Separability in the Ambient Logic

The Ambient Logic (AL) has been proposed for expressing properties of process mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages on semistructured data. We study some basic questions concerning the discriminating power of AL, focusing on the equivalence on processes induced by the logic ($=_L$). As underlying calculi besides MA we consider a subcalculus in which an image-finiteness condition holds and that we prove to be Turing complete. Synchronous variants of these calculi are studied as well. In these calculi, we provide two operational characterisations of $=_L$: a coinductive one (as a form of bisimilarity) and an inductive one (based on structural properties of processes). After showing $=_L$ to be strictly finer than barbed congruence, we establish axiomatisations of $=_L$ on the subcalculus of MA (both the asynchronous and the synchronous version), enabling us to relate $=_L$ to structural congruence. We also present some (un)decidability results that are related to the above separation properties for AL: the undecidability of $=_L$ on MA and its decidability on the subcalculus.


Introduction
This paper is devoted to the study of the Ambient Logic [14] (AL), a modal logic for expressing properties of Mobile Ambients [13] (MA) processes. The model of Mobile Ambients is based on the notion of locality (an ambient is a named locality), and interaction in MA appears as movement of localities. Localities may be nested, as in the case of an ambient a containing a process P as well as two sublocalities named b and c. An ambient can be thought of as a labelled tree. The sibling relation on subtrees represents spatial contiguity; the subtree relation represents spatial nesting. A label may represent an ambient name or a capability; moreover, a replication tag on labels indicates the resources that are persistent. The trees are unordered: the order of the children of a node is not important. As an example, the process P

Syntactically, each tree is finite. Semantically, however, due to replications, a tree is an infinite object. As a consequence, the temporal developments of a tree can be quite rich. The process P above (we freely switch between processes and their tree representation

In general, a tree may have an infinite temporal branching, that is, it can evolve into an infinite number of trees, possibly quite different from each other (for instance, pairwise behaviourally unrelated). Technically, this means that the trees are not image-finite, where image-finite indicates a finiteness on the temporal branching of a process (we will come back to the definition of image-finiteness later).
Although the MA calculus often includes name restriction, (νn)P , reminiscent of the pi-calculus, we will omit this construction (unless we mention it explicitly), and will refer to public MA, or simply MA, for the calculus without name restriction.
In summary, MA is a calculus of dynamically-evolving unordered edge-labelled trees. AL is a logic for reasoning on such trees. The actual definition of satisfaction of the formulas is given on MA processes quotiented by a relation of structural congruence, ≡, which equates processes with the same tree representation. (This relation is similar to Milner's structural congruence for the π-calculus [28].) AL has also been advocated as a foundation of query languages for semistructured data [9]. Here, the laws of the logic are used to describe query rewriting rules and query optimisations. This line of work exploits the similarities between dynamically-evolving edge-labelled trees, underlying the ambient computational model, and standard models of semistructured data.
AL has a connective that talks about time, that is, how processes can evolve. The formula ✸A is satisfied by those processes with a future in which A holds. The logic has also connectives that talk about space, that is, the shape of the edge-labelled trees that describe process distributions. The formula n[A] is satisfied by ambients named n whose content satisfies A (read on trees: n[A] is satisfied by the trees whose root has just a single edge n leading to a subtree that satisfies A); the formula A_1 | A_2 is satisfied by the processes that can be decomposed into parallel components P_1 and P_2 where each P_i satisfies A_i (read on trees: A_1 | A_2 is satisfied by the trees that are the juxtaposition of two trees that respectively satisfy the formulas A_1 and A_2); the formula 0 is satisfied by the terminated process 0 (on trees: 0 is satisfied by the tree consisting of just the root node).
AL is quite different from standard modal logics. First, the latter logics do not talk about space. Secondly, they have more precise temporal connectives. The only temporal connective of AL talks about the many-step evolution of a system on its own. In standard modal logics, by contrast, the temporal connectives also talk about the potential interactions between a process and its environment. For instance, in the Hennessy-Milner logic [18], the temporal modality µ.A is satisfied by the processes that can perform the action µ and become a process that satisfies A. The action µ can be a reduction, but also an input or an output.
In this paper we study the equivalence between MA processes induced by the logic, written =_L: we write P =_L Q if P and Q satisfy exactly the same formulas. Our main goal is to understand how much the logic discriminates between processes, i.e., to study the separating power of =_L. We show that =_L is a rather fine-grained relation. Related to the problem of the equivalence induced by the logic are issues of decidability, that we also investigate.
The central technical device we rely on to analyse =_L is a characterisation as a form of bisimilarity, that we call intensional bisimilarity and write ≃_int. The bisimulation game defining ≃_int takes into account the interaction possibilities of agents, and also includes clauses to observe the spatial structure of processes, corresponding to the logical connectives of emptiness, spatial conjunction, and ambient. Intensional bisimilarity is to AL what standard bisimilarity is to Hennessy-Milner logic. In particular, ≃_int can be used to assess separability and expressiveness properties of the modal logic it captures. For instance, the definition of ≃_int reveals that, in some cases, logical observations are unable to distinguish between an agent entering an ambient, and the same agent going in and out of this ambient before finally entering it. We call this phenomenon stuttering. Stuttering can be seen as the spatial counterpart of the following 'eta law' for the asynchronous π-calculus [31]: a(x).(ā x | a(x).P) = a(x).P (a similar equality also holds for communication in MA). Indeed, stuttering disappears when the asynchronous movements are replaced by synchronous ones, as is the case, e.g., in the model of Safe Ambients [25].
Something worth stressing is that our characterisation results are established on the full, public, MA calculus in which, as mentioned earlier, terms need not be image-finite, and with respect to a finitary logic. We are not aware of other results of this kind: characterisation results for a bisimilarity with respect to a modal logic in the literature (precisely, the completeness part of the characterisations) rely either on an image-finiteness hypothesis for the terms of the language, or on the presence of some infinitary constructs (such as infinitary conjunctions) in the syntax of the logic. Technically, the proof of our result is based on the definition of some complex modal formulas. To make it easier to understand our approach, we first present the main structure of the proof in a subcalculus without infinite behaviours; we then move to the full public MA calculus to show how replication is handled. Our proof exploits two main technical notions. The first idea is to introduce an induction principle on processes, that allows us to provide an inductive characterisation of ≃_int. We then introduce modal formulas whose role is, intuitively, to establish that only finitely many terms have to be taken into consideration when exploring the outcomes of a given process.
Exploiting ≃_int, we relate logical equivalence with two important equivalences for processes. The first equivalence is the standard extensional equivalence, namely barbed congruence (≈). Here the main result is that logical equivalence is strictly finer. As counterexamples to the inclusion ≈ ⊆ =_L, we have found three axiom schemata. We do not know whether they are complete, that is, if they exactly describe the difference between the two relations on MA.
We then compare logical equivalence with a second relation, namely structural congruence (≡), an intensional and very discriminating equivalence. We establish an axiomatisation of logical equivalence on a rather broad class of processes, called MA_IF^s (defined in Subsection 5.1). The definition of MA_IF^s relies on an image-finiteness constraint that is lighter than the usual notion of image-finiteness in process calculi, because only certain subterms of processes are required to give rise to finitely many reducts. This subcalculus is shown to be Turing complete in Section 6. We are not aware of other axiomatisations of semantic equivalences (defined by operational, denotational, logical, or other means) in higher-order process calculi. Our result says that on MA_IF^s, =_L almost exactly coincides with structural congruence, the only difference being an 'eta law' for communication of the form mentioned above. This axiomatisation does not hold in the full MA, for instance because of the phenomenon of stuttering.
Communication in MA is asynchronous, in the sense that outputs have no continuation. We show in Subsection 5.2 that if asynchronous communication is dropped in favour of synchronous communication, then logical equivalence exactly coincides with structural congruence on the synchronous version of MA_IF^s. The comparisons reveal the intensional flavour of AL. Although the logic has operators for looking into the parallel structure of processes, the intensionality of the logic was far from immediate, essentially for two reasons. The first reason is that not all syntactical constructions of MA are reflected in the logic, which entirely lacks operators for capabilities, communications, and replication. The second reason is that we adopt a weak interpretation for reductions (i.e., we abstract from actions internal to the processes); this makes it possible to handle infinite processes, but at the same time entails a loss of precision when describing properties of processes. In such a setting it is therefore surprising that =_L is actually so close to ≡, also because ≡ is a very strong relation: a few axioms are the only difference with syntactic identity.
Being very close to a syntactical description of processes, the relation of structural congruence is decidable. As a consequence, in the subcalculus of MA where we show that =_L coincides with ≡, we can also derive decidability for =_L. However, the frontier with undecidability for =_L is very subtle: we establish undecidability of =_L in the full calculus by encoding the halting problem of a Turing machine. This boils down in our setting to specifying Turing machines in Mobile Ambients and building a scenario where the halting of a machine corresponds to the existence of reduction loops, i.e., of processes P, Q such that P reduces to Q and Q reduces to P. This encoding is a challenging 'programming task', since the process must return to its initial state modulo =_L; this is a demanding condition, since, as mentioned above, =_L is a rather strong relation. For instance, one has to be very precise in garbage collecting dead code during the execution of the Turing machine.

Other related work
Although not directly related from a technical point of view, a work worth mentioning is [15]. In that work, models of (enrichments of) relevant and linear logic are defined using Milner's SCCS. In particular, the interpretation of implication is reminiscent of the definition of satisfaction for the guarantee operator (⊲) in AL. Dam however explicitly renounces giving sense to formulas that talk about the structure of processes, as is the case in the Ambient Logic.
As stated before, intensional bisimilarity is to AL what bisimilarity is to Hennessy-Milner logic. Approximants of intensional bisimilarity, that will be needed in our proofs of completeness, may also be expressed in terms of Ehrenfeucht-Fraïssé games for spatial logics, as shown in [16]. These equivalences are standard devices to establish expressiveness results. For instance, they have been exploited to obtain adjunct elimination properties of spatial logics in [6,26].
This work is a revised and extended version of parts of [30] and [20], precisely, those parts that deal with issues related to separability of AL. A companion paper [21] studies expressiveness issues. By the time the writing of the present paper was completed, a few papers have appeared that make use of results or methods presented here. These are works that study the intensionality of spatial logics or decidability properties. Works related to the intensionality of spatial logics include [8], where the spatial logic is static, and [6,5], where the logic is applied to reason on calculi that feature a simpler notion of space, with a strong interpretation of the temporal modality. A spatial logic for the π-calculus satisfying the property that logical equivalence coincides with behavioural equivalence has been studied in [19]. This logic is defined by removing modal operators like 0 or spatial conjunction, and keeping only 'contextual' operators (guarantee and revelation adjunct). A similar result, but for a logic that includes spatial conjunction and 0, has been established for a process calculus encompassing a form of distribution in [7]. Works related to the decidability properties of Mobile Ambients include [3,27], that address questions of termination, and [2,4], that consider reachability in syntactic subcalculi of MA (in the sense that these subcalculi are obtained by eliminating some syntactical constructs). It can be noted that our analysis of decidability (in Section 6) allows us to deduce a property in terms of reachability: as discussed above, we establish that one cannot detect the presence of reduction loops (i.e., the existence of processes P and Q that reduce to each other). This in particular entails undecidability of reachability.
Structure of the paper. We define the Mobile Ambients calculus and the Ambient Logic in Section 2. Section 3 is devoted to the study of intensional bisimilarity, ≃_int. We show that ≃_int is included in logical equivalence, =_L. Completeness, i.e., the reverse inclusion, is first proved only for finite MA processes. For this, we need a certain number of expressiveness results about AL from [21], which are collected in Subsection 3.3. The completeness proof for the whole calculus is presented in Section 4, which completes our study of ≃_int by finally establishing that ≃_int and =_L coincide. The inductive characterisation of ≃_int is given in Subsection 4.1, and the logical characterisation of the outcomes of a process in Subsection 4.3. We compare =_L with barbed congruence and structural congruence in Section 5. The subcalculus MA_IF^s, on which we establish an axiomatisation of =_L, is also introduced here. Subsection 5.2 explains how our results are modified when moving to synchronous Ambients. We present our encoding of Turing machines into MA_IF^s in Section 6, and give concluding remarks in Section 7.

Background
This section collects the necessary background for this paper. It includes the Mobile Ambients calculus [13] syntax and semantics, and the Ambient Logic [11].
2.1. Syntax of Mobile Ambients. We recall here the syntax of Mobile Ambients (MA) (we sometimes also call this calculus the Ambient calculus). In the calculus we study, only names, not capabilities, can be communicated; this allows us to work in an untyped calculus.
The calculus is asynchronous; a synchronous extension will be considered in Section 5.As in [11,9,10], the calculus has no restriction operator for creating new names.
Table 2.1 shows the syntax. Letters n, m, h range over names, x, y, z over variables; η ranges over names and variables. Both the set of names and the set of variables are infinite. The expressions in η, out η, and open η are the capabilities. Messages and abstractions are the input/output (I/O) primitives. A guard is either an abstraction or a capability. A process P is single iff there exists P′ such that either P ≡ cap.P′ for some cap or

Abstraction is a binding construct, giving rise to the set of free variables of a process P, written fv(P). We ignore syntactic differences due to alpha conversion. We write fn(P) for the set of (free) names of process P. A closed process has no free variable. Unless explicitly stated, we use P, Q, ... to range over closed processes in our definitions and results. Substitutions, ranged over with σ, are partial functions from variables to names. Given σ, we write Pσ to denote the result of the application of σ to P. Given two processes P and Q, we say that σ is a closing substitution for P and Q (in short, a closing substitution) if Pσ and Qσ are closed processes. We also introduce another notation: P{n/x} stands for the capture avoiding substitution of variable x with name n in P, and P{n/m} stands for the process obtained by replacing name m with name n in P. Given n processes P_1, ..., P_n, we sometimes write Π_{1≤i≤n} P_i for the parallel composition P_1 | ... | P_n.
Process contexts (simply called contexts) are processes containing an occurrence of a special process, called the hole. We use C to range over process contexts, and C{|P|} stands for the process obtained by replacing the hole in C with P. Given two processes P and Q, a closing context for P and Q (in short, a closing context) is a context C such that C{|P|} and C{|Q|} are closed processes.
Processes with the same internal structure are identified. This is expressed by means of the structural congruence relation, ≡, the smallest congruence such that the following laws hold:

As a consequence of the results presented in [32], which works with a richer calculus than the one we study, we have:

The reduction relation −→ is closed under the rules Red-Amb and Red-Str; the latter reads: if P ≡ P′, P′ −→ P′′ and P′′ ≡ P′′′, then P −→ P′′′.

Definition ([29,24]). A symmetric relation R between processes is a barbed bisimulation if P R Q implies: (1) whenever P ⟹ P′, there exists Q′ such that Q ⟹ Q′ and P′ R Q′; (2) for each name n, P ⇓_n iff Q ⇓_n. Barbed bisimilarity, written ≈•, is the largest barbed bisimulation. Two processes P and

2.3. Ambient Logic. The Ambient Logic (AL) is presented in Table 2. We use an infinite set of logical variables, ranged over with x, y, z; η ranges over names and variables. (We can use the same syntax as for variables and names of the Ambient calculus, since formula and process terms are separate.) We use A, B, ..., F, F′, ... to range over formulas.
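The reduction rules and the structural congruence laws are not reproduced in this extraction. As an added illustration (not code from the paper), the following Python model assumes the standard public Mobile Ambients rules Red-In, Red-Out and Red-Open of Cardelli and Gordon together with the usual laws for parallel composition and replication, identifies processes up to ≡ through a canonical form, and searches for the reduction loops the introduction mentions, i.e. P reducing to Q and Q back to P modulo ≡. Communication is left out, and because reachability is undecidable the search is bounded.

```python
from dataclasses import dataclass

# Syntax: 0, P | Q, n[P], cap.P with cap one of in n / out n / open n, and !P
@dataclass(frozen=True)
class Zero: pass
@dataclass(frozen=True)
class Par: ps: tuple
@dataclass(frozen=True)
class Amb: name: str; body: object
@dataclass(frozen=True)
class Cap: kind: str; name: str; cont: object
@dataclass(frozen=True)
class Rep: body: object

# Structural congruence via canonical forms: a cf is a sorted tuple of atoms
# ('amb', n, cf), ('cap', kind, n, cf) or ('rep', atom).
def atoms(p):
    """Top-level atoms of p, with ! distributed over | and !! collapsed."""
    if isinstance(p, Par):
        return [a for q in p.ps for a in atoms(q)]
    if isinstance(p, Amb):
        return [('amb', p.name, canon(p.body))]
    if isinstance(p, Cap):
        return [('cap', p.kind, p.name, canon(p.cont))]
    if isinstance(p, Rep):
        return [a if a[0] == 'rep' else ('rep', a) for a in canon(p.body)]
    return []                                        # Zero

def join(*cfs):
    """Parallel composition of canonical forms, applying P|!P = !P and !P|!P = !P."""
    flat = [a for cf in cfs for a in cf]
    rep_bodies = {a[1] for a in flat if a[0] == 'rep'}
    kept, seen_reps = [], set()
    for a in flat:
        if a[0] == 'rep':
            if a[1] in seen_reps:
                continue
            seen_reps.add(a[1])
        elif a in rep_bodies:
            continue                                 # absorbed by its replication
        kept.append(a)
    return tuple(sorted(kept))

def canon(p):
    return join(atoms(p))

def available(cf):       # top-level components, unfolding !P into P | !P
    for a in cf:
        yield a[1] if a[0] == 'rep' else a

def without(cf, a):      # remove one copy of a; an unfolded copy leaves its ! in place
    i = cf.index(a) if a in cf else None
    return cf if i is None else cf[:i] + cf[i + 1:]

def reducts(cf):
    """One-step reducts of cf (Red-Par is implicit, Red-Amb is the recursive call)."""
    out = set()
    for a in available(cf):
        rest = without(cf, a)
        if a[0] == 'cap' and a[1] == 'open':          # Red-Open: open n.P | n[Q] -> P | Q
            for b in available(rest):
                if b[0] == 'amb' and b[1] == a[2]:
                    out.add(join(without(rest, b), a[3], b[2]))
        elif a[0] == 'amb':
            n, body = a[1], a[2]
            for body2 in reducts(body):                # Red-Amb
                out.add(join(rest, (('amb', n, body2),)))
            for c in available(body):
                inner = without(body, c)
                if c[0] == 'cap' and c[1] == 'in':     # Red-In: n[in m.P|Q] | m[R] -> m[n[P|Q] | R]
                    for b in available(rest):
                        if b[0] == 'amb' and b[1] == c[2]:
                            moved = ('amb', n, join(inner, c[3]))
                            out.add(join(without(rest, b), (('amb', c[2], join(b[2], (moved,))),)))
                elif c[0] == 'amb':                    # Red-Out: n[k[out n.P|Q] | R] -> k[P|Q] | n[R]
                    for d in available(c[2]):
                        if d[0] == 'cap' and d[1] == 'out' and d[2] == n:
                            exited = ('amb', c[1], join(without(c[2], d), d[3]))
                            out.add(join(rest, (exited,), (('amb', n, inner),)))
    return out

def reaches(src, dst, max_states=1000):   # bounded search: reachability in MA is undecidable
    frontier, seen = [src], set()
    while frontier and len(seen) < max_states:
        for nxt in reducts(frontier.pop()):
            if nxt == dst:
                return True
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return False

def is_loop(p, q):       # P and Q reduce to each other modulo structural congruence
    return reaches(canon(p), canon(q)) and reaches(canon(q), canon(p))

# Constructed sample: a[!in b.out b.0] | b[0] enters b, exits, and is back where it started.
LOOP_P = Par((Amb('a', Rep(Cap('in', 'b', Cap('out', 'b', Zero())))), Amb('b', Zero())))
LOOP_Q = Amb('b', Amb('a', Par((Cap('out', 'b', Zero()), Rep(Cap('in', 'b', Cap('out', 'b', Zero())))))))
```

is_loop(LOOP_P, LOOP_Q) returns True, while reaches(canon(LOOP_P), canon(Zero())) returns False once the bounded search has exhausted the two reachable states.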
The logic has the propositional connectives, ⊤, ¬A, A ∨ B, and universal quantification on names, ∀x.A, with the standard logical interpretation. The temporal connective, ✸A, is considered with a weak interpretation. The spatial connectives, 0, A | B, and η[A], are the logical counterpart of the corresponding constructions on processes. A ⊲ B and A@η

The logic in [11] has also a somewhere connective, that holds of a process containing, at some arbitrary level of nesting of ambients, an ambient whose content satisfies A. For the sake of simplicity, we omit this connective, but we believe that the addition of this connective would not change the results in the paper (in particular Theorem 3.29 can be adapted easily).

Lemma 2.5 ([11]). If P ≡ Q and P |= A, then also Q |= A.
We give ∨ the least syntactic precedence. We shall use the following standard duals of disjunction and universal quantification:

Definition 2.6 (Logical equivalence). For processes P and Q, we say that P and Q are logically equivalent, written P =_L Q, if for any closed formula A it holds that

The remainder of this paper is devoted to the study of =_L on MA and on some subcalculi of MA.

Intensional bisimilarity
In order to be able to carry out our programme for =_L, as discussed in the introduction, we look for a co-inductive characterisation of this relation, as a form of labelled bisimilarity. Before introducing the bisimilarity relation, we need to define labelled transitions on MA, and a few derived relations such as the stuttering relation.
there is i ≥ 1 and processes P_1, ..., P_i with P = P_1 and

• Finally, cap⟹ is a convenient notation for compacting statements involving capability transitions.
We discuss in Example 3.3 below why stuttering is needed to capture logical equivalence in MA.
Intuitively, the definition of ≃_int is based on the observations made available by the logic, either using built-in operators or through derived formulas for capabilities (see below).

Definition 3.2. A symmetric relation R on closed processes is an intensional bisimulation if P R Q implies: (1) If P ≡ P_1 | P_2 then there are

The definition of ≃_int has (at least) three intensional clauses, namely (1), (2) and (9), which allow us to observe parallel compositions, the terminated process, and ambients. These clauses correspond to the intensional connectives '|', '0' and 'n[•]' of the logic. The clause (8) for abstraction is similar to the input clause of bisimilarity in asynchronous message-passing calculi [1]. This is so because communication in MA is asynchronous (see also Subsection 5.2 below). Note that, using the notation cap⟹ introduced above, items 4, 5, and 6 can be replaced by the following one:

As we have pointed out above, stuttering is used to capture some transitions of processes that the logic cannot detect. It gives rise to particular kinds of loops, that we illustrate in the following example.

Example 3.3 (Stuttering Loop). Consider the processes
We have the following loop, modulo stuttering:

The existence of such pairs of processes that reduce one to each other modulo stuttering will play an important role in the axiomatisation of =_L. We call such a situation a loop.
It holds that P ≃_int Q; however, since P

Actually, out n.P ≈ out n.Q, that is, these two processes are extensionally equivalent, and they are also equated by the logic (i.e., out n.P =_L out n.Q). But they would not be intensionally bisimilar without the stuttering relations. The reason for this peculiarity is that, intuitively, these processes have the same behaviour in any testing context. To see why the extra capabilities of Q do not affect its behaviour, consider a reduction involving out n.P, of the following shape:

Process out n.Q can match this transition using three reductions:

where

Conversely, the process out n.Q may be involved in the following scenario:

and the process out n.P can mimic this reduction.
If we set

By contrast, stuttering does not show up in Safe Ambients [24], where movements are achieved by means of synchronisations between a capability and a co-capability, and alike models.
The following result is an easy consequence of the definition of ≃_int:

Lemma 3.4. ≃_int is an equivalence relation.
Proof. The only point worth mentioning is that, for transitivity, to handle clause (8), one first needs to prove that ≃_int is preserved by parallel compositions with messages (which is anyhow straightforward). ✷

However, it is not obvious that ≃_int is preserved by all operators of the calculus, due to the fact that ≃_int is, intrinsically, higher-order. Formally, ≃_int is not higher-order, in that the labels of actions do not contain terms. Clause (3) of Definition 3.2, however, involves some higher-order computation, for a reduction may involve movement of terms (for instance, if the reduction uses rules Red-In or Red-Out). This, as usual in higher-order forms of bisimilarity, complicates the proof that bisimilarity is preserved by parallel composition.

Congruence.
In this section, we establish congruence of intensional bisimilarity, using an auxiliary relation.

Syntactical relation, ≅.
Our proof of congruence makes use of a second bisimilarity, ≅, that, by construction, is preserved by all operators of the calculus, and that is defined as follows:

≅ is the largest syntax-based intensional bisimulation. Given two open terms P and Q, we say that P ≅_o Q holds iff for any closing substitution σ, Pσ ≅ Qσ.
Clause (4) is typical of asynchronous calculi, as is clause (8) of Definition 3.2. The differences between the definitions of ≃_int and ≅ are the following. First, labelled transitions are replaced by structural congruence in the hypothesis of the corresponding clause. Second, clause (3) about reductions of related processes is removed. Note that a clause for the process 0 is not necessary (see Lemma 3.9 below).
Transitivity of ≅ is not obvious, because it is not immediate that ≅ is preserved under reductions (there is no clause for matching τ-transitions, and reductions (i.e., relation ⟹) are used in a few places, such as the stuttering relation in the clauses for movement).
We shall prove that ≃_int and ≅ coincide (Corollary 3.18 below). Thus, transitivity of ≅ will hold because of ≃_int's transitivity, and conversely, congruence of ≅ will ensure congruence of ≃_int. This proof method, which exploits an auxiliary relation that is manifestly preserved by the operators of the calculus but that is not manifestly preserved under reductions, brings to mind Howe's proof technique for proving congruence of bisimilarity in higher-order languages [23]. In our case, however, the problem is simpler because of the intensional clauses (1) and (2) of the bisimilarity and because MA is not a fully higher-order calculus: terms may move during a computation, but they may not be copied as a consequence of a movement. We may say that MA is a linear higher-order calculus (indeed the congruence of ≃_int could also be proved directly, with a little more work).
In order to establish congruence of ≅, we introduce an important equality between processes, that plays a technical role here but will also be used when characterising logical equivalence in Section 5.

Definition 3.6 (Eta law, ≡_E). The eta law is given by the following equation:

We use the eta law to define the following three relations:
• P −→_η P′ holds if P′ is obtained from P by applying the eta law once, from left to right, to one of its subterms (modulo ≡);
• −→*_η stands for the reflexive, transitive closure of −→_η;
• ≡_E is the smallest congruence satisfying the laws of ≡ plus the eta law.
In the lemma below, we write P −→_ηh P′ if P −→_η P′ and this represents a top-level rewrite step, i.e., we do not rewrite under capabilities and input prefixes. Similarly, −→*_ηh is the reflexive and transitive closure of −→_ηh.

Lemma 3.7. Let R stand for −→_η or −→_ηh. Then: (1) R is confluent up to ≡, that is, for all P, Q, R such that P R* Q and P R* R, there is

(2) R is terminating, that is, R* is a well-founded order.
We call the eta normal form of P (the head eta normal form of P, respectively) the unique normal form, up to ≡, of −→_η (of −→_ηh, respectively).

Remark 3.8 (Eta law and stuttering). The eta law expresses a form of stuttering (in communication, as opposed to stuttering in movements; see Definition 3.1). The logic being insensitive to both forms of stuttering, we have to reason modulo the eta law.
We now present some results that are needed to prove congruence of ≅.
Proof. Suppose Q ≡ 0 does not hold. This means that there exists

Then by applying the corresponding clause in the definition of ≅, we deduce Q ≡ 0, i.e., a contradiction.
Proof. Straightforward from the definition of ≅. ✷

If R is a binary relation on processes, we note R{n/m} for the relation defined as

Proof. Since τ transitions are not tested in ≅, substitution is not mentioned in Def. 3.5. All clauses of the latter definition are obviously stable by substitution. ✷

Lemma 3.12. For any possibly open processes P and Q, if

Proof. By induction on C, using the definition of ≅. ✷

To prove that ≃_int and ≅ coincide, the main result we need is that ≅ is preserved under reductions:

Lemma 3.13. Suppose P ≅ Q and P −→ P′. Then there is

Proof. By induction on the depth of the derivation proof of P −→ P′. We proceed by case analysis on the last rule used in the derivation.
• Rule Red-Str:
• Rule Red-Par: By definition of ≅ there are

Then we conclude, using induction and Lemma 3.12.
• Rule Red-Amb: Use induction and Lemma 3.12.
, and for some Using Lemma 3.12, we derive , and there exists 1 and we have: , which concludes the case.
• Rule Red-Out: similar to the previous case. ✷

Corollary 3.14. Suppose P ≅ Q and P ⟹ P′. Then there is

Proof. By induction on the number of transitions in P ⟹ P′, using Lemma 3.13 for the inductive case. ✷

Lemma 3.15.
Proof. In every case, we suppose by contradiction that Q ≡ Q_1 | Q_2 where none of the Q_i's is structurally congruent to 0. Then P and Q can be distinguished using the clauses of ≃_int for parallel composition and 0, which means a contradiction. Therefore, Q is single (it has only one component), and we can conclude using the appropriate clause of the definition of ≃_int in each case.
Proof. By proving that ≅ is a ≃_int-bisimulation. We need Lemma 3.12 (precisely, the fact that ≅ is preserved by parallel composition), Lemma 3.10, Corollary 3.14, and Lemma 3.9. ✷

Corollary 3.18. Relations ≃_int and ≅ coincide.

In this subsection we recall some expressiveness results for AL. These results state the existence of formulas capturing some nontrivial properties of processes. They are proved in [21], and will be exploited later to assess the separating power of the logic. We start by introducing two measures on terms, that represent two ways of defining the depth of a process. The first definition exploits the notion of eta normal form (see Lemma 3.7):

Definition 3.20 (Sequentiality degree, sd). The sequentiality degree of a term P is defined as follows:
• sd((x)P) = sd(P′) + 1 where (x)P′ is the eta normal form of (x)P.
Intuitively, the sequentiality degree counts the number of 'parcels of interaction' (capabilities, messages, input prefixes) in a term. We now define the depth degree, that is sensitive to the number of nested ambients. This quantity will be soon used in the interpretation of some formulas of AL, but also to define an inductive order on processes (see Subsection 3.4).

Definition 3.21 (Depth degree). The depth degree of a process is computed using a function dd from MA processes to natural numbers, inductively defined by:

We introduce formulas that express some kind of possibility modalities corresponding to the movement capabilities and input prefix of MA. Each operator of the syntax of MA (Table 2.1) has thus a counterpart in the logic, except replication. It is possible to express in AL a restricted form of replication on formulas, by defining a formula !A, expressing that there are infinitely many processes in parallel satisfying A, modulo some additional condition on A. More precisely, based on Definitions 3.20 and 3.21 above, we say that a formula A is sequentially selective (resp. depth selective) if all processes satisfying A have the same sequentiality degree (resp. depth degree).

Lemma 3.24. For all cap, there exists a formula context Rep_cap{|•|} such that for all processes P and for all sequentially selective formulas A whose models are only of the form cap.R,

For all n, there is a formula !{n} such that

There exists a formula context Rep_input{|•|} such that for all processes P and for all sequentially selective formulas A whose models are only of the form (x)P,

By putting together these expressiveness results, we can derive formulas characterising the equivalence class of a process w.r.t. logical equivalence for a subcalculus of MA, defined as follows:

Definition 3.26 (Subcalculus MA_IF). Consider a process P, and a name n ∈ fn(P). We say that P is image-finite if any subterm of P of the form cap.P′ (resp. (x)P′) is such that the set

In the standard definition of image-finiteness, as used, e.g., to establish inductively completeness of the Hennessy-Milner logic, one requires that the set of outcomes of the process is finite. While exploring the possible outcomes (and in absence of restriction in the process calculus), we may expose at top-level any subterm of the process, and hence we implicitly require that all of its subterms are image-finite in the standard sense. On the other hand, in our case, we do not impose that P has only finitely many outcomes, but only do so for some subterms. As a consequence, our notion is less restrictive, and any image-finite process in the standard sense belongs to MA_IF.

Lemma 3.27 (Characteristic formulas on MA_IF). For any closed MA_IF process P, there exists a formula A_P s.t. for any Q, these three conditions are equivalent:

A final expressiveness result that will be needed later is the ability to test free name occurrences in a process.

Lemma 3.28. For any name n, there exists a formula c_n such that for any P, P |= c_n iff n ∈ fn(P).
3.4. Soundness, and Completeness for Finite Processes. We now study soundness and completeness of ≃_int with respect to =_L. Soundness means that ≃_int ⊆ =_L, and completeness is the converse. We show here soundness on the whole calculus. By contrast, we only prove completeness on finite processes, deferring the general result to the next section. We chose to do this for the sake of clarity: the proof in the finite case is much simpler, and exposes the basic ideas of the argument in the full calculus.
3.4.1. Soundness on full public MA. In order to prove soundness (on the whole calculus), we use the definition of ≅ and the congruence property to establish that bisimilar processes satisfy the same formulas.
Theorem 3.29 (Soundness of ≃_int). Assume P, Q ∈ MA, and suppose P ≃_int Q. Then, for all A, it holds that P |= A iff Q |= A.
Proof. By induction on the size of A.
Nothing to prove.
By induction and the definition of satisfaction.
By definition of satisfaction and clause (2) of the definition of ≃_int.
Then P ≡ n[P′] and
Then P ≡ P_1 | P_2 and
By definition of satisfaction, P |= B{n/x} for all n. The result for Q then follows by induction, since B{n/x} is strictly smaller than ∀x.B.
By definition of satisfaction, there is P′ such that P =⇒ P′ and P′ |= B. Using clause (3) of the definition of ≃_int, there is
Follows using induction and the congruence of ≃_int. ✷

3.4.2. Completeness, on finite processes. The proof of completeness we develop here is based on the construction of a sequence of approximants of ≅, which is a standard approach for image-finite calculi. This works in the finite case (finiteness implies image-finiteness), but not in the presence of replication. The proof is however interesting in its own right, and gives a much simpler account of how the logic expresses the clauses of ≃_int than the proof for the whole calculus.
Note that the definability of characteristic formulas for ≃_int on MA_IF (see Definition 3.26 and Lemma 3.27) implies completeness: for two MA_IF processes P and Q, P =_L Q entails P ≃_int Q. Since MA_IF contains the set of finite processes, this already gives completeness on finite processes. We nevertheless present here a proof that is specific to the finite case, to prepare the ground for completeness on full public MA. The route we are interested in for the completeness proof uses the i-th approximants ≅_i of relation ≅, and the fact that ⋂_i ≅_i coincides with ≅.

Definition 3.30. We define the relations ≅_i between processes, for all i ≥ 0, as follows.
≅_0 is the universal relation, and ≅_{i+1} is defined by saying that P ≅_{i+1} Q holds if we have: (1) If P ≡ P_1 | P_2 then there are

We set ≅_ω =def ⋂_{i≥0} ≅_i.

Lemma 3.31. ≅_ω coincides with ≅ on finite processes.
Proof. Standard approximation result (finite processes are image-finite). ✷

Lemma 3.32. Let P, Q be two finite processes. If P =_L Q then P ≅_ω Q.
Proof. Suppose P ≇_ω Q. Then there is i such that P ≇_i Q. We prove, by induction on i, that in this case we can find a formula A such that P |= A holds but Q |= A does not. For i = 0, this trivially holds, since the hypothesis P ≇_0 Q is absurd, ≅_0 being the universal relation. Now the case i + 1, for i ≥ 0. We proceed by case analysis:

(1) P ≡ P_1 | P_2, and for all
Modulo ≡, there is a finite number, say s, of pairs of processes that (by hypothesis P is finite). Call Q_{t,u} the t-th process of the u-th pair. Then for all u (1 ≤ u ≤ s) there is t such that P_t ≇_i Q_{t,u}. By induction, there is A_{t,u} such that

(2) P ≡ cap.P′; then necessarily Q ≡ cap.Q′, and for all
By induction, for all t there is A_t such that P′ |= A_t but Q_t ⊭ A_t. Since Q is finite, there is only a finite number of such processes Q_t (up to ≡). Write (Q_t)_{t∈I} for this set of processes up to ≡ (we pick a representative for each ≡-equivalence class), and call A_t the formula corresponding to each Q_t. Define

there is only a finite number of such Q_t's, say Q_1, ..., Q_s. By induction, there are formulas A_1, ..., A_s with P′′ |= A_t and Q_t ⊭ A_t. We introduce as above the notation (Q_t)_{t∈I}, and we define

Theorem 3.33 (Completeness on finite processes). Let P, Q be two finite closed processes.

Completeness of ≃_int in the full calculus
The proof we have presented in the finite case cannot be used directly in the full MA calculus, because we lack the image-finiteness hypothesis, which allowed us to show that the limit ≅_ω coincides with ≅. In this section, we present a proof of the completeness of ≃_int for all processes. To do this, we establish the existence, for any processes P, Q, of a formula F_{P,Q} such that P |= F_{P,Q}, and such that Q |= F_{P,Q} holds if and only if P ≃_int Q. This result is hence weaker than the existence of characteristic formulas, but it does not require image-finiteness.
We sketch the structure of the proof. Our approach exploits two technical devices, which we introduce first. We start by proving some lemmas related to the sequentiality degree of a term (Definition 3.20), which allow us to define a sound induction principle on MA processes. This principle supports the introduction of an inductive characterisation of ≃_int. The second technical device we introduce is the set of frozen subterms of a process, which intuitively corresponds to the collection of subterms appearing under guards (capabilities or input prefixes) in a given term. These two technical notions are then used to define local characteristic formulas, which correspond to a relaxed notion of characteristic formula w.r.t. logical equivalence. An important fact about the set of frozen subterms of a process is that it enjoys a kind of subject reduction property; this allows us to replace the potentially infinite set of images of a term with a finite set when constructing local characteristic formulas.
4.1. An inductive characterisation of ≃_int. We now establish some properties related to the sequentiality degree of processes. These allow us to introduce a well-founded order on terms which supports the definition of an inductive relation that coincides with ≃_int.

Lemma 4.1. Let P, Q be two terms of MA. Then:

This result will be important for the justification of Definition 4.9 below.
Lemma 4.3. For any closed process P ∈ MA, there exists a formula F_{sd(P)} such that: • P |= F_{sd(P)}, and

Proof. We can assume that P is eta normalised. Let us first reason by induction on sd(P): • for sd(P) = 0, F_{sd(P)} = ⊤ is sufficient.
• for sd(P) > 0, let us assume that there exist formulas F_{sd(P′)} for any P′ such that sd(P′) < sd(P). We reason by induction on P.
− the case P = 0 is impossible.
− for P = P_1 | P_2, there is i such that sd(P) = sd(P_i). Then we may choose F_{sd(P)} = F_{sd(P_i)} | ⊤. In the same way, let us set
− for P = cap.P′, we use the general induction hypothesis to construct F_{sd(P′)}. Let us then take F_{sd(P)} = cap.F_{sd(P′)}. Then P |= F_{sd(P)}, and for any Q such that Q |= F_{sd(P)}, we deduce (from Lemma 3.22) that there are , and by the induction hypothesis sd(Q′′) ≥ sd(P′) = sd(P) − 1, so that finally sd(Q) ≥ sd(P).
− for P = (x)P′, we use the general induction hypothesis to get F_{sd(P′)}. Let us then take F_{sd(P)} = ∃x.?x.F_{sd(P′)}. Then P |= F_{sd(P)}, and for any Q such that Q |= F_{sd(P)}, we deduce (from Lemma 3.22) that there are n, Q′, Q′′ such that Q ≡ (x)Q′ and , and by the induction hypothesis sd(Q′′) ≥ sd(P′) = sd(P) − 1, so that finally sd(Q) ≥ sd(P). ✷

A similar result can be proved for the depth degree of a process:

Lemma 4.4. For any closed process P ∈ MA, there exists a formula F_{dd(P)} such that: • P |= F_{dd(P)}, and

Proof. We reason as in the proof of the previous lemma. ✷

Corollary 4.5. If P ≃_int Q, then sd(P) = sd(Q) and dd(P) = dd(Q).
Proof. By Theorem 3.29, P ≃_int Q implies P =_L Q, which gives the result. ✷

The sequentiality degree can be used as a basis for inductive reasoning on processes up to reductions of some subterms. This is formalised by the following definition:

Definition 4.6 (Well-founded order). Given two processes P and Q, we write P < Q (or
• Suppose P is of the form either cap.P′ or (x)P′, and suppose moreover P > Q and

Proof. • Well-foundedness: if P is a strict subterm of Q, then sd(P) ≤ sd(Q).
• P > Q′: follows from Lemma 4.1. ✷

In order to give an inductive characterisation of ≃_int, we establish the following results about ≃_int. These are inversion properties, in the sense that they allow one to deduce, from P ≃_int Q with P having a given shape, consequences about the shape of Q.

Lemma 4.8 (Inversion results for ≃_int). Let P, P_1, P_2, Q be processes of MA. Then (

Proof. We first leave out the fourth case.
For the other cases, the left-to-right implications follow from the fact that, in each case, the corresponding clauses in the definitions of ≅ and ≃_int are almost the same.
For the right-to-left implications, cases 1 and 6 hold by reflexivity of ≃_int, and cases 2 and 3 follow from the congruence of ≃_int (Corollary 3.19). Case 5 is similar to the corresponding condition in ≅ (note that all other conditions are trivially fulfilled).
Proof. The definition of ∼_ind is justified using Lemma 4.7. The inclusion ≃_int ⊆ ∼_ind is established using the results of Lemma 4.8, which correspond precisely to the defining clauses of ∼_ind. The converse inclusion follows from Lemma 4.8 too. ✷

4.2. Frozen subterms. We now introduce the notion of frozen subterms of a process. The frozen subterms of a process correspond to occurrences that do not participate in immediate interactions but that may play a role in future reductions.
In the remainder, we use N to range over sets of names. Unless otherwise stated, we always implicitly suppose that such a set is finite.

Definition 4.11 (Frozen subterms). Let N be a set of names; the set froz_N(P) is defined by induction on P as follows:

If P, P′ are two structurally congruent terms, then, modulo ≡, froz_N(P) = froz_N(P′). Hence this set (in its quotiented version with respect to ≡) is uniquely determined by the structural congruence class of P.

Lemma 4.12 (Finiteness of froz_N(P)). For any P ∈ MA, if N is finite, then the set obtained by taking the quotient of froz_N(P) w.r.t. ≡ is finite.

Proof. By induction on P . ✷
Not only is froz_N(P) finite, but, as expressed by the following result, this set is preserved by reduction, in the following sense:

Lemma 4.13. Let P, Q be two processes such that P −→ Q or P −cap→ Q for some cap, and assume fn(P) ⊆ N. Then the quotient of froz_N(Q) w.r.t. ≡ is included in the quotient of froz_N(P) w.r.t. ≡.
Proof. We recall that the relation −cap→ is defined on the syntax of processes (see Definition 3.1), and the result follows by definition of froz_N(P), froz_N(Q).
For −→, we reason by induction on the derivation of P −→ Q. The cases corresponding to movement transitions follow from −cap→. So the only way a reduction could alter the set of frozen terms is through the name substitutions generated by communications, and this is handled by the condition fn(P) ⊆ N. ✷

4.3. Local characteristic formulas and completeness. The purpose of this subsection is to derive local characteristic formulas, defined as follows:

Definition 4.14 (Local characteristic formula). Let E be a set of terms, P a term and F a formula. We say that F is a characteristic formula for P on E (or, alternatively, an E-characteristic formula for P) if • P |= F, and

Note that the converse of the second condition always holds, due to soundness of ≃_int (Theorem 3.29). With this definition, completeness of ≃_int boils down to the existence, for any processes P, Q, of a characteristic formula for P on the set {Q}. Although we do not define such a formula directly, this idea guides the construction of the completeness proof. More precisely, we reason inductively on the sequentiality degree of processes, and manipulate two sets of terms, given a process P: • collects the possible evolutions of P, • and E^{frz,N}_P =def {P′ , froz_N(P′) ⊆ froz_N(P)}, which intuitively is the set of processes whose possible evolutions can be captured using the evolutions of P.
We want to establish the existence, for all P, Q, of a local characteristic formula for P on E^⇓_Q and E^{frz,N}_Q. We first prove the following result: ✷

The following lemma describes the construction of a local characteristic formula for guarded terms (of the form cap.P or (x)P) on E^{frz,N}_Q, provided we can compute, given several (smaller) processes R, local characteristic formulas on E^⇓_R:

Lemma 4.16. Consider two processes P and Q, and a set N of names such that fn(P) ∪ fn(Q) ⊆ N. Assume moreover that, for all Q′ ∈ froz_N(Q), we can construct a formula F_{P,Q′} characterising P on E^⇓_{Q′} and a formula F_{Q′,P} characterising Q′ on E^⇓_P. We then have: • for all cap there exists a formula characterising cap.P on E^{frz,N}_Q, • for all n such that P is not of the form {n} | (y)P′ with n ∈ fn(P′), and for all x with x ∉ fv(P), there exists a formula characterising (x)P{x/n} on E^{frz,N}_Q.

Proof.
• Let cap be a given capability.
so by Lemma 4.12, E is finite, and we can define the formula:
We prove first that cap.P |= F; by hypothesis,
Let P′ be such that P =cap⇒ P′, and consider any Q′ ∈ E. Then by hypothesis P′ |= F_{Q′,P} would imply P′ ≃_int Q′, and hence Q′ ∉ E, which is contradictory. So P′ |= ⋀_{Q′∈E} ¬F_{Q′,P}, and finally P |= F.
and by hypothesis, Q′ =⇒ ≃_int P, which gives the first part of the condition to have cap.P ∼_ind R (Definition 4.9). Furthermore, since R satisfies the 'necessity' part of the formula , that is Q′ ∈ E. Thus, there is P′ with P =cap⇒ P′ and P′ ≃_int Q′, which gives the second part of the condition.
• Let n, x be chosen as in the statement of the lemma. We set P_0 = (x)P{x/n}. Similarly as before, we define , so E is finite, and we may define the formula:
Intuitively, the role of the formula NonEta is to detect when the reducts of a process satisfying F stop being eta-equivalent to the initial state.
Let us prove that P_0 |= F: n ∉ fn(P_0) by construction, P_0 | {n} =⇒ P, P |= NonEta and P |= F_{P,Q′} by hypothesis, so P_0 satisfies the second conjunct in F. Take P′ such that P_0 | {n} =⇒ P′ and P′ |= NonEta; we prove that
Then by definition of E, P′ |= ⋀_{Q′∈E} ¬F_{Q′,P}. As this holds for all P′, we have that P_0 |= F.
Let us now prove that if R ∈ E^{frz,N}_Q and R |= F, then P_0 ≃_int R. Consider such a process R. Then n ∉ fn(R), and there exists
the head eta normal form of (x)Q′. By definition, Q′′{n/x} belongs to froz_N(Q), and any reduction (x)Q′ | {n} =⇒ T where T is not eta-equivalent to (x)Q′ | {n} goes through the state Q′′{n/x} (i.e., that reduction can be written (x)Q′ | {n} =⇒ Q′′{n/x} =⇒ T). Due to the definition of NonEta, we actually have that
and the first part of the condition for input in Definition 4.9 is satisfied.
that is, there is P′ such that P =⇒ P′ and P′ ≃_int Q′′{n/x}. This proves the second condition for P_0 ∼_ind (x)Q′′, and since (x)Q′′ ≡_E R, we finally have P_0 ≃_int R.
✷

We now prove that, given P, we can deduce a local characteristic formula for P from local characteristic formulas for its guarded subterms.

Lemma 4.17. Consider two processes P and Q, and a set of names N, and suppose that, for each subterm of P of the form cap.P′ or (x)P′, we can construct an E^{frz,N}_Q-characteristic formula. Then there exists an E^{frz,N}_Q-characteristic formula for P.
Proof. We assume, without loss of generality, that all occurrences of the replication operator in P are immediately above a guarded process (this is always possible up to ≡).
We construct such a formula F_P by induction on P. The cases for 0, parallel composition, and ambient are easy. Formulas for messages and replicated messages have been given above, and by hypothesis, we have formulas for guarded processes. We are thus left with the case of replicated terms.

Q-characteristic formula, since F_{P′} is depth selective (all processes satisfying F_{P′} are intensionally bisimilar to P′, so their depth degree is equal to dd(P′); see Corollary 4.5). If P = !cap.P′, then F_P = Rep_cap{|F_{cap.P′}|}, since F_{cap.P′} is sequentially selective. We reason in the same way for the case P = !(x)P′. ✷

Lemma 4.18. For all P, Q and N ⊇ fn(P) ∪ fn(Q), there exist characteristic formulas for

Proof. From Lemma 4.15, it is sufficient to construct a local characteristic formula on E^{frz,N}_Q. We remark that, without loss of generality, P, Q can be chosen so that every binding (x)P involves a different variable, and this is enough to build characteristic formulas for the set N enriched with distinct names n_x associated to all variables x occurring in P and Q. We reason by induction on sd(P). If sd(P) = 0, then P has no guarded subterms, and the conditions of Lemma 4.17 are fulfilled, which implies the existence of a local characteristic formula for P.
Assume now sd(P) > 0, and that, for all P′ such that sd(P′) < sd(P) and for all Q, there exists a characteristic formula for P′ on E^{frz,N}_Q. Consider a process Q. By Lemma 4.17, the existence of an E^{frz,N}_Q-characteristic formula for P can be proved by establishing the existence of an E^{frz,N}_Q-characteristic formula for each guarded subterm of P of the form cap.P′ or (x)P′. Consider such a guarded subterm cap.P′. We have sd(P′) < sd(P), so by induction there exists a formula
Moreover, by induction, we also have a formula F_{Q′,P′} which is a characteristic formula for Q′ on E^⇓_{P′} when sd(Q′) ≤ sd(P′) < sd(P). In the case sd(Q′) > sd(P′), we define F_{Q′,P} as the formula F_{sd(Q′)} given in Lemma 4.3. This formula characterises Q′ on E^⇓_{P′}: Q′ |= F_{Q′,P} by Lemma 4.3, and if P′′ ∈ E^⇓_{P′} then sd(P′′) ≤ sd(P′) < sd(Q′), so P′′ ⊭ F_{sd(Q′)}. Hence the requirements of Lemma 4.16 are fulfilled, and there exists an E^{frz,N}_Q-characteristic formula for cap.P′.
Similarly, consider a subterm of the form (x)P′, and write (x)P′′ for its eta normal form. As above, we have local characteristic formulas F_{P′′{n_x/x},Q′} and F_{Q′,P′′{n_x/x}} by induction and by using Lemma 4.3 with a similar reasoning. Since (x)P′′ is in normal form, all requirements of Lemma 4.16 are satisfied, so that there exists an E^{frz,N}_Q-characteristic formula for (x)P′′, which is also a characteristic formula for (x)P′ by Lemma 3.10.
Finally, we have characteristic formulas for all guarded subterms, and by Lemma 4.17, we have a

Proof. Let P, Q be two terms such that P ≄_int Q. By Lemma 4.18, there is a formula F characterising P on E^⇓_Q. We have P |= F. We then have Q ∈ E^⇓_Q, and Q |= F implies P ≃_int Q. Hence, since by hypothesis P ≄_int Q, Q ⊭ F, and P ≠_L Q. ✷

Corollary 4.20. In MA, relations =_L, ≃_int and ∼_ind coincide.

Characterizations of logical equivalences
In this section, we compare logical equivalence and standard equivalence relations on processes, like behavioural equivalence and structural congruence. We give an axiomatization of =_L on MA^s_IF, a subcalculus of MA in which image-finiteness is guaranteed by a syntactic condition (Definition 5.2 below). We shall see that AL is very intensional, in the sense that =_L is 'almost equal' to ≡. More precisely, we show that logical equivalence coincides with ≡_E, the relation obtained by extending structural congruence with the eta law (Definition 3.6). We establish the following chain of (dis)equalities on MA^s_IF:

We then move to the study of a variant of MA^s_IF in which communication is synchronous, and show that logical equivalence coincides with ≡ on this calculus. We end this section with a detailed discussion of the treatment of name restriction.

5.1. Extensionality and intensionality. We use the characterisation of =_L as ≃_int to compare logical equivalence with barbed congruence (≈) and structural equivalence (≡). We start by studying the difference between =_L and ≈.

Proof. The inclusion follows from =_L ⊆ ≃_int and ≃_int ⊆ ≈ (the second inclusion is essentially a consequence of the congruence of ≃_int).
The strictness of the inclusion is proved by the following laws, which are valid for ≈ but not for

The third axiom is typical of behavioural equivalences in calculi where communication is asynchronous. The first equality can be derived from a more general law, called the distribution law in [22]: M.(P | M.P | ... | M.P) = M.P | M.P | ... | M.P (where M appears the same number of times on both sides of the equality). A similar law is valid for the input prefix, from which the second equality above is derived as an instance. Probably the above are not the only laws that make =_L finer than ≈, but a complete axiomatization of ≈ over =_L is outside the scope of this paper.

5.1.2. Intensionality. We now provide a precise account of the difference between =_L and ≡, in the setting of the subcalculus MA^s_IF, defined below. We recall that a process is finite if it does not use the replication operator.
where P_0 is a finite process.
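As an added illustration (not part of the original paper) of why the distribution law of Subsection 5.1.1 fails for =_L, take its smallest instance, M.(P | M.P) = M.P | M.P, and the AL formula ¬0 | ¬0, which holds of a process exactly when it splits, up to ≡, into two non-null parallel components:

```latex
M.P \mid M.P \;\models\; \neg\mathbf{0} \mid \neg\mathbf{0}
  \quad\text{since } M.P \mid M.P \equiv M.P \mid M.P \text{ and } M.P \not\equiv \mathbf{0};
M.(P \mid M.P) \;\not\models\; \neg\mathbf{0} \mid \neg\mathbf{0}
  \quad\text{since every } R_1 \mid R_2 \equiv M.(P \mid M.P) \text{ has } R_1 \equiv \mathbf{0} \text{ or } R_2 \equiv \mathbf{0},
  \text{ a prefixed term being a single parallel component up to } \equiv.
```

The spatial connective | thus separates the two sides, so M.(P | M.P) ≠_L M.P | M.P even though the law holds for ≈.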
In MA^s_IF, we impose finiteness after any form of interaction; in contrast, processes exhibiting an 'infinite spatial structure', such as !a[b[0]], are allowed.

Lemma 5.3. All processes of MA^s_IF are image-finite.
• P = cap.P′. Then, by definition of ≅, it must be that Q ≡ cap.Q′ and Q′ =cap⇒ Q′′ ≅ P′. It will then be, by Lemma 5.5 (1), messages(P) = messages(P′) > messages(Q′′), which is impossible by the induction on the shape.
• P = (x)P′. Then, by definition of ≅, it must be that Q ≡ (x)Q′; moreover, for n fresh, there must be
at least one step, then we would have messages(P′{n/x}) = messages(P) > messages(Q′) ≥ messages(Q′′) and therefore, by induction on the shape, we could not have
Therefore, suppose
for some (x)P′′ with n fresh for P and Q. Hence, since n was chosen fresh, the original process P must have been of the form (x)({x} | (x)P′′). This means that, modulo ≡, P was not eta-normalised, thus contradicting a hypothesis of the lemma.
• If P = {n} then by definition of ≅ we should have Q ≡ {n}, which is impossible, since the hypothesis is messages(P) > messages(Q). ✷

Lemma 5.7. Let P, Q be two finite processes. Suppose P ≅ Q, and that both P and Q are eta-normalised. Then pref(P) = pref(Q).
Proof. Suppose pref(P) > pref(Q). We show that a contradiction follows. We proceed by induction on the shape of P.
for some i, we should have pref(P_i) ≠ pref(Q_i), which is impossible by the induction on the shape.
• P = cap.P′. Then, by definition of ≅, it must be , which is impossible by the induction on the shape.
• P = (x)P′. Then, by definition of ≅, it must be that Q ≡ (x)Q′; moreover, given n fresh, there must be
Moreover, by the previous lemma we know that messages(P) = messages(Q), and we should also have messages(
The reduction {n} | (x)Q′ =⇒ Q′′ must contain at least one step, for otherwise we could not have messages(P′{n/x}) = messages(Q′′). For the same reason, during these reductions only the message {n} may have been consumed (no other messages). Thus
Therefore we have pref( . By the induction on the shape, this is in contradiction with Q′′ ≅ P′{n/x}. ✷

Lemma 5.8. Let P, Q be two finite processes. Suppose P ≅ Q, with both P and Q eta-normalised. If

Proof. From Lemmas 5.7 and 5.6: if Q performed more than one action, then it would consume one more prefix or message than P. ✷

Theorem 5.9. Let P, Q be processes of MA^s_IF. Suppose P ≅ Q, with both P and Q eta-normalised. Then P ≡ Q.
Proof. By induction on the shape of P.
Hence also P ≡ Q.
• Suppose P = !P′. Then, by Lemma 4.8, there are r and some (Q_i)_{1≤i≤r} such that
finite, so that we may apply Lemma 5.8. Then it must be that Q′ = Q′′, and therefore by induction Q′ ≡ P′. We conclude that P ≡ Q.

and again by construction of MA
by Theorem 3.33, and ≃_int ⊆ ≡_E by Theorem 5.9. Conversely, ≡_E ⊆ ≃_int by Lemma 5.4, and ≃_int ⊆ =_L by Theorem 3.29. ✷

5.2. Synchronous communications. We now consider a variant of Mobile Ambients where communication is synchronous. For this, the production {η} for messages in the grammar of MA in Table 2.1 is replaced by the production {η}.P. Communication is thus synchronous: in {η}.P, the process P is blocked until the message {η} has been consumed. Reduction rule Red-Com becomes:

In the remainder of this subsection, terms belonging to the synchronous version of the calculus will be referred to simply as 'processes'. Since our goal here is to study how the result given by Corollary 5.10 changes when moving to a synchronous calculus, we focus directly on MA^{s,s}_IF, the set of all terms of the synchronous calculus in which processes guarded by prefixes are finite (along the lines of Definition 5.2, which introduces MA^s_IF). We shall see that in MA^{s,s}_IF the eta law fails, and the equivalence relation induced by the logic is precisely structural congruence.
In order to show this, we have to port the results about (asynchronous) MA to the synchronous case. The co-inductive characterisation in terms of ≃_int (that is, Theorems 3.29 and 3.33) remains true, provided that in the definition of intensional bisimulation the communication clauses are replaced by the following:
Accordingly, we have to change the definition of syntactical intensional bisimulation by adapting the following clauses for communicating processes:
As shown in [21], formulas similar to those needed in the asynchronous case can be derived for the synchronous calculus. In particular, we have:

Lemma 5.11 ([21]).
• For all A, there is a formula ?n.{|A|} such that for all P, P |= ?n.{|A|} iff there is P′ such that P ≡ (x)P′ and P′{n/x} =⇒|= A.
• For all A, there is a formula !n.{|A|} such that for all P, P |= !n.{|A|} iff there is P′ such that P ≡ {n}.P′ and P′ =⇒|= A.
Using this result, the soundness and completeness proofs for ≃_int with respect to =_L follow exactly the same scheme as in the asynchronous case (see Sections 3 and 4), except that we do not need to reason on eta-normalised terms.
Theorem 5.12 (Soundness and completeness of ≃_int). Given two processes P and Q of synchronous Mobile Ambients, P ≃_int Q iff P =_L Q.
We now derive the counterpart of the properties established above for MA^s_IF about the number of messages and prefixes in a term.

Lemma 5.13. Suppose P −→ P′, where P is a finite process. Then (1) messages(P) ≥ messages(P′); (2) pref(P) ≥ pref(P′).
Proof. By induction on the derivation of P −→ P′. ✷

Lemma 5.14. Let P, Q be two finite processes and suppose P ≅ Q. Then messages(P) = messages(Q).
Proof. Suppose messages(P) > messages(Q). We show that a contradiction follows. We proceed by a case analysis on the shape of P (i.e., the number of its operators).
for some i, we should have messages(P_i) ≠ messages(Q_i), which is impossible by the induction on the shape.
by induction is impossible.
Proof. Suppose pref(P) > pref(Q). We show that a contradiction follows. We proceed by induction on the shape of P.
• P = P_1 | P_2. Then, by definition of ≅, it must be that Q ≡ Q_1 | Q_2 with P_i ≅ Q_i. Now, for some i, it should be that pref(P_i) ≠ pref(Q_i), which is impossible by the induction on the shape.
• P = cap.P′. Then, by definition of ≅, it must be , which is impossible by the induction on the shape.
There is no consumption of messages, hence pref(P′{h/x}) > pref(Q′′), and we can conclude using induction. ✷

Lemma 5.16. Let P, Q be two finite processes, and suppose

Proof. From the two previous lemmas: if Q performed more than one action, then it would consume one more prefix or message than P. ✷

Theorem 5.17. Let P, Q be two processes in MA^{s,s}_IF, and suppose P ≅ Q. Then P ≡ Q.

Proof. By induction on the shape of P (almost exactly as in Theorem 5.9). ✷

Corollary 5.18. Let P, Q be processes of MA^{s,s}_IF. Then P =_L Q iff P ≡ Q.

Name restriction.
In this section, we consider the variant of MA, written here MA^ν, that includes name restriction (νn)P. We discuss which of the previous results remain valid, and which ones have to be amended. Adding name restriction involves several modifications in the definition of the calculus and of the logic. Name n is bound in (νn)P, and the definition of fn(P) is modified accordingly. Regarding structural congruence, we add alpha conversion for ν, as well as the following laws: (νn)0 ≡ 0, (νn)(νm)P ≡ (νm)(νn)P, (νn

The last rule is not always present in the definition of structural congruence. It is not an essential rule, but including it makes some of our technical details simpler. In the logic, additional connectives are introduced, as in [12], to handle restriction and the associated notion of freshness of names: formulas can also be of the form n A, A⊘n, or Nn.A. Accordingly, the enriched notion of satisfaction, written |=_ν, is given by:
− P |=_ν n A iff P ≡ (νn)P′ and P′ |=_ν A for some P′;
− P |=_ν A⊘n iff (νn)P |=_ν A;
− P |=_ν Nn.A iff there is n′ ∉ (fn(P) ∪ fn(A)) such that P |=_ν A{n′/n}.

To illustrate this new setting, we consider the two following formulas:

A process P satisfying free(n) cannot reveal n, which means that n necessarily occurs free in P. In turn, if P satisfies public, then it cannot reveal a name n so as to exhibit free occurrences of n, which means that P is structurally congruent to some P′ ∈ MA.
Formula public hence provides a way of selecting the processes belonging to MA among the processes in MA^ν. We can indeed adapt any formula A used in the paper into a formula A′ such that whenever P |=_ν A′, then P ≡ P′ for some P′ in MA such that P′ |= A; in particular, formulas of the form A_1 ⊲ A_2 are translated into formulas of the form

In the presence of name restriction, we can adapt rather easily several important results of the paper, as follows (for each item, we indicate the part of the paper we refer to):
• a new 'intensional' rule must be added to the definition of ≃_int (Def. 3.2): if P ≡ (νn)P′, then there is Q′ such that Q ≡ (νn)Q′ and P′ ≃_int Q′;
• with this definition, it is possible to establish a soundness result (≃_int ⊆ =_L, Theorem 3.29), and completeness for finite processes (processes without replication, Theorem 3.33);
• characteristic formulas are derivable for processes of the form (νn_1)...(νn_k)P, where P is a 'public' process in MA_IF (Lemma 3.27): we rely on name revelation to get rid of the topmost restrictions, and then translate the characteristic formula for P using the approach sketched above;
• logical equivalence coincides with structural congruence enriched with eta conversion for processes of the form (νn_1)...(νn_k)P, with P a public process in MA^s_IF (Corollary 5.10).

The difficult point, which we leave for future work, is to analyse processes that can generate unboundedly many names, i.e., in which restriction occurs under replication. Characteristic formulas seem much more difficult to obtain for such processes. We do not know at present how to derive completeness in the absence of an image-finiteness hypothesis (in particular, we do not see how a counterpart of Lemma 4.13 can be obtained).

(Un)decidability of logical equivalence
In this section we define the encoding of a Turing Machine in MA^s_IF. The purpose of this encoding is to establish that logical equivalence is undecidable on MA_IF.
The definition of the encoding requires the introduction of some constructions that will be given as (MA^s_IF) contexts. To ease the reading of our definitions, we shall sometimes work with parametrised contexts, which are context definitions that depend on some values (names, words, or movements of the head of the Turing Machine). Additionally, some parametrised definitions shall be written foo(p); P: here, foo is the name of the definition, whereas p and P are parameters (P being a process); the notation emphasizes the sequentiality between the process being introduced and P.
Remark 6.1. The results in this section improve and extend a preliminary version presented in [20]. By the time the writing of this paper was completed, Busi and Zavattaro [3] had studied encodings of another universal machine, namely the Random Access Machine, into a subset of MA. Their encodings are syntactically more concise than the encoding of a Turing Machine given below. However, Busi and Zavattaro make use of combinations of operators that are not licit in MA^s_IF (i.e., their encodings are not encodings into MA^s_IF). Also, while longer, the encoding of Turing Machines makes use of components which accomplish simple tasks and which interact with each other in simple manners. Correspondingly, each step of the proof, which follows the reductions of the encoding of a Turing Machine, is rather straightforward. For these reasons we maintain the schema of the original encoding in [20].
6.1. Ribbons.
Digits and words. We associate to the booleans true and false two names tt and ff. We call these names digits, and range over digits with d, d′. A word is the result of a (possibly empty) concatenation of digits. The empty word shall be written ε. We range over words with w, w′, w_1, w_2. Given a word w consisting of r digits (with r ≥ 1), we shall sometimes write w^1 ... w^r to refer to the digits of w. This should not be confused with the notation ff^n, which we will sometimes use to represent the word consisting of n copies of the digit ff (this should be clear from the context).
We start with the definition of the support of the Turing Machine: ribbons can be in different states (frozen, growing, work ribbon, old), and are defined as follows:
All names used in the definitions above are supposed to be pairwise distinct. In particular, TM is the name we shall use for the ambient containing the Turing Machine (see Definition 6.5). The ribbon is represented as a nesting of ambients named cell, each of which contains an empty ambient named d, where d is the digit value of the cell: this corresponds to the definitions of cell(d) and word; the !open wo subterm is there to trigger the computation of the head of the machine as soon as the head 'points to' (i.e., enters) the current cell (see Section 6.2).
Ribbon extension is used to generate a sufficiently long nesting of cell ambients for the machine to run. A frozen ribbon consists of a word w, containing at the end of the ribbon a frozen ribbon extensor (definition of FrozenRibb; the cleaninst part will be useful later on). The extensor is triggered by the presence of an ambient named coin (definitions ExtensorFrozen and ExtensorAlive): when this happens, the loop programmed in the definition of deadextcode can start, which can have the effect of adding new cells, whose value is ff. Each time the extensor loops (state ExtensorAlive), the coin ambient can be erased by the process open coin.sendstart, which has the effect of stopping the extension process, and sending an ambient msg out of the ribbon to instruct the machine to start computation. When this happens, the extensor is in the ExtensorDead state.
A ribbon in GrowingRibb state keeps extending until the extensor dies, at which point it becomes a WorkRibb (WorkRibb has two parameters, w_1 and w_2, in order to reason about the cell where the head of the machine currently is). Along this evolution, the cleaninst code is always present. When the machine successfully terminates computation (we will describe below how this happens), it generates an ambient named cleaner, which triggers the cleaning of the machine: all ambients cell, tt, ff, wo, that intuitively constitute the "data structures" of the machine, are removed. At this point, we obtain an OldRibb. Some of the explanations we have just given are formalised by the following result, which will be used to establish the undecidability of =_L.
Lemma 6.2 (Ribbon evolution). For any word w and n ∈ N, we write P_n = GrowingRibb(w.(ff)^n), where (ff)^n stands for the word written as n times the name ff. We have:
• for any term Q along the reduction paths from P_n to P_{n+1} and from P_n to R, there exists
Moreover, for any word w, we have:
Proof. At any step, the extensor can only choose between creating a new ff cell or dying and sending up through the ribbon an ambient msg. Note that when extending the ribbon with a new ff cell, there are at some point two concurrent actions in cell and out ext: these are in causal dependency, since the in cell can only happen once the out ext has taken place, which ensures sequentiality of the execution. ✷
6.2. Turing Machine.
Definition 6.3 ((Ideal) Turing Machine). We introduce three symbols ←, ↓ and → for the movements of the head of a Turing Machine. We represent a Turing Machine as a quadruplet (Q, q_start, q_A, δ) where Q is a set of states, q_start is the initial state, q_A is the accepting state, and δ : Q × {ff, tt} −→ Q × {ff, tt} × {←, ↓, →} is the evolution function.
Notation: we shall write (w_1, q, w_2) (w′_1, q′, w′_2) to denote the fact that the Turing Machine in state q with the head on the cell of the last letter of w_1 (which will be referred to as "the head dividing the ribbon into words w_1 and w_2") evolves in one step of computation into the machine in state q′, dividing the ribbon into words w′_1 and w′_2. The remainder of this subsection is devoted to establishing the following claim:
Claim 6.4. Any Turing Machine computation may be encoded in MA^s_IF.
To encode Turing Machines, we must describe how we simulate in MA^s_IF the transitions of the machine, and how some extra manipulations are performed after recognition of a word (these are necessary to deduce the undecidability result proved below).
The encoding is given by the definitions collected in Figure 1. The overall shape of the encoding can be described as follows:
Definition 6.5 (Turing Machine in Mobile Ambients). The encoding of a Turing Machine is based on an ambient named TM, containing a persistent process named tmsoup:
We define two configurations for the encoding of a Turing Machine. Before being active, the machine is in starting state, defined by:
Once the computation has started, the Turing Machine in state q is represented by the term
Lemma 6.6 (MA^s_IF encoding). All terms used in the encoding of a Turing Machine belong to MA^s_IF.
Our Turing Machine encoding is somewhat reminiscent of the one presented in [13]. We should however remark that we work here in a language without name restriction, and with a simpler encoding of choice (operator + above, to test the value of a cell).
According to the explanations given in Section 6.1, the machine reacts to the presence of an ambient named start to enter the first cell of the ribbon and start computation (definition TMStart).
The behaviour of the running machine is described by the definition of code(q): the head of the machine enters the current cell, and tests its value by concurrently trying to enter ambients named ff and tt. According to the ambient being present, the appropriate machine transition is triggered (definition of tcode; d_ff, q_ff, mv_ff stand for the new value, new state, and movement of the head determined by the current state if the value read is ff, and similarly for tt). The last two lines in the definition of code (processes starting with !coin ...) are there for garbage collection purposes: they "absorb" the branch of the choice that has not been triggered.
Performing a transition involves erasing the current value of the cell, installing the new value, getting back inside the Turing Machine (the current working ambient had to get out of it to read the value of the cell), and triggering the movement of the machine (definition of tcode). The corresponding definitions at the top of Figure 1 should be self-explanatory, the become(mo) part being necessary to synchronise with the !open mo inside ambient TM. Finally, open q_w starts the execution of the code corresponding to q_w, the new state of the machine; according to Definition 6.5, the code of all possible states of the machine is present in replicated form in TM.
The code of the accepting state q_A is peculiar: when the machine reaches this state, it triggers the process getout, which makes it exit the ribbon and start the cleaning process. As explained above, the presence of an ambient named cleaner in ambient ribbon_left triggers the process cleaninst of Section 6.1. The process on the last line of Figure 1 is there to install the machine in the exact initial state once the word has been recognized and cleaning has been performed. This is necessary to obtain a loop in the proof of Lemma 6.13 below.
We can remark that the encoding is parametric over a word w, whose length (denoted length(w)) is used in the definition of getout (in that definition, in cell^length(w) stands for the concatenation of length(w) copies of the capability in cell). This aspect of our encoding is however irrelevant, since it only has an effect after the end of the execution of the machine, and not during the central part of the simulation.
We now formulate the evolution of the terms we have defined in order to simulate Turing Machines. We first introduce a useful relation.
Definition 6.7 (deterministic evolution relation). We say that a process P deterministically evolves to Q, written P ❀ Q, if and only if P −→ Q and for any Q
Notation: We shall write P ❀^k Q to say that P deterministically reduces to Q in k steps (k ≥ 1). We write P ❀^+ Q when P ❀^k Q for some k.
Using ❀, we can state some elementary facts about the macros involved in the execution of the machine. The relation P ❀^+ Q captures the fact that P cannot avoid reducing to Q, except for some immediately blocking states. Such blocking states may only appear due to the firing of the "wrong branch" in a choice encoding (ff −→ ··· + tt −→ ...). (Incidentally, we may remark that a purely deterministic encoding of the Turing Machine could probably be defined, but at the cost of more complex definitions and proofs.)
Moreover, the same results hold with a frozen (instead of dead) extensor in M, the only condition being that ambient ext contains an inactive term.
Proof. By inspection of the possible reductions of the processes being considered. From the second statement on, the ambient coin[ in d′. Q ] is frozen: it actually represents the non-chosen branch in the encoding of the choice operator, which will be erased later, when the head of the Turing Machine comes back inside ambient TM (see below). ✷
We can now merge the results above into a property regarding transitions of the Turing Machine.
Lemma 6.9 (One step of Turing Machine simulation). Let M be a Turing Machine, q one of its non-accepting states, and w_1, w_2 two words, with w_2 = ε. Suppose (w_1, q, w_2) (w′_1, q′, w′_2). Then WorkRibb(w_1, w_2){| TM(q) |} ❀^+ WorkRibb(w′_1, w′_2){| TM(q′) |}.
Proof. We divide the evolution of the term representing the Turing Machine into the following steps:
(1) From state q, the TM can trigger the q code by performing the corresponding open operation, which has the effect of releasing an ambient named head. Moreover, this is the only place where some reduction is possible, because first, Extensor is inactive and second, in every ambient named cell, no reduction occurs. Therefore,
P ] ] |} where δ(q, w^r_1) = (q′, d, mv) (i.e., the machine evolves from q to q′ when reading w^r_1).
(3) The ambient mo comes back into the Turing Machine and is opened by the tmsoup component. Then the head movement (if any) is performed, which activates an open q′ process, so that the Turing Machine gets into the TM(q′) state.
The 2(+1) above comes from the fact that the head of the machine can also make no movement in its transition from one state to another (case ↓). ✷
We obtain as a corollary of the Lemma above:
Proposition 6.10 (Turing Machine simulation). Given a Turing Machine M, for any word w and n ∈ N, the Turing Machine M recognises the word w on the ribbon w.ff^n iff there exist two words w_1 and w_2 s.t.
Let us finally describe what happens after the machine has reached the accepting state.
where w is the word used in the encoding of the machine.
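As an added worked example (constructed for this page, not code from the paper), the following Python simulator runs a machine of Definition 6.3 directly on the configurations (w_1, q, w_2) of the notation above, with the head on the last digit of w_1, and decides whether it recognises w on a given ribbon w.ff^n as in Proposition 6.10. It assumes that the head starts on the first cell of the ribbon and that moving past either end of the finite ribbon blocks the run; the sample machine EVEN_TT, its state names and the string encodings of the three movements are constructed here, not taken from the paper.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed example, not code from the paper: a simulator of the machines of
# Definition 6.3 on configurations (w1, q, w2), head on the last digit of w1.
TT, FF = "tt", "ff"                     # the two digits (names) of Section 6.1
LEFT, STAY, RIGHT = "<-", "down", "->"  # the head movements <-, down arrow, ->
Word = Tuple[str, ...]                  # a word is a tuple of digits; () is empty
Config = Tuple[Word, str, Word]         # (w1, q, w2)
Delta = Dict[Tuple[str, str], Tuple[str, str, str]]  # (q, d) -> (q', d', mv)


class TuringMachine:
    """The quadruplet (Q, q_start, q_A, delta) of Definition 6.3."""
    def __init__(self, states, q_start: str, q_accept: str, delta: Delta):
        self.states = frozenset(states)
        self.q_start, self.q_accept, self.delta = q_start, q_accept, delta
        for q in self.states:            # delta must be total on Q x {ff, tt}
            for d in (FF, TT):
                assert (q, d) in delta, f"delta undefined on ({q}, {d})"


def step(tm: TuringMachine, cfg: Config) -> Optional[Config]:
    """One step (w1, q, w2) -> (w1', q', w2'), or None if the machine is stuck.
    Assumption of this example: the ribbon is finite, so the head can move
    neither before its first cell nor past the last cell of w2."""
    w1, q, w2 = cfg
    if q == tm.q_accept or not w1:
        return None
    q2, d2, mv = tm.delta[(q, w1[-1])]   # read the digit under the head
    u = w1[:-1]
    if mv == STAY:
        return (u + (d2,), q2, w2)
    if mv == RIGHT:                      # head moves onto the first cell of w2
        return (u + (d2, w2[0]), q2, w2[1:]) if w2 else None  # None: needs a longer ff^n
    return (u, q2, (d2,) + w2) if u else None      # LEFT from the first cell: stuck


def recognises(tm: TuringMachine, w: Word, n: int) -> bool:
    """Does M reach q_A when started on the ribbon w.ff^n (Proposition 6.10)?
    A fixed ribbon has finitely many configurations, so revisiting one means
    the run loops forever: recognition on a fixed ribbon is decidable."""
    ribbon = tuple(w) + (FF,) * n
    if not ribbon:
        return False
    cfg: Optional[Config] = (ribbon[:1], tm.q_start, ribbon[1:])  # head on cell 1
    seen: Set[Config] = set()
    while cfg is not None and cfg not in seen:
        seen.add(cfg)
        if cfg[1] == tm.q_accept:
            return True
        cfg = step(tm, cfg)
    return False


# Constructed sample machine: accepts iff the ribbon starts with an even number
# of tt digits. It walks right over tt flipping parity; on the first ff it
# accepts from q_even and spins forever (a STAY self-loop) from q_odd.
EVEN_TT = TuringMachine(
    states={"q_even", "q_odd", "q_A"}, q_start="q_even", q_accept="q_A",
    delta={("q_even", TT): ("q_odd", TT, RIGHT), ("q_odd", TT): ("q_even", TT, RIGHT),
           ("q_even", FF): ("q_A", FF, STAY), ("q_odd", FF): ("q_odd", FF, STAY),
           ("q_A", TT): ("q_A", TT, STAY), ("q_A", FF): ("q_A", FF, STAY)})
```

Because a fixed ribbon has finitely many configurations, revisiting one is enough to detect a looping run; what no such check can do is bound the N needed for the "sufficiently long" ribbon of Lemma 6.13.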
Proof. We distinguish four steps:
(1) When the q_A ambient has been opened, the ambient get_out is liberated and is present within TM:
(2) This allows the TM ambient to get a get_out 'token', execute the branch containing the out cell, and, doing this, liberate a new get_out ambient:
WorkRibb(w_1, w_2){| TMGetout |} =⇒ WorkRibb(w^1_1 ... w^{r−1}_1, w^r_1.w_2){| TMGetout |}
Note that the other subterm starting with open get_out could also have been triggered, leading to a blocked state. This is no harm for us, since we want to establish the existence of an execution where the machine exits the ribbon. This way, TM progresses outwards until it is directly inside ribbon_left.
(3) Then TM gets out of ribbon_left, choosing the other branch of open get_out, which leads to the following state:
WorkRibb(ε, w_1.w_2){| 0 |} | TM[ cleaner[ out TM. in ribbon_left ] | coin[ out TM. in ribbon_left. in cell^length(w). in ext ] | code(q_0) | ... | code(q_n) | tmsoup ]
(4) At this point, the ambient named TM may liberate an ambient cleaner that enters ribbon_left and starts the cleaning process. TM may also liberate the ambient coin so that we exactly obtain the expected term. ✷
Remarks 6.12.
• As we already mentioned above, our encoding of the Turing Machine is at this point dependent on the word w that we want it to recognize.
• We reason here using =⇒ transitions instead of deterministic reduction ❀: indeed, we are considering states where the machine has already recognized the word, and we only need to prove that there exists some way back to its (exact) initial state. This will be enough for the proof of undecidability in Section 6.3.
Then P_0 =⇒ P_1. Conversely, P_1 =⇒ P_0 if and only if the word w may be recognized on a finite (but sufficiently long) ribbon of the shape w.ff^N, for some N ∈ N, by the Turing Machine M.
Proof. The transition P_0 =⇒ P_1 follows from Lemma 6.2. Let us then first assume that w can be recognized on a ribbon of the form w.ff^N, that is, w followed by an arbitrary number of ff digits. Then from Lemma 6.2, we can obtain the corresponding extension of the ribbon from state P_1, i.e. exhibit a transition
At this point, the ambient start can enter TM and allow it to get into the work ribbon. Then, using the simulation result (Proposition 6.10), we know that the Turing Machine reaches the accepting state (this result is obtained by induction over the length of w). At this point, according to Lemma 6.11, the work ribbon is transformed into an old ribbon (collected by the corresponding replicated term in Q), the Turing Machine comes out of the ribbon, and waits for a start signal. The liberated coin ambient may progress inside a frozen ribbon (containing word w by definition of Q above) until it reaches the frozen extensor and wakes it up. We then exactly obtain P_0. Now let us assume that w cannot be recognized on any ribbon. As Q is blocked (in particular, TMStart is waiting for an ambient start to enter TM), the first reducts of P_1 are of the form Q | ribbon_left[ R ], where GrowingRibb(w.ff) =⇒ ribbon_left[ R ]. If a

D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

Table 1: The rules for reduction
Table 2: The syntax of logical formulas
Figure 1: Encoding Turing Machines in MA^s_IF (only the following definitions are recoverable from the extracted figure):
tcode(d_r, q_w, d_w, mv) := clear(d_r); write(d_w); become(mo); in TM. domove(mv); open q_w
ff −→ P + tt −→ Q := coin[ in ff. out ff. P ] | coin[ in tt. out tt. Q ] | open coin
getout := !open get_out. out cell. get_out[ 0 ] | !open get_out. out ribbon_left. cleaner[ out TM. in ribbon_left ] | coin[ out TM. in ribbon_left. in cell^length(w). in ext ] | open start. in ribbon_left. in cell. open q_start