Conditional Bisimilarity for Reactive Systems

Reactive systems à la Leifer and Milner, an abstract categorical framework for rewriting, provide a suitable framework for deriving bisimulation congruences. This is done by synthesizing interactions with the environment in order to obtain a compositional semantics. We enrich the notion of reactive systems by conditions on two levels: first, as in earlier work, we consider rules enriched with application conditions and second, we investigate the notion of conditional bisimilarity. Conditional bisimilarity allows us to say that two system states are bisimilar provided that the environment satisfies a given condition. We present several equivalent definitions of conditional bisimilarity, including one that is useful for concrete proofs and that employs an up-to-context technique, and we compare with related behavioural equivalences. We consider examples based on DPO graph rewriting, an instantiation of reactive systems.


Introduction
Behavioural equivalences, such as bisimilarity, relate system states with the same behaviour. Here, we are in particular interested in conditional bisimilarity, which allows us to say that two states a, b are bisimilar provided that the environment satisfies a condition C. Work on such conditional bisimulations appears somewhat scattered in the literature (see for instance [Lar86,HL95,Fit02,BKKS17]). They also play a role in the setting of featured transition systems for modelling software product lines [CCP + 12], where the behaviour of many products is specified in a single transition system. In this setting it is possible to state that two states are bisimilar for certain products, but not for others.
We believe that conditional notions of behavioural equivalence are worthy of further study. In practice it may easily happen that two sub-systems are only ever used in restricted environments and it is too much to ask that they behave equivalently under all possible contexts. Furthermore, instead of giving a simple yes/no-answer, bisimulation checks can answer in a more fine-grained way, specifying conditions which ensure bisimilarity.
We state our results in a very general setting: reactive systems à la Leifer and Milner [LM00], a categorical abstract framework for rewriting, which provides a suitable framework for deriving bisimulation congruences. In particular, this framework allows us to synthesize labelled transitions from plain reaction rules, such that the resulting bisimilarity is automatically a congruence. Intuitively, the label is the minimal context that has to be borrowed from the environment in order to trigger a reduction. (Transitions labelled with such a minimal context will be called representative steps in the sequel. They are related to the idem pushout steps of [LM00].) Here, we rely on the notion of saturated bisimilarity introduced in [BKM06] and we consider reactive system rules with application conditions, generalizing [HK12].
Important instances of reactive systems are process calculi with contextualization, bigraphs [JM03] and double-pushout graph rewriting [CMR + 97], or in general rewriting in adhesive categories [LS05]. Hence we can use our results to reason about process calculi as well as dynamically evolving graphs and networks for various different types of graphs (directed or undirected graphs, node- or edge-labelled graphs, hypergraphs, etc.).
Our contributions in this paper can be summarized as follows:
• We define the notion of conditional bisimilarity; in fact we provide three equivalent definitions: two notions are derived from saturated bisimilarity, where a context step (or a representative step) can be mimicked by several answering steps. Third, we compare with the notion of conditional environment congruence, which is based on the idea of annotating transitions with passive environments enabling a step.
• Conditional bisimulation relations tend to be very large, often infinite in size. To obtain possibly substantial reductions of proof obligations in a bisimulation proof, we propose an up-to context technique (for up-to techniques and their history see [PS19]). In particular, it can replace an infinite conditional bisimulation relation by a possibly finite bisimulation up-to context, which provides a witness for bisimilarity. We also view our up-to technique in a general lattice-theoretical setting and prove the compatibility property [PS11b], which not only implies soundness of the technique, but also allows it to be composed with other (compatible) up-to techniques.
• We use the notion of representative steps in order to obtain finitely branching transition systems, further reducing proof obligations.
• We compare conditional bisimilarity with related notions of behavioural equivalence.
• To illustrate our concepts, we work out a small case study in the context of double-pushout graph rewriting, where we model message passing over reliable and unreliable channels.
The article is structured as follows: First, in Section 2 we introduce the fundamental ideas for reactive systems without conditions, including all preliminary definitions and techniques developed for reactive systems relevant to our work. In Section 3, we consider the refinement to conditional reactive systems, before we turn towards our main contribution in Section 4, which is conditional bisimulation, and its up-to variant in Section 5. In Section 6 we give an alternative characterization of conditional bisimilarity and compare it with related notions of behavioural equivalence; we conclude in Section 7.

Reactive Systems
We denote the composition of arrows f : A → B, g : B → C by f ;g : A → C. Although this is usually written g • f , we chose f ;g to better match the reading order of the diagram A → B → C.

2.1. Reactive Systems without Conditions.

We now define reactive systems, which were introduced in [LM00] and extended in [HK12] with application conditions for rules. We initially only look at reactive systems without conditions. Conditions and the definition of reactive systems with conditions will be introduced later, in Section 3.
Definition 2.1 (Reactive system rules, reaction). Let C be a category with a distinguished object 0 (not necessarily initial). A rule is a pair ( , r) of arrows , r : 0 → I (called left-hand side and right-hand side). A reactive system is a set of rules. Let S be a reactive system and a, a : 0 → J be arrows. We say that a reduces to a (a a ) whenever there exists a rule ( , r) ∈ S with , r : 0 → I and an arrow c : I → J (the reactive context) such that a = ;c and a = r;c.
Using a notation closer to process calculi, we could write C[P ] C[P ] whenever there is a reaction rule P → P and a context C[ ]. Fixing a distinguished object 0 means that we consider only ground reaction rules (as opposed to the open reactive systems investigated in [KSS05]).
An important instance are reactive systems where the arrows are cospans in a base category D with pushouts [SS05,Sob04]. A cospan is a pair of arrows f L : A → C, f R : B → C. A cospan is input linear if its left arrow f L is mono.
where Z is the pushout object of f R , g L . For adhesive categories [LS05] (see Appendix A), the composition of input linear cospans again yields an input linear cospan (by applying [LS05,Lemma 4.2] to the cospan composition diagram). Given an adhesive category D, ILC(D) is the category where the objects are the objects of D, the arrows f : A → C are input linear cospans f : A → B ← C of D and composition is performed via pushouts as described above. We see an arrow f : A → C of ILC(D) as an object B of D equipped with two interfaces A, C and corresponding arrows f L , f R to relate the interfaces to B, and composition glues the inner objects of two cospans via their common interface. Input linearity is useful since we rely on adhesive categories where pushouts along monos are well-behaved. In particular, they always exist and form Van Kampen squares (see Appendix A), the latter being a requirement for borrowed context diagrams (Subsection 2.3).
In this article, as a running example we consider the category Graph fin , which has finite graphs (we use directed multigraphs with node and edge labels) as objects and total graph morphisms (functions that map nodes and edges of one graph to another, with the edge map being consistent with the node map) as arrows. In Graph fin , monos are exactly the injective graph morphisms. We then use reactive systems over ILC(Graph fin ) (input-linear cospans of graphs), i.e. we rewrite graphs with interfaces. If the distinguished object 0 is the empty graph (the initial object of Graph fin ), such reactive systems coincide [SS05] with the well-known double pushout (DPO) graph transformation approach [EPS73,HMP01] when used with injective matches. As shown in Figure 2, a DPO rewrite step G ⇒ H can be expressed as a reactive system reaction a a where the pushouts of the DPO step are obtained from cospan compositions ;c and r;c.

2.2. Deriving Bisimulation Congruences.

The reduction relation generates an unlabelled transition system, where the states are the reactive agents (in our example, graphs). Note that bisimilarity on this transition system only checks whether any reaction is possible: for two bisimilar agents, it is not required that the same rule is used in their reactions, or even that the reaction is applied at the same position.
A disadvantage of bisimilarity on is that it usually is not a congruence: it is easy to construct an example where neither a nor b can perform a step since no complete left-hand side is present (hence a would be bisimilar to b). However, by adding a suitable context f , a;f could contain a full left-hand side and can reduce, whereas b;f cannot.
Therefore, to check whether two components can be exchanged, they have to be combined with every possible context and bisimilarity has to be shown for each.
In order to obtain a congruence, we can resort to defining bisimulation on labelled transitions, using as labels the additional contexts that allow an agent to react [LM00,HK12].
Definition 2.2 (Context step (without conditions) [HK12]). Let S be a reactive system and a : 0 → J, f : J → K, a : 0 → K be arrows. We write a f − → C a whenever a;f a (i.e. there exists a rule ( , r) ∈ S and an arrow c such that a;f = ;c, a = r;c). Such steps are called context steps.
Intuitively we have to find a context f for the arrow a (which we want to rewrite) such that we obtain the left-hand side plus some additional context c. The name context step stems from the fact that a might not be able to do a reaction on its own, but requires an additional context f . This can be seen in the following example:
Example 2.3 (Context step (without conditions)). Consider the following reactive system over ILC(Graph fin ), i.e. all arrows (such as , r, . . . ) are input-linear cospans of graphs that represent graphs with interfaces. We model a network of nodes that pass messages (represented by m-loops) over communication channels (represented by ch-edges). The transmission of a message from the left node to the right node can be represented with the following rule: We can observe that a channel by itself (a = ∅ → ch ← ) cannot do a reaction, since there is no message to be transferred. However, if a message on the left node is borrowed (f = → m ← ), we obtain a;f (Figure 3a), to which the example rule can be applied (Figure 3b). As a result, we obtain the context step a
A bisimulation relation over → C is called saturated bisimulation, as it checks all contexts. Consequently, saturated bisimilarity ∼ C (∼ SAT in [HK12]) is a congruence [BKM06,HK12], i.e., it is closed under contextualization. In other words a ∼ C b implies a;c ∼ C b;c for all contexts c.
2.3. Representative Squares.

Checking bisimilarity of context steps is impractical because the transition system is generally infinitely branching: usually, f can be chosen from an infinite set of possible contexts, which all have to be checked. Most of these contexts are larger than necessary, that is, they contain elements that do not actively participate in the reduction. (In Example 2.3, contexts can be arbitrarily large, as long as they have an m-loop on the left node.) An improvement would be to check only the minimal contexts from which all other context steps can be derived.
When checking which contexts are required to make a rule applicable, in the reaction diagram (Definition 2.2) the arrows a, are given and we need to check for possible values of f (which generate matching c, a ). To derive a set of contexts f which is as small as possible (preferably finite), [BCHK11,HK12] introduced the notion of representative squares, which describe a way to represent all possible squares that close a pair a, by a smaller set of squares (the so-called representative squares). We can then limit bisimilarity checking to just the steps using representative squares, which, if this smaller set is indeed finite, leads to a finitely branching transition system.
The original paper on reactive systems [LM00] used the (more restrictive) notion of idem pushouts instead of representative squares. Unfortunately, the universal property of idem pushouts leads to complications, in particular for cospan categories, where one has to resort to the theory of bicategories in order to be able to express this requirement. For the purposes of this paper, we stick to the simpler notion of representative squares, in order to keep our results independent of the concrete class of squares chosen.
The question arises which constructions yield suitable classes of representative squares, ideally with finite κ(α 1 , α 2 ), in order to represent all possible contexts δ 1 , δ 2 with a finite set of representative contexts β 1 , β 2 . Pushouts can be used when they exist [HK12], however, they do not exist for ILC(Graph fin ).
For cospan categories over adhesive categories, borrowed context diagrams (initially introduced as an extension of DPO rewriting [EK04]) can be used as representative squares. Before we can introduce such diagrams, we first need the notion of jointly epi.
Definition 2.5 (Jointly epi). A pair of arrows f : B → D, g : C → D is jointly epi (JE ) if for each pair of arrows d 1 , d 2 : D → E the following holds: if f ;d 1 = f ;d 2 and g;d 1 = g;d 2 , then d 1 = d 2 .
In Graph fin jointly epi equals jointly surjective, meaning that each node or edge of D is required to have a preimage under f or g or both (it contains only images of B or C).
This criterion is similar to, but weaker than a pushout: for jointly epi graph morphisms d 1 : B → D, d 2 : C → D, there are no restrictions on which elements of B, C can be merged in D. However, in a pushout constructed from morphisms a 1 : A → B, a 2 : A → C, elements in D can (and must) only be merged if they have a common preimage in A. (Hence every pushout generates a pair of jointly epi arrows, but not vice versa.)
Definition 2.6 (Borrowed context diagram [HK12]). A commuting diagram in the category ILC(C), where C is adhesive, is a borrowed context diagram whenever it has the form of the diagram shown in Figure 5a, and the four squares in the base category C are pushout (PO), pullback (PB) or jointly epi (JE) as indicated. In particular, the two arrows into G + (from L and from G) must be jointly epi.
Being jointly epi ensures that G + really is an overlap of L and G and does not contain unrelated elements. The top right pushout corresponds to the left pushout of a DPO rewriting diagram. It contains a total match of L in G + . Then, the bottom left pushout gives us the minimal borrowed context F such that applying the rule becomes possible. The bottom right pullback ensures that the interface K is as large as possible. We will discuss an example of a borrowed context diagram below (Example 2.9). For additional examples, we refer to [EK04].
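The distinction between jointly epi (jointly surjective in Graph fin ) and pushout drawn above can be made concrete on small graphs. The following Python code is an added illustration, not code from the paper or from any tool it cites: it represents finite labelled multigraphs and total graph morphisms, decides joint surjectivity as in Definition 2.5, computes the pushout of a span by gluing along the images of the common source, and decides whether a given commuting pair of arrows is a pushout by checking that the mediating arrow from the canonical pushout is a bijection on nodes and edges. The sample span (one interface node mapped into two graphs that each carry one b-loop on it) is constructed here; its two jointly surjective completions are the two overlaps later discussed in Example 3.7, and only the one that keeps the loops apart is a pushout.

```python
"""Jointly epi vs. pushout in Graph_fin (added illustration; graphs and morphisms constructed here)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Graph:
    nodes: frozenset          # node identifiers
    edges: dict               # edge id -> (source node, target node, label)

@dataclass(frozen=True)
class Morphism:
    src: Graph
    tgt: Graph
    on_nodes: dict            # node of src -> node of tgt
    on_edges: dict            # edge of src -> edge of tgt

    def is_total_hom(self) -> bool:
        """Total graph morphism: everything is mapped, endpoints follow the node map, labels are kept."""
        if set(self.on_nodes) != set(self.src.nodes) or set(self.on_edges) != set(self.src.edges):
            return False
        for e, (s, t, lab) in self.src.edges.items():
            img = self.on_edges[e]
            if img not in self.tgt.edges or self.tgt.edges[img] != (self.on_nodes[s], self.on_nodes[t], lab):
                return False
        return True

def jointly_surjective(f: Morphism, g: Morphism) -> bool:
    """Definition 2.5 in Graph_fin: every node and edge of the common codomain has a preimage under f or g."""
    d = f.tgt
    nodes_hit = set(f.on_nodes.values()) | set(g.on_nodes.values())
    edges_hit = set(f.on_edges.values()) | set(g.on_edges.values())
    return nodes_hit == set(d.nodes) and edges_hit == set(d.edges)

class UnionFind:
    def __init__(self, elems):
        self.parent = {x: x for x in elems}
    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x
    def union(self, x, y):
        self.parent[self.find(x)] = self.find(y)

def pushout(a1: Morphism, a2: Morphism):
    """Pushout of the span B <-a1- A -a2-> C: disjoint union of B and C, merging only a1(x) with a2(x)."""
    A, B, C = a1.src, a1.tgt, a2.tgt
    uf_n = UnionFind([("B", n) for n in B.nodes] + [("C", n) for n in C.nodes])
    uf_e = UnionFind([("B", e) for e in B.edges] + [("C", e) for e in C.edges])
    for n in A.nodes:
        uf_n.union(("B", a1.on_nodes[n]), ("C", a2.on_nodes[n]))
    for e in A.edges:
        uf_e.union(("B", a1.on_edges[e]), ("C", a2.on_edges[e]))
    node_cls = {x: uf_n.find(x) for x in uf_n.parent}
    edge_cls = {x: uf_e.find(x) for x in uf_e.parent}
    edges = {}
    for (side, e), cls in edge_cls.items():     # endpoints and labels agree within a class (a1, a2 are homs)
        s, t, lab = (B if side == "B" else C).edges[e]
        edges[cls] = (node_cls[(side, s)], node_cls[(side, t)], lab)
    D = Graph(frozenset(node_cls.values()), edges)
    p = Morphism(B, D, {n: node_cls[("B", n)] for n in B.nodes}, {e: edge_cls[("B", e)] for e in B.edges})
    q = Morphism(C, D, {n: node_cls[("C", n)] for n in C.nodes}, {e: edge_cls[("C", e)] for e in C.edges})
    return D, p, q

def is_pushout(a1: Morphism, a2: Morphism, f: Morphism, g: Morphism) -> bool:
    """(f, g) is a pushout of (a1, a2) iff the mediating arrow out of the canonical pushout is an isomorphism.
    Building that arrow class by class also verifies a1;f = a2;g."""
    D0, p, q = pushout(a1, a2)
    med_n, med_e = {}, {}
    for src_map, med, tgt_map in ((p.on_nodes, med_n, f.on_nodes), (q.on_nodes, med_n, g.on_nodes),
                                  (p.on_edges, med_e, f.on_edges), (q.on_edges, med_e, g.on_edges)):
        for x, cls in src_map.items():
            if med.setdefault(cls, tgt_map[x]) != tgt_map[x]:
                return False                  # the square does not commute, so (f, g) is not even a cocone
    D = f.tgt
    iso_nodes = set(med_n.values()) == set(D.nodes) and len(set(med_n.values())) == len(D0.nodes)
    iso_edges = set(med_e.values()) == set(D.edges) and len(set(med_e.values())) == len(D0.edges)
    return iso_nodes and iso_edges

# Constructed sample span: one interface node 0, mapped into B and C, each carrying a single b-loop on it.
A = Graph(frozenset({0}), {})
B = Graph(frozenset({0}), {"b": (0, 0, "b")})
C = Graph(frozenset({0}), {"c": (0, 0, "b")})
a1 = Morphism(A, B, {0: 0}, {})
a2 = Morphism(A, C, {0: 0}, {})

def two_loops():
    """The pushout: the interface node is shared, the two loops stay distinct."""
    return pushout(a1, a2)

def one_loop():
    """A jointly surjective pair that additionally merges the two loops: an overlap, but not a pushout."""
    D1 = Graph(frozenset({"n"}), {"loop": ("n", "n", "b")})
    return D1, Morphism(B, D1, {0: "n"}, {"b": "loop"}), Morphism(C, D1, {0: "n"}, {"c": "loop"})
```

Both completions pass `jointly_surjective`, because every element of the target comes from B or C; only `two_loops()` passes `is_pushout`, because merging the two loops identifies elements without a common preimage in A, exactly the restriction the pushout imposes and joint epi-ness does not.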
For cospan categories over adhesive categories, borrowed context diagrams form a representative class of squares [BCHK11]. Furthermore, for some categories (such as Graph fin ), there are (up to isomorphism) only finitely many jointly epi squares for a given span of monos and hence only finitely many borrowed context diagrams given a, (since pushout complements along monos in adhesive categories are unique up to isomorphism).
This motivates the following finiteness assumption that we will refer to in this paper: given a, , we require that κ(a, ) is finite. (Fin)

2.4. Representative Steps.

It is possible to define a reaction relation based on representative squares. By requiring that the left square is representative, we ensure that the contexts f̂ are not larger than necessary:
Definition 2.7 (Representative step (without conditions) [HK12]). Let a : 0 → J, f̂ : J → K, a : 0 → K be arrows. We write a f̂ − → R a if a context step a f̂ − → C a is possible (i.e. a;f̂ a , i.e. for some rule ( , r) and some arrow ĉ we have a;f̂ = ;ĉ and r;ĉ = a ) and additionally κ(a, ) (f̂, ĉ) (i.e. the arrows (a, , f̂, ĉ) form a representative square). Such steps are called representative steps.
For this, we construct the representative square (a, , f̂, ĉ) ∈ κ (which, according to Definition 2.4, always exists) from the square (a, , f, c) describing the context step. We obtain arrows f̂, ĉ and an arrow ĝ which completes f̂, ĉ to f, c (i.e. f̂;ĝ = f, ĉ;ĝ = c).
Example 2.9 (Representative steps). Reconsider the reactive system described in Example 2.3, i.e., a message m can be transferred along a channel ch. One possible context step allows a channel ch to borrow a message m (depicted in Figure 6a) and do a transfer. Another possible context step is to borrow an additional message on the right node (Figure 6b). Clearly, this is a valid context step, but the right message is not required by the rule, and we do not want to consider such steps in our analysis (by adding yet more messages, we obtain infinitely many context steps).
However, the second context step is not a representative step (assuming that representative squares correspond to borrowed context diagrams). We try to construct a borrowed context diagram: first we fill in the graphs given by a, f and , then we construct the bottom left pushout and obtain G + = On the other hand, the first context step is representative, since there G + = ch m does not contain the problematic right m-loop and it is possible to complete the borrowed context diagram as shown in Figure 6a. (To obtain the result of the context step, the right-hand side a is constructed just as for context steps (see Example 2.3), which is not depicted here.)
In a semi-saturated bisimulation, → R -steps are answered by → C -steps (for every The resulting bisimilarity ∼ R is identical [HK12] to saturated bisimilarity (i.e. ∼ R = ∼ C ) and therefore also a congruence. Whenever (Fin) holds, ∼ R is amenable to mechanization, since we have to consider only finitely many → R -steps (→ R is finitely branching).
Remark 2.10. Note that answering → R -steps with → R -steps gives a different, finer notion of behavioural equivalence than answering → R -steps with → C -steps. As an example, consider the reactive system with two rules: a b ⇒ a b and c ⇒ c , where the single node is in the rule interface. Both rules replace the graphs with themselves; hence no rewriting step changes the graph at all.
By exhaustive enumeration of all representative steps, it is easy to see that a c , −−−→ C b c (using the second rule). Because the resulting graphs both contain a c-loop, they are also bisimilar, since any subsequent steps (using either rule) can always be answered by applying the second rule.
However, the step is not a representative step, because it borrows more than what is necessary to apply the second rule. There is also no other representative step that originates from c and borrows exactly b . Hence, under a notion of bisimulation where → R -steps are answered by → R -steps, a c , c are not bisimilar.

Conditions for Reactive Systems
The reactive systems defined so far cannot represent rules where a certain component is required to be absent: whenever a reaction a a is possible, a reaction a;c a ;c (with additional context c) is also possible, with no method to prevent this. Restricting rule applications can be useful, e.g. to model access to a shared resource, which may only be accessed if no other entity is currently using it.
For graph transformation systems, application conditions with a first-order logic flavour have been studied extensively (e.g. in [HHT96,HP09]) and generalized to reactive systems in [BCHK11]. If we interpret such conditions in ILC(Graph fin ), we obtain a logic that subsumes first-order logic (for more details on expressiveness see [BCHK11]).
In this section, we summarize the definitions from [BCHK11] and define shifting of conditions as partial evaluation. We then summarize the changes that are necessary to extend reactive systems with conditions. We illustrate the concepts of this section with various examples. An example for conditional reactive systems will be discussed later (Example 4.7). For an additional example, we refer to [BCHK11]. Note that conditions can be represented as finite trees.
• A node recognizes graphs that contain at least one node: The condition is checked as follows: any arrow that satisfies the condition must be decomposable into two arrows, the first of which is given in the condition and contributes the required node, and the second optionally provides additional elements. Since the output interface is not empty, the second arrow is free to connect edges to the required node, i.e. the condition matches both isolated and non-isolated nodes.
• The condition A iso recognizes graphs that contain an isolated node: As the outer interface of h = ∅ → ← ∅ is empty, h;g has to contain an isolated node (g can only connect an edge to the node provided by h if it is contained in the interface).
• A ab recognizes the graphs where for all occurrences of an a-edge, there also exists a b-edge in the opposite direction:
Note that in the examples above, the root object of the condition is empty, since we only consider isolated conditions. When using conditions in a transformation rule, we would use the interface of the rule instead. This ensures that the condition is evaluated at the same position where the rule is applied, and not in any other position.
3.2. Shifting as Partial Evaluation of Conditions.

When evaluating conditions, it is sometimes known that a given context is guaranteed to be present. In this case, a condition can be rewritten, using representative squares, under the assumption that this context is provided by the environment. This operation is known as shift [HP09]:
Definition 3.5 (Shift of a condition [BCHK11]). Given a fixed class of representative squares κ, the shift of a condition A = (A, Q, S) along an arrow c : A → B is inductively defined as follows:
The shift operation can be understood as a partial evaluation of A under the assumption that c is already present. It satisfies c;d |= A ⇐⇒ d |= A ↓c .
The typical case, which we will encounter throughout the rest of this paper, is that a condition on the context of some arrow a is given, this arrow is then placed into some environment c (which might not fully satisfy the condition, but possibly parts of it), and we are interested in a condition that an additional context d has to satisfy. (For instance, if A requires the existence of two elements and c already provides one of them, then d only needs to add the other one, which is reflected in A ↓c .) The representation of the shifted condition may differ depending on the class of representative squares chosen. However, no matter which class is chosen, the resulting conditions are equivalent to each other. Furthermore, if we assume that (Fin) holds, shifting a finite condition will again result in a finite condition.
Representative squares as well as shift play a major role in the diagrammatic proofs. The shift operation satisfies a few equivalences that we will use in the proofs of our theorems.
Example 3.7 (Simplifying conditions by shifting). Let the following condition A nb be given, which requires that the interface node does not have a b-loop attached: Furthermore let the cospan c = → b ← . We now compute the result of the shift A nb↓c , i.e., the condition A nb under the assumption that c is already given. We expect the resulting condition to be equivalent to false, since the presence of the b-loop in c already violates A nb . We will show that this is indeed the case. By Definition 3.5 we have: We can obtain possible α, β by enumerating the borrowed context diagrams where h, c are already given. As seen in Figure 7, there are two possible choices for the jointly epi square in the top left: the b-loops of h and c can be mapped to two different loops in the center graph (Figure 7a) or they can be mapped to a single loop (Figure 7b). The remaining pushout and pullback squares are then uniquely determined. We therefore obtain: false along any arrow α i again results in false: is an identity cospan, the condition is equivalent to . . . ∧ false ≡ false, which is the expected result.

3.3. Conditional Reactive Systems.

We now extend reactive systems with application conditions:
Definition 3.8 (Conditional reactive system [BCHK11]). A rule with condition is a triple ( , r, R) where , r : 0 → I are arrows and R is a condition with root object I. A conditional reactive system is a set of rules with conditions.
As the root object I of the condition is the codomain of the rule arrow, it is also the domain of the reactive context, which has to satisfy the rule condition in order to be able to apply the rule:
Definition 3.9 (Reaction). Let a, a be arrows of a conditional reactive system with rules S. We say that a reduces to a (a a ) whenever there exists a rule ( , r, R) ∈ S with , r : 0 → I and a reactive context c : I → J such that a = ;c, a = r;c and additionally c |= R.
In order to define a bisimulation for conditional reactive systems that is also a congruence, it is necessary to enrich labels with conditions derived from the application conditions. Since we cannot assume that the full context is present, the application condition might refer to currently unknown parts of the context, and this has to be suitably integrated into the label.
Definition 3.10 (Context/representative step with conditions [HK12]). Let S be a conditional reactive system, let a : 0 → J, f : J → K, a : 0 → K be arrows and A be a condition over K. We write a f, A − − → C a whenever there exists a rule ( , r, R) ∈ S and an arrow c such that a;f = ;c, a = r;c (i.e. the reaction is possible without conditions) and furthermore A |= R ↓c (a condition on an additional context d as explained below). Such steps are called context steps.
We write a (f, c) and A = R ↓c . Such steps are called representative steps.
Conditions are represented graphically in the form of "arrowhead shapes" depicted next to the root object. Intuitively a f, A − − → C a means that a can make a step to a when borrowing f , if the yet unknown context d beyond f satisfies condition A (since this context d does not directly participate in the reduction, we call it passive context).
The intuition behind this requirement is that A should allow only the contexts that are allowed by the rule condition R (thereby checking that the rule can actually be applied). Since A is a condition over an additional context d that is beyond the reaction context c, and c might partially satisfy R, we shift R over c to obtain a condition that only requires the parts of R that are still missing. For context steps, A may also be stronger, hence |=.
In the case of a representative step, we require that a context step is possible, the borrowed context is minimal, and the condition on the passive context is not stronger than necessary.
In the proofs, we will make extensive use of the following construction to obtain a representative step for a given context step:
Remark 3.11. Definitions 2.4 and 3.10 imply, analogously to Remark 2.8, that every , with R being the condition of the rule ( , r, R) that enables the given context step.
We will also make use of the following context-step-rewriting lemma:
Proof. According to Definition 3.10, for a step a;d f, A − − → C a there exists a rule ( , r, R) such that (a;d);f = ;c, a = r;c, A |= R ↓c for some arrow c. Since composition is associative, we rewrite this to a;(d;f ) = ;c, which immediately results in the definition of a
We now extend (semi-)saturated bisimilarity to rules with conditions:
Definition 3.13 ((Semi-)Saturated bisimilarity [HK12]). Let S be a conditional reactive system. A saturated bisimulation is a relation R, relating arrows a, b : 0 → J, such that: for all (a, b) ∈ R and for every context step a where I is a finite index set; and, vice versa, Two arrows a, b are called saturated bisimilar ((a, b) ∈ ∼ C ) whenever there exists a saturated bisimulation R with (a, b) ∈ R. Similarly, for semi-saturated bisimilarity we require that → R -steps of a can be answered by → C -steps of b, and vice versa for → R -steps of b. Saturated and semi-saturated bisimilarity agree and both are congruences [HK12].

Conditional Bisimilarity
We will now introduce our new results on conditional bisimilarity: as stated earlier, our motivation is to extend the notion of saturated bisimilarity, which is often too strict, since it requires that two system states behave identically in all possible contexts. However, sometimes it is enough to ensure behavioural equivalence only in specific environments.
Hence we now replace standard bisimilarity, which is a binary relation, by a ternary relation (called conditional relation) with tuples of the form (a, b, C). Then, a conditional bisimulation is a conditional relation, where a tuple (a, b, C) can be read as: a, b are bisimilar in all contexts satisfying C.
Definition 4.1 (Conditional relation). A conditional relation is a set of triples (a, b, C), where a, b : 0 → J are arrows with identical target and C is a condition over J.
Note that for a triple (a, b, C), the root object of the condition C is not the source of a (as is the case for satisfaction), but the target codom(a). This is because we do not state a condition on the arrows a, b themselves, but on the context in which they are embedded (a;f resp. b;f for some context f ), so the condition is over dom(f ) = codom(a) = codom(b).
Definition 4.2 (Closure under contextualization, u(R), conditional congruence). If R is a conditional relation, then: closed under contextualization For a conditional relation R, u(R) is its closure under contextualization, that is, Closure under contextualization means that whenever a, b are related under a context satisfying C, then they are still related when we contextualize under d, where however the condition has to be shifted since we commit to the fact that the context is of the form d;c for some additional context c.
We will now introduce one of the central definitions of this paper. Here, given a conditional reactive system we will describe when two arrows a, b are bisimilar in all contexts that satisfy a condition C.
Definition 4.3 (Conditional bisimulation). We fix a conditional reactive system. A conditional bisimulation R is a conditional relation such that the following holds: for each triple (a, b, C) ∈ R and each context step a The situation for one answer step is depicted in Figure 8. Since the definition is rather complex, we will discuss its various aspects in the following remarks.
Remark 4.4 (Logical implication). In Definition 4.3, the implication A ∧ C ↓f |= ⋁ i∈I (C i ∧ B i ) is to be understood as follows: For every step, we have a borrowed context f and an additional passive context d (as explained below Definition 3.10). The condition C from the triple refers to the full context of a (i.e. both the borrowed context f and the passive context d, hence f ;d |= C or equivalently d |= C ↓f ), while A, coming from the context step, only refers to the passive context d (hence d |= A).
Every environment d that is valid for the context step of a (i.e. which satisfies A ∧ C ↓f ) must also be valid for some answering step of b, i.e. satisfies at least one B i . Depending on 1 For each triple (a, b, C) ∈ R and each context step b f, B − − →C b , there are answering steps a f, A j −−−→C a j and conditions C j such that (a j , b , C j ) ∈ R and B ∧ C ↓f |= j∈J C j ∧ Aj 2 Note that since conditional bisimulations are closed under union, • ∼C is itself a conditional bisimulation.
the context, different answering steps may be chosen, and the resulting pair a , b i might only be conditionally bisimilar for some contexts, which is indicated by the condition C i .
Remark 4.5 (Necessity of multiple answering steps). As for saturated bisimilarity, we need to allow several answering moves for a single step of a: the answering step taken by b might depend on the context, using different rules for contexts satisfying different conditions $B_i$. We just have to ensure that all answering step conditions taken together (disjunction on the right-hand side) fully cover the conditions under which the step of a is feasible (left-hand side). As an example, consider the following (originally presented in [HK12, remark after Definition 15]). Assume three rules: (Hence rules 2 and 3 together allow a b-edge to be deleted in any context, since every context satisfies either $A_q$ or $\neg A_q$. The condition $A_q$ can be chosen arbitrarily, as long as it is not equivalent to true or false.) Then, an a-edge is conditionally bisimilar to a b-edge under true (all contexts): a step that deletes the a-edge can be answered by deleting the b-edge, but depending on the context in which the step happens, a different rule has to be chosen: two answering steps with $B_1 = A_q$, $B_2 = \neg A_q$ are required, and together they cover true. (The other direction, deleting the b-edge using either rule 2 or 3 being answered by deleting the a-edge using rule 1, does not require multiple answering steps in this example.)

Remark 4.6 (Infinitely many answering steps). The definition explicitly permits an infinite index set I for the answering steps (this is in contrast to saturated bisimilarity, cf. Definition 3.13, which required finite I). If we do not consider conditional bisimilarity and the finiteness assumption (Fin) holds, it does not make a difference whether we consider finite or infinite index sets, since there are only finitely many possible answering steps [HK12]. However, in the presence of conditions, it might make a difference.
Since the logic does not support infinite disjunctions, in many practical applications it may be useful to restrict to a variant of the definition that permits only finitely many answering steps. Our theorems are valid for either variant (finite or infinite), except for the proof of Theorem 6.4, which in its current version requires I to be infinite.
Example 4.7 (Message passing over unreliable channels). We now work in the category of input-linear cospans of graphs, i.e., $\mathrm{ILC}(\mathbf{Graph}_{\mathrm{fin}})$.
We extend our previous example (cf. Example 2.3) of networked nodes, introducing different types of channels. A channel can be reliable or unreliable, indicated by a rel-edge or an unr-edge respectively. Sending a message over a reliable channel always succeeds (rule $P_R$), while an unreliable channel only transmits a message if there is no noise (indicated by a parallel noise-edge) in the environment that disturbs the transmission (rule $P_U$). The reactive system has the following rules with application conditions, where condition $A_{Un}$ states that the unreliable channel must not have a noise-edge in parallel: Hence the application condition $A_{Un}$ says that the context must not be decomposable into $U_0 \to U_N \leftarrow U_0$ and some other cospan, which is only the case if the unr-edge in the interface of $P_U$ has no parallel noise-edge. In other words: there is no noise.
We compare the behaviour of a reliable channel (r := ∅ → rel ← ) to that of an unreliable channel (u := ∅ → unr ← ). It is easy to see that they are not saturated bisimilar: r can do a step by borrowing a message on the left (f := → m ← ) without further restrictions (i.e. using an environment condition A = true). But u is unable to answer this step, because the corresponding rule is only applicable if no noise-edge is present.
However, r and u are conditionally bisimilar under the assumption that no noise-edge is present between the two nodes ($C = A_n$, where A n := , ∀, ( → noise ← , false ) ), i.e. there exists a conditional bisimulation that contains $(r, u, A_n)$. A direct proof is hard, since it involves checking infinitely many context steps: messages accumulate on the right-hand side. However, in Example 4.18 we will use an argument based on representative steps to construct a proof.

Remark 4.8 (Condition strengthening). It holds that $(a, b, C') \in \dot\sim_C$ and $C \models C'$ implies $(a, b, C) \in \dot\sim_C$. (This is due to the fact that $C \models C'$ implies $C_{\downarrow f} \models C'_{\downarrow f}$ which, in Definition 4.3, implies $A \wedge C_{\downarrow f} \models A \wedge C'_{\downarrow f}$ for any condition A and arrow f.)

Our motivation for introducing the notion of conditional bisimilarity was to check whether two systems are behaviourally equivalent when they are put into a context that satisfies some condition C. It is not immediately obvious that our definition can be used for this purpose, since all context steps are checked, not just the ones that actually satisfy C.
Hence we now show that our definition is sound, i.e. if two systems are conditionally bisimilar, then they show identical behaviour under all contexts that satisfy C.  We have c |= R (otherwise the rule would not be applicable and therefore the step a;d a would not be possible) and d |= C (follows from the given (a;d, b;d) ∈ R by construction of R ). To make them usable for the answering steps, we transform R, C to be conditions over K. Trivially d = d; id K , so using Definition 3.5 we rewrite d; id K |= C to id K |= C ↓d . Analogously, we rewrite c; id K |= R to id K |= R ↓c .
We set A := R ↓c and interpret this diagram as a Generally, not every answering step that is possible for our given triple (a, b, C) is a suitable answering step for the given context d. But since R is a conditional bisimulation, we know that R ↓c ∧ C ↓d |= i∈I (C i ∧ B i ). Previously we derived id K |= R ↓c ∧ C ↓d . Therefore, id K also satisfies i∈I (C i ∧ B i ), that is, id K satisfies C i ∧ B i = C i ∧ R i↓e i for some i. From now on, we only consider answering steps for which this is indeed the case.
Using Definition 3.5 we rewrite id K |= R i↓e i to e i ; id K = e i |= R i , which means that the rule ( i , r i , R i ) can actually be applied, that is, b;d b i = r i ;e i . So b has a suitable answering step.
To show that R is a bisimulation, we only have to show that (a , b i ) ∈ R . As R is a conditional bisimulation, for the given answering step we know that (a , b i , C i ) ∈ R. Previously we had id K |= C i , therefore, the requested pair (a ; id K , b i ; id K ) = (a , b i ) is added during the construction of R .
Remark 4.10. Note that the converse of Theorem 4.9 (if $R'$ is a bisimulation, then R is a conditional bisimulation) does not hold. Consider the following counterexample: Here X = x . In this case, an a-loop can be replaced with an e-loop if an x-loop is present, ensured by requiring (and retaining) it in the rule $R_1$. A b-loop can also be replaced with an e-loop, also if an x-loop is present, this time ensured by an application condition. Now consider the conditional relation R = {( a , b , true)} ∪ {(G, G, true) | G is a graph}[3] (all graphs are seen as cospans with empty interfaces) and the accompanying relation $R'$. Clearly, the graphs a and b are bisimilar under all contexts, and therefore $R'$ is a bisimulation: either the context contains an x-loop, in which case they both reduce to a graph that contains e x and possibly further context (both steps reach the same graph), or the context does not contain an x-loop, in which case neither rule is applicable.
However, R is not a conditional bisimulation, the violating triple being ( a , b , true): cannot be answered by a , since in $R_1$, the x-loop is directly participating in the reaction, but $A_{\exists X}$ only guarantees its existence in a passive environment (i.e. it is not participating in the reaction). ( a could only do a step by borrowing x , but this does not constitute a valid answering step for the step of b where id (i.e. no additional elements) has been borrowed.)

Next, we will show that conditional bisimilarity $\dot\sim_C$ is a conditional congruence. This is an important plausibility check, since reactive systems have been introduced with the express purpose of defining and reasoning about bisimulation congruences.
Proof. We show that $\dot\sim_C$ is:

reflexive: We prove that $R = \{(a, a, C) \mid \mathrm{codom}(a) = \mathrm{Ro}(C)\}$ is a conditional bisimulation. Any context step $a \xrightarrow{f,A}_C a'$ can be trivially answered by the exact same step, setting $B_1 := A$, $C_1 := C_{\downarrow f}$, $b'_1 := a'$, where $I = \{1\}$, and we have $(a', b'_1, C_1) = (a', a', C_{\downarrow f}) \in R$.

symmetric: Let R be a conditional bisimulation. It is easily seen that $R^{-1}$, due to the symmetric nature of the definition, is also a conditional bisimulation. Then, $R \subseteq \dot\sim_C$ implies $R^{-1} \subseteq \dot\sim_C$, which proves symmetry of $\dot\sim_C$.

transitive: Let $R_1, R_2$ be conditional bisimulations that are closed under condition strengthening, i.e. $(a, b, C') \in R_i$ and $C \models C'$ implies $(a, b, C) \in R_i$. We show that $R_1 R_2 := \{(a, c, D) \mid \text{there exists } b \text{ such that } (a, b, D) \in R_1 \text{ and } (b, c, D) \in R_2\}$ is a conditional bisimulation. Then, since $\dot\sim_C$ is a conditional bisimulation closed under condition strengthening (Remark 4.8), (a, b, D) ∼ C is a conditional bisimulation, a, c are conditionally bisimilar under D, which proves transitivity of $\dot\sim_C$. Consider a triple $(a, c, D) \in R_1 R_2$, which by construction of $R_1 R_2$ results from some $(a, b, D) \in R_1$, $(b, c, D) \in R_2$. Also consider a step $a \xrightarrow{f,A}_C a'$. Then, $R_1 R_2$ fulfills the requirements of a conditional bisimulation: (1) Answering steps c We now collect all answering steps c (2) $(a', c'_{i,j}, D_{i,j}) \in R_1 R_2$: Since $(a', b'_i, D_i) \in R_1$, and $R_1$ is closed under condition strengthening, and , therefore this also implies: Observe that this implication is of the required form for the previously derived tuples $(a', c'_{i,j}, D_{i,j} \wedge D_i) \in R_1 R_2$.
In case I is infinite, the same idea can be applied, but we need to slightly change the notation to prevent the creation of infinite disjunctions: , therefore this also implies: Symmetrically, steps $c \xrightarrow{f,C}_C c'$ can be answered by a. Therefore, $R_1 R_2$ is a conditional bisimulation.

closed under contextualization: We show that $u(R) = \{(a;d, b;d, C_{\downarrow d}) \mid (a, b, C) \in R\}$ is a conditional bisimulation, assuming R is a conditional bisimulation.

Footnote 3 (to Remark 4.10): The reflexive triples (G, G, true) are needed because a, b can both be transformed to e in the presence of x and we require that the resulting (identical) graphs are related.
Consider a triple $(a;d, b;d, C_{\downarrow d}) \in u(R)$ and a step $a;d \xrightarrow{f,A}_C a'$. This step is due to some rule ( , r, R). We have to show that there exist answering steps b;d According to Lemma 3.12, the given step can be rewritten to a The implication to be shown is identical to the one that we obtained above, except for $(C_{\downarrow d})_{\downarrow f}$, which, however, is equivalent to $C_{\downarrow d;f}$.
Answering steps for steps $b;d \to_C b'$ can be derived analogously.
4.2. Alternative Characterization using Fixpoint Theory.

Behavioural equivalences can be characterized as fixpoints of certain functions on complete lattices [PS11b]. Before we provide definitions that characterize conditional bisimulation relations as fixpoints, we give a quick summary of fixpoint theory. We do not rely on this characterization in the proofs in this section. However, we will use the theory and the alternative definitions for the proofs of up-to techniques in Section 5.

A complete lattice is a partially ordered set $(L, \sqsubseteq)$ where each subset $Y \subseteq L$ has an infimum, denoted by $\bigsqcap Y$, and a supremum, denoted by $\bigsqcup Y$. In this paper, the lattices that we consider contain relations ordered by inclusion, i.e. the elements of the lattice are relations and thus the functions we consider map relations to relations. Given some behavioural equivalence, we define a monotone function $f : L \to L$ in such a way that its greatest fixpoint $\nu f$ equals the behavioural equivalence. Behavioural equivalence can then be checked by establishing whether some given element of the lattice $l \in L$ (for instance a relation consisting of a single pair) is under the fixpoint, i.e., whether $l \sqsubseteq \nu f$. By Tarski's Theorem [Tar55], $\nu f = \bigsqcup\{x \mid x \sqsubseteq f(x)\}$, i.e., the greatest fixpoint is the supremum of all post-fixpoints. Hence for showing that $l \sqsubseteq \nu f$, it is sufficient to prove that l is under some post-fixpoint $l'$, i.e., $l \sqsubseteq l' \sqsubseteq f(l')$.

Using these preliminaries, we can now give an alternative characterization of conditional bisimulation using fixpoint theory:

Remark 4.12 (Conditional bisimulation function $f_C$). Consider the complete lattice Condrel, which is the set of all conditional relations ordered by set inclusion. Then, conditional bisimulations can also be seen as post-fixpoints of $f_C$ (i.e. R is a conditional bisimulation if and only if $R \subseteq f_C(R)$), and conditional bisimilarity as the greatest fixpoint of $f_C$, where the monotone function $f_C : \mathrm{Condrel} \to \mathrm{Condrel}$ is the conditional bisimulation function defined by The correctness of this characterization (i.e. that "$f_C$ is the right function") can be seen by expanding the definition of $f_C$ on the right-hand side of $(a, b, C) \in R \Longrightarrow (a, b, C) \in f_C(R)$, which results in exactly the definition of a conditional bisimulation relation.

Representative Conditional Bisimulations.
Checking whether two arrows are conditionally bisimilar, or whether a given relation is a conditional bisimulation, can be hard in practice, since we have to check all possible context steps, of which there are typically infinitely many.
For saturated bisimilarity, we used representative steps instead of context steps (cf. Subsections 2.3 and 2.4) to reduce the number of contexts to be checked. In this section, we extend our definition of conditional bisimulation to use representative steps and prove that the resulting bisimilarity is identical to the one previously defined.
Definition 4.13 (Representative conditional bisimulation). We fix a conditional reactive system. A representative conditional bisimulation R is a conditional relation such that the following holds: for each triple (a, b, C) ∈ R and each representative step a

Remark 4.14. Analogously to Remark 4.12, we can define representative conditional bisimulations as post-fixpoints of $f_R$, and representative conditional bisimilarity as the greatest fixpoint of $f_R$, where $f_R$ is defined on Condrel as follows: It is easy to see that $f_C \subseteq f_R$: their definitions differ only in the type of steps which are checked. A triple that satisfies the requirements for all context steps (is in $f_C(R)$) naturally satisfies them for all representative steps (is in $f_R(R)$), since every representative step is also a context step.
To show that the two conditional bisimilarities using context and representative steps are equivalent (Theorem 4.17) and for the proofs of Theorems 5.16, 6.4 and 6.6, we need the following two lemmas:
Proof. We show that $u(R) = \{(a;d, b;d, C_{\downarrow d}) \mid (a, b, C) \in R\}$ is a representative conditional bisimulation, assuming R is a representative conditional bisimulation.
Consider a triple $(a;d, b;d, C_{\downarrow d}) \in u(R)$ and a step $a;d \xrightarrow{f,A}_R a'$. This step is due to some rule ( , r, R). We have to show that there exist answering steps b;d The representative step is of course also a context step (a;d Note that $\hat f;\hat g = d;f$, $\hat c;\hat g = c$. Variables with a hat (e.g. $\hat c$) refer to the representative step, but otherwise play the same role as their unhatted counterparts (e.g. c), which refer to the original step. The result is a representative step $a \xrightarrow{\hat f}$ By construction of u(R), for the given triple $(a;d, b;d, C_{\downarrow d}) \in u(R)$ there must exist a triple (a, b, C) ∈ R. As R is a representative conditional bisimulation, the step $a \xrightarrow{\hat f}$ (3) $A \wedge (C_{\downarrow d})_{\downarrow f} \models \bigvee_{i\in I}(C_i \wedge B_i)$: Above, we already showed $R_{\downarrow\hat c} \wedge C_{\downarrow f} \models \bigvee_{i\in I}(\hat C_i \wedge B_i)$. By shifting both sides with $\hat g$ and applying the rules of Theorem 3.6, we get: , which was to be shown.
Analogously, answering steps for b;d
The following theorem is based on a proof strategy similar to Lemma 4.16.
Theorem 4.17. Conditional bisimilarity and representative conditional bisimilarity coincide, that is, $\dot\sim_C = \dot\sim_R$.
Proof. ($\subseteq$) Consider a triple $(a, b, C) \in \dot\sim_C$. By Definition 4.3, for each step a context steps, which are a superset of representative steps (every $\to_R$ step is also a $\to_C$ step), Definition 4.13 is trivially satisfied.
($\supseteq$) Let $R := \dot\sim_R$; we show that R is a conditional bisimulation, i.e. that it satisfies the requirements of Definition 4.3.
Consider a triple (a, b, C) ∈ R and a context step $a \xrightarrow{f,A}_C a'$. This step is due to some rule ( , r, R). According to Remark 3.11, this context step can be reduced to a representative step $a \xrightarrow{\hat f, R_{\downarrow\hat c}}_R r;\hat c$, and there exists $\hat g$ such that $\hat f;\hat g = f$, $\hat c;\hat g = c$. Again, all variables with a hat (e.g. $\hat c$) refer to the representative step, but otherwise take the same role as their unhatted counterparts.
Since R is the representative conditional bisimilarity, R is a representative conditional bisimulation. Together with (a, b, C) ∈ R, this means that for the aforementioned step there exist answering steps $b \xrightarrow{\hat f}$ However, we are not interested in answering steps for the representative step, but rather for the original step $a \xrightarrow{f,A}_C a'$, that is, we need answering steps of b using context f. So we need (1) answering steps b (2) $(a', b'_i, C_i) \in R$: Since R is the representative conditional bisimilarity, by Lemma 4.16 we know that R is closed under contextualization. Therefore, $(r;\hat c, \hat b'_i, \hat C_i) \in R$ implies $(r;\hat c;\hat g, \hat b'_i;\hat g, \hat C_{i\downarrow\hat g}) = (a', b'_i, C_i) \in R$, i.e. the original target $a'$ is conditionally bisimilar to the targets $\hat b'_i;\hat g$ of the answering steps. (3) $A \wedge C_{\downarrow f} \models \bigvee_{i\in I}(C_i \wedge B_i)$: Using the rules of Theorem 3.6 we get: , which is the required condition for the triple (a, b, C).
Analogously, we can construct answering steps for b We have therefore shown that R = • ∼ R is a conditional bisimulation and therefore • ∼ R ⊆ • ∼ C .
We now discuss the notion of representative conditional bisimulation in two examples.
Example 4.18. We consider the representative steps that are possible from either rel or unr and only explain the most interesting cases (cf. Figure 10a).
• The graph rel can do a step using rule $P_R$ by borrowing a message on the left node, that is, f = → m ← , reacting to rel m . No further restrictions on the environment are necessary, so A = true. The graph unr can answer this step using $P_U$ and reacts to unr m , but only if no noise is present (the environment satisfies $B_i = A_n$). We evaluate the implication (Note that $A_{n\downarrow f} \equiv A_n$ since $A_n$ forbids the existence of a noise-edge between the two interface nodes and f is unrelated, providing an m-loop on the left-hand node.) We now require (∅ → rel m ← , ∅ → unr m ← , $A_n$) ∈ R.
• Symmetrically, unr can do a step using $P_U$ by borrowing a message on the left node, reacting to unr m in an environment without noise ($A = A_n$). rel can answer this step under any condition $B_i$. Then, the implication is satisfied if we set $C_i = A_n$, so we require again (∅ → rel m ← , ∅ → unr m ← , $A_n$) ∈ R.
• There are additional representative steps that differ in how much of the left-hand side is borrowed, but they can be proven analogously to the two previously discussed steps.
This means we have to add the triple (∅ → rel m ← , ∅ → unr m ← , $A_n$) to R and to continue adding triples until we obtain a bisimulation: with every step, a new triple with an additional m-loop on the right node is added to the relation; therefore, the smallest conditional bisimulation has infinite size. This is visualized in Figure 10a. However, except for the additional m-loop on the right node, which does not affect rule application, this triple is identical to the initial one and we can hence use a similar argument. In Section 5 we show how to make this formal, using up-to techniques. In summary, we conclude that rel is conditionally bisimilar to unr under the condition $A_n$.
Example 4.19 (Unreliable channel vs. no channel). For Examples 4.7 and 4.18, it can also be shown that under the condition $\neg A_n$, the unreliable channel ∅ → unr ← is conditionally bisimilar to not having a channel between the two nodes (∅ → ← ). In this case, unr can still do a reaction under $A_n$. Then, the cospan without a channel, ∅ → ← , can answer with an empty set of steps. The implication $A_n \wedge C_{\downarrow f} \models \bigvee_{i\in I}(C_i \wedge B_i)$ is then simplified to $A_n \wedge \neg A_n \models \mathit{false}$, which is easily seen to be valid.
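The checks of Definition 4.3 and Remark 4.12 can be run mechanically on a finite model. The following Python block is an added example written for this page, not code from the paper or its authors: it drops the borrowed context (f = id, so $C_{\downarrow f} = C$), models a condition as a subset of a constructed four-element universe of environments (noise present or not, an arbitrary property q holding or not), and encodes the channel rules of Example 4.7 (with the received message as a terminal state, so messages do not accumulate) together with the three edge-deletion rules of Remark 4.5. It checks candidate relations as post-fixpoints of $f_C$ and computes conditional bisimilarity as the greatest fixpoint by iterating $f_C$ downward from the full conditional relation. All state names, rule encodings and environments are constructed for this example.

```python
"""Finite-model conditional bisimulation check (added example, not the paper's code).

Assumptions that simplify Definition 4.3: no context is borrowed (f = id, so
the shifted condition C_{|f} equals C), and a condition is a subset of a finite
universe ENVS of environments, so C |= D is subset inclusion, conjunction is
intersection and the disjunction over answering steps is a union.
"""
from itertools import product

# Constructed universe: an environment records whether noise is present
# (Example 4.7) and whether the arbitrary property q holds (Remark 4.5).
ENVS = frozenset(product(("noise", "quiet"), ("q", "not_q")))
ENV_LIST = sorted(ENVS)
CONDITIONS = [frozenset(e for i, e in enumerate(ENV_LIST) if mask >> i & 1)
              for mask in range(1 << len(ENV_LIST))]   # all 16 conditions
TRUE, FALSE = ENVS, frozenset()
A_N = frozenset(e for e in ENVS if e[0] == "quiet")        # no noise-edge
NOT_A_N = ENVS - A_N
A_Q = frozenset(e for e in ENVS if e[1] == "q")
NOT_A_Q = ENVS - A_Q

# Rules (source, target, application condition A). The channel rules follow
# Example 4.7 (rel always transmits, unr only without noise); the received
# message is a terminal state here, so message accumulation is not modelled.
# The edge-deletion rules follow Remark 4.5: one rule for a, two for b.
RULES = [
    ("rel", "rel_m", TRUE),
    ("unr", "unr_m", A_N),
    ("a_edge", "nodes", TRUE),
    ("b_edge", "nodes", A_Q),
    ("b_edge", "nodes", NOT_A_Q),
]
STATES = sorted({s for rule in RULES for s in rule[:2]})

def steps(state):
    """All steps (target, A) that the rules allow from a state."""
    return [(tgt, cond) for src, tgt, cond in RULES if src == state]

def _cover(known, a_next, b, swap):
    """Union over answering steps b -> b_i of B_i ∧ C_i. C_i is the union of
    all conditions C with (a_next, b_i, C) in R: each such C is its own index
    i in Definition 4.3, so this is exactly the disjunction over I. `swap`
    orients the triple when the step being answered belongs to b."""
    cov = FALSE
    for b_next, b_cond in steps(b):
        key = (b_next, a_next) if swap else (a_next, b_next)
        cov |= b_cond & known.get(key, FALSE)
    return cov

def _direction_ok(known, a, b, c, swap):
    """Every step of a under A must be covered on A ∧ C by answers of b."""
    return all((a_cond & c) <= _cover(known, a_next, b, swap)
               for a_next, a_cond in steps(a))

def f_c(rel):
    """Conditional bisimulation function of Remark 4.12: all triples whose
    steps, in both directions, are answered within `rel`."""
    known = {}
    for x, y, c in rel:
        known[(x, y)] = known.get((x, y), FALSE) | c
    return frozenset(
        (a, b, c) for a in STATES for b in STATES for c in CONDITIONS
        if _direction_ok(known, a, b, c, False)
        and _direction_ok(known, b, a, c, True))

def is_conditional_bisimulation(rel):
    """R is a conditional bisimulation iff it is a post-fixpoint of f_C."""
    rel = frozenset(rel)
    return rel <= f_c(rel)

def conditional_bisimilarity():
    """Greatest fixpoint of f_C, computed by iterating from the full
    conditional relation; the lattice is finite, so this terminates."""
    rel = frozenset(product(STATES, STATES, CONDITIONS))
    while True:
        nxt = f_c(rel)
        if nxt == rel:
            return rel
        rel = nxt

if __name__ == "__main__":
    sim = conditional_bisimilarity()
    print(("rel", "unr", TRUE) in sim)        # False: not saturated bisimilar
    print(("rel", "unr", A_N) in sim)         # True: bisimilar without noise
    print(("unr", "nodes", NOT_A_N) in sim)   # True: Example 4.19
    print(("a_edge", "b_edge", TRUE) in sim)  # True: needs both b-rules
```

Running the block reproduces the claims of Examples 4.7 and 4.19 in this finite setting: (rel, unr, true) is rejected because the single answering step of unr only covers $A_n$, (rel, unr, $A_n$) is accepted, (unr, nodes, $\neg A_n$) is accepted with an empty set of answering steps, and (a_edge, b_edge, true) is accepted only because the two b-rules together cover true, as in Remark 4.5. The greatest fixpoint also contains every strengthening of an accepted condition, matching Remark 4.8.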

Up-to Techniques for Proving Conditional Bisimilarity
Our optimizations so far involved replacing context steps by representative steps, which ensure finite branching and thus greatly reduce the proof obligations for a single step. However, it can still happen very easily that the smallest possible bisimulation is of infinite size, in which case automated proving of conditional bisimilarity becomes impossible. For instance, in Example 4.18, the least conditional bisimulation relating the two cospans u, r (representing (un)reliable channels) under $A_n$ contains infinitely many triples $(u;m^n, r;m^n, A_n)$ for any number n of messages on the right node (m = → m ← ). On the other hand, conditional bisimilarity is closed under contextualization, hence if u, r are related, we can conclude that u;m and r;m must be related as well. Intuitively the relation $R = \{(u, r, A_n)\}$ is a sufficient witness, since after one step we reach the triple $(u;m, r;m, A_n)$, from which we can "peel off" a common context m to obtain a triple already contained in R (visualized in Figure 10b). This is an instance of an up-to technique, which can be used to obtain smaller witness relations by identifying and removing redundant elements from a bisimulation relation. Instead of requiring the redundant triple $(u;m, r;m, A_n)$ to be contained in the relation, it is sufficient to say that up to the passive context m, the triple is represented by $(u, r, A_n)$, which is already contained in the relation. In particular, this specific up-to technique is known as up-to context [PS11b], a well-known proof technique for process calculi.[4] Note that in general, a bisimulation up-to context is not a bisimulation relation. However, it can be converted into a bisimulation by closing it under all contexts.
In this section, we show how to adapt this concept to conditional bisimilarity and in particular discuss how to deal with the conditions in a conditional bisimulation up-to context.

5.1. Up-To Techniques and Fixpoint Theory.

As in Section 4, we will provide definitions and proofs that are based on fixpoint theory. Hence, we first introduce the remaining preliminary concepts for implementing up-to techniques using fixpoint theory, again mostly following [PS11b].
In Subsection 4.2 we already explained that to show that some element l of the lattice is contained in behavioural equivalence ($l \sqsubseteq \nu f$), it is sufficient to prove that l is under some post-fixpoint $l'$ ($l \sqsubseteq l' \sqsubseteq f(l')$). The idea of using up-to techniques is now to define
• ($l \sqsubseteq f(u(l)) \Leftarrow u(l) \sqsubseteq f(u(l))$): u is extensive, therefore $l \sqsubseteq u(l)$. Combined, we obtain $l \sqsubseteq u(l) \sqsubseteq f(u(l))$ and hence our desired result.
Footnote 4: Stated in the language of process algebra, a symmetric relation R is a bisimulation up-to context, if whenever (P, Q) ∈ R and P

5.2. Conditional Bisimilarity Up-To Context.

We start our investigation of conditional bisimilarity up-to context with the idea of a relation that can be extended to a conditional bisimulation. To show, using such a conditional bisimulation up-to context R, that a pair of arrows is conditionally bisimilar, it is not in general necessary to find this pair in R, but one can instead extend a pair in R to the pair under review. As this extension might provide parts of the context that the original condition referred to, it is necessary to shift the associated condition over the extension.
Definition 5.7 (Conditional bisimulation up-to context (CBUC)). A conditional relation R is a conditional bisimulation up-to context if the following holds: for each triple (a, b, C) ∈ R and each context step a The situation for one answer step is depicted in Figure 11. The weakest possible A, $B_i$ can be derived from the rule conditions as
[Figure 11: A single answer step in conditional bisimulation up-to context]
Compared to a regular conditional bisimulation, which directly relates the results of the answering steps $(a', b'_i, C_i)$, in a CBUC it is sufficient to relate some triple $(a_i, b_i, C_i)$, where $a_i, b_i$ are obtained from $a', b'_i$ by removing an identical context $j_i$. (The conditional bisimilarity of the actual successors $a', b'_i$ can then be derived by contextualizing the relation, i.e., we use Theorem 5.10 and refer to a triple in u(R) that is contextualized under $j_i$.)

Remark 5.8. A CBUC can also be defined based on the closure under contextualization u (see Definition 4.2; note that u is easily seen to be a closure[5]): A conditional relation R is a CBUC if and only if $R \subseteq f_C(u(R))$ (i.e. R is a post-fixpoint of $f_C \bullet u$). This can be seen by expanding the definitions of $f_C$ and u on the right-hand side of $(a, b, C) \in R \Longrightarrow (a, b, C) \in f_C(u(R))$, which results in exactly the definition of a CBUC.
We now show that this up-to technique is useful or sound (Definition 5.1), that is, all elements recognized as bisimilar by the up-to technique are actually bisimilar [San98,PS11b]. In fact, we prove the stronger result that the technique is f C -compatible, which (as outlined in Subsection 4.2) not only implies soundness, but also makes it possible to combine our technique with other f C -compatible up-to techniques.
Theorem 5.9 (u is $f_C$-compatible). Let R be a conditional relation. Then it holds that $u(f_C(R)) \subseteq f_C(u(R))$.
Within this proof, we use the following notation: Given arrows x, d, $x_{\setminus d}$ indicates an arrow such that $x = x_{\setminus d};d$. Given a condition C, $C_{\uparrow d}$ is a condition such that $C = (C_{\uparrow d})_{\downarrow d}$.
• Since (a, b, C) ∈ u(f C (R)), by definition of u this means that there exist d, a \d , b \d , C ↑d such that a = a \d ; This is exactly the definition of (a, b, C) ∈ f C (R). Therefore, u(f C (R)) ⊆ f C (R).
Since R ⊆ u(R) due to extensiveness of u, we can infer f C (R) ⊆ f C (u(R)) since f C is monotone. Combined, this gives us f C -compatibility of u.
Note that the stronger result ($u(f_C(R)) \subseteq f_C(R)$ instead of just $u(f_C(R)) \subseteq f_C(u(R))$) can be explained intuitively as follows: since $f_C$ quantifies over all context steps and the size of the borrowed context f is not bounded, the successor triples are already closed under contextualization.
From compatibility, we obtain as a corollary that this up-to technique is useful or sound, that is, all elements recognized as bisimilar by the up-to technique are actually bisimilar (see Lemma 5.3 and [San98,PS11b]).
Theorem 5.10. A conditional relation R is a CBUC (Definition 5.7) if and only if u(R) is a conditional bisimulation.
Proof. R satisfying Definition 5.7 is, by Remark 5.8, equivalent to R being a post-fixpoint of $f_C \bullet u$, i.e., $R \subseteq f_C(u(R))$. Also, R satisfying the definition from Theorem 5.10, i.e., u(R) being a conditional bisimulation, is, by Remark 4.12, equivalent to $u(R) \subseteq f_C(u(R))$.
Since u is f C -compatible and u is a closure, we can instantiate Lemma 5.6 to obtain the desired result. Hence, every relation that our initial definition recognizes as a CBUC indeed represents a conditional bisimulation (when closed under contextualization), and all relations that should intuitively be a CBUC are recognized by Definition 5.7 as such.
Remark 5.11. From Theorem 5.10 we easily obtain as a corollary that every CBUC R is contained in conditional bisimilarity, i.e. all elements contained in some CBUC are indeed conditionally bisimilar. This follows from the fact that $R \subseteq u(R)$ (set $d = \mathrm{id}_J$) and $u(R) \subseteq \dot\sim_C$ (since by Theorem 5.10 u(R) is a conditional bisimulation).
Note that while Theorem 5.10 gives a more accessible definition of CBUCs than Definition 5.7, the latter definition is more amenable to mechanization, since R might be finite, whereas u(R) is infinite.
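To see the difference between a conditional bisimulation and a CBUC concretely, here is an added Python example (written for this page, not the paper's own code) in a finite-model slice of the channel example of Examples 4.7 and 4.18. It assumes no borrowed context (f = id), conditions as subsets of a constructed two-element universe, states of the form (channel kind, number of received messages), and message contexts $m^k$ as the only passive contexts, over which conditions shift unchanged because they only mention the noise-edge. The check of Definition 5.7 (via Remark 5.8) looks up successor triples in u(R) by peeling off a common context; the plain check of Definition 4.3 looks them up in R itself. All names are constructed for this example.

```python
"""Conditional bisimulation up-to context (CBUC, Definition 5.7) in a
finite-model slice of the channel example (added example, not the paper's code).

Assumptions: no context is borrowed (f = id); a condition is a subset of the
finite universe ENVS; a state is (channel kind, messages already received); the
only passive context is m^k, which adds k received messages, and shifting a
condition over m^k leaves it unchanged because the conditions only speak about
the noise-edge between the two nodes, which m^k does not touch.
"""
ENVS = frozenset({"noise", "quiet"})
TRUE, FALSE = ENVS, frozenset()
A_N = frozenset({"quiet"})          # no noise-edge present (Example 4.7)

# Receiving one message: always for rel (rule P_R), only without noise for unr
# (rule P_U). Each reception adds a message on the right node, so the state
# space is infinite, as in Example 4.18.
RECEIVE = {"rel": TRUE, "unr": A_N}

def steps(state):
    """Steps (target, A) from a state (kind, n): one more message arrives."""
    kind, n = state
    return [((kind, n + 1), RECEIVE[kind])]

def in_rel(rel, x, y):
    """Largest condition under which (x, y, _) occurs in rel itself."""
    cond = FALSE
    for a, b, c in rel:
        if (a, b) == (x, y):
            cond |= c
    return cond

def in_closure(rel, x, y):
    """Largest condition under which (x, y, _) occurs in u(rel)
    (Definition 4.2): (x, y) = (a;m^k, b;m^k) for some (a, b, C) in rel and
    some k >= 0, i.e. a common context of k messages can be peeled off."""
    cond = FALSE
    for a, b, c in rel:
        if a[0] == x[0] and b[0] == y[0] and x[1] - a[1] == y[1] - b[1] >= 0:
            cond |= c
    return cond

def _cover(lookup, a_next, b, swap):
    """Union over answering steps b -> b_i of B_i ∧ C_i, with C_i taken from
    `lookup`; `swap` orients the triple when the answered step belongs to b."""
    cov = FALSE
    for b_next, b_cond in steps(b):
        cov |= b_cond & (lookup(b_next, a_next) if swap else lookup(a_next, b_next))
    return cov

def _post_fixpoint(rel, lookup):
    """Definition 4.3 / 5.7 with successor triples resolved through `lookup`:
    for each triple and each step in either direction, A ∧ C must be covered."""
    for a, b, c in rel:
        for a_next, a_cond in steps(a):
            if not (a_cond & c) <= _cover(lookup, a_next, b, False):
                return False
        for b_next, b_cond in steps(b):
            if not (b_cond & c) <= _cover(lookup, b_next, a, True):
                return False
    return True

def is_conditional_bisimulation(rel):
    """R ⊆ f_C(R): successors must be found in R itself."""
    return _post_fixpoint(rel, lambda x, y: in_rel(rel, x, y))

def is_cbuc(rel):
    """R ⊆ f_C(u(R)) (Remark 5.8): successors may be found in R up to a
    common context, which Theorem 5.10 shows to be sound."""
    return _post_fixpoint(rel, lambda x, y: in_closure(rel, x, y))

if __name__ == "__main__":
    witness = {(("rel", 0), ("unr", 0), A_N)}      # the singleton of Example 5.17
    print(is_cbuc(witness))                          # True
    print(is_conditional_bisimulation(witness))      # False: (rel,1),(unr,1) missing
```

The singleton {((rel, 0), (unr, 0), $A_n$)} is accepted as a CBUC but rejected as a conditional bisimulation, since its successors ((rel, 1), (unr, 1)) are only present up to the context m; any finite prefix of the infinite bisimulation of Example 4.18 fails the plain check at its last triple for the same reason. By Remark 5.11 the accepted singleton already implies that (rel;$m^k$, unr;$m^k$) are conditionally bisimilar under $A_n$ for every k, which in_closure reports directly.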

Conditional Bisimilarity Up-To Context with Representative Steps.

CBUCs allow us to represent certain infinite bisimulation relations in a finite way. For instance, we can use a finite CBUC in Example 4.18. However, automated checking of whether two agents are conditionally bisimilar (which can be done by incrementally extending a conditional bisimulation relation) is still hard, even using up-to context, since up-to context can only reduce the size of the relation itself: even for a single triple, there are infinitely many context steps to be checked.
For conditional bisimulations, we introduced an alternative definition using representative steps (Definition 4.13) and showed that it yields an equivalent notion of conditional bisimilarity (Theorem 4.17). We will show that the same approach can be used for CBUCs.
Definition 5.12 (CBUC with representative steps). A CBUC with representative steps is a conditional relation R such that the following holds: for each triple (a, b, C) ∈ R and each representative step a

Remark 5.13. A CBUC with representative steps can also be defined based on the closure under contextualization u: A conditional relation R satisfies Definition 5.12 if and only if $R \subseteq f_R(u(R))$ (i.e. R is a post-fixpoint of $f_R \bullet u$). Analogously to Remark 5.8, this can be seen by expanding definitions.
To show that CBUCs defined using context and representative steps are essentially equivalent, we first relate the underlying functions by showing $f_R \subseteq f_C \bullet u$.[6] Afterwards, we use that result to show that the two up-to techniques are equivalent.
Footnote 6: Intuitively, $f_R$ guarantees only that representative steps are answered by context steps and that their successors are related again, but $f_C$ requires this for non-representative steps as well, so generally $f_R \not\subseteq f_C$. Therefore we contextualize using u to let $f_C$ access the non-representative successors as well.
Lemma 5.14. $f_R(R) \subseteq f_C(u(R))$.
Proof. Let $(a, b, C) \in f_R(R)$ be given, which by its definition means that: for all representative steps $a \xrightarrow{\hat f}$ We show that this implies $(a, b, C) \in f_C(u(R))$. Consider a context step $a \xrightarrow{f,A}_C a'$. This step is not necessarily a representative step. According to Remark 3.11, this context step can be reduced to a representative step $a \xrightarrow{\hat f, R_{\downarrow\hat c}}_R \hat a'$, where R is the condition of the rule used for the step, c is the reactive context of the context step, and there exists $\hat g$ such that $\hat f;\hat g = f$, $\hat c;\hat g = c$, $\hat a';\hat g = a'$, with $\hat f, \hat c, \hat a'$ referring to the representative step.
Since $(a, b, C) \in f_R(R)$, we know that answering steps for our representative step exist. From that we can conclude the following: (1) $b \xrightarrow{\hat f, \hat B_i}_C \hat b'_i$ implies, according to Lemma 4.15, that a step $b \xrightarrow{\hat f}$ (3) Using the rules of Theorem 3.6 we get: For context steps, $A \models R_{\downarrow c}$ holds, so we have $A \wedge C_{\downarrow f} \models R_{\downarrow c} \wedge C_{\downarrow f} \models \bigvee_{i\in I}(C_i \wedge B_i)$.
Analogously, we can construct answering steps for b To summarize, for the given (a, b, C) ∈ f R (R) we have concluded that for all context steps a which is exactly the definition of (a, b, C) ∈ f C (u(R)). Proof.
Theorem 5.16. A conditional relation is a CBUC (Definition 5.7) if and only if it is a CBUC with representative steps (Definition 5.12).
Proof. R satisfying Definitions 5.7 and 5.12 means that R is a post-fixpoint of f C • u or f R • u, respectively. By Corollary 5.15, f C • u = f R • u, therefore post-fixpoints of one are also post-fixpoints of the other.
Observe that this is a stronger result than for normal conditional bisimilarity: there, we know that the bisimilarities are the same ($\nu f_C = \nu f_R$) but the bisimulation functions are not ($f_C \neq f_R$). On the other hand, using up-to techniques, the difference between the bisimulation functions themselves disappears (i.e. $f_C \bullet u = f_R \bullet u$). This results from Lemma 5.14 and can be explained intuitively as follows: the function $f_R$ requires that every representative step can be answered by a context step and the resulting pair is in R, while $f_C$ requires such an answer for all context steps. This means that $f_C(R) \subseteq f_R(R)$ as explained earlier. The pairs potentially missing in $f_C(R)$ resulted from larger-than-necessary contexts and hence $f_R$ did not require them. Using u, however, the relation is contextualized beforehand, using all (even non-representative) contexts, and hence makes these triples "available" to $f_C$.
Note that even though the difference between the two variants disappears, using representative steps with CBUCs is still advantageous because it typically results in a finitely branching transition system. This can be seen in the continuation of our example.

Example 5.17. Consider again Examples 4.7 and 4.18. We have previously seen that it is possible to repeatedly borrow a message on the left-hand node and transfer it to the right-hand node, which leads to more and more received messages accumulating at the right-hand node. We now show that the two types of channels are conditionally bisimilar by showing that $R = \{(\emptyset \to \mathit{rel} \leftarrow,\ \emptyset \to \mathit{unr} \leftarrow,\ A_n)\}$ is a CBUC, i.e. that it satisfies Definition 5.12. We consider the same steps as in Example 4.18:
• The graph $\mathit{rel}$ can do a step using rule $P_R$ by borrowing a message on the left node, with environment condition $A = \mathit{true}$, and reduces to $a' = \emptyset \to \mathit{rel}_m \leftarrow$. Then $\mathit{unr}$ can answer this step using $P_U$ under $B_i = A_n$ (no noise) and reacts to …; we consider the $m$-loop on the right node as irrelevant context. Then, using $a_i = \emptyset \to \mathit{rel} \leftarrow$, $b_i = \emptyset \to \mathit{unr} \leftarrow$ and $C_i = A_n$, we have $a' = a_i;j_i$ and $b_i' = b_i;j_i$, and we find that the triple without the irrelevant context $j_i$, that is $(a_i, b_i, C_i)$ (which happens to be our initial triple), is contained in $R$. As before, the implication $A \wedge C{\downarrow}f \models \bigvee_{i \in I}(C_i \wedge B_i)$ holds.
• Symmetrically, $\mathit{unr}$ borrows a message on the left node and reacts to $\mathit{unr}_m$ under $A = A_n$. Analogously to the previous case and to Example 4.18, $\mathit{rel}$ answers this step, using $C_i = A_n$ and $j_i = (\to m \leftarrow)$.
• Again, the remaining representative steps can be proven in an analogous way.
Figure 10 shows a comparison of the necessary steps with and without using up-to techniques. Note that instead of working with an infinite bisimulation, we now have a singleton.

Finally, we show compatibility of $f_R$ and summarize the theorems of this section.
Corollary 5.18 ($u$ is $f_R$-compatible). Let $R$ be a conditional relation. Then it holds that …

Proof. By transitivity from previous results: … (Lemma 5.14) … □

Figure 12 summarizes the known inclusions and equalities that were proven throughout this section.
(Figure 12: diagram of the inclusions and equalities between the bisimulation functions and their fixpoints, each arrow annotated with the result proving it, among them 4.14, 5.9 and 5.14, or transitivity; the diagram itself is not reproduced here.)

Note that using the results of this section, it is possible to give alternative proofs of various theorems of Section 4, in particular:
• Remark 4.8 ($\dot\sim_C$ is closed under condition strengthening): We can define the function $\mathit{str}(R) := \{(a, b, C) \mid (a, b, C') \in R,\ C \models C'\}$ and show that $\mathit{str}$ is $f_C$-compatible by showing $(a, b, C) \in \mathit{str}(f_C(R)) \Rightarrow (a, b, C) \in f_C(\mathit{str}(R))$. This can be done by expanding the definitions of $\mathit{str}$ and $f_C$ in $(a, b, C) \in \mathit{str}(f_C(R))$ and rewriting the result to match the definition of $(a, b, C) \in f_C(\mathit{str}(R))$. Then we can apply Proposition 5.5.
• Lemma 4.11 part 4 ($\dot\sim_C$ is closed under contextualization): Restated using $u$ and $f_C$ (note that $\dot\sim_C = \nu f_C$), we have to show that $u(\nu f_C) \subseteq \nu f_C$. This follows immediately from $f_C$-compatibility and Proposition 5.5.
• Lemma 4.16 ($\dot\sim_R$ is closed under contextualization): As for …
• Equality of the two bisimilarities: We show that $\nu f_C = \nu f_R$. For this we use the fact that $f_R \circ u = f_C \circ u$ (Corollary 5.15) and therefore also $\nu(f_R \circ u) = \nu(f_C \circ u)$. $u$ is $f_C$-compatible (Theorem 5.9), so by Lemma 5.3, $\nu(f_C \circ u) = \nu f_C$. Similarly, $u$ is $f_R$-compatible (Corollary 5.18) and therefore $\nu(f_R \circ u) = \nu f_R$. Combining these results, we obtain $\nu f_C = \nu f_R$.

6.1. Environment Steps. We will now give an alternative characterization of conditional bisimilarity, in order to justify Definitions 4.3 and 4.13. This alternative definition is more elegant since it characterizes $\dot\sim_C$ as the largest conditional congruence that is a conditional environment bisimulation. On the other hand, this definition is (like conditional bisimilarity, as described in Example 4.18) not directly suitable for mechanization, since the underlying transition system is not finitely branching.
In [HK12], environment steps, which capture the idea that a reaction is possible under some passive context d, have been defined to obtain a more natural characterization of saturated bisimilarity. Unlike the borrowed context f , the passive context d does not participate in the reaction itself, but we refer to it to ensure that the application condition of the rule holds.
Definition 6.1 (Environment step [HK12]). Let $\mathcal{S}$ be a conditional reactive system and let $a, a'\colon 0 \to K$ and $d\colon K \to J$ be arrows. We write $a \Rightarrow_d a'$ whenever there exists a rule $(\ell, r, R) \in \mathcal{S}$ and an arrow $c$ such that $a = \ell;c$, $a' = r;c$ and $c;d \models R$.
Environment steps and context steps are related: they can be transformed into each other. Furthermore, saturated bisimilarity is the coarsest bisimulation relation over environment steps that is also a congruence [HK12]. We now give a characterization of conditional bisimilarity based on environment steps.

Definition 6.2 (Conditional environment congruence). A conditional relation $R$ is a conditional environment bisimulation if whenever $(a, b, C) \in R$ and $a \Rightarrow_d a'$ for some $d \models C$, then $b \Rightarrow_d b'$ and $(a', b', C') \in R$ for some condition $C'$ such that $d \models C'$; vice versa for $b \Rightarrow_d b'$. We denote by $\dot\sim_E$ the largest conditional environment bisimulation that is also a conditional congruence and call it conditional environment congruence.
For the proof of Theorem 6.4, we need the following lemma: …

Theorem 6.4. Conditional bisimilarity and conditional environment congruence coincide, that is, $\dot\sim_C = \dot\sim_E$.

Proof. In both parts we show only how steps of $a$ can be answered by $b$; the other direction can be shown analogously. … Since $(a, b, C) \in \dot\sim_C$, there exist answering steps $b \xrightarrow{f,\, B_i}_C b_i'$ … This directly gives us the answering step required by conditional environment bisimilarity: since $d \models B_i$, using Lemma 6.3 we rewrite the corresponding context step $b \xrightarrow{f,\, B_i}_C b_i'$ …

We show that $\dot\sim_E$ is a conditional bisimulation. Let $(a, b, C) \in \dot\sim_E$ and $a \xrightarrow{f,\, A}_C a'$. Let $d$ be some context. If $d \not\models A \wedge C{\downarrow}f$, we can easily satisfy Definition 4.3 by letting $b$ answer with an empty set of answering steps. We therefore assume that $d \models A \wedge C{\downarrow}f$.

Since $d \models A$, using Lemma 6.3 we rewrite $a \xrightarrow{f,\, A}_C a'$ … Since $(a;f, b;f, C{\downarrow}f) \in \dot\sim_E$, $a;f \Rightarrow_d a'$ and $d \models C{\downarrow}f$, there exists an answering step … Thus, whenever $d \models A \wedge C{\downarrow}f$, there exists an answering step of $b$ … which concludes the proof that $\dot\sim_E$ is a conditional bisimulation. □

Note that in the second part of the proof we use the fact that $b$ can reply with an infinite set of answering steps, since the infinitely many answering steps $b;f \Rightarrow_d b_d'$ might give rise to infinitely many different $B_d$ and accompanying $C_d$.
It is an open question whether the proof is also possible with finitely many answering steps. In [HK12, Theorem 23], a similar comparison of saturated bisimilarity and environment congruence was carried out, although for binary relations which did not include conditions in the relation itself. In that proof, the finiteness assumption (Fin) was used to obtain a finite set of answering steps, which is however not possible in the presence of conditions.

6.2. Comparison to Other Equivalences. We conclude this section by considering the binary relation $\dot\sim_T := \{(a, b) \mid (a, b, \mathit{true}) \in \dot\sim_C\}$, derived from conditional bisimilarity, which is ternary. Intuitively it contains the pairs $(a, b)$ of system states that behave equivalently in every possible context. We investigate how $\dot\sim_T$ compares to other behavioural equivalences that also check for identical behaviour in all contexts. First, we consider saturated bisimilarity ($\sim_C$), which has been characterized in [HK12] as the coarsest relation that is both a congruence and a bisimulation.

Theorem 6.5. Saturated bisimilarity implies true-conditional bisimilarity ($\sim_C \subseteq \dot\sim_T$). However, true-conditional bisimilarity does not imply saturated bisimilarity ($\dot\sim_T \not\subseteq \sim_C$).

Proof.
• ($\sim_C \subseteq \dot\sim_T$): Let $R$ be a saturated bisimulation relation. We define $R' = R \times \{\mathit{true}\}$ and show that $R'$ is a conditional bisimulation relation. For that purpose, let some $(a, b, \mathit{true}) \in R'$ be given, i.e. $(a, b) \in R$. Now assume a transition $a \xrightarrow{f,\, A}_C a'$; then, since $(a, b) \in R$, there exist answering steps $b \xrightarrow{f,\, B_i}_C b_i'$ … By definition of $R'$ it follows that, for all $i \in I$, $(a', b_i', \mathit{true}) \in R'$. So it remains to show that $A \wedge \mathit{true}{\downarrow}f \models \bigvee_{i \in I}(\mathit{true} \wedge B_i)$. This simplifies to $A \models \bigvee_{i \in I} B_i$, which holds because $R$ is a saturated bisimulation. Steps $b \xrightarrow{f,\, B}_C b'$ can be answered analogously.
• ($\dot\sim_T \not\subseteq \sim_C$): Consider the following reactive system $\{R_A, R_{B1}, T_{B1}, R_{B2}, T_{B2}\}$: … An $a$-loop can be replaced with a graph which allows no further steps. A $b$-loop can, in case the environment contains a $c$-loop ($A_C$), transition to a $b_1$-loop, from which another transition is possible if no $c$-loop is present (as this contradicts the condition of the first step, this transition can never actually be executed). Similarly, if no $c$-loop is present, a transition to a $b_2$-loop is possible, and subsequently another transition is possible if there is a $c$-loop.

It is easy to see that no matter which context $a$ and $b$ are placed into, both admit at most one transition. Therefore $(a, b) \in \dot\sim_T$, as witnessed by the conditional bisimulation relation $R = \{(a, b, \mathit{true}),\ (\mathit{ea}, b_1, A_C),\ (\mathit{ea}, b_2, \neg A_C)\}$. For saturated bisimilarity, however, the initial step of $a$ to $\mathit{ea}$ can be answered by $b$ with two steps, as for conditional bisimilarity, and it would be required that $(\mathit{ea}, b_1), (\mathit{ea}, b_2) \in \sim_C$. But then $b_1$ can do a step (under $\neg A_C$, as indicated by rule $T_{B1}$) which $\mathit{ea}$ cannot answer. □
For saturated bisimilarity, if a step of $a$ is answered by $b$ with multiple steps, all $b_i$ reached in this way must be saturated bisimilar to $a$ (that is, they must show the same behaviour even if the environment is later changed to one which did not allow the given $b_i$ to be reached). In fact, it was an explicit design goal of saturated bisimilarity to account for external modification of the environment. For conditional bisimilarity, on the other hand, each $b_i$ is only required to be conditionally bisimilar to $a$ under the condition which allowed this particular answering step; that is, after a step, the environment is fixed (or, depending on the system, can only assume a subset of all possible environments, cf. Definition 6.2 and Theorem 6.4).
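To make the counterexample of Theorem 6.5 concrete, the following is an added example (not code from the paper) that computes both equivalences on a finite abstraction of the reactive system $\{R_A, R_{B1}, T_{B1}, R_{B2}, T_{B2}\}$. The abstraction is an assumption: the only relevant property of the environment is whether it contains a $c$-loop, so conditions become subsets of a two-element universe of environments; all borrowed contexts are taken to be trivial (so the shift $C{\downarrow}f$ is the identity and a context step is just a condition and a target state); and the targets of the two $T$-rules get the made-up names `eb1` and `eb2`. Because borrowed contexts are dropped, the model cannot reproduce the distinction between $\dot\sim_T$ and $\sim_{\mathit{id}}$ discussed below; it only exhibits the one between $\dot\sim_T$ and $\sim_C$. Both greatest fixpoints are computed by iterating from the full relation, as in the lattice-theoretic setting of Section 5: the conditional bisimulation function $f_C$ checks $A \wedge C \models \bigvee_i (C_i \wedge B_i)$ as set inclusion, while the saturated bisimulation function requires $A \models \bigvee_i B_i$ and relates every target pair again under all environments.

```python
"""Finite-model check of the counterexample in Theorem 6.5.

Added example, not code from the paper. Assumptions of the abstraction:
  * the environment can only contribute a c-loop or not, so the universe of
    environments is ENV = {"c", "noc"} and a condition is a subset of ENV:
    A_C = {"c"}, not A_C = {"noc"}, true = ENV;
  * every rule acts on a loop already present in the state, so borrowed
    contexts are trivial, a context step is (condition, target) and C↓f = C;
  * the targets of the two T-rules are given the made-up names eb1 and eb2.
"""

ENV = frozenset({"c", "noc"})
A_C = frozenset({"c"})
NOT_A_C = frozenset({"noc"})
TRUE = ENV
CONDITIONS = [frozenset(s) for s in [(), ("c",), ("noc",), ("c", "noc")]]

# state -> list of (application condition, successor); rule names from the paper
STEPS = {
    "a":   [(TRUE, "ea")],                  # R_A: the a-loop becomes a dead graph
    "ea":  [],
    "b":   [(A_C, "b1"), (NOT_A_C, "b2")],  # R_B1 needs a c-loop, R_B2 needs none
    "b1":  [(NOT_A_C, "eb1")],              # T_B1: only possible without a c-loop
    "b2":  [(A_C, "eb2")],                  # T_B2: only possible with a c-loop
    "eb1": [],
    "eb2": [],
}
STATES = list(STEPS)


def max_condition(s, t, R):
    """Union of all C with (s, t, C) in R. Combining the answering steps of two
    triples shows that f_C(R) is closed under disjunction, so for the
    approximants computed below this union is itself an element of R."""
    return frozenset().union(*[C for (x, y, C) in R if x == s and y == t])


def answers_conditionally(s, t, C, R):
    """One direction of f_C on the finite model: every step of s under C must be
    covered by answering steps of t, i.e. A ∧ C |= ⋁_i (C_i ∧ B_i) read as set
    inclusion, with C_i the largest condition relating the targets in R."""
    for A, s2 in STEPS[s]:
        covered = frozenset().union(
            *[B & max_condition(s2, t2, R) for B, t2 in STEPS[t]])
        if not (A & C) <= covered:
            return False
    return True


def symmetric_closure(R):
    return R | {(t, s, C) for (s, t, C) in R}


def is_conditional_bisimulation(R):
    """Post-fixpoint check R ⊆ f_C(R); the paper writes witnesses up to symmetry."""
    R = symmetric_closure(R)
    return all(answers_conditionally(s, t, C, R) and answers_conditionally(t, s, C, R)
               for (s, t, C) in R)


def conditional_bisimilarity():
    """Greatest fixpoint of f_C, computed by iteration from the full relation."""
    R = {(s, t, C) for s in STATES for t in STATES for C in CONDITIONS}
    while True:
        R2 = {(s, t, C) for (s, t, C) in R
              if answers_conditionally(s, t, C, R) and answers_conditionally(t, s, C, R)}
        if R2 == R:
            return R
        R = R2


def true_conditional_pairs():
    """The binary relation ∼_T: pairs related under the condition true."""
    return {(s, t) for (s, t, C) in conditional_bisimilarity() if C == TRUE}


def answers_saturated(s, t, R):
    """One direction of saturated bisimulation: A |= ⋁_i B_i, and every target
    pair (s', t_i) must again be in R, i.e. related in *every* environment."""
    for A, s2 in STEPS[s]:
        covered = frozenset().union(*[B for B, t2 in STEPS[t] if (s2, t2) in R])
        if not A <= covered:
            return False
    return True


def saturated_bisimilarity():
    """Greatest fixpoint of the saturated bisimulation function over all pairs."""
    R = {(s, t) for s in STATES for t in STATES}
    while True:
        R2 = {(s, t) for (s, t) in R
              if answers_saturated(s, t, R) and answers_saturated(t, s, R)}
        if R2 == R:
            return R
        R = R2


# The witness relation for (a, b) ∈ ∼_T given in the proof of Theorem 6.5.
PAPER_WITNESS = {("a", "b", TRUE), ("ea", "b1", A_C), ("ea", "b2", NOT_A_C)}

if __name__ == "__main__":
    print("witness is a conditional bisimulation:", is_conditional_bisimulation(PAPER_WITNESS))
    print("(a, b) true-conditionally bisimilar:", ("a", "b") in true_conditional_pairs())
    print("(a, b) saturated bisimilar:", ("a", "b") in saturated_bisimilarity())
```

Running the block confirms the proof above: the witness relation is a conditional bisimulation (after closing it under symmetry, since the paper states it up to the "vice versa" direction), $(a, b)$ lies in $\dot\sim_T$, and $(a, b)$ is not saturated bisimilar because $(\mathit{ea}, b_1)$ is discarded in the first iteration: $b_1$ still has a step under $\neg A_C$ that $\mathit{ea}$ cannot answer, even though no environment satisfying $\neg A_C$ can be reached after the step under $A_C$. The inclusion $\sim_C \subseteq \dot\sim_T$ from the first part of the theorem also holds on the finite model, as the test below checks.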
Next, we compare $\dot\sim_T$ to id-congruence, the coarsest congruence contained in bisimilarity over the reaction relation. It simply relates two agents whenever they are bisimilar in all contexts, i.e. $\sim_{\mathit{id}} := \{(a, b) \mid \text{for all contexts } d,\ a;d \text{ and } b;d \text{ are bisimilar w.r.t. the reaction relation}\}$.

Intuitively, true-conditional bisimilarity can observe whether some item is consumed and recreated (by including it in both sides of a rule) or whether it is merely required (using an existential rule condition, cf. Theorem 6.6). Id-congruence, on the other hand, does not recognize this difference and simply checks whether reactions are possible in the same set of contexts.

Hence we have $\sim_C \subsetneq \dot\sim_T \subsetneq \sim_{\mathit{id}}$, which means that checking for identical behaviour in all contexts using conditional bisimilarity gives rise to a new kind of behavioural equivalence, one which does not allow arbitrary changes to the environment (as $\sim_C$ does), yet distinguishes borrowed from passive context (which $\sim_{\mathit{id}}$ does not).

Conclusion, Related and Future Work
The conditions that we studied in this paper are also known under the name of nested conditions or graph conditions and were introduced in [Ren04], where their equivalence to first-order logic was shown. They were studied more extensively in [HP09,Pen09] and generalized to reactive systems in [BCHK11]. In fact, the related notion of Q-trees was introduced earlier in [FS90].
As stated earlier, there are some scattered approaches to notions of behavioural equivalence that can be compared to conditional bisimilarity. The concept of behaviour depending on a context is also present in Larsen's PhD thesis [Lar86]. There, the idea is to embed an LTS into an environment, which is modelled as an action transducer, an LTS that consumes transitions of the system under investigation, similar to CCS synchronization. Larsen then defines environment-parameterized bisimulation by considering only those transitions that are consumed in a certain environment. In [HL95], Hennessy and Lin describe symbolic bisimulations in the setting of value-passing processes, where Boolean expressions restrict the interpretations for which one shows bisimilarity. In [BBB02], Baldan, Bracciali and Bruni instead propose bisimilarity on open systems, specified by terms with a hole or place-holder. Instead of imposing conditions on the environment, they restrict the components that fill the holes.
In [Fit02], Fitting studies a matrix view of unlabelled transition systems, annotated by Boolean conditions. In [BKKS17] we have shown that such systems can alternatively be viewed as conditional transition systems, where activation of transitions depends on conditions of the environment and one can state the bisimilarity of two states provided that the environment meets certain requirements. This view is closely tied to featured transition systems, which have been studied extensively in the software engineering literature. The idea here is to specify system behaviour dependent on the features that are present in the product (see for instance [CCP + 12] for simulations on featured transition systems).
Our contribution in this paper is to consider conditional bisimilarity based on contextualization in a rule-based setting. That is, system behaviour is specified by generic rewriting rules, system states can be composed with a context specifying the environment, and we impose restrictions on those contexts. By viewing both system states and contexts as arrows of a category, we can work in the framework of reactive systems à la Leifer and Milner and define a general theory of conditional bisimilarity. While in [HK12] conditions were only used to restrict the applicability of rules and bisimilarity was checked for all contexts, here we additionally use conditions to establish behavioural equivalence only in specific contexts.
As future work we want to take a closer look at the logic that we used to specify conditions. Conditional bisimilarity is defined in a way that is largely independent of the kind of logic, provided that the logic supports Boolean operators and shift. It is unclear and worth exploring whether the logic considered by us is expressive enough to characterize all contexts that ensure bisimilarity of two given arrows. This also affects the question whether or not infinitely many answering steps are required in Theorem 6.4. Furthermore, it is an open question whether there is an alternative characterization of the id-congruence of Theorem 6.6 that is amenable to mechanization.
We have already implemented label derivation and bisimulation checking in the borrowed context approach, see for instance [Nol12], and successfully applied it to a system with message-passing rules similar to the ones given in Example 4.18, however without conditions in either the rules or the bisimulation relation. Our aim is to also obtain an efficient implementation for the scenario described in this paper. Note that our conditions subsume first-order logic [BCHK11] and hence in order to come to terms with the undecidability of implication we have to resort to simpler conditions or use approximative methods.
Another natural question is whether our results can be stated in a coalgebraic setting, since coalgebra provides a generic framework for behavioural equivalences. We have already studied a much simplified coalgebraic version of conditional systems (without considering contextualization) in [ABH + 12], using coalgebras living in Kleisli categories. Reactive systems can also be viewed as coalgebras (see [Bon08]). However, a combination of these features has not yet been considered as far as we know.
Another direction for future research is further optimization of the up-to-context technique. Note that even bisimulations up-to context can still be infinite in size, which is to some extent unavoidable due to undecidability issues, so further optimizations should be investigated. Furthermore, we plan to integrate this method with other kinds of up-to techniques such as up-to bisimilarity, which should be straightforward thanks to the integration into the lattice-theoretical framework.
We recall here the definition of adhesive categories [LS05]. We do not provide any introduction to basic categorical constructions such as products, pullbacks and pushouts, instead referring the reader to Sections 5 and 9 of [BW99]. The motivation for using adhesive categories is that they are a suitable categorical framework for reasoning about the rewriting of abstract objects, in the spirit of graph rewriting.