arX

iv:1

212.

4669

v1 [

cs.L

O]

19 D

ec 2

012 Communication, and concurrency with logic-based

restriction inside a calculus of structuresLuca Roversi

Università di Torino — Dipartimento di Informatica∗

Abstract

It is well known that we can use structural proof theory to refine, or generalize, exist-ing paradigmatic computational primitives, or to discovernew ones. Under such a pointof view we keep developing a programme whose goal is establishing a correspondencebetween proof-search of a logical system and computations in a process algebra. We givea purely logical account of a process algebra operation which strictly includes the be-havior of restriction on actions we find in MilnerCCS. This is possible inside a logicalsystem in the Calculus of Structures of Deep Inference endowed with a self-dual quanti-fier. Using proof-search of cut-free proofs of such a logicalsystem we show how to solvereachability problems in a process algebra that subsumes a significant fragment of MilnerCCS.

1 Introduction

This is a work in structural proof-theory which builds on [1,4, 5, 6]. Broadly speaking we aimat using structural proof theory to study primitives of paradigmatic programming languages,and to give evidence that some are the natural ones, while others, which we might be usedto think of as “given once for all”, can, in fact, be refined or generalized. In our case thismeans to keep developing the programme in [1] whose goal is establishing a correspondencebetween proof-search of a logical system, and computationsin a process algebra. From [1],we already know that both (i) sequential composition of Milner CCS [3] gets modeled bythe non commutative logical operatorSeq of BV [2], which is the paradigmatic calculus ofstructures in Deep Inference, and (ii) parallel composition of MilnerCCS gets modeled by thecommutative logical operatorPar of BV so that communication becomes logical annihilation.This is done under a logic-programming analogy. It says thatthe terms of a calculusC —which is a fragment of MilnerCCS in the case of [1] — correspond to formulas of a logicalsystemL — which is BV in the case of [1] —, and that computations insideC recast tosearching cut-free proofs inL , as summarized in (1) here below.

Paradigmatic calculusC Logical systemL

term formulastep of computation logical rule

computation searching a cut-free proof

(1)

∗E-mail: luca.roversi@unito.it

1

Contributions. We show that in (1) we can takeBVQ [4, 5, 6] for L , andCCSspq forC . The systemBVQ extendsBV with a self-dual quantifier, whileCCSspq is introducedby this work (Section 6). The distinguishing aspect ofCCSspq is its operational semanticswhich subsumes the one of the fragment of MilnerCCS that contains sequential, parallel, andrestriction operators, and which we identify asCCSspr. Specifically, the self-dual quantifierof CCSspq allows to relax the operational semantics of the restriction operator inCCSspr

without getting to an inconsistent calculus of processes. This is a direct consequence of (theanalogous of) the a cut-elimination property forBVQ [4, 5, 6].

The main step that allows to takeBVQ for L , andCCSspq for C is proving Soundnessof BVQ with respect toCCSspq (Section 8). The following example helps explaining whatSoundness amounts to. Let us suppose we want to observe what the following judgmentdescribes:

((a.b.E) | (a.F))|ab

(E | F)|a (2)

The processa.b.E can perform actionsa, andb, in this order, before enteringE. The otherprocess can performa before enteringF. In particular,a.b.E, anda.F internally communicatewhen simultaneously firinga, anda. In any case, firing ona, or a, would remain privatebecause of the outermost restriction· |a which hides botha, anda to the environment1. Theactionb is always observable becauseb differs froma. Of course, we might describe one ofthe possible dynamic evolutions of (2) thanks to a suitable labeled transition system able todevelop a derivation like (3):

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.b.Ea

b.E

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.Fa

F−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(a.b.E) | (a.F)ǫ

(b.E) | F−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− ǫ.a((a.b.E) | (a.F))|a

ǫ((b.E) | F)|a

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.Eb

E−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(b.E) | Fb

E | F−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−b.a((b.E) | F)|a

b(E | F)|a

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

((a.b.E) | (a.F))|aǫ;b≅ b

(E | F)|a

(3)

Soundness says that instead of rewritinga.b.E to a.F, as in (3), we can (i) compile the whole

judgment((a.b.E) | a.F)|ab

(E | F)|a to a structure, sayR, of BVQ, and (ii) search for acut-free proof, sayP of R, and (iii) if P exists, then Soundness assures that (2) holds. So,

in general, Soundness recasts the reachability problem “Isit true thatEα−→ F” to a problem

of proof search. Noticeably, the Soundness we prove poses weaker constraints on the formof F than those ones we find in Soundness of [1]. Specifically, onlythe silent process0can be the target of the reachability problem in [1]. Here,F can belong to the set ofsimpleprocesseswhich contains0. Intuitively, every simple process different from0 is normal withrespect to internal communication, but is alive if we consider the external ones. Finally, froma technical standing point, our proof of Soundness in neatlydecomposed in steps that makesit reusable for further extensions of bothBVQ, andCCSspr.

Road map. Section 2 recallsBVQ and its symmetric versionSBVQ mainly from [6]. Sec-tion 3 is about two proof-theoretical properties ofBVQ which were not proved in [4, 5, 6]but which Soundness relies on. The first one says that everyTensor-free derivations ofBVQhas at least correspondingstandardone. The second one supplies sufficient conditions for a

1We write something related to MilnerCCS. Indeed, hiding botha, anda in Milner CCS is · |{a,a}.

2

structure ofBVQ to be invertible, somewhat internalizing derivability ofBVQ. Section 5 hasthe pedagogical aim of showing, with many examples, why the derivations ofBVQ embodya computational meaning. Section 6 introducesCCSspq, namely the process calculus thatBVQ embodies. Section 7 first formalizes the connections between BVQ, andCCSspq. Thenit shows how computations inside the labeled transition system of CCSspq recast to proof-search insideBVQ, justifying the need to prove Soundness. Section 8 proves Soundness,starting with a pedagogical overview of what proving it means. Section 9 points to futurework, mainly focused onCCSspq.

2 Recalling the systemsSBVQ and BVQ

We briefly recallSBVQ, andBVQ from [6].

Structures. Let a, b, c, . . . denote the elements of a countable set ofpositive propositionalvariables. Let a, b, c, . . . denote the elements of a countable set ofnegative propositionalvariables. The set ofnames, which we range over byl,m, andn, contains both positive, andnegative propositional variables, and nothing else. Let◦ be a constant, different from anyname, which we callunit. The set ofatomscontains both names and the unit, while the setof structuresidentifies formulas ofSBV. Structures belong to the language of the grammarin (4).

R ::= ◦ | l | R | (R� R) | 〈R ⊳ R〉 | [RO R] | ⌈R⌋a (4)

We useR,T,U,V to range over structures, in whichR is aNot, (R� T) is aCoPar, 〈R ⊳ T〉 isaSeq, [RO T] is aPar, and⌈R⌋a is a self-dual quantifierSdq, which comes with the provisothat a must be a positive atom. Namely,⌈R⌋a is not in the syntax.Sdq induces obviousnotions offree, andbound names[6].

Size of the structures. Thesize|R| of R is the number of occurrences of atoms inR plusthe number of occurrences ofSdq that effectively bind an atom. For example,|[a O a]| =|⌈[a O a]⌋b| = 2, while |⌈[a O a]⌋a| = 3.

(Structure) Contexts. We denote them byS{ }. A context is a structure with a singlehole { } in it. If S{R}, thenR is asubstructureof S. We shall tend to shortenS{[RO U]} asS[RO U] when [RO U] fills the hole{ } of S{ } exactly.

Congruence≈ on structures. Structures are partitioned by the smallest congruence≈ weobtain as reflexive, symmetric, transitive and contextual closure of the relation∼whose defin-ing clauses are (5), through (21) here below.

3

Negation

◦ ∼ ◦ (5)

R ∼ R (6)

[RO T] ∼ (R� T) (7)

(R� T) ∼ [RO T] (8)

〈R ⊳ T〉 ∼ 〈R ⊳ T〉 (9)

⌈R⌋a ∼ ⌈R⌋a (10)

Symmetry

[RO T] ∼ [T O R] (11)

(R� T) ∼ (T � R) (12)

Associativity

(R� (T � V)) ∼ ((R� T) � V) (13)

〈R ⊳ 〈T ⊳ V〉〉 ∼ 〈〈R ⊳ T〉 ⊳ V〉 (14)

[RO [T O V]] ∼ [[RO T] O V] (15)

Unit

(◦ � R) ∼ R (16)

〈◦ ⊳R〉 ∼ 〈R ⊳ ◦〉 ∼ R (17)

[◦ O R] ∼ R (18)

α-rule

⌈R⌋a ∼ R if a < fn(R) (19)

⌈R{a/b}⌋a ∼ ⌈R⌋b if a < fn(R) (20)

⌈⌈R⌋b⌋a ∼ ⌈⌈R⌋a⌋b (21)

Contextual closuremeans thatS{R} ≈ S{T} wheneverR ≈ T. Thanks to (21), we abbre-viate ⌈· · · ⌈R⌋a1 · · ·⌋an as⌈R⌋~a, where we may also interpret~a as one of the permutations ofa1, . . . , an.

Canonical structures. We inspire to the normal forms of [2] to define structures incanon-icalform insideSBVQ. Canonical structures will be used to define environment structures(Section 7, page 14.) A structureR is canonicalwhen either it is the unit◦, or the followingfour conditions hold: (i) the only negated structures appearing in Rare negative propositionalvariables, (ii) no unit◦ appears inR, but at least one name occurs in it, (iii) the nesting ofoccurrences ofPar, Tensor, Seq, andSdq build a right-recursive syntax tree ofR, and (iv)no occurrences ofSdq can be eliminated fromR, while maintaining the equivalence.

Example 2.1 (Canonical structures) The structure [(a � b) O ⌈c⌋c] is not canonical, but it isequivalent to the canonical one [a O (b � ⌈c⌋c)] whose syntax tree is right-recursive. Othernon canonical structures are[a O (◦ � b)], and ([a O (◦ � b)] � 〈◦ ⊳ b〉), and [a O (b � ⌈c⌋d)].The first two are equivalent to (a � b) which, instead, is canonical. Finally, also [a O ◦] is notcanonical, equivalent to the canonical onea.

Fact 2.2 (Normalization to canonical structures) Given a structureR: (i) negations can moveinward to atoms, and, possibly, disappear, thanks to (5), . .. , (10), (ii) units can be removedthanks to (16), . . . , (18), and (iii) brackets can move rightward by (13), . . . , (15).

So, for everyRwe can take the equivalent canonical structure which is either◦, or differ-ent from◦.

The systemSBVQ. It contains the set of inference rules in (22) here below. Every rule has

formT

ρ −−−−R

, nameρ, premise T, andconclusion R.

4

◦ai↓ −−−−−−−−−−−−−−−−−−

[a O a]

(a � a)ai↑ −−−−−−−−−−−−−−−−−−

◦

〈[RO U] ⊳ [T O V]〉q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[〈R ⊳ T〉 O 〈U ⊳ V〉]

([RO T] � U)s −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−[(R� U) O T]

(〈R ⊳ T〉 � 〈U ⊳ V〉)q↑ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−〈(R� U) ⊳ (T � V)〉

⌈[RO U]⌋au↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈R⌋a O ⌈U⌋a]

(⌈R⌋a � ⌈U⌋a)u↑ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−⌈(R� U)⌋a

(22)

Derivations vs. proofs. A derivation in SBVQ is either a structure or an instance of theabove rules or a sequence of two derivations. BothD , andE will range over derivations. Thetopmost structure in a derivation is itspremise. The bottommost is itsconclusion. Thelength|D | of a derivationD is the number of rule instances inD . A derivationD of a structureR in

SBVQ from a structureT in SBVQ, only using a subsetB ⊆ SBVQ isT

D∥

∥

∥

∥

∥

∥

∥B

R. The equivalent

space-savingform isD : T ⊢B R. The derivationT

D

∥

∥

∥

∥

∥

∥

∥B

Ris aproof wheneverT ≈ ◦. We denote it

as◦

P

∥

∥

∥

∥

∥

∥

∥B

R, or

−P

∥

∥

∥

∥

∥

∥

∥B

R , orP : ⊢B R. BothP, andQ will range over proofs. In general, we shall drop

B when clear from the context. In a derivation, we writeT

ρ1,...,ρm,n1,...,np ====

R, whenever we use

the rulesρ1, . . . , ρm to deriveR from T with the help ofn1, . . . , np instances of (5), . . . , (12).To avoid cluttering derivations, whenever possible, we shall tend to omit the use of negationaxioms (5), . . . , (10), associativity axioms (13), (14), (15), and symmetry aximos (11), (12).This means we avoid writing all brackets, as in [RO [T O U]], in favor of [RO T O U], forexample. Finally if, for example,q > 1 instances of some axiom (n) of (5), . . . , (21) occursamongn1, . . . , np, then we write (n)q.

Up and down fragments of SBVQ. The set{ai↓, s, q↓, u↓} is thedown fragmentBVQ ofSBVQ. Theup fragmentis {ai↑, s, q↑, u↑}. Sos belongs to both.

Corollary 2.3 ([5, 6]) The up-fragment{ai↑, q↑, u↑} of SBVQ is admissible forBVQ. Thismeans that we can transform any proofP : ⊢SBVQ R into a proofQ : ⊢BVQ R free of everyoccurrence of rules that belong to the up-fragment ofSBVQ.

Remark 2.4 Thanks to Corollary 2.3, we shall always focus on the up-fragmentBVQ ofSBVQ.

3 Standardization inside a fragment ofBVQ

Taken a derivationD of BVQ, standardization reorganizesD into another derivationE withthe same premise, and conclusion, asD . The order of application of the instances ofai↓ inE satisfies a specific, given constraint which some examples illustrate. Standardization inBVQ is one of the properties we need to recast reachability problems in a suitable calculus ofcommunicating, and concurrent processes, to proof-searchinside (a fragment) ofBVQ.

Example 3.1 (Standard derivations ofBVQ) Both (23), and (24) here below are standardderivations of the same conclusion [〈a ⊳ R〉 O 〈b ⊳ T〉 O 〈a ⊳ b〉] from the same premise [RO T].

5

[RO T]ai↓,(17),(18)==================================================================================================================

[RO 〈[b O b] ⊳ [◦O T]〉]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[RO 〈b ⊳ ◦〉O 〈b ⊳ T〉](17)=====================================================================================================

[RO b O 〈b ⊳ T〉]ai↓ ==========================================================================================================================================

[〈[a O a] ⊳ [RO b]〉O 〈b ⊳ T〉]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[〈a ⊳ R〉O 〈b ⊳ T〉O 〈a ⊳ b〉]

(23)

[RO T](17)2 ================================================================================〈◦ ⊳ 〈◦ ⊳ [RO T]〉〉

ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−〈◦ ⊳ 〈[b O b] ⊳ [RO T]〉〉

ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−〈[a O a] ⊳ 〈[b O b] ⊳ [RO T]〉〉

(18)==============================================================================================================================================================〈[a O a] ⊳ 〈[◦O b O b] ⊳ [RO T]〉〉

q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−〈[a O a] ⊳ [〈◦ ⊳ R〉O 〈[b O b] ⊳ T〉]〉

(17)=================================================================================================================================================================〈[a O a] ⊳ [RO 〈[b O b] ⊳ T〉]〉

(18)2 ===================================================================================================================================================================================================〈[[a O a] O ◦] ⊳ [RO 〈[b O b] ⊳ [◦ O T]〉]〉

q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−〈[[a O a] O ◦] ⊳ [RO 〈b ⊳ ◦〉O 〈b ⊳ T〉]〉

(17)======================================================================================================================================================================================

〈[a O a O ◦] ⊳ [RO b O 〈b ⊳ T〉]〉q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[〈[a O a] ⊳ [RO b]〉O 〈◦ ⊳ 〈b ⊳ T〉〉](17)=================================================================================================================================================================

[〈[a O a] ⊳ [RO b]〉O 〈b ⊳ T〉]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[〈a ⊳ R〉O 〈b ⊳ T〉O 〈a ⊳ b〉]

(24)

They are standard because every occurrence ofai↓ does not appear to the right-hand sideofan instance ofSeq.

Remark 3.2 (Proof-thoeretical meaning of standardization) Standardization says that (i) anyof the structures insideR, andT of 〈R ⊳ T〉 will never interact, and (ii) all the interactions in-sideR must occur before the interactions insideT.

Our goal is to show that we can transform asufficiently largeset of derivations inBVQ intostandard ones. We start by supplying the main definitions.

Right-contexts. We rephrase, inductively, and extend toBVQ the namesake definition in[1]. The following grammar generatesright-contextswhich we denote asS{ }x.

S{ }x ::= { } | (S′{ }x � R) | [S′{ }x O R] | 〈S′{ }x ⊳R〉

| (R� S′{ }x) | [RO S′{ }x] | ⌈S′{ }x⌋a(25)

Example 3.3 (Right-contexts) A right-context is [a O ⌈[b O 〈{ } ⊳ c ⊳ d〉]⌋c].Instead, [a O ⌈[b O 〈c ⊳ { } ⊳ d〉]⌋c] is not.

Left atomic interaction. Recalling it from [1], theleft atomic interactionis:

S{◦}xat↓x −−−−−−−−−−−−−−−−−−−−−−−−−−

S[a O a]x(26)

Example 3.4 (Some left atomic interaction instances) Let three proofs ofBVQ be given:

◦ai↓ −−−−−−−−−−−−−−−−−−

[b O b](17)================================

〈◦ ⊳ [b O b]〉ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

〈[a O a] ⊳ [b O b]〉

(27)

◦at↓x −−−−−−−−−−−−−−−−−−

[b O b](17)================================

〈◦ ⊳ [b O b]〉at↓x −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

〈[a O a] ⊳ [b O b]〉

(28)

◦at↓x −−−−−−−−−−−−−−−−−−

[a O a](17)================================〈[a O a] ⊳ ◦〉

ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

〈[a O a] ⊳ [b O b]〉

(29)

6

The two occurrences ofai↓ in (27) can correctly be seen as two instances ofat↓x, as outlinedby (28). Instead, the occurrence ofai↓ in (29) cannot be seen as an instance ofat↓x as itoccurs to the right ofSeq, namely in the context〈[a O a] ⊳ { }〉 which is not in (25).

Fact 3.5 By definition, every occurrence ofat↓x is one ofai↓. The vice versa is false.

Standard derivations of BVQ. Let R, andT be structures. A derivationD : T ⊢BVQ Ris standardwhenever all the atomic interactions thatD contains can be labeled asat↓x. Wenotice that nothing forbidsT ≈ ◦.

3.1 Standardization

We reorganize derivations of{at↓x, ai↓, q↓, u↓} ⊂ BVQ which operate onTensor-free struc-turesonly.

Tensor-free structures. By definition,R in BVQ is Tensor-freewhenever it does not con-tain (R1 � · · · � Rn), for anyR1, . . . ,Rn, andn > 1.

Our goal is to prove the following theorem, inspiring to the standardization in [1]:

Theorem 3.6 (Standardization in{at↓x, ai↓, q↓, u↓}) Let T, andRbeTensor-free. For everyD : T ⊢

{at↓x,ai↓,q↓,u↓} R, there is a standard derivationE : T ⊢{at↓x,q↓,u↓} R.

It proof relies on the coming lemmas, and proposition.

Lemma 3.7 (Existence ofat↓x) The topmost instance ofai↓ in a proofP : ⊢BVQ R is alwaysan instance ofat↓x.

Proof Let P be

−Q

∥

∥

∥

∥

∥

∥

∥{at↓x,q↓,u↓}

S{◦}ai↓• −−−−−−−−−−−−−−−−−

S[a O a]∥

∥

∥

∥

∥

∥

∥BVQ

R

with ai↓• its topmost instance ofai↓ which cannot be

relabeled asat↓x. By contraction, let us assumeS{ } be a non right-context, namelyS{ } ≈S′〈T ⊳ S′′{ }〉 for someS′{ },S′′{ }, andT such thatT 0 ◦. In this case, to let the names of

T, and, may be, those ones ofS′′{◦}, to disappear from

−Q

∥

∥

∥

∥

∥

∥

∥{at↓x,q↓,u↓}

S′〈T ⊳ S′′{◦}〉ai↓• −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′〈T ⊳ S′′[a O a]〉we would have

to apply at least one instance ofai↓ which would occur inQ, against our assumption on theposition ofai↓•.

Lemma 3.8 (Commuting conversions in{at↓x, ai↓, q↓, u↓}) LetR,T, andS{◦} beTensor-free.

Also, letρ ∈ {at↓x, q↓, u↓}. Finally, letD be

Tρ −−−−−−−−−−−−−−−−−−−S[a O a]x

ai↓• −−−−−−−−−−−−−−−−−−−R

, whereai↓• is the topmost occur-

rence ofai↓ which is notat↓x. Then, there is

Tai↓∗ −−−−

VD∥

∥

∥

∥

∥

∥

∥{at↓x,ai↓,q↓,u↓}

R

, whereV, and all the structures

of D areTensor-free, andai↓∗ may be an instance ofat↓x.

7

Proof The proof is, first, by cases onρ, and, then, by cases onS[a O a]x. FixedS[a O a]x,the proof is by cases onR which must contain a redex ofai↓, q↓, or u↓, that, afterai↓•, leadsto the chosenS[a O a]x. (Appendix A.)

Proposition 3.9 (One-step standardization in{at↓x, ai↓, q↓, u↓}) Let

TD ′′∥

∥

∥

∥

∥

∥

∥

Vai↓• −−−−

UD ′∥

∥

∥

∥

∥

∥

∥

R

be a derivation in

{at↓x, ai↓, q↓, u↓} such thatai↓• is the topmost instance ofai↓. There exists a derivationE :T ⊢

{at↓x,ai↓,q↓,u↓} R whereai↓• has been eventually moved upward to transform it into aninstance ofat↓x.

Proof Let n be the number of rules inD ′′. If U ≈ S[a O a]x, with [a O a] the redex ofai↓•,thenai↓• is already an instance ofat↓x, and we are done. Otherwise, we can apply Lemma3.8 movingai↓• one step upward, getting toE : T ⊢

{at↓x,ai↓,q↓,u↓} R, whereai↓• is no morethann − 1 rules far fromT. An obvious inductive argument allows to conclude thanks toLemma 3.7.

Proof of Theorem 3.6. Let XD be the set of all instances ofai↓ in D , that can be directlyseen as instances ofat↓x, andYD the set of all other instances ofai↓ in D . If YD = ∅ weare done becauseE is D where every instance ofai↓ in XD , if any, can be directly relabeledasat↓x. Otherwise, let us pick the topmost occurrence ofai↓ in D out of YD , and applyProposition 3.9 to it. We getE : T ⊢

{at↓x,ai↓,q↓,u↓} R, whose setYE is strictly smaller thanYD .An obvious inductive argument allows to conclude.

Standard fragment BVQx of BVQ. After Theorem 3.6 it is sensible definingBVQx as{at↓x, q↓, u↓} ⊂ BVQ whose derivations containTensor-free only structures.

4 Internalizing derivability of BVQ

Roughly, internalizing derivability inBVQ shows when we can “discharge assumptions”. Itis another of the properties we need to recast reachability problems in a suitable calculus ofcommunicating, and concurrent processes, to proof-searchinside (a fragment) ofBVQ. Theinternalization links to the notion of invertible structures.

Invertible, and co-invertible structures. We define them in (30) here below.

T is invertiblewhenever

−

P

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

BVQ

[T O P]implies

T

D

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

BVQ

P

, for everyT, andP (30)

If T is invertible, then, by definition,T is co-invertible.

Remark 4.1 Clearly, definition (30) here above omits the implication “If D : T ⊢BVQ P, thenP : ⊢BVQ [T O P]” on purpose. It always holds becausei↓ is derivable inBVQ. Moreover,our invertible structures inspire to the namesake concept in [8].

8

The following proposition gives sufficient conditions for a structure to be invertible.

Proposition 4.2 (A language of invertible structures) The following grammar (31) gener-ates invertible structures.

T ::= ◦ | [l1 O · · · O ln] | (T � T) | 〈T ⊳ T〉 | ⌈T⌋a

wheren > 0, and, for every 1≤ i, j ≤ n, if i , j thenli , l j(31)

Proof Let P : ⊢BVQ [T O P] be given withT in (31). We reason by induction on|[T O P]|,

and we buildD of (30), proceeding by cases onT. (Details in Appendix B.)

5 Intermezzo

We keep the content of this section at an intuitive level. We describe how structures ofBVQmodel terms in a language whose syntax is not formally identified yet, but which is related tothe one of MilnerCCS.

Example 5.1 (Modeling internal communication insideBVQ) Derivations ofBVQ modelinternal communication if we look at structures ofBVQ as they were terms of MilnerCCS,as in [1]. Let us focus on (32) here below.

[E O F](17)===================================〈◦ ⊳ [E O F]〉

ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−〈[a O a] ⊳ [E O F]〉

q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−[〈a ⊳ E〉 O 〈a ⊳ F〉]

(32)a.E

aE a.F

aF

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.E | a.Fǫ

E | F(33)

The instance ofq↓ moves atomsa, anda, one aside the other, andai↓ annihilates them.Annihilation can be seen as an internal communication between the two components〈a ⊳ E〉,and〈a ⊳ F〉 of the structure [〈a ⊳ E〉 O 〈a ⊳ F〉]. The usual way to formalize such an internalcommunication is (33), derivation that belongs to the labeled transition system of MilnerCCS. The sequential composition of (33) stands forSeq, parallel composition forPar, andbothE, andF in (32) are represented by corresponding processesE, andF in (33).

Example 5.2 (Modeling external communication insideBVQ) Derivations ofBVQ modelexternal communication if we look at structures ofBVQ as they were terms of MilnerCCS,as in [1]. Let us focus on (34) here below.

E(17),(18)==================================

〈◦ ⊳ [E O ◦]〉ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−〈[a O a] ⊳ [E O ◦]〉

(17),q↓ ==================================================[〈a ⊳ E〉 O a]

(34) −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.Ea

E(35)

We look at [〈a ⊳ E〉 O a] as containing two sub-structures with different meaning. The struc-ture〈a ⊳ E〉 corresponds to the processa.E. Instead,a can be seen as an action of the context“around”〈a ⊳ E〉. This means that (32) formalizes MilnerCCS derivation (33).

Remark 5.3 (“Processes”, and “contexts” are first-citizens) The structure [〈a ⊳ E〉 O a] is equiv-alent to [〈a ⊳ E〉 O 〈a ⊳ ◦〉] in (34). This highlights a first difference between modeling the

9

communication by means of (a sub-system of)BVQ, instead than with MilnerCCS. Thislatter constantly separates terms from the contexts they interact with. Instead, the structuresof BVQ make no difference, and represent contexts as first-citizens. Namely, choosing whichstructures are the “real processes”, and which are “contexts” is, somewhat, only matter oftaste. Specifically, in our case, we could have said that〈a ⊳ ◦〉 represents the processa.0,instead than the context.

Example 5.4 (Hiding communication) Derivations inBVQ model hidden communicationsof Milner CCS thanks toSdq. So, we strictly extend the correspondence between a DIsystem and MilnerCCS, as given in [1]. We build on Example 5.2, placing an instanceofSdq around every of the two components of [〈a ⊳ E〉 O a] in (34).

⌈E⌋a(17)=========================⌈〈◦ ⊳ E〉⌋a

ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−⌈〈[a O a] ⊳ E〉⌋a

(17),q↓,(18)==========================================⌈[〈a ⊳ E〉 O a]⌋a

u↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−[⌈〈a ⊳ E〉⌋a O ⌈a⌋a]

(36)a.E

aE

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(a.E)|aǫ

E|a(37)

We can look atSdq, which bindsa, anda as restricting the visibility of the communication.The derivation in the labeled transition system of MilnerCCS that models (36) is (37).

Example 5.5 (More freedom insideBVQ) Inside [〈a ⊳ E〉 O 〈a ⊳ 〈b ⊳ 〈c ⊳ F〉〉〉 O 〈b ⊳ 〈c ⊳ F〉〉],of (38) among others, we can identify the “processes”G1 ≡ 〈a ⊳ E〉, G2 ≡ 〈a ⊳ 〈b ⊳ 〈c ⊳ F〉〉〉,G3 ≡ 〈b ⊳ 〈c ⊳ F〉〉, andG4 ≡ 〈b ⊳ 〈c ⊳ F〉〉:

E(17)=================〈◦ ⊳ E〉

ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−〈[a O a] ⊳ E〉

i↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

〈[a O a] ⊳ [E O 〈b ⊳ 〈c ⊳ F〉〉 O 〈b ⊳ 〈c ⊳ F〉〉]〉(18)======================================================================================================================================

〈[a O a O ◦] ⊳ [E O 〈b ⊳ 〈c ⊳ F〉〉 O 〈b ⊳ 〈c ⊳ F〉〉]〉q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[〈[a O a] ⊳ [E O 〈b ⊳ 〈c ⊳ F〉〉]〉 O 〈◦ ⊳ 〈b ⊳ 〈c ⊳ F〉〉〉](17)=============================================================================================================================================

[〈[a O a] ⊳ [E O 〈b ⊳ 〈c ⊳ F〉〉]〉 O 〈b ⊳ 〈c ⊳ F〉〉]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[〈a ⊳ E〉 O 〈a ⊳ 〈b ⊳ 〈c ⊳ F〉〉〉 O 〈b ⊳ 〈c ⊳ F〉〉]

(38)

The lowermost instance ofq↓ predisposesG1, andG2 to an interaction througha, anda.However, only the instance ofai↓makes the interaction effective. Before that, the instance ofi↓ identifiesG4 as the negation ofG3, and annihilates them in a whole. So, (38) suggests thatmodeling process computations insideBVQ may result more flexible than usual, because itintroduces a notion of “negation of a process” which sounds as a higher-order ingredient ofproof-search-as-computation.

6 Communication, and concurrency with logic restriction

The correspondences Section 5 highlights, justify the introduction of a calculus of processeswhich we identify asCCSspq. Specifically,CCSspq is a calculus of communicating, andconcurrent processes, with a logic-based restriction, whose operational semantics is drivenby the logical behavior ofu↓ rule.

10

Remark 6.1 (CCSspq vs. Milner CCS) It will turn out thatCCSspq is not MilnerCCS [3] .The concluding Section 9 will discuss on this.

Actions on terms of CCSspq. Let a, b, c, . . . denote the elements of a countable set ofnames, and leta, b, c, . . . denote the elements of a countable set ofco-names. The set oflabels, which we range over byl ,m, andn contains both names, and co-names, and nothingelse. Letǫ be thesilent, orperfect action, different from any name, and co-name. The (set of)sequences of actionscontains equivalence classes defined on the language that (39) yields:

s ::= ǫ | l | s | s; s (39)

By definition, the equivalence relation (40) here below induces the congruence≅ on (39).

ǫ ∼ ǫ a ∼ a s; s′ ∼ s; s′ ǫ ; s∼ s (40)

We shall useα, β, andγ to range over the elements in the set of actions sequences.

Processes ofCCSspq. The terms ofCCSspq, i.e. processes, belong to the language of thegrammar (41) here below.

E ::= 0 | l.E | (E | E) | E|a (41)

We useE, F,G, andH to range over processes. Theinactive processis 0, theparallel compo-sition of E, andF is E | F. Thesequential compositionl.E sets the occurrence of theactionprefix l before the occurrence ofE. Logic restriction E|a hides all, and only, the occurrencesof a, anda, insideE, which becomes invisible outsideE.

Size of processes. The size|E| of E is the number of symbols ofE.

Congruence on processes ofCCSspq. We partition the processes ofCCSspq up to thesmallest congruence which, by abusing notation, we keep calling ≅, and which we obtainas reflexive, transitive, and contextual closure of the relation (42) here below.

a ∼ a E | 0 ∼ E E | F ∼ F | E E | (F | G) ∼ (E | F) | G

E|b|a ∼ E|a|b (E{a/b})|b ∼ E|a E|a ∼ E if a < fn(E)(42)

In (42) (i) E{a/b} denotes a standard clash-free substitution ofa for both b, andb in E thatwe can define as usual, and (ii) fn(·) is the set of free-names of a term inCCSspq, whosedefinition, again, is the obvious one. Namely, neithera, nora belong to the set fn(E|a).

Labeled transition system ofCCSspq. Its rules are in (43), and they justify whyCCSspq

is not MilnerCCS.

11

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

l.El

E

El

E′ Fl

F′c −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E | Fǫ

E′ | F′

E | Fα

E′ | F′pi −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− (α ∈ {b,b})

E|b | F|bǫ

E′ |b | F′ |b

E | Fα

E′ | F′pe −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− (α < {b,b})

E|b | F|bα

E′ |b | F′ |b

rfl −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

Eǫ

E

Eα

Fctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E | Gα

F | G

Fα

F′ F′β

G′trn −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

Eα; β

G

(43)

In (43), the rulea implements external communication, by firing the action prefix l, as usual.The rulec implements internal communication, annihilating two complementary actions. Therulespi, andpe allow processes, one aside the other, to communicate, even when both areinside a logic restriction. This is a consequence of the logical nature ofSdq, which bindsnames, and co-names, up to their renaming, indeed. The rulectx leaves processes, one asidethe other, to evolve independently. Finally,rfl makes the relation reflexive.

Example 6.2 (Using the labeled transition system) As a first example, we rewrite ((a.b.E) |a.F)|a to (E | F)|a, observing the actionb, as follows:

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.b.Ea−→ b.E

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.Fa−→ F

c −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(a.b.E) | a.F | 0 ≅ (a.b.E) | a.Fǫ−→ (b.E) | F ≅ (b.E) | F | 0

pe −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− ǫ . a((a.b.E) | a.F)|a ≅ ((a.b.E) | a.F)|a | 0|a

ǫ−→ (b.E | F)|a | 0|a

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.Eb−→ E

ctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.E | F | 0 ≅ b.E | Fb−→ E | F ≅ E | F | 0

pe −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− b . a(b.E | F)|a | 0|a

b−→ (E | F)|a | 0|a ≅ (E | F)|a

trn −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

((a.b.E) | a.F)|aǫ;b≅b

(E | F)|a(44)

As a second example, we show that the labeled transition system (43) allows someinteraction which originates from the logical nature ofSdq. In CCSspq we model that(a.b.E)|a | (a.F)|a reduces to (E | F)|a, observingb, unlike in MilnerCCS:

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.b.Ea

b.E

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.Fa

Fc −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(a.b.E) | a.Fǫ−→ (b.E) | F

pe −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− ǫ . a(a.b.E)|a | (a.F)|a

ǫ−→ (b.E)|a | F|a

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.Eb−→ E

ctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.E | Fb−→ E | F ≅ E | F | 0

pe −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− b . a(b.E)|a | F|a

b−→ (E | F)|a | 0|a ≅ (E | F)|a

trn −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(a.b.E)|a | (a.F)|aǫ;b≅ b

(E | F)|a(45)

Simple processes. They are the last notion we introduce in this section. They are usefulfor technical reasons which Section 8 will make apparent. A processE is asimple processwhenever it satifies two constraints. First,E must belong to the language of (46):

E ::= 0 | l.0 | E | E | E|a (46)

12

Second, ifl1, . . . , ln are all, and only, the action prefixes that occur inE, theni , j impliesli , l j , for everyi, j ∈ {1, . . . , n}.

Example 6.3 (Simple processes) Some are in the following table.

(a.0) | (b.0)

(a.0) | (((a.0) | (c.0))|d | (b.0))|b | (a.0)

(((a.0) | (c.0))|c | (b.0))|b | (a.0)

Both the second, and the third process are simple because they belong to (46), anda, b, c isthe list of their pairwise distinct action prefixes.

Remark 6.4 (Aim, and nature of simple processes) In coming Section 7 we shall intuitivelyshow that simple processes play the role of results of computations when we use derivationsof BVQ to compute what the labeled transition system in (43) can, infact, compute by itself.

7 How computing in CCSspq by means ofBVQ

Given BVQ, andCCSspq we illustrate how transforming questions about the existence ofcomputations ofCCSspq into questions about proof-search inside the standard fragmentBVQxof BVQ. Let E, andF, be two processes ofCCSspq, with F simple. Let us assume we want to

checkEl1;··· ;ln

F . Next we highlight the main steps to answer such a question byansweringa question about proof-search insideBVQ, without resuming to computations in the labeledtransition system ofCCSspq.

To that purpose, this section has two parts. The first one formalizes the notions that makesthe link between processes ofCCSspq, and structures ofBVQ precise. The second part,i.e. Subsection 7.2, delineates the steps to transform one question into the other, eventuallyjustifying also the need to prove the Soundness ofBVQx — not BVQ — w.r.t. CCSspq, inSection 8.

7.1 ConnectingCCSspq, and BVQ

Process structures. They belong to the language of the grammar (47) here below, and,clearly, they areTensor-free:

R ::= ◦ | 〈l ⊳R〉 | [RO R] | ⌈R⌋a (47)

Like at page 4, we range over variable names of process structures byl,m, andn.

Fact 7.1 (Processes correspond to process structures) Processes, and process structures iso-morphically correspond thanks to the following isomorphism, so extending the correspon-dence in [1] amongCCS terms, andBV structures.

L 0M 7→ ◦

L aM 7→ a

L aM 7→ a

L ǫ.E M 7→ 〈◦ ⊳ L E M〉

L l.E M 7→ 〈L l M ⊳ L E M〉

L E | F M 7→ [L E M O L F M]

L E|a M 7→ ⌈L E M⌋a

(48)

13

Environment structures. Let us recall Example (5.2). It shows that representing an ex-ternal communication as a derivation ofBVQ requires to assign a specific meaning to thestructures in the conclusion of the derivation. One structure represents a process. The otherone encodes the labels that model the sequence of messages between the process, and an envi-ronment. So, we need to identify theenvironment structures, namely the set of structures thatcan fairly represent the sequence of messages. By definition, we say that everyenvironmentstructureis acanonicalstructure (page 4) that the following grammar (49) generates:

R ::= ◦ | l | 〈l ⊳R〉 | ⌈〈l ⊳R〉⌋a (49)

If different from◦, we have to think of every environment structure as a list, possibly in thescope of some instance ofSdq, that we can consume from its leftmost component, onward.

Example 7.2 (Environment structures) Let a, a1, a1, b1, b2 0 ◦.

a example (50)

〈a1 ⊳ ⌈〈a1 ⊳ ⌈〈b2 ⊳ b1〉⌋b1〉⌋b2〉 example (51)

〈a1 ⊳ ⌈〈a1 ⊳ ⌈〈b2 ⊳ b1〉⌋b1〉⌋b4〉 counterexample (52)

〈a1 ⊳ ⌈〈◦ ⊳ ⌈〈b2 ⊳ b1〉⌋b1〉⌋b2〉 counterexample (53)

(52) is not an environment structure becauseb4 does not occur in the structure. (53) is not anenvironment structure because◦ occurs in it.

Fact 7.3 (Environment structures map to sequences of actions) The map (54) takes both anenvironment structure, and a set of atoms as arguments. The map transforms a given environ-ment structure to a sequence of actions that may work as a label of transitions in (43).

~◦ �X 7→ ǫ

~l �X 7→ ǫ (l ∈ X)

~l �X 7→ l (l < X)

~⌈R⌋a �X 7→ ~R�X∪{a,a}

~〈P ⊳ R〉 �X 7→ ~P�X; ~R�X(54)

Given an environment structure, the map yields the corresponding sequence, if its secondargument is∅.

Example 7.4 (From an environment structure to actions) Both b1, andb2 are internal ac-tions of~〈a1 ⊳ ⌈〈a1 ⊳ ⌈〈b2 ⊳ b1〉⌋b1〉⌋b2〉 �∅ = a1; a1; ǫ; ǫ ≅ a1; a1 in (51). Intuitively, if a variablenamel that occurs in a structureE belongs toX in ~E �X, thenl gets mapped toǫ. The reasonwhy l is in X is thatl is not a free name ofE.

Trivial derivations. By definition, a derivationD of BVQ is trivial if (i) D only operateson Tensor-free structures, and (ii)D does not contain any occurrence ofai↓. All the othersarenon-trivial derivations.

Example 7.5 (A trivial derivation) It is in (55) here below.

14

⌈〈[a O a] ⊳ 〈[b O b] ⊳ [RO T O ◦]〉〉⌋aq↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

⌈〈[a O a] ⊳ [〈b ⊳ [RO T]〉 O 〈b ⊳ ◦〉]〉⌋a(18),(17)=========================================================================================================

⌈〈[a O a O ◦] ⊳ [〈b ⊳ [RO T]〉 O b]〉⌋aq↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

⌈[〈[a O a] ⊳ 〈b ⊳ [RO T]〉〉 O 〈◦ ⊳ b〉]⌋a(17)=========================================================================================================

⌈[〈[a O a] ⊳ 〈b ⊳ [RO T]〉〉 O b]⌋au↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈〈[a O a] ⊳ 〈b ⊳ [RO T]〉〉⌋a O ⌈b⌋a](18),(19)===========================================================================================================

[⌈〈[a O a] ⊳ 〈[b O ◦] ⊳ [RO T]〉〉⌋a O b]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈〈[a O a] ⊳ [〈b ⊳ R〉 O 〈◦ ⊳ T〉]〉⌋a O b](17)=========================================================================================================

[⌈〈[a O a] ⊳ [〈b ⊳R〉 O T]〉⌋a O b]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈[〈a ⊳ b ⊳R〉 O 〈a ⊳ T〉]⌋a O b]

(55)

Being trivial does not mean without rules. “Trivial” identifies a derivation where no commu-nication, represented by instances ofai↓, occur.

Fact 7.6 (Trivial derivations on process structures are quite simple) Let R, andT be pro-cess structures, andD : T ⊢B R be trivial. ThenB = {q↓, u↓}, and all the instances ofq↓ in

D have form〈l ⊳ [R′ O R′′]〉

q↓ ============================[〈l ⊳R′〉 O R′′]

, or〈R′ ⊳ R′′〉

q↓ ===================[R′ O R′′]

, for someR′,R′′, andl 0 ◦.

Proof By definition, noai↓ can exist inD . Let us assume an instance([RO U] � T)

s −−−−−−−−−−−−−−−−−−−−−−−−−−−−−[(R� T) O U]

exists

in D . SinceD is Tensor-free, it must beT ≈ ◦ and we can eliminate such ans. Let us

assume one instance ofq↓ exists inD . In general it would be〈[l Om] ⊳ [R′ O R′′]〉

q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− (∗)[〈l ⊳ R′〉 O 〈m ⊳ R′′〉]

, for

somel ,m,R′, andR′′. So, let us assume such a (∗) occurs inD with l ,m 0 ◦. In absenceof ai↓, even though we might havel ≈ m, the structure [l O m] could not disappear fromD ,namely fromT. Consequently,T could not be a process structure, against assumption.

Simple structures. This notion strengthens the idea that “trivial” stands for “no interac-tions”. A structureR is asimple structureif it satisfies two constraints. First, it must belongto the language of (56).

R ::= ◦ | l | [RO R] | ⌈R⌋a (56)

Second, ifl1, . . . , ln are all, and only, the variable names that occur inR, theni , j impliesli , l j , for everyi, j ∈ {1, . . . , n}.

Fact 7.7 (Basic properties of simple structures) • Trivially, by definition, simple struc-tures are co-invertible, because every of them is the negation of an invertible structure(Proposition 4.2.)

• Simple structures are the logical counterpart of simple processes, thanks to the isomor-phism (48).

Example 7.8 (Simple structures) The following table shows some instances of simple struc-tures which correspond to the simple processes in Example (6.3).

15

Simple structures

[a O b]

[a O ⌈[⌈[a O c]⌋d O b]⌋b O a]

[⌈[⌈[a O c]⌋c O b]⌋b O a]

Both the second, and the third structures are simple becausebelong to (56), anda, b, c is thelist of their pairwise distinct variable names. All the structures are coinvertiblebecause nega-tion of (a � b), and (a � ⌈(⌈(a � c)⌋d � b)⌋b � a), and (⌈(⌈(a � c)⌋c � b)⌋b � a), respectively,which all are invertible. �

The following fact formalizes that trivial derivations operating on simple structures only,represent computations where only instances ofu↓ occur. In Section 8 this will allow to seethat a trivial derivation on simple structures stands for a process that cannot communicate,neither internally, nor externally.

Fact 7.9 (Trivial derivations on simple structures contain almost norules) For any simpleT, if D : T ⊢B R is trivial, thenB = {u↓}, andR is simple as well.

Proof Fact 7.6 implies that the derivationD only contains instances ofu↓, and of veryspecific instances ofq↓. Both kinds of rules neither erase, nor introduce atoms, or newoccurrences ofSeq in betweenR, andT. Let us assume thatD effectively contains aninstance ofq↓ with reduct〈l ⊳ R′〉, for somel, andR′. Then, the occurrence ofSeq wouldoccur in T, as well, making it not simple, against our assumption. So, no occurrence ofq↓ exists inD . This, of course, does not prevent the existence of〈l ⊳ R′〉 alongD , and, inparticular, insideR. However,u↓ could not eliminate it, and an occurrence ofSeq would beinsideT. In that caseT could not be simple, against assumption. But if no occurrence of〈l ⊳R′〉 is insideD , then our assumptions imply thatR is a simple structure. �

7.2 Recasting labeled transitions to proof-search

Once connectedBVQ, andCCSspq as in the previous subsection, we get back to our initial

reachability problem. Let us assume we want to checkEl1;··· ;ln

F in CCSspq, whereF is asimple process. The following steps recast the problem ofCCSspq into a problem of searchinginsideBVQ:

1. First we “compile” bothE, andF into process structuresL E M, andL F M, whereL F M isforcefully simple. Then, we fix anRsuch that~R�∅ = l1; · · · ; ln.

2. Second, it is sufficient to look forP : ⊢ [L E M O L F M O R] inside BVQ as the up-fragment ofSBVQ is admissible forBVQ (Corollary 2.3 [6].) .

3. Finally, if P of point (2) here above exists, we can concludeEl1;··· ;ln

F in CCSspq.

Point 3 rests on some simple observations. The structureL F M is invertible thanks to Fact 7.7.So, it existsD ′ : L F M ⊢BVQ [L E M O R] where bothL E M, andL F M areTensor-free becausethey are process structures. The same holds forR which is an environment structure. Conse-

quently, every instance ofs in D , if any, can only be([RO U] � ◦)

s −−−−−−−−−−−−−−−−−−−−−−−−−−−−[(R� ◦) O U]

, and it can be erased. This

16

means thatD only contains rules that belong to{ai↓, q↓, u↓}. Standardization (Theorem 3.6),which applies to{at↓x, ai↓, q↓, u↓}, implies we can transformD in BVQ to a standard deriva-tion E of BVQx. The only missing step is in the coming section. It shows thatproof-search inBVQx is sound w.r.t. the computations of the labeled transition system defined forCCSspq.

8 Soundness ofBVQx w.r.t. CCSspq

The goal is proving Soundness whose formal statement is in Theorem (8.9) below. We remarkthat our statement generalizes the one in [1], and our proof pinpoints many of the detailsmissing in [1].

Soundness relies on the notions “reduction of a non-trivialderivation”, and “environmentstructures that are consumed”, and needs some technical lemma.

Reduction of non-trivial, and standard derivations of BVQx. Let R, andT be process

structures. LetD be a non-trivial, and standard derivation

TD′′∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥BVQx

S[◦]xat↓x −−−−−−−−−−−−−−−−−−−−−−−−−− (∗)

S[a O a]x

D′∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥BVQx

R

, where (∗) is the

lowermost occurrence ofat↓x in D . Thereduction ofD is the derivationE of rules ofBVQxthat we get fromD by (i) replacing◦ for all occurrences ofa, anda in D ′ that, eventually,form the redex of (∗), and by (ii) eliminating all the fake instances of rules that the previousstep may have created.

Fact 8.1 (Reduction preserves process structures) Let R, andT be process structures. Forevery non-trivial, and standard derivationD : T ⊢BVQx R, its reductionE : T′ ⊢BVQx R′ issuch that bothR′, andT′ are process structures. Moreover,E may not be non-trivial, namely,noat↓x may remain inE . However, ifE is non-trivial, then it is standard.

Proof The first statement follows from the definition of process structures. If we erase anysub-structure from a given process structure, we still get aprocess structure which, at least,is ◦. Moreover, the lowermost instance ofat↓x disappears, after a reduction. So, if it was theonly one, none remains. Finally, reduction does not alter the order of rules inD .

Fact 8.2 (Preserving right-contexts) Let D be a trivial derivationD : S′{a} ⊢{q↓,u↓} S{a}, for

someS{ },S′{ }, anda.

1. If S{a} is not a right-context, thenS′{a} cannot be a right-context as well.

2. If S′{a} is a right-context, thenS{a} is a right-context as well.

Proof 1. If S{a} is not a right-context, then it has formS{a} ≈ S0 〈R ⊳ S1{a}〉, with R0 ◦,for someS0{ }, andS1{ }. Seq is non commutative. So, going upward inD , there isno hope to transformS0 〈R ⊳ S1{a}〉 into someS′0 〈S

′1{a}

x ⊳ R′〉x where the occurrenceof a in the first structure is the same occurrence asa in the second one. Moreover,[RO T]−−−−−−−−−−−−−−−

〈R ⊳ T〉is not derivable in{q↓, u↓} ⊂ BVQ. So,S0〈R ⊳ S1{a}〉 cannot transform into

someS′0 [R′ O S′1{a}x]x, going upward inD .

2. By contraposition of the previous point (1).

17

Proposition 8.3 (Process structures, trivial derivations, and right-contexts) Let Rbe a pro-cess structure, andD be a trivial derivationD : S[b O b]x ⊢

{q↓,u↓} R, for someS{ }x, b, and

b. Then:

1. R0 ◦, and bothb, b occur in it.

2. The structureR is a right-context for bothb, andb. Namely,R≈ S′{b}x, andR≈ S′′{b}x

for someS′{ }x, andS′′{ }x.

3. R0 S̃′〈α ⊳ S̆′{b}〉, andR0 S̃′′〈α ⊳ S̆′′{b}〉, for anyS̃′{ }, S̃′′{ }, S̆′{ }, andS̆′′{ }.

4. R 0 [S′{b}x O ⌈S′′{b}x⌋b O T], with b ∈ fn(S′{b}x), andR 0 [⌈S′{b}x⌋b O S′′{b}x O T],with b ∈ fn(S′′{b}x), for anyS′{ }x,S′′{ }x, and process structureT.

5. Let~a be a, possibly empty, sequence of names. LetT be a process structure, possiblysuch thatT ≈ ◦. ThenR≈ ⌈[S′{b}x O S′′{b}x O T]⌋~a such that either (i)b ∈ fn(S′{b}x),andb ∈ fn(S′′{b}x), or (ii) b ∈ bn(S′{b}x), andb ∈ bn(S′′{b}x).

6. Let S′{b}x be the one in Point (5) here above. IfE, andF are processes such that

L E M = S′{b}x, andL F M = S′{◦}x, thenEl

F , wherel is ǫ, if b ∈ bn(S′{b}x), andl is b, if b ∈ fn(S′{b}x). The same holds by replacingS′′{ }x for S′{ }x, andb for b.

7. Let S′{b}x, andS′′{b}x be the ones in Point (5) here above. IfE, F,E′, andF′ areprocesses such thatL E M = S′{b}x, L F M = S′′{b}x, L E′ M = S′{◦}x, andL F′ M = S′′{◦}x,

then E | Fǫ

E′ | F′ .

Proof Concerning point (1), since no rule ofD generates atoms bothb, andb must alreadyoccur inR.

Concerning point (2), we start from point (1), and we look atS[b O b]x by first “hiding”b, which givesS0{b}x ≡ S[b O b]x, for someS0 { }

x, and then “hiding”b yielding S1{b}x ≡S[b O b]x, for someS1 { }

x. Then, we apply point (2) of Fact 8.2 toS0{b}x. It implies thatR ≈ S′{b} is a right-context, for someS′{ }. Analogously, point (2) on Fact 8.2 toS1{b}x

implies thatR≈ S′′{b} is a right-context, for someS′′{ }.Point (3), directly follows from point (2).Point (4) holds because, for example,b cannot enter the scope of⌈S′′{b}x⌋b.Point (5) follows from (4).Point (6) holds by proceeding inductively on|E|, and by cases on the form ofS′{ }x, or

S′′{ }x, respectively. (Details, relative toS′{ }x, in Appendix C.)Point (7) holds thanks to points (4), and (6), by proceeding inductively on|E | F |, and by

cases on the form ofS′{ }x, andS′′{ }x. (Details in Appendix D.)

The coming theorem says that the absence of interactions, asin a trivial derivation, mod-els non interacting transitions inside the labeled transition system ofCCSspq. We includeproof details here, and not in an Appendix, because this proof supplies tha simplest technicalaccount of what we shall do for proving soundness.

Theorem 8.4 (Trivial derivations model empty computations in labeled transition system)Let E, andF be processes, withF simple. If D : L F M ⊢BVQ L E M is trivial — beware, not

necessarily inBVQx—, thenEǫ

F .

18

Proof Fact 7.9 implies thatL E M is simple, likeL F M is, and thatD can only contain instancesof u↓, if any rule occurs. We proceed by induction on the numbern of instances ofu↓ in D .

If n = 0, forcefullyL E M ≡ L F M. We conclude byrfl, i.e. Eǫ

E . Otherwise, the lastrule ofD is:

S⌈[L E′ M O L E′′ M]⌋au↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S[⌈L E′ M⌋a O ⌈L E′′ M⌋a]

for some contextS{ }, and processesE′, andE′′, such thatL E M ≈ S[⌈L E′ M⌋a O ⌈L E′′ M⌋a].We can proceed by cases on the form ofS{ }.

• Let S{ } ≈ { }. So,E must beE′|a | E′′|a, and we can write:rfl −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ | E′′ǫ

E′ | E′′ ≅ E′ | E′′ | 0pi −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ |a | E′′ |aǫ

(E′ | E′′)|a | 0|a ≅ (E′ | E′′)|a (E′ | E′′)|aǫ

Ftrn −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ |a | E′′ |aǫ

F

where(E′ | E′′)|aǫ

F holds by induction becauseL F M ⊢{u↓} ⌈[L E′ M O L E′′ M]⌋a is

shorter thanD .

• Let S{ } ≈ [{ } O T]. So, E must beE′|a | E′′|a | F′, with L F′ M = T. The case isanalogous to the previous one, with the proviso that an instance ofctx must precede

the instance ofpi. In particular,(E′ | E′′)|a | F′ǫ

F holds by induction becauseL F M ⊢

{u↓} [⌈[L E′ M O L E′′ M]⌋a O L F′ M] is shorter thanD .

The third caseS{ } ≈ 〈l ⊳ { }〉 that we could obtain by assumingE = l.E′ cannot occurbecauseE would not be simple, against assumptions.

Remark 8.5 (Why do we define simple structures as such?) Theorem 8.4 would not hold ifwe used “process structures” in place of “simple structures”. Let us pretend, for a moment,thatF be any process structure, and not only a simple one, indeed. The bottommost rule inD might well be:

〈L l M ⊳ [L E′ M O L E′′ M]〉q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[L E′ M O 〈L l M ⊳ L E′′ M〉]

for someE′, andE′′, such thatE = E′ | (l.E′′). By induction,l.(E′ | E′′)ǫ

F . However,

in the labeled transition system (43) ofCCSspq we cannot deduceE′ | (l.E′′)ǫl.(E′ | E′′)

wheneverl occurs free inE′. So, as we did in the definition of simple processes, we musteliminate any occurrence ofSeq structure.

Theorem 8.6 (Soundness w.r.t. internal communication) Let E, andF be processes, with

F simple, andE 0 ◦. Let D be the derivation

L F MD′′∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥BVQx

S{◦}xat↓x −−−−−−−−−−−−−−−−−−−−−−−−−− (∗)

S[b O b]x

D′∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥BVQx

L E M

which, besides being standard,

we assume to be non-trivial, and such that (∗) is its lowermost instance ofat↓x. If, for some

processG, the derivationE : L F M ⊢BVQx LG M is the reduction ofD , thenEǫ

G.

Proof The derivationD ′ satisfies the assumptions of Point (2) in Proposition 8.3 whichimplies L E M ≈ S′{b}x, andL E M ≈ S′′{b}x, for someS′{b}x, andS′′{b}x, which must beprocess structures. We proceed on the possible distinct forms thatL E M can assume. Point (7)of Proposition 8.3 will help concluding. (Details in Appendix E.)

19

Environment structures that get consumed. Let T, andU be process structures, andRbe an environment structure. LetD : U ⊢BVQx [T O R] which, since belongs toBVQx, isstandard. We say thatD consumes Rif every atom ofR eventually annihilates with an atomof T thanks to an instance ofat↓x, so that none of them occurs inU.

Example 8.7 (Consuming environment structures) Derivations that consume the environ-ment structure〈a ⊳ b〉 that occurs in their conclusion are (23), and (24). If we consider only apart of (23), as here below, we get a standard derivation thatdoes not consume〈a ⊳ b〉:

[T O 〈b ⊳ U〉 O b]at↓x ====================================================================================

[〈[a O a] ⊳ [T O b]〉 O 〈b ⊳U〉]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[〈a ⊳ T〉 O 〈b ⊳ U〉 O 〈a ⊳ b〉]

(57)

Theorem 8.8 (Soundness w.r.t. external communication) Let E, andF be processes, andRbe an environment structure. LetF be simple, andE 0 ◦. LetD be a non-trivial, and standardderivation that assumes one of the two following forms:

L F MD′′∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥BVQx

S{◦}xat↓x −−−−−−−−−−−−−−−−−−−−−−−−−− (∗)

S[b O b]x

D′∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥BVQx

[L E M O 〈b ⊳ R〉]

or

L F MD′′∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥BVQx

S{◦}xat↓x −−−−−−−−−−−−−−−−−−−−−−−−−− (∗)

S[b O b]x

D′∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥

∥BVQx

[L E M O ⌈〈b ⊳R〉⌋b]

such that (∗) is its lowermost instance ofat↓x, andb in S[b O b] is the same occurrence ofb

as the one in〈b ⊳ R〉. If E : L F M ⊢BVQx [LG M O R] is the reduction ofD , then Eǫ

G if

b ∈ bn(E). Otherwise, ifb ∈ fn(E), thenEb

G.

Proof First, D necessarily consumes〈b ⊳ R〉, or ⌈〈b ⊳ R〉⌋b in either cases. The reason istwofold. BeingL F M a simple structure implies it cannot contain anySeq structure which, in-stead, is one of the operators that can compose〈b ⊳ R〉, or ⌈〈b ⊳ R〉⌋b. Moreover, no occurrenceof b insideRcan annihilate with the first occurrence ofb inside〈b ⊳ R〉, or ⌈〈b ⊳ R〉⌋b.

Second,D ′ satisfies the assumptions of Proposition 8.3. So, its Point (2) applies to[L E M O 〈b ⊳ R〉], and [L E M O ⌈〈b ⊳ R〉⌋b]. Sinceb occurs in〈b ⊳ R〉, for someS′{ }x, it mustbeL E M ≈ S′{b}x in which the occurrence ofb we outline is the one that annihilates the givenb. We proceed on the possible forms thatL E M can assume, in relation with the form ofR.Point (6) of Proposition 8.3 will help concluding. (Detailsin Appendix F.)

Theorem 8.9 (Soundness) Let E, andF be processes withF simple. For every standard

derivationD , and every environment structureR, ifL F MD

∥

∥

∥

∥

∥

∥

∥BVQx

[L E M O R], andD consumesR, then

E~R�∅

F .

Proof As a basic case we assumeL E M ≈ ◦. This means thatE is 0. Moreover, sinceDconsumesR, and no atom exists inL E M to annihilate atoms ofR, we must haveL F M ≈ ◦, i.e.

F ≡ 0, andR≈ ◦. Since0 ǫ 0, thanks torfl, we are done.Instead, ifL E M 0 ◦, in analogy with [1], we proceed by induction on the number ofrules

in D , in relation with the two cases whereR≈ ◦, or R0 ◦.SinceD is non-trivial, and standard, we can focus on its lowermost occurrence (∗) of

at↓x. Let us assume the redex of (∗) be [b O b]. We can have the following cases.

20

• Let R≈ ◦, andE : L F M ⊢BVQ LG M be the reduction ofD .

1. The first case is withE non-trivial. The inductive hypothesis holds onE , and we

get Gǫ=~◦ �∅

F .

2. The second case is withE trivial, so we cannot apply the inductive hypothesis on

E . However, Theorem 8.4 holds onE , and we getGǫ

F .

Finally, bothD , andE satisfy the assumptions of Theorem 8.6, so it impliesEǫ

G,and the statement we are proving holds thanks totrn.

• Let ◦ 0 R ≈ ⌈〈b ⊳ T〉⌋b, for some environment structureT. Let E : L F M ⊢BVQ[LG M O ⌈〈◦ ⊳ T〉⌋b] be the reduction ofD . Since⌈〈◦ ⊳ T〉⌋b is an environment struc-ture, it is canonical, so, necessarily⌈〈◦ ⊳ T〉⌋b ≈ ⌈T⌋b ≈ T becauseb < fn(T). Hence,E : L F M ⊢BVQ [LG M O T]. Moreover, sinceb disappears alongD , we forcefully haveb ∈ bn(L E M).

1. LetE be non-trivial. The inductive hypothesis holds onE , implying G~T �∅

F .

Moreover,D satisfies the assumptions of Theorem 8.8 which impliesEǫ

Galso because, as we said,b ∈ bn(L E M). So, the statement holds because~T �

{b,b} ≅

ǫ; ~T �{b,b} = ~b�{b,b}; ~T �{b,b} = ~⌈〈b ⊳ T〉⌋b �∅, and bytrn we getE

~⌈〈b⊳T〉⌋b �∅F .

2. The second case is withE trivial, so we cannot apply the inductive hypothesis

onE . However, Theorem 8.4 holds onE , and we getGǫ

F , which impliesT ≈ ◦. Indeed, ifT 0 ◦, thenD ′ could not consumeT. The reason is that beingEa trivial derivation, it cannot contain any instance ofai↓. But aD ′ not consumingT, would meanD not consumingR, against assumption. Finally, Theorem 8.8

holds onD , and impliesEǫ

G, because, as we said,b ∈ bn(L E M). So, thestatement holds because~◦ �

{b,b} ≅ ǫ; ~◦ �{b,b} = ~b�{b,b}; ~◦ �{b,b} = ~⌈〈b ⊳ ◦〉⌋b �∅,

and bytrn we getE~⌈〈b⊳◦〉⌋b �∅

F .

We could proceed in the same way when◦ 0 R≈ ⌈〈b ⊳ T〉⌋b.

• Let ◦ 0 R ≈ 〈b ⊳ T〉. Then, bothE : L F M ⊢BVQ [LG M O T], andb ∈ fn(L E M) for thereasons analogous to the ones given in the previous case.

1. The first case is withE non-trivial. The inductive hypothesis holds onE , and

we getG~T �∅

F . Moreover, Theorem 8.8 holds onD , and impliesEb

G,because, as we said,b ∈ fn(L E M). So, the statement holds because~b�∅; ~T �∅ =

~〈b ⊳ T〉 �∅, and bytrn we getE~〈b⊳T〉 �∅

F .

2. The second case is withE trivial, so we cannot apply the inductive hypothesis on

E . However, Theorem 8.4 holds onE , and we getGǫ

F , which impliesT ≈◦ for reasons analogous to the ones given in the previous case.Moreover, Theo-

rem 8.8 holds onD , and impliesEb

G, because, as we said,b ∈ fn(L E M).So, the statement holds because~b�∅ ≅ ~b�∅; ǫ = ~b�∅; ~◦ �∅ = ~〈b ⊳ ◦〉 �∅, and

by trn we getE~〈b⊳◦〉 �∅

F .

We could proceed in the same way when◦ 0 R≈ 〈b ⊳ T〉.

21

8.1 An instance of the proof of Soundness

The derivation (58) is standard.

⌈[L E′ M O L F′ M]⌋aat↓x,(17)=================================================================================

⌈〈[b O b] ⊳ [L E′ M O L F′ M]〉⌋aat↓x,(17),(18)2 ============================================================================================================================ (∗)

⌈〈[a O a] ⊳ 〈[b O b] ⊳ [L E′ M O L F′ M O ◦]〉〉⌋aq↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

⌈〈[a O a] ⊳ [〈b ⊳ [L E′ M O L F′ M]〉 O 〈b ⊳ ◦〉]〉⌋a(18),(17)===============================================================================================================================

⌈〈[a O a O ◦] ⊳ [〈b ⊳ [L E′ M O L F′ M]〉 O b]〉⌋aq↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

⌈[〈[a O a] ⊳ 〈b ⊳ [L E′ M O L F′ M]〉〉 O 〈◦ ⊳ b〉]⌋a(17)===============================================================================================================================

⌈[〈[a O a] ⊳ 〈b ⊳ [L E′ M O L F′ M]〉〉 O b]⌋au↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈〈[a O a] ⊳ 〈b ⊳ [L E′ M O L F′ M]〉〉⌋a O ⌈b⌋a](18),(19)=================================================================================================================================

[⌈〈[a O a] ⊳ 〈[b O ◦] ⊳ [L E′ M O L F′ M]〉〉⌋a O b]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈〈[a O a] ⊳ [〈b ⊳ L E′ M〉 O 〈◦ ⊳ L F′ M〉]〉⌋a O b](17)===============================================================================================================================

[⌈〈[a O a] ⊳ [〈b ⊳ L E′ M〉 O L F′ M]〉⌋a O b]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈[〈a ⊳ b ⊳ L E′ M〉 O 〈a ⊳ L F′ M〉]⌋a O b]

(58)

Hence, (58) is an instance of the assumptionD : L F M ⊢BVQx [L E M O R] in Theorem 8.9

above. The structure⌈[〈a ⊳ b ⊳ L E′ M〉 O 〈a ⊳ L F′ M〉]⌋a in (58) plays the role ofL E M, while bcorresponds toR. Finally ⌈[L E′ M O L F′ M]⌋a plays the role ofL F M, for some processE′,and F′. By definition, E = ((a.b.E′) | (a.F′))|a, and F = (E′ | F′)|a. Once identifiedthe lowermost instance (∗) of at↓x, we replace◦ for all those occurrences of atoms that,eventually, annihilate in (∗). So, (58) becomes the structure (59) which is not a derivationbecause it contains fake instances of rules.

⌈[L E′ M O L F′ M]⌋a=================================================================================

⌈〈[b O b] ⊳ [L E′ M O L F′ M]〉⌋a============================================================================================================================

⌈〈[◦ O ◦] ⊳ 〈[b O b] ⊳ [L E′ M O L F′ M O ◦]〉〉⌋a−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

⌈〈[◦ O ◦] ⊳ [〈b ⊳ [L E′ M O L F′ M]〉 O 〈b ⊳ ◦〉]〉⌋a===============================================================================================================================

⌈〈[◦ O ◦ O ◦] ⊳ [〈b ⊳ [L E′ M O L F′ M]〉 O b]〉⌋a−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

⌈[〈[◦ O ◦] ⊳ 〈b ⊳ [L E′ M O L F′ M]〉〉 O 〈◦ ⊳ b〉]⌋a===============================================================================================================================

⌈[〈[◦ O ◦] ⊳ 〈b ⊳ [L E′ M O L F′ M]〉〉 O b]⌋a−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈〈[◦ O ◦] ⊳ 〈b ⊳ [L E′ M O L F′ M]〉〉⌋a O ⌈b⌋a]=================================================================================================================================

[⌈〈[◦ O ◦] ⊳ 〈[b O ◦] ⊳ [L E′ M O L F′ M]〉〉⌋a O b]−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈〈[◦ O ◦] ⊳ [〈b ⊳ L E′ M〉 O 〈◦ ⊳ L F′ M〉]〉⌋a O b]===============================================================================================================================

[⌈〈[◦ O ◦] ⊳ [〈b ⊳ L E′ M〉 O L F′ M]〉⌋a O b]−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈[〈◦ ⊳ b ⊳ L E′ M〉 O 〈◦ ⊳ L F′ M〉]⌋a O b]

(59)

Removing all the fake rules, we get toE in (60):

22

⌈[L E′ M O L F′ M]⌋aat↓x,(17)=================================================================================

⌈〈[b O b] ⊳ [L E′ M O L F′ M]〉⌋a(18)=============================================================================================

⌈〈[b O b] ⊳ [L E′ M O L F′ M O ◦]〉⌋aq↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

⌈[〈b ⊳ [L E′ M O L F′ M]〉 O 〈b ⊳ ◦〉]⌋a(17)2 ================================================================================================

⌈〈◦ ⊳ [〈b ⊳ [L E′ M O L F′ M]〉 O b]〉⌋aq↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

⌈[〈b ⊳ [L E′ M O L F′ M]〉 O 〈◦ ⊳ b〉]⌋a(17)================================================================================================

⌈[〈b ⊳ [L E′ M O L F′ M]〉 O b]⌋au↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈〈b ⊳ [L E′ M O L F′ M]〉⌋a O ⌈b⌋a](18),(19)==================================================================================================

[⌈〈[b O ◦] ⊳ [L E′ M O L F′ M]〉⌋a O b]q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

[⌈[〈b ⊳ L E′ M〉 O 〈◦ ⊳ L F′ M〉]⌋a O b](17)================================================================================================

[⌈[〈b ⊳ L E′ M〉 O L F′ M]⌋a O b]

(60)

The lowermost instance (∗) of at↓x in (58) has disappeared from (60). The inductive argument

on (60) implies((b.E′) | F′)|ab

(E′ | F′)|a . Since we can prove:

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.b.E′a

b.E′a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

a.F′a

F′c −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(a.b.E′) | (a.F′) | 0 ≅ (a.b.E′) | (a.F′)ǫ

(b.E′) | F′ ≅ (b.E′) | F′ | 0pe −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− ǫ . a

((a.b.E′) | (a.F′))|a ≅ ((a.b.E′) | (a.F′))|a | 0|aǫ

((b.E′) | F′)|a | 0|a ≅ ((b.E′) | F′)|a

(61)

by transitivity, we conclude((a.b.E′) | (a.F′))|ab

(E′ | F′)|a .

9 Final discussion, and future work

This work shows thatBVQ [4, 5, 6], which we can consider as a minimal extension ofBV [2],is expressive enough to model concurrent and communicatingcomputations, as expressed bythe languageCCSspq, whose logic-based restriction con hide actions to the environment inan unusual flexible way, as compared to the restriction of MilnerCCS. The reason why, invarious points, we have kept relatingCCSspq with a fragment of MilnerCCS is twofold.First, we start from the programme of [1], that shows the connections betweenBV and thesmallest meaningful fragment of MilnerCCS. Second, it is evident we can defineBVQ−

as follows. We takeBVQ \ {u↓} and we forbid clauses (19), and (20) on its structures. Sodefined,BVQ− would be very close to the fragment of MilnerCCS, which we have calledCCSspr, and which only contains restriction, and both sequential,and parallel composition.The reason is thatBVQ− could simulate the two standard rules for restriction:

El

E′−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− l < {a,a}E|a

l

E′ |a

El

E′−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− l ∈ {a,a}E|a

ǫE′ |a

but not the rulespi, andpe in (43). However, in fact,Sdq looks much closer to the hid-ing operator (νa)E of π-calculus [7]. Clause (21) “is” (νa)(νb)E ≈ (νb)(νa)E. Clause (19)generalizes (νa)0 ≈ 0. The instance:

⌈[E O F]⌋a(19),u↓ =============================

[⌈E⌋a O F](62)

23

weakly corresponds to scope extrusion (νa)(E | F) ≈ (νa)E | F which holds, in both direc-tions, whenevera is not free inF. We postpone the study of semantics and of the relationbetweenCCSspq, and the corresponding fragment ofπ-calculus, to future work.

Further future work we see as interesting, is about the generalization of Soundness. Webelieve that a version of Soundness where no restriction to simple processes holds. The reasonis twofold. First, thanks to the Splitting theorem ofBVQ [4, 5, 6] it is possible to prove thateveryproof of BVQ can be transformed in a standard proof ofBVQ. So, no need to restrict toTensor-free derivations ofBVQ exists to have standard proofs. Second, the reduction processlooks working on standard proofs as well, and no obstacle seems to exist to the application ofinductive arguments analogous to those ones we have used to prove our current Soundness.

We conclude with a remark on the “missing” Completeness. Ourreaders may have no-ticed the lack of any reference to a Completeness ofBVQ, w.r.t. CCSspq. Completenesswould say thatBVQ has enough derivations to represent any computation in the labeled tran-sition system ofCCSspq. Formally, it would amount to:

Theorem 9.1 (Completeness ofBVQ) For every process structureE, andF, if L E M~R�∅

L F M ,thenD : F ⊢BVQ [E O R].

Ideally, we leave the proof of Theorem (9.1) as an exercise. The systemBVQ is so flexiblethat, proving it complete, amounts to show that every rule ofCCSspq is derivable inBVQ.

References

[1] Paola Bruscoli. A purely logical account of sequentiality in proof search. In Pe-ter J. Stuckey, editor,Logic Programming, 18th International Conference, volume2401 of Lecture Notes in Computer Science, pages 302–316. Springer-Verlag, 2002.http://cs.bath.ac.uk/pb/bvl/bvl.pdf.

[2] Alessio Guglielmi. A system of interaction and structure. ACM Transactions on Compu-tational Logic, 8(1):1–64, 2007.http://cs.bath.ac.uk/ag/p/SystIntStr.pdf.

[3] Robin Milner. Communication and Concurrency. International Series in Computer Sci-ence. Prentice Hall, 1989.

[4] L. Roversi. Linear lambda calculus with explicit substitutions as proof-search in DeepInference.http://arxiv.org/abs/1011.3668. November 2010.

[5] Luca Roversi. Linear Lambda Calculus and Deep Inference. In Luke Ong, editor,TLCA2011 - 10th Typed Lambda Calculi and Applications, Part of RDP’11, volume 6690 ofARCoSS/LNCS, pages 184 – 197. Springer, 2011.

[6] Luca Roversi. Extending a system in the calculus of structures with a self-dual quantifier.Available athttp://arxiv.org/abs/1212.4483. Submitted, Dicember 2012.

[7] Davide Sangiorgi and David Walker.The Pi-Calculus - a theory of mobile processes.Cambridge University Press, 2001.

[8] Lutz Straßburger. System NEL is undecidable. In Ruy De Queiroz,Elaine Pimentel, and Lucília Figueiredo, editors,10th Workshop onLogic, Language, Information and Computation (WoLLIC), volume 84of Electronic Notes in Theoretical Computer Science. Elsevier, 2003.http://www.lix.polytechnique.fr/~lutz/papers/NELundec_wollic03.pdf.

24

A Proof of commuting conversions in{at↓x, ai↓, q↓, u↓}(Lemma 3.8, page 7)

The proof is, first, by cases onρ, and, then, by cases onS[a O a]x. FixedS[a O a]x, the proofis by cases onR which must contain a redex ofai↓, q↓, or u↓, that, afterai↓•, leads to thechosenS[a O a]x.

We start withρ ≡ ai↓.

• Let S[a O a]x ≈ [a O a]. So, [a O ⌈〈a ⊳ [b O b]〉⌋b], and [a O 〈a ⊳ [b O b]〉] are the mostrelevant forms ofR. Others can be [a O 〈a ⊳ ⌈[b O b]⌋b〉], and [[a O a] O ⌈[b O b]⌋b], and〈[a O a] ⊳ [b O b]〉, and〈[a O a] ⊳ ⌈[b O b]⌋b〉.

We fully develop only the first case withR≈ [a O ⌈〈a ⊳ [b O b]〉⌋b]. In it the derivation

◦at↓x −−−−−−−−−−−−−

[a O a]ai↓,(17),(19)==========================================

[a O ⌈〈a ⊳ [b O b]〉⌋b]

transforms to

◦ai↓,(19)===================

⌈[b O b]⌋bat↓x −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−⌈〈[a O a] ⊳ [b O b]〉⌋b

(18),q↓,(18)==========================================

⌈[a O 〈a ⊳ [b O b]〉]⌋b(19),u↓ ==========================================

[a O ⌈〈a ⊳ [b O b]〉⌋b]

.

If, instead,S[a O a]x ≈ [a O 〈a ⊳ [b O b]〉], then no instances ofu↓ are required, but onlyone ofq↓.

• Let S{ } ≈ [S′{ }x O U′].

– If R≈ [S′[a O a]x O S′′[b O b]], with U′ ≈ S′′[b O b], then

[R′ O U′′]at↓x =====================================

[S′[a O a]x O U′′]ai↓ ===================================================

[S′[a O a]x O S′′[b O b]]transforms to

[R′ O U′′]ai↓ ==================================

[R′ O S′′[b O b]]at↓x ===================================================

[S′[a O a]x O S′′[b O b]]

, for someR′, andU′′. ===

– If R ≈ [S′[a O a]x O U′] ≡ [S′′[b O b] O U′], then

[R′ O U′]at↓x ======================================

[S′′′[a O a]x O U′]ai↓ ======================================

[S′′[b O b] O U′]

, for

someS′′′{ }x, which isS′′[b O b] with [b O b] replaced by◦, andR′, transforms to[R′ O U′]

ai↓ ======================================

[S′′′′[b O b] O U′]at↓x ======================================

[S′[a O a]x O U′]

for someS′′′′{ } which isS′[a O a], with [a O a] replaced

by ◦.

• Let S{ } ≈ ⌈S′{ }x⌋c wherec may also coincide toa, or b. This case is analogous tothe last point of the previous case, becauseS′[a O a]x ≡ S′′[b O b], for someS′′{ }.

• Let S{ } ≈ 〈S′{ }x ⊳ U′〉.

– If R≈ 〈S′[a O a]x ⊳ S′′[b O b]〉, with U′ ≈ S′′[b O b], then

〈R′ ⊳ U′′〉at↓x ====================================〈S′[a O a]x ⊳ U′′〉

ai↓ ==================================================

〈S′[a O a]x ⊳ S′′[b O b]〉transforms to

〈R′ ⊳ U′′〉ai↓ =================================

〈R′ ⊳ S′′[b O b]〉at↓x ==================================================

〈S′[a O a]x ⊳ S′′[b O b]〉

, for someR′, andU′′.

– If R ≈ 〈S′[a O a]x ⊳ U′〉 ≡ 〈S′′[b O b] ⊳U′〉, then

〈R′ ⊳ U′〉at↓x =====================================〈S′′′[a O a]x ⊳U′〉

ai↓ =====================================

〈S′′[b O b] ⊳ U′〉

, for some

S′′′{ }x, which is S′′[b O b], with [b O b] replaced by◦, andR′, transforms to

25

〈R′ ⊳ U′〉ai↓ ====================================

〈S′′′′[b O b] ⊳ U′〉at↓x ====================================〈S′[a O a]x ⊳ U′〉

for someS′′′′{ } which is S′[a O a], with [a O a] replaced

by ◦.

Now we focus on the case withρ ≡ q↓.

• LetS{ }x ≈ S′[〈U′ ⊳ S′′{ }〉 O 〈U′′ ⊳ U′′′〉]. ThenR≈ S′[〈U′ ⊳ S′′[a O a]〉 O 〈U′′ ⊳U′′′〉],and

S′〈[U′ O U′′] ⊳ [S′′{◦} O U′′′]〉q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′[〈U′ ⊳ S′′{◦}〉 O 〈U′′ ⊳ U′′′〉]ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′[〈U′ ⊳ S′′[a O a]〉 O 〈U′′ ⊳ U′′′〉]

transforms to

S′〈[U′ O U′′] ⊳ [S′′{◦} O U′′′]〉ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′〈[U′ O U′′] ⊳ [S′′[a O a] O U′′′]〉q↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′[〈U′ ⊳ S′′[a O a]〉 O 〈U′′ ⊳ U′′′〉]

.

• Let S{ }x ≈ S′[〈S′′{ } ⊳U′〉 O 〈U′′ ⊳ U′′′〉]. This case is analogous to the previous one.

Finally, letρ ≡ u↓. Thenu↓ involves the redex ofai↓wheneverS{ }x isS′[⌈S′′{ }⌋a O ⌈U′⌋a]x.

So,R≈ S′[⌈S′′[a O a]⌋a O ⌈U′⌋a], and

S′⌈[S′′{◦} O U′]⌋au↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′[⌈S′′{◦}⌋a O ⌈U′⌋a]ai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′[⌈S′′[a O a]⌋a O ⌈U′⌋a]

transforms to

S′⌈[S′′{◦} O U′]⌋aai↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′⌈[S′′[a O a] O U′]⌋au↓ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

S′[⌈S′′[a O a]⌋a O ⌈U′⌋a]

.

B Proof of A language of invertible structures(proposition 4.2,page 9)

This proof rests on Shallow splitting of [5, 6] whose statement we recall here.

Proposition B.1 (Shallow Splitting) Let R,T, andP be structures, anda be a name, andPbe a proof ofBVQ.

1. If P : ⊢BVQ [〈R ⊳ T〉 O P], then there areD : 〈P1 ⊳ P2〉 ⊢BVQ P, andP1 : ⊢BVQ [RO P1],andP2 : ⊢BVQ [T O P2], for someP1, andP2.

2. If P : ⊢BVQ [(R� T) O P], then there areD : [P1 O P2] ⊢BVQ P, andP1 : ⊢BVQ[RO P1], andP2 : ⊢BVQ [T O P2], for someP1, andP2.

3. LetP : ⊢BVQ [RO P] with R ≈ [l1 O · · · O lm], such thati , j implies li , l j , for everyi, j ∈ {1, . . . ,m}, andm > 0. Then, for every structureR0, andR1, if R ≈ [R0 O R1],there existsD : R1 ⊢BVQ [R0 O P].

4. If P : ⊢ [⌈R⌋a O P], then there areD : ⌈T⌋a ⊢BVQ P, andP ′ : ⊢BVQ [RO T], for someT.

Now, we reason by induction on|[T O P]|, proceeding by cases on the form ofT.As afirst casewe assumeT ≈ ◦, and we cope with a base case. The assumption becomes

P : ⊢ [◦ O P] which is exactly:◦ ≈ ◦

P

∥

∥

∥

∥

∥

∥

∥

[◦ O P] ≈ P

26

As a second casewe assumeT ≈ [a1 O · · · O am], and we cope with another base case.The assumption becomesP : ⊢ [[a1 O · · · O am] O P]. We conclude by Point 3 of ShallowSplitting (Proposition B.1) which implies (a1 � · · · � am) ⊢BVQ P.

As a third casewe assumeT ≈ (R1 � R2). So, the assumption isP : ⊢ [(R1 � R2) O P].Point 2 of Shallow Splitting (Proposition B.1) impliesD : [P1 O P2] ⊢ P, andQ1 : ⊢

[R1 O P1], andQ2 : ⊢ [R2 O P2], for someP1,P2.Both R1, and R2 are invertible, and|[R1 O P1]| < |[(R1 � R2) O P]|, and |[R2 O P2]| <

|[(R1 � R2) O P]|. So, the inductive hypothesis holds onQ1, andQ2. We getE1 : R1 ⊢ P1,andE2 : R2 ⊢ P2. We conclude by:

(R1 � R2)(7) ===================

[R1 O R2]E2

∥

∥

∥

∥

∥

∥

∥

[R1 O P2]E1

∥

∥

∥

∥

∥

∥

∥

[P1 O P2]D∥

∥

∥

∥

∥

∥

∥

P

As a fourth casewe assumeT ≈ ⌈R⌋a such that, without loss of generality,a ∈ bn(⌈R⌋a).So, the assumption isP : ⊢ [⌈R⌋a O P].

Point 4 of Shallow Splitting (Proposition B.1) impliesD : ⌈T⌋a ⊢ P, andQ : ⊢ [RO T],for someT.

Both R invertible, and|[RO T]| < |[⌈R⌋a O P]|, imply the induction holds onQ. We getE : R ⊢ T.

So, we conclude that:⌈R⌋a

(10)========⌈R⌋aE∥

∥

∥

∥

∥

∥

∥

⌈T⌋aD

∥

∥

∥

∥

∥

∥

∥

P

C Proving point (6) of Process structures, trivial derivationsand right-contexts(Proposition 8.3, page 18)

The proof is by induction on the size ofE, proceeding by cases on the form ofS′{ }x, which,by assumption, is a process structure, so it can assume only specific forms.

• The base case isS′{ }x ≈ 〈{ } ⊳ U〉, for someU. So,S′{◦}x ≈ 〈◦ ⊳ U〉 ≈ U. Moreover,L E M = 〈b ⊳ U〉 implies thatE is b.E′ for someE′ such thatL E′ M = U. Since we canprove:

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.E′b

E′

we are done becauseL F M = 〈◦ ⊳ U〉 ≈ U = L E′ M.

A first remark is that we cannot haveS′{ }x ≈ 〈S̆′{ }x ⊳ F〉with S̆′{ }x 0 { }. OtherwiseS′{ }x would not be a process structure.

27

A second remark is thatU ≈ ◦ does not pose any problem. In such a caseE is b.0, and

we can writeb.0 b 0.

• LetS′{ }x ≈ [S̆′{ }x O U]. The assumptionsL E M = [S̆′{b}x O U], andL F M = [S̆′{◦}x O U]imply that E is E′ | E′′, andF is F′ | E′′, for someE′,E′′, andF′ such thatL E′ M =S̆′{b}x, andL F′ M = S̆′{◦}x, andL E′′ M = U. We can prove:

E′l

F′ctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ | E′′l

F′ | E′′

because the premise holds thanks to the inductive hypotheses, also assuring the desiredconstraints onl.

• Let S′{ }x ≈ ⌈S̆′{ }x⌋a. The assumptionsL E M = ⌈S̆′{b}x⌋a, andL F M = ⌈S̆′{◦}x⌋aimply that E is E′|a, andF is F′|a, for someE′, andF′ such thatL E′ M = S̆′{b}x, andL F′ M = S̆′{◦}x. We can prove:

E′l

F′ρ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ |al′

F′ |a

because the premise holds thanks to the inductive argument.Of course we chooseρ,depending ona. If a ≡ b, thenρ must bepi, andl′ ≡ ǫ. Otherwise, ifa . b, thenρmust bepe, andl′ ≡ l.

Point (3) of this Proposition excludes any further case.

D Proving point (7) of Process structures, trivial derivationsand right-contexts(Proposition 8.3, page 18)

The proof is by induction on the size ofE | F, proceeding by cases on the forms ofS′{ }x,andS′′{ }x, which, by assumption, are process structures, so they can assume only specificforms.

• The base case hasS′{ }x ≈ 〈{ } ⊳U′〉, andS′′{ }x ≈ 〈{ } ⊳ U′′〉, for someU′, andU′′

every of which may well be0. So,S′{◦}x ≈ 〈◦ ⊳ U′〉 ≈ U′, andS′′{◦}x ≈ 〈◦ ⊳ U′′〉 ≈U′′. The assumptionsL E M = 〈b ⊳U′〉, andL F M = 〈b ⊳ U′′〉, andL E′ M = 〈◦ ⊳U′〉 ≈ U′,andL F′ M = 〈◦ ⊳ U′′〉 ≈ U′′ imply thatE = b.E′, andF = b.E′. We can write:

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.E′b

E′a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.E′b

E′c −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(b.E′) | (b.F′)ǫ

E′ | F′

We remark that neitherS′{ }x ≈ 〈S̆′{ }x ⊳ U′〉with S̆′{ }x 0 { }, norS′{ }x ≈ 〈S̆′′{ }x ⊳ U′′〉with S̆′′{ }x 0 { }, can hold. Otherwise neitherS′{ }x, nor neitherS′′{ }x could be pro-cess structures.

• Let S′{ }x ≈ [S̆′{ }x O U′]. So, S′{◦}x ≈ [S̆′{◦} O U′]. The assumptionsL E M =[S̆′{b}x O U′], andL E′ M = [S̆′{◦}x O U′] imply that E = G1 | G2, andE′ = G′1 | G2 suchthatLG1 M = S̆′{b}x, andLG′1 M = S̆′{◦}x, andLG2 M = U′.

28

– Let S′′{ }x ≈ [S̆′′{ }x O U′′]. So, S′′{◦}x ≈ [S̆′′{◦} O U′′]. The assumptionsL F M = [S̆′′{b}x O U′′], andL F′ M = [S̆′′{◦}x O U′′] imply that F = H1 | H2, andF′ = H′1 | H2 such thatL H1 M = S̆′′{b}x, andL H′1 M = S̆′′{◦}x, andL H2 M = U′′. Wecan prove:

G1 | H1ǫ

G′1 | H′1

ctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

G1 | H1 | H2ǫ

G′1 | H′1 | H2

ctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

G1 | G2 | H1 | H2ǫ

G′1 | G2 | H′1 | H2

The premise holds thanks to the inductive hypothesis because bothG1 | H1 issmaller thanG1 | G2 | H1 | H2.

– Let S′′{ }x ≈ 〈S̆′′{ }x ⊳ U′′〉 with S̆′′{ }x ≈ { }. OtherwiseS′′{ }x could not bea process structure. So,S′′{◦}x ≈ 〈◦ ⊳U′′〉 ≈ U′′. The assumptionsL F M =

〈b ⊳ U′′〉, andL F′ M = 〈◦ ⊳ U′′〉 ≈ U′′ imply thatF = b.F′. We can prove:

G1 | (b.F′)ǫ

G′1 | F′

ctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

G1 | G2 | (b.F′)ǫ

G′1 | G2 | F′

The premise holds thanks to the inductive hypothesis because G1 | (b.F′) issmaller thanG1 | G2 | (b.F′).

– Let S′′{ }x ≈ ⌈S̆′′{ }x⌋a, for anya. So,S′′{◦}x ≈ ⌈S̆′′{◦}x⌋a. The assumptionsL F M = ⌈S̆′′{b}x⌋a, andL F′ M = ⌈S̆′′{◦}x⌋a imply thatF = H|b, andF′ = H′|b, forsomeH, andH′ such thatL H M = S̆′′{b}x, andL H′ M = S̆′′{◦}x. We can prove:

G1 | (H)|bǫ

G′1 | (H′)|b

ctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

G1 | G2 | (H)|bǫ

G′1 | G2 | (H′)|b

The premise holds thanks to the inductive hypothesis becauseG1 | (H)|b is smallerthanG1 | G2 | (H)|b.

• Let S′{ }x ≈ 〈S̆′{ }x ⊳ U′〉 with S̆′{ } ≈ { }. OtherwiseS′{ }x could not be a processstructure. So,S′{◦}x ≈ 〈◦ ⊳ U′〉 ≈ U′. The assumptionsL E M = 〈b ⊳ U′〉, andL E′ M =〈◦ ⊳ U′〉 ≈ U′′ imply thatE = b.E′.

– We already considered the case withS′′{ }x ≈ [S̆′′{ }x O U′′]. It is enough toswitchS′{ }x andS′′{ }x.

– LettingS′′{ }x ≈ 〈S̆′′{ }x ⊳U′′〉, with S̆′′{ } ≈ { }, otherwiseS′′{ }x could not bea process structure, becomes the base case, we started with.

– Let S′′{ }x ≈ ⌈S̆′′{ }x⌋a, for any a. So, S′′{◦}x ≈ ⌈S̆′′{◦}x⌋a where, thanks to(42), we can always be in a situation such thata is different from every elementin fn(S′{b}x). The assumptionsL F M = ⌈S̆′′{b}x⌋a, andL F′ M = ⌈S̆′′{◦}x⌋a implythat F = H|b, andF′ = H′|b, for someH, andH′ such thatL H M = S̆′′{b}x, andL H′ M = S̆′′{◦}x. We can prove:

b.E′ | Hǫ

E′ | H′ρ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(b.E′)|a | H|aǫ

E′ |a | H′ |a

whereρ can be any betweenpi, andpe. The premise holds thanks to the inductivehypothesis becauseb.E′ | H is smaller than (b.E′)|a | H|a.

29

• Let S′{ }x ≈ ⌈S̆′{ }x⌋a for a givena. So,S′{◦}x ≈ ⌈S̆′{◦}x⌋a. The assumptionsL E M =⌈S̆′{b}x⌋a, andL E′ M = ⌈S̆′{◦}x⌋a imply thatE = G|a, andE′ = G′|a, for someG, andG′

such thatLG M = S̆′{b}x, andLG′ M = S̆′{◦}x.

– We already considered the case withS′′{ }x ≈ [S̆′′{ }x O U′′]. It is enough toswitchS′{ }x andS′′{ }x.

– We already considered the case withS′′{ }x ≈ 〈S̆′′{ }x ⊳ U′′〉. It is enough toswitchS′{ }x andS′′{ }x.

– Let S′′{ }x ≈ ⌈S̆′′{ }x⌋c, for anyc. So, S′′{◦}x ≈ ⌈S̆′′{◦}x⌋c. The assumptionsL F M = ⌈S̆′′{b}x⌋c, andL F′ M = ⌈S̆′′{◦}x⌋c imply that F = H|c, andF′ = H′|c,for someH, andH′ such thatL H M = S̆′′{b}x, andL H′ M = S̆′′{◦}x. We need toconsider the following cases where (i)ρ can bepi, or pe, and (ii) the premise ofall the given derivations exists thanks to the inductive arguments we have used sofar in this proof.

* As a first case leta ≡ c, anda, c . b. We can prove:

G | Hǫ

G′ | H′ρ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

G|a | H|aǫ

G′ |a | H′ |a

We can proceed in the same way also whena, c ≡ b, the derivation becoming:

G | Hǫ

G′ | H′ρ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

G|b | H|bǫ

G′ |b | H′ |b

* As a third case leta ≡ b, andc . b. we can prove:

G{d/b} | H|cǫ

G′{d/b} | H′|cρ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

G|b | H|c ≅ G{d/b}|d | H|c|dǫ

G′{d/b}|d | H′|c|d ≅ G′|b | H′|c

whered neither occurs inG, nor it occurs inH|c so that we can apply (42).

E Proof of Soundness w.r.t. internal communication(Theo-rem 8.6, page 19)

• As a base case, letL E M ≈ [〈b ⊳ L E M′〉 O 〈b ⊳ L E M′′〉], for some processE′, andE′′. So,E is (b.E′) | (b.E′′), andS′{ }x ≈ 〈{ } ⊳ L E′ M〉, andS′′{ }x ≈ 〈{ } ⊳ L E′′ M〉. We can takeG to beE′ | E′′ because [〈◦ ⊳ L E′ M〉 O 〈◦ ⊳ L E′′ M〉] ≈ [L E M′ O L E M′′]. We can write:

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.E′b

E′a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.E′b

E′c −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(b.E′) | (b.E′′)ǫ

E′ | E′′

• Let L E M ≈ [⌈S′{b}x⌋c O ⌈S′′{b}x⌋c O L E′′′ M], for someE′′′, andc. We remark thatc iseither different fromb in both ⌈S′{b}x⌋c, and⌈S′′{b}x⌋c, or it is equal tob in both ofthem. Otherwise, we could not get to the premise ofat↓x in D ′. So,E is E′|c | E′′|c |E′′′, whereL E′ M ≈ S′{b}x, andL E′′ M ≈ S′′{b}x. We can takeG asG′|c | G′′|c | E′′′,

30

becauseLG M ≈ [⌈S′{◦}x⌋c O ⌈S′′{◦}x⌋c O L E′′′ M], with LG′ M ≈ S′{◦}x, andLG′′ M ≈S′′{◦}x. We can write:

E′ | E′′ǫ

G′ | G′′ρ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ |c | E′′ |cǫ

G′|c | G′′|cctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ |c | E′′ |c | E′′′ǫ

G′|c | G′′|c | E′′′

whereρ can bepe, or pi. The premise follows from Point (7) of Proposition 8.3.

• Let L E M ≈ ⌈[S′{b}x O S′′{b}x O L E′′′ M]⌋c, for someE′′′, andc. So, E is (E′ | E′′ |E′′′)|c, whereL E′ M ≈ S′{b}x, andL E′′ M ≈ S′′{b}x. We can takeG as (G′ | G′′ |E′′′)|c, becauseLG M ≈ ⌈[S′{◦}x O S′′{◦}x O L E′′′ M]⌋c, with LG′ M ≈ S′{◦}x, andLG′′ M ≈S′′{◦}x. We can write:

E′ | E′′ǫ

G′ | G′′ctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ | E′′ | 0ǫ

G′ | G′ | 0ρ −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(E′ | E′′ | E′′′)|c ≈ (E′ | E′′ | E′′′)|c | 0|cǫ

(G′ | G′′ | E′′′)|c | 0|c ≈ (G′ | G′′ | E′′′)|c

whereρ can bepe, or pi. The premise follows from Point (7) of Proposition 8.3.

Of course, ifL E M ≈ [S′{b}x O S′′{b}x O L E′′′ M], for someE′′′, we can proceed as hereabove, droppingρ.

Assuming that (∗) is the lowermost instance ofat↓x of D excludes other cases that wouldimpede getting to the premise of (∗) itself in a trivial derivation likeD ′ has to be.

F Proof of Soundness w.r.t. external communication(Theo-rem 8.8, page 20)

We proceed on the possible forms thatL E M can assume, in relation with the form ofR.Point (6) of Proposition 8.3 will help concluding.

First case. We focus onD concluding with [L E M O ⌈〈b ⊳ R〉⌋b]. In the simplest case, Points (3),and (4) of Proposition 8.3 imply that eitherL E M ≈ [⌈S′{b}x⌋b O L E′′ M], or L E M ≈⌈〈b ⊳ L E′′ M〉⌋b, for someE′′, andS′{ }x, such thatb ∈ fn(S′{b}x).

1. Let L E M ≈ ⌈〈b ⊳ L E′′ M〉⌋b. So, E is (b.E′′)|b. We can takeG coinciding toE′′,because⌈〈◦ ⊳ L E′′ M〉⌋b ≈ ⌈L E′′ M⌋b. We can prove:

a −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

b.E′′b

E′′pi −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

(b.E′′)|bǫ

E′′ |b

2. LetL E M ≈ [⌈S′{b}x⌋b O L E′′ M]. So,E is E′|b | E′′ whereL E′ M ≈ S′{b}x. We cantakeG asG′|b | E′′ whereLG′ M ≈ ⌈S′{◦}x⌋b. We can prove:

E′b

G′pi −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ |bǫ

G′ |bctx −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

E′ |b | E′′ǫ

G′ |b | E′′

Point (6) of Proposition 8.3 implies that the premise holds.

31

In fact, the most general situations that Points (3), and (4)of Proposition 8.3 imply are:

L E M ≈ [⌈· · · ⌈S′{b}x⌋am · · ·⌋a1O L E′ M] L E M ≈ ⌈· · · ⌈〈b ⊳ L E′ M〉⌋am · · ·⌋a1

whereai . a j, for every 1≤ i, j ≤ m, andb ≡ ai , for some 1≤ i ≤ m. We can resume tothe situation we have just developed in detail, by rearranging the occurrences ofSdq,thanks to congruence (42).

Second case.Let us assume thatD concludes withR ≈ 〈b ⊳ R′〉. Points (3), and (4) ofProposition 8.3 imply eitherL E M ≈ 〈b ⊳ L E′ M〉, or L E M ≈ [S′{b}x O L E′ M], whereb ∈ fn(S′{b}x). Both combinations are simple sub-cases of the previous ones, justdeveloped in detail.

32