Logical Methods in Computer Science

Vol. 2 (2:3) 2006, pp. 1–35 Submitted Apr. 4, 2005

www.lmcs-online.org Published Mar. 24, 2006

ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC

DANIEL HIRSCHKOFF a , ÉTIENNE LOZES b , AND DAVIDE SANGIORGI c

a
LIP - ENS Lyon
e-mail address: [email protected]
b
LSV- ENS Cachan
e-mail address: [email protected]
c
Università di Bologna
e-mail address: [email protected]

Abstract. The Ambient Logic (AL) has been proposed for expressing properties of pro-
cess mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages
on semistructured data.
In this paper, we study the expressiveness of AL. We define formulas for capabilities
and for communication in MA. We also derive some formulas that capture finitess of a
term, name occurrences and persistence. We study extensions of the calculus involving
more complex forms of communications, and we define characteristic formulas for the
equivalence induced by the logic on a subcalculus of MA. This subcalculus is defined by
imposing an image-finiteness condition on the reducts of a MA process.

Contents
1. Introduction 2
2. Background 5
2.1. Syntax of Mobile Ambients 5
2.2. Operational Semantics 6
2.3. The Ambient Logic 7
3. Formulas for capabilities and communications 8
3.1. Preliminary formulas: counting components and comparing names 9
3.2. Formulas for capabilities 9
3.3. Formulas for communication 12
4. Other intensional properties 15
4.1. Capturing finiteness 16
4.2. Formula for name occurrence 17
Key words and phrases: Spatial Logics, Mobile Ambients.
Work supported by european project FET-Global computing PROFUNDIS..
This work is a revised and extended version of parts of [San01] and [HLS02] (precisely, those parts that
deal with expressiveness issues).

l LOGICAL METHODS
IN COMPUTER SCIENCE DOI:10.2168/LMCS-2 (2:3) 2006
c D. Hirschkoff, É. Lozes, and D. Sangiorgi


CC Creative Commons
2 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

4.3. Formulas for persistence 18

5. Characteristic formulas 21
5.1. Intensional bisimilarity 22
5.2. The sub-calculus MAIF 23
6. Extensions of the calculus 26
6.1. Capabilities in messages 26
6.2. Synchronous Ambients 30
6.3. Other Extensions 34
References 34

1. Introduction
The Ambient Logic, AL, [CG00] is a modal logic for expressing properties of processes
in the calculus of Mobile Ambients, MA [CG98a, CG99]. In MA the unit of movement is an
ambient, which, intuitively, is a named location. An ambient may contain other ambients,
and capabilities, which determine the ambient movements. The primitives for movement
allow: an ambient to enter a sibling ambient; an ambient to exit the parent ambient; a
process to dissolve an ambient boundary. MA has a replication operator to make a process
persistent, that is, to make infinite copies of the process available.
An ambient can be thought of as a labelled tree. The sibling relation on subtrees
represents spatial contiguity; the subtree relation represents spatial nesting. A label may
represent an ambient name or a capability; moreover, a replication tag on labels indicates
the resources that are persistent.1 The trees are unordered: the order of the children of a
def
node is not important. As an example, the process P = !a[in c] | open a. b[0] is represented
by the tree:

!aւ ցopen a

in c ↓ b ↓

The replication !a indicates that the resource a[in c] is persistent: unboundedly many such
ambients can be spawned. By contrast, open a is ephemeral: it can open only one ambient.
Syntactically, each tree is finite. Semantically, however, due to replications, a tree is an
infinite object. As a consequence, the temporal developments of a tree can be quite rich.
The process P above (we freely switch between processes and their tree representation) has
only one reduction, to in c | !a[in c] | b[0]. However, the process !a[in c] | !open a. b[0] can
evolve into any process of the form
in c | . . . | in c | b[0] | . . . | b[0] | !a[in c] | !open a. b[0] .
In general, a tree may have an infinite temporal branching, that is, it can evolve into an
infinite number of trees, possibly quite different from each other (for instance, pairwise
behaviourally unrelated). Technically, this means that the trees are not image-finite.
In summary, MA is a calculus of dynamically-evolving unordered edge-labelled trees,
and AL is a logic for reasoning on such trees. The actual definition of satisfaction of the
formulas of AL is given on MA processes quotiented by a relation of structural congruence,
1We are using a tree representation different from that of Cardelli and Gordon, but more convenient to
our purposes.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 3

which equates processes with the same tree representation. (This relation is similar to
Milner’s structural congruence for the π-calculus [Mil99].)
AL has also been advocated as a foundation of query languages for semistructured
data [Car01]. Here, the laws of the logic are used to describe query rewriting rules and query
optimisations. This line of work exploits the similarities between dynamically-evolving edge-
labelled trees and standard models of semistructured data.
AL has a connective that talks about time, that is, how processes can evolve: the
formula ✸ A is satisfied by those processes with a future in which A holds. The logic has
also connectives that talk about space, that is, the shape of the edge-labelled trees that
describe process distributions: the formula n[A] is satisfied by ambients named n whose
content satisfies A (read on trees: n[A] is satisfied by the trees whose root has just a
single edge n leading to a subtree that satisfies A); the formula A1 | A2 is satisfied by
the processes that can be decomposed into parallel components P1 and P2 where each Pi
satisfies Ai (read on trees: A1 | A2 is satisfied by the trees that are the juxtaposition of two
trees that respectively satisfy the formulas A1 and A2 ); the formula 0 is satisfied by the
terminated process 0 (on trees: 0 is satisfied by the tree consisting of just the root node).
AL is quite different from standard modal logics. First, such logics do not talk about
space. Secondly, they have more precise temporal connectives. The only temporal connec-
tive of AL talks about the many-step evolution of a system on its own. In standard modal
logics, by contrast, the temporal connectives also talk about the potential interactions be-
tween a process and its environment. For instance, in the Hennessy-Milner logic [HM85],
the temporal modality hµi. A is satisfied by the processes that can perform the action µ and
become a process that satisfies A. The action µ can be a reduction, but also an input or
an output. The lack of temporal connectives in the ambient logic is particularly significant
because in MA interaction between a process and its environment can take several forms,
originated by the communication and the movement primitives. (There are 9 such forms;
they appear as labels of transitions in a purely SOS semantics of MA [CG98b, LS00].)

This paper is essentially devoted to the study of the expressiveness of AL. The results we
present show that AL is actually a very expressive formalism. In particular, we are able to
derive formulas expressing capabilities of processes for movement and for communication,
as well as the persistence of processes (as given by the replication operator), and free
occurrences of names in processes. The ability to derive such constructions is surprising,
considering that there is no connective in the logic that is directly related to such properties:
no construct mentions the capabilities of the calculus, nor does the logic include infinitary
operators, or operators that talk about resources with infinite multiplicity.
Our results are established using nontrivial technical developments, and the methods
we exploit are of interest in their own. More precisely, the general approach to derive
expressiveness formulas is to exploit adjunct connectives to introduce a form of contextual
reasoning, together with the temporal modality to make it possible to observe the desired
properties. It can be noted that related constructions have been introduced in the setting of
Separation Logic [Rey02] in order to express weakest preconditions for pointer manipulation
instructions in an imperative language.
The expressive power of AL that we thus prove has several consequences. The first
consequence is that we are able to define characteristic formulas for image-finite Ambi-
ent processes, i.e., formulas that capture the equivalence class of a process with respect
4 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

to the induced logical equivalence. This is in contrast with usual results in modal log-
ics. Typically, the definition of characteristic formulas exploits fixed-point operators, and
the characterised processes are finite-state [GS86, SI94]. As mentioned above, AL has no
fixed-point operator; moreover the image-finiteness condition on processes is weaker than
finite-state. (‘Image-finite’ expresses finiteness on internal reductions, whereas ‘finite-state’
also takes into account computations containing visible actions such as input and output
actions.)
Another major consequence of our results is to show that AL is an intensional logic.
Informally, this holds because the logic allows one to inspect the structure of processes,
not only by separating subcomponents of a process, but also by capturing its interaction
capabilities. More formally, intensionality of the Ambient Logic is expressed by showing
that the equivalence induced by the logic coincides with structural congruence on processes.
This result, that is established using the constructions we have discussed above (and, in
particular, characteristic formulas), says that AL is a very fine grained logic.

Structure of the paper. Section 2 introduces the calculus and the logic we study in this pa-
per. Sections 3 and 4 present two main contributions in terms of expressiveness of AL: we
define some formulas capturing respectively some syntactical constructions of the calculus
(capabilities for movement and communication) and some nontrivial properties of processes
(finiteness, occurrences of free names, and persistence). In Section 5, we exploit these con-
structions to define characteristic formulas for logical equivalence. Intensional bisimilarity,
which, for the purposes of the present work, is a technical device that is needed to reason
about characteristic formulas, is presented in Subsection 5.1. The proofs of the main prop-
erties enjoyed by intensional bisimilarity are not provided, and can be found in a companion
paper [HLS05]. Finally, in Section 6, we study extensions of the calculus we work with, and
show our results can be adapted to the corresponding settings.
The results of this paper come from the two conference papers [San01] and [HLS02]: in
[San01], the author presented the encoding of the modalities for capabilities and communica-
tions (Sections 3 and 6) and the definition of intensional bisimilarity, whereas the formulas
capturing finiteness, name occurrence, and persistence (Section 4) and the characteristic
formulas (Section 5) come from [HLS02]. This paper focuses on the expressiveness results
coming from these two conference papers, whereas a companion paper [HLS05] presents the
separability results.

Developments. By the time the writing of the present paper was completed, a few works
have appeared that make use of results or methods presented here. We discuss them below.
The ‘contextual games’ we have discussed above have been exploited in several set-
tings. Along the lines of the derivation of formulas capturing Mobile Ambients capabili-
ties, [HLS03] extends and develops this line of research in the setting of a sub-logic of AL,
that is applied to reason about MA and π-calculus processes. Other interesting properties
can be derived using this approach. An example is quantifiers elimination [CL04]. An-
other study [Hir04] demonstrates that in some sense, contextual games represent the logical
counterpart of ‘contextual testing’ as in barbed equivalence [SW01].
Our expressiveness results also allow us to bring to light redundancies in spatial logics
for concurrency. For example, an operator to express occurrences of free names in processes
is analysed in related works [CG01, HLS03]. In the setting of the present work, such an
operator is encodable in AL.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 5

h, k, . . . n, m Names Processes
η Names ∪ Variables P, Q, R ::= 0 (nil)

 P | Q (parallel)

Expressions  !P (replication)

M, N ::= cap (capability)  M . P (prefixing)

 η[P ] (ambient)

Capabilities  {η} (message)

cap ::= in η (enter)  (x) P (abstraction)

 out η (exit)

 open η (open)

Table 1: The syntax of finite MA

This kind of encodability results allow one to compare different versions of spatial logics
for concurrency, and are useful to assess minimality properties of the logics.

2. Background
This section collects the necessary background for this paper. It includes the MA
calculus [CG98a] (semantic and syntax), and the Ambient Logic [CG00].

2.1. Syntax of Mobile Ambients. We recall here the syntax of MA [CG98a] (we some-
times call this calculus the Ambient calculus). We first consider the calculus in which only
names, not capabilities, can be communicated; this allows us to work in an untyped calculus.
We analyse extensions of the calculus in Section 6.
As in [CG00, Car99, CG04], the calculus has no restriction operator for creating new
names. The restriction-free calculus has a more direct correspondence with edge-labelled
trees and semistructured data.
Table 1 shows the syntax. Both the set of names and that of variables are infinite.
Letters n, m, h range over names, x, y, z over variables; η ranges over names and variables.
The expressions in η, out η, and open η are the capabilities, and are ranged over using
cap. Messages and abstractions are the input/output (I/O) primitives. The metavariables
M, N , for messages, will become usefull when considering extensions of the language (see
Section 6). A closed process has no free variables. We ignore syntactic differences due to
alpha conversion, and we write P {n/x} for the result of substituting x with n in P . In the
paper, all definitions and results are given only for closed processes, unless otherwise stated.
Given an integer n > 0, we will write Pi , (1 ≤ i ≤ n) for a (finite) sequence of processes
P1 , . . . , Pn .
Processes having the same internal structure are identified. This is expressed by means
of the structural congruence relation, ≡, the smallest congruence such that:
6 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

Red-Open Red-In
open n. P | n[Q] −→ P | Q n[in m. P1 | P2 ] | m[Q] −→ m[n[P1 | P2 ] | Q]
P −→ P ′
Red-Out Red-Amb
m[n[out m. P1 | P2 ] | Q] −→ n[P1 | P2 ] | m[Q] n[P ] −→ n[P ′ ]
P −→ P ′
Red-Com Red-Par
{M } | (x) P −→ P {M/x} P | Q −→ P ′ | Q
P ≡ P′ P ′ −→ P ′′ P ′′ ≡ P ′′′
Red-Str
P −→ P ′′′

Table 2: The rules for reduction

P |0 ≡ P P |Q ≡ Q|P P | (Q | R) ≡ (P | Q) | R

!P ≡ !P | P !0 ≡ 0 !(P | Q) ≡ !P | !Q !!P ≡ !P
As a consequence of results in [DZ00], that studies a richer calculus than the one we
study, we have:
Theorem 2.1. The relation ≡ is decidable.
The two following syntactic notions will be useful below.
Definition 2.1 (Finite and single processes).
• A closed process P is finite if there exists a process P ′ with no occurrence of the
replication operator such that P ≡ P ′ .
• A closed process P is single if there exists P ′ such that either P ≡ cap. P ′ for some
cap, or P ≡ n[P ′ ] for some n, or P ≡ (x)P for some x.
Unless otherwise stated, all results and definitions we state in the sequel are on closed
terms.

2.2. Operational Semantics. The operational semantics of the calculus is given by a

reduction relation −→, defined by the rules presented in Table 2.2. The reflexive and
transitive closure of −→ is written =⇒.
Lemma 2.2. If P −→ Q then there is a derivation of the reduction in which Red-Str is
applied, if at all, only as the last rule.
Lemma 2.2 shows that every reduction P −→ P ′ has a normalised derivation proof. As
a consequence, we have:
Lemma 2.3. If P −→ Q then either
(1) P ≡ R | m[n[out m. P1 | P2 ] | P3 ] and Q ≡ R | n[P1 | P2 ] | m[P3 ], or
(2) P ≡ R | n[in m. P1 | P2 ] | m[P3 ] and Q ≡ R | m[n[P1 | P2 ] | P3 ], or
(3) P ≡ R | open n. P1 | n[P2 ] and Q ≡ R | P1 | P2 , or
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 7

A ::= ⊤ (true)

 ¬A (negation)

 A∨B (disjunction)

 ∀ x. A (universal quantification over names)

 ✸A (sometime)

 0 (void)

 η[A] (edge)

 A|B (composition)

 A@η (localisation)

 A⊲B (guarantee)

Table 3: The syntax of logical formulas

(4) P ≡ R | {n} | (x) P1 and Q ≡ R | P1 {n/x}, or

(5) P ≡ R | n[P1 ], Q ≡ R | n[Q1 ] and P1 −→ Q1 .
We now introduce some forms of labelled transitions that we will use to give the inter-
pretation of some of our logical constructions.
Definition 2.2 (Labelled transitions). Let P be a closed process. We write:
cap
→ P ′ , where cap is a capability, if P ≡ cap. P1 | P2 and P ′ = P1 | P2 .
• P −
{n}
→ P ′ if P ≡ {n} | P ′ .
• P −
?n
• P − → P ′ if P ≡ (x) P1 | P2 and P ′ ≡ P1 {n/x} | P2 .
µ µ µ
• P =⇒ P ′ , where µ is one of the above labels, if P =⇒ −
→ =⇒ P ′ (where =⇒ −
→ =⇒
is relation composition).
(cap ,cap )⋆
• (stuttering) P ====1===2=⇒P ′ if there is i ≥ 1 and processes P1 , . . . , Pi with P = P1
cap cap
and P ′ = Pi such that Pr =⇒1 =⇒2 Pr+1 for all 1 ≤ r < i.
hcapi
• Finally, =⇒ is a convenient notation for compacting statements involving capability
hin ni (out n,in n)⋆ hout ni (in n,out n)⋆
transitions. We let =⇒ stand for ========⇒; similarly =⇒ is ========⇒;
hopen ni
and =⇒ is =⇒.

2.3. The Ambient Logic. The logic has the propositional connectives, ⊤, ¬A, A ∨ B,
and universal quantification on names, ∀x. A, with the standard logical interpretation. The
temporal connective, ✸A has been discussed in the introduction. The spatial connectives, 0,
A | B, and η[A], are the logical counterpart of the corresponding constructions on processes.
A⊲B and A@η are the logical adjuncts of A | B and η[A] respectively, in the sense of being
roughly their ‘contextual inverse’, as expressed in Definition 2.3 below.
The logic in [CG00] has also a somewhere connective, that holds of a process containing,
at some arbitrary level of nesting of ambients, an ambient whose content satisfies A. We do
8 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

not consider this connective in the paper because we find it less fundamental than the other
operators; in any case, its addition would not affect the results in the paper and has been
seldomly considered in other works. (Further, we discuss in the final section a “strong”
version of the sometimes modality.)
Definition 2.3 (Satisfaction). The satisfaction relation between closed processes and closed
formulas, written P |= A, is defined as follows:
def
P |= ⊤ = always true
def
P |= ∀ x . A = for any n, P |= A{n/x}
def
P |= ¬ A = not P |= A
def
P |= A1 | A2 = ∃P1 , P2 s.t. P ≡ P1 | P2 and Pi |= Ai , i = 1, 2
def
P |= A ∨ B = P |= A or P |= B
def
P |= n[A] = ∃P ′ s.t. P ≡ n[P ′ ] and P ′ |= A
def
P |= 0 = P ≡0
def
P |= ✸A = ∃P ′ s.t. P =⇒P ′ and P ′ |= A
def
P |= A@n = n[P ] |= A
def
P |= A ⊲ B = ∀R, R |= A implies P | R |= B
By definition, satisfaction is closed by structural congruence:
Lemma 2.4. If P ≡ Q and P |= A, then also Q |= A.
We give ∨ and ∧ the least syntactic precedence, thus A1 ⊲A2 ∧ A3 reads (A1 ⊲A2 ) ∧
A3 , and A1 ⊲(✸A2 ∧ ✸A3 ) reads A1 ⊲((✸A2 ) ∧ (✸A3 )). We shall use the dual of some
connectives, namely the duals of linear implication (A◮B), of the sometime modality (A),
of the parallel operator (k), and the standard duals of universal quantification (∃ x . A) and
disjunction (A ∧ B); we also define (classical) implication (A → B):

def def def

A ∧ B = ¬(¬A ∨ ¬B) A = ¬✸¬A A → B = ¬A ∨ B

def def def

∃ x . A = ¬∀ x . ¬A A◮B = ¬(A⊲¬B) ⊥ = ¬⊤
Thus P |= A◮B iff there exists Q with Q |= A and P | Q |= B, and P |= ✷A iff P ′ |= A
for all P ′ such that P =⇒ P ′ .
We now define the induced equivalence between processes induced by the logic:
Definition 2.4 (Logical equivalence). For processes P and Q, we write P =L Q if for any
closed formula A it holds that P |= A iff Q |= A.

3. Formulas for capabilities and communications

In this section, we show that we can capture at a logical level prefixes of the language,
both for movement and for communication.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 9

3.1. Preliminary formulas: counting components and comparing names. We start

by recalling some formulas from [CG00] that will be useful for some constructions presented
below.
The Ambient Logic allows one to count the number of parallel components of a process.
The formula below is true of a process that has exactly one parallel component that is
different from 0.
def
1comp = ¬ (¬ 0 | ¬ 0) ∧ ¬ 0

Lemma 3.1. It holds that P |= 1comp iff P is single.

Similarly we define
def
2comp = 1comp | 1comp

We may impose a given formula A to be satisfied by all single parallel components of

a process, using the following definitions:

def
A∀ = ¬(¬A | ⊤)
def
Aω = (1comp → A)∀

Lemma 3.2.
• P |= A∀ iff for any Q, R such that P ≡ Q | R, it holds that Q |= A.
• P |= Aω iff all single parallel components of P satisfy A.
We shall use later the following derived formula, from [CG00], that expresses equality
between names:

def
m = n = (n[⊤])@m

Lemma 3.3. P |= m = n iff names m and n are equal.

3.2. Formulas for capabilities. The two formulas below are true of a process that is
(structurally congruent to) an ambient and (to) an empty ambient, respectively.

def
1amb = ∃ x . x[⊤]
def
1amb0 = ∃ x . x[0]

Lemma 3.4.
• P |= 1amb iff P ≡ n[Q], for some n and Q.
• P |= 1amb0 iff P ≡ n[0], for some n.
10 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

To help understanding the definitions of the capability formulas, we first discuss some
simpler formulas, which do not talk about the process underneath the prefix. We define,
for names n 6= h:
def
hhopen nii = n[h[0]] ⊲ ✸ (h[0] | ⊤)
∧ 1comp
∧ ¬ 1amb
def
hhout nii = (✸ (h[⊤] | n[0]))@n@h
∧ 1comp
∧ ¬ 1amb
It holds that P |= hhopen nii iff P ≡ open n. P ′ for some P ′ . We sketch the proof. The
sub-formula 1comp ∧ ¬ 1amb says that P is single and is not an ambient. Thus, modulo
≡, process P can only be 0, open m. P ′ , in m. P ′ , out m. P ′ , (x) P ′ , or {m}, for some m.
The sub-formula n[h[0]] ⊲ ✸ (h[0] | ⊤) says that P | n[h[0]] can reduce to a process with
an empty ambient h at the outermost level. From these requirements, we conclude that
P ≡ open n. P ′ , for some P ′ .
Similarly we prove that P |= hhout nii iff P ≡ out n. P ′ , for some P ′ . By the sub-
formula 1comp ∧ ¬ 1amb, process P is single and is not an ambient. By the sub-formula
(✸ (h[⊤] | n[0]))@n@h,
n[h[P ]] |= ✸ (h[⊤] | n[0])
hence P ≡ out n. P ′ , for some P ′ , otherwise h[P ] could not exit n.
To obtain the full capability formulas we add some quantification on names. Formula
hhopen nii. A is thus defined as follows:

def
hhopen nii. A = ∀ y . n[y[0]] ⊲ ✸ (y[0] | A)
∧ 1comp
∧ ¬ 1amb
def
1open = ∃ x . ∀ y . x[y[0]] ⊲ ✸ (y[0] | ⊤)
∧ 1comp
∧ ¬ 1amb

Remark 3.1 (Formulas containing free variables). It will often be the case in the remainder
of the paper that we define a formula involving a name, say n, and need the corresponding
logical construction where a variable x is used instead of n. For instance, the formula
1open above could be defined as as “ ∃ x . hhopen xii. ⊤”, which is not correct because
hhopen nii. A has been defined but hhopen xii. A has not. In the sequel, when clear from the
context, we shall allow ourselves to adopt nevertheless this abuse of notation, that should
be understood as ‘rewrite the definition of the corresponding formula using x instead of
n’ (see in particular the formulas to capture name reception, and their interpretation, in
Lemma 3.15, and characteristic formulas for input guarded processes in Section 5).
Satisfaction being defined only between closed processes and closed formulas, the im-
portant point in doing so is to avoid reasoning about the satisfaction of formulas containing
free variables: we shall therefore only write formulas containing an ‘x’ under the scope of a
variable quantification.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 11

Lemma 3.5. P |= hhopen nii. A iff P ≡ open n. P ′ , for some P ′ such that P ′ =⇒ P ′′ and
P ′′ |= A.
P |= 1open iff P ≡ open n. P ′ for some n and P ′ .
Proof. We only consider the first property, from which the second follows easily. The im-
plication from right to left is easy.
For the reverse implication, we set
def
G = n[h[0]] ⊲ ✸ (h[0] | A)
where h 6∈ n(P ). Since P |= 1comp, we have P ≡ Q, for some Q that is not a parallel
composition. Since also P |= ¬ 1amb, we infer that Q is not an ambient. Finally since P |= G,
process Q cannot be of the form 0, in n. Q′ , out n. Q′ , (x) Q′ , {p}. For the same reason, Q
cannot be a prefix open m. Q′ with m 6= n. The only possibility left is Q = open n. Q′ , for
some Q′ .
Moreover, we have
n[h[0]] | open n. Q′ =⇒ R and R |= h[0] | A
for some R. The first step of this reduction must be
n[h[0]] | open n. Q′ −→ h[0] | Q′
(up to ≡). Since h is fresh, h[0] cannot interact with Q′ . Hence
R ≡ h[0] | Q′′
for some Q′′ such that Q′ =⇒ Q′′ .
Along the lines of our construction for the open prefix, we can define characteristic
formulas for the in and out prefixes.
 
def
hhout nii. A = ∀ x . (✸ (x[A] | n[0]))@n@x
∧ 1comp
∧ ¬ 1amb
def
1out = ∃ x . hhout xii
 
def
hhin nii. A = ∀ x . (n[0] ⊲ ✸ n[x[A]])@x
∧ 1comp
∧ ¬ 1amb
def
1in = ∃ x . hhin xii

(in n,out n)⋆

Lemma 3.6. P |= hhout nii. A iff P ≡ out n. P ′ , for some P ′ such that P ′ ========⇒P ′′
and P ′′ |= A.
Proof. Similar to the proof for the open prefix. The formula 1comp ∧ ¬ 1amb forces P to
be single and not an ambient. Therefore P ≡ Q, for some Q whose outermost operator is
not a parallel composition or an ambient. Then we should have
n[h[Q]] |= ✸ (h[A] | n[0])
12 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

(in n,out n)⋆

This can only happen if Q is of the form out n. Q′ , for some Q′ such that Q′ ========⇒Q′′
and Q′′ |= A.
(out n,in n)⋆
Lemma 3.7. P |= hhin nii. A iff P ≡ in n. P ′ , for some P ′ such that P ′ ========⇒P ′′ and
P ′′ |= A.
Proof. Similar to the previous proofs. The formula 1comp ∧ ¬ 1amb forces P to be single
and not an ambient. Therefore P ≡ Q, for some Q whose outermost operator is not a
parallel composition or an ambient. Then we should have
h[Q] | n[0] |= ✸ n[h[A]]
where h is fresh. As by previous arguments, this can only happen if Q is of the form in n. Q′ ,
and Q′ reduces (with suttering) to Q′′ satisfying A.
Given a capability cap, we may define the ‘necessity’ version of the ‘possibility’ formulas
we have just introduced as follows:

def
[[cap]]. A = hhcapii. ⊤ ∧ ¬hhcapii. ¬A

Lemma 3.8. For any capability cap, formula A and term P , P |= [[cap]]. A iff there is P ′
hcapi
such that P ≡ cap. P ′ , and, for any P ′′ such that P ′ =⇒ P ′′ , P ′′ |= A.
Note that necessity formulas are not the dual of the possibility formulas, as in standard
modal logics, because of the spatial aspects of AL. For instance, [[in n]]. ⊤ does not have the
same interpretation as ¬hhin nii. ¬⊤, the latter being actually equivalent to ⊤.
cap
Remark 3.2. We could think of deriving formulas for modalities =⇒, as in standard modal
logics for concurrency [HM85], instead of capturing the syntactical prefixes corresponding
to a capability cap. More precisely, we could look for a formula hhcapiiA capturing processes
cap
P for which there is P ′ such that P =⇒ P ′ and P ′ |= A. It turns out that spatial logics are
more intensional, and make actions more difficult to express than connectives. In particular,
open n
we do not know how to express directly a modality corresponding to action =⇒ .

3.3. Formulas for communication. The first step to characterise I/O processes (i.e.,
messages or abstractions) is to get rid of other possible constructs for single terms, as
follows:

def
1comm = 1comp ∧ ¬ 1amb ∧ ¬ 1open ∧ ¬ 1out ∧ ¬ 1in

Lemma 3.9. P |= 1comm iff (P ≡ {p} or P ≡ (x) P ′ ), for some p and P ′ .

The following formula, that holds of a process that is the parallel composition of two
I/O processes, will also be useful:
def
2comm = 1comm | 1comm .
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 13

The difficult part, however, is the definition of the I/O formulas for separating mes-
sages from abstractions, and also, within the messages and the abstractions, messages with
different contents and abstractions with different behaviours.
The capability formulas are easier to define than the I/O formulas because capabilities
act on ambients, and the logic has a connective, n[A], for talking about ambients. By
contrast, the I/O primitives act on themselves. To define the I/O formulas, we proceed as
follows:
(1) We define a formula, TestComm, that characterises the special abstraction (x) x[0].
(2) We use TestComm to define the formula for messages:
def
F{n} = 1comm ∧ (TestComm ⊲ ✸ n[0])
It holds that P |= F{n} iff P ≡ {n}.
(3) We then use F{n} to define the formulas for abstractions:
def
hh?nii. A = 1comm ∧ (¬ ∃ x . F{x} ) ∧ (F{n} ⊲ ✸ A)
It holds that P |= hh?nii. A iff P ≡ (x) Q and {n} | P =⇒ P ′ with P ′ |= A.
Lemma 3.10. Given (x) R, suppose there is q such that
{q} | (x) R |= ✷(2comm ∨ 1amb0)
and R contains no abstractions. Then R ≡ η[0], for some η.

We call ambient abstraction any closed abstraction described by the following grammar:

P ::= (x) η[0]  (x) ({η} | P )
The following lemma shows how to characterise ambient abstractions using formulas.
Lemma 3.11. Given an abstraction (x) R, suppose there is q such that
{q} | (x) R |= ✷(2comm ∨ 1amb0) (3.1)
and
{q} | (x) R |= ✸ 1amb0. (3.2)
Then (x) R is an ambient abstraction.
Proof. By induction on the number of nested abstractions in R. If this number is 0 then by
Lemma 3.10 we derive R ≡ η[0].
Suppose the number is greater than 0. From (3.1) and
{q} | (x) R −→ R{q/x}
we derive
R{q/x} |= 2comm ∨ 1amb0
Since R should contain an abstraction, the formula 1amb0 is not satisfied, hence
R{q/x} |= 2comm
Using this, the fact that R{q/x} should contain an abstraction, and (3.2) we infer that
R{q/x} ≡ {p} | (y) Q
for some p, y, Q. By induction hypothesis, we deduce that (y)Q is an ambient abstraction.
From this, R{q/x} is an ambient abstraction too, and this induces that R itself is an ambient
abstraction.
14 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

We say that an ambient abstraction P is simple if P =β (x) x[0], where =β is the least
congruence that is closed under the rule
{M } | (x) P = P {M/x} .
We recall that the operator ◮, used in the following lemma, has been introduced at the
end of Section 2.
Lemma 3.12. Suppose (x) Q is an ambient abstraction, and
(x) Q |= 1comm ◮ ✸ n[0]
(x) Q |= 1comm ◮ ✸ m[0]
with m 6= n. Then (x) Q is simple.
Proof. From the hypothesis, there are p and q such that
{p} | (x) Q |= ✸ n[0] and
{q} | (x) Q |= ✸ m[0] .
If (x) Q were not simple, then the name of the ambient to which it reduces to would not
depend on the argument x. (Note that any ambient abstraction is =β to an abstraction of
the form (x) η[0], for some x, η. The hypothesis of the lemma implies that η = x.)
As hinted above, the key step is the definition of the formula below, which is the
characteristic formula of simple ambient abstractions.

def
TestComm = 1comm
∧ 1comm ⊲ ✷(2comm ∨ 1amb0) (3.3)
∧ 1comm ◮ ✸ n[0] (3.4)
∧ 1comm ◮ ✸ m[0] (3.5)
where n, m are different names.
Lemma 3.13. P |= TestComm iff P is a simple ambient abstraction and is closed.
Proof. The implication from right to left is easy. We consider the opposite.
Process P must be an I/O, since P |= 1comm. Also, P cannot be a message, otherwise
it would not satisfy the formula
1comm ⊲ ✷(2comm ∨ 1amb0)
since a message in parallel with (x) 0 can reduce to 0, which does not satisfy 2comm ∨ 1amb0.
We conclude that P should be an abstraction, say (x) Q. Now, from (3.3) and (3.4),
we get that there are messages p, q such that
{p} | (x) Q |= ✷(2comm ∨ 1amb0)
{q} | (x) Q |= ✸ n[0]
From Lemma 3.11 we infer that (x) Q is an ambient abstraction. Moreover, by (3.4), (3.5)
and Lemma 3.12, (x) Q must be simple.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 15

Now we are finally in the position of defining the characteristic formula for a message
{n}:
def
F{n} = TestComm ⊲ ✸ n[0]
∧ 1comm
and, then, the characteristic formula for a message is

def
1mess = ∃ x . F{x}

Lemma 3.14. P |= F{n} iff P ≡ {n}, and P |= 1mess iff P ≡ {n} for some n.
Proof. The right to left direction is easy. For the converse, we observe that P must be
an I/O, and that P cannot be an abstraction (otherwise, when adding a process satisfying
TestComm, we could not obtain an ambient). Hence P ≡ {m}, for some m.
Given a simple ambient abstraction Q, we have that
Q | {m} |= ✸ n[0] iff m = n.
This allows us to deduce that P ≡ {n}.
We can now define the two modalities for the input connective:

def
hh?nii. A = 1comm ∧ (¬ ∃ x . F{x} ) ∧ (F{n} ⊲ ✸ A)
def
[[?n]]. A = hh?nii. ⊤ ∧ ¬hh?nii. ¬A
def
1input = ∃x. hh?xii. ⊤

Lemma 3.15.
• P |= hh?nii. A iff there are P ′ , P ′′ such that P ≡ (x)P ′ , (x)P ′ | {n}=⇒P ′′ , and
P ′′ |= A.
• P |= [[?n]]. A iff there is P ′ with P ≡ (x)P ′ , and for all P ′′ such that (x)P ′ |
{n}=⇒P ′′ , P ′′ |= A.

4. Other intensional properties

As we have just seen, AL can capture several syntactical constructions of the calcu-
lus. We now further explore the expressiveness of AL, going beyond the results we have
established about capabilities and communications.
We first define a formula φf in that characterises finite terms, using a form of contextual
reasoning. The same method is applied to derive a formula n c that characterises the terms
containing n as a free name. We then introduce formulas that characterise in a restricted
sense persistent single terms of the calculus. These formulas will be used in Section 5 to
establish characteristic formulas for a sub-calculus of MA.
16 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

4.1. Capturing finiteness. We now present a formula that is satisfied by all and only
the finite processes. Detecting replication seems a priori unfeasible in the present version
of AL, as it does not provide a recursion operator. We capture the ‘finite’ character of a
term using the fact that a replicated process is persistent, i.e., it is always present along the
reductions of a term.
The characterisation of finiteness relies on the existence of a scenario which guarantees
reachability of 0, as expressed by the two following lemmas:
Lemma 4.1. Let P, Q be two terms such that P =⇒ Q. Then P is finite iff Q is finite.
Proof. By induction over the length of the =⇒ derivation, then induction over the structure
of the proof of the −→ transition.
Lemma 4.2. P is finite iff there are Q, R, n such that n[P | Q] | R =⇒ 0.
Proof.
• Let us first assume that P is finite. We prove by induction on the size of P that there
exist Q and R such that for any P ′ ,
n[P | P ′ | Q] | R =⇒ n[P ′ ]
The left to right implication can then be obtained using this property with P ′ = 0 and
adding open n in parallel with R.
1 For P = 0, take Q = R = 0.
2 For P ≡ m[P1 ], we have by induction Q1 , R1 such that n[P1 | P ′ | Q1 ] | R1 =⇒n[P ′ ]
for any P ′ . Now we set Q = open m | Q1 and R = R1 . Then it is clear that
n[m[P1 ] | P ′ | Q] | R =⇒ n[P ′ ] for any P ′ .
3 For P ≡ P1 | . . . | Pr (with no replicated component), we use the induction
hypothesis to obtain Qi and Ri , and then set Q = Q1 | . . . | Qr , R = R1 | . . . | Rr
such that for any P ′ ,
n[P | P ′ | Q] | R =⇒ n[P2 | . . . | Pr | P ′ | Q2 | . . . | Qr ] | R2 | . . . | Rr
=⇒ . . . =⇒ n[P ′ ]
reasoning inductively on r.
4 For P ≡ cap. P1 , we use the induction hypothesis to get Q1 and R1 , and we define
Q and R according to the shape of cap as follows:
– cap = in m. Then we set Q = Q1 and R = m[0] | open m | R1 . Then for any
P ′:
n[P | P ′ | Q] | R −→ m[n[P1 | P ′ | Q]] | open m | R1
−→ n[P1 | P ′ | Q1 ] | R1
=⇒ n[P ′ ]
– cap = out m. We set Q = in m | Q1 and R = m[0] | open m | R1 , so that we
can conclude.
– cap = open m. We set Q = m[0] | Q1 and R = R1 .
• For P ≡ {m}, we set Q = (x)0, and R = 0.
• For P ≡ (x)P1 : by induction hypothesis applied to P1 {n/x}, we get Q1 and R1 ;
then we set Q = {n} | Q1 and R = R1 .
The first implication is thus established.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 17

• Let us now assume P is not finite. Then for any n, Q, R, n[P | Q] | R is also infinite, and
by the previous lemma, it is also the case for any of its reducts, and hence it cannot reduce
to 0.
We can now define:

def

φfin = ∃x. ⊤ ◮ (⊤ ◮ ✸0)@x

Theorem 4.3. For any P , P |= φfin iff P is finite.

Proof. From Definition 2.3, P |= φfin holds if there are n, Q, R such that n[P | Q] | R=⇒0.
We then conclude with Lemma 4.2.

4.2. Formula for name occurrence. Our aim is now to define a formula corresponding
c defined by:
to the connective n,
c iff n ∈ fn(P ) .
P |= n
For this, we exploit Lemma 4.4 together with the ability, using the formulas for capa-
bilities, to detect unguarded occurrences of names.
We say that a process P is flat if it has no inputs and the only process underneath all
capabilities, and inside all ambients of P is 0. We say that a process P has an occurrence
of name n at top level if P ≡ cap. P ′ | P ′′ with cap = in n, out n or open n, P ≡ n[P ′ ] | P ′′
or P ≡ {n} | P ′ .
For the proof of the next lemma, we would also need a more general notion. The
occurrence depth of a name n in an open term is given by a function depthn : P−→N ∪ {∞},
stable by ≡E , inductively defined as follows:
- depthn (0) = ∞.
- depthn (n[P1 ]) = 0, and for n 6= η, depthn (η[P1 ]) = depthn P1 + 1.
- depthn ((!)P1 | . . . (
| (!)Pr ) = min1≤i≤r depthn (Pi ) (here (!)Q stands for Q or !Q).
0 for cap ∈ {in n, out n, open n},
- depthn (cap. P ) =
depthn (P ) + 1 otherwise.
- depthn ((x)P ) = depthn (↓β P ) + 1, where ↓β P stands for the smallest term such
that P =β ↓β P
- depthn ({n}) = 0 and depthn ({η}) = ∞ for η 6= n.
Lemma 4.4. For all P, n, we have n ∈ fn(P ) iff for any name m, there exist some flat
processes Q, R, in which n does not occur free, and a process S with an occurrence of n at
top level such that m[P | Q] | R =⇒ m[S].
Proof. Note that the property of S having an occurrence of n at top level is equivalent to
depthn (S) = 0. We are now ready to prove the lemma:
• We first consider the implication from left to right. Let us assume that depthn (P )
is finite. We consider a name m, and prove by induction on depthn (P ) that there
exist Q, R, S satisfying the conditions of the lemma.
– if depthn (P ) = 0, we take Q = R = 0 and S = P .
18 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

– if depthn (P ) = i + 1, we first consider the case where P ≡ in m1 . P1 | P2 with

depthn (P1 ) = i. By induction hypothesis, there are Q1 , R1 , S1 and m satisfying
the conditions of the lemma for P1 | P2 . We then can set for P : Q = Q1 ,
R = m1 [0] | open m1 | R1 and S = S1 | P2 , then Q, R, S can be chosen for
P.
The other cases are treated similarly: we define processes that allow us to
trigger a capability in order to decrease the occurrence depth of n in the term.
The definition of these processes follows the ideas in the proof of Lemma 4.2.
The first implication is proved.
• For the implication from right to left, we assume that n 6∈ fn(P ). We consider m 6= n,
and some Q, R as in the statement of the lemma. Then n 6∈ fn(m[P | Q] | R), so
that for any T such that m[P | Q] | R =⇒ T , n 6∈ fn(T ).
We can now define the formula n c to capture the set of free names of a process,
c 1 n needed in the definition of n.
together with the two auxiliary formulas flat and c
These formulas are given in Table 4.

def
flat = (∃x. [[in x]]. 0 ∨ [[out x]]. 0 ∨ [[open x]]. 0 ∨ x[0] ∨ F{x} )ω
def

c 1n
= hhin nii. ⊤ ∨ hhout nii. ⊤ ∨ hhopen nii. ⊤ ∨ n[⊤] ∨ F{n} ⊤
def

c
n = ∀x. (flat ∧ ¬ c 1 n) ◮ (flat ∧ ¬ c 1 n) ◮ ✸ x[
c 1 n] @x

Table 4: Formulas for free names

Formula nc detects whether name n occurs in a process, while c 1 n detects whether

n occurs at top level (i.e. P satisfies this formula iff depthn (P ) = 0).
c iff n ∈ fn(P ).
Theorem 4.5 (Name occurrence). P |= n
Proof. Consequence of the previous lemma.

4.3. Formulas for persistence. We now move to the definition of formulas that char-
acterise persistence, which is given by the replication operator in MA. In other words, we
investigate the possibility of defining formulas !A that detect replicated term !P such that P
satisfies A. However, we cannot hope to define arbitrary formulas with precisely this prop-
erty. First, the form !P is too restrictive: as P =L Q implies !P =L !P | Q (see [HLS05]), a
formula !A would not distinguish between a uniquely replicated process !P , and a replicated
process ”with admissible garbage” !P | Q or !P | !Q. Second, if we want to express that the
process holds something replicated, one has to reject formulas satisfied by the process 0.
We hence restrict our attention to the case of formulas A whose models are single
processes only. For these formulas, !A characterizes replicated processes, in the sense that

1) P ≡ !P1 | (!)P2 | . . . | (!)Pn
P |= !A ⇔ ∃P1 , . . . , Pn s.t.
2) ∀i ∈ 1 . . . n, Pi |= A
where (!) denotes an optional replication. In the sequel, we show how to define the formula
!A when A characterizes a guarded process and has some extra conditions. For the purpose
of defining characteristic formulas, this will be sufficient. However, it remains an open
question how to define !A on a larger language.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 19

def
Repin n (A) = Aω ∧ ∀m. (¬ m) c →

ω
([[out n]]. 0) ⊲ n[0] ⊲ ✸ ( n[m[A | ⊤]] ) @m
def
Repout n (A) = Aω ∧ ∀m. (¬ m) c →

([[in n]]. 0)ω ⊲ n[0] ⊲  ✸( m[A | ⊤] | n[0] ) @m
def
Repopen n (A) = Aω ∧ (n[0])ω ⊲  ( A | ⊤ )
def
Repn[] (A) = (n[A])ω ∧ ([[open n]]. 0)ω ⊲  ( n[A] | ⊤ )
def
F!{n} = F{n} ω ∧ TestCommω ⊲  ( F{n} | ⊤ )
def
Repinput (A) = Aω ∧ 1messω ⊲  ( A | ⊤ )

Table 5: Formulas for persistent single terms

The definition of !A has two parts. The first part says that if P |= !A then all parallel
components in P that are single and at top level satisfy A. This is expressed by the formula
Aω . The second part of the definition of !A addresses persistence, by saying that there are
infinitely many processes at top level that satisfy A in the sense that we may not consume
all copies by some finite sequence of reduction. Definitions are given in Table 5: there is
one formula for each possible topmost constructor (recall that we are considering a single
process).
Formula F!{n} is actually a characteristic formula, since it is satisfied only by the process
!{n}. For this reason, we anticipate the notation FP of the characteristic formula of P (see
Section 5). For the other formulas, we express the replication of a process satisfying A; the
interpretation of these formulas hence relies on the actual meaning of A.
To illustrate the point, consider formula Repopen n (hhopen nii. ⊤). This formula only
specifies that any number of capabilities open n should be present at top-level, and thus
holds for process !open n. 0, but also for open n. !open n. 0. On the other hand, hhopen nii. ⊤
can be replaced by the more discriminating formula [[open n]]. 0: then we obtain a formula
that only accepts process !open n. 0.
In light of these observations, we define the following measures on terms:
Definition 4.1 (Sequentiality degree, sd). The sequentiality degree of an open term is
defined as follows:


• sd(0) = 0, sd(P | Q) = max sd(P ), sd(Q) ;
• sd(η[P ]) = sd(!P ) = sd(P );
• sd(cap. P ) = sd(P ) + 1.
• sd({η}) = 1 and sd((x)P ) = sd(↓β P ) + 1
Definition 4.2 (Depth degree). The depth degree of a process is given by a function dd
from MA processes to natural numbers, inductively defined by:
• dd(0) = 0, dd(cap. P ) = dd((x)P ) = dd({η}) = 0;
• dd(η[P ]) = dd(P ) + 1;
• dd((!)P1 | . . . | (!)Pr ) = max1≤i≤r dd(Pi ).
Lemma 4.6. For any processes P and Q, P ≡ Q implies sd(P ) = sd(Q) and dd(P ) =
dd(Q).
20 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

Definition 4.3 (Selective and expressive formulas). A formula is sequentially (resp. depth)
selective if all processes satisfying it have the same sequentiality (resp. depth) degree.
For any capability cap (resp. name n) and formula A, A is cap-expressive (resp. n-
expressive, input-expressive) if all terms satisfying it are of the form cap. P (resp. n[P ],(x)P ).
Example 1. hhin nii. n[0] is in n-expressive but not sequentially selective: it admits both
in n. n[0] and in n. (n[0] | open n. n[0]) as models. On the other hand, [[in n]]. n[0] is both
sequentially selective and in n-expressive. As we will see below (Subsection 5.2), the com-
bination of hhcapii and [[cap]] modalities allows us to define sequentially selective formulas.
These two forms of selectivity are useful for the characterisation of persistence. Indeed,
the sequentiality (resp. depth) degree of a single prefixed (resp. ambient) term is strictly
decreasing when consuming the prefix (resp. opening the ambient). This property is needed
in order to detect the presence of replication at top-level in a process, and interpret the
formulas introduced above.
µ
Lemma 4.4. Let P, Q be two terms of MA. If P −→ Q or P −
→ Q for some µ, then
sd(P ) ≥ sd(Q).
µ
Proof. The property for −
→ follows from the definition of sd(P ). For P −→ Q, one reasons
by induction and case analysis (using Lemma 2.3).
hcapi
Corollary 4.5. For all cap, if P =⇒ Q, then sd(P ) ≥ sd(Q).
In the sequel, Π1≤i≤t Qi abbreviates Q1 | . . . | Qt .
Lemma 4.7 (Characterisation of replication of single processes).
(1) Given a capability cap, and a sequentially selective and cap-expressive formula A,
define
def
!A = Repcap (A).
Then P |= !A iff there are r ≥ 1, s ≥ r, Pi (1 ≤ i ≤ s) such that
P ≡ Π1≤i≤r !cap. Pi | Πr+1≤i≤s cap. Pi and cap. Pi |= A for all 1 ≤ i ≤ s.
(2) For any name n and depth selective and n-expressive formula A, define
def
!A = Repn[] (A).
Then P |= !A iff there are r ≥ 1, s ≥ r, Pi (1 ≤ i ≤ s) such that
P ≡ Π1≤i≤r !n[Pi ] | Πr+1≤i≤s n[Pi ] and n[Pi ] |= A for all 1 ≤ i ≤ s.
(3) For any formula A that is sequentially selective and input expressive, define
def
!A = Repinput (A).
Then P |= !A iff there are r ≥ 1, s ≥ r, Pi (1 ≤ i ≤ s) such that
P ≡ Π1≤i≤r !(x)Pi | Πr+1≤i≤s (x)Pi and (x)Pi |= A for all 1 ≤ i ≤ s.
Proof. Let us examine some cases:
Case 1, cap = in n. Assume there exist some terms P1 , . . . , Ps satisfying the condition
expressed in 1. Then the first part of !A is satisfied, i.e. P |= Aω .
To establish the second part, we have to show that for any Q ≡ out nω (where ω ∈
∗
N ∪ {∞}), any fresh name m, and any term R such that m[P | Q] | n[0] =⇒ R, there
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 21

is a further reduction R =⇒ n[m[R1 | R2 ]] for some R1 , R2 such that R1 |= A, which

entails in particular R1 ≡ in n. R1′ . Since ambient n does not contain any active process,
and since there is no active process at top-level in m[P | Q] | n[0], ambient n remains
at top-level in all evolutions of this term. Moreover, we have that m is fresh for P and
Q; therefore, no ambient may get out of m, so for any reduct R, there exists R′ such
(in n,out n)⋆
that either (i) R ≡ m[R′ ] | n[0], and P | Q ========⇒ R′ , or (ii) R ≡ n[m[R′ ]],
in n (out n,in n)⋆
and P | Q −−−→========⇒ R′ . In the first case, because of the shape of P , we may
perform one more step of reduction to reach a situation like (ii), and then, since P |
in n (out n,in n)⋆
Q −−−→========⇒ R′ , there exists R′′ such that R′ ≡ !in n. P1 | R′′ . The first implication
is thus proved.
Conversely, let us assume that P |= Repin n (A). Then according to the first part
of the formula, there exist some Pi ’s satisfying P ≡ (!)in n. P1 | . . . | (!)in n. Pr and
in n. Pi |= A. Suppose now by absurd that no component is replicated. We exploit the
sequential selectivity hypothesis to obtain a contradiction. Indeed, we have the reduction
m[P | (out n)r ] | n[0] =⇒ R = n[m[P1 | . . . | Pr ]] and R is a term whose sequentiality
degree is strictly smaller than sd(P ). Then it is also the case for any of its reducts, and
therefore the same reasoning holds for any R1 , R2 such that R =⇒ n[m[in n. R1 | R2 ]],
in n. R1 has a sequentiality degree too small to satisfy A because of sequential selectivity.
Thus, P cannot satisfy Repin n (A), and we obtain a contradiction. Hence, at least one of
the Pi ’s is replicated, and the reverse implication is proved.
The proofs for Case 1, other capabilities, and Case 3 follow from similar arguments.
Case 2. Assume that P ≡ !n[P1 ] | . . . | (!)n[Pr ], with the Pi ’s such that Pi |= A. Then
P satisfies Repn[] (A) iff for any Q ≡ open nω , and any R such that P | Q=⇒R, there are
Ri ’s such that R ≡ n[R1 ] | R2 with n[R1 ] |= A. Since for any R, R ≡ !n[P1 ] | R′ , the first
implication is established.
Conversely, suppose P satisfies Repn[] (A). Then P ≡ (!)n[P1 ] | . . . | (!)n[Pr ]. Moreover,
if no Pi is replicated, P | !open n =⇒ P1 | . . . | Pr | !open n, and if in some Pi there are
Pi,j (j = 1, 2) such that Pi ≡ n[Pi,1 ] | Pi,2 , then the depth degree of Pi,1 is too small for
n[Pi,1 ] to satisfy A, which gives us the second implication.
The formulas for persistence, together with the constructions of Section 3, will be used
to derive characteristic formulas with respect to =L for a sub-calculus of MA in Section 5.

5. Characteristic formulas
In this section we establish the existence of characteristic formulas for a large class of
processes. Given a process P , a characteristic formula for P is a formula FP such that:
∀Q. Q |= FP iff Q =L P ,
where =L is logical equivalence (i.e., P =L Q iff P and Q satisfy the same formulas).
The definability of characteristic formulas is an interesting property, though for now
only a purely theoretical result. The effectiveness and efficiency of the construction of
characteristic formula are beyond the scope of this paper, though we strongly believe that
our definition gives an algorithm for constructing formulas on the semi-decidable fragment
MAIF . Having such constructive characteristic formulas, would have some practical impact,
since we could relate the logical equivalence and model-checking problem to the validity
22 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

problem. Interestingly, we may also recall that validity reduces to model-checking the other
way round when the spatial logic considered has the guarantee (⊲) connective.
To be able to carry out our programme, we have first to understand what =L represents.
For this, we use a co-inductive characterisation of =L , as a form of labelled bisimilarity.
Then, making an intensive use of the formulas for the connectives of the calculus previously
defined, we derive the characteristic formulas.

5.1. Intensional bisimilarity.

Note for this subsection only. The results presented in this subsection have appeared pre-
viously in [San01, HLS02] and therefore are not a contribution of the present paper. Their
complete proofs, which are rather long and complex, can be found in a companion pa-
per [HLS05]. We will use the notion of intensional bisimilarity and all the properties that
are recalled in this subsection only in the proof about characteristic formulas for AL (The-
orem 5.5), which is one of our main expressiveness results.
We use the labelled transitions (Definition 2.2) to define a notion of intensional bisim-
ilarity in order to capture =L .
Definition 5.1. Intensional bisimilarity is the largest symmetric relation ≃int on closed
processes such that P ≃int Q implies:
(1) If P ≡ P1 | P2 then there are Q1 , Q2 such that Q ≡ Q1 | Q2 and Pi ≃int Qi , for
i = 1, 2.
(2) If P ≡ 0 then Q ≡ 0.
(3) If P −→ P ′ then there is Q′ such that Q =⇒ Q′ and P ′ ≃int Q′ .
in n in n (out n,in n)⋆
→ P ′ then there is Q′ such that Q =⇒ ========⇒Q′ and P ′ ≃int Q′ .
(4) If P −
out n out n (in n,out n)⋆
(5) If P −−→ P ′ then there is Q′ such that Q =⇒ ========⇒Q′ and P ′ ≃int Q′ .
open n open n
(6) If P −−−→ P ′ then there is Q′ such that Q =⇒ Q′ and P ′ ≃int Q′ .
{n} {n}
→ P ′ then there is Q′ such that Q =⇒ Q′ and P ′ ≃int Q′ .
(7) If P −
?n
→ P ′ then there is Q′ such that Q | {n} =⇒ Q′ and P ′ ≃int Q′ .
(8) If P −
(9) If P ≡ n[P ′ ] then there is Q′ such that Q ≡ n[Q′ ] and P ′ ≃int Q′ .
The definition of ≃int has (at least) two intensional clauses, namely (1) and (2), which
allow us to observe parallel compositions and the terminated process. These clauses corre-
spond to the intensional connectives ‘|’ and ‘0’ of the logic. The clause (8) for abstraction is
similar to the input clause of bisimilarity in asynchronous message-passing calculi [ACS98].
This is the case because communication in MA is asynchronous. Another consequence
of this is that the logic is insensitive to the following rewrite rule (modulo associativity-
commutativity of |):

(x) {x} | (x)P −→η (x)P .
This rule induces a notion of normal form of processes, that we shall call the eta-normalised
form.
Definition 5.2 (Eta-equivalence). We will note P ≡E Q if the normal forms of P and Q
for −→η are related by ≡.
Lemma 5.1 ([HLS02, HLS05]). For any closed process P, Q in MA, P ≡E Q implies
P ≃int Q.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 23

By Theorem 5.2 below, this result says that the logic is insensitive to −→η . We shall
thus reason using normalised processes with respect to −→η in the proof of Theorem 5.5.
The most peculiar aspect of the definition of ≃int is the use of the stuttering relations.
Although they can be avoided on finite processes, they cannot in the full calculus. By con-
trast, stuttering does not show up in Safe Ambients [LS00], where movements are achieved
by means of synchronisations involving a capability and a co-capability.
We now state some results about ≃int that are proved in [HLS02, HLS05].
Theorem 5.2. For any P , Q, P ≃int Q implies P =L Q.
The latter result establishes correctness of ≃int with respect to =L . Given a process P ,
we try and characterise the equivalence class of P with respect to ≃int with a formula FP .
The definability of such a formula will actually entail that =L ⊆ ≃int (completeness), and
hence that FP actually characterises the =L -equivalence class of P .
We now mention a useful induction principle that allows us to reason ‘almost inductively’
on the structure of a process when checking relation ≃int . This principle is given by the
following inductive order:
Definition 5.3. We write P > Q if either sd(P ) > sd(Q) or Q is a sub-term of P .
This order allows us, using the following result, to derive an inductive characterisation
of ≃int [HLS02, HLS05].
Proposition 5.3. Let P, P1 , P2 , Q be processes of MA. Then
(1) 0 ≃int Q iff Q ≡ 0.
(2) n[P ] ≃int Q iff there exists Q′ such that Q ≡ n[Q′ ] and P ≃int Q′ .
(3) P1 | P2 ≃int Q iff there exist Q1 , Q2 such that Q ≡ Q1 | Q2 and Pi ≃int Qi for
i = 1, 2.
(4) !P ≃int Q iff there exist r ≥ 1, s ≥ r, Qi (1 ≤ i ≤ s) such that P ≃int Qi for
i = 1 . . . s, and Q ≡ Π1≤i≤r !Qi | Πr+1≤i≤s Qi .
hcapi
(5) cap. P ≃int Q iff there exists Q′ such that Q ≡ cap. Q′ with P =⇒ ≃int Q′ and
hcapi
Q′ =⇒ ≃int P .
(6) {n} ≃int Q iff Q ≡ {n}.
(7) (x)P ≃int Q iff there exists P ′ , Q′ , Q′′ and n 6∈ fn(P ) ∪ fn(Q) such that Q ≡ (x)Q′ ,
Q | {n}=⇒Q′′ , ↓β P {n/x} ≃int Q′′ , (x)P | {n}=⇒P ′ and P ′ ≃int Q′ {n/x}.

5.2. The sub-calculus MAIF . As we mentioned above, characteristic formulas and com-
pleteness for an algebraic characterisation of logical equivalence are two related problems.
In fact, the existence of characteristic formulas is a stronger result than completeness of
≃int with respect to =L : while we establish completeness in [HLS05] on the whole calculus,
we are only able to derive characteristic formulas on a sub-calculus of MA. To introduce the
necessity of restricting the class of processes we consider, and to illustrate the basic ideas
behind the construction of characteristic formulas, we examine some examples.
Example 2. We introduce the following processes: P1 = !open n. n[0], P2 = open n | n[0],
P3 = !open n. P2 , and P4 = open n. P2 .
A characteristic formula for P1 is easy to define since the continuation term n[0] has
no reducts. Hence the formula [[open n]]. n[0], using a formula for necessity, satisfies the
24 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

conditions of Lemma 4.7, and a characteristic formula for P1 is

def
F1 = ![[open n]]. n[0] .
In order to define a characteristic formula for P3 , we first look for a characteristic formula
for P2 . We can set
def
F2 = [[open n]]. 0 | n[0] .
F2 is indeed a characteristic formula for P2 . However, [[open n]]. F2 is not a characteristic
formula for P4 , nor for P3 . The reason is that the continuation process (P2 ) is not static,
as it may reduce to 0. Hence [[open n]]. F2 does not satisfy the conditions of Lemma 4.7, so
that we need to add the possibility to reduce to 0, yielding the formula [[open n]]. (F2 ∨ 0).
But then we also accept the term open n. 0, which shows why we are led to add a possibility
condition to the formula, and we finally define the following characteristic formula for P3 :
def
F3 = Repopen n (hhopen nii. F2 ∧ [[open n]]. (F2 ∨ 0)) .
We see on this example that characterising the continuation of a process starting with
a capability or an input requires to enumerate also all the possible reducts after consuming
the topmost constructor. Therefore, the definition of characteristic formulas relies on the
actual feasibility of such an enumeration, which leads us to the definition of a subclass of
MA processes.
In the definition below, we use the following notation: given a set S of processes,
S/≃int will stand for the quotient of S with respect to ≃int (which is, technically, a set of
≃int -equivalence classes of processes).
Definition 5.4 (Sub-calculus MAIF ). A process P is image-finite iff any sub-term of P
hcapi
of the form cap. P ′ (resp. (x)P ′ ) is such that the set {P ′′ : P ′ =⇒ P ′′ }/≃int (resp.
{P ′′ : P ′ {n/x} =⇒ P ′′ }/≃int , for some n 6∈ fn(P )) is finite.
MAIF is the set of image-finite MA processes.
MAIF is only a semi-decidable fragment of MA. A stronger restriction is considered in
[HLS05], whose definition involves decidable syntactic conditions. We however stick to this
larger fragment for the sake of generality.
For example, process in n. !(n[0] | open n. 0) is in MAIF , but in n. !(n[0] | open n. a[0])
is not.
To construct a characteristic formula FP for a closed MAIF process P , we can suppose
(up to ≡E ) that replication only appears above single terms and that P is eta normalised. We
then define the characteristic formula FP of P by induction using the order of Definition 5.3
(this defines a valid induction by Lemma 4.4). The defining formulas are given in Table 6.
Two technical remarks should be made regarding the definition of F(x)P . First, in the
disjunction over the quotiented set {P ′ : P {nx/x}=⇒P ′ }/≃int , it is intended that we pick
a representative in each equivalence class. Second, to avoid reasoning about processes
containing free variables (characteristic formulas are defined only for closed processes), we
introduce the auxiliary name nx , that is used as a placeholder for x, to be replaced by x again
once the characteristic formula of process P ′ has been computed (see the defining clause of
F(x)P ). So FP ′ {x/nx } is a slight abuse of notation that denotes the operation consisting of
(i) alpha-converting FP ′ so that no bound variable is named x, and (ii) textually replacing
nx with x in the resulting formula.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 25

def def
F0 = 0 FP |Q = FP | FQ
def def W
Fn[P ] = n[FP ] Fcap.P = hhcapii. FP ∧ [[cap]]. hcapi FP ′
{P ′ , P =⇒ P ′ }/≃int
def def
F!n[P ] = Repn[] (FP ) F!cap.P = Repcap (Fcap.P )
def
F(x)P c ∧ hh?xii. FP ∧
= ∃x. ¬ x (nx ∈
/ fn(P )) 

W
c
[[?x]] F{x} | (1input ∧ ¬ x) ∨ {P ′ : P {nx /x}=⇒P ′ }/≃int F {x/nx }
P′
def def def
F{n} = cf. Lemma 3.14 F!{n} = cf. Table 5 F!(x)P = Repinput (F(x)P )

Table 6: Characteristic formulas in MAIF

Theorem 5.5 (Characteristic formulas for MAIF ). For any closed term P , define FP ac-
cording to Table 6. Then
Q |= FP iff P ≃int Q.
Proof. The proof is by induction, using the order of Definition 5.3.
• F0 characterises 0: this holds by Proposition 5.3.
• F{n} characterises {n} and F!{n} characterises !{n}: by Lemma 3.14, Lemma 4.7
and Proposition 5.3.
• if FP characterises P , then Fn[P ] characterises n[P ]: by Proposition 5.3.
• if FP1 characterises P1 and FP2 characterises P2 , then FP1 |P2 characterises P1 | P2 :
by Proposition 5.3.
• Suppose now that for every P ′ such that sd(P ′ ) ≤ sd(P ), FP ′ is a characteristic
formula for P ′ . We then have:
– Fcap.P characterises cap. P .
hcapi
By Lemma 4.4, sd(P ′ ) ≤ sd(P ) for any P ′ such that P =⇒ P ′ , so FP ′ is a
characteristic formula for such processes. We examine each of the two impli-
cations. W In one direction, cap. P |= hhcapii. FP , and by Lemma 3.8, cap. P |=
[[cap]]. ′
hcapi
′
FP ′ , so cap. P |= Fcap.P . Conversely, if Q |= FP , then
{P , P =⇒ P }/≃int
from Q |= hhcapii. FP we deduce the existence of Q′ , Q′′ such that Q ≡ cap. Q′ ,
hcapi W
Q′ =⇒ Q′′ , and Q′′ |= FP . Moreover, from Q |= [[cap]]. ′
hcapi
′
FP ′ ,
{P , P =⇒ P }/≃int
hcapi
we deduce that there is P ′ such that P =⇒ P ′ and Q′ |= FP ′ , so Q′ ≃int P ′ ,
and by Proposition 5.3, Q ≃int cap. P .
– F(x)P characterises (x)P .
We first prove that (x)P |= F(x)P . We pick n0 fresh for P . We can apply
the induction hypothesis for P {n0/x} and for all of its reducts P ′ . Then the
implication from right to left follows from Lemma 3.15.
For the other direction, let Q be such that Q |= F(x)P . We assume first that Q
is eta normalised. Let n0 be a name that can be used to satisfy formula F(x)P .
Then n0 6∈ fn(Q), and there are Q′ , Q′′ such that Q ≡ (x)Q′ , {n0 } | (x)Q′ =⇒Q′′ ,
and Q′′ |= FP {n0/x} , that is, by hypothesis, Q′′ ≃int P {n0/x}. Moreover, since Q
is eta normalised, Q′ {n0/x} is not of the form {n0 } | (x)R with n0 6∈ fn((x)R),
26 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

and hence this process does not satisfy the formula (F{n0 } | (1input ∧ ¬ n c 0 )).
Therefore, there exists P ′ such that P {n0/x}=⇒P ′ and Q′ {n0/x} |= FP ′ , that is,
by induction, Q′ {n0/x} ≃int P ′ . Using Proposition 5.3, we deduce Q ≃int (x)P .
We consider now the case when Q is not eta normalised. Let Q0 be the eta
normal form of Q. Then by Lemma 5.1 and Theorem 5.2, Q=L Q0 . Since by
hypothesis Q |= F(x)P , Q0 |= F(x)P and by the previous arguments, (x)P ≃int
Q0 . Finally, by Lemma 5.1, (x)P ≃int Q.
– F!cap.P characterises !cap. P and F!(x)P characterises !(x)P : these results follow
from the replication case in Proposition 5.3 and from Lemma 4.7. In particular,
the requirements in terms of sequential (or depth) selectiveness, and cap (or
n, input) expressiveness are satisfied because the formulas we are using in
our constructions are characteristic formulas, which, by induction, satisfy such
requirements.
Corollary 5.4. On the sub-calculus MAIF , we have ≃int = =L .
For any closed processes P and Q of MAIF , we have
Q |= FP iff P =L Q .

6. Extensions of the calculus

In this section, we study extensions of MA with different forms of communication: we
first examine the possibility to emit capabilities (in addition to names) in messages, and
then consider synchronous communication. We only show how to capture the modifications
brought to the language, without porting all the constructions seen in the previous sections.
We however believe that our approach would go through without any major modification.
We start by pointing out that Lemmas 3.5,3.7,3.6 about the interpretation of formulas
hhcapii. A hold in the extensions we consider, since their proofs are insensitive to the presence
of communication in the calculus.

6.1. Capabilities in messages. In the original MA calculus [CG98a], messages can also
carry paths of capabilities. To accommodate this in the grammar of Table 1, all occurrences
of η are replaced by M , and the path productions
 
M ::= cap  M1 . M2  ǫ ,
are added to those for expressions, where ǫ stands for the empty path. Thus a capability
can be a path, such as open n. in m. open h. Also, the rules
ǫ. P ≡ P (M1 . M2 ). P ≡ M1 . M2 . P
are added to those of ≡. Since messages can now carry names or capabilities, a type
system is introduced [CG99] to avoid run-time errors. We shall assume that all processes
are well-typed (according to the basic Ambient types), which means in particular that in
the interpretation of a formula of the form A⊲B, processes that are added in parallel are
of the right type. Moreover, we will say that the argument of an abstraction (x)P is of
capability type whenever the typing ensures that capabilities, and not names, can be sent
to instantiate x.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 27

Our main focus will be on the characterisation of these new forms of messages. For this,
we need a formula TestCap, the analogous of the formula TestComm of Section 3.3, satisfied
by all abstractions that are eta-congruent to (x) m[x. 0], where m is some fixed name.
We also need a formula LM M, for any closed capability M , that identifies those processes
that are structurally congruent to M . 0. We first discuss an example, namely the formula
Lin n. open mM. For this, hhin nii. hhopen mii. 0 is not enough: this formula is satisfied by
in n. open m. 0 but also, for instance, by processes such as in n. ({M } | (x) open m), which
has some additional I/O, or in n. out n. in n. open m. 0, which stutters. A formula F for
Lin n. open mM could thus be (the actual definition of Lin n. open mM will be different; the
formula below is easier to read and semantically equivalent):
def
F = hhin nii. hhopen mii. 0
∧ ¬ hhin nii. ¬ 1comp
∧ ¬ hhin nii. hhout nii. ⊤
∧ ¬ hhin nii. hhopen mii. ¬ 0
In the definition of F, the second, third and fourth conjuncts take care of the problems
with I/O and stuttering mentioned above.
Here is the complete definition of LM M for any path M :
def
Lopen n. M M = hhopen nii. LM M
∧ ¬hhopen nii. (¬1comp ∨ 1amb)
def
Lout n. M M = hhout nii. LM M
∧ ¬hhout nii. (¬1comp ∨ 1amb)
∧ ¬hhout nii. hhin nii. hhout nii. LM M
def
Lin n. M M = hhin nii. LM M
∧ ¬hhin nii. (¬1comp ∨ 1amb)
∧ ¬hhin nii. hhout nii. hhin nii. LM M
def
Lǫ. M M = LM M
def
L0M = 0
In the definition of LM M, sub-formula ¬1comp∨1amb is used to control process reductions,
see Lemma 6.1.
We now define TestCap:
def
TestCap = 1comm
∧ 1comm ⊲ ✷(2comm ∨ m[1comp])
∧ 1comm ◮ ✸ m[Lin nM]
∧ 1comm ◮ ✸ m[0]
where (n, m) is any pair of different names.
28 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

The correctness of this definition is proved along the lines of that of TestComm. The formula
F{M } , where M is any closed capability, is then
 
def
F{M } = 1comm ∧ TestCap ⊲ ✸ m[LM M]

We now give the key steps that allow us to derive the interpretation of the formulas
presented above.
Lemma 6.1. Suppose P −→ P ′ . Then P |= ¬1comp ∨ 1amb.
Lemma 6.2. Suppose M, P are closed. Then P |= LM M iff P ≡ M . 0.
Proof. By induction on the size of M . If the size is 0 then M = 0 and the result follows
easily. For the inductive case, we proceed by a case analysis.
• M = in n. N . We have P |= hhin nii. LM M, therefore by Lemma 3.7 P ≡ in n. P ′ for
(in n,out n)⋆
some P ′ such that P ′ ========⇒P ′′ and P ′′ |= LM M.
However P ′ cannot stutter, otherwise P |= hhin nii. hhout nii. hhin nii. LM M. Also,
it cannot be P ′ −→ P ′′′ =⇒ P ′′ otherwise by Lemma 6.1 P ′ |= ¬1comp∨1amb, hence
P |= hhin nii. (¬1comp ∨ 1amb).
• M = in n. N : similar.
• M = open n. N : similar (without any stuttering phenomenon).
• M = ǫ. N . In this case, we also have P |= LN M, hence by induction P ≡ N , hence
P ≡ M.
We now adapt the notion of ambient abstraction, introduced in Section 3.3, in order to
define a class of processes that will be used to give the interpretation of formula TestCap.
Definition 6.1 (ambient abstraction and ambient semi-abstraction). The ambient abstrac-
tions are the subset of processes defined by the following grammar:

P ::= (x) m[x. 0]  (x) ({N } | P ) .
The ambient semi-abstractions are the subset of processes defined by the following grammar:

P ::= (x) m[Q]  (x) ({N } | P )
where Q is single.
Lemma 6.3. Given an abstraction (x)R whose argument is of capability type and R contains
e/ze}, {Le′/ze} such that
no abstractions, suppose there are messages M, N and substitutions {L
e/ze}) |= ✷(2comm ∨ m[1comp])
{M } | (x) (R{L
and
{N } | (x) (R{Le′/ze}) |= ✸ m[1comp].
Then (x) R is an ambient semi-abstraction (i.e., R ≡ m[P ] where P is single).
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 29

Lemma 6.4. Given an abstraction (x) R whose argument is of capability type,

e/ze}, {Le′/ze} such that
suppose there are messages M, N and substitutions {L
e/ze}) |= ✷(2comm ∨ m[1comp])
{M } | (x) (R{L
and
{N } | (x) (R{Le′/ze}) |= ✸ m[1comp].
Then (x) R is an ambient semi-abstraction.
Proof. By induction on the number of nested abstractions in R. If this number is 0 then
use Lemma 6.3.
Suppose the number is greater than 0. From
e/ze}) −→ R{L
{M } | (x) (R{L e/ze}{M/x}

we derive
R{Le/ze}{M/x} |= 2comm ∨ m[1comp]

Since R should contain an abstraction, the formula m[1comp] is not satisfied, hence
e/ze}{M/x} |= 2comm
R{L
Using this, the fact that R should contain an abstraction, and the other judgement in the
hypothesis of the lemma we infer that
R ≡ {M ′ } | (y) Q
for some M ′ , y, Q. This information on R and the judgements in the hypothesis of the
lemma imply:
e/ze}{M/x}} | (x) (Q{L
{M ′ {L e/ze}{M/x}) |= ✷(2comm ∨ m[1comp])

and
e/ze}{N/x}} | (x) (Q{L
{M ′ {L e/ze}{N/x}) |= ✸ m[1comp].

We can now conclude, using the inductive hypothesis on Q.

Lemma 6.5. Suppose (x)R is an ambient semi-abstraction, whose argument is of capability
e/ze}, {Le′/ze} such that
type, and suppose there are messages M, N and substitutions {L
e/ze}) |= ✸ m[Lin Mn]
{M } | (x) (R{L
and
{N } | (x) (R{Le′/ze}) |= ✸ m[0].
Then (x) R is an ambient abstraction.
Proof. By induction on the number of abstractions in R. The case when this number is 0
is easy: if R 6≡ x. 0 then R does not satisfy the given formulas.
If the number of abstractions is greater than 0 then Q ≡ ({O} | P ), for some message
O and process P and then we derive:
e/ze} | (y) P {L
{M } | (x) (O{L e/ze}) −→ O{L
e/ze}{M/x} | (y) P {L
e/ze}{M/x} |= ✸ m[Lin Mn]

and similarly
O{Le′/ze}{N/x} | (y) P {Le′/ze}{N/x} |= ✸ m[0]
and then we conclude using induction.
30 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

We say that an ambient abstraction P is simple if P =β (x) m[x. 0] where =β is the

least congruence that is closed under the rule
{M } | (x) P = P {M/x} .
Lemma 6.6. Suppose (x) Q is an ambient abstraction, and that we have
(x) Q |= 1comm ◮ ✸ m[Lin Mn] and (x) Q |= 1comm ◮ ✸ m[0] .
Then (x) Q is simple.
Proof. Any ambient abstraction is equivalent with respect to ≡E (structural equivalence
plus the eta law – see Definition 5.2) (x) m[M . 0].
Lemma 6.7. P |= TestCap iff P is a simple ambient abstraction.
Proof. We observe that P has to be an I/O, and cannot be a message (otherwise by adding
(x) 0 in parallel with P we could violate the definition of TestCap).
Hence P is an abstraction, and there are M, N such that
{M } | P |= ✸ m[Lin nM] ∧ ✷(2comm ∨ m[1comp])
{N } | P |= ✸ m[0] ∧ ✷(2comm ∨ m[1comp])
By Lemma 6.4, P must be an ambient semi-abstraction (note that 0 implies 1comp). Now
Lemma 6.5 shows that P must be an ambient abstraction, which by Lemma 6.6 is simple.

def
F{M } = 1comm ∧ TestCap ⊲ ✸ m[LM M]

Lemma 6.8. P |= F{M } iff P ≡ {M }.

6.2. Synchronous Ambients. Since the modal logic does not talk about the I/O prim-
itives, it is interesting to examine variations of these primitives, to see the effect on the
equality induced by the logic. In MA communication is asynchronous: since a message has
no continuation, no process is blocked until the message is consumed. The most natural
variation consists in making communication synchronous. For this the production {η} for
messages in the grammar of MA in Table 1 is replaced by the production {η}. P . Reduction
rule Red-Com becomes:
Red-Com
{M }. Q | (x) P −→ Q | P {M/x}
The communication act liberates, at the same time, both the continuation P of the abstrac-
tion and the continuation Q of the message. We write MAsync for the resulting synchronous
calculus.
Synchrony leads to some important modifications in the assertions and in the proofs of
the results in the paper. In MAsync , the eta law fails in the sense that the logic can separate
eta equivalent terms (cf. Definition 5.2). Indeed, we will define a formula hh{n}ii. A whose
models are processes {n}. P with P =⇒ |= A. Then, returning to the eta law, formula
1input ∧ (hh{n}ii. n[0])◮✷¬3Comp is satisfied by (x) {x} | (y)0), and not by (x)0, where
by 3Comp we mean the formula 1Comp | 1Comp | 1Comp.
We will focus now on the characterisation of this new form of communication. In
asynchronous MA, our separation of messages from abstractions exploited their asymmetry:
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 31

abstractions, but not messages, have a continuation. In the synchronous case the asymmetry
disappears, therefore we have to use a different route for the proof, which makes it a bit
more involved.
Again, the most delicate point is to find a replacement for the formula TestComm. We
sketch how the new definition is obtained.
• We first define a formula, OnlyCom, that is satisfied only by abstractions (x) P and
messages {M }. P in which capability prefixes and ambients do not appear in the
continuation P and, moreover, no sub-term of P contains more than two non-trivial
parallel components.
• Using OnlyCom we define a formula, ComAmb, that is satisfied only by processes
defined as those that satisfy OnlyCom except that the innermost operator is an
ambient η[x[0]].
• We then define a formula that characterises the abstraction (x) h[x[0]]; we write
3comm for 1comm | 1comm | 1comm:
def
Imm h = ComAmb
∧ OnlyCom ⊲ (✷¬ 1comm ∧ ✷¬ 3comm)
∧ OnlyCom ◮ ✸ h[n[⊤]]
∧ OnlyCom ◮ ✸ h[m[⊤]] ,
where n and m are different names.
Roughly, the first ∧-component implies that a process that satisfies Imm h has an
abstraction or a message as its outermost operator, and an ambient η[x[0]] as the
innermost. The second ∧-component, call it F, ensures that the process does not
have any other operators; that is, the ambient η[x[0]] is reached immediately after
def
the initial communication. For instance, the process R = {M }. (x) h[x[0]] does not
satisfy F because R | (x)0 =⇒ (x)h[x[0]] and (x)h[x[0]] satisfies 1comm. Finally, the
third and fourth ∧-components rule out the messages and the abstraction (x)x[x[0]].
Once we have defined formulas to capture primitives for synchronous communication,
the other expressiveness results in the paper also hold for synchronous MA. The corre-
sponding proofs follow closely the arguments in the previous sections.
We now move to the formal definition and analysis of the formulas we alluded to above.

Modifications between Lemma 3.10 and 3.14. To define a formula that captures synchronous
outputs (Lemma 6.14 below), we introduce tester processes of the form (x)h[x[0]], for a given
name h. The logical characterisation of these (Lemma 6.13) is slightly more complicated
than the corresponding result in the asynchronous case (Lemma 3.13), and is based on four
grammars describing communicating processes, that are defined as follows.

def
OnlyCom = 1comm ◮ (✷(2comm ∨ 0) ∧ ✸ 0)
32 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

To interpret formula OnlyCom, we introduce the following grammars:

    
H ::={η}. 0  (x) 0  {η}. (H | H)  (x) (H | H)  {η}. H  (x) H
    
K ::={η ′ }. η[y[0]]  (x) η[y[0]]  {η ′ }. (H | K)  (x) (H | K)  {η ′ }K  (x) K

H ⋆ ::=H  0
     
K ⋆ ::={η ′ }. η[η ′′ [0]]  (x) η[η ′′ [0]]  {η ′ }. (H | K)  (x) (H | K)  {η ′ }K  (x) K  η[η ′ [0]]
We write
• GH for the set of terms described by H,
• GK for those described by K,
• GH ⋆ for those described by H ⋆ , and
• GK ⋆ for those described by K ⋆ .
(The grammar for K ⋆ , with respect to that for K, has the additional production for η[η ′ [0]],
and has η[η ′ [0]] in place of η[y[0]] in the other productions.)
Lemma 6.9. Suppose P is a MAsync process. P {n/x} ∈ GH iff P ∈ GH.
Lemma 6.10. Suppose P is a MAsync process and P |= OnlyCom. Then P ≡ P ′ for some
P ′ ∈ GH.
Proof. Suppose P1 |= OnlyCom. Then there is a process P2 with P2 |= 1comm such that
P1 | P2 |= (✷(2comm ∨ 0) ∧ ✸ 0).
In particular, it holds that P1 | P2 |= 2comm, hence P1 |= 1comm.
We show that if Q1 , Q2 are processes that satisfy 1comm and such that
Q1 | Q2 |= (✷(2comm ∨ 0) ∧ ✸ 0),
then Q1 , Q2 ∈ GH.
The proof is by induction on the maximal depth of Q1 , Q2 . The case when this depth
is 1 is easy. If this depth is greater than 1, then Q1 | Q2 −→ Q′1 | Q′2 , using the com rule,
where Qi is the continuation of Qi . We have three cases:
• Q′1 ≡ 0, Q′2 ≡ R1 | R2 for some non-trivial R1 , R2 ;
• the symmetric case;
• none of Q′1 and Q′2 is structurally congruent to 0.
In the first two cases, we deduce that R1 , R2 satisfy 1comm, and then use induction to infer
R1 , R2 ∈ GH. Then using the first 4 productions of the grammar, and Lemma 6.9, Q1 , Q2 ∈
GH. In the third case, use induction to infer Q′1 , Q′2 ∈ GH. Hence also Q1 , Q2 ∈ GH, using
the last 2 productions of the grammar and Lemma 6.9.
Lemma 6.11. Suppose P is a MAsync process, and P |= ✷(2comm ∨ h[n[0]]) ∧ ✸ h[n[0]],
where h, n are any names. Then P ≡ P1 | P2 with P1 ∈ GH and P2 ∈ GK ⋆ .
Proof. By induction on the size of P , where the size is the number of operators in P . The
size cannot be 0 or 1. If the size is 2 then P = h[n[0]], and P ≡ 0 | h[n[0]], hence the
def
assertion of the lemma, for P1 = 0.
Suppose the size if greater than 2. Call
def
F = ✷(2comm ∨ h[n[0]]) ∧ ✸ h[n[0]]
Then
P ≡ P1 | P2 where, for i = 1, 2,we have Pi |= 1comm
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 33

Since P must reduce,

P1 | P2 ≡ {m}. Q1 | (x) Q2
and
Q1 | Q2 {m/x} |= F .
The size of Q1 | Q2 {m/x} is smaller.
It can be that Q1 or Q2 are 0, or none is 0 (they cannot both be 0). In both cases
we can conclude by referring to the appropriate grammar productions and by using the
inductive hypothesis.
Define now:
  
def
ComAmb = ∃ x . OnlyCom ◮ ✷(2comm ∨ x[n[0]]) ∧ ✸ x[n[0]]

∧ OnlyCom ◮ ✸ x[m[0]]
where n and m are different names.

Lemma 6.12. Suppose P is a MAsync process, and P |= ComAmb. Then P ≡ P ′ for some
P ′ ∈ GK.
Proof. Suppose P1 |= ComAmb. Then there is a process P2 and some h with P2 |= OnlyCom
such that P1 | P2 |= ✷(2comm ∨ h[n[0]]) ∧ ✸ h[n[0]]. By Lemma 6.10, P2 ≡∈ GH. By
Lemma 6.11, P1 ∈ GK ⋆ . Moreover, since P1 |= 1comm, it holds that P1 6≡ h[n[0]]; from this
and P1 |= OnlyCom ◮ ✸ h[m[0]], we deduce P1 ∈ GK.
Define
def
Imm h = ComAmb ∧
OnlyCom ⊲ (✷¬ 1comm ∧ ✷¬ 3comm)
OnlyCom ◮ ✸ h[n[⊤]]
OnlyCom ◮ ✸ h[m[⊤]]
where m 6= n.

Lemma 6.13. Suppose P |= Imm h. Then P ≡ (x) h[x[0]].

Proof. By Lemma 6.12, P ≡ P ′ ∈ GK. One then shows that (x) h[x[0]] satisfies Imm h,
whereas the other terms in GK do not (choosing the appropriate OnlyCom).
Now we can define the formula:
def
hh{n}ii. A = 1comm
∧ ∀ x . (Imm x ⊲ ✸ (x[n[0]] | A))

Lemma 6.14. Suppose P is a MAsync process. It holds that P |= hh{n}ii. A iff P ≡ {n}. Q
and Q =⇒ Q′ and Q′ |= A.
Proof. Take h fresh. Then by Lemma 6.13,
P | (x) h[x[0]] |= ✸ (h[x[0]] | A) .
From this, and P |= 1comm, we deduce P ≡ {m}. P ′ , for some m, P ′ . We also deduce that
P ′ | h[m[0]] |= ✸ (h[m[0]] | A) .
Since h is fresh, P ′ cannot interact with h. Hence m = n, and moreover P ′ =⇒|= A.
34 D. HIRSCHKOFF, É. LOZES, AND D. SANGIORGI

Lemma 6.15. Suppose P is a MAsync process. It holds that P |= hh?nii. A iff P ≡ (x) P ′
and P ′ {n/x} =⇒ P ′′ |= A.

6.3. Other Extensions.

6.3.1. Name restriction and revelation. Usually [CG98a, CG99], the syntax of MA also has
the restriction operator. In [CG01], Cardelli and Gordon propose an extension of AL with
logical connectives to describe restriction. In particular, the operator of name revelation
allows one to derive nc (Subsection 4.2). In presence of restriction in the calculus, we
cannot adapt our construction to capture finiteness of processes, intuitively because our
approach consists in exhibiting a context that allows a finite process to reduce to 0, which
is not possible in general in presence of restriction. However, characteristic formulas can
be derived, by enriching our constructions with a formula that says that a process has no
restriction (which is definable using name revelation).

6.3.2. Strong sometimes modality. One could consider a “strong” version of the sometimes
(✸) modality, where −→ replaces =⇒ in the definition of |=. This variant is easier to study,
and less interesting in a sense. We explain the effects it would have. The only drawback
is that with a strong version of ✸ we could not derive the formulas of Section 4, and as
a consequence characteristic formulas can be given for finite processes only. On the other
hand, the formulas for capabilities and communications would become much simpler; we
would not have to consider stuttering and eta conversions; logical equivalence would coincide
with structural congruence.

6.3.3. Recursion. In a different direction, a variant of MA can be considered in which a

recursion operator is used instead of replication (see for example [LS03]). Recursion gives
trees with infinite depth; this prevents us from defining the measures sd(P ) and dd(P ) up
to structural congruence. Moreover, the constructions in Subsection 4.3 are based on the
characterisation of persistence (that provides a form of ‘recursion in width’) of replicated
processes. We do not think that they could be easily adapted to a calculus with recursion.

Acknowledgments. We thank the anonymous referees for their careful reading of the paper,
and for their comments and suggestions, which resulted in a number of improvements for
the paper.

References
[ACS98] R. Amadio, I. Castellani, and D. Sangiorgi. On bisimulations for the asynchronous π-calculus.
Theoretical Computer Science, 195:291–324, 1998.
[Car99] L. Cardelli. Semistructured computations. Proc. 7th Intl. workshop on Data Base Programming
Languages (DBPL’99), invited talk (accompanying paper available from the author’s web page),
1999.
[Car01] L. Cardelli. Describing Semistructured Data. SIGMOD Record, Database Principles Column, 30(4),
2001.
[CG98a] L. Cardelli and A.D. Gordon. Mobile ambients. In Proc. FoSSaCS ’98, volume 1378 of Lecture
Notes in Computer Science, pages 140–155. Springer Verlag, 1998.
[CG98b] L. Cardelli and A.D. Gordon. Technical annex to [CG98a]. Unpublished notes, 1998.
 ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 35

[CG99] L. Cardelli and A.D. Gordon. Types for mobile ambients. In Proc. 26th POPL, pages 79–92. ACM
Press, 1999.
[CG00] L. Cardelli and A. Gordon. Anytime, Anywhere, Modal Logics for Mobile Ambients. In Proc. of
27th POPL, pages 365–377. ACM Press, 2000.
[CG01] L. Cardelli and A. Gordon. Logical Properties of Name Restriction. In Proc. of TLCA’01, volume
2044 of LNCS. Springer Verlag, 2001.
[CG04] L. Cardelli and G. Ghelli. A query language for semistructured data based on the ambient logic.
Mathematical Structures in Computer Science, 14(3), pages 285–327, 2004.
[CL04] L. Caires and E. Lozes. Elimination of Quantifiers and Undecidability in Spatial Logics for Con-
currency. In Proc. of CONCUR’04, volume 3170 of LNCS, pages 240–257. Springer Verlag, 2004.
[DZ00] S. Dal-Zilio. Structural Congruence for Ambients is Decidable. In Proc. of ASIAN’00, volume 1961
of LNCS. Springer Verlag, 2000.
[GS86] S. Graf and J. Sifakis. A modal characterization of observational congruence on finite terms of
CCS. Information and Control, 68:125–145, 1986.
[Hir04] D. Hirschkoff. An Extensional Spatial Logic for Mobile Processes. In Proc. of CONCUR’04, volume
3170 of LNCS, pages 325–339. Springer Verlag, 2004.
[HLS02] D. Hirschkoff, E. Lozes, and D. Sangiorgi. Separability, Expressiveness and Decidability in the
Ambient Logic. In 17th IEEE Symposium on Logic in Computer Science, pages 423–432. IEEE
Computer Society, 2002.
[HLS03] D. Hirschkoff, E. Lozes, and D. Sangiorgi. Minimality Results for the Spatial Logics. In Proc. of
FSTTCS’03, volume 2914 of LNCS, pages 252–264. Springer Verlag, 2003.
[HLS05] D. Hirschkoff, E. Lozes, and D. Sangiorgi. On the separability of the ambient logic. in preparation,
2005.
[HM85] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency. Journal of the
ACM, 32:137–161, 1985.
[LS00] F. Levi and D. Sangiorgi. Controlling interference in ambients. Short version appeared in Proc.
27th POPL, ACM Press, 2000.
[LS03] F. Levi and D. Sangiorgi. Mobile Safe Ambients. ACM Trans. Program. Lang. Syst., 25(1):1–69,
2003. Short version appeared in Proc. 27th POPL, ACM Press.
[Mil99] R. Milner. Communicating and Mobile Systems: the π-Calculus. Cambridge University Press, 1999.
[Rey02] J. Reynolds. Separation logic: a logic for shared mutable data structures. In 17th IEEE Symposium
on Logic in Computer Science. IEEE Computer Society, 2002.
[San01] D. Sangiorgi. Extensionality and Intensionality of the Ambient Logic. In Proc. of 28th POPL, pages
4–17. ACM Press, 2001.
[SI94] B. Steffen and A. Ingólfsdóttir. Characteristic formulae for processes with divergence. Information
and Computation, 110(1):149–163, 1994.
[SW01] D. Sangiorgi and D. Walker. The π-calculus: a Theory of Mobile Processes. Cambridge University
Press, 2001.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view
a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a
letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.