Xu LL, Lin HM. Complete proof systems for amortised probabilistic bisimulations. JOURNAL OF COMPUTER SCIENCE
AND TECHNOLOGY 31(2): 300–316 Mar. 2016. DOI 10.1007/s11390-016-1628-4
Complete Proof Systems for Amortised Probabilistic Bisimulations
Li-Li Xu 1,2,3 and Hui-Min Lin 1 , Fellow, CCF
1
State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
2
University of Chinese Academy of Sciences, Beijing 100049, China
3
École Polytechnique, Palaiseau 91120, France
E-mail: {xulili, lhm}@ios.ac.cn
Received September 17, 2014; revised March 20, 2015.
Abstract
The notion of amortisation has been integrated in quantitative bisimulations to make long-term behavioral
comparisons between nondeterministic systems. In this paper, we present sound and complete proof systems for amortised
strong probabilistic bisimulation and its observational congruence on a process algebra with probability and nondeterminism,
and prove their soundness and completeness. Our results make it possible to reason about long-term (observable) probabilistic
behaviors by syntactic manipulations.
Keywords
bisimulation
1
axiomatization, probabilistic calculus for communication systems (CCS), probabilistic automata, amortised
Introduction
Bisimulation is a central notion at the heart of the
theory of process calculi[1] . The idea is to match any
transition in one process with a transition labelled by
the same action in the other process, and their residuals can continue to mimic each other. Bisimulation
equivalence is a mathematically elegant, tractable concept. Many tools, either automated or interactive, have
been developed for proving bisimulation between pro1
cesses (e.g., CADP○
, [2]).
The theory of bisimulation has been extended to
systems equipped with quantitative features, such as
cost, time and probabilities. In this paper, we focus
on probabilistic systems. Probabilistic bisimulation, as
first defined in [3], has been admitted not to be robust,
namely, small changes to any of those probabilities may
cause equivalent states to become inequivalent. This is
particularly relevant for security systems where requiring all agents to behave identically is impractical. It
is, therefore, desirable to know the extent they differ
from each other, thus seeing how difficult it is for the
attackers to differentiate them. This started the quest
for approximate notions of behavioral equivalence for
probabilistic systems.
The concept of amortisation was initially introduced for cost-based bisimulations[4-5] to make longterm behavioral comparisons between nondeterministic
systems. The idea of amortisation has been borrowed
in [6] to formulate an approximate notion for probabilistically behavioral equivalence: ǫ-amortised probabilistic bisimulation, where ǫ is a positive real number
which depicts a degree of similarity between processes.
The purpose is to capture probabilistic behaviors in
terms of a popular quantitative property: ǫ-differential
privacy[7] , which was originally proposed for privacy
protection in the context of statistical databases.
In the original definition of differential privacy[7] , a
query mechanism A is ǫ-differentially private if for any
two databases u1 and u2 which differ only for one individual (one row), and any property Z, the probability
distributions of A(u1 ), A(u2 ) differ on Z at most by eǫ ,
namely, Pr[A(u1 ) ∈ Z] 6 eǫ × Pr[A(u2 ) ∈ Z]. This
means that the presence (or the data) of an individual
Regular Paper
This work was supported by the National Natural Science Foundation of China under Grant No. 60833001.
1
○
CADP: Construction and analysis of distributed processes — Software tools for designing reliable protocols and systems.
http://cadp.inria.fr/, Dec. 2015.
©2016 Springer Science + Business Media, LLC & Science Press, China
Li-Li Xu et al.: Complete Proof Systems for Amortised Probabilistic Bisimulations
cannot be revealed by querying the database. In [8],
the principle of differential privacy has been formally
extended to measure the degree of protection of secrets
in more general settings.
Note that the principle of differential privacy requires that the observations generated by two different secret values be probabilistically similar. An ǫamortised probabilistic bisimulation characterizes the
required behavioral similarity by associating every pair
of processes with an index c ∈ [−ǫ, ǫ]. Intuitively, ǫ
stands for a total variation budget; c starting from
0, ranging over [−ǫ, ǫ], records the current amount of
variation. Variation c can get either increased or decreased over time by adding the difference of probabilities in each step during mutual simulation, but remaining in the region [−ǫ, ǫ]. In this way, successive
differences can compensate each other, and the longterm budget gets amortised. As variation c starts from
0 and the absolute value of the budget is ǫ, only a total
of ǫ variation can be allowed. When ǫ = 0, we retrieve the usual notions of bisimulation on probabilistic
automata[3] .
The notion of amortised bisimulation considered in
this paper stems from [6], where a bijection between the
support sets of two distributions is required when relations between processes are lifted to distributions over
processes. This is admitted to be too strict, as, for instance, the resulting amortised bisimilarity in [6] is not
substitutive, its 0-amortised bisimulation fails to fully
characterize the standard probabilistic bisimulation[3] ,
and the weak transitions built on it are not transitive.
In this paper, such a bijection requirement is removed
to allow the split of probabilities in the lifting operation
(Definition 1) so that these undesirable consequences
are avoided.
Based on the relaxed notion of amortised bisimulation, we provide sound and complete proof systems for
it. Proof systems are important both at the theoretical level, as they provide a deep insight into the nature
of process combinators and of the kind of transformations of expressions which preserve bisimulations, and
at the practical level, as they provide a foundation for
developing verification tools.
For two processes Q and Q′ , we denote by Q ≺(ǫ,c)
′
Q if there exists an ǫ-amortised bisimulation R such
that (Q, Q′ , c) ∈ R. The judgments of our inference
system are therefore indexed inequalities of the form
(ǫ, c) ⊲ Q ≺ Q′ .
The proof system consists of a set of axioms and a
set of inference rules. The axioms include the standard
301
monoid laws for bisimulation and three laws for probabilistic choice. The set of inference rules encompasses
the rules for manipulating the combinators in the calculus, plus one structural rule used to glue pieces of
derivations together.
Since the usual rules for equality (substitutivity, reflexivity, symmetry and transitivity) cannot be
straightforwardly applied when reasoning with inequalities, especially on indexed inequalities, the completeness proof relies on a careful maintenance of indices
when rewriting terms. In particular, the set of (0, 0)indexed pairs of states is still an equivalence relation.
However, for non-(0, 0)-indexed pairs, the inference rule
for transitivity takes a form like triangle inequality,
more specifically:
Triangle
(ǫ1 , c1 ) ⊲ Q1 ≺ Q2 (ǫ2 , c2 ) ⊲ Q2 ≺ Q3
.
(ǫ1 + ǫ2 , c1 + c2 ) ⊲ Q1 ≺ Q3
We also develop weak notions of amortised bisimulation and provide a sound and complete proof system
for amortised observational congruence. It turns out
that it is sufficient to add the probabilistic extensions
of Milner’s three τ -laws[1] to the proof system of strong
amortised bisimulation. They can also be considered as
the reminiscent of Segala’s τ -laws for non-alternating
models in [9], of which the only difference is that here
they are decorated with indexed inequalities.
Related Work. Amortised bisimulations were initially proposed in [4] and further studied in [5, 1011] concerning cost-based and weight-based quantitative behaviors of processes. In [4, 10-11], a given budget
can be increased or decreased but never gets negative.
In our setting, the variations are within a given distance
but range from −ǫ to ǫ, which is similar to the idea in
[5].
A similar notion, called ǫ-bisimulation, was proposed for labelled Markov processes in [12-13]. Although the two notions are both proposed to allow small
deviations in probabilities when comparing processes,
our notion is intended to characterize the kind of deviation as defined by ǫ-differential privacy. Because of
this motivation, our notion is different from theirs in
two aspects: 1) the difference between probabilities is
measured in a multiplicative sense (thanks to the ln expression), rather than in an additive sense as in [12-13];
2) the total variation allowed is ǫ, while in [12-13], the
variation allowed in each simulation step is ǫ.
Developing sound and complete proof systems for
behavioral equivalences has long been a research focus
in the process algebra community. Among the work
on analyzing quantitative systems, a lot of attention
302
J. Comput. Sci. & Technol., Mar. 2016, Vol.31, No.2
has been devoted to the analysis of probabilistic behaviors. For the classical notion of probabilistic bisimulations, Bandini and Segala in [9] gave axiomatizations
for strong and weak behavioral equivalences on simple
probabilistic automata. Deng et al. provided similar
axiomatizations for a language that includes parallel
composition and (guarded) recursion on simple probabilistic automata[14] and probabilistic automata[15] , respectively. For more related work, we refer to references
therein.
Plan of the Paper. Section 2 recalls the basic notions
of probabilistic automata and probabilistic process algebra. Strong and weak amortised bisimulations are introduced in Section 3 and Section 4, respectively. The
proof systems are presented in Section 5 and Section 6
where their soundness and completeness are proved.
Section 7 concludes the paper.
2
2.1
Preliminaries
Probabilistic Automata
Given a set X, we denote by Disc(X) the set of discrete probability measures over X, and by δ(x) (called
the Dirac measure on x) the probability measure that
assigns probability 1 to x. The support of a measure
µ is defined as supp(µ) = {x ∈ X|µ(x) > 0}. A
probabilistic automaton (henceforth PA) A is a tuple
(S, A, D) where S is a finite set of states, A is a finite
set of action labels, and D : S × A → Disc(S) is a trana
sition relation. We also write s −→ µ for D(s, a) = µ.
A PA A is fully probabilistic if from each state of A,
there is at most one transition available. Probabilistic automata are used to give an operational semantics
of our probabilistic process algebra. PA defined here
is in fact the “simple probabilistic automata” defined
in [16]. For simplicity, we just call them “probabilistic
automata” in the rest of the paper.
An execution α of a PA is a (possibly infinite) sequence s0 a1 s1 a2 s2 . . . of alternating states and labels,
ai+1
such that for each i, si −→ µi+1 and µi+1 (si+1 ) > 0.
We use lstate(α) to denote the last state of a finite execution α. A trace is a sequence of labels in A∗ ∪ Aω
obtained from executions by removing states. We use
[ ] to represent the empty trace, and a to concatenate
two traces. Given a fully probabilistic automaton A,
an execution α of A induces a probability measure over
traces as follows. The basic measurable events are the
cones of finite traces, where the cone of a finite trace
~t, denoted by C~t, is the set {~t′ ∈ A∗ ∪ Aω |~t 6 ~t′ },
where 6 is the standard prefix preorder on sequences.
The probability of a cone C~t induced by α, denoted by
Pr[α ⊲ C~t], is defined recursively as follows.
Pr[α ⊲ C~t]

1, if ~t = [ ],




b
0, if ~t = aa~t′ , lstate(α) −→ µ and b 6= a,
= P


t′ ],
si ∈supp(µ) µ(si )Pr[αasi ⊲ C~

a

a~′
~
if t = a t and lstate(α) −→ µ.
2.2
Probabilistic Process Algebra
We present a probabilistic process algebra (PPA)
that allows for both nondeterministic and probabilistic
behaviors. We define non-deterministic choice, prefixing and probabilistic choice for the process calculus.
Let I be a finite index set, and a range over a finite
set A of labels. Let τ ∈ A, where we call τ the silent
action. Let NProc denote the set of nondeterministic
processes, ranged over by E, F or G, and PProc denote the set of probabilistic processes, ranged over by
P . Finally, let Proc , NProc ∪ PProc denote the set of
processes, ranged over by Q. The syntax of our PPA is
defined by the following BNF grammar:
E, F ::= 0 | E + F | a.P,
M
P ::=
pi Ei .
i∈I
0 is the inactive process having no transitions.
The + operator is the classical nondeterministic choice
as defined in [1]. It is folklore that + is associaP
tive and commutative. We shall write i∈1..n Ei for
E1 + E2 + · · · + En . Process a.P performs action a and
then offers a probabilistic choice described by P which
L
must be a probabilistic choice of the form
i∈I pi Ei ,
P
where pi ’s satisfy pi ∈ (0, 1] and i∈I pi = 1. When I
is indexed for just one process E, it will be abbreviated
to ∆(E).
We use µ and ν to range over distributions over
processes. We represent a distribution over processes
P
by µ = ◦ i∈I pi Ei where µ(Ei ) = pi . When I is indexed for just one process E, it is degenerated to the
Dirac measure on E, namely, µ = δ(E).
The semantics of a PPA term is a probabilistic automaton defined according to the rules in Fig.1, essentially following the non-alternating model defined in [9].
a
A transition of the probabilistic automaton E −→ µ describes a transition labelled by a that leaves from E and
leads to a probability distribution µ over states (i.e.,
processes). P 7→ µ simply states that the probability
distribution associated with P is µ.
303
Li-Li Xu et al.: Complete Proof Systems for Amortised Probabilistic Bisimulations
a
lchoice
E −→ µ
a
a
E + F −→ µ
p-idle
P
i∈I pi Ei 7→ ◦ i∈I pi Ei
prefix
a
E + F −→ µ
−
idle L
F −→ µ
rchoice
P 7→ µ
τ
P −→ µ
P 7→ µ
a
a.P −→ µ
Fig.1. Operational semantics of PPA.
We define the depth of a process Q, d(Q), to be the
maximum number of nested probabilistic choice operators in Q. Formally,
d(0) = 0,
M
d(
pj Ej ) = 1 + max d(Ej ),
j∈J
j∈J
d(a.P ) = d(P ),
X
d(
Ei ) = max d(Ei ).
i∈I
3
that there is a way to split the probabilities of the states
of µ between the states of µ′ and vice versa, expressed
by two weight functions ω and ω ′ , so that the relation
R is preserved. In other words, each probability distribution can be embedded to the other up to R and
the given variation c. Our notion of lifting operation
is similar to the notion used for the simulation in [17]
where the two weight functions coincide.
Definition 1. Let ǫ > 0, c ∈ [−ǫ, ǫ], R ⊆
Proc × Proc × [−ǫ, ǫ]. The lifting of R up to c, denoted by L(R, c), is a relation on Disc(NProc) written as µ L(R, c) µ′ , iff there exist two weight functions
ω, ω ′ : NProc × NProc → [0, 1] such that
P
1) for all E ∈ NProc, F ∈NProc ω(E, F ) = µ(E);
P
2) for all F ∈ NProc, E∈NProc ω ′ (E, F ) = µ′ (F );
3) for all E, F ∈ NProc, ω(E, F ) = 0 iff ω ′ (E, F ) =
0;
4) for all E, F ∈ NProc, if ω ′ (E, F ) > 0, then
i∈I
Amortised Probabilistic Bisimulation
This section introduces the notion of amortised
probabilistic bisimulation, presents a fact about behavioral closeness based on it and some of its basic properties, and investigates its relation with probabilistic
bisimilarity.
An ǫ-amortised probabilistic bisimulation has a total variation budget of ǫ, and a parameter c starting
from 0 and ranging over [−ǫ, ǫ], which records the current amount of variation. Two related states are required to mimic transitions from each other. The distributions that result from these transitions may differ
to some extent. This difference is added to c to get a
new amount of variation between the residual states.
The variation c can get either increased or decreased
over time due to a positive or a negative difference of
probabilities, but remains in the region [−ǫ, ǫ]. In this
way, successive differences can compensate each other,
and the long-term budget gets amortised. As the variation started at 0 and the absolute value of the budget
is ǫ, only a total of ǫ variation can be allowed. The
behavioral similarity will be shown later in Theorem 1.
The following notion of lifting is used to introduce
amortised probabilistic bisimulation. Given a relation
R ⊆ Proc×Proc ×[−ǫ, ǫ], µ L(R, c) µ′ informally means
(E, F, c + ln
ω(E, F )
) ∈ R.
ω ′ (E, F )
)
Note that if ln ωω(E,F
′ (E,F ) is positive, then after this
mutual step, the amount of deviation between E and
F will be increased, and otherwise decreased.
P
For simplicity reasons, we write F ω(E, F ) whenever the summation is taken over the default range
NProc.
Definition 2 (Amortised Bisimulation). Given
ǫ > 0. A relation R ⊆ Proc × Proc × [−ǫ, ǫ] is an
ǫ-amortised bisimulation if for all (Q, Q′ , c) ∈ R:
a
a
1) Q −→ µ implies Q′ −→ µ′ and µ L(R, c) µ′ ;
a
a
2) Q′ −→ µ′ implies Q −→ µ and µ L(R, c) µ′ .
(ǫ,c)
We denote by Q ≺
Q′ , where |c| 6 ǫ, if
there exists an ǫ-amortised bisimulation R such that
(Q, Q′ , c) ∈ R.
)
The reason of using ln ωω(E,F
′ (E,F ) in the lifting operation is as follows: the amortised bisimulation notion
based on it allows us to learn the degree of behavioral similarity between two related processes, which
is, specifically, measured by the ratio between the probabilities of producing the same trace starting from the
two processes. The behavioral similarity measured in a
multiplicative form is of interest because it is required
by a popular privacy notion ǫ-differential privacy[7] .
More precisely, we have Theorem 1 as follows.
Theorem 1. Given a fully probabilistic PA A,
Q1 , Q2 are two states of A. Let R be an ǫ-amortised
bisimulation, and ~t a finite trace. If (Q1 , Q2 , c) ∈ R,
then
1
Pr[Q1 ⊲ C~t]
6
6 eǫ−c .
eǫ+c
Pr[Q2 ⊲ C~t]
304
J. Comput. Sci. & Technol., Mar. 2016, Vol.31, No.2
Proof. The proof proceeds by the induction on the
length of ~t, following the same line of the proof of
Lemma 2 in [6].
Pr[Q ⊲C ]
Note that when c = 0, it becomes e1ǫ 6 Pr[Q12 ⊲C~~t ] 6
t
Pr[Q ⊲C ]
eǫ , namely, | ln Pr[Q12 ⊲C~~t ] | 6 ǫ.
t
Example 1. Consider two processes E and F :
E = a.P1 + b.P2 ,
F = a.P3 + b.P4 ,
P1 = 0.5 0 ⊕ 0.3E1 ⊕ 0.2E2 ,
P2 = 0.5ok ⊕ 0.5no,
P3 = 0.5 0 ⊕ 0.2F1 ⊕ 0.3F2 ,
P4 = 0.4ok ⊕ 0.6no,
E1 = c.(0.4ok ⊕ 0.6no),
3.1
Basic Properties
Some basic properties of ≺(ǫ,c) are given in the following propositions.
Proposition 1. The following holds:
1) Q ≺(0,0) Q;
2) Q ≺(ǫ,c) Q′ iff Q′ ≺(ǫ,−c) Q;
3) ≺(ǫ1 ,c1 ) ⊆≺(ǫ2 ,c2 ) where ǫ1 6 ǫ2 and |c2 − c1 | 6
ǫ2 − ǫ1 ;
4) for any ǫ and any |c| 6 ǫ, ≺(0,0) ⊆≺(ǫ,c).
Proof. The proof proceeds by constructing an amortised bisimulation relation R′ witnessing each pair of
related processes as follows.
1) Let
R′ = Id Proc ,
E2 = d.(0.6ok ⊕ 0.4no),
F1 = c.P2 ,
F2 = d.P2 ,
where the Dirac measure ∆(0) after ok and no is omitted for simplicity.
When P1 and P2 are lifted, we can allocate all the
probability of reaching E1 to F1 and vice versa, and
do the same thing between E2 and F2 . According to
Definition 2, we can check that the following relation
R is a ln 59 -amortised bisimulation between E and F ,
9
thus E ≺(ln 5 ,0) F .
R = (E, F, 0),
3
6
9
E1 , F1 , ln
, ok , ok , ln
, no, no, ln
,
2
5
5
2
4
8
E2 , F2 , ln
, ok , ok , ln
, no, no, ln
,
3
5
15
5
5
0, 0, 0 , ok , ok , ln
, no, no, ln
.
4
6
In the above example, it happens that there is no
split of the probability of a state. Next example shows
the case where the split of the probability of a state is
needed.
Example 2. Consider two probabilistic processes P1
and P2 , where P1 = ∆(a.b) and P2 = 0.5 a.b⊕0.5 a.(b+
0). P1 has just one descending state a.b while P2 has
two: a.b and a.(b + 0). For them to match each other,
we need to split the probability of a.b in P1 into two
parts and allocate them to the two states of P2 . We
can find weight functions ω, ω ′ between them as below
and conclude that P1 ≺(0,0) P2 :
ω = ω′
a.b
a.(b + 0)
a.b
0.5
0.5
where Id Proc ⊆ Proc × Proc × [−0, 0] : {(Q, Q, 0)|Q ∈
Proc}. Clearly, Id Proc is a 0-amortised bisimulation.
2) Assuming there exists an ǫ-amortised bisimulation R and |c| 6 ǫ such that (Q, Q′ , c) ∈ R, let
R′ = { (Q′ , Q, −c) | (Q, Q′ , c) ∈ R }.
3) Assuming Q ≺(ǫ1 ,c1 ) Q′ , then there exists an
ǫ1 -amortised bisimulation R and |c1 | 6 ǫ1 such that
(Q, Q′ , c1 ) ∈ R. Let R′ ⊆ Proc × Proc × [−ǫ2 , ǫ2 ] where
ǫ1 6 ǫ2 :
{(Q, Q′ , c2 )|∃c1 , (Q, Q′ , c1 ) ∈ R ∧ |c2 − c1 | 6 ǫ2 − ǫ1 }.
4) An immediate consequence of 3).
It is routine to verify that the relation R′ defined above
is the required amortised bisimulation, respectively. The next proposition shows the triangle inequality
property of ≺(ǫ,c).
Proposition 2. If Q1 ≺(ǫ1 ,c1 ) Q2 ≺(ǫ2 ,c2 ) Q3 , then
Q1 ≺(ǫ1 +ǫ2 ,c1 +c2 ) Q3 .
Proof. Assume that there exists an ǫ1 -amortised
bisimulation R1 and |c1 | 6 ǫ1 such that (Q1 , Q2 , c1 ) ∈
R1 , and an ǫ2 -amortised bisimulation R2 and |c2 | 6 ǫ2
such that (Q2 , Q3 , c2 ) ∈ R2 . Let R ⊆ Proc × Proc ×
[−ǫ1 − ǫ2 , ǫ1 + ǫ2 ]:
{ (Q1 , Q3 , c) | ∃Q2 , c1 , c2 .(Q1 , Q2 , c1 ) ∈ R1 ∧
(Q2 , Q3 , c2 ) ∈ R2 ∧ c = c1 + c2 }.
We extend R to be RExt as follows.
1) R ⊆ RExt .
2) If (Q, Q′ , c1 ) ∈ RExt and (Q, Q′ , c2 ) ∈ RExt , then
for any c, if c1 6 c 6 c2 , (Q, Q′ , c) ∈ RExt .
We shall prove that RExt is an (ǫ1 +ǫ2 )-amortised bisimulation.
305
Li-Li Xu et al.: Complete Proof Systems for Amortised Probabilistic Bisimulations
Given (Q1 , Q3 , c) ∈ RExt , there are two cases:
a
1) (Q1 , Q3 , c) ∈ R. If Q1 −→ µ1 , by (Q1 , Q2 , c1 ) ∈
a
R1 , there exist Q2 −→ µ2 and µ1 L(R1 , c1 ) µ2 ;
a
by (Q2 , Q3 , c2 ) ∈ R2 , there exist Q3 −→ µ3 and
µ2 L(R2 , c2 ) µ3 . Let ω and ω ′ be two weight functions
between µ1 and µ2 , and γ and γ ′ be two weight functions between µ2 and µ3 . We shall construct two weight
functions π, π ′ between µ1 and µ3 out of ω, ω ′ , γ and γ ′
in such a way that µ1 L(RExt , c) µ3 where c = c1 + c2 .
Define weight functions π, π ′ : NProc × NProc →
[0, 1] as follows:
π(E, F ) =
X ω(E, G)γ(G, F )
G
π ′ (E, F ) =
µ2 (G)
µ2 (G)
.
P
We can check that
F π(E, F ) = µ1 (E) and
′
π
(E,
F
)
=
µ
(F
);
and
π(E,
F ) = 0 iff π ′ (E, F ) =
3
E
′
0. If π (E, F ) 6= 0, since
ω(E, G)γ(G, F )
G
ω ′ (E, G)γ ′ (G, F )
π(E, F )
6 ln ′
π (E, F )
ω(E, G)γ(G, F )
6 max ln ′
,
G
ω (E, G)γ ′ (G, F )
min ln
G
ω(E, G)γ(G, F )
) ∈ R,
ω ′ (E, G)γ ′ (G, F )
G
ω(E, G)γ(G, F )
) ∈ R,
ω ′ (E, G)γ ′ (G, F )
R′ = {(
Thus π, π ′ are the two required weight functions and
µ1 L(RExt , c) µ3 holds.
2) Otherwise, (Q1 , Q3 , c) ∈ RExt \R. Namely, there
exist c1 and c2 , c1 6 c 6 c2 , (Q1 , Q3 , c1 ) ∈ R and
(Q1 , Q3 , c2 ) ∈ R.
a
If Q1 −→ µ, by (Q1 , Q3 , c1 ) ∈ R and the result
a
of case 1, there exists Q3 −→ µ′ and µL(RExt , c1 )µ′ .
Namely there are two weight functions ω1 and ω1′ s.t.
P
P
′
′
F ω1 (E, F ) = µ(E),
E ω1 (E, F ) = µ (F ) and
(E, F, c1 + ln
ω1 (E, F )
) ∈ RExt .
ω1′ (E, F )
M
pi Ei ⊕ pn E,
i∈1..n−1
M
pi Ei ⊕ pn E ′ , c)}
i∈1..n−1
∪ R ∪ Id Proc .
by the definition of RExt ,
π(E, F )
(E, F, c + ln ′
) ∈ RExt .
π (E, F )
ω(E, F )
) ∈ RExt .
ω ′ (E, F )
Hence, RExt is an (ǫ1 + ǫ2 )-amortised bisimulation. The following proposition lists the congruence properties of ≺(ǫ,c), namely, ≺(ǫ,c) is substitutive under all
PPA combinators.
Proposition 3 (Substitutivity). Let E ≺(ǫ,c) E ′
and P ≺(ǫ,c) P ′ . Then
1) E + F ≺(ǫ,c) E ′ + F ;
L
L
(ǫ,c)
2)
i∈1..n−1 pi Ei ⊕ pn E ≺
i∈1..n−1 pi Ei ⊕
′
pn E ;
3) a.P ≺(ǫ,c) a.P ′ .
Proof. For case 1 and case 3, we can easily deduce
conditions 1 and 2 of Definition 2.
For case 2, the case where E = E ′ is trivial. Otherwise, let R be an ǫ-amortised bisimulation where
(E, E ′ , c) ∈ R, and we shall show that R′ is also an
ǫ-amortised bisimulation, where
and
(E, F, c + max ln
ω2 (E, F )
) ∈ RExt .
ω2′ (E, F )
We define weight functions ω and ω ′ s.t. ω(E, F ) =
1
1
1 ′
′
2 ω1 (E, F ) + 2 ω2 (E, F ) and ω (E, F ) = 2 ω1 (E, F ) +
1 ′
2 ω2 (E, F ). By the definition of RExt , it holds
(E, F, c + ln
P
(E, F, c + min ln
(E, F, c2 + ln
,
X ω ′ (E, G)γ ′ (G, F )
G
Analogously, by (Q1 , Q3 , c2 ) ∈ R, there are another two
P
weight functions ω2 and ω2′ s.t.
F ω2 (E, F ) = µ(E),
P
′
′
ω
(E,
F
)
=
µ
(F
)
and
E 2
L
τ
⊕ pn E −→ µ where µ =
P
L
τ
◦ i∈1..n−1 pi Ei ⊕ pn E, and i∈1..n−1 pi Ei ⊕pn E ′ −→
P
µ′ where µ′ = ◦ i∈1..n−1 pi Ei ⊕ pn E ′ . All we need to
observe is that distributions µ and µ′ satisfy the lifting of R′ up to c. More precisely, there exist weight
functions ω, ω ′ :
Let
i∈1..n−1 pi Ei
ω(F1 , F2 ) = ω ′ (F1 , F2 )

 pi , if F1 = F2 = Ei ,
= pn , if F1 = E and F2 = E ′ ,

0, otherwise,
such that (Ei , Ei , c+ln ppii ) ∈ R′ and (E, E ′ , c+ln ppnn ) ∈
R′ .
306
3.2
J. Comput. Sci. & Technol., Mar. 2016, Vol.31, No.2
Relationship with Conventional
Probabilistic Bisimilarity
A special case of ≺(ǫ,c) is when ǫ = 0 and, consequently, c = 0. Intuitively Q ≺(0,0) Q′ means that Q
and Q′ can mimic each other without using any budget
for variations, thus they are expected to be bisimilar[3] .
One may wonder whether, conversely, every bisimilar
pair of processes is captured by ≺(0,0) . Here we shall
show that ≺(0,0) is indeed a bisimulation, and the converse also holds.
We recall first the notion of probabilistic bisimilarity
introduced in [3]. An equivalence relation over Proc can
be lifted to a relation over distributions over Proc by
stating that two distributions are equivalent if they assign the same probability to the same equivalence class.
Formally, let R ⊆ Proc × Proc be an equivalence relation. Two probability distributions µ1 and µ2 are
R-equivalent, written as µ1 L(R)µ2 , iff for every equivalence class [Q] ∈ Proc/R, we have µ1 ([Q]) = µ2 ([Q]),
P
where µi ([Q]) = Q′ ∈[Q] µi (Q′ ), i = 1, 2.
Definition 3. An equivalence relation R ⊆ Proc ×
Proc is a strong bisimulation if for all (Q, Q′ ) ∈ R,
a
a
Q −→ µ implies Q′ −→ µ′ with µL(R)µ′ . We write
Q ∼ Q′ whenever there is a strong bisimulation between
them. ∼ is the largest strong bisimulation, namely
strong bisimilarity.
Note that the converse direction is implied by the
symmetry of the equivalence relation R.
Proposition 4. ≺(0,0) = ∼.
Proof. (⊆) Consider the relation R induced by
(0,0)
≺
. Namely,
(Q, Q′ ) ∈ R iff Q ≺(0,0) Q′ .
By clause 1 and clause 2 of Proposition 1 and Proposition 2, clearly, R is an equivalence relation. We show
that it is a strong bisimulation. Let Q ≺(0,0) Q′ . Cona
sider some Q −→ µ. Since Q ≺(0,0) Q′ , there exists
a 0-amortised bisimulation R′ ⊆ Proc × Proc × [0, 0]
such that (Q, Q′ , 0) ∈ R′ . There exist a distribua
tion µ′ : Q′ −→ µ′ and weight functions ω, ω ′ : NProc ×
P
NProc → [0, 1] such that for each E,
F ω(E, F ) =
P
µ(E); for each F , E ω ′ (E, F ) = µ′ (F ); and ω(E, F ) =
0 iff ω ′ (E, F ) = 0; if ω(E, F ) > 0, then
(E, F, 0 + ln
ω(E, F )
) ∈ R′ .
ω ′ (E, F )
Because the leakage budget is 0, during the mutual simulation, every step must have exactly the same
probability, i.e., ω(E, F ) = ω ′ (E, F ). Furthermore, by
(E, F, 0) ∈ R′ , we have E ≺(0,0) F , thus [E] = [F ].
Henceforth,
X
µ([E]) =
µ(E ′ )
E ′ ∈[E]
=
X
E ′ ∈[E]
=
X
X
ω(E ′ , F ′ )
F ′ ∈[F ]
X
ω ′ (E ′ , F ′ )
F ′ ∈[F ] E ′ ∈[E]
=
X
µ′ (F ′ )
F ′ ∈[F ]
= µ′ ([F ]),
for all [E] ∈ Proc/R as required.
(⊇) Let
R = {(Q, Q′ , 0) | Q ∼ Q′ }.
We need to prove that R is a 0-amortised bisimulation.
The key is to show that for any µ1 , µ2 ∈ Disc(NProc):
µ1 L(∼)µ2 implies µ1 L(R, 0)µ2 .
By Lemma 18 in [17], µ1 L(∼)µ2 implies that there
P
exists a weight function ω such that
F ω(E, F ) =
P
µ1 (E), E ω(E, F ) = µ2 (F ) and if ω(E, F ) > 0 then
E ∼ F , namely, (E, F, 0) ∈ R. Thus µ1 L(R, 0)µ2 holds
as required.
4
Weak Amortised Probabilistic Bisimulation
In this section, we shall introduce the notion of
weak amortised bisimulations and amortised observational congruence.
The definition of weak transitions[9] is given in Fig.2.
Rules Weak 1∼Weak 3 say that a weak transition either starts from a strong transition, or is a self-loop
of a process, while Weak 4 and Weak 5 allow internal
transitions after and before an a-action to be absorbed.
P
For any F ∈ NProc, ◦ Ei ∈supp(µ) µ(Ei )µi (F ) =
P
Ei ∈supp(µ) µ(Ei )µi (F ).
Note that E =⇒ µ means that there are zero or
τ
more τ actions performed, while E =⇒ µ means at least
one τ action is performed. In Weak 4 and Weak 5, ε
ε
represents an empty string, =⇒ is actually =⇒ where
ε is omitted for simplicity.
Following [1], given a sequence t ∈ A∗ of labels, we
denote by b
t the sequence obtained from t by removing
all occurrences of τ in t.
Definition 4 (Weak Amortised Bisimulation).
Given ǫ > 0 and |c| 6 ǫ. A relation R ⊆ Proc ×
Proc × [−ǫ, ǫ] is an ǫ-weak amortised bisimulation if for
all (Q, Q′ , c) ∈ R:
307
Li-Li Xu et al.: Complete Proof Systems for Amortised Probabilistic Bisimulations
a
E −→ µ
Weak 1
a
τ
a∈A
Weak 2
E =⇒ µ
Weak 5
−
Weak 3
E =⇒ µ
a
Weak 4
E −→ µ
E =⇒ δ(E)
E =⇒ µ
∀Ei ∈ supp(µ). Ei =⇒ µi
a ∈ A ∪ {ε}
P
E =⇒ ◦ Ei ∈supp(µ) µ(Ei )µi
a
a
E =⇒ µ
∀Ei ∈ supp(µ). Ei =⇒ µi
a ∈ A ∪ {ε}
a P
E =⇒ ◦ Ei ∈supp(µ) µ(Ei )µi
Fig.2. Weak transitions.
a
a
b
1) Q −→ µ implies Q′ =⇒ µ′ and µ L(R, c) µ′ ;
a
b
a
2) Q′ −→ µ′ implies Q =⇒ µ and µ L(R, c) µ′ .
We write Q 4(ǫ,c) Q′ , if there exists an ǫ-weak amortised bisimulation R such that (Q, Q′ , c) ∈ R.
Note that although invisible actions are abstracted
away in weak bisimulation, the contribution of the
probabilities of each internal action is still taken into
account when constituting a weak transition, as can
be seen from rules Weak 4 and Weak 5 in Fig.2. The
performance of every invisible action (if it is not an
empty move) will alter the probability distribution of
the resulting weak transition, thus affecting the variation budget during mutual simulations.
Let
[
4ǫ = {R : R is an ǫ-weak amortised bisimulation}.
We can check by Definition 4 that 4ǫ is itself an ǫ-weak
amortised bisimulation, and is the largest one.
4.1
Basic Properties of 4
This subsection aims at showing the metrical properties of 4ǫ , namely, reflexivity, symmetry and triangle
inequality.
The following lemma says an interesting fact that
two processes that satisfy both (ǫ, c1 ) and (ǫ, c3 ) indexed weak amortised bisimulation satisfy (ǫ, c2 ) indexed weak amortised bisimulation for any c3 < c2 <
c1 .
Lemma 1. If Q 4(ǫ,c1 ) Q′ , Q 4(ǫ,c3 ) Q′ and there
exists c2 satisfying c3 < c2 < c1 , then Q 4(ǫ,c2 ) Q′ .
Proof. Let R ⊆ Proc × Proc × [−ǫ, ǫ] be:
{(Q, Q′ , c2 ) | ∃c1 , c3 , c3 < c2 < c1 ∧
(Q, Q′ , c1 ) ∈4ǫ ∧(Q, Q′ , c3 ) ∈ 4ǫ }.
a
Assume (Q, Q′ , c2 ) ∈ R, if Q =⇒ µ, by (Q, Q′ , c1 ) ∈4ǫ ,
a
there exists Q′ =⇒ µ′ and µ L(4ǫ , c) µ′ . Namely, there
are two weight functions ω1 and ω1′ s.t.
P
µ(E), E ω1′ (E, F ) = µ′ (F ) and
(E, F, c1 + ln
P
F
ω1 (E, F ) =
ω1 (E, F )
) ∈ 4ǫ .
ω1′ (E, F )
Analogously, by (Q, Q′ , c3 ) ∈ 4ǫ , there are another two
P
weight functions ω3 and ω3′ s.t.
F ω3 (E, F ) = µ(E),
P
′
′
ω
(E,
F
)
=
µ
(F
)
and
E 3
(E, F, c3 + ln
ω3 (E, F )
) ∈ 4ǫ .
ω3′ (E, F )
We define weight functions ω2 and ω2′ s.t. ω2 (E, F ) =
1
1
1 ′
′
2 ω1 (E, F ) + 2 ω3 (E, F ) and ω2 (E, F ) = 2 ω1 (E, F ) +
1 ′
2 ω3 (E, F ). By the definition of R, it holds
(E, F, c2 + ln
ω2 (E, F )
) ∈ R.
ω2′ (E, F )
Hence, R is an ǫ-weak amortised bisimulation, namely,
Q 4(ǫ,c2 ) Q′ as required.
In order to prove the triangle inequality in the setting of weak transitions, we need to ensure that weak
transitions are transitive, as shown in the next lemma.
a
Lemma 2. If Q 4(ǫ,c) Q′ , then Q =⇒ µ implies
b
a
there exists µ′ : Q′ =⇒ µ′ and µ L(4ǫ , c) µ′ .
Proof. The proof proceeds by induction on the
a
length of the strong transitions which =⇒ is composed
of.
a
• The basis is that when the length equals 1, Q =⇒
µ degenerates to a strong transition and the result is
trivial.
• For the inductive step: consider the case where
a
the length equals N and the first move is −→, i.e.,
a
a
τ
=⇒=−→=⇒. Note that the other case is when the
τ
first move is −→, the essence of its proof is analogous
and omitted for simplicity.
τ
a
Assuming Q −→ ν and ∀Ei ∈ supp(ν), Ei =⇒ µi
whose length of strong transitions is less than N , we
P
have µ = ◦ Ei ∈supp(ν) ν(Ei )µi . There exists a weak
308
J. Comput. Sci. & Technol., Mar. 2016, Vol.31, No.2
b
a
transition Q′ =⇒ ν ′ and νL(4ǫ , c)ν ′ . Namely, there
are two weights functions ω, ω ′ such that for each
P
Ei ∈ supp(ν),
Fj ω(Ei , Fj ) = ν(Ei ); for each Fj ∈
P
′
′
supp(ν ), Ei ω (Ei , Fj ) = ν ′ (Fj ); and ω(Ei , Fj ) = 0
iff ω ′ (Ei , Fj ) = 0; if ω(Ei , Fj ) > 0, then
(Ei , Fj , c + ln
ω(Ei , Fj )
) ∈ 4ǫ .
ω ′ (Ei , Fj )
τ
By Ei =⇒ µi and inductive hypothesis, there exτ
ists a weak transition Fj =⇒ µ′j such that µi L(4ǫ ,
ω(E ,F )
c + ln ω′ (Eii ,Fjj ) ) µ′j . Namely, there exist weight funcP
′
′
tions γij , γij
s.t. ∀G, G′ ,
G′ γij (G, G ) = µi (G),
P ′
′
′
′
′
G γij (G, G ) = µj (G ); and γij (G, G ) = 0 iff
′
γij
(G, G′ ) = 0; if γij (G, G′ ) > 0, then
G, G′ , c + ln
ω(Ei , Fj )
γij (G, G′ ) +
ln
∈ 4ǫ ,
′ (G, G′ )
ω ′ (Ei , Fj )
γij
which equals
G, G′ , c + ln
ω(Ei , Fj )γij (G, G′ ) ∈ 4ǫ .
′ (G, G′ )
ω ′ (Ei , Fj )γij
Thus π, π ′ are the two required weight functions and
µ L(4ǫ , c) µ′ holds.
After proving that weak transitions are transitive,
we now can show the following basic properties of 4.
Proposition 5. The following holds:
1) Q 4(0,0) Q;
2) Q 4(ǫ,c) Q′ iff Q′ 4(ǫ,−c) Q;
3) If Q1 4(ǫ1 ,c1 ) Q2 4(ǫ2 ,c2 ) Q3 , then
Q1 4(ǫ1 +ǫ2 ,c1 +c2 ) Q3 .
Proof. The proofs of cases 1 and 2 are similar to the
proofs of the first two cases of Proposition 1 and Proposition 2, respectively, and the proof of case 3 needs the
help of Lemma 2.
The following proposition shows that the first τ transition can be ignored for weak bisimulation.
Proposition 6. τ.∆(E) 4(0,0) E.
Proof. The essence of the proof is the observation
that
R = {(τ.∆(E), E, 0)} ∪ Id Proc
(1)
P
Let µ = ◦ Fj ∈supp(ν ′ ) ν ′ (Fj )µ′j . We shall construct desirable weight functions π and π ′ for µ and µ′ out of ω,
′
ω ′ , γij and γij
in such a way that µ L(4ǫ , c) µ′ . Let
P
π(G, G′ ) = Ei ,Fj ω(Ei , Fj )γij (G, G′ ),
P
′
π ′ (G, G′ ) = Ei ,Fj ω ′ (Ei , Fj )γij
(G, G′ ).
is a 0-weak amortised bisimulation.
′
Then we have
P
′
PG′ π(G, G )
= G′ ,Ei ,Fj ω(Ei , Fj )γij (G, G′ )
P
P
= Ei ,Fj ω(Ei , Fj ) G′ γij (G, G′ )
P
= Ei ,Fj ω(Ei , Fj )µi (G)
P
= Ei µi (G)ν(Ei )
= µ(G).
(Definition of π)
(Commutativity)
(Definition of γij )
(Definition of ω)
(Definition of µ)
P ′
′
Analogously, we can check that
G π (G, G ) =
µ′ (G); π(G, G′ ) = 0 iff π ′ (G, G′ ) = 0; and if π(G, G′ ) >
0, by (1), Lemma 1 and
min ln
Ei ,Fj
ω(Ei , Fj )γij (G, G′ )
′ (G, G′ )
ω ′ (Ei , Fj )γij
π(G, G′ )
π ′ (G, G′ )
ω(Ei , Fj )γij (G, G′ )
6 max ln ′
′ (G, G′ ) ,
Ei ,Fj
ω (Ei , Fj )γij
6 ln
it follows:
G, G′ , c + ln
π(G, G′ ) ∈ 4ǫ .
π ′ (G, G′ )
4.2
Amortised Observational Congruence
It is well known that weak bisimulation is not preserved by the external choice operator +[1] . A typical
example is
τ.∆(b.∆(0)) 4(0,0) b.∆(0),
while
a.∆(0) + τ.∆(b.∆(0)) $(0,0) a.∆(0) + b.∆(0).
Hence, as usual, we define observational congruence
on top of weak bisimulation 4ǫ as follows.
Definition 5 (Amortised Observational Congruence). Given ǫ > 0 and |c| 6 ǫ. Q and Q′ are
(ǫ, c)-amortised observationally congruent, written as
Q (ǫ,c) Q′ , if for all a ∈ A,
a
a
1) Q −→ µ implies Q′ =⇒ µ′ and µ L(4ǫ , c) µ′ ;
a
a
2) Q′ −→ µ′ implies Q =⇒ µ and µ L(4ǫ , c) µ′ .
Definition 5 differs from Definition 4 only in one asa
b
a
pect: Q′ =⇒ µ′ , instead of Q′ =⇒ µ′ , is required to
a
match Q −→ µ. This implies that a τ -transition from
a process must be matched by at least one τ -transition
from the other. Note also that this is required only for
the initial transitions. For the initial transitions’ corresponding derivative distributions µ and µ′ , they are
required to satisfy the lifting operation just w.r.t 4,
rather than .
309
Li-Li Xu et al.: Complete Proof Systems for Amortised Probabilistic Bisimulations
The following two propositions establish the relations between 4 and . Proposition 8 will play an
important role when proving the completeness of the
proof system for in Section 6.
Proposition 7. Q (ǫ,c) Q′ implies Q 4(ǫ,c) Q′ .
Proof. Straightforward by their definitions (Definitions 4 and 5).
Proposition 8. Q 4(ǫ,c) Q′ iff Q (ǫ,c) Q′ or
Q (ǫ,c) τ.∆(Q′ ) or τ.∆(Q) (ǫ,c) Q′ .
Proof. (⇐=) By Proposition 7, we have Q 4(ǫ,c) Q′
or Q 4(ǫ,c) τ.∆(Q′ ) or τ.∆(Q) 4(ǫ,c) Q′ . Together with
the case 2 and case 3 of Proposition 5 and the whole
Proposition 6, we obtain Q 4(ǫ,c) Q′ .
(=⇒) Assuming Q 4(ǫ,c) Q′ , we need to consider
τ
three cases. First, suppose that Q −→ µ for some µ, Q′
′ ε
matches it with a null label Q =⇒ δ(Q′ ) and µL(4ǫ ,
c) δ(Q′ ), then it is easy to see that Q (ǫ,c) τ.∆(Q′ ).
τ
Second, suppose that Q′ −→ µ′ for some µ′ , Q matches
ε
it with a null label Q =⇒ δ(Q) and δ(Q) L(4ǫ , c) µ′ ,
then similarly, we show that τ.∆(Q) 4(ǫ,c) Q′ . Third,
neither of these conditions holds, namely, if Q performs
a τ -transition, then Q′ also has a non-zero τ -transition
to match it, and vise versa. Since and 4 naturally
coincide on performing visible transitions, we show that
Q (ǫ,c) Q′ as required.
Similar to the strong case, we have Proposition 9.
Proposition 9. The following holds:
1) Q (0,0) Q;
2) Q (ǫ,c) Q′ iff Q′ (ǫ,−c) Q;
3) If Q1
(ǫ1 ,c1 )
Q2
(ǫ2 ,c2 )
Q3 then
(ǫ1 +ǫ2 ,c1 +c2 )
Q1 Q3 ;
4) (ǫ1 ,c1 ) ⊆(ǫ2 ,c2 ) where ǫ1 6 ǫ2 and |c2 − c1 | 6
ǫ2 − ǫ1 .
Proof. The proofs of the first three cases proceed
analogously as in the proof of Proposition 5. Case 4’s
proof is similar to the proof of Proposition 1.
(ǫ,c)
Proposition 10 (Substitutivity). Let E E′
(ǫ,c)
′
and P P . Then
1) E + F (ǫ,c) E ′ + F ;
L
L
(ǫ,c)
2)
i∈1..n−1 pi Ei ⊕ pn E i∈1..n−1 pi Ei ⊕
′
pn E ;
3) a.P (ǫ,c) a.P ′ .
Proof. The proofs for clause 1 and clause 3 are
straightforward. We detail below the proof of clause
2.
By assumption, there exists an ǫ-amortised observational congruence R s.t. (E, E ′ , c) ∈ R. Let
M
M
R′ = {(
pi Ei ⊕ pn E,
pi Ei ⊕ pn E ′ , c)}
i∈1..n−1
∪ R ∪ Id Proc .
i∈1..n−1
L
a
Let i∈1..n−1 pi Ei ⊕ pn E =⇒ µ, we have to show that
L
there exists also a weak transition
i∈1..n−1 pi Ei ⊕
a
pn E ′ =⇒ µ′ such that µ L(4ǫ , c) µ′ .
P
Assume that µ = ◦ i∈1..n−1 pi µi ⊕ pn ν where for
a
a
i ∈ 1..n − 1, Ei =⇒ µi and E =⇒ ν. Since
a
(E, E ′ , c) ∈ R, there exists E ′ =⇒ ν ′ such that
ν L(4ǫ , c) ν ′ . Namely, there exist two weight functions ω, ω ′ : NProc × NProc → [0, 1] such that: for
P
′
each G ∈ NProc,
G′ ω(G, G ) = ν(G); for each
P
′
′
′
′
G ∈ NProc, G ω (G, G ) = ν (G′ ); and ω(G, G′ ) = 0
iff ω ′ (G, G′ ) = 0; if ω(G, G′ ) > 0 then
(G, G′ , c + ln
ω(G, G′ )
) ∈ 4ǫ .
ω ′ (G, G′ )
P
Let µ′ = ◦ i∈1..n−1 pi µi ⊕ pn ν ′ . We shall construct
two desirable weight functions π, π ′ for µ and µ′ out of
ω, ω ′ .
We rename the states in the support set of ν and ν ′ ,
such that for any i ∈ 1..n − 1, supp(µi ) ∩ supp(ν) = ∅
and also supp(µi ) ∩ supp(ν ′ ) = ∅.
Let π, π ′ :
if G ∈ supp(ν) and G′ ∈ supp(ν ′ ) :
π(G, G′ ) = pn ω(G, G′ ),
π ′ (G, G′ ) = pn ω ′ (G, G′ ),
′
if G = G′ ∈
/ supp(ν) ∪ supp(νP
):
′
′
′
π(G, G ) = π (G, G ) = i∈1..n−1 pi µi (G),
otherwise:
π(G, G′ ) = π ′ (G, G′ ) = 0.
We can check by definition that π, π ′ satisfy the lifting
condition, and µ L(4ǫ , c) µ′ holds as required.
5
Proof System A1
This section is devoted to presenting a proof system A1 for strong amortised probabilistic bisimulation
≺ and proving its soundness and completeness. Soundness ensures the correctness of the proof system. Completeness asserts that all amortised bisimulations can
be syntactically derived from the proof system.
The statements of the proof system are of the form
(ǫ, c) ⊲ Q ≺ Q′ . The proof system consists of axioms
and inference rules, shown in Fig.3 and Fig.4, in the
spirit of [18].
Axioms A 1∼A 4 are reminiscent of the monoid laws
for bisimulation. Axiom A 5 will be used to transform
probabilistic processes terms into normal forms. The
two axioms A 6 and A 7 allow us to permute and merge
branches of a probabilistic choice.
310
J. Comput. Sci. & Technol., Mar. 2016, Vol.31, No.2
A1
E+0=E
A2
E+E =E
A3
E+F =F +E
A4
(E + F ) + G = E + (F + G)
A5
τ.P = P
A6
p 1 E1 ⊕ · · · ⊕ p i Ei ⊕ p j Ej ⊕ · · · ⊕ p n En
=
A7
p 1 E1 ⊕ · · · ⊕ p j Ej ⊕ p i Ei ⊕ · · · ⊕ p n En
L
L
i∈I pi Ei ⊕ pE ⊕ qE =
i∈I pi Ei ⊕ (p + q)E
Fig.3. Proof system A1 : axioms.
The usual rules for equality (substitutivity, reflexivity, symmetry and transitivity) hold only for (0, 0)indexed pairs of processes, and cannot straightforwardly apply when reasoning on non-zero indexed inequalities. Hence we need Subs, Refl, Symm and a more
general rule Triangle (short for triangle inequality) to
regulate indexing inequalities when rewriting processes.
The Weakening rule does not deal with any specific
operator in the language. It is a kind of structural rule
used to glue proofs together. Rules Sum, Prefix and
Prob manipulate nondeterministic choice, prefixing and
probabilistic choice, respectively. The side condition of
Prob requires that probabilistic combinations be permitted only when for every ci indexing a related pair
Ei ≺ Fi and the corresponding probability weights pi
and qi , the updated index ci − ln pi + ln qi agrees on
the same value c. The side condition ensures that the
resulting pair of probabilistic distributions satisfies the
conditions of the lifting operation (Definition 1).
Theorem 2 (Soundness of A1 ). If A1 ⊢ (ǫ, c) ⊲
Q ≺ Q′ , then Q ≺(ǫ,c) Q′ .
Proof. The proof proceeds by induction on the
length of the derivation for (ǫ, c) ⊲ Q ≺ Q′ , with a case
analysis on the last applied axiom or inference rule.
When the length equals 1, for axioms (A′ 1∼A′ 7),
let R = {(Q, Q′ , 0)} ∪ Id Proc . It is easy to check that R
is a 0-amortised bisimulation. Refl is trivial from the
first item of Proposition 1.
For the inductive step, the soundness of the rules
Subs, Symm, Triangle and Weakening is supported by
Proposition 3, the second case of Proposition 1, Proposition 2, and the fourth case of Proposition 1, respectively.
• Sum. By the induction hypothesis, there exist
ǫ-amortised bisimulations R1 and R2 s.t. (E1 , F1 , c) ∈
R1 and (E2 , F2 , c) ∈ R2 . Let
R = {(E1 + E2 , F1 + F2 , c)} ∪ R1 ∪ R2 .
• P ref ix. By the induction hypothesis, there exists
an ǫ-amortised bisimulation R′ s.t. (P1 , P2 , c) ∈ R′ .
Let
R = {(a.P1 , a.P2 , c)} ∪ R′ .
• P rob. By the induction hypothesis, there exists an ǫ-amortised bisimulation Ri and |ci | 6 ǫ s.t.
A′ 1∼A′ 7
(0, 0) ⊲ Q ≺ Q′ , where Q = Q′ is an instance of one of the axioms A 1∼A 7.
Subs
If (0, 0) ⊲ Q ≺ Q′ , then Q and Q′ are substitutive under all PPA operators.
Refl
(0, 0) ⊲ Q ≺ Q
Triangle
Weakening
Sum
Prefix
Prob
Symm
(ǫ1 , c1 ) ⊲ Q1 ≺ Q2
(0, 0) ⊲ Q ≺ Q′
(0, 0) ⊲ Q′ ≺ Q
(ǫ2 , c2 ) ⊲ Q2 ≺ Q3
(ǫ1 + ǫ2 , c1 + c2 ) ⊲ Q1 ≺ Q3
(ǫ1 , c1 ) ⊲ Q ≺ Q′
(ǫ2 , c2 ) ⊲ Q ≺ Q′
ǫ1 6 ǫ2 and |c2 − c1 | 6 ǫ2 − ǫ1
(ǫ, c) ⊲ E1 ≺ F1
(ǫ, c) ⊲ E2 ≺ F2
(ǫ, c) ⊲ E1 + E2 ≺ F1 + F2
(ǫ, c) ⊲ P1 ≺ P2
(ǫ, c) ⊲ a.P1 ≺ a.P2
∀i ∈ I, (ǫ, ci ) ⊲ Ei ≺ Fi
∀i ∈ I, ci − ln pi + ln qi = c, |c| 6 ǫ
L
L
i∈I pi Ei ≺
i∈I qi Fi
(ǫ, c) ⊲
Fig.4. Proof system A1 : inference rules.
Li-Li Xu et al.: Complete Proof Systems for Amortised Probabilistic Bisimulations
(Ei , Fi , ci ) ∈ Ri . Let
M
M
[
R = {(
pi Ei ,
qi Fi , c)} ∪
Ri .
i∈I
i∈I
i∈I
For any i, j ∈ I, let ω(Ei , Fj ) = pi if i = j, otherwise
0; let ω ′ (Ei , Fj ) = qi if i = j, otherwise 0. By the
definition of lifting operation, ω and ω ′ can be shown
to be two desirable weight functions between the two
probabilistic processes.
It is routine to check that R’s defined above are all
ǫ-amortised bisimulations.
The proof of the completeness result is similar to
the corresponding proof for CCS[1] : processes are transformed to equivalent normal forms. Equivalence here
means two processes are (0, 0)-indexed. Then processes
are compared almost syntactically piece by piece, and
finally duplicate terms are merged. We first give the
notion of normal form that will be needed in the proof.
Definition 6. A process Q is in normal form (NF)
if
• either Q ≡ 0;
P
L
i i
i
• or Q ≡
i∈I ai .
j∈Ji pj Ej , where each Ej is
also in normal form.
b
Lemma 3. For any Q, there is a normal form Q
such that
b
A1 ⊢ (0, 0) ⊲ Q ≺ Q.
b to denote one normal form of Q.
We will use Q
Proof. The proof proceeds by induction on the
depth d(Q) of Q.
If d(Q) = 0, then Q ≡ 0.
For the inductive step, two cases need to be considered.
P
L
• If Q ∈ NProc, assume Q ≡ i∈I ai . j∈Ji pij Eji ,
by the induction hypothesis, every Eji has a normal
form. Using the proof system, the term 0 may be eliminated, and this results in a normal form.
L
• Otherwise, Q ∈ PProc, assume Q ≡ j∈J pj Ej ,
by the induction hypothesis, every Ei has a normal form
ci . We apply Axiom A′ 5 and rule Symm and obtain
E
L
ci such that
a normal form τ.Q′ where Q′ ≡ j∈J pj E
A1 ⊢ (0, 0) ⊲ Q ≺ τ.Q′ .
The following lemma says that normal forms inherit
indices from their original processes, and vise versa.
b ≺(ǫ,c) Q
c′ .
Lemma 4. Q ≺(ǫ,c) Q′ if f Q
Proof. By Lemma 3 and the soundness of the proof
b and Q′ ≺(0,0) Q
c′ . By use
system, we have Q ≺(0,0) Q
of the second case of Proposition 1, and Proposition 2,
b ≺(ǫ,c) Q
c′ .
Q ≺(ǫ,c) Q′ iff Q
311
Theorem 3 (Completeness of A1 ). If Q ≺(ǫ,c) Q′
then A1 ⊢ (ǫ, c) ⊲ Q ≺ Q′ .
Proof. By Lemma 3 and Lemma 4, we may assume Q and Q′ are already in normal form. Let Q ≡
P
L
P
L
i i
′
′
i i
i∈I1 ai .
j∈Ji pj Ej and Q ≡
i∈I2 ai .
j∈Ji qj Fj .
Assume that there exists an ǫ-amortised bisimulation R and |c| 6 ǫ such that (Q, Q′ , c) ∈ R. The proof
proceeds by induction on the maximum depth of Q and
Q′ .
• If the maximum depth is 0, then Q and Q′ are
both 0. By Refl and Weakening, it is easy to see that
A1 ⊢ (ǫ, c) ⊲ 0 ≺ 0.
• Otherwise, the maximum depth is greater than
L
0, let a. i∈1..n pi Ei be a summand of Q. Then
P
a
Q −→ µ where µ = ◦ i∈1..n pi Ei . Since (Q, Q′ , c) ∈ R,
P
a
there is some µ′ = ◦ j∈1..m qj Fj such that Q′ −→ µ′
and µ L(R, c) µ′ . Namely, there exist two weight
P
functions ω and ω ′ s.t.
j∈1..m ω(Ei , Fj ) = pi ,
P
′
ω
(E
,
F
)
=
q
;
for
any
i, j, ω(Ei , Fj ) = 0
i
j
j
i∈1..n
′
iff ω (Ei , Fj ) = 0; if ω(Ei , Fj ) > 0, then (Ei , Fj , c +
ω(E ,F )
ln ω′ (Eii ,Fjj ) ) ∈ R.
Then we have:
ω(E ,F )
A1 ⊢ (ǫ, c + ln ω′ (Eii ,Fjj ) ) ⊲ Ei ≺ Fj ,
L
L
(ǫ, c) ⊲ i,j ω(Ei , Fj )Ei ≺ i,j ω ′ (Ei , Fj )Fj ,
L
L
(ǫ, c) ⊲ i∈1..n pi Ei ≺ j∈1..m qj Fj ,
L
L
(ǫ, c) ⊲ a. i∈1..n pi Ei ≺ a. j∈1..m qj Fj .
The above steps are obtained by the IH, Prob, definitions of ω and ω ′ , A′ 6, A′ 7 and lastly Prefix respectively.
Similarly, every summand a′ .P ′ of Q′ can be proved
related to a summand a′ .P of Q with respect to (ǫ, c).
Namely,
A1 ⊢ (ǫ, c) ⊲ a′ .P ≺ a′ .P ′ .
By applying Sum to combine all these related pairs
of summands, using A′ 1∼A′ 4, Symm and Triangle
to reorder and regroup summands as necessary, and
eliminating duplicate summands, finally it follows that
A1 ⊢ (ǫ, c) ⊲ Q ≺ Q′ .
6
Proof System A2
In this section, we extend A1 to obtain a proof
system for amortised observational congruence . We
show that it suffices to add to A1 the probabilistic versions of the τ -laws T1 , T2 and T3 presented in Fig.5.
T2 and T3 can be considered as the reminiscent of A 6
and A 7 in the τ -laws for non-alternating models in [9],
with the only difference that here they are decorated
with indexed inequalities, rather than equalities.
312
J. Comput. Sci. & Technol., Mar. 2016, Vol.31, No.2
T1
(0, 0) ⊲ a.
T2
(0, 0) ⊲ τ.
T3
(0, 0) ⊲ a.
a.
L
i∈I
L
i∈I
L
i∈I
L
L
pi Ei ⊕ p τ.∆(F ) ≺ a.
i∈I pi Ei ⊕ p F
pi (Ei + a.Pi ) + a.
i∈I
pi (Ei + τ.Pi ) ⊕
pi (Ei + τ.Pi ) ⊕
L
j∈J
L
i∈I
L
j∈J
pi Pi ≺ τ.
L
i∈I
pi (Ei + a.Pi )
L
pj Ej + a. i∈I∪J pi Pi ≺
pj Ej , where for j ∈ J, Pj = ∆(Ej )
Fig.5. τ -laws.
L
Note that a new combinator
i∈I pi Pi is used in
Fig.5. It is the convex combination of probabilistic
processes[9]. Its semantics is given in Fig.6. Observe
that this combinator is not really new in the sense that
L
it is, in fact, equivalent to i∈I pi τ.Pi in the weak semantics.
It is routine to check that the two R′ s defined above
are all ǫ-amortised observational congruence.
3) By assumption, for each ci , there exists
an ǫ-amortised observational congruence Ri s.t.
(Ei , Fi , ci ) ∈ Ri . Let
M
M
[
R = {(
pi Ei ,
qi Fi , c)} ∪
Ri .
i∈I
Convex
∀i ∈ I. Pi →
7 µi
L
P
i∈I pi Pi 7→ ◦ i∈I pi µi
Fig.6. Operational semantics of the convex combinator.
Let A2 = A1 ∪ {T1 , T2 , T3 }. The main body of
this section is devoted to proving that A2 is sound and
complete w.r.t. .
We first show that rules Sum, Prefix and Prob are
sound w.r.t. .
Proposition 11. The following holds:
1) Let i ∈ {1, 2}, Ei (ǫ,c) Fi , then E1 + E2 (ǫ,c)
F1 + F2 ;
2) If P1 (ǫ,c) P2 , then a.P1 (ǫ,c) a.P2 ;
L
3) Given ∀i ∈ I, Ei (ǫ,ci ) Fi , and
i∈I pi Ei and
L
q
F
satisfy
that
for
all
i,
c
−
ln
p
+
ln
qi = c and
i
i
i
i
i∈I
L
L
|c| 6 ǫ, then i∈I pi Ei (ǫ,c) i∈I qi Fi .
Proof. We sketch the proofs for clause 1 and clause
2, but detail the proof of clause 3.
1) By assumption, there exist ǫ-amortised observational congruences R1 and R2 s.t. (E1 , F1 , c) ∈ R1 and
(E2 , F2 , c) ∈ R2 . Let
R = {(E1 + E2 , F1 + F2 , c)} ∪ R1 ∪ R2 .
2) By assumption, there exists an ǫ-amortised observational congruence R′ s.t. (P1 , P2 , c) ∈ R′ . Let
′
R = {(a.P1 , a.P2 , c)} ∪ R .
L
i∈I
i∈I
a
If
i∈I pi Ei =⇒ µ, we have to show that there exL
a
ists also a weak transition i∈I qi Fi =⇒ µ′ such that
ǫ
′
µ L(4 , c) µ .
P
Assume that µ = ◦ i∈I pi µi where for each i,
a
Ei =⇒ µi . Since (Ei , Fi , ci ) ∈ Ri , there exists
a
Fi =⇒ µ′i such that µi L(4ǫ , ci ) µ′i . Namely, there exP
ist weight functions γi , γi′ s.t. ∀G, G′ , G′ γi (G, G′ ) =
P ′
µi (G), G γi (G, G′ ) = µ′i (G′ )(G, G′ , ci + ln γi (G, G′ ) −
ln γi′ (G, G′ )) ∈ 4ǫ . By assumption that ci − ln pi +
ln qi = c, replacing ci with c + ln pi − ln qi in the above
equation allows us to deduce
( G, G′ , c + ln
pi γi (G, G′ )
) ∈ 4ǫ .
qi γi′ (G, G′ )
(2)
P
Let µ′ = ◦ i∈I qi µ′i . We shall construct desirable
weight functions π and π ′ for µ and µ′ out of pi , qi ,
γi and γi′ . Let
P
π(G, G′ ) = i∈I pi γi (G, G′ ),
P
π ′ (G, G′ ) = i∈I qi γi′ (G, G′ ).
Then we have
P
′
PG′ π(G, G
P)
= Pi∈I pi × G′ γi (G, G′ ) (Commutativity)
= i∈I pi × µi (G)
(Definition of γi )
= µ(G).
(Definition of µ)
P ′
Analogously, we can show G π (G, G′ ) = µ′ (G′ ). Furthermore,
min ln
i∈I
pi γi (G, G′ )
π(G, G′ )
6 ln ′
′
′
qi γi (G, G )
π (G, G′ )
313
Li-Li Xu et al.: Complete Proof Systems for Amortised Probabilistic Bisimulations
6 max ln
i∈I
pi γi (G, G′ )
.
qi γi′ (G, G′ )
By Lemma 1 and (2), it follows:
G, G′ , c + ln π(G, G′ ) − ln π ′ (G, G′ )
∈ 4ǫ .
Hence, µ L(4ǫ , c) µ′ which completes the proof.
Theorem 4 (Soundness of A2 ). If A2 ⊢ (ǫ, c) ⊲
Q ≺ Q′ then Q (ǫ,c) Q′ .
Proof. The proof proceeds by induction on the
length of the derivation for (ǫ, c) ⊲ Q ≺ Q′ , with a
case analysis on the last applied axiom or inference rule.
Here we show the soundness of axioms T1 , T2 and T3 .
The remaining reasonings follow straightforwardly from
Propositions 9∼11.
• T1 . By Proposition 6, we have τ.∆(F ) 4(0,0) F ,
namely, (τ.∆(F ), F, 0) ∈40 . By directly checking the
definition of amortised observational congruence (Definition 5),
M
a
a.
pi Ei ⊕ p τ.∆(F ) =⇒ µ implies
i∈I
a.
M
a
pi Ei ⊕ p F =⇒ µ′ ,
i∈I
0
i∈I
j∈J
We have the following derivations:
Pi 7→ µi
∀i ∈ I
i∈I
• T2 . Compared with the right-hand side (RHS)
of the inequality, the left-hand side (LHS) is enriched
L
with just one additional summand a. i∈I pi Pi . Thus
we only need to show that if the LHS proceeds any weak
L
transitions in a. i∈I pi Pi , the RHS has corresponding
transitions to match with them w.r.t. (0,0) .
L
a
Assume that a. i∈I pi Pi =⇒ µ, in which µ =
P
◦ i∈I pi µi where Pi 7→ µi . We aim to find also a
L
weak transition from the RHS such that τ. i∈I pi (Ei +
a
a.Pi ) =⇒ µ. Then it allows us to obtain easily that
µ L(40 , 0) µ holds.
We have the following derivations as shown in Fig.7,
where the top inference is obtained from p-idle and
Weak 2, the middle inference is from Weak 1, prefix and
rchoice, and the bottom one is from Weak 5. Hence we
L
a
obtain τ. i∈I pi (Ei + a.Pi ) =⇒ µ as required.
• T3 . Similar to the above case, we only need to
show that, for any weak transition performed by the
LHS of the inequality, the RHS has a matching transition.
Pi ⇒ µi
.
Ei + τ.Pi ⇒ µi
They are obtained in the same way as the top two inferences in case T2 .
For j ∈ J, by Weak 3, Ej =⇒ δ(Ej ), by Pj =
∆(Ej ) 7→ µj , we have Ej =⇒ µj .
Trivially,
M
M
a.
pi (Ei + τ.Pi ) ⊕
pj Ej
a
=⇒
M
i∈I
j∈J
pi (Ei + τ.Pi ) ⊕
i∈I
M
pj Ej .
j∈J
By Weak 4, it holds:
M
M
a P
a.
pi (Ei + τ.Pi ) ⊕
pj Ej =⇒ ◦ i∈I∪J pi µi .
i∈I
′
and, trivially, µ L(4 , 0) µ holds, we obtain the required
M
M
a.
pi Ei ⊕ p τ.∆(F ) (0,0) a.
pi Ei ⊕ p F .
i∈I
L
a
Assume that a. i∈I∪J pi Pi =⇒ µ, in which µ =
P
◦ i∈I∪J pi µi where Pi 7→ µi . We aim to find also a
weak transition from the RHS such that
M
M
a
a.
pi (Ei + τ.Pi ) ⊕
pj Ej =⇒ µ.
j∈J
Hence, we obtain
M
M
a
a.
pi (Ei + τ.Pi ) ⊕
pj Ej =⇒ µ
i∈I
j∈J
as required.
Now we turn to the proof of the completeness result.
As usual we need to use a stronger version of a normal
form.
Definition 7. A process Q is in full normal form
(FNF) if
• either Q ≡ 0;
P
L
i i
i
• or Q ≡
i∈I ai .
j∈Ji pj Ej , where each Ej is
also in full normal form;
a
a
• If Q =⇒ µ, then Q −→ µ.
a
Lemma 5 (Saturation). If Q =⇒ µ, then A2 ⊢
(0, 0) ⊲ Q ≺ Q + a.P where P 7→ µ.
Proof. We prove by induction on the depth d(Q) of
Q.
The case when d(Q) = 0 is trivial.
For the inductive step, three cases need to be considered. Let P 7→ µ.
Case 1. If a.P is a summand of Q, then the conclusion holds by A′ 2, Symm and Triangle.
Case 2. If a.P ′ is a summand of Q, assume that
L
L
′
P ≡
i∈I pi Ei ⊕
j∈J pj Ej where for each i ∈ I,
τ
Ei =⇒ µi , and for each j ∈ J, Ej stays unchanged,
314
J. Comput. Sci. & Technol., Mar. 2016, Vol.31, No.2
P
namely Ej ⇒ µj where µj = δ(Ej ). Let ◦ i∈I∪J pi µi =
µ. By the induction hypothesis, for i ∈ I, A2 ⊢ (0, 0) ⊲
Ei ≺ Ei + τ.Pi where Pi 7→ µi . For j ∈ J, let Pj 7→ µj ,
and thus
A2 ⊢ (0, 0) ⊲ Q
≺ Q + a.P ′
(by A′ 2, Symm and Triangle)
L
L
≺ Q + a.
i∈I pi Ei ⊕
j∈J pj Ej
L
L
≺ Q + a.
i∈I pi (Ei + τ.Pi ) ⊕
j∈J pj Ej
L
(by IH and Subs)
L
i∈I pi (Ei + τ.Pi ) ⊕
j∈J pj Ej +
≺ Q + a.
L
a. i∈I∪J pi Pi
(by T3 , Symm, Triangle)
L
≺ Q + a. i∈I∪J pi Pi (by reversing previous steps)
≺ Q + a.P.
(by P 7→ µ, ∀i ∈ I ∪ J. Pi 7→ µi
P
and ◦ i∈I∪J pi µi = µ)
Case 3. If τ.P ′ is a summand of Q, assume that
L
a
P ≡
i∈I pi Ei where for each i, Ei =⇒ µi and
P
◦ i∈I pi µi = µ. Then by induction A2 ⊢ (0, 0) ⊲ Ei ≺
Ei + a.Pi where Pi 7→ µi , thus
′
A2 ⊢ (0, 0) ⊲ Q
≺ Q + τ.P ′
(by A′ 2, Symm and Triangle)
L
≺ Q + τ. i∈I pi Ei
L
≺ Q + τ. i∈I pi (Ei + a.Pi )
(by IH and Subs)
L
L
≺ Q + τ. i∈I pi (Ei + a.Pi ) + a. i∈I pi Pi
≺ Q + a.
L
≺ Q + a.P.
i∈I
′
E 4(ǫ,c+ln ω(E,F )−ln ω (E,F )) F.
(by T2 , Symm and Triangle)
pi Pi
Analogous to the strong case, we need to show that
full normal forms and their original processes share the
same indices.
b (ǫ,c) Q
c′ , where Q
b
Lemma 7. Q (ǫ,c) Q′ iff Q
′
c′ are full normal forms of Q and Q respectively.
and Q
Now we are in a position to prove the completeness
of A2 .
Theorem 5 (Completeness of A2 ). If Q (ǫ,c) Q′
then A2 ⊢ (ǫ, c) ⊲ Q ≺ Q′ .
Proof. By Lemma 6 and Lemma 7, we may assume
that Q and Q′ are in full normal form. The proof proceeds by induction on the sum of the depths of Q and
Q′ .
If d(Q) = d(Q′ ) = 0, then Q ≡ 0 ≡ Q′ , and thus
the result is trivial.
Otherwise, assume that Q (ǫ,c) Q′ . Let a.P be a
summand of Q. We aim to prove that Q′ has a suma
mand provably equal to a.P . Now Q −→ µ where
P 7→ µ, and thus there is a P ′ such that P ′ 7→ µ′ ,
a
a
Q′ =⇒ µ′ and µ L(4ǫ , c) µ′ . Moreover Q′ −→ µ′ since
Q′ is a full normal form, therefore a.P ′ is a summand
of Q′ .
By µ L(4ǫ , c) µ′ , there exist weight functions ω
P
P
and ω ′ satisfying F ω(E, F ) = µ(E), E ω ′ (E, F ) =
µ′ (F ) and if ω(E, F ) > 0,
Here we cannot yet use the induction hypothesis. But
by Proposition 8, we know that either
(by reversing previous steps)
(by P 7→ µ, ∀i ∈ I. Pi 7→ µi
P
and ◦ i∈I pi µi = µ)
′
E (ǫ,c+ln ω(E,F )−ln ω (E,F )) F,
or
With the help of Lemma 5, we can further convert
a normal form to a full normal form.
Lemma 6. For any normal form Q, there is a full
normal form Q′ of equal depth, such that A2 ⊢ (0, 0) ⊲
Q ≺ Q′ .
Proof. The proof proceeds by induction on the
depth of Q, essentially following the same idea as
Lemma 17 in Chapter 7.4 of [1].
′
τ.∆(E) (ǫ,c+ln ω(E,F )−ln ω (E,F )) F,
(4)
or
E (ǫ,c+ln ω(E,F )−ln ω
′
(E,F ))
τ.∆(F ).
(5)
In the first case, (3), since E and F are full normal
form, and of lesser depth than Q and Q′ , by induction
A2 ⊢ (ǫ, c + ln ω(E, F ) − ln ω ′ (E, F )) ⊲ E ≺ F.
In the second case, (4), we must first convert τ.∆(E)
to full normal form before applying induction. From
Pi 7→ µi
∀i ∈ I,
(3)
L
P
Pi ⇒ µi
τ. i∈I pi (Ei + a.Pi ) ⇒ ◦ i∈I pi (Ei + a.Pi )
a
Ei + a.Pi =⇒ µi
L
a P
τ. i∈I pi (Ei + a.Pi ) =⇒ ◦ i∈I pi µi
Fig.7. Derivations in the soundness proof of case T2 .
Li-Li Xu et al.: Complete Proof Systems for Amortised Probabilistic Bisimulations
Lemma 6, there is a full normal form E ′ , of equal depth
to τ.∆(E), such that A2 ⊢ (0, 0) ⊲ τ.∆(E) ≺ E ′ ; but
the sum of depths of E ′ and F is one less than the sum
of depths of Q and Q′ , therefore by induction we infer
that
A2 ⊢ (ǫ, c + ln ω(E, F ) − ln ω ′ (E, F )) ⊲ E ′ ≺ F,
thus
315
family of pseudometrics[21] , which allows to deal with
a wider class of behavioral properties. It will be interesting to integrate the notion of amortised bisimulation
with Kantorovich metric and consider its axiomatization.
As for another direction of future work, we would
like to extend the process language investigated in this
paper with recursion and consider a semantics with infinite τ -loops, following the lines of [14-15].
A2 ⊢ (ǫ, c + ln ω(E, F ) − ln ω ′ (E, F )) ⊲ τ.∆(E) ≺ F.
In the third case, (5), similarly
A2 ⊢ (ǫ, c + ln ω(E, F ) − ln ω ′ (E, F )) ⊲ E ≺ τ.∆(F ).
Given a process E, we use E to denote either simply
E itself: E ≡ E or a τ -guarded E: E ≡ τ.∆(E). Applying first Prob to combine the sets {E | E ∈ supp(µ)}
and {F | F ∈ supp(µ′ )}, and then T1 to simplify all τ guarded processes, A′ 6 and A′ 7 to combine duplicate
probabilistic summands, we obtain that
A2 ⊢ (ǫ, c) ⊲ P ≺ P ′ .
Furthermore, by Prefix we get that
A2 ⊢ (ǫ, c) ⊲ a.P ≺ a.P ′ .
Thus, we have shown that from A2 , each summand
a.P of Q can be proved equal to a summand of Q′ . Similarly each summand a′ .P ′ of Q′ can be proved equal to
a summand of Q. Finally, using rules A′ 2, Symm and
Triangle to eliminate duplicate summands, we conclude
that A2 ⊢ (ǫ, c) ⊲ Q ≺ Q′ .
7
Conclusions and Future Work
A long-term goal of our research is to develop theories for measuring the degree of similarities between
probabilistic systems, which will allow us to reason
about probabilistic algorithms used in security and privacy related computing. With this in mind, we presented an improved version of the notion of amortised
bisimulation proposed in [6], formulated proof systems
for the amortised strong bisimulation and observational
congruence, and proved their soundness and completeness.
Among the studies on proposing robust notions for
probabilistically behavioral equivalence, a cornerstone
notion is the pseudometric based on the Kantorovich
metric proposed in [19] (which was axiomatized in [19]).
Recently this pseudometric has been generalized to a
Acknowledgements The authors would like to
thank the anonymous reviewers for their insightful and
helpful comments.
References
[1] Milner R. Communication and Concurrency. Upper Saddle
River, NJ, USA: Prentice Hall, 1989.
[2] Lin H. PAM: A process algebra manipulator. Formal Methods in System Design, 1995, 7(3): 243-259.
[3] Larsen K G, Skou A. Bisimulation through probabilistic
testing. Information and Computation, 1991, 94(1): 1-28.
[4] Kiehn A, Arun-Kumar S. Amortised bisimulations. In Proc.
the 25th FORTE, Oct. 2005, pp.320-334.
[5] de Frutos-Escrig D, Rosa-Velardo F, Gregorio-Rodrı́guez
C. New bisimulation semantics for distributed systems. In
Proc. the 27th FORTE, June 2007, pp.143-159.
[6] Xu L, Chatzikokolakis K, Lin H. Metrics for differential privacy in concurrent systems. In Proc. the 34th FORTE, June
2014, pp.199-215.
[7] Dwork C. Differential privacy. In Proc. the 33rd ICALP,
July 2006, pp.1-12.
[8] Chatzikokolakis K, Andrés M E, Bordenabe N E,
Palamidessi C. Broadening the scope of differential privacy
using metrics. In Proc. the 13th Int. Symp. Privacy Enhancing Technologies, July 2013, pp.82-102.
[9] Bandini E, Segala R. Axiomatizations for probabilistic
bisimulation. In Proc. the 28th ICALP, July 2001, pp.370381.
[10] Hennessy M. A calculus for costed computations. Logical
Methods in Computer Science, 2011, 7(1): 7:1-7:35.
[11] Deng Y, Hennessy M. Compositional reasoning for weighted
Markov decision processes. Science of Computer Programming, 2013, 78(12): 2537-2579.
[12] Desharnais J, Laviolette F, Tracol M. Approximate analysis of probabilistic processes: Logic, simulation and games.
In Proc. the 5th International Conference on Quantitative
Evaluation of Systems, Sept. 2008, pp.264-273.
[13] Tracol M, Desharnais J, Zhioua A. Computing distances
between probabilistic automata. In Proc. the 9th QAPL,
April 2011, pp.148-162.
316
[14] Deng Y, Palamidessi C, Pang J. Compositional reasoning
for probabilistic finite-state behaviors. In Lecture Notes in
Computer Science 3838, Middeldorp A, van Oostrom V,
van Raamsdonk F, de Vrijer (eds.), Spring-Verlag, 2005,
pp.309–337.
[15] Deng Y, Palamidessi C. Axiomatizations for probabilistic finite-state behaviors. In Proc. the 8th FoSSaCS, April
2005, pp.110–124.
[16] Segala R. Modeling and verification of randomized distributed real-time systems [Ph.D. Thesis]. Massachusetts
Institute of Technology, 1995.
[17] Segala R, Lynch N. Probabilistic simulations for probabilistic processes. Nordic Journal of Computing, 1995, 2(2):
250-273.
[18] Hennessy M, Lin H. Proof systems for message-passing process algebras. In Proc. the 4th CONCUR, August 1993,
pp.202-216.
[19] Desharnais J, Jagadeesan R, Gupta V, Panangaden P. The
metric analogue of weak bisimulation for probabilistic processes. In Proc. the 17th LICS, July 2002, pp.413-422.
[20] D’Argenio P R, Gebler D, Lee M D. Axiomatizing bisimulation equivalences and metrics from probabilistic SOS rules.
In Proc. the 17th FoSSaCS, April 2014, pp.289-303.
[21] Chatzikokolakis K, Gebler D, Palamidessi C, Xu L. Generalized bisimulation metrics. In Proc. the 25th CONCUR,
Sept. 2014, pp.32-46.
J. Comput. Sci. & Technol., Mar. 2016, Vol.31, No.2
Li-Li Xu received her B.S. degree
in computer science and technology
from Xiamen University, Xiamen, in
2008, and her Ph.D. degree in computer
software and theory from the University
of Chinese Academy of Sciences (CAS),
Beijing, in 2015. She was selected by
the 2011 Joint Doctoral Promotion
Program between the CAS, and the French National
Institute for Research in Computer Science and Control
(INRIA). She is now an assistant professor in the Institute
of Information Engineering, CAS, Beijing.
Hui-Min Lin received his Ph.D.
degree in computer science from the
Institute of Software, CAS, Beijing, in
1986. He is now a research professor in
the State Key Laboratory of Computer
Science, Institute of Software, CAS,
Beijing. His research interests include
concurrency theory, value-passing process algebras, mobile computing, model checking, modal
logics and formal methods.