Encoding cryptographic primitives in a calculus with polyadic synchronization

Joana Martinho∗
Dep. of Mathematics, Instituto Superior Técnico, Technical University of Lisbon.
Av. Rovisco Pais, 1. 1049-001 Lisboa, Portugal
E-mail: joana dk@portugalmail.pt

António Ravara†
Security and Quantum Information Group, Instituto de Telecomunicações, and
Dep. of Mathematics, Instituto Superior Técnico, Technical University of Lisbon.
Av. Rovisco Pais, 1. 1049-001 Lisboa, Portugal
E-mail: aravara@ist.utl.pt
Abstract

We thoroughly study the behavioral theory of epi, a π-calculus extended with polyadic synchronization. We show that the natural contextual equivalence, barbed congruence, coincides with early bisimilarity, which is thus its co-inductive characterization. Moreover, we relate early bisimilarity with the other usual notions, ground, late and open, obtaining a lattice of equivalence relations that clarifies the relationship among the “standard” bisimilarities.

Furthermore, we apply the theory developed to obtain an expressiveness result: epi extended with (symmetrical) key encryption primitives may be fully abstractly encoded in the original epi calculus. The proposed encoding is sound and complete with respect to barbed congruence. Therefore, cryptographic epi (crypto-epi) gets a behavioral theory for free, which contrasts with other process languages with cryptographic constructs, which usually require a big effort to develop such a theory.

It is thus possible to use crypto-epi to analyze and to verify properties of security protocols using equational reasoning. To illustrate this claim, we prove the correctness of a protocol of secure message exchange.
Categories and Subject Descriptors: D.2.4 [Program Verification]: Correctness Proofs; F.1.1 [Models of Computation]: Process Algebra; F.1.3 [Specification, Verification, and Reasoning about Programs]: Logics and Meanings of Programs; F.3.3 [Program constructs]: Control Primitives

General Terms: Behavioral Theory, Cryptographic Mobile Calculus

Keywords: Barbed Congruence, (Early) Bisimulation, Cryptographic Primitives, Fully Abstract Encoding, π-calculus, Polyadic Synchronization

∗ Affiliation when developing a preliminary version of this work, until October 2004.
† Corresponding author.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
International Conference on Theoretical and Mathematical Foundations of Computer Science (TMFCS-08), July 7-10 2008, Orlando, FL, USA.
Copyright © 2008 International Society for Research in Science and Technology (ISRST)
1. Introduction

We study herein the behavioral theory of a π-calculus where, instead of on simple names, processes synchronize on vectors of names (epi, an acronym standing for extended π-calculus). To illustrate the expressive power of the calculus and a possible application area, we show that some cryptographic primitives are derivable in epi. Therefore, if one extends the calculus with such primitives, the resulting process language enjoys the same theory as the original language, and thus one may use it to prove properties of security protocols.
Extended π-calculus. The π-calculus with polyadic synchronization (epi), proposed by Carbone and Maffeis [CM03], is an extension of the π-calculus of Milner, Parrow, and Walker [MPW92, SW01] that generalizes the synchronization mechanism, based on handshaking, i.e., the simultaneous execution of input/output actions, by allowing channel names to be composite.

The fact that in epi communication is only established if the channel vectors match element-wise enhances its expressive power with respect to the π-calculus. In particular, Carbone and Maffeis show that the matching construct¹ can be encoded in the π-calculus with polyadic synchronisation but not in the π-calculus. In addition, they also prove that the higher the degree of synchronization (i.e., the maximum length of the channel vectors), the higher the expressive power of the calculus.

Carbone and Maffeis did not fully develop the behavioral theory of the process language they proposed. Defining a grammar and an operational semantics yields a description language and a rigorous definition of its computational behavior, but a calculus (in the logical sense) requires a theory to equate terms. A process calculus is achieved by defining a behavioral equivalence (ideally a congruence) either axiomatically, inductively, or co-inductively.
Goals and contributions. The aim of this paper is twofold: to develop the behavioral theory of epi, defining a contextual equivalence and looking for its co-inductive characterization; and to use this theory to show how to define cryptographic primitives preserving it, thus allowing the calculus extended with such primitives to be used to analyze and to verify security protocols.

The first goal is hence to study in detail the behavioral semantics of epi: (1) defining an operational semantics (a late labeled transition system semantics); (2) defining the usual equivalence notions (in the context of mobile calculi): contextual and co-inductive (ground, late, early and open bisimilarities); and (3) extending results from the π-calculus to epi, namely obtaining congruence results, finding which (if any) bisimilarity coincides with the contextual equivalence, and establishing a lattice of inter-relations between the various equivalence relations.² We find that, in epi, as in π, barbed congruence coincides with early congruence (early bisimilarity closed under all substitutions), and thus we have a co-inductive characterization of the “natural” contextual equivalence of the calculus. Moreover, we relate all these “standard” notions of co-inductive equivalences, ground, late, early, and open, bisimilarities and congruences, obtaining a lattice of equivalence relations that clarifies the relationship among them. To our knowledge, this is original work, and it provides epi with the basic behavioral theory of a mobile calculus.

¹ The matching construct is a process like if x = y then P which compares names x and y and, if they coincide, behaves like process P; otherwise it does nothing.
The second goal is to use the theory developed to show that epi extended with nondeterministic, symmetrical, key encryption primitives may be used to analyze and to verify security protocols. To explore this possible application area, and to further show the expressive power of epi, we define a new calculus, the cryptographic π-calculus with polyadic synchronisation (crypto-epi), an extension of epi with the referred cryptographic primitives (in the spirit of the spi-calculus of Abadi and Gordon [AG97] — itself an extension of the π-calculus with constructs that allow for encryption and decryption of messages — or of the applied π-calculus of Abadi and Fournet [AF01] — another extension of the π-calculus with a term algebra). These two primitives are suggested by Carbone and Maffeis in the introduction of their paper [CM03] as another argument to support the expressiveness of the calculus they propose, epi. However, they neither defined nor studied its extension with such primitives. Herein, we formally define crypto-epi: (1) adding to the grammar of epi primitives for (symmetrically) encoding and decoding names; (2) providing transition rules to deal with these constructs, enriching the labeled transition system of epi; (3) extending results from epi to crypto-epi, namely showing that the new constructs preserve early bisimilarity. Then we show that crypto-epi is fully abstractly encoded, with respect to barbed congruence, in the original π-calculus with polyadic synchronisation, thus reflecting the behavioral theory of epi back to crypto-epi, and allowing the usual reasoning principles based on behavioral equivalences to be used in the latter.

The encoding is also proposed by Carbone and Maffeis in the introduction of their paper, but they do not study its properties. To our knowledge, our result is original: not only does it show that these cryptographic primitives may be defined in epi as programming constructs and do not need to be primitive, reinforcing the expressive power of epi, but it also provides a standard behavioral theory to a cryptographic mobile process calculus. Moreover, since the results closely follow those of the π-calculus, it should be straightforward to adapt tools like the Mobility Workbench [Vic94, VM94] to epi and crypto-epi, achieving a powerful tool to prove properties of security protocols by equational reasoning. Note that other cryptographic calculi like the spi-calculus or the applied π-calculus have a more evolved and sometimes cumbersome behavioral theory. The extra structure for data handling severely complicates equational reasoning: naïve adaptations of bisimulations are not adequate, and the new notions developed are “heavy” and difficult to automate [AF01, AG97, BAF07, BNP02, BN05]. To illustrate the use of the theory developed, we prove the correctness of a protocol of secure message exchange.
² The result is a lattice similar to that of the π-calculus.

Figure 1. crypto-epi syntax.

  $P ::= 0$                                        processes: inaction
     $\mid \pi.P$                                   prefix
     $\mid\ !P$                                     replication
     $\mid (\nu x)P$                                restriction
     $\mid (P \mid P)$                              parallel composition
     $\mid (P + P)$                                 choice

  $\pi ::= \tau$                                    prefixes: internal
     $\mid x_1 \cdot \ldots \cdot x_k(y)$                        input
     $\mid \overline{x_1 \cdot \ldots \cdot x_k}\langle y\rangle$   output

Structure of the paper. We structure the presentation of our work in the following manner:

• In Section 2 we introduce the syntax and a late labeled transition semantics of the π-calculus with polyadic synchronisation, as first proposed by Carbone and Maffeis.
• In Section 3 we define the four usual co-inductive notions of equivalence (ground, late, early and open bisimilarity), and compare these notions, concluding that they relate to each other just as in the π-calculus. We further introduce the notions of barbed bisimilarity, equivalence and congruence, and conclude that the latter coincides with early congruence. Although relying on a similar result obtained for the π-calculus [San92], the proof of the coincidence of the notions in epi requires several adjustments.
• In Section 4 we extend the π-calculus with polyadic synchronisation with the cryptographic primitives proposed by Carbone and Maffeis in the introduction of their paper [CM03]. In addition to their work, we give an operational semantics to the new calculus, adding new rules to the original labeled transition system, and moreover, we analyze in detail a simple cryptographic protocol, proving it correct. Furthermore, we prove fully abstract (with respect to barbed congruence) the encoding they propose of the cryptographic constructs in epi.
• Section 5 concludes the paper, listing our contributions and giving directions for future research.

Due to the lack of space, we do not present herein the proofs of the results obtained. These may be found in a technical report [MR07].
2. epi: π-calculus with Polyadic Synchronization

The π-calculus with polyadic synchronization, epi, is a variant of the π-calculus where the channels can consist of sequences of names and communication is established if and only if the channel vectors match element-wise.³

2.1 Syntax

We introduce the syntax of the calculus in detail and also mention some of the main differences between this and the π-calculus. These differences will be explained in further detail in subsequent parts of this section.

DEFINITION 2.1. Processes
Let $\mathcal{N}$ be a countable set of names and $x, x_1, \ldots, x_k, y$ range over $\mathcal{N}$ for some $k \in \mathbb{N}$. The grammar in Figure 1 defines the class of processes $\mathcal{P}_S$, ranged over by $P, Q$.

The decreasing order of precedence of operators follows that of the definition, where the prefix operator has the highest precedence. In what follows we use the notation $\pi$ for $\pi.0$, and $(\nu z, w)P$ for $(\nu z)(\nu w)P$.
All operators used here are also present in the π-calculus and their behavior is as expected. Nonetheless, note that restriction is made on names as in the π-calculus and not on composite channels: this allows for partial restriction.

³ We call π-calculus with biadic synchronization the particular case of the π-calculus with polyadic synchronization where the composite channels have at most two names.

Table 1. Actions.

  Action                            Description     fn(α)            bn(α)
  $\tau$                            internal        ∅                ∅
  $\overline{u}\langle y\rangle$    free output     nm(u) ∪ {y}      ∅
  $\overline{u}(y)$                 bound output    nm(u)            {y}
  $u(y)$                            input           nm(u)            {y}

Table 2. Names in Processes.

  P          fn(P)                        bn(P)
  0          ∅                            ∅
  π.Q        fn(π) ∪ (fn(Q) \ bn(π))       bn(π) ∪ bn(Q)
  !Q         fn(Q)                        bn(Q)
  (νy)Q      fn(Q) \ {y}                  {y} ∪ bn(Q)
  (Q | R)    fn(Q, R)                     bn(Q, R)
  (Q + R)    fn(Q, R)                     bn(Q, R)
One should also note that in the π-calculus with polyadic synchronization it is not necessary to include the match operator since it can be encoded in the calculus. This is not possible in a ‘sensible’ manner using the original π-calculus, which therefore takes the match operator as a primitive. This important separation result between the two calculi was obtained by Carbone and Maffeis [CM03], and it is the central expressiveness result about epi.

Consider $u = x_1 \cdot \ldots \cdot x_k$ and $\overline{u} = \overline{x_1 \cdot \ldots \cdot x_k}$, where $k \in \mathbb{N}$, representing respectively the input and output channel vectors. Then, $nm(u) = nm(\overline{u}) = \{x_1, \ldots, x_k\}$. As in the π-calculus, there are four possible kinds of actions $\alpha$ in the present calculus, as seen in Table 1. Let $bn(\alpha)$ denote the set of bound names in $\alpha$, $fn(\alpha)$ the set of free names in $\alpha$ and $nm(\alpha)$ the set of all names in $\alpha$ (the union of the previous two sets). The respective notions for prefixes, i.e., $fn(\pi)$, $bn(\pi)$, and $nm(\pi)$, are defined similarly. Furthermore, the notions of bound and free names in a process $P$, denoted by $bn(P)$ and $fn(P)$ respectively, follow from those of the π-calculus. Table 2 presents the rigorous definition of these notions, where $nm(P)$ denotes the names in the process $P$. Let $fn(P_1, P_2) = fn(P_1) \cup fn(P_2)$, and consider similar definitions for $bn(P_1, P_2)$ and $nm(P_1, P_2)$.

Note that we sometimes use polyadic CCS-like prefixes $a \cdot w$ and $a \cdot y$ where no item is being sent or expected to be received. We do this to highlight the fact that what could be transmitted is irrelevant; the problem lies in the synchronization of the composite channels. In general, $\overline{u}.P$ will be used as shorthand for $\overline{u}\langle y\rangle.P$ for some $y$, and $u.P$ will be used as shorthand for $u(y).P$ where $y \notin fn(P)$.

Substitution and α-convertibility are defined as in the π-calculus [SW01], though we now require that the latter takes into account the possibility of composite channels. Note that given a substitution $\sigma = \{w/z\}$ we denote the result of applying $\sigma$ to $z$ as $\sigma(z)$. In this case, we then have that $\sigma(z) = w$. Moreover, substitution may imply the renaming via α-conversion of bound actions to avoid unwanted captures of free names.
2.2 Late Labeled Transition Semantics

We define herein a late labeled transition semantics of the π-calculus with polyadic synchronization. In addition, we provide examples that reflect the differences between this calculus and the π-calculus.
Figure 2. Late transition rules.

(PREFIX)  $\dfrac{-}{\alpha.P \xrightarrow{\alpha} P}$

(CH1)  $\dfrac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'}$

(PAR1)  $\dfrac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q}$  where $bn(\alpha) \cap fn(Q) = \emptyset$

(RES)  $\dfrac{P \xrightarrow{\alpha} P'}{(\nu x)P \xrightarrow{\alpha} (\nu x)P'}$  where $x \notin nm(\alpha)$

(REP-ACT)  $\dfrac{P \xrightarrow{\alpha} P'}{!P \xrightarrow{\alpha} P' \mid\ !P}$

(REP-COMM)  $\dfrac{P \xrightarrow{\overline{u}\langle x\rangle} P' \qquad P \xrightarrow{u(z)} P''}{!P \xrightarrow{\tau} (P' \mid P''\{x/z\}) \mid\ !P}$

(REP-CLOSE)  $\dfrac{P \xrightarrow{\overline{u}(x)} P' \qquad P \xrightarrow{u(x)} P''}{!P \xrightarrow{\tau} (\nu x)(P' \mid P'') \mid\ !P}$  where $x \notin fn(P)$

(OPEN)  $\dfrac{P \xrightarrow{\overline{u}\langle x\rangle} P'}{(\nu x)P \xrightarrow{\overline{u}(x)} P'}$  where $x \notin nm(u)$

(CLOSE1)  $\dfrac{P \xrightarrow{\overline{u}(x)} P' \qquad Q \xrightarrow{u(x)} Q'}{P \mid Q \xrightarrow{\tau} (\nu x)(P' \mid Q')}$

(COMM1)  $\dfrac{P \xrightarrow{\overline{u}\langle x\rangle} P' \qquad Q \xrightarrow{u(z)} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'\{x/z\}}$

(CONV)  $\dfrac{Q \xrightarrow{\alpha} P'}{P \xrightarrow{\alpha} P'}$  if $Q =_\alpha P$
DEFINITION 2.2. Late labeled transition relation
Let $u = x_1 \cdot \ldots \cdot x_k$, where $k \in \mathbb{N}$. The late labeled transition relation $\xrightarrow{\alpha} \subseteq \mathcal{P}_S \times \mathcal{P}_S$, where $\alpha$ is an action, is the smallest relation generated by the set of rules in Figure 2.⁴
The rules follow in a straightforward manner those of the π-calculus, now considering vectors of names as channels. Note once again that the restriction rule, RES, considers single and not composite names, i.e., restriction is partial. Nevertheless, we enforce an all-or-nothing behavior, that is, we require the match of all the names in the channel vector to allow synchronization. The following example reflects the consequences of this type of restriction.

EXAMPLE 2.3. Let $P = (\nu x_1)\,\overline{x_1 \cdot x_2}\langle y\rangle$ and $Q = \overline{x_1 \cdot x_2}\langle y\rangle$. Then, $P$ cannot perform the input action because of the restriction on one of its channel names, while $Q$ can. Consider now $P = x(y).\overline{y \cdot z}\langle v\rangle \mid \overline{x}\langle w\rangle$. Its reduction performs a substitution in (only) one of the channel names, yielding $\overline{w \cdot z}\langle v\rangle$.

⁴ Note that four rules are not included in the figure: the symmetric form CH2 of CH1, which has $Q + P$ instead of $P + Q$, and the symmetric forms PAR2, COMM2 and CLOSE2 of PAR1, COMM1 and CLOSE1, in which the roles of the left and right components are swapped.
3. Observational Semantics

In this section we develop the behavioral theory of epi. In short, we define a contextual equivalence for epi, barbed congruence, and find its co-inductive characterization. Following the literature for the π-calculus [MPW92, San96], with the necessary adjustments we introduce the “standard” notions of bisimilarity: ground, late, early, and open. We then study their preservation by the operators of epi and inter-relate these notions, getting a lattice of discriminating power. Finally, we show that early congruence (early bisimilarity closed under all substitutions) coincides with barbed congruence, being thus its co-inductive characterization.

Although not surprising, these results are technically difficult, and some proofs deviate from those in the π-calculus. This work is necessary to provide epi with a behavioral theory.
3.1 A Contextual Equivalence

In this part we prove that a “natural” contextual equivalence coincides with early bisimilarity, which thus provides its co-inductive characterization. We rely on a similar result obtained for the π-calculus by Sangiorgi [San92].
DEFINITION 3.1. Barbs
The predicate ‘$P$ exhibits barb $\beta$’, written $P \downarrow_\beta$, is defined by:
- $P \downarrow_u$ if $P$ can perform an input action on channel $u$
- $P \downarrow_{\overline{u}}$ if $P$ can perform an output action on channel $u$

A barb is an input or output channel identifier. Note that the predicate just defined concerns only visible and immediate possible actions. We now introduce the notion of barbed bisimilarity as proposed by Milner and Sangiorgi [MS92].

DEFINITION 3.2. Barbed bisimilarity
1. A binary symmetric relation $S$ is a barbed bisimulation if $P\,S\,Q$ implies:
 - if $P \downarrow_\beta$ then $Q \downarrow_\beta$ for each barb $\beta$
 - if $P \xrightarrow{\tau} P'$ then there exists a $Q'$ such that $Q \xrightarrow{\tau} Q'$ and $P'\,S\,Q'$
2. Processes $P$ and $Q$ are barbed bisimilar if $P\,S\,Q$ for some barbed bisimulation $S$.
3. Barbed bisimilarity, written $\sim_b$, is the greatest barbed bisimulation.
Barbed bisimilarity is a much coarser relation than the ones introduced so far. The following example illustrates the difference between barbed bisimilarity and those notions of bisimilarity.

EXAMPLE 3.3. Let $P = \overline{m}\langle n\rangle.\overline{m}\langle n\rangle$ and $Q = \overline{m}\langle n\rangle$. Then, $P$ and $Q$ are barbed bisimilar since their only barb is $\overline{m}$. However, $P$ and $Q$ are not ground, nor late, nor early nor open bisimilar since $P \xrightarrow{\overline{m}\langle n\rangle} \overline{m}\langle n\rangle$ and $Q \xrightarrow{\overline{m}\langle n\rangle} 0$, which are obviously not bisimilar.

Note that barbed bisimilarity is not a congruence since it is not preserved by parallel composition, nor by replication, nor by substitution. Nonetheless, barbed bisimilarity is preserved by the remaining operators.
PROPOSITION 3.4. The relation $\sim_b$ is preserved by the prefixing, restriction and choice operators.

Closing barbed bisimilarity under parallel composition yields an equivalence notion.

DEFINITION 3.5. Barbed equivalence
Two processes $P$ and $Q$ are barbed equivalent, written $P \sim_{beq} Q$, if $P \mid R \sim_b Q \mid R$ for every process $R$.

In order to define barbed congruence we must first introduce the notion of context. Contexts are processes with a “hole”.

DEFINITION 3.6. Barbed congruence
1. A context is obtained when a ‘hole’ $[\cdot]$ replaces a process in $P \in \mathcal{P}_S$.
2. The process obtained by replacing the $[\cdot]$ in $C$ by $P$, where $C$ is a context and $P$ a process, is denoted by $C[P]$.
3. Two processes $P$ and $Q$ are barbed congruent, written $P \simeq_b Q$, if $C[P] \sim_b C[Q]$ for every context $C[\cdot]$.

We now extend to epi the result that establishes an alternative definition of barbed congruence in the π-calculus, as done by Sangiorgi and Walker [SW01].

LEMMA 3.7. $P \simeq_b Q$ if and only if $P\sigma \sim_{beq} Q\sigma$ for any substitution $\sigma$.

The notion of barbed congruence was proposed by Milner and Sangiorgi [MS92], while the less demanding notion of barbed equivalence was later proposed by Sangiorgi [San92]. Note that barbed equivalence and barbed congruence do not coincide, as there are processes that are barbed equivalent but not barbed congruent (see Example 3.34 in the long version of this paper [MR07]).
3.2 Four Notions of Bisimilarity

Seeking a co-inductive characterization of barbed congruence, we define the usual notions of bisimilarity and inter-relate them. The first notion we consider is that of ground bisimilarity, where there is no name instantiation.
DEFINITION 3.8. Ground bisimilarity
1. A binary symmetric relation $S$ is a ground bisimulation if $P\,S\,Q$ implies: if $P \xrightarrow{\alpha} P'$ where $bn(\alpha) \cap fn(P,Q) = \emptyset$ then there is a $Q'$ such that $Q \xrightarrow{\alpha} Q'$ and $P'\,S\,Q'$.
2. Processes $P$ and $Q$ are ground bisimilar if $P\,S\,Q$ for some ground bisimulation $S$.
3. Ground bisimilarity, written $\sim_g$, is the largest ground bisimulation.⁵
The notion of ground bisimilarity is very simple since a process merely has to imitate the other in its possible transitions and vice versa, without considering name instantiation. Unfortunately, as in the π-calculus, a consequence of this is that ground bisimilarity is not preserved by the parallel composition operator, as seen in the following example.

EXAMPLE 3.9. Let $P = (\nu a)(z(w).\overline{a \cdot w}\langle c\rangle \mid a \cdot y(b))$ and $Q = z(w)$. Then both $P$ and $Q$ are ground bisimilar since after performing the input action they both become inactive. Conversely, $P' = P \mid \overline{z}\langle y\rangle \xrightarrow{\tau} (\nu a)(\overline{a \cdot y}\langle c\rangle \mid a \cdot y(b))$, which can also perform an internal action, while $Q' = Q \mid \overline{z}\langle y\rangle$ can only perform one internal action and then becomes inactive. We can then conclude that although $P$ and $Q$ are ground bisimilar, $P'$ and $Q'$ are not ground bisimilar.

Ground bisimilarity is not preserved by replication either. A counter-example may be found in the long version of this paper.⁶

⁵ The existence and uniqueness of a largest bisimulation is a direct consequence of the Knaster-Tarski Fixed Point Theorem.
⁶ Several propositions in the remainder of this section present results with strict inclusions. The counter-examples may be found in the long version of this paper.
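To make Examples 2.3, 3.3 and 3.9 executable, the following Python interpreter (added here as an illustration; it is not part of the paper and not code by its authors) implements the late transition rules of Figure 2 for finite epi processes (replication omitted), with restriction on single names, element-wise matching of channel vectors in COMM/CLOSE, the barbs of Definition 3.1, and decision procedures for barbed (Definition 3.2) and ground (Definition 3.8) bisimilarity that terminate because the processes are finite. The tuple encoding of processes and actions, the `fresh` name generator and all helper names are this example's own assumptions.

```python
from itertools import count
_counter = count()
def fresh(tag): return f"{tag}#{next(_counter)}"   # '#' never occurs in user-written names
# Processes are tuples; a channel u is a tuple of names, the vector x1 . ... . xk.
NIL = ("nil",)
def out(u, y, p=NIL): return ("out", tuple(u), y, p)   # u<y>.P, free output prefix
def inp(u, y, p=NIL): return ("in", tuple(u), y, p)    # u(y).P, input prefix binding y
def par(p, q): return ("par", p, q)
def res(x, p): return ("res", x, p)   # (vx)P restricts a single name, never a whole vector
def fn(p):   # free names of a process (Table 2)
    k = p[0]
    if k == "nil": return set()
    if k == "out": return set(p[1]) | {p[2]} | fn(p[3])
    if k == "in": return set(p[1]) | (fn(p[3]) - {p[2]})
    if k == "res": return fn(p[2]) - {p[1]}
    return fn(p[1]) | fn(p[2])

def subst(p, y, w):   # P{w/y}: substitute w for free y, renaming a binder that would capture w
    k, r = p[0], (lambda n: w if n == y else n)
    if k == "nil" or y == w: return p
    if k == "par": return ("par", subst(p[1], y, w), subst(p[2], y, w))
    if k == "out": return ("out", tuple(map(r, p[1])), r(p[2]), subst(p[3], y, w))
    b, body = (p[2], p[3]) if k == "in" else (p[1], p[2])   # the binder and its scope
    if b != y:                       # if b == y, y is not free in the scope: leave it alone
        if b == w:
            nb = fresh(b); body, b = subst(body, b, nb), nb
        body = subst(body, y, w)
    return ("in", tuple(map(r, p[1])), b, body) if k == "in" else ("res", b, body)

# Actions: ("tau",), ("out", u, y) free output, ("bout", u, x) bound output, ("in", u, y).
def bound(a): return a[2] if a[0] in ("in", "bout") else None
def names(a): return set() if a[0] == "tau" else set(a[1]) | {a[2]}
def rename(a, p, new):   # alpha-convert the bound name of action a and of its derivative p
    return (a[0], a[1], new), subst(p, a[2], new)
def trans(p):   # late transitions of Figure 2, without replication: a list of (action, P')
    k = p[0]
    if k == "nil": return []
    if k == "out": return [(("out", p[1], p[2]), p[3])]
    if k == "in": return [(("in", p[1], p[2]), p[3])]
    if k == "res":
        x, steps = p[1], []
        for a, q in trans(p[2]):
            if bound(a) == x: a, q = rename(a, q, fresh(x))
            if x not in names(a): steps.append((a, res(x, q)))           # RES
            elif a[0] == "out" and a[2] == x and x not in a[1]:          # OPEN
                steps.append((("bout", a[1], x), q))
        return steps        # an action whose vector contains x is blocked by the restriction
    steps = []
    for i, (left, right) in enumerate(((p[1], p[2]), (p[2], p[1]))):
        mk = (lambda l, r: par(l, r)) if i == 0 else (lambda l, r: par(r, l))
        for a, l in trans(left):
            if bound(a) in fn(right): a, l = rename(a, l, fresh(bound(a)))   # PAR condition
            steps.append((a, mk(l, right)))
            if a[0] in ("out", "bout"):
                for b, r in trans(right):               # COMM / CLOSE fire only when the
                    if b[0] == "in" and b[1] == a[1]:   # two vectors match element-wise
                        q = mk(l, subst(r, b[2], a[2]))
                        steps.append((("tau",), q if a[0] == "out" else res(a[2], q)))
    return steps
def barbs(p):   # Definition 3.1: (direction, vector) of every visible immediate action
    return {("in" if a[0] == "in" else "out", a[1]) for a, _ in trans(p) if a[0] != "tau"}
def taus(p): return [q for a, q in trans(p) if a[0] == "tau"]

def barbed_bisimilar(p, q):   # Definition 3.2, decided by recursion on finite processes
    return (barbs(p) == barbs(q)
            and all(any(barbed_bisimilar(p1, q1) for q1 in taus(q)) for p1 in taus(p))
            and all(any(barbed_bisimilar(q1, p1) for p1 in taus(p)) for q1 in taus(q)))

def ground_bisimilar(p, q):   # Definition 3.8 on finite processes, bound names up to alpha
    def match(a, p1, b, q1):
        if bound(a):
            c = fresh("c"); (a, p1), (b, q1) = rename(a, p1, c), rename(b, q1, c)
        return a == b and ground_bisimilar(p1, q1)
    def sim(p, q):
        return all(any(a[0] == b[0] and match(a, p1, b, q1) for b, q1 in trans(q))
                   for a, p1 in trans(p))
    return sim(p, q) and sim(q, p)

# Constructed terms: the processes of Examples 2.3, 3.3 and 3.9 (outputs are the overlined prefixes).
P23, Q23 = res("x1", out(("x1", "x2"), "y")), out(("x1", "x2"), "y")
R23 = par(inp(("x",), "y", out(("y", "z"), "v")), out(("x",), "w"))   # x(y).y.z<v> | x<w>
P33, Q33 = out(("m",), "n", out(("m",), "n")), out(("m",), "n")
P39 = res("a", par(inp(("z",), "w", out(("a", "w"), "c")), inp(("a", "y"), "b")))
Q39, SEND = inp(("z",), "w"), out(("z",), "y")   # Q of Example 3.9 and the context | z<y>
```

Running `barbs`, `taus`, `barbed_bisimilar` and `ground_bisimilar` on these terms reproduces the three examples: `P23` has no barb while `Q23` does, `R23` reduces to $\overline{w \cdot z}\langle v\rangle$, `P33` and `Q33` are barbed but not ground bisimilar, and composing `P39` and `Q39` with `SEND` breaks their ground bisimilarity.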
Nonetheless, ground bisimilarity is preserved, just like in the π-calculus, by the remaining operators.

LEMMA 3.10. The relation $\sim_g$ is preserved by the restriction, prefixing and choice operators.

We now introduce the notions of late and early bisimilarity, which differ in their treatment of name instantiation for input actions. The definitions of these notions are standard. In late bisimilarity we require that the derivative of a process simulates the derivative of the other process (and vice versa) for all possible instantiations of the bound parameter. It is called late because the choice of the name instantiation is made after the choice of the derivative.
DEFINITION 3.11. Late bisimilarity
Let $u = x_1 \cdot \ldots \cdot x_k$ where $k \in \mathbb{N}$.
1. A binary symmetric relation $S$ is a late bisimulation if $P\,S\,Q$ implies:
 - if $P \xrightarrow{\alpha} P'$ where $\alpha = \overline{u}\langle y\rangle$, $\overline{u}(y)$ or $\tau$ and $bn(\alpha) \cap fn(P,Q) = \emptyset$ then there is a $Q'$ such that $Q \xrightarrow{\alpha} Q'$ and $P'\,S\,Q'$.
 - if $P \xrightarrow{u(y)} P'$ where $y \notin fn(P,Q)$ then there is a $Q'$ such that $Q \xrightarrow{u(y)} Q'$ and for each $w$, $P'\{w/y\}\,S\,Q'\{w/y\}$.
2. Two processes $P$ and $Q$ are late bisimilar if $P\,S\,Q$ for some late bisimulation $S$.
3. Late bisimilarity, written $\sim_l$, is the largest late bisimulation.

In early bisimilarity we require that under the same possible name instantiation there is a derivative of each of the processes that simulates the other and vice versa. It is named early because the choice of the name instantiation is made before the choice of the derivative.
DEFINITION 3.12. Early bisimilarity
Let $u = x_1 \cdot \ldots \cdot x_k$ where $k \in \mathbb{N}$.
1. A binary symmetric relation $S$ is an early bisimulation if $P\,S\,Q$ implies:
 - if $P \xrightarrow{\alpha} P'$ where $\alpha = \overline{u}\langle y\rangle$, $\overline{u}(y)$ or $\tau$ and $bn(\alpha) \cap fn(P,Q) = \emptyset$ then there is a $Q'$ such that $Q \xrightarrow{\alpha} Q'$ and $P'\,S\,Q'$.
 - if $P \xrightarrow{u(y)} P'$ where $y \notin fn(P,Q)$ then for each $w$ there is a $Q'$ such that $Q \xrightarrow{u(y)} Q'$ and $P'\{w/y\}\,S\,Q'\{w/y\}$.
2. Two processes $P$ and $Q$ are early bisimilar if $P\,S\,Q$ for some early bisimulation $S$.
3. Early bisimilarity, written $\sim_e$, is the largest early bisimulation.

Similarly to what happens in the π-calculus, in the π-calculus with polyadic synchronization both late and early bisimilarity are not preserved by input prefixing, but are preserved by all other operators.
PROPOSITION 3.13. The relations $\sim_l$ and $\sim_e$ are preserved by all operators except input prefixing.

Moreover, as in the original π-calculus, congruences for late and early bisimilarity, $\simeq_l$ and $\simeq_e$, are obtained by closing the equivalences under all name substitutions [MPW92]. The relations between late bisimilarity and late congruence, and between early bisimilarity and early congruence, are shown in the following proposition.

PROPOSITION 3.14. $\simeq_l \subset \sim_l$ and $\simeq_e \subset \sim_e$.

The notion of open bisimilarity was introduced by Sangiorgi and proved to be a congruence relation in the π-calculus [San96]. That is also the case here: in epi, open bisimilarity is a congruence.
DEFINITION 3.15. Open bisimilarity
1. A binary symmetric relation $S$ is an open bisimulation if $P\,S\,Q$ implies, for every substitution $\sigma$: if $P\sigma \xrightarrow{\alpha} P'$ where $bn(\alpha) \cap fn(P\sigma, Q\sigma) = \emptyset$ then there is a $Q'$ such that $Q\sigma \xrightarrow{\alpha} Q'$ and $P'\,S\,Q'$.
2. Two processes $P$ and $Q$ are open bisimilar if $P\,S\,Q$ for some open bisimulation $S$.
3. Open bisimilarity, written $\sim_o$, is the largest open bisimulation.

As expected, open bisimilarity is a congruence.
PROPOSITION 3.16. The relation $\sim_o$ is preserved by all operators.

Thus the congruence properties appear to stem directly from those of the π-calculus. However, ground bisimilarity is a full congruence in the asynchronous π-calculus without match [San00] (and a similar result holds for late and for early bisimilarity [HHK95]), but this result does not hold if we consider the asynchronous π-calculus with polyadic synchronization, as seen in Example 3.9. Matching does not need to be considered as a primitive in the π-calculus with polyadic synchronization (synchronous or asynchronous) since it can be derived. Therefore, ground, late and early bisimilarities are not congruences in the asynchronous π-calculus with polyadic synchronisation (without match).
We now analyze the relationships between the bisimilarity relations previously defined and present a general diagram that summarizes these results in Corollary 3.20. The results and proofs are similar to those presented for the π-calculus [MPW92, Qua99]. The largest open bisimulation is itself a late bisimulation, and it is also included in late congruence.

PROPOSITION 3.17. $\sim_o \subset \sim_l$ and $\sim_o \subset \simeq_l$.

Late bisimilarity is itself an early bisimulation, although the reverse does not hold. The same result holds if we consider the notions of late and early congruence instead of late and early bisimilarity.

PROPOSITION 3.18. $\sim_l \subset \sim_e$ and $\simeq_l \subset \simeq_e$.

Our last result shows that if two processes are early bisimilar then they are also ground bisimilar, although the reverse does not hold.

PROPOSITION 3.19. $\sim_e \subset \sim_g$.

We now summarize the results presented in the following diagram, where → stands for strict inclusion ⊂.

COROLLARY 3.20.

  ∼o → ∼l → ∼e → ∼g
   ↓    ↑    ↑
  ≃l → ≃e

Sangiorgi obtained an alternative characterization of barbed equivalence by proving that it coincides with early bisimilarity [San92]. We extend that result to the π-calculus with polyadic synchronisation, completing the behavioral theory.

THEOREM 3.21. $\sim_e = \sim_{beq}$

COROLLARY 3.22. $\simeq_e = \simeq_b$