A Characterisation of Open Bisimilarity using an Intuitionistic Modal Logic

Open bisimilarity is defined for open process terms in which free variables may appear. The insight is, in order to characterise open bisimilarity, we move to the setting of intuitionistic modal logics. The intuitionistic modal logic introduced, called $\mathcal{OM}$, is such that modalities are closed under substitutions, which induces a property known as intuitionistic hereditary. Intuitionistic hereditary reflects in logic the lazy instantiation of free variables performed when checking open bisimilarity. The soundness proof for open bisimilarity with respect to our intuitionistic modal logic is mechanised in Abella. The constructive content of the completeness proof provides an algorithm for generating distinguishing formulae, which we have implemented. We draw attention to the fact that there is a spectrum of bisimilarity congruences that can be characterised by intuitionistic modal logics.


Introduction
This work provides insight into the logical nature of open bisimilarity [San96], but firstly we recall why open bisimilarity itself is important. An asset of open bisimilarity is that it defines a congruence relation for open process terms, i.e., process terms containing free variables. Recall that the original notions of bisimilarity proposed for the π-calculus (early and late bisimilarity [MPW92,MPW93]) do not directly define congruence relations for open process terms. Having a bisimilarity that is a congruence for open process terms improves compositional reasoning, since, having established an algebraic property, we can apply the property with confidence anywhere inside a process, even under constructs such as input prefixes that bind variables. By providing a notion of bisimilarity that is a congruence for open process terms, open bisimilarity provides a method for the π-calculus that stays true to this desirable property of a process algebra.
Besides improved algebraic properties, open bisimilarity can be used to improve the efficiency of equivalence checking. For example, open bisimilarity is the notion of bisimilarity implemented in the Mobility Workbench [VM94], the first toolkit for the π-calculus, and in the tool SPEC [TNH16], an equivalence checker for the spi-calculus, useful for verifying cryptographic protocols. A reason open bisimilarity is efficient to implement is that it allows a lazy approach to instantiating variables. When we perform an input action, we are not required to explore all possible inputs. Instead, we can represent the input value as a variable symbolically representing all possible inputs. This symbolic approach to inputs can avoid unnecessarily exploring hyper-exponentially many inputs, and instead explores only the state space necessary. This lazy "call-by-need" approach to input transitions is particularly useful when checking bisimilarity for applied extensions of the π-calculus, where infinitely many messages may be received for a single input action [BN06,TD10,HM21]. Thus open bisimilarity has impact beyond the setting of the π-calculus.
The trick for ensuring that open bisimilarity is a congruence, and also for permitting a lazy approach to inputs is as follows: an open bisimulation is closed under all permitted substitutions at every step in the bisimulation game. When we move to the setting of logic, closure under substitutions corresponds to a concept called intuitionistic hereditary, which can be used to induce an intuitionistic logic [Kri65]. This observation leads us to the intuitionistic modal logic in this work.
To understand why closing under substitutions results in an intuitionistic modal logic, firstly consider the setting of a classical modal logic. In a classical setting, the law of excluded middle holds, hence we expect that ⟨τ⟩tt ∨ ¬⟨τ⟩tt is a tautology. That is, any process can either perform a τ-transition or it cannot perform a τ-transition.
In contrast, now consider the setting of an intuitionistic modal logic. In the intuitionistic setting we close under all substitutions, so P ⊨ ¬⟨τ⟩tt now reads: under any substitution σ, process Pσ cannot perform a τ-transition. Under this interpretation we have the following.
āb | c(x) ⊭ ¬⟨τ⟩tt
To see why the above is not satisfiable, observe that, by applying substitution {c/a} (replacing a by c) to the above process, we reach process c̄b | c(x), which is a π-calculus process for which a communication is enabled on the channel represented by variable c. Since we have demonstrated there is a substitution under which a τ-transition can be performed, process āb | c(x) cannot satisfy formula ¬⟨τ⟩tt in the intuitionistic setting.
As in the classical case, in the intuitionistic case we have the following, since there is a substitution under which no communication can be performed (the identity substitution).
āb | c(x) ⊭ ⟨τ⟩tt
Putting the above together, we have the following in our intuitionistic modal logic, since we have just shown that neither branch of the disjunction is satisfiable.
āb | c(x) ⊭ ⟨τ⟩tt ∨ ¬⟨τ⟩tt
Notice that the above was claimed to be a tautology in the classical case, since it is an instance of the law of excluded middle. Hence the above example demonstrates that, by closing operators of the modal logic under substitutions, the law of excluded middle does not hold. The absence of the law of excluded middle is a key criterion for any intuitionistic logic.
Intuitively, the absence of the law of excluded middle for the example above can be interpreted as follows. For āb | c(x), we have not yet decided whether the process can perform a τ-transition or not perform a τ-transition. It is possible that a and c could be the same channel but, since they are variables, we have not yet decided whether this is the case. So, inducing the key feature of an open bisimulation, closure under substitutions, in a modal logic gives rise to an intuitionistic modal logic. Furthermore, we establish in this work that such an intuitionistic modal logic, called OM, characterises open bisimilarity. In the tradition pioneered by Hennessy and Milner [HM85], a modal logic characterises a bisimilarity whenever, given two processes, they are bisimilar if and only if there is no distinguishing formula separating them. A distinguishing formula is a formula that holds for one process but does not hold for the other process. Such distinguishing formulae are useful for explaining why two processes are not bisimilar, since when processes are not bisimilar we can always exhibit a distinguishing formula.
As an example of a distinguishing formula, consider the following two processes.
R ≜ τ.(āb.a(x) + a(x).āb + τ) + τ.(āb.c(x) + c(x).āb)      S ≜ R + τ.(āb | c(x))
The above processes are not open bisimilar. Process R satisfies [τ](⟨τ⟩tt ∨ ¬⟨τ⟩tt), where the box modality indicates that ⟨τ⟩tt ∨ ¬⟨τ⟩tt holds for all processes reachable by applying a substitution and then a τ-transition. However, process S does not satisfy [τ](⟨τ⟩tt ∨ ¬⟨τ⟩tt), since there is a τ-transition to process āb | c(x) that we just agreed does not satisfy ⟨τ⟩tt ∨ ¬⟨τ⟩tt. In this example, the absence of the law of excluded middle is necessary in order for a formula distinguishing these processes to exist in OM.
Modal logics characterising late bisimilarity and early bisimilarity were developed early in the literature on the π-calculus, by Milner, Parrow and Walker [MPW93], as part of the motivation for the π-calculus itself. However, proving that a modal logic can characterise open bisimilarity was an open problem until a solution was provided in the conference version of this paper [AHT17a]. This extended version includes more details on proofs, new examples, details on the mechanisation of soundness, and further insight into the spectrum of bisimilarity congruences that can be characterised by variants of our intuitionistic modal logic. We also show that soundness and completeness results for OM extend from finite processes to infinite but finitely branching processes, without changing the logic, since finite distinguishing strategies are sufficient to distinguish such processes.
A key novelty of this work is the constructive proof of completeness of this logical characterisation. Due to the intuitionistic nature of the modal logic, the completeness proof cannot appeal to certain classical principles, such as de Morgan dualities. This forces the proof to follow a strategy quite different to corresponding completeness proofs for classical modal logics. The proof directly constructs a pair of distinguishing formulae for every pair of processes that are not open bisimilar.
Outline. Section 2 introduces the semantics of intuitionistic modal logic OM. Section 3 recalls open bisimilarity and states the soundness and completeness results. Section 4 presents the proof of the correctness of an algorithm for generating distinguishing formulae, which is used to establish completeness of OM with respect to open bisimilarity. Section 5 situates OM with respect to other modal logics in the spectrum of classical and intuitionistic notions of bisimilarity, highlighting that open bisimilarity is not a canonical notion of bisimilarity congruence for the π-calculus and that other bisimilarity congruences can also be characterised by intuitionistic modal logics, including a new notion of late bisimilarity congruence, called intermediate bisimilarity, introduced for this discussion. Section 6 describes how the proof assistant Abella [BCG+14] was used to mechanically prove soundness of OM with respect to open bisimulation. The soundness theorem (Section 6) and selected examples (Section 2 and Section 4) have been mechanised in the Abella theorem prover, and are available online.¹ Section 7 demonstrates an implementation of the algorithm automatically generating distinguishing formulae, extracted from the proof of Proposition 4.9.
[Figure 1: Syntax and semantics of the π-calculus, omitting symmetric rules for choice and parallel composition, where n(x(y)) = n(x̄(y)) = n(x̄y) = {x, y}, bn(x(y)) = bn(x̄(y)) = {y}, n(τ) = bn(τ) = bn(x̄y) = ∅, and fn(π) = n(π) \ bn(π). Processes νx.P, z(x).P and z̄(x).P bind x in P.]

Introducing the intuitionistic modal logic OM
We recall the syntax and labelled transition system of the π-calculus (Fig. 1). Note all the atomic symbols x, y, . . . are variables. There is no separate syntactic class for channels or names in this presentation of the π-calculus. Distinctions between the roles of variables are made by the use of binders: variables may appear as open variables, be bound by an input binder, or by a new name binder. Notably, the new name binder νx.P indicates any occurrence of x in P is a ground name that is distinct from any other ground name and cannot be guessed by an observer unless it is provided explicitly to the observer through an output action.² Variables may also be bound by an input binder, say z(x).P, where occurrences of variable x in P are treated as placeholders for some message (also represented by a variable) that will be received when an input on a channel represented by variable z occurs. Variables that are not bound, i.e., free variables, are critical for this call-by-need approach to the π-calculus, where they are used as symbolic placeholders that range over all possible ways in which they may be instantiated. Other features include: the deadlocked process that can do nothing, output prefixes that output a free variable or extrude a variable bound by a new name binder on a channel, the silent progress action τ, the match guard that tests for equality, parallel composition, and non-deterministic choice. We also include a replication operator, which creates unboundedly many parallel copies of a process.
Transitions are labelled with four types of action ranged over by π: free outputs, bound outputs, inputs and internal progress (τ). A free output represents sending a free variable, whereas a bound output represents extruding a bound name. We employ a late labelled transition system for the π-calculus, where the variable on the input action is a symbolic placeholder that need not be instantiated until after an input transition. The action τ represents some internal communication, resulting from the synchronisation of an input and output action. We use the notations bn(E) and fn(E) to represent the bound variables and, respectively, free variables in a given expression E (processes, actions, formulae, etc.). We assume α-conversion for bound variables.
Histories are used in the definitions of both the intuitionistic modal logic and open bisimilarity. Histories are lists representing what is known about free variables due to how they have been communicated previously to the environment. There are two types of information about variables recorded in a history. Variables x that were bound by a new name binder and have been extruded using an output action ā(x) we call private names, and denote them in histories by x^o. Variables z, symbolically representing the possible messages received by an input action a(z), are denoted in histories by z^i. What matters is the alternation in the history between variables representing extruded private names and variables representing symbolic inputs: if an input variable is to be instantiated with a private name, the private name must have been extruded by an earlier output in the history. This is reflected in the following definition of a respectful substitution.
Definition 2.1 (σ respects h). A history is a (dot separated) list of variables annotated with o or i. Substitution σ respects history h whenever, for all h′ and h″ such that h = h′ · x^o · h″, we have xσ = x and, for all y ∈ fn(h′), yσ ≠ x. Here fn(h′) is all the variables appearing anywhere in h′.
For example, substitution {y/z} (replacing z by y) respects history x^i · y^o · z^i, since input variable z appears after y was output, hence y was known to the environment at the time z was input. In contrast, substitution {y/x} does not respect history x^i · y^o · z^i, since variable x was input before private name y was output.
Remark 2.2. Note that histories fulfil the role of sets of inequality constraints called distinctions in the original work on open bisimilarity [San96]. Although distinctions are more general than histories, it is shown in [TM10] that given a history h and its corresponding distinction D, the corresponding definitions of open bisimilarity coincide.
Histories effectively form a symbolic constraint system restricting the use of variables. It is worth noting that the effect of histories can also be achieved by maintaining a set of fresh name constraints, indicating that a private name output is fresh with respect to the free variables in the process at the moment the private name was output, as proposed for symbolic approaches to the ψ-calculus [JVP12]. In order to capture open bisimilarity using such a symbolic constraint system, care needs to be taken to ensure that the constraint system is interpreted intuitionistically.
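Definition 2.1 made executable, as an added example (not code from the paper): it checks the two substitutions of the running example above and, by enumerating substitutions over the variables of a history, confirms the kind of claim made later for histories with a private name, namely that no respectful θ can identify an extruded name x with a variable a input before it. The encoding of histories as (variable, tag) lists and the restriction to substitutions mapping into fn(h) are assumptions of this example.

```python
from itertools import product

# A history is a list of (variable, tag) pairs: tag 'o' for an extruded private
# name (x^o) and 'i' for a symbolic input (z^i).  Constructed example: x^i . y^o . z^i
HIST = [('x', 'i'), ('y', 'o'), ('z', 'i')]

def fn_history(h):
    """All variables appearing anywhere in a history."""
    return {v for v, _ in h}

def respects(sigma, h):
    """Definition 2.1: sigma (dict var -> var, identity where absent) respects h when
    every private name x^o is fixed by sigma and no variable occurring *before* x^o
    in h is mapped to x.  Variables input after x^o may be instantiated with x."""
    s = lambda v: sigma.get(v, v)
    for k, (x, tag) in enumerate(h):
        if tag != 'o':
            continue
        if s(x) != x:                                   # private names are never renamed
            return False
        if any(s(y) == x for y in fn_history(h[:k])):   # earlier variables cannot become x
            return False
    return True

def respectful_substitutions(h):
    """All substitutions over fn(h) with targets in fn(h) that respect h.  Targets
    outside fn(h) behave like the identity for equality questions (assumption)."""
    V = sorted(fn_history(h))
    cands = [dict(zip(V, img)) for img in product(V, repeat=len(V))]
    return [s for s in cands if respects(s, h)]

def can_identify(h, x, a):
    """Is there a respectful theta with x theta = a theta?  For a^i . x^o the answer
    is no, which is why x = a > <tau>tt holds vacuously under that history."""
    return any(s.get(x, x) == s.get(a, a) for s in respectful_substitutions(h))
```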
2.1. The semantics of the intuitionistic modal logic OM. The syntax for modal logic OM extends intuitionistic logic with equality and modalities, as follows.
Definition 2.3. The syntax for modal logic OM is defined by the following grammar.
The semantics of intuitionistic modal logic OM, presented in Fig. 2, is defined in terms of the late labelled transition system in Fig. 1 and history respecting substitutions (Definition 2.1). Satisfaction is defined as follows, by treating all free variables as inputs in the past.
[Figure 2 (partial): P ⊨_h tt always holds. P ⊨_h ff never holds. P ⊨_h x = y iff x and y are the same variable. In each of the above, α is of the form τ or āb; and z is fresh for h and σ.]
Both modalities are closed under all respectful substitutions. However, observe in Fig. 2 there is an asymmetry in the definition of these modalities. In contrast to the box modality, the definition of the diamond modality need not be closed under all respectful substitutions.
To explain this asymmetry between the box and diamond modalities in the definitions, observe, for the diamond modality, a transition must be possible regardless of the substitution. Thus it is sufficient to check the identity substitution. For example, the following is not satisfiable.
[x = y]τ ⊭ ⟨τ⟩tt
To check that the above does not hold, it is sufficient to check that [x = y]τ cannot perform a τ-transition. This is reflected in the semantics of the diamond modalities. In contrast, for the box modality there may exist substitutions other than the identity substitution enabling a transition, hence we should consider all respectful substitutions. Perhaps the simplest example requiring closure of box under respectful substitutions is the following:
[x = y]τ ⊨ [τ](x = y)
The above satisfaction holds since, for any substitution σ such that ([x = y]τ)σ −τ→ 0, it must be the case that xσ = yσ. Thus for all such substitutions we have that 0 ⊨ xσ = yσ holds, as required. In contrast, observe that the above process does not satisfy [τ]ff.
Intuitionistic hereditary establishes that all formulae are closed under respectful substitutions. We state this property of OM as a lemma, since it will be used in the completeness proof later in this paper.
The hereditary lemma suggests a Kripke model for OM that satisfies the usual frame conditions for intuitionistic logic: consider respectful substitutions as a binary relation between 'worlds', where a world is simply a set of equalities between variables. Then it can be proven that this gives rise to an intuitionistic Kripke frame. The satisfaction relation in Figure 2 can be reformulated using this notion of worlds explicitly. The interested reader may consult Appendix A for details of a Kripke semantics for OM. We note that the Kripke semantics presented there is not needed to prove the main results of this paper, and hence can be safely skipped.

2.2. Checking that the law of excluded middle is invalidated. Given the semantics in Fig. 2, we can now formally check examples from the introduction. We claimed āb | c(x) ⊭ ⟨τ⟩tt ∨ ¬⟨τ⟩tt, where ¬φ, as standard, is defined as φ ⊃ ff. This example demonstrates that the law of excluded middle is invalid. Appealing to the rule for disjunction, observe that we have the following.
āb | c(x) ⊭ ⟨τ⟩tt and āb | c(x) ⊭ ¬⟨τ⟩tt
The former could hold only if āb | c(x) is guaranteed to make a τ-transition; but such a transition is only possible under a substitution σ such that aσ = cσ, hence āb | c(x) ⊭ ⟨τ⟩tt.
For the latter, we should consider all substitutions which enable a τ-transition; and, since such a substitution {c/a} exists, āb | c(x) ⊭ ¬⟨τ⟩tt. Critically for this work, the above example illustrates that a property typically used to establish the completeness of open bisimilarity with respect to a classical modal logic breaks down. In the classical setting, we expect P ⊭ φ if and only if P ⊨ ¬φ. However, as the above example demonstrates, there are processes, such as āb | c(x), that do not satisfy ⟨τ⟩tt, but also do not satisfy ¬⟨τ⟩tt. Hence in the intuitionistic setting we cannot appeal to this principle of classical modal logic.
As a further example of this principle, observe the following are both unsatisfiable.
τ ⊭ ⟨τ⟩(x = y) and τ ⊭ ¬⟨τ⟩(x = y)
The former is unsatisfiable since, under the identity substitution, τ −τ→ 0, but 0 ⊭ x = y. The latter is also unsatisfiable since there is a substitution {y/x} such that τ{y/x} −τ→ 0 still holds and 0 ⊨ x{y/x} = y{y/x} holds; but clearly 0 ⊨ ff{y/x} can never hold; hence τ ⊭ ¬⟨τ⟩(x = y). As expected for an intuitionistic logic, further classical dualities break, as witnessed by the following examples of unsatisfiable formulae.
Note, in this paper, intuitionistic negation is used only to explain such examples illustrating the intuitionistic nature of OM. Results in subsequent sections do not depend on intuitionistic negation. However, related work [HALT18] highlights that intuitionistic negation has a role when logically characterising open bisimilarity for processes with mismatch (inequality guards, which can model the else branch of an if-then-else statement). Thus this formulation of OM is robust for some useful extensions of the π-calculus.

Open bisimilarity, soundness and completeness
We recall the definition of open bisimilarity. Open bisimilarity is the greatest symmetric relation closed under all respectful substitutions and labelled transitions at every step. Notice we use the history to record whenever a (symbolic) input or private output occurs.

Definition 3.1 (open bisimilarity). An open bisimulation R is a symmetric relation on processes, indexed by a history h, such that if P R_h Q then the following hold:
• For all substitutions σ respecting h, we have Pσ R_{hσ} Qσ.
• If P −α→ P′, then there exists Q′ such that Q −α→ Q′ and P′ R_h Q′, where α is τ or āb.
• If P −ā(x)→ P′, for x fresh for h and Q, there exists Q′ such that Q −ā(x)→ Q′ and P′ R_{h·x^o} Q′.
• If P −a(x)→ P′, for x fresh for h, there exists Q′ such that Q −a(x)→ Q′ and P′ R_{h·x^i} Q′.
Open bisimilarity, written P ∼ Q, is defined whenever there exists an open bisimulation R such that P R_{x_0^i·…·x_n^i} Q, where fn(P) ∪ fn(Q) ⊆ {x_0, …, x_n}.
The main result of this paper is that, for finite π-calculus processes, open bisimilarity is characterised by OM formulae. This result is broken into soundness and completeness of the intuitionistic modal logic characterisation.
The proof of soundness has been mechanically checked in the proof assistant Abella [BCG+14] using the two-level logic approach [GMN12] to reason about the π-calculus semantics specified in λProlog [NM88]. The proof of soundness proceeds by induction on the structure of formulae. An explanation of the soundness proof and mechanisation is deferred until Section 6.
The proof of completeness is explained in detail in Section 4. Before providing proofs, we provide examples demonstrating the implications of Theorems 3.2 and 3.3. Due to soundness, if two processes are bisimilar, we cannot find a distinguishing formula that holds for one process but does not hold for the other process. Due to completeness, if two processes are not
[x = y]τ ≁ τ: The distinguishing strategy for these processes is as follows: the process τ leads with transition τ −τ→ 0, but [xθ = yθ]τ can make a τ-transition only when xθ = yθ. From this distinguishing strategy we generate two formulae, one biased to each process.³ Since process τ leads in the distinguishing strategy, ⟨τ⟩tt is a distinguishing formula biased to process τ, as follows.
τ ⊨ ⟨τ⟩tt and [x = y]τ ⊭ ⟨τ⟩tt
As remarked in the previous section, negating formula ⟨τ⟩tt does not provide a formula biased to [x = y]τ. To construct a formula biased towards [x = y]τ, write down a box modality [τ] followed by the strongest postcondition that holds after a τ-transition is enabled, i.e. x = y. This gives rise to the following distinguishing formula, as required.
[x = y]τ ⊨ [τ](x = y) and τ ⊭ [τ](x = y)
[x = y]τ ≁ 0: For these processes the distinguishing strategy is ([x = y]τ){y/x} −τ→ 0, but 0 cannot make a τ-transition under any substitution. To construct a distinguishing formula biased to [x = y]τ, we write down x = y as the weakest pre-condition under which a τ-transition is enabled, expressed as follows.
[x = y]τ ⊨ x = y ⊃ ⟨τ⟩tt and 0 ⊭ x = y ⊃ ⟨τ⟩tt
To construct a formula biased to 0, write [τ] followed by ff, which, vacuously, is the strongest postcondition guaranteed after 0 performs a τ-transition, since no τ-transition is enabled under any substitution. This gives us the following distinguishing formula.
0 ⊨ [τ]ff and [x = y]τ ⊭ [τ]ff
Now consider the inductive case of an algorithm for constructing distinguishing formulae. In the inductive cases, two processes cannot be distinguished by an immediate transition. However, under some substitution, one process can make a π transition to a state, say P′, but, under the same substitution, the other process can only make a corresponding π transition to reach states Q_i that are not open bisimilar to P′. This allows a distinguishing formula to be inductively constructed from the distinguishing formulae for P′ paired with each Q_i. For example, consider how to construct distinguishing formulae for processes P and Q below.
Observe from the above transitions that process P can perform a τ-transition to a state [x = y]τ that is not bisimilar to any state reachable by a τ-transition from process Q. Process Q may perform τ-transitions either to τ or to 0. However, we have just seen above that [x = y]τ ≁ 0 and [x = y]τ ≁ τ; hence we have a distinguishing strategy.
The distinguishing strategies and distinguishing formulae for the above base cases enable us to construct distinguishing formulae for this inductive case. The distinguishing formula satisfied by P is a diamond modality followed by the conjunction of the distinguishing formulae biased to [x = y]τ in each base case above, as follows.
P ⊨ ⟨τ⟩([τ](x = y) ∧ (x = y ⊃ ⟨τ⟩tt)) and Q ⊭ ⟨τ⟩([τ](x = y) ∧ (x = y ⊃ ⟨τ⟩tt))
The distinguishing formula satisfied by Q is a box followed by the disjunction of the formulae not satisfied by [x = y]τ in each of the base cases above, as follows:
To confirm that the above are indeed distinguishing formulae for P and Q, assume for contradiction that Q ⊨ ⟨τ⟩([τ](x = y) ∧ (x = y ⊃ ⟨τ⟩tt)) holds. By definition of diamond modalities, this holds iff either 0 ⊨ [τ](x = y) ∧ (x = y ⊃ ⟨τ⟩tt) or τ ⊨ [τ](x = y) ∧ (x = y ⊃ ⟨τ⟩tt) holds. Observe that 0 ⊨ x = y ⊃ ⟨τ⟩tt holds iff we make the additional assumption that x and y are persistently distinct, i.e., we have the additional assumption ¬(x = y). In addition, observe that τ ⊨ [τ](x = y) holds iff we make the additional assumption that x = y. Indeed, by these observations, we know that the following hold:
Notice that x = y ∨ ¬(x = y) is an instance of the law of excluded middle for equality; hence, in the classical setting, assuming the law of excluded middle, the formula above biased to Q is also satisfied by P, and vice versa. Indeed there would be no distinguishing formulae for processes P and Q, and hence in a classical framework the modal logic would be incomplete for open bisimilarity. Similarly, in the intuitionistic setting, we can mechanically prove the following.
Since intuitionistic logics do not assume the law of excluded middle, as long as we evaluate the semantics of OM in an intuitionistic framework, we have distinguishing formulae. We have formalised in Abella the above four examples of satisfaction involving the law of excluded middle.
These processes are not open bisimilar because P can make the following three transition steps: νx.āx.a(y).τ −ā(x)→ a(y).τ −a(y)→ τ −τ→ 0. However, Q can only match the first two steps. At the third step, a base case of the distinguishing formula algorithm for τ ≁_{a^i·x^o·y^i} [x = y]τ applies. In this case, any substitution θ respecting a^i·x^o·y^i enabling transition ([x = y]τ)θ −τ→ 0 is such that yθ = x and xθ = x; hence xθ = yθ. Hence we have the following formulae biased to each process.
By applying inductive cases of the distinguishing formulae algorithm to the input and output actions, we obtain the following two distinguishing formulae.
3.1.3. Example involving private names that are indistinguishable. In contrast to the previous example, consider the following processes where the process on the right extrudes a private name and then compares it to a free variable.
These processes are open bisimilar, hence by Theorem 3.2 there is no distinguishing formula. The existence of a distinguishing formula of the form ⟨ā(x)⟩(x = a ⊃ ⟨τ⟩tt) is prevented by the history. For example, both νx.āx.
To see why, observe that νx.āx ⊨_{a^i} ⟨ā(x)⟩(x = a ⊃ ⟨τ⟩tt) holds if and only if νx.āx −ā(x)→ 0 and 0 ⊨_{a^i·x^o} x = a ⊃ ⟨τ⟩tt. By definition of implication, this holds if and only if, for all θ respecting a^i · x^o and such that xθ = aθ, we have 0 ⊨_{a^i·x^o} ⟨τ⟩tt. However, there is no substitution θ respecting a^i · x^o such that xθ = aθ. By the definition of a respectful substitution, θ must satisfy xθ = x and x ≠ aθ, contradicting constraint xθ = aθ. Thereby 0 ⊨_{a^i·x^o} x = a ⊃ ⟨τ⟩tt holds vacuously; hence we have that νx.āx ⊨_{a^i} ⟨ā(x)⟩(x = a ⊃ ⟨τ⟩tt) holds, as required.

Completeness of open bisimilarity with respect to OM
In order to prove completeness we first provide a direct definition of what it means for two processes to be not open bisimilar, which we refer to as distinguishability. Since open bisimilarity is defined in terms of a greatest fixed point of relations satisfying a certain closure property, distinguishability is defined in terms of a least fixed point satisfying the dual property. This leads to the direct definition of distinguishability in this section.
Since distinguishability is defined in terms of a least fixed point, there is a distinguishing strategy, consisting of a finite tree of moves. We inductively define distinguishability in terms of a family of relations on processes indexed by a history, ≁_n for n ∈ ℕ. The base case is when, for some respectful substitution, one player can make a move that cannot be matched by the other player without applying an additional substitution. We then define inductively the family of relations P ≁^h_n Q containing all processes that can be distinguished by a strategy of depth at most n, i.e., at most n moves are required to reach a pair of processes distinguished according to relation ≁_0, at which point, as just explained above, there is a process reachable by a respectful substitution that can make a move that the other process cannot match under the same substitution.
Definition 4.1 (distinguishability). The relation ≁_0 is the least relation, indexed by a history, such that P ≁^h_0 Q holds whenever there exist an action π and a substitution σ respecting h such that one of the following holds:
• there exists a process P′ such that Pσ −πσ→ P′ and there is no Q′ such that Qσ −πσ→ Q′, or
• there exists a process Q′ such that Qσ −πσ→ Q′ and there is no P′ such that Pσ −πσ→ P′.
In both cases, we require that if x ∈ bn(π), then x is fresh for Pσ, Qσ and hσ.
Inductively, ≁_{n+1} is the least relation extending ≁_n such that P ≁^h_{n+1} Q whenever, for some substitution σ respecting h, one of the following holds, where α is τ or āb and x is fresh for Pσ, Qσ and hσ:
The relation ≁, pronounced distinguishability, is defined to be the least relation containing ≁_n for all n ∈ ℕ, i.e. ⋃_{n∈ℕ} ≁_n. Define P ≁ Q whenever P ≁_{x^i
It is immediate from the definition that distinguishability is symmetric.
Lemma 4.2. The relations ≁ and ≁_n, for all n ≥ 0, are symmetric.
It is an established result that, for the version of the π-calculus with replication that we employ, image finiteness holds.
Lemma 4.3 (image finiteness [San95]). For process P and action π there are finitely many P i , up to α-conversion, such that P π P i .  Proof. In order to establish the forward implication, we construct a relation such that P R h Q whenever fn(P ) ∪ fn(Q) ⊆ fn(h) and there does not exists n such that P ∼ h n Q. We then show that R is an open bisimulation. Symmetry of R is immediate from Lemma 4.2. Below we consider the remaining cases required to show that R is an open bisimulation. Case of a respectful substitution: Assume that P R h Q holds and θ respects h, and suppose for contradiction that P θ R hθ Qθ does not hold. Thus there exists n such that P θ ∼ hθ n Qθ. In the case n = 0, there exists σ respecting hθ and action πθ such that either: P θσ πθσ P but there is no Q such that Qθσ πθσ Q ; or Qθσ πθσ Q but there is no P such that P θσ πθσ P . Without loss of generality, consider the former case, where P θσ πθσ P but there is no Q such that Qθσ πθσ Q , and observe that, since θ · σ respects h, by definition, we have P ∼ h 0 Q holds, contradicting the assumption that P R h Q holds. A similar argument yields a contradiction in the case that n > 0. Therefore P θ R hθ Qθ holds.
Case of a free transition: Assume that P R h Q and P α P hold, where α = τ or α = xz. For contradiction, suppose there is no Q such that Q α Q . Thereby P ∼ h 0 Q, contradicting the assumption that P R h Q; hence there is at least one Q i such that Q α Q i . By image finiteness, there are finitely many such Q i (quotienting by α-conversion). Now, for contradiction, assume that P R h Q i does not hold for all i. Hence for all i there exists Case of a bound output transition: Assume that P R h Q and P x(z) P hold, where z is fresh for P , Q and h. For contradiction, suppose there is no Q such that Q x(z) Q . Thereby P ∼ h 0 Q, contradicting the assumption that P R h Q; hence for some Q i we have Q x(z) Q i . By image finiteness, there are finitely many such Q i (quotienting by α-conversion). Now assume that for all i, Case of an input transition: This is almost identical to the case for bound output transitions.
Thus R is an open bisimulation. Now assume that P ≁ Q does not hold; hence P R^h Q holds for a history h listing the free variables {x_1, . . . , x_m} of P and Q; thereby, by definition of open bisimilarity, P ∼ Q holds, as required. The converse direction is immediate from the definitions.
Notice that distinguishability in Def. 4.1 requires that a distinguishing strategy is finite, and finite distinguishing strategies are sufficient to distinguish processes whose transition systems are image finite. In a more general setting where we do not have image finiteness (such as for weak variants of open bisimilarity, or where infinitely branching processes are permitted in an extended process language), such a finite notion of distinguishability would not suffice. In such a setting without image finiteness, in order for the negation of bisimilarity and distinguishability to coincide, distinguishability must be defined in terms of transfinite induction. Hence we would be required to extend OM with features offering additional distinguishing power, for example with least and greatest fixed points as in the µ-calculus [Koz83], or with finitely supported conjunctions as in related work on nominal transition systems [PBE+20]. Here we stick to the setting where we have image finiteness; hence, by Lemma 4.4, we can rely on finite distinguishing strategies. An investigation of the more general setting where we cannot rely on image finiteness is proposed as future work.
4.1. Preliminaries. For the completeness proof that follows, we require the following terminology for substitutions, and abbreviations for formulae. These are mainly standard.

Definition 4.5. Composition of substitutions σ and θ is defined such that x(σ · θ) = (xσ)θ, for all x. For substitutions σ and θ, σ ≤ θ holds whenever there exists σ′ such that where the empty conjunction is tt.
We require the following technical lemmas. The first unfolds the definition of σ φ in Def. 4.5 above. The second is required in inductive cases involving bound output and input. The third is a monotonicity property for transitions, along with side conditions for the bookkeeping of bound names that may appear in labels.
Proof. The proof follows directly by induction on the derivation of transitions. We consider two cases only. Consider the base case for input transitions, a(x).P −a(x)→ P. Clearly, if xθ = x, then aθ(x).Pθ = (a(x).P)θ and the following labelled transition is enabled, as required: aθ(x).Pθ −aθ(x)→ Pθ.

Consider the inductive case for the rule that opens a restriction to form a bound output. By the induction hypothesis, for all θ, we have Pθ −āθ xθ→ Qθ. Hence if, in addition, xθ = x, we have Pθ −āθ x→ Qθ and νx.Pθ = (νx.P)θ, and so the following labelled transition is enabled, as required.
We comment on the generality of the results in this work. Remarkably, monotonicity of the labelled transitions (Lemma 4.8) is the only property we require of the process model in order to prove completeness, other than image finiteness (which, as discussed previously, could even be lifted in an extended logic). Thus it would be possible to make the results of this paper more abstract, by ranging over any process model whose labelled transition system satisfies image finiteness (Lemma 4.3) and monotonicity of the labelled transition system (Lemma 4.8), and, furthermore, has the same labels as the late transition system of the π-calculus (i.e., of the form τ, x(z), x̄z or x̄(z), where x and z are variables). When viewed in terms of Kripke semantics in Appendix A, monotonicity is essentially the first compatibility condition of Plotkin and Stirling [PS86]: the "zig-zag" between the modal accessibility relation (here defined by the labelled transition along with its history) and the intuitionistic information partial ordering (here defined by substitutions respecting a history) that is sufficient to guarantee intuitionistic hereditary.
We have chosen to stick to a more concrete formulation of the π-calculus rather than being more abstract, for two reasons. Firstly, we can clearly provide concrete examples in a single process language familiar to a large audience. Secondly, results obtained using such a more abstract approach should be treated with caution, since they do not immediately cover many richer process calculi, for which the definition of open bisimilarity must be modified. For example, when extending our results to the π-calculus with mismatch [HALT18], we require that the definition of open bisimilarity is extended to allow for the retrospective creation of fresh private names in the past, when our supply of private names runs out; otherwise open bisimilarity is not a congruence. Going further, for the applied π-calculus [ABF18] or ψ-calculi [BJPV11], to define open bisimilarity the labels employed are of a more general form, so both the labels and the definition of open bisimilarity change in order to conservatively extend open bisimilarity to these settings while retaining the property that open bisimilarity is a congruence [HM21]. Thus it is a deliberate choice that, in this paper, we do not provide results at the maximum level of abstraction or generality that we know how to provide; instead, we seek to clearly map out the key novel ideas in a widely understood process language.
4.2. Algorithm for distinguishing formulae. The direct definition of distinguishability (Definition 4.1) provides us with a tree of substitutions and actions forming a strategy showing that two processes are not open bisimilar. The following proposition shows that OM formulae are sufficient to describe such strategies: for any strategy that distinguishes two processes, we can construct a distinguishing formula in OM. A distinguishing formula holds for one process but not for the other. In the proof of the following proposition, at each step we construct two distinguishing formulae, one biased to the process on the left and another biased to the process on the right. We cannot simply construct a formula biased to one process and negate it to obtain a formula biased to the other, which is the standard trick used since the early days of classical Hennessy-Milner logic [HM85]; we discussed in Section 2 why the left-biased formula cannot be obtained by negating the right-biased formula and vice versa. Both must be constructed simultaneously and may be unrelated by negation.
Proposition 4.9. If P ≁ Q then there exists φ_L such that P ⊨ φ_L and Q ⊭ φ_L.
Proof. Since ≁ is defined by a least fixed point over a family of relations ≁_n, if P ≁^h Q then there exists n such that P ≁^h_n Q, so we can proceed by induction on the depth of a distinguishing strategy.
In the base case, assume P ≁^h_0 Q. Hence, by definition, there are a substitution σ respecting h and an action π such that Pσ −πσ→ P′, where each x ∈ bn(π) is fresh for Pσ, Qσ and hσ, and there is no Q′ such that Qσ −πσ→ Q′. It is sufficient to consider only this case without loss of generality, since the other case is symmetric (Q leads and P cannot follow).
We require the following property concerning substitutions enabling πθ-transitions from Qθ, exploiting the observation that each such θ must necessarily induce an additional equality that was not yet enabled by σ. There exist finitely many pairs of variables x_j and y_j in fn(P) ∪ fn(Q) ∪ fn(π) such that x_jσ and y_jσ are distinct, and, for any R and substitution θ respecting h, if Qθ −πθ→ R then there exists j such that x_jθ = y_jθ. To see why, assume for contradiction that there is some θ respecting h such that Qθ −πθ→ R but there are no x and y in fn(P) ∪ fn(Q) ∪ fn(π) such that xσ and yσ are distinct and xθ = yθ. Stated otherwise, for all x and y in fn(P) ∪ fn(Q) ∪ fn(π), if xθ = yθ then xσ = yσ, which is precisely the condition for the following to be a well-defined function: there is a substitution, say θ′, defined on the range of θ, that maps zθ to zσ. In that case, θ · θ′ = σ on fn(P) ∪ fn(Q) ∪ fn(π); and hence, by Lemma 4.8, Qθθ′ −πθθ′→ Rθ′, contradicting the initial assumption for the base case that no transition Qσ −πσ→ Q′ exists for any Q′.
In this case, there are two distinguishing formulae, ⟨σ⟩⟨π⟩tt and [π]∨_j (x_j = y_j), biased to P and Q respectively. There are four cases to check to confirm that these are distinguishing formulae.

Case P ⊨^h ⟨σ⟩⟨π⟩tt: Consider all θ respecting h such that σ ≤ θ. By definition there exists θ′ such that σ · θ′ = θ, so since Pσ −πσ→ P′, by Lemma 4.8, Pθ −πθ→ P′θ′. Thereby, since P′θ′ ⊨^{hθ} tt holds, Pθ ⊨^{hθ} ⟨πθ⟩tt. Hence, by Lemma 4.6, P ⊨^h ⟨σ⟩⟨π⟩tt.

Case Q ⊭^h ⟨σ⟩⟨π⟩tt: For contradiction, assume Q ⊨^h ⟨σ⟩⟨π⟩tt. Since σ respects h and σ ≤ σ, by Lemma 4.6, Q ⊨^h ⟨σ⟩⟨π⟩tt holds only if Qσ ⊨^{hσ} ⟨πσ⟩tt holds, which holds only if there exists Q′ such that Qσ −πσ→ Q′, contradicting the assumption that no such Q′ exists. Thereby Q ⊭^h ⟨σ⟩⟨π⟩tt.

Case Q ⊨^h [π]∨_j (x_j = y_j): Consider substitutions θ respecting h and Q′ such that Qθ −πθ→ Q′. It must be the case that there exists j such that x_jθ = y_jθ, thereby Q′ ⊨^{hθ} x_jθ = y_jθ holds; hence clearly Q′ ⊨^{hθ} (∨_j (x_j = y_j))θ holds. Hence Q ⊨^h [π]∨_j (x_j = y_j).

Case P ⊭^h [π]∨_j (x_j = y_j): Assume for contradiction P ⊨^h [π]∨_j (x_j = y_j). This holds iff for all processes S and substitutions θ respecting h, Pθ −πθ→ S implies S ⊨^{h′} (∨_j (x_j = y_j))θ. Since we know that σ respects h and Pσ −πσ→ P′, for some h′ we have P′ ⊨^{h′} (∨_j (x_j = y_j))σ. This holds only if for some j, P′ ⊨^{h′} x_jσ = y_jσ; hence x_jσ = y_jσ for some j, which contradicts the assumption that x_jσ and y_jσ are distinct. Thereby P ⊭^h [π]∨_j (x_j = y_j).

Now consider the inductive cases. Given P, Q, if P ≁^h_{n+1} Q, up to symmetry of ≁^h_{n+1}, there are three cases to consider, for some substitution σ respecting h, where α is either τ or āb, and where x is fresh for Pσ, Qσ and hσ:
• Pσ −ασ→ P′ and, for all Q_i such that Qσ −ασ→ Q_i, P′ ≁^{hσ}_n Q_i.
• Pσ −āσ(x)→ P′, and, for all
We consider the second case above involving bound output only; the other two cases are similar, differing only in the accounting for respectful substitutions according to Def. 2.1.
For P σ aσ(x) P , by Lemma 4.3, there exist finitely many Q i such that Qσ aσ(x) Q i . For each i, since P ∼ hσ·x o n Q i , by the induction hypothesis, there exist φ L i and φ R i such that We require the following property, referred to later using †. There are finitely many pairs of variables x j and y j selected from fn(P ) ∪ fn(Q) ∪ {a} such that x j σ and y j σ are distinct, and, for any substitution θ respecting h (note we can apply α-conversion to ensure that θ also respects h · x o ), such that σ ≤ θ, and for any S such that, Qθ aθ(x) S then either: for some i, we have S |= hθ·x o φ R i θ, or there exists some j such that x j θ = y j θ. To see why such pairs of variables x j and y j can be constructed, suppose, for contradiction, that they cannot be constructed in general. Hence, there would exist substitution ρ respecting h·x o , where σ ≤ ρ, and process S such that: Qρ aρ(x) S, there is no i such that S |= hρ·x o φ R i ρ, and also there is no pair of variables u and v in fn(P ) ∪ fn(Q) ∪ {a} such that uσ and vσ are distinct and uρ = vρ. Hence ρ ≤ σ; therefore, there exists ρ respecting hρ · x o such that ρ · ρ = σ and hence, by Lemma 4.8, Qσ aσ(x) Sρ , where Sρ = Q i for some i. Since, ρ ≤ σ and σ ≤ ρ, we know ρ has an inverse, say σ . Now since, by Lemma 4.8, contradicting the assumption no such i exists. From the above, it is possible to construct distinguishing formulae σ a(x) i φ L i and σ a(x) i φ R i ∨ j (x j = y j ) . There are four cases to consider to verify these are distinguishing formulae.
Consider all θ such that σ ≤ θ, θ respects h, and without loss of generality x is fresh for θ, i.e., for y ∈ dom(θ) and x ∈ yθ. By definition, there exists θ such that σ · θ = θ. Now since σ · θ respects h, by Lemma 4.7, θ respects hσ hence since x ∈ dom(θ ) and x ∈ fn(hσθ ), θ respects hσ · x o . Thereby since θ respects hσ · x o and also P |= hσ·x o φ L i σ holds, by Lemma 2.5, it holds that P θ |= hθ·x o φ L i θ. The above holds for all i, hence it holds that P θ |= hθ·x o i φ L i θ. Now, since P σ aσ(x) P , by Lemma 4.8, since x is fresh, P θ aθ(x) P θ holds; and hence P θ |= hθ a(x) i φ L i θ holds. Thereby, by Lemma 4.6, Since σ respects h and σ ≤ σ, by Lemma 4.6, the above assumption holds only if Qσ |= hσ a(x) i φ L i σ holds. Now Qσ |= hσ aσ(x) i φ L i σ holds only if there exists Q such that Qσ aσ(x) Q and Q |= hσ·x o i φ L i σ, which holds only if Q |= hσ·x o φ L i σ for all i. Notice that Q = Q k for some k, and therefore Q k |= hσ·x o φ L k σ; but it was assumed that and Qθ aθ(x) Q . Above, in †, we established that, in this scenario, either: for some , we have Q |= hθ·x o φ R θ, or there exists some k such that x k θ = y k θ. In the case where, for some k, x k θ = y k θ, we have Q |= hθ·x o x k θ = y k θ holds. Hence in either case we have Since σ respects h, σ ≤ σ, and P σ aσ(x) P , the previous assumption can hold only if P |= hσ·x o i φ R i ∨ j (x j = y j ) σ. This holds only if, for some i, P |= hσ·x o φ R i σ, or, for some j, P |= hσ·x o (x j σ = y j σ). However, for all i, P |= hσ·x o φ R i σ; and also, for all j, we have x j σ and y j σ are distinct and P |= hσ·x o (x j σ = y j σ), leading to a contradiction in either case. Thereby P |= h σ a(x) i φ R i ∨ j (x j = y j ) . By induction we have established that, for any history h, processes P and Q, and any n, if P ∼ h n Q then we can construct φ L such that P |= h φ L and Q |= h φ L ; and also we can construct φ R such that Q |= h φ R and P |= h φ R . 
The result then follows by observing that, since ≁ is the least relation containing all ≁_n, whenever P ≁ Q there exists n such that P ≁^{x_{i_1}·...·x_{i_n}}_n Q, where fn(P) ∪ fn(Q) ⊆ {x_{i_1}, . . . , x_{i_n}}; for which there is φ_L such that P ⊨^{x_{i_1}·...·x_{i_n}} φ_L and Q ⊭^{x_{i_1}·...·x_{i_n}} φ_L; and also φ_R such that Q ⊨^{x_{i_1}·...·x_{i_n}} φ_R and P ⊭^{x_{i_1}·...·x_{i_n}} φ_R. Hence, by Definition 2.4, indeed P ⊨ φ_L, Q ⊭ φ_L, Q ⊨ φ_R and P ⊭ φ_R, as required.

Proof of Theorem 3.3: Assume that for finite processes P and Q, for all formulae φ, P ⊨ φ iff Q ⊨ φ. Now for contradiction suppose that P ∼ Q does not hold. By Lemma 4.4, P ≁ Q must hold. Hence by Proposition 4.9 there exists φ_L such that P ⊨ φ_L but Q ⊭ φ_L; but we assumed at the beginning that P ⊨ φ_L holds iff Q ⊨ φ_L holds, leading to a contradiction. Thereby P ∼ Q.

Observe that clearly τ −τ→ 0, but ([x = y]τ + [w = z]τ)θ can perform a τ-transition only if xθ = yθ or wθ = zθ. Thus [x = y]τ + [w = z]τ ⊨ [τ]((x = y) ∨ (w = z)) is a distinguishing formula biased to the left process, while τ ⊨ ⟨τ⟩tt is biased to the right.
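As an added worked example (this is not code from the paper or from its Abella development), the following Python models the τ-only fragment of the process language used in the example above, with match and sum, and checks OM formulae against it. Because the only action is τ, the only thing a substitution can do to such a process is identify variables, so a substitution is represented by a partition of the finite variable set V, and "θ respects h with σ ≤ θ" becomes "θ is a coarser partition than σ" (an assumption that holds for this fragment only; with inputs and bound outputs the history would have to be tracked as in the paper). The intuitionistic clauses for ⊃ and [τ] quantify over all coarser partitions, as in the proof of Proposition 4.9, and `base_case_formulae` implements the base case of that proof with σ the identity, choosing the pairs (x_j, y_j) from the minimal partitions enabling a τ-step of the process that cannot follow. The names `sat`, `hereditary` and `base_case_formulae` are our own.

```python
"""Tiny model checker for the tau-only, match-and-sum fragment of OM (added example)."""

# ---------- process terms: 0, tau.P, [x=y]P, P+Q ----------
NIL = ("nil",)
def Tau(p):         return ("tau", p)
def Match(x, y, p): return ("match", x, y, p)
def Sum(p, q):      return ("sum", p, q)

# ---------- OM formulae (tau modalities only) ----------
TT, FF = ("tt",), ("ff",)
def Eq(x, y):  return ("eq", x, y)
def And(a, b): return ("and", a, b)
def Or(a, b):  return ("or", a, b)
def Imp(a, b): return ("imp", a, b)
def Box(f):    return ("box", f)    # [tau] f
def Dia(f):    return ("dia", f)    # <tau> f
def Not(f):    return Imp(f, FF)    # intuitionistic negation

def big_or(fs):
    """Disjunction of a list, empty disjunction being ff."""
    out = FF
    for f in reversed(fs):
        out = f if out == FF else Or(f, out)
    return out

# ---------- substitutions as partitions of the variable set V ----------
def partitions(V):
    """All set partitions of V; each partition says which variables are identified."""
    vs = sorted(V)
    def go(i, blocks):
        if i == len(vs):
            yield frozenset(frozenset(b) for b in blocks)
            return
        for b in blocks:
            b.append(vs[i]); yield from go(i + 1, blocks); b.pop()
        blocks.append([vs[i]]); yield from go(i + 1, blocks); blocks.pop()
    return list(go(0, []))

def identity(V):
    return frozenset(frozenset([v]) for v in V)

def rep(part):
    """Apply the substitution: every variable becomes the least name in its block."""
    table = {v: min(b) for b in part for v in b}
    return lambda v: table[v]

def finer(a, b):
    """a <= b in the paper's ordering: b identifies everything that a identifies."""
    return all(any(x <= y for y in b) for x in a)

def coarsenings(part, V):
    """All theta with part <= theta (the worlds reachable by further substitution)."""
    return [th for th in partitions(V) if finer(part, th)]

# ---------- transitions and satisfaction ----------
def tau_steps(p, r):
    """tau-successors of p after applying r; a match [x=y] passes iff r(x) == r(y)."""
    tag = p[0]
    if tag == "tau":   return [p[1]]
    if tag == "match": return tau_steps(p[3], r) if r(p[1]) == r(p[2]) else []
    if tag == "sum":   return tau_steps(p[1], r) + tau_steps(p[2], r)
    return []

def sat(p, f, part, V):
    """p satisfies f in the world 'part', using the intuitionistic clauses of OM."""
    r, tag = rep(part), f[0]
    if tag == "tt":  return True
    if tag == "ff":  return False
    if tag == "eq":  return r(f[1]) == r(f[2])
    if tag == "and": return sat(p, f[1], part, V) and sat(p, f[2], part, V)
    if tag == "or":  return sat(p, f[1], part, V) or sat(p, f[2], part, V)
    if tag == "imp": # in every coarser world, the premise forces the conclusion
        return all(not sat(p, f[1], th, V) or sat(p, f[2], th, V) for th in coarsenings(part, V))
    if tag == "box": # every tau-successor in every coarser world
        return all(sat(q, f[1], th, V) for th in coarsenings(part, V) for q in tau_steps(p, rep(th)))
    if tag == "dia": # some tau-successor in the current world
        return any(sat(q, f[1], part, V) for q in tau_steps(p, rep(part)))
    raise ValueError(f)

def hereditary(p, f, V):
    """Intuitionistic hereditary: truth survives identifying more variables."""
    return all(not sat(p, f, a, V) or sat(p, f, b, V)
               for a in partitions(V) for b in coarsenings(a, V))

def base_case_formulae(p, q, V):
    """Base case of Prop. 4.9 with sigma = identity: p takes a tau step that q cannot.
    Returns (formula biased to p, formula biased to q)."""
    ident = identity(V)
    assert tau_steps(p, rep(ident)) and not tau_steps(q, rep(ident))
    enabling = [th for th in partitions(V) if tau_steps(q, rep(th))]
    # Every enabling theta is coarser than a minimal enabling one, so one pair
    # of variables per minimal theta is enough for the disjunction of equalities.
    minimal = [th for th in enabling if not any(o != th and finer(o, th) for o in enabling)]
    pairs = set()
    for th in minimal:
        blk = sorted(next(b for b in th if len(b) > 1))
        pairs.add((blk[0], blk[1]))
    return Dia(TT), Box(big_or([Eq(x, y) for x, y in sorted(pairs)]))

if __name__ == "__main__":
    V = {"w", "x", "y", "z"}
    P, Q = Tau(NIL), Sum(Match("x", "y", Tau(NIL)), Match("w", "z", Tau(NIL)))
    left, right = base_case_formulae(P, Q, V)
    print("biased to tau:", left, sat(P, left, identity(V), V), sat(Q, left, identity(V), V))
    print("biased to matches:", right, sat(Q, right, identity(V), V), sat(P, right, identity(V), V))
```

Running it reproduces the example above: the formula biased to τ is ⟨τ⟩tt and the one biased to [x = y]τ + [w = z]τ is [τ]((w = z) ∨ (x = y)), each holding for its own process and failing for the other. The same checker shows the failure of excluded middle mentioned later in the paper: [x = y]τ satisfies neither x = y nor its intuitionistic negation at the identity world, because the negation must hold in the coarser world where x and y are identified.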
We consider now an example where postconditions are required in the inductive case of the distinguishing formulae algorithm. Firstly, however, observe that āa + b̄b ≁ āa: they are distinguished since āa + b̄b −b̄b→ 0, whereas the process āa can only make a b̄b transition under a substitution such that a = b. Hence we have the distinguishing formulae āa + b̄b ⊨ ⟨b̄b⟩tt and āa ⊨ [b̄b](a = b). Now consider the following.
To distinguish these processes, Q −τ→ āa leads, a move which can only be matched by P −τ→ āa + b̄b.
To construct formulae distinguishing P from Q we use the following ingredients: the distinguishing formulae constructed for the sub-problem āa + b̄b ≁ āa; and the observation that, for substitutions θ such that xθ = yθ, there is an additional τ-transition enabled: Pθ −τ→ āa. These observations lead us to the following distinguishing formula biased to the process P on the left above, consisting of a box τ followed by a disjunction comprised of the distinguishing formula for āa + b̄b ≁ āa biased to the process āa + b̄b on the left, and the postcondition x = y, which must hold whenever the additional τ transition is enabled. The distinguishing formula biased to the process Q on the right above is "diamond τ" followed by the distinguishing formula for āa + b̄b ≁ āa biased to the process āa, as follows.
τ.(āa + b̄b) + τ.āa ⊨ ⟨τ⟩[b̄b](a = b)

4.4.2. Formulae generated by substitutions applied to labels. In some cases, substitutions applied to labels play a role when generating distinguishing formulae. For a minimal example consider the following distinguishable processes: āa ≁ āb. A distinguishing strategy is where process āb makes an āb transition, which cannot be matched by āa. However, we do have the transition (āa)σ −(āb)σ→ 0 for any substitution σ such that aσ = bσ, leading to the distinguishing formula [āb](a = b) biased to āa. Notice that the substitution σ is applied to both the process and the label. For a trickier example consider the following processes.

νb.āb.a(x).[x = b]x̄x ≁ νb.āb.a(x).x̄x
After two actions, the above problem reduces to base case [ From these observations we can construct a distinguishing formula biased to the left as follows.

νb.ab.a(x).[x
4.4.3. Alternative forms for distinguishing formulae. Note our algorithm copes with suboptimal distinguishing strategies. To understand this, consider the distinguishing strategy for the following processes that are clearly not open bisimilar.
There is an obvious optimal distinguishing strategy: τ.[x = y]τ −τ→ [x = y]τ, which cannot be matched by [x = y]τ. By appealing to the base case of the distinguishing formulae algorithm, we obtain the two distinguishing formulae [τ](x = y) and ⟨τ⟩tt, biased to each respective process. There are, however, sub-optimal distinguishing strategies. Under substitution {y/x}, the process on the left has transition ([x = y]τ){y/x} −τ→ 0, which can be matched, under the same substitution, by (τ.[x = y]τ){y/x} −τ→ [y = y]τ. Now 0 and [y = y]τ are distinguished, since [y = y]τ −τ→ 0 whereas 0 is deadlocked. By applying the algorithm in Proposition 4.9, we obtain the formula x = y ⊃ [τ]⟨τ⟩tt biased to the process on the right, which is indeed distinguishing.
As a further example of alternative distinguishing formulae, consider the following processes.
[x = y]τ.τ + τ ≁ τ.τ + τ

The following is a distinguishing formula biased to the left process: [τ][τ](x = y). However, this differs from the left-biased formula [τ]([τ]ff ∨ (x = y)) generated by the algorithm. Thus there exist alternative distinguishing formulae . . . and alternative algorithms. In particular, the above two examples highlight the open question of whether restricting ourselves to minimal substitutions in the distinguishing strategy allows us to simplify slightly the formulae in the inductive case of the distinguishing formulae algorithm, thereby avoiding generating formulae such as x = y ⊃ [τ]⟨τ⟩tt, featuring a prefix x = y ⊃ before a box modality.

4.4.4. A more elaborate example. This example forces the use of postconditions regardless of whether we construct a distinguishing formula biased to the process on the left or on the right. Consider the following processes.
The processes above are distinguished by the following strategy. Firstly, the process Q moves as follows, and there are three moves P can perform in response. This leads to three sub-problems, for which we already know the distinguishing strategies and formulae. Note that, to distinguish [x = y](τ.τ + τ) from [x = y](τ.[u = v]τ + τ.τ + τ), there is a switch in the process that leads.
From the above strategy, we can construct the following distinguishing formulae.
Notice this example nests a classic example, explained previously, inside itself. The absence of the law of excluded middle is essential for the existence of distinguishing formulae in this example.

Situating OM with Respect to Other Modal Logics Characterising Bisimilarities
Open bisimilarity is not the only bisimilarity congruence. We consider here the relationship between the intuitionistic modal logic for open bisimilarity presented in this work and other modal logics. In doing so, we clarify why we introduce OM rather than taking an intuitionistic variant of an established modal logic. We check that OM has a classical counterpart characterising late bisimilarity. Also, we note open bisimilarity is not the only notion of bisimilarity that is a congruence relation. We

Why a new modal logic OM, rather than an intuitionistic variant of LM?
A classical logic characterising late bisimilarity, called LM for "(L) late modality with (M) match," was provided by Milner, Parrow, and Walker [MPW93]. LM differs from OM in two significant ways. Firstly, LM is classical: a classical semantics is induced due to the fact that all grounded inputs are considered immediately after an input action, where variables appearing free represent distinct ground names, hence an input is either equal to another ground message or it is not. Secondly, the late input box modality is defined differently, involving an existential quantification over substitutions. Moving to an intuitionistic variant of LM, this gives rise to the following variant of the box input modality.
P ⊨^h [a(x)]_L φ iff ∀σ respecting h, ∀Q, Pσ −aσ(x)→ Q ⟹ ∃x such that Q ⊨^{hσ} φ. In the semantics of OM, we deliberately use a universally quantified box input modality, recalled below, rather than the existentially quantified box input modality used in LM above.
Recall from Sec. 6 that, in the box input modality of OM immediately above, the x^i appended to the history has the effect of a ∀x appearing immediately after the implication (made explicit in Fig. 5).
Hence, due to the differences in quantification for the box input modality, OM is not quite an intuitionistic variant of LM. The carefully selected box input modality in OM is necessary for our construction of distinguishing formulae in the completeness proof for the characterisation of open bisimilarity using OM. To understand why, consider the following processes that are not open bisimilar.
For the above processes, our algorithm for distinguishing formulae, Proposition 4.9, correctly generates the following OM formula biased to the right: If we were to use an intuitionistic variant of the input box modality of LM, as suggested in related work [TM10], both processes would satisfy the above formula modified with a late box input modality a(x) [y = w]τ ) Each of the processes reachable by an a(x)-transition from P is not open bisimilar to the process reachable from Q indicated above. The interesting case is the third process reached from P above. After applying the substitution {v/x}, the process on the right leads the distinguishing strategy. [v = v](a(y) + a(y).τ) The necessity of box input modalities is due to the switch from Q leading initially to the other process leading for the second input in the distinguishing strategy. From the above distinguishing strategy the following formula biased to P can be constructed.
For a formula biased to Q we obtain the following.

5.1.2. Discussion on intuitionistic LM. We have formalised the intuitionistic variant of LM in Abella. The language of formulae for LM replaces the "basic" box input modality of OM with the following "late" box input modality: The clauses for the satisfaction relation (encoded as the predicate satLM) are those for OM (Figure 5) without the "basic" box operator, but with the following clause for satLM: The example involving triple negation above (5.1) has been verified using this formalisation of intuitionistic LM. Related work [TM10] suggested that intuitionistic LM characterises open bisimilarity. Unfortunately, the completeness proof in that work is flawed, since it appeals to classical principles that are not valid in the intuitionistic setting. This oversight is rectified in the current paper by a more direct construction in the completeness proof and by the careful choice of input modalities in OM, explained in this section. Note, however, that the example above involving triple negation suggests that whether intuitionistic LM characterises open bisimilarity remains an open problem. To offer an intuition for triple negation: it can be regarded as an explicit test that variables are "not equal yet," in contrast to single negation, which indicates that variables are never going to be equal.

5.2. What about the classical counterpart to OM?

A criterion an intuitionistic modal logic is expected to satisfy is that, when the law of excluded middle is imposed, we obtain a meaningful classical logic [Sim94]. Fortunately, this criterion holds for OM: the classical counterpart to OM characterises late bisimilarity. For convenience, we recall a definition of late bisimilarity.
Definition 5.1 (late bisimilarity). A late bisimulation R is a symmetric relation such that, whenever P R Q:
• If P −α→ P′ then there exists Q′ such that Q −α→ Q′ and P′ R Q′.
• If P −ā(x)→ P′ then there exists Q′ such that Q −ā(x)→ Q′ and P′ R Q′.
• If P −a(x)→ P′ then there exists Q′ such that Q −a(x)→ Q′ and, for all x, P′ R Q′.
Late bisimilarity ∼_L is the greatest late bisimulation.
P ⊨_L ⟨a(z)⟩φ iff ∃Q, P −a(z)→ Q and, ∀y, Q{y/z} ⊨_L φ{y/z}.
P ⊨_L [a(z)]φ iff ∀Q, P −a(z)→ Q ⟹ ∀z, Q ⊨_L φ.

A direct semantics of classical OM, in the style of Milner, Parrow and Walker [MPW93], is presented in Fig. 3. Observe that histories are not employed in the classical semantics, since inputs are instantiated eagerly, immediately after performing an input transition (see the clauses for the input labelled transitions). Also, the missing operators (conjunction, disjunction, and ⟨α⟩φ) are derivable using classical negation, whereas in an intuitionistic modal logic they have independent interpretations. Classical OM characterises late bisimilarity.
Corollary 5.2 (characterisation). P∼ L Q if and only if, for all OM formulae φ, we have P|= L φ iff Q|= L φ, according to the classical semantics for OM in Fig. 3.
Proof. Observe that the definition of ⟨a(x)⟩φ in Figure 3 coincides with the late modality ⟨a(x)⟩_L φ in LM. Also observe that, classically, ¬[a(x)]¬φ is the "basic" diamond modality of Milner, Parrow and Walker [MPW93]; hence classical OM is classical LM extended with "basic" modalities. That original paper on modal logics for the π-calculus establishes that classical LM characterises late bisimilarity, and also that LM extended with basic modalities has the same expressive power as LM.
Historically, Milner, Parrow and Walker emphasised late equivalence (the greatest congruence contained in late bisimilarity) rather than late bisimilarity in the original paper on the π-calculus [MPW92]. This is because late equivalence is closed under input prefixes. Late equivalence can be defined by restricting to late bisimulations closed under substitutions; and its characteristic modal logic can be defined in a similar way, as follows.
Definition 5.3. P is late equivalent to Q, written P ∼ L Q, whenever there exists a late bisimulation R such that for all σ, P σ R Qσ. Define P |= L φ whenever for all σ, P σ|= L φσ.
Quantifying over all substitutions, combined with the distinct name assumption, means that we check late bisimilarity with respect to all combinations of equalities and inequalities between free variables. As such, late equivalence is not a bisimilarity; but is a late bisimulation. Using the above, we obtain a characteristic logic for late equivalence, using OM formulae.
Corollary 5.4. P ∼ L Q if and only if, for all φ, P |= L φ iff Q |= L φ.
As for open bisimilarity, [x = y]τ and 0 are not late equivalent. This is because ([x = y]τ){x/y} and 0{x/y} are clearly not late bisimilar. Two distinguishing formulae in this logic are defined as follows: P ⊨_L x = y ⊃ ⟨τ⟩tt and Q ⊨_L [τ]ff. The point is, if we take OM and impose the law of excluded middle, we obtain a logic, defined by ⊨_L, characterising late equivalence. If we then, in addition, enforce the distinct name assumption, we obtain a logic, defined by the other relation ⊨_L above, characterising late bisimilarity.

5.3. A sharpened picture of the spectrum of bisimilarity congruences.

We emphasise here that open bisimilarity is not the only bisimilarity congruence. A notable, strictly coarser, bisimilarity congruence for the π-calculus is open barbed bisimilarity [SW01]. Notions of open barbed bisimilarity are, by definition, the greatest bisimilarity congruences. We give the strong formulation of open barbed bisimilarity here, consistent with the rest of the paper (of course, the weak formulation of open barbed bisimilarity is coarser).
Definition 5.5. Process P has a barb x, written P ↓ x, whenever P −x(z)→ P′ or P −x̄y→ P′ or P −x̄(z)→ P′. An open barbed bisimulation R is a symmetric relation such that, whenever P R Q we have:
• If P −τ→ P′ then there exists Q′ such that Q −τ→ Q′ and P′ R Q′.

Unlike open bisimilarity, open barbed bisimilarity is incomparable with late bisimilarity.
A key example that holds for open barbed bisimilarity, but not for late bisimilarity is the following. There is however a (minimal) refinement of open barbed bisimilarity forbidding the above property, defined as follows.
Definition 5.6. An intermediate bisimulation R is a symmetric relation indexed by a set of variables, such that, whenever P R_E Q the following hold:
• If P −α→ P′ then there exists Q′ such that Q −α→ Q′ and P′ R_E Q′.
• If P −ā(x)→ P′ then there exists Q′ such that Q −ā(x)→ Q′ and P′ R_{E,x} Q′.
• If P −a(x)→ P′ then there exists Q′ such that Q −a(x)→ Q′ and, for all x, P′ R_E Q′.
Intermediate bisimilarity ∼_I is the greatest intermediate bisimulation.
Intermediate bisimilarity, a secondary contribution of this paper, defined above, sits between open bisimilarity, late equivalence and open barbed bisimilarity. Intermediate bisimilarity is a congruence, hence is sound with respect to open barbed bisimilarity. Strictness of this inclusion follows since νk.ak.(a(x).τ + a(x)) and νk.ak.(a(x).[x = k]τ + a(x).τ + a(x)) are distinguished by intermediate bisimilarity, as witnessed by the following strategy.
Intermediate bisimilarity is strictly coarser than open bisimilarity. To see why, observe the following processes are equivalent according to intermediate bisimilarity.
In contrast, for open bisimilarity, there is a distinguishing strategy for the same pair of processes, as witnessed by the following formula in OM.
The difference is, when constructing an open bisimulation, we can proceed with the first τ transition without deciding whether x = k or x = k. In contrast, intermediate bisimilarity forces this decision immediately after x is input.
It is important to note that we are not advocating that intermediate bisimilarity should be used in preference to open bisimilarity. What we are emphasising here is that open bisimilarity does not hold a canonical status as a bisimilarity congruence sound with respect to late bisimilarity. Indeed, there is a spectrum of bisimilarities between open bisimilarity and open barbed bisimilarity.
A picture of part of the spectrum surrounding open bisimilarity is provided in Fig. 4. To complete the picture in Fig. 4, note that related work [HALT18] introduced a modal logic characterising open barbed bisimilarity called intuitionistic FM, the intuitionistic counterpart to a classical modal logic characterising early bisimilarity. That paper emphasises the merits of open barbed bisimilarity due to its more objective definition, and, more importantly still, its coarser granularity suitable for verifying privacy properties. Open barbed bisimilarity can be used to verify properties of protocols that make use of else branches to maintain the privacy of honest participants; whereas open bisimilarity fails to verify such scenarios, instead discovering spurious attacks. This is due to the

Figure 4: The line between classical and non-classical notions of bisimilarity. (Nodes recovered from the figure: early bisimilarity, classical FM [MPW93]; late bisimilarity, classical OM, Fig. 3; barbed equivalence [MS92]; early equivalence; and, on the non-classical side, open bisimilarity [San96], intuitionistic OM, Fig. 2.)

Their framework is classical and works by syntactically restricting "effect" modalities in formulae, depending on the type of bisimulation. Their effects represent substitutions that reach worlds permitted by the type of bisimulation. In contrast, the modalities of the intuitionistic modal logic OM in this paper are syntactically closer to long established modalities for the π-calculus [MPW93], differing instead in their intuitionistic interpretation. An explanation for the stylistic differences is that for every intuitionistic logic, such as the intuitionistic modal logic in this work, there should be a corresponding classical modal logic based on an underlying Kripke semantics. Such a Kripke semantics would reflect the accessible worlds, as achieved by the syntactically restricted effect modalities in the abstract classical framework instantiated for open bisimilarity.

Mechanising the Soundness Proof in Abella
Abella [BCG+14] is a proof assistant based on intuitionistic logic that supports both inductive and coinductive reasoning over logical specifications of operational semantics for languages that contain binding structures, such as the π-calculus. In particular, Abella is well-suited for reasoning involving operational semantics specified in the higher-order logic programming language λProlog [MN12]. The formalisation of the modal logic OM in this section is built on top of existing work on the formalisation of the π-calculus and bisimulation based on the higher-order abstract syntax (HOAS) approach [BGM+07, TM10, BCG+14]. We present the coinductive definition of open bisimilarity (Section 6.1) and the semantics of the modal logic OM (Section 6.2) formalised in Abella, leading up to our mechanised proof of the soundness theorem (Theorem 3.2).
Interestingly, the proof of soundness (Theorem 3.2) is quite abstract: it can be proven without defining a specific language of process terms and their labelled transition system rules, since the proof only looks at the labels and makes the implicit assumption that transitions satisfy monotonicity. Thus, although it is not required for the main theorems of this paper, for a self-contained presentation we nonetheless recall an established λProlog specification of the π-calculus at the end of this section (Section 6.3), which can be used as the basis of tooling.
[Fig. 5 (Abella definitions) is only partially recovered here. Lines 12 to 14 read: "Kind o type. % syntax of the modal logic", "Type tt, ff o.", and a "Type" declaration whose constant names are lost.]

Open bisimulation relation bisim is coinductively defined in Fig. 5. The relation bisim is an Abella encoding of the open bisimulation relation R in Definition 3.1 from Section 3. Lines 5, 6, and 7 correspond to the latter three of the four bullet items in Definition 3.1, which state the closure property under every pairwise bisimulation step where P leads and Q follows. Lines 8, 9, and 10 are the symmetric cases where Q leads and P follows. Curly braces (e.g., {one P A P1}) are used for referring to an object logic proposition (i.e., a λProlog proposition) from the reasoning logic of Abella. The λProlog relation one : p → a → p → o (see Section 6.3 for further details), when applied to three arguments, becomes an object logic proposition one P A P1 : o. In order to refer to such λProlog propositions from Abella's reasoning logic, we use curly braces to convert a λProlog proposition (o) into a reasoning logic proposition (prop). For instance, {one P A P1} : prop. Abella's reasoning logic is richer than the object logic. It supports coinductive definitions, which we used to define bisim. It also supports nominal quantification (∇), which will be discussed shortly, in addition to universal (∀) and existential (∃) quantification. The first bullet item in Definition 3.1 states that open bisimulation must be closed under all substitutions that respect the history. In the definition of bisim, Abella guarantees this closure property under respectful substitutions for free. Let us first demonstrate how histories are handled in the relation bisim, in order to explain how the closure property under respectful substitutions is ensured in Abella. Consider a trivial bisimulation over identical processes, illustrated using both Abella and mathematical notations as follows:

[Bisimulation-tree illustration not recovered; the surviving fragment reads: ∀x,∇z,∀y, bisim 0 0 . . .]
Even for identical processes without nondeterministic constructs, the bisimulation tree has at least two branches for each node because either one of the two sides may take a leading step to be followed by the other side. Here, let us focus on the leftmost branches where the left process leads. The environment of quantified variables for the Abella relation bisim grows after each bisimulation step. Growing the environment exactly corresponds to growing the history. The bound output step extends the environment with ∇z in Abella, which corresponds to extending the history with $z^o$. The input step extends the environment with ∀y in Abella, which corresponds to extending the history with $y^i$. These quantified variables come from the definition of bisim in Fig. 5, more specifically, from lines 6 and 7.
Recall the definition of respectful substitution (Definition 2.1) from Section 2. An input variable in the history adds no restriction to the respectfulness of a substitution. An extruded private name in the history adds a restriction such that respectful substitutions should not unify the output variable with any variable that precedes the output variable. The nabla quantifier (∇) in Abella coincides with such a notion of restriction. Nabla quantified variables are guaranteed to be fresh names with respect to all the previously introduced names. For instance, consider the environment ∀x,∇z,∀y,· · · . Abella ensures that z cannot occur free in x, hence, x cannot be unified with z; however, y can be unified with z because y is introduced after z.
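The restriction just described can be checked mechanically. The following is an added Python example written for this page (it is not the paper's Abella development): it reads an Abella-style quantifier environment such as ∀x,∇z,∀y into a history, and decides whether a name-to-name substitution respects that history in the sense stated above, namely that an extruded private name may not be unified with any variable introduced before it. The list-of-pairs history and dictionary substitution are representation choices made here, and the substitution is applied simultaneously (one step, no composition).

```python
"""Respectful substitutions against a history (Section 6.1's reading of
Definition 2.1).  Added example: not the paper's Abella code; the data
representations below are assumptions made for this illustration."""
from typing import Dict, List, Tuple

# A history lists variables in order of introduction, tagged "i" for an input
# variable (forall in Abella) or "o" for an extruded private name (nabla).
History = List[Tuple[str, str]]
# A substitution maps variables to variables; name-to-name maps suffice here.
Subst = Dict[str, str]


def history_from_env(env: str) -> History:
    """Parse an Abella-style environment such as "∀x,∇z,∀y" into a history."""
    hist: History = []
    for item in env.replace(" ", "").split(","):
        if item.startswith("∀"):
            hist.append((item[1:], "i"))
        elif item.startswith("∇"):
            hist.append((item[1:], "o"))
        else:
            raise ValueError(f"unexpected quantifier in {item!r}")
    return hist


def apply(sigma: Subst, v: str) -> str:
    """Simultaneous application: variables not in sigma map to themselves."""
    return sigma.get(v, v)


def respects(sigma: Subst, history: History) -> bool:
    """sigma respects history iff no extruded name z^o is unified with any
    variable introduced before z.  Input variables add no restriction."""
    for k, (z, kind) in enumerate(history):
        if kind != "o":
            continue
        for earlier, _ in history[:k]:
            if apply(sigma, earlier) == apply(sigma, z):
                return False   # earlier precedes z, so they may not be unified
    return True


def may_identify(history: History, a: str, b: str) -> bool:
    """Can some respectful substitution make a and b equal?  In ∀x,∇z,∀y this
    says no for (x, z) but yes for (y, z), as discussed in the text."""
    return respects({a: b}, history) or respects({b: a}, history)
```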
Intuitively, universal quantification represents all possible substitutions over universally quantified variables. For example, consider ∀x, pred x. Proving this in Abella means that the predicate pred holds for all possible substitutions over x. Together with nabla quantification, the notion of all possible respectful substitutions can be represented by the environment of quantified variables in Abella. In summary, the list of universal and nabla quantified variables before the bisim relation in Abella not only transcribes the history but also represents all possible respectful substitutions.

6.2. Embedding of OM in Abella and the soundness proof.

The latter part of Fig. 5 is an embedding of the syntax and semantics of OM introduced earlier in Section 2.1. Recall the stylistic difference between Abella and mathematical notations for the process syntax: prefixes of free actions, bound output actions, and input actions are defined as three different syntactic constructs in the Abella definitions (see Fig. 5). There are similar stylistic differences regarding OM formulae in the Abella embedding (Fig. 5) and the notation in Section 2.1. There are three formula constructs for each kind of modality. For instance, the box modality has three different syntactic constructs, for free actions, bound output actions (↑), and input actions (↓), respectively. Similarly, there are three constructs for the diamond modality. Recall that histories on the bisimulation relation are transcribed as universal and nabla quantified variables in Abella and that closure under respectful substitutions holds for free in Abella. Similarly, histories in the semantics of OM are handled in exactly the same manner in Abella and enjoy the closure properties regarding respectful substitutions. For example, ∀x,∇z,∀y, sat (P x y z) φ corresponds to: for all σ respecting $x^i \cdot z^o \cdot y^i$, $P(x, y, z) \models_{x^i \cdot z^o \cdot y^i} \phi$. The relation sat in Fig. 5 is an embedding of OM (⊨) in Abella.
There is no explicit handling of substitutions in the definition of the sat relation because they are handled by Abella automatically.
We mechanised the proof of soundness of open bisimilarity with respect to OM by proving the following theorem.
In the above, form : o → prop is an inductive predicate for well-formed OM formulae, defined as follows: [definition not recovered]. The predicate form is a trick used to guide the induction in Abella by the structure of formulae (instead of by the structure of sat, which is not stratified [MT04] due to the presence of implication). Thereby the proof of theorem bisim_sat below is established by induction on the structure of the modal formulae and by case analysis on the definition of the satisfiability relation sat.

[Fig. 6 (λProlog specification of the π-calculus) is only partially recovered; the bound input rule on line 23 is lost.]

one (out X Y P) (up X Y) P.                    % free output
one (taup P) tau P.                            % tau
% match prefix
one (match X X P) A Q :- one P A Q.            oneb (match X X P) A M :- oneb P A M.
% sum
one (plus P Q) A R :- one P A R.               oneb (plus P Q) A M :- oneb P A M.
one (plus P Q) A R :- one Q A R.               oneb (plus P Q) A M :- oneb Q A M.
% par
one (par P Q) A (par P1 Q) :- one P A P1.      oneb (par P Q) A (z\par (M z) Q) :- oneb P A M.
one (par P Q) A (par P Q1) :- one Q A Q1.      oneb (par P Q) A (z\par P (N z)) :- oneb Q A N.
% restriction
one (nu z\P z) A (nu z\Q z) :- pi z\ one (P z) A (Q z).
oneb (nu z\P z) A (y\nu z\Q z y) :- pi z\ oneb (P z) A (y\Q z y).   % continuation Q z y: z is the restricted name, y the bound output
% open (bound output)
oneb (nu x\P x) (up X) Q :- pi y\ one (P y) (up X y) (Q y).
% close
one (par P Q) tau (nu z\par (M z) (N z)) :- oneb P (dn X) M, oneb Q (up X) N.

process arguments to construct a process, as its type (p → p → p) suggests. The table below summarises the process syntax in λProlog and the notations used in the previous sections.
λProlog syntax              mathematical notation
null                        0
nu x\P x (or nu P)          νz.P, where (P z) corresponds to P
taup P                      τ.P
out x z P                   x̄z.P
in x z\P z (or in x P)      x(z).P, where (P z) corresponds to P
match x y P                 [x = y]P
par P Q                     P | Q
plus P Q                    P + Q

Fig. 6 has a few stylistic differences from Fig. 1. Firstly, distinct constants are used for actions and their related processes (e.g., a tau action for a taup prefixed process) because constants cannot be overloaded as in mathematical notation. Secondly, the action prefix π.P in Fig. 1, where π ranges over several different types of action (progress, free output, and input), is transcribed as three distinct process syntactic constructs (taup, out, and in). Thirdly, free and bound actions are distinguished by their types instead of by different notations (x̄z and x(z)) as in Fig. 1. That is, bound actions (e.g., up x : n → a) are partially applied free actions (e.g., up x z : a) using the same constants. Fourthly, two different sets of transition relations are defined: one relating a process (p) to another process (p) via a free action (a), and oneb relating a process (p) to a bound process (n → p) via a bound action (n → a).
One advantage of using λProlog [MN12] is that we can rely on its native support for a variant of HOAS, known as λ-tree syntax [MP99], for handling bound variables and αβη-equivalence automatically. For instance, consider the rule for name extrusion from both Fig. 6 and Fig. 1:

oneb (nu z\P z) (up X) Q :- pi z\ one (P z) (up X z) (Q z)

There is no need to explicitly state and keep track of side conditions such as x ≠ z and x ∉ n(π) in λProlog definitions. For example, consider pi z\ one (P z) (up X z) (Q z) from above. Here, it is guaranteed that z does not occur free in the logic variables P, X, and Q. This guarantee comes from the scoping of variables: the scopes of P, X, and Q extend beyond the scope of z, which is limited to one (P z) (up X z) (Q z). Had z occurred free in any of P, X, or Q, the scope of z would have been violated. Hence, X cannot be unified with z.

Distinguishing formulae generation algorithm implementation
Our completeness proof in Section 4 is constructive in the sense that it follows the structure of an algorithm (Section 4.2) to build a pair of formulae for a pair of distinguishable processes. That is, one can find distinguishing formulae for any given pair of processes when they are actually distinguishable, guided by the steps described in our completeness proof (Section 4.3). These steps can be automated by writing a program that implements this algorithm. We first implemented the distinguishing formulae generation algorithm using Haskell [AHT17b], accompanying the conference publication [AHT17a] of our work. Here, we provide pointers to our current implementation and describe continuing work to make it more accessible to those who are not accustomed to Haskell development tools, including the GHC compiler. Our current implementation is available online from a public GitHub repository. This repository contains an example notebook and some utility shell scripts, which utilize a Docker container published on DockerHub to run the example notebook. All the necessary software dependencies to run our implementation, including Jupyter and Haskell, are contained in a Docker image so that it does not interfere with your own system. Anyone with access to an Internet-connected machine with a properly working Docker system can easily run our implementation with a single shell script command, although it would initially require some download time and disk space for a sizable (<10GB) Docker image to start running. Figure 7 is a screenshot of a web browser connected to a Jupyter server running on the same machine (i.e., localhost). The Haskell source code documented in our technical report [AHT17b] is executed via IHaskell, a Haskell language kernel for the Jupyter notebook environment. Some additional features are the enhanced output exploiting the Jupyter notebook's ability to render HTML and also some LaTeX via MathJax.
In addition to the plain text output, which you can still use inside the Jupyter notebook, we provide LaTeX output that looks the same as the notation used in this article.
In Figure 7, we define the function runBisimExperiment and demonstrate it on a pair of non-bisimilar processes, discussed previously in Section 3.1.1. We are providing the implementation as a Haskell library so that one can build programs that automate tasks related to bisimulation. The function runBisimExperiment is defined in terms of more primitive definitions provided in our implementation. This function is applied to three arguments: the initial history, the left process, and the right process. The free variables of the two processes must be closed by the initial history, either as input (using All) or as output (using Nab). In the example run, we closed the two free variables x and y as inputs in the initial history [All x, All y]. To provide processes, one should build them as Haskell values representing abstract syntax trees, whose data type is defined as follows:

import GHC.Generics (Generic)
import Unbound.Generics.LocallyNameless  -- using unbound-generics library
[data type declaration not recovered]

For instance, the process τ.0 + τ.τ.0 is written as (Plus (TauP Null) (TauP (TauP Null))) and the process τ.[x = y]τ.0 is written as (TauP (Match (Var x) (Var y) (TauP Null))) using the data type definition above. We additionally provide shorthand definitions below to reduce keystrokes and to make the notation look closer to that used in this article. Using these shorthand definitions, we can write τ.0 + τ.τ.0 and τ.[x = y]τ.0 as (tau .+ taup tau) and (taup $ (x.=y) tau). As a result of running the function runBisimExperiment, it displays the following:
• the initial history and the two processes,
• the result of the bisimilarity test,
• a pair of distinguishing formulae (for non-bisimilar processes), and
• a set of trees consisting of all transitions in a distinguishing strategy.
The first two items are self-explanatory from the rendered output. Let us explain a few additional details on the last two items above. Our implementation handles a subset of OM formulae (Definition 2.3) that is sufficient to generate distinguishing formulae for any pair of non-bisimilar processes. The distinguishing formulae constructed during our completeness proof contain a limited form of implication (x = y) ⊃ φ, where the left side of the implication connective is always an equality. For more compact output, our implementation uses a notation that abbreviates this form of implication. For instance, x = y φ abbreviates (x = y) ⊃ φ. More generally, x_1 = y_1, · · · , x_n = y_n φ abbreviates (x_1 = y_1) ⊃ · · · ⊃ (x_n = y_n) ⊃ φ. This abbreviation is also used in the screenshot of Figure 7.
The tool can also display multiple pairs of distinguishing formulae and display the entire bisimulation tree, which can be useful since the first distinguishing formula generated is not necessarily the most insightful. A single pair of distinguishing formulae is enough to witness distinguishability (or, non-bisimilarity), and the entire bisimulation tree is rarely required to generate a pair of distinguishing formulae. Our Haskell source code conceptually computes over the structure of the entire bisimulation tree in order to generate distinguishing formulae. However, only the part of the tree that is needed for the formulae construction is actually computed, thanks to Haskell's lazy evaluation, unless the entire tree is needed elsewhere. Further details of our algorithm implementation can be found in the technical report on our initial implementation [AHT17b].
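The semantics of OM embedded in Fig. 5 (Section 6.2) and the equality-guarded distinguishing formulae described in this section can be exercised on a small scale with the following added Python example. It is a re-implementation written for this page, not the paper's Abella development or its Haskell library, and it covers only the τ, match and sum fragment needed for the pair τ.0 + τ.τ.0 versus τ.[x = y]τ.0. Two assumptions are made: the history contains input variables only (as in [All x, All y]), so every substitution is respectful; and a substitution is represented by the partition of the variables it makes equal, since that is its only effect on this fragment. The formulae PHI_P and PHI_Q are a distinguishing pair constructed here, not the tool's output, and LEM is an instance of excluded middle that fails in the initial world.

```python
"""A miniature checker for OM over the tau/match/sum fragment of the pi-calculus.
Added example written for this page (not the paper's Abella code or Haskell tool).
Assumptions: the history holds input variables only, so every substitution is
respectful, and a substitution is represented by the partition of the variables
it makes equal (the only effect a substitution has on this fragment)."""
from itertools import chain

# Processes: ("0",) | ("tau", P) | ("match", x, y, P) | ("plus", P, Q)
NULL = ("0",)
def tau(p):         return ("tau", p)
def match(x, y, p): return ("match", x, y, p)
def plus(p, q):     return ("plus", p, q)

# Worlds: a partition (frozenset of frozensets) of the input variables.
def discrete(variables):
    """The initial world: no variables identified (e.g. history [All x, All y])."""
    return frozenset(frozenset([v]) for v in variables)

def same_block(world, x, y):
    return any(x in b and y in b for b in world)

def partitions(items):
    """All set partitions of a list (used to enumerate candidate worlds)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for smaller in partitions(rest):
        for i in range(len(smaller)):
            yield smaller[:i] + [[first] + smaller[i]] + smaller[i + 1:]
        yield [[first]] + smaller

def coarser(world):
    """Worlds reachable by further instantiation: every block of `world` must lie
    inside a single block of the result (`world` itself is included)."""
    variables = sorted(chain.from_iterable(world))
    result = []
    for p in partitions(variables):
        cand = frozenset(frozenset(b) for b in p)
        if all(any(b <= c for c in cand) for b in world):
            result.append(cand)
    return result

# Labelled transitions (only tau exists in this fragment) relative to a world.
def steps(p, world):
    kind = p[0]
    if kind == "tau":
        return [p[1]]
    if kind == "match":
        _, x, y, body = p
        return steps(body, world) if same_block(world, x, y) else []
    if kind == "plus":
        return steps(p[1], world) + steps(p[2], world)
    return []                                  # inert process

# Formulae: ("tt",) | ("ff",) | ("eq", x, y) | ("and", a, b) | ("or", a, b)
#         | ("imp", a, b) | ("dia", a) | ("box", a)
def sat(p, world, phi):
    op = phi[0]
    if op == "tt":
        return True
    if op == "ff":
        return False
    if op == "eq":
        return same_block(world, phi[1], phi[2])
    if op == "and":
        return sat(p, world, phi[1]) and sat(p, world, phi[2])
    if op == "or":
        return sat(p, world, phi[1]) or sat(p, world, phi[2])
    if op == "imp":   # intuitionistic implication ranges over all coarser worlds
        return all(not sat(p, w, phi[1]) or sat(p, w, phi[2]) for w in coarser(world))
    if op == "dia":   # diamond: a step of p in the current world, no instantiation
        return any(sat(q, world, phi[1]) for q in steps(p, world))
    if op == "box":   # box: every step under every (respectful) instantiation
        return all(sat(q, w, phi[1]) for w in coarser(world) for q in steps(p, w))
    raise ValueError(f"unknown connective {op}")

def open_bisimilar(p, q, world):
    """Open bisimilarity for finite terms: closed under instantiation, and in each
    world either side may lead with the other following in the same world."""
    for w in coarser(world):
        for lead, follow in ((p, q), (q, p)):
            for lead2 in steps(lead, w):
                if not any(open_bisimilar(lead2, fol2, w) for fol2 in steps(follow, w)):
                    return False
    return True

def hereditary(p, world, phi):
    """Intuitionistic hereditary: truth at a world persists to every coarser world."""
    return not sat(p, world, phi) or all(sat(p, w, phi) for w in coarser(world))

# Sample input, constructed here: the pair tau.0 + tau.tau.0 and tau.[x=y]tau.0
P = plus(tau(NULL), tau(tau(NULL)))
Q = tau(match("x", "y", tau(NULL)))
H0 = discrete(["x", "y"])
# Distinguishing pair built for this example: <tau>(x=y -> [tau]ff) for P,
# [tau](x=y -> <tau>tt) for Q; and x=y v (x=y -> ff), an instance of excluded middle.
PHI_P = ("dia", ("imp", ("eq", "x", "y"), ("box", ("ff",))))
PHI_Q = ("box", ("imp", ("eq", "x", "y"), ("dia", ("tt",))))
LEM = ("or", ("eq", "x", "y"), ("imp", ("eq", "x", "y"), ("ff",)))

if __name__ == "__main__":
    print("open bisimilar:", open_bisimilar(P, Q, H0))
    print("P |= PHI_P:", sat(P, H0, PHI_P), "Q |= PHI_P:", sat(Q, H0, PHI_P))
    print("Q |= PHI_Q:", sat(Q, H0, PHI_Q), "P |= PHI_Q:", sat(P, H0, PHI_Q))
    print("excluded middle at H0:", sat(P, H0, LEM))
```

The diamond case looks only at steps of the process in the current world, while box and implication quantify over every coarser world; this is the lazy instantiation of the text, and it is what makes PHI_P true of P and false of Q (after P's step to 0, identifying x with y yields no τ step; after Q's step, it does) and PHI_Q true of Q and false of P. Because every connective is defined over coarser worlds, hereditary holds for every formula, and LEM is false in the initial world although it becomes true once x and y are identified.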

Conclusion
The main result of this paper is a sound and complete logical characterisation of open bisimilarity for the π-calculus. To achieve this result, we introduce modal logic OM, defined in Fig. 2. The soundness of OM with respect to open bisimilarity, Theorem 3.2, is mechanically proven in Abella as explained in Section 6. The details of the completeness, Theorem 3.3, are provided in Section 4.
Intuitionistic modal logic OM satisfies the following established criteria for an intuitionistic modal logic [Sim94]:
• Intuitionistic OM is a conservative extension of intuitionistic logic. Removing modalities, we obtain a standard semantics of intuitionistic logic without any new theorems.
• Intuitionistic OM satisfies intuitionistic hereditary. Every operator is closed under an accessible world relation, as given by our Kripke semantics in the Appendix, and also as captured by the notion of respectful substitution in the body of the paper.
• The law of excluded middle is invalidated. As demonstrated in Examples 3.1.1 and 4.4.4, the absence of the law of excluded middle is essential for the existence of distinguishing formulae in OM for processes that are not open bisimilar but are late equivalent.
• As explored in Corollary 5.4, if we induce the law of excluded middle, we obtain a classical modal logic (characterising late equivalence).
• In contrast to classical modal logics, diamond and box modalities have independent interpretations, not de Morgan dual to each other.

A more direct proof theory for OM is left as an open problem. A proof system can be used to confirm criteria such as: if φ ∨ ψ has a proof, then either φ has a proof or ψ has a proof. A sound and complete proof system would be a step towards addressing the following, more philosophical, criterion for an intuitionistic modal logic [Sim94]: there is an intuitionistically comprehensible explanation of the meaning of the modalities, relative to which IML is sound and complete. Previous work on intuitionistic modal logic for program analysis [PS86,SI94] was motivated by topological interpretations of liveness properties. The intuitionistic information partial ordering in that work is quite different from that in OM, where the intuitionistic information partial ordering is given by the instantiation of inputs.
We expect creative use of intuitionistic information partial orderings will lead to further useful intuitionistic modal logics.
The main novelty of this paper is the completeness proof, Proposition 4.9, involving an algorithm constructing distinguishing formulae for processes that are not open bisimilar. To use this algorithm, firstly attempt to prove that two processes are open bisimilar. If they are not open bisimilar, after a finite number of steps, a distinguishing strategy, according to Def. 4.1, will be discovered. The strategy can then be used to inductively construct two distinguishing formulae, one biased to each process. A key feature of the construction is the use of preconditions and diamond for the leading process, e.g., x = y ⊃ ⟨π⟩tt, and box and postconditions for the following process, e.g., [π](x = y). Interesting examples involving postconditions are provided in Section 4.4.
The logic OM is suitable for formal and automated reasoning. It has natural encodings in Abella for mechanised reasoning, used to establish Theorem 3.2. In addition, our distinguishing formulae generation algorithm is implemented in Haskell, as explained in Section 7 and a companion report [AHT17b]. We envision that OM and related intuitionistic modal logics characterising bisimilarity congruences have a role in symbolic model checking.
Proof. By structural induction on the derivation of $P\sigma \xrightarrow{\pi} Q$. We show here an interesting case where match is involved, e.g., when P = [x = y]R, and xσ = yσ = u, so Pσ = [u = u]Rσ.