Compositional Reasoning for Probabilistic Finite-State Behaviors

HAL Id: inria-00201100

https://hal.inria.fr/inria-00201100

Submitted on 23 Dec 2007


Compositional Reasoning for Probabilistic Finite-State Behaviors

Yuxin Deng, Catuscia Palamidessi, Jun Pang

To cite this version:

Yuxin Deng, Catuscia Palamidessi, Jun Pang. Compositional Reasoning for Probabilistic Finite-State Behaviors. In Aart Middeldorp, Vincent van Oostrom, Femke van Raamsdonk and Roel C. de Vrijer (eds.), Processes, Terms and Cycles: Steps on the Road to Infinity, Lecture Notes in Computer Science 3838, Springer, pp. 309-337, 2005. doi:10.1007/11601548_17. inria-00201100


Compositional Reasoning for Probabilistic Finite-State Behaviors

Yuxin Deng¹*, Catuscia Palamidessi²**, and Jun Pang²

¹ INRIA Sophia-Antipolis and Université Paris 7, France

² INRIA Futurs and LIX, École Polytechnique, France

Abstract. We study a process algebra which combines both nondeterministic and probabilistic behavior in the style of Segala and Lynch's simple probabilistic automata. We consider strong bisimulation and observational equivalence, and provide complete axiomatizations for a language that includes parallel composition and (guarded) recursion. The presence of the parallel composition introduces various technical difficulties and some restrictions are necessary in order to achieve complete axiomatizations.

1 Introduction

Process algebras, also known as process calculi, are a powerful mathematical model for the specification and verification of concurrent systems. They provide a formal apparatus for representing and reasoning about the behaviors of distributed systems, algorithms and protocols in a compositional way. Some of the most prominent representatives of these formalisms are CCS [27], ACP [8, 6], and CSP [21].

The axiomatic theories of process algebra provide an elegant way for proving properties of systems. Both a system and its desired external behavior can be expressed as process terms. The correctness of the system can then be verified by proving that these two terms are equivalent.

In a process algebra typically there are only a few operators, such as action prefix, summation (nondeterministic choice), recursion and parallel composition.

The latter is particularly important for concurrency, as it allows to specify the structural properties of systems composed of several interacting parts. For example, a typical communication protocol for data transferring involves two agents S and R, representing the sender and the receiver, and two lossy channels K and L between them (see Figure 1). The behavior of each of these four components can be described as a process term in a chosen process algebra, and then they are all put together in parallel to form the complete view of the protocol.

The parallel composition operator captures both the interleaving behaviors and the possible synchronization of the components. The external behavior of the protocol can be specified as a FIFO queue. The equivalence proof between the protocol and its external behavior is established by equational reasoning based on axiomatization, hiding internal behavior, using fairness assumption, and the other feasible methods (see e.g. [9, 17]).

* Supported by the EU project PROFUNDIS.

** Partially supported by the projet Rossignol of the ACI Sécurité Informatique (Ministère de la recherche et nouvelles technologies).

Fig. 1. A communication protocol (components S, K, L and R).

Developing a both complete and sound axiomatization for a chosen bisimulation relation over a process algebra expressing finite-state processes has been a research focus for the process algebra community. This led to a wealth of classical results in the literature. Milner [26, 28] gave complete axiomatizations of both strong bisimilarity and observational equivalence for a core CCS (not containing the parallel composition operator) with both unguarded and guarded recursion.

Bergstra and Klop [10] axiomatized observational equivalence in an alternative way by using an interesting graph rewriting technique. Hennessy and Milner [20] offered a complete equational axiomatization of strong bisimulation over the recursion free fragment of CCS. To deal with parallel composition, they used the so-called expansion law, which is an equation schema with a countably infinite number of instances. Bergstra and Klop [8] gave a finite equational axiomatization of the merge operator (as the parallel composition in CCS) using the auxiliary left merge and communication merge operators. An interesting essay on equational axiomatizations of parallel composition can be found in [2].

Having both recursion and parallel composition in a process algebra complicates the matters to establish a complete axiomatization, mostly because this can give rise to infinite-state systems even with the guardedness condition. For example, let $E$ be the expression $\mu X(a.(X \mid b))$; then we have the infinite transition graph starting from $E$ in Figure 2. Milner pointed out in [28] that in order to have a complete axiomatization for CCS with both recursion and parallel composition, a sufficient condition is that the parallel composition does not occur in the body of any recursive expression.

Fig. 2. The transition graph of $E$ (states $E$, $E \mid b$, $E \mid b \mid b$, ..., with $a$- and $b$-transitions).

In this paper we relax this restriction by requiring, instead, that free variables do not appear in the scope of parallel composition. A similar restriction was adopted, independently, in [5]. In that paper, Baeten and Bravetti considered a generic process algebra of which CCS, CSP and ACP are subalgebras. Finite-stateness is achieved by requiring that recursion variables do not occur in the scope of static operators, which include the parallel composition. Our work and [5] are, in a sense, incomparable, because we consider a probabilistic and nondeterministic framework (as explained in the rest of this introduction) with CCS-like communication, while [5] considers a purely nondeterministic paradigm, but more general than our nondeterministic fragment. The same restriction already appeared in [11], for a nondeterministic process algebra with CSP multiway synchronization.

Recently there has been an increasing interest in the area of formal methods for the specification and analysis of probabilistic behaviors, as exhibited for instance in randomized, distributed and fault-tolerant systems. The notion of probabilistic bisimulation was first introduced by Larsen and Skou [22]. Later many variant behavioural equivalences have been defined for various probabilistic models. A representative model for analyzing probabilistic systems is provided by Segala and Lynch's simple probabilistic automata [30], which take into account both probabilistic and nondeterministic behavior and which have been successfully adopted in the studies of distributed algorithms [24, 29] and practical communication protocols [33]. An axiomatization for the finite sequential fragment of simple probabilistic automata has been provided by Bandini and Segala in [7]. Following this line of research, Deng and Palamidessi [16, 15] have given a sound and complete axiomatization for a larger language, which includes the recursion operator.

In this paper, we improve on [16, 15] by considering also the parallel composition. To our knowledge, it is the first time that an axiomatization for a probabilistic and nondeterministic process algebra with both recursion and parallel operator has been attempted. Similar to the case of classical process algebra, once we have both parallel composition and recursion, the equational axiomatization of strong bisimulation and observational equivalence turns out to be quite complicated to achieve.

To obtain the completeness of the axiomatizations, we develop a probabilistic version of the expansion law to eliminate all occurrences of parallel composition. In order to do that, we heavily rely on the condition that only closed terms are put in parallel (cf. Theorem 3).

Concerning soundness, it turns out to be particularly difficult to prove that strong and weak bisimilarities are closed under the parallel composition operator. Our approach is to manipulate equivalences of distributions on terms. An important property that we exploit in our proofs is Lemma 2, which says that if two distributions are equivalent with respect to an equivalence relation $\mathcal{R}$, then there is a uniform way to extend them so that the resulting distributions in parallel contexts are equivalent with respect to another equivalence relation $\mathcal{R}_|$. It turns out that if $\mathcal{R}$ is instantiated as strong or weak bisimilarity then $\mathcal{R}_|$ is a subset of $\mathcal{R}$, thus $\mathcal{R}_|$ also relates bisimilar expressions.

Structure of the paper. In the next section we briefly recall some basic concepts and definitions about probabilistic distributions. In Section 3, we present the syntax and operational semantics of a probabilistic process calculus. Next, we give the notions of strong and weak behavioral equivalences in Section 4. We provide complete axiomatizations for strong bisimilarity and observational equivalence in Sections 5 and 6 respectively, restricted to guarded expressions in the second case. In Section 7, we conclude and discuss some related work not yet mentioned in the introduction. Detailed proofs of the main propositions in Section 4 are in the Appendix.

2 Preliminaries

Let $S$ be a set. A function $\eta : S \to [0,1]$ is called a discrete probability distribution, or distribution for short, on $S$ if the support of $\eta$, defined as $spt(\eta) = \{x \in S \mid \eta(x) > 0\}$, is finite or countably infinite and $\sum_{x \in S} \eta(x) = 1$. We denote by $\mathcal{P}(S)$ the set of distributions over $S$. If $\eta$ is a distribution with finite support and $V \subseteq spt(\eta)$ we use the set $\{s_i : \eta(s_i)\}_{s_i \in V}$ to enumerate the probability associated with each element of $V$. The constructor $\uplus$ on this kind of sets is defined as follows.

$$\{s_i : p_i\}_{i \in I} \uplus \{s : p\} = \begin{cases} \{s_i : p_i\}_{i \in I \setminus j} \cup \{s_j : (p_j + p)\} & \text{if } s = s_j \text{ for some } j \in I \\ \{s_i : p_i\}_{i \in I} \cup \{s : p\} & \text{otherwise.} \end{cases}$$

$$\{s_i : p_i\}_{i \in I} \uplus \{t_j : p_j\}_{j \in 1..n} = (\{s_i : p_i\}_{i \in I} \uplus \{t_1 : p_1\}) \uplus \{t_j : p_j\}_{j \in 2..n}$$

Given some distributions $\eta_1, \ldots, \eta_n$ on $S$ and some real numbers $r_1, \ldots, r_n \in [0,1]$ with $\sum_{i \in 1..n} r_i = 1$, we define the convex combination $r_1 \eta_1 + \ldots + r_n \eta_n$ of $\eta_1, \ldots, \eta_n$ to be the distribution $\eta$ such that $\eta(s) = \sum_{i \in 1..n} r_i \eta_i(s)$, for each $s \in S$.

A simple probabilistic automaton is a tuple $(S, s, \Sigma, \mathcal{T})$, where $S$ is a set of states, $s \in S$ is a start state, $\Sigma$ is a set of actions, and $\mathcal{T} \subseteq S \times \Sigma \times \mathcal{P}(S)$ is a transition relation. Informally, a simple probabilistic automaton is like an ordinary automaton except that a labeled transition leads to a probabilistic distribution over a set of states instead of a single state. Simple probabilistic automata are used in this paper to give operational semantics of our probabilistic process calculus.

3 Probabilistic process calculus

We assume a countable set of variables, $Var = \{X, Y, \ldots\}$, and a countable set of atomic actions, $\mathcal{A} = \{a, b, \ldots\}$. Given a special action $\tau$ not in $\mathcal{A}$, we let $u, v, \ldots$ range over the set of actions, $Act = \mathcal{A} \cup \bar{\mathcal{A}} \cup \{\tau\}$, and let $\alpha, \beta, \ldots$ range over the set $Var \cup Act$. The class of expressions $\mathcal{E}$ is defined by the following syntax:

$$E, F ::= u.\bigoplus_{i \in 1..n} p_i E_i \;\mid\; \sum_{i \in 1..m} E_i \;\mid\; E \mid F \;\mid\; X \;\mid\; \mu X E$$

Here $\bigoplus_{i \in 1..n} p_i E_i$ stands for a probabilistic choice operator, where the $p_i$'s represent positive probabilities, i.e., they satisfy $p_i \in (0,1]$ and $\sum_{i \in 1..n} p_i = 1$. When $n = 0$ we abbreviate the probabilistic choice as $0$; when $n = 1$ we abbreviate it as $E_1$. Sometimes we are interested in certain branches of the probabilistic choice; in this case we write $\bigoplus_{i \in 1..n} p_i E_i$ as $p_1 E_1 \oplus \ldots \oplus p_n E_n$ or $(\bigoplus_{i \in 1..(n-1)} p_i E_i) \oplus p_n E_n$ where $\bigoplus_{i \in 1..(n-1)} p_i E_i$ abbreviates (with a slight abuse of notation) $p_1 E_1 \oplus \ldots \oplus p_{n-1} E_{n-1}$. The second construction $\sum_{i \in 1..m} E_i$ stands for nondeterministic choice, and occasionally we may write it as $E_1 + \ldots + E_m$. As in CCS we let variables range over process expressions. The notation $\mu X$ stands for a recursion which binds the variable $X$. We shall use $fv(E)$ for the set of free variables (i.e., not bound by any $\mu X$) in $E$. As explained in the introduction, we require that only closed expressions are put in parallel composition, i.e., in $E \mid F$ we have $fv(E \mid F) = \emptyset$. As usual we identify expressions which differ only by a change of bound variables. We shall write $E\{F_1, \ldots, F_n / X_1, \ldots, X_n\}$ or $E\{\tilde{F}/\tilde{X}\}$ for the result of simultaneously substituting $F_i$ for each occurrence of $X_i$ in $E$ ($1 \le i \le n$), renaming bound variables if necessary.

Definition 1. The variable $X$ is weakly guarded (resp. guarded) in $E$ if every free occurrence of $X$ in $E$ occurs within some subexpression $u.F$ (resp. $a.F$ or $\bar{a}.F$), otherwise $X$ is weakly unguarded (resp. unguarded) in $E$.

The operational semantics of an expression $E$ is defined as a simple probabilistic automaton whose states are the expressions reachable from $E$ and the transition relation is defined by the axioms and inference rules in Table 1, where $E \xrightarrow{\alpha} \eta$ describes a transition that, by performing an action or exposing a free variable, leaves from $E$ and leads to a distribution $\eta$ over $\mathcal{E}$. The symmetric rules of par and com are omitted.

var: $X \xrightarrow{X} \{0 : 1\}$

psum: $u.\bigoplus_{i \in 1..n} p_i E_i \xrightarrow{u} \biguplus_{i \in 1..n} \{E_i : p_i\}$

rec: $\dfrac{E\{\mu X E / X\} \xrightarrow{\alpha} \eta}{\mu X E \xrightarrow{\alpha} \eta}$

nsum: $\dfrac{E_j \xrightarrow{\alpha} \eta}{\sum_{i \in 1..m} E_i \xrightarrow{\alpha} \eta}$ for some $j \in 1..m$

par: $\dfrac{E \xrightarrow{\alpha} \{E_i : p_i\}_i}{E \mid F \xrightarrow{\alpha} \{E_i \mid F : p_i\}_i}$

com: $\dfrac{E \xrightarrow{a} \{E_i : p_i\}_{i \in I} \qquad F \xrightarrow{\bar{a}} \{F_j : q_j\}_{j \in J}}{E \mid F \xrightarrow{\tau} \{E_i \mid F_j : p_i q_j\}_{i \in I, j \in J}}$

Table 1. Strong transitions

Finitary weak transitions are defined as in [7]. We abstract away finitely many invisible actions that occur before or after the appearance of a single visible action or a variable. It is easy to see that if $E \xRightarrow{X} \eta$ then $\eta = \{0 : 1\}$. We use the notation $\xRightarrow{\hat{\alpha}}$ to stand for $\xRightarrow{\alpha}$ if $\alpha \ne \tau$, for $\Longrightarrow$ otherwise. We also define a weak combined transition: $E \xRightarrow{\hat{\alpha}}_c \eta$ if there exists a collection $\{\eta_i, r_i\}_{i \in 1..n}$ of distributions and probabilities such that $\sum_{i \in 1..n} r_i = 1$, $\eta = r_1 \eta_1 + \ldots + r_n \eta_n$ and $E \xRightarrow{\hat{\alpha}} \eta_i$ for each $i \in 1..n$. Similarly we write $E \xRightarrow{\alpha}_c \eta$ if every component is a "normal" (i.e., non-virtual) weak transition, namely, $E \xRightarrow{\alpha} \eta_i$ for all $i \le n$.

wea1: $E \Longrightarrow \{E : 1\}$

wea2: $\dfrac{E \xrightarrow{\tau} \eta}{E \Longrightarrow \eta}$

wea3: $\dfrac{E \xrightarrow{\alpha} \eta}{E \xRightarrow{\alpha} \eta}$

wea4: $\dfrac{E \xRightarrow{\alpha} \{E_i : p_i\}_{i \in I} \qquad \forall i \in I : E_i \Longrightarrow \{E_{ij} : p_{ij}\}_{j \in J_i}}{E \xRightarrow{\alpha} \{E_{ij} : p_i p_{ij}\}_{i \in I, j \in J_i}}$

wea5: $\dfrac{E \Longrightarrow \{E_i : p_i\}_{i \in I} \qquad \forall i \in I : E_i \xRightarrow{\alpha} \{E_{ij} : p_{ij}\}_{j \in J_i}}{E \xRightarrow{\alpha} \{E_{ij} : p_i p_{ij}\}_{i \in I, j \in J_i}}$

Table 2. Weak transitions

4 Behavioral equivalences

To define behavioral equivalences in probabilistic process algebra, it is customary to consider equivalence of distributions with respect to equivalence relations on expressions.

4.1 Equivalence of distributions

If $\eta$ is a distribution on $S$ and $V \subseteq S$, we write $\eta(V)$ for $\sum_{s \in V} \eta(s)$. We lift an equivalence relation on $\mathcal{E}$ to an equivalence relation between distributions over $\mathcal{E}$ in the following way.

Definition 2. Given two distributions $\eta_1$ and $\eta_2$ over $\mathcal{E}$, we say that they are equivalent w.r.t. an equivalence relation $\mathcal{R}$ on $\mathcal{E}$, written $\eta_1 \equiv_{\mathcal{R}} \eta_2$, if

$$\forall V \in \mathcal{E}/\mathcal{R} : \eta_1(V) = \eta_2(V).$$

The following property is simple but important as it underpins many other results in the rest of the paper.

Lemma 1. If $\eta_1 \equiv_{\mathcal{R}_1} \eta_2$ and $\mathcal{R}_1 \subseteq \mathcal{R}_2$ then $\eta_1 \equiv_{\mathcal{R}_2} \eta_2$.

Given an equivalence relation $\mathcal{R}$, we construct two relations:

$$\mathcal{R}_G \stackrel{def}{=} \{(E \mid G, F \mid G) \mid E \,\mathcal{R}\, F\} \qquad\qquad \mathcal{R}_| \stackrel{def}{=} \bigcup \{\mathcal{R}_G \mid G \in \mathcal{E}\}.$$

Clearly $\mathcal{R}_G$ and $\mathcal{R}_|$ are also equivalence relations. If $V \in \mathcal{E}/\mathcal{R}_G$ then we write $V \backslash G$ for the set $\{E \mid E \mid G \in V\}$. It is easy to see that if $V \in \mathcal{E}/\mathcal{R}_|$ then there exists some expression $G$ such that $V \in \mathcal{E}/\mathcal{R}_G$. Furthermore, we observe that $V \in \mathcal{E}/\mathcal{R}_G$ iff $V \backslash G \in \mathcal{E}/\mathcal{R}$. Suppose $\theta_1 = \{E_i : p_i\}_{i \in I}$ and $\theta_2 = \{F_j : q_j\}_{j \in J}$, we introduce the following notation:

$$\theta_1 \mid \theta_2 \stackrel{def}{=} \{E_i \mid F_j : p_i q_j\}_{i \in I, j \in J}.$$

The following lemma is crucial for showing the congruence property of strong bisimilarity and observational equivalence (cf. Section 4.4). It says that if two distributions $\theta_1$ and $\theta_2$ are equivalent w.r.t. an equivalence relation $\mathcal{R}$, then there is a uniform way to extend the two distributions so that the resulting distributions on composed terms are equivalent w.r.t. another equivalence relation $\mathcal{R}_|$.

Lemma 2. If $\theta_1 \equiv_{\mathcal{R}} \theta_2$ then $(\theta_1 \mid \theta) \equiv_{\mathcal{R}_|} (\theta_2 \mid \theta)$.

Proof. Let $\theta = \{G_k : r_k\}_{k \in K}$. Without loss of generality, we assume that if $i, j \in K$ and $i \ne j$ then $G_i \ne G_j$. For any $V \in \mathcal{E}/\mathcal{R}_|$ there exists some expression $G$ such that $V \in \mathcal{E}/\mathcal{R}_G$. There are two cases:

1. if $G \ne G_k$ for all $k \in K$, then $(\theta_1 \mid \theta)(V) = 0 = (\theta_2 \mid \theta)(V)$;

2. if $G = G_k$ for some $k \in K$, then $(\theta_1 \mid \theta)(V) = r_k \theta_1(V \backslash G_k) = r_k \theta_2(V \backslash G_k) = (\theta_2 \mid \theta)(V)$.

In summary, $(\theta_1 \mid \theta)(V) = (\theta_2 \mid \theta)(V)$ for any $V \in \mathcal{E}/\mathcal{R}_|$, i.e., $(\theta_1 \mid \theta) \equiv_{\mathcal{R}_|} (\theta_2 \mid \theta)$, which is the required result. □

Corollary 1. If $\theta_1 \equiv_{\mathcal{R}} \theta_2$, $\theta_1' \equiv_{\mathcal{R}} \theta_2'$ and $\mathcal{R}$ is closed under parallel composition, then $(\theta_1 \mid \theta_1') \equiv_{\mathcal{R}} (\theta_2 \mid \theta_2')$.

Proof. If $\mathcal{R}$ is closed under parallel composition, then $\mathcal{R}_| \subseteq \mathcal{R}$. By Lemma 1, we can state Lemma 2 as: if $\theta_1 \equiv_{\mathcal{R}} \theta_2$ then $(\theta_1 \mid \theta) \equiv_{\mathcal{R}} (\theta_2 \mid \theta)$. Similarly we can establish a symmetric property: if $\theta_1 \equiv_{\mathcal{R}} \theta_2$ then $(\theta \mid \theta_1) \equiv_{\mathcal{R}} (\theta \mid \theta_2)$. As a consequence we have $(\theta_1 \mid \theta_1') \equiv_{\mathcal{R}} (\theta_2 \mid \theta_1') \equiv_{\mathcal{R}} (\theta_2 \mid \theta_2')$. □

4.2 Behavioral equivalences

Strong bisimulation is defined by requiring equivalence of distributions at every step. Because of the way equivalence of distributions is defined, we need to restrict to bisimulations which are equivalence relations.

Definition 3. An equivalence relation $\mathcal{R} \subseteq \mathcal{E} \times \mathcal{E}$ is a strong bisimulation if $E \,\mathcal{R}\, F$ implies:

– whenever $E \xrightarrow{\alpha} \eta_1$, there exists $\eta_2$ such that $F \xrightarrow{\alpha} \eta_2$ and $\eta_1 \equiv_{\mathcal{R}} \eta_2$.

Two expressions $E, F$ are strong bisimilar, written $E \sim F$, if there exists a strong bisimulation $\mathcal{R}$ s.t. $E \,\mathcal{R}\, F$.

We have shown in [16, 15] that to define weak equivalences it is necessary to use weak combined transitions$^3$, so weak probabilistic bisimulation is given in the following way.

Definition 4. An equivalence relation $\mathcal{R} \subseteq \mathcal{E} \times \mathcal{E}$ is a weak probabilistic bisimulation if $E \,\mathcal{R}\, F$ implies:

– whenever $E \xrightarrow{\alpha} \eta_1$, there exists $\eta_2$ such that $F \xRightarrow{\hat{\alpha}}_c \eta_2$ and $\eta_1 \equiv_{\mathcal{R}} \eta_2$.

We write $E \approx F$ whenever there exists a weak probabilistic bisimulation $\mathcal{R}$ s.t. $E \,\mathcal{R}\, F$.

As usual, observational equivalence is defined in terms of weak probabilistic bisimulation.

Definition 5. Two expressions $E, F$ are observationally equivalent, written $E \simeq F$, if

1. whenever $E \xrightarrow{\alpha} \eta_1$, there exists $\eta_2$ such that $F \xRightarrow{\alpha}_c \eta_2$ and $\eta_1 \equiv_{\approx} \eta_2$;

2. whenever $F \xrightarrow{\alpha} \eta_2$, there exists $\eta_1$ such that $E \xRightarrow{\alpha}_c \eta_1$ and $\eta_1 \equiv_{\approx} \eta_2$.

One can check that all the relations defined above are indeed equivalence relations and we have the inclusion ordering: $\sim \;\subsetneq\; \simeq \;\subsetneq\; \approx$.

Example 1. Consider the following expressions:

$$E_1 \stackrel{def}{=} \mu X(a.X + X) \qquad E_2 \stackrel{def}{=} \mu X(\tfrac{1}{2} X \oplus \tfrac{1}{2}(X + X))$$

$$F_1 \stackrel{def}{=} a.b + \tau.c \qquad F_2 \stackrel{def}{=} F_1 + \tau.(\tfrac{1}{3} F_1 \oplus \tfrac{2}{3} c)$$

It can be checked that $E_1 \sim E_2$, $F_1 \approx F_2$, and $\tau.F_1 \simeq \tau.F_2$. Note that $F_1 \not\simeq F_2$ because the transition $F_2 \xrightarrow{\tau} \{F_1 : \tfrac{1}{3}, c : \tfrac{2}{3}\}$ cannot be matched up by the transition $F_1 \xrightarrow{\tau} \{c : 1\}$, which is the only normal transition from $F_1$ with action $\tau$. □

$^3$ The example given in [16, 15] for supporting this argument is built in probabilistic automata [30], but it is easy to write a similar example in simple probabilistic automata.


4.3 Probabilistic “bisimulation up to” techniques

A natural way for showing $E \sim F$ in a probabilistic process calculus is to construct an equivalence relation $\mathcal{R}$ which includes the pair $(E, F)$, and then to check that $\mathcal{R}$ is a bisimulation. However, it is often difficult to ensure that the relation $\mathcal{R}$ one constructs is indeed an equivalence relation. In this case we use "bisimulation up to" techniques. The idea is that we extend $\mathcal{R}$ to be $\mathcal{R}'$ such that $\mathcal{R} \subseteq \mathcal{R}'$ and $\mathcal{R}'$ is easily shown to be a bisimulation.

Given a binary relation $\mathcal{R}$ we denote by $\mathcal{R}^{\sim}$ the relation $(\mathcal{R} \cup \sim)^{*}$, the equivalence closure of $\mathcal{R} \cup \sim$. Similarly for the notations $\mathcal{R}^{\approx}$ and $\mathcal{R}^{\simeq}$.

Definition 6. A binary relation $\mathcal{R}$ is a strong bisimulation up to $\sim$ if $E \,\mathcal{R}\, F$ implies:

1. whenever $E \xrightarrow{\alpha} \eta_1$, there exists $\eta_2$ such that $F \xrightarrow{\alpha} \eta_2$ and $\eta_1 \equiv_{\mathcal{R}^{\sim}} \eta_2$;

2. whenever $F \xrightarrow{\alpha} \eta_2$, there exists $\eta_1$ such that $E \xrightarrow{\alpha} \eta_1$ and $\eta_1 \equiv_{\mathcal{R}^{\sim}} \eta_2$.

A strong bisimulation up to $\sim$ is not necessarily an equivalence relation. It is just an ordinary binary relation included in $\sim$, as shown by the next proposition.

Proposition 1. If $\mathcal{R}$ is a strong bisimulation up to $\sim$, then $\mathcal{R} \subseteq \sim$.

For weak probabilistic bisimulation, the “up to” relation can be defined as well, but we need to be careful.

Definition 7. A binary relation $\mathcal{R}$ is a weak probabilistic bisimulation up to $\approx$ if $E \,\mathcal{R}\, F$ implies:

1. whenever $E \xRightarrow{\alpha} \eta_1$, there exists $\eta_2$ such that $F \xRightarrow{\hat{\alpha}}_c \eta_2$ and $\eta_1 \equiv_{\mathcal{R}^{\approx}} \eta_2$;

2. whenever $F \xRightarrow{\alpha} \eta_2$, there exists $\eta_1$ such that $E \xRightarrow{\hat{\alpha}}_c \eta_1$ and $\eta_1 \equiv_{\mathcal{R}^{\approx}} \eta_2$.

In the above definition, we are not able to replace the first double arrow in each clause by a simple arrow. Otherwise, the resulting relation would not be included in $\approx$.

Proposition 2. If $\mathcal{R}$ is a weak probabilistic bisimulation up to $\approx$, then $\mathcal{R} \subseteq \approx$.

In a way similar to Definition 7, we introduce an "up to $\simeq$" relation.

Definition 8. A binary relation $\mathcal{R}$ is an observational equivalence up to $\simeq$ if $E \,\mathcal{R}\, F$ implies:

1. whenever $E \xRightarrow{\alpha} \eta_1$, there exists $\eta_2$ such that $F \xRightarrow{\alpha}_c \eta_2$ and $\eta_1 \equiv_{\mathcal{R}^{\simeq}} \eta_2$;

2. whenever $F \xRightarrow{\alpha} \eta_2$, there exists $\eta_1$ such that $E \xRightarrow{\alpha}_c \eta_1$ and $\eta_1 \equiv_{\mathcal{R}^{\simeq}} \eta_2$.

As expected, observational equivalence up to $\simeq$ is useful because of the following property.

Proposition 3. If $\mathcal{R}$ is an observational equivalence up to $\simeq$, then $\mathcal{R} \subseteq \simeq$.


4.4 Some properties of behavioral equivalences

By using the “bisimulation up to” techniques introduced in the previous section, together with Lemma 2, we can prove the following results. Their detailed proofs are in Appendices A and B, respectively.

Proposition 4 (Properties of $\sim$).

1. $\sim$ is a congruence relation;

2. $\mu X E \sim E\{\mu X E / X\}$;

3. $\mu X(E + X) \sim \mu X E$;

4. If $E \sim F\{E/X\}$ and $X$ is weakly guarded in $F$, then $E \sim \mu X F$.

Proposition 5 (Properties of $\simeq$).

1. $\simeq$ is a congruence relation;

2. If $\tau.E \simeq \tau.E + F$ and $\tau.F \simeq \tau.F + E$ then $\tau.E \simeq \tau.F$;

3. If $E \simeq F\{E/X\}$ and $X$ is guarded in $F$ then $E \simeq \mu X F$.

5 Axiomatizing strong bisimilarity

We present in this section the axiom system $\mathcal{A}_s$ for $\sim$, which includes all axioms and rules displayed in Table 3. We assume the usual rules for equality (reflexivity, symmetry, transitivity and substitutivity), and the alpha-conversion of bound variables. If we omit all the axioms involving probabilities, we obtain the system composed by S1-3 and R1-3, which characterizes exactly the class of nonprobabilistic finite-state behaviors studied in [26]. The two axioms S4-5 allow us to permute and merge probabilistic branches in a probabilistic choice. E is a probabilistic version of the expansion law in CCS.

The notation $\mathcal{A}_s \vdash E = F$ (and $\mathcal{A}_s \vdash \tilde{E} = \tilde{F}$ for a finite sequence of equations) means that the equation $E = F$ is derivable by applying the axioms and rules from $\mathcal{A}_s$. The following theorem shows that $\mathcal{A}_s$ is sound with respect to $\sim$.

Theorem 1 (Soundness of $\mathcal{A}_s$). If $\mathcal{A}_s \vdash E = E'$ then $E \sim E'$.

Proof. The soundness of the recursion axioms R1-3 is shown in Section 4.4; the soundness of S1-4 and E is obvious, and S5 is a consequence of Definition 2. □

For the completeness proof, the basic points are: (1) if two expressions are bisimilar then we can construct an equation set in a certain format (standard format) that they both satisfy; (2) if two expressions satisfy the same standard equation set, then they can be proved equal by $\mathcal{A}_s$. This schema is inspired by [26, 32], but in our case the definition of standard format and the proof itself are more complicated due to the presence of both probabilistic and nondeterministic dimensions.

S1: $E + 0 = E$

S2: $E + E = E$

S3: $\sum_{i \in I} E_i = \sum_{i \in I} E_{\rho(i)}$, $\rho$ is any permutation on $I$

S4: $u.\bigoplus_{i \in I} p_i E_i = u.\bigoplus_{i \in I} p_{\rho(i)} E_{\rho(i)}$, $\rho$ is any permutation on $I$

S5: $u.((\bigoplus_i p_i E_i) \oplus pE \oplus qE) = u.((\bigoplus_i p_i E_i) \oplus (p+q)E)$

R1: $\mu X E = E\{\mu X E / X\}$

R2: If $E = F\{E/X\}$, $X$ weakly guarded in $F$, then $E = \mu X F$

R3: $\mu X(E + X) = \mu X E$

E: Assume $E \equiv \sum_i u_i.\bigoplus_j p_{ij} E_{ij}$ and $F \equiv \sum_k v_k.\bigoplus_l q_{kl} F_{kl}$. Then infer:

$$E \mid F = \sum_i u_i.\bigoplus_j p_{ij}(E_{ij} \mid F) + \sum_k v_k.\bigoplus_l q_{kl}(E \mid F_{kl}) + \sum_{u_i \,opp\, v_k} \tau.\bigoplus_{j,l} (p_{ij} q_{kl})(E_{ij} \mid F_{kl})$$

where $u_i \,opp\, v_k$ means that $u_i$ and $v_k$ are complementary actions, i.e., $\bar{u_i} = v_k$.

Table 3. The axiom system $\mathcal{A}_s$
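The strong transition rules of Table 1 and the expansion law E of Table 3, as an added example in Python (not the authors' code): closed recursion-free terms are encoded as nested tuples, strong bisimilarity (Definition 3) is decided by partition refinement over the lifted equivalence of Definition 2, and the law is checked by verifying that E | F is bisimilar to its expansion on constructed sample terms. The term encoding, the action naming (`~a` for the complement of `a`) and all function names are assumptions of this example.

```python
from collections import deque
from fractions import Fraction

TAU = "tau"          # the invisible action
NIL = ("sum", ())    # 0, the empty nondeterministic sum

def pre(u, *branches):
    """u.(p1 E1 (+) ... (+) pn En); branches are (p, E) pairs with sum p = 1."""
    branches = tuple((Fraction(p), e) for p, e in branches)
    assert sum(p for p, _ in branches) == 1
    return ("pre", u, branches)

def nsum(*terms):    # E1 + ... + Em
    return ("sum", tuple(terms))

def par(e, f):       # E | F
    return ("par", e, f)

def comp(u):         # complementary action: a <-> ~a (tau has none)
    return None if u == TAU else (u[1:] if u.startswith("~") else "~" + u)

def merge(pairs):
    """The constructor (+) of Section 2: probabilities of equal terms add up."""
    dist = {}
    for p, e in pairs:
        dist[e] = dist.get(e, 0) + p
    return frozenset(dist.items())

def transitions(e):
    """(action, distribution) pairs derivable for e by Table 1 (rules psum, nsum,
    par, com; var and rec do not arise for closed recursion-free terms)."""
    if e[0] == "pre":                                          # psum
        return {(e[1], merge(e[2]))}
    if e[0] == "sum":                                          # nsum
        return set().union(*(transitions(t) for t in e[1]))
    out, te, tf = set(), transitions(e[1]), transitions(e[2])
    for a, d in te:                                            # par
        out.add((a, merge((p, par(x, e[2])) for x, p in d)))
    for a, d in tf:                                            # par, symmetric rule
        out.add((a, merge((p, par(e[1], x)) for x, p in d)))
    for a, d in te:                                            # com, both directions
        for b, d2 in tf:
            if comp(a) == b:
                out.add((TAU, merge((p * q, par(x, y))
                                    for x, p in d for y, q in d2)))
    return out

def reachable(*roots):      # states of the automaton rooted at the given terms
    seen, todo = set(roots), deque(roots)
    while todo:
        for _, d in transitions(todo.popleft()):
            for x, _ in d:
                if x not in seen:
                    seen.add(x)
                    todo.append(x)
    return seen

def bisimilar(e, f):
    """E ~ F (Definition 3) by partition refinement: a block is split when two
    members differ in signature, and a signature quotients each target
    distribution by the current partition, i.e. the lifting of Definition 2."""
    states = reachable(e, f)
    block = {s: 0 for s in states}
    while True:
        def signature(s):
            sig = set()
            for a, d in transitions(s):
                lifted = {}
                for x, p in d:
                    lifted[block[x]] = lifted.get(block[x], 0) + p
                sig.add((a, frozenset(lifted.items())))
            return (block[s], frozenset(sig))
        ids = {}
        new = {s: ids.setdefault(signature(s), len(ids)) for s in states}
        if len(ids) == len(set(block.values())):               # partition is stable
            return new[e] == new[f]
        block = new

def expand(e, f):
    """Right-hand side of axiom E (Table 3): interleavings of both sides plus
    one tau summand for every pair of complementary prefixes."""
    assert e[0] == f[0] == "sum" and all(t[0] == "pre" for t in e[1] + f[1])
    rhs = [pre(u, *((p, par(x, f)) for p, x in br)) for _, u, br in e[1]]
    rhs += [pre(v, *((q, par(e, y)) for q, y in br)) for _, v, br in f[1]]
    for _, u, br in e[1]:
        for _, v, br2 in f[1]:
            if comp(u) == v:
                rhs.append(pre(TAU, *((p * q, par(x, y))
                                      for p, x in br for q, y in br2)))
    return nsum(*rhs)

def expansion_law_holds(e, f):
    """Soundness of axiom E on concrete terms: E | F is bisimilar to its expansion."""
    return bisimilar(par(e, f), expand(e, f))

# Constructed sample terms (not from the paper): after `a` the sender flips a
# fair coin between b and c; the receiver answers `a` with d.
SENDER = nsum(pre("a", ("1/2", pre("b", (1, NIL))), ("1/2", pre("c", (1, NIL)))),
              pre("~d", (1, NIL)))
RECEIVER = nsum(pre("~a", (1, pre("d", (1, NIL)))))

print("E | F ~ expansion(E, F):", expansion_law_holds(SENDER, RECEIVER))
```

The same checker also exhibits S5: a prefix with two equal branches of probability 1/2 is bisimilar to the prefix with a single branch of probability 1, because `merge` adds the probabilities of equal terms exactly as the constructor of Section 2 does.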

Definition 9. Let $\tilde{X} = \{X_1, \ldots, X_m\}$ and $\tilde{W} = \{W_1, W_2, \ldots\}$ be disjoint sets of variables. Let $\tilde{H} = \{H_1, \ldots, H_m\}$ be expressions with free variables in $\tilde{X} \cup \tilde{W}$. In the equation set $S : \tilde{X} = \tilde{H}$, we call $\tilde{X}$ formal variables and $\tilde{W}$ free variables. We say $S$ is standard if each $H_i$ takes the form $\sum_j E_{f(i,j)} + \sum_l W_{h(i,l)}$ where $E_{f(i,j)} = u_{f(i,j)}.\bigoplus_k p_{f(i,j,k)} X_{g(i,j,k)}$. We call $S$ weakly guarded if there is no $H_i$ s.t. $H_i \xrightarrow{X_i} \{0 : 1\}$. We say that $E$ provably satisfies $S$ if there are expressions $\tilde{E} = \{E_1, \ldots, E_m\}$, with $E_1 \equiv E$ and $fv(\tilde{E}) \subseteq \tilde{W}$, such that $\mathcal{A}_s \vdash \tilde{E} = \tilde{H}\{\tilde{E}/\tilde{X}\}$.

We first recall the theorem of unique solution of equations, which originally appeared in [26]. Adding probabilistic choice does not affect the validity of this theorem.

Theorem 2 (Unique solution of equations I). If $S$ is a weakly guarded equation set with free variables in $\tilde{W}$, then there is an expression $E$ which provably satisfies $S$. Moreover, if $F$ provably satisfies $S$ and has free variables in $\tilde{W}$, then $\mathcal{A}_s \vdash E = F$.

Proof. Exactly as in [26]. □

Below we give an extension of Milner’s equational characterization theorem by accommodating probabilistic choice.

Theorem 3 (Equational characterization I). For any expression $E$, with free variables in $\tilde{W}$, there exist some expressions $\tilde{E} = \{E_1, \ldots, E_m\}$, with $E_1 \equiv E$ and $fv(\tilde{E}) \subseteq \tilde{W}$, satisfying $m$ equations

$$\mathcal{A}_s \vdash E_i = \sum_{j \in 1..n(i)} E_{f(i,j)} + \sum_{j \in 1..l(i)} W_{h(i,j)} \qquad (i \le m)$$

where $E_{f(i,j)} \equiv u_{f(i,j)}.\bigoplus_{k \in 1..o(i,j)} p_{f(i,j,k)} E_{g(i,j,k)}$.

Proof. By induction on the structure of $E$. We only consider the case that $E \equiv F \mid F'$; all other cases are similar to the proof in [26]. By definition $F$ and $F'$ are closed terms. By induction we have closed terms $F_1, \ldots, F_m$ satisfying $m$ equations

$$\mathcal{A}_s \vdash F_i = \sum_{j \in 1..n(i)} F_{f(i,j)} \qquad (i \le m)$$

where $F_{f(i,j)} \equiv u_{f(i,j)}.\bigoplus_{k \in 1..o(i,j)} p_{f(i,j,k)} F_{g(i,j,k)}$. Similarly we have closed expressions $F'_1, \ldots, F'_{m'}$ satisfying $m'$ equations

$$\mathcal{A}_s \vdash F'_{i'} = \sum_{j' \in 1..n'(i')} F'_{f'(i',j')} \qquad (i' \le m')$$

where $F'_{f'(i',j')} \equiv u'_{f'(i',j')}.\bigoplus_{k' \in 1..o'(i',j')} p'_{f'(i',j',k')} F'_{g'(i',j',k')}$. Now set $E_{i,i'} \equiv F_i \mid F'_{i'}$. By the expansion law E we obtain the equations

$$\begin{aligned} \mathcal{A}_s \vdash E_{i,i'} = {} & \sum_{j \in 1..n(i)} u_{f(i,j)}.\bigoplus_{k \in 1..o(i,j)} p_{f(i,j,k)} E_{g(i,j,k),i'} \\ & + \sum_{j' \in 1..n'(i')} u'_{f'(i',j')}.\bigoplus_{k' \in 1..o'(i',j')} p'_{f'(i',j',k')} E_{i,g'(i',j',k')} \\ & + \sum_{u_{f(i,j)} \,opp\, u'_{f'(i',j')}} \tau.\bigoplus_{k \in 1..o(i,j),\, k' \in 1..o'(i',j')} (p_{f(i,j,k)}\, p'_{f'(i',j',k')})\, E_{g(i,j,k),g'(i',j',k')} \end{aligned}$$

where $i \le m$, $i' \le m'$ and $u_{f(i,j)} \,opp\, u'_{f'(i',j')}$ means that $u_{f(i,j)}$ and $u'_{f'(i',j')}$ are complementary actions, i.e., they are $a$ and $\bar{a}$ respectively, for some $a$, or the inverse.

Moreover, we have $E \equiv F_1 \mid F'_1 \equiv E_{1,1}$. □

The following completeness proof is closely analogous to that of [32]. It is complicated somewhat by the presence of nondeterministic choice. For example, to construct the formal equations, we need to consider a more refined relation $L_{iji'j'}$ underneath the relation $K_{ii'}$ while in [26, 32] it is sufficient to just use $K_{ii'}$.

Theorem 4 (Completeness of $\mathcal{A}_s$). If $E \sim E'$ then $\mathcal{A}_s \vdash E = E'$.

Proof. Let $E$ and $E'$ have free variables in $\tilde{W}$. By Theorem 3 there are provable equations such that $E \equiv E_1$, $E' \equiv E'_1$ and

$$\mathcal{A}_s \vdash E_i = \sum_{j \in 1..n(i)} E_{f(i,j)} + \sum_{j \in 1..l(i)} W_{h(i,j)} \qquad (i \le m)$$

$$\mathcal{A}_s \vdash E'_{i'} = \sum_{j' \in 1..n'(i')} E'_{f'(i',j')} + \sum_{j' \in 1..l'(i')} W_{h'(i',j')} \qquad (i' \le m')$$

with

$$E_{f(i,j)} \equiv u_{f(i,j)}.\bigoplus_{k \in 1..o(i,j)} p_{f(i,j,k)} E_{g(i,j,k)}$$

$$E'_{f'(i',j')} \equiv u'_{f'(i',j')}.\bigoplus_{k' \in 1..o'(i',j')} p'_{f'(i',j',k')} E'_{g'(i',j',k')}.$$

Let $I = \{\langle i, i' \rangle \mid E_i \sim E'_{i'}\}$. By hypothesis we have $E_1 \sim E'_1$, so $\langle 1, 1 \rangle \in I$. Moreover, for each $\langle i, i' \rangle \in I$, the following holds, by the definition of strong bisimilarity:

1. There exists a total surjective relation $K_{ii'}$ between $\{1, \ldots, n(i)\}$ and $\{1, \ldots, n'(i')\}$, given by

$$K_{ii'} = \{\langle j, j' \rangle \mid \langle f(i,j), f'(i',j') \rangle \in I\}.$$

Furthermore, for each $\langle j, j' \rangle \in K_{ii'}$, we have $u_{f(i,j)} = u'_{f'(i',j')}$ and there exists a total surjective relation $L_{iji'j'}$ between $\{1, \ldots, o(i,j)\}$ and $\{1, \ldots, o'(i',j')\}$, given by

$$L_{iji'j'} = \{\langle k, k' \rangle \mid \langle g(i,j,k), g'(i',j',k') \rangle \in I\}.$$

2. $\mathcal{A}_s \vdash \sum_{j \in 1..l(i)} W_{h(i,j)} = \sum_{j' \in 1..l'(i')} W_{h'(i',j')}$.

Now, let $L_{iji'j'}(k)$ denote the image of $k \in \{1, \ldots, o(i,j)\}$ under $L_{iji'j'}$ and $L^{-1}_{iji'j'}(k')$ the preimage of $k' \in \{1, \ldots, o'(i',j')\}$ under $L_{iji'j'}$. We write $[k]_{iji'j'}$ for the set $L^{-1}_{iji'j'}(L_{iji'j'}(k))$ and $[k']_{iji'j'}$ for $L_{iji'j'}(L^{-1}_{iji'j'}(k'))$. It follows from the definitions that

1. If $\langle i, i'_1 \rangle \in I$, $\langle i, i'_2 \rangle \in I$, $\langle j, j'_1 \rangle \in K_{ii'_1}$ and $\langle j, j'_2 \rangle \in K_{ii'_2}$, then $[k]_{iji'_1j'_1} = [k]_{iji'_2j'_2}$.

2. If $q_1 \in [k]_{iji'j'}$ and $q_2 \in [k]_{iji'j'}$, then $E_{g(i,j,q_1)} \sim E_{g(i,j,q_2)}$.

Define $\nu_{ijk} = \sum_{q \in [k]_{iji'j'}} p_{f(i,j,q)}$ for any $i', j'$ such that $\langle i, i' \rangle \in I$ and $\langle j, j' \rangle \in K_{ii'}$; define $\nu'_{i'j'k'} = \sum_{q' \in [k']_{iji'j'}} p'_{f'(i',j',q')}$ for any $i, j$ such that $\langle i, i' \rangle \in I$ and $\langle j, j' \rangle \in K_{ii'}$. It is easy to see that whenever $\langle i, i' \rangle \in I$, $\langle j, j' \rangle \in K_{ii'}$ and $\langle k, k' \rangle \in L_{iji'j'}$ then $\nu_{ijk} = \nu'_{i'j'k'}$.

We now consider the formal equations, one for each $\langle i, i' \rangle \in I$:

$$X_{i,i'} = \sum_{\langle j, j' \rangle \in K_{ii'}} H_{f(i,j),f'(i',j')} + \sum_{j \in 1..l(i)} W_{h(i,j)}$$

where

$$H_{f(i,j),f'(i',j')} \equiv u_{f(i,j)}.\bigoplus_{\langle k, k' \rangle \in L_{iji'j'}} \left(\frac{p_{f(i,j,k)}\, p'_{f'(i',j',k')}}{\nu_{ijk}}\right) X_{g(i,j,k),g'(i',j',k')}.$$

These equations are provably satisfied when each $X_{i,i'}$ is instantiated to $E_i$, since $K_{ii'}$ and $L_{iji'j'}$ are total and the right-hand side differs at most by repeated summands from that of the already proved equation for $E_i$. Note that each probabilistic branch $p_{f(i,j,k)} E_{g(i,j,k)}$ in the subterm $E_{f(i,j)}$ of $E_i$ becomes the probabilistic summation of several branches like

$$\bigoplus_{q' \in [k']_{iji'j'}} \left(\frac{p_{f(i,j,k)}\, p'_{f'(i',j',q')}}{\nu_{ijk}}\right) E_{g(i,j,k)}$$

in $H_{f(i,j),f'(i',j')}\{E_i / X_{i,i'}\}_i$, where $\langle i, i' \rangle \in I$, $\langle j, j' \rangle \in K_{ii'}$ and $\langle k, k' \rangle \in L_{iji'j'}$. But they are provably equal because

$$\sum_{q' \in [k']_{iji'j'}} \frac{p_{f(i,j,k)}\, p'_{f'(i',j',q')}}{\nu_{ijk}} = \frac{p_{f(i,j,k)}}{\nu_{ijk}} \cdot \sum_{q' \in [k']_{iji'j'}} p'_{f'(i',j',q')} = \frac{p_{f(i,j,k)}}{\nu_{ijk}} \cdot \nu'_{i'j'k'} = p_{f(i,j,k)}$$

and then the axiom S5 can be used. Symmetrically, the equations are provably satisfied when each $X_{i,i'}$ is instantiated to $E'_{i'}$; this depends on the surjectivity of $K_{ii'}$ and $L_{iji'j'}$.

Finally, we note that each $X_{i,i'}$ is weakly guarded in the right-hand sides of the formal equations. It follows from Theorem 2 that $\vdash E_i = E'_{i'}$ for each $\langle i, i' \rangle \in I$, and hence $\vdash E = E'$. □

6 Axiomatizing observational equivalence

In this section we axiomatize the observational equivalence $\simeq$. We are not able to give a complete axiomatization for the whole set of expressions (and we conjecture that it is not possible), so we restrict to the subset of $\mathcal{E}$ consisting of guarded expressions only. An expression is guarded if for each of its subexpressions of the form $\mu X F$, the variable $X$ is guarded in $F$ (cf. Definition 1).

First let us analyze the system $\mathcal{A}_s$. All axioms except for R2-3 are still valid for $\simeq$. R3 is not needed because it deals with unguarded expressions. We can reuse R2 by requiring $X$ to be (strongly) guarded, so we get R2' in Table 4. To establish the system $\mathcal{A}_o$ for $\simeq$, we use five $\tau$-laws, T1-5 in Table 4, to abstract away invisible actions. Note that T1 and T2 together constitute the probabilistic version of Milner's second $\tau$-law ([28] page 231). T3 and T4 are the probabilistic extensions of Milner's third and first $\tau$-laws, respectively. The extra rule T5 has no nonprobabilistic counterpart in CCS, but it plays an important role in the proof of Theorem 8. As in [7] the axiom C is needed because we use combined transitions when defining observational equivalence.

Theorem 5 (Soundness of $\mathcal{A}_o$). If $\mathcal{A}_o \vdash E = F$ then $E \simeq F$.

Proof. The rules R2' and T5 are proved to be sound in Proposition 5 (its proof is detailed in Appendix B). The soundness of C and T1-4 is straightforward. □

For the completeness proof, it is convenient to use the following saturation property, which relates operational semantics to term transformation, and which can be shown by using the probabilistic $\tau$-laws T1-4 and the axiom C.

Lemma 3 (Saturation). Suppose there is no parallel composition in $E$.

1. If $E \xRightarrow{u} \eta$ with $\eta = \{E_i : p_i\}_i$, then $\mathcal{A}_o \vdash E = E + u.\bigoplus_i p_i E_i$;

2. If $E \xRightarrow{u}_c \eta$ with $\eta = \{E_i : p_i\}_i$, then $\mathcal{A}_o \vdash E = E + u.\bigoplus_i p_i E_i$;

3. If $E \xRightarrow{X} \{0 : 1\}$ then $\mathcal{A}_o \vdash E = E + X$.

T1: $\tau.\bigoplus_i p_i(E_i + X) = X + \tau.\bigoplus_i p_i(E_i + X)$

T2: $\tau.\bigoplus_i p_i(E_i + u.\bigoplus_j p_{ij} E_{ij}) + u.\bigoplus_{i,j} p_i p_{ij} E_{ij} = \tau.\bigoplus_i p_i(E_i + u.\bigoplus_j p_{ij} E_{ij})$

T3: $u.\bigoplus_i p_i(E_i + \tau.\bigoplus_j p_{ij} E_{ij}) + u.\bigoplus_{i,j} p_i p_{ij} E_{ij} = u.\bigoplus_i p_i(E_i + \tau.\bigoplus_j p_{ij} E_{ij})$

T4: $u.(p\,\tau.E \oplus \bigoplus_i p_i E_i) = u.(pE \oplus \bigoplus_i p_i E_i)$

T5: If $\tau.E = \tau.E + F$ and $\tau.F = \tau.F + E$ then $\tau.E = \tau.F$.

R2': If $E = F\{E/X\}$, $X$ guarded in $F$, then $E = \mu X F$

C: $\sum_{i \in 1..n} u.\bigoplus_j p_{ij} E_{ij} = \sum_{i \in 1..n} u.\bigoplus_j p_{ij} E_{ij} + u.\bigoplus_{i \in 1..n} \bigoplus_j r_i p_{ij} E_{ij}$ with $\sum_{i \in 1..n} r_i = 1$.

Table 4. Some laws for the axiom system $\mathcal{A}_o$

Proof. The first and third clauses are proved by transition induction on the inference $E \stackrel{u}{\Longrightarrow} \eta$; the second clause is a corollary of the first one. □

Below we state two simple properties of weak combined transitions. They will be used in proving Theorem 8.

Lemma 4.

1. If $E \stackrel{\hat u}{\Longrightarrow}_c \eta$ then $\tau.E \stackrel{u}{\Longrightarrow}_c \eta$;

2. If $E \stackrel{X}{\Longrightarrow}_c \{0 : 1\}$ then $E \stackrel{X}{\Longrightarrow} \{0 : 1\}$.

Proof. Trivial. □

Lemma 5. If $E \stackrel{\hat u}{\Longrightarrow}_c \{E_i : p_i\}_i$ then $\mathcal{A}_o \vdash \tau.E = \tau.E + u.\bigoplus_i p_i E_i$.

Proof. It follows from Lemma 4 and Lemma 3. □

To show the completeness of $\mathcal{A}_o$, we need some notation. Given a standard equation set $S : \tilde X = \tilde H$, which has free variables $\tilde W$, we define the relations $\xrightarrow{\alpha}_S \subseteq \tilde X \times \mathcal{P}(\tilde X)$ (recall that the notation $\mathcal{P}(V)$ represents all distributions on $V$) as $X_i \xrightarrow{\alpha}_S \eta$ iff $H_i \xrightarrow{\alpha} \eta$. From $\xrightarrow{\alpha}_S$ we can define the weak transition $\stackrel{\alpha}{\Longrightarrow}_S$ in the same way as in Section 3. We shall call $S$ guarded if there is no $X_i$ s.t. $X_i \stackrel{X_i}{\Longrightarrow}_S \{0 : 1\}$. The variable $W$ is guarded in $S$ if it is not the case that $X_1 \stackrel{W}{\Longrightarrow}_S \{0 : 1\}$.

For guarded expressions, the equational characterization theorem and the unique solution theorem given in the last section can now be refined, as done in [28].

Theorem 6 (Equational characterization II). Each guarded expression $E$ with free variables in $\tilde W$ provably satisfies a standard guarded equation set $S$ with free variables in $\tilde W$. Moreover, if $W$ is guarded in $E$ then $W$ is guarded in $S$.


Proof. By induction on the structure of $E$. Consider the case that $E \equiv u.\bigoplus_{i \in I} p_i E_i$. For each $i \in I$, let $X_i$ be the distinguished variable of the equation set $S_i$ for $E_i$. We can define $S$ as $\{X = u.\bigoplus_{i \in I} p_i X_i\} \cup \bigcup_{i \in I} S_i$, with the new variable $X$ distinguished. All other cases are the same as in [28]. For the case that $E \equiv F \mid F'$, the arguments are similar to those in Theorem 3. □

Theorem 7 (Unique solution of equations II). If $S$ is a guarded equation set with free variables in $\tilde W$, then there is an expression $E$ which provably satisfies $S$. Moreover, if $F$ provably satisfies $S$ and has free variables in $\tilde W$, then $\mathcal{A}_o \vdash E = F$.

Proof. Nearly the same as the proof of Theorem 2, just replacing the recursion rule R2 with R2$'$. □

The following theorem plays a crucial role in proving the completeness of $\mathcal{A}_o$.

Theorem 8. Let $E$ provably satisfy $S$ and $F$ provably satisfy $T$, where both $S$ and $T$ are standard, guarded equation sets, and let $E \simeq F$. Then there is a standard, guarded equation set $U$ satisfied by both $E$ and $F$.

Proof. Suppose that $\tilde X = \{X_1, \ldots, X_m\}$, $\tilde Y = \{Y_1, \ldots, Y_n\}$ and $\tilde W = \{W_1, W_2, \ldots\}$ are disjoint sets of variables. Let

$$S : \tilde X = \tilde H \qquad T : \tilde Y = \tilde J$$

with $fv(\tilde H) \subseteq \tilde X \cup \tilde W$, $fv(\tilde J) \subseteq \tilde Y \cup \tilde W$, and suppose that there are expressions $\tilde E = \{E_1, \ldots, E_m\}$ and $\tilde F = \{F_1, \ldots, F_n\}$ with $E_1 \equiv E$, $F_1 \equiv F$, and $fv(\tilde E) \cup fv(\tilde F) \subseteq \tilde W$, so that

$$\mathcal{A}_o \vdash \tilde E = \tilde H\{\tilde E/\tilde X\} \qquad \mathcal{A}_o \vdash \tilde F = \tilde J\{\tilde F/\tilde Y\}.$$

Consider the least equivalence relation $\mathcal{R} \subseteq (\tilde X \cup \tilde Y) \times (\tilde X \cup \tilde Y)$ such that

1. whenever $(Z, Z') \in \mathcal{R}$ and $Z \xrightarrow{\alpha} \eta$, then there exists $\eta'$ s.t. $Z' \stackrel{\hat\alpha}{\Longrightarrow}_c \eta'$ and $\eta \equiv_{\mathcal{R}} \eta'$;

2. $(X_1, Y_1) \in \mathcal{R}$ and if $X_1 \xrightarrow{\alpha} \eta$ then there exists $\eta'$ s.t. $Y_1 \stackrel{\alpha}{\Longrightarrow}_c \eta'$ and $\eta \equiv_{\mathcal{R}} \eta'$.

Clearly $\mathcal{R}$ is a weak probabilistic bisimulation on the transition system over $\tilde X \cup \tilde Y$, determined by $\to \stackrel{\text{def}}{=} \to_S \cup \to_T$. Now for two given distributions $\eta = \{X_i : p_i\}_{i \in I}$, $\eta' = \{Y_j : q_j\}_{j \in J}$, with $\eta \equiv_{\mathcal{R}} \eta'$, we introduce the following notations:

$$K_{\eta,\eta'} = \{(i, j) \mid i \in I,\ j \in J,\ \text{and } (X_i, Y_j) \in \mathcal{R}\}$$

$$\nu_i = \sum \{p_{i'} \mid i' \in I,\ \text{and } (X_i, X_{i'}) \in \mathcal{R}\} \quad \text{for } i \in I$$

$$\nu_j = \sum \{q_{j'} \mid j' \in J,\ \text{and } (Y_j, Y_{j'}) \in \mathcal{R}\} \quad \text{for } j \in J$$


Since $\eta \equiv_{\mathcal{R}} \eta'$, it follows by definition that if $(i, j) \in K_{\eta,\eta'}$, for some $\eta, \eta'$, then $\nu_i = \nu_j$. Thus we can define the expression

$$G_{\eta,\eta'} \stackrel{\text{def}}{=} \bigoplus_{(i,j) \in K_{\eta,\eta'}} \frac{p_i q_j}{\nu_i}\, Z_{ij}$$

which will play the same role as the expression $H_{f(i,j), f'(i',j')}$ in the proof of Theorem 4.
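As an added check that is not part of the original proof, the weights of $G_{\eta,\eta'}$ sum to one and its two marginals recover $\eta$ and $\eta'$, which is what lets a single expression serve both $E$ and $F$ below. Write $[i]$ for the $\mathcal{R}$-class of $X_i$; by definition $(i, j) \in K_{\eta,\eta'}$ iff $Y_j \in [i]$, and $\nu_i = \nu_j$ for every such $j$.

$$
\begin{aligned}
\sum_{j : (i,j) \in K_{\eta,\eta'}} \frac{p_i q_j}{\nu_i}
 &= \frac{p_i}{\nu_i} \sum_{j : Y_j \in [i]} q_j = \frac{p_i}{\nu_i}\,\nu_j = p_i
 && \big(\nu_j = \textstyle\sum\{q_{j'} \mid Y_{j'} \in [i]\} = \nu_i\big) \\
\sum_{i : (i,j) \in K_{\eta,\eta'}} \frac{p_i q_j}{\nu_i}
 &= \frac{q_j}{\nu_j} \sum_{i : X_i \in [j]} p_i = \frac{q_j}{\nu_j}\,\nu_j = q_j
 && \big(\nu_i = \nu_j \text{ for every such } i\big) \\
\sum_{(i,j) \in K_{\eta,\eta'}} \frac{p_i q_j}{\nu_i}
 &= \sum_{i \in I} p_i = 1
\end{aligned}
$$

Constructed instance: with $\eta = \{X_1 : \tfrac12, X_2 : \tfrac12\}$, $\eta' = \{Y_1 : \tfrac12, Y_2 : \tfrac14, Y_3 : \tfrac14\}$ and $\mathcal{R}$-classes $\{X_1, Y_1\}$ and $\{X_2, Y_2, Y_3\}$, we get $\nu_1 = \nu_2 = \tfrac12$, $K_{\eta,\eta'} = \{(1,1), (2,2), (2,3)\}$ and $G_{\eta,\eta'} = \tfrac12 Z_{11} \oplus \tfrac14 Z_{22} \oplus \tfrac14 Z_{23}$.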

Based on the above $\mathcal{R}$ we choose a new set of variables $\tilde Z$ such that $\tilde Z = \{Z_{ij} \mid X_i \in \tilde X,\ Y_j \in \tilde Y \text{ and } (X_i, Y_j) \in \mathcal{R}\}$.

Furthermore, for each $Z_{ij} \in \tilde Z$ we construct three auxiliary finite sets of expressions, denoted by $A_{ij}$, $B_{ij}$ and $C_{ij}$, by the following procedure.

1. Initially the three sets are empty.

2. For each $\eta$ with $X_i \xrightarrow{\alpha} \eta$, arbitrarily choose one (and only one; the same principle applies in the other cases too) $\eta'$ (if it exists) satisfying $\eta \equiv_{\mathcal{R}} \eta'$ and $Y_j \stackrel{\alpha}{\Longrightarrow}_c \eta'$. If $\alpha \in Act$ then we construct the expression $G_{\eta,\eta'}$ and update $A_{ij}$ to be $A_{ij} \cup \{\alpha.G_{\eta,\eta'}\}$; if $\alpha = X$ for some $X$ then we update $A_{ij}$ to be $A_{ij} \cup \{X\}$. Similarly, for each $\eta'$ with $Y_j \xrightarrow{\alpha} \eta'$, arbitrarily choose one $\eta$ (if it exists) satisfying $\eta \equiv_{\mathcal{R}} \eta'$ and $X_i \stackrel{\alpha}{\Longrightarrow}_c \eta$. If $\alpha \in Act$ then we construct the expression $G_{\eta,\eta'}$ and update $A_{ij}$ to be $A_{ij} \cup \{\alpha.G_{\eta,\eta'}\}$; if $\alpha = X$ for some $X$ then we update $A_{ij}$ to be $A_{ij} \cup \{X\}$.

3. For each $\eta$ with $X_i \xrightarrow{\tau} \eta$, arbitrarily choose one $\eta'$ (if it exists) satisfying $\eta \equiv_{\mathcal{R}} \eta'$, $Y_j \Longrightarrow_c \eta'$ but not $Y_j \stackrel{\tau}{\Longrightarrow}_c \eta'$, construct the expression $G_{\eta,\eta'}$ and update $B_{ij}$ to be $B_{ij} \cup \{\tau.G_{\eta,\eta'}\}$.

4. For each $\eta'$ with $Y_j \xrightarrow{\tau} \eta'$, arbitrarily choose one $\eta$ (if it exists) satisfying $\eta \equiv_{\mathcal{R}} \eta'$, $X_i \Longrightarrow_c \eta$ but not $X_i \stackrel{\tau}{\Longrightarrow}_c \eta$, construct $G_{\eta,\eta'}$ and update $C_{ij}$ to be $C_{ij} \cup \{\tau.G_{\eta,\eta'}\}$.

Clearly the three sets constructed in this way are finite. Now we build a new equation set $U : \tilde Z = \tilde L$, where $Z_{11}$ is the distinguished variable and

$$
L_{ij} =
\begin{cases}
\sum_{G \in A_{ij}} G & \text{if } B_{ij} \cup C_{ij} = \emptyset \\
\tau.\big(\sum_{G \in A_{ij} \cup B_{ij} \cup C_{ij}} G\big) & \text{otherwise.}
\end{cases}
$$

We assert that $E$ provably satisfies the equation set $U$. To see this, we choose expressions

$$
G_{ij} =
\begin{cases}
E_i & \text{if } B_{ij} \cup C_{ij} = \emptyset \\
\tau.E_i & \text{otherwise}
\end{cases}
$$

and verify that $\mathcal{A}_o \vdash G_{ij} = L_{ij}\{\tilde G/\tilde Z\}$.


In the case that $B_{ij} \cup C_{ij} = \emptyset$, all those summands of $L_{ij}\{\tilde G/\tilde Z\}$ which are not variables are of the form

$$u.\bigoplus_{(i,j) \in K_{\eta,\eta'}} \frac{p_i q_j}{\nu_i}\, E'_i$$

where $E'_i = E_i$ or $E'_i = \tau.E_i$ for each $i$. By T4 we can prove that

$$u.\bigoplus_{(i,j) \in K_{\eta,\eta'}} \frac{p_i q_j}{\nu_i}\, E'_i = u.\bigoplus_{(i,j) \in K_{\eta,\eta'}} \frac{p_i q_j}{\nu_i}\, E_i .$$

Then by some arguments similar to those in Theorem 4, together with Lemma 3, we can show that

$$\mathcal{A}_o \vdash L_{ij}\{\tilde G/\tilde Z\} = H_i\{\tilde E/\tilde X\} = E_i .$$

On the other hand, if $B_{ij} \cup C_{ij} \neq \emptyset$, we let $C_{ij} = \{D_1, \ldots, D_o\}$ ($C_{ij} = \emptyset$ is a special case of the following argument) and $D = \sum_{l \in 1..o} D_l\{\tilde G/\tilde Z\}$. As in the last case we can show that

$$\mathcal{A}_o \vdash L_{ij}\{\tilde G/\tilde Z\} = \tau.(H_i\{\tilde E/\tilde X\} + D).$$

For any $l$ with $1 \leq l \leq o$, let $D_l\{\tilde G/\tilde Z\} = \tau.\bigoplus_k p_k E_k$. It is easy to see that $E_i \Longrightarrow_c \eta$ with $\eta = \{E_k : p_k\}_k$. So by Lemma 5 it holds that

$$\mathcal{A}_o \vdash \tau.E_i = \tau.E_i + D_l\{\tilde G/\tilde Z\}.$$

As a result we can infer

$$\mathcal{A}_o \vdash \tau.E_i = \tau.E_i + D = \tau.E_i + (E_i + D)$$

by Lemma 3. Similarly,

$$\mathcal{A}_o \vdash \tau.(E_i + D) = \tau.(E_i + D) + E_i .$$

Consequently it follows from T5 that

$$\mathcal{A}_o \vdash \tau.E_i = \tau.(E_i + D) = \tau.(H_i\{\tilde E/\tilde X\} + D) = L_{ij}\{\tilde G/\tilde Z\}.$$

In the same way we can show that $F$ provably satisfies $U$. Finally, $U$ is guarded because $S$ and $T$ are guarded. □

Theorem 9 (Completeness of $\mathcal{A}_o$). If $E$ and $F$ are guarded expressions and $E \simeq F$, then $\mathcal{A}_o \vdash E = F$.

Proof. A direct consequence of combining Theorems 6, 8 and 7. □

In the axiom system $\mathcal{A}_o$ the rule T5 deserves more explanation. This rule holds also in the non-probabilistic setting, but usually it is not part of the axiomatization because it is subsumed by other axioms. Here we need it, for instance
