This page intentionally left blank

www.pdfgrip.com


A DISTRIBUTED pi-calculus
Distributed systems are fast becoming the norm in computer science. Formal
mathematical models and theories of distributed behaviour are needed in order to
understand them. This book proposes a distributed pi-calculus called aDpi, for
describing the behaviour of mobile agents in a distributed world. It is based on an
existing formal language, the pi-calculus, to which it adds a network layer and a
primitive migration construct.
A mathematical theory of the behaviour of these distributed systems is developed,
in which the presence of types plays a major role. It is also shown how, in principle,
this theory can be used to develop verification techniques for guaranteeing the
behaviour of distributed agents.
The text is accessible to computer scientists with a minimal background in
discrete mathematics. It contains an elementary account of the pi-calculus, and
the associated theory of bisimulations. It also develops the type theory required by
aDpi from first principles.

www.pdfgrip.com


www.pdfgrip.com


A DISTRIBUTED pi-calculus
M ATT H E W HE NNE SSY

www.pdfgrip.com


CAMBRIDGE UNIVERSITY PRESS

Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo
Cambridge University Press
The Edinburgh Building, Cambridge CB2 8RU, UK
Published in the United States of America by Cambridge University Press, New York
www.cambridge.org
Information on this title: www.cambridge.org/9780521873307
© Cambridge University Press, 2007
This publication is in copyright. Subject to statutory exception and to the provision of
relevant collective licensing agreements, no reproduction of any part may take place
without the written permission of Cambridge University Press.
First published in print format 2007
ISBN-13
ISBN-10

978-0-511-27564-7 eBook (NetLibrary)
0-511-27564-1 eBook (NetLibrary)

ISBN-13
ISBN-10

978-0-521-87330-7 hardback
0-521-87330-4 hardback

Cambridge University Press has no responsibility for the persistence or accuracy of urls
for external or third-party internet websites referred to in this publication, and does not

guarantee that any content on such websites is, or will remain, accurate or appropriate.

www.pdfgrip.com


To the memory of John and Ray

www.pdfgrip.com


www.pdfgrip.com


Contents

Preface
Acknowledgements

ix
xvii

1 Inductive principles
1.1 Induction
1.2 Coinduction
1.3 Bisimulation equivalence

1
1
4
6


2 The asynchronous PI-CALCULUS
2.1 The language aPi
2.2 Reduction semantics for aPi
2.3 An action semantics for aPi
2.4 A coinductive behavioural equivalence for aPi
2.5 Contextual equivalences
2.6 An observational lts for aPi
2.7 Justifying bisimulation equivalence contextually
2.8 Questions

10
10
16
27
34
37
43
47
52

3 Types for API
3.1 Runtime errors
3.2 Typechecking with simple types
3.3 Properties of typechecking
3.4 Types as capabilities
3.5 Questions

55
55

60
65
72
93

4 Types and behaviour in aPi
4.1 Actions-in-context for aPi
4.2 Typed bisimulation equivalence
4.3 Questions

96
98
112
122

vii

www.pdfgrip.com


viii

Contents

5 A distributed asynchronous PI-CALCULUS
5.1 The language aDpi
5.2 Access control types for aDpi
5.3 Subject reduction for aDpi
5.4 Type safety for aDpi
5.5 Distributed consistency of local channels

5.6 Questions

124
127
139
159
169
185
191

6 Behavioural equivalences for aDpi
6.1 Actions-in-context for aDpi
6.2 Typed bisimulation equivalence for aDpi
6.3 Describing bisimulations
6.4 Servers and clients
6.5 Modelling a firewall
6.6 Typed contextual equivalences
6.7 Justifying bisimulation equivalence contextually in aDpi
6.8 Questions

194
195
200
202
215
221
226
230
242


Sources
List of figures
Notation
Bibliography
Index

244
248
250
254
257

www.pdfgrip.com


Preface

From ATM machines dispensing cash from our bank accounts, to online
shopping websites, interactive systems permeate our everyday life. The underlying
technology to support these systems, both hardware and software, is well advanced.
However design principles and techniques for assuring their correct behaviour are
at a much more primitive stage.
The provision of solid foundations for such activities, mathematical models
of system behaviour and associated reasoning tools, has been a central theme of
theoretical computer science over the last two decades. One approach has been the
design of formal calculi in which the fundamental concepts underlying interactive
systems can be described, and studied. The most obvious analogy is the use of the
λ-calculus as a simple model for the study of sequential computation, or indeed the
study of sequential programming languages. CCS (a Calculus for Communicating
Systems) [28] was perhaps the first calculus proposed for the study of interactive

systems, and was followed by numerous variations. This calculus consists of:
• A simple formal language for describing systems in terms of their structure; how they are

constructed from individual, but interconnected, components.
• A semantic theory that seeks to understand the behaviour of systems described in the

language, in terms of their ability to interact with users.

Here a system consists of a finite number of independent processes that intercommunicate using a fixed set of named communication channels. This set of
channels constitutes a connection topology through which all communication takes
place; it includes both communication between system components, and between
the system and its users.
Although successful, CCS can only describe a very limited range of systems. The
most serious restriction is that for any particular system its connection topology
is static. However modern interactive systems are highly dynamic, particularly
when one considers the proliferation of wide area networks. Here computational
ix

www.pdfgrip.com


x

Preface

entities, or agents, are highly mobile, and as they roam the underlying network they
forge new communication links with other entities, and perhaps relinquish existing
links.
The pi-calculus [9, 29] is a development from CCS that seeks to address at
least some dynamic aspects of such agents. Specifically it includes the dynamic

generation of communication channels and thus allows the underlying connection
topology to vary as systems evolve. Just as importantly it allows private
communication links to be established and maintained between agents, which adds
considerably to its expressive power. Indeed the pi-calculus very quickly became
the focus of intensive research, both in providing for it a semantic understanding,
and in its promotion as a suitable foundation for a theory of distributed systems;
see [39] for a comprehensive account.
But many concepts fundamental to modern distributed systems, in particular
those based on local area networks, are at most implicit in the pi-calculus. Perhaps
the most obvious is that of domain, to be understood quite generally as a locus for
computational activity. Thus one could view a distributed system as consisting of
a collection of domains, each capable of hosting computational processes, which
in turn can migrate between domains.
The aim of this book is to develop an extension of the pi-calculus in which
these domains have an explicit representation. Of course when presented with such
a prospect there is a bewildering number of concerns on which we may wish to
focus. For example:
•
•
•
•
•

What is the role of these domains?
How are they to be structured?
How is interprocess communication to be handled?
How is agent migration to be described?
Can agents be trusted upon entry to a domain?

Indeed the list is endless. Here our approach is conservative. We wish to develop

a minimal extension of the pi-calculus in which the concept of domain plays a
meaningful, and non-trivial role. However their presence automatically brings a
change of focus. The set of communication channels that in the pi-calculus
determines the interprocess communication topology now has to be reconciled with
the distribution topology. Following our minimalistic approach we decide on a very
simple distribution topology, namely a set of independent and non-overlapping
domains, and only allow communication to happen within individual domains.
This makes the communication channels of the pi-calculus into local entities, in
the sense that they only have significance relative to a particular domain. Indeed
we will view them as a particularly simple form of local resource, to be used by

www.pdfgrip.com


Preface

xi

migrant agents. Thus we view our extension of the pi-calculus, called aDpi – for
asynchronous Distributed pi-calculus, as a calculus for distributed systems in
which
• dynamically created domains are hosts to resources, which may be used by agents
• agents reside in domains, and may migrate between domains for the purpose of using

locally defined resources.

Types and type inference systems now form an intrinsic part of computer science.
They are traditionally used in programming languages as a form of static analysis
to ensure that no runtime errors occur during program execution. Increasingly
sophisticated type-theoretic concepts have emerged in order to handle modern

programming constructs [36]. However the application of type theory is very
diverse. For example types can be used to
• check the correctness of security protocols [12]
• detect deadlocks and livelocks in concurrent programs [26]
• analyse information flow in security systems [22].

In this book we also demonstrate how type systems can be developed to manage
access control to resources in distributed systems. In aDpi we can view domains
as offering resources, modelled as communication channels, to migrating agents.
Moreover a domain may wish to restrict access to certain resources to selected
agents. More generally we can think of resources having capabilities associated
with them. In our case two natural capabilities spring to mind:
• the ability to update a resource, that is write to a communication channel
• the ability to look up a resource, that is read from a communication channel.

Then domains may wish to distribute selectively to agents such capabilities on its
local resources.
We could develop a version of aDpi in which the principal values manipulated by
agents are these capabilities. But this would be a rather complex language, having
to explicitly track their generation, management, and distribution. Instead we show
that these capabilities can be implicitly managed by using a typed version of aDpi.
Moreover the required types are only a mild generalisation of those used in a type
inference system for ensuring the absence of runtime errors, when aDpi systems
are considered as distributed programs.
The behavioural theory of processes originally developed for CCS [28] based on
bisimulations, has been extended to the pi-calculus, and can be readily extended
to aDpi. Indeed the framework is quite general. The behaviour of processes can
be described, independently of the syntax, in terms of their ability to interact with
other processes, or more generally with their computing environment. The form


www.pdfgrip.com


xii

Preface

these interactions take depend on the nature of the processes, and in general will
depend on the process description language. They can be described mathematically
as relations between processes, with
l
P −→
Q

meaning the process P by interacting with its environment can be transformed into
the process Q. The label l serves to record the kind of interaction involved, and
perhaps some data used in the interaction. For example one can easily imagine the
behaviour of an ATM machine being described in this manner, in terms of its internal
states, and the evolution between these states depending of the different kinds of
interactions with a customer. Such a behavioural description is formalised as a
labelled transition system, or lts, and often refered to as an operational semantics.
The theory of bisimulations enables one to take such abstract behavioural
descriptions of processes and generate a behavioural equivalence between
processes. Intuitively
P≈Q

(1)

will mean that no user, or computing environment, will be able to distinguish
between P and Q using the interactions described in their behavioural descriptions.

However the use of types in aDpi has a serious impact on this general behavioural
framework, particularly as these types implicitly represent the limited capabilities
that agents have over resources. In other words these types limit the ways in which
agents can interact with other agents. Consequently whether or not two agents are
deemed equivalent will depend on the current distribution of the capabilities on the
resources in the system.
The third and final aim of this book is to address this issue. We demonstrate
that the general theory of bisimulations can be adapted to take the presence of
types into account. We develop a relativised version of behavioural equivalence in
which judgements such as (1) can never be made in absolute terms, but relative to a
description of current capabilities. Moreover we will show that the proof techniques
associated with standard bisimulations, based on coinduction, can be adapted to this
more general framework, at least in principle.
A secondary aim of the book is didactic. Research into the use of formal calculi
to model distributed or interactive systems, or even understanding the application
of such calculi, requires detailed knowledge of a variety of mathematical concepts.
We hope that the book will provide a good introduction to a range of these concepts,
and equip the reader with sufficient understanding and familiarity to enable them
to pursue independent research in the area. But we do not start from first principles.
We assume the reader is at least familiar with elementary discrete mathematics,

www.pdfgrip.com


Preface

xiii

and in particular structural induction. It would also be helpful to have a passing
acquaintance with bisimulations, as in [28]. Chapter 1 reviews the knowledge

assumed in these areas. But other than this, the aim is to be self-contained. In
particular we give a detailed exposition of the pi-calculus, and an elementary
introduction to types and typing systems.

Structure
As already stated, Chapter 1: Background recalls elementary notions of induction
and coinduction, which will be used extensively in all subsequent chapters.
However the only form of coinduction to be used is that associated with
bisimulations, the theory of which is also reviewed.
The pi-calculus, or at least our version of it – called aPi, for asynchronous
pi-calculus, is explained in Chapter 2: The asynchronous PI-CALCULUS. This
exposition starts from first principles, giving a detailed account of both syntactic and
semantic concerns. We give two semantic accounts. The first, a so-called reduction
semantics, may be viewed as a description, at a suitable level of abstraction, of a
prototypical implementation of the language, explaining how aPi processes can be
executed. The second gives an lts for aPi, explaining how processes can interact,
by communicating along channels, with their peers. As we have already indicated
this automatically gives us a bisimulation equivalence between processes, and
moreover bisimulation theory supplies a very powerful coinductive proof principle
for establishing equivalences.
However perhaps the most important topic in this chapter is a discussion of
appropriate behavioural equivalences for process description languages in general.
On the basis of some simple criteria we give a definition of a behavioural
equivalence between processes, called reduction barbed congruence, =,
∼ which
has the advantage of being applicable, or at least easily adapted to, most process
description languages. We will also argue that it is the most natural semantic
equivalence between processes; it relies essentially only on the process description
language having a reduction semantics, and therefore is widely applicable. The
chapter ends by showing how bisimulation equivalence needs to be adapted so as

to coincide with =,
∼ thereby providing a complete coinductive proof principle for
this natural behavioural equivalence.
In Chapter 3: Types in API we turn our attention to types, using a typed version
of our language, typed aPi. By focusing on a straightforward notion of runtime
error for aPi, we first explain the use of type systems, the general structure that the
types need to take and the associated typechecking system. We then elaborate on

www.pdfgrip.com


xiv

Preface

the kind of technical results one needs to establish about such a framework. These
cumulate to the demonstration of:
• Subject reduction: the property of being well-typed is preserved under the reduction

semantics.
• Type safety: well-typed processes do not give rise to runtime errors.

Next we introduce a more sophisticated capability-based type system, in which
a type corresponds to a set of capabilities, or permissions, on a channel or resource.
By means of examples we show how this type system can be used to manage, or
control, access to these resources. Establishing the required technical results in this
case is somewhat more challenging.
As we have already indicated, the presence of types affects the perceived
behaviour of processes, and consequently the behavioural theories of Chapter 2
need to be adapted to typed aPi. This is the topic of Chapter 4: Types and

behaviour in aPi , and is quite a challenge. We need to adapt the standard approach
for producing an lts from a process description language, explained in detailed in
Chapter 2, to generate a more descriptive lts in which the actions are parameterised
by the environment’s knowledge of the current capabilities concerned. Most of this
chapter is concerned with technical results, which ensure that the resulting lts is, in
some sense, self-consistent.
We then go on to show how this parameterised lts can be used to generate
a parameterised version of bisimulation equivalence between processes. In fact
this is relatively straightforward, but we also need to prove that the resulting
parameterised equivalence satisfies a range of mathematical properties, which one
would intuitively expect from such a framework.
At last, in Chapter 5: A distributed asynchronous pi-calculus we give a
detailed account of our distributed version of aPi, called aDpi. The syntax is
obtained by adding a new syntactic category, for systems, to that of typed aPi. We
obtain a description language in which systems consist of a collection of domains,
hosting agents, which can autonomously migrate between domains. These domains
also host local channels on which agents communicate; but more generally these
may be used to model local resources, accessible to agents currently located at the
host domain. The capability-based type system from Chapter 3 is also extended.
One novelty is the use of record types for domains, but the fact that resources are
purely local also requires a significant extension to the set of types. Essentially
the name of a local resource is useless, without knowledge of its location; for this
reason local resources are typed using a primitive kind of existential channel type.
We demonstrate the usefulness of the typing system via a sequence of examples,
and of course we also prove that it satisfies the standard properties one would
expect of any reasonable typing system. The chapter then ends with a detailed

www.pdfgrip.com



Preface

xv

Chapter 1: Background

Chapter 2: API

Chapter 3: Types for API

Chapter 4: Types and behaviour in API

Chapter 5: ADPI

Chapter 6: Behavioural equivalences for ADPI

formal account of the role of types in aDpi. This involves defining a version
of aDpi, called tagged-aDpi, in which capabilities, rather than values, are the
main entities manipulated by agents. This is a rather complicated language as the
capabilities, and their propagation, have to be explicitly managed by the reduction
semantics. However we demonstrate that in reality, there is no need for such a
detailed language; in the presence of the capability-based type system aDpi can
be considered as a more abstract, and therefore more manageable, version of
tagged-aDpi.
In Chapter 6: Behavioural equivalences for ADPI we adapt the parameterised
theory of bisimulation equivalence from Chapter 4 to aDpi. In fact we spare the
reader most of the technical proofs, as they can easily be adapted from those for
aPi. Instead we show, via a number of examples, that at least in theory many of the
standard methodologies associated with bisimulation equivalence can be adapted
to prove equivalences between aDpi systems.

We also revisit the principal topic of Chapter 2. We justify our parameterised
version of bisimulation equivalence by showing that it coincides with a natural
intuitively defined behavioural equivalence, a typed version of reduction barbed
congruence.

www.pdfgrip.com


xvi

Preface

We end with a brief section, entitled Sources, with references to the original
research papers on which our material is based, together with some pointers to
related work.
The book is essentially divided into two parts. After reviewing some required
background material in Chapter 2, the following three chapters aim to give a
coherent and detailed introduction to the pi-calculus. These chapters could form
the basis of a postgraduate course on the pi-calculus. Although they pursue
a particular viewpoint, students completing them should be competent in the
mathematical techniques underlying the theory of the pi-calculus, and therefore
should have no problem absorbing supplementary material, taken for example from
[39], [29], or the research literature.
The second part of the book, Chapter 5 and Chapter 6, give a detailed account
of the language aDpi, and its behavioural theory. This could form the core of a
postgraduate course on process calculi for distributed systems, for students familiar
with the pi-calculus. However once more this would need to be augmented with
additional material from the research literature, to reflect the varied approaches to
the subject.
Alternatively, a less theoretical course could be based upon the first four sections

of Chapter 2, Chapter 3 and the first three sections of Chapter 5. This foregoes most
of the material on behavioural equivalences, concentrating on the basic semantics
of the languages (the reduction semantics), and typing.
Each chapter ends with a set of exercises, which the reader is encouraged to
answer. For the most part these are related directly to the material of the chapter,
perhaps extending it in certain directions, or illustrating certain consequences. By
and large they should present no difficulties, although a few may be non-trivial.

www.pdfgrip.com


Acknowledgements

Most of the research reported on here was carried out over the years with a
large number of colleagues. The main language of the book, aDpi, was originally
developed in conjunction with James Riely, while the behavioural theory, in
Chapter 4 and Chapter 6, was developed jointly with Julian Rathke. Other
colleagues whose contributions and collaborative efforts I wish to acknowledge
include Alberto Ciaffaglione, Adrian Francalanza, Samuel Hym, Massimo Merro
and Nobuko Yoshida.
The book was largely written while the author held a Royal Society/Leverhulme
Trust Senior Fellowship during the academic year 2005/2006, although some
preliminary material on which it was based was presented at the Bertinoro
International Spring School for Graduate Studies in Computer Science in March
2004.
Finally a number of colleagues read parts of the book in draft form, and made
numerous useful suggestions for improvements. These include Adrian Francalanza,
Samuel Hym, Sergio Maffeis, Julian Rathke, James Riely and Nobuko Yoshida.

xvii


www.pdfgrip.com


www.pdfgrip.com


1
Inductive principles

Throughout the book we will make extensive use of both induction and coinduction,
and their associated proof techniques. Here we give a brief review of these concepts,
and an indication of how we intend to use them.

1.1 Induction
Figure 1.1 contains a definition of the (abstract) syntax of a simple language of
machines. Here a ranges over some set of action labels Act, and intuitively a
machine can carry out sequences of these actions, and periodically has a choice of
which actions to perform. Let M be the set of all machines defined in Figure 1.1.
Formally this is an inductive definition of a set, namely the least set S that satisfies
• stop ∈ S
• M ∈ S implies a.M ∈ S for every action label a in Act
• M1 , M2 ∈ S implies M1 + M2 ∈ S.

The fact that M is the least set that satisfies these conditions gives us a proof
technique for defining and proving properties of machines in M; any other set
satisfying the conditions is guaranteed to contain M.
As an example consider the following definition of the size of a machine:
• | stop | = 0
• |a.M | = 1 + |M |

• |M1 + M2 | = |M1 | + |M2 |.

We know by induction that this function is now defined for every machine.
Belabouring the point for emphasis let D be the domain of the size function | |,
the set of elements for which it is defined. The three clauses in the definition of
| | above imply that D satisfies the three defining properties of M. So we can
conclude that M ⊆ D; that is every machine is in the domain of | |. We refer to
1

www.pdfgrip.com


2

Inductive principles

Figure 1.1 Syntax for finite machines

this form of induction as structural induction, as it uses the structure of the language
of machines.
We can also use induction to define the intended behaviour of machines. These
machines perform sequences of actions, but these sequences can be characterised
indirectly by describing what initial action a machine M can perform, and the
residual of M after the action, the part of M that subsequently remains to be
executed. This is given by defining a ternary relation over M × Act × M, with
a
N
M −→

(1.1)


indicating that the machine M can perform an action labelled a, with N as residual.
a
N is defined inductively, as the least relation that
Formally the relation M −→
satisfies the axiom (m-move), and the rules (m-choice.l) and (m-choice.r) in
Figure 1.2. The general form of these rules is
(m-rule)

premise1 , . . . premisen
conclusion
This consists of a number, possibly zero, of premises, and a conclusion, meaning
that if all of the premises can be established then the conclusion is true. When the
set of premises is empty, we have an axiom, which will be written more simply as
(m-axiom)

conclusion
The nature of these rules ensures that there is always a least relation satisfying
them. Informally each rule can be viewed as a property of relations; it is true of R
if, whenever each premise is true of R it follows that the conclusion is also true
of R. Now consider a collection of such rules, C . Suppose Ri , i ∈ I , is a family
of relations, all of which satisfy each rule in C . Then one can check that ∩I Ri also
satisfies them. So the least relation satisfying the rules C can be taken to be the
intersection of all the relations satisfying them. In fact we take this least relation to
be the relation defined by the rules C .

Figure 1.2 An inductive definition of actions

www.pdfgrip.com



1.1 Induction

3

More prosaically one can show this least relation simply consists of all
judgements for which there is a proof using the rules from C . As an example of such
a C take those in Figure 1.2, consisting of one axiom and two rules. We can take
(1.1) above to be the relation defined by C . Thus if we assert (1.1) for a particular
M , N and a, then we have a proof of this fact, using a series of applications of this
axiom and of the two rules. For example we can prove
a
a.(b. stop + a. stop) + b.(a. stop + c.b. stop) −→
(b. stop + a. stop)

(1.2)

in two steps. The first is an application of the axiom (m-move) to obtain
a
a.(b. stop + a. stop) −→
(b. stop + a. stop)

Then an application of (m-choice.l) to this gives (1.2).
So if we want to prove a property of any judgement of the form (1.1) above we
can use induction on the length of its proof; that is on the number of applications of
rules or axioms, or more generally on the structure of the proof. We call this form
of induction rule induction.
As an example of its use let us prove the following, rather obvious, fact:
a
Lemma 1.1 If M −

→
M then |M | < |M |.

Proof: There is an embarrassing number of inductive definitions involved in this
statement; the set of machines over which M and M range, the inductively defined
a
function | | and the inductively defined relation M −→
N ; for the purposes of
exposition we concentrate on this last.
a
Since M −→
M we have a proof of this fact using the rules in Figure 1.2. We
prove the statement of the lemma using induction on the structure of this proof;
that is we use rule induction.
The proof must have non-zero length, and we examine the last rule used in its
derivation. There are three possibilities.
• The first is when this last rule is (m-move), in which case the length of the proof is one.

Then M and M are of the form a.N and N respectively, for some machine N . Looking up
the definition of the function | | we immediately find that |a.N | = 1 + |N |, and therefore
the required result is true.
• The second possibility is that the rule (m-choice.l) is used. So M has the form M1 + M2
a
and we know that M1 −→
M . Moreover the derivation of this latter judgement is strictly
a
contained in that of M −→ M . Therefore we may apply the inductive hypothesis to
conclude that |M | < |M1 |. Again looking up the definition of the function we see that
|M | = |M1 | + |M2 |, and therefore |M1 | ≤ |M |. The requirement, that |M | < |M |,
therefore again follows.

• The third and final possibility is that (m-choice.r) is the last rule used. This is another
inductive case, and the argument is identical to the second possibility.

www.pdfgrip.com


4

Inductive principles

Let us end this section by remarking that formally we have defined (1.1) as a
ternary relation over M × Act × M. However we will often view this as a family
a
of relations −→,
one for each a in Act.
1.2 Coinduction
Induction is a mathematical argument obtained by virtue of the fact that some
relation R is defined to be the least one satisfying certain properties; any other
relation satisfying these properties contains R. Coinduction, the dual argument,
is obtained by virtue of the fact that a relation R is defined to be the largest
one satisfying certain properties; then any other relation satisfying the defining
properties is contained in R. To see an example let us first set up the general
framework we will use in our behavioural descriptions of languages.
Definition 1.2 (lts) A labelled transition system, or more briefly, an lts, consists of
• a set of configurations or states, S
• a set of action labels, Act
• for each action label a, a binary next state relation Ra ⊆ S × S.
a
We will often use suggestive notation such as P −→
Q to denote the fact that P, Q

is contained in Ra , and refer to Q as a residual of P after performing the action a.

The set of states S will often be simply the set of terms of some language and the
relations will define the various ways in which observers or users can interact with
programs or processes written in the language. Figures 1.1 and 1.2 give a typical
example. Taken together they define the following lts:
• The set of states are all terms M that can be defined using the rules in Figure 1.1.
• For each action label a in Act the relation Ra consists of all pairs M , M for which the
a
judgement M −→
M can be derived using the rules in Figure 1.2.

Indeed this is a proto-typical example of the operational semantics of a language.
We will see many other examples, but each follow precisely this schema. An lts will
be defined using the terms of some language for describing processes, some set of
action labels Act appropriate to the language, and for each a in Act an inductively
defined relation over process terms. Note that this framework will give us two
forms of induction; structural induction on process terms, and rule induction on
the relations.
a
Now consider an arbitrary lts, (S , Act, −→)
and let R be an arbitrary relation over
the set of states S ; that is suppose R ⊆ S × S . We say R is a strong bisimulation
if it satisfies the following two properties:
a
a
(1) P1 R P2 and P1 −→
P1 implies P2 −→
P2 for some state P2 such that P1 R P2
a

a
(2) P1 R P2 and P2 −→ P2 implies P1 −→
P1 for some state P1 such that P1 R P2

www.pdfgrip.com


1.2 Coinduction

5

for every action a in Act. These properties are often written graphically (less
precisely); for example the property (1) of R above can be represented as:

This is often called the strong transfer property for R in the lts in question; in
these diagrams the dotted arrow refers to a relation that is required, as opposed
to the standard arrow that indicates a given relation. Note that property (2)
is equivalent to requiring that the inverse of R, denoted R−1 , also satisfies this
transfer property. In other words R is a bisimulation if it, and its inverse, satisfies
the transfer property. In general there is no requirement for a bisimulation to be
symmetric; but if it happens to be symmetric then checking (2), the transfer property
for its inverse, is vacuous.
We use ∼bis to denote the largest bisimulation, which is referred to as strong
bisimulation equivalence. Note that if Ri is any family of bisimulations, where
i ranges over some index set I , then it is easy to check that ∪I Ri is also a
bisimulation. From this we see that ∼bis exists since we can define it to be the
set theoretic union of all bisimulations.
The fact that ∼bis is the largest relation satisfying the transfer property gives us
a proof technique: any other relation satisfying the transfer property is contained
in ∼bis . So, for example, to prove that P ∼bis Q for some particular pair of states

P, Q, it is sufficient to exhibit any bisimulation containing the pair P, Q . For
example
a.(b. stop + b. stop) + a.b. stop ∼bis a.b. stop
because the following is a bisimulation:
a.(b. stop + b. stop) + a.b. stop ↔

a.b. stop

b. stop + b. stop

↔ b. stop

b. stop

↔ b. stop

stop

↔ stop

Here we have given a graphical representation of a relation R over machine states
by enumerating all its elements; P ↔ Q signifies that the pair P, Q is in R.
Demonstrating that R is indeed a bisimulation requires some checking. But an
exhaustive analysis will show that this relation does indeed satisfy the transfer

www.pdfgrip.com