Multiparty session types as coherence proofs
 784 Downloads
 3 Citations
Abstract
We propose a Curry–Howard correspondence between a language for programming multiparty sessions and a generalisation of Classical Linear Logic (CLL). In this framework, propositions correspond to the local behaviour of a participant in a multiparty session type, proofs to processes, and proof normalisation to executing communications. Our key contribution is generalising duality, from CLL, to a new notion of nary compatibility, called coherence. Building on coherence as a principle of compositionality, we generalise the cut rule of CLL to a new rule for composing many processes communicating in a multiparty session. We prove the soundness of our model by showing the admissibility of our new rule, which entails deadlockfreedom via our correspondence.
Keywords
Local Type Proof System Linear Logic Parallel Composition Proof Theory1 Introduction
Session types are protocols for communications in concurrent systems [16, 26]. A recent line of work investigates Curry–Howard correspondences between the type theory of session types and linear logic, where proofs correspond to processes, propositions to types, and proof normalisation to communications [6, 28]. An important consequence of such correspondences is that several notions that usually require complex additional definitions and proofs, e.g., dependency relations for deadlockfreedom [12, 23], follow for free from the theory of linear logic, yielding a succinct formulation of the formal foundations of sessions.
The aforementioned correspondences cover only session types with exactly two participants, called binary session types. In practice, however, protocols often describe the behaviour of multiple participants [25]. Multiparty Session Types (MPSTs) have been proposed to capture such protocols, by matching the communications enacted by many participants with a global scenario [17]. Unfortunately, MPSTs are more involved than binary session types, since they include complex analyses on the structure of protocols and a mapping from global types, which describe multiparty protocols, to local types, which describe the local behaviour of each single participant. So far, it has been unclear whether a succinct logical formulation of MPSTs can be developed, as done for binary session types. Therefore, we ask:
Can we design a proof theory for reasoning about multiparty sessions?
A positive answer to our question would lead to a clearer understanding of the principles that underpin multiparty session programming. The main challenge lies in the foundational notion of duality found in linear logic, which, in a Curry–Howard interpretation of propositions as types, checks whether the session types of two respective participants are compatible. It is an open question how to generalise the notion of type duality to that of “multiparty compatibility” found in MPSTs, which allows to compose an arbitrary number of participants [14, 17, 20]. Therefore, differently from previous work, we are in a situation where the existing logic does not provide us with natural tools for dealing with the types we desire to capture.

Coherence We start by formalising a language for local types and global types (Sect. 3, Types). As in MPSTs, a local type denotes the I/O actions of a single participant in a session, whereas a global type denotes the desired interactions among all participants in a session. We then present coherence, a proof system for determining whether a set of local types follow the scenario denoted by a global type (Sect. 3, Coherence). We prove the adequacy of coherence by showing that global types are proof terms for coherence proofs (Sect. 3, Fig. 2); equivalences between coherence proofs correspond to the equivalences between global types originally formulated with an auxiliary definition in [8] (Sect. 3, Proposition 1); and, the coherence proof system yields projection and extraction procedures from global types to local types and vice versa (Sect. 3, Proposition 2 and Proposition 3). Finally, we show that coherence generalises the notion of duality in CLL (Sect. 3, Proposition 4). Our extraction procedure is the first not requiring auxiliary conditions (e.g., dependency relations as in [19]) and capturing nested protocols [13].

Multiparty classical processes We present Multiparty Classical Processes (MCP), a proof theory that is in a Curry–Howard correspondence with a language for synchronous multiparty sessions (Sect. 4). The key aspect of MCP is using coherence as a new principle for compositionality in order to generalise the standard cut rule of linear logic, by allowing an arbitrary number of proofs to be composed (Sect. 4, Fig. 6). Such a generalisation gives us a consavative extension of the binary cut rule of Classical Linear Logic (CLL) (Sect. 7). From the proof theory of MCP, we derive logicallyfounded notions of structural equivalences and reductions for multiparty processes (Sect. 4, Figs. 7 and 8). Driven by the correspondence between processes and proofs, we show that: communications among processes always follow their session types (Sect. 5, Theorem 4); and, communications never get stuck (Sect. 5, Corollary 1), improving on previous techniques for analysing progress in multiparty sessions (Sect. 8).
2 Preview
3 Coherence
Types The syntax of local and global types is given in Fig. 1, where \(p,q\) range over a set of roles. Global types are highlighted, to distinguish them as proof terms. Highlighting is also used in our syntax of local types, to show the difference with CLL. We will adopt the same convention in Sect. 4 when we present more terms. A local type A describes the local behaviour of a role in a session. Types \(1\) and \(\bot \) denote session termination, respectively representing the request and the acceptance for closing a session (which were informally abstracted by \(\mathsf {end}\) in our previous examples). A type Open image in new window denotes a multicast output of a session with type A to roles \(\tilde{p}\), with a continuation B. A type \(A\otimes ^{p} B\) represents an input of a session with type A from role \(p\), with continuation B. Types \(A\oplus ^{\tilde{p}} B\) and Open image in new window denote, respectively, the output of a choice between the continuations A and B to roles \(\tilde{p}\) and the input of a choice from role \(p\). The replicated type !A offers behaviour A as many times as requested. Finally, type ?A requests the execution of a replicated type and proceeds as A.
A global type \(G\) describes the behaviour of many participants. In the interaction \(p \; \texttt {>} \; \tilde{q} : \langle G' \rangle ;G\), role \(p\) sends to roles \(\tilde{q}\) a message to create a new session of type \(G'\), and then the protocol proceeds as \(G\). In Open image in new window , role \(p\) communicates to roles \(\tilde{q}\) its choice of either branch \(G_1\) or \(G_2\). A type \(? p \; \texttt {>} \; !\tilde{q} : \langle G \rangle \) denotes that role \(p\) may ask roles \(\tilde{q}\) to execute \(G\) many times. Finally, in \(\mathsf {end}^{p\tilde{q}}\), role \(p\) asks roles \(\tilde{q}\) to terminate the session (for brevity, we often write \(\mathsf {end}\)).
We report the rules for deriving coherence judgements in Fig. 2. Rule Open image in new window matches the output type from role \(p\) to roles \(\tilde{q}\) with the input types of roles \(\tilde{q}\), whenever (i) the types for the newly created session are coherent and (ii) the types of all continuations are also coherent. Rule Open image in new window checks that both possibilities in a choice are coherent, where all roles participating in the communication are allowed to have different behaviour and the other roles are not (a multicast generalisation of [17]). In rule !?, we check that a client requests the creation of a coherent session only from replicated services. Finally, rule \(1\bot \) checks that all participants agree on the termination of a protocol. As in CLL, we interpret type \(1\) as a terminated process and \(\bot \) as a process that has terminated its behaviour in a session and proceeds with other sessions. Therefore, we read rule \(1\bot \) as “a protocol terminates when one participant waits (type \(\bot \)) for the termination of all the others (type \(1\)), which execute in parallel”. This design choice simplifies our development; we discuss a generalisation in Sect. 8.
For example, Open image in new window is not valid since \(\mathsf {end}\) does not have correct participant annotation. Open image in new window is not valid either since a global type in the right branch does not contain the participants p and \(q_i\) (hence it does not match with rule Open image in new window ).
Example 1
3.1 Properties of coherence
Definition 1
(Swapping congruence \(\simeq ^{\mathsf {g}}\)) The swapping congruence \(\simeq ^{\mathsf {g}}\) is the smallest congruence satisfying the rules in Fig. 3.
In general, two global types are proof terms for the same set of local typings if and only if they are equivalent. To prove this, we first need to introduce two auxiliary lemmas.
Lemma 1

Open image in new window implies that the proof for deriving \(G\) contains an application of rule Open image in new window that introduces Open image in new window ;

Open image in new window implies that the proof for deriving \(G\) contains an application of rule Open image in new window that introduces Open image in new window ;

\(\varTheta = \varTheta ', p\!:?A, \{q_i\!:!B_i\}_i\) implies that the proof for deriving \(G\) contains an application of rule !? that introduces \(p\!:?A, \{q_i\!:!B_i\}_i\).
Proof
The thesis follows immediately from the definition of the rules for coherence, since there are no elimination rules and, e.g., rule Open image in new window is the only one that can introduce the propositions that we are interested in. The same argument holds for the other cases. \(\square \)
Lemma 2

Open image in new window implies that there exists \(G_2 = p \; \texttt {>} \; \tilde{q} : \langle G''_2 \rangle ;G'_2\) such that \(G_1 \simeq ^{\mathsf {g}}G_2\), \(\mathsf {w}(G_1) = \mathsf {w}(G_2)\), and Open image in new window ;

Open image in new window implies that there exists Open image in new window such that \(G_1 \simeq ^{\mathsf {g}}G_2\), \(\mathsf {w}(G_1) = \mathsf {w}(G_2)\), and Open image in new window ;

\(G_1 \vDash \varTheta , p\!:?A, \{q_i\!:!B_i\}_i\) implies that there exists \(G_2 = ? p \; \texttt {>} \; !\tilde{q} : \langle G'_2 \rangle \) such that \(G_1 \simeq ^{\mathsf {g}}G_2\), \(\mathsf {w}(G_1) = \mathsf {w}(G_2)\), and \(G_2 \vDash \varTheta , p\!:?A, \{q_i\!:!B_i\}_i\).
Proof
The proof is by induction on the derivation of \(G_1\). We focus on the first implication; the others follow by similar reasoning. By Lemma 1, we know that the proof for deriving \(G_1\) must contain an application of rule Open image in new window that introduces Open image in new window .

Case \(1\bot \) (Base case) This case is not applicable since there must be an application of Open image in new window (by Lemma 1).
 Case Open image in new window introducing Open image in new window : The thesis follows trivially since \(G_1=G_2\).
 Case Open image in new window not introducing Open image in new window : By induction hypothesis, we know that we can rewrite this proof as: where such that \(G'_1 \simeq ^{\mathsf {g}}p \; \texttt {>} \; \tilde{q} : \langle G''_2 \rangle ;G'_2\) and \(\mathsf {w}(G'_1) = \mathsf {w}(p \; \texttt {>} \; \tilde{q} : \langle G''_2 \rangle ;G'_2)\). Hence, by the fact that the swapping relation \(\simeq ^{\mathsf {g}}\) is a congruence, we have \(r \; \texttt {>} \; \tilde{s} : \langle G''_1 \rangle ;G'_1 \simeq ^{\mathsf {g}}r \; \texttt {>} \; \tilde{s} : \langle G''_1 \rangle ;p \; \texttt {>} \; \tilde{q} : \langle G''_2 \rangle ;G'_2\). Moreover, applying rule \((\rightarrow \rightarrow )\) from the definition of \(\simeq ^{\mathsf {g}}\), we obtain: where such that \(r \; \texttt {>} \; \tilde{s} : \langle G''_1 \rangle ;G'_1\simeq ^{\mathsf {g}}p \; \texttt {>} \; \tilde{q} : \langle G''_2 \rangle ;r \; \texttt {>} \; \tilde{s} : \langle G''_1 \rangle ;G'_2\) and \(\mathsf {w}(r \; \texttt {>} \; \tilde{s} : \langle G''_1 \rangle ;G'_1)=\mathsf {w}(p \; \texttt {>} \; \tilde{q} : \langle G''_2 \rangle ;r \; \texttt {>} \; \tilde{s} : \langle G''_1 \rangle ;G'_2) \) .
 The cases for Open image in new window and !? are similar to the previous one. For case Open image in new window , we may have to apply the transformation \((\rightarrow \!\oplus )\). As anticipated, although this transformation changes the size of a proof, it does not change its weight (which is what we need to prove here). This follows from simple distribution of multiplication over addition. Rule \((\rightarrow \!\oplus )\) states (we report it verbatim, since our argument holds independently from this particular proof): We can easily verify that weight remains unaffected:
Proposition 1
(Swapping) Let \(G_1 \vDash \varTheta \). Then, \(G_1 \simeq ^{\mathsf {g}}G_2\) if and only if \(G_2 \vDash \varTheta \).
Proof
Proof
 Case Open image in new window . Here we have that \(G_1 = p \; \texttt {>} \; \tilde{q} : \langle G'_1 \rangle ;G''_1\) such that: If \(G_2\) ends with an application of Open image in new window that introduces the same principal formulas, we have that \(G_2 = p \; \texttt {>} \; \tilde{q} : \langle G''_2 \rangle ;G'_2\). Since \(G_2\) has the same typing of \(G_1\), from rule Open image in new window we know that also \(G''_2\) and \(G'_2\) have the same typings of \(G''_1\) and \(G'_1\) respectively, because the rule directs precisely the distribution of roles and types by looking at the role annotations. The thesis now follows directly by induction hypothesis (since the proofs for the premises are smaller). Otherwise, by Lemma 1 we know that we can apply Lemma 2 to obtain a \(G_3\) such that: Open image in new window ; and, the weight of the derivation of \(G_3\) is the same as that of the derivation of \(G_2\). By the correspondence between global types and coherence proofs, we know that: The thesis now follows by induction hypothesis on \(G''_3\) and \(G'_3\).

Case Open image in new window . This case is similar to that for Open image in new window .
 Case !?. Here we have that \(G_1 = ? p \; \texttt {>} \; !\tilde{q} : \langle G'_1 \rangle \) such that: By hypothesis, we know that \(G_2 \vDash p\!:?A, \{q_i\!:!B_i\}_i\). That means that \(G_2\) has !? as last applied rule: The thesis now follows by induction hypothesis. \(\square \)
Projection and extraction The hallmark of the theory of multiparty session types is projection: developers can write protocols as global types, and then automatically project a global type onto a set of local types that can be used to modularly verify the behaviour of each participant. As there is only one possible rule application for each production in the syntax of global types, we can construct an algorithm that traverses the structure of \(G\):
Proposition 2
(Projection) Given \(G\), we can compute in linear time \(\varTheta \) (if it exists) such that \(G\vDash \varTheta \).
We can also use coherence for the inverse procedure, i.e., the extraction of a global type from a set of local typings \(\varTheta \). If \(\varTheta \) is coherent, we can just apply the first applicable coherence rule, noting that the sizes of the local types in the premises always get smaller:
Proposition 3
(Extraction) Given \(\varTheta \), we can compute G (if it exists) such that \(G \vDash \varTheta \).
Example 2
Global reductions We define reductions for global types, denoted \(\tilde{G} \rightsquigarrow \tilde{G'}\), where \(\tilde{G}\) is a multiset \(\{G_1,\ldots ,G_n\}\). Global type reductions are just a convention (recalling [8]), which we use in Sect. 5 to concisely formalise how processes follow their protocols. Formally, \(\rightsquigarrow \) is the smallest relation satisfying the rules in Fig. 4. Rule Open image in new window models a communication that creates a new session of type \(G'\), which will then proceed in parallel to the continuation \(G\). Rule \(\mathsf {g}_{1\bot }\) models session termination. Rules Open image in new window and Open image in new window model the execution of a choice. In rules \(\mathsf {g}_{!?}, \mathsf {g}_{!C}\) and \(\mathsf {g}_{!W}\), a replicated protocol can be respectively executed exactly once, multiple, or zero times. Rule \(\mathsf {g}_{\mathsf {ctx}}\) lifts the behaviour of a protocol to a multiset of protocols executing concurrently. We abuse the notation \(\tilde{G},\tilde{G}'\) to indicate the union of the two multisets \(\tilde{G}\) and \(\tilde{G}'\). Finally, rule \(\mathsf {g}_{\mathsf {eq}}\) allows for swappings in a global type. In this rule, \(\tilde{G} \simeq ^{\mathsf {g}}\tilde{G}'\) is the pointwise extension of the swapping relation \(\simeq ^{\mathsf {g}}\) to multisets. Formally, \(\tilde{G} \simeq ^{\mathsf {g}}\tilde{G}'\) if and only if \(\tilde{G} = \{G_1,\ldots ,G_n\}, \tilde{G}' = \{G'_1,\ldots ,G'_n\}\), and \(G_i \simeq ^{\mathsf {g}}G'_i\) for all \(i \in [1,n]\). Our semantics preserves validity. Below we write that \(\tilde{G}\) is valid if all the \(G_i\) in \(\tilde{G}\) are valid.
Theorem 1
(Coherence preservation) If \(\tilde{G}\) is valid and \(\tilde{G} \rightsquigarrow \tilde{G'}\), then \(\tilde{G'}\) is valid.
Remark 1
Rule \(\mathsf {g}_{!?}\) can be derived from rules \(\mathsf {g}_{!C}\) and \(\mathsf {g}_{!W}\). Including it simplifies our presentation, since each global type reduction corresponds to a communication in MCP (Sect. 5).
Proposition 4
(Coherence as duality) Let A, B be propositions where all subterms of the form Open image in new window or \(C \oplus ^{\tilde{p}} D\) are such that \(\tilde{p} = q\) for some \(q\). Then, \([\![A]\!] = [\![B]\!]^{\bot }\) if and only if there exists \(G\) such that \(G \vDash p\!:A, q\!:B\).
Observe that, in Proposition 4, the \(G\) corresponding to the coherence proof for the validity of \(p\!:A, q\!:B\) is necessarily unique, since coherence is deterministic in the case of two propositions – the structures of the propositions force the order in which the rules must be applied.
4 Multiparty classical processes
In this section, we present Multiparty Classical Processes (MCP). MCP captures dependencies among actions performed by different participants in a multiparty session, whereas, in previous work, actions among different pairs of participants must be independent [6, 28]. We use the synchronous semantics from [18] for a simplicity of the presentation.
Processes We report the syntax of processes in Fig. 5. In MCP, both input and output names are bound, as in [28]. Term (send) creates a new session \(y\) and sends it, as role \(p\), to the processes respectively playing roles \(\tilde{q}\) in session \(x\); then, the process proceeds as \(P\). The dual operation (recv) receives, as role \(p\) in session \(x\), a fresh session \(y\) from the process playing role \(q\); the process then proceeds as the parallel composition of \(P\) (dedicated to session \(y\)) and \(Q\) (dedicated to continuing session \(x\)). Similarly, terms (left sel) and (right sel) multicast a selection of a left or right branch respectively to the processes playing roles \(\tilde{q}\) in session \(x\), as role \(p\). A selection is received by term (case), which offers the two selectable branches. Terms (close) and (wait) terminate a session. Term (choice) is the standard nondeterministic choice. In a restriction (res), \(x\) is bound in the processes \(P_i\); we use the standard type annotation (as in [28]) to show the relation between the semantics of processes and global types in Sect. 5. In term \({x}^{p\, q}(y);(P\ \;\varvec{}\ \;Q)\), \(y\) is bound in \(P\) but not in \(Q\). In terms \(\overline{x}^{\;p\, \tilde{q}}(y);{P}\), \(!x^p(y);P\), and \(?x^p(y);P\), \(y\) is bound in \(P\).
Judgements Judgements in MCP have the form \(P \vdash x_1^{p_1}\!:A_1,\ldots , x_n^{p_n}\!:A_n\), meaning that process \(P\) implements roles \(p_i\) in the respective session \(x_i\) with behaviour \(A_i\).
Rule \(\mathsf {MCut}\) is central: it extends the \(\mathsf {Cut}\) of CLL to composing in parallel an arbitrary number of \(P_i\) that communicate using session \(x\). The rule checks that the composition of the respective local behaviours of the composed processes is coherent (\(G \vDash \{p_i\!:A_i\}_i\)). In the conclusion, \(\{\varGamma _i\}_i\) is the disjoint union of all \(\varGamma _i\) in the premise.
Rule \(\otimes \) types an input \({x}^{p\, \!q}(y);(P\ \;\varvec{}\ \;Q)\), where the subprocess \(P\) plays role \(p\) with behaviour A in the received multiparty session \(y\); session \(x\) then proceeds by following behaviour B for role \(p\) in \(Q\). Observe that the \(\otimes \) is annotated with the role \(q\) that \(p\) wishes to receive from. The multicast output \(\overline{x}^{\;\!p\, \!\tilde{q}}(y);{P}\) in rule Open image in new window creates a new session \(y\) and sends it, as role \(p\) in session \(x\), to roles \(\tilde{q}\). The new session \(y\) is used by \(P\) as role \(p\) with type A, assuming that the other processes receiving it implement the other roles (this assumption is checked by coherence in \(\mathsf {MCut}\), when processes are composed). We discuss in Sect. 8 how to relax the constraint that the role \(p\) played in session \(y\) is the same.
Rules \(\oplus _1\) and \(\oplus _2\) type, respectively, the multicast of a left and right selection, by checking that the process continuation follows the expected local type. Similarly, rule Open image in new window types a branching by checking that the continuations implement the respective expected local types.
Rule \(+\) types the nondeterministic process \(P + Q\), by checking that both \(P\) and \(Q\) implement the same local behaviours. Observe that \(P\) and \(Q\) may still be substantially different, since they may (i) perform different selections on some sessions (as rules \(\oplus _1\) and \(\oplus _2\) can yield the same typing), and (ii) have different inner compositions of processes whose types have been hidden by rule \(\mathsf {MCut}\).
Rules \(1\) and \(\bot \) type, respectively, the request and the acceptance for closing a multiparty session. Rules ! and ? type, respectively, the replicated offering of a service and its repeated usage (a client). Since a service typed by ! may be used multiple times, we require that its continuation does not use any linear behaviour (\(?\varDelta \)). Rules \(\mathsf {Weaken}\) and \(\mathsf {Contract}\) type, respectively, the absence of clients or the presence of multiple clients. In rule \(\mathsf {Contract}\), sessions \(y\) and \(z\) are contracted into a single session \(x\) with a standard name substitution, provided that they have the same type ?A.
5 Semantics
In this section, we demonstrate the consistency of MCP, by establishing a cutelimination result that yields an operational semantics and important properties, e.g., deadlockfreedom.
5.1 Structural equivalences as commuting conversions
5.2 Process reductions as MCut reductions
5.3 Properties
In the remainder, we abuse the notation \(P \rightarrow P'\) to refer to process reductions closed up to our structural equivalence \(\equiv \), as in standard process calculi. We restrict \(P \rightarrow P'\) to be a toplevel reduction, i.e., we do not allow reductions of subterms in \(P\). This does not introduce any loss of generality, as in [28].
Processes and types Since both equivalences and reductions are derived from judgementpreserving proof transformations, we immediately obtain the following two properties:
Theorem 2
(Subject congruence) \(P \vdash \varDelta \) and \(P \equiv Q\) imply that \(Q \vdash \varDelta \).
Theorem 3
(Subject reduction) \(P \vdash \varDelta \) and \(P \rightarrow Q\) imply that \(Q \vdash \varDelta \).
In Fig. 8, global type annotations should not be mistaken for a requirement of our reductions; they are rather a guarantee given by our proof theory: if a process is reducible, then its sessions are surely typed with the respective global types reported in the rule. We use this property to reconstruct the result of session fidelity from multiparty session types [17]. In the following, \(\mathsf {gt}(P)\) denotes the multiset of global types used in the restrictions inside \(P\).
Theorem 4
(Session fidelity) \(P \vdash \varDelta \) and \(P \rightarrow P'\) imply that either \(\mathsf {gt}(P) \rightsquigarrow \mathsf {gt}(P')\) or \(\mathsf {gt}(P) \simeq ^{\mathsf {g}}\mathsf {gt}(P')\).
Proof
(Sketch) First, we observe that we can disregard structural equivalences (\(\equiv \)) without any loss of generality, because \(\equiv \) does not change the global types in \(P\). We now proceed by cases on the reduction applied to \(P\), from Fig. 8. For all such cases, we observe that the global types involved in the reduction are transformed according to the rules for the semantics of global types. \(\square \)
Deadlock freedom Processes in MCP are guaranteed to be deadlock free. We use the standard methodology from [6, 28]. First, we prove that the \(\mathsf {MCut}\) rule in MCP is admissible:
Theorem 5
(MCut Admissibility) \(P_i \vdash \varGamma _i, x^{p_i}\!:A_i\), for \(i\in [1,n]\), and \(G \vDash \{p_i\!:A_i\}_i\) imply that there exists \(Q\) such that \(Q \vdash \{\varGamma _i\}_i\).
Proof
By induction on the sizes of the proofs for \(P_i \vdash \varDelta _i, x^{p_i}\!:A_i\) and the formulae \(A_i\). If a reduction from Fig. 8 is applicable, then we apply it. For all such reductions, we can observe that the size of the proof and/or the formulae decrease in the righthand side, and therefore the thesis follows by induction hypothesis. Otherwise, we can apply one of the commuting conversions from Fig. 7. In this case, the proof gets smaller while the formulae stay the same.
Our case coverage is complete, because when a commuting conversion cannot be applied we can always apply a reduction. In fact, commuting conversions cannot be applied only if all proofs for \(P_i\) end with an application of a rule with principal variable x. But if that is the case, then by coherence we have that there must be at least two proofs for \(P_k\) and \(P_j\) that have compatible types and can be reduced. \(\square \)
The admissibility of \(\mathsf {MCut}\) gives us a methodology for removing cuts from a proof, corresponding to executing communications in a process until all restrictions are eliminated. However, the indiscriminate application of cut reductions inside of proofs allows for executing communications under input prefixes. This is not in line with the standard operational formulation of process calculi, where this kind of reductions are usually not allowed. Therefore, it is also useful to prove that all restrictions that appear at the toplevel can be eliminated without reducing prefixed subterms. Below, we say that \(P\) is a restriction if it is of the form \((\varvec{\nu }x\!:G)\,(\prod _i P_i)\), and we write \(\rightarrow ^+\) for one or more applications of \(\rightarrow \).
Corollary 1
(Deadlock freedom) \(P \!\vdash \!\!\varDelta \) and \(P\) is a restriction imply \(P \!\rightarrow ^+\! Q\) for some \(Q\) that is not a restriction.
Proof
The proof follows the same structure as that presented in [28] for the calculus CP, only generalised from the \(\mathsf {Cut}\) rule in Classical Linear Logic to rule \(\mathsf {MCut}\) in MCP.
Since \(P\) is a restriction, the last applied rule in the proof of \(P\) is \(\mathsf {MCut}\). We now proceed by cases on the last applied rules of the premises of such \(\mathsf {MCut}\). If one of the premises is itself an \(\mathsf {MCut}\), we recursively eliminate it. Otherwise, either: all premises are logical rules that act on the restriction variable, thus we can apply a reduction from Fig. 8; or, at least one premise is a logical rule that acts on a variable other than the restriction variable, thus we can apply a commuting conversion from Fig. 7. \(\square \)
6 The 2buyer protocol example
We now formalise the 2buyer protocol from Sect. 2 and expand it further.
7 Relation to linear logic
Theorem 6
(Derivable Judgements in MCP and CLL) \(\vdash \varGamma \) in MCP if and only if \(\vdash [\![\varGamma ]\!]\) in CLL.
Proof
Observe that removing proof terms in MCP yields a pure logic that differs from CLL only for two aspects. Firstly, rule \(\mathsf {MCut}\) in MCP is different from rule \(\mathsf {Cut}\) in CLL. Secondly, propositions in MCP are annotated with roles and the channels they type. However, we know that rule \(\mathsf {MCut}\) is admissible in MCP (Theorem 5), just like rule \(\mathsf {Cut}\) is admissible in CLL [15]. Therefore, when evaluating the expressivity of the two systems wrt the derivability of judgements, we can limit our comparison to the cutfree fragments of MCP and CLL without loss of generality. The only difference between these two fragments is that MCP propositions are annotated with channels and roles. But such annotations are used only by rule \(\mathsf {MCut}\) and can be freely chosen in all other rules. As a consequence, cutfree MCP is completely equivalent to the system with the same rules but without annotations; CLL is that system. \(\square \)
Theorem 7
(Binary MCP and CLL) \(\mathcal {P}\vdash _{\mathsf {2}} \varGamma \) in MCP if and only if \([\![\mathcal {P}]\!] \vdash [\![\varGamma ]\!]\) in CLL.
Proof
By induction on the construction of \([\![\mathcal {P}]\!]\). The interesting case is that of \(\mathsf {MCut}\). The thesis follows from Proposition 4. \(\square \)
Theorem 7 cannot be generalised to all of MCP, since CLL cannot compose more than two proofs at the same time as done in our rule \(\mathsf {MCut}\). Hence, \(\mathsf {MCut}\) must be somehow simulated using a different proof structure. An interesting line of work in this direction is the notion of “medium processes” studied in [4]. Given some processes that have compatible local types for a multiparty session, as composed in our rule \(\mathsf {MCut}\), a medium process corresponds to a proof in (intuitionistic) linear logic that can be composed with such processes using the standard \(\mathsf {Cut}\) rule. This medium process is synthesised by the original global type used to type the processes and acts as a middleware: all communications over the session are centralised on the medium, which distributes messages to the processes by following the original global type. This approach adds a layer of indirection (processes do not communicate directly, but through the medium) that is not present in the original theory of multiparty session types, and is also not necessary in MCP. However, it points to an interesting relationship between global types and the class of proofs in linear logic that correspond to medium processes (P. Wadler, personal communication, 2015).
8 Related work and discussion
Curry–Howard correspondences for session types. The works closest to ours are the Curry–Howard correspondences between binary session types and linear logic [6, 28]. We extended this line of work considerably by introducing multiparty sessions, which required generalising the notion of type compatibility in linear logic to address multiple types (coherence). Coherence reconstructs the standard relationship between the global and local views found in multiparty session types. We then used coherence to develop a new proof theory that conservatively extends linear logic to capture multiparty interactions (all derivable judgements in linear logic are derivable also in our framework, and vice versa). Furthermore, our work provides, for the first time, a notion of session fidelity in the context of a Curry–Howard correspondence between linear logic and session types (Sect. 5, Theorem 4). In this work we have not treated polymorphism and existential/universal quantification, which we believe can be naturally added to MCP following the lines presented in [5, 28] for binary sessions.
The standard cut rule in CLL forces the graph of connections among processes to be a tree [1], a known sufficient condition for deadlockfreedom in session types [7]. A multicut rule is proposed in [1] to allow two processes to share multiple channels. This enables reasoning on networks with cyclic interconnections, but breaks the deadlockfreedom property guaranteed by linear logic, since duality is no longer a sufficient condition when multiple resources are involved (also noted in [28]). For the first time, MCP processes can have cyclic interconnections (e.g., our example in Sect. 2), but they are still guaranteed to be deadlockfree. The key twist is to use coherence as a principle to check that the interconnections are safely resolved by communications. This suggests that coherence may be useful also in other settings related to linear logic, for reasoning about the sharing of resources among multiple entities (in our case, sessions). We leave this investigation as interesting future work.
Multiparty session types (MPSTs) Our work concisely unifies many of the ideas found in separate developments of multiparty session types. Our global types with multicasting are inspired from [12], to which we added nested and replicated types; both additions arise naturally from our proof theory. Our nesting of global types can be seen as a logical reconstruction of (a simplification of) those originally presented in [13], while repetitions in global types reconstruct the concept presented in [10].
Our proof system for coherence is inspired by the notion of wellformedness found in MPSTs [12, 17], in the context of synchronous communications [2]. Since coherence is a proof system, projection and extraction are derived from proof equivalences, rather than being defined separately as in [17, 19]. A benefit is that our projection and extraction are guaranteed to be correct by construction, whereas in previous works they have to be proven correct separately wrt the auxiliary notion of wellformedness.
We conjecture that MCP can be used to naturally extend the work in [9], where linear logic is used to type choreography programs, obtaining a Curry–Howard correspondence for the calculus of compositional choreographies typed with multiparty session types [22].
Coherence Coherence can be generalised, e.g., in Fig. 2: (1) rule !? could allow for more than one client; (2) similarly, rule \(1\bot \) could be relaxed to allow for more than one \(\bot \) type; (3) rule Open image in new window could allow the involved participants to play different roles in the nested session they create, as in [13] (adding such roles as an extra annotation to each type respectively). We leave these extensions as interesting future work. Point (2) influences greatly the complexity of the cut admissibility proof for MCP (Theorem 5), because it would imply that the cut reduction of a terminated session could lead to having more than one process in the reductum (all the processes typed with \(\bot \)), whereas now we have only one. This means that we would have to type a parallel composition of processes without restriction, requiring to extend our framework in the fashion of the logic presented in [9]. While extending the proof theory of MCP would be easy, (extending coherence to allow for missing participants to be added later, as in [22]), it would also cause an explosion in the number of cases to consider in the proof [9]. As future work, we will investigate how our rule \(\mathsf {MCut}\) and the notion of coherence can affect the mapping from the functional language GV [21, 28].
In [11], a proof system similar to the multiplicativeadditive fragment without channel passing of our coherence is embedded in the calculus of constructions. Differently from our approach, no correspondence between global types and proofs is provided; hence, extraction does not follow automatically from the theory (and is not presented).
Footnotes
 1.
\(1 \otimes B2 1\) or \(1 \otimes B2 \bot \)?
Notes
Acknowledgements
We thank Kim Skak Larsen and the anonymous reviewers for their useful comments. Montesi was supported by CRC (Choreographies for Reliable and efficient Communication software), grant no. DFF–400500304 from the Danish Council for Independent Research. Schürmann was partly supported by DemTech, grant no. 10092309 from the Danish Council for Strategic Research. Yoshida was partially sponsored by the EPSRC EP/K011715/1, EP/K034413/1, EP/L00058X/1, and EU project FP7612985 UpScale. This work is also supported by the COST Action IC1201 BETTY.
References
 1.Abramsky, S., Gay, S.J., Nagarajan, R.: Interaction categories and the foundations of typed concurrent programming. In: NATO ASI DPD, pp. 35–113 (1996)Google Scholar
 2.Bejleri, A., Yoshida, N.: Synchronous multiparty session types. Electr. Notes Theor. Comput. Sci. 241, 3–33 (2009)CrossRefGoogle Scholar
 3.Bellin, G., Scott, P.J.: On the picalculus and linear logic. Theor. Comput. Sci. 135(1), 11–65 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
 4.Caires, L., Pérez, J.A.: A typeful characterization of multiparty structured conversations based on binary sessions. CoRR, abs/1407.4242 (2014)Google Scholar
 5.Caires, L., Pérez, J.A., Pfenning, F., Toninho, B.: Behavioral polymorphism and parametricity in sessionbased communication. In: ESOP, pp. 330–349 (2013)Google Scholar
 6.Caires, L., Pfenning, F.: Session types as intuitionistic linear propositions. In: CONCUR, pp. 222–236 (2010)Google Scholar
 7.Carbone, M., Debois, S.: A graphical approach to progress for structured communication in web services. In: Proceedings of ICE’10 (2010)Google Scholar
 8.Carbone, M., Montesi, F.: Deadlockfreedombydesign: multiparty asynchronous global programming. In: POPL, pp. 263–274 (2013)Google Scholar
 9.Carbone, M., Montesi, F., Schürmann, C.: Choreographies, logically. In: CONCUR, pp. 47–62 (2014)Google Scholar
 10.Castagna, G., DezaniCiancaglini, M., Padovani, L.: On global types and multiparty session. LMCS, 8(1), 1–45 (2012)Google Scholar
 11.Ciobanu, Gabriel, Horne, Ross: Behavioural analysis of sessions using the calculus of structures. In: Proceedings of the 10th International Andrei Ershov Informatics Conference, Perspectives of System Informatics (PSI 2015), volume to appear of LNCS. Springer (2016)Google Scholar
 12.Coppo, M., DezaniCiancaglini, M., Yoshida, N., Padovani, L.: Global progress for dynamically interleaved multiparty sessions. MSCS 760, 1–65 (2015)zbMATHGoogle Scholar
 13.Demangeon, R., Honda, K.: Nested protocols in session types. In: CONCUR, pp. 272–286 (2012)Google Scholar
 14.Deniélou, P.M., Yoshida, N.: Multiparty compatibility in communicating automata: characterisation and synthesis of global session types. ICALP 2, 174–186 (2013)MathSciNetzbMATHGoogle Scholar
 15.Girard, J.Y.: Linear logic. Theor. Comput. Sci. 50, 1–102 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
 16.Honda, K., Vasconcelos, V., Kubo, M.: Language primitives and type disciplines for structured communicationbased programming. In: ESOP, pp. 22–138 (1998)Google Scholar
 17.Honda, K., Yoshida, N., Carbone, M.: Multiparty asynchronous session types. In: Proceedings of POPL, vol. 43(1), pp. 273–284. ACM (2008)Google Scholar
 18.Kouzapas, D., Yoshida, N.: Globally governed session semantics. LMCS 10 (2015)Google Scholar
 19.Lange, J., Tuosto, E.: Synthesising choreographies from local session types. In: CONCUR, pp. 225–239 (2012)Google Scholar
 20.Lange, J., Tuosto, E., Yoshida, N.: From communicating machines to graphical choreographies. In: POPL 2015, pp. 221–232. ACM (2015)Google Scholar
 21.Lindley, S., Garrett M.J.: A semantics for propositions as sessions. In: ESOP, pp. 560–584 (2015)Google Scholar
 22.Montesi, F., Yoshida, N.: Compositional choreographies. In: CONCUR, pp. 425–439 (2013)Google Scholar
 23.Padovani, L., Vasconcelos, V.T., Vieira, H.T.: Typing liveness in multiparty communicating systems. In: COORDINATION, pp. 147–162 (2014)Google Scholar
 24.Sangiorgi, D., Walker, D.: The \(\pi \)calculus: A Theory of Mobile Processes. Cambridge University Press, Cambridge (2001)zbMATHGoogle Scholar
 25.Scribble Project Home Page. http://www.scribble.org
 26.Vasconcelos, V.T.: Fundamentals of session types. Inf. Comput. 217, 52–70 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 27.Wadler, P.: Propositions as sessions. In: ICFP, pp. 273–286 (2012)Google Scholar
 28.Wadler, P.: Propositions as sessions. J. Funct. Prog. 24(2–3), 384–418 (2014)MathSciNetCrossRefzbMATHGoogle Scholar