Characteristic bisimulation for higher-order session processes

For higher-order (process) languages, characterising contextual equivalence is a long-standing issue. In the setting of a higher-order \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\pi $$\end{document}π-calculus with session types, we develop characteristic bisimilarity, a typed bisimilarity which fully characterises contextual equivalence. To our knowledge, ours is the first characterisation of its kind. Using simple values inhabiting (session) types, our approach distinguishes from untyped methods for characterising contextual equivalence in higher-order processes: we show that observing as inputs only a precise finite set of higher-order values suffices to reason about higher-order session processes. We demonstrate how characteristic bisimilarity can be used to justify optimisations in session protocols with mobile code communication.


Introduction
Context In higher-order process calculi communicated values may contain processes. Higher-order concurrency has received significant attention from untyped and typed perspectives; see, e.g., [13,15,20,26,30,33]. In this work, we consider HOπ, a higher-order process calculus with session communication: it combines functional constructs (abstractions/applications, as in the call-by-value λ-calculus) and concurrent primitives (synchronisation on shared names, communication on linear names, recursion). By amalgamating functional and concurrent constructs, HOπ may specify complex session protocols that include both first-order communication (name passing) and higher-order processes (process passing) and that can be type-checked using session types [9]. By enforcing shared and linear usage policies, session types ensure that each communication channel in a process specification conforms to its prescribed protocol. In session-based concurrency, distinguish-B Jorge A. Pérez j.a.perez@rug.nl ing between shared and linear names is important, for computation conceptually involves two distinct phases: the first one is non-deterministic and uses shared names, as it represents the interaction of processes seeking compatible protocol partners; the second phase proceeds deterministically along linear names, as it specifies the concurrent execution of the session protocols established in the first phase.
Although models of higher-order concurrency with session communication have been already developed (cf. works by Mostrous and Yoshida [25] and by Gay and Vasconcelos [5]), their behavioural equivalences remain little understood. Clarifying the status of these equivalences is essential to, e.g., justify non-trivial optimisations in protocols involving both name and process passing. An important aspect in the development of these typed equivalences is that typed semantics are usually coarser than untyped semantics. Indeed, since (session) types limit the contexts (environments) in which processes can interact, typed equivalences admit stronger properties than their untyped counterpart.
The form of contextual equivalence typically used in concurrency is barbed congruence [10,24]. A well-known behavioural equivalence for higher-order processes is context bisimilarity [31]. This is a characterisation of barbed congruence that offers an adequate distinguishing power at the price of heavy universal quantifications in output clauses. Obtaining alternative characterisations of context bisimilarity is thus a recurring, important problem for higher-order calculi-see, e.g., [13,15,21,30,31,34]. In particular, Sangiorgi [30,31] has given characterisations of context bisimilarity for higher-order processes; such characterisations, however, do not scale to calculi with recursive types, which are essential to express practical protocols in session-based concurrency. A characterisation that solves this limitation was developed by Jeffrey and Rathke [13]; their solution, however, does not consider linearity which, as explained above, is an important aspect in session-based concurrency.
This work Building upon [13,30,31], our discovery is that linearity as induced by session types plays a vital rôle in solving the open problem of characterising context bisimilarity for higher-order mobile processes with session communication. Our approach is to exploit the coarser semantics induced by session types to limit the behaviour of higher-order session processes. Indeed, the use of session typed contexts (i.e., environments disciplined by session types) leads to process semantics that admit stronger properties than untyped semantics. Formally, we enforce this limitation in behaviour by defining a refined labelled transition system (LTS) which effectively narrows down the spectrum of allowed process behaviours, exploiting elementary processes inhabiting session types. We then introduce characteristic bisimilarity: this new notion of typed bisimilarity is more tractable than context bisimilarity, in that it relies on the refined LTS for input actions and, more importantly, does not appeal to universal quantifications on output actions.
Our main result is that characteristic bisimilarity coincides with context bisimilarity. Besides confirming the value of characteristic bisimilarity as a useful reasoning technique for higher-order processes with sessions, this result is remarkable also from a technical perspective, for associated completeness proofs do not require operators for name matching, in contrast to Jeffrey and Rathke's technique for higher-order processes with recursive types [13].
Outline Next, we informally overview the key ideas of characteristic bisimilarity, our characterisation of contextual equivalence. Then, Sect. 3 presents the session calculus HOπ. Section 4 gives the session type system for HOπ and states type soundness. Section 5 develops characteristic bisimilarity and states our main result: characteristic bisimilarity and contextual equivalence coincide for well-typed HOπ processes (Theorem 2). Section 6 discusses related works, while Sect. 7 collects some concluding remarks.
This paper is a revised, extended version of the conference paper [16]. This presentation includes full technical details-definitions and proofs, collected in Appendices 1 and 2. In particular, we introduce higher-order bisimilarity (an auxiliary labelled bisimilarity) and highlight its rôle in the proof of Theorem 2. We also elaborate further on the use case scenario for characteristic bisimilarity given in [16] (the Hotel Booking scenario). Using an additional example, given in Sect. 6, we compare our approach with Jeffrey and Rathke's [13]. Moreover, we offer extended discussions of related works.

Overview: characteristic bisimulations
We explain how we exploit session types to define characteristic bisimilarity. Key notions are triggered and characteristic processes/values. We first informally introduce some basic notation and terminology; formal definitions will be given in Sect. 3.
Preliminaries The syntax of HOπ considered in this paper is given below. We write n to range over shared names a, b, . . . and s, s , . . . to range over session (linear) names. Also, u, w denotes a name or a name variable. Session names are sometimes called endpoints. We consider a notion of duality on names, particularly relevant for session names: we shall write s to denote the dual endpoint of s.
Values V, W ::= u names (shared and linear) | λx. P abstractions Processes P, Q ::= u! V .P | u?(x).P output and input | u l.P | u {l i : P i } i∈I labelled choice | X | μX.P recursion | V W value application | P | Q | (ν n)P | 0 composition, restriction, inaction Hence, the higher-order character of HOπ comes from the fact that values exchanged in synchronisations include abstractions. The semantics of HOπ can be given in terms of a labelled transition system (LTS), denoted P − → P , where denotes a transition label or the internal action τ . This way, for instance, P n? V − −− → P denotes an input transition (a value V received along n) and P (ν m)n! V Issues of context bisimilarity Context bisimilarity (denoted ≈, cf. Definition 12) is an overly demanding relation on higher-order processes. It is far from satisfactory due to two issues, associated to demanding clauses for output and input actions. A first issue is the universal quantification in the output clause of context bisimilarity. Suppose P Q, for some context bisimulation . We have the following clause: Q and, for all R with fv(R) = {x}, (ν m 1 )(P | R{ V /x}) (ν m 2 )(Q | R{ W /x}).
Intuitively, process R above stands for any possible context to which the emitted value (V and W ) is supposed to go. (As usual, R{ V /x} denotes the capture-avoiding substitution of V for x in process R.) As explained in [31], considering all possible contexts R is key to achieve an adequate distinguishing power.
The second issue is due to inputs, and follows from the fact that we work with an early labelled transition system (LTS). Thus, an input prefix may observe infinitely many different values.
To alleviate these issues, in characteristic bisimilarity (denoted ≈ C , cf. Definition 18) we take two (related) steps: (a) We replace ( ) with a clause involving a context more tractable than R{ V /x} (and R{ W /x}); and (b) We refine inputs to avoid observing infinitely many actions on the same input prefix.
Trigger processes To address (a), we exploit session types. We first observe that, for any V , process R{ V /x} in ( ) is context bisimilar to the process P = (ν s) ((λz. z?(x).R) s | s! V .0) In fact, through a name application and a synchronisation on session endpoint s we do have P ≈ R{ V /x}: where it is worth noticing that application and endpoint synchronisations are deterministic. Now let us consider process T V below, where t is a fresh name: If T V inputs value λz. z?(x).R then we have: Processes such as T V offer a value at a fresh name; this class of trigger processes already suggests a tractable formulation of bisimilarity without the demanding output clause ( ). Process T V in (1) requires a higher-order communication along t. As we explain below, we can give an alternative trigger process; the key is using elementary inhabitants of session types.

Characteristic processes and values
To address (b), we limit the possible input values (such as λz. z?(x).R above) by exploiting session types. The key concept is that of characteristic process/value of a type, i.e., a simple process term that inhabits that type (Definition 13). To illustrate the key idea underlying characteristic processes, consider the session type S =?(S 1 → ); ! S 2 ; end , which abstracts a protocol that first inputs an abstraction (i.e., a function from values S 1 to processes), and then outputs a value of type S 2 . Let P be the process u? (x).(u! s 2 .0 | x s 1 ), where s 1 , s 2 are fresh names. It can be shown that P inhabits session type S; for the purposes of the behavioural theory developed in this paper, process P will serve as a kind of characteristic (representative) process for S along name u. Given a session type S and a name u, we write [ (S) ] u for the characteristic process of S along u. Also, given a value type U (i.e., a type for channels or abstractions), we write [ (U ) ] c to denote its characteristic value (cf. Definition 13). As we explain next, we use [ (U ) ] c to refine input transitions.

Refined input transitions
To refine input transitions, we need to observe an additional value, λx. t?(y).(y x), called the trigger value (cf. Definition 14). This is necessary: it turns out that a characteristic value alone as the observable input is not enough to define a sound bisimulation (cf. Example 5). Intuitively, the trigger value is used to observe/simulate application processes.
Based on the above discussion, we define an alternative LTS on typed processes, denoted −→. We use this refined LTS to define characteristic bisimulation (Definition 18), in which the demanding clause ( ) is replaced with a more tractable output clause based on characteristic trigger processes (cf. (2) below). Key to this alternative LTS is the following (refined) transition rule for input actions (cf. Definition 15) which, roughly speaking, given some fresh Characteristic triggers Following the same reasoning as (1), we can use an alternative trigger process, called characteristic trigger process, to replace clause ( ). Given a fresh name t and a value V of with type U , we have: This formulation is justified, because given T V as in (1), we may show that Thus, unlike process (1), the characteristic trigger process in (2) does not involve a higherorder communication on t. In contrast to previous approaches [13,30] our characteristic trigger processes do not use recursion or replication. This is key to preserve linearity of session endpoints. It is also noteworthy that HOπ lacks name matching, which is crucial in [13] to prove completeness of bisimilarity. The lack of matching operators is compensated here with the use of (session) types. Matching gives the observer the ability to test the equality of received names. In contrast, in our theory a process trigger embeds a name into a characteristic process n, m ::= a, b | s, s u ,w ::= n | x, y, z V, W ::= u | λx. P P, Q : so as to observe its (typed) behaviour. Thus, equivalent processes deal with (possibly different) names that have the same (typed) behaviour.

A higher-order session π -calculus
We introduce the higher-order session π-calculus (HOπ) which, as hinted at above, includes both name and abstraction passing, shared and session communication, as well as recursion; it is essentially the language proposed in [25], where a behavioural theory is not developed.

Syntax
The syntax of HOπ is defined in Fig. 1a , where P is a process P and x is a name parameter. Process terms include usual π-calculus constructs for sending and receiving values V : process u! V .P denotes the output of V over name u, with continuation P, while process u?(x).P denotes the input prefix on name u of a value that will substitute variable x in the continuation P. Recursion is expressed by μX.P, which binds the recursive variable X in process P. Process V W represents the application of abstraction V to value W . Typing ensures that V is not a name. In the spirit of session-based π-calculi [9], we consider processes u {l i : P i } i∈I and u l.P to define labelled choice: given a finite index set I , process u {l i : P i } i∈I offers a choice among processes with pairwise distinct labels; process u l.P selects label l on name u and then behaves as P. Constructs for inaction 0 and parallel composition P 1 | P 2 are standard. Name restriction (ν n)P is also as customary; we notice that restriction for session names (ν s)P simultaneously binds endpoints s and s in P.
We use fv(P) and fn(P) to denote the sets of free variables and names in P, respectively. In a statement, we will say that a name is fresh if it is not among the names of the objects (processes, actions, etc.) of the statement. We assume that V in u! V .P does not include free recursive variables X . If fv(P) = ∅, we call P closed. Figure 1c defines the operational semantics of HOπ, given as a reduction relation that relies on a structural congruence relation, denoted ≡ (Fig. 1b): it includes a congruence that ensures the consistent renaming of bound names, denoted ≡ α . We assume the expected extension of ≡ to values V . Reduction is denoted −→; some intuitions on the rules in Fig. 1 follow. Rule [App] defines value application. Rule [Pass] defines an interaction/synchronization at n; it can be on a shared name (with n = n) or a session endpoint. Rule [Sel] is the standard rule for labelled choice/selection [9]: given a finite index set I , a process selects label l j on name n over a pairwise distinct set of labels {l i } i∈I offered by a branching on the dual endpoint n; as a result, process P j is selected, and the remaining alternatives are discarded. Other rules are standard. We write −→ * for a multi-step reduction.

An example: the hotel booking scenario
To illustrate HOπ and its expressive power, let us consider a usecase scenario that adapts the example given by Mostrous and Yoshida [25,26]. The scenario involves a Client process that wants to book a hotel room. Client narrows the choice down to two hotels, and requires a quote from the two in order to decide. The round-trip time (RTT) required for taking quotes from the two hotels in not optimal, so the client sends mobile processes to both hotels to automatically negotiate and book a room.
We now present two HOπ implementations of this scenario. For convenience, we write if e then (P 1 ; P 2 ) to denote a conditional process that executes P 1 or P 2 depending on boolean expression e (encodable using labelled choice). The first implementation is as follows: Process Client 1 sends two abstractions with body P xy , one to each hotel, using sessions s 1 and s 2 . That is, P xy is the mobile code with free names x, y: while name x is meant to be instantiated by the hotel as the negotiating endpoint, name y is used to interact with Client 1 . Intuitively, process P xy : (i) sends the room requirements to the hotel; (ii) receives a quote from the hotel; (iii) sends the quote to Client 1 ; (iv) expects a choice from Client 1 whether to accept or reject the offer; (v) if the choice is accept then it informs the hotel and performs the booking; otherwise, if the choice is reject then it informs the hotel and ends the session.
Client 1 instantiates two copies of P xy as abstractions on session x. It uses two fresh endpoints h 1 , h 2 to substitute channel y in P xy . This enables communication with the mobile code(s). In fact, Client 1 uses the dual endpoints h 1 and h 2 to receive the negotiation result from the two remote instances of P and then inform the two processes for the final booking decision.
We present now a second implementation in which the two mobile processes reach an agreement by interacting with each other (rather than with the client): Processes Q 1 and Q 2 negotiate a quote from the hotel in the same fashion as process P xy in Client 1 . The key difference with respect to P xy is that y is used for interaction between process Q 1 and Q 2 . Both processes send their quotes to each other and then internally follow the same logic to reach to a decision. Process Client 2 then uses sessions s 1 and s 2 to send the two instances of Q 1 and Q 2 to the two hotels, using them as abstractions on name x. It further substitutes the two endpoints of a fresh channel h to channels y respectively, in order for the two instances to communicate with each other.
The different protocols implemented by Client 1 and Client 2 can be represented by the sequence diagrams of Fig. 2. We will assign session types to these processes in Example 1. Later on, in Sect. 5.9 we will show that Client 1 and Client 2 are behaviourally equivalent using characteristic bisimilarity; see Proposition 3.

Types and typing
We define a session typing system for HOπ and state its main properties. As we explain below, our system distils the key features of [25,26].

Types
The syntax of types of HOπ is given below: Value types U include the first-order types C and the higher-order types L. Session types are denoted with S and shared types with S and L . We write to denote the process type. The functional types U → and U denote shared and linear higher-order types, respectively. Session types have the meaning already motivated in Sect. 2. The output type ! U ; S first sends a value of type U and then follows the type described by S. Dually, ?(U ); S denotes an input type. The selection type ⊕{l i : S i } i∈I and the branching type &{l i : S i } i∈I define labelled choice, implemented at the level of processes by internal and external choice mechanisms, respectively. Type end is the termination type. We assume the recursive type μt.S is guarded, i.e., the type variable t only appears under prefixes. This way, e.g., the type μt.t is not allowed. The sets of free/bound variables of a session type S are defined as usual; the sole binder is μt.S. Closed session types do not have free type variables.
Our type system is strictly included in that considered in [25,26], which admits asynchronous communication and arbitrary nesting in functional types, i.e., their types are of the form U T (resp. U→ T ), where T ranges over U and the process type . In contrast, our functional types are of the form U (resp. U→ ). We rely on notions of duality and equivalence for types. Let us write S 1 ∼ S 2 to denote that S 1 and S 2 are type-equivalent (see Definition 21 in the Appendix). This notion extends to value types as expected; in the following, we write U 1 ∼ U 2 to denote that U 1 and U 2 are type-equivalent. We write S 1 dual S 2 if S 1 is the dual of S 2 . Intuitively, duality converts ! into ? and ⊕ into & (and vice-versa). More formally, following [4], we have a co-inductive definition for type duality: Definition 1 (Duality) Let ST be a set of closed session types. Two types S and S are said to be dual if the pair (S, S ) is in the largest fixed point of the monotone function F : Standard arguments ensure that F is monotone, thus the greatest fixed point of F exists. We write S 1 dual S 2 if (S 1 , S 2 ) ∈ .

Typing environments and judgements
Typing environments are defined below: Typing environments Γ , Λ, and Δ satisfy different structural principles. Intuitively, the exchange principle indicates that the ordering of type assignments does not matter. Weakening says that type assignments need not be used. Finally, contraction says that type assignments may be duplicated. The environment Γ maps variables and shared names to value types, and recursive variables to session environments; it admits weakening, contraction, and exchange principles. While Λ maps variables to linear higher-order types, Δ maps session names to session types. Both Λ and Δ are only subject to exchange. The domains of Γ, Λ and Δ are assumed pairwise distinct.
Given Γ , we write Γ \x to denote the environment obtained from Γ by removing the assignment x : U → , for some U . This notation applies similarly to Δ and Λ; we write Δ\Δ (and Λ\Λ ) with the expected meaning. Notation Δ 1 · Δ 2 means the disjoint union of Δ 1 and Δ 2 . We define typing judgements for values V and processes P: While the judgement on the left says that under environments Γ , Λ, and Δ value V has type U ; the judgement on the right says that under environments Γ , Λ, and Δ process P has the process type . The type soundness result for HOπ (Theorem 1) relies on two auxiliary notions on session environments: Definition 2 (Session environments: balanced/reduction) Let Δ be a session environment.
• We define the reduction relation −→ on session environments as: We rely on a typing system that is similar to the one developed in [25,26]. The typing system is defined in Fig. 3 The key type for an abstraction is the type for the bound variable of the abstraction, i.e., for a bound variable with type C the corresponding abstraction has type C . The dual of abstraction typing is application typing, governed by Rule [App]: we expect the type U of an application value W to match the type U or U→ of the application variable x.
In Rule [Send], the type U of the sent value V should appear as a prefix on the session type ! U ; S of u. Rule [Rcv] is its dual. We use a similar approach with session prefixes to type interaction between shared names as defined in Rules [Req] and [Acc], where the type of the sent/received object (S and L, respectively) should match the type of the sent/received subject ( S and L , respectively). Rules [Sel] and [Bra] for selection and branching are standard: Γ ; ∅; Γ ; ∅; 0 both rules prefix the session type with the selection type ⊕{l i : S i } i∈I and &{l i : S i } i∈I , respectively. A shared name creation a creates and restricts a in environment Γ as defined in Rule [Res]. Creation of a session name s creates and restricts two endpoints with dual types in Rule [ResS]. Rule [Par], combines the environments Λ and Δ of the parallel components of a parallel process. The disjointness of environments Λ and Δ is implied. Rule [End] adds a name with type end in Δ. The recursion requires that the body process matches the type of the recursive variable as in Rule [Rec]. The recursive variable is typed directly from the shared environment Γ as in Rule [RVar]. Rule [Nil] says that the inactive process 0 is typed with empty linear environments Λ and Δ.
We state the type soundness result for HOπ processes.

Characteristic bisimulation
We develop a theory for observational equivalence over session typed HOπ processes that follows the principles laid in our previous works [18,19]. We introduce higher-order bisimulation (Definition 17) and characteristic bisimulation (Definition 18), denoted ≈ H and ≈ C , respectively. We prove that they coincide with (reduction-closed) barbed congruence (denoted ∼ =, cf. Definition 11), the form of contextual equivalence used in concurrency. This characterisation result is given in Theorem 2. We briefly summarise our strategy for obtaining Theorem 2. We begin by defining an (early) labelled transition system (LTS) on untyped processes (Sect. 5.1). Then, using the environmental transition semantics (Sect. 5.2), we define a typed LTS that formalises how a typed process interacts with a typed observer. Later, we define reduction-closed, barbed congruence and context bisimilarity, respectively (Sects. 5.3 and 5.4). Subsequently, we define the refined LTS based on characteristic values (Sect. 5.5). Building upon this LTS, we define higher-order and characteristic bisimilarities (Sect. 5.6). Then, we develop an auxiliary proof technique based on deterministic transitions (Sect. 5.7). Our main result, the characterisation of barbed congruence in terms of ≈ H and ≈ C , is stated in Sect. 5.8. Finally, we revisit our two implementations for the Hotel Booking Scenario (Sect. 3.3), using Theorem 2 to show that they are behaviourally equivalent (Sect. 5.9).

Labelled transition system for processes
We define the interaction of processes with their environment using action labels : Label τ defines internal actions. Action (ν m)n! V denotes the sending of value V over channel n with a possible empty set of restricted names m (we may write n! V when m is empty). Dually, the action for value reception is n? V . Actions for select and branch on a label l are denoted n ⊕ l and n & l, respectively. We write fn( ) and bn( ) to denote the sets The untyped LTS for HOπ processes. We omit Rule Par R of free/bound names in , respectively. Given = τ , we say is a visible action; we write subj( ) to denote its subject. This way, we have: Dual actions occur on subjects that are dual between them and carry the same object; thus, output is dual to input and selection is dual to branching.

Definition 3 (Dual actions)
We define duality on actions as the least symmetric relation on action labels that satisfies: The (early) labelled transition system (LTS) fpr untyped processes is given in Fig. 4. We write P 1 − → P 2 with the usual meaning. The rules are standard [18,19]; we comment on some of them. A process with an output prefix can interact with the environment with an output action that carries a value V (Rule Snd ). Dually, in Rule Rv a receiver process can observe an input of an arbitrary value V . Select and branch processes observe the select and branch actions in Rules Sel and Bra , respectively. Rule Res enables an observable action from a process with an outermost restriction, provided that the restricted name does not occur free in the action. If a restricted name occurs free in the carried value of an output action, the process performs scope opening (Rule New ). Rule Rec handles recursion unfolding. Rule Tau states that two parallel processes which perform dual actions can synchronise by an internal transition. Rules Par L / Par R and Alpha define standard treatments for actions under parallel composition and α-renaming.

Environmental labelled transition system
Our typed LTS is obtained by coupling the untyped LTS given before with a labelled transition relation on typing environments, given in Fig. 5. Building upon the reduction relation for session environments in Definition 2, such a relation is defined on triples of environments by extending the LTSs in [18,19]; it is denoted Recall that Γ admits weakening. Using this principle (not valid for Λ and Δ), we have  Then, by Rule [SSnd], we can derive: Observe how the protocol along s is partially consumed; also, the resulting session environment is extended with m, the dual endpoint of the extruded name m.

Notation 4 Given a value V of type U , we sometimes annotate the output action (ν m)n! V with the type of V as (ν m)n! V : U .
The typed LTS combines the LTSs in Figs. 4 and 5.

Definition 5 (Typed transition system) A typed transition relation is a typed relation
We write ⇒ for the reflexive and transitive closure of − →, ⇒ for the transitions ⇒ − → ⇒, A typed transition relation requires type judgements with an empty Λ, i.e., an empty environment for linear higher-order types. Notice that for open process terms (i.e., with free variables), we can always apply Rule [EProm] (cf. Fig. 3) and obtain an empty Λ. As it will be clear below (cf. Definition 7), we will be working with closed process terms, i.e., processes without free variables.

Reduction-closed, barbed congruence ( ∼ =)
We now define typed relations and contextual equivalence (i.e., barbed congruence). To define typed relations, we first define confluence over session environments Δ. Recall that Δ captures session communication, which is deterministic. The notion of confluence allows us to abstract away from alternative computation paths that may arise due to non-interfering reductions of session names. Definition 6 (Session environment confluence) Two session environments Δ 1 and Δ 2 are confluent, denoted Δ 1 Δ 2 , if there exists a Δ such that: i) Δ 1 −→ * Δ and ii) Δ 2 −→ * Δ (here we write −→ * for the multi-step reduction in Definition 2).
Typed relations relate only closed processes whose session environments are balanced and confluent:
Next we define barbs [24] with respect to types.
Definition 9 (Barbs) Let P be a closed process. We write A barb ↓ n is an observable on an output (resp. select) prefix with subject n; a weak barb ⇓ n is a barb after zero or more reduction steps. Typed barbs ↓ n (resp. ⇓ n ) are observed on typed processes Γ ; ∅; Δ P . When n is a session name we require that its dual endpoint n is not present in the session environment Δ.
Notice that observing output barbs is enough to (indirectly) observe input actions. For instance, the process P = n?(x).P has an input barb on n; by composing P with n! m .succ! .0 (with a fresh name succ) then one obtains a (weak) observation uniquely associated to the input along n in P.
To define a congruence relation, we introduce the family C of contexts: Definition 10 (Context) Context C is defined over the syntax: denotes the result of substituting the hole − in C with process P.
The first behavioural relation that we define is reduction-closed, barbed congruence [10].
Definition 11 (Reduction-closed, barbed congruence) Typed relation is a reduction-closed, barbed congruence whenever: (b) and the symmetric case; The largest such relation is denoted with ∼ =.
The largest such bisimulation is called context bisimilarity and is denoted by ≈.
As suggested in Sect. 2, in the general case, context bisimilarity is an overly demanding relation on processes. Below we introduce higher-order bisimulation and characteristic bisimulation, which are meant to offer a tractable proof technique over session typed processes with first-and higher-order communication.

Characteristic values and the refined LTS
We formalise the ideas given in Sect. 2, concerning characteristic processes/values and the refined LTS. We first define characteristic processes/values:  We can verify that characteristic processes/values do inhabit their associated type.

Let U be a channel type. Then, for some
Proof (Sketch) The proof is done by induction on the syntax of types. See Proposition 4 in the Appendix for details.
We give an example of a characteristic process inhabiting a recursive type.
Example 4 (Characteristic process for a recursive session type) Consider the type S = μt.! U 1 ; ?(U 2 ); t. By Definition 13, we have that [ For this process, we can infer the following type derivations: The following example motivates the refined LTS explained in Sect. 2. We rely on the following definition.

Definition 14 (Trigger value) Given a fresh name t, the trigger value on t is defined as the abstraction λx. t?(y).(y x).
Example 5 (The need for the refined typed LTS) We illustrate the complementary rôle that characteristic values (cf. Fig. 6) and the trigger value (Definition 14) play in defining sound bisimilarities.
We first notice that observing characteristic values as inputs is not enough to define a sound bisimulation. Consider processes such that with Δ = s 1 :end · s 2 :end. If P 1 and P 2 input along s a characteristic value of the form Fig. 6), then both of them would evolve into: therefore becoming context bisimilar. However, processes P 1 and P 2 in (3) are clearly not context bisimilar: many input actions may be used to distinguish them. For example, if P 1 and P 2 input λx. (ν s )(a! s .0) with Γ ; ∅; ∅ a end , then their derivatives are not bisimilar: Observing only the characteristic value results in an under-discriminating bisimulation. However, if a trigger value λx. t?(y).(y x) (Definition 14) is received along s, we can distinguish P 1 and P 2 in (3): In the light of this example, one natural question is whether the trigger value suffices to distinguish two processes (hence no need of characteristic values). This is not the case: the trigger value alone also results in an under-discriminating bisimulation relation. In fact, the trigger value can be observed on any input prefix of any type. For example, consider processes: If processes in (4) and (5) input the trigger value, we obtain: thus we can easily derive a bisimulation relation if we assume a definition of bisimulation that allows only trigger value input. But if processes in (4)/(5) input the characteristic value where m is a fresh name) then, under appropriate Γ and Δ, they would become: These examples illustrate the need for both trigger and characteristic values as an input observation in the refined transition relation. This will be the content of Definition 15 below.
As explained in Sect. 2, we define the refined typed LTS by considering a transition rule for input in which admitted values are trigger or characteristic values or names:

Definition 15 (Refined typed labelled transition system) The refined typed labelled transition relation on typing environments
is defined on top of the rules in Fig. 5 using the following rules: Then, the refined typed labelled transition system , as just defined. Following Definition 5, we write ⇒ for the reflexive and transitive closure of Notice that the (refined) transition Γ ;

Notation 16 We sometimes write
(ν m)n! V :U −→ when the type of V is U .

Higher-order bisimilarity (≈ H ) and characteristic bisimilarity (≈ C )
Having introduced a refined LTS on HOπ processes, we now define higher-order bisimilarity and characteristic bisimilarity, two tractable bisimilarity relations. As explained in Sect. 2, the two bisimulations use two different trigger processes [cf. (2)]: The process in (6) is called higher-order trigger process, while process in (7) is called characteristic trigger process. Notice that while in (6) there is a higher-order input on t, in (7) the variable x does not play any rôle. We use higher-order trigger processes to define higher-order bisimilarity: ⇒ Δ 2 Q 2 and, for a fresh t, The symmetric cases of 1 and 2.
The largest such bisimulation is called higher-order bisimilarity, denoted by ≈ H .
We exploit characteristic trigger processes to define characteristic bisimilarity: (3) The symmetric cases of 1 and 2.
The largest such bisimulation is called characteristic bisimilarity, denoted by ≈ C .
Observe how we have used Notation 16 to explicitly refer to the type of the emitted value in output actions.
Remark 1 (Differences between ≈ H and ≈ C ) Although ≈ H and ≈ C are conceptually similar, they differ in the kind of trigger process considered. Because of the application in t ← H V (cf. (6)), ≈ H cannot be used to reason about first-order session processes (i.e., processes without higher-order features). In contrast, ≈ C is more general: it can uniformly input characteristic, first-or higher-order values.

Deterministic transitions and up-to techniques
As hinted at earlier, internal transitions associated to session interactions or β-reductions are deterministic. To define an auxiliary proof technique that exploits determinacy we require some auxiliary definitions.
-session-transition whenever transition P τ − → P is derived using Rule Tau (where subj( 1 ) and subj( 2 ) in the premise are dual endpoints), possibly followed by uses of Rules Alpha , Res , Rec , or Par L / Par R (cf. Fig. 4).
-aβ-transition whenever transition P τ − → P is derived using Rule App , possibly followed by uses of Rules Alpha , Res , Rec , or Par L / Par R (cf. Fig. 4).

Notation 20
We use the following notations: P denotes either a session-transition or a β-transition.
Deterministic transitions imply the τ -inertness property [7], which ensures behavioural invariance on deterministic transitions: Proof (Sketch) The proof of Part 1 requires to show that relation (we omit type information) is a higher-order bisimulation. The proof for Part 2 is direct from Part 1. See "Deterministic transitions" section of Appendix 2 for the details.
Using the above properties, we can state the following up-to technique.
and for a fresh name t and Δ 1 , Δ 2 :

The symmetric cases of 1 and 2.
Then Proof (Sketch) The proof proceeds by considering the relation We may verify that τ d ⇒ is a higher-order bisimulation by using Proposition 2.

Characterisation of higher-order and characteristic bisimilarities
This section proves the main result; it allows us to use ≈ C and ≈ H as tractable reasoning techniques for HOπ processes.
Proof (Sketch) The main difference between ≈ H and ≈ C is the trigger process (higher-order triggers t ← H V in ≈ H and characteristic triggers t ⇐ C V : U in ≈ C ). Thus, the most interesting case in the proof is when we observe an output from a process. When showing that ≈ C ⊆ ≈ H , the key after the output is to show that given that Similarly, in the proof of ≈ H ⊆ ≈ C , the key step is showing that given that The proof for the above equalities is coinductive, exploiting the freshness of the trigger name in each case; see Lemma 13 in the Appendix. While the proof of the first equality (i.e., higher-order triggers imply characteristic triggers) follows expected lines, the proof of the second equality (i.e., characteristic triggers imply higher-order triggers) is a bit more involved. Indeed, while higher-order trigger processes can input trigger values, characteristic triggers cannot. However, we prove that this does not represent a difference in behaviour; see case 2(c) in Lemma 13. To this end, we exploit an alternative trigger process, denoted t A V , simpler than the higher-order trigger t ← H V in (6): In the proofs for these coincidence results, we exploit some auxiliary results for trigger processes, including a two-way connection between t ← H V and t A V (cf. Lemma 12 (3) in the Appendix). We thus infer that characteristic trigger processes t ⇐ C V : U and higher-order trigger processes t ← H V exhibit a similar behaviour. In turn, using the above results we can show that typed relations induced by ≈ H and ≈ C coincide. The full proof is in "Proof of Theorem 2" section in Appendix 2, Lemma 14.
The next lemma is crucial for the characterisation of higher-order and characteristic bisimilarities. It states that if two processes are equivalent under the trigger value then they are equivalent under any higher-order substitution.

Lemma 3 (Process substitution) Let P and Q be two processes and some fresh t. If
The full proof of Lemma 3 can be found in "Proof of Theorem 2" section in Appendix 2, Lemma 17; it is obtained by (i) constructing a typed relation on the substitution properties stated by the lemma and (ii) proving that it is a higher-order bisimulation, using the auxiliary result given next. In the following, given a finite index set I = {1, . . . , n}, we shall write i∈I P i to stand for P 1 | P 2 | · · · | P n . Lemma 4 (Trigger substitution) Let P and Q be processes. Also, let t be a fresh name. If Proof (Sketch) The proof follows the definition of the characteristic process; see Lemma 16, in the Appendix for details. Let us consider the particular case in which I is a singleton; we then construct a typed relation : The typed relation can be shown to be a higher-order bisimulation by taking advantage of the shape of the characteristic process; each time that a characteristic process does a transition, an output t! n .0 (on a fresh name t) is observed, where n is either a shared or a session name. To better illustrate this, let us sketch the demanding case of the proof that is a higher-order bisimulation. Assume that for some Δ 1 . Then, from the definition of , we have: for some Δ 3 . Characteristic processes have the following property, for any U = end: By the last property we can always observe, for some Δ 3 (note that below 1 may be an action τ , thus denoting the interaction of P and [ (U ) ] n 1 ): which implies, from the requirements of higher-order bisimulation, that there exist By the shape of the characteristic process we can always observe for 2 , subj( 2 ) = subj( 1 ) if 1 is output, and 2 = 1 otherwise, that: for some Δ 4 and for some Δ 4 . From (8) we get for some Δ 2 and from (9) we get which implies from the definition of that for R we get as required.
We now show that higher-order bisimilarity is sound with respect to context bisimilarity. To show soundness we use the crucial result of Lemma 3: Proof (Sketch) The proof relies on Lemma 3 to establish that: 1. Whenever two processes are higher-order bisimilar under the input of a characteristic value and a trigger value then they are higher-order bisimilar under the input of any value λx. R, which is the requirement for ≈ (cf. Definition 12). 2. The input requirement is then further used to prove that the output clause requirement for ≈ H (cf. Definition 17): implies the output clause requirement for ≈, that is, for all R with fv(R) = {x}: The full proof is found in "Proof of Theorem 2" section in Appendix 2, Lemma 18.
Context bisimilarity is included in barbed congruence: Proof (Sketch) We show that ≈ satisfies the defining properties of ∼ =. It is easy to show that ≈ is reduction-closed and barb preserving (cf. Definition 6 and Definition 9). The most challenging part is to show that ≈ is a congruence, in particular a congruence with respect to parallel composition. To this end, we construct the following relation: We show that S is a context bisimulation by a case analysis on the transitions of the pairs in S. The full proof is found in "Proof of Theorem 2" section in Appendix 2, Lemma 19.
The last ingredient required for our main result is the following inclusion.
Proof (Sketch) The proof exploits the definability technique developed in [8, § 6.7] and refined for session types in [18,19]. Intuitively, this technique exploits small test processes that reveal the presence of a visible action by reducing with a given pair of processes and exhibiting a barb on a fresh name.
Intuitively, for each visible action , we use a fresh name succ to we define a (typed) test process Γ ; ∅; Δ 2 T , succ with the following property: See Definition 25 for the formal definition. The test processes can therefore be used to check the typed labelled transition interactions of two processes that are related by reduction-closed, barbed congruence. Indeed, we have that implies from congruence of ∼ =, that if there exist Δ 3 , Δ 4 such that: then it implies from reduction-closeness of ∼ = and the definition of T , succ : which in turn means that whenever Γ ; Δ 1 P can perform an action −→ then we can derive that Γ ; Δ 2 Q can also perform action ⇒ because of the result in (10). By applying Lemma 21 on (10) we can deduce that Γ ; Δ 1 P ∼ = Δ 2 Q . This concludes the requirements of ≈: The full details can be found in "Proof of Theorem 2" section in Appendix 2, Lemma 22.

Revisiting the hotel booking scenario (Sect. 3.3)
Now we revisit our running example to prove that Client 1 and Client 2 in Sect. 3.3 are behaviourally equivalent.  For convenience, we recall the definition of Client 1 : Also, the definition of Client 2 is as follows: A detailed account of the observable behaviour of Client 1 is given in Fig. 7, where we use the following shorthand notation: Similarly, Fig. 8 illustrates the actions possible from Client 2 , which are the same as for Client 1 .

Related work
Since types can limit contexts (environments) where processes can interact, typed equivalences usually offer coarser semantics than untyped equivalences. Pierce and Sangiorgi [28] demonstrated that IO-subtyping can justify the optimal encoding of the λ-calculus by Milner-this was not possible in the untyped polyadic π-calculus [23]. After [28], several works on typed π-calculi have investigated correctness of encodings of known concurrent and sequential calculi in order to examine semantic effects of proposed typing systems.
A type discipline closely related to session types is a family of linear typing systems. Kobayashi, Pierce, and Turner [14] first proposed a linearly typed reduction-closed, barbed congruence and used it to reason about a tail-call optimisation of higher-order functions encoded as processes. Yoshida [35] used a bisimulation of graph-based types to prove the full abstraction of encodings of the polyadic synchronous π-calculus into the monadic synchronous π-calculus. Later, typed equivalences of a family of linear and affine calculi [2,3,36] were used to encode PCF [22,29], the simply typed λ-calculus with sums and products, and System F [6] fully abstractly (a fully abstract encoding of the λ-calculi was an open problem in [23]). Yoshida et al. [37] proposed a new bisimilarity method associated with a linear type structure and strong normalisation; it presented applications to reason about secrecy in programming languages. A subsequent work [11] adapted these results to a practical direction, proposing new typing systems for secure higher-order and multi-threaded programming languages. In these works, typed properties, linearity and liveness, play a fundamental rôle in the analysis. In general, linear types are suitable to encode "sequentiality" in the sense of [1,12].
Our work follows the behavioural semantics in [18,19,27] where a bisimulation is defined on an LTS that assumes a session typed observer. Our theory for higher-order sessions differentiates from the work in [19] and [18], which considers (first-order) binary and multiparty session types, respectively. Pérez et al [27] studied typed equivalences for a theory of binary sessions based on linear logic, without shared names.
Our approach to typed equivalences builds upon techniques developed by Sangiorgi [30,31] and Jeffrey and Rathke [13]. As we have discussed, although context bisimilarity has a satisfactory discriminative power, its use is hindered by the universal quantification on output. To deal with this, Sangiorgi proposes normal bisimilarity, a tractable equivalence without universal quantification. To prove that context and normal bisimilarities coincide, the approach in [30] uses triggered processes. Triggered bisimulation is also defined on firstorder labels where context bisimulation is restricted to arbitrary trigger substitution. This characterisation of context bisimilarity was refined in [13] for calculi with recursive types, not addressed in [30,31] and quite relevant in session-based concurrency. The bisimulation in [13] is based on an LTS extended with trigger meta-notation. As in [30,31], the LTS in [13] observes first-order triggered values instead of higher-order values, offering a more direct characterisation of contextual equivalence and lifting the restriction to finite types. Environmental bisimulations [32] use a higher-order LTS to define a bisimulation that stores the observer's knowledge; hence, observed actions are based on this knowledge at any given time. This approach is enhanced in [15] with a mapping from constants to higher-order values. This allows to observe first-order values instead of higher-order values. It differs from [13,31] in that the mapping between higher-and first-order values is no longer implicit.
Comparison with respect to [13] We briefly contrast the approach by Jeffrey and Rathke [13] and our approach based on characteristic bisimilarity (≈ C ): • The LTS in [13] is enriched with extra labels for triggers; an output action transition emits a trigger and introduces a parallel replicated trigger. Our approach retains usual labels/transitions; in case of output, ≈ C introduces a parallel non-replicated trigger. • Higher-order input in [13] involves the input of a trigger which reduces after substitution.
Rather than a trigger name, ≈ C decrees the input of a trigger value λz. t?(x).(x z). • Unlike [13], ≈ C treats first-and higher-order values uniformly. As the typed LTS distinguishes linear and shared values, replicated closures are used only for shared values. • In [13] name matching is crucial to prove completeness of bisimilarity. In our case, HOπ lacks name matching and we use session types: a characteristic value inhabiting a type enables the simplest form of interactions with the environment.
To further compare our approach to that in [13], we use a representative example.  Jeffrey and Rathke's approach [13].  Figure 9 presents a complete comparison of the labelled transitions in our approach (Fig. 9a) and in [13] (Fig. 9b). In our approach, we let (y a)) for some fresh a Then we have one input transition (Line (1)), followed by four deterministic internal transitions; no replicated processes are needed. The approach of [13] also uses five transitions, but more visible transitions are required (three, see Lines (1), (2), and (3) in Fig. 9b) and at the end, two replicated processes remain (on t and k). This is how linearity information in session types enables simpler bisimulations. Note that τ l and τ k in Lines (1) and (3) denote triggered processes on names l and k.
The previous comparison shows how our approach requires less visible transitions and replicated processes. Therefore, linearity information does simplify analyses, as it enables simpler witnesses in coinductive proofs.

Concluding remarks
Obtaining tractable characterisations of contextual equivalence is a long-standing issue for higher-order languages. In this paper, we have addressed this challenge for a higher-order language which integrates functional constructs and features from concurrent processes (name and process passing), and whose interactions are governed by session types, a behavioural type discipline for structured communications. The main result of our study is the development of characteristic bisimilarity, a relation on session typed processes which fully characterises contextual equivalence.
Compared to the well-known context bisimilarity, our notion of characteristic bisimilarity enables more tractable analyses without sacrificing distinguishing power. Our approach to simplified analysis rests upon two simple mechanisms. First, using trigger processes we lighten the requirements involved in output clauses. In particular, we can lift the need for heavy universal quantifications. Second, using characteristic processes and values we refine the requirements for input clauses. Formally supported by a refined LTS, the use of characteristic processes and values effectively narrows down input actions. Session type information (which includes linearity requirements on reciprocal communications), naturally available in scenarios of interacting processes, is crucial to define these two new mechanisms, and therefore to enable technical simplifications in our developments. As already discussed, our coincidence result is insightful also in the light of previous works on labelled equivalences for higher-order processes, in particular with respect to characterisations by Sangiorgi [30,31] and by Jeffrey and Rathke [13]. Our main result combines several technical innovations, including, e.g., up-to techniques for deterministic behaviours (cf. Lemma 1) and an alternative behavioural equivalence, called higher-order bisimilarity (denoted ≈ H , cf. Definition 17), which uses simpler trigger processes and is applicable to processes without first-order passing.
In addition to their intrinsic significance, our study has important consequences and applications in other aspects of the theory of higher-order processes. In particular, we have recently explored the relative expressivity of higher-order sessions [17]. Both characteristic and higherorder bisimilarities play an important rôle in establishing tight correctness properties (e.g., operational correspondence and full abstraction) for encodability results connecting different variants of HOπ. Such variants cover features such as pure process passing (with first-and higher-order abstractions), pure name passing, polyadicity, linear/shared communication.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Appendix 1: The typing system of HOπ
We first formally define type equivalence. Then we give details of the proof of Theorem 1.
Standard arguments ensure that F is monotone, thus the greatest fixed point of F exists. We write S 1 ∼ S 2 if (S 1 , S 2 ) ∈ .

Proof of Theorem 1 (type soundness)
As our type system is closely related to that considered by Mostrous and Yoshida [26], the proof of type soundness requires notions and properties which are instances of those already shown in [26]. We first state weakening and strengthening lemmas, which have standard proofs.
We now state the instance of type soundness that we can derive from [26]. It is worth noticing the definition of structural congruence in [26] is richer than ours. Also, their statement for subject reduction relies on an ordering on typings, associated to queues and other runtime elements. Since we are working with synchronous communication this ordering can be omitted. The second part of the following statement corresponds to Theorem 1: with the substitution lemma (Lemma 10(1)), we obtain Γ ; ∅; Δ · u : S Q{ u /x} , as desired. 2. Case [Pass]: There are several sub-cases, depending on the type of the communication subject n (which could be a shared or a linear name) and the type of the object V (which could be an abstraction or a shared/linear name). We analyse two representative sub-cases: (a) n is a shared name and V is a name v. Then we have the following reduction: By assumption, we have the following typing derivation: Now, by applying Lemma 10(1) on Γ ; ∅; Δ 3 · x : S Q 2 we obtain and the case is completed by using Rule [Par] with this judgement: Observe how in this case the session environment does not reduce. (b) n is a shared name and V is a higher-order value. Then we have the following reduction: By assumption, we have the following typing derivation (below, we write L to stand for C→ and Γ to stand for Γ \ x). (13) and (14) are as follows: Γ ; ∅; ∅ n L Γ ; ∅; Δ 1 Q 1 Γ ; ∅; ∅ V L Γ ; ∅; Δ 1 n! V .Q 1 (13) Γ ; ∅; ∅ n L Γ ; ∅; Δ 3 Q 2 Γ ; ∅; ∅ x L Γ ; ∅; Δ 3 n?(x).Q 2 (14) Now, by applying Lemma 10(4) on Γ \x; ∅; Δ 3 Q 2 and Γ ; ∅; ∅ V L we obtain Γ ; ∅; Δ 3 Q 2 { V /x} and the case is completed by using Rule [Par] with this judgement: Observe how in this case the session environment does not reduce.

Case [Sel]:
The proof is standard, the session environment reduces.

Cases [Par] and [Res]:
The proof is standard, exploiting induction hypothesis.

Appendix 2: Proofs for Sect. 5 Typability of characteristic processes
We state and prove a more detailed form of Proposition 1. The case of recursive session types requires the following two auxiliary definitions for session type unfolding and prefix deletion. We define a relation for session type prefix deletion: Definition 23 (Session type prefix deletion) Given a session type S, the set del(S) is defined inductively as follows: We may now finally state and prove the following proposition: Proof The proof proceeds by mutual induction on the syntax of types. We analyze the three parts separately: 1. We use the results from Parts 2 and 3 in a case analysis on the syntax of U .  Fig. 3).
2. The proof is by induction on the syntax of S. We detail some notable cases: . and we may obtain the following derivation: The proof is done by induction on the shape of S . We detail two sub-cases; the rest is similar or simpler.

Deterministic transitions
The proofs for Theorem 2 require an auxiliary result on deterministic transitions (Lemma 1). Some notions needed to prove this auxiliary result are presented next.
In the following we sometimes use polyadic abstractions (denoted λ x. P) and polyadic name passing (denoted u! V .P and u?( x).P, respectively) as shorthand notations.
We now prove Proposition 2: Proof We only prove Part 1; the proof for Part 2 follows straightforwardly. The proof proceeds by showing that the relation is a higher-order bisimulation.
Suppose first that Γ ; Δ P −→ Δ P , for some P ; we have to show that P can produce an appropriate matching action. There are two main cases: = τ (a visible action) and = τ (an unobservable, possibly deterministic action).
1. The first case follows easily by typing conditions and type soundness, which ensure that P has the same potential as P for performing visible actions. 2. The second case can be divided into two sub-cases: first, if τ = τ d then P = P and the thesis trivially follows; second, if τ = τ d (i.e., P has the possibility of performing both τ d and some other τ ) then either P has the same τ or P does not have it, because τ d excluded the occurrence of τ . The thesis follows by noticing that, in the first case, P can match the move from P; the second case cannot occur because of typing and the definition of deterministic transitions.
Suppose now that Γ ; Δ P −→ Δ P , for some P . This case follows immediately by noticing that P can always match action by performing the deterministic action τ d first, i.e., we can always have Γ ; Δ P τ d −→ −→ Δ P . This concludes the proof.

Proof of Theorem 2
We split the proof of Theorem 2 into several lemmas: -Lemma 12 establishes useful properties of characteristic and higher-order processes, including a two-way connection between higher-order trigger processes and an alternative trigger process (denoted t A V , defined below). -Lemma 13 establishes the equivalence between characteristic and higher-order trigger processes. -Lemma 22 shows that ∼ = ⊆ ≈ H using Lemma 20 (definability) and Lemma 21 (extrusion). We introduce a useful notation for action labels, which will be used in the following to represent matching actions.

Definition 24
Let be an action label (cf. Sect. 5.1). We define the action˘ as Thus, given , its corresponding action˘ is either identical to , or an output on the same name, possibly with different object and extruded names.
We now introduce an alternative trigger process that is used to simplify the proofs. Let The simpler formulation of alternative trigger process (with respect to the higher-order trigger process, cf. (6)) is useful in proofs. However, the input of characteristic values on name t results in the creation of redundant parallel components: Indeed, processes of the form (ν s)t ! s .0 are redundant because the restricted name s has no interactions. The following lemma shows that we can ignore these processes (up to ≈ H and ≈ C ). It also states the equivalence (up to ≈ H ) between higher-order trigger processes t ← H V (cf. (6)) and t A V .
Lemma 12 (Auxiliary results for trigger processes) Let P and Q be processes.

Let t be a fresh name. Then
if and only if, for some Δ 3 , Δ 4 , Proof We analyze each of the three parts: -Part 1. We split the proof into the two directions of the if and only if requirements.
(a) First direction. Consider the typed relation (we omit the type information): We check the requirements of higher-order bisimulation for . Suppose that then we need to show a matching action from (ν m 2 )Q. We can derive that for some Δ 1 which, from the freshness of t, implies that there exist Q and Δ 2 such that (16) and where the shape of C 1 , C 2 depends on and˘ : if they are output actions with objects V 1 and V 2 , respectively, then C 1 = t ← H V 1 and C 2 = t ← H V 2 ; otherwise, C 1 = C 2 = 0. The latter equation implies from the definition of and (16) implies to complete the proof of the case. (b) Second direction. Consider the typed relation (we omit the type information): We check the requirements of higher-order bisimulation for . Suppose that (ν m 1 )(P | (ν s)(t! s .0)) moves; we need to infer an appropriate matching action from (ν m 2 )(Q | (ν s)(t! s .0)). We analyse three cases: (i) Process P moves autonomously, i.e., for some Δ 1 we have: Then the proof is similar to the previous case.
(ii) An action on the fresh name t, i.e., for some Δ 1 we have: First notice that the typing derivation reveals that Δ 1 (t) = Δ 2 (t) =! end ; end. This is because the dual endpoint of the (restricted) session s does not appear in (ν s)(t! s .0) and thus it has the inactive type end. We can then observe that, for some Δ 2 , we have: We need to show that The proof is easy if we consider that both processes can perform the up-to deter- The result is then immediate from the definition of that requires (iii) A synchronization along name t: this is not possible due to the freshness of t.
This concludes the proof of Part 1.
• Part 2 follows same arguments and structure as the proof for Part 1.
• Part 3 relies on Part 1. We analyse the two directions of the if and only if requirement.
(a) First direction. Let be the typed relation (we omit the type information): We show that ⊆ ≈ H , with a case analysis on the defining requirements of higher-order bisimulation. Suppose that (ν m 1 )(P | t ← H V 1 ) moves; we need to show an appropriate matching action from (ν m 2 )(Q | t ← H V 2 ). We analyze three possibilities: (i) P moves on its own, i.e., for some Δ 1 we have: The proof is similar to case (a) of Part 1 of this lemma.
(ii) An input action of the form t? n along a fresh name t. Let U be such that [ (U ) ] c = n and let V 1 be a higher-order value. There exists a Δ 1 such that: Furthermore, we can see that, for some Δ 2 , we have We therefore need to show that This is done by considering the requirements of . Because of the definition of the alternative trigger, the input of the trigger value has no effect on the bisimulation relation: Furthermore, we can see that We also have and so we can infer from the up-to technique for deterministic transitions (Lemma 1) that which implies, by Part 1 of this lemma, the desired conclusion: There exist U and Δ 1 such that Furthermore, we have the following transition, for some Δ 2 : We need to show that, for some Δ 3 , Δ 4 , the following holds: This is done by considering the requirements of .
Here again note that the input of the trigger value has no effect on the bisimulation relation.
We now consider the input of the characteristic value on t. From the fact that [ Furthermore, we have the following transition, for some Δ 2 : We also have and so we can infer from the up-to technique for deterministic transitions (Lemma 1) that which implies, by Part 1 of this lemma, the desired conclusion: Let be the typed relation (we omit the type information): We show that ⊆ ≈ H , with a case analysis on the defining requirements of higher-order bisimulation. We focus on the cases related to an input action on the fresh name t; other cases are similar.
i. Value V 1 is a higher-order value: This implies that there exist U and Δ 1 such that [ (?(U ); end) ] c = λz. z?(y).(t ! z .0 | y n) and Furthermore we can see that there exists Δ 2 such that We need to show that This is done by considering the requirements of . We know that [ (U ) ] c = n: for some Δ 3 . Furthermore we can see that for some Δ 4 which imply, by Part 1 of this lemma, the desired conclusion: ii Value V 1 is a first-order value: This implies that there exist U and Δ 3 such that This case follows a similar proof structure as the previous case.
This concludes the proof of Part 3.
The next lemma states the equivalence between the characteristic and higher-order trigger processes (cf. (6) and (7)).

Lemma 13 (Trigger process equivalence) Let P and Q be processes, t be a fresh name, and let
(1) If then there exist Δ 1 , Δ 2 such that Proof We analyse both parts separately: 1. Consider the typed relation (for readability, we omit type information): We show that ⊆ ≈ H . Suppose that (ν m 1 )(P | t ⇐ C V 1 : U ) moves; we need to find a matching move from (ν m 2 )(Q | t ⇐ C V 2 : U ). We distinguish three cases, depending on the source/kind of visible action: (a) P moves autonomously, i.e., for some Δ 3 we have: We follow the requirements of and the freshness of t to conclude that there exists a Δ 1 such that which implies, from the higher-order bisimilarity requirement of and the freshness of t, that there exist Q and Δ 2 such that and, for some Δ 1 and Δ 2 , that where the shape of C 1 , C 2 depends on and˘ : if they are output actions with objects V 1 and V 2 , respectively, then C 1 = t ← H V 1 and C 2 = t ← H V 2 ; otherwise, From (17) and the definition of we can conclude that there exists a Δ 4 such that Equation (18) then allows us to infer the required conclusion, for some Δ 3 , Δ 4 : (b) t ⇐ C V 1 : U moves autonomously, i.e., for some Δ 3 we have: Following requirements of and the freshness of t we can infer that there exists a Δ 1 such that which implies, from the higher-order bisimilarity requirement of and the freshness of t, that there exist Q and Δ 2 such that and The freshness of t allows us to mimic the transitions in (19); for some Δ 4 we obtain: The conclusion is immediate from (20). (c) The action comes from the interaction of P and t ← H V 1 : This case is not possible, due to the freshness of t.
2. Consider the typed relation (for readability, we omit type information): To prove that ⊆ ≈ C we first consider relation which uses the alternative trigger in (15) (for readability, we omit type information): By proving that ⊆ ≈ C we can apply Lemma 12 (Part 3), to obtain that ⊆ ≈ C . Suppose that (ν m 1 )(P | t A V 1 ) moves; we must exhibit a matching move from (ν m 2 )(Q | t A V 2 ). We distinguish four cases, depending on the source/kind of visible action: (a) P moves autonomously, i.e., for some Δ 3 we have: Then, following the requirements of and the freshness of t, we infer that there exists a Δ 1 such that which implies, from the characteristic bisimilarity requirement of and the freshness of t, that there exist Q and Δ 2 such that (21) and with C 1 (resp., C 2 ) being the characteristic trigger process in the cases where = (ν m)n! V 1 (resp.,˘ = (ν m )n! V 2 ), and C 1 = C 2 = 0 otherwise. From (21) we can infer that there exists Δ 4 such that Equation (22) then allows us to obtain the desired conclusion: moves autonomously due to the input of characteristic value, i.e., for some Δ 3 we have: Following requirements of and the freshness of t, we infer that there is a Δ 1 such that which implies, from the characteristic bisimulation requirement of and the freshness of t, that there exist Q and Δ 2 such that and which in turn implies from Lemma 12 (Part 2) the following, for a fresh t : The freshness of t allows us to mimic the transitions in (23) to infer that, for some Δ 4 , we have The conclusion is immediate from (24). (c) t A V 1 moves autonomously due to the input of a trigger process, i.e., for some Δ 3 we have: The action comes from the interaction of P and t A V 1 : This case is not possible, due to the freshness of t.
Proof We split the proof into two parts: the direction ≈ H ⊆ ≈ C and the direction ≈ C ⊆ ≈ H . Since the two equivalences differ only in the output case, our analysis focuses on output actions.
1. Direction ≈ H ⊆ ≈ C . Consider the typed relation (for readability, we omit type information): We show that is a characteristic bisimulation. Suppose Γ ; Δ 1 P −→ Δ 1 P . We need to show that Γ ; ∅; Δ 2 Q can match . The proof proceeds by a case analysis on the transition label = (ν m 1 )n! V 1 , which is the only non-trivial case. From the definition of we have that if: then there exist Δ 2 , Q, and V 2 such that: and for a fresh t and some Δ 1 and Δ 2 : To show that is a characteristic bisimulation after the fact that transition (25) implies transition (26), we need to show that for a fresh t and for some Δ 3 , Δ 4 : which follows from (27), Lemma 13(1), and the definition of . 2. Direction ≈ C ⊆ ≈ H . Consider the typed relation (for readability, we omit type information): We show that is a higher-order bisimulation. Suppose Γ ; Δ 1 P −→ Δ 1 P with = (ν m 1 )n! V 1 . We need to show that Γ ; ∅; Δ 2 Q can match . From the definition of we have that if: then there exist Δ 2 , Q, and V 2 such that: and for a fresh t and some Δ 1 , Δ 2 : To show that is a higher-order bisimulation after the fact that transition (29) implies transition (30), we need to show that for a fresh t and some Δ 3 , Δ 4 : which follows from (31), Lemma 13 (2), and the definition of .
We state an auxiliary lemma that captures a property of trigger processes in terms of process equivalence.
Lemma 15 (Trigger process application) Let P and Q be processes. Also, let t be a fresh name.
1. If n 1 = n 2 with Γ ; ∅; Δ n i U with U = end and then n 1 , n 2 are session names and n 1 ∈ fn(P) and n 2 ∈ fn(Q).

If n is fresh and
Proof We analyse each part separately: 1. The proof for Part 1 is by contradiction. Assume that n 1 / ∈ fn(P) or n 2 / ∈ fn(Q). Then the bisimulation requirement allows us to observe the following transition, for some U = end. Note that the shape of [ (U ) ] n 1 enables an observable action on n 1 , which results in the process t ! n 1 .0: where C = 0 if is not an input action, and C = [ (U ) ] m if is an input action and subj( ) = n 1 . Because of the characteristic process interaction, from the freshness of t, we have: with subj(˘ ) = n 2 But since (ν m 1 )(P | t ! n 1 .0) has an action on t not present in (ν m 2 )(Q | C | [ (U→ ) ] n 2 ), we derive a contradiction with respect to the bisimilarity assumption. 2. The proof for Part 2 is also by contradiction. Assume that From the bisimilarity requirement we can observe But then we can observe an action on the fresh name t on process that cannot be observed by process Γ ; ∅; Δ 2 (ν m 2 )(Q | [ (U ) ] c n 2 )-a contradiction. 3. For the proof of Part 3 we do a case analysis on the transitions for checking the bisimulation requirements. The most interesting case is when, for some Δ 1 : From the freshness of t we can derive that, for some Δ 2 and Q From the bisimulation requirement of the hypothesis we have that for some Δ 1 , Δ 2 and which concludes the case. 4. For the proof of Part 4, let be the typed relation Suppose that (ν m 1 )(P{ n 1/x }) moves: We need to show a matching action from (ν m 2 )(Q{ m 1/x }); we proceed to show that is a higher-order bisimulation by a case analysis on the subject/shape of action . There are three cases: (a) If subj( ) = n 1 then the proof is straightforward from the premise of the proposition. First observe that for some Δ 2 and with C 1 = t ← H n 1 and C 2 = t ← H m 1 if and˘ are output actions, C 1 = 0 and C 2 = 0 otherwise. From here we can deduce that Furthermore, we can easily see that We distinguish two sub-cases: n 1 = m 1 . The case is similar to the previous case.
n 1 = m 1 . From the premise and Part 1 of this lemma we get that n 1 ∈ fn(P) and m 1 ∈ fn(Q). The latter implies that this case is not possible, since no external action would be observed, because of the typed transition requirement. (c) = τ . This implies the untyped transitions: We distinguish two sub-cases: subj( 11 ) = n 1 . This case is similar to Case 1 of this proof.
subj( 11 ) = n 1 . First observe that for some Δ 1 with 11 { n 1/n} = 11 , which implies for some Δ 1 , which implies From (34), i.e., the fact that the two parallel components of the process interact on name n 1 , we can see that, for some Δ 1 for some Δ 2 and C 2 = 0 when the action on [ where (37) implies the untyped transition and furthermore, Furthermore, from (38) we can get that, for some Δ 3 , which in turn implies the required conclusion: A process substitution lemma is useful for showing the contextuality property for higherorder and characteristic bisimilarities. Before we state and prove a process substitution lemma, we give an intermediate result. (This is Lemma 4 in the main text.) Lemma 16 (Trigger substitution) Let P and Q be processes. Suppose that all t i , i ∈ I are fresh names. If Proof We prove the result up-to the application of names n i and m i to process R. Let be the relation We show that is a higher-order bisimulation. The proof is done by a case analysis on the actions that can be observed on the pairs of processes, so to check their higher-order bisimulation requirements. There are three cases: 1. Suppose an action from P, for some Δ 1 : This transition implies, for some Δ 3 , the following: which in turn implies, for some Δ 5 : The latter implies the following, from the definition of ≈ H and the freshness of t i , for some Δ 6 : where C 1 , C 2 are higher-order trigger processes if ,˘ are output actions, and C 1 = C 2 = 0 otherwise. At this point we can infer, for some Δ 4 : which in turn implies, for some Δ 2 : Equation (39) and the definition of imply the desired conclusion for the case: 2. Suppose an action from R: for some Δ 1 . We identify three sub-cases: i. subj( ) = n i , i.e. the subject of is not in n. The case is similar as above. ii. subj( ) = n k and n k = m k . From the definition of we get that Fig. 6); this transition implies and from bisimilarity up-to deterministic transition (Lemma 1): implies, for some Δ 4 : and furthermore, from Part 3 of Lemma 15 that implies from the definition of that for all R such that { x} ⊆ fv(R) The case concludes when we verify that, for some Δ 2 , we have: iii. subj( ) = n k and n k = m k . This case is not possible. Lemma 15 implies that n k is a session and n k ∈ fn(P). From the definition of typed transition (Definition 5) we get that we cannot observe on R{ n / x}, because n k ∈ fn(P) and (Γ ; ∅; Δ) −→ .
3. Suppose the interaction of P and R, for some Δ 1 : From the typed reduction definition (Definition 5) we get that We distinguish several subcases: i. 1 = n k ? V and 2 = (ν m)(n k ! V ). From the requirement of we get that there exists U→ such that, for some Δ 3 : for some Δ 4 . From Lemma 15(3) we obtain From the definition of we get that From the above result we can match actions in (40) and (41): to obtain, for some Δ 2 , that Furthermore the definition of and (42) allow us to conclude the case: ii. An important sub-case is when 1 = n? n k and 2 = n! n k . From the definition of we have that for some Δ 3 . This transition implies, for some Δ 4 , that and We infer from Lemma 15(4) that which implies from the definition of that (44) and (41) we obtain, for some Δ 2 , the following which concludes the case. iii. The sub-case 1 = n k ? n l and 2 = n k ! n l . The proof is a consequence of the previous two sub-cases. iv. The rest of the sub-cases are similar (or easier) to the above cases.
We can now state a process substitution lemma (Lemma 3 in the main text). Given a higher-order bisimulation under a trigger value substitution, we can generalise for any value substitution.
Lemma 17 (Process substitution) Let P 1 and P 2 be processes, with z ∈ fv(P 1 ) and z ∈ fv(P 2 ). Also, let t be a fresh name. If Proof Consider the typed relation (for readability, we omit type information):

?(y).(y x) /z})}
We show that is a higher-order bisimulation. Suppose that for some Δ 3 . We should exhibit an appropriate matching action from (ν m 2 )(P 2 { λx. R /z}). Our analysis distinguishes two cases, depending on whether the substitution { λx. R /z} has an effect on the action denoted by : 1. Case P 1 ≡ Q | z n: That is, the substitution does not affect top-level processes. In other words, we can infer from the freshness of t that subj( ) = t. Furthermore, from the requirements of we get that there exist Δ 1 and P 1 such that which, in turn, implies that there exist Δ 2 and P 2 such that with C 1 (resp., C 2 ) being the higher-order trigger process in the cases where = (ν m)n! V 1 (resp.,˘ = (ν m )n! V 2 ), and C 1 = C 2 = 0 otherwise. Because C 1 and C 2 are closed terms we can rewrite the substitution as: Since ,˘ do not act on the substitution, we can consider the same transition with any λx. R instead of λx. t?(y).(y x). Thus, from the definition of , we further deduce that Note that C 1 and C 2 are used to meet the bisimulation requirements for the output case. From (46) we can derive the transition Equation (47) concludes the case. 2. Case P 1 ≡ P | i∈I z n i | z n 1 , such that P ≡ P | z n . This is the case where action might happen on the process that is being substituted (note that a substituted process needs to be applied first). We identify two sub-cases, depending on the source of the action : (a) Consider the following transition, for some Δ 3 : This sub-case is similar to the previous case.
(b) Consider the following transition, for some Δ 3 , and assuming that Q = P | i∈I z n i : which is the application of name n 1 on abstraction λx. R.
From the requirements of we infer that for some Δ 1 . This implies that there exist P 2 and Δ 2 such that We show that we can mimic first the transition in (49) and then the silent part of transitions (50) to get: for some fresh t. From Case 2 of this proof (higher-order input) we can conclude that for all R with fv(R) = {x} and for some Δ 1 , Δ 2 : Proof We prove that ≈ (cf. Definition 12) satisfies the three defining properties of ∼ =: reduction closure, barb preservation, and congruence (cf. Definition 11).
I. Reduction-closed Let Γ ; Δ 1 P 1 ≈ Δ 2 P 2 . The reduction implies that there exist Δ 2 and P 2 such that The same arguments hold for the symmetric case, thus ≈ is reduction-closed. II. Barb preservation Following Definition 9, we have that Γ ; ∅; Δ 1 P 1 ↓ n implies implies the existence of Δ 2 , V 2 , and P 2 such that Therefore, we infer that Γ ; ∅; Δ 2 P 2 ⇓ n , as desired. III. Congruence We have to show that ≈ is preserved under any context. The most interesting context case is parallel composition. Input congruence, which is the case that generates substitution, is straightforward, since we are dealing with closed terms.

Suppose that originates in R:
This case is also divided into three sub-cases: i. Sub-case / ∈ {(ν m)n! λ x. Q , (ν m m 1 )n! m 1 }: From the LTS we infer that for some Δ 3 , which in turn implies Now, from the definition of S we may obtain the desired conclusion: ii. Sub-case = (ν m 1 )n! λ x. Q : From the LTS we infer that: for some Δ 3 . We then have that for some Δ 3 and for all R 1 with {x} = fv(R 1 ). Now, from (60) we obtain that Γ ; Δ 2 · Δ 3 (ν m 2 )(P 2 | R) − → Δ 2 · Δ 3 (ν m 2 )(P 2 | R ) Then, from (61) and the definition of S we obtain that for all R 1 with x ∈ fv(R 1 ), as desired. iii. Sub-case = (ν m m 1 )n! m : Similarly as above, from the typed LTS we infer that: for some Δ 3 . We then have that for all R 1 with { x} = fv(R 1 ), for some Δ 3 . Now, from (62), we obtain that Then, from (63) and the definition of S we obtain the desired conclusion: 3. We finally suppose that originates from the interaction between P 1 and R: for some Δ 1 , Δ 3 . We then have that with 1 2 (cf. Definition 3). This case is divided into two sub-cases: i. 1 / ∈ {(ν m)n! λ x. Q , (ν m m 1 )n! m 1 }: Then the transition from P 1 implies for some Δ 2 . From (64) and (65) we obtain Then, from (66) and the definition of S we obtain the desired conclusion: ii. 1 = (ν m 1 )n! V 1 : Then we have the transition for some Δ 1 , which implies for some Δ 1 and Δ 3 . In turn, the output transition from P 1 implies the existence of Δ 2 , Q 2 , P 2 such that for all R with {x} = fv(Q), and for some Δ 1 and Δ 2 . From (67) we obtain for some Δ 3 , which may be combined with (69) to obtain From (70) and the definition of S we can then get: as required.
2. If P | T , succ −→ Q with Γ ; ∅; Δ Q ↓ succ then there exists a P such that Γ ; Δ 1 P ⇒ Δ 1 P and one of the following holds: We first show that every visible action is definable.

Lemma 20 (Definability) Every visible action is definable.
Proof Let succ be a fresh name. We define: for some Δ 2 . Then, from the freshness of succ, we obtain Γ ; ∅; Δ 2 Q ⇓ m , as required. 2. Case: m = s (m is a session name) and m = n. The proof follows a similar reasoning as in the previous case. 3. Case: m = s (m is a session name) and m = n and Γ ; ∅; Δ 1 P ↓ n . In this case, the fact that n is a session name implies that n, n ∈ dom(Δ 1 ). Therefore, from the definition of barbs (Definition 9) we can infer that Γ ; ∅; Δ 1 (ν m 1 )(P | succ! n, V 1 .0) ↓ n because both endpoints of session n are present in Δ 1 .