Oversimplifying the message in the paper by Moshe and Sumit, in their opinion the plethora of process semantics is due to "semantic underspecification". To overcome this underspecification, they propose to develop process semantics based on the following principles.
- Principle of Contextual Equivalence: Two processes are equivalent if they behave the
same in all contexts, which are processes with “holes”. - Principle of Comprehensive Modeling: A process description should model all relevant
aspects of process behaviour. - Principle of Observable I/O: The observable behaviour of a tested process is precisely
its input/output behaviour.
As the authors state in the paper "In conclusion, this paper puts forward an, admittedly provocative, thesis, which is that process-equivalence theory allowed itself to wander in the “wilderness” for lack of accepted guiding principles. The obvious definition of contextual equivalence was not scrupulously adhered to, and the underspecificity of the formalisms proposed led to too many interpretations of equivalence.While one may not realistic expect a single paper to overwrite about 30 years of research, a more modest hope would be for a renewed discussion on the basic principles of process-equivalence theory."
What do you think?
1 comment:
The principle of contextual equivalence makes a lot of sense for security. (Security can often be defined as indistinguishability between instantiations of a parameterized process.) Bisimulation is indeed too fine an equivalence for security; often weaker notions of observational congruence are defined, such as for the applied pi calculus.
However deriving (denotational) semantics from equivalences seldom helps proofs. I find proofs easier in a setting that starts off with an operational semantics and then defines congruences.
I don't think bisimulation is a good technique for proving implementations correct (given a specification) in any case; a much better approach is proving full abstraction, i.e., preservation of observational congruence. However without bisimulation, proving full abstraction can be tedious. I usually show simulations both ways modulo "wrappers", and then show that the wrappers in the two directions "cancel out", thus doing 3 proofs for one. Is there a better technique for this setting?
The principle of observable I/O is also obvious. However I don't quite understand the principle of comprehensive modeling. To me it seems to push under the rug the very reasons for having so many equivalences.
Post a Comment