The Complexity of Model Checking Mobile Ambients - Semantic Scholar

The Complexity of Model Checking Mobile Ambients – DRAFT VERSION – Witold Charatonik1;2

Silvano Dal Zilio3 Andrew D. Gordon3 Jean-Marc Talbot1

Abstract We settle the complexity bounds of the model-checking problem for the replication-free ambient calculus with public names against the ambient logic without parallel adjunct. We show that the problem is PSPACE-complete. For the complexity upper-bound, we devise a new representation of processes that remains of polynomial size during process execution; this allows us to keep the modelchecking procedure in polynomial space. Moreover, we prove PSPACE-hardness of the problem for several quite simple fragments of the calculus and the logic; this suggests that there are no interesting fragments with polynomial-time model-checking algorithms. 1 Introduction The ambient calculus [3, 2, 4] is a formalism for describing the mobility of both software and hardware. An ambient is a named cluster of running processes and nested sub-ambients. Each computation state has a spatial structure, the tree induced by the nesting of ambients. Mobility is abstractly represented by re-arrangement of this tree: an ambient may move inside or outside other ambients. The ambient logic [5] is a modal logic designed to specify properties of distributed and mobile computations programmed in the ambient calculus. As well as standard temporal modalities for describing the evolution of ambient processes, the logic includes novel spatial modalities for describing the tree structure of ambient processes. Serendipitously, these spatial modalities can also usefully describe the tree structure of semistructured databases [1]. Other work on the ambient logic includes a study of the process equivalence induced by the satisfaction relation [10] and a study of the logic extended with constructs for describing private names [6]. The model-checking problem is to decide whether a given object (in our case, an ambient process) satisfies (that is, is a model of) a given formula. Cardelli and Gordon [5] show decidability of the model-checking problem for a finite-state fragment of the ambient calculus against the fragment of the ambient logic without their parallel adjunct modality. This finite-state ambient calculus omits the constructs for unbounded replication and dynamic name generation of the full calculus. The parallel adjunct modality is omitted because it is defined as an infinite quantification over processes. Cardelli and Gordon give no complexity analysis for their algorithm. Still, given the various possible applications of the logic, it is of interest to analyse the complexity of model-checking mobile ambients. 1

Max-Planck-Institut für Informatik, Germany. University of Wrocław, Poland. 3 Microsoft Research, United Kingdom. 2

Supratik Mukhopadhyay1

In fact, a naive analysis of the algorithm of Cardelli and Gordon gives only a doubly exponential bound on its use of time and space. A more sophisticated analysis based on results in this paper shows that their algorithm works in single-exponential time on single-exponential space. In this paper we settle the complexity bounds of the modelchecking problem for the finite-state ambient calculus (that is, the full calculus apart from replication and name generation) against the logic without parallel adjunct. Our main result (embodied in Theorems 1 and 2) is that the problem is PSPACE-complete. Hence, this situates model-checking the ambient logic in the same complexity class as model-checking concurrent programs against CTL and CTL [9]. As we discuss in Section 2, there are two reasons that the algorithm in [5] uses exponential space. One of them is that a process may grow exponentially during its execution; the other is that there may be exponentially many processes reachable from a given one. In Section 3, we present a new model checking algorithm that avoids these problems as follows. We avoid the first problem by devising a new representation of processes using a form of closure. The main feature of this representation is that substitutions that occur when communications take place within an ambient are not applied directly, but are kept explicit. These explicit substitutions prevent the representation blowing up exponentially in the size of the original process. The idea of using closures comes from DAG representations used in unification for avoiding exponential blow-up. A sequential substitution that we use here can be seen as a DAG representation of the substitution. To avoid the second problem, we first devise a nondeterministic algorithm that does not have to store all the reachable processes, and then remove nondeterminism using Savitch’s theorem [11]. Hence we prove Theorem 1, that the model-checking problem is solvable in PSPACE. We show this upper bound to be tight in Section 4; Theorem 2 asserts that the model-checking problem is PSPACE-hard. Actually, we give PSPACE-hardness results for various fragments of the logic and of the calculus. For instance, by Theorem 3, even for a calculus of purely mobile ambients (that is, a calculus without communication or the capability to dissolve ambients) and the logic without quantifiers, the problem is PSPACE-hard. Moreover, by Theorem 4, for a calculus of purely communicative ambients (that is, a calculus without the capabilities to move or to dissolve ambients) and the logic without quantifiers, the problem is also PSPACE-hard. Often in the study of model checking fixing the model or the formula makes the problem easier. Here this is not the case. Even if we fix the process to be 0, the model-checking problem remains PSPACE-hard. Although we do not prove PSPACE-hardness for

! Q and sublocation P # Q: n[in m:P j Q℄ j m[R℄ ! m[n[P j Q℄ j R℄ m[n[out m:P j Q℄ j R℄ ! n[P j Q℄ j m[R℄ open n:P j n[Q℄ ! P j Q hM i j (n):P ! P fn M g Reduction P

fixed formulas, our result is not much weaker: Theorem 5 asserts that for any level of the polynomial-time hierarchy we can find a fixed formula such that the model-checking problem is hard for that level. A more complete presentation of the calculus and the logics, together with examples, as well as omitted proofs may be found in an extended version of this paper [7].

P !Q)P jR!QjR P ! Q ) n[P ℄ ! n[Q℄ P 0 P; P ! Q; Q Q0 ) P 0 ! Q0 P n[P 0 ℄ j P 00 ) P # P 0

2 Review of the Ambient Calculus and Logic We present a finite-state ambient calculus (that is, the full calculus [3] apart from replication and name generation) and the ambient logic without parallel adjunct. This is the same calculus and logic for which Cardelli and Gordon present a model-checking algorithm [5].

The following table describes the expressions and processes of our calculus.

h

Expressions and processes: expressions name can enter M can exit M can open M null path

P; Q; R ::= 0

P jQ M [P ℄ M:P (n):P hM i

processes inactivity composition ambient action input output

g

f

h

!

!

#

#

Structural congruence P

!

Q: Q

p[in q:out q ℄ j q [℄ p[(in q:out q )2 ℄ j q [℄ p[(in q:out q )4 ℄ j q [℄ n p[(in q:out q )2 ℄ j q [℄

#

ij

j

!

P , Q are -equivalent ) P QP )P Q P Q; Q R ) P R

(Struct Refl) (Struct Symm) (Struct Trans)

2.2 The Logic (for Public Names)

P P P P

(Struct Par) (Struct Amb) (Struct Action) (Struct Input)

Q)P jRQjR Q ) M [P ℄ M [Q℄ Q ) M:P M:Q Q ) (n):P (n):Q P jQQjP (P j Q) j R P j (Q j R) P j0P :P P (M:M 0 ):P M:M 0 :P

(Loc)

n Since (in q:out q )2 is a sequence of 2n copies of in q:out q , n the process p[(in q:out q )2 ℄ q [℄ reduces in 2n+1 steps to p[℄ q [℄ n+1 and therefore, in q:out q Pn (n+1)+2 p[℄ q [℄. This example points out two facts. First, using a simple representation of processes (such as the one proposed in [5]), it may be that the size of a process considered during model-checking grows exponentially bigger than the size of the initial process. Second, during the model-checking procedure, there may be an exponential number of reachable processes to consider. Therefore, a direct implementation of the algorithm proposed in [5] may use space exponential in the size of the input process. These remarks motivate the approach taken in this paper. First, we devise a new representation for ambient processes that remains of polynomial size with respect to to the input process. Second, we give a non-deterministic algorithm using only polynomial space in the combined size of the problem, which gives a deterministic version that itself uses only polynomial space.

g

!

j

ij

hin q:out qi j P0 !1 hin q:out qi j P1 !2 hin q:out qi j P2 !3 hin q:out qi j Pn !n+1

A name n is said to be bound in a process P if it occurs within an input prefix (n). A name is said to be free in a process P if there is an occurrence of n outside the scope of any input (n). We write bn (P ) and fn (P ) for respectively the set of bound names and the set of free names in P . We say two processes are -equivalent if they are identical apart from the choice of bound names. We write M n N and P n N for the outcomes of capture-avoiding substitutions of the expression N for the name n in the expression M and the process P , respectively. Q The semantics of the calculus is given by the relations P and P Q. The reduction relation, P Q, defines the evolution of processes over time. The structural congruence relation, P Q, is an auxiliary relation used in the definition of reduction. When we define the satisfaction relation of the modal logic in the next section, we use an auxiliary relation, the sublocation relation, P Q, that defines the spatial distribution of processes. We write and for the reflexive and transitive closure of and , respectively.

f

(Red Par) (Red Amb) (Red )

The following example shows that the size of reachable processes may be exponential, and that there may be a reduction path of exponential length. The algorithm given in [5] may use exponential space to check properties of this example. An innovation of this paper is a new polynomial-size representation of processes that allows us to solve the model-checking problem in polynomial space, in spite of this example. Consider the family of processes (Pn )n0 , recursively deq [℄) and Pn+1 = fined by the equations P0 = (y ):(p[y ℄ (xn+1 ):( xn+1 :xn+1 Pn ). Intuitively, the process Pn+1 reads the variable xn+1 , doubles it and sends the result to the process Pn . We have the following, where M 1 = M and M n+1 = M:M n .

2.1 The Ambient Calculus with Public Names

M; N ::= n in M out M open M M:M 0

(Red In) (Red Out) (Red Open) (Red I/O)

j

We describe the formulas and satisfaction relation of the logic. Logical formulas:

A; B ::= T :A A_B 0 [A℄ AjB 9x:A

(Struct Par Comm) (Struct Par Assoc) (Struct Zero Par) (Struct ) (Struct :)

2

a name n or a variable x formula true negation disjunction void ambient match composition match existential quantification

j

A ✧A A

sometime modality somewhere modality location adjunct

Annotated processes, substitutions, closures:

P~ ::= Q

i2I i

::= M [P~ ℄ M (o):P~ (x):P~ hM i ::= fx1 M1 g fxk Mk g hP~ ; i

We assume that names and variables belong to two disjoint vocabularies. We write x m for the outcome of substituting with the each free occurrence of the variable x in the formula name m. We say a formula is closed if and only if it has no free variables (though it may contain free names). Intuitively, we interpret closed formulas as follows. The for, and embed propositional logic. The formulas mulas T, 0, [ ℄, and are spatial modalities. A process satisfies 0 if it is structurally congruent to 0. A process satisfies n[ ℄ if it is structurally congruent to an ambient n[P ℄ where P satisfies . A if it is structurally congruent to a composiprocess satisfies A tion P Q, where P satisfies , and Q satisfies . The formula x: is an existential quantification over names. The formulas (sometime) and ✧ (somewhere) quantify over time and space, reif it has a temporal successor, spectively. A process satisfies that is, a process into which it evolves, that satisfies . A process satisfies ✧ if it has a spatial successor, that is, a sublocation, that satisfies . Finally, a process P satisfies the formula n if the ambient n[P ℄ satisfies . The satisfaction relation P = formalises this intuitive interpretation as follows.

Af

g

A

A

:A

A

9 A

A_B AjB jB

j

Satisfaction P

P P P P P P P P P P

A

A

A A

j= T j= :A j= A _ B j= 0 j= n[A℄ j= A j B j= 9x:A j= A j= ✧A j= An

A

B

A

A

A

A A

U

U

j A

U (P~ ; ) of a closure (P~ ; ): Q U ( i2I i ; ) = U (1 ; ) j : : : j U (n ; ) if I = f1; : : : ; ng 6= ?

The unfolding

:(P j= A) P j= A _ P j= B P 0 9P 0:P j= n[P 0 ℄ ^ P 0 j= A 9P 0; P 00 :P P 0 j P 00 ^ P 0 j= A ^ P 00 j= B 9m:P j= Afx mg 9P 0:P ! P 0 ^ P 0 j= A 9P 0:P # P 0 ^ P 0 j= A n[P ℄ j= A

A : 9 :A

A

0

U

0

otherwise

U (M [P~ ℄; ) = M[U (P~ ; )℄ U (8M (o):P~ ; ) = = N1 : :Nl ; o < l and Ni > < No+1 : :Nl :U (P~ ; ) if M being either a name or of the form

ap N 0 with ap 2 fin ; out ; open g > : undefined otherwise U ((x):P~ ; ) = (x):U (P~ ; ) U (hM i; ) = hMi We are actually only interested in a particular kind of closure, which we refer to as normal. Let a closure P~ ; be normal if (P~ ; ) is defined and if it meets some technical conditions about free and bound names. The next proposition says that our representation of ambient processes with normal closures preserves their basic properties. We write and ++ for the empty multiset and the multiset union operation, respectively.

We use (everytime modality), ❏ (everywhere modality) and x: (universal quantification) as abbreviations for ( ), (✧ ) and ( x: ), respectively.

8 A : :A

0

We denote by the empty sequence of substitutions and treat it as the identity substitution. For an annotated process P~ , we define free and bound names in the same way as for ambient processes and names ( ) as the set of all names occurring in . We define a partial mapping from closures to the set of ambient processes. Intuitively, it unfolds a closure to the process it represents by applying the substitution and cutting off the prefix defined by the offset. Roughly speaking, the expression (P~ ; ) is defined if the offsets within the annotated process do not exceed the length of the expression they are associated with. The unfolding (P~ ; ) is defined as follows.

A

j= A (for A closed): = = = = = = = = =

annotated process multiset of primes prime ambient action, with offset o input output sequential substitution, k closure

: :A

h

U

i

fg

3 A Model Checking Algorithm We show that the model checking problem can be decided in polynomial space by devising a new representation of processes (Section 3.1) that remains polynomial in the size of the initial process (Section 3.2). In Section 3.3 we present a new model checking algorithm based on this representation. Since the reduction relation is defined up to -equivalence, we may assume for the purposes of computing reachable processes that the free and bound names of every ambient process are distinct, and moreover that the bound names are pairwise distinct.

Proposition 1 (Structural Equivalences) normal closure. Then

Let

hQi2I i ; i be a

U (Qi2I i ; ) 0 iff I = ?. U (Qi2I i ; ) M [Q℄ iff 9M 0 ; Q~ : I is a singleton fig, ~ ) Q. i = M 0 [Q~ ℄, M 0 = M , U (Q; Q U ( i2I i ; Q ) P 0 j P 00 iff 9J; K : J [ K = I , J \ K = ?, P 0 U ( j2J j ; ), P 00 U (Qk2K k ; ). U (Qi2I i ; ) hM i iff 9M 0 : I is a singleton fig, i = hM 0 i and M 0 = M . U (Qi2I i ; ) (x):P iff 9P~ : I is a singleton fig, i = (x):P~ and U (P~ ; ) P .

3.1 A Polynomial-Space Representation We give in this section a new representation for ambient processes based on normal closures. (It is different from the normal form of processes introduced in [5].) We also present basic operations on closures and prove that closures indeed simulate the processes they represent. All proofs not in this section (in particular, proofs of Propositions 10–5) can be found in the appendix. 3

len (M; ) can be computed in polynomial space1 . We can compute the capability returned by fst (M; o; ) and the pair returned by split (M (o):P~ ; ), or whether they are undefined in polynomial space. P~ 0 ; 0 and P~ ; The following relations P~ ; P~ 0 ; on closures simulates the reduction and the sublocation relations on processes defined in Section 2.1.

Next, we present how the reduction and sublocation transitions Due to this particular representation and the fact that some part of the ambient process is contained in the sequential substitution, some auxiliary treatments are needed. One can see in the definition of that only expressions M in the annotated process are concerned by the sequential substitution. For the sublocation transition, it is important to extract the name represented by the expression M under the substitution . So, one of those treatments, nam (M; ), consists in recovering from an expression M the name it effectively represents within the substitution . The reduction transition for a closure P~ ; is more involved and requires some other auxiliary treatments. Those treatments are more specifically dedicated to the case where the substitution applied on the expression M leads to a sequence of capabilities in M 0 , out M 0 , open M 0 : we need first an algorithm to compute the length in terms of capabilities of an expression M with a substitution . To keep the algorithm polynomial space, we must simply be able to compute this length without applying explicitly on M ; this is the role of len (M; ). Now, from the definition of the reduction on ambient processes, one can see that the reduction consumes one capability: once the reduction is done, the involved capability disappears from the resulting process. This is slightly different for the representation we have proposed: a sequence of capabilities can be partially contained in a sequential substitution . This substitution remains fixed during the execution of capabilities and the offset attached to this sequence plays the role of a program counter. Therefore, to perform a reduction step one has to extract a substitution and an offset the first capability to execute; from a sequence of capabilities. This is computed by fst (M; o; ). Finally, the last subroutine split (M (o):P~ ; ) computes a pair from a prime M (o):P~ and a sequential substitution . The first component is the first capability to be executed in M (o):P~ ; . The second component is the remaining annotated process once this first capability has been executed.

!, # can be defined on closures.

U

h

hf

h

nam (n; fm M g ) = nam (n; ) = n

nam (M; ) nam (n; )

i

i

h

i #

split (; ) = (in m; P~ ) nam (M; ) = m nam (N; ) = n hfN [Q~ ++ fg℄; M [R~ ℄g; i ! hfM [fN [Q~ ++ P~ ℄g ++ R~ ℄g; i

(Trans Out)

split (; ) = (out m; P~ ) nam (M; ) = m nam (N; ) = n hfM [fN [Q~ ++ fg℄g ++ R~ ℄g; i ! hfN [Q~ ++ P~ ℄; M [R~ ℄g; i

(Trans Open)

split (; ) = (open m; Q~ ) nam (M; ) = m hfM [P~ ℄; g; i ! hP~ ++ Q~ ; i

(Trans I/O)

hf(x):P~ ; hM ig; i ! hP~ ; fx M gi (Trans Par)

hP~ ; i ! hP~ 0 ; 0 i hP~ ++ Q~ ; i ! hP~ 0 ++ Q~ ; 0 i

g i

(Trans Amb)

hP~ ; i ! hP~ 0 ; 0 i nam (M; ) = m hfM [P~ ℄g; i ! hfM [P~ 0 ℄g; 0 i

(Loc)

nam (M; ) = m ~ hQ ++ fM [P~ ℄g; i # hP~ ; i

if n = m otherwise

len (; ) = 0 len (M:N; ) = len (M; ) + len (N; ) len (M; ) = 1 if M 2 fin N; out N; open N g len (M; ) if n = m len (n; fm M g ) = len (n; ) otherwise len (n; ) = 1

The condition for (Loc) ensures simply that the expression

M together with is a name. For two normal closures hP ; i, hP 0 ; 0 i, deciding whether hP ; i # hP 0 ; 0i can be achieved in

polynomial space. There is no rule corresponding to (Red ) since we always keep closures in unique normal forms. The two rules (Trans Par) and (Trans Amb) reflect the stability under contexts expressed in the definition of the reduction on processes by the rules (Red Par) and (Red Amb). They can also be viewed as a nondeterministic algorithm that guesses a position (or, a redex) where one of the rules (Trans In), (Trans Out), (Trans Open) or (Trans I/O) may be applied. This redex can be guessed using only polynomial space in the size of P~ . Once this redex is guessed, then it is easy to see that testing whether a rule (Trans In), (Trans Out), (Trans Open) or (Trans I/O) has been applied can be done in polynomial space. Therefore, one can decide for two closures P~ ; and P~ 0 ; 0 whether P~ ; P~ 0 ; 0 using only polynomial ~ space in the size of P ; . The relations and are the reflexive, transitive closures of and defined on closures. respectively

if len (M; ) > o (M; o; ) fst (M:N; o; ) = fst fst (N; o len (M; ); ) otherwise fst ( ap N; 0; ) = ap ( nam (N; )) for ap in fin ; out ; open g fst (M; o; ) if n = m fst (n; o; fm M g ) = fst (n; o; ) otherwise

split (M (o):P~ ; ) = (fst (M; o; ); fM (o + 1):P~ g) (fst (M; o; ); P~ )

i ! h

Transitions and sublocations of closures: (Trans In)

The auxiliary functions nam , len , fst and split :

h

i

if len (M; ) > o + 1 otherwise

h

Notice that nam (M; ) is undefined if M is of the form , N:N 0 , in N , out N , or open N . Therefore, the expression nam (M; ) is either undefined or is evaluated to a name. Moreover, we can compute the name returned by nam (M; ), or

1

i

h ! ! #

h

i #

i!h

i

h

i

We are not interested here in time complexity; a naive algorithm for computing

len (M; ), as presented here, runs in exponential time in the worst case. However,

whether it is undefined, in linear time. The number returned by

it is quite easy to provide a version of this function that runs in polynomial time.

4

hP~ ; i is normal, then for any hP~ 0 ; i such that 0 ~ ~ hP ; i # hP ; i, the closure hP~ 0 ; i is normal. Proposition 2 If

The following proposition is a key fact in the proof that our model-checking algorithm and also the algorithm in [5] terminate in exponential time. It implies that the computation tree of a given process might be very deep and very narrow (as in our example in Section 2) or not so deep and wider; in any case the number of nodes in the tree remains exponentially bounded. A naive argument (without using closures) gives only a doubly exponential bound on the number of reachable processes: one can prove that the computation tree of a given process is at most exponentially deep (as our example in Section 2 shows, this bound is tight) and that the number of successors for every node is at most polynomial. 2 These two facts do not give, however, the exponential bound on the number of nodes in the tree, which is given by the following proposition.

The next proposition says that the representation of processes as closures preserves sublocations. Proposition 3 (Sublocation Equivalences) if P~ ; is normal then

For all P~ ; P~ 0 ; ; P 0 ,

h i if hP~ ; i # hP~ 0 ; i then U (P~ ; ) # U (P~ 0 ; ). if U (P~ ; ) # P 0 then there exists P~ 0 such that hP~ ; i # hP~ 0 ; i and U (P~ 0 ; ) P 0 . Proposition 4 If hP~ ; i is normal, then for any hP~ 0 ; i such that hP~ ; i ! hP~ 0 ; i, the closure hP~ 0 ; i is normal.

Proposition 7 Let P~ ; be a normal closure. Then there exist at P~ 0 ; 0 . most exponentially many P~ 0 ; 0 such that P~ ;

h

The next proposition is a counterpart of Proposition 3. It refers to time in the same way as Proposition 3 refers to space. Together with Propositions 1–4 it shows that normal closures indeed simulate the processes they represent. Proposition 5 (Reduction Equivalences) P 0 , if P~ ; is normal then

h

For all

i

P~ ; P~ 0 ; ; 0 ;

kh

ik

Then

The folding

i!

Che k (P~ ; ; T) = T Che k (P~ ; ; :A) = :Che k (P~ ; ; A) Che k (P~ ; ; A _ B) = Che k (P~ ; ; A) _ Che k (P~ ; ; B) Q T if I = ? Che k ( i2I i ; ; 0) = F otherwise Q Che k ( i2I ~i ; ; n[A℄) = Che k (Q; ; A) if I = fig; i = M [Q~ ℄; nam (M; ) = n

Proposition 6 Suppose that the closure P~ ; is normal and P~ ; P~ 0 ; 0 . Then all offsets used in P~ and P~ 0 can be represented on the same number of bits, polynomial in P~ ; . Moreover, with such a representation, P~ 0 ; 0 P~ ; .

h

i!h

h

i

jh

i

ij jh

jh ij

ij

FQ

Che k 8 (

< :

Proof A simple induction on the length of the substitution 0 proves that the offsets in P~ 0 are bounded by the value 0 0 P~ 0 ; 0 khP~ ; ik . By Lemma 1, they are also bounded by P~ ; khP~ ;ik and then all offsets used in P~ and P~ 0 are

kh kh

ik ik

bounded by this value,

6

Computing whether a process satisfies a closed formula:

hi

fg

if P is not of the form M 0 :P 0 for M 0 =

For any process P , the closure hF (P ); i is normal and U (F (P ); ) is structurally equivalent to P . Furthermore, F (P ) can be computed in linear time in the size of P . Let A be a closed formula. For a model-checking problem P j= A, we may assume without loss of generality that the free names of A are disjoint from the bound names of P . We denote by fn (P~ ; ) the set (fn (P~ ) [ names ( )) r dom ( ).

By a simple case analysis on the derivation of P~ ; In cases (Trans In), (Trans Out) and (Trans Open), the transition either does not change or decreases the representation’s size. In case (Trans I/O), the three nodes representing input, output and process composition ((); ; :) together with the representation of x and M are replaced with two nodes representing assignment and substitution composition ( ; ) together with the representation of x and M . Thus the tree decreases by one node.

h

F (P )

F (P ) of a process P :

F (0) = fg F (P j Q) = F (P ) ++ F (Q) F (M:P ) = fM (0):F (P )g F (M [P ℄) = fM [F (P )℄g F ((n):P ) = f(n):F (P )g F (hM i) = fhM ig

khP~ 0 ; 0 ik

Proof

i

The folding of an ambient process P is an annotated process defined as follows:

j j

hP~ 0 ; 0 i.

i! h

3.3 A New Algorithm

We show that closures indeed give a polynomial representation of processes. To do this, we have to bound the size of offsets that occur in closures. For a given object (a closure or a process) O, by O we mean the length of its string representation and by O the number of nodes in its tree representation. We assume that an offset is represented in a single node in the tree representation.

hP~ ; i ! hP~ 0 ; 0 i.

h

3.2 Size of the Representation

Lemma 1 Suppose that P~ ; .

i

Proof This is a direct consequence of Proposition 6 and the observation that there are only exponentially many strings of polynomial length.

if hP~ ; i ! hP~ 0 ; 0 i then U (P~ ; ) ! U (P~ 0 ; 0 ). if U (P~ ; ) ! P 0 then there exists P~ 0 ; 0 such that hP~ ; i ! hP~ 0 ; 0 i and U (P~ 0 ; 0 ) P 0 .

k k

i h

T

otherwise

A j B) = 9 I ^ J \ K = ?^Q Q[ K = Che k ( ; ; A) ^ Che k (

i2I i ; ; if J; K:J

F otherwise

k2K k ; ;

j 2J j

B)

Che k (P~ ; ; 9x:A) = let fm1 ; : : : ; mk g = fn (P~ ; ) [ fn (A) in let m0 2= fm1 ; : : :~; mk g [ bn (P~ ) [ dom () be fresh in T if Che k (P ; ; Afx mi g) for some i 2 0::k

which can be represented on khP~ ; ik

(blog(khP~ ; ik) + 1) bits.

With this representation of offsets, incrementing an offset does not increase the size of its string representation. Thus no transitions can increase the length of the string representations of closures.

F otherwise

2

5

Note that the process n[in

j j

n:P0 ℄ : : : n[in n:Pk ℄ has k2 successors.

Che k (P~ ; ; A) = W Che k (P~ ; ; A) _ hP~ ;i!hP~ 0 ;0 i Che k (P~ 0 ; 0 ; A) Che k (P~ ; ; ✧A) = W Che k (P~ ; ; A) _ hP~ ;i#hP~ 0 ;i Che k (P~ 0 ; ; ✧A) Che k (P~ ; ; An) = Che k (n[P~ ℄; ; A)

(QBF): we can assume without loss of generality that these Boolean formulas are in prenex and conjunctive normal form. The alternation depth of a formula is the number of alternations between existential and universal quantifiers in its prenex quantification. Those known results are: (1) deciding the validity problem for a closed quantified Boolean formula ' is PSPACE-complete; (2) deciding the validity problem for a closed quantified Boolean formula ' of alternation depth k whose outermost quantifier is is Pk complete [12], where P k denotes the k-th level of the polynomialP time hierarchy (in particular, P 0 = P and 1 = NP ) We will use the following formula as a running example of a valid closed QBF formula:

9

An expression Che k (P~ ; ; ) is said to be normal iff (1) the closure P~ ; is normal, (2) is a closed formula and (3) fn ( ) (bn (P~ ) dom ()) = . Hence, for the model-checking problem P = where is a closed formula, the expression Che k ( (P ); ; ) is normal and moreover we have:

h i [

?

A

A

A\ A

j A A

F

8v1 :9v2 :9v3 :(v1 _ v2 _ v3 ) ^ (v1 _ v2 _ v3 ) ^ v3

Proposition 8 The algorithm described above preserves the normality of Che k (P~ ; ; ).

4.1 The Full Calculus and Logic

Proposition 9 For all processes P and closed formulas have P = if and only if Che k ( (P ); ; ) = T.

We assume that the truth values tt and used in the definition of QBF satisfaction are distinct ambient calculus names. Recall an encoding of name equality in the ambient logic [5]:

A

j A

Proof

F

A

See Appendix A.1 for the proof.

A,

we

[T℄ = =

Theorem 1 Model-checking for the ambient calculus and logic of this paper is decidable in PSPACE.

j

Then 0 = m = n if and only if the names m and n are equal. We encode the and quantifiers over truth values as follows.

8 9 8x 2 f ; tt g:A = 8x:(x = _ x = tt ) ) A 9x 2 f ; tt g:A = 9x:(x = _ x = tt ) ^ A

Proof The detailed proof is given in Appendix A.2. Here we give only its sketch. Deciding Che k (P~ ; ; ) = T can be done by means of a non-deterministic algorithm which uses only polynomial-space in the size of P~ ; and . This holds in partic(P ); . ular for the closure Intuitively, this non-deterministic algorithm either (in the case of T; 0; n[ ℄; n) directly checks whether the respective conditions hold, or (in the case of ; ; x: ; ; ✧ ) simply guesses which of the disjuncts in the definition of Che k holds. The only more difficult case is that of negation; here we apply the Immerman’s theorem (NSPACE(n) = co-NSPACE(n)). Then, using the general statement of Savitch’s theorem (NPSPACE(n) PSPACE(n2 )), this non-deterministic algorithm can be turned into a deterministic one. Finally, the fact that (P ) is polynomial in the size of P and the statement of Proposition 9 complete the proof.

A

hF

A A

i

h

i

A

Encoding QBF formulas as ambient logic formulas:

[ v℄ = (v = tt ) [ v ℄ = (v = ) [ `1 _ _ `k ℄ = [ `1 ℄ _ _ [ `k ℄ [ C1 ^ ^ Ck ℄ = [ C1 ℄ ^ ^ [ Ck ℄ [ 8v:'℄ = 8v 2 f ; tt g:[ '℄ [ 9v:'℄ = 9v 2 f ; tt g:[ '℄

A_B A j B 9 A A A

F

The following lemma is proved in the appendix. Discussion. The algorithm above relies on two non-trivial results from computational complexity theory, namely the theorems by Savitch and Immerman. A direct implementation of the algorithm as it is could be quite impractical. It is possible to improve this by introducing to the logic dual constructs: conjunction, universal quantification, everytime and everywhere modalities, constructs dual to names, parallel composition etc. Then, every formula of the logic can be transformed to a positive normal form that does not contain negation at all — in this way we eliminate the use of Immerman’s theorem. It is then not difficult to modify the algorithm in such a way that the use of Savitch’s theorem is limited to the reachability subproblem (more precisely, to the problem of enumerating for a given closure P~ ; all closures P~ 0 ; 0 such that P~ ; P~ 0 ; 0 ). Due to the lack of space we do not present the details here.

h

i! h

i

h

i

h

Lemma 2 Consider a closed quantified boolean formula ' and its encoding [ '℄ in the ambient logic. The formula ' is valid if and only if the model-checking problem 0 = [ '℄ holds.

j

Theorem 2 Expression complexity of checking the full logic (including name quantification) is PSPACE-hard. Proof Straightforward from Lemma 2 since for the fixed ambient process 0 solving the model-checking problem 0 = ' is PSPACE-hard.

j

i

The theorem above holds for any fragment of the logic including boolean connectives, name quantification, and the location and location adjunct modalities, and for any fragment of the calculus including ambients. It might suggest that the complexity of the model-checking problem comes from the quantification in the logic. Below we show that it is not the case: the problem remains so complex even if we remove quantification from the logic and communication or mobility from the calculus. This suggests there is little chance of finding interesting fragments of the calculus and the logic that would admit a faster model-checking algorithm.

4 Complexity Lower Bounds Below we present lower bounds on the space complexity of model checking our process calculus against our modal logic, and also for two significant fragments. The results given here are based on known results about the complexity of decision problems for quantified Boolean formulas 6

able v1 ”. We have described above the mechanism for the instantiation of the Boolean variable v1 in the ambient process. It consists of first a non-deterministic step, then two deterministic steps. Whatever the first step is, those three steps lead to a situation where the ambient process is of the form R v20 [R0 ℄. It should be noticed that those two processes (one for each possibility of the first step) are the only processes of this form reachable from the initial process. Therefore, the statement “for all possible interpretations of the variable v1 ” can be translated as “for all processes of the form R v20 [R0 ℄ reachable from the initial process”. This rephrased statement can be expressed in the ambient logic as ((v20 [T℄ T) : : : ). A dual reasoning can be applied then for v2 , the following quantification of the formula '. In that case, the statement “there exists an interpretation for the variable v2 ” is translated into “there exists an ambient process of the form T v30 [T 0 ℄ reachable from the current process”. This current process is one of the two processes after the instantiation of the variable v2 , that is of the form S v30 [S 0 ℄. This statement can be expressed by means of the ambient logic by the formula ((v30 [T℄ T) : : : ). Finally, the quantification v3 is expressed by ((end [T℄ T) : : : ).

4.2 Mobile Ambients Without I/O, No Quantifiers Encoding QBF formulas as ambient processes and formulas:

[ v℄ = v[pos [0℄ j v00[0℄℄ j T [ v ℄ = v[neg [0℄ j v [0℄℄ j T [ `1 _ _ `k ℄ = [ `1 ℄ _ _ [ `k ℄ [ C1 ^ ^ C0 k ℄ = (end [℄;0[ C1 ℄ ^ ^ [ Ck ℄ ) [ 8v:'℄ = (v [in v:n[out v :out v:P ℄℄; ((n[T℄ j T) ) A)) where (n[P ℄; A) = [ '℄ [ 9v:'℄ = (v0 [in v:n[out v0 :out v:P ℄℄; ((n[T℄ j T) ^ A)) where (n[P ℄; A) = [ '℄ en (') = (v1 [pos [℄℄ j v1 [neg [℄℄ j j vn [pos [℄℄ j vn [neg [℄℄ j P; A) where (P; A) = [ '℄ and ' = Q1 v1 : : : : :Qn vn :C1 ^ ^ Ck where each Qi

j

j

j

9

For the formula ' given above as an example, one would obtain en (') = (P; ) where P is depicted in Figure 1(a). We explain this encoding with reference to the ambient process depicted in Figure 1(a). The ambients whose names range over vi describe an interpretation for the Boolean variables vi whereas the ambients named vi0 are the “material” to extend this interpretation. In the initial ambient, the ambients vi encode the empty interpretation and the material is in an ambient named v10 marking the fact that v1 is the first variable to treat. The first step of reduction will move the ambient v10 non-deterministically either inside v1 [pos [℄℄ (the Boolean variable v1 takes the value tt ) or inside v1 [neg [℄℄ (the Boolean variable v1 takes the value ). The next two steps of reduction are deterministic. They aim to leave a mark in one of the ambients v1 according to the first non-deterministic choice and to reach a situation in which the Boolean variable v2 is considered. For instance, if the first choice was to instantiate v1 with tt then, one would obtain a parallel composition of v1 [pos [℄ v10 [℄℄ and v1 [neg [℄℄. The ambients named v2 , v3 are kept unchanged and the ambient containing the rest of the interpretation would be of the form v20 [in v2 :v30 [Q℄℄ where Q is the internal of v30 in the initial process. This computation, consisting of one non-deterministic step followed by two deterministic ones, can be carried on for the variables v2 and v3 . Then, when no more reduction step is possible, the resulting process is a parallel composition of the empty ambient end [℄ and, for each i, of vi [n[℄ vi0 [℄℄ and vi [n0 [℄℄ where n; n0 are distinct elements from pos ; neg . For instance, the irreducible process given in Figure 1(b) represents the interpretation v1 tt ; v2 tt ; v3 . For the encoding of ', the resulting ambient formula will be of the form

A

7!

7!

A

Proof

j

^ j

^

j A

See Appendix B.2 for the proof.

Proof Straightforward from the PSPACE-completeness of the validity for QBF and from Lemma 3, taking into account that for en (') = (P; ), both P and are of polynomial size with respect to '.

A

A

4.3 Immobile Ambients With I/O, No Quantifiers We let for any ambient name vi0 ,

v 0 [T℄ j T Inst (vi0 ) = i

v 0 [v 00 [T℄ j T℄ j T Inst + (vi0 ) = i i

and for the name end ,

end [T℄ j T Inst (end ) =

end [end 0 [T℄ j T℄ j T Inst + (end ) =

Encoding QBF formulas as ambient processes and formulas:

[ v℄ = v[℄ [ v ℄ = v[℄ [ `1 _ : : : _ ` k ℄ = [ `1 ℄ j : : : j [ ` k ℄

A

en (C1 ^ : : : ^ Ck ) = (end [C [ [ C1 ℄ ℄ j : : : j C [ [ Ck ℄ ℄℄; ❏((C [T℄ j T) ) C [tt [0℄ j T℄ j T)) en (9v:') = (v 0 [htt i j h i j (v ):(v 00 [℄ j (v ):n[P ℄)℄; T j v 0 [( (Inst (n) ^ :Inst + (n)) ^ A )℄) where en (') = (n[P ℄; A) en (8v:') = (v 0 [htt i j h i j (v ):(v 00 [℄ j (v ):n[P ℄)℄; T j v 0 [( (Inst (n) ^ :Inst + (n)) ) A )℄) where en (') = (n[P ℄; A)

((v20 [T℄ j T) ) ((v30 [T℄ j T) ^ ((end [T℄ j T) ^ B))) where B = [ v1 _ v2 _ v3 ℄ ^ [ v1 _ v2 _ v3 ℄ ^ [ v3 ℄ .

We have said that the ambient processes encode interpretations. The Boolean formula itself is encoded in the ambient formula . Once no more reduction step is possible on the ambient process, this latter represents an interpretation whose domain is the set of all variables in ': this interpretation is given by the places where the marks vi0 have been put. It is easy with an ambient formula to test whether this interpretation renders true the quantifier-free part of '. This role is played by the ambient formula whereas the remaining part of aims to encode the quantifiers of '. Let us first consider the outermost quantifier v1 in ': this quantification stands for “for all possible interpretations of the vari-

A

A

Theorem 3 Combined complexity of model-checking mobile ambients without I/O against the quantifier-free logic is PSPACEhard.

g

7!

9

Lemma 3 Assume ' is a closed quantified Boolean formula, and that (P; ) = en ('). Then P = if and only if ' is valid.

j

f

)

j

2 f9; 8g.

j

j

B 8

For the formula ' used in our example, one would en (') = (P; A), where P is depicted in Figure 2(a).

have

The key idea of this encoding is to use (reductions of) communications for performing the instantiation of the quantifier-free part

7

v1 pos [℄

j

v1 neg [℄

v2 pos [℄

j

j

v2 neg [℄

j

v10

v3 pos [℄

v1

v3 neg [℄

j

v10 [℄

j

v1 neg [℄

j

v2 pos [℄ j v20 [℄

j

v2 neg [℄

j

v3 neg [℄ j v30 [℄

j

pos [℄

j

v20

v30 in v1 : out v 0 :out v :in v : 1 2 out v 0 :out v :in v :end [out v 0 :out v :0℄ 1 2 3 3 2 3

v3 pos [℄

j

j

end (a) The process P in en (') = (P;

0

A

)

7!

7!

7!

(b) The irreducible process for the interpretation v1 tt ; v2 tt ; v3

Figure 1: Encoding for mobile ambients without I/O, no quantifiers

v

0

1 v

0

2 v

0

3

end

end

C

C

tt

i j

h ijh

00

(v1 ):(v1 [℄ j (v1 )):

v

tt i j h i

h

tt

i

1 [℄ j v2 [℄ j v3 [℄

j

C

h ijh

00 [℄ j (v2 )): j (v2 ):(v2

tt [℄ j [℄ j [℄

C

00

j (v3 ):(v3 [℄ j (v3 )):

v

1 [℄ j v2 [℄ j v3 [℄

[℄ j tt [℄ j [℄

j

j

j

C

tt [℄

C v

(a) The process P in en (') = (P;

3 [℄

^ ^ 7! tt ; v2 7! tt ; v3 7!

(b) The process representing the instantiation of C1 C2 C3 by

A

v1

)

Figure 2: Encoding for immobile ambients with I/O, no quantifiers of ' with respect to some interpretation. Therefore, the quantifierfree formula C1 : : : Ck is encoded in the ambient process itself, inside an ambient named end . For instance, in Figure 2(a) for our example, the ambient end [C [v1 [℄ v2 [℄v3 [℄℄ C [v1 [℄ v2 [℄v3 [℄℄ C [v3 [℄℄℄ encodes the quantifier-free part of ': the ambient end contains a sub-ambient called C for each clause Ci in ' and the ambient corresponding to Ci contains an ambient `j [℄ for each literal `j from Ci . Starting from P described in Figure 2(a), let us inspect the behaviour of processes through reductions. Two reductions can be performed on P : one establishes a communication between tt and (v1 ) and the other one between and (v1 ). Once this reduction step is performed the name v1 has been replaced by either tt or uniformly at every position and in particular in the ambient named end . Hence, the first step of computation is nondeterministic and instantiates the literal v1 . It has also a side-effect: it reveals an ambient process v100 [℄ within the ambient v10 ; this process is a marker for the control of computations. Its precise role will be explained later on. The second step is deterministic: for each first step, only one second step is possible. This second step

aims to instantiate the literal v1 according to the instantiation of v1 . Indeed, if the first communication has consumed the output tt then for the second one only the output remains and viceversa. So, after the second step, the name v1 is globally replaced by a Boolean value. Moreover, at this point there are no more actions prefixing the ambient named v20 and so this ambient can be now reduced using the rules (Red Par) and (Red Amb). The next reduction steps are performed in a similar way: a non-deterministic step follows by a deterministic one. This leads finally to replacing in the ambient end all the names corresponding to literals by Boolean values tt and . As an example, in Figure 2(b), we have depicted the ambient end once the reductions corresponding to the interpre= v1 tt ; v2 tt ; v3 have been performed. tation Now, using an ambient formula it is not difficult to test whether the interpretation induced from the process in Figure 2(b) is a model for C1 C2 C3 : as C1 C2 C3 is in conjunctive normal form, is a model for it if and only if renders at least one literal true in every clause Ci . According to the way reductions are performed and correspond to instantiations, this is equivalent to the claim that in the process from Figure 2(b), every ambient named

^ ^

j

j

h i

j

h i

j

h i

h i

M

M

8

7!

^ ^

7!

7!

^ ^

M

C contains a sub-ambient tt [℄. This can be tested with the formula B = ❏((C [T℄ j T) ) C [tt [0℄ j T℄ j T) and exactly this formula comes out in the encoding en (C1 ^ C2 ^ C3 ). In the encoding en (') = (P; A), one part of A aims to

but only those obtained by strictly more than two steps reveal the marker v300 [℄ inside v30 and thus, satisfy v30 [v300 [T℄ T℄ T, that is Inst + (v30 ). Those computations from R of exactly two steps correspond to the complete treatment of the variable v2 and sat(Inst + (v30 )). So, model-checking carries on by isfy Inst (v30 ) checking that one of these two processes reachable from R in two steps and defined as the interior of v2 in which the literals v1 , v1 , v2 , v2 have been replaced by Boolean values, is a model for the remaining part of the encoding of the formula. Finally, the quantification v3 is encoded as

j

^:

test whether the interpretation corresponding to the reductions is is used to encode the quana model of '. The other part of tification of '. Let us illustrate on our example the ideas of this is encoding: for the formula ' from our example, the formula equal to

A

A

T j v10 [( (Inst (v20 ) ^ :Inst + (v20 )) ) (T j v20 [( (Inst (v30 ) ^ :Inst + (v30 )) ^ (T j v30 [(Inst (end ) ^ :Inst +(end )

9 T j v30 [( ((T j end [T℄) ^ :(T j end [end 0 [T℄ j T℄)) ^ :::)℄ and its treatment is similar to that of 9v2 . It leads to modelchecking the process named end given in Figure 2(b) against the formula B.

^ B)℄) )℄) )℄

B

where is the result of the encoding of the quantifier-free part of '. For the variable vi , the intuitive reading of Inst (vi0 ) is “the next variable to consider is vi ”, that is, the instantiation of the variable vi 1 has been completed. The reading of Inst + (vi0 ) is “the variable vi has been partially treated”, that is, the instantiation has been performed for the positive literal vi . For the ambient name end , Inst (end ) refers to the completion of the instantiation of the variable vn . The first quantification v1 stands for “for all possible interpretations of the variable v1 ” and the part of ' related with this quantification is

Lemma 4 Assume ' is a closed quantified Boolean formula, and that (P; ) = en ('). Then P = if and only if ' is valid.

A

Proof

A

This formula is model-checked against the process P given in 0 P , the model-checking problem is reFigure 2(a). As P duced to checking the interior of v10 against the sub-formula of the form 1 : all processes reachable from the interior of v10 must satisfy 1 . Let us have a look at the form of those reachable processes: the interior of v10 is itself reachable as well as the two processes corresponding to the instantiation of the literal v1 (reachable in one step). In those processes v1 has been replaced by a Boolean value but none of them satisfies v20 [T℄ T, that is, Inst (v20 ). Now, the processes reachable in two steps or more indeed satisfy the formula Inst (v20 ); but the ones reachable in exactly two steps can be distinguished from the others since these former are the only ones which do not satisfy v20 [v200 [T℄ T℄ T, that is, Inst + (v20 ). Indeed, steps beyond the second one reveal the marker v200 [℄ inside the ambient v20 . We have already mentioned the fact that the two steps of computation correspond exactly to the complete treatment of the variable v1 which is the intended meaning of Inst (v20 ) Inst + (v20 ). Therefore, model-checking continues by checking the two processes (the second step of computation being deterministic), defined as the interior of v10 in which the literals v1 and v1 have been replaced by Boolean values, against the formula

j

9 9

9 9

j

j

a [T℄ j T Inst (ai ) = i

^:

a [a [℄ j T℄ j T Inst + (ai ) = i i

The revised encoding:

en (8v:') = en (8v:'; 1) en (9v:') = en (9v:'; 1) en (8v:'; i) = (ai [htt i j h i j (v ):(ai [℄ j (v )):P; T j ai [( Inst (ai+1 ) ^ Inst + (ai+1 ) ) A )℄) where en 8 ('; i) = (P; A) en (9v:'; i) = (ai [htt i j h i j (v ):(ai [℄ j (v )):P; T j ai [( Inst (ai+1 ) ^ Inst + (ai+1 ) ^ A )℄) where en 9 ('; i) = (P; A)

^ :::)℄

9

from the encoding of the quantification v2 . It stands for “there exists an interpretation for v2 ”. The process that is checked against this formula is of the form v100 [℄ v20 [R℄. Therefore, it amounts to check whether the process R, which is the interior of v20 in which names v1 ; v1 have been replaced with Boolean values, is a model for the sub-formula of the form 2 . Equivalently, there must exist a process reachable from R which satisfies 2 . Let us inspect the processes reachable from R. Of course, R itself is reachable as well as the two processes reachable in one step of computation performing the instantiation for the literal v2 . None of these processes satisfies the formula v30 [T℄ T, that is, Inst (v30 ). Processes that are obtained with two steps or more from R do satisfy Inst (v30 )

j

A

A

We can strengthen this result by slightly modifying our encoding. Our previous encoding is based on an individual treatment for the variables in the quantification. The improved encoding will be based on the alternation of quantifiers: roughly, v2 v3 can be grouped together by saying that “there exists an interpretation for v2 and v3 ”. As far as the previous encoding is concerned, the ambient formula resulting from the encoding of v2 v3 will test for two successive reachabilities; this can be modified in such a way that only one test of reachability is performed. This will imply for the new encoding that the markers used to control the model-checking (namely, the ambients v 0 ) will no longer be associated with the variables but with the alternation of quantifiers. Those ambient names will range over ai where i is an integer. We define for those ai ’s:

A A

T j v20 [( (Inst (v30 ) ^ :Inst + (v30 ))

See Appendix B.3 for the proof.

Proof Straightforward from the PSPACE-completeness of the validity for QBF, from Lemma 4 taking into account that for en (') = (P; ), both P and are of polynomial size with respect to '.

) : : : )℄

j

j A

Theorem 4 Combined complexity of model-checking immobile ambients with I/O against the quantifier-free logic is PSPACE-hard.

8

T j v10 [( (Inst (v20 ) ^ :Inst + (v20 ))

j

en 8 (9v:'; i) = en (9v:'; i + 1) en 8 (8v:'; i) = (htt i j h i j (v ):(v ):P; A) where en 8 ('; i) = (P; A) en 9 (8v:') = en (8v:'; i + 1) en 9 (8v:'; i) = (htt i j h i j (v ):(v ):P; A) where en 9 ('; i) = (P; A)

A

j

9

en (C1 ^ : : : ^ Ck ; i) = (ai [C [ [ C1 ℄ ℄ j : : : j C [ [ Ck ℄ ℄℄; ❏((C [T℄ j T) ) C [tt [0℄ j T℄ j T)) [ `1 _ : : : _ `k ℄ = [ `1 ℄ j : : : j [ `k ℄ [ v℄ = v[℄ [ v ℄ = v[℄

[4] L. Cardelli and A.D. Gordon. Types for mobile ambients. In Proceedings POPL’99, pages 79–92. ACM, January 1999. [5] L. Cardelli and A.D. Gordon. Anytime, anywhere: Modal logics for mobile ambients. In Proceedings POPL’00, pages 365–377. ACM, January 2000. [6] L. Cardelli and A.D. Gordon. Logical properties of name restriction. Submitted for publication, 2000.

The statement of Lemma 4 still holds for this new encoding. Furthermore, in the encoding (P; ) of the Boolean formula ', the ambient logic formula depends only on the alternation depth and the outermost quantifier of '; for any two Boolean formulas '; '0 having the same alternation depth k and the same outermost quantifier Q, if en (') = (P; ) and en ('0 ) = (P 0 ; 0 ) then = 0.

A

A

A

A A

[7] W. Charatonik, S. Dal Zilio, Gordon A. D., S. Mukhopadhyay, and J.-M. Talbot. The complexity of model checking mobile ambients. Extended version, available at http://research.microsoft.com/ãdg/, 2000.

A

Theorem 5 For every integer k there exists a formula 9k such that the program complexity of model checking for 9k is P k -hard.

A

A

[8] N. Immerman. Nondeterministic space is closed under complementation. SIAM Journal on Computing, 17(5):935–938, October 1988.

Proof Let A9k be the formula such that for any closed quantified Boolean formula ' of alternation depth k whose outermost quantifier is 9, en (') = (P' ; A9k ). Due to the remark above, we know that this formula exists and furthermore, is of size polynomial in k.

[9] O. Kupferman, M. Y. Vardi, and P. Wolper. An automatatheoretic approach to branching-time model checking. Journal of ACM, 47(2):312–360, 2000. [10] D. Sangiorgi. Extensionality and intensionality of the ambient logics. In Proceedings POPL’01. ACM, January 2001. To appear.

Now, by Lemma 4, every instance of the validity problem for a closed quantified Boolean formula ' of alternation depth k whose outermost quantifier is can be reduced to the model-checking problem P' = 9k for en (') = (P' ; 9k ). Thus, since the size of P' is polynomial in the size of ', the theorem follows.

j A

9

A

[11] W.J. Savitch. Relationships between nondeterministic and deterministic tape complexities. Journal of Computer and System Sciences, 4(2):177–192, April 1970.

5 Conclusion [12] L. J. Stockmeyer. The Polynomial-time Hierarchy. Theoretical Computer Science, 3(1):1–22, October 1976.

We have shown in this paper that the model-checking problem of the replication-free ambient calculus with public names against the ambient logic without composition-adjunct is PSPACE-complete. We have proposed a new representation for processes that prevents exponential blow-up of the size. We used this representation together with a new non-deterministic algorithm to prove the PSPACE upper bound. We also have shown that there is little chance to find polynomial algorithms for interesting subproblems: model checking remains PSPACE-hard even for quite simple fragments of the calculus and the logic. Possible directions for future work include investigations of the model-checking problem for extensions of the logic and the calculus. Recently, Cardelli and Gordon [6] presented an extended version of the logic that allows reasoning about restricted names; it seems that there is no difficulty in extending our algorithm to deal with name restriction. References [1] L. Cardelli and G. Ghelli. A query language for semistructured data based on the ambient logic. Submitted for publication, 2000. [2] L. Cardelli and A. D. Gordon. Equational properties of mobile ambients. In Proceedings FoSSaCS’99, volume 1578 of Lecture Notes in Computer Science, pages 212–226. Springer, 1999. An extended version appears as Microsoft Research Technical Report MSR–TR–99–11, April 1999. [3] L. Cardelli and A.D. Gordon. Mobile ambients. In Proceedings FoSSaCS’98, volume 1378 of Lecture Notes in Computer Science, pages 140–155. Springer, 1998. Accepted for publication in Theoretical Computer Science.

10

A

Correctness and Complexity

In the proof of Proposition 1 we will have to show that some processes are equivalent if and only if some conditions hold. In particular, we will have to show that if these conditions do not hold, the processes are not equivalent. Although it is relatively easy to prove equivalence of processes, it is not so easy to prove their inequivalence (which requires showing that no equivalence proof exists). We use Theorem 6 and Propositions 11–13 below as tools for proving inequivalences needed in Proposition 1. Let us consider the signature used to build processes from the ambient calculus with public names. The signature contains an infinite number of constants used as names. It contains moreover 0 and as constant symbols, the capabilities in ; out ; open and as unary function symbol. Finally, the binary function symbols ; [℄; :; () belong to . Let us denote T the set of all terms over . Any ambient process from the ambient calculus with public names can be written as a term over this vocabulary. And of course, some terms from T are not ambient process, as for instance, 0 0 . The set T induces a canonical algebra that we denote : the algebra has for career the set T and each function symbols from is interpreted syntactically in . The relation defined in Section 2.1 over pairs of ambient proT . One cesses can be viewed as a relation defined over T should notice that the set of axioms defining is a set of definite Horn clauses, and thus, ( ; ) is a Herbrand model for this set of axioms. Moreover, as we consider the least relation satisfying these axioms, the structure ( ; ) is the least Herbrand model for this set of axioms. This implies that for two processes P; Q, one Q iff P Q belongs to the least Herbrand model of have P these axioms. Note that if is not assumed to be the least relation satisfying the axioms but for instance the greatest one, then one would have P Q whatever P; Q are. We recall that

A.1 Correctness

= or

A sequential substitution is said to be acyclic if either = x M 0 , x doesn’t occur in 0 and 0 is acyclic.

f

g

Definition 1 A closure

hP~ ; i is normal if:

U (P~ ; ) is defined, bn (P~ ) \ (fn (P~ ) [ names ()) = ?, every name n in P~ occurs at most one within an input, every offset o occuring in the scope of an input in P~ is equal

hi

j

to 0.

is acyclic.

h j i

T

The next proposition states the preservation of normality by decomposition with ambient or parallel composition.

hP~ ; i and hQ~ ; i are normal and fn (P~ ) \ bn (Q~ ) = bn (P~ ) \ fn (Q~ ) = bn (P~ ) \ bn (Q~ ) = ? iff hP~ ++ Q~ ; i is for all expressions M such that M doesn’t contain names from bn (P~ ), M [P~ ℄ ; is normal iff P~ ; is normal.

hf

g i

h

i

[

h

U

U

\

\

?

i

i

[

?

h

\

h

[

U

\

h \

[

\ \

i

\

U i

\

\

[

h

\

f

f

g

f

g \

g

i

g

[ f g \ \ f g ? \ ?

j S

That is, if there exists a structure

R such that R j= S and R j=

Let us consider now the algebra

A^ defined over ; the career

DA^ is the least set such that

the constants from except and 0 belong to DA^ ,

for any d1 ; : : : ; dn DA^ , the string d1 tiset d1 ; : : : ; dn belong to DA^ .

the empty string and the empty multiset belong to DA^ ,

2

for any d1 ; d2 DA^ , the items in d1 , out d1 , open d1 , (d1 )d2 and d1 [d2 ℄ belong to DA^ ,

f

g

2

hd1 i,

: : : dn and the mul-

The function symbols from are interpreted in as follows:

g

f f

R j= s t if (T ; ) j= s t

s 6 t, then (T ; ) j= s 6 t.

? ? h i h i ? 2f g \ ? ?h i h i \ ?

f

S

Theorem 6 Let be a set of definite Horn clauses defining a relation symbol . Then for all algebras A, for all structures R defined over A and giving an interpretation for such that R = ,

[

Uf

U

i

[

h

Proof For the first point: from right to left, it is straightforward ~ ) is defined then both from the definition of that if (P~ ++ Q; ~ ~ ~ (P ; ) and (Q; ) are so. As fn (P ++ Q~ ) = fn (P~ ) fn (Q~ ) ~ ) = bn (P~ ) bn (Q~ ), if bn (P~ ++ Q~ ) (fn (P~ ++ and bn (P~ ++ Q ~ Q) names ( )) = then bn (P~ ) (fn (P~ ) names ( )) = bn (Q~ ) (fn (Q~ ) names ( )) = . If for P~ ++ Q~ bound variables occur at most once within an input and offsets in the scope of ~ . The last condian input are equal to 0, then it is so for P~ and Q tion for normality on sequential substitution is obvious. The three ~; . other conditions follow directy from the normality of P~ ++ Q ~ From left to right, the definition of implies that if P ; and Q~ ; are defined then P~ ++ Q~ ; is defined. Now, fn (P~ ++ ~ Q) bn (P~ ++ Q~ ) = (fn (P~ ) fn (Q~ )) (bn (P~ ) bn (Q~ )). We ~ ) = bn (P~ ) fn (Q~ ) = by assumption and have fn (P~ ) bn (Q fn (P~ ) bn (P~ ) = fn (Q~ ) bn (Q~ ) = as P~ ; and Q~ ; are ~ ) bn (P~ ++ Q~ ) = . By normality of normal. So, fn (P~ ++ Q P~ ; and Q~ ; , names ( ) bn (R~ ) = for R~ P~ ; Q~ . So, names ( ) bn (P~ ++ Q~ ) = . P~ ; and Q~ ; being normal ~ ) = , every input variable and as by assumption bn (P~ ) bn (Q ~ . The last conditions occurs at most once within an input in P~ ++ Q on offsets in the scope of an input and on sequential substitution is obvious. For the second point: It is easy to see that ( M [P~ ℄ ; ) is defined iff (P~ ; ) is so. Note that the set of names occurring free in M is exactly the set fn ( M [0℄ ). Now, as bn ( M [P~ ℄ ) = bn (P~ ) and fn ( M [P~ ℄ ) = fn (P~ ) fn ( M [0℄ ), fn ( M [P~ ℄ ) bn ( M [P~ ℄ ) is empty iff fn (P~ ) bn (P~ ) is empty (taking into account the assumption that bn (P~ ) fn ( M [0℄ ) = ) and bn ( M [P~ ℄ ) names ( ) = bn (P~ ) names ( ) = . Finally, the last three statements are obvious to check.

U

T T

normal.

T

Proposition 10

T

g g\

the constants from except and 0 are interpreted syntactically.

and 0 are interpreted respectively as the empty string and as the empty multiset.

11

the function symbols preted syntactically.

in , out , open ,

hi, () and [℄ are inter-

for the function symbol :: d1 :d2 is the string obtained by concatenation of d1 and d2 if both d1 and d2 are strings. Otherwise, elements from d1 ; d2 that are not strings are transformed into a string of length one and then, the concatenation is performed.

f

Proof It is easy to check that all the statements above holds for R^ . Using Proposition 11 with Theorem 6, those statements holds for ambient processes and .

g

j

Proposition 13 For any sequential substitution , for any prime such that ; is normal, (; ) 0.

hf g i

j

for the function symbol : d1 d2 is the multiset obtained by union of d1 and d2 if both d1 and d2 are multisets. Otherwise, elements from d1 ; d2 that are not multisets are transformed into a singleton multiset and then, the union is performed.

f

Proof 11

^ is extended into a structure R^ in which is inThe algebra A terpreted as the binary relation over DA^ DA^ . The relation is defined recursively as follows: d d0 iff

$

$

d and d0 are both the empty string. d and d0 are both composed strings such that dh and d0h , the first two elements of d; d0 satisfy dh $ d0h and dt and d0t the two strings obtained by removing the first element in respectively d and d0 satisfy dt $ d0t . d and d0 are both the empty multiset. d0and d0 are both non-empty multiset and there exists de and de respectively in d and d0 such that de $ d0e and d r de $ d0 r d0e . d0and d0 are respectively of the form hd1 i and hd01 i and d1 $

d1 . d and d0 are respectively of the form ap d1 and ap d01 and d1 $ d01 where ap belongs to fin ; out ; open g. d and d0 are respectively of the form d1 [d2 ℄ and d01 [d02 ℄ and d1 $ d01 , d2 $ d02 . d and d0 are respectively of the form (d1 )d2 and (d01 )d02 and d1 $ d01 , d2 $ d02 .

Proposition 11 Proof

R^ is a model of the axioms for

By case inspection.

Proposition 12 For any process for any ap in ; out ; open ,

2f

g

U

6

U and Proposition Proof of Proposition 1 For the first point, if I = ? then P~ = fg; so, by definition for U , U (P~ ; ) 0. Now for the other direction, the closure hP~ ; i being normal, ifQI is not empty, then by Proposition 12 and the definition for U , U ( 2I ; ) 6 0. For the second point, for the direction from right to left: U (Qi2I i ; ) U (fi g; ) U (fM 0 [Q~ ℄g; ) since I is a ~ ℄. Now, by definition for U , singleton fig and i = M 0 [Q ~ )℄ M [U (Q; ~ )℄ since M 0 = U (Qi2I i ; Q) M 0 [U (Q; M . So, U ( i2I i ; ) M [Q℄. From left to right: let us not a singleton. For I = ?, according to assume that I is Q the first point, U ( i2I i ; ) 0 and thus, by Proposition 12, U (Qi2I i ; ) 6 M [Q℄ for any M; Q. Now, the closure hP~ ; i being normal, if I contains at least two elements then by definition of U , U (P~ ; ) R0 j R00 for some R; R0 6 0 by Propositions 13 and 12 . Thus, still by Proposition 12, U (P~ ; ) 6 M [Q℄ whatever M , Q are. So, I is a singleton. Now, if i = 6 M 0 [Q~ ℄ or 0 M ; M are two different sequences, once again from the definition of U and Proposition 12, U (P~ ; ) 6 M [Q℄. Finally, since ~ )℄, we have U (Q; ~ ) Q. U (Qi2I i ; ) = M [U (Q; For the third point, from right to left: we have P 0 j P 00 Q Q U ( j2J j ; ) j U ( k2K k ; ). By definition Q of U , since J; K are disjoint and J [ K =Q I , P 0 j P 00 U ( i2I i ; ). From left to right: by definition, U ( i2I i ; ) = U (1 ; ) j : : : j U (k ; ) where I is assumed to be f1; : : : ; kg and the i ’s are primes. Since U (Qi2I i ; ) = P 0 j P 00 , there must existQI; J two disjoint sets of indices such that I [ J = 1::k, P 0 U ( i2I i ; ) and P 00 Q U ( j2J j ; ). For the fourth from right to left: from the definition of Q point, 0 U , we have U (Q i2I i ; ) = U (i ; ) = hM i. So, using the hypothesis, U ( i2I i ; ) hM i. From left to right: similar to the second point. For the fifth from right to left: from the definition of U , Q point, ; ) = U (i ; ) = (x):U (P~ ; ). Using the we have U ( iQ i 2I hypothesis, U ( i2I i ; ) (x):P . From left to right: similar to the second point.

g

$

P , for any M , for any name x,

for any process Q, we have 0 6 M [P ℄, 0 6 (x):P , 0 6 hM i, 0 6 ap M:P and 0 6 P j Q if P 6 0. if P 6 0, then for any processes Q; P 0 such that Q 6 0, we have P j Q 6 M [P 0 ℄, P j Q 6 (x):P 0 , P j Q 6 hM i, P j Q 6 ap M:P 0 . for any processes Q; P 0 and for any M 0 , we have M [P ℄ 6 (x)0 :Q,0 M [P ℄ 60 hM 0 i, M [P ℄ 6 ap M 0 :P 0 and M [P ℄ 0 6 M [P ℄ if M; M are two different sequences or if P 6 P . for any M 0 , we have hM i 6 ap M 0 :P , hM i 6 (x):P and hM i 6 hM 0 i if M; M 0 are two different sequences. for any processes Q, for any name x; y , we have (x):P 6

ap M:Q and (x):P 6 (y ):Q if x; y are two different names or if P 6 Q.

Straightforward from the definition of

The function nam is corrrect is in the following sense: Proposition 14

nam (M; ) = n iff M = n.

Proof Straightforward by induction over the length of the sequential substitution .

Using Lemma 5 below, we show that sitive closure of the sublocation relation closures (Proposition 2).

# , the reflexive and tran# preserves normality of

hP~ ; i is normal, then for any hP~ 0 ; i 0 ~ ~ hP ; i # hP ; i, the closure hP~ 0 ; i is normal.

Q, for any M 0 and for any capability

ap 0 2 fin ; out ; open g, we have ap M:P 6 ap 0 M 0 :Q if either ap 6= ap 0 or M; M 0 are two different sequences or if Q 6 Q.

Lemma 5 If

for any processes

12

such that

~ ++ M [P~ 0 ℄ Proof From the definition of , we have P~ = Q ~ for some Q, M . Thus, by the first point of Proposition 10, the closure M [P~ 0 ℄ ; is normal. Now, the names from M occur freely in M [P~ 0 ℄ . So, M [P~ 0 ℄ ; being normal, none of the names from M is in bn ( M [P~ 0 ℄ ) and thus, in bn (P~ 0 ). Therefore, by the second point of Proposition 10, P~ 0 ; is normal.

#

hf f

g i g hf f

Proof of Proposition 2 tion using Lemma 5.

g

f

g

g i

h

The proof for

i

# simply goes by induc

We prove now that the sublocation relation defined on closures simulates the sublocation relation defined on processes. Proof of Proposition 3 on closures, we have P~ n such that nam (M; )

For the first point, by definition for

#

= Q~ ++ fM [P~ 0 ℄g for some Q~ , M , = n. Therefore, by definition of U , ~ ) j M[U (P~ 0 ; )℄. Note that hP~ ; i being U (P~ ; ) = U (Q; ~ ; i, hP~ 0 ; i are defined and thus, processes. Now, normal, both hQ for the two processes U (P~ ; ), U (P~ 0 ; ), there exists a process Q ~ )) and a name n (n = M by Proposition 14) such (namely U (Q; that U (P~ ; ) Q j n[U (P~ 0 ; )℄. So, U (P~ ; ) # U (P~ 0 ; ). For the second point, by definition of # on processes, U (P~ ; ) # P 0 iff there exists Q; n such that U (P~ ; Q ) Q j n[P 0 ℄. The ~ annotated process P being of the form k2K k , by Proposition 1, Q there exists I; J such that Q I [ J = K, I \ J = ? and U ( i2I i ; ) Q, U ( j 2J j ; ) n[P 0 ℄. From U (Qj2J j ; ) n[P 0 ℄, by Proposition 1, there exists M 0 ; P~ 0 such that J is a singleton fj g, j = M 0 [P~ 0 ℄, M 0 = n and U (P~ 0 ; ) P 0 . Since M 0 = n, by Proposition 14, Q nam (M 0 ; ) = n. Furthermore, P~ is equal to i2I i ++ 0 0 0 0 0 fM [P~ ℄g. So, hP~ ; i # hP~ ; i and U (P~ ; ) P . We prove here the correctness of the function Proposition 15 len (M; ) = l iff M Ni being either a name or of the form in ; out ; open .

f

g

Let us prove now the correctness of fst in Proposition 16. To achieve this we first show the statement of Lemma 6. Lemma 6 Let Then P~ x N

h f

hP~ ; fx N gi g; i is normal

U (P~ fx N g; ).

be a and

normal

closure.

U (P~ ; fx N g)

For the normality of hP~ fx N g; i: we can show that U (P~ fx N g; ) is defined by induction over the structure of proProof

cesses and primes. The only non-trivial case is for P~ = M (o):P~ 0 : in this case, P~ x N = M x N (o):P~ 0 x N . Since (P~ ; x N ) by assumption and (P~ 0 x N ; ) by induction hypothesis are defined and (M x N ) = M ( x N ), (P~ x N ; ) is defined. For the second statement, since P~ ; x N is normal, x and names from N are not bound in P~ , so bn (P~ x N ) = bn (P~ ) and fn (P~ x N ) contains fn (P~ ) and some possibly other names that do not belong to bn (P~ ). So, fn (P~ x N ) bn (P~ x N ) = . Moreover, as the bound names from P~ do not occur in x N and bn (P~ x N ) = bn (P~ ), bn (P~ x N ) names ( ) = . Since x isn’t bound in P~ , occurrences of bound variables in P~ are not affected by the substitution x N . The requirement on offsets is trivially preserved and finally, as x N is acyclic, is so. (P~ x N ; ) by inducWe show that (P~ ; x N ) tion over the structures of processes and primes taking into account that x in not a bound variable in P~ .

U f U f h f

len .

f

f

= N1 : : : : :Nl with

ap N 0 with ap 2

f

Proof The proof goes by induction on the length of the sequential substitution . For being the empty sequence : M = M = N1 : : : : :Nl . P By definition, len (N1 : : : : :Nl ; ) = li=1 len (Ni ; ). Since each Ni is either a name n or of the form in N 0 , out N 0 or open N 0 , we have len (Ni ; ) = 1. This is equivalent to len (N1 : : : : :Nl ; ) = l. For being the sequence x M 0 0 of length at least 1: let M = N10 : : : : :Nk0 . By induction over k:

f

N10 is the name x: in this case, M fx M 0 g = M 0 and len (M; fx M 0 g ) = len (M 0 ; ). By the induction hypothesis M 0 = N100 : : : : :Nl00 iff len (M 0 ; ) = l, hence M fx M 0 g = N100 : : : : :Nl00 iff len (M; fx M 0 g ) = l. k > 1 and the statement holds for all numbers < k: By the induction hypothesis, len (N10 : : : : :Nk0 1 ; fx M 0 g ) = = l0 iff N10 fx M 0 g: : : : :Nk0 1 fx M 0 g N100 : : : : :Nl000 and len (Nk ; fx M 0 g ) = l00 iff Nk0 fx M 0 g = Nl000 +1 : : : : :Nl000 +l00 . By deflen (N10 : : : : :Nk0 1 :Nk0 ; fx M 0 g ) = inition, len (N10 : : : : :Nk0 1 ; fx M 0 g ) + len (Nk0 ; fx M 0 g ). M fx M 0 g = N100 : : : : :Nl000 +l00 iff Hence, 0 0 00 len (M; fx M g ) = l + l .

-

g g gi

f

g

g

g \

f

f

g \

f

f

g

U

g

f

g f

g U f f g

f

f

g

? g

g

?

g U f

g

f

g

f

g

g

g

Proposition 16 Let N be of the form in n, out n or open n. Then ~ ) N:Q~ iff fst (M; o; ) = N . (M (o):Q;

U

k = 0: in this case, M = and M fx M 0 g = . So, l = 0 and by definition len (M; ) = 0. k = 1: in this case M = N10 and we have three cases - N10 is of the form ap N 0 for some ap 2 fin ; out ; open g: in this case, M fx M 0 g is of the form ap N 00 and by definition, len (M; fx M g) = 1. in this case, - N10 is a name different from x: M fx M 0 g = M and len (M; fx M 0 g ) = By the induction hypothesis M = len (M; . N100 : : : : :Nl00 iff len (M; ) = l, hence M fx M 0 g = N100 : : : : :Nl00 iff len (M; fx M 0 g ) = l.

Proof Let us assume that M = N1 : : : : Nl and that N = ap n where ap ranges over in ; out ; open . By induction over the offset o. Case where o = 0: we have fst (M; 0; ) = ap n. By induction over the length of the sequential substitution . - case where the length of is 0: = and fst (M; 0; ) = ap n. By the definition of fst , this is equivalent to fst (N1 ; 0; ) = ~ ) =

ap n and to N1 = ap n. Furthermore, as (M (0):Q; ~ ) N1 : : : : :Nl : (Q~ ), this is equivalent to (M (0):Q;

ap n:Q for some Q.

U

U

U

- case where is of the form x M 0 0 and the proposition holds for 0 : by definition of fst , fst (M; 0; ) = fst (N1 ; 0; ) =

ap n. Now, according to the value of N1 :

f

13

g

Case where m = x: we have ap n = fst (M 0 ; p; 0 ). By induction hypothesis, this is equivalent to ~ 0 ) ~ , (M 0 (p):Q; that for any Q

ap n:Q for some Q. In particular, this latter holds for Q~ = Ni+1 x M 0 : : : : :Nl x M 0 (0):P~ x M 0 and Q = P . Now, from the definition of and using that M 0 = Ni x M 0 , this is equivalent to that (Ni x M 0 : : : : :Nl x M0 0 (p):P~ 0 x M 0 ; 0 ) =

ap n:P for some P . Let N1 : : : : :Nk be Ni . Then, still by definition of unfold, it is equivalent to that Np0 +1 : : : : :Nk0 :Ni+1 : : : : :Nl : (P x M 0 ; 0 ) =

ap n:P . By Lemma 6, it is equivalent to that Np0 +1 : : : : :Nk0 :Ni+1 : : : : :Nl : (P; ) = ap n:P . Once again, by definition of , we have (Ni : : : : :Nl (p):P~ ; ) = ap n:P . Let p0 be len (N1 : : : : :Ni 1 ; ). From the definition of , (N1 : : : : Ni 1 (p0 ):Ni : : : : :Nl (p):P~ ; ) = ap n:P . By definition of , (N1 : : : : Ni 1 :Ni : : : : :Nl (p + p0 ):P~ ; ) = ap n:P . Finally, since p + p0 = o, this latter is equivalent to that (M (o):P~ ; ) = ap n:P for some P.

N1

is of the form ap L: so, nam (L; ) = n which is equivalent due to Proposition 14, to L = n. Fur~ ) = N1 : : : : :Nl : (Q; ~ ), thermore, as (M (0):Q; ~ ) = ap n:N2 : : : :Nl : (Q; ~ ). There(M (0):Q; ~ ) ap n:Q fore, this is equivalent to that (M (0):Q; for some Q. N1 is a name m: for each of the two cases in the definition of fst . Case where m = x: in this case, fst (N1 ; 0; ) = fst (m; 0; x M 0 0 ) = fst (M 0 ; 0; 0 ) = ap n. By induction, hypothesis, it is equivalent to that ~ 0 ) ~ , (M 0 (0):Q; for any Q

ap n:Q for some Q. In particular, we have for some P , ap n:P (M 0 (0):N2 x M 0 : : : : :Nl x M 0 (0):P~ x N 0 ; 0).

ap n:P This is equivalent to M 0 0 :N2 x M 0 0 : : : : :Nl x M 0 0 : (P~ x N 0 ; 0 ) and thus, using Lemma 6 to ap n:P m x M 0 0 :N2 : : : : :Nl : (P~ ; x N 0 0 ). And thus, by definition of , this is equivalent to that for some P , ap n:P (M (0):P~ ; ). Case where m = x: in this case, fst (M; 0; ) = fst (m; 0; 0 ) = ap n. By induction hypothesis, this is ~ 0 ) ap n:Q ~ , (m(0):Q; equivalent to that for any Q for some Q. This rest of the proof is similar to the previous case, using the fact that m 0 = m x M 0 0 since m = x.

U

U

U

f

U

g

f

f

g

g

U

U

f U

f g U f f g

U

f

g

Case where the proposition holds for any o0 < o: we have fst (M; o; ) = ap n. By induction over the length of the sequential substitution .

U

U

U f

U

U

U

U U

hQ

i

Proposition 17 Let i2I i ; be a normal Q closure, and let L be of the form in n, out n or open n. Then ( i2I i ; ) L:P iff L0 ; o; P~ ; P~ 0 : I is a singleton i , i = L0 (o):P~ 0 , split (i ; ) = (L; P~ ) and (P~ ; ) P .

U

U

UQ

U

fg

U U

so, nam (L; ) = n which is equivalent due to Proposition 14, to L = n. Furthermore, since len (Ni ; ) = 1, we have o = len (N1 : : : : :Ni 1 ; ) and thus, p = 0. Hence, ap n = fst (Ni : : : : :Nl ; 0; ). According to the base case, this is equivalent to that for any P~ , (Ni : : : : :Nl (0):P~ ; )

ap n:P for some P . Let M be N10 : : : : :Nk0 . Then by definition of , we have (M (o):P~ ; ) = No0 +1 : : : : :Nk0 : (P~ ; ). Now, as o = len (N1 : : : : :Ni 1 ; ), Ni : : : : :Nl = No0 +1 : : : : :Nk0 . Hence, (M (o):P~ ; ) = Ni : : : : :Nl : (P~ ; ). This is equivalent to (M (o):P~ ; ) = (Ni : : : : :Nl (0):P~ ; ) and so, to (M (o):P~ ; ) ap n:P for some P . Ni is a name m: in this case, we have len (Ni ; ) > p. Hence, by definition of fst , ap n = fst (M; o; ) = fst (Ni ; p; x M 0 0 ). For each of the two cases in the definition of fst :

U

g

U

U

in this case, P~ = L0 (o + 1):P~ 0 . , ( L0 (o +Q1):P~ 0 ; ) = So, by definition of 0 0 0 ~ Lo+2 : : : : :Ll : (P ; ) and thus, ( i2I i ; ) L0o+1 : ( L0 (o + 1):P~ 0 ; ) L:P for P ( L0 (o + 1):P~ 0 ; ) (P~ ; ).

len (L0 ; ) > o + 1:

Uf

Ni is of the form ap L:

U

f

g

We prove here that split is correct in the following sense:

g

U

g

f U g

U

g

g

U

U

- case where is of the form x M 0 0 and the proposition holds for 0 : since fst (M; o; ) is defined, o < len (M; ). Let i be the unique integer such that len (N1 : : : : :Ni 1 ; ) o and len (N1 : : : : :Ni ; ) > o and p be o len (N1 : : : : :Ni 1 ; ). Then we have then

ap n = fst (M; o; ) = fst (Ni : : : : :Nl ; p; ). Now, according to the value of Ni :

f

f

f

Proof From right to left: we have ( i2I i ; ) = (i ; ), i = L0 (o):P~ 0 , split (i ; ) = (L; P~ ). By Proposition 16, (i ; ) L:P for some P . Moreover, for L0 being of the form 0 L1 : : : : :L0l , (i ; ) = L0o+1 : : : : :L0l : (P~ ; ) and L0o+1 = L. Note that (i ; ) being defined, we have o < len (L0 ; ) = l. Now, by the definition of split , according to the values of o and len (L0 ; ):

U

U

f

g

U U

9

- case where the length of is 0: = and fst (M; 0; ) = ap n. Since len (N1 : : : : :No ; ) = o, ap n = fst (No+1 : : : : :Nl ; 0; ). Using the base case, this latter is equivalent to that for any P~ , (No+1 : : : : :Nl (0):P~ ; ) ap n:P fro some P . Now, by definition of , it is equivalent to ap n:P No+1 : : : : :Nl : (P~ ; ). Finally, as M = N1 : : : : :Nl , by definition of , it is equivalent to that ap n:P (M (o):P~ ; ) for some P .

f

U f U

6

6

U

U

g g

g

U g

f

g

U f

f

U

U

Uf

U

g

U Uf

g U

f

U

g

g

len (L0 ; ) = o + 1: in this case, P~ = P~ 0 . So, by definition of U , U (fL0 (o + 1):P~ 0 g; ) = L0l :U (P~ 0 ; ) = Q L0o+1 :U (P~ 0 ; ) = L:U (P~ 0 ; ). Thus, U ( i2I i ; ) L:P for P U (P~ 0 ; ) U (P~ ; ).

UQ

L:P . From left to right: let us assume that ( i2I i ; ) Using Proposition 12, the set I has to be a singleton and i has to be of the form L0 (o):P~ 0 . Now, by Proposition 16, we know that fst (L0 ; o; ) = L. Thus, it is sufficient to prove that P (P~ ; ) for split (i ; ) = (L; P~ ). From the definitions of and split and from Proposition Q 12, it is straightforward to see that P (P~ ; ) implies ( i2I i ; ) L:P .

U

U

U

U

6

Using Lemmas 7 and 8 below, we show that and transitive closure of the reduction relation mality of closures (Proposition 4).

g

14

U

6 U

! , the reflexive ! preserves nor-

hf g; i is normal and split (; ) = (N; S~) then

fn (P~ ) = fn (fhM i; (x):P~ g) [ fxg, bn (fhM i; (x):P~ g) \ fn (fhM i; (x):P~ g) = ?. Let us show that names from bn (P~ ) don’t occur in 0 = fx M g . As bn (P~ ) bn (fhM i; (x):P~ g), because of the hypothesis of normality, names from bn (P~ ) don’t occur in . Moreover, we know that x 62 bn (P~ ) and names occurring in M are free in fhM i; (x):P~ g and so, in P~ . It is straightfor-

Lemma 7 If S~; is normal.

h

i

since

Proof Since split (; ) = (N; S~), = M (o):S~0 for some expression M and some annotated process S~0 . Furthermore, ( ; ) being defined, (S~0 ; ) is defined. Now, according to the value of S~: if S~ = M (o + 1):S~0 then, from the definition of split , o + 1 < len (M; ). So, from the definition of , (S~0 ; ) ~ ) is defined. If S~ = S~0 being defined, (M (o +1):S~0 ; )= (S; ~ ) is defined. then (S; Let us first notice that bn ( ) = bn ( M (o + 1):S~0 ) = bn (S~0 ) and that fn ( ) = fn ( M (o + 1):S~0 ) fn (S~0 ). Therefore, since by normality bn ( ) (fn ( ) names ( )) = , we have bn (S~) (fn (S~) names ( ) = . The last three statements are obvious to check.

Ufg

U

U

U

U

fg f f g\

fg

?

\

[

ward that the property of the uniqueness of variable within an input and the fact that offsets are equal to 0 in the scope of an input are preserved. Finally, since M ; (x):P~ ; is normal, is acyclic and as x is bound, x doesn’t occur in ; so the last point holds for for P~ ; x M .

UU

f g g f g[ ?

hfh i

h f

h

hP~ ; i is normal, then for any hP~ 0 ; i such that hP~ ; i ! hP~ 0 ; i, the closure hP~ 0 ; i is normal, and moreover

fx M g, bn (P~ ) = bn (P~ 0) [ fxg [ fxg.

or for some x; M , 0 = and fn (P~ 0 ) = fn (P~ )

[f g [f g

Proof The proof goes by induction over the structure of the context under which the reduction takes place. If the context is empty, then the reduction applied corresponds to one of the rules (Trans In), (Trans Out), (Trans Open) and (Trans I/O). For (Trans In), (Trans Out) N [Q~ ++ ℄; M [R~ ℄ ; , and (Trans Open) respectively, M [ N [Q~ ++ ℄ ++ R~ ℄ ; and M [P~ ℄; ; are normal by assumption. Concerning the second claim of the lemma: obviously, 0 = , bn (P~ ) = bn (P~ 0 ). For the rules (Trans In) and (Trans Out), fn (P~ ) = fn (P~ 0 ) and for (Trans Open) fn (P~ 0 ) fn (P~ ) (the execution of open may let an ambient name disappeared). Now for the first claim, by using Proposition 10, ; is normal. Then, from Lemma 7 together with the transition rules on closures, P~ ; is normal (where split (; ) = (N; P~ ) and N being respectively in m, out m and open m). Finally, using fn (P~ ) the fact that bn ( ) = bn (P~ ) and that fn ( ) and by applying once more Proposition 10, the closures M [ N [Q~ ++ ℄ ++ R~ ℄ ; , N [Q~ ++ ℄; M [R~ ℄ ; ~ ; are normal. and P~ ++ Q

hf f

g

g i

fg g i

h

g i

h

hf f h

i

i fg g

g i

f

i

h

f

U

U

g i

fh i g [f g f g fh ig

g

g f

g

f

f

g

f

h

[f g

U

f

f

h ig r f g

f

i

i

[f g

h h

h

i

i

i

[

i

g

[f g h i h i i!h i h h U h

[f g h

i

2

i

U i

h

Proof of Proposition 4 ing Lemma 8.

h

[f g

h

i

i

i

U

h

i

i

h

i i

The proof simply goes by induction us-

Using Lemmas 9 and 10 below, we prove that the reduction relation defined on closures simulates the reduction relation defined on processes (Proposition 5).

g

g

h

i

[f g

g

fh i U

h

M ; (x):P~ ; is normal by assumpFor (Trans I/O), tion. Let us start with the second claim of the lemma. We have 0 = x M . Due to the assumption of normality, x occurs at most once within an input in P~ and bound and free names x and are disjoint in P~ . So, bn ( M ; (x):P~ ) = bn (P~ ) fn (P~ ) = fn ( M ; (x):P~ ) x . Now, for the first claim, let us first prove that (P~ ; x M ) is defined by induction over the structure of P~ : this is obvious for P~ being the empty multiset or the singleton M . For the induction step, this is also straightforward for P~ being a multiset of primes or a singleton (x):P~ 0 or M [P~ 0 ℄ . Now, for P~ = M (o):P~ 0 . By hypothesis, (M (o):P~ 0 ; ) is defined. So, o < len (M; ). Furthermore, len (M; ) len (M; x M ). Hence, (P~ ; x M ) = (M (o):P~ 0 ; x M ) is defined. Since every variable occurs at most once within an input in the annotated process of a norx ; Moreover, mal closure, bn (P~ ) = bn ( (x):P~ ; M )

hfh i

g

[

fg fg g i

hf

i!h

f

[f g

h

h

i

[

either 0 = , bn (P~ ) = bn (P~ 0 ) and fn (P~ 0 ) fn (P~ ),

hf hf

gi

Now, we investigate the case where the context of reduction is non-empty, that is the rule used for reduction is either (Trans Par) or (Trans Amb). We show in this case that the second claim of the lemma holds and then that normality is preserved. For (Trans Amb): we assume the closure M [P~ ℄; to be normal. For any S~, we have bn (M [S~℄) = bn (S~), fn (M [S~℄) = fn (S~) fn (M [0℄). Let us first consider the case where = 0 : by induction hypothesis bn (P~ ) = bn (P~ 0 ), fn (P~ 0 ) fn (P~ ). So, bn (M [P~ ℄) = bn (M [P~ 0 ℄) and fn (M [P~ 0 ℄) fn (M [P~ ℄). Now, for the case where 0 = x M : By induction hypothesis, bn (P~ ) = bn (P~ 0 ) x , fn (P~ 0 ) = fn (P~ ) x . So, bn (M [P~ ℄) = bn (M [P~ 0 ℄) x and fn (M [P~ 0 ℄) = fn (M [P~ ℄) x . Let us show now that M [P~ 0 ℄; 0 is normal: since M [P~ ℄; is normal, by Proposition 10, P~ ; is normal. Then, since P~ ; P~ 0 ; 0 , by induction hypothesis, P~ 0 ; 0 is normal. ~ So, as bn (P 0 ) bn (P~ ), by Proposition 10, M [P~ 0 ℄; 0 is normal. ~ ; to be For (Trans Par): we assume the closure P~ ++ Q 0 0 ~ ~ ~ ~ ~ normal. For any S; S , we have bn (S ++ S ) = bn (S ) bn (S~0 ) and fn (S~ ++ S~0 ) = fn (S~) fn (S~0 ). Let us first consider the case where = 0 : as by induction hypothesis bn (P~ ) = bn (P~ 0 ) ~ ) fn (P~ ++ Q~ ), we have bn (P~ ++ Q~ ) = and fn (P~ 0 ++ Q bn (P~ 0 ++ Q~ ) and fn (P~ ++ Q~ ) = fn (P~ 0 ++ Q~ ). Now, for the case where 0 = x M : as by induction hypothesis bn (P~ ) = bn (P~ 0 ) x and fn (P~ 0 ) = fn (P~ ) x , we have bn (P~ ++ Q~ ) = bn (P~ 0 ++ Q~ ) x and fn (P~ 0 ++ Q~ ) fn (P~ ++ Q~ ) x . ~ ; 0 is normal: P~ ++ Q~ ; 0 Let us show now that P~ ++ Q ~ ; are norbeing normal, by Proposition 10, both P~ ; and Q mal. Now, since P~ ; P~ 0 ; 0 , by induction hypothesis, P~ 0 ; 0 is normal. Let us now prove that Q~ ; 0 is normal: we ~ ; , x does know that x bn (P~ ); so, by normality of P~ ++ Q 0 ~ ~ ~ 0 ) is de~ not occur in Q, so (Q; ) (Q; ) and thus, (Q; fined. The other points are obviously implied by the normality of Q~ ; and Q~ 0 ; 0 . Finally, the fact that P~ ++ Q~ ; and Q~ ; 0 ~ ; 0 are normal together with Proposition 10 implies that P~ 0 ++ Q is normal.

Lemma 8 If

g i

g

Lemma 9 Let P~ ; x M be a normal closure such that all the offsets o occurring in P~ are set to 0. Then (P~ ; x M ) (P~ ; ) x M .

h

U 15

f

f

g

gi

U

f

g

occurrences of y may appear in this latter, due to the possible occurrences of y in M 0 . As x does not occur in M 0 , we can first replace (P~ ; 0 ) the occurrences of y with M 0 and then, replace the occurrences of x with an expression L; this expression L is the expression M in which the occurrences of y are replaced by M 0 . Hence,

Proof The proof goes by induction over the structures of processes and primes. Most of the cases simply uses the definition of and the application of a substitution. We detail here only the two cases that are not straightforward. For primes :

U

case where

U

= (y):P~ 0 :

U (P~ ; 0 )fx M0 g)fy M 0 g (U (P~ ; 0 )fy M 0 g)fx M0 fy M 0 gg

U ((y):P~ 0 ; )fx M g ((y):U (P~ 0 ; ))fx M g ((y)fx M g):(U (P~ 0 ; )fx M g) (y):(U (P~ 0 ; )fx M g) (y):(U (P~ 0 ; fx M g) U ((y):P~ 0 ; fx M g)

By

f gi gi \ f g

h f hf g f

case where

g

f

g

?

U (M 0 (o):P~ 0 ; )fx M g (M 0 :U (P~ 0 ; ))fx M g M 0 fx M g:U (P~ 0 ; )fx M g M 0 fx M g:U (P~ 0 ; fx M g) U (M 0 (o):P~ 0 ; fx M g) g

U

Lemma 10 Let P~ ; x M be a normal closure such that all the offsets o occurring in P~ are set to 0. Then (P~ ; x M ) (P~ ; ) x M .

U

f

U

g

f

U

f

g

f

U

g U

f f

f

g

U

U

g

g g

U (P~ ; fx M g0 fy M 0 g) U (P~ ; fx M g0 )fy M 0 g (U (P~ ; 0)fx M0 g)fy M 0 g

f

The first equivalence follows from Lemma 9 and the second one from the induction hypothesis. Now, the fact that P~ ; x M 0 y M 0 is normal implies that x = y and that x does not occur in M 0 . Let us consider now the process (P~ ; 0 ) x M 0 . As x = y , the occurrences of y in (P~ ; 0 ) are preserved in (P~ ; 0 ) x M 0 and some new

6

U

U

h f f

g f

g U

gi

6 f

and

equivalent so,

to to

The proof is similar for the rules (Trans Out) and (Trans Open). Now, for the first point and the rule (Trans I/O): by the definiM (x): (P~ ; ) tion of , we have ( M ; (x):P~ ; ) ~ and by Lemma 10, the closure M ; (x):P ; being normal, (P~ ; x M ) (P~ ; ) x M . (P~ ; x M ). Therefore, ( M ; (x):P~ ; ) Let us consider now the second case with the assumption that the context is empty, that is the reduction is made by (Red In), (Red Out), (Red Open) or (Red I/O). For the second point and the rule (Red In): let us assume ~ ) S 0 by the rule (Red In). Therefore, S 0 that (S; ~ ) m[n[Q P ℄ R℄ for some m; n; P; Q; R and (S; n[Q in m:P ℄ m[R℄. So, by Proposition 1 and Propo~ R~ such that S~ = sition 17, there exists N; M; L0 , P~ ; P~ 0 ; Q; ~ ) N [Q~ ++ L0 (o):P~ 0 ℄; M [R~ ℄ , N = n, M = m, (Q; 0 0 ~ ~ ~ ~ Q, (R; ) R, split (L (o):P ) = (in m; P ) and (P ; ) P . Using Proposition 14, we have nam (M; ) = m and nam (N; ) = n. So, by definition for (Red In),

Proof The proof goes by induction on the length of the sequential substitution . For being the empty substitution : (P~ ; x M ) ~ (P ; x M ) since corresponds to the identity. So, by Lemma 9, (P~ ; x M ) (P~ ; ) x M . For being of the form 0 y M 0 :

U

is

U (M [N [Q~ ++ P~ ℄ ++ R~ ℄; ) ~ ) j U (P~ ; )℄ j U (R; ~ )℄ M[N[U (Q; ~ ~ ~ m[n[U (Q; ) j U (P ; )℄ j U (R; )℄ The first equivalence follows from the definition of U and the second one from the conditions of the rule (Trans In) and from ~ ++ fg℄ ++ M [R~ ℄; ) ! Proposition 14. Therefore, U (N [Q U (M [N [Q~ ++ P~ ℄ ++ R~ ℄; ).

U

gi

latter

ond one is a consequence of the conditions of the rule (Trans In) and of Proposition 14. The third equivalence follows from the condition of the rule (Trans In) and from Proposition 17. On the other hand,

The first equivalence uses the definition of and the fact that by hypothesis, o is equal to 0; the second one is simply the application of the substitution x M . The third equivalence is due to the induction hypothesis. Finally, the last equivalence is a direct consequence of the definition of and of o = 0.

h f

this

U (fN [Q~ ++ fg℄; M [R~ ℄g; ) ~ ) j U (fg; )℄ j M[U (R; ~ )℄ N[U (Q; ~ ) j U (fg; )℄ j m[U (R; ~ )℄ n[U (Q; ~ ) j in m:U (P~ ; )℄ j m[U (R; ~ )℄ n[U (Q; The first equivalence follows from the definition of U . The sec-

= M 0 (o):P~ 0 :

f

9,

Proof of Proposition 5 The proof goes by induction over the structure of the context under which the reduction takes place. If the context is empty, then for the first point, the reduction applied corresponds to one of the rules (Trans In), (Trans Out), (Trans Open) and (Trans I/O). For the first point and the rule (Trans In):

The first and the last equivalences follow from the definition of ; the second one corresponds simply to the application of the substitution x M . For the third one, the closure P~ ; x M being normal, by Proposition 10, the closure ; x M is normal too. Therefore, as y is a bound variable and bn (P~ ) dom ( x M ) = , x and y are different. So, y x M = y . The fourth equivalence appeals to the induction hypothesis.

U

Lemma

U (P~ ; 0 fy M 0 g)fx M0 fy M 0 gg U (P~ ; )fx Mg.

U fh i

f

g U U fh i

U j j

! j

U

f

g h ij U hfh i g i f g g !U f g

j

g

U

U U

g

hS~; i ! hfM [fN [P~ ++ Q~ ℄g ++ R~ ℄g; i

g

16

and furthermore,

Proof of Proposition 8 By case inspection of the algorithm, we show that if Che k (P~ ; ; ) is normal in the left-hand side of equality then any expression Che k (P~ 0 ; 0 ; 0 ) occurring in the right-hand side is also normal.

A

U (M [N [Q~ ++ P~ ℄ ++ R~ ℄; ) ~ ) j U (P~ ; )℄ j U (R; ~ )℄ m[n[U (Q; 0 m[n[Q j P ℄ j R℄ S

The proof is similar for the rules (Red Out) and (Red Open). Now, for the first point and the rule (Red I/O): let us assume that ~ ) S 0 by the rule (Red I/O). Therefore, S 0 P x M (S; ~ ) and (S; (x):P M . So, by Proposition 1, there exists M 0 ; P~ such that S~ = M 0 ; (x):P~ , M 0 = M and ~ ~ (P ; ) P . therefore, S ; P~ ; x M 0 . Further0 ~ more, M ; (x):P ; being normal, by Proposition 17,

U U

U

!

j h i fh i g h i!h f

f

g

gi hfh i g i U (P~ ; fx M 0 g) U (P~ ; )fx M 0 g P fx M g

Now, we investigate the case where the context of reduction is non-empty: for the first point, the rule used for reduction is either (Trans Par) or (Trans Amb). P~ 0 ; 0 then For the rule (Trans Amb): if P~ ; 0 0 M [P~ ℄; M [P~ ℄; . In this case, (M [P~ ℄; ) = M [ (P~ ; )℄ and (M [P~ 0 ℄; 0 ) = M 0 [ (P~ 0 ; 0 )℄. By 8, either 0 = or 0 = x L . In this last case, x is bound in P~ and thus, by normality, x does not occur in M . So in both cases, M 0 = M . Moreover, by the rule (Red Amb), M [ (P~ ; )℄ (M [P~ 0 ℄; 0 ) M [ (P~ 0 ; 0 )℄. So, (M [P~ ℄; ) ~ For the rule (Trans Par): if P ; P~ 0 ; 0 then P~ ++ 0 0 ~ ~ ~ ~ ~ ) (P~ ; ) Q; P ++ Q; . In this case, (P ++ Q; 0 0 0 0 ~ ~ ~ ~ 0 ). By 8, ~ (Q; ) and (P ++ Q; ) (P ; ) (Q; either 0 = or 0 = x M . In this last case, x is bound ~ . SO, in both in P~ and thus, by normality does not occur in Q ~ 0 ) ~ ). Moreover, by the rule (Red (Q; cases, we have (Q; ~ ) ~ ). So, (P~ ++ Par), (P~ ; ) (Q; (P~ 0 ; 0 ) (Q; 0 ~ ~ ~ Q; ) (P ++ Q; ). For the second point, the rule used for reduction is either (Red Par) or (Red Amb). ~ ) S 0 by (Red For (Red Amb): let us assume that (S; 0 0 ~ n[P ℄. So, by PropoAmb). We have S = n[P ℄ and (S; ) sition 1, there exists N; such that S~ is a singleton , = N [P~ ℄, N = n and (P~ ; ) P . By hypothesis P P 0 , so (P~ ; ) P 0 . By induction hypothesis, there exists P~ 0 ; 0 such that P~ ; P~ 0 ; 0 and (P~ 0 ; 0 ) P 0 . Then by the rule (Trans Amb), N [P~ ℄ ; N [P~ 0 ℄ ; 0 ; so, S~; 0 0 0 ~ ~ N [P ℄ ; . Finally, ( N [P ℄ ; 0 ) N 0 [ (P~ 0 ; 0 )℄. By Lemma 8, either = 0 or 0 = x M with x a bound variable in P~ . By normality x doesn’t belong to N , so N 0 = N = n. Therefore, N 0 [ (P~ 0 ; 0 )℄ n[ (P~ 0 ; 0 )℄ n[P 0 ℄ S 0 . ~ ) S 0 by (Red Amb). For (Red Par): let us assume that (S; 0 0 ~ We have S = P Q and (S; ) P Q. So, by Proposition ~ such that S~ = P~ ++ Q~ , (P~ ; ) P and 1, there exists P~ ; Q ~ (Q; ) Q. By hypothesis, P P 0 , so (P~ ; ) P 0. By induction hypothesis, there exists P~ 0 ; 0 such that P~ ; P~ 0 ; 0 and (P~ 0 ; 0 ) P 0 . Then by the rule (Trans Par), P~ ++ Q~ ; P~ 0 ++ Q~ ; 0 ; so, S~; P~ 0 ++ Q~ ; 0 . Finally, 0 0 0 0 0 ~ ) ~ ). Now, by Lemma 8, (P~ ++ Q; (P~ ; ) (Q; either = 0 or 0 = x M with x a bound variable in ~ 0 ) ~ ). (Q; P~ . By normality x doesn’t occur in Q~ ; so, (Q; ~ 0 ) P 0 Q S 0 . Therefore, (P~ 0 ++ Q;

h

U

i ! h

U

f

i!h

f

U U jU !U

U !U

jU

U

U

hf

U

U U ! U j U ! U

h

U

i U i!h U

U

i

h

f

i!h jU g j

i

U

U

~℄ for the ambient match = n[ 0 ℄: in this case, P~ = n[Q ~ ; is norand = 0 . By Proposition 10 the closure Q mal. The remaining conditions are fulfilled since bn (P 0 ) = bn (P ), 0 = and for the closed formula 0 fn ( 0 ) fn ( ).

A

A

for the composition match to the previous case.

A

f g h i A A

A = A0 j A00 : this proof is similar

for the existential quantification x: : in this case, P~ 0 = P~ and = 0 and the fact that x mi is closed is straightforward. So, it is sufficient to show that whatever the ambient name mi is, fn ( x mi ) (bn (P~ ) dom ( )) = . By noticing that fn ( x mi ) is either mi and using the equal to fn ( x: ) or to fn ( x: ) normality for Che k (P~ ; ; x: ), this amounts to prove that mi = bn (P~ ) dom ( ). According to the value of mi :

-

[

9 A Af g Af g \ Af g 9 A [f g 9 A

[

mi 2 fn (P~ ; ) [ fn (A): let us assume that mi 2 fn (A). Then, mi 2 fn (9x:A). So, by normality of Che k (P~ ; ; 9x:A), mi 2= bn (P~ ) [ dom ( ). Let us assume now that mi 2 fn (P~ ; ): by definition, mi 2 = dom ( ). Now, by normality of hP~ ; i, since mi 2 fn (P~ ) or mi 2 names ( ), mi 2 = bn (P~ ).

for the sometime modality -

A:

case where Che k (P~ 0 ; 0 ; A0 ) = Che k (P~ ; ; A): obvious since fn (A) = fn (A). case where Che k (P~ 0 ; 0 ; A0 ) = Che k (P~ 0 ; 0 ; A) with hP~ ; i ! hP~ 0 ; 0 i: by Proposition 4, hP~ 0 ; 0 i is normal.

Now, according to Lemma 8: -

= 0 , bn (P~ ) = bn (P~ 0 ) and fn (A) = fn (A): in this case, the requirement is trivially satisfied.

-

i!

0 = fx M g , bn (P~ ) = bn (P~ 0 ) [ fxg: by pothesis, fn (A) \ (bn (P~ ) [ dom ( )) = ?. fn (A) \ (bn (P~ 0 ) [ dom ( 0 )) = ?.

hySo,

A

for the somewhere modality ✧ :

- case where Che k (P~ 0 ; 0 ; A0 ) = Che k (P~ ; ; A): obvious since fn (A) = fn (A). - case where Che k (P~ 0 ; 0 ; A0 ) = Che k (P~ 0 ; 0 ; A) with hP~ ; i # hP~ 0 ; 0 i: by Proposition 2, hP~ 0 ; 0 i is normal. The last condition holds since 0 = and fn (P~ 0 ) fn (P~ ). for the location adjunct modality An: from the hypothesis of normality for Che k (P~ ; ; An), since n 2 fn (A), n 2= bn (P~ ). Therefore, by Proposition 10, hn[P ℄; i is nor-

h

A

:_

A

- for mi = m0 : straightforward.

!

A

2

!

h

for the Boolean connectives ; : since in any case, P~ 0 = P~ and = 0 and 0 is a closed formula such that and fn ( 0 ) fn ( ), this is straightforward.

? 9 A

U

! h i!h i U hf g i ! hf g i Uf g U g i f g j

U

U

U

i

U ! !U h i!h i h U U j U jU g

i

U

i ! h U U

g

U

U

U

h

i

A

! i! h

A is a closed formula. Finally, by hypoth\ (bn (P~ ) [ dom ()) = ?, and bn (P~ ) = A) fn (An). So, fn (A) \ (bn (n[P~ ℄) [ ?

mal. Moreover, esis, fn ( n) bn (n[P~ ℄), fn ( dom ( )) = .

A

17

-

Lemma 11 ([5]) For any ambient process P and any ambient formula , let m1 ; : : : ; mk = fn (P ) fn ( ) and suppose m0 m1 ; : : : ; mk . Then P = x: iff P = x mi for some i in 0 : : : k.

62 f

A

f

g

g

[

j 9 A

A j Af

-

g

-

Lemma 12 For any normal closure hP~ ; i, U (P~ ; ) j= A if and only if Che k (P~ ; ; A) = T.

Proof The proof goes by induction on the structure of the ambient formula :

A

the base case = T is trivial. The other base case a consequence of Proposition 1.

A

for Boolean connectives ; , this is obvious from the induction hypothesis and the algorithm.

for the ambient match = n[ 0 ℄: by the algorithm, Q 0 Che k ( i21:::k i ; ; n[ ℄) = T iff there exists Q~ and M such that k = 1, 1 = M [Q~ ℄, nam (M; ) = n ~ ; 0 ) = T. Then, by Proposition 1, and Che k (Q; Q ~ )℄. By induction hypothe( i21:::k i ; ) n[ (Q; 0 ~ ~ ) = 0 . sis, Che k (Q; ; ) = T is equivalent Q to (Q; Therefore, this is equivalent to ( i21:::k i ; ) = n[ 0 ℄.

9 A f

[ 2 f

A

g[ Af g U j Af

-

g

[

g

mi 2 fm1 ; : : : ; mk g\ (fn (A) [ fn (U (P~ ; ))): by Lemma 11, we have U (P~ ; ) j= 9x:A. mi 2 fm1 ; : : : ; mk g and mi 2= (fn (A) [ fn (U (P~ ; ))): by Lemma 11, we have U (P~ ; ) j= 9x:A. mi 2= fm1 ; : : : ; mk g: it is obvious to see then that mi 2= fn (A) [ fn (U (P~ ; )). So, by Lemma 11, we have U (P~ ; ) j= 9x:A.

Af

U 2f

[

g

Af

A g

j 9 A f g U

U

A

U

j A

and

0 < n: in this case, by Proposition 5, there exists P~ 00 ; 00 such that hP~ ; i ! hP~ 00 ; 00 i !n 1 hP~ 0 ; 0 i. So, by induction hypothesis using that Che k (P~ 0 ; 0 ; A) = T, Che k (P~ 00 ; 00 ; A) = T . Since hP~ ; i ! hP~ 00 ; 00 i, by the algorithm we have Che k (P~ ; ; A) = T. Conversely, let us assume that Che k (P~ ; ; A) = T and let us show that there exists P 0 ; n such that U (P~ ; ) !n P 0 and P 0 j= A. The proof goes by induction on m the number of recursive calls of Che k (P~ 0 ; 0 ; A) = T. For m = 0: in this case, Che k (P~ ; ; A) = T due to the fact that Che k (P~ ; ; A) = T. Then by induction hypothesis on the structure of the formula, U (P~ ; ) j= A. So, we can choose P 0 = U (P~ ; ) and n = 0. For m > 0: in this case, Che k (P~ ; ; A) = T due to the fact that for some hP~ 0 ; 0 i such that hP~ ; i ! hP~ 0 ; 0 i, Che k (P~ 0 ; 0 ; A) = T. By the induction hypothesis, on the number of recursive calls, we have that there exists P 0 ; n such that U (P~ 0 ; 0 ) !n P 0 and P 0 j= A. By Proposition 5, we have U (P~ ; ) ! U (P~ 0 ; 0 ). So, U (P~ ; ) !n+1 P 0 and P 0 j= A.

A

for the Somewhere modality ✧ : the proof is similar to the previous case using Proposition 3 instead of Proposition 5.

A j A U

for the location adjunct modality n: by definition, (P~ ; ) = n iff n[ (P~ ; )℄ = . By assumption n does not belong to dom ( ). So, from the definition for , n[ (P~ ; )℄ = (n[P~ ℄; ). So, n[ (P~ ; )℄ = is equivalent to that (n[P~ ℄; ) = . Using the induction hypothesis, this latter is equivalent to Che k (n[P~ ℄; ; ) = T, and thus by the algorithm to Che k (P~ ; ; n) = T.

U

j A

U

Conversely, let us assume that (P~ ; ) = x: . From Lemma 11, this is equivalent to that for m1 ; : : : ; mk = fn ( (P~ ; )) fn ( ) and for any arbitrary m0 such that m0 = m1 ; : : : ; mk , there exists i such that (P~ ; ) = x mi . By induction hypothesis, this latter implies Che k (P~ ; ; x mi ) = T. Now according to the value of mi :

U

! U j A

For

for the existential quantification x: : let us assume that Che k (P~ ; ; x: ) = T. Let m1 ; : : : ; mk = fn (P~ ; ) fn ( ) and m0 , an ambient name such that m0 = m 1 ; : : : ; m k bn (P~ ) dom ( ). From the algorithm, this implies that there exists i such that Che k (P~ ; ; x mi ) = T. So, by the induction hypothesis, (P~ ; ) = x mi . Now, according to the value of mi :

9 A

j A

! U A For n = 0: in this case, hP~ ; i = hP~ 0 ; 0 i Che k (P~ ; ; A) = Che k (P~ ; ; A) = T. U

U j A U j A for the compositionQmatch A = 0 A0 j A00 00 : by the algorithm, Che k ( i21:::k i ; ; A j A) = T iff there exists I; J such that I [ J = 1 : : : k, Q I \ J =Q ?, Che k ( i2I i ; ; A0 ) = T and Che k ( j 2J j ; ; A00 ) By inducQ = T. tion hypothesis, Che k ( i2I i ; ; A0 ) = T and Q Che k ( j2J j ; ; A00 ) = T are equivalent to Q U ( i2I i ; ) j= A0 and U (Qj2J j ; ) j= A00 . Finally, by Proposition 1, it is equivalent to U (Q ; ) j= A0 j A00 .

!

U U

A

i21:::k i

A U j A

By Proposition 5, this latter implies that there exists P~ 0 ; 0 n such that (P~ ; ) (P~ 0 ; 0 ) and (P~ 0 ; 0 ) P0 0 0 ~ and thus, (P ; ) = . Therefore, by induction hypothesis, this implies Che k (P~ 0 ; 0 ; ) = T. Now, let us show by induction over n that (P~ ; ) n (P~ 0 ; 0 ) and (P~ 0 ; 0 ) = implies Che k (P~ ; ; ) = T.

A U A

U

for the Sometime modality : (P~ ; ) = is by definition equivalent to the fact that there exists P 0 ; n such that (P~ ; ) n P 0 and P 0 = .

U

A = 0 is

:^ A A

mi 2 fn (U (P~ ; )) [ fn (A): in this case mi 2 fn (P~ ; ) [ fn (A). So, by the algorithm, Che k (P~ ; ; 9x:A) = T. mi 2= fn (U (P~ ; )) [ fn (A) and mi 2 fn (P~ ; ) [ fn (A): once again, by the algorithm, Che k (P~ ; ; 9x:A) = T. mi 2= fn (P~ ; ) [ fn (A): so, mi = m0 . Since m0 can be chosen arbitrarily, one can assume moreover = bn (P~ ) [ dom ( ). So, by the algorithm, that mi 2 Che k (P~ ; ; 9x:A) = T.

U

U

U

j A

A

j

Proof of Proposition 9 The closure Lemma 12 implies Proposition 9.

g

18

j A

U

A

hF (P ); i being normal,

A = A1 n. The algorithm computes Che k (n[P~ ℄; ; A1 ). A = :A1 . The algorithm in this case is given by a direct

A.2 Complexity : PSPACE Upper Bound We first recall two classical theorems in the complexity theory.

application of Theorem 8. No additional space is needed.

Theorem 7 (Savitch [11]) If a language is recognized by some nondeterministic Turing machine in space S (n) log n, then it can be recognized by some deterministic Turing machine in space S (n)2 , that is

To estimate the space used by the algorithm we first recall that by Proposition 6 one-step transition of normal closures does not increase the size of the closure. Thus, the space S (k; P~ + ) used by the algorithm to compute Che k (P~ ; ; ) for formulas of depth not exceeding k is bounded by the inequality

NSPACE(S (n)) PSPACE(S (n)2 ):

A

Theorem 8 (Immerman [8]) If a language is recognized by some nondeterministic Turing machine in space S (n) log n, then its complement can be recognized by some nondeterministic Turing machine in space S (n), that is

for some constant and some polynomial p (the constant comes = 1 n the size of n[P~ ℄ is from the fact that in the case of greater than the size of P~ ; the polynomial p estimates the additional memory). Therefore, S (k; P~ + ) k p( P~ + k + ). This yields a nondeterministic polynomial space algorithm. To eliminate the nondeterminism, we appeal to Theorem 7.

A

A

A

A

A

A = A1 _ A2 .

The algorithm guesses which of the two disjuncts is satisfied. No additional space is needed.

A = n[A1 ℄. The check whether P~ consists of only one prime does not require additional space. We need only the additional (polynomial) memory to compute nam (M; ).

A = A 1 j A2 .

The algorithm guesses the sets I and J , checks that they are complementary (linear space) and then Q first computes Che k Q ( i2I i ; ; 1 ) and second (using the same space) Che k ( j 2J j ; ; 2 ). The only additional space is needed for storing the sets I and J .

A A

A = 9x:A1 . The algorithm guesses a name m in fn (P~ ; ) [ fn (A) [ fm0 g where m0 2= fn (P~ ; ) [ fn (A) [ bn (P~ ) [ dom ( ) and computes Che k (P~ ; ; Afx mg). It requires only the additional (linear) space for storing the set of names.

A = A1 . The algorithm guesses one of the two cases: U (P~ ; ) j= A1 or U (P~ 0 ; 0 ) j= A for some successor hP~ 0 ; 0 i of hP~ ; i. In the first case, no additional space is needed. In the second case, the algorithm guesses P~ 0 and 0 and checks if it is indeed a successor (of course, this can be done in polynomial space needed for splitting actions, resolving names etc.). Once this has been verified, the algorithm can ) discard P~ ; and continues computing Che k (P~ 0 ; 0 ; using the same space. Thus, at each step here, the algorithm needs the additional memory only for keeping at most two closures P~ ; and P~ 0 ; 0 and for testing whether one of them is a successor of the other.

h

i

h

A

i

h

jj

A

A

A

j j jj j j

Proof of Theorem 1 We first design a nondeterministic algorithm working in polynomial space that decides whether Che k (P~ ; ; ) = T. Then we obtain the final algorithm by an application of Savitch’s theorem. The nondeterministic algorithm is defined by induction on the structure of the formula . The base case for being one of T or 0 is obvious; the algorithm uses only the space needed to store P~ , and . Now suppose that a nondeterministic algorithm computing Che k (P~ ; ; ) is given for all P~ , and being an expression of depth k. In the following, we define the algorithm for of depth k + 1, depending on the form of . By the additional space used by the algorithm we mean the space that is used in addition to the space used by recursive calls to the algorithm applied to formulas with a depth not exceeding k.

A

A

S (k + 1; jP~ j + j j) S (k; jP~ j + + j j) + p(jP~ j + j j)

NSPACE(S (n)) = o NSPACE(S (n)):

A

j j jj

i

A = ✧A1 . This case is analogous to the previous one. 19

B

1, we consider M to be v1 7! Proof For m < n t1 ; : : : ; vm 7! tm and we have 'm = Qm+1 vm+1 : : : Qn vn . Whatever Qm+1 is, by definition of en , 0 [in vm+1 :vm+2 [out v 0 :out vm+1 :R'm+1 ℄℄ P 'm = vm +1 m+1 ' 0 ' m +1 m +1 for P = vm+1 [R ℄. Now from, the process PM =

Hardness Proofs

B.1 Full Logic Proof of Lemma 2 Let us denote C1 : : : Ck by . We consider a closed QBF formula Q1 v1 : : : Qn vn . We are going to show that for any 0 m n, denoting '0 the formula Qm+1 vm+1 : : : Qn vn ,

^

^

V1t1 j : : : j Vmtm j Vm+2 j : : : Vn j vm+1 [pos [℄℄ j vm+1 [neg [℄℄ j 0 +1 [in vm+1 :vm 0 +2 [out vm 0 +1 :out vm+1 :R'm+1 ℄℄ vm

v1 7! t1 ; : : : ; vm 7! tm j= '0 iff 0 j= [ '0 ℄ fv1 t1 ; : : : ; vm tm g

only two reduction steps are possible leading to pos PM

Note that this statement obviously implies Lemma 2. The proof of this statement goes by induction on the number l of variables that are quantified in '0 . t1 ; : : : ; v n tn = iff For the base case l = 0: v1 for each Ci , there exists `j in Ci such that tj = tt iff lj = vj and tj = iff `j = vj . This is equivalent to saying that for each Ci , there exists `j in Ci such that 0 = [ lj ℄ v1 t1 ; : : : ; vn tn , which is equivalent to 0 = v1 t1 ; : : : ; vn tn . n: let us denote the For the induction step 0 < l t1 ; : : : ; v n l tn l , the correspondinterpretation v1 ing substitution v1 t1 ; : : : ; vn l tn l and '0 the formula Qn l+2 vn l+2 : : : Qn vn . Assuming that the statement holds for l 1, let us consider = Qn l+1 vn l+1 '0 . By case distinction over Qn l+1 : ; vn l+1 Case where Qn l+1 = : in this case, either tt = '0 or ; vn l+1 = '0 . By induction hypothesis, this is equivalent to that either 0 = [ '0 ℄ vn l+1 tt or 0 = [ '0 ℄ vn 0l+1 . This latter is equivalent to 0 = vn l+1 tt ; :[ ' ℄ which is equivalent by definition of the encoding to 0 = [ Qn l+1 vn l+1 '0 ℄ . Case where Qn l+1 = : this case is symmetric to the previous one.

7!

j

f

7!

j

f

f

7!

7!

j

or to neg PM

g

g

t1 : : j V tm j V m+2 j : : : Vn j vm+1 [pos [℄℄ j m vVm1 +1j [:neg [℄ j vm0 +1 [vm0 +2 [out vm0 +1 :out vm+1 :R'm+1 ℄℄℄ t1 : : j Vmtm j Vm+2 j : : : Vn j vm+1 [neg [℄℄ j Vvm1 +1j [:pos [℄ j vm0 +1 [vm0 +2 [out vm0 +1 :out vm+1 :R'm+1 ℄℄℄

' Now, we have from each of Pposn istic reduction steps:

M

g

pos PM

Mj

j

f

M

7!

f g

j

9

j

g

M

j

f

j 9

g

8

t1 : : j V tm j V m+2 j : : : Vn j vm+1 [neg [℄℄ j m ! Vvm1 +1j [:pos [℄ j vm0 +1 [℄ j vm0 +2 [out vm+1 :R'm+1 ℄℄ t1 : : j V tm j V m+2 j : : : Vn j vm+1 [neg [℄℄ j m ! vVm1 +1j [:pos [℄ j vm0 +1 [℄℄ j vm0 +2 [R'm+1 ℄ PM;vm+1 7!tt

7! j 2

and neg PM

t1 : : j V tm j V m+2 j : : : Vn j vm+1 [pos [℄℄ j m ! vVm1 +1j [:neg [℄ j vm0 +1 [℄ j vm0 +2 [out vm+1 :R'm+1 ℄℄ t1 : : j V tm j V m+2 j : : : Vn j vm+1 [pos [℄℄ j m ! vVm1 +1j [:neg [℄ j vm0 +1 [℄℄ j vm0 +2 [R'm+1 ℄ PM;vm+1 7!

B.2 Mobile Ambients Without I/O, No Quantifiers

^

^

Proof of Lemma 3 We denote C1 : : : Ck by and we consider the closed QBF formula Q1 v1 : : : Qn vn . For all 0 i n, let

The proof goes in a similar way for the case where m = n

equal to Qm+1 vm+1 : : : Qn vn ,

V1t1 j : : : j Vmtm j Vm+1 j : : : j Vn j P j= A

iff

where en ('0 ) = (P; ). Let us first prove some auxiliary lemmas. For all 0 m n, we denote by 'm the formula Qm+1 vm+1 : : : Qn vn and for equal to v1 t1 ; : : : ; v m tm , by PM the ambient process V1t1 : : : Vmtm Vm+1 : : : Vn P 'm where en ('m ) = (P 'm ; 'm ). It should be noticed that due to the definition of en , for all 0 m < n, P 'm = vm0 +1 [T℄ and P 'n = end [T℄.

A

j

A

j

7!

j

j

j

7!

M

j

!

M

j

6

where v is a primed ambient name different from vm+2 . Now, still from the proof of Lemma 13, we know that any reachable process 0 of or a “interfrom PM is either PM0 for some extension mediate” process reachable from PM0 in one or two steps. It is easy to see that none of this “intermediate” processes satisfies an ambient formula v 0 [T℄ T whatever the primed name v 0 is. Finally, as 0 is different from 0 , PM0 will satisfy a formula v 0 [T℄ T for 0 +2 , but not the formula vm 0 +2 [T℄ T. some v 0 = vm The proof goes in a similar way for the case where m = n 1.

j

M

m < n, PM !3 PM;vm+1 7!tt ,

Lemma 13 For all 0 PM 3 PM;vm+1 7! and there doesn’t exist P 0 such that P 0 PM;vm+1 7!tt , P 0 PM;vm+1 7! and PM 3 P 0 .

!

1.

Lemma 14 For all 0 m < n, M being the interpretation v1 7! t1 ; : : : ; vm 7! tm , we have for 0 m < n 1, PM;vm+1 7!tt and PM;vm+1 7! are the two unique processes reachable from PM that satisfy the 0 +2 [T℄ j T. ambient formula vm for m = n 1, PM;vm+1 7!tt and PM;vm+1 7! are the two unique processes reachable from PM that satisfy the ambient formula end [T℄ j T. Proof For 0 m < n 1, we know from the proof of Lemma 13 that both PM;vm+1 7!tt and PM;vm+1 7! satisfy the ambient 0 [T℄ j T and does not satisfy formulas v 0 [T℄ j T formula vm 0 +2 0

8 > < Vi =vi [pos [℄℄ j vi [neg [℄℄ V tt = v [pos [℄ j v 0 [℄℄ j v [neg [℄℄ > : Vi = vii [pos [℄℄ j vii [neg [℄i j vi0 [℄℄ i We are going to show for any 0 m n that for the interpretation M equal to v1 7! t1 ; : : : ; vm 7! tm and for the formula '0

M j= '0

'n 1 1 and Pneg two determin-

6

6

j

M

M

j

j

20

en ('0 ) = (P; A) if m = 0 or m = n, P = vm00 1 [℄ j P 0 and en ('0 ) = (P 0 ; A) if 0 < m < n.

Now, we can show the main statement by induction on l the number of quantification in '0 . For the base case l = 0: '0 = C1 : : : Ck is a closed QBF formula and = v1 t1 ; : : : vn tn . Furthermore, by definition of en , P = PM = V1t1 : : : Vntn . The interpretation is a model for the formula '0 . In other words, renders true at most one literal in each of the Ci ’s. According to ì one of literals from Ci that is true according to :

M

7!

^ ^ 7! j M

j

M

It is straightforward that this statement implies Lemma 4 (for

M = ?).

Let us start by proving some auxiliary lemmas. m n, let 'm be the formula For 0 Qm+1 vm+1 : : : Qn vn and en ('m ) = (P 'm ; 'm ). = v1 t1 ; : : : ; vm 0 tm , let us denote PM the For ' process Q'm M such that P 'm vm +1 [Q m ℄.

M

ì = v i :

M

by the encoding and the definition of PM , this is equivalent to that [ ì ℄ = vi [pos [0℄ vi0 [0℄℄ T rue and PM = vi [pos [0℄ vi0 [0℄℄ P 0 for some ambient process P 0 which does not contains the ambient name vi0 . Therefore, it is equivalent to that PM = [ ì ℄ .

j

j

j

j

00 [℄ j (vm+1 ):P 'm+1 )M;v PM ! (htt i j vm +1 m+1 0 0 and there is no other P such that P ! P .

j A

7!

7!

Proof

Mj

9 7!

M

tt

and

Now, since PM is a model for at least one literal in each of the Ci ’s, it is equivalent that PM = [ '0 ℄ , that is P 'n = 'n . For the induction step 1 < l n (the particular base case where l = 1 can be solved in a similar way): let us denote the interpretation v1 t1 ; : : : ; v n l tn l , '0 the formula Qn l+2 vn l+2 : : : Qn vn (that is '0 = 'n l+1 ). As= suming that the statement holds for l 1, let us consider Qn l+1 vn l+1 '0 . By case distinction over Qn l+1 : Case where Qn l+1 = : in this case, either ; vn l+1 = '0 . By induction hypothtt = '0 or ; vn l+1 esis, this is equivalent to that either V1t1 : : : Vntn l l tt ' n l +1 Vn l+1 Vn l+2 : : : Vn P PM;fvn l+1 g7!tt or V1t1 : : : Vntn l l Vn l+1 Vn l+2 : : : Vn P 'n l+1 PM;fvn l+1 g7! is a model for 'n l+1 . By Lemma 14, we know that PM;fvn l+1 g7!tt and PM;fvn l+1 g7! are the two unique processes reachable from PM satisfying the ambient formula vn l+2 [T℄ T. Therefore, the last statement is equivalent to that 'n l+1 PM = (vn l+2 [T℄ T)

M

A

7!

m < n, 00 [℄ j (vm+1 ):P 'm+1 )M;v PM ! (h i j vm +1 m+1

ì = vi : this case is dual from the previous one.

7!

Lemma 15 For all 0

j

j

Straightforward from the encoding.

M

Denoting ; vn tively by + and

M

7!

M

tt ; vn ,

! !

and

M; vn

; vn tt

respec-

! (vm00 +1 [℄ j

j

2 m < n, PM Lemma 16 For all 0 00 +1 [℄ P 'm+1 ) P 'm+1 )M+ and PM 2 (vm M is no other P 0 such that P 2 P 0 .

j

Proof Straightforward from the encoding, Lemma 15 and the definition of PM .

Case where Qn l+1 = : this case is dual from the previous one and leads to show the equivalence with

The proof of the main statement goes by induction over l the number of quantified variables in '0 . Case where l = 0: the formula '0 is equal to C1 : : : Ck , is a the form v1 t1 ; : : : ; vn tn and = C1 : : : Ck . As C1 : : : Ck is in conjunctive normal form, for at least one literal `j in each Ci , (`j ) = tt . This is equivalent to that for each Ci , there exists at least one literal lj in Ci such that

M

j

j j

j

j

j

j j

j

j

j

A

j

j

j

j

8

Â

PM j= (vn l+2 [T℄ j T) In both cases, by definition of with PM = 'n l , that is

j A V1t1 j : : : j Vntn l l j Vn

l+1

) A'n

en ,

^ ^

vj vj

we have the equivalence

A

l

where en ('n l ) = (P 'n l ; 'n l ). B.3 Immobile Ambients With I/O, No Quantifiers

^

^

Proof of Lemma 4 We denote C1 : : : Ck by and we consider the closed QBF formula Q1 v1 : : : Qn vn . be an interpretation v1 t1 ; : : : ; vm tm . We deLet note M the substitution v1 t1 ; v1 t1 ; : : : ; vm tm ; vm tm where ti is the negated value of ti . For being the empty interpretation, we let M to be the identity. We are going to show for any 0 m n that for the interpreequal to v1 t1 ; : : : ; vm tm and for the formula '0 tation equal to Qm+1 vm+1 : : : Qn vn ,

M

M

7!

f

M j= '0

7!

M 7!

7!

iff

7 ! M

7!

Mj

^ ^ ^ ^

M

tt ; vj belongs to M if `j = vj and ; vj tt belongs to M if `j = vj Therefore, from the definition of P in en ('0 ) = (P; A), for the process P M , in each ambient C occurs a sub-ambient tt [℄. This is equivalent to P M j= ❏((C [T℄ j T) ) C [tt [0℄ j T℄ j T) that is, P M j= '0 . Case where l = 1: the formula '0 is equal to Qn vn , M is a the form v1 7! t1 ; : : : ; vn 1 7! tn 1 and M j= Qn vn . According to the value of Qn : case where Qn = 9: the last statement is then equivalent to either M; vn tt j= or M; vn j= . Using the case where l = 0, this is equivalent to that either P 'n M+ j= A'n or P 'n M j= A'n for M+ and M being respectively M; vn tt ; vn and M; vn ; vn tt . By Lemma 16, the processes vn00 [℄ j P 'n M+ and vn00 [℄ j P 'n M are the two unique ones reachable from PM in two steps. Moreover, as P 'n can not be reduced, there is no process reachable from PM in strictly more than two steps. It should be noticed that P 'n M+ and P 'n M both satisfy the formula Inst (end ) ^ :Inst + (end ) whereas by Lemma 15 the two unique processes as well as PM itself do not satisfy the formula Inst (end ). Therefore,

l+1

j : : : j Vn j P 'n l j= A'n

and there

j

j

j

P M j= A

for P such that

21

P 'n M+ j= A'n or P 'n M j= A'n holds iff PM j= ((Inst (end ) ^ :Inst + (end )) ^ P 'n )M . And thus, this is equivalent to vn00 1 [℄ j vn [PM ℄ j= T j vn [((Inst (end ) ^ :Inst + (end )) ^ P 'n )℄M , that is vn00 1 [℄ j P 'n 1 j=

A'n

1.

case where one.

Qn =

8: this case is symmetric to the previous

is a Case where 1 < l < n: the formula '0 is equal to 'n l , the form v1 t1 ; : : : ; vn l tn l and = 'n l . According to the value of Qn l+1 :

7!

7! 9

M

Mj

case where Qn l+1 = : the last statement is then equivalent to either ; vn tt = 'n l+1 or ; vn = 'n l+1 . By induction hypothesis, this is equivalent to that either vn00 l+1 [℄ P 'n l+1 M+ = 'n l+1 or vn00 l+1 [℄ P 'n l+1 M = 'n l+1 where + and are respectively ; vn tt ; vn and ; vn ; vn tt .

M

M j j A

j

M

M

j A M

M

j

j

Let us have a look now at processes reachable from PM : of course, PM itself is reachable, but by construction doesn’t satisfy the formula Inst (vn0 l+2 ). By Lemma 15, two processes are reachable in one step from PM , but they don’t satisfy the formula Inst (vn0 l+2 ). By Lemma 16, two processes are reachable from PM in two steps, namely (vn00 l+1 [℄ P 'n l+1 )M+ and (vn00 l+1 [℄ P 'n l+1 )M and they both satisfy the formulas Inst (vn0 l+2 ) and Inst + (vn0 l+2 ) (by construction). Now, by using once again Lemma 15 for the internal of vn0 l+2 in P 'n l+1 M+ and P 'n l+1 M , all the processes reachable from one of those latter satisfy Inst + (vn0 l+2 ).

j

j

:

Therefore, the last statement is equivalent to that PM j= (Inst (vn0 l+2 ) ^ :Inst0 + (vn0 l+20)) ^ A'n l+1 . Thus, this is equivalent to vn l [℄ j vn l+1 [PM ℄ j= T j vn0 l+1 [(Inst (vn0 l+2 ) ^ :Inst + (vn0 l+2 )) ^ A'n l+1 ℄, that is vn0 l [℄ j P 'n l j= A'n l . case where Qn l+1 = 8: this case is symmetric to the previous one.

Case where l noticing that as P any formula .

= n:

this case is similar to the previous one

P j 0, v1 [PM ℄ j= T j v1 [A℄ iff PM j= A for A

22