Psi-calculi: a framework for mobile processes with nominal data and logic

The framework of psi-calculi extends the pi-calculus with nominal datatypes for data structures and for logical assertions and conditions. These can be transmitted between processes and their names can be statically scoped as in the standard pi-calculus. Psi-calculi can capture the same phenomena as other proposed extensions of the pi-calculus such as the applied pi-calculus, the spi-calculus, the fusion calculus, the concurrent constraint pi-calculus, and calculi with polyadic communication channels or pattern matching. Psi-calculi can be even more general, for example by allowing structured channels, higher-order formalisms such as the lambda calculus for data structures, and predicate logic for assertions. We provide ample comparisons to related calculi and discuss a few significant applications. Our labelled operational semantics and definition of bisimulation is straightforward, without a structural congruence. We establish minimal requirements on the nominal data and logic in order to prove general algebraic properties of psi-calculi, all of which have been checked in the interactive theorem prover Isabelle. Expressiveness of psi-calculi significantly exceeds that of other formalisms, while the purity of the semantics is on par with the original pi-calculus.


Introduction
The pi-calculus [MPW92] has a multitude of extensions where higher-level data structures and operations on them are given as primitive. To mention only two there are the spi-calculus by Abadi and Gordon [AG99] focusing on cryptographic primitives, and the applied pi-calculus of Abadi and Fournet [AF01] where agents can introduce statically scoped aliases of names for data, used e.g. to express how knowledge of an encryption is restricted. It is also parametrised by an arbitrary signature for expressing data and an equation system for expressing data equalities. The impact of these enriched calculi is considerable with hundreds of papers applying or developing the formalisms. As Abadi and Fournet rightly observe there is a trade-off between "purity", meaning the simplicity and elegance PSI-CALCULI: A FRAMEWORK FOR MOBILE PROCESSES WITH NOMINAL DATA AND LOGIC 3 2. Definitions 2.1. Nominal datatypes. We base psi-calculi on nominal datatypes. A reader unfamiliar with these need not fear: we shall provide what little background is needed and be generous with examples. A traditional datatype can be built from a signature of constant symbols, functions symbols, etc. A nominal datatype is more general, for example it can also contain binders and identify alpha-variants of terms. Formally a nominal datatype is not required to be built in any particular way; the only requirements are related to the treatment of the atomic symbols called names as explained below.
As usual we assume a countably infinite set of atomic names N ranged over by a, . . . , z. Intuitively, names will represent the symbols that can be statically scoped, and also represent symbols acting as variables in the sense that they can be subjected to substitution. A typed calculus would distinguish names of different kinds but our account will be untyped. A typing may contribute to clarity of expressions but it is not necessary for our results.
A nominal set [Pit03,GP01] is a set equipped with name swapping functions written (a b), for any names a, b. An intuition is that for any member X it holds that (a b) · X is X with a replaced by b and b replaced by a. Formally, a name swapping is any function satisfying certain natural axioms such as (a b) · ((a b) · X) = X. One main point of this is that even though we have not defined any particular syntax we can define what it means for a name to "occur" in an element: it is simply that it can be affected by swappings. The names occurring in this way in an element X constitute the support of X, written n(X). We write a#X, pronounced "a is fresh for X", for a ∈ n(X). In an inductively defined datatype without binders we will have a#X if a does not occur syntactically in X. In for example the lambda calculus where alpha-equivalent terms are identified (i.e. the elements are alpha-equivalence classes of terms) the support corresponds to the free names. If A is a set or a sequence of names we write A#X to mean ∀a ∈ A . a#X.
We require all elements to have finite support, i.e., n(X) is finite for all X. It follows that for any X there are infinitely many a such that a#X. Some elements will have empty support, a prime example is the identity function in the lambda calculus, or a term of a traditional datatype not containing any names. A function f is equivariant if (a b) · f (X) = f ((a b) · X) holds for all X, and similarly for functions and relations of any arity. Intuitively, this means that all names are treated equally.
A nominal datatype is a nominal set together with a set of equivariant functions on it. In particular we shall consider substitution functions that substitutes elements for names. If X is an element of a datatype,ã is a sequence of names without duplicates andỸ is an equally long sequence of elements of possibly another datatype, the substitution X[ã :=Ỹ ] is an element of the same datatype as X. In a traditional datatype substitution can be thought of as replacing all occurrences of namesã byỸ . In a calculus with binders it can be thought of as replacing the free names, alpha-converting any binders to avoid capture.
For the purpose of psi-calculi it turns out that we need not define exactly what a substitution does. The only formal requirements are that substitution is an equivariant function that satisfies two substitution laws: .
and substitution functions [ a := M ], substituting terms for names, on all of T, C and A.
As an example, we can choose data terms inductively generated by some signature, assertions and conditions to be elements of a first-order logic with equality over these terms, entailment to be logical implication, ⊗ to be conjunction and 1 to be true.
The binary functions above will be written in infix. Thus, if M and N are terms then M .
The data terms are used to represent all kinds of data, including communication channels. Intuitively, two agents can communicate if one sends and the other receives along the same channel. This is why we require a condition M . ↔ N to say that M and N represent the same communication channel. For example, in the pi-calculus .
↔ is just identity of names.
The assertions will be used to declare information necessary to resolve the conditions. Assertions can be contained in agents and represent constraints; they can contain names and thereby be syntactically scoped and represent information known only to the agents within that scope. The operator ⊗ on assertions will, intuitively, be used to represent conjunction of the information in the assertions. The assertion 1 is the unit for ⊗.
The intuition of entailment is that Ψ ⊢ ϕ means that given the information in Ψ, it is possible to infer ϕ. We say that two assertions are equivalent if they entail the same conditions: Definition 2.2 (assertion equivalence). Two assertions are equivalent, written Ψ ≃ Ψ ′ , if for all ϕ we have that Ψ ⊢ ϕ ⇔ Ψ ′ ⊢ ϕ.
We can now formulate our requisites on valid psi-calculus parameters: Definition 2.3 (Requisites on valid psi-calculus parameters).
Channel Symmetry: Our requisites on a psi-calculus are that the channel equivalence is a partial equivalence relation, that ⊗ is compositional, and that the equivalence classes of assertions form an abelian monoid. In Section 2.6 below we will demonstrate that all requisites in Definition 2.3 are essential.
Note that channel equivalence is not required to be reflexive. Thus it is possible to have data terms that are not channel equivalent to anything at all, meaning that they cannot be used as channels. Also, note that properties such as weakening (Ψ ⊢ ϕ ⇒ Ψ⊗Ψ ′ ⊢ ϕ) and idempotence (Ψ⊗Ψ ≃ Ψ) are not required. This means that we can in principle represent non-monotonic logics as well as logics to represent resource use, although these avenues remain yet unexplored. A main point of our work is to identify minimal requisites for the formal results on bisimilarity to hold, and here neither weakening nor idempotence turns out to be necessary.

2.3.
Frames. Assertions can contain information about names, and names can be scoped using the familiar pi-calculus operator ν. For example, in a cryptography application an assertion Ψ could be that the a datum represents the encoding of a message using a key k. This Ψ can occur under the scope of νk, to signify that the key is known only locally. In order to admit this in a general way we use the notion of a frame, first introduced by Abadi and Fournet [AF01]. Basically, a frame is just an assertion with additional information about which names are scoped. The example above where Ψ occurs under the scope of k will be written (νk)Ψ, to signify a frame consisting of the assertion Ψ where the name k is local.
In the followingã means a finite (possibly empty) sequence of names, a 1 , . . . , a n . The empty sequence is written ǫ and the concatenation ofã andb is writtenãb. When occurring as an operand of a set operator,ã means the corresponding set of names {a 1 , . . . , a n }. We also use sequences of terms, conditions, assertions etc. in the same way.
Definition 2.4 (Frame). A frame is of the form (ν b)Ψ where b is a sequence of names that bind into the assertion Ψ. We identify alpha variants of frames. 1 We use F, G to range over frames. Since we identify alpha variants we can always choose the bound names freely.
Intuitively a condition is entailed by a frame if it is entailed by the assertion and does not contain any names bound by the frame. Two frames are equivalent if they entail the same conditions: Definition 2.5 (Equivalence of frames). We define F ⊢ ϕ to mean that there exists an alpha variant (ν b)Ψ of F such that b#ϕ and Ψ ⊢ ϕ. We also define F ≃ G to mean that for all ϕ it holds that F ⊢ ϕ iff G ⊢ ϕ.
For example (νab)Ψ ≃ (νba)Ψ, and if a#Ψ then (νa)Ψ ≃ Ψ. To take an example of first-order logic with equality, assume that the term enc(M, k) represents the encoding of message M with key k. Let Ψ be the assertion C = enc(M, k), stating that the ciphertext C is the result of encoding M by k. If an agent contains this assertion the environment of the agent will be able to use it to resolve tests on the data, in particular to infer that C = enc(M, k). In other words, if the environment receives C it can test if this is the encryption of M . In order to restrict access to the key k it can be enclosed in a scope νk. The environment of the agent will then have access to the frame (νk)Ψ 1 In some presentations frames have been written just as pairs b, Ψ . The notation in this paper better conveys the idea that the names bind into the assertion, at the slight risk of confusing frames with agents. Formally, we establish frames and agents as separate types, although a valid intuition is to regard a frame as a special kind of agent, containing only scoping and assertions. This is the view taken in [AF01]. rather than Ψ itself. This frame is much less informative, for example it does not hold that (νk)Ψ ⊢ C = enc(M, k). Here great care has to be made to formulate the class of allowed conditions. If these only contain equivalence tests of terms, (νk)Ψ will entail nothing but tautologies and be equivalent to 1. But if quantifiers are allowed in the conditions, then by existential introduction Ψ ⊢ ∃k.(C = enc(M, k)), and since this condition has no free k we get (νk)Ψ ⊢ ∃k.(C = enc(M, k)). In other words the environment will learn that C is the encryption of M for some key k. We shall return to examples related to cryptography in Section 3.2.
Most of the properties of assertions carry over to frames. Channel symmetry and channel transitivity, identity, associativity and commutativity all hold, but compositionality in general does not. In other words, there are psi-calculi with frames F, G, H where F ≃ G but not F ⊗H ≃ G⊗H. An example is if there are assertions Ψ, Ψ ′ and Ψ a for all names a, conditions ϕ ′ and ϕ a for all names a, and where the entailment relation satisfies Ψ a ⊢ ϕ a and Ψ ′ ⊢ ϕ ′ . Suppose composition is defined such that Ψ⊗Ψ = Ψ and all other compositions yield Ψ ′ . By adding a unit element this satisfies all requirements on a psi-calculus. In particular ⊗ is trivially compositional because no two different assertions are equivalent. Also (νa)Ψ a ≃ Ψ, but Ψ⊗(νa)Ψ a ≃ Ψ⊗Ψ since Ψ⊗Ψ a = Ψ ′ ⊢ ϕ ′ .

Agents.
Definition 2.6 (psi-calculus agents). Given valid psi-calculus parameters as in Definitions 2.1 and 2.3, the psi-calculus agents, ranged over by P, Q, . . ., are of the following forms.
0 Nil M N . P Output M (λ x)N . P Input case ϕ 1 : P 1 [] · · · [] ϕ n : P n Case (νa)P Restriction P | Q Parallel !P Replication (|Ψ|) Assertion In the Input M (λ x)N.P we require that x ⊆ n(N ) is a sequence without duplicates, and the names x bind occurrences in both N and P . Restriction binds a in P . We identify alpha equivalent agents. An assertion is guarded if it is a subterm of an Input or Output. In a replication !P there may be no unguarded assertions in P , and in case ϕ 1 : P 1 [] · · · [] ϕ n : P n there may be no unguarded assertion in any P i .
In the Output and Input forms M is called the subject and N the object. Output and Input are similar to those in the pi-calculus, but arbitrary terms can function as both subjects and objects. In the input M (λ x)N.P the intuition is that the pattern (λ x)N can match any term obtained by instantiating x, e.g., M (λx, y)f (x, y).P can only communicate with an output M f (N 1 , N 2 ) for some data terms N 1 , N 2 . This can be thought of as a generalisation of the polyadic pi-calculus where the patterns are just tuples of names. Another significant extension is that we allow arbitrary data terms also as communication channels. Thus it is possible to include functions that create channels.
The case construct as expected works by behaving as one of the P i for which the corresponding ϕ i is true. case ϕ 1 : P 1 [] · · · [] ϕ n : P n is sometimes abbreviated as case ϕ : P , or if n = 1 as if ϕ 1 then P 1 . In psi-calculi where a condition ⊤ exists such that Ψ ⊢ ⊤ for all Ψ we write P + Q to mean case ⊤ : P [] ⊤ : Q.
Input subjects are underlined to facilitate parsing of complicated expressions; in simple cases we often omit the underline. In the traditional pi-calculus terms are just names and its input construct a(x) . P can be represented as a(λx)x.P . In some of the examples to follow we shall use the simpler notation a(x) . P for this input form, and sometimes we omit a trailing 0, writing just M N for M N . 0. If the object of an Output is a long term we enclose it in brackets to make it easier to parse. For a simple example, the pi-calculus [MPW92] can be represented as a psi-calculus where the only data terms are names, the only assertion is 1, and the conditions are equality tests on names. Substitution is the standard capture-avoiding syntactic replacement of names for names. We call this instance Pi, and formally we have: We can represent pi-calculus choice using the case statement: the pi-calculus term P + Q corresponds to (νa)(case a = a : P [] a = a : Q), where a#P, Q, and pi-calculus match [a = b]P to if a = b then P . We will return to this instance in Section 3.
We obtain the polyadic pi-calculus by adding the tupling symbols t n for tuples of arity n to T., i.e. T = N ∪ {t n (M 1 , . . . , M n ) : M 1 , . . . , M n ∈ T}. The polyadic output is to simply output the corresponding tuple of object names, and the polyadic input a(b 1 , . . . , b n ) . P is represented by a pattern matching a(λb 1 , . . . , b n )t n (b 1 , . . . , b n ) . P . Strictly speaking this allows nested tuples and tuples also in subject position in agents, but as we shall see such prefixes will not give rise to any transition, since in this psi-calculus M . ↔ M is only entailed when M is a name, i.e., only names are channels.
In a psi-calculus the channels can be arbitrary terms. This means that it is possible to introduce functions on channels (e.g., if M is a channel then so is f (M )). It also means that a channel can contain more than one name. An extension of this kind is explored by Carbone and Maffeis [CM03] in the so called pi-calculus with polyadic synchronisation, e π. Here action subjects are tuples of names, and it is demonstrated that this allows a gradual enabling of communication by opening the scope of names in a subject, results in simple representations of localities and cryptography, and gives a strictly greater expressiveness than standard pi-calculus. We can represent e π by using tuples of names in subject position. The only modification to the representation of the polyadic pi-calculus is to extend ⊢ to ⊢= {(1, M . ↔ M ) : M ∈ T}, and to remove the conditions of type M = N (since they can be encoded in e π).
The data terms can also be drawn from a higher-order formalisms. It is thus possible to transmit functions between agents. For example, let T be the lambda calculus, containing abstractions λx.M and applications M N . In the parallel composition a λx.M . P | a(z) . b zN . Q the left hand component transmits the function λx.M to the right, where the application of it to N is transmitted along b. Reduction would be represented as a binary predicate over lambda terms and could be tested in psi-calculus conditions (the reduction rules would be part of the definition of entailment). In this sense psi can resemble a higher-order calculus. It is even possible to let the terms be the psicalculus agents themselves. An agent transmitted as a term cannot directly communicate with the agent that sent or received it, but there is a possibility of indirect interaction through the entailment relation. This area we leave for further study.
2.5. Operational semantics. In this section we define an inductive transition relation on agents. In particular it establishes what transitions are possible from a parallel composition P | Q. In the standard pi-calculus the transitions from a parallel composition can be uniquely determined by the transitions from its components, but in psi-calculi the situation is more complex. Here the assertions contained in P can affect the conditions tested in Q and vice versa. For this reason we introduce the notion of the frame of an agent as the combination of its top level assertions, retaining all the binders. It is precisely this that can affect a parallel agent.
Definition 2.7 (Frame of an agent). The frame F(P ) of an agent P is defined inductively as follows: For a simple example, if a#Ψ 1 : Here Ψ 3 occurs under a prefix and is therefore not included in the frame. An agent where all assertions are guarded thus has a frame equivalent to 1. In the following we often write (ν b P )Ψ P for F(P ), but note that this is not a unique representation since frames are identified up to alpha equivalence. The actions α that agents can perform are of three kinds: output actions, input actions of the early kind, meaning that the input action contains the received object, and the silent action τ . The operational semantics consists of transitions of the form Ψ ✄ P α −→ P ′ . This transition intuitively means that P can perform an action α leading to P ′ , in an environment that asserts Ψ.
Definition 2.8 (Actions). The actions ranged over by α, β are of the following three kinds: For actions we refer to M as the subject and N as the object. We define bn(M(νã)N ) = a, and bn(α) = ∅ if α is an input or τ . We also define n(τ ) = ∅ and n(α) = n(N ) ∪ n(M ) if α is an output or input. As in the pi-calculus, the output M (νã)N represents an action sending N along M and opening the scopes of the namesã. Note in particular that the support of this action includesã. Thus M (νa)a and M (νb)b are different actions.
fresh for all of Ψ, b Q , Q, M and P , and that b Q is correspondingly fresh. In the rule Par we assume that F(Q) = (ν b Q )Ψ Q where b Q is fresh for Ψ, P and α. In Open the expressionã ∪ {b} means the sequenceã with b inserted anywhere.
Definition 2.9 (Transitions). A transition is of the kind Ψ ✄ P α −→ P ′ , meaning that when the environment contains the assertion Ψ the agent P can do an α to become P ′ . The transitions are defined inductively in Table 1. We write P α −→ P ′ to mean 1 ✄ P α −→ P ′ . In In the substitution is defined by induction on agents, using substitution on terms, assertions and conditions for the base cases and avoiding captures through alpha-conversion in the standard way.
Both agents and frames are identified by alpha equivalence. This means that we can choose the bound names fresh in the premise of a rule. In a transition the names in bn(α) count as binding into both the action object and the derivative, and transitions are identified up to alpha equivalence. This means that the bound names can be chosen fresh, substituting each occurrence in both the object and the derivative. This is the reason why bn(α) is in the support of the output action: otherwise it could be alpha-converted in the action alone. Also, for the side conditions in Scope and Open it is important that bn(α) ⊆ n(α). In rules Par and Com, the freshness conditions on the involved frames will ensure that if a name is bound in one agent its representative in a frame is distinct from names in parallel agents, and also (in Par) that it does not occur on the transition label. We defer a more precise account of this to Section 6.
The environmental assertions Ψ ✄ · · · in Table 1 express the effect that the environment has on the agent: enabling conditions in Case, giving rise to action subjects in In and Out and enabling interactions in Com. Thus Ψ never changes between hypothesis and conclusion except for the parallel operator, where an agent is part of the environment for another agent. In a derivation tree for a transition, the assertion will therefore increase towards the leafs by application of Par and Com. If all environmental assertions are erased and channel equivalence replaced by identity we get the standard laws of the pi-calculus enriched with data structures.
In comparison to the applied pi-calculus and the concurrent constraint pi calculus one main novelty is the inclusion of environmental assertions in the rules. They are necessary to make our semantics compositional, i.e., the effect of the environment on an agent is wholly captured by the semantics. In contrast, the labelled transitions of the applied and the concurrent constraint pi-calculi must rely on an auxiliary structural congruence, containing axioms such as scope extension (νa)(P | Q) ≡ (νa)P | Q if a#Q. With our semantics such laws are derived rather than postulated. The advantage of our approach is that proofs of meta-theoretical results such as compositionality are much simpler since there is only the one inductive definition of transitions.
Substitution enters the semantics at one point only: the law In which defines the effect of an input. Returning to the substitution laws in Section 2.1 it is easy to motivate Law 2: it is needed to make sure that alpha equivalent agents have the same transitions. Law 1 has a more involved motivation related to the fact that the objects of transition labels must record all received names, otherwise we lose the principle of scope extension. To see this, which can continue with an interaction between the components. R and T therefore do not behave the same. The culprit is the transition from T which corresponds to a scope intrusion, i.e. the reception of a name which is already bound in the receiving agent. To prevent such transitions the law Scope has a side condition that the bound name may not occur in the transition label. For this side condition to be effective, Law 1 guarantees that a received name actually appears in the label.

2.6.
Illustrative examples. For a simple example of a transition, suppose for an assertion Ψ and condition ϕ that Ψ ⊢ ϕ. Assume that i.e., Q has an action α regardless of the environment. Then by the Case rule we get i.e., if ϕ then Q has the same transition if the environment is Ψ. Since F((|Ψ|)) = Ψ and Ψ⊗1 = Ψ, if bn(α)#Ψ we get by Par that Data terms may also represent communication channels and here the channel equivalence comes into play. For example, in a polyadic pi-calculus the terms include tuples and projection functions with the usual equalities, e.g. π 1 (t 2 (a, b)) = a. If these terms can represent channels then they must represent the same channel, consequently we must have Ψ ⊢ π 1 (t 2 (a, b)) .
↔ a for all Ψ. As an example, Agents such as π 1 (t 2 (a, b)) (y) . Q can arise naturally if tuples of channels are transmitted as objects. For example, an agent that receives a pair of channels along c and then inputs along the first of them is written c(x) . π 1 (x)(y) . Q. When put in parallel with an agent that sends t 2 (a, b) along c it will have a transition leading to the agent where x is substituted by t 2 (a, b), i.e. π 1 (t 2 (a, b)) (y) . Q. The semantics makes no particular provision for an equality of terms in object position. Thus, the agents ca . P and cπ 1 (t 2 (a, b)) . P have different transitions, and correspond to sending out the unevaluated "texts" a and π 1 (t 2 (a, b)) respectively. To represent agents which send evaluated "values" we can do as in the applied pi-calculus where assertions declare equivalence of terms and agents send freshly generated aliases, e.g.
(νz)(cz . P | (|z = π 1 (t 2 (a, b))|)) This agent has the same transition as (νz)(cz . P | (|z = a|)). Any agent receiving the z will not be able to distinguish if z is a or π 1 (t 2 (a, b)) since these terms are equated by all assertions. Also, if a and b are scoped as in (νa, b, z)(cz . P | (|z = π 1 (t 2 (a, b))|)) then their scopes will not open as a consequence of the output. In the applied pi-calculus this is the only form of communication and it is not possible to directly transmit data structures containing channel names, like the name tuples of the polyadic pi-calculus above. In psi-calculi these communication possibilities can coexist.
The main technical issue in the semantics is the treatment of scoping, as illustrated by the following example where the terms are just names. The intuition is that there is a communication channel available to all agents, and agents can declare any name to represent it through an assertion. The assertions are thus sets of names, and any name occurring in the assertion can be used as the subject of an action. Any two names in the assertion are deemed channel equivalent. Formally,

PSI-CALCULI: A FRAMEWORK FOR MOBILE PROCESSES WITH NOMINAL DATA AND LOGIC 13
Omitting the action and prefix objects we get but no corresponding action with subject a because of the side condition on Scope. Thus, a communication through Com can be inferred from 0 This instance of a psi-calculus also illustrates two features of the semantics: firstly that channel equivalence is used in all three rules In, Out and Com, and secondly that assertions rather than frames represent the environment. Both issues are related to the law of scope extension. Elaborating the example above and noting that {a} ∪ {b} ⊢ a . ↔ b, we get that has an internal communication. By scope extension this agent should have the same transitions as P | Q where Here F(P ) = (νa){a} and F(Q) = (νb){b} are alpha equivalent. Since they will be composed below we choose different representatives for the bound names. A communication from P | Q is inferred by Com and the premises Note how the action subjects are derived by the assertions in both cases to not clash with the binders, and that channel equivalence is necessary in all three rules. The same example demonstrates why transitions in Table 1 are defined with assertions and not frames, for whereas {a, b} ⊢ a . ↔ b the corresponding result cannot be obtained from the frames of the agents. We have that F(Q) ⊗ {a} = (νb){a, b} a . ↔ b, so that frame is not useful for deriving a transition from P . Our earlier attempt [JPVB08] erroneously used frames rather than assertions, and this means that scope extension does not hold unless a further condition is imposed on the entailment relation to eliminate this kind of example.
We close this section by demonstrating why the requisites in Definition 2.3 are necessary: omitting any of them would lead to a calculus that does not satisfy fundamental properties of the parallel operator. Compositionality and the abelian monoid laws in Definition 2.3 are straightforward in this respect since without them the corresponding properties of parallel composition on agents do not hold. For example, we will want parallel composition to be commutative in that the agent P | Q behaves the same as Q | P in all respects. At the very least this implies that their frames entail the same conditions (it may also imply other things not important for this argument), which means that ⊗ must be commutative for assertion equivalence. In a similar way the other requisites on ⊗ are necessary for parallel operator to be compositional, associative, and have 0 as identity.
To demonstrate that channel equivalence must be symmetric, consider any psi-calculus where Ψ 1 and Ψ 2 are such that Ψ 1 ⊗Ψ 2 ⊢ a .
↔ a must hold, otherwise scope extension does not hold. Consider the agent which has an internal communication τ using b as subjects in the premises of the Com rule. If b#Ψ 1 and a#Ψ 2 , by scope extension the agent should behave as and therefore this agent must also have a τ action. The left hand component cannot do an a action, but in the environment of Ψ 2 it can do a b action. Similarly, the right hand component cannot do a b action. The only possibility is for it to do an a action, as in and this requires Ψ 1 ⊗Ψ 2 ⊢ b . ↔ a. Finally, we motivate the requisite that . ↔ must be transitive. Let 1 entail a . ↔ a for all names a, and let Ψ be an assertion with support {a, b, c} that additionally entails the two conditions a . ↔ b and b . ↔ c, but not a . ↔ c, and thus does not satisfy transitivity of channel equivalence. If Ψ entails no other conditions then (νb)Ψ ≃ 1, and we expect (νb)(|Ψ|) to be interchangeable with (|1|) in all contexts. Consider the agent By scope extension it should behave precisely as This agent has a τ -transition since Ψ enables an interaction between the components a . 0 and c . 0. But the agent a . 0 | c . 0 | (|1|) has no such transition. The conclusion is that (νb)Ψ must entail that the components can communicate, ie. that a . ↔ c, in other words Ψ ⊢ a . ↔ c.

Expressiveness and related calculi
In this section we explore the expressiveness of psi-calculi, mainly in comparison to other process calculi.

PSI-CALCULI: A FRAMEWORK FOR MOBILE PROCESSES WITH NOMINAL DATA AND LOGIC 15
3.1. The pi-calculus. In Section 2.4 we saw the instance Pi which corresponds to the pi-calculus. We will now make the relationship formal. The pi-calculus under consideration is the standard pi-calculus with replication instead of recursion, without mismatch, and without a rule for structural congruence in the semantics. The encoding of a pi-calculus agent P into Pi, [[P ]] Pi , is defined as: To prove that P and [[P ]] Pi have the same transitions the following two lemmas about substitutions and support are needed. We use the standard definition of substitution in the pi-calculus, replacing free names for new ones, α-converting as necessary to avoid capture.
Proof. Straightforward induction over the structure of P .

Lemma 3.2. If P is a pi-calculus agent, then n(P ) = n([[P ]] Pi ).
Proof. Straightforward induction over the structure of P .
Let α be a pi-calculus action. We define the encoding of α into psi-calculi actions as: We denote a pi-calculus transition as P α −→ π P ′ . We then have the following relation between the pi-calculus agent P and the Pi agent [[P ]] Pi : Lemma 3.3 (Transitions in Pi and the pi-calculus correspond). If P is a pi-calculus agent, Proof. The proof is by induction over the length of the derivation of P α −→ π P ′ and [[P ]] Pi α −→ P ′′ , respectively. As an illustration, one induction case is shown: the case when the pi-calculus transition is derived with π-Close:

By induction it follows that [[P ]] Pi
Since there is only one assertion in Pi, the frames of [[P ]] Pi and [[Q]] Pi will be equivalent to 1. We choose the frames so that their bound names are sufficiently fresh according to rule Com. It trivially holds that 1 ⊢ a = a, and by definition in Pi we have that 1⊗1 = 1, so also 1⊗1⊗1 ⊢ a = a. Since b / ∈ fn(Q) (i.e. b#Q) it follows from Lemma 3.2 that b#[[Q]] Pi . We now derive the following: In Section 5 we shall see that strong bisimulation in the pi-calculus and in Pi coincide.

3.2.
Calculi for cryptography. Psi-calculi can express a variety of cryptographic operations on data. The main idea was illustrated in Section 2.3, using assertions to define relations between ciphertext and plaintext. Here we make the description more precise. Let the assertion "C = enc(M, k)" mean that encrypting the message M with the key k results in the ciphertext C, and let "M = dec(C, k)" mean that decrypting C with key k yields M . Entailment contains equations relating encryption and decryption such as The point is that a secure key can be represented by a bound name: it is unguessable outside its scope. An example agent aC . (νk)((|C = enc(M, k)|) | P ) outputs a term C and asserts that it is the encryption of M using the bound k as key, without opening the scope of k. Therefore an agent receiving C can resolve the condition dec(C, k) = M only after receiving this k in a communication. Technically this is because of the freshness conditions in the Par rule in Table 1 where b Q is assumed fresh for P : this means that to apply the rule, P cannot use any name bound in the frame of Q. This closely resembles the situation in the applied pi-calculus [AF01]. By contrast, in the spi-calculus [AG99] encrypted messages such as enc(M, k) are transmitted directly. Consider an example spi-calculus process Here P sends a fresh name m encrypted with a fresh key k to the environment, and then receives a value x. Assuming perfect encryption, the environment cannot know m or k, so P ′ cannot receive m along b, and the output on c will never be possible. However, in the spi-calculus the transition P opens the scopes of k and m, so here scoping does not correspond to restriction of knowledge. A reasonable equivalence must explicitly keep track of which names are known, leading to several complex bisimulation definitions (see [BN05] for an overview).
The applied pi-calculus is data terms and an equational theory ⊢ Σ over Σ, and, more importantly, introduces active substitutions { M / x } of data terms for variables. These can be introduced by the inferred structural rule (νx)( There are names a, b, c distinct from variables x, y, z where only variables can be substituted, and a simple type system to distinguish names and variables of channel type from other terms of base type. Only names of channel type can be used as communication channels. Structured data terms cannot be sent directly, instead an alias variable such as x must be used, and the

PSI-CALCULI: A FRAMEWORK FOR MOBILE PROCESSES WITH NOMINAL DATA AND LOGIC 17
term itself does not occur on the transition label. We have P ≡ Q for P above in (3.1), and only the alias of the encryption (its "value") appears on the label; the scope of k and m is not opened and in this sense they are still confidential to the environment. However, the labelled semantics does not allow sending structured data terms where the scope should be opened, such as a tuple of names in the polyadic pi-calculus.
The labelled semantics for applied pi turns out to be non-compositional. Consider the closed (extended) applied pi-calculus agents where we omit the objects of the prefixes. They have the same frame and no transitions, and are thus semantically equivalent. But a context can contain x and can therefore use the active substitution to communicate with A. Formally, let R = x.0 and ⇓ b the usual weak observation or barb. We have by scope extension that Therefore, no observational equivalence that is preserved by all contexts and satisfies scope extension can be captured by the labelled semantics. In this, Theorem 1 of [AF01] is incorrect; the labelled and observational equivalences do in fact not coincide, nor is labelled equivalence a congruence. This is relevant for other papers that use or develop the labelled semantics, Possible fixes are to disallow aliases for channel names, to be satisfied with compositionality for closed contexts, or to allow variables in action subjects. The consequences are difficult to assess, and our proposed solution is to instead define a psi-calculus.
A complication when defining a psi-calculus to correspond to the applied pi-calculus is that bisimulation there is only defined on closed agents, and removing this restriction yields a non-compositional theory. The source of this non-compositionality is the requirement that active substitutions must be acyclic. Assume that the equational system includes the identity f(y) = f(z). We then get that { f(y) / x } is bisimilar to { f(z) / x }, but only one becomes circular when composed with { x / y }. In psi-calculi, no notion of closedness exists, and compositionality is required. For these reasons we cannot exactly capture the applied pi-calculus.
We define the instance APi as follows (this presentation corrects a mistake in [BJPV09]). Since our names and terms are untyped we add constructs for channels, Ch(M ), for variables, Var(x), and for names which are neither channels nor variables, Nonce(k). We extend Assertions To see that this is a proper instance we must check that the substitution function is equivariant and respects the freshness and α-equivalence properties, as described in Section 2.1. Furthermore it must satisfy the requirements from Definition 2.3. That the substitution function has the required properties is shown in Section 2.1, and the special cases for Var(x) and Nonce(a) pose no additional problem. Channel symmetry and transitivity hold since the underlying equational theory is symmetric and transitive. Identity, associativity, and commutativity hold since union has these properties. Compositionality holds assuming that the equational system is compositional, i.e if ∀M, N : The encoding [[A]] APi of an applied pi agent A into APi is homomorphic with the following exceptions: the name a is of channel type and not a binding occurrence Note that in translations of applied pi-calculus agents and their derivatives, the only form of active substitutions will be on the form { M / Var(x) }. Also the only substitutions will be of variables. We allow for the general form of active substitutions { M / N } and substitution of channels and nonces simply to make the substitution function total as required. We adhere to the applied pi convention that channel names are ranged over by a, b, c, . . . , nonces are ranged over by k, l, m, . . . , and variables are ranged over by x, y, z, . . . . For readability, in the following we omit the constructs Ch(a), Nonce(k), and Var(x), and just write a, k, and x, also in APi-agents.
APi differs from the applied pi-calculus in some ways. Requirements on the active substitutions in applied pi are that they can only contain one active substitution per variable, and that the active substitutions are non-circular. Furthermore they do not occur under prefixes, conditionals, or replication. The instance APi does not have these limitations, but the most important difference is that in APi (and in psi-calculi in general), aM . P aM − − → P corresponds to sending the cleartext of M directly. This is not possible in the applied pi-calculus. In order to transmit M in the applied pi-calculus the structural = M ] must be used and an alias x for M be sent. To send an alias in this way in APi it must be introduced explicitly, as in (|{ M / x }|) | ax . P , and this agent is not the same as aM . P .
Therefore, although the agents (3.1) and (3.2)) are the same in the applied pi-calculus, the APi counterparts of the agents are different. In APi, P in (3.1) represents an agent that emits the cleartext "enc(m, k)". Any agent that receives this will immediately learn both m and k, and any scope of k will be opened in the process. This kind of agent can only indirectly be represented in the applied pi-calculus, by sending the restricted names separately one at a time. In contrast, the APi counterpart of (3.2) is Q = (νx, k, m)((|{ enc(m,k) / x }|) | ax . P ′ ) and defines Q to emit an alias for enc(m, k). As in the applied pi-calculus since k is scoped a recipient will not learn m. If the same recipient later receives k, an alias u for the message m can be constructed as (|{ dec(x,k) / u }|).
Similarly, the agents R 1 and R 2 below are equivalent in applied pi, but the corresponding agents in APi are different.
In the applied pi-calculus, a new alias for a term can always be introduced "on-the-fly", and it is impossible to tell R 1 and R 2 apart -they are structurally equivalent. The psicalculus approach gives the possibility to discern the two agents, similarly to how the same ciphertext bitstring sent twice can be identified even if the plaintext cannot be recovered. To avoid this, a new alias needs to be explicitly introduced for each transmission, mimicking a probabilistic crypto where different ciphertext bitstrings correspond to the same plaintext and key.
Thus in psi-calculi, communication objects can range from literal data terms to indirect references, giving the user of the calculus the possibility to choose the appropriate form.
Another difference between the calculi is illustrated by the agent A of the compositionality counterexample (3.3): In Section 4.2 we present a simpler psi-calculus for expressing cryptographic examples.

Fusion and concurrent constraints.
3.3.1. Fusion. The concept of fusion means that communication can result in pairs of names being "fused together" in the sense that they can thereafter be considered the same. Fusion was independently developed by Fu [Fu97] (the χ-calculus), Parrow and Victor [PV98] (the fusion calculus), and by Wischik and Gardner [GW00,WG05] (the pi-F calculus). The fusion primitive was also encoded in the asynchronous pi-calculus by Merro [Mer98], using equators. In psi-calculi, fusion can be formulated in a way reminiscent of the equator encoding: the assertions are equivalence statements between names (cf. explicit fusions or equators). A simple psi-calculus with fusion, call it Fi, would be the following: where eq(Ψ) is the equivalence closure of Ψ (i.e. transitive, symmetric and reflexive closure). Thus terms are names, assertions are name fusions, and the entailment relation deduces equality between names based on fusion assertions treated as equivalence relations. We can verify that this is indeed a valid psi-calculus: the substitution properties are proved in Section 2.1, and we just need to investigate the requisites of Definition 2.3. Transitivity and reflexivity of the channel equivalence follows from the same properties of =; commutativity, associativity and identity follow from the same properties of ∪. For compositionality, let Ψ 1 and Ψ 2 be two equivalent assertions. This means eq(Ψ 1 ) = eq(Ψ 2 ); we must show that for any Ψ 3 we have eq(Ψ 1 ∪Ψ 3 ) = eq(Ψ 2 ∪Ψ 3 ). Using the fact that eq(A∪B) = eq(eq(A)∪B), we have eq(Ψ 1 ∪ Ψ 3 ) = eq(eq(Ψ 1 ) ∪ Ψ 3 ) = eq(eq(Ψ 2 ) ∪ Ψ 3 ) = eq(Ψ 2 ∪ Ψ 3 ).
In the χ-calculus, fusion calculus, and pi-F calculus, input and output prefixes are completely symmetric and in particular the input is not binding. An example transition in the pi-F calculus (using the syntax of [Wis01]) is ab . P | ad . Q τ −→b=d | P | Q whereb=d (forb andd of equal length) is a fusion which allows us to treat each b i ∈b as equivalent to d i ∈d. Inputs in Fi can still be binding, and we can represent the non-binding pi-F input ab . P as a(c) . ((|{b =c}|) | P ) wherec#ab . P . For example, the pi-F communications Below, we establish an operational correspondence between the pi-F calculus and Fi. Our presentation does not include the full details of the pi-F semantics, instead we refer to [WG05]. The syntax used there differs a little from that used in the examples above: most notably, a prefix written ax . P above is instead written a . ( x | P ) (and symmetrically for inputs); here x is a vector of datums and the parallel composition operator is not symmetric for datums. Input and output transitions in are on the form P a −→ P ′ where P ′ is on the form (νc)( x | P ) andc ⊆x. For ease of reading, we write x P for ( x | P ) below.
The encoding of pi-F processes into Fi is as follows: and is homomorphic for the other operators. To encode e.g. a . (νc) c P we first rewrite it to the structurally congruent process (νc)a . c P (where c = a).
In [WG05], two labelled transition semantics are defined for pi-F and proved to coincide: the quotiented and the structured semantics. The first has a traditional rule for using structural congruence (≡) to derive transitions: The second semantics has a similar rule but which only allows ≡ to be used after the transition: In psi-calculi there is no such structural rule. For the operational correspondence, however, by the lemma below we can select a suitable structural representative of the pi-F process.
Lemma 3.4. In the quotiented semantics of pi-F, if P α −→ P ′ with a deduction tree of depth n, there is a deduction tree for the transition of depth no larger than n which uses structural congruence only in its last deduction, or not at all.
Proof. By induction over n.
In the proof below, we make use of the fact that weakening holds in Fi: if Ψ ⊢ ϕ then Ψ⊗Ψ ′ ⊢ ϕ, and thus in particular Proof. By Lemma 3.4, without loss of generality we can assume that the transition of P in the premise can be deduced also for Q without using the transition rule for structural congruence. The proof is then by induction on the depth of the deduction, matching each operational rule of pi-F with a rule in psi.
(1) Base case: P = a . P 1 and P a −→ P 1 where P 1 = (νc) x P ′ withc ⊆x. We proceed by induction over the length ofc. The base case is when P 1 = x P ′ , and Induction: we show the case for the parallel rule. Here P = P 1 | P 2 and P 1 , and by Par (and weakening) also (2) Similar to the output case, using Scope instead of Open for the induction overc.
For the correspondence in the other direction, we use the structured semantics of pi-F, which has a rule to rewrite labels: if P α −→ P ′ and P ⊢ α = β, then P β −→ P ′ , where P ⊢ ϕ if the pi-F correspondent to the frame of P entails ϕ. This is similar to the rewriting done in psi-calculi, in the prefix and communication rules.
A transition in psi uses an assertion Ψ, which needs to be part of the process in pi-F; below we write [[Ψ]] −1 for the obvious mapping from Fi assertions to pi-F fusions. In the proofs below, we use results from Section 5.2, and write P ≡ Q for two psi-calculus agents if they can be proved equal by only Theorems 5.7 and 5.8, which correspond to the standard structural congruence.     ↔ b the label can be rewritten to ?a = a and then further rewritten to τ . As above we can assume that P is on the form φ | P ′′ where φ is a fusion and P ′′ has no top-level fusions. Thus b P 1 = b P 2 = ǫ, and by idempotence of . Here, the ask and tell operations interact with a constraint store. The ask ϕ . P operation checks whether a constraint ϕ is satisfied by the current store and only then proceeds as P , corresponding to if ϕ then τ . P in psi-calculi. The tell Ψ . P operation adds a constraint Ψ to the current store before proceeding as P . Two variants of tell have been identified and used: one which can only proceed if the resulting store is consistent is known as atomic tell, and one which allows an inconsistent store and is called eventual tell [Sar93]. The eventual tell operation is used in earlier process calculi which integrate constraints and communication, e.g. the π + -calculus [DRV98] and the ρ-calculus [NM95]. The atomic tell operation is used in the CC-Pi calculus [BM08].
We here present a psi-calculus with concurrent constraints. Similarly to CC-Pi we extend a basic pi-F-like calculus with ask and tell operations and use a named c-semiring [BM08] as the constraint system parameter. Such a constraint system contains names, name fusion/equality constraints and a name hiding operator ν, and supports general constraint semirings, e.g. Herbrand constraints.
Our psi-calculus, call it Ci, with associated named c-semiring C = A, ⊕, ⊗, 0, 1 and induced preorder is: Thus terms are names, while conditions and assertions are defined by the carrier A of the named c-semiring, which by definition includes names and name fusions, and implicitly name equality conditions. The properties of named c-semirings guarantee the requirements of psi-calculi, assuming that substitution on the named c-semiring satisfies our requisites. Abelian monoid properties follow directly, compositionality from Ψ 1 ≃ Ψ 2 ⇒ Ψ 1 = Ψ 2 , and the channel equivalence properties from the fact that = is an equivalence. We extend the encoding of (monadic) pi-F processes and represent ask ϕ . P as if ϕ then τ . P . An eventual tell operation tell e Ψ . P can be represented as τ . ((|Ψ|) | P ). The atomic tell a operation can be handled by adding a condition cons(Ψ) to C with Ψ ⊢ cons(Ψ ′ ) if Ψ⊗Ψ ′ is consistent, and representing tell a Ψ . P as if cons(Ψ) then τ . ((|Ψ|) | P ).
The most prominent difference from the CC-Pi calculus is that there, name fusions resulting from communication are required to be consistent with the store, otherwise the communication cannot happen. In contrast our semantics will allow communication transitions that lead to an inconsistent store. This difference is illustrated below: In CC-Pi: While it appears not possible to integrate an atomic consistency check in a psi-calculus communication without changing our Com rule, explicit consistency checks (like cons(Ψ)) can be used to handle interesting applications in practice. The semantics of CC-Pi is given by a structural congruence and a reduction relation. There is also a labelled operational semantics, but it is in fact not compositional. Consider the CC-Pi agents (where insignificant objects are omitted). They have the same constraint store and the same transitions in all constraint contexts. However, they do not have the same transitions in all process contexts: a parallel context R = a(y).y tells the difference: while Q | R of course has no such c transition. Thus Theorem 1 of [BM08] is incorrect: open bisimilarity is not a congruence (see also [BM09]). The labelled semantics of CC-Pi has a curious asymmetry between the rule for prefixes and the rule for communication: in the first case, the constraint store cannot affect the label induced by the prefix, while in the communication case, the constraint store judges whether the subjects should be considered the same, enabling the communication. The psi-calculi have no such asymmetry: the assertions (corresponding to the store) allow the subject to be rewritten in the prefix rules and the subjects in Com are compared using the assertions (see Section 2.6 for a discussion). A possible fix for CC-Pi would involve allowing the store to rewrite terms, thus also subjects in prefixes [Bus09].
Psi-calculi go beyond most concurrent constraint systems in two ways. Firstly, we allow arbitrary logics, even higher-order ones. Secondly, we allow constraints and conditions to be data terms, which means an agent can transmit and receive these. For example, assume that c is a constraint and that f is a function from assertions to assertions. Then in the agent a c . P | a(z) . ((|f(z)|) | Q) τ −→ P | (|f(c)|) | Q the left hand agent sends the constraint c to the right, and f is applied to it. Similarly, if p is a unary predicate, in the agent a p . P | a(z) . if z(x) then Q τ −→ P | if p(x) then Q the left hand agent sends the predicate to the right, which applies it to x.

Applications
In this section we will look at a few applications of psi-calculi, some of which have been described before in other formalisms, and some which are novel. 4.1. Structured terms as channels. Calculi with channels that can carry complex data are common, but in most cases the terms that represent channels are very simple, usually only a single name. We here give some examples where they have structure, and thus may contain more than one name. 4.1.1. Frequency hopping spread spectrum. Wireless communication over a constant radio frequency has a number of drawbacks. In a hostile environment a radio can be tuned in to the correct frequency and monitor the communication which is also vulnerable to jamming. A solution to these problems is to jump quickly between different frequencies in a scheme called frequency hopping spread spectrum (FHSS), first patented in 1942 [MA42]. To eavesdrop it would then be necessary to match both the order of the frequencies and the pace of switching. Jamming is also made more difficult since the available power would have to be distributed over many frequencies.
We will here show how this is modelled in a psi-calculus. It is assumed that the initiator of the communication and the receiver share an algorithm used to calculate the next frequency. The procedure starts by the initiator sending a communication request over some predetermined frequency. The receiver then sends a seed back to the initiator and both use it to calculate the sequence of frequencies to be used. Then the initiator synchronises over the first calculated frequency to verify that it got the right sequence. The communication then proceeds and both parties change frequencies accordingly.
We will now look at the psi-calculus used to model this frequency hopping algorithm. We let terms represent radio frequencies and use the unary function nextFreq(M ) to represent the algorithm for calculating the next frequency, given the previous frequency M . This psi-calculus has no assertions other than unit.
We define ⊤ to be a . ↔ a in order to be able to use non-deterministic choice as noted in Section 2.4.
Let X in,out be an arbitrary agent that communicates with the environment via the channels in and out. This agent will be wrapped in contexts that will let it do FHSS in a transparent way: from the agent's point of view it will only communicate over the local channels in and out. The agent FHSS that implements frequency hopping looks like: This agent can be thought of as a function fh that will take a frequency and then either wait for something to be received from the local channel out to send over this frequency, or to receive something over this frequency and forward it to the local channel in. It will then calculate the next frequency and start over. The behaviour when the agent X in,out acts as initiator is modelled as a context where the initiating sequence starts by sending a synchronisation message sync over a predetermined control channel ctl, and then waits for a seed from that channel. It then starts the frequency hopping algorithm with the seed and sends a synchronisation message over the first frequency, and behaves as X in,out . It is assumed that seed #X in,out .
I[X in,out ] = ctl sync . ctl (seed ) . fh seed . out sync . X in ,out | FHSS The behaviour when the agent X in,out acts as a receiver is modelled similarly: the receiver listens to the control channel ctl and sends back a seed. Then it starts the frequency hopping algorithm with this seed and waits for a synchronisation message. The receiver then behaves as X in,out . It is assumed that x, seed , s#X in,out .
R[X in,out ] = ctl (s) . (νseed )ctl seed . fh seed . in(x) . X in ,out | FHSS The full system where X in,out may behave as either a receiver or initiator is then modelled as FH [X in,out ] = (νfh, in, out) (I[X in,out ] + R[X in,out ]) where it is assumed that fh#X in,out .
Let us look at a few transitions of the receiver. First the receiver gets a request to do frequency hopping over the control channel: It then sends the seed to the initiator and starts the frequency hopping using this seed: At this point the initiator will send the sync message: After another τ -transition the agent is ready to communicate over the next frequency: This example could easily be made more complex by adding relevant error checking (e.g. the receiver could check that the synchronisation message is correct), but even in this form it illustrates the use of structured channels.

Local services.
A common scenario is that different servers implement the same kind of functionality known under some globally known name. HTTP servers are examples of this where the service provided is normally available on IP port 80. Here the name of the service (port 80) is shared among the different servers. The general problem is that there is a service known under a global name, but available from servers with different names. This problem is treated in depth in [CS01] where the authors invent a new calculus for this purpose. Here we show how the same problem can be solved using an instance of psi-calculi.
The instance used is basically the same as for polyadic pi-calculus as presented in Section 2.4 augmented with terms of form M @N and the entailment 1 ⊢ M @N . ↔ M @N , where M and N are terms. This gives the possibility to scope a part of a channel term, e.g (νb)(a@bc.P ), as in [CM03].
The following example is adapted from [CS01]. Assume there are globally known names finger and daytime which refer to resources located at some server. Different servers have different local information, but this information is accessed through the same globally known names. This can be modelled as where UserList and Date are some terms containing the requested information. The exact nature of these terms is unimportant for this example.
The server listens to incoming requests on channel server and receives two names. The first name is the requested service, and the second is the reply channel. It will then do an internal communication with the particular service daemon. There is no risk of interference since a locally scoped name is part of the service channel. The result of the request is then forwarded along the reply channel.
Since any transitions from Daytime(a) are prevented by the restriction, the final derivative will behave like Server .

4.2.
Cryptography. In this section we give a sequence of examples from cryptography, culminating with a model of the Diffie-Hellman key agreement protocol. Our exposition is quite similar to the applied pi-calculus as presented in [AF01], and we will use a psi-calculus that mimics this closely. The main point is that psi-calculi can express these cryptographic examples in an equally concise way, and within a leaner and more symmetric formalism.
The psi-calculus instance we use for the examples below can be seen as a simplification of APi in Section 3.2 in that we do not distinguish between different kinds of names, and we do not use inequality. To construct this psi-calculus we assume an inductively defined set of terms using a signature Σ, and an equational theory ⊢ Σ which let us infer equations M = N where M and N are terms. Exactly how this theory works is unimportant for this presentation. Substitution is defined in the expected way.
An assertion is a finite set of equations between terms. We often elide the set brackets in agents, e.g. writing (|M = N |) instead of (|{M = N }|). The conditions are just equations M = N . Entailment is defined such that Ψ ⊢ M = N holds if M = N can be inferred from the equational theory ⊢ Σ extended by the equations in Ψ. This instance satisfies the requirements by the same reasoning as for APi.
We start by looking at how one-way hashing is modelled. In addition to symbols for tupling and projection, and their associated equations, the signature contains the unary symbol hash(x) which has no equations. The only equation on hash that is true is hash(M ) = hash(M ), and this means that the hash function is collision free. The following example shows one agent sending a message M together with a hashing x of the message and a secret name s to another agent. The second agent will only forward M if it is properly hashed.
(νs)((|hash(t 2 (s, M )) = x|) | a t 2 (M, x) | a(y) . if hash(t 2 (s, π 1 (y))) = π 2 (y) then b π 1 (y) ) To model symmetric cryptography, the signature is extended as in Section 3.2: we add the binary symbols enc(x, y) and dec(x, y) together with the equation dec(enc(x, y), y) = x. The following agent sends a message M encrypted with the secret key k, without revealing the plaintext or key.
(νk, x)((|enc(M, k) = x|) | ax) a(νx)x − −−− → . . . Asymmetric encryption is modelled by adding two new unary symbols pk(s) and sk(s) which generate the public and secret keys from a common seed value, and the equation dec(enc(x, pk(k)), sk(k)) = x. The following agent sends the public key on channel a, receives a message along channel b, decrypts it with the secret key, and sends the decrypted message along channel c: Non-deterministic crypto is modelled by using a ternary version of the symbol enc(x, y, z) with some salt in the last argument, together with the equation dec(enc(x, pk(k), z), sk(k)) = x. Consider the following agent: a(x). (νm, y)((|enc(M, x, m) = y|) | by) | (νn, z)((|enc(M, x, n) = z|)) | cz An observer of this agent cannot tell whether y and z are encryptions of the same message or not, because of the unique salt.
Digital signatures are modelled by adding the binary symbol sign(x, y), the ternary symbol check(x, y, z), the constant symbol ok, and the equation check(x, sign(x, sk(k)), pk(k)) = ok. The following agent sends a signed message along a, then the parallel component receives it and checks the signature. If it is ok it is then forwarded.
We let Σ include f(x, y) and g(x), and the equation system includes f(x, g(y)) = f(y, g(x)), but no other equations on f and g. The first principal P creates a secret n P and sends an alias x P of g(n P ) to the other principal Q, and Q does likewise. Then P can create the term f(n P , x Q ) and Q can create the term f(n Q , x P ). Using the equations above these two terms are equivalent and the shared secret has been established. Concretely f and g are functions in a multiplicative group modulo a large prime, but here we ignore the number theory.
Let P k P and Q k Q be two agents that will share a secret key and will use the names k P and k Q , respectively, to refer to it. The Diffie-Hellman key agreement is modelled as two symmetric contexts DH 01 [·] and DH 10 [·] in which the agents are placed. The context DH 01 [X k ] is defined as where n, x, a 01 , a 10 #X k and k occurs in X k as a a name that refers to a key. The context DH 10 [X k ] is defined in the same way but with a 10 and a 01 swapped.
The agents P k P and Q k Q agree on the secret by placing them in the contexts: DH 01 [P k P ] and DH 10 [Q k Q ]. The key agreement will then do two internal transitions: where P ′ = (νn P , a 01 , a 10 )((|g(n P ) = x P |) | (νk P )((|f(n P , x Q ) = k P |) | P k P )) Q ′ = (νn Q , a 01 , a 10 )((|g( The x and n from the context have been alpha-converted to the variants with subscripts to avoid clashes.
Since the agents are communicating over a public channel the messages may be intercepted by a passive attacker which then forwards them unmodified. In presence of such an attacker the agents evolve to P ′ | Q ′ where the lack of binders for x P and x Q represent that the hostile environment now has access to these values. We show that this does not break the protocol.
As a specification for this protocol we put P k P | Q k Q in a context where they already share a secret, here represented by the name k ′ : S = (νk P , k Q , k ′ )((|k ′ = k P |) | (|k ′ = k Q |) | P k P | Q k Q ). We then show that P ′ | Q ′ and S behave the same, denoted P ′ | Q ′ ∼ S. The precise meaning of ∼ is given in Section 5, but for this particular example it is sufficient to think of ∼ as equivalence of the frames of S and P ′ | Q ′ according to Definition 2.5. This equivalence is closed under parallel composition (if P and Q behave the same, then so will P | R and Q | R for any agent R) and restriction (if P and Q behave the same, then so will (νa)P and (νa)Q, for any a).
We have that (νn P , a P )((|g(n P ) = x P |) | (|f(n P , The reason is that the only condition entailed on both sides is k P = k Q , no equalities can be entailed on x P and x Q . Since ∼ is closed under parallel composition we can add the agents: (νn P , a P )((|g(n P ) = x P |) | (|f(n P , Finally, by the structural laws of Theorem 5.8 in Section 5.2:

Bisimilarity
In this section we define a notion of strong bisimilarity on agents and prove that it satisfies the expected algebraic laws and substitutive properties. The results hold for any psi-calculus and give us confidence in the semantic definitions. 5.1. Definition. In the standard pi-calculus the notion of strong bisimulation is used to formalise the intuition that two agents "behave in the same way"; it is defined as a symmetric binary relation R satisfying the simulation property: R(P, Q) implies that for α such that bn(α)#Q, For a psi-calculus we additionally need to take the assertions into consideration. The behaviour of an agent is always taken with respect to an environmental assertion. We define bisimulation as a ternary relation R(Ψ, P, Q), saying that P and Q behave in the same way when the environment asserts Ψ. Because of this two additional issues arise. The first is that the agents can affect their environment through their frames (and not only by performing actions), and this must be represented in the definition of bisimulation. The second is that the environment (represented by Ψ in R(Ψ, P, Q)) can change, and for P and Q to be bisimilar they must continue to be related after such changes. This leads to the following definition of strong bisimulation.
Clauses 2 and 4 are familiar from the pi-calculus. Clause 1 captures the fact that the related agents have exactly the same influence on the environment through their frames, namely that when they add to the existing environment (Ψ) then exactly the same conditions are entailed. Clause 3 means that when the environment changes (by adding a new assertion Ψ ′ ) the agents are still related. An example may clarify the role of this clause. Let β be a prefix and let ϕ be any non-trivial condition, and consider P = β.β.0 + β.0 + β. if ϕ then β.0 Q = β.β.0 + β.0 P can non-deterministically choose between three branches and Q between the two first of them. Here P and Q are not bisimilar. If P performs an action corresponding to its third case, reaching the agent P ′ = if ϕ then β.0, there is no way that Q can simulate since neither Q ′ = 0 nor Q ′ = β.0 is equivalent to P ′ in all environments. In fact, any reasonable variant of bisimulation that equates P and Q will not be preserved by parallel. To see this, let T be γ.(|Ψ|), where γ is any prefix and Ψ an assertion that entails ϕ. Then the transition P | T β −→ P ′ | T cannot be simulated by Q|T , since P ′ |T can only do an action γ followed by an action β, whereas β.0|T can do β immediately, and 0|T can do no β at all. This demonstrates why clause 3, extension of arbitrary assertion, is necessary: it says that after each step all possible extensions of the assertion must be considered. If we would merely require this at top level, i.e. remove clause 3 and instead require ∀Ψ.R(Ψ, P, Q) in the definition of P . ∼ Q, the extensions would not recur; as a consequence P and Q in the example would be equivalent, and the equivalence would not be preserved by parallel.
For another example, consider In R the condition ϕ is checked twice. In general R and S are not equivalent. To see this, let Ψ and Ψ ′ be such that Ψ ⊢ ϕ and Ψ⊗Ψ ′ ⊢ ϕ. We then have that Ψ ✄ R β −→ if ϕ then β.0 and it cannot be simulated by Ψ ✄ S β −→ β.0 because of the recurring clause of extension of arbitrary assertion: if ϕ then β.0 has no transition in the environment Ψ⊗Ψ ′ . However, if the entailment relation satisfies weakening, i.e. Ψ ⊢ ϕ ⇒ Ψ⊗Ψ ′ ⊢ ϕ, we get the intuitive result that R and S are bisimilar. This also demonstrates the inadequacy of the smaller and simpler definition of . ∼ as the largest relation satisfying The difference is that here bisimulation recurringly requires to hold for all assertions, not only for those that are extensions of the ones passed so far. This would have the unintuitive effect of making R and S in the example above non-bisimilar, even if weakening holds. If there are inconsistent assertions, i.e. assertions that entail all conditions, the effect of Clause 3 is very strong: Bisimilar agents are required to behave the same even if the environment is inconsistent. For example, in this situation the agent (νa)a . 0 is not equivalent to 0, since an inconsistent assertion can make all names channel equivalent, and therefore (νa)a . 0 has actions with all names except a as subject. The algebraic properties to follow hold for all psi-calculi, including those with inconsistent assertions. It remains to be seen if and how bisimulation in such psi-calculi is useful to model applications.
Interestingly, there is an alternative way to define bisimulation as a binary relation preserved by parallel contexts.
Such a definition is more in line with standard contextual bisimulations, and also the way bisimulation is defined in the applied pi-calculus. The drawback is that it relies on an operator in the calculus (parallel) for its definition. For conducting proofs our experience is that Definition 5.1 is preferable. We have shown that these bisimilarities coincide, i.e., the definitions result in the same bisimulation equivalence: Theorem 5.3 (Bisimilarity and context bisimilarity coincide). .
We now show that the usual strong early bisimilarity for the pi-calculus, denoted . ∼ π , and bisimilarity in the instance Pi coincide.
Proof. (⇒): Static equivalence and extension of arbitrary assertions hold trivially since the only assertion is 1. Symmetry follows directly, and simulation follows from Lemma 3.3. (⇐): Symmetry follows directly, and simulation follows from Lemma 3.3.
In addition, we conjecture that Inside-outside bisimilarity for the pi-F calculus [Wis01, Definition 17] coincides with bisimilarity for the psi-calculus Fi (see Section 3.3.1).

Algebraic properties.
Our results are that bisimilarity is preserved by the operators in the expected way, and also satisfies the expected structural algebraic laws.
Definition 5.6. P ∼ Ψ Q means that for all sequences σ of substitutions it holds that P σ . ∼ Ψ Qσ, and we write P ∼ Q for P ∼ 1 Q.
Our requirements on the substitution function are very weak. For example, we do not require that P Theorem 5.7. ∼ Ψ is a congruence for all Ψ.
Theorem 5.8. ∼ satisfies the following structural laws: The most awkward part of the proofs is for Theorem 5.5(1), and historically this is the proof that most often fails in calculi of this complexity; the intricate correspondences between parallel processes and their assertions are hard to get completely right. We give an outline of the proof and cover in detail the simulation case where the parallel processes communicate with each other. In the following we tacitly assume F(P ) = (ν b P )Ψ P , where b P #P , for any agent P , unless otherwise noted.
We pick the candidate relation R = {(Ψ, (ν a)(P | R), (ν a)(Q | R)) : P . ∼ Ψ⊗Ψ R Q} where a#Ψ, and prove that R is a bisimulation. Moreover we assume that b P # b Q , Q, b R , R, Ψ, and b R #P, Q, Ψ, or, in other words, that bound names are distinct from all free names and other bound names. Formally the proof is conducted by an induction on the length of a. The induction step is straightforward, so we focus on the base case. The agent P | R can operate either by P or R doing individual actions, or by P and R communicating, where we cover the latter case, as it is the most involved.

PSI-CALCULI: A FRAMEWORK FOR MOBILE PROCESSES WITH NOMINAL DATA AND LOGIC 35
The presence of assertions in the transitions complicates the proof. We know that P . ∼ Ψ Q, and hence by Definition 5.1(3) that P .
since that transition is derived by the assertion Ψ⊗Ψ P , and not Ψ⊗Ψ Q . Moreover, M and K are channel equivalent by the assertion Ψ⊗Ψ P ⊗Ψ R , and not Ψ⊗Ψ Q ⊗Ψ R , which would be needed to derive the desired communication. In order to complete the proof, we need a lemma which switches the occurrences of Ψ P to Ψ Q in the transition of R, as well as in the channel equality.
Once a communication has been derived, we must prove that the corresponding derivatives (νã)(P ′ | R ′ ), and (νã)(Q ′ | R ′ ) are in the candidate relation R. From the definition of R we get that this holds if P ′ .
∼ Ψ⊗Ψ R ′ Q ′ , but we only know that P ′ . ∼ Ψ⊗Ψ R Q ′ . In order to complete the proof, P ′ and Q ′ must be bisimilar in the assertion Ψ⊗Ψ R ′ , and not only in Ψ⊗Ψ R .
We provide lemmas which will address both of these obstacles in turn, after which this proof will be concluded. Lemma 5.11 simultaneously changes the assertion deriving the transition for R, and the channel equality, and Lemmas 5.12 and 5.13 ensure that the derivatives of the communicating agents are in the candidate relation R. Lemmas 5.9 and 5.10 are two generally applicable lemmas used to prove Lemma 5.11. We define subj(M (ν a)N ) = M and similarly for input actions.
The first lemma shows that given a finite set of names B that are fresh for P we can find a term M channel equivalent to the subject of an action from P whose names are fresh for B.
Proof. A straightforward induction on the length of the derivation of the transition. In the base case we choose M as the prefix in the agent.
The next lemma shows that given a transition we can find another transition whose subject is channel equivalent to the subject of the original transition and that leads to the same derivative as the original transition.
The symmetric lemma where P does an input is omitted.
Proof. A straightforward induction on the length of the derivation of the transition.
We can now prove the lemma which allows us to simultaneously switch the assertions deriving a transition, as well as channel equality in a communication. This lemma looks a bit intimidating and the proof details can safely be skipped at a first reading. It says that if P and Q are bisimilar and P can communicate with R via the channel K, then there exists a channel K ′ such that Q can communicate with R via K ′ .
There is also a symmetric lemma where R does an input.
Proof. By induction on the length of the derivation of the transition from R. We only look at one base case and one induction step here. The other cases are similar. Out: In this case R = K s N.R ′ for some term K s , and the transition is derived like this: Since b P #Ψ, R we get that Ψ⊗F(P ) ⊢ K s . ↔ K s . This in turn gives us that Ψ⊗F(Q) ⊢ K s . ↔ K s , which means that Ψ⊗Ψ Q ⊢ K s . ↔ K s . We then establish the first conjunct by: ↔ M (since in this case Ψ R is 1). Identity and transitivity then give us that Ψ⊗Ψ P ⊢ K s . ↔ M . Since b P #R, M we have that Ψ⊗F(P ) ⊢ K s . ↔ M and since P and Q are bisimilar we also have that Ψ⊗F(Q) ⊢ K s . ↔ M . We finally get Ψ⊗Ψ Q ⊢ K s . ↔ M . The third conjunct is trivial since b R is empty. Scope: In this case R = (νb)R ′ for some name b and the transition is derived like this: Let b# b P , b Q , P, Q. Note that by definition we have Ψ (νb)R ′ = Ψ R ′ . We also have that From the induction hypothesis we then get From the fact that P and Q are bisimilar we get that Ψ⊗Ψ (νb) By Lemma 5.9 we learn that there exists a term K ′′ such that ↔ M , fulfilling the second obligation, and that B#K ′′ . This gives us that b R ′ , b#K ′′ . By transitivity we then get that Ψ⊗Ψ (νb)R ′ ⊗Ψ Q ⊢ K ′ .
↔ K ′′ . We now use Lemma 5.10 to get that Ψ⊗Ψ Q ✄ R ′ K ′′ (ν a)N − −−−−− → R ′′ . Finally we do the following derivation: The following lemma proves that when an agent performs a transition, its frame is extended with a new assertion (Ψ ′ below): Proof. A straightforward induction on the length of the derivation of the transition.
Finally, we need a lemma which allows us to switch the environment for a bisimulation for an equivalent one. ∼ Q ∧ Ψ ≃ Ψ ′ }. The four cases are proved separately. Case 1: Follows from the fact that ⊗ is compositional, where the bound names of the frames of P and Q are alpha-converted not to clash with Ψ ′ . Case 2: S is trivially symmetric, since . ∼ and ≃ are symmetric. Case 3: Follows from the fact that ⊗ is compositional. Case 4: From the definition of . ∼ and the transition Ψ ✄ P ∼ Q ′ . By induction on the derivation of this transition, and the fact that Ψ ≃ Ψ ′ , we get that With these lemmas in place we complete the proof of Theorem 5.5(1) commenced at the beginning of this section. The case we are proving is when P | R performs a communication. We must find a corresponding transition from Q | R such that the derivatives remain in the candidate relation R. The agents P and R can communicate using the following derivation.
Our goal is to replace P with Q in the premises so that we can derive the simulating transition. Let F(Q) = (ν b Q )Ψ Q be such that b Q #P, b R , R, Ψ, M .
We use Lemma 5.11, to obtain Ψ Q ⊗Ψ ✄ R Since P and Q are bisimilar we have that We then derive the following: We know that P ′ . ∼ Ψ⊗Ψ R Q ′ and by clause 3 in the definition of bisimulation (extension of arbitrary assertion) that P ′ .
∼ Ψ⊗Ψ R ⊗Ψ ′ Q ′ for any Ψ ′ . By Lemma 5.12 we know that there exists a Ψ ′′ such that Ψ R ⊗Ψ ′′ ≃ Ψ R ′ , so in particular, using Lemma 5.13, we have that The proofs of theorems 5.3,5.5-5.8 follow a similar pattern, using induction over the lengths of the derivations of the transitions. The part we have just shown is the most challenging. Further proofs are found in [Joh10].

Formalisation in Isabelle
As the complexities of calculi increase, the proofs become more complicated and therefore more error prone. In Section 3 we discussed how both the applied pi-calculus and the concurrent constraint pi-calculus have turned out to be non-compositional. This hints at the complexity of the proofs and the difficulty of getting them right. Our proofs for psi-calculi are also sometimes long and intricate. For example, the proof sketch of Theorem 5.5(1), described in the previous section, is substantially more complicated than its corresponding proof for the pi-calculus. However, we emphasise that the proof is not substantially different in structure: it is just a set of properties of transitions, all established by induction over the the definition of the semantics. In this, psi-calculi are simpler than many other calculi that rely on stratified definitions of the semantics with devices such as a structural congruence.
In order to ensure that proofs are correct, automated and interactive proof assistants or theorem provers can be used to formally verify the proofs with the aid of a computer. We have completely formalised all results in Section 5, with the exception of Theorem 5.4, in the interactive theorem prover Isabelle. To the best of our knowledge, no calculus of this complexity has previously been formalised in a theorem prover. We have earlier [BP07] formalised a substantial part of the pi-calculus meta-theory in Isabelle. This section will cover the main extensions needed to formalise the framework for psi-calculi. More in-depth expositions are found in [BP09,Ben10].
6.1. Alpha-equivalence. The main difficulty with formalising any process algebra in a theorem prover is to reason about alpha-equivalence in a convenient way. When conducting manual proofs on paper this notion is often glossed over, and statements such as "we assume any bound name under consideration to be sufficiently fresh" are commonplace. For machine checked proofs this poses a problem. Exactly what does it mean for a bound name to be sufficiently fresh?
We use Nominal Isabelle [Urb08] to formalise datatypes with binders, and to reason about them up to alpha-equivalence; in other words, all our proofs deal with alpha equivalence classes rather than with particular representatives. As usual alpha variants of agents are identified , so e.g. (νa)P = (νb)((a b) · P ), when b#P , and similarly for names bound in the input construct. Formally, name swapping on agents distributes over all constructors, and substitution on agents avoids captures by binders through alpha-conversion as usual. In that way Nominal Isabelle provides an alpha-equivalence class of agents where the support of P is the union of the supports of the components of P , removing the bound names. This corresponds to the names with a free occurrence in P .
Frames contain binders and we reason about their alpha equivalence classes in the same way. Also, transitions contain binders. Consider the output transition Ψ ✄ P To be completely formal, as described in [BP07],ã is a binding occurrence with a scope that contains both N and P ′ . We accomplish this by creating a datatype containing both an action and the derivative process as follows.
Definition 6.1 (Residuals). A residual with the action α and the derivative P ′ , is written α ≺ P ′ .
Thus we have the following three forms of residuals: In the Output residual,ã binds into both N and P ′ . In this way we get a nominal datatype of residuals where name swapping just distributes to its components and the support is the free names. A transition is then simply a pair consisting of an agent and a residual. Again, Nominal Isabelle allows us to reason about alpha equivalence classes of transitions. Typically a property of transitions is established by induction, with one case for each rule. This means that we assume the property of the premise of the rule, and must establish it for the conclusion. Since we work with alpha equivalence classes it is enough to establish the property for one representative of the alpha equivalence class. This formalises the principle that we may always pick bound names fresh.
Datatypes for agents, frames and transitions in Nominal Isabelle require sequences of binders, e.g. in the input prefix and in the output action. It is important to reason about arbitrarily long binding sequences as atomic objects, otherwise there would be a constant need for inductive proofs over the length of these sequences. Nominal Isabelle only supports single binders, and we have therefore created infrastructure to reason about arbitrarily long binding sequences. When alpha-converting a binding sequence, we generate a name permutation p which when applied to the sequence makes it sufficiently fresh. The same permutation is then applied to everything under the scope of the binders, for example: if p ⊆x × (p ·x) and (p ·x) # (N, P ) The side condition of this alpha-conversion looks a bit intimidating, but intuitively p swaps members of the original binding sequence to other names such that the resulting binding sequence meets the desired freshness constraints. This style of alpha-conversion was first introduced by Urban and Berghofer, although to the best of our knowledge it is still unpublished. We cover it more extensively in [BP09].
6.2. Formalising parametric calculi. The framework for psi-calculi is a parametric formalism. A psi-calculus agent consists of terms, assertions and conditions. This is modelled in Isabelle by creating a polymorphic datatype with three type variables. A psi-calculus agent will thus have the type (α, β, γ) psi, where α, β, and γ represents terms, assertions, and conditions respectively. All members of these types need to have finite support. Isabelle has excellent facilities for a parametric style of reasoning through the use of locales [Bal03]. Locales allow us to specify which functions must exist for the parameters, and which assumptions must hold on them. The entire proof structure of the meta theory is then built using the provided locale parameters. When creating a psi-calculus instance, the functions must be provided and the assumptions must be proved. Once this is done, all meta-theoretical proofs will be guaranteed to hold for the new instance.
One requirement from Section 2.1 is that there is a substitution function which substitutes terms for names in assertions, conditions and terms. To this end, a locale is created with a substitution function of type δ → name list → α list → δ, where the type α will be what we use for terms, and the type δ can be any of the three nominal sets. The locale contains the following assumptions, which implement the requirements of a substitution function mentioned in Section 2.1 The assumptions on this locale are straightforward. As all functions in any nominal formalisation, substitution must be equivariant. Freshness is a reformulation of requirement 1 in Section 2.1. Similarly, Alpha-equivalence is requirement 2. Intuitively this means that the vector being substituted is switched to one which is sufficiently fresh. As an example of its use, consider the Input rule. If a proof requires the input agent to be alpha-converted to M (λp · y)(p · N ).(p · P ) such that p ·ỹ is sufficiently fresh, it is necessary to convert N [ y := L] to (p · N )[(p · y) := L], and P [ y := L] to (p · P )[(p · y) := L] to still be able to derive the input transition. The last constraint accomplishes this. This locale is then instantiated three times: for terms, assertions and conditions respectively. The nominal morphisms in Definition 2.1 are modelled in a locale which specifies their existence and equivariance properties. Inside this locale we also define equivalence for assertions and frames and provide an infrastructure for reasoning about equivalence. This locale is then extended with the requisites in Definition 2.3.
Finally, the substitution locale is combined with the locale for equivalence to form an environment in which the rest of the theories can be proved. The locales offer a very intuitive way of reasoning about parametric systems, and without them this formalisation would have been very hard. 6.3. Encoding partial operators. In Definition 2.6, there is a well-formedness condition that all agents occurring under a Case or Replication operator must be guarded. Formally, this means that these operators are not total. For example, (|Ψ|) is an agent but !(|Ψ|) is not.
To represent this in Isabelle, we take the technically easiest approach to augment the Case and the Rep-rules of the operational semantic with a premise that the agents they operate on are guarded. In effect this allows non well-formed agents, but they have no transitions and are all bisimilar to 0. All Isabelle proofs hold for all agents, so in particular they hold for all well-formed agents. Therefore the Isabelle formalisation establishes the theorems presented in this paper. A few lemmas, for example that bisimilarity is preserved by Replication, need an extra premise that the agents are guarded, but in the vast majority of lemmas the necessary properties follow from the operational semantics.
An alternative would be to constrain the datatype representing agents to well formed agents and thus ensure that all inhabitants of that type meet the required constraints. This more closely resembles Definition 2.6, and would be the method of choice for use with a theorem prover such as Coq that supports dependent typing. There the well-formedness conditions can be integrated into the psi-datatypes, i.e. for all proofs we can assume that we are only dealing with well-formed agents. The downside of this approach is that whenever an agent is constructed, a proof that it is well-formed must also be supplied.
A third option to encode partial operators would be to decorate all lemmas which use the well formedness property with an assumption that the agents are well formed. We avoided this since it would clutter up a significant amount of lemmas with extra premises. 6.4. Results and experiences. Using Isabelle to formalise the proofs for psi-calculi in parallel to its development has turned out to be invaluable, and we would certainly not have finished successfully without it. Throughout the development we have uncountable times stumbled over slightly incorrect definitions and not quite correct lemmas, prompting frequent changes in the framework. For example, our mistake in [JPVB08] mentioned in Section 2.6 was found during proof mechanisation and would probably not have been found at all without it; at that time we had completed a manual "proof" that turned out incorrect. The Isabelle formalisation gives us a high degree of confidence in the proved theorems, and equally important, it gives us a repository of proofs and proof strategies that can be re-used when some detail needs to change. Finding out which ramifications a change has on the proofs is quick and straight forward. With manual proofs, changing a detail would mean the boring and dangerously error prone process of going over each proof by hand.
As just one example, in a previous version, the Case rule looked as follows: In this rule, the choice of which branch to take in a case statement yields an internal action, after which the process P evaluates as usual. An implication is that the requirement that P is guarded can be omitted. We initially adopted this rule since it admits simpler induction proofs. At a quite late stage we decided to change it to the present rule, since this more closely resembles what is used in similar calculi. The change prompted a rework of the entire proof tree from the semantics and up. The total effort was approximately eight hours, and we now know that the new rule does not cause any problems.
Currently we have formally proved theorems 5.3,5.5-5.8 using Isabelle, including all supporting lemmas. The entire implementation in Isabelle is about 18000 lines of code. It includes infrastructure for smooth treatment of binding sequences, and it has developed gradually over two years. The total effort for the present framework is hard to assess, since it has followed us through many failed attempts and false starts. Once in place the marginal effort of formalising more results is manageable. As an example, the total effort in proving Theorem 5.3, which was one of the last things we implemented, was less than one day.

Conclusion and Further Work
We have defined a framework for mobile process calculi, parametrised on nominal types for data terms and for a logic to express assertions and conditions. The expressiveness surpasses the most advanced competing calculi. The semantics is a single inductive definition, which means that proofs are comparatively easy. We have fully formalised the framework in the interactive theorem prover Isabelle, which gives us full confidence in our results on bisimulation and provides a readily available infrastructure for conducting proofs of many instances and variants.
In [JVP10] we develop a symbolic semantics and bisimulation equivalence, and prove full abstraction with regards to ∼. This kind of semantics is essential for reducing the state space explosion when exploring transitions and comparing for equivalence, making it ideal for use in automated tools. In [JBPV10] we explore weak bisimulation equivalence, where τ actions are considered unobservable. Our results indicate that the presence of assertions significantly complicates the definitions, in contrast to the situation with strong bisimulation. Interestingly, for psi-calculi that satisfy weakening (i.e. Ψ ⊢ ϕ =⇒ Ψ⊗Ψ ′ ⊢ ϕ) the definitions can be greatly simplified. We also investigate a barbed equivalence and determine what kind of observations are needed for full abstraction. The current development of psi-calculi is covered in [Joh10] and the associated formalisation in Isabelle is accounted for in [Ben10].
We intend to explore typed psi-calculi. One idea is to find out what properties the type system must have in order for the usual theorems such as subject reduction to hold. We are also considering variants of psi-calculi with broadcast communication, where one sender may communicate directly with several receivers, and higher order communication, where agent definitions can be transmitted and executed by the recipient. It seems that both these variants can be accommodated with very small changes of the semantics and that large parts of our formal proofs carry over.