On the Expressiveness of the Ambient Logic

The Ambient Logic (AL) has been proposed for expressing properties of process mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages on semistructured data. In this paper, we study the expressiveness of AL. We define formulas for capabilities and for communication in MA. We also derive some formulas that capture finiteness of a term, name occurrences and persistence. We study extensions of the calculus involving more complex forms of communication, and we define characteristic formulas for the equivalence induced by the logic on a subcalculus of MA. This subcalculus is defined by imposing an image-finiteness condition on the reducts of a MA process.


Introduction
The Ambient Logic, AL, [CG00] is a modal logic for expressing properties of processes in the calculus of Mobile Ambients, MA [CG98a,CG99]. In MA the unit of movement is an ambient, which, intuitively, is a named location. An ambient may contain other ambients, and capabilities, which determine the ambient movements. The primitives for movement allow: an ambient to enter a sibling ambient; an ambient to exit the parent ambient; a process to dissolve an ambient boundary. MA has a replication operator to make a process persistent, that is, to make infinite copies of the process available.
An ambient can be thought of as a labelled tree. The sibling relation on subtrees represents spatial contiguity; the subtree relation represents spatial nesting. A label may represent an ambient name or a capability; moreover, a replication tag on labels indicates the resources that are persistent. The trees are unordered: the order of the children of a node is not important. As an example, the process P
Syntactically, each tree is finite. Semantically, however, due to replications, a tree is an infinite object. As a consequence, the temporal developments of a tree can be quite rich. The process P above (we freely switch between processes and their tree representation) has only one reduction, to in c | !a . In general, a tree may have an infinite temporal branching, that is, it can evolve into an infinite number of trees, possibly quite different from each other (for instance, pairwise behaviourally unrelated). Technically, this means that the trees are not image-finite.
In summary, MA is a calculus of dynamically-evolving unordered edge-labelled trees, and AL is a logic for reasoning on such trees. The actual definition of satisfaction of the formulas of AL is given on MA processes quotiented by a relation of structural congruence, which equates processes with the same tree representation. (This relation is similar to Milner's structural congruence for the π-calculus [Mil99]. ) AL has also been advocated as a foundation of query languages for semistructured data [Car01]. Here, the laws of the logic are used to describe query rewriting rules and query optimisations. This line of work exploits the similarities between dynamically-evolving edgelabelled trees and standard models of semistructured data.
AL has a connective that talks about time, that is, how processes can evolve: the formula ✸ A is satisfied by those processes with a future in which A holds. The logic has also connectives that talk about space, that is, the shape of the edge-labelled trees that describe process distributions: the formula n[A] is satisfied by ambients named n whose content satisfies A (read on trees: n[A] is satisfied by the trees whose root has just a single edge n leading to a subtree that satisfies A); the formula A 1 | A 2 is satisfied by the processes that can be decomposed into parallel components P 1 and P 2 where each P i satisfies A i (read on trees: A 1 | A 2 is satisfied by the trees that are the juxtaposition of two trees that respectively satisfy the formulas A 1 and A 2 ); the formula 0 is satisfied by the terminated process 0 (on trees: 0 is satisfied by the tree consisting of just the root node).
AL is quite different from standard modal logics. First, such logics do not talk about space. Secondly, they have more precise temporal connectives. The only temporal connective of AL talks about the many-step evolution of a system on its own. In standard modal logics, by contrast, the temporal connectives also talk about the potential interactions between a process and its environment. For instance, in the Hennessy-Milner logic [HM85], the temporal modality µ . A is satisfied by the processes that can perform the action µ and become a process that satisfies A. The action µ can be a reduction, but also an input or an output. The lack of such temporal connectives in the ambient logic is particularly significant because in MA interaction between a process and its environment can take several forms, originating from the communication and the movement primitives. (There are 9 such forms; they appear as labels of transitions in a purely SOS semantics of MA [CG98b,LS00].)
This paper is essentially devoted to the study of the expressiveness of AL. The results we present show that AL is actually a very expressive formalism. In particular, we are able to derive formulas expressing capabilities of processes for movement and for communication, as well as the persistence of processes (as given by the replication operator), and free occurrences of names in processes. The ability to derive such constructions is surprising, considering that there is no connective in the logic that is directly related to such properties: no construct mentions the capabilities of the calculus, nor does the logic include infinitary operators, or operators that talk about resources with infinite multiplicity.
Our results are established using nontrivial technical developments, and the methods we exploit are of interest in their own right. More precisely, the general approach to deriving expressiveness formulas is to exploit adjunct connectives to introduce a form of contextual reasoning, together with the temporal modality to make it possible to observe the desired properties. It can be noted that related constructions have been introduced in the setting of Separation Logic [Rey02] in order to express weakest preconditions for pointer manipulation instructions in an imperative language.
The expressive power of AL that we thus prove has several consequences. The first consequence is that we are able to define characteristic formulas for image-finite Ambient processes, i.e., formulas that capture the equivalence class of a process with respect to the induced logical equivalence. This is in contrast with usual results in modal logics. Typically, the definition of characteristic formulas exploits fixed-point operators, and the characterised processes are finite-state [GS86,SI94]. As mentioned above, AL has no fixed-point operator; moreover the image-finiteness condition on processes is weaker than finite-state. ('Image-finite' expresses finiteness on internal reductions, whereas 'finite-state' also takes into account computations containing visible actions such as input and output actions.) Another major consequence of our results is to show that AL is an intensional logic. Informally, this holds because the logic allows one to inspect the structure of processes, not only by separating subcomponents of a process, but also by capturing its interaction capabilities. More formally, intensionality of the Ambient Logic is expressed by showing that the equivalence induced by the logic coincides with structural congruence on processes. This result, that is established using the constructions we have discussed above (and, in particular, characteristic formulas), says that AL is a very fine grained logic.
Structure of the paper. Section 2 introduces the calculus and the logic we study in this paper. Sections 3 and 4 present two main contributions in terms of expressiveness of AL: we define some formulas capturing respectively some syntactical constructions of the calculus (capabilities for movement and communication) and some nontrivial properties of processes (finiteness, occurrences of free names, and persistence). In Section 5, we exploit these constructions to define characteristic formulas for logical equivalence. Intensional bisimilarity, which, for the purposes of the present work, is a technical device that is needed to reason about characteristic formulas, is presented in Subsection 5.1. The proofs of the main properties enjoyed by intensional bisimilarity are not provided, and can be found in a companion paper [HLS05]. Finally, in Section 6, we study extensions of the calculus we work with, and show our results can be adapted to the corresponding settings.
The results of this paper come from the two conference papers [San01] and [HLS02]: in [San01], the author presented the encoding of the modalities for capabilities and communications (Sections 3 and 6) and the definition of intensional bisimilarity, whereas the formulas capturing finiteness, name occurrence, and persistence (Section 4) and the characteristic formulas (Section 5) come from [HLS02]. This paper focuses on the expressiveness results coming from these two conference papers, whereas a companion paper [HLS05] presents the separability results.
Developments. By the time the writing of the present paper was completed, a few works had appeared that make use of results or methods presented here. We discuss them below.
The 'contextual games' we have discussed above have been exploited in several settings. Along the lines of the derivation of formulas capturing Mobile Ambients capabilities, [HLS03] extends and develops this line of research in the setting of a sub-logic of AL, which is applied to reason about MA and π-calculus processes. Other interesting properties can be derived using this approach. An example is quantifier elimination [CL04]. Another study [Hir04] demonstrates that, in some sense, contextual games represent the logical counterpart of 'contextual testing' as in barbed equivalence [SW01].
Our expressiveness results also allow us to bring to light redundancies in spatial logics for concurrency. For example, an operator to express occurrences of free names in processes is analysed in related works [CG01,HLS03]. In the setting of the present work, such an operator is encodable in AL. Such encodability results allow one to compare different versions of spatial logics for concurrency, and are useful to assess minimality properties of the logics.

Background
This section collects the necessary background for this paper. It includes the MA calculus [CG98a] (syntax and semantics), and the Ambient Logic [CG00].
2.1. Syntax of Mobile Ambients. We recall here the syntax of MA [CG98a] (we sometimes call this calculus the Ambient calculus). We first consider the calculus in which only names, not capabilities, can be communicated; this allows us to work in an untyped calculus. We analyse extensions of the calculus in Section 6.
As in [CG00,Car99,CG04], the calculus has no restriction operator for creating new names. The restriction-free calculus has a more direct correspondence with edge-labelled trees and semistructured data. Table 1 shows the syntax. Both the set of names and that of variables are infinite. Letters n, m, h range over names, x, y, z over variables; η ranges over names and variables. The expressions in η, out η, and open η are the capabilities, and are ranged over using cap. Messages and abstractions are the input/output (I/O) primitives. The metavariables M, N, for messages, will become useful when considering extensions of the language (see Section 6). A closed process has no free variables. We ignore syntactic differences due to alpha conversion, and we write P{n/x} for the result of substituting x with n in P. In the paper, all definitions and results are given only for closed processes, unless otherwise stated.
Given an integer n > 0, we write P i (1 ≤ i ≤ n) for a (finite) sequence of processes P 1 , . . . , P n .
Processes having the same internal structure are identified. This is expressed by means of the structural congruence relation, ≡, the smallest congruence such that:
As a consequence of results in [DZ00], which studies a richer calculus than the one we study, we have:
The two following syntactic notions will be useful below.
• A closed process P is finite if there exists a process P ′ with no occurrence of the replication operator such that P ≡ P ′ .
• A closed process P is single if there exists P ′ such that either P ≡ cap. P ′ for some cap, or P ≡ n[P ′ ] for some n, or P ≡ (x)P ′ for some x.
Unless otherwise stated, all results and definitions we state in the sequel are on closed terms.
2.2. Operational Semantics. The operational semantics of the calculus is given by a reduction relation −→, defined by the rules presented in Table 2.2. The reflexive and transitive closure of −→ is written =⇒.
Lemma 2.2. If P −→ Q then there is a derivation of the reduction in which Red-Str is applied, if at all, only as the last rule.
Lemma 2.2 shows that every reduction P −→ P ′ has a normalised derivation proof. As a consequence, we have:
We now introduce some forms of labelled transitions that we will use to give the interpretation of some of our logical constructions.
Definition 2.2 (Labelled transitions). Let P be a closed process. We write:
• P cap − → P ′ , where cap is a capability, if P ≡ cap. P 1 | P 2 and P ′ = P 1 | P 2 .
• (stuttering) P (cap 1 ,cap 2 ) ⋆ ========⇒ P ′ if there is i ≥ 1 and processes P 1 , . . . , P i with P = P 1 and P ′ = P i such that P r cap 1 =⇒ cap 2 =⇒ P r+1 for all 1 ≤ r < i.
The logic in [CG00] also has a somewhere connective, that holds of a process containing, at some arbitrary level of nesting of ambients, an ambient whose content satisfies A. We do not consider this connective in the paper because we find it less fundamental than the other operators; in any case, its addition would not affect the results in the paper, and it has seldom been considered in other works. (Further, we discuss in the final section a "strong" version of the sometimes modality.)
Definition 2.3 (Satisfaction). The satisfaction relation between closed processes and closed formulas, written P |= A, is defined as follows:
By definition, satisfaction is closed under structural congruence:
Lemma 2.4. If P ≡ Q and P |= A, then also Q |= A.
We give ∨ and ∧ the least syntactic precedence, thus A 1 ⊲A 2 ∧ A 3 reads (A 1 ⊲A 2 ) ∧ A 3 , and A 1 ⊲(✸A 2 ∧ ✸A 3 ) reads A 1 ⊲((✸A 2 ) ∧ (✸A 3 )). We shall use the duals of some connectives, namely the duals of linear implication (A◮B), of the sometime modality (✷A), of the parallel operator ( ), and the standard duals of universal quantification (∃ x . A) and disjunction (A ∧ B); we also define (classical) implication (A → B):
Thus P |= A◮B iff there exists Q with Q |= A and P | Q |= B, and P |= ✷A iff P ′ |= A for all P ′ such that P =⇒ P ′ .
We now define the equivalence between processes induced by the logic:
Definition 2.4 (Logical equivalence). For processes P and Q, we write P = L Q if for any closed formula A it holds that P |= A iff Q |= A.

Formulas for capabilities and communications
In this section, we show that we can capture at a logical level prefixes of the language, both for movement and for communication.
3.1. Preliminary formulas: counting components and comparing names. We start by recalling some formulas from [CG00] that will be useful for some constructions presented below.
The Ambient Logic allows one to count the number of parallel components of a process. The formula below is true of a process that has exactly one parallel component that is different from 0.
Similarly we define
We may impose a given formula A to be satisfied by all single parallel components of a process, using the following definitions:
• P |= A ∀ iff for any Q, R such that P ≡ Q | R, it holds that Q |= A.
• P |= A ω iff all single parallel components of P satisfy A.
We shall use later the following derived formula, from [CG00], that expresses equality between names:
3.2. Formulas for capabilities. The two formulas below are true of a process that is (structurally congruent to) an ambient and (to) an empty ambient, respectively.
• P |= 1amb iff P ≡ n[Q], for some n and Q.
To help understand the definitions of the capability formulas, we first discuss some simpler formulas, which do not talk about the process underneath the prefix. We define, for names n ≠ h:
It holds that P |= open n iff P ≡ open n. P ′ for some P ′ . We sketch the proof. The sub-formula 1comp ∧ ¬ 1amb says that P is single and is not an ambient. Thus, modulo ] can reduce to a process with an empty ambient h at the outermost level. From these requirements, we conclude that P ≡ open n. P ′ , for some P ′ .
Similarly we prove that P |= out n iff P ≡ out n. P ′ , for some P ′ . By the subformula 1comp ∧ ¬ 1amb, process P is single and is not an ambient. By the sub-formula
To obtain the full capability formulas we add some quantification on names. Formula open n . A is thus defined as follows:
Remark 3.1 (Formulas containing free variables). It will often be the case in the remainder of the paper that we define a formula involving a name, say n, and need the corresponding logical construction where a variable x is used instead of n. For instance, the formula 1open above could be defined as " ∃ x . open x . ⊤", which is not correct because open n . A has been defined but open x . A has not. In the sequel, when clear from the context, we shall nevertheless allow ourselves to adopt this abuse of notation, which should be understood as 'rewrite the definition of the corresponding formula using x instead of n' (see in particular the formulas to capture name reception, and their interpretation, in Lemma 3.15, and characteristic formulas for input guarded processes in Section 5).
Satisfaction being defined only between closed processes and closed formulas, the important point in doing so is to avoid reasoning about the satisfaction of formulas containing free variables: we shall therefore only write formulas containing an 'x' under the scope of a variable quantification.
Lemma 3.5. P |= open n . A iff P ≡ open n. P ′ , for some P ′ such that P ′ =⇒ P ′′ and P ′′ |= A. P |= 1open iff P ≡ open n. P ′ for some n and P ′ .
Proof. We only consider the first property, from which the second follows easily. The implication from right to left is easy. For the reverse implication, we set
where h ∉ n(P ). Since P |= 1comp, we have P ≡ Q, for some Q that is not a parallel composition. Since also P |= ¬ 1amb, we infer that Q is not an ambient. Finally since P |= G, process Q cannot be of the form 0, in n.
for some R. The first step of this reduction must be
Along the lines of our construction for the open prefix, we can define characteristic formulas for the in and out prefixes.
Proof. Similar to the proof for the open prefix. The formula 1comp ∧ ¬ 1amb forces P to be single and not an ambient. Therefore P ≡ Q, for some Q whose outermost operator is not a parallel composition or an ambient. Then we should have
This can only happen if Q is of the form out n. Q ′ , for some Q ′ such that Q ′ (in n,out n) ⋆ ========⇒ Q ′′ and Q ′′ |= A.
Proof. Similar to the previous proofs. The formula 1comp ∧ ¬ 1amb forces P to be single and not an ambient. Therefore P ≡ Q, for some Q whose outermost operator is not a parallel composition or an ambient. Then we should have
where h is fresh. By the previous arguments, this can only happen if Q is of the form in n. Q ′ , and Q ′ reduces (with stuttering) to Q ′′ satisfying A.
Given a capability cap, we may define the 'necessity' version of the 'possibility' formulas we have just introduced as follows:
Note that necessity formulas are not the dual of the possibility formulas, as in standard modal logics, because of the spatial aspects of AL. For instance, [[in n]]. ⊤ does not have the same interpretation as ¬ in n . ¬⊤, the latter being actually equivalent to ⊤.
Remark 3.2. We could think of deriving formulas for modalities cap =⇒, as in standard modal logics for concurrency [HM85], instead of capturing the syntactical prefixes corresponding to a capability cap. More precisely, we could look for a formula cap A capturing processes P for which there is P ′ such that P cap =⇒ P ′ and P ′ |= A. It turns out that spatial logics are more intensional, and make actions more difficult to express than connectives. In particular, we do not know how to express directly a modality corresponding to action open n =⇒ .
3.3. Formulas for communication. The first step to characterise I/O processes (i.e., messages or abstractions) is to get rid of other possible constructs for single terms, as follows:
Lemma 3.9. P |= 1comm iff (P ≡ {p} or P ≡ (x) P ′ ), for some p and P ′ .
The following formula, that holds of a process that is the parallel composition of two I/O processes, will also be useful:

The difficult part, however, is the definition of the I/O formulas for separating messages from abstractions, and also, within the messages and the abstractions, messages with different contents and abstractions with different behaviours.
The capability formulas are easier to define than the I/O formulas because capabilities act on ambients, and the logic has a connective, n[A], for talking about ambients. By contrast, the I/O primitives act on themselves. To define the I/O formulas, we proceed as follows:
(1) We define a formula, TestComm, that characterises the special abstraction (x) x[0].
(2) We use TestComm to define the formula for messages:
(3) We then use F {n} to define the formulas for abstractions:
and R contains no abstractions. Then R ≡ η[0], for some η.
We call ambient abstraction any closed abstraction described by the following grammar:
The following lemma shows how to characterise ambient abstractions using formulas.
Lemma 3.11. Given an abstraction (x) R, suppose there is q such that
(3.2)
Then (x) R is an ambient abstraction.
Proof. By induction on the number of nested abstractions in R. If this number is 0 then by
Suppose the number is greater than 0. From (3.1) and
Since R should contain an abstraction, the formula 1amb0 is not satisfied, hence
Using this, the fact that R{q/x} should contain an abstraction, and (3.2), we infer that R{q/x} ≡ {p} | (y) Q for some p, y, Q. By the induction hypothesis, we deduce that (y)Q is an ambient abstraction. From this, R{q/x} is an ambient abstraction too, and this implies that R itself is an ambient abstraction.

We say that an ambient abstraction
We recall that the operator ◮, used in the following lemma, has been introduced at the end of Section 2.
Lemma 3.12. Suppose (x) Q is an ambient abstraction, and
Proof. From the hypothesis, there are p and q such that
If (x) Q were not simple, then the name of the ambient to which it reduces would not depend on the argument x. (Note that any ambient abstraction is = β to an abstraction of the form (x) η[0], for some x, η. The hypothesis of the lemma implies that η = x.)
As hinted above, the key step is the definition of the formula below, which is the characteristic formula of simple ambient abstractions.
where n, m are different names.
Lemma 3.13. P |= TestComm iff P is a simple ambient abstraction and is closed.
Proof. The implication from right to left is easy. We consider the opposite. Process P must be an I/O, since P |= 1comm. Also, P cannot be a message, otherwise it would not satisfy the formula 1comm ⊲ ✷(2comm ∨ 1amb0) since a message in parallel with (x) 0 can reduce to 0, which does not satisfy 2comm ∨ 1amb0.
We conclude that P should be an abstraction, say (x) Q. Now, from (3.3) and (3.4), we get that there are messages p, q such that
From Lemma 3.11 we infer that (x) Q is an ambient abstraction. Moreover, by (3.4), (3.5) and Lemma 3.12, (x) Q must be simple.
Now we are finally in the position of defining the characteristic formula for a message {n}:
and, then, the characteristic formula for a message is
Lemma 3.14. P |= F {n} iff P ≡ {n}, and P |= 1mess iff P ≡ {n} for some n.
Proof. The right to left direction is easy. For the converse, we observe that P must be an I/O, and that P cannot be an abstraction (otherwise, when adding a process satisfying TestComm, we could not obtain an ambient). Hence P ≡ {m}, for some m. Given a simple ambient abstraction Q, we have that
This allows us to deduce that P ≡ {n}.
We can now define the two modalities for the input connective:

Other intensional properties
As we have just seen, AL can capture several syntactical constructions of the calculus. We now further explore the expressiveness of AL, going beyond the results we have established about capabilities and communications.
We first define a formula φfin that characterises finite terms, using a form of contextual reasoning. The same method is applied to derive a formula c n that characterises the terms containing n as a free name. We then introduce formulas that characterise, in a restricted sense, persistent single terms of the calculus. These formulas will be used in Section 5 to establish characteristic formulas for a sub-calculus of MA.
4.1. Capturing finiteness. We now present a formula that is satisfied by all and only the finite processes. Detecting replication seems a priori unfeasible in the present version of AL, as it does not provide a recursion operator. We capture the 'finite' character of a term using the fact that a replicated process is persistent, i.e., it is always present along the reductions of a term.
The characterisation of finiteness relies on the existence of a scenario which guarantees reachability of 0, as expressed by the two following lemmas:
Lemma 4.1. Let P, Q be two terms such that P =⇒ Q. Then P is finite iff Q is finite.
Proof. By induction over the length of the =⇒ derivation, then induction over the structure of the proof of the −→ transition.
Proof.
• Let us first assume that P is finite. We prove by induction on the size of P that there exist Q and R such that for any P ′ ,
The left to right implication can then be obtained using this property with P ′ = 0 and adding open n in parallel with R.
for any P ′ . For P ≡ P 1 | . . . | P r (with no replicated component), we use the induction hypothesis to obtain Q i and R i , and then set Q = Q 1 | . . . | Q r , R = R 1 | . . . | R r such that for any P ′ ,
reasoning inductively on r. For P ≡ cap. P 1 , we use the induction hypothesis to get Q 1 and R 1 , and we define Q and R according to the shape of cap as follows:
• For P ≡ {m}, we set Q = (x)0, and R = 0.
• For P ≡ (x)P 1 : by the induction hypothesis applied to P 1 {n/x}, we get Q 1 and R 1 ; then we set Q = {n} | Q 1 and R = R 1 . The first implication is thus established.
• Let us now assume P is not finite. Then for any n, Q, R, n[P | Q] | R is also infinite, and by the previous lemma, it is also the case for any of its reducts, and hence it cannot reduce to 0.
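The reduction semantics of Section 2.2, the satisfaction relation of Definition 2.3 and the finiteness scenario n[P | Q] | R =⇒ 0 used in the proof above can all be exercised on small terms. The following Python block is an added example written for this page, not code from the paper: it implements a replication-free fragment of MA (canonical form modulo structural congruence, the in/out/open/communication reductions and reduction under ambients), a checker for the spatial and temporal core of AL (0, n[A], A | B, ✸A, ¬, ∧; the adjuncts and quantifiers are not covered, since they quantify over all processes), the counting formula 1comp, assumed here to be ¬0 ∧ ¬(¬0 | ¬0) as in [CG00] (the page does not show it), and a `reaches_zero` check for the scenario of Section 4.1. The term constructors, the tuple encoding of formulas and the sample names a, b, m, n are this example's own choices. Because replication is left out, every reduction consumes a prefix, a message or an abstraction, so the set of reducts is finite and ✸ can be decided by exhaustive search.

```python
# Added example (not the paper's code): a replication-free fragment of MA and a
# checker for the spatial/temporal core of AL. Names and variables are strings.
ZERO = ()  # the terminated process 0: an empty parallel composition

def par(*ps):
    """Parallel composition in canonical form modulo structural congruence:
    nested compositions are flattened, 0 is dropped, components are sorted."""
    return tuple(sorted((c for p in ps for c in p), key=repr))

def amb(n, p=ZERO):       return (('amb', n, p),)        # n[P]
def cap(kind, n, p=ZERO): return (('cap', kind, n, p),)  # in n.P / out n.P / open n.P
def msg(n):               return (('msg', n),)           # {n}
def abst(x, p):           return (('abs', x, p),)        # (x)P

def subst(p, x, n):
    """P{n/x}; stops at an inner abstraction that rebinds x."""
    out = []
    for c in p:
        if c[0] == 'amb':   out.append(('amb', n if c[1] == x else c[1], subst(c[2], x, n)))
        elif c[0] == 'cap': out.append(('cap', c[1], n if c[2] == x else c[2], subst(c[3], x, n)))
        elif c[0] == 'msg': out.append(('msg', n if c[1] == x else c[1]))
        else:               out.append(c if c[1] == x else ('abs', c[1], subst(c[2], x, n)))
    return par(tuple(out))

def remove(p, *idx):
    return tuple(c for k, c in enumerate(p) if k not in idx)

def step(p):
    """All one-step reducts of P (Red-In, Red-Out, Red-Open, Red-Comm, Red-Amb)."""
    res = set()
    for i, c in enumerate(p):
        rest = remove(p, i)
        if c[0] == 'amb':
            n, q = c[1], c[2]
            for q2 in step(q):                        # Red-Amb: reduce inside n[...]
                res.add(par(rest, amb(n, q2)))
            for k, d in enumerate(q):
                if d[0] == 'cap' and d[1] == 'in':    # n[in m.R | Q] | m[S] -> m[S | n[R | Q]]
                    for j, e in enumerate(p):
                        if j != i and e[0] == 'amb' and e[1] == d[2]:
                            inner = amb(n, par(remove(q, k), d[3]))
                            res.add(par(remove(p, i, j), amb(e[1], par(e[2], inner))))
                if d[0] == 'amb':                     # n[m[out n.R | T] | Q] -> m[R | T] | n[Q]
                    for l, f in enumerate(d[2]):
                        if f[0] == 'cap' and f[1] == 'out' and f[2] == n:
                            res.add(par(rest, amb(d[1], par(remove(d[2], l), f[3])),
                                        amb(n, remove(q, k))))
        elif c[0] == 'cap' and c[1] == 'open':        # open n.R | n[Q] -> R | Q
            for j, e in enumerate(p):
                if e[0] == 'amb' and e[1] == c[2]:
                    res.add(par(remove(p, i, j), c[3], e[2]))
        elif c[0] == 'msg':                           # {n} | (x)Q -> Q{n/x}
            for j, e in enumerate(p):
                if e[0] == 'abs':
                    res.add(par(remove(p, i, j), subst(e[2], e[1], c[1])))
    return res

def reachable(p):
    """All reducts of P under =>; finite because every step consumes a prefix."""
    seen, todo = {p}, [p]
    while todo:
        for r in step(todo.pop()):
            if r not in seen:
                seen.add(r); todo.append(r)
    return seen

def splits(p):
    """All decompositions P ≡ Q | R, as sub-multisets of the components."""
    for mask in range(1 << len(p)):
        yield (tuple(c for k, c in enumerate(p) if mask >> k & 1),
               tuple(c for k, c in enumerate(p) if not mask >> k & 1))

def sat(p, a):
    """P |= A for formulas 0, n[A], A | B, <>A (some), not, and, true."""
    tag = a[0]
    if tag == 'true': return True
    if tag == '0':    return p == ZERO
    if tag == 'not':  return not sat(p, a[1])
    if tag == 'and':  return sat(p, a[1]) and sat(p, a[2])
    if tag == 'amb':  return len(p) == 1 and p[0][0] == 'amb' and p[0][1] == a[1] and sat(p[0][2], a[2])
    if tag == 'par':  return any(sat(q, a[1]) and sat(r, a[2]) for q, r in splits(p))
    if tag == 'some': return any(sat(q, a[1]) for q in reachable(p))
    raise ValueError(tag)

NOT0 = ('not', ('0',))
ONE_COMP = ('and', NOT0, ('not', ('par', NOT0, NOT0)))  # 1comp, assumed as in [CG00]

def reaches_zero(n, p, q, r):
    """The scenario of Section 4.1: does n[P | Q] | R  =>  0 hold?"""
    return sat(par(amb(n, par(p, q)), r), ('some', ('0',)))

if __name__ == '__main__':
    # constructed sample: P = open a.0 is finite; the witnesses are Q = a[0], R = open n.0
    print(reaches_zero('n', cap('open', 'a'), amb('a'), cap('open', 'n')))   # True
    print(sat(par(amb('a'), amb('b')), ONE_COMP))                           # False
```

The `in m` case of the proof is visible in the same way: with P = in m.0 one can take Q = 0 and R = m[open n.0] | open m.0, and `reaches_zero('n', cap('in', 'm'), ZERO, par(amb('m', cap('open', 'n')), cap('open', 'm')))` follows the path n[in m] | m[open n] | open m → m[n[0] | open n] | open m → m[0] | open m → 0. The `step` function also serves as a reference for the labelled transitions of Definition 2.2, which are just the reductions restricted to a chosen prefix.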
We can now define:
4.2. Formula for name occurrence. Our aim is now to define a formula corresponding to the connective c n, defined by: P |= c n iff n ∈ fn(P ) .
For this, we exploit Lemma 4.4 together with the ability, using the formulas for capabilities, to detect unguarded occurrences of names.
We say that a process P is flat if it has no inputs and the only process underneath all capabilities, and inside all ambients of P is 0. We say that a process P has an occurrence of name n at top level if P ≡ cap. P ′ | P ′′ with cap = in n, out n or open n, P ≡ n[P ′ ] | P ′′ or P ≡ {n} | P ′ .
For the proof of the next lemma, we also need a more general notion. The occurrence depth of a name n in an open term is given by a function depth n : P −→ N ∪ {∞}, stable under ≡, inductively defined as follows:
• depth n (0) = ∞.
• depth n (n[P 1 ]) = 0, and for n ≠ η, depth n (η[P 1 ]) = depth n (P 1 ) + 1.
• depth n ((!)P 1 | . . . | (!)P r ) = min 1≤i≤r depth n (P i ) (here (!)Q stands for Q or !Q).
• depth n (cap. P ) = 0 for cap ∈ {in n, out n, open n}, and depth n (P ) + 1 otherwise.
• depth n ((x)P ) = depth n (↓ β P ) + 1, where ↓ β P stands for the smallest term such that P = β ↓ β P .
• depth n ({n}) = 0 and depth n ({η}) = ∞ for η ≠ n.
Proof. Note that the property of S having an occurrence of n at top level is equivalent to depth n (S) = 0. We are now ready to prove the lemma:
• We first consider the implication from left to right. Let us assume that depth n (P ) is finite. We consider a name m, and prove by induction on depth n (P ) that there exist Q, R, S satisfying the conditions of the lemma.
– If depth n (P ) = 0, we take Q = R = 0 and S = P .
– If depth n (P ) = i + 1, we first consider the case where P ≡ in m 1 . P 1 | P 2 with depth n (P 1 ) = i. By the induction hypothesis, there are Q 1 , R 1 , S 1 and m satisfying the conditions of the lemma for P 1 | P 2 . We then can set for P :
| open m 1 | R 1 and S = S 1 | P 2 , then Q, R, S can be chosen for P . The other cases are treated similarly: we define processes that allow us to trigger a capability in order to decrease the occurrence depth of n in the term. The definition of these processes follows the ideas in the proof of Lemma 4.2. The first implication is proved.
• For the implication from right to left, we assume that n ∉ fn(P ). We consider m ≠ n, and some Q, R as in the statement of the lemma. Then n ∉ fn(m[P | Q] | R), so that for any T such that m[P | Q] | R =⇒ T , n ∉ fn(T ).
We can now define the formula c n to capture the set of free names of a process, together with the two auxiliary formulas flat and c 1 n needed in the definition of c n. These formulas are given in Table 4.
Table 4: Formulas for free names
Formula c n detects whether name n occurs in a process, while c 1 n detects whether n occurs at top level (i.e. P satisfies this formula iff depth n (P ) = 0).
Proof. Consequence of the previous lemma.
4.3. Formulas for persistence. We now move to the definition of formulas that characterise persistence, which is given by the replication operator in MA. In other words, we investigate the possibility of defining formulas !A that detect a replicated term !P such that P satisfies A. However, we cannot hope to define arbitrary formulas with precisely this property. First, the form !P is too restrictive: as P = L Q implies !P = L !P | Q (see [HLS05]), a formula !A would not distinguish between a uniquely replicated process !P , and a replicated process "with admissible garbage" !P | Q or !P | !Q. Second, if we want to express that the process holds something replicated, one has to reject formulas satisfied by the process 0.
We hence restrict our attention to the case of formulas A whose models are single processes only. For these formulas, !A characterises replicated processes, in the sense that P |= !A ⇔ ∃P 1 , . . . , P n s.t. (1) P ≡ !P 1 | (!)P 2 | . . . | (!)P n and (2) ∀i ∈ 1 . . . n, P i |= A, where (!) denotes an optional replication. In the sequel, we show how to define the formula !A when A characterises a guarded process and satisfies some extra conditions. For the purpose of defining characteristic formulas, this will be sufficient. However, it remains an open question how to define !A on a larger language.
The definition of !A has two parts. The first part says that if P |= !A then all parallel components in P that are single and at top level satisfy A. This is expressed by the formula A ω . The second part of the definition of !A addresses persistence, by saying that there are infinitely many processes at top level that satisfy A, in the sense that we may not consume all copies by some finite sequence of reductions. Definitions are given in Table 5: there is one formula for each possible topmost constructor (recall that we are considering a single process).
Formula F !{n} is actually a characteristic formula, since it is satisfied only by the process !{n}. For this reason, we anticipate the notation F P of the characteristic formula of P (see Section 5). For the other formulas, we express the replication of a process satisfying A; the interpretation of these formulas hence relies on the actual meaning of A.
In light of these observations, we define the following measures on terms: the sequentiality degree sd(P) and the depth degree dd(P).

Lemma 4.6. For any processes P and Q, P ≡ Q implies sd(P) = sd(Q) and dd(P) = dd(Q).

Definition 4.3 (Selective and expressive formulas).
A formula is sequentially (resp. depth) selective if all processes satisfying it have the same sequentiality (resp. depth) degree. For any capability cap (resp. name n) and formula A, A is cap-expressive (resp. n-expressive, input-expressive) if all terms satisfying it are of the form cap. P (resp. n[P], (x)P).

These two forms of selectivity are useful for the characterisation of persistence. Indeed, the sequentiality (resp. depth) degree of a single prefixed (resp. ambient) term strictly decreases when the prefix is consumed (resp. when the ambient is opened). This property is needed in order to detect the presence of replication at top level in a process, and to interpret the formulas introduced above. In the sequel, Π 1≤i≤t Q i abbreviates Q 1 | . . . | Q t .

Lemma 4.7.
(1) Given a capability cap, and a sequentially selective and cap-expressive formula A, define !A def = Rep cap (A). Then P |= !A iff there are r ≥ 1, s ≥ r and P i (1 ≤ i ≤ s) such that P ≡ Π 1≤i≤r !cap. P i | Π r+1≤i≤s cap. P i and cap. P i |= A for all 1 ≤ i ≤ s.
(2) For any name n and depth selective and n-expressive formula A, define !A def = Rep n[] (A).
(3) For any formula A that is sequentially selective and input-expressive, define !A analogously, using the formula of Table 5 for abstractions.

Proof. Let us examine some cases.

Case 1, cap = in n. Assume there exist terms P 1 , . . . , P s satisfying the condition in (1). Then the first part of !A is satisfied, i.e. P |= A ω . To establish the second part, we have to show that for any Q ≡ out n ω (where ω ∈ N * ∪ {∞}), any fresh name m, and any term R such that m[P | Q] | n[0] =⇒ R, there is a further reduction R =⇒ n[m[R 1 | R 2 ]] for some R 1 , R 2 with R 1 |= A, which entails in particular R 1 ≡ in n. R ′ 1 . Since ambient n does not contain any active process, and since there is no active process at top level in m[P | Q] | n[0], ambient n remains at top level in all evolutions of this term. Moreover, m is fresh for P and Q; therefore no ambient may get out of m, so for any reduct R there exists R ′ such that one of the two shapes (i) and (ii) holds. In the first case, because of the shape of P, we may perform one more step of reduction to reach a situation like (ii), and then, using the shape of P | Q, the first implication is proved.
Conversely, assume that P |= Rep in n (A). Then, by the first part of the formula, there exist P i such that P ≡ (!)in n. P 1 | . . . | (!)in n. P r and in n. P i |= A. Suppose now, towards a contradiction, that no component is replicated. We exploit the sequential selectivity hypothesis. Indeed, we have the reduction m[P | (out n) r ] | n[0] =⇒ R = n[m[P 1 | . . . | P r ]], and R is a term whose sequentiality degree is strictly smaller than sd(P). The same holds for any of its reducts, so for any R 1 , R 2 such that R =⇒ n[m[in n. R 1 | R 2 ]], the sequentiality degree of in n. R 1 is too small for it to satisfy A, by sequential selectivity. Thus P cannot satisfy Rep in n (A), a contradiction. Hence at least one of the P i is replicated, and the reverse implication is proved. The proofs for the other capabilities in Case 1, and for Case 3, follow from similar arguments.

Case 2. Assume that P ≡ !n[P 1 ] | . . . | (!)n[P r ], with the P i such that n[P i ] |= A. Then P satisfies Rep n[] (A) iff for any Q ≡ open n ω and any R such that P | Q =⇒ R, there are R 1 , R 2 such that R ≡ n[R 1 ] | R 2 with n[R 1 ] |= A. Since for any such R, R ≡ !n[P 1 ] | R ′ , the first implication is established.
Conversely, suppose P satisfies Rep n[] (A). Then P ≡ (!)n[P 1 ] | . . . | (!)n[P r ]. Moreover, if no P i is replicated, then P | !open n =⇒ P 1 | . . . | P r | !open n, and if some P i contains P i,1 , P i,2 such that P i ≡ n[P i,1 ] | P i,2 , then the depth degree of P i,1 is too small for n[P i,1 ] to satisfy A; this gives the second implication.
The formulas for persistence, together with the constructions of Section 3, will be used to derive characteristic formulas with respect to = L for a sub-calculus of MA in Section 5.

Characteristic formulas
In this section we establish the existence of characteristic formulas for a large class of processes. Given a process P , a characteristic formula for P is a formula F P such that: where = L is logical equivalence (i.e., P = L Q iff P and Q satisfy the same formulas).
The definability of characteristic formulas is an interesting property, though for now a purely theoretical result. The effectiveness and efficiency of the construction of characteristic formulas are beyond the scope of this paper, though we strongly believe that our definition yields an algorithm for constructing formulas on the semi-decidable fragment MA IF . Having such constructive characteristic formulas would have some practical impact, since we could reduce the logical equivalence and model-checking problems to the validity problem. Interestingly, validity reduces to model checking in the other direction when the spatial logic considered has the guarantee (⊲) connective.
To be able to carry out our programme, we first have to understand what = L represents. For this, we use a co-inductive characterisation of = L as a form of labelled bisimilarity. Then, making intensive use of the formulas for the connectives of the calculus defined previously, we derive the characteristic formulas.

Intensional bisimilarity.
Note for this subsection only. The results presented in this subsection have appeared previously in [San01,HLS02] and therefore are not a contribution of the present paper. Their complete proofs, which are rather long and complex, can be found in a companion paper [HLS05]. We will use the notion of intensional bisimilarity and all the properties that are recalled in this subsection only in the proof about characteristic formulas for AL (Theorem 5.5), which is one of our main expressiveness results.
We use the labelled transitions (Definition 2.2) to define a notion of intensional bisimilarity in order to capture = L .
Definition 5.1. Intensional bisimilarity is the largest symmetric relation ≃ int on closed processes such that P ≃ int Q implies:

The definition of ≃ int has (at least) two intensional clauses, namely (1) and (2), which allow us to observe parallel compositions and the terminated process. These clauses correspond to the intensional connectives '|' and '0' of the logic. Clause (8), for abstractions, is similar to the input clause of bisimilarity in asynchronous message-passing calculi [ACS98]; this is because communication in MA is asynchronous. Another consequence of asynchrony is that the logic is insensitive to the following rewrite rule (modulo associativity and commutativity of |): (x)({x} | (x)P) −→ η (x)P. This rule induces a notion of normal form of processes, which we call the eta-normalised form.
Definition 5.2 (Eta-equivalence). We write P ≡ E Q if the normal forms of P and Q for −→ η are related by ≡.
Together with Theorem 5.2 below, this result (Lemma 5.1, which is used in the proof of Theorem 5.5 to pass between a process and its eta normal form) says that the logic is insensitive to −→ η . We shall thus reason on processes normalised with respect to −→ η in the proof of Theorem 5.5.
The most peculiar aspect of the definition of ≃ int is the use of the stuttering relations. Although they can be avoided on finite processes, they cannot be avoided in the full calculus. By contrast, stuttering does not show up in Safe Ambients [LS00], where movements are achieved by means of synchronisations involving a capability and a co-capability.
We now state some results about ≃ int that are proved in [HLS02,HLS05].
Theorem 5.2. For any P , Q, P ≃ int Q implies P = L Q.
The latter result establishes correctness (soundness) of ≃ int with respect to = L . Given a process P, we try to characterise the equivalence class of P with respect to ≃ int with a formula F P . The definability of such a formula will actually entail that = L ⊆ ≃ int (completeness), and hence that F P characterises the = L -equivalence class of P.
We now mention a useful induction principle that allows us to reason 'almost inductively' on the structure of a process when checking the relation ≃ int . This principle is given by the following inductive order (Definition 5.3): This order allows us, using the following result (Proposition 5.3), to derive an inductive characterisation of ≃ int [HLS02,HLS05].
(2) n[P ] ≃ int Q iff there exists Q ′ such that Q ≡ n[Q ′ ] and P ≃ int Q ′ .
(3) P 1 | P 2 ≃ int Q iff there exist Q 1 , Q 2 such that Q ≡ Q 1 | Q 2 and P i ≃ int Q i for i = 1, 2.

5.2. The sub-calculus MA IF .
As we mentioned above, characteristic formulas and completeness of an algebraic characterisation of logical equivalence are two related problems. In fact, the existence of characteristic formulas is a stronger result than completeness of ≃ int with respect to = L : while we establish completeness in [HLS05] on the whole calculus, we are only able to derive characteristic formulas on a sub-calculus of MA. To motivate the restriction on the class of processes we consider, and to illustrate the basic ideas behind the construction of characteristic formulas, we examine some examples.
Example 2. We introduce the following processes: In order to define a characteristic formula for P 3 , we first look for a characteristic formula for P 2 . We can set F 2 ∨ 0). But then we also accept the term open n. 0, which shows why we are led to add a possibility condition to the formula, and we finally define the following characteristic formula for P 3 : We see on this example that characterising the continuation of a process starting with a capability or an input also requires enumerating all the possible reducts after consuming the topmost constructor. Therefore, the definition of characteristic formulas relies on the actual feasibility of such an enumeration, which leads us to the definition of a subclass of MA processes.
In the definition below, we use the following notation: given a set S of processes, S /≃ int will stand for the quotient of S with respect to ≃ int (which is, technically, a set of ≃ int -equivalence classes of processes).
MA IF is the set of image-finite MA processes.
MA IF is only a semi-decidable fragment of MA. A stronger restriction, whose definition involves decidable syntactic conditions, is considered in [HLS05]. We however stick to this larger fragment for the sake of generality. To construct a characteristic formula F P for a closed MA IF process P, we can suppose (up to ≡ E ) that replication only appears above single terms and that P is eta normalised. We then define the characteristic formula F P of P by induction using the order of Definition 5.3 (this is a valid induction by Lemma 4.4). The defining formulas are given in Table 6. Two technical remarks should be made regarding the definition of F (x)P . First, in the disjunction over the quotiented set {P ′ : P { n x /x} =⇒ P ′ } /≃ int , it is intended that we pick a representative in each equivalence class. Second, to avoid reasoning about processes containing free variables (characteristic formulas are defined only for closed processes), we introduce the auxiliary name n x , which is used as a placeholder for x and is replaced by x again once the characteristic formula of the process P ′ has been computed (see the defining clause of F (x)P ). So F P ′ { x /n x } is a slight abuse of notation that denotes the operation consisting of (i) alpha-converting F P ′ so that no bound variable is named x, and (ii) textually replacing n x with x in the resulting formula.

Theorem 5.5 (Characteristic formulas for MA IF ). For any closed term P, define F P according to Table 6. Then

Proof. The proof is by induction, using the order of Definition 5.3.
• If F P 1 characterises P 1 and F P 2 characterises P 2 , then F P 1 |P 2 characterises P 1 | P 2 : by Proposition 5.3.
• Suppose now that for every P ′ such that sd(P ′ ) ≤ sd(P ), F P ′ is a characteristic formula for P ′ . We then have:
– F cap.P characterises cap. P .
By Lemma 4.4, sd(P ′ ) ≤ sd(P ) for any P ′ such that P cap =⇒ P ′ , so F P ′ is a characteristic formula for such processes. We examine each of the two implications. In one direction, cap. P |= cap . F P , and by Lemma 3.8 cap. P also satisfies the remaining part of F cap.P . Conversely, if Q |= F cap.P then Q ≡ cap. Q ′ for some Q ′ , and we deduce that there is P ′ such that P cap =⇒ P ′ and Q ′ |= F P ′ , so Q ′ ≃ int P ′ , and by Proposition 5.3, Q ≃ int cap. P .
– F (x)P characterises (x)P .
We first prove that (x)P |= F (x)P . We pick n 0 fresh for P. We can apply the induction hypothesis to P { n 0 /x} and to all of its reducts P ′ . The implication from right to left then follows from Lemma 3.15. For the other direction, let Q be such that Q |= F (x)P . We assume first that Q is eta normalised. Let n 0 be a name that can be used to satisfy formula F (x)P . Then n 0 ∉ fn(Q), and there are Q ′ , Q ′′ such that Q ≡ (x)Q ′ , {n 0 } | (x)Q ′ =⇒ Q ′′ , and Q ′′ |= F P { n 0 /x} , that is, by hypothesis, Q ′′ ≃ int P { n 0 /x}. Moreover, since Q is eta normalised, Q ′ { n 0 /x} is not of the form {n 0 } | (x)R with n 0 ∈ fn((x)R), and hence this process does not satisfy the formula (F {n 0 } | (1input ∧ ¬ c n 0 )). Therefore, there exists P ′ such that P { n 0 /x} =⇒ P ′ and Q ′ { n 0 /x} |= F P ′ , that is, by induction, Q ′ { n 0 /x} ≃ int P ′ . Using Proposition 5.3, we deduce Q ≃ int (x)P .
We now consider the case where Q is not eta normalised. Let Q 0 be the eta normal form of Q. Then by Lemma 5.1 and Theorem 5.2, Q = L Q 0 . Since by hypothesis Q |= F (x)P , also Q 0 |= F (x)P , and by the previous arguments (x)P ≃ int Q 0 . Finally, by Lemma 5.1, (x)P ≃ int Q.
– F !cap.P characterises !cap. P and F !(x)P characterises !(x)P : these results follow from the replication case in Proposition 5.3 and from Lemma 4.7. In particular, the requirements of sequential (or depth) selectiveness and cap (or n, input) expressiveness are satisfied because the formulas used in our constructions are characteristic formulas, which, by induction, satisfy such requirements.
Corollary 5.4. On the sub-calculus MA IF , we have ≃ int = = L . For any closed processes P and Q of MA IF , we have

Extensions of the calculus
In this section, we study extensions of MA with different forms of communication: we first examine the possibility of emitting capabilities (in addition to names) in messages, and then consider synchronous communication. We only show how to capture the modifications brought to the language, without porting all the constructions seen in the previous sections. We however believe that our approach would go through without any major modification.
We start by pointing out that Lemmas 3.5, 3.6 and 3.7 about the interpretation of formulas cap . A hold in the extensions we consider, since their proofs are insensitive to the presence of communication in the calculus.
6.1. Capabilities in messages. In the original MA calculus [CG98a], messages can also carry paths of capabilities. To accommodate this, the grammar of Table 1 is extended with paths of capabilities, and the corresponding laws for paths are added to those of ≡. Since messages can now carry names or capabilities, a type system is introduced [CG99] to avoid run-time errors. We shall assume that all processes are well-typed (according to the basic Ambient types), which means in particular that in the interpretation of a formula of the form A ⊲ B, the processes added in parallel are of the right type. Moreover, we say that the argument of an abstraction (x)P is of capability type whenever the typing ensures that capabilities, and not names, can be sent to instantiate x.
Our main focus will be on the characterisation of these new forms of messages. For this, we need a formula TestCap, the analogue of the formula TestComm of Section 3.3, satisfied by all abstractions that are eta-congruent to (x) m[x. 0], where m is some fixed name.
We also need a formula M, for any closed capability M, identifying those processes that are structurally congruent to M. 0. We first discuss an example, namely the formula In the definition of M, the sub-formula ¬1comp ∨ 1amb is used to control process reductions; see Lemma 6.1.
We now define TestCap: where (n, m) is any pair of distinct names. The correctness of this definition is proved along the lines of that of TestComm. The formula F {M} , where M is any closed capability, is then We now give the key steps that allow us to derive the interpretation of the formulas presented above.
• M = in n. N : similar.
• M = ε. N : in this case we also have P |= N , hence by induction P ≡ N , hence P ≡ M .
We now adapt the notion of ambient abstraction, introduced in Section 3.3, in order to define a class of processes that will be used to give the interpretation of formula TestCap.
Definition 6.1 (ambient abstraction and ambient semi-abstraction). The ambient abstractions are the subset of processes defined by the following grammar: The ambient semi-abstractions are the subset of processes defined by the following grammar: where Q is single.

Lemma 6.3. Given an abstraction (x)R whose argument is of capability type and such that R contains no abstractions, suppose there are messages M, N and substitutions { L / z}, { L ′ / z} such that and . Then (x) R is an ambient semi-abstraction (i.e. R ≡ m[P] where P is single).
Lemma 6.4. Given an abstraction (x) R whose argument is of capability type, suppose there are messages M, N and substitutions { L / z}, { L ′ / z} such that and . Then (x) R is an ambient semi-abstraction.
Proof. By induction on the number of nested abstractions in R. If this number is 0 then use Lemma 6.3.
Suppose the number is greater than 0. Since R should contain an abstraction, the formula m[1comp] is not satisfied. Using this, the fact that R should contain an abstraction, and the other judgement in the hypothesis of the lemma, we infer the shape of R, for some M ′ , y, Q. This information on R and the judgements in the hypothesis of the lemma imply, in particular, {M ′ { L / z}{ N /x}} | (x) (Q{ L / z}{ N /x}) |= ◇ m[1comp]. We can now conclude using the inductive hypothesis on Q.
Lemma 6.5. Suppose (x)R is an ambient semi-abstraction whose argument is of capability type, and suppose there are messages M, N and substitutions { L / z}, { L ′ / z} such that . Then (x) R is an ambient abstraction.
Proof. By induction on the number of abstractions in R. The case when this number is 0 is easy: if R ≡ x. 0 then R does not satisfy the given formulas.
If the number of abstractions is greater than 0 then Q ≡ ({O} | P ), for some message O and process P, and we derive: and similarly O{ L ′ / z}{ N /x} | (y) P { L ′ / z}{ N /x} |= ◇ m[0], and then we conclude using induction.

We say that an ambient abstraction P is simple if P = β (x) m[x. 0], where = β is the least congruence that is closed under the rule

Lemma 6.6. Suppose (x) Q is an ambient abstraction, and that we have Then (x) Q is simple.
Proof. Any ambient abstraction is equivalent with respect to ≡ E (structural congruence plus the eta law, see Definition 5.2) to a process of the form (x) m[M . 0].

Lemma 6.7. P |= TestCap iff P is a simple ambient abstraction.
Proof. We observe that P has to be an I/O process, and cannot be a message (otherwise, by adding (x) 0 in parallel with P, we could violate the definition of TestCap). Hence P is an abstraction, and there are M, N such that By Lemma 6.4, P must be an ambient semi-abstraction (note that 0 implies 1comp). Now Lemma 6.5 shows that P must be an ambient abstraction, which by Lemma 6.6 is simple.
6.2. Synchronous Ambients. Since the modal logic does not talk about the I/O primitives, it is interesting to examine variations of these primitives and see their effect on the equality induced by the logic. In MA communication is asynchronous: since a message has no continuation, no process is blocked until the message is consumed. The most natural variation consists in making communication synchronous. For this, the production {η} for messages in the grammar of MA in Table 1 is replaced by the production {η}. P, and reduction rule Red-Com becomes {η}. Q | (x)P −→ Q | P{η/x}: the communication act liberates, at the same time, both the continuation P of the abstraction and the continuation Q of the message. We write MA sync for the resulting synchronous calculus. Synchrony leads to some important modifications in the statements and proofs of the results in the paper. In MA sync the eta law fails, in the sense that the logic can separate eta-equivalent terms (cf. Definition 5.2). Indeed, we will define a formula {n} . A whose models are the processes {n}. P with P =⇒ P ′ |= A for some P ′ . Then, returning to the eta law, the formula 1input ∧ ( {n} . n[0]) ⊲ □¬3Comp is satisfied by (x)({x} | (y)0) and not by (x)0, where 3Comp stands for 1Comp | 1Comp | 1Comp.
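The eta rewrite of Definition 5.2 and the reduction rules of MA and MA sync can be checked mechanically on finite terms. The following Python interpreter is an added example, not code from the paper: it canonicalises terms modulo structural congruence, implements the rewrite (x)({x} | (x)P) −→ η (x)P, and enumerates reducts under Red-In, Red-Out, Red-Open and Red-Com. Messages are represented as {n}.P with a continuation, so the same Red-Com clause gives the synchronous rule and asynchronous MA is the special case P = 0. It assumes finite processes (no replication or restriction), compares bound names literally (no alpha-renaming in ≡), and all function names (norm, eta, step, reachable, sync_eta_demo) are this example's own.

```python
"""Tiny interpreter for finite Mobile Ambients (added example, not the paper's code): canonical
forms modulo ≡, the eta rewrite of Definition 5.2, and one-step reduction under Red-In, Red-Out,
Red-Open and Red-Com. Messages carry a continuation {n}.P, so the same Red-Com rule gives MA_sync;
asynchronous MA is the case P = 0. No replication or restriction; bound names compared literally."""
from dataclasses import dataclass, replace
from typing import Tuple

@dataclass(frozen=True)
class Zero: pass                                    # 0
@dataclass(frozen=True)
class Par: parts: Tuple[object, ...]                 # P | Q | ...
@dataclass(frozen=True)
class Amb: name: str; body: object                  # n[P]
@dataclass(frozen=True)
class Cap: kind: str; name: str; cont: object       # in n.P, out n.P, open n.P
@dataclass(frozen=True)
class Inp: var: str; body: object                   # (x)P
@dataclass(frozen=True)
class Msg: name: str; cont: object                  # {n}.P (cont = 0 in asynchronous MA)
ZERO = Zero()

def comps(p):   # top-level parallel components (none for 0)
    return list(p.parts) if isinstance(p, Par) else [] if isinstance(p, Zero) else [p]
def par(*ps):   # P1 | ... | Pk, canonicalised
    return norm(Par(tuple(ps)))
def mapsub(p, f):   # apply f to the immediate sub-terms of p
    if isinstance(p, Par): return Par(tuple(f(q) for q in p.parts))
    if isinstance(p, Amb): return Amb(p.name, f(p.body))
    if isinstance(p, Cap): return Cap(p.kind, p.name, f(p.cont))
    if isinstance(p, Inp): return Inp(p.var, f(p.body))
    if isinstance(p, Msg): return Msg(p.name, f(p.cont))
    return p
def norm(p):    # canonical form modulo ≡: flatten |, drop 0, sort components (| is AC with unit 0)
    if not isinstance(p, Par): return mapsub(p, norm)
    parts = sorted((q for r in p.parts for q in comps(norm(r))), key=repr)
    return ZERO if not parts else parts[0] if len(parts) == 1 else Par(tuple(parts))
def free(p):    # free names (variables are names bound by an abstraction)
    if isinstance(p, Par): return set().union(*(free(q) for q in p.parts))
    if isinstance(p, Inp): return free(p.body) - {p.var}
    if isinstance(p, Zero): return set()
    return {p.name} | free(p.body if isinstance(p, Amb) else p.cont)
def subst(p, x, n):   # P{n/x}: replace free occurrences of x by n (n assumed not bound in P)
    if isinstance(p, Inp) and p.var == x: return p
    q = mapsub(p, lambda r: subst(r, x, n))
    return replace(q, name=n) if isinstance(q, (Amb, Cap, Msg)) and q.name == x else q

def eta(p):     # eta normal form: (x)({x} | (y)P) --> (x)P{x/y} whenever x is not free in (y)P
    p = norm(p)
    if not isinstance(p, Inp): return norm(mapsub(p, eta))
    body = eta(p.body)
    if isinstance(body, Par) and len(body.parts) == 2:
        for m, a in (body.parts, body.parts[::-1]):
            if (isinstance(m, Msg) and m.name == p.var and m.cont == ZERO and isinstance(a, Inp)
                    and (a.var == p.var or p.var not in free(a))):
                return eta(Inp(p.var, subst(a.body, a.var, p.var)))   # rename y to x, drop the layer
    return Inp(p.var, body)
def split_prefix(body, kind, name):   # yield (P, Q) with body ≡ kind name.P | Q
    cs = comps(norm(body))
    for i, c in enumerate(cs):
        if isinstance(c, Cap) and c.kind == kind and c.name == name:
            yield c.cont, par(*cs[:i], *cs[i + 1:])
def inside(a):  # reducts of one component: under n[ ], and Red-Out: m[n[out m.P | Q] | R] --> n[P | Q] | m[R]
    if not isinstance(a, Amb): return
    for b in step(a.body): yield Amb(a.name, b)
    cs = comps(norm(a.body))
    for i, c in enumerate(cs):
        if isinstance(c, Amb):
            for P, Q in split_prefix(c.body, "out", a.name):
                yield par(Amb(c.name, par(P, Q)), Amb(a.name, par(*cs[:i], *cs[i + 1:])))

def step(p):    # all one-step reducts of p, up to ≡
    cs, out = comps(norm(p)), set()
    for i, a in enumerate(cs):
        out.update(par(a2, *cs[:i], *cs[i + 1:]) for a2 in inside(a))
        for j, b in enumerate(cs):
            if i == j: continue
            others = [q for k, q in enumerate(cs) if k not in (i, j)]
            if isinstance(a, Amb) and isinstance(b, Amb):      # Red-In: n[in m.P | Q] | m[R] --> m[n[P | Q] | R]
                for P, Q in split_prefix(a.body, "in", b.name):
                    out.add(par(Amb(b.name, par(Amb(a.name, par(P, Q)), b.body)), *others))
            if isinstance(a, Cap) and a.kind == "open" and isinstance(b, Amb) and a.name == b.name:
                out.add(par(a.cont, b.body, *others))          # Red-Open: open n.P | n[Q] --> P | Q
            if isinstance(a, Msg) and isinstance(b, Inp):     # Red-Com: {n}.Q | (x)P --> Q | P{n/x}
                out.add(par(a.cont, subst(b.body, b.var, a.name), *others))
    return out
def reachable(p, limit=10_000):   # every q with p ==> q (reflexive-transitive closure), up to ≡
    start = norm(p); seen, todo = {start}, [start]
    while todo and len(seen) < limit:
        for r in step(todo.pop()):
            if r not in seen: seen.add(r); todo.append(r)
    return seen

def sync_eta_demo():
    """The two eta-congruent abstractions of Section 6.2, each composed with {n}.n[0] in MA_sync;
    returns the largest number of top-level components (what kComp counts) reachable from each."""
    P1 = Inp("x", par(Msg("x", ZERO), Inp("y", ZERO)))   # (x)({x} | (y)0)
    P2 = Inp("x", ZERO)                                    # (x)0
    assert eta(P1) == eta(P2)                              # P1 ≡_E P2
    Q = Msg("n", Amb("n", ZERO))                           # the synchronous message {n}.n[0]
    return tuple(max(len(comps(q)) for q in reachable(par(P, Q))) for P in (P1, P2))
```

sync_eta_demo() returns (3, 2): both abstractions have the same eta normal form, but in MA sync only the first composition passes through the three-component state n[0] | {n} | (y)0 before reaching n[0], which is exactly what a formula counting parallel components can observe. In asynchronous MA the message {n} has no continuation, and the same two processes are not separated by the logic.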
We now focus on the characterisation of this new form of communication. In asynchronous MA, our separation of messages from abstractions exploited their asymmetry: abstractions, but not messages, have a continuation. In the synchronous case the asymmetry disappears, so we have to use a different route for the proof, which makes it a bit more involved.
Again, the most delicate point is to find a replacement for the formula TestComm. We sketch how the new definition is obtained.
• We first define a formula, OnlyCom, that is satisfied only by abstractions (x)P and messages {M}. P in which capability prefixes and ambients do not appear in the continuation P and, moreover, no sub-term of P contains more than two non-trivial parallel components.
• Using OnlyCom we define a formula, ComAmb, that is satisfied only by processes defined as those satisfying OnlyCom, except that the innermost operator is an ambient η[ . . . ].
Once we have defined formulas that capture the primitives for synchronous communication, the other expressiveness results in the paper also hold for synchronous MA. The corresponding proofs follow closely the arguments in the previous sections.
We now move to the formal definition and analysis of the formulas we alluded to above.
Modifications between Lemmas 3.10 and 3.14. To define a formula that captures synchronous outputs (Lemma 6.14 below), we introduce tester processes of the form (x)h[x[0]], for a given name h. The logical characterisation of these processes (Lemma 6.13) is slightly more complicated than the corresponding result in the asynchronous case (Lemma 3.13), and is based on four grammars describing communicating processes, defined as follows. We write
• GH for the set of terms described by H,
• GK for those described by K,
• GH ⋆ for those described by H ⋆ , and
• GK ⋆ for those described by K ⋆ .
(The grammar for K ⋆ , with respect to that for K, has an additional production of the form η[η ′ . . .

Lemma 6.9. Suppose P is a MA sync process. Then P { n /x} ∈ GH iff P ∈ GH.
Lemma 6.10. Suppose P is a MA sync process and P |= OnlyCom. Then P ≡ P ′ for some P ′ ∈ GH.
Proof. We show that if Q 1 , Q 2 are processes that satisfy 1comm and such that Q 1 | Q 2 |= (□(2comm ∨ 0) ∧ ◇0), then Q 1 , Q 2 ∈ GH. The proof is by induction on the maximal depth of Q 1 , Q 2 . The case when this depth is 1 is easy. If this depth is greater than 1, then Q 1 | Q 2 −→ Q ′ 1 | Q ′ 2 using the com rule, where Q ′ i is the continuation of Q i . We have three cases:
• Q ′ 1 ≡ 0 and Q ′ 2 ≡ R 1 | R 2 for some non-trivial R 1 , R 2 ;
• the symmetric case;
• neither Q ′ 1 nor Q ′ 2 is structurally congruent to 0.
In the first two cases, we deduce that R 1 , R 2 satisfy 1comm, and then use induction to infer R 1 , R 2 ∈ GH. Then, using the first four productions of the grammar and Lemma 6.9, Q 1 , Q 2 ∈ GH. In the third case, we use induction to infer Q ′ 1 , Q ′ 2 ∈ GH, hence also Q 1 , Q 2 ∈ GH, using the last two productions of the grammar and Lemma 6.9.
Proof. By induction on the size of P, where the size is the number of operators in P. The size cannot be 0 or 1. If the size is 2 then P = h[n Then P ≡ P 1 | P 2 where, for i = 1, 2, we have P i |= 1comm. Since P must reduce, P 1 | P 2 ≡ {m}. Q 1 | (x) Q 2 and Q 1 | Q 2 { m /x} |= F. The size of Q 1 | Q 2 { m /x} is smaller.
It can be that Q 1 or Q 2 are 0, or none is 0 (they cannot both be 0). In both cases we can conclude by referring to the appropriate grammar productions and by using the inductive hypothesis.
Define now: where n and m are different names.
Lemma 6.12. Suppose P is a MA sync process, and P |= ComAmb. Then P ≡ P ′ for some P ′ ∈ GK.
Lemma 6.15. Suppose P is a MA sync process. It holds that P |= ?n . A iff P ≡ (x) P ′ and P ′ { n /x} =⇒ P ′′ |= A.
6.3.1. Name restriction and revelation. Usually [CG98a,CG99], the syntax of MA also has the restriction operator. In [CG01], Cardelli and Gordon propose an extension of AL with logical connectives to describe restriction. In particular, the operator of name revelation allows one to derive c n (Subsection 4.2). In the presence of restriction in the calculus, we cannot adapt our construction to capture finiteness of processes, intuitively because our approach consists in exhibiting a context that allows a finite process to reduce to 0, which is not possible in general in the presence of restriction. However, characteristic formulas can be derived, by enriching our constructions with a formula saying that a process has no restriction (which is definable using name revelation).
6.3.2. Strong sometimes modality. One could consider a "strong" version of the sometimes (◇) modality, where −→ replaces =⇒ in the definition of |=. This variant is easier to study, and in a sense less interesting. We explain the effects it would have. The only drawback is that with a strong version of ◇ we could not derive the formulas of Section 4, and as a consequence characteristic formulas could be given for finite processes only. On the other hand, the formulas for capabilities and communications would become much simpler; we would not have to consider stuttering and eta conversions, and logical equivalence would coincide with structural congruence.
6.3.3. Recursion. In a different direction, a variant of MA can be considered in which a recursion operator is used instead of replication (see for example [LS03]). Recursion gives trees of infinite depth; this prevents us from defining the measures sd(P) and dd(P) up to structural congruence. Moreover, the constructions in Subsection 4.3 are based on the characterisation of persistence (which provides a form of 'recursion in width') of replicated processes. We do not think that they could easily be adapted to a calculus with recursion.