Chapter 5

Labeled Transitions Systems

and Bisimulation

For finite automata and push-down automata we have occassionaly encountered con-
structs composing these automata in the preceding chapters. In this chapter we intro-
duce constructs to combine so-called labeled transition systems. Exploiting the notion
of branching bisimulation we can analyze such composed systems and verify whether
they meet the requirements for which they were designed.

5.1 Labeled transition systems

In this section we give the formal definition of a labeled transition system, LTS for
short. To compare states within an LTS or to compare LTSs, we introduce two notions
of equivalence, viz. bisimulation and branching bisimulation and we discuss procedures
to decide this.

Definition 5.1. A labeled transition system (LTS) is a quadruple S = ( Q, Σ, →S , q0 )

where

1. Q is a finite or infinite set of states,

2. Σ a finite or infinite set of actions, τ ∈

/ Σ,

3. →S ⊆ Q × Στ × Q a set of transitions or steps, with Στ = Σ ∪ {τ }, and

4. q0 ∈ Q is the initial state.

a
If, with respect to a labeled transition system S, (q, a, q ′ ) ∈ →S we write q −→S q ′ . The
action a ∈ Σ is referred to as the label of the transition; the state q is called the source
state, the state q ′ is called the target state. The label τ is also allowed for transitions.
In the context of LTSs τ is called the silent action, although τ ∈ / Σ. In concrete cases
an LTS is also called a process.

1
2 CHAPTER 5. LTS AND BISIMULATION

An LTS resembles an NFA. However, an LTS has no final states. Also an LTS can have
an infinite set of states and may have infinitely many different actions. Consequently,
we don’t compare LTSs by language equivalence, but by a notion called bisimulation
instead. However, in the discussion of the decision procedures below we will restrict
ourselves to LTSs with finitely many states involving finitely many actions. Such LTSs
are called finite LTSs.

S1 S2
q0 p0

a a a

q1 q2 p1

b c b c

q3 q4 p2 p3

Figure 5.1: Two non-bisimilar LTSs

Example 5.2. Consider LTSs S1 and S2 in Figure 5.1. LTS S1 has five states of which
q0 is its initial state, S1 has four transitions with labels from the action set {a, b, c}.
LTS S2 has four states of which p0 is its initial state, S2 has three transitions with labels
from {a, b, c}.
If we interpret the LTSs S1 and S2 as NFAs N1 and N2 with final states q3 , q4 and
p2 , p3 , respectively, we would have L(N1 ) = {ab, ac} = L(N2 ). However, the states q1
and q2 of S1 are different from the state p1 of S2 : q1 and q2 each only offer one action,
b or c exclusively, hence miss the other action, whereas p1 offers both actions.
The point is, in S1 the choice for the action b or the action c is made in state q0
already. In S2 the choice is made at a later moment in execution, viz. in p1 after the
action a has taken place.

Example 5.3. An LTS for a FIFO queue of capacity 2 that can handle data items of
value 0 and 1 is displayed in Figure 5.2. Starting from the empty queue, state ε, either
a 0 or a 1 can be input by executing the action in 0 or in 1 leading to state 0 and state 1,
respectively. If, for example, in state 0 a 1 is input by executing the action in 1 the next
state is state 10 where first a 0 will be output, only the action out 0 is possible.

Example 5.4. Figure 5.3 shows part of an LTS with an infinite set of states. The LTS
represents a counter which can count up a number of steps once, and then can count
down the same number of steps (or less). Thus once the LTS goes down, it keeps going
5.1. LABELED TRANSITION SYSTEMS 3

ε
in 0 in 1

out 0 out 1
0 1
in 0 in 1
out 1 out 0
in 1 in 0
out 0 out 1
00 10 01 11

Figure 5.2: LTS of a FIFO queue of capacity 2

up up up up
q0 q1 q2 q3

down down down

p0 p1 p2
down down down

Figure 5.3: Counter: An LTS with infinite set of states

down until it stops. More precisely, we put

Scnt = ( Qcnt , {up, down}, →cnt , q0 ) where

Qcnt = { qi | i > 0 } ∪ { pj | j > 0 }
→cnt = { (qi , up, qi+1 ) | i > 0 } ∪
{ (qk , down, pk−1 ) | k > 1 } ∪ { (pj+1 , down, pj ) | j > 0 }

State p0 is called a deadlock state, since it has no outgoing transitions. (Also in Fig-
ure 5.1, states q3 , q4 and states p2 , p3 are deadlock states.)
Next we provide the definition of bisimilarity for two states in an LTS and of bisimilarity
between two LTSs. The two notions are also referred to as strong bisimilarity to stress
that it does not treat τ -actions differently from other actions. We will encounter so-called
branching bisimilarity later, being a notion of weak bisimilarity.
Definition 5.5. (a) Let S = ( Q, Σ, →S , q0 ) be an LTS. A relation R ⊆ Q × Q is
called a bisimulation relation for S if, for all q, p ∈ Q,
α α
→S q ′ , for some α ∈ Στ , q ′ ∈ Q, then p −
(i) if R(q, p) and q − →S p′ for some
p′ ∈ Q such that R(q ′ , p′ );
α α
→S p′ , for some α ∈ Στ , p′ ∈ Q, then q −
(ii) if R(q, p) and p − →S q ′ for some
′ ′ ′
q ∈ Q such that R(q , p ).
4 CHAPTER 5. LTS AND BISIMULATION

S1 S2
q0 p0

a b a b

q1 q5 p1

b a b a

q2 q4 p2

a b a b

q3 p3

Figure 5.4: Bisimilar states and bisimliar LTSs

Two states q, p ∈ Q of S are called bisimilar if there exists a bisimulation R for S

with R(q, p). Notation q ↔ p.
(b) Let S1 = ( Q1 , Σ, →1 , q0 ) and S2 = ( Q2 , Σ, →2 , p0 ) be two LTSs. A relation R ⊆
Q1 ×Q2 is called a bisimulation relation between S1 and S2 if, for all q ∈ Q1 , p ∈ Q2 ,
α α
→1 q ′ , for some α ∈ Στ , q ′ ∈ Q1 , then p −
(i) if R(q, p) and q − →2 p′ for some
′ ′ ′
p ∈ Q2 such that R(q , p );
α α
→2 p′ , for some α ∈ Στ , p′ ∈ Q2 , then q −
(ii) if R(q, p) and p − →1 q ′ for some
′ ′ ′
q ∈ Q1 such that R(q , p ).
The LTSs S1 and S2 are called bisimilar if there exists a bisimulation relation R
between S1 and S2 with R(q0 , p0 ). Notation S1 ↔ S2 .
The requirements (i) and (ii) in both parts of Definition 5.5 are called transfer conditions.
Note that the target states q ′ and p′ mentioned in the transfer conditions are required
to be related, i.e. R(q ′ , p′ ) for the bisimulation involved.
A state q of an LTS S1 is called bisimilar to a state p of an LTS S2 if there exists a
bisimulation relation R for S1 and S2 with R(q, p).
Example 5.6. Figure 5.4 shows two LTSs, S1 and S2 . Let us focus on LTS S1 first.
The relation
R = { (q0 , q0 ), (q0 , q2 ), (q0 , q4 ), (q2 , q0 ), (q2 , q2 ), (q2 , q4 ), (q4 , q0 ), (q4 , q2 ), (q4 , q4 ),
(q1 , q1 ), (q1 , q3 ), (q1 , q5 ), (q3 , q1 ), (q3 , q3 ), (q3 , q5 ), (q5 , q1 ), (q5 , q3 ), (q5 , q5 ) }
constitutes a bisimulation relation for this LTS, as can be readily checked. Note that
the identity relation I = { (qi , qi ) | 0 6 i 6 5 } is included in the bisimulation relation.
We claim that the relation R is the largest bisimulation relation for S1 .
5.1. LABELED TRANSITION SYSTEMS 5

Comparing the left LTS and the right LTS, these LTSs are bisimilar. A bisimulation
for the LTSs is the relation R′ given by

R′ = { (q0 , p0 ), (q0 , p2 ), (q2 , p0 ), (q2 , p2 ), (q4 , p0 ), (q4 , p2 ),

(q1 , p1 ), (q1 , p3 ), (q3 , p1 ), (q3 , p3 ), (q5 , p1 ), (q5 , p3 ) }

To construct a bisimulation relation between S1 and S2 we can argue like this: the initial
states q0 and p0 should be related. But then also the states q1 and p1 , since these are
the only states that can be reached from q0 and p0 by an a-action. Next, in view of the
action b, the state q2 must be related to both p0 and p2 ; q2 is the only b-successor of q1
that can match p0 and p2 . Reasoning further like this leads to the conclusion that for
a bisimulation relation R′ the state q0 is to be related to both p0 and p2 . Note, by the
requirement R′ ⊆ Q1 × Q2 , no state on the left is related by R′ to a state on the left and
likewise for states on the right.

We next introduce a notion of a coloring scheme to prepare the description of a procedure

to actually construct bisimulation relations.
Let Q be a fixed set of states. An infinite sequence (cn )∞ n=0 of functions cn : Q → N
is called a coloring scheme if, for all n, and all q, p ∈ Q, it holds that if cn+1 (q) = cn+1 (p)
then cn (q) = cn (p).

Theorem 5.7. Let S = ( Q, Σ, →S , q0 ) be a finite LTS. Suppose (cn )∞n=0 is a coloring

scheme such that cn+1 (q) = cn+1 (p) iff for all α ∈ Στ it holds that
α α
→S q ′ for some q ′ ∈ Q then p −
(i) if q − →S p′ for some p′ ∈ Q such that cn (p′ ) = cn (q ′ ),
α α
→S p′ for some p′ ∈ Q then q −
(ii) if p − →S q ′ for some q ′ ∈ Q such that cn (q ′ ) = cn (p′ ).

Define the relation R ⊆ Q × Q by R(q, p) ⇐⇒ cn (q) = cn (p) for all n > 0. Then R is a
bisimulation relation for S.

Proof. Suppose R(q, p). Let α ∈ Στ and q ′ ∈ Q be an arbitrary action and state such
α α
that q − →S q ′ . We need to find p′ ∈ Q such that p − →S p′ and R(q ′ , p′ ).
Since R(q, p) we have that cn+1 (q) = cn+1 (p) for all n > 0. Choose for each n a
α
state p′n such that p − →S p′n and cn (q ′ ) = cn (p′n ). Consider the set of states {p′n | n > 0}.
Since S is finite, the set Q is finite. Therefore, there must be a state p′ ∈ Q such that
p′ = p′n for infinitely many n.
If m > 0 is an arbitrary number, pick n > m such that p′n = p′ . Then cn (q ′ ) =
cn (p′n ) = cn (p′ ). Since (cn )∞
i=0 is a coloring scheme and n > m it holds that cm (q ) =
′
′ ′ ′
cm (p ). Since m was chosen arbitrarily, it follows that cm (q ) = cm (p ) for all m > 0.
Thus R(q ′ , p′ ).
α
By symmetry if follows that if R(q, p), α ∈ Στ and p′ ∈ Q are such that p − →S p′ , we
α
can find q ′ ∈ Q such that q − →S q ′ and R(q ′ , p′ ). We conclude that R is a bisimulation
relation for S, as was to be shown.
6 CHAPTER 5. LTS AND BISIMULATION

The reverse of Theorem 5.7 also holds: If R ⊆ Q × Q is a bisimulation relation for an

LTS S, then the so-called equivalence closure R̃ of R, the smallest equivalence relation
containing R, is also a bisimulation relation. Moreover, the function c : Q → N such
that c(q) = c(p) iff R̃(q, p) induces a constant coloring scheme (cn )∞
n=0 with cn = c for
all n > 0 that satisfies the requirements of Theorem 5.7.
Example 5.8. Consider again the LTS at the left of Figure 5.4. In view of Theorem 5.7,
we want to construct a sequence of colorings from which a bisimulation can be deduced.
We start from an initial coloring c0 which assigns to each state the ‘color’ 0. Next
we check the outgoing transitions and group states accordingly. In this case we then
conclude that the sequence of colorings stabilizes.

c0 c1 c2
q0 0 a/0 1 a/2 1
q1 0 b/0 2 b/1 2
q2 0 a/0 1 a/2 1
q3 0 b/0 2 b/1 2
q4 0 a/0 1 a/2 1
q5 0 b/0 2 b/1 2
(1) (2) (3) (4) (5) (6)

In the leftmost column (1) we list the states and give them initially the color 0, col-
umn (2). Next, column (3), we examine the transitions of the states. For example,
state q0 gets the mark a/0 as q0 has a transition to state q1 which has currently color 0.
If the entry in this column is the same for another state, this state gets the same color in
column (4). Looking at the transitions-to-colors again, this does not distinguish further
states. Apparently two colors, 1 and 2, suffice. The theorem guarantees that the groups
of the same color, i.e. q0 , q2 , q4 vs. q1 , q3 , q5 , are groups of bisimilar states.
For the LTS at the right-hand side of Figure 5.4 the reasoning is similar. We get the
table
c0 c1 c2
p0 0 a/0 1 a/2 1
p1 0 b/0 2 b/1 2
p2 0 a/0 1 a/2 1
p3 0 b/0 2 b/1 2
(1) (2) (3) (4) (5) (6)
Note, e.g. for state p1 in column (3), although p1 admits two transitions on action b,
one to p0 and one to p2 , the two transitions collapse since for c0 the states p0 and p2 are
assigned the same color.
The examples illustrate that via this procedure all bisimilar states get assigned the
same color eventually, a claim we will not prove here.
 5.1. LABELED TRANSITION SYSTEMS 7

q0

a a

q1 q2

c b b c

q3 q4 q5
c c

d e

q6 q7

Figure 5.5: Coloring an LTS

Example 5.9. Consider the LTS in Figure 5.5. We construct a coloring table to find
bisimilar states. In particular, one may wonder if the states q1 and q2 are bisimilar.
We start off with the coloring c0 : Q → N, with Q the set of states of the LTS,
assigning each state the color 0. Next we determine the transition capabilities with
respect to c0 , listed in the next column and introduce new colors, a new color for each
capability. Note that c1 gives q1 and q2 the same color 2, the ordering of the transitions
is irrelevant. Also q6 and q7 , both deadlock states, get the same color.
However, coloring c2 distinguishes between color of q1 and q2 . This is because q1 has
a c-transition to state q3 with color 3 but no c-transition to state with color 5; for state q2
this is the other way around. For other states, the coloring is updated as well. As a
consequence, in the next column, state q0 gets a more refined capability, an a-transition
to color 8 and an a-transition to color 9. The lower part of the coloring is getting stable
now. However, due to changes in the coloring it takes to coloring c5 to obtain a stable
coloring.

c0 c1 c2 c3 c4 c5
q0 0 a/0 1 a/2 7 a/8, a/9 13 a/14, a/15 17 a/18, a/19 20 a/18, a/19
q1 0 c/0, b/0 2 c/3, b/4 8 c/10, b/11 14 c/10, b/16 18 c/10, b/16 18 c/10, b/16
q2 0 b/0, c/0 2 b/4, c/5 9 b/11, c/12 15 b/16, c/12 19 b/16, c/12 19 b/16, c/12
q3 0 d/0 3 d/6 10 d/6 10 d/6 10 d/6 10 d/6
q4 0 c/0 4 c/3, c/5 11 c/10, c/12 16 c/10, c/12 16 c/10, c/12 16 c/10, c/12
q5 0 e/0 5 e/6 12 e/6 12 e/6 12 e/6 12 e/6
q6 0 − 6 − 6 − 6 − 6 − 6 −
q7 0 − 6 − 6 − 6 − 6 − 6 −
1 6 7 7 7 7
8 CHAPTER 5. LTS AND BISIMULATION

q0 b q5 a q4 p0 b p3
c
a c c b a a
c
q1 q2 q3 p1 p2
b a b

Figure 5.6: Coloring two LTSs

It may happen though, that the procedure doesn’t stabilize in colors. However, eventu-
ally, because of the finite number of states involved, the colorings are not getting finer
any more. At some point the same number of colors will do to give each group of states
a distinguishing color. Here we see that only state q6 and q7 are colored identically for
coloring c2 and all other states do not have another states uniquely colored. As this
remains for coloring c3 , we could have stopped there: coloring c0 has 1 color; coloring c1
has 6 colors; colorings c2 , c3 , c4 and c5 have 7 colors.
A counterpart to Theorem 5.7 for LTSs is available as well.
Theorem 5.10. Let S1 = ( Q1 , Σ, →1 , q0 ) and S2 = ( Q2 , Σ, →2 , p0 ) be two finite
LTSs. Suppose (cn )∞ n=0 is a coloring scheme of Q1 ∪ Q2 such that, for all q ∈ Q1 and
p ∈ Q2 , cn+1 (q) = cn+1 (p) iff for all α ∈ Στ it holds that
α α
→1 q ′ for some q ′ ∈ Q1 then p −
• if q − →2 p′ for some p′ ∈ Q2 such that cn (p′ ) = cn (q ′ ),
α α
→2 p′ for some p′ ∈ Q2 then q −
• if p − →1 q ′ for some q ′ ∈ Q1 such that cn (q ′ ) = cn (p′ ),
Define the relation R ⊆ Q1 × Q2 by R(q, p) ⇐⇒ cn (q) = cn (p) for all n > 0. Then R is
a bisimulation relation between S1 and S2 .
Proof. Left to the reader.

Example 5.11. We construct a combined coloring table for the LTSs of Figure 5.6.
c0 c1 c2
S2 q0 0 a/0, c/0 1 a/2, c/1 3
q1 0 b/0 2 b/1 4
q2 0 a/0, c/0 1 a/2, c/1 3
q3 0 b/0 2 b/1 4
q4 0 a/0, c/0 1 a/2, c/1 3
q5 0 b/0 2 b/1 4
S1 p0 0 a/0, c/0 1 a/2, c/1 3
p1 0 b/0 2 b/1 4
p2 0 a/0, c/0 1 a/2, c/1 3
p3 0 b/0 2 b/1 4
1 2 2
5.1. LABELED TRANSITION SYSTEMS 9

q0 p0

a a a

q1 q2 p1

b b

q3 p2

Figure 5.7: Coloring two non-bisimilar LTSs

Note that in going from coloring c1 to c2 new colors have been introduced. However,
the number of colors did not increase, it remains 2, hence the grouping of states did not
change. There are no states that have the same value for c1 but different values for c2 .
That is why we can stop after having generated c2 .
To compare the LTS on the left to the LTS on the right of Figure 5.6 we compare
the initial states q0 and p0 . Since they have the same color for the final coloring c2 they
are bisimilar. We conclude that the relation R ⊆ Q1 × Q2 , with Q1 = { qi | 0 6 i 6 5 }
and Q2 = { pj | 0 6 j 6 3 }, given by
R(qi , pj ) ⇐⇒ i and j both even or both odd
for 0 6 i 6 5, 0 6 j 6 3 is a bisimulation between the LTSs and that the two LTSs are
bisimilar.

Example 5.12. A combined coloring table for the LTSs of Figure 5.7 is the following
c0 c1 c2 c3
q0 0 a/0 1 a/2, a/3 4 a/5, a/3 7
q1 0 b/0 2 b/3 5 b/3 5
q2 0 − 3 − 3 − 3
q3 0 − 3 − 3 − 3
p0 0 a/0 1 a/2 6 a/5 8
p1 0 b/0 2 b/3 5 b/3 5
p2 0 − 3 − 3 − 3
1 3 4 4

Since the initial state q0 and p0 of the two LTSs are differently colored we conclude that
the two LTSs of Figure 5.7 are not bisimilar.

Consider the two LTSs of Figure 5.8. The two actions a and b of the two LTSs are
considered observable, but the silent action τ of the left LTS isn’t. Therefore, from an
10 CHAPTER 5. LTS AND BISIMULATION

q0 p0

τ b a b

q1 q2 p1 p2

q3

Figure 5.8: Two LTSs that are not branching bisimilar

observer’s point of view, it may happen that at some moment in time the left LTS offers
an a-action only, whereas the right LTS remains offering both an a-action and a b-action
until one of these actions is executed. To capture the internal change in an LTS because
of τ -actions we introduce the notion of branching bisimilarity of states within an LTS
as well as branching bisimilarity of two LTSs. For this we make use, for an LTS S with
τ ∗ τ ∗
set of state Q, of the notation q − →S q ′ for states q, q ′ ∈ Q. We write q −
→S q ′ if for
τ
some n > 0, there exist q0 , q1 , . . . , qn ∈ Q such that q0 = q, qi−1 −→S qi for 1 6 i 6 n,
and qn = q ′ .

Definition 5.13. (a) Let S = ( Q, Σ, →S , q0 ) be an LTS. A relation R ⊆ Q × Q is

called a branching bisimulation relation for S if, for all q, p ∈ Q,
a τ ∗ a
→S q ′ , for some a ∈ Σ, q ′ ∈ Q, then p −
(i) if R(q, p) and q − →S p′ for
→S p̄ and p̄ −
′ ′ ′
some p̄, p ∈ Q such that R(q, p̄) and R(q , p );
a τ ∗ a
→S p′ , for some a ∈ Σ, p′ ∈ Q, then q −
(ii) if R(q, p) and p − →S q ′ for
→S q̄ and q̄ −
′ ′ ′
some q̄, q ∈ Q such that R(q̄, p) and R(q , p );
τ τ ∗ τ
→S q ′ for some q ′ ∈ Q, then either p −
(iii) if R(q, p) and q − →S p′ for
→S p̄ and p̄ −
′ ′ ′ τ ∗ ′
some p̄, p ∈ Q such that R(q, p̄) and R(q , p ), or p −→S p for some p′ ∈ Q
such that R(q, p′ ) and R(q ′ , p′ );
τ τ ∗ τ
(iv) if R(q, p) and p −→S p′ , for some p′ ∈ Q, then either q − →S q ′ for
→S q̄ and q̄ −
τ ∗
some q̄, q ′ ∈ Q such that R(q̄, p) and R(q ′ , p′ ), or q −
→S q ′ for some q ′ ∈ Q
′ ′ ′
such that R(q, p ) and R(q , p ).

Two states q, p ∈ Q of S are called branching bisimilar if there exists a branching

bisimulation relation R for S with R(q, p).

(b) Let S1 = ( Q1 , Σ, →1 , q0 ) and S2 = ( Q2 , Σ, →2 , p0 ) be two LTSs. A relation R ⊆

Q1 × Q2 is called a branching bisimulation relation between S1 and S2 if, for all
q ∈ Q1 , p ∈ Q2 ,
5.1. LABELED TRANSITION SYSTEMS 11

S1 S2
q0 p0

a a a

q1 τ q2 p1

b b

q3 p2

Figure 5.9: Branching bisimilar LTSs

a τ ∗ a
→1 q ′ , for some a ∈ Σ, q1′ ∈ Q, then p −
(i) if R(q, p) and q − →2 p′ for
→2 p̄ and p̄ −
′ ′ ′
some p̄, p ∈ Q2 such that R(q, p̄) and R(q , p );
a τ ∗ a
→2 p′ , for some a ∈ Σ, p′ ∈ Q2 , then q −
(ii) if R(q, p) and p − →1 q ′ for
→1 q̄ and q̄ −
′ ′ ′
some q̄, q ∈ Q1 such that R(p, q̄) and R(q , p ).
τ τ ∗ τ
(iii) if R(q, p) and q −→1 q ′ for some q ′ ∈ Q1 , then p − →2 p′ for some
→2 p̄ and p̄ −
τ ∗
p̄, p′ ∈ Q2 such that R(q, p̄) and R(q ′ , p′ ), or p −
→2 p′ for some p′ ∈ Q2 such
′ ′ ′
that R(q, p ) and R(q , p );
τ τ ∗ τ
→2 p′ , for some p′ ∈ Q2 , then q −
(iv) if R(q, p) and p − →1 q ′ for some
→1 q̄ and q̄ −
′ ′ ′ τ ∗ ′
→1 q for some q ′ ∈ Q1 such
q̄, q ∈ Q1 such that R(q̄, p) and R(q , p ), or q −
′ ′ ′
that R(q , p) and R(q , p ).

The LTSs S1 and S2 are called bisimilar if there exists a branching bisimulation
relation R for S1 and S2 with R(q0 , p0 ).

Compared to Definition 5.5 we have a separate transfer condition for both directions deal-
ing with τ -actions. In the transfer conditions for ordinary actions a ∈ Σ, the simulating
LTS is allowed first to take a number of silent steps before the matching a-transition
τ ∗ a a
is done. However, there are restrictions: if p − →S p̄ − →S p′ is matching q − →S q ′ then
the intermediate state p̄ must be related to the source state q and the state p′ must be
related to the target state q ′ . Symmetrically, requirements are put on the intermediate
τ ∗ a a
state q̄ and the state q ′ if q − →S q ′ is matching p −
→S q̄ − →S q ′ .
The τ -transitions are dealt with slightly differently. Now, in addition, a transition
τ
q −→S q ′ can be matched by no transition of p, provided the state p is related to the
τ ∗
state q ′ . Note that the reflexive and transitive closure −→S allows any finite number of
τ
steps −→S , including 0.

Example 5.14. Figure 5.9 shows an LTS S1 where the state q1 and the state q2 are
branching bisimilar. The state q1 can only do a τ -transition to q2 ; state q2 can match
this by doing nothing. State q2 only has the b-transition as possibility; this can be
12 CHAPTER 5. LTS AND BISIMULATION

matched by q1 by first making a τ -move to q2 and then doing the same b-transition. It
is straightforwardly checked that the relation R given by

R = { (q0 , q0 ), (q1 , q1 ), (q1 , q2 ), (q2 , q1 ), (q2 , q2 ), (q3 , q3 ) }

is a branching bisimulation relation. Note that the identity relation I = { (qi , qi ) | 0 6

i 6 3 } is included in R. This can always be done, since a state is always branching
bisimilar to itself.
To show that the left and the right LTS of Figure 5.9, LTS S1 and S2 , are branching
bisimilar LTSs, we consider the relation R′ ,

R′ = { (q0 , p0 ), (q1 , p1 ), (q2 , p1 ), (q3 , p2 ) }

We claim that R′ is a branching bisimulation relation. For example to compare q1

and p1 : The τ -transition of q1 is matched by no transition of p1 . This is OK since we
have both R′ (q1 , p1 ) and R′ (q2 , p1 ). The b-transition of p1 is matched by the τ -transition
of q1 to q2 followed by the b-transition from q2 to q3 . Again this is OK since R′ (q2 , p1 )
and R′ (q3 , p2 ).

We have for branching bisimulation a similar result as Theorem 5.7 for strong bisimula-
tion.

Theorem 5.15. Let S = ( Q, Σ, →S , q0 ) be a finite LTS. Suppose (cn )∞

n=0 is a coloring
scheme such that cn+1 (q) = cn+1 (p) iff for all a ∈ Σ it holds that
a τ ∗ a
→S q ′ for some q ′ ∈ Q then p −
• if q − →S p′ for some p̄, p′ ∈ Q such that
→S p̄ and p̄ −
′ ′
cn (q) = cn (p̄) and cn (q ) = cn (p ),
a τ ∗ a
• if p −→S p′ for some p′ ∈ Q then q − →S q ′ for some q̄, q ′ ∈ Q such that
→S q̄ and q̄ −
cn (q̄) = cn (p) and cn (q ′ ) = cn (p′ ), and
τ τ ∗ τ
• if q −→S q ′ for some q ′ ∈ Q then p − →S p̄ and p̄ − →S p′ for some p̄, p′ ∈ Q such
τ ∗
that cn (q) = cn (p̄) and cn (q ′ ) = cn (p′ ), or p −
→S p′ for some p′ ∈ Q such that
′ ′ ′
cn (q) = cn (p ) and cn (q ) = cn (p ),
τ τ ∗ τ
• if p − →S p′ for some p′ ∈ Q then q − →S q ′ for some q̄, q ′ ∈ Q such
→S q̄ and q̄ −
′ ′ τ ∗ ′
that cn (q̄) = cn (p) and cn (q ) = cn (p ), or q − →S q for some q ′ ∈ Q such that
cn (q ′ ) = cn (p) and cn (q ′ ) = cn (p′ ).

Define the relation R ⊆ Q × Q by R(q, p) ⇐⇒ cn (q) = cn (p) for all n > 0. Then R is a
bisimulation relation for S.

Proof. Omitted.

The proof of Theorem 5.15 goes along the same lines as the proof of Theorem 5.7.
However, the proof is technically slightly more involved because of the variation of the
transfer conditions for branching bisimilarity. E.g., one needs to argue that there are
5.1. LABELED TRANSITION SYSTEMS 13

q0 p0

τ τ τ τ
a
a
q1 q2 q3 p1 p2
a a

b b b b b

q4 q5 q6 p3
τ

Figure 5.10: Coloring LTSs with internal steps

only finitely many pairs (p̄, p′ ) ∈ Q × Q and that one can assume that in infinitely many
cases the one or the other form of the transfer conditions for silent steps applies.
As for Theorem 5.7 also the reverse of Theorem 5.15 holds: If two states are branching
bisimilar we can construct a coloring scheme that always give the two states the same
color. We will neither state nor prove this theorem here.

The parallel of Theorem 5.10 for branching bisimulation is available as well.

Theorem 5.16. Let S1 = ( Q1 , Σ, →1 , q0 ) and S2 = ( Q2 , Σ, →2 , p0 ) be two finite

LTSs. Suppose (cn )∞ n=0 is a coloring scheme for Q1 ∪ Q2 such that, for all q ∈ Q1 and
p ∈ Q2 , cn+1 (q) = cn+1 (p) iff for all α ∈ Στ it holds that
α τ ∗ α
→1 q ′ for some q ′ ∈ Q1 then p −
• if q − →2 p′ for some p̄, p′ ∈ Q2 such
→2 p̄ and p̄ −
′ ′
that cn (q) = cn (p̄) and cn (q ) = cn (p ),
α τ ∗ α
→2 p′ for some p′ ∈ Q2 then q −
• if p − →1 q ′ for some q̄, q ′ ∈ Q1 such
→1 q̄ and q̄ −
′ ′
that cn (q̄) = cn (p) and cn (q ) = cn (p ), and
τ τ ∗ τ
→1 q ′ for some q ′ ∈ Q1 then p −
• if q − →S p′ for some p̄, p′ ∈ Q2 such
→2 p̄ and p̄ −
′ ′ τ ∗ ′
→2 p for some p′ ∈ Q2 such that
that cn (q) = cn (p̄) and cn (q ) = cn (p ), or p −
′ ′ ′
cn (q) = cn (p ) and cn (q ) = cn (p ),
τ τ ∗ τ
• if p − →2 p′ for some p′ ∈ Q2 then q − →1 q̄ and q̄ − →1 q ′ for some q̄, q ′ ∈ Q1 such
τ ∗
that cn (q̄) = cn (p) and cn (q ′ ) = cn (p′ ), or q −
→1 q ′ for some q ′ ∈ Q1 such that
′ ′ ′
cn (q ) = cn (p) and cn (q ) = cn (p ).

Define the relation R ⊆ Q1 × Q2 by R(q, p) ⇐⇒ cn (q) = cn (p) for all n > 0. Then R is
a bisimulation relation between S1 and S2 .

Proof. Omitted as well.

14 CHAPTER 5. LTS AND BISIMULATION

Example 5.17. We construct a coloring scheme for the LTSs of Figure 5.10. We need
to take care of the τ -transitions. On the one hand, some τ -transitions extend the capa-
bilities of a state; on the other hand, some τ -transitions do not add to the capability.
We will first treat the states q0 to q6 of the left LTS. Initially all states get assigned
the color 0. Next we examine the capabilities. State q0 can make a direct transition
labeled a to q2 , of color 0. But, by first making a τ -transition to q1 it can also make a
b-transition to q4 of color 0 too. Similarly, q0 can make a combined b transition to q6 .
The τ -transitions to q1 and q3 are put in parentheses; these do not add to the capability
of q0 since it is a τ -transition to the same color as q0 has presently.
Likewise, the τ -transition of q6 to q5 is not counted for. Therefore, q6 is not distin-
guished by c1 (nor by any coloring later) from the deadlock states q4 and q5 . For the
rest, the scheme is filled in as before in the case of strong bisimilarity.
Given coloring c1 state q0 , of color 1, has a τ -transition to a state of a different
color, viz. to q3 of color 2. Therefore, the τ -transition is included in the capabilities
of q0 . Since the state q1 does not provide a τ -transition to a state of color 2 the next
coloring, coloring c2 , distinguishing between q0 and q1 . Intuitively, while q0 can ‘forget’
is potential of doing an action a by the silent transition to q3 , state q1 cannot do such.
State q1 keeps the potential of doing either an a or a b until one of these actions is taken.

c0 c1 c2 c3
q0 0 a/0, b/0, (τ /0) 1 a/2, b/3, τ /2, (τ /1) 4 a/6, τ /5, τ /6 7
q1 0 a/0, b/0 1 a/2, b/3 5 a/6, b/3 8
q2 0 b/0 2 b/3 6 b/3 6
q3 0 b/0 2 b/3 6 b/3 6
q4 0 − 3 − 3 − 3
q5 0 − 3 − 3 − 3
q6 0 (τ /0) 3 (τ /3) 3 (τ /3) 3
p0 0 a/0, b/0, (τ /0) 1 a/2, b/3, τ /2, (τ /1) 4 a/6, τ /5, τ /6 7
p1 0 a/0, b/0 1 a/2, b/3 5 a/6, b/3 8
p2 0 b/0 2 b/3 6 b/3 6
p3 0 − 3 − 3 − 3
1 3 4 4

Exercises for Section 5.1

Exercise 5.1.1. Consider the LTS S1 and S2 in Figure 5.11a.

(a) Provide a bisimulation relation that shows that the two states q0 and q1 of LTS S1
are bisimilar.

(b) Provide a bisimulation relation that shows that LTS S1 and LTS S2 are bisimilar.
5.1. LABELED TRANSITION SYSTEMS 15

Exercise 5.1.2. Construct a coloring table to decide which states in LTS S3 and and
which states in LTS S4 of Figure 5.11b are bisimilar. Is it the case that the two LTS are
bisimilar? If yes, provide a bisimulation relation. If no, point out why the initial states
cannot be bisimilar.

S3 S4
q0 p0

a a a
S1 S2
q0 a p0 q1 q2 p1

a a a c b b c c c
b

q1 a p1 p3 q3 q4 q5 p2 p3 p4
a c c c c

a a d e d e

p2 q6 q7 p5 p6

(a) LTS for Exercise 5.1.1 (b) LTS for Exercise 5.1.2

Figure 5.11: Bisimilarity

Exercise 5.1.3. Let S be an LTS with set of states Q. Prove that if R1 , R2 ⊆ Q × Q

are two bisimulation relations for S then R1 ∪ R2 is also bisimulation relation for S.

Exercise 5.1.4. Consider LTS S0 of Figure 5.12a. Apply the coloring procedure to show
that q0 , q1 , q2 , q3 are branching bisimilar states and that q4 , q5 , q6 , q7 , q8 , q9 are branching
bisimilar states.

Exercise 5.1.5. Consider LTS S1 and LTS S2 of Figure 5.12b. Apply the coloring
procedure to decide whether LTS S1 is branching bisimilar to LTS S2 .

Exercise 5.1.6. Consider LTS S3 and LTS S4 of Figure 5.12c. Apply the coloring
procedure to decide whether LTS S3 is branching bisimilar to LTS S4 .

Exercise 5.1.7. Consider LTS S5 and LTS S6 of Figure 5.12d. Apply the coloring
procedure to decide whether LTS S5 is branching bisimilar to LTS S6 .

Exercise 5.1.8. Let S be an LTS with set of states Q.

16 CHAPTER 5. LTS AND BISIMULATION

S1 S2
q0 p0

S0 a b a b
q0 τ q1 τ q2 τ q3
q1 τ q2 p1 p2
a b c a b c d d
c
d c c
d
q4 q5 q6 q7 q8 q9 d
d τ d
τ τ q3 p3 p4

(a) LTS for Exercise 5.1.4 (b) LTS for Exercise 5.1.5

S3 τ S4 S5 S6
q0 q1 p0 q0 τ p0
τ
a τ a a a
τ a

q2 q3 p1 p2 q1 τ p1 p3
a a

a b τ a a a

q4 p3 b p4 p2

(c) LTS for Exercise 5.1.6 (d) LTS for Exercise 5.1.7

Figure 5.12: Branching bisimilar?

5.2. INTERACTION 17

(a) Verify that the identity relation I = { (q, q) | q ∈ Q } is a bisimulation relation

for S.

(b) Suppose R ⊆ Q × Q is a bisimulation relation for S. Define the inverse relation

R−1 ⊆ Q × Q by R−1 (q, p) ⇔ R(p, q). Prove that R−1 is a bisimulation relation
for S as well.

(c) Prove that if R1 , R2 ⊆ Q × Q are two bisimulation relations for S then their
composition R1 ◦ R2 defined by

R1 ◦ R2 = { (q, p) | ∃r : R1 (q, r) ∧ R2 (r, p) }

is also bisimulation relation for S.

(d) Conclude that bisimilarity of states of an LTS is an equivalence relation.

Exercise 5.1.9. Let S1 = ( Q1 , Σ, →1 , q0 ) and S2 = ( Q2 , Σ, →2 , p0 ) be two LTSs,

and R ⊆ Q1 × Q2 a bisimulation relation for S1 and S2 .

(a) Prove that if q ∈ Q1 is reachable from q0 in S1 , there exists p ∈ Q2 reachable

from p0 such that R(q, p).

(b) Give an example of two bisimilar LTSs S1 and S2 for which there exists a state q
in S1 for which there is no bisimilar state in S2 and there exists a state p in S2 for
which there is no bisimilar state in S1 .

5.2 Interaction
In this section we introduce ways to compose and transform LTSs. We introduce the
notion of a parallel composition in the context of a communication function, and we
introduce the encapsulation and abstraction operators that are used to simplify an LTS
while maintaining its essential behaviour.
Consider the three LTSs S, T and S kγ T given in Figure 5.13. The left LTS S
with initial state s0 represents a webshop. When an order comes in, the order can be
accepted, action a, and put forward for transport, action p, or the order can be canceled,
action c. The topmost LTS T on the right with initial state t0 represents the transporter.
It can get an item, action g, and next deliver the item, action d.
Of course for a successful interaction of the two LTSs, the put action p and the get
action g need to be in sync. To this end we introduce a communication function γ;
we write γ(p, g) = m to indicate that the synchronized execution of the action p and
the action g yields the action m, indicating a move of an item from the shop to the
transporter. (Implicitly, we also have γ(g, p) = m, since communication functions are
required to be symmetric in their arguments.) We then put the LTS S and LTS T in
parallel taking the communication function γ into account, notation S kγ T . This is the
LTS at the bottom, on the right of Figure 5.13. Note the transition labeled with the
action m from state x20 to state x31 .
18 CHAPTER 5. LTS AND BISIMULATION

T
g d
t0 t1 t2

S
g d
s0 S kγ T x00 x01 x02

a a a a
c c c c
g d
s2 x20 x21 x22

g p d p p
s1 p x10 x11 x12
m
s3 x30 x31 x32
g d

Figure 5.13: An interaction example: webshop S, transporter T and system S kγ T

∂{p,g} (S kγ T ) x00

a
c
x20

x10
m
x31 x32
d

Figure 5.14: Encapsulated LTS: ∂{p,g} (S kγ T )

5.2. INTERACTION 19

τ{m} (∂{p,g} (S kγ T )) Q
p0 q0

a a
c c
p2 τ q2
p′2
d
p1 q1
d
q3
p3

Figure 5.15: Abstracted LTS τ{m} (∂{p,g} (S kγ T )) and expected LTS

Still, in the LTS S kγ T , putting and getting can occur independently. We would like
to enforce that an action p cannot be performed if no action g is present, and vice versa.
For this we have an encapsulation operator ∂H , for a set of actions H. Here we take
H = {p, g}. Figure 5.14 depicts the LTS ∂{p,g} (S kγ T ) where single actions p and g are
not allowed. As a result a number of states have become unreachable from the initial
state and are not displayed for that reason. For example, state x01 which could only be
reached via a g-action. As an unpaired g-action is not allowed in the LTS ∂{p,g} (S kγ T )
the state x01 will not occur anymore (as many of its successors). As a consequence of the
application of encapsulation, the number of (reachable) states has reduced significantly.
We even go one step further. The move, the action labeled m, from the shop to the
transporter can be considered internal to the LTS. One may argue that for a customer
such an action may be irrelevant. We can express this by hiding the action m by means
of applying the abstraction operator. The abstraction operator τI for a set of actions I
renames the actions occurring in I into the silent action τ . The advantage then is that
we can apply branching bisimulation to compare the resulting LTS with another LTS,
or to better see the resulting behaviour. In the case of the example we see that the LTS
τ{m} (∂{p,g} (S kγ T )) is branching bisimilar to the LTS Q with initial state q0 , depicted
next to it in Figure 5.15. The latter LTS expresses that an order is either canceled, or
accepted and delivered next.

We formalize the above with the following definitions.

Definition 5.18. Suppose S1 = ( Q1 , Σ1 , →1 , q0 ) and S2 = ( Q2 , Σ2 , →2 , p0 ) are two
LTSs. Let Σ0 and Σ be two sets of actions such that Σ0 ⊆ Σ1 ∪ Σ2 ⊆ Σ.
(a) A function γ : Σ0 × Σ0 → Σ is called a communication function for S1 and S2 , if,
for all a, b ∈ Σ0 , it holds that γ(a, b) = γ(b, a).

(b) If γ : Σ0 × Σ0 → Σ is a communication function for S1 and S2 , then the LTS

S1 kγ S2 is given by S1 kγ S2 = ( Q1 × Q2 , Σ, →, (q0 , p0 ) ) where
20 CHAPTER 5. LTS AND BISIMULATION

α α
→ (q ′ , p) if q −
– (q, p) − →1 q ′ for α ∈ Σ1 ∪ {τ };
α α
→ (q, p′ ) if p −
– (q, p) − →2 p′ for α ∈ Σ2 ∪ {τ };
c a b
→ (q ′ , p′ ) if q −
– (q, p) − →1 q ′ , p −
→2 p′ , and γ(a, b) = c for a, b ∈ Σ0 , c ∈ Σ;
τ τ τ
→ (q ′ , p′ ) if q −
– (q, p) − →1 q ′ , p −
→2 p′ .

If γ is a communication function for LTSs S1 and S2 , and also for S2 and an LTS S3 , then
it holds that (S1 kγ S2 ) kγ S3 amounts to the same LTS as the grouping S1 kγ (S2 kγ S3 )
(up to isomorphy of LTSs, which we do not detail here).

Definition 5.19. Let S = ( Q, Σ, →S , q0 ) be an LTS.

(a) Suppose H ⊆ Σ is a subset of actions of S. Then the LTS ∂H (S), the encapsulation
α
of S with respect to H, is given by ∂H (S) = ( Q, Σ, →′ , q0 ) where q −
→′ q ′ if α ∈
/H
α
→ q ′ for α ∈ Στ .
and q −

(b) Suppose I ⊆ Σ is a subset of actions of S. Then the LTS τI (S), the abstraction
of S with respect to I, is given by τI (S) = ( Q, Σ, →′ , q0 ) where

α α
→′ q ′ if α ∈
– q− → q ′ for α ∈ Στ
/ I and q −
τ a
→′ q ′ if q −
– q− → q ′ for some a ∈ I.

The format τI (∂H (S1 kγ · · · kγ Sk )) is encountered frequently in the analysis of concur-

rent systems. The format is called standard concurrent form.

Exercises for Section 5.2

Exercise 5.2.1. Consider LTS A, B and C below.

A c! B d! C c?
a0 a1 b0 b1 c0 c1
a b d?

Let the communication function γ be such that γ(c!, c?) = c and γ(d!, d?) = d. Define
the action set H = {c!, c?, d!, d?}. Draw the LTS ∂H (A kγ B kγ C).

Exercise 5.2.2. Consider LTS A, B and C below.

5.2. INTERACTION 21

A B C
a0 b0 c0

a x′′ c

a1 b1 c1
′ ′
x y y ′′
b
a2 a3 b2 c2

d e

a4 a5

Let the communication function γ be such that γ(x′ , x′′ ) = x and γ(y ′ , y ′′ ) = y. De-
fine the action set H = {x′ , x′′ , y ′ , y ′′ } and the action set I = {x, y}. Draw the LTS
∂H (A kγ B kγ C) and indicate how to obtain LTS τI (∂H (A kγ B kγ C)).

Exercise 5.2.3. Consider LTS A and B below.

A B
a0 b0
x′ y′ x′′ y ′′

a1 a2 b1 b2

a a′ b b′
a3 a4 b3 b4
′ ′′
y x′ y x′′
a5 a6 b5 b6

c d
a7 b7

Let the communication function γ be such that γ(x′ , x′′ ) = x and γ(y ′ , y ′′ ) = y. De-
fine the action set H = {x′ , x′′ , y ′ , y ′′ } and the action set I = {x, y}. Draw the LTS
∂H (A kγ B) and indicate how to obtain LTS τI (∂H (A kγ B)).

Exercise 5.2.4. Consider the processes C(0) and C(1), and the processes D(0) and D(1)
given by
c!0 c!1 d!0 d!1
C(0) C(1) D(0) D(1)

c0 c1 d0 d1
22 CHAPTER 5. LTS AND BISIMULATION

Design an LTS S such that, for suitable communication function γ and sets of actions H
and I, it holds that the LTS τI (∂H (S kγ C(i) kγ D(j))) for i, j = 0, 1, besides τ actions,
only performs an action a in case i + j = 0, an action b if i + j = 1, and an action c if
i + j = 2.

Exercise 5.2.5. LTS IC of an instable coin process, and LTS SC of a stable coin process
are given by

IC SC
ic 0 sc 0
τ τ τ τ
τ
c!head ic 1 ic 2 c!tail c!head sc 1 sc 2 c!tail
τ

Put H = { c!x , c?x | x = head , tail } and I = { cx | x = head , tail }. Give a process S and
a communication function γ, such that the LTS τI (∂H (S kγ IC )) and τI (∂H (S kγ SC ))
are not branching bisimilar.

5.3 A mutual exclusion protocol

We consider a simple mutual exclusion protocol, which concerns the exclusive access by
components of a system to a shared resource when needed. A component is in its critical
section when it is using the shared resource. We consider a protocol due to Peterson.
The protocol should guarantee that at most one component of a system is in its critical
section and components get access eventually.
The formulation of the protocol usually uses shared variables in order to achieve
coordination of components. We have to translate this to labeled transition system as
formalism we have adopted here. In order to do this, we model the shared variables as
separate processes.
The protocol uses three shared variables C, D, T and two components P, Q. The
variables C, D are Boolean variables, T (turn) has value p or q. Initially, the value of
C, D is false and the value of T is p. The value of T is the component that last started
an attempt to enter its critical section. If C is false, this signifies P is not in its critical
section, likewise D is false means Q is not in its critical section. If P intends to enter
its critical section, it must assign the value true to C before it checks the value of D,
to prevent situations in which the value of both variables is true. Similarly for Q. Still,
situations can arise in which the value of both C and D is true. In order to prevent
deadlock in this case, each component checks whether the other one last started an
attempt to enter its critical section, and the one of which this check succeeds actually
enters its critical section.
The LTSs for the variables are given in Figure 5.16. In each case, the LTS has two
states and provides three actions in each state. For example, with 0 corresponding to
5.3. A MUTUAL EXCLUSION PROTOCOL 23

c!0 c!1 d!0 d!1

C D
c?1 d?1
c?0 c0 c1 c?1 d?0 d0 d1 d?1
c?0 d?0
t!p t!q
T
t?q
t?p tp tq t?q
t?p

Figure 5.16: LTS for variables C, D, and T

the truth value false, state c0 represents that the variable C is false. In that state the
action c!0 can be performed. Likewise, in state c1 corresponding to the variable C having
value true, the action c!1 is possible. These actions occur when another process inspects
the variable. The actions c?0 and c?1 represent new assignments to the variable. The
action c?0 is taken if the new value is 0, i.e. false; the action c?1 is taken if the new value
is 1, i.e. true. Note the state change from state c0 to state c1 on action c?1 and, vice
versa, from state c1 to state c0 on action c?0 . In contrast, when in state c0 on action c?0
the variable remains in state c0 ; when in state c1 on action c?1 it remains in state c1 .
For the components P and Q, we draw the LTSs in Figure 5.17. So, focusing on
the component P , first the variable C is set to true, action c!1 , indicating that P is
approaching the critical section. Then the variable T is set to the value p, action t!p ,
indicating that P was the last one that approached the critical section up to now. Then
either when the variable D is false or when the variable T is q, the non-deterministic
choice between the actions d?0 and t?q , the component P enters the critical section,
action enter p . Then it leaves, action leave p , and next sets the variable C back to false
by performing action c!0 . The component Q is doing the same, but with the roles of the
variables C and D as well as of the components P and Q interchanged.

P Q
c!0 c!1 d!0 d!1
p5 p0 p1 q5 q0 q1

leave p t!p leave q t!q

d?0 c?0
p4 p3 p2 q4 q3 q2
enter p enter q
t?q t?p

Figure 5.17: Components P, Q of the mutual exclusion protocol

For the modeling of the setting and testing of the variables C, D and T , we use the
24 CHAPTER 5. LTS AND BISIMULATION

communication function γ. We choose γ such that

γ(c!0 , c?0 ) = c0 γ(d!0 , d?0 ) = d0 γ(t!p , t?p ) = tp

γ(c!1 , c?1 ) = c1 γ(d!1 , d?1 ) = d1 γ(t!q , t?q ) = tq

Thus γ synchronizes two actions c!b and c?b , one from a component P or Q and one
from variable C, into one action cb . Here the index b is equal to 0 or 1 referring to the
possible boolean values false and true of the variable C. Likewise for the variable D.
The communication function γ also synchronizes two actions t! r and t? r , one from a
component P or Q, and one from the variable T , into one action t r where the index r is
equal to p or q referring to the component P and Q, respectively.
Putting the whole thing together results in the LTS

∂H (P kγ Q kγ C kγ D kγ T )

in Figure 5.18, where H = { c!b , c?b , d!b , d?b | b = 0, 1 } ∪ { t! r , t? r | r = p, q }. In each

state, we put the values of the variables C, D, T (in this order). If the value of T does
not matter, we write an underscore as third component. We choose state 00 as the
initial state.
The conclusion is, that the two components cannot be in the critical section at the
same time: if one component executes an enter -action, then it needs to execute a leave-
action before the other component can execute an enter -action.
Again, all actions from the set I = {c0 , c1 , d0 , d1 , tp , tq } can be renamed into τ . In
this case, branching bisimulation will not remove all τ -steps. The result is shown in
Figure 5.19.
We see that an action enter p is followed by an action leave p before an action enter q
can occur, possibly interspersed with τ -actions. The symmetric observation can be
made for the action enter q as well. We conclude that the protocol guarantees mutual
exclusion indeed. A more refined analysis shows that when component P has reached
state p2 it will perform the action enter p within a finite number of steps. Likewise for
component Q.

Exercises for Section 5.3

Exercise 5.3.1. Consider LTS P and Q below:

5.3. A MUTUAL EXCLUSION PROTOCOL 25

11q 11q 11q

c0 leave p enter p

tq tq tq

tq
c0 11p 11p 11p
leave p enter p

d1 d1 d1

10p 10p 10p 11q

leave p enter p
d0 c0 d0
d0

11p 11q c1 01q 00 c1 10 10p

tp d0 tp tq
leave q leave q leave q d1 d1 d1
c1 tp
11p 11q c1 01q 01 11 11p
tp
enter q enter q enter q tq tq
tp c1
11p 11q c1 01q c0 01q 11q

tp tp
11p

Figure 5.18: Mutual exclusion protocol ∂H (P kγ Q kγ C kγ D kγ T )

26 CHAPTER 5. LTS AND BISIMULATION

enter p
leave p
leave p τ τ
enter p

leave p enter p
leave q τ τ

τ τ
leave q
leave q τ τ τ

τ τ
τ τ

enter q enter q τ τ

τ
τ τ
τ
enter q

Figure 5.19: Abstracted process τI (∂H (P kγ Q kγ C kγ D kγ T ))

5.4. THE ALTERNATING BIT PROTOCOL 27

P Q
p0 a p1 τ p2 τ p8 b p9 q0 a q1 b q2
τ τ

p7 p6 τ

τ τ
p5 p3

τ τ
p4

Prove that P and Q are branching bisimilar.

5.4 The Alternating Bit Protocol

In this section, we have a look at a communication protocol. This protocol is often
referred to as the Alternating Bit Protocol (ABP) in the literature. A communication
protocol concerns the transmission of data through an unreliable medium in such a
way that – despite the unreliability – no information will get lost. The communication
network used in the example is shown in Figure 5.20.

K
s k
in out
S R

ℓ r
L

Figure 5.20: Architecture for the ABP

The following describes the components of this network. The component S is the
sender, sending data elements d ∈ D to the receiver R via the unreliable channel K.
After having received a certain data element, R will send an acknowledgment to S
via channel L which is unreliable as well (in practice, K and L are usually physically
the same medium). The problem now is to define processes S and R such that no
information will get lost; that is, the behavior of the entire process, apart from the
internal communications, acts as a buffer of capacity 1.
For simplicity we assume the data set D to consist of two elements, denoted α and β.
The sender S is fed with data items carrying α and β expressed by the actions in α
and in β . The receiver R, when it receives a new data item (in a frame, as we will see)
it delivers it via an action out α or out β , dependent on the payload. So, the desired
observable behaviour of the entire system is described by the process
28 CHAPTER 5. LTS AND BISIMULATION

in α in β
qα q0 qβ
out α out β

A solution can be formulated as follows.

• The sender S reads a data item d at its input and passes on a sequence of frames
hd, 0i, hd, 0i, hd, 0i, . . . , i.e. of copies of the data item d tagged with a bit 0 to K
until an acknowledgment 0 is received from L. Then, the next data item is read,
and sent on together with the alternated bit, i.e. bit 1; the acknowledgment then
is the reception of a 1. The following data element has, in turn, 0 as an appended
bit. Thus, 0 and 1 form the alternating bit.

• The process K denotes the data transmission channel, passing on frames of the
form hd, 0i, hd, 1i. K may corrupt data, however, passing on ∗ (an error message;
thus, it is assumed that the incorrect transmission of d can be recognized, for
instance, using a checksum).

• The receiver R gets frames hd, 0i, hd, 1i and error messages ∗ from K, delivering d
to its output (if this was not already done earlier), and in response the acknow-
ledgment 0 respectively 1 is sent to L.

• The process L is the acknowledgment transmission channel, and passes bits 0 or 1,

received from R, on to S. L is also unreliable, and may send on ∗ instead of a bit
0 or 1.

The processes S, K, R, and L can be specified by means of LTSs. Let D be the data
set {α, β}, define the set of frames by F = { hα, 0i, hβ, 0i, hα, 1i, hβ, 1i }, and let τ be
the silent action. The LTSs of the channels K and L are given in Figure 5.21. In these
LTSs, the action τ serves to make the choice non-deterministic: the decision whether or
not the frame will be corrupted is internal to the channel, and cannot be influenced by
the environment. In branching bisimulation, the treatment of τ will entail that these
description is not bisimilar to the ones where the τ -steps are just removed.
The sender S and the receiver R are given in Figure 5.22 and Figure 5.23. From
the starting state s0 the sender takes an input α or β. It sends out the data item in a
frame with bit 0. If no correct acknowledgment is received, i.e. bit 1 or error message ∗
is received instead, the frame is resent. If the acknowledgment is received, i.e. bit 0,
the sender changes mode and moves to state s5 . There it behaves similarly. However,
frames are now sent out with bit 1 and acknowledgments are checked for bit 1.
As depicted in Figure 5.23, the receiver reacts on incoming frames. Starting from
state r0 it awaits an incoming frame. If the incoming frame is tagged with bit 1 or is an
error message, the acknowledgment 1 is repeated. But, if a frame with bit 0 is received,
the corresponding payload is output, actions out α and out β , and the receiver changes
mode by moving to state r3 . There the receiver behaves similarly. However, now bit 0
is repeated as acknowledgment until a frame is received that is tagged with bit 1.
5.4. THE ALTERNATING BIT PROTOCOL 29

τ k1 τ τ ℓ1 τ
k3 k2 ℓ3 ℓ2
s?hα,0i r?0
k!∗ k!hα,0i ℓ!∗ ℓ!0
k5 k!hα,1i k!∗ k12
τ τ
s?hα,1i s?hβ,1i
k4 k0 k10 ℓ0

τ τ
k6 k!∗ k!hβ,1i k11
k!hβ,0i k!∗ ℓ!1 ℓ!∗
s?hβ,0i r?1
k8 k9 ℓ5 ℓ6
τ k7 τ τ ℓ4 τ

Figure 5.21: LTSs of the channels K and L

ℓ?0 ℓ?0
s2 s4 in α s5 in β
s6 s8
ℓ?1 ℓ?1
s!hα,0i s!hβ,0i
ℓ?∗ ℓ?∗ ℓ?0 ℓ?0
s!hα,1i s!hβ,1i
ℓ?∗ ℓ?∗
s1 s3
in α s0 in β s7 s9
ℓ?1 ℓ?1

Figure 5.22: LTS of sender S

out α k!hα,0i
r1
r3 r0
r2
out β k!hβ,0i
k?hα,0i k?hα,1i
k?hβ,0i r!0 r!1 k?hβ,1i
k?∗ k?∗
k!hα,1i out α
r5
r4 r7
r6
k!hβ,1i out β

Figure 5.23: LTS of receiver R

30 CHAPTER 5. LTS AND BISIMULATION

The communication is governed by the communication function γ. Here γ synchro-

nizes actions of the form s?x with actions of the form s!x , for frames x of the form hα, 0i,
hβ, 0i, hα, 1i, and hβ, 1i, and likewise for k!x and k?x . The communication function γ
also synchronizes actions of the form r!b and r?b , and actions of the form ℓ!b and ℓ?b ,
for b ∈ {0, 1}. We put

γ(s!x , s?x ) = sx , γ(k!x , k?x ) = kx for x = hα, 0i, hβ, 0i, hα, 1i, hβ, 1i
γ(r!b , r?b ) = rb , γ(ℓ!b , ℓ?b ) = ℓb for b = 0, 1

To enforce synchronization the parallel composition of the components needs to be en-

closed by an encapsulation operator that forbids single actions s?x , s!x , k?x , k!x and r!b
and r?b , ℓ!b and ℓ?b , for all frames x and bits b. To this end we define

H = { s!x , s?x , k!x , k?x | x = hα, 0i, hβ, 0i, hα, 1i, hβ, 1i } ∪
{ r!b , r?b , ℓ!b , ℓ?b | b = 0, 1 }

Now an expression for the whole system is

∂H (S kγ K kγ L kγ R)

where ∂H will block all unmatched !-actions and ?-actions.

Using the rules for the composition of LTSs we can derive the LTS in Figure 5.24 for
the complete system for the ABP. In the first half of the LTS, we use a data-element d,
in the second half e. In fact, the LTS should show a branching over D, i.e. both for α
and β at states q0 and q18 . This means that the upper left-hand corner and the lower
right-hand corner should have outgoing edges in α and in β that we have depicted here,
for a compact presentation, as in d for the upper left-hand corner and in e for the lower
right-hand corner.
Next, we want to hide the communication over the internal channels, i.e. we want to
turn communication involving s, k, ℓ, and r into τ . Indeed, all τ -steps can be removed,
and we can show branching bisimilarity with the buffer of capacity one. Hence, the
analysis shows that the ABP does not loose information, as required.
Notice that the notion of branching bisimilarity embodies a form of fairness: after
a number of failing communications, eventually a successful communication will take
place, the channel cannot be totally defective.
5.4. THE ALTERNATING BIT PROTOCOL 31

in d shd,0i τ khd,0i
q0 q1 q2 q8 q9
ℓ∗
ℓ1
ℓ1 q6 q7 τ q15 out d
τ k∗
τ τ
q35 q5 q3 q14 q10
shd,0i khd,0i
r1 k∗ τ
τ q4 q13 q16 r0

τ ℓ∗
q29 q30 q12 q11
ℓ∗ τ

r1 q34 q31 q22 τ

τ k∗ r0
khe,1i she,1i
q28 q32 q21 q23 q17
τ τ
τ
out e k∗ q33 τ q25 q24 ℓ0
ℓ0
ℓ∗
q27 q26 q20 q19 q18
khe,1i τ she,1i in e

Figure 5.24: LTS of the ABP ∂H (S kγ K kγ L kγ R)