m˜ γ 0/ and p q Pc . 5

send γδ r q

take

m˜ γ

δ r q

m˜ γ

δ x p

if m˜ fn r δ 0/ m˜ 1 γm˜ m˜ 1 q p r x if m˜ 1 m˜ fn r , m˜ δ 0/ q

γδ x p

m˜ γ

p r x

Table 2. Reduction rules

The side condition ensures that the local names bound by the context are unique and do not bind names in the address of the hole. Note that the path contexts are also a special kind of evaluation contexts, i.e. they address computing resources. We define an open operator m˜ for path contexts, used to handle scope extension when resources are taken up from sublocations as described in the introduction. The definition is by induction in the path address, letting

0/ ε

m˜

and δ n˜

m˜ γ

p q m˜ δ n˜ m˜

m˜ γ

m˜ p q

We finally define as the least binary relation on Pc α satisfying the two rules in Table 2 and closed under all evaluation contexts and structural congruence. The (send) rule expresses how a passive resource r is send down to the sub location γ, where it is received at the address δ, and substituted into the receiving process p, possibly in several copies. The side condition guarantees that no free names of r may be bound by the path context. This can always be guaranteed by α-conversion, and thus will never block mobility. The (take) rule captures that a computing resource r is taken from the sub location γ, where it is running at the address δ, and substituted into the process p, possibly in several copies. The open operator is used to extend the scope of the local names defined in γm˜ that occur free in r. The movement to and from arbitrarily deeply nested locations, adopted from the MR calculus [7], contrasts the local movement of the Seal calculus and the Ambient calculus, in which processes can only cross one boundary at a time. We choose to adopt the general format introduced in MR, since we find it natural to consider sub processes to be running in the same “address space”, and thus being directly addressable, and the inaccessibility of deep resources may be represented by the use of local names. Moreover, the use of path contexts allow us to treat local movement between two parallel processes as just special cases of moving up or down. It should be noted however, that all the results of the paper restricts easily to a sub calculus with only short moves. In this case, the reduction rules could be written out explicitly as

local ϕ r q ϕ x p q p r x down δ δ r q δ m˜ δ x p p q δ m˜ p r x p m˜ fn r δ 0/ δ m˜ δ r q q δ δ x p up m˜ 1 δ m˜ m˜ 1 q q p r x if m˜ 1 m˜ fn r and m˜ δ 0/

which resembles closely the rules for name passing in [4]. 6

4 Reduction Examples Synchronisation It is trivial to encode basic CCS-like synchronisation between a process and a local process or one of its sub resources by simply passing the inactive resource, i.e. n p

def

n 0 p and γn q

def

γn x q for x fv q

giving reductions n q n p

q p

δn q δ n p

and

q δ p

We shall use the shorthands for CCS-like action prefixes in Sec. 6. Recursion We may encode general recursion (up to weak equivalence) using local names, movement and copying of resources. The encoding is similar to the one given in [18], except that recursion variables may appear at sublocations, which makes the definition slightly more complicated. Define rec x p

def

a a a p

a p

where a p a y p a y y x , for y fv p and a not appearing in p. Intuitively, a p places a copy of itself at all occurrences of x in p in parallel with a copy at location a for future use. It may be shown that rec x p is weakly equiva lent to the usual definition of recursion. Assuming x fv p replication may be encoded as usual by !p de f rec x p x , which is then weakly equivalent to the usual notion of replication. MR slots and mobility Persistent slots as introduced in the MR calculus [7] can be encoded (using mutual recursion for readability) as

n p

def

n p n

n

def

n x n x

which defines a slot with and without content, respectively. In MR, a computing resource was moved from a slot named n to an empty slot named m by an atomic, threeparty move action n m, e.g. n m q n p m

q n m p

The three-party mobility of MR may be simulated naively as two actions, the first taking the resource (up) from a slot and the second placing the resource (down) into a slot. γn

γ m p

γn x γ m x p x fv p

def

This is of course not a faithful encoding, since the atomicity is broken. For instance, a resource may be moved out of a slot, without an empty slot being ready to receive it. To achieve atomic three-party movement one need to encode a locking scheme. 7

Seal-like mobility The basic mobility in Seal allows a computing resource to be moved from an address n and started again immediately in a number of copies at addresses m1 mk . Adopting a Seal-like notation, this may be defined in Homer as the prefix n m 1 m2 mk p

n x m1 x m2 x mk x p

def

for x fv p

Note that this is not an encoding of Seal. π-calculus name-passing Perhaps a bit surprisingly, π-calculus name-passing can be encoded in Homer by using nested computing resources. We encode π-calculus processes with names in N as Homer processes with names in N N , where N is ranged over by n m and we assume the mapping of n N to n N is a bijection. We then encode a name n as a mobile resource n that can perform three tasks: sending, receiving, and binding.

Sendn Receiven Bindn n

v x c y n x y v x c y n z a a x abv z ab z a z y z v x n x s Sendn r Receiven b Bindn

The encoding of a name n is then kept as a resource at the address n and copied whenever it is used. More detailed, the encoding of a π-calculus process p is defined to be

p Πn

n n

fn p

where the encoding is given inductively as follows. The encoding of local names, parallel composition and replication is defined by (using the encoding of replication given above) n p n n p n n p q p q !p ! p

We encode the send and receive prefixes of the π-calculus as follows (using the Seal-like mobility defined above)

¯n m p a n a n m y m y asv y asc p as x a z x n m p a n a n m m arv m arc p ar x a z x

n n m m , that we get reductions ¯n m p n b q r n m p n b q r

n m p b b n z pzbq r

p b b q b m r where pzbq a a b abv z ab z a z q z is the part of the

One may check, letting r

Receiven process that binds the received name to the local name b and then runs the continuation q . We leave the formal treatment of this encoding for the full version of the paper. 8

prefix

λ p

λ

par

p π

p

p

π

p q

p

q

sync rest

n p

π π

p1 p1

δ p q

fn q bn π 0/

p

p

nesting

n˜ ϕ t

p2

τ

p2

δ π

p δ p q

ϕ x

p2

n p

n fn π bn π

open

π

q

p

π

p

q

q p

fn p2 n˜ 0/

n˜ p1 p2 t x

p

fn q bn π 0/

p q

sym

p1

π

p

n p

n˜ ϕ t

p

nn˜ ϕ t

n fn t fn ϕ n˜

p

Table 3. Transition rules.

5 Transition Semantics In this section we provide Homer with a labelled transition semantics, given by the rules in Table 3. As for the reduction semantics we define the transitions for α-equivalence classes of closed processes. The rules are completely standard, except for the (nesting) rule. This rule takes care of the communication and computation of arbitrarily deeply nested resources. It uses an operation δ formally defined by: δ τ τ, δ δ x

δδ x , and δ n˜ δ t n˜ δδ t

/ for δ n˜ 0.

Note that the operation is not defined for take and send labels, since these actions are directed “downward” and thus not visible outside the resource. When we write δ π, we implicitly assume that π is a label for which the operation is defined. Since δ τ τ, the nesting rule allows resources to compute. As examples we have nm t

n m t p p

and

n p p τ

δ p q

nm x

n m x p p

δ p q

τ

if p

n p p

p.

As explained in the introduction, the action prefixes allow two kinds of movement of resources. Since they are completely dual, they are both treated by the rule (prefix) and the synchronisation rule (sync), recalling that δ δ and δ δ . In general, the scope of names may be extended when resources are moved. As for Plain CHOCS and the π-calculus, we handle this by an (open) rule, which moves the binding to the output label. The binding is then closed again by the (sync) rule. The side condition of the (open) rule ensures that the bound name is indeed free in the resource t 9

and neither part of the path nor already bound in the label. Similarly, the side conditions of the (par) and (nesting) rules ensure that no names are captured in the scope-extension performed by the combination of the (open) and (sync) rules. We let π range over the complete set Π of labels, formally defined as π :: τ ϕ x

n˜ ϕ t

The set of bound names in a label π, bn π , is n˜ if π is n˜ ϕ t , and 0/ otherwise. The set of free names in π, fn π , is fn λ n˜ whenever π n˜ λ. The rules in Table 3 then define a labelled transition system

Pc

α

Pc

α

P α

Π

6 Bisimulation Congruences In this section we address the semantic theory of Homer considering how to describe congruences as bisimulations. First we define strong and weak barbed bisimulation congruences based on the reduction semantics and next we define strong and weak late, contextual labelled transition bisimulations. We prove that the labelled transition bisimulations are congruences using Howe’s method, and that they are sound with respect to barbed bisimulation congruences. 6.1 Barbed Bisimulation Congruence We define weak and strong barbs standardly on closed terms using the encoding of CCS-actions given in Sec. 4 and letting be the transitive and reflexive closure of p n if p

n˜ n p q and n n˜

and

p

n if

p

p p n

The following two propositions state the correspondence between the reduction semantics and the transition semantics. Proposition 1. p n

Let p

τ

t if and only if p

n x

denote p

t.

t for some x and t. n

Proposition 2. p n if and only if p

We restrict binary relations R on P

α

to closed terms by Rc

Definition 1. A (weak) barbed simulation is a binary relation R on Pc whenever pR q, if p n then q n q if p

p then q

n

q q

R is a (weak) barbed bisimulation if R and R barbed bisimulation congruence ( b c ) is a barbed bisimulation.

b

(

q such that p R q

1

R Pc α Pc α .

α

such that

are (weak) barbed simulations. (Weak) ) is the largest congruence such that b c b

10

6.2 Labelled Bisimulation Congruence In this section we define context bisimulations and apply Howe’s method to prove that their open extensions are congruences, following closely the approach in [1]. As standard in context bisimulations, we employ abstractions for the higher order output transitions in the definition of our bisimulation. To handle the nested resources, we use a particular kind of abstractions, which are particular evaluation contexts (of open processes). Define n˜ δ :: γ t δ :: t

x . The abstractions

where fv t δ are used for resources moving upward, the abstractions δ are used for resources moving downward. The latter are essentially the standard abstractions used in [1], except that they are defined as contexts. This makes / them a special case of the former, taking γ to be the empty path ε and n˜ to be 0. We consider concretions of the form n˜ u t , and write m˜ u v α m˜ u v if m˜ ϕ u v α m˜ ϕ u v for some ϕ. We then define application of abstractions to concretions by

n˜ γ

t m˜ u v n˜ m˜

n˜ γ

where m˜ u v α m˜ u v , m˜ fn γn˜ t n˜ scope extension as for the (take) reduction rule.

n˜ v t u x

0, / where n˜ fn u n. ˜ Note the

p and p q if p p q. Note that we We define weak transitions by p do not allow internal transitions after the visible transition, which gives rise to so called delay bisimulation [17]. τ

m˜ λ

τ

m˜ λ

Definition 2. A (weak) late context simulation is a binary relation R on P c p R q implies

τ

if p

ϕx

if p

n˜ ϕ u

t q

ϕx

m˜ ϕ u

t then q

τ

ϕx

t then q

if p

t q

τ

t then q

t tR t

t q

m˜ ϕ u

ϕ

ϕ

n˜ u t R

R is a (weak) late context bisimulation if both R and R simulations. We let

such that

t

α

t tR t

m˜ u t

ϕ

1

are (weak) late context ( ) denote the largest (weak) late context bisimulation.

We extend binary relations R on Pc α to open terms the usual way, by defining pR q if x1 xk fv p fv q then for all t1 tk Pc α , p t1 x1 tk xk R q t1 x1 tk xk , i.e. requiring two open terms to be related after substitution with closed resources. Proposition 3.

and

.

It follows from the definition of (weak) late context bisimulation that their extension to open terms) are equivalence relations. 11

and

(and

0R p

nil

xR p

var

0R p

in

t1

u2 R p

u1 R p

t1 R t2

out

ϕ x p1 R p

ϕ t 2 p2 R p

p1 R p2

ϕ t 1 p1 R p

p1 R p2

τ p2 R p

tau

t2

n t R p

u1 R u2

ϕ x p2 R p

p1 R p2

rest

xR p

par

t1 R t2

n u R p

tR u

τ p1 R p

Table 4. Congruence Candidate

Proposition 4.

,

,

, and

are equivalence relations.

A binary relation R on Pc α is preserved by action renaming if p n m R q n m whenever pR q with n fn p fn q .

Proposition 5.

and

are preserved by action renaming.

A binary relation R on P α is substitutive if pR q and t R u implies p t x R q u x

Next we show that and are indeed also congruences, using Howe’s method. We say that a binary relation R on P α is constructor compatible if p R q and p R q implies ϕ x p R ϕ x q, ϕ p p R ϕ p q , p p R q q , and n p R n q. It is easy to verify, that an equivalence relation on P α is a congruence as defined in Sec. 3, if and only

if it is constructor compatible.

We define the usual congruence candidate R on P α , of a binary relation R on Pc α by the rules in Table 4. We extend binary relations R on Pc α to evaluation contexts (allowed to contain free variables)

by defining R , for and possibly open evaluation contexts, if for all t Pc α , t R t . Remember that free names in t may be bound when t is placed in a context. Since we use abstraction contexts, we also define a congruence candidate R on evaluation contexts (possibly containing free variables), of a binary relation R on

Pc α by rules in Table 5. We then say that R is substitutive if R , 1 R 1 , and t R u implies t R u and 1 R 1 . ( ) is a congruence and that ( ). The key is now to show that As in [1] we first prove the following properties of the congruence candidate.

Proposition 6. Let R be an equivalence relation on Pc 1. R and R is reflexive. 2. R R . 3. R R R .

12

α

then

hole

R

R

R

rest

par out

n R R

n

u1 R u2

2

1

R

1

R

1

u1 R

ϕ

2

ϕ

1

p1 R p2

u2 R

2

p1 R

2

p2 R

Table 5. Congruence Candidate for Evaluation Contexts

R is a congruence. if R is preserved by action renaming then so are R and R . if R is preserved by action renaming then R and R are substitutive. R 1 R . R is symmetric.

4. 5. 6. 7. 8.

The use of action renaming is the only non-standard part, and is introduced in [1] to handle α-conversion when proving R substitutive. The use of R is the only new contribution of the present paper, the properties for R is shown as for R . the method of Howe utilizes that satisfies the In order to establish following bisimulation property.

Lemma 1. Let p q Pc α . Then p

ϕx

if p

τ

p then q

n˜ ϕ r

if p

p then q

τ

if p

ϕx

p then q

q p

q p

m˜ ϕ r

q implies:

q

q

q

A similar bisimulation property for Theorem 1.

and

ϕ

ϕ

n˜ r p

ϕ

is used to prove

are congruences.

ϕ

m˜ r q

.

From the correspondence between τ-transitions and reductions (Prop. 1 and 2), and from the fact that and are congruences, it follows easily that and are sound with respect to the respectively barbed and weak barbed bisimulation congruences. Theorem 2.

b

and

b.

7 Equational properties In order to ease the proofs we introduce the standard notion of bisimulation up to inspired by [14].

Proposition 7. If R is a (weak) late context bisimulation up to p q (p q).

13

( ) and pR q then

Restricted send-receive interaction Whenever n fn δ and n fn p fn q fn r the equation n δ r p δ x q τ p q r x

holds true because then n δ r p δ x q τ p q r x Id is a late context

bisimulation up to

.

Perfect firewall equation As mentioned in Sec. 1 the perfect firewall equation can be written as n n p 0 . For open terms we write

n n p

0

which holds because n n r 0 r Pc is a weak late context bisimulation.

Local computation The following equation show that it is weakly unobservable, if a computing resource is moved via a local location (in which it may perform internal computations). a x n n x n y b y

a y b y

It follows by checking that Id R1 R2 is a weak late context bisimulation up to where y b y a y b y R1 a x n n x n R1 n n r n y b y b r r Pc n fn r

8 Conclusion and Future Work The main challenge of the paper was to combine higher-order communication of processes, local name generation, nested locations and strong mobility, while still obtaining a simple labelled transition semantics and bisimulation congruence. We believe that we have met this goal. We have presented a calculus, Homer, which is a simple extension of Plain CHOCS to allow nested, strongly mobile resources, only requiring a single extra transition rule for handling nested computation. We have given a late, labelled bisimulation, and shown how to adapt Howe’s method to prove that it is a congruence. Finally, we have illustrated that our calculus, despite its few primitives, is powerfull enough to express both recursion and name passing. Currently, we are developing a type system for Homer, inspired by the logic in [2], allowing to distinguish between linear (non-copyable) and non-linear (copyable) resources, and are working on extending the congruence proof to the typed setting along the lines in [6]. We also plan to investigate more complex type systems, expressing not only copyability capabilities, but also general access capabilities to resources. Concerning the labelled transition semantics, we are pursuing the question of finding a sound and complete characterisation of barbed bisimulation congruence. Barbed bisimulation congruence can be shown to imply early labelled transition bisimulation, but it is known to be problematic to apply Howe’s method directly for standard early bisimulations [1]. Along the same lines, we investigate how to define a bisimulation 14

that does not need the complex abstraction contexts as used in our bisimulation and the related bisimulations in [12, 13, 4]. Finally, we are studying how to give semantics for substitution based calculi as CHOCS and Homer in the general framework of Bigraphs [15].

References 1. M. Baldamus and T. Frauenstein. Congruence proofs for weak bisimulation equivalences on higher–order process calculi, 1995. Report 95–21, Berlin University of Technology, Computer Science Department. 2. Andrew Barber. Dual intuitionistic linear logic. Technical Report ECS-LFCS-96-347, LFCS, 1996. 3. Luca Cardelli and Andrew D. Gordon. Mobile ambients. In Maurice Nivat, editor, Proceedings of FoSSaCS ’98, volume 1378 of LNCS, pages 140–155. Springer, 1998. 4. G. Castagna, J. Vitek, and F. Zappa Nardelli. The Seal Calculus. Unpublished manuscript, 2003. 5. Giuseppe Castagna, Giorgio Ghelli, and Francesco Zappa Nardelli. Typing mobility in the seal calculus. In Kim G. Larsen and Mogens Nielsen, editors, Proceedings of CONCUR, volume 2154 of LNCS, pages 82–101, 2001. 6. Roy L. Crole. Completeness of bisimilarity for contextual equivalences in linear theories. Logic Journal of the IGPL, 9(1):27–51, January 2001. 7. Jens Chr. Godskesen, Thomas Hildebrandt, and Vladimiro Sassone. A calculus of mobile resources. In Proc. CONCUR’2002, LNCS. Springer, 2002. 8. D. J. Howe. Equality in lazy computation systems. In Proceedings of the 4th IEEE Symposium on Logic in Computer Science, pages 198–203, 1989. 9. Douglas J. Howe. Proving congruence of bisimulation in functional programming languages. Information and Computation, 124(2):103–112, 1996. 10. Alan Jeffrey and Julian Rathke. Towards a theory of bisimulation for local names. In Proceedings of LICS ’99, pages 56–66. IEEE, Computer Society Press, July 1999. 11. Alan Jeffrey and Julian Rathke. A theory of bisimulation for a fragment of concurrent ML with local names. In Logic in Computer Science, pages 311–321, 2000. 12. Massimo Merro and Matthew Hennessy. Bisimulation congruences in safe ambients, 2001. 13. Massimo Merro and Francesco Zappa Nardelli. Bisimulation proof methods for mobile ambients. In ICALP 2003, volume 2719, pages 584 – 598. Springer-Verlag Heidelberg, January 2003. 14. Robin Milner. Communicating and Mobile Systems: the π-Calculus. Cambridge University Press, May 1999. 15. Robin Milner. Bigraphical reactive systems. In Kim G. Larsen and Mogens Nielsen, editors, Proceedings of CONCUR, volume 2154 of LNCS, pages 16–35, 2001. 16. Robin Milner, Joachim Parrow, and David Walker. A calculus of mobile processes, part I/II. Journal of Information and Computation, 100:1–77, September 1992. 17. Davide Sangiorgi and David Walker. The π-calculus: a Theory of Mobile Processes. Cambridge University Press, 2001. To appear. 18. Bent Thomsen. Plain CHOCS. A second generation calculus for higher order processes. Acta Informatica, 30(1):1–59, 1993. 19. Jan Vitek and Giuseppe Castagna. Seal: A framework for secure mobile computations. In Internet Programming Languages, 1999.

15

A

Proof of Proposition 5

In the proof of Proposition 5 we need the auxiliary definitions and the lemma below. Define ε n m ε, mγ n m n γ n m , and n γ n m n γ n m if m n . Define δ n m δ n m and δ n m δ n m . Define ϕ x n m ϕ n m x , t ϕ n m t n m ϕ n m , and τ n m τ. Define n˜ λ n m n˜ λ if m n, ˜ and n˜ λ n m otherwise.

Lemma 2. Whenever m fn p and n fn q fn λ n˜ then

where n˜ λ q n m

n˜ λ q .

α

n˜ λ q if and only if p q

n˜ λ

p m n

Proof. Let m fn p and n fn q fn λ n. ˜

n˜ λ

Case: “only if”. By induction on the length of the inference for p m n Basis: Easy.

q.

n˜ λ

Step: Suppose p m n q by an inference of length more than one. We only consider the case where the last step in the inference is a application of the rule (open). Then p n p and n˜ n n˜ for some n , p , and n˜ , and λ ϕ r for some r and ϕ. Assuming n m n (using α-conversion if needed) p m n n p m n . By the n˜ ϕ r

rule (open), p m n q and

n fn r fn ϕ n˜

By induction, since m fn p , we have p

m˜ ϕ r

(3)

n˜ ϕ r q n m

q such that

m˜ ϕ r q

α

(4)

From (3) and (4) and the assumption n m n we infer n fn r fn ϕ m˜ . Then n m˜ ϕ r

applying the rule (rest) we get n˜ p q . Finally, from (4) and n m n we obtain n n˜ ϕ r q n m α n m˜ ϕ r q . n˜ λ Case: “if”. Suppose p q where n˜ λ t n m α n˜ λ q . Then, because m fn p , p p m n n m , so n˜ λ p m n n m q (5) Now, since n fn p m n and m fn q n m fn λ n m , by the “only if” direcn˜ λ tion applied on (5) we have, p m n q with n˜ λ q m n α n˜ λ q . But n˜ λ q α n˜ λ q because n fn q fn λ n. ˜

The actual proof of Proposition 5 goes as follows:

Proof. We only show that is preserved by action renaming, the proof for Define R i , i ω inductively by, R 0 and

Rk

1

p m n q m n p R k q m fn p fn q 16

is similar.

Let R k ω R k . We show by induction in k that R is a late context simulation. Then since R is symmetric it is a late context bisimulation and because it contains the largest late context bisimulation it follows that R . Basis: (k 0) Easy. π Step: (k 0) Suppose p m n R k 1 q m n and that p m n p1 . We only consider the case π n˜ 1 ϕ r1 , the other cases are similar. Because n fn p1 fn r1 n˜ 1 ϕ r1

fn ϕ n˜ 1 we obtain by Lemma 2 that p p1 with

n˜ 1 ϕ r1 p1 n m

By induction, there exists q

n˜ 2 r2 ϕ

n˜ 1 ϕ r1 p1

α

q1 such that

Aϕ Aϕ n˜1 r1 p1 R Aϕ n˜2 r2 q1

(6)

n˜ 2 r2 ϕ Now, by Lemma 2 we get q m n q1 with n˜ 2 r2 ϕ q1 n m α n˜ 2 r2 ϕ q1 such that n fn q1 fn r2 fn ϕ n˜ 2 . For any Aϕ we have for i 1 2

Aϕ n˜ i ri qi

Aϕ a n n˜ i ri qi m n n a

α

for some fresh a. Then from (6) (since Aϕ

Aϕ ) and the definition of R we conclude

Aϕ Aϕ n˜1 r1 q1 R Aϕ n˜2 r2 q2 B

Proof of Lemma 1

The proof of Lemma 1 follows closely [1], we provide only a few key cases.

Proof. Suppose p q Pc α , p π

tion of p

π

q and p

t. We proceed by induction in the deriva-

t.

t because p p1 p2 , π τ, p1 Case (sync): Assume p p1 p2

p2 and (*) fn p2 n˜ 0/ and t n˜ p1 p2 u x . By the definition of we get (1) p1 t1 , (2) p2 t2 and (3) t1 t2 q. m˜ϕ u t such that (4) ϕ y By induction and (1) we get t1 ˜ u p1 ϕ y ϕ n 1 m ˜ u t . ϕ 1 π

ϕx

n˜ ϕ u

By induction and (2) we get t2 t2 such that (5) p2 t2 . By use of (sync) (and (par) and (sym) to handle the τ steps of the weak transitions) τ of Table 3 and using α conversion to get fn t2 m˜ if necessary, we then get t1 t2 m t 1 t2 u x . τ q such that (6) m˜ t t u x q . By (3) it then follows that q 1 2 Letting ϕ p2 and ϕ t2 we get that ϕ ϕ using (2) and that is reflexive. It then follows from (4) that (7) t n˜ p1 p2 u x m˜ t1 t2 u x . Finally, from (6), (7) and we get t q as required.

ϕx

17

π π t1 , fn p1 t because p δ t1 p1 , π δ π , t1 Case (nesting): Assume p / t δ t1 p1 and π τ δ x n˜ δ v . 0, bn π By the definition of we get (1) t1 t2 , (2) p1 p2 and (3) δ t2 p2 q. π By induction and (1) we get t2 t2 such that (4a) If π τ then π π and t1 t2 (4b) If π δ x then π π and t1 t2 (4c) If π n˜ δ v then π m˜ δ v and δ ˜ v t1 δ δ n ˜ v t2 , and we may assume m˜ δ 0/ by α-conversion. δ m

By (nesting) of Table 3 (possibly repeatedly to handle the τ steps of the weak tranδ π sition) we then get δ t2 p2 δ t2 p2 , and (5a) If π π τ, then by 2), 4) and the (out) rule of Table 4 we get δ t1 p1 δ t2 p2 (5b) If π π δ x , then by 2), 4) and the (out) rule of Table 4 we get δ t1

p1 δ t2 p2 (5c) If π n˜ δ v and π m˜ δ v , then for δδ γn˜ 1 u1 δδ

δ p1 u1 and δ nγ˜ 2 δ p2 u2 . Since is substitutive it follows from 2) that δ δ . It then follows from 4c) that ˜ v δ t1 p1 ˜ v t1 ˜ v t2 ˜ v δ t2 p2 δδ n δ n δ m δδ m δπ By 3) we then get q q such that 6a+b) If π π τ δ x then π π and δ t2 p2 q . 6c) If π n˜ δ v and π m˜ δ v , then π m˜ δ v and δδ δδ m˜ v δ t2 p2 δδ m˜ v q . Finally, from (5) and (6) and we get: t q if π τ, t q if π δ x , and δδ ˜ v δ t1 p1 ˜ v q . if π δ v δδ δδ n δδ m as required. n˜ 2 γ

u2 , we let

δ

n˜ 1 γ

C

Proof of Theorem 1

Lemma 3. lations.

c and

c are respectively late and weak late context bisimu-

c is a weak late context bisimulation. The proof of Proof. We only show that c being a late context bisimulation is similar. It is enough to show that c is symmetric and hence is a weak context simulation because due to Proposition 6 so is c . Let p c q. Then for some k 0, p c k q. The rest of the proof is by induction in k. Base: k 0. Immediate because c is reflexive. Step: k 0. Let p p1 c p2 pk c pk 1 q

18

π

and suppose p Case: π

p.

n˜ k rk ϕ n˜ r ϕ. By induction, there exists pk pk such that for all

n˜ r p

c

ϕ

ϕ

n˜k rk pk

By repeated applications of Lemma 1 using the fact that

that

is transitive and

m˜ r ϕ

is reflexive we obtain the existence of some q

n˜k rk pk

ϕ

and hence for every

ϕ

c

and

q such that for all

ϕ

m˜ r q

ϕ

ϕ

n˜ u t

ϕ

c

m˜ u t

ϕ

because . Case: π τ or π ϕ x . Similar to the case above.

Proposition 8.

c

and

c

.

c because is monotone. Since is Proof. It is sufficient to prove that c is a late context bisimulation. the largest bisimulation it is enough to show that c . We refer the reader to Lemma 3. The proof is similar in case of

The actual proof of Theorem 1 goes as follows:

Proof. We only show that is a congruence, the proof of being a congruence is similar. Because is a congruence due to Proposition 6 it suffices to show that . From Proposition 6 we have . follows from Proposition 8 since c and c c .

19