A Spatial Logic for Concurrency

Transcription

1 A Spatial Logic for Concurrency (Part I) Luís Caires Departamento de Informática FCT/UNL, Lisboa, Portugal Luca Cardelli Microsoft Research, Cambridge, UK Abstract We present a logic that can express properties of freshness, secrecy, structure, and behavior of concurrent systems. In addition to standard logical and temporal operators, our logic includes spatial operations corresponding to composition, local name restriction, and a primitive fresh name quantifier. Properties can also be defined by recursion; a central aim of this paper is then the combination of a logical notion of freshness with inductive and coinductive definitions of properties. 1 Introduction We present a logic for describing the behavior and spatial structure of concurrent systems. Logics for concurrent systems are certainly not new [22, 14, 29, 16], but the intent to describe spatial properties seems to have arisen only recently. The spatial properties that we consider here are essentially of two kinds: whether a system is composed of two or more identifiable subsystems, and whether a system restricts the use of certain resources to certain subsystems. Previous work [10] has considered also whether a system is composed of named locations; in that case, the notion of spatial structure is particularly natural. The initial motivation for studying these logics was to be able to specify systems that deal with fresh or secret resources such as keys, nonces, channels, and locations. In previous papers [10, 6], we have found that the spatial properties of process composition and of location structures are fairly manageable. Instead, the properties of restriction are much more challenging, and are closely related to the study of logical notions of freshness [20, 19, 31]. The main aim of this paper is to advance the study of restriction started in [11, 6] and to build a closer correspondence with treatments of freshness [19]. For simplicity, we use a basic process calculus (the asynchronous -calculus) that includes composition and restriction. We omit locations in this paper because they are easy to add along the lines of [10], and are comparatively easier to handle than composition or restriction. It will become clear that our general approach is fairly insensitive to the details of specific process calculi, and is largely insensitive to the dynamics (reduction behavior) of specific calculi. Therefore, it can be easily adapted to other calculi, and perhaps even generalized to process frameworks [21]. 1

2 A formula in our logic describes a property of a particular part of a concurrent system at a particular time; therefore it is modal in space as well as in time. This dual modality can be captured by standard box and diamond operators, reflecting reachability in space and in time [10, 6]. As a further contribution of this paper, though, we wish to investigate a more general framework akin to the -calculus [25], where formulas can be recursive and can subsume box and diamond operators. Moreover, by combining spatial and temporal connectives with recursion, we can then define new and interesting modalities, such as under an arbitrary number of restrictions. The most technically challenging part of the paper is then the interaction of recursive formulas, already present in [6, 9, 16], with logical notions of freshness, composition, and name restriction, already present in [6, 11]. We now give a brief overview of the constructs of the logic, before moving on to the formal treatment. Let È be the set of (asynchronous -calculus) processes. A property is a set of processes; a subset of È. A closed formula denotes a property, namely, it denotes the collection of processes satisfying that formula. The collection of all properties (which is not quite the powerset of È, as we shall discuss) has the structure of a Boolean Algebra under set inclusion, so we naturally get boolean connectives(we take F, and µ as primitive). The above propositional fragment is extended to predicate logic via a universal quantifier Ü. This quantifier has standard properties, but the bound variable Ü ranges always over the countable set of channel names of the process calculus. The collection of all properties has also the structure of a quantale, induced by the parallel composition operator over processes. In the logic, this is reflected by the operators (the tensor, or parallel composition, of two properties), ¼ (the unit of the tensor, or collection of void processes), and º (the linear implication associated with the tensor). This last operator corresponds to context-system specifications, which are the concurrency theory equivalent of pre/post conditions. In addition, º is a first class formula that can be freely and usefully combined with other operators. In much the same way that parallel process composition induces the quantale structure, process restriction induces a pair of operators ÒÖ and «Ò, called revelation and hiding, that give us a basis for describing restricted processes at the logical level. The notion of fresh name is introduced by a quantifier ÁÜ ; a process È satisfies ÁÜ if È satisfies for some name fresh in È and ÁÜ. This quantifier allows us to then derive a hidden name quantifier [11, 6]. ÁÜ is defined along the lines of the freshness quantifier of Gabbay-Pitts [19]: the connections will be discussed. A similar ÁÜ quantifier is studied in [11] (in absence of recursion), but is handled as a meta-level construct, and not as a proper formula that can be mixed with recursion. A logical operator Ò Ñ allows us to assert that a message Ñ is present over channel Ò, giving us some minimal power to observe the behavior of processes. A next step temporal operator,, allows us to talk about the behavior of a process after a single (unspecified) reduction step. Finally, a second-order quantifier enables us to quantify over the collection of all properties. Combining with other operators of our logic, we then define a maximal fixpoint operator (provided is monotonic in ), and a dual minimal fixpoint operator. From these recursive formulas, we can then define operators for temporal and spatial modalities, for instance denoting that holds anytime in the future, and, meaning that holds everywhere in space. 2

3 Related Work A logic for a process calculus including a tensor operator and a hidden name quantifier was developed in [6, 2], but a satisfactory semantic treatment for the latter connective not was achieved before the contributions of [11] and of the present paper. Initial versions of spatial logics for the Ambient Calculus were introduced in [10], which also investigated connections with linear logic. We now target the logic towards a more standard -calculus. Following the initial approach of Hennessy-Milner [22], modal logics for the - calculus have been proposed in [29, 16, 17]. The main difference between our logic and these more standard logics of concurrency is the presence in our case of structural operations: namely, of a tensor operator that corresponds to process composition, and of a revelation operator that corresponds to name restriction. Usually, those other logics require formulas to denote processes up to bisimulation, which is difficult to reconcile with a tensor operator that can make distinctions between bisimilar processes (however, such an operator was anticipated in [15]). In our case, we only require formulas to denote processes up to structural equivalence, so that a tensor operator makes easy sense. Sangiorgi has shown, for a closely related logic, that the equivalence induced by the logic is then essentially structural equivalence [33]. The connections between name restriction and Gabbay-Pitts notions of freshness [20, 19, 31], first studied in [11], are further explored in this paper. The work on Bunched Logics [30] and Separation Logic [32] is closely related to ours, at least in intent. Spatial logics for trees and graphs have also been investigated in [9, 7, 8]. Organization of the paper We start with a concise review of the asynchronous - calculus. In Section 3 we give a detailed presentation of the syntax of the spatial logic. In Section 4, we introduce the central notion of property set, we define satisfaction, and we proceed with the analysis of semantical aspects of the logic. In Section 4.3 we then study an appropriate notion of logical validity. In Sections 5 and 6 we motivate and discuss fresh and hidden name quantification, and the recursive definition of properties. In Section 7 we discuss in more detail the arguments that lead to our choices. 2 Preliminaries on the asynchronous -calculus We review the syntax and operational semantics of the asynchronous -calculus [1, 24], following the notations of [27]. We base our presentation of «-equivalence on the use of transpositions (simple name replacements), which become prominent later in the paper. Definition 2.1 (Processes) Given a countable set of names, the set È of processes is given by the following abstract syntax Ñ Ò Ô ¾ (Names) È É Ê ¼ (Void) È É (Par) ÒµÈ (Restriction) Ñ Ò (Message) Ñ Òµ È (Input) È (Replication) 3

4 We write na È µ for the set of all names that textually occur in a process È (either bound or free). Definition 2.2 (Free names in Processes) For any process È, the set of free names of È, written fn È µ, is inductively defined as follows. fn ¼µ ¼ fn È Éµ fn È µ fn ɵ fn Ñ Ò µ Ñ Ò fn ÒµÈ µ fn È µ Ò Ò fn Ñ Òµ È µ fn È µ Ò Ò µ Ñ fn È µ fn È µ In restriction ÒµÈ and input Ñ Òµ È, the distinguished occurrence of the name Ò is binding, with scope the process È. We write bn È µ for the set of names which occur bound in the process È, and c Æ for the set È Æ fn È µ of processes that contain all names in Æ free. If Æ is a finite set of names, and Æ ¼ is a any set of names, a substitution Æ Æ ¼ of domain Æ and codomain Æ ¼ is a mapping assigning Òµ ¾ Æ ¼ to each Ò ¾ Æ, and Ò to each Ò ¾ Æ. Thus, outside its domain, any substitution behaves like the identity. Given a substitution, we denote by µ its domain. The image of a substitution, written Á µ, is the set Òµ Ò ¾ µ. We write Ò Ñ for the singleton substitution of domain Ò that assigns Ñ to Ò. Substitutions that just interchange a pair of names will play a special role in technical developments to follow. More precisely, the transposition of Ò and Ñ, noted Ò Ñ, denotes the substitution Ñ Ò Ñ Ò such that Òµ Ñ and ѵ Ò. Note that Ò Ñ Ñ Ò. Before defining safe substitution on processes, we first introduce transposition, and then define «-congruence in the style of [19]. Definition 2.3 (Transposition) Given a process È and a transposition, we denote by È the process inductively defined as follows. ¼ ¼ Ñ Ò Ñµ Òµ È Éµ È µ ɵ ÒµÈ µ Òµµ È Ô Òµ È µ Ôµ Òµµ È µ È µ È Proposition 2.4 For all processes È and É, and transpositions, 1. È È 2. Ñ Ò È Ñµ Òµ È Proof. By induction on the structure of È. Definition 2.5 (Congruence) A binary relation on processes is a congruence whenever for all processes È, É and Ê, È È È É µ É È È É É Ê µ È Ê È É µ È Ê É Ê È É µ Ê È È É È É µ ÒµÈ ÒµÉ È É µ Ñ Òµ È Ñ Òµ É È É µ È É (Cong Refl) (Cong Symm) (Cong Trans) (Cong Parl) (Cong Parr) (Cong Res) (Cong In) (Cong Repl) 4

5 In this paper we essentially make use of two congruences: «-congruence and structural congruence. As usual, «-congruence «is the congruence that identifies processes up to the safe renaming of bound names. Definition 2.6 («-congruence) «-congruence «is the least congruence on processes such that, ÒµÈ «Ôµ Ò Ô È where Ô ¾ na È µ (Alpha Res) Ñ Òµ È «Ñ Ôµ Ò Ô È where Ô ¾ na È µ (Alpha In) Definition 2.7 (Safe substitution) For any process È and substitution we denote by È µ the process inductively defined as follows: ¼µ ¼ Ñ Ò µ ѵ Òµ È Éµ È µ ɵ ÒµÈ µ Ôµ È Ò Ô µ where Ô ¾ µ Á µ fn È µ Ñ Òµ È µ ѵ Ôµ È Ò Ô µ where Ô ¾ µ Á µ fn È µ È µ È µ The name Ô in the clauses for restriction and input is chosen fresh, hence safe substitution is well-defined mapping on «-equivalence classes of processes, as usual. We write È for È µ when has the form Ò Ñ or Ò Ñ. We have Lemma 2.8 Let È be a process. Then 1. È «È µ where is any transposition 2. È Ò Ô «Ò Ô È where Ô ¾ fn È µ Proof. By induction on the structure of È. From Lemma 2.8 the usual characterization of «-congruence follows: Proposition 2.9 «-congruence is the least congruence on processes such that ÒµÈ «ÔµÈ Ò Ô where Ô ¾ fn È µ Ñ Òµ È «Ñ Ôµ È Ò Ô where Ô ¾ fn È µ As expected, safe substitution preserves «-congruence: Proposition 2.10 If È «É then È µ «Éµ. Proof. Standard. Definition 2.11 (Structural congruence) Structural congruence is the least congruence on processes such that È «É µ È É È ¼ È È É É È È É Êµ È Éµ Ê Ò ¾ fn È µ µ È ÒµÉ Òµ È Éµ Ò Ô Ò Ñ µ ÒµÔ Ñµ È Ô Ñµ ÒµÈ Òµ¼ ¼ Òµ ÑµÈ Ñµ ÒµÈ ¼ ¼ È È È È Éµ È É È È (Struct Alpha) (Struct Par Void) (Struct Par Comm) (Struct Par Assoc) (Struct Res Par) (Struct Res Inp) (Struct Res Void) (Struct Res Comm) (Struct Repl Void) (Struct Repl Copy) (Struct Repl Par) (Struct Repl Repl) 5

6 Although the axiom (Struct Res Inp) is absent from standard presentations of -calculi, the general consensus seems to be that such an axiom is quite sensible as a structural congruence. (Struct Res Inp) is implicit in early work of Boudol on the chemical abstract machine, and is harmless as far as extensional properties of processes (e.g., behavioral equivalence) are concerned. On the other hand, it has some convenient consequences in the setting of a more intensional logic like ours. Moreover, Engelfriet and Gelsema have shown the decidability of structural congruence in the presence of the (Struct Repl Void/Par/Repl) and (Struct Res Inp) axioms [18]. Proposition 2.12 (Basic properties of ) For all processes È and É, 1. If È É then fn È µ fn ɵ. 2. If Ò ¾ fn È µ then ÒµÈ È. 3. For all transpositions, È É if and only if È µ ɵ. 4. For all substitutions, if È É, then È µ ɵ. Proof. Standard. Proposition 2.13 (Inversion) For all processes È and É, 1. If ÒµÈ ¼ then È ¼. 2. If ÒµÈ Ê É then there are Ê ¼ and É ¼ such that È Ê ¼ É ¼ and either Ê ÒµÊ ¼ and É É ¼ and Ò ¾ fn ɵ, or Ê Ê ¼ and É ÒµÉ ¼ and Ò ¾ fn ʵ. 3. If ÒµÈ ÑµÉ then either È Ò Ñ É or there are È ¼ and É ¼ such that È ÑµÈ ¼, É ÒµÉ ¼ and È ¼ É ¼. Versions of Proposition 2.13(1 2) for the Ambient Calculus have been proved in [13] and [12]. Proposition 2.13(3) has a simple proof based on results in [18], as suggested by J. Engelfriet. The dynamics of processes is captured by reduction: Definition 2.14 (Reduction) Reduction is the least binary relation on processes inductively defined as follows. Ñ Ò Ñ Ôµ È È Ô Ò É É ¼ µ È É È É ¼ È É µ ÒµÈ ÒµÉ È È ¼ È ¼ É ¼ É ¼ É µ È É (Red React) (Red Par) (Red Res) (Red Struct) Proposition 2.15 (Basic properties of ) For all processes È and É, 1. If È É then fn ɵ fn È µ. 2. For all substitutions, if È É, then È µ ɵ. 3. If È É and É ÒµÉ ¼ for some É ¼, then there is È ¼ such that È ÒµÈ ¼ and È ¼ É ¼. 6

7 Ü Ý Þ ¾ Î (Name variables) ¾ (Propositional variables) ¾ Î (Names or name variables) F (False) (Conjunction) µ (Implication) ¼ (Void) (Composition) º (Guarantee) Ö (Revelation) «(Hiding) ¼ (Message) Ü (First-order universal quantification) ÁÜ (Fresh name quantification) (Next step) (Propositional variable) (Second-order universal quantification) Figure 1: Formulas. Proof. (1 2) Standard. (3) By induction on the derivation of È É (see Remark 2.16 below). Remark 2.16 Proposition 2.15(3) is a consequence of Proposition 2.13(3) and does not hold for versions of -calculi where does not satisfy (Struct Res Inp). E.g., consider È Ô Ô Ô Ñµ ÒµÑ Ò : we have È ÒµÉ ¼ where É ¼ Ô Ò. Now, pick any È ¼ such that È ÒµÈ ¼. Then, we can show that for all Ê such that È ¼ Ê we have Ê ÒµÉ ¼ É ¼. However, if we admit (Struct Res Inp), we have È Òµ Ô Ô Ô Ñµ Ñ Ò µ, so we can take È ¼ Ô Ô Ô Ñµ Ñ Ò. Remark 2.17 Reduction as defined in Definition 2.14 is almost the same as the usual one in the following sense. Let be the the standard structural congruence of [27] restricted to the asynchronous -calculus. Thus. Likewise, let be the standard reduction of the asynchronous -calculus. It is clear that. We also have that for all processes È and É, if È É then there is a process Ê such that È Ê and É Ê. 3 Syntax of the Spatial Logic Basic constructs of our spatial logic include propositional, spatial, and temporal operators, first-order and second-order quantifications, and freshness quantification (cf. [19]). As shown later, from this basic set of connectives we can define a quite expressive set of properties, including fixpoint combinators (supporting inductive and coinductive definition of properties) and an internal satisfiability modality [10]. 7

8 Definition 3.1 (Formulas) Given an infinite set Î of name variables, and an infinite set of propositional variables (mutually disjoint from ), formulas are defined as shown in Fig. 1. The meaning of these formulas was briefly discussed in the introduction; their semantics is given later in Definition We highlight here some of the more unusual operators. The formula ¼ is satisfied by any process in the structural congruence class of ¼. The formula is satisfied by any process that can be decomposed into processes that satisfy respectively and. Guarantee is the logical adjunct of composition: º is satisfied by those processes whose composition with any process satisfying results in a process satisfying. The formula ÒÖ is satisfied by all processes congruent with some process ÒµÈ, where È satisfies. The formula «Ò is satisfied by any process È such that ÒµÈ satisfies ; i.e., by a process that satisfies after hiding Ò. Message Ñ Ò holds of processes structurally congruent to a message Ñ Ò. The formula ÁÜ denotes fresh name quantification; a process satisfies ÁÜ if for (some/all) fresh names Ò (fresh in the process and in the formula), it satisfies Ü Ò. This quantifier exhibits the universal/existential ambivalence typical of freshness: a property holding of some fresh names should also hold of any other fresh name. As we shall see, combining the fresh name quantifier with revelation will enable us to define a hidden name quantifier, that is a quantifier over names that are locally restricted in the process at hand. In formulas of the form Ü, ÁÜ, and the distinguished occurrences of Ü and are binding, with scope the formula. We define on formulas the relation «of «-congruence in the standard way, that is, as the least congruence identifying formulas modulo safe renaming of bound (name and propositional) variables. We consider formulas always modulo «-congruence. Definition 3.2 (Free names and variables in formulas) For any formula, we introduce the following sets, inductively defined in Fig. 2. fn µ fv µ fpv µ free names in free name variables in free propositional variables in By fnv µ we mean the set fv µ fn µ. A formula is name-closed if it has no free name variables, and closed if it has no free variables whatsoever. We extend the previously given notion of substitution to name variables and formulas as follows. When Ë is a finite set of either variables and names, and Æ is a set of names, Ë Æ means that is a substitution assigning a name in Æ to each variable or name in Ë. If Ë Æ is a substitution then Ü denotes the substitution of domain Ë Ò Ü and codomain Æ defined by Ü Ýµ ݵ, for all Ý ¾ Ë Ò Ü. Definition 3.3 (Safe substitution) For any formula and substitution we denote by µ the formula inductively defined as follows. Fµ F ¼µ ¼ µ µ µ µ µ µ µ µ µ µ µ º µ µ º µ ¼ µ µ ¼ µ Ö µ µö µ «µ µ«µ ÁÜ µ ÁÜ Ü µ Ü µ Ü Ü µ µ µ µ µ µ 8

9 fn µ fv µ fpv µ F ¼ µ º fn µ fn µ fv µ fv µ fpv µ fpv µ ¼ ¼ ¼ Î Ö fn µ µ fv µ ε fpv µ «Ü ÁÜ fn µ fv µ Ò Ü fpv µ fn µ fv µ fpv µ fn µ fv µ fpv µ Ò Figure 2: Free names in formulas. When and are formulas, we denote by the capture avoiding substitution of all free occurrences of in by, defined in the expected way. By we denote a formula context with possibly multiple occurrences of the hole. Then, whenever is a formula, we denote by the formula obtained by textually replacing every occurrence of the hole in the context by. Note that free (name or propositional) variables in will be captured by binders present in ; cf., the standard notion of context substitution. 4 Semantics The semantics of formulas is defined by assigning to each formula a set of processes  Ã, namely the set of all processes that satisfy the property denoted by formula. However not any set of processes can denote a property in a proper way. For instance, it is sensible to require  à to be closed under structural congruence. That is, if a process È satisfies some property, then any process É such that É È must also satisfy. We also want to be able to express freshness of names with relation to  Ã. Suppose we have È ¾  Ã, Ò ¾ fn µ but Ò ¾ fn È µ. Since Ò ¾ fn µ, the free occurrences of Ò in È are fresh for the formula. Now, the particular choice of the name Ò should not depend on itself, since it is natural to consider that all fresh names for are to be treated uniformly. Therefore, it is natural to require that also È Ò Ñ ¾  Ã, where Ñ is any other fresh name for and È, that is Ñ ¾ fn È µ fn µ. Hence, we say that a set of processes is supported by the set of names Æ if, for all Ñ Ò not in the support Æ, if È belongs to then È Ò Ñ is also in. We then take as properties only those sets of processes that have a finite support. Intuitively, the support of a property is the semantic counterpart of the set of free names of a formula; the least support of the denotation of a formula is included in the set of free names of the formula. Sets with infinite support could only correspond to formulas that have an 9

10 infinite set of free names, and are therefore excluded. Moreover, the notion of finite support seems crucial for the semantics of the fresh name quantifier, ÁÜ, and consequently for the semantics of the derived hidden name quantifier HÜ. The semantics of the spatial logics of [11, 10, 6] is given in terms of sets of processes that are closed only under structural congruence, but if we try to extend that semantics to recursive formulas, we run into a problem: ÁÜ is not a monotonic operator, and could not be used together with recursion. This discussion is continued in more detail in Section Property Sets The above observations motivate the following notion of property set. A property set is a set of processes closed under structural congruence and finitely supported. Definition 4.1 (Property Set) A property set (Pset) is a set of processes such that 1. (Closure under ) For all É, if È ¾ and È É then É ¾. 2. (Finite support) There is a finite set of names Æ such that, for all Ò Ñ ¾ Æ, if È ¾ then Ò Ñ È ¾. Definition 4.2 (Collections of Property Sets) 1. È Æ is the set of all Psets supported by the finite set of names Æ. 2. È is the set of all Psets. The finite set Æ mentioned in Definition 4.1(2) is referred to as a support of the Pset. We use and to range over property sets. A support Æ plays for a Pset a role similar to (a bound on) the set of free names of a formula, and enables the definition of a notion of name freshness with respect to a possibly infinite set of processes. We use the notation Ë to denote the closure under structural congruence of an arbitrary set of processes Ë. Lemma 4.3 (Operations on Psets) For all finite Æ, 1. If Æ Æ ¼ then È Æ È Æ ¼. 2. (Bottom and Top) ¾ È Æ and È ¾ È Æ. 3. (Meet and Join) If Ë È Æ then Ì Ë ¾ È Æ and Ë Ë ¾ È Æ. 4. (Inverse) If ¾ È Æ then È Ò ¾ È Æ. Proof. See appendix. We can also extend the application of transpositions (not of arbitrary substitutions!) to Psets as follows: if is a transposition and is a Pset, define µ È µ È ¾. Note that Lemma 4.3(2-4) implies Proposition 4.4 (Lattice) For all finite Æ, we have 1. È Æ is a complete lattice. 2. È Æ is a Boolean algebra. 10

11 Remark 4.5 Note that È is neither closed under arbitrary unions nor closed under arbitrary intersections. For instance, let Ñ ½ Ñ ¾ be a linear ordering of, let È ¼ ¼ and for any ¼, È Ñ Òµ È Ë ½. Then È is finitely supported (with support Ñ ½ Ñ ) for any ¼, but ¼ È is not. Thus the collection of all Psets È is not a complete lattice. However, we can recover closure under all basic set-theoretic operations, by restricting to a cumulative hierarchy of finitely supported sets [19]. Definition 4.6 For any finite set of names Æ, a collection Ë of Psets is finitely supported by Æ if for all Ñ Ò ¾ Æ and ¾ Ë we have Ñ Ò µ ¾ Ë. Definition 4.7 È ¾ Æ names Æ. is the set of all collections of Psets supported by the finite set of Lemma 4.8 If Ë ¾ È ¾ Æ then Ë Ë ¾ È Æ and Ì Ë ¾ È Æ. Ë Ë Proof. If È ¾ Ë then È ¾ for some ¾ Ë Ë. If É È then É ¾ Ë ¾ Ë. Let Ñ Ò with Ñ Ò ¾ Æ. Since µ ¾ Ë, we also have È µ ¾ Ë Ë. The case for Ì Ë is similar. Definition 4.9 (Tensor and Unit) For every È Æ, define operations Å È Æ È Æ È Æ ½ È Æ by letting, for all ¾ È Æ Å È Exists É Ê. È É Ê and É ¾ and Ê ¾ ½ È È ¼ In [10] it is shown that the set of all -closed subsets of È gives rise to a commutative quantale. The same result still holds for domains of Psets. Proposition 4.10 (Quantale) For all finite Æ, È Æ Ë Å ½ is a commutative quantale, that is: 1. È Æ Ë is a complete join semilattice. 2. È Æ Å ½ is a commutative monoid. 3. Å Ë Ë Ë Å ¾ Ë, for all ¾ È Æ and Ë È Æ. Proof. See appendix. Lemma 4.11 (Transposing Psets) We have 1. For any process È and Pset, È ¾ µ if and only if È µ ¾. 2. ¾ È Æ if and only if µ ¾ È Æµ. 3. If Ñ Ò ¾ Æ and ¾ È Æ then Ñ Ò µ. Proof. See appendix. 11

12 Definition 4.12 (Support) Let Æ be a set of names. A Pset is supported by Æ whenever every permutation that fixes Æ also fixes. Moreover is finitely supported by Æ if supported by Æ and Æ is finite. We also have Proposition 4.13 (Least Support) Let ¾ È Æ. Then 1. There is a least set of names supp µ such that ¾ Èsupp µ. 2. For any transposition, supp µµ supp µµ. Proof. See appendix. Intuitively, the set of names supp µ represents the set of free names of the Pset (in the sense of Lemma 4.11(3)), hence supp µ is the semantic counterpart of the set fn µ of free names of a formula. Remark 4.14 We can verify that a Pset supported by Æ is finitely supported by Æ in the precise sense of [19]: A name permutation over is an injective name substitution such that µ Á µ. Let Ë be the group of all name permutations; recall that any permutation can be expressed as a composition of transpositions. For any Pset, µ ¾ È, by Lemma 4.11(2). Hence È is an Ë set. Now, let ¾ È Æ. Pick any ¾ Ë and assume that is not the identity permutation. This implies that there is some permutation ¼, such that ¼ ѵ ѵ for all Ñ ¾ and ¼ ѵ Ñ, for all Ñ ¾ ¼ µ. Assume that for all Ò ¾ Æ, Òµ Ò. Then, for all Ò ¾ Æ, ¼ Òµ Ò. We can see that Æ is disjoint from ¼ µ Á ¼ µ. Hence, ¼ can be written as a composition of transpositions ½ such that Ô Õ and Ô Õ ¾ Æ, for all ½. Therefore ¼ µ µ. This means that Æ (finitely) supports. We conclude that È is a perm µ-set with the finite support property. 4.2 Satisfaction We define the denotation of a formula by a Pset  à ¾ È Ò µ. However, since may contain free occurrences of propositional variables, its denotation depends on the denotation of such variables, which is given by a valuation. Definition 4.15 (Valuation) A valuation Ú is a mapping from a finite subset of (the propositional variables), assigning to each propositional variable in its domain Úµ a Pset. Given a formula, a valuation for is any valuation Ú such that fpv µ Úµ. Thus, the role of valuations is to interpret free propositional variables occurring in the formula. When Ú is a valuation, we write Ú to denote the valuation of domain Úµ that assigns to the propositional variable, and Ú µ to any other propositional variable. For any valuation Ú, we let fn Úµ supp Ú µµ ¾ Úµ Taking into account the extra information yielded by a valuation, we now give a refined characterization of the free names of a formula as follows 12

13 ÂFÃÚ Â ÃÚ Â ÃÚ Â ÃÚ Â µ ÃÚ È if È ¾  ÃÚ then È ¾  ÃÚ Â¼ÃÚ ½  ÃÚ Â ÃÚ Å Â ÃÚ Â º ÃÚ È Forall É if É ¾  ÃÚ then È É ¾  ÃÚ ÂÒÖ ÃÚ È Exists É È ÒµÉ and É ¾  ÃÚ Â «ÒÃÚ È ÒµÈ ¾  ÃÚ ÂÑ Ò ÃÚ È È Ñ Ò Â Ü ÃÚ ÌÒ¾ Â Ü Ò Ã Ú ÂÁÜ ÃÚ ËÒ ¾ Ò Ú µ Â Ü Ò Ã Ú Ò È Ò ¾ fn È µ µ  ÃÚ È Exists É È É and É ¾  ÃÚ Â ÃÚ Ú µ  ÃÚ Ì ¾È Â Ã Ú Figure 3: Denotation of formulas. Definition 4.16 (Free names under a valuation) If is a formula and Ú a valuation for, we define the set Ò Ú µ of free names of under Ú by Ò Ú µ fn µ supp Ú µµ ¾ fpv µ The set Ò Ú µ is used in an essential way in the definition of the semantics of the fresh name quantifier, where the quantification witness is tested for freshness with respect to the property set denoted by the formula, where the formula may contain free occurrences of propositional variables. Definition 4.17 (Denotation and Satisfaction) The denotation map  ÃÚ, inductively defined in Fig. 3, is the function that assigns a set of processes  ÃÚ to each nameclosed formula and valuation (for ) Ú. We write È Ú whenever È ¾  ÃÚ: this means that È satisfies formula under valuation Ú. The boolean connectives (F, and µ) are interpreted as expected, while the spatial operations related to composition (¼, ) are interpreted in terms of the quantale operations in Definition 4.9. Then º is given the expected semantics for the adjunct operator of the tensor. The spatial operations related to name hiding (revelation and hiding) are defined along similar lines. In the semantics of name quantification the quantified name variable is ranged over the set of all names. The semantics given to the freshness quantifier is such that a process È satisfies ÂÁÜ ÃÚ if and only if È satisfies Â Ü Ò ÃÚ for some name Ò fresh in and È : this is the reason for subtracting È Ò ¾ fn È µ, as further discussed in Section 5. Since in general may contain free occurrences of propositional variables, freshness with relation to formula must be defined in terms of Ò Ú µ, as already mentioned; this is justified in more detail in Section 5.2, where alternative definitions for the semantics of ÁÜ are also discussed. The denotation of second order quantification is also defined as expected, except that the quantified propositional variable ranges over all property sets (rather than all sets of processes). 13

14 We now show that the denotation map is well-defined. Since we are considering formulas up to «-congruence, we start by verifying that the denotation map is welldefined on the corresponding equivalence classes. Lemma 4.18 For all formulas and valuations Ú for and, if «, then  ÃÚ Â ÃÚ. Proof. Induction on the structure of. Note that assignments to propositional variables that do not occur free in the interpreted formula do not affect its denotation. Therefore, valuations can always be weakened and thinned whenever appropriate. Remark 4.19 For any formula, Pset and valuation Ú for, if ¾ fpv µ then  ÃÚ Â Ã Ú. We now extend the application of transpositions to valuations, this is done in the expected way: when Ú is a valuation, let Úµ be the valuation with same domain as Ú and defined by Úµ µ Ú µµ, for all ¾ Úµ. Lemma 4.20 For any formula, valuation Ú and transposition, if Ñ Ò and Ñ Ò ¾ fn Úµ then  ÃÚ Â Ã Úµ. Proof. For any ¾ Úµ we have Ñ Ò ¾ supp Ú µµ and Ú µ ¾ Èsupp Ú µµ. Thus supp µµ supp µ by Lemma 4.11(3). Hence Úµ Ú. Fundamental properties of the denotation mapping are stated in the following main theorem, from which all correctness properties of the semantics follow. Theorem 4.21 For all formulas and appropriate valuations Ú 1.  ÃÚ ¾ È ÒÚ µ. 2. For all transpositions,  ÃÚµ  µã Úµ. Proof. See Appendix. The property expressed in Theorem 4.21(2) corresponds to the equivariance property of [19], and essentially means that the denotation of a formula depends on the distinctions between the names that occur on it, rather than on the particular identities of such names. Lemma 4.22 For any formula and valuation Ú for we have supp  ÃÚµ Ò Ú µ Proof. By Theorem 4.21(1)  ÃÚ ¾ È ÒÚ µ; hence by Proposition 4.13 there is a least set Æ supp  ÃÚµ such that  ÃÚ ¾ È Æ. So supp  ÃÚµ Ò Ú µ. Remark 4.23 By inspection of the proof of Theorem 4.21 we can verify Assume  ÃÚ ¾ È Æ and  ÃÚ ¾ È Å. Then ÂFÃÚ ¾ È Â¼ÃÚ ¾ È ÂÔ Õ ÃÚ ¾ È Ô Õ Â ÃÚ ¾ È Æ Å Â µ ÃÚ ¾ È Æ Å Â ÃÚ ¾ È Æ Å Â º ÃÚ ¾ È Æ Å ÂÒÖ ÃÚ ¾ È Æ Ò Â «ÒÃÚ ¾ È Æ Ò Â ÃÚ ¾ È Æ Â ÃÚ ¾ Èsupp Ú µµ 14

15 If Â Ü Ò ÃÚ ¾ È Æ Ò for all Ò ¾, then Â Ü ÃÚ ¾ È Æ If Â Ü Ò ÃÚ ¾ È Æ Ò for all Ò ¾ Ò Ú µ, then ÂÁÜ ÃÚ ¾ È Æ If Â Ã Ú ¾ È ¾ È ¾ Æ then Â Ã Ú ¾ È Æ Lemma 4.24 Let be any formula, Ú a valuation for and, and any formula in which does not occur free. Then  ÃÚ Â Ã Ú Â Ã Ú Proof. Induction on the structure of formula. Another consequence of the closure property stated in Theorem 4.21(2) is that the relation of satisfaction between processes and formulas is closed under fresh name renaming. Lemma 4.25 (Fresh renaming) Let È be a process and a closed formula such that È. If Ñ ¾ fn µ fn È µ then È Ò Ñ Ò Ñ. Proof. Since Ñ ¾ fn È µ fn µ, by Lemma 2.8(2) we have È Ò Ñ È Ò Ñ, and Ò Ñ Ò Ñ. We conclude by Theorem 4.21(2). It should be stressed that the use of transpositions, as suggested to us by A. Pitts, together with the notion of support, yields for Lemma 4.25 a proof that is much simpler than direct ones (e.g., [2, 10]). Further motivation and alternatives for the present semantics will be discussed in the next sections Basic Derived Connectives Some derived connectives of basic interest are defined as shown next. µ F (Negation) T F (True) µ µ (Disjunction) µ (Decomposition) Ü Ü (Existential quantification) (Second order existential quantification) º F (Unsatisfiability) (Validity) c ÖT (Free name) ¼ c º c «¼ µ (Inequality) ¼ ¼ µ (Equality) (All next) Standard operations of the classical predicate calculus, namely (Negation), Ü (Existential quantification), (Disjunction) and T (True) are defined as expected. Another interesting connective is, the DeMorgan dual of composition, which supports the definition of a form of spatial quantification. A process satisfies if and only if every component of È with respect to composition, satisfies either or. A process È satisfies if there does not exists any process É that satisfies. Hence is valid if some process satisfies [10]. A process satisfies c if the name denoted by is free in it [11]. Then, any process satisfies ¼ if, in presence of a process 15

16 containing free, if we hide ¼ we still have a process that contains free: this can only hold true if ¼ and ¼ denote distinct names. We also have the modality, which is the dual of : a process satisfies if and only if all processes to which it reduces in one step satisfy. Proposition 4.26 For every process È and names Ò Ô we have 1. È ¾  c ÒÃÚ if and only if Ò ¾ fn È µ. 2. È ¾ ÂÒ ÔÃÚ if and only if Ò Ô. Proof. 1. See [11]. 2. We verify that È ¾  c Ò º c Ò«ÔµÃÚ if and only if Ò Ô. Suppose È ¾  c Ò º c Ò«ÔµÃÚ. Then, for every É such that Ò ¾ fn ɵ we have É È ¾  c Ò«ÔÃÚ. This implies Ò ¾ fn Ôµ É È µµ, and thus Ò Ô. Conversely, if Ò Ô and Ò ¾ fn ɵ then Ò ¾ fn Ôµ É È µµ and Ò ¾ fn É È µ, for all È. Thus, for every É such that Ò ¾ fn ɵ, we have É È ¾  c Ò«ÔÃÚ for all È. 4.3 Validity We now introduce a notion of logical validity. A formula is valid if all of its ground instances, under all valuations, are satisfied by all processes. Definition 4.27 (Valid Formula) A formula is valid if for all substitutions with fv µ µ, and for all valuations Ú such that fpv µ Úµ, we have  µãú È. We use the meta-level statement valid µ to assert validity of formula. Logical validity satisfies the following general principles. Proposition 4.28 (Instantiation) Let be any formula context. We have 1. For any and formula, valid µ µ valid Ü µ. 2. For any formula, valid µ µ valid µ Proof. 1. Assume valid µ. Then for all substitutions where fv µ µ, for all valuations Ú such that fpv µ Úµ, we have È Â µãú. Let ¼ be any substitution with fv Ü µ ¼ µ and define ¼ Ü Æ Ü ¼ µ. Now, fv µ µ. Thus È Â µãú for any appropriate valuation Ú. Since µ ¼ Ü µ, we are done. 2. Similar to proof of Lemma 4.29 (induction in the size of ). Lemma 4.29 (Substitutivity) Let  µãú  µãú for all substitutions and valuations Ú, and let be a formula context. Then, for all substitutions and valuations Û we have  µãû  µãû. Proof. See appendix. A direct consequence of substitutivity is Proposition 4.30 (Replacement of equivalents) Let be any formula context. We have valid µ µ valid µ. Proof. Assume valid µ. Then  µãú  µãú for any valuation Ú for and substitution. Let Û be any valuation for ; we must show that  µãû  µãû, for any substitution. But this follows directly from Lemma

17 5 Fresh and Hidden Name Quantification In this section the semantics of Section 4 is used to investigate basic properties of the fresh name quantifier and of the derived hidden name quantifier. 5.1 The Fresh Name Quantifier As we have seen, freshness plays a central role in the spatial logic, but uses of the freshness quantifier ÁÜ can be rather subtle. Consider, as an example, the formula ÁÜ Ü Ñ, satisfied by any process È such that, for any Ò fresh in È and different from Ñ, È satisfies Ò Ñ. But if È satisfies Ò Ñ, it must be congruent to Ò Ñ, and hence it must contain Ò. Therefore, Ò is not fresh in È, a contradiction. In fact, the denotation of ÁÜ Ü Ñ is empty. This shows that many simple uses of Á are vacuous, when the fresh name maps directly to a free name of the process. There are, however, two basic ways of making good use of the fresh quantifier. The first way is to use Á in conjunction with Ö, so that the fresh name is used to reveal a restricted name of the process (then the fresh name does not map to a free name of the original process). In this situation, we definitely do not want the name used to reveal a restricted name to clash with some other name of the process. This is one of the reasons that motivates the use of Ò È Ò ¾ fn È µ in the semantics of ÁÜ (Fig. 3), to eliminate such a possibility. The combination of Á and Ö is discussed further in Section 5.3. The second way is to use Á in conjunction with º, so that the fresh name maps to a free name of the context, but not of the process. For example, consider the formula ÁÜ Ý Ü Ý º Ü Ý Tµµ This formula holds of all processes È that verify the following: if a message on a fresh channel Ü is composed in parallel with È, then no reduction from the resulting process consumes such a message. Intuitively, we expect such a property to hold of every process. In fact, let È be any process, Ò some name not free in È, and Ñ any name. Pick any process É such that É Ú Ò Ñ. So, É Ò Ñ. Now, we verify that if É È Ê, then Ê Ò Ñ È ¼, where È È ¼, because È Ò Õµ Ê ¼ Ê ¼¼. Thus È Ú Ò Ñ º Ò Ñ Tµ. Since Ñ is arbitrary, È Ú Ý Ò Ý º Ò Ý Tµ. Since Ò is neither free in È nor belongs to Ò Ú Ý Ü Ý º Ü Ý Tµµ, we conclude È Ú ÁÜ Ý Ü Ý º Ü Ý Tµ. A fundamental consequence of closure of satisfaction under fresh renaming (Lemma 4.25) is the following characterisation of fresh name quantification, that makes clear the universal/existential ambivalence of freshness: if some property holds of a fresh name, it holds of all fresh names. Proposition 5.1 (Gabbay-Pitts Property) Let ÁÜ be a name-closed formula, È a process, and Ú a valuation for ÁÜ. Then, the following statements are equivalent 1. È Ú ÁÜ. 2. There is Ò ¾ fn È µ Ò Ú µ such that È Ú Ü Ò. 3. For all Ò ¾ fn È µ Ò Ú µ we have È Ú Ü Ò. Proof. (½ µ ¾) By definition. (¾ µ ) By Remark 4.19, there is Ò such that Ò ¾ fn È µ Ò Ú µ and È Ú Ü Ò, where Ú is the restriction of Ú to 17

18 the free propositional variables of. Now, pick Ñ ¾ fn È µ Ò Ú µ, and let Ñ Ò. By Theorem 4.21(2), we conclude È µ Ú µ Ü Ò µ, that is, È Ú µ Ü Ñ. Note that Ñ Ò ¾ fn Ú µ; hence È Ú Ü Ñ, by Lemma 4.20(1). Hence È Ú Ü Ñ, by Remark ( µ ½) Immediate. A corollary of the previous proposition is Proposition 5.2 Let be a name-closed formula and Ú a valuation for and. We have 1. Â Ü ÃÚ ÂÁÜ ÃÚ Â Ü ÃÚ 2. ÂÁÜ µ µãú ÂÁÜ µ ÁÜ ÃÚ Proof. 2. (Left to right) Assume È ¾ ÂÁÜ µ µãú and È ¾ ÂÁÜ ÃÚ. Then È ¾ Â Ü Ò ÃÚ for some Ò ¾ fn È µ Ò Ú µ, and È ¾ Â Ü Ñ µ Ü Ñ ÃÚ for some Ñ ¾ fn È µ Ò Ú µ µ. By Proposition 5.1(3), for all Ò ¾ fn È µ Ò Ú µ we have È ¾ Â Ü Ò ÃÚ. In particular, È ¾ Â Ü Ñ ÃÚ, thus È ¾ Â Ü Ñ ÃÚ. We conclude È ¾ ÂÁÜ ÃÚ. (Right to left) Assume È ¾ ÂÁÜ µ ÁÜ ÃÚ. Pick Ñ ¾ fn È µ Ò Ú µ µ and assume È ¾ Â Ü Ñ ÃÚ. Then È ¾ ÂÁÜ ÃÚ, this implies È ¾ ÂÁÜ ÃÚ. By Proposition 5.1(3), È ¾ Â Ü Ñ ÃÚ. Hence È ¾ ÂÁÜ µ µãú. Fresh quantification distributes over all boolean connectives, not only implication (cf., Proposition 5.2(2), it suffices to note that (trivially) ÂÁÜ FÃÚ ÂFÃÚ). In the next lemma, we list some other distribution properties of freshness quantification. Lemma 5.3 (Distribution properties of Á) We have 1. ÂÁÜ µãú ÂÁÜ ÁÜ ÃÚ 2. ÂÁÜ º µãú ÂÁÜ º ÁÜ ÃÚ 3. ÂÁÜ ÃÚ Â ÁÜ ÃÚ 4. ÂÁÜ ÒÖ ÃÚ ÂÒÖÁÜ ÃÚ 5. ÂÁÜ Ý ÃÚ Â Ý ÁÜ ÃÚ 6. ÂÁÜ ÃÚ Â ÁÜ ÃÚ Proof. See Appendix. It is not hard to see that properties 5. and 6. above are not strict equalities: for a counterexample to Ý ÁÜ ÁÜ Ý consider, e.g., Ü Ý. 5.2 Discussion In [19] a Á-quantifier is defined, such that ÁÜ Ò Ü Ò is cofinite There is a quite close connection between this Á-quantifier and ours, superficial differences being related to the fact that we are working in a modal logic. In our case, we have Proposition 5.4 È Ú ÁÜ if and only if Ò È Ú Ü Ò is cofinite. Proof. (Left to right) Pick È Ú ÁÜ. Thus there is Ò ¾ Ò Ú µ fv È µ such that È Ú Ü Ò. By Gabbay-Pitts (Proposition 5.1(3)) we have that for all Ò if Ò ¾ Ò Ú µ fv È µ then È Ú Ü Ò. Hence Ò È Ú Ü Ò is cofinite. (Right to left) Assume Ë Ò È Ú Ü Ò is cofinite. Then, there 18

19 is a finite set Å Ò Ëµ such that for all Ò, if Ò ¾ Å then È Ú Ü Ò. Pick Ñ ¾ Ò Ú µ fn È µ Å. Then È Ú Ü Ñ, hence È Ú ÁÜ. Now, let us define the following (meta-level) quantifier Á Ü Ò ¾ Ü Ò is cofinite where is a meta-level statement of the (informal) theory of Psets of Section 4. Note that Á Ü is defined exactly as the Á-quantifier of Gabbay-Pitts. Then, we can read the statement of the previous proposition as: È ¾ ÂÁÜ ÃÚ if and only if Á Ò È ¾ Â Ü Ò ÃÚµ It is interesting to discuss alternative freshness quantifiers. Our semantics of ÁÜ is such that È Ú ÁÜ holds if and only if there is a name Ò, fresh both in and È, such that È Ü Ò (cf., Proposition 5.1). It is natural then to ask what happens if Ò only is required to be fresh in. Let us define for this propose a different quantifier FÜ where È ¾ ÂFÜ Ã if and only if Ò ¾ fn µ such that È ¾ Â Ü Ò Ã One could then attempt to define ÁÜ as FÜ c ܵ. Although ÂFÜ Ã is a Pset, the main problems with FÜ, with respect to ÁÜ, are a failure of monotonicity (Proposition 6.5), a failure of the substitutivity property (Lemma 4.29), and a failure of the Gabbay-Pitts property (Proposition 5.1) relating to a proper notion of freshness. For substitutivity, we have that ÂÒ Ò Ò Ò Ã ÂTÃ. So, we would expect that ÂFÜ Ò Ò Ò Ò µ Ü Ü µã ÂFÜ T Ü Ü µã. But Ò Ò ¾ ÂFÜ T Ü Ü µã, while Ò Ò ¾ ÂFÜ Ò Ò Ò Ò µ Ü Ü µã. So, FÜ is not a proper compositional logical operator. While, rather amazingly, ÁÜ is. For monotonicity, consider Õ Õ Ô Ô Õ Õ Note that ¾ È Ô Õ, Ò Ú Ü Ü µ Õ and Ò Ú Ü Ü µ Ô Õ. On the one hand, Õ Õ Ô Ô ¾ ÂFÜ Ü Ü Ã Ú, because there is Ò ¾ Õ (namely Ô) such that Õ Õ Ô Ô ¾ Â Ò Ò Ã Ú. On the other hand, we have Õ Õ Ô Ô ¾ ÂFÜ Ü Ü µã Ú, because there is no Ò out of Ô Õ such that Õ Õ Ô Ô ¾ Â Ò Ò Ã Ú. So ÂFÜ Ü Ü µã Ú ÂFÜ Ü Ü µã Ú. We conclude that FÜ cannot be used with recursive formulas. For the Gabbay-Pitts property, consider whether Ô Ô ¾ ÂFÜ Ü Ü Ã. This means, by definition: there is a name Ò such that Ô Ô ¾ Â Ò Ò Ã. This is true, take any Ò Ô. If we had a Gabbay-Pitts property for FÜ we would obtain that for all names Ò, Ô Ô ¾ ÂÒ Ò Ã. But this is false: take Ò Ô. So, by the interpretation of the Gabbay-Pitts property, the candidate FÜ is not a proper freshness quantifier. 5.3 The Hidden Name Quantifier When combined with revelation, the fresh name quantifier gives rise to a natural operation of quantification over hidden (restricted) names in a process. Intuitively, a hidden name is revealed under a fresh identity, and then a property is asserted of the process where the name is hidden. HÜ ÁÜ ÜÖ 19

20 A formula HÜ reads there is a restricted name Ü such that holds for the process under the restriction. From the above definition, we get the following direct semantic characterization of the name-closed formula HÜ ÂHÜ ÃÚ É É ÒµÈ and Ò ¾ fn ɵ Ò Ú µ and È ¾ Â Ü Ò ÃÚ The hidden name quantifier makes it possible to express properties of processes that depend on (or need to mention) some secret name. For a quite simple example, consider the closed formula Ý HÜ Ý Ü Tµ We can verify that a process satisfies this formula if there is some name Ò such that È satisfies the formula HÜ Ò Ü Tµ. But this means that there is some name Ñ, fresh with respect to È and HÜ Ò Ü Tµ, such that È ÒµÉ and É Ò Ñ Ê for some É and Ê. In summary, È satisfies Ý HÜ Ý Ü Tµ if and only if È Ñµ Ò Ñ Êµ for some Ñ and Ò Ñ (hence Ò is public). We conclude that the formula Ý HÜ Ý Ü Tµ is satisfied by those processes that are ready to send a secret name over a public channel. As a further example, let Ü be some formula with a free occurrence of the name variable Ü, and consider Keeps Ü µ HÜ Ü T º HÜ Ü Tµ A process that satisfies Keeps Ü µ is always able to guarantee, until the next step, persistence of property with respect to some secret Ü it owns, even when attacked by some other arbitrary process. Let É be the process ѵ Ñ Ò Ôµ Ñ Õµ Ñ Ô µ We have fn ɵ Ò. Now define Msg Ü Ýµ Ü Ý Tµ. We can verify that É satisfies Keeps Ý Msg Ü Ýµµ. As a further example, consider the formula NoRes HÜ c Ü A process È satisfies NoRes if and only if it is not the case that there is a process É and a name Ò such that È ÒµÉ and Ò ¾ fn ɵ. In other words, È satisfies NoRes if and only if for all processes É and names Ò such that È ÒµÉ we have Ò ¾ fn ɵ. Intuitively, this means that È has no genuine restricted hidden name at the outermost level, because if È ÒµÉ for some É and Ò, then È É (Ò ¾ fn ɵ implies ÒµÉ É). So, we will call restriction-free any process that satisfies NoRes. For instance Ò Ñ satisfies NoRes, and so does ÒµÑ Ñ if Ñ Ò, but ÒµÒ Ò does not. Lemma 5.5 (Some properties of H) We have 1. ÂHÜ c ܵÃÚ ÂÁÜ ÃÚ 2. If Ü ¾ fn µ then ÂHÜ c ܵµÃÚ Â HÜ µ ÃÚ 3. ÂHÜ ÁÜ ÃÚ ÂHÜ µãú 4. ÂHÜ ÃÚ Â HÜ ÃÚ 20

21 Proof. 1. (Left to right inclusion) Pick some process È ¾ ÂHÜ c ܵÃÚ. By the characterization given above, this means that È ÒµÉ for some É and Ò such that Ò ¾ fn È µ Ò Ú µ and É ¾ Â Ü Ò c ÒÃÚ. But then, Ò ¾ fn ɵ and É ¾ Â Ü Ò ÃÚ. We conclude È ÒµÉ É, by Proposition 2.12(2). Therefore, È ¾ ÂÁÜ ÃÚ. In the other direction the proof is similar. 2. (Left to right inclusion) Let È ¾ ÂHÜ c ܵµÃÚ. Then È Òµ É Êµ, here Ò ¾ fn È µ Ò Ú HÜ c ܵµµ, É Ú, Ê Ú and Ò ¾ fn ʵ. Then È ÒµÉ Ê, and we conclude È Ú HÜ. The converse inclusion is also immediate, using Proposition (Left to right inclusion) Let È ¾ ÂHÜ ÁÜ ÃÚ. Then È É Ê where for all Ò ¾ fn ɵ Ò Ú µ there is É ¼ such that É ÒµÉ ¼ and É ¼ Ú Ü Ò, and Ê Ü Ô for all Ô ¾ fn ʵ Ò Ú µ, by Proposition 5.1. Pick Ñ ¾ fn ɵ Ò Ú µ Ò Ú µ fn ʵ. Hence Ê Ú Ü Ñ. Moreover, there is É ¼¼ such that É ÑµÉ ¼¼ and É ¼¼ Ú Ü Ô. So É ¼¼ Ê µ Ü Ñ, and thus ѵ É ¼¼ ʵ HÜ µ. To conclude, note that È Ñµ É ¼¼ ʵ. 4. (Left to right inclusion) Pick some process È ¾ ÂHÜ ÃÚ. So, È ÒµÉ for some É and Ò such that É É ¼ and É ¼ ¾ Â Ü Ò ÃÚ, where Ò is fresh with respect to È and. But then È ÒµÉ ¼. Since Ò is also fresh w.r.t. ÒµÉ ¼, we conclude ÒµÉ ¼ ¾ ÂHÜ ÃÚ. Hence È ¾  HÜ ÃÚ. (Right to left inclusion) Take some process È ¾  HÜ ÃÚ. Then there is É such that È É and É ¾ ÂHÜ ÃÚ. Then É ÒµÊ where Ê ¾ Â Ü Ò ÃÚ and Ò ¾ fn ɵ Ò Ú µ. Now, since È É, by Proposition 2.15(3) there are È ¼ and Ê ¼ such that È ÒµÈ ¼, È ¼ Ê ¼ and Ê ¼ Ê. This means that È ¾ ÂHÜ Ã. In the next section, we give further examples using the hidden name quantifier together with recursion. 6 Recursive Definitions The possibility of defining properties by induction and coinduction is a major source of expressiveness of our spatial logic. Of particular interest is the combination of properties involving recursion and freshness. 6.1 Encoding Recursion We show that recursive definitions can be expressed in the logic via second order quantification and the guarantee operator. We begin by encoding validity of a formula by (see Section 4.2.1): µ Fµ º F (Validity) We compute:  ÃÚ Â µ Fµ º FÃÚ È Forall Ê Ê ¾  µ FÃÚ µ È Ê ¾ È Forall Ê Ê ¾  µ FÃÚ È Forall Ê Ê ¾  ÃÚ if  ÃÚ È then È else Next, we can use  µ µãú to say that  ÃÚ is included in  ÃÚ: µ µ µ (Entailment) 21

22 Then  µ ÃÚ Â µ µãú if  µ ÃÚ È then È else if È È ¾  ÃÚ µ È ¾  ÃÚ È then È else if  ÃÚ Â ÃÚ then È else Finally, we can use the following formula to define the greatest property such that, provided is monotonic in : µ µ (Greatest fixpoint) We can verify Ë Â ÃÚ Â µ µãú ¾È if Â Ã Ú then È else µ Ë ¾ È and Â Ã Ú We now show that the last line above defines a greatest fixpoint. Lemma 6.1 For any formula and valuation Ú with fpv µ Úµ the mapping Ú given by µ Ú µ µ Â Ã Ú is a mapping È È. Proof. Let ¾ È. Then ¾ È Å for some finite set of names Å. Let Å ¼ Å Ò Ú µ. Since Ò Ú µ Å Å ¼ by Theorem 4.21(1) we conclude Â Ã Ú ¾ È Å Å ¼ È. A mapping È È is monotonic if implies µ µ for all Psets and. For any mapping È È, a fixpoint of is a Pset ¾ È such that µ. The -greatest (respectively -smallest) fixpoint of, if it exists, is denoted by gfix µ (respectively lfix µ). We say that a formula is monotonic in if for all valuations Ú the mapping Ú is monotonic. We have µ Lemma 6.2 Let be a formula monotonic in. Then Ú has a unique greatest µ fixpoint given by gfix Ú µ µ Â Ã Ú Proof. First, note that although È is not a complete lattice we still have  ÃÚ ¾ È by Theorem 4.21 (1), since is definable in the logic. Let  ÃÚ and Ú µ µ  à Ú. We verify that. We first check that. If È ¾ then È ¾ for some ¾ È such that  à Ú. Since, by monotonicity, we have Â Ã Ú and thus È ¾. On the other hand, since, by monotonicity, we have Â Ã Ú Â Ã Ú. Then  ÃÚ. Finally, if some ¾ È verifies Â Ã Ú then. Hence we conclude the result. Note that Lemmas 4.24 and 6.2 imply soundness of the unfolding principle for, that is we have  ÃÚ Â ÃÚ. Similarly we can define the least fixpoint operator µ µ µ (Least fixpoint) and note that  ÃÚ Ì ¾ È and  à Ú. We then have 22