Quantum Bisimilarity via Barbs and Contexts: Curbing the Power of Non-deterministic Observers

Past years have seen the development of a few proposals for quantum extensions of process calculi. The rationale is clear: with the development of quantum communication protocols, there is a need to abstract and focus on the basic features of quantum concurrent systems, like CCS and CSP have done for their classical counterparts. So far, though, no accepted standard has emerged, neither for the syntax nor for the behavioural semantics. Indeed, the various proposals do not agree on what should be the observational properties of quantum values, and as a matter of fact, the soundness of such properties has never been validated against the prescriptions of quantum theory. To this aim, we introduce a new calculus, Linear Quantum CCS (lqCCS), and investigate the features of behavioural equivalences based on barbs and contexts. Our calculus can be thought of as an asynchronous, linear version of qCCS, which is in turn based on value-passing CCS. The combination of linearity and asynchronous communication fits well with the properties of quantum systems (e.g. the no-cloning theorem), since it ensures that each qubit is sent exactly once, precisely specifying which qubits of a process interact with the context. We exploit contexts to examine how bisimilarities relate to quantum theory. We show that the observational power of general contexts is incompatible with quantum theory: roughly, they can perform non-deterministic moves depending on quantum values without measuring (hence perturbing) them. Therefore, we refine the operational semantics in order to prevent contexts from performing unfeasible non-deterministic choices. This induces a coarser bisimilarity that better fits the quantum setting: (i) it lifts the indistinguishability of quantum states to the distributions of processes and, despite the additional constraints, (ii) it preserves the expressiveness of non-deterministic choices based on classical information. To the best of our knowledge, our semantics is the first one that satisfies the two properties above.


INTRODUCTION
Quantum computing is a promising emerging technology that exploits non-classical phenomena described by quantum mechanics, such as entanglement and superposition.The basic component of quantum algorithms and protocols is the qubit, a system that can be in one of two basis states |0⟩ and |1⟩, as well as in any linear combination of them, called a superposition.The state of a quantum system is modelled as a set of qubits on which the programmer applies various transformations.Differently from classical systems, the state of a composite quantum system can be entangled, i.e. the subsystems cannot be described separately.Moreover, reading the state of a qubit ("measuring" it, in quantum jargon), causes its state to probabilistically change to one of the basis states.Finally, the no-cloning theorem forbids copying qubits and thus poses serious constraints to programmers.Both theory and implementations of quantum computing attracted considerable research efforts in the last decades, leading to quantum algorithms with more than polynomial speedup over classical counterparts [Harrow et al. 2009;Shor 1994] and quantum protocols, e.g. for key distribution [Bennet and Brassard 2014;Poppe et al. 2004] and leader election [Tani et al. 2012].Practical applications, though, require quantum computers with large enough memories.This is a challenging task, as it is difficult to maintain quantum properties among a big number of qubits.A solution seems to lie on distributed computing, by suitably linking multiple quantum computers [Kimble 2008].
With the recent advances, the need has emerged for verification techniques applicable to quantum distributed algorithms and protocols.Concerning purely probabilistic systems, several models have been proposed so far: some only target the probabilistic behaviour, like Markov Chains [Sokolova 2011], while others also take into account pure non-determinism, like Segala Automata [Segala 1995] and Probabilistic Transition Systems [Hennessy 2012].This second approach appears to be more adequate to model protocols where actors can perform their choices freely, and not only according to some predefined probability distribution.Process calculi and bisimilarity have been successful in modelling and verifying classical concurrent systems characterized by probabilistic and non-deterministic behaviours.We expect the same will hold in the quantum case, where different process calculi and behavioural equivalences have been proposed that display both quantum and non-deterministic features.While the features of these calculi are mostly comparable, the proposed bisimilarities greatly vary from one work to the other, and are seldom compared with each other and with quantum theory.Indeed, they turn out to disagree on several simple cases which naturally occur when modelling real-world protocols.Moreover, such discrepancies are partially due to the fact that some proposed bisimilarities do not fit what is prescribed by quantum theory.In fact, Davidson [2012] and Kubota et al. [2012] prove that processes sending indistinguishable quantum values are spuriously discriminated.This discrepancy is yet to be investigated in depth, and there are no correctness results relating bisimilarity to indistinguishability in quantum theory.We exemplify in Table 1 some cases on which the current proposals diverge, and investigate the underlying causes.The works we compare are QPAlg by Lalire [2006], CQP by Davidson [2012] and qCCS, which comes with two different bisimilarities: ∼  proposed by Deng and Feng [2012], and ∼  by Feng and Ying [2015].For each row of the table, we discuss the prescriptions of quantum theory, reporting violations and proposing a possible solution.
In fact, to tackle these foundational issues, we introduce a new process calculus, namely linear quantum CCS (lqCCS), which offers the main features common to the previous proposals, and use it as a framework for exploring behavioural equivalence for quantum systems.Our calculus builds up on qCCS (in turn inspired by value-passing CCS [Hennessy 1991]), yet offers asynchronous communication and a linear type system.Quantum systems are modelled as configurations in a stateful manner, with the state of the qubits alongside the processes.Furthermore, the no-cloning theorem prescribes that once a qubit has been sent, the sender cannot use it any more.To comply with this requirement, quantum process calculi usually enforce affinity, guaranteeing that each qubit is sent at most once.We go one step further by requiring each qubit to be sent or discarded (i.e.sent on a restricted channel) exactly once, thus forcing the observability of each qubit to be clearly defined.This allows us to resolve a superficial discrepancy of the proposed behavioural equivalences, focusing on unambiguous cases only.Take as example the pair of processes of the first row of Table 1.Both receive a qubit on channel  (with ?), modify it (with either  () or  ()), and then terminate (0).The two processes apply different transformations, resulting in different quantum states.Both CQP and QPAlg assume unsent qubits are not visible and deem  and  bisimilar, while the bisimilarities for qCCS do the opposite.The linear typing of lqCCS forces to specify visibility, and allows matching these different results employing an appropriate discarding discipline (i.e. the processes are equivalent if the qubit is discarded using 0  as in the second row of Table 1, they are distinguishable if it is sent on a visible channel as in the third row).
We define a saturated probabilistic bisimilarity for lqCCS, denoted as ∼  , which relies on contexts for distinguishing quantum processes [Bonchi et al. 2014].This seems a fruitful choice, because the notion of observable property of a visible quantum value is not straightforward, as witnessed by the variety of labelled bisimulations proposed so far.On the contrary, available operations over quantum values are well known (unitaries and measurements), and thus contexts are easily defined and uniquely determined (at least as far as quantum properties are concerned).Take the fourth row of Table 1 as an example, where both processes prepare and send a pair of qubits, but only the latter is entangled.Remarkably, in both cases, the sent qubits are in the same state when taken separately.QPAlg uses the value of each sent qubit as labels, thus incorrectly equating the two processes.Indeed, detecting the entanglement requires considering the pair of qubits as a whole.
We also suffer from the problem highlighted by Davidson and Kubota et al., as our saturated bisimilarity spuriously discriminates between equivalent quantum values.More in detail, quantum theory prescribes that certain probability distributions of quantum states should be indistinguishable (namely if they are represented by the same density operator).Consider the processes of the fifth row of Table 1.After setting and measuring the qubits, the state of the sent qubit of both processes is in a fair distribution, respectively of |0⟩ and |1⟩, and of |+⟩ and |−⟩.Such distributions are prescribed to be indistinguishable.Nonetheless, the two processes are not bisimilar according to QPAlg and ∼  of qCCS.Also ∼  suffers from the same issue, but the use of contexts allow us to precisely pinpoint the cause of the problem in the interaction between non-determinism and quantum features.Indeed, unconstrained non-determinism allows contexts to choose a move based on the (in principle unknown) current quantum state, without performing a measurement (and thus, without perturbing the state, violating a defining feature of quantum objects).Non-determinism must be constrained for contexts to fit the limitations of quantum theory.
We give a new enhanced semantics and proper contexts, forbidding ill-formed moves where the non-deterministic choices depend on unknown quantum values.Moreover, we define constrained saturated bisimilarity, denoted as ∼  , which is strictly coarser than ∼  .We prove two main properties: ∼  recovers the indistinguishability of quantum values prescribed by quantum theory, and, even if constrained, non-deterministic sum can still simulate boolean conditional statements.Theorem 4.8 shows that our constraints suffice to equate lqCCS configurations with indistinguishable quantum states.Notice indeed that the processes of the fifth row of Table 1 are correctly deemed bisimilar by ∼  .We argue that our constraints are not overly restrictive.To confirm this, Theorem 4.12 shows that non-deterministic choices can always perform different moves according to known classical values, thus replicating the behaviour of boolean guards.This is an expected property that was missing in previous bisimilarities like the one of CQP and ∼  of qCCS, which also indirectly constrain non-determinism.Consider the last row of Table 1 where both processes send a qubit, choosing non-deterministically over two possible channels.Remarkably, for each channel, the state of the sent qubits is represented by the same density operator, but the two processes could be distinguished if they had chosen the channel according to the outcome of the measurement (e.g. by using a boolean guard).Since non-deterministic sum simulates such behaviour in our enhanced semantics, the two processes are correctly distinguished.On the contrary, all the previous works that correctly equates the processes of the fifth row of the table fails in distinguishing the ones in the last row: indeed, they overly constrain non-determinism.
As a final contribution, we provide a few proof techniques and employ them to analyse three real-world protocols: quantum teleportation, super-dense coding and quantum coin-flipping.

Synopsis.
In section 2 we give some background about probability distributions and quantum theory.In section 3 we present lqCCS, we discuss probabilistic bisimilarity and its interaction with non-determinism.In section 4 we propose our novel semantics and bisimilarity equivalence.In section 5 we describe the capabilities of the novel bisimilarity through the lenses of well-known quantum protocols.Finally, we compare with related works in section 6, and we conclude in section 7. To favour readability, the full proofs are postponed to the appendices.

BACKGROUND
We recall some background on probability distributions and introduce quantum computing.Finally, we present density operators that model probability distributions of quantum systems and their evolution.We refer to Nielsen and Chuang [2010] for further reading on quantum computing.

Probability Distributions
A probability distribution over a set  is a function Δ :  → [0, 1] such that  ∈ Δ() = 1.We call the support of a distribution Δ, written ⌈Δ⌉, the set { ∈  | Δ() > 0}.We write D () for the set of distributions over , and restrict ourselves to distributions with finite support.
For each  ∈ , we let  be the point distribution that assigns 1 to .Given a finite set of nonnegatives reals {  }  ∈ such that  ∈   = 1, we write  ∈   •Δ  for the distribution determined by (𝑠).Sometimes, we will use the notation above to write the distributions "explicitly" by listing the elements of the support with their probability as in Right-decomposability is defined symmetrically, and a relation is decomposable when it is both left-and right-decomposable.
Intuitively, different bases represent different observable properties of a quantum system.Note that |+⟩ and |−⟩ are non-trivial linear combinations of |0⟩ and |1⟩, roughly meaning that the property associated with the computational basis is undetermined in |+⟩ and |−⟩.In the quantum jargon, the states in the diagonal basis are superpositions with respect to the standard basis.Symmetrically, |0⟩ and |1⟩ are themselves superpositions with respect to the diagonal basis.

Unitary Transformations
For each linear operator  on a Hilbert space H , there is a linear operator  † , the adjoint of , which is given by the conjugate transpose of  and is the unique operator such that ⟨ ||⟩ =  †   .A linear operator  is said to be unitary when   † =  †  =  .In quantum physics, the evolution of a closed system is described by a unitary transformation: the state | ⟩ at time  0 is related to | ′ ⟩ at time  1 by a unitary operator  , which only depends on  0 and  1 , i.e. | ′ ⟩ =  | ⟩.
In quantum computing, the programmer manipulates the state of qubits by applying unitary transformations.Some of the most common transformations on single qubits are:  that transforms the qubit |0⟩ into |1⟩ and vice-versa (corresponding to the classical logical not);  that given

Measurement
Quantum measurements are needed for describing systems that exchange information with the environment.Performing a measurement on a quantum state returns a classical result and causes the quantum state to change (i.e. to decay).Thus, measurements alter the state of the qubits.Moreover, the result of a measurement is intrinsically probabilistic.
A measurement operator is a linear transformation that associates each input quantum state with a probability and a resulting quantum state.A measurement is then a set of possible classical outcomes: each of them is associated with a measurement operator that encodes how the probability of the outcome and the resulting quantum state depends on the current state | ⟩.
Formally, a measurement is a set {  }  of measurement operators, where  refers to the classical outcomes, such that the completeness equation   †    =  holds.If the state of the system is | ⟩ before the measurement, then the probability of  occurring is If  is the outcome, then the state after the measurement will be 1 The simplest measurements project a state into one of the basis of H , e.g. 01 = { 0 ,  1 } with  0 = |0⟩⟨0| ,  1 = |1⟩⟨1| in the computational basis of H , and As expected, applying the measurement  01 on |0⟩ returns the classical outcome 0 and the state |0⟩ with probability 1.When applying the same measurement on |+⟩, instead, the result may be 0 and |0⟩, or 1 and |1⟩ with equal probability.Note also that measuring |0⟩ with  ± leads to either 0 and |+⟩, or 1 and |−⟩, also with equal probability.

Composite quantum systems
We represent the state space of a composite physical system as the tensor product of the state spaces of its components.Let H  and H  be  and -dimensional Hilbert spaces: their tensor product We often omit the tensor product and write | ⟩ |⟩ or |⟩.We write H ⊗ for the 2  -dimensional Hilbert space defined as the tensor product of  copies of H (i.e. the possible states of  qubits).
What is said above about unitary transformations and measurements also applies to composite systems.Given a list of single-qubits unitaries  1 ,  2 . . .  , their tensor product  1 ⊗  2 • • • ⊗   is a unitary transformation over  qubits.Not all unitaries on  qubits can be obtained in this way: the most used that cannot be obtained via tensor product are the SWAP operator exchanging the state of two qubits, i.e.SWAP |⟩ = | ⟩, and the controlled not (CNOT) over two qubits, defined as A measurement for a composite system may measure only some of the qubits and leave others unaltered, e.g.{ 0 ⊗ ,  1 ⊗  } measures (in the computational basis) the first qubit of a pair.
A quantum state in H  ⊗ H  is separable when it can be expressed as the Kronecker product of two vectors of H  and H  .Otherwise, it is entangled, like the Bell state When two qubits are entangled, the evolution of the one depends on the transformations applied to the other.Measuring e.g. the first qubit of |Φ + ⟩ in the computational basis causes the state to decay into either |00⟩ or |11⟩ with equal probability, where also the state of the second qubit is updated.The Bell states {|Φ + ⟩ , |Φ − ⟩ , |Ψ + ⟩ , |Ψ − ⟩} form the Bell basis for H ⊗2 , with A defining feature of quantum computing is that qubits cannot be duplicated.
Proposition 2.1 (No-Cloning Theorem).There is no unitary operation  on As a result, qubits cannot be stored in multiple locations or broadcast to multiple receivers.

Density operator formalism
The density operator formalism puts together quantum systems and probability distributions by considering mixed states, i.e. probabilistic mixture of quantum states.A point distribution | ⟩ (called a pure state) is represented by the matrix | ⟩⟨ |.In general, a mixed state Δ ∈ D ( H ⊗ ) for  qubits is represented as the matrix  ∈ C 2  ×2  , known as its density operator, with  =  Δ(  ) |  ⟩⟨  |.We write DO (H ) for the set of density operators of H .
For example, the mixed state |0⟩ ⊕ 1/3 |+⟩ being |0⟩ with probability 1/3 and in |+⟩ with probability 2/3 is represented as 1 3 Note that the encoding of probabilistic mixtures of quantum states as density operators is not injective.For example, 1 2  is called the maximally mixed state and represents both the distribution This is a desired feature, as the laws of quantum mechanics deem indistinguishable all the distributions that result in the same density operator.The evolution of mixed states is given as a trace-preserving superoperator E : DO (H ) → DO (H ), a function defined by its Kraus operator sum decomposition {  }  for  = 1, . . ., dim(H ) 2 , satisfying that E () =     †  and   †    =  H , where  H is the identity operator on H . Notice that the operators   are not unitaries in general, see Nielsen and Chuang [2010, Section 8.2.3].We write T S(H ) for the set of trace-preserving superoperators on H .
The tensor product of density operators  ⊗  is defined as their Kronecker product, and of superoperators E ⊗ F as the superoperator having Kraus decomposition {  ⊗   } , with {  }  and {  }  Kraus decompositions of E and F .Superoperators represent unitary transformations  as E  with { } its Kraus decomposition.Other transformations are possible, like the constant Set  superoperators, transforming any input state in the given state ; and the probabilistic combination of unitaries having Kraus decomposition { √     }  with    = 1 and   a unitary transformation (each   is applied with a given probability, which is useful for modelling noisy channels and gates).
Density operators can be used to describe the state of a subsystem of a composite quantum system.Let H  = H  ⊗ H  represents a composite system, with subsystems  and .Given a (not necessarily separable)   ∈ H  , the reduced density operator of system ,   = tr  (  ), describes the state of the subsystem , with tr  the partial trace over , defined as the linear transformation such that tr When applied to pure separable states, the partial trace returns the actual state of the subsystem.When applied to an entangled state, instead, it produces a probability distribution of states, because "forgetting" the information on the subsystem  leaves us with only partial information on subsystem .As an example, the partial trace over the first qubit of  = |Φ + ⟩⟨Φ + | is the maximally mixed state.

A LINEAR PROCESS ALGEBRA
In the following sections we describe the syntax and the type system of lqCCS processes, as well as a reduction-style semantics and a first notion of bisimilarity.Our process calculus is enriched with a linear type system both for reflecting the no-cloning theorem (see Proposition 2.1) and for resolving the minor discrepancy on qubit visibility summarized in the first three rows of Table 1.

Syntax and Type System
The syntax of lqCCS is defined as follows where  ∈ B,  ∈ N,  ∈ Q,  ∈ Var,  ∈ Chan with Q, Var, Chan denumerable sets of respectively qubit names, variables and channels, each typed.We use ẽ to denote a (possibly empty) tuple  1 , . . .,   of expressions.The process 0 ẽ discards the qubits in ẽ.It behaves as a deadlock process that maintains ownership of the qubits in ẽ and makes them inaccessible to other processes.As we will see, discard processes are semantically equivalent to any deadlock process using the same qubits.The process 0  1 , 2 is e.g.equivalent to 0  2 , 1 and to ? .(! 1 ∥ ! 2 ∥ !) \ , since  1 and  2 will never be available.When ẽ is the empty sequence, we simply write 0 to stress the equivalence with the nil process of standard CCS.This feature of lqCCS allows to clearly mark which qubits are hidden to the environment, thus relieving bisimilar processes to agree on them.Note that "discard-like" processes can be written also in We let  01 and  ± be the projective measurement over the computational and Hadamard basis respectively.We say that the channel name  is bound in  \  and free otherwise.We denote with fc() the set of free channels and with fv() the set of free classical variables of , defined as usual.
Affinity is often enforced in quantum process calculi for preventing qubits from being broadcast, which is forbidden by the no-cloning theorem.We decided to go one step further and to impose a linear type system, which forces the processes to either send or explicitly discard each qubit that they own.Therefore, the visibility of qubits is explicitly stated, relieving us from performing an arbitrary choice about the visibility of those qubits that are neither sent nor discarded.
Typing judgments are of the form Σ ⊢ .The use of quantum names is subject to linearity and those in use are collected in Σ ⊆ Q.The set of types is {Q, N, B}, respectively the type of quantum names, naturals and booleans.The set of channel types is { Q, N, B}.From now on we will assume that channels and variables are typed, and expressions involving natural and booleans are typed as standard.The typing system is in Figure 1, where for a set  we use Ã to denote the set of tuples ã such that any element of  occurs exactly once in ã.Linearity is enforced by the combination of rules Nil, QSend and Par.In particular, the former two are the only rules that introduce new qubits into the quantum context, therefore each quantum name must be sent along some channel or discarded; while the latter ensures that each qubit is not shared between parallel processes.
It is easy to show that the typing of processes is unique, therefore in the following we will simply write Σ  for the unique set of quantum names such that Σ  ⊢ .
Proof sketch.By induction on the derivations of Σ ⊢  and Σ ′ ⊢ .□ As a simple example of lqCCS, we present the following quantum lottery protocol QL, which uses a qubit to randomly select a winner between two competitors.
Example 3.2.Let QL =  ().01 ( ▷ ).((if  = 0 then !1 else !1) ∥ 0  ).The qubit  is firstly transformed with  and then measured in the computational basis.Depending on the outcome, stored in , either Alice or Bob is announced as the winner (through !1 and !1 respectively).Finally, the qubit is discarded as it is no longer needed.The unique typing of QL is given by {} ⊢ QL, with  : N,  : N,  : N, and  : Q.

Operational Semantics
The operational semantics of lqCCS is defined as a probabilistic reduction system (Conf ⊥ , →) over closed processes (i.e., processes  such that fv() = ∅), where with Conf the set of configurations of the form ,  , and ⊥ the "deadlock" configuration that always evolves in ⊥; Given a set Σ = { 1 , . . .,   } ⊆ Q, a global quantum state  is a density operator over H Σ = H ⊗ , where   refers to the -th qubit in .Expressions  are evaluated through a big step semantics  ⇓  with  a value, i.e. either  ∈ N,  ∈ B, or  ∈ Var.We restrict ourselves to standard boolean and arithmetic operations, and therefore omit the rules and assume free variables are not evaluated.
The type system is extended to configurations by considering the qubits of the underlying quantum state.In the following, we denote as Σ  the set of qubits appearing in .
Hereafter, we restrict ourselves to well-typed distributions.We extend the standard structural congruence relation for CCS [Milner 1992] as presented in Figure 2, and we impose congruent processes to be typed by the same Σ.The new rules allow the evaluation of expressions and reduction of if • then • else • occurrences.We lift the congruence to distributions of configurations by linearity and imposing ⊥ ≡ ⊥ and ,  ≡ ,  ′ whenever  ≡  ′ .
The transition relation → is the smallest relation that satisfies the rules in Figure 3, augmented with C → ⊥ if there is no Δ such that C → Δ [Deng 2018].We have the standard rules for CCS operators, so for example a process  .performs a silent action that does not affect the quantum state, and then continues its evolution as , while  \  behaves as  but the channel  is restricted, i.e.  cannot synchronize with other processes on that channel.Along them we introduce rules for superoperators and measurements.Since the arity of E can be smaller than the number of qubits in the quantum state , we define E q as the superoperator obtained by composing () a suitable set of SWAP unitaries to bring the qubits q in the first positions; () the tensor product of the superoperator E with the identity on untouched qubits on the right; and () the inverse of the SWAP operators of point () to recover the original order of qubits [Lalire 2006].The same mechanism is applied to measurements to obtain Noteworthy, the typing is preserved by the transition relation.
Proof sketch.By induction on the derivation of ,  −→ Δ.The only interesting case is for Reduce, for which we prove that substitution works if the new name is not in the typing context of the process, i.e. that if ∉ Σ is guaranteed by the typing of parallel processes.Note also that Σ  is not impacted by any rule, therefore it is trivially preserved.□ Example 3.5.The semantics of QL from Example 3.2 on quantum state |0⟩⟨0| is as follows Since quantum mechanics is intrinsically probabilistic, quantum processes are commonly compared by using some probabilistic version of bisimilarity [Deng and Feng 2012;Feng et al. 2007Feng et al. , 2012;;Lalire 2006;Lalire and Jorrand 2004].We follow the approach of Hennessy [2012], defining bisimulations directly on distributions.Differently from the previous proposals, we do not use labels but rely instead on contexts and barbs, i.e. defining a saturated bisimilarity à la Bonchi et al. [2014].
We start by defining barbs, i.e. atomic observable properties of the lqCCS processes.
Definition 3.6.A process barb is a predicate ↓  on processes satisfied by  (written Intuitively, the barbs of a process are the visible channels on which a value is ready to be sent, while the barbs of a distribution are defined as the probability of having a process capable to send on a given channel, or as the probability of having a deadlocked process.Notice that if Note also that barbs are purely classical.In saturated bisimilarities, contexts  [ • ] play the role of observers that are used for discriminating processes.In this first version of bisimilarity, they are defined as lqCCS processes with a typed hole.
up to structural congruence and typed according to the rules in Figure 1 and to the following one

Hole
A process  is applied to contexts by replacing the hole with .Intuitively, a context Σ ′ ⊢  [ • ] Σ is a function that given a process  returns a process  [] obtained by replacing  for [ • ], where Σ is the typing context of the valid inputs and Σ ′ the one of the outputs.Note that a context can own some qubits and each qubit cannot be referred to in both  and  to the support of Δ.It is trivial to show that if Δ and Θ are typed by the same typing context, then  [Δ] is defined if and only if  [Θ] is defined, and that their typing is unique.
In the following, we only consider well-typed distributions and contexts, and we impose bisimulations to be over distributions of the same type (thus we avoid specifying types).
Let saturated bisimilarity ∼  be the largest saturated bisimulation.
We say that two processes ,  are saturated bisimilar if ,  ∼  ,  for any .
When encoding a protocol or its specification in lqCCS, each qubit must be sent on a visible channel if its value is a relevant aspect of the given protocol, discarded otherwise.Notice that, thanks to linearity, the visibility of qubits cannot be ambiguous, and that ∼  replicates the results of the previous proposals in the unambiguous cases (see the first three rows of Table 1).
, !1 ∥ 0  .It suffices then to give the relation R below, which is a bisimulation once closed for congruence and contexts Finally, note that this result depends on the use of discard, meaning that the messages over  and  are the outcome of the protocol, and not the resulting quantum state.For example, the distribution |0⟩⟨0| ,  ().01 To prove that, it suffices to consider the context .if  = 0 then 0  else fail!, which will eventually exhibit the barb fail with the former distribution only.
As a result of our saturated approach, entangled pairs are correctly distinguished from separable states with the same partial trace (see the fourth row of the same table ).
Example 3.10.The processes in the fourth row of Table 1 ), because it will eventually exhibit the barb  if the state decays in |01⟩ (which is only possible for 1 4  ).Finally, notice that saturated bisimilarity equates the discard process 0  1 , 2 with both 0  2 , 1 and ? .(! 1 ∥ ! 2 ∥ !) \ .To prove that, it suffices to give the relation associating Δ with Δ[  /] for any choice of  and  among the processes above.This is clearly a bisimulation, once closed for contexts and congruence: for any context

CURBING THE POWER OF NON-DETERMINISTIC CONTEXTS
The example in the fifth row of Table 1, shows that saturated bisimilarity is inadequate for the quantum case (similarly to QPAlg [Lalire 2006] and qCCS [Deng and Feng 2012]).Moreover, we trace the cause of this problem to the interaction between probabilistic and non-deterministic behaviour.We define a new semantics where non-determinism in contexts is constrained.These constraints solve the problem above, matching a defining feature of quantum systems, i.e. that states cannot be observed without being affected.Nonetheless, processes can still perform different non-deterministic choices upon known classical values.As a result of that, processes in the sixth row of Table 1 are distinguished.

Non-Deterministic Issues
In quantum theory, the encoding of probability distributions of quantum states as density operators is not injective.Formally, a density operator represents an equivalence class of distributions of quantum states that behave the same according to quantum theory.They are defined by the relation Consider a pair of non-biased random qubit sources, the first sending a qubit in state |0⟩ or |1⟩, the second in state |+⟩ or |−⟩.Quantum theory prescribes that such two sources cannot be distinguished by any observer, as the received qubit behaves the same (see Nielsen and Chuang [2010, Section 2.4.2]).Indeed, the (mixed) states of the qubits sent by the two sources are represented by the same density operator 1 2  .One expects the lqCCS encoding of these sources to be bisimilar.Somewhat surprisingly, this is not the case.
Example 4.1.Take the fifth row of Table 1.After two steps with empty contexts, the two dis- that exhibits the barb  but not .It is easy to check that Θ cannot replicate this behaviour: for any choice of  and  it will either express both  and , or none of them.
, , E ( q). -⇝  E q (), , This result is paradigmatic, where different mixtures of quantum states are discriminated by a non-deterministic context that chooses how to reduce based on the value of the received qubit, which in theory should be unknown (see Figure 4).Note also that the two sources above have a deterministic behaviour, while non-determinism is only introduced by the context.
We argue that unconstrained non-deterministic contexts are too strong for representing the real capacity of discriminating quantum processes.Therefore, in the following, we give a new semantics that constrains non-deterministic contexts so that they cannot apply the strategy above to discriminate between processes.Note that removing + from the contexts is not sufficient, as we can replicate the same non-deterministic behaviour of Example 4.1 with just the parallel composition, e.g. with  ′ [ • ] = [ • ] ∥ ? .∥ ? ..

Constrained Bisimilarity
We consider a special set of processes, called observers, that are used as constrained contexts for lqCCS.An observer  is a process without silent action, restrictions and with non-deterministic choice limited to sums of receptions.We constrain non-deterministic choices for matching the observational limitations prescribed by quantum theory, while silent actions and restrictions are safely omitted for convenience, as they do not increase the discriminating capabilities of contexts (as proved by Bonchi et al. [2014]).
Formally, an observer is defined by taking the pre-terms generated by the following grammar and by imposing additional constraints over parallel composition A pre-term  is an observer if  ? .′ + ?. ′′ +  ′ for any  appearing in .This additional constraint forbids parallel processes in  from performing non-deterministic choices upon reception, and it could be decided by a suitable extension of our type system.Despite the syntactical constraints, the major difference between a process  and an observer  is their treatment in our enhanced semantics, which is given on extended configurations: triples with an observer as the third element.In the following, we sometimes write ,  for , , 0 .We say that  6).We lift ≡  to distributions by linearity and imposing ⊥ ≡  ⊥ and , ,  ≡  ,  ′ ,  ′ if  ≡  ′ and  ≡   ′ .Note that the commutativity of the parallel operator is preserved for processes, while it does not hold for observers: we want to distinguish the locus of the reductions for properly constraining the non-deterministic evolution of distributions.We give an enhanced semantics for lqCCS in Figure 5, adopting the style of Degano and Priami [2001]: an arrow -⇝  ⊆ Conf ⊥ × D (Conf ⊥ ) for any index , which encodes the non-deterministic choice of the observer (or ⋄ if only the process evolves).Indices are strings in {ℓ,  } * ∪ {⋄}, and we write  for the empty string, • for string concatenation, and  for indices different from ⋄.
In the rules In and Out, we write \ for any sequence of restrictions.We also write Δ ∥  and  ∥ Δ meaning that  is composed with the observers of Δ.As for the probabilistic semantics, the -⇝  is extended by imposing that C -⇝  ⊥ if there is no Δ such that C -⇝  Δ In the following, we lift semantic transitions, and write -⇝  instead of lift(-⇝  ) ∈ D (Conf ⊥ ) × D (Conf ⊥ ).The observational power is limited by the indexing as the lifting of -⇝  allows a distribution to evolve only when all its configurations reduce by performing the same choice.The absence of rules for observer synchronization does not limit the observational power [Bonchi et al. 2014].Note that the transition system is still non-deterministic, but different non-deterministic choices produce different indices.Nevertheless, the observer is still capable to behave differently in different configurations of the same distribution, but only through the if • then • else • construct or because of a sum of receptions (where the choice is performed by the sending process and not by the observer).This ensures that the observer choices are based on classical information obtained from the process.
We say that a configuration satisfies the barb , written , ,  ↓  , if  ≡ (! + ) ∥  or  ≡ ! ∥  (notice that we use ≡ instead of ≡  for , thus considering also commutativity, associativity, and identity).The extension of barbs to distributions is as usual.
We now define constrained saturated bisimulation with the usual assumption that it is defined over distributions of the same type, and that contexts are taken accordingly.

Behavioural Assessment of Constrained Bisimilarity
In the following, we state some important properties of ∼  .A first result recovers the linearity of the relation.We then prove that ∼  is strictly coarser than the previously defined ∼  .Furthermore, we show that our constraints are strong enough to agree with the limitations of the observational power prescribed by quantum theory.More precisely, we consider the equivalence classes over distributions of quantum states implicitly represented by density operators, and we generalize them as classes of bisimilar distributions of lqCCS configurations.An undue curbing of contexts is not better than a deficient one, therefore, we finally prove that the expressivity of the non-deterministic sum of processes is preserved when justified by classical information.
It follows from the linearity of barbs and the decomposability of -⇝  , which hold by definition.□ Regarding quantum properties, the enhanced semantics limits the capability of the observer to perform different choices in different configurations of the same distribution.As a result, csbisimilarity is strictly broader than s-bisimilarity, as observers are less powerful.
Proof sketch.Example 4.6 shows that ∼  ⊈ ∼  .For ∼  ⊆ ∼  we provide a translation • that annotates a given  with fresh barbs encoding the non-deterministic choices.We prove by induction that the enhanced semantics of , ,  corresponds to the standard semantics of ,  ||  , where  is composed with the parallel operator (as required by ∼  ).In particular, , ,  -⇝  Δ if and only if  ↓  and ,  ||  → Δ ′ with Δ ′ ↓ 0  (roughly, a -⇝  move corresponds to a → one where the barb  is "consumed").This allows us to prove that ∼  is a cs-bisimulation.□ From the proof above it follows that the enhanced semantics does not give cs-bisimilarity any additional discriminating power with respect to the standard semantics.In other words, we could have defined ∼  without changing the semantics, just requiring instead that contexts express their non-deterministic choices as barbs.The enhanced semantics -as well as the absence of congruence rules for parallel observers -is then just a convenient way to assign a name to each possible non-deterministic choice, which fits well with the SOS-style rules.
We discuss now how cs-bisimilarity deals with the issue presented in subsection 4.1.
A distribution Δ is deterministic if its evolution is fully probabilistic, i.e. if it evolves in a single distribution up to bisimilarity.For example, distributions without parallel operators and nondeterministic sums are trivially deterministic.

Definition 4.7 (Deterministic processes). A set of distributions
A distribution Δ is called deterministic if it is contained in a deterministic set.A process  is deterministic if , , 0 is deterministic for any state .
As previously stated, mixed states represented by the same density operator are indistinguishable.We recover an analogous result for lqCCS.Roughly, quantum states can be combined into a point distribution when paired with identical deterministic processes.is a bisimulation up to convex hull [Bonchi et al. 2017] and up to bisimilarity (the soundness of which is given by Proposition 4.19 and according to Pous and Sangiorgi [2011]).
The result mainly follows from the fact that the classical components of the distributions are identical, while the quantum components are indistinguishable, as superoperators and measurements are convex, i.e.F () ⊕  F () = F ( ⊕  ) for any superoperator or measurement F .The hypothesis of determinism is required for the cases of non-deterministic sums and parallel compositions.Indeed, Δ = ,  ∥ , 0 ⊕  ,  ∥ , 0 may evolve differently with the left and right component, e.g.choosing  in the left and  in the right.The hypothesis of the process being deterministic ensures that no information is leaked about  and , and ensures that the choice of Δ is irrelevant, allowing  ⊕  , , 0 to replicate its move.This is not possible in general, as shown in Example 4.10.□ Remarkably, transitivity of ∼  suffices for proving the bisimilarity of deterministic processes paired with distributions of quantum states that are represented by the same density operator.Note for example that |0⟩⟨0| , ! ⊕ and 4.1 are both bisimilar to 1 2 , ! .More in general, the equivalence classes represented by density operators are lifted to lqCCS distributions, yielding the equivalence R ⊆ ∼  relating Δ and Θ deterministic whenever  Δ , ,   =  Θ , ,   for all , .Note also that, thanks to the linearity of ∼  , the property above is not limited to syntactically identical processes.
A consequence of Theorem 4.8 is that ∼  is not decomposable, similarly to other proposals addressing the limitations of probabilistic bisimilarity [Deng 2018;Feng and Ying 2015].
Notice that Δ ∼  Θ by Theorem 4.8.Then, for ∼  to be decomposable, Θ should be equal to , ! as they send observably different quantum values.□ Theorem 4.8 targets deterministic processes because they represent fully defined physical processes, e.g., where all the choices are performed by boolean conditions.Indeed, there is no reason to expect the property to hold for processes expressing non-determinism à la CCS, as it does not encode any physical behaviour considered in quantum theory.More in detail, an extension of this theorem for general processes can only hold with overly constrained non-deterministic sums, and it would contradict Theorem 4.12 below, attesting to the preservation of the expressiveness of non-determinism in processes.We show an example of a non-deterministic process, derived from the sixth row of Table 1, for which Theorem 4.8 does not apply.
As discussed previously, this is expected as we want to restrict the non-determinism of observers only.Non-deterministic sum is typically used in processes to model unspecified behaviour, to be instantiated in future refinements.Thus, we do not want to constrain non-determinism to the point that + cannot replicate the behaviour of its refinements like boolean conditions.
We say that  ′ refines , if  ′ can be obtained from  by substituting some occurrences of  +  ′ with either ,  ′ , or if  then  else  ′ for an arbitrary .
Definition 4.11.The refinement relation  ′ ⪯  is the smallest reflexive relation satisfying the rules in Figure 7.We say that  ′ refines , and that a configuration ,  ′ refines ,  , if  ′ ⪯ .We let ⊥ refine all the configurations, and define distribution refinement by linearity.
A process is expected to be capable of matching any move of its refinements, thus, when considering  =  01 ( ▷ ).( +  ′ ), the moves of all  ′ ⪯  should be available for , included the ones of  01 ( ▷ ).if  = 0 then  else  ′ where the choice between  and  ′ depends on the outcome of the measurement.
We prove in the following that our constraints on non-determinism are not too restrictive, namely, that a distribution can simulate all its refinements.Theorem 4.12.
Proof sketch.We prove by rule induction that whenever  ′ ⪯  and ,  ′ ,  -⇝  Δ ′ then , ,  -⇝  Δ for some Δ such that Δ ′ ⪯ Δ.The proof for Congr relies on the fact that refinement and structural congruence works well together.In detail, we show that given  ′ ⪯  with  ′ ≡  ′ we can find some  such that  ′ ⪯  and  ≡ .In the other cases it suffices to use the induction hypothesis.The theorem then holds by decomposability of -⇝  .□ As a result of this property, the distributions Δ and Θ of Example 4.10 are distinguishable.
Example 4.13.Consider Δ and Θ of Example 4.10, and notice that Δ ′ ⪯ Δ, where Δ ′ sends on  if and only if the qubit is in |0⟩.Formally Δ ′ = |+⟩⟨+| ,  01 ( ▷ ).if  = 0 then ! else !, 0 (see Figure 8).By performing this choice, Δ ′ is implicitly communicating the outcome of the measurement to the observer (through a side-channel, we could say).Consider the context Fig. 8.The existence of the dashed arrow on the right is guaranteed by the solid one on the left by Theorem 4.12.
and note that, after two steps,  [Δ ′ ] reduces to a distribution expressing barb  but not , which is impossible for  [Θ].As a result of Theorem 4.12, Δ can replicate this move of Δ ′ , hence Δ ≁  Θ.
Our constrained bisimilarity is the first one to verify both Theorem 4.8 and 4.12, while all the previously proposed ones either fail in equating indistinguishable quantum states, or overly constrain non-determinism (see Table 1 for an in-depth comparison).

Properties of Constrained Bisimilarity
We now investigate our cs-bisimilarity.We first recover two defining properties of [Deng and Feng 2012], namely that ∼  is closed for superoperator application on qubits not appearing in the processes, and that the state of such qubits is required to match in bisimilar distributions.Then we show that discarded qubits can be "traced out" from the quantum state without affecting bisimilarity.Finally, we discuss up-to techniques for proving constrained bisimilarity.
We start by recovering trace-identity and closure over superoperator application.
Proof sketch.For the first point, take any superoperator E q , then there is a context that performs such transformation, so a context-closed relation is necessarily superoperator-closed.For the second one, we proceed by contradiction: if the reduced density operators of two configurations are different, then we can build a context which measures such qubits obtaining a different distribution of outcomes and thus distinguishing the configurations via fresh barbs.□ Note that this is a useful result for disproving bisimilarity, as e.g., distributions with different partial trace are immediately deemed distinguishable.
A result that helps instead in proving bisimilarity is that the state of discarded qubits can be ignored.In order to prove this in general, we extend the partial trace as follows.
Definition 4.15.The partial trace tr q , ,  over q of a configuration is defined as tr q () ,  ′ ,  if  ≡  ′ ∥ 0 q .We let tr q (⊥) = ⊥, and define the partial trace of distributions by linearity.
Intuitively, we remove the discarded qubits together with the discard processes.Note that such an operation is defined only on distributions of configurations that discard the same qubits.Proposition 4.16.Let Δ, Θ be distributions such that tr q (Δ) and tr q (Θ) are well-defined for a given q.If tr q (Δ) ∼  tr q (Θ) then Δ ∼  Θ.
Proof sketch.We show, by induction on -⇝  , that the semantics of C and of tr q (C) are equivalent, and since the partial trace does not affect barbs, the desired property follows.□ Note that, even if this property is given for the process 0 q , we can apply it to any "discard-like" process thanks to the linearity of ∼  , i.e. to any process bisimilar to 0 q .
The capacity to ignore discarded qubit is useful in a lot of proofs, as for the example below.
Finally, we report a general proof technique.While proving bisimilarity of two distributions usually requires giving a bisimulation relating the two, up-to techniques allows using smaller relations in place of proper bisimulations.Given a relation R ⊆ D () × D (), its convex hull  (R) is the least relation such that Bisimulations up to  [Bonchi et al. 2017] are then defined as follows.

Definition 4.18 (Bisimulation up to convex hull
Giving a bisimulation up to convex hull is a sound proof technique for ∼  .Proposition 4.19.If Δ R Θ with R a bisimulation up to convex hull, then Δ ∼  Θ.
Proof sketch.We need to show that  is compatible [Pous and Sangiorgi 2011], which follows from the linearity of barbs and from the fact that -⇝  is decomposable.□

CONSTRAINED BISIMILARITY AT WORK
We discuss real-world protocols: quantum teleportation, superdense coding and quantum coin flipping.We show how lqCCS models them, and how ∼  is used for proving their properties.

Quantum Teleportation
The objective of quantum teleportation [Bennett et al. 1993] is to allow Alice to send quantum information to Bob without a quantum channel.Alice and Bob must have each a qubit of an entangled pair |Φ + ⟩.The protocol works as follows: Alice performs a fixed set of unitaries to the qubit to transfer and to their part of the entangled pair; then Alice measures the qubits and sends the classical outcome to Bob, which applies different unitaries to their own qubit according to the received information.In the end, the qubit of Bob will be in the state of Alice's one, and the entangled pair is discarded.Note that Alice is not required to know the state of the qubit to send.
Consider the following encoding of the protocol where we assume that Alice (A) and Bob (B) already share an entangled pair ( 1 ,  2 ) (we write () 2 to stress that  is in binary representation) Since there is no qubit in | Φ + ⟩⟨ Φ + | apart from the ones in Σ Tel ,  is in deadlock for any context until a send operation on an unrestricted channel is reached (and the same for Θ).For simplicity, we will therefore omit the contexts in the first steps where

Superdense Coding
We consider a generalization of the superdense coding protocol [Bennett and Wiesner 1992].Assume Alice and Bob have each a qubit of a Bell pair |Ψ + ⟩.The protocol allows Alice to communicate a distribution of two-bit integers to Bob by sending their single qubit to Bob.The protocol works as follows: Alice chooses a distribution of integers in [0, 3] and encode it by performing suitable transformations to their qubit, which is then sent to Bob; Bob receives the qubit and decodes the distribution by performing CNOT and H ⊗ I on the pair of qubits (the received qubit and their original one), and then a measurement on the standard basis.By measuring the qubits, Bob recovers the distribution chosen by Alice, and can use it as they like.
We consider the following instantiation of the protocol, where Bob uses the received value to decide (in an unspecified way) on which channel to send the received qubit (either channel  or ) More in detail, Alice encodes: the point distribution 0 by applying the unitary I, 1 with  , 2 with Z, and 3 with ZX.In general, they apply a superoperator E with Kraus decomposition Consider now the following where Rob (in place of Bob) forgets to measure the qubits R = ? .CNOT(,  1 ).H ()..((! + !) ∥ 0  1 ) Ideally, Rob cannot base their decision on the value sent by Alice, hence we expect SDC to be distinguishable from the case where R is substituted for .Indeed, |Ψ + ⟩⟨Ψ + | , A ∥ B \  and |Ψ + ⟩⟨Ψ + | , A ∥ R \  are not constrained bisimilar in general.Consider, for example, E with Kraus decomposition { 1 2 I, 1 2 X, 1 2 Z, 1 2 ZX} (i.e.Alice encodes a fair distribution of all the possible values).Assume we always take the empty observer  [ • ] = [ • ] whenever we do not specify otherwise, and note that the following steps are forced where Δ B is defined as Similarly, for Rob we have that the following are forced Take now the following context and assume  ′ [Δ B ] evolves as expresses the barbs success and fail with probability 1/2 and 0 respectively.On the contrary,  ′ [Δ R ] may only evolve as either and, after a reduction, must express both the barbs  and fail with either probability 1/2 or 0. This important result is due to the Theorem 4.12, which allows B to behave as if any boolean conditional was in place of +, thus to send the qubit on  if the outcome of the measurement is strictly lower than 2, and on  otherwise.The other proposed behavioural equivalences for addressing the problem of the standard probabilistic bisimilarity deem the two distributions indistinguishable (see section 6 for an in depth comparison).

Quantum Coin Flipping
We present now a more complex example, namely the Quantum Coin Flipping (QCF) protocol.Suppose Alice and Bob do not trust each other, and want to randomly select a winner between them.Bennet and Brassard [2014] propose a protocol in which Alice chooses either the 01 or ± basis at random, then generates a sequence of random bits and encodes them into a sequence of qubits in the selected basis (the first element of the basis stands for bit 0, the second for 1).The qubits are then sent to Bob, who measures each of them in a random basis (01 or ±).Finally, Bob tries to guess the basis chosen by Alice: Bob wins if the guess is correct.
Bob has no way to find Alice's basis from the received qubits, so the guess will be correct or wrong with equal probability.Alice could cheat, lying about their basis.To protect Bob, at the end of the protocol, Alice must reveal their basis and the original bit sequence.Bob then compares the original sequence with the previously stored outcomes of the measurements.For qubits where Alice's basis coincides with Bob's one, the outcomes must coincide with the original bit sequence.
Hereafter, we let   be the -th bit of the integer , and resort to some minor extensions of lqCCS ,  [1/] , and could be implemented with an additional qubit.
• We assume a mapping  from bit to bases with  (0) and  (1) the 01 and ± basis.
We formalize QCF as follows, where  is the number of qubits, and the outcome is sent on  and  (1 if Bob wins and 0 otherwise).We use  =   ′ for comparing digits, defined as (1 −) (1 − ′ ) + ′ .
where  = {AtoB, guess, secret, witness}.We will focus just on the execution of  01 , as the other one is symmetrical.The first actions of Alice are to prepare the qubit at random and send it to Bob.The latter will then measure it in a random basis and record the result.Formally 1 2 where Alice ′ 01 = guess?.(!( =  0) ∥ secret!0 ∥ witness!).After the measurement (and after synchronising with the server processes) Bob send their random guess of the secret basis to Alice, who reveals the correct one.Bob checks the consistency of Alice response, and if the protocol is executed correctly the two parties will agree on the outcome: either 0 or 1 with equal probability. 1 2 1 4 1 4 It is easy to see that in this last step QCF expresses the barbs ↓  and ↓ , sending the same values as the specification FairCoin, and the two are indeed bisimilar.
Dishonest Bob.In order to cheat, Bob needs to discover Alice's secret from the sent qubits alone.This is impossible, because Theorem 4.8 deems the initial prefixes of Alice 01 and Alice ± bisimilar.
Dishonest Alice.Interestingly, Alice can cheat by using additional qubits entangled with the ones they send to Bob.By measuring their entangled qubits in Bob's chosen basis, Alice forges a fake witness for deceiving Bob (in the process, Alice wins and 0 is sent on  and ).We call this attacker Alison, and show that 0 2 0 2 , (Alison ∥ Bob) \  ∼  0 2 0 2 , UnfairCoin .
The UnfairCoin specification always selects Alison as the winner, and never expresses the ↓ ℎ barb.In other words, (Alison ∥ Bob) \  ∼  UnfairCoin means that Alison is always capable of tricking Bob without being discovered.
The behaviour of Bob is identical to the previous case.Indeed, the reduced density operator of the qubits sent by Alison is indistinguishable from the one of the honest Alice.But after receiving Bob's guess, Alison can measure their own qubits, which have decayed as the ones of Bob.In this way, her fake witness  ′ will always be correct, as we show for the case 1 2 We focus on the quantum process calculi most similar to our proposal, as well as the better established and developed, namely QPAlg [Lalire 2006;Lalire and Jorrand 2004], CQP [Davidson 2012;Gay andNagarajan 2005, 2006], and qCCS [Deng 2018;Deng and Feng 2012;Feng et al. 2014Feng et al. , 2007Feng et al. , 2012;;Feng and Ying 2015;Ying et al. 2009].When comparing the proposed behavioural equivalences, we abstract from the "classical" details and focus on the quantum-related features, restricting ourselves to the strong version of the bisimulations.A first difference with lqCCS is that they are mostly based on labelled bisimilarities.Table 1 summarizes distinctive prototypical processes (in the lqCCS syntax) deemed bisimilar or not according to different approaches.
One of the discrepancies is the visibility of qubits that are neither sent nor discarded.The first three lines contain processes whose bisimilarity depends on the assumption about the visibility of these unsent qubits.Our linear type system makes the former assumptions irrelevant.In the fourth line, the processes send pairs of qubits with the same partial trace if taken separately, even if a pair is entangled and the other is not.The fifth line compares processes where the state of the sent qubits is represented by the same density operator, whose bisimilarity is implied by Theorem 4.8.Finally, the sixth line compares two processes where a qubit is sent non-deterministically over two channels: for each channel, the state of the sent qubits is represented by the same density operator, but if the chosen channel depends on the outcome of the measurement the two processes can be distinguished.Bisimilarities that do not distinguish these two processes cannot satisfy Theorem 4.12.

QPAlg
The Quantum Process Algebra (QPAlg) is an extension of synchronous value-passing CCS with primitives for unitary transformations and measurements.As common, quantum operations are silent, and quantum communication updates quantum variables.They propose a probabilistic branching bisimilarity, adapted for stateful computations by requiring bisimilar processes to send the same quantum state, defined as the partial trace of the global quantum state.However, this bisimilarity is coarser than prescribed by the theory when states are entangled [Davidson 2012].
Example 6.1.The processes in the fourth line of Table 1 are bisimilar in QPAlg, as they send pairs of qubits with the same partial trace ( ).Such processes are not bisimilar according to ∼  , as the context of Example 3.10 discriminates the two.
Finally, behaviourally equivalent processes are not required to behave similarly on unsent qubits, e.g. ().0 and  ().0 of the first line of Table 1.In lqCCS, the above processes are not legal, but a similar result holds for  ().0  and  ().0  .

CQP
The calculus of Communicating Quantum Processes (CQP) is inspired by the -calculus and it is enriched with qubits declarations (that extend the quantum state) and quantum transformations, but without guards or match operators, thus lacking the form of classical control used in lqCCS.They introduce an affine type system prescribing that every qubit is sent at most once.CQP comes with a reduction semantics [Gay andNagarajan 2005, 2006] and a labelled one [Davidson 2012], both based on pure quantum states.Davidson proposes mixed configurations, i.e. configurations where a single process is paired with a probability distribution of classical and quantum states.Mixed configurations represent non-observable probabilities due to measurements whose result is not communicated yet, and they are treated as a single state by the semantics.Our proposal generalizes CQP mixed configurations to distributions of configurations with possibly different processes.This is necessary for extending approach to processes with boolean guards.
A branching bisimilarity is defined for the labelled semantics of CQP.To avoid the problem of QPAlg with entangled states, bisimilarity requires that the reduced state obtained by collecting all the sent qubits coincide.Moreover, mixed configurations allow relating processes sending indistinguishable quantum states.The resulting bisimilarity is a congruence for parallel composition and is capable of equating interesting cases such as the one of the fifth line of Table 1.
Example 6.2.Consider |+⟩⟨+| ,  01 ( ▷ ).! and |0⟩⟨0| ,  ± ( ▷ ).! .Even though they end up in different quantum states, the two configurations above are bisimilar according to CQP, because they send on channel  qubits with the same partial trace.Our proposed bisimilarity replicates this result by resorting to contexts with constrained non-determinism (see Example 4.6).Indeed, a context receiving the qubit cannot behave differently depending on its state if not through measurement, and when measured, the states of the two qubits coincide.
Our cs-bisimilarity extends the one of CQP in a context-based fashion over standard distributions.CQP behaves as QPAlg with respect to unsent qubits (see the first line of Table 1).

qCCS
Our process calculus takes its most direct inspiration from qCCS, a synchronous CCS-style calculus with superoperators and measurements where syntactic restrictions guarantee each qubit is sent at most once.A feature of qCCS is the support for recursive processes, which we postpone to future work.Two different labelled bisimilarities are proposed for qCCS: the first is based on standard probabilistic bisimulations; the second one relies on transition consistency and subdistributions.
The probabilistic bisimilarity [Feng et al. 2007[Feng et al. , 2012] ] (denoted by ∼  in Table 1) requires bisimilar processes to send the same names on the same channels and to produce the same quantum state of qubits that are not owned any more.In addition, bisimulations must be closed under applications of trace-preserving superoperators on not-owned qubits.Therefore, the processes of the first line of Table 1 are distinguished.We recover this assumption by sending the qubits (see the third line).
Moreover, Proposition 4.14 shows that cd-bisimilarity replicates the ∼  requirements over superoperators and not owned qubits.The probabilistic bisimilarity of qCCS is proved to be a congruence with respect to parallel composition.Further extensions are the (weak) open bisimilarity proposed in Deng and Feng [2012], proven to be a weak barbed congruence, and a symbolic version of the bisimilarity in Feng et al. [2014], that relieves from considering all the (universally quantified) quantum states of a configuration when verifying bisimilarity.
Configurations like the ones of the fifth line of Table 1 are not bisimilar for ∼  , even though they are indistinguishable according to quantum theory.This discrepancy was signalled in Kubota et al. [2012] and lead to a new proposal called distribution bisimilarity [Deng 2018;Feng and Ying 2015] (denoted by ∼  in Table 1), which is directly defined on distributions and is based on transition consistency.A distribution is called transition consistent if any configuration in its support has exactly the same set of enabled visible actions.In addition to closure with respect to superoperator application, bisimilar distributions are required to be such that: () the weighted sums of the state of not owned qubits in the support coincide; () the possible transitions of one transition consistent distribution are matched by the other one, and; () if the distributions are not transition consistent, then they must be decomposable in bisimilar transition consistent distributions.On the one hand, considering distributions as a whole when comparing the quantum states equates processes like the ones of the fifth line of Table 1.On the other hand, transition consistent decompositions recover a weakened version of decomposability, avoiding equating distributions that cannot evolve because the processes in the supports enable different actions only.
The use of transition consistency in ∼  implicitly constrains non-determinism.In the last line of Table 1, we compare such constraints with the ones we impose on lqCCS.While our ∼  is capable of distinguishing the two processes, ∼  cannot.In fact, the lifting of the labelled semantics of qCCS forbids processes from replicating the moves of their refinements (as lqCCS does).
Example 6.3.Consider the pair of processes of the last line of Table 1.They reduce to We show in Example 4.13 that Δ ≁  Θ, as Δ can choose to send the qubit over  only when it is set to |0⟩, while Θ cannot.In the distribution bisimulation of Feng and Ying [2015], instead, only the moves that choose the same channel in all the configurations of the support are considered, deeming the two distributions bisimilar.This means that  01 ( ▷ ).(! + !) cannot use the value of  to choose the channel over which to send, as it would be expected, and thus that the constraints over non-determinism are arguably too strong in Feng and Ying [2015].
Finally, Feng and Ying [2015] acknowledge that weak distribution bisimilarity is not a congruence.Its strong version is not a congruence either: take The same also holds for ∼  , which is a congruence with respect to observers but not to parallel composition.We believe that ∼  actually verifies the indistinguishability property over deterministic processes of Theorem 4.8, and  [Δ] ≁   [Θ] shows that the result cannot be extended to general processes.On a similar note, ∼  does not preserve the expressiveness of non-deterministic choices based on classical information stated in Theorem 4.12.

CONCLUSIONS AND FUTURE WORK
We presented lqCCS, a quantum process calculus with asynchronous communication and a linear type system guaranteeing that each qubit is sent or discarded exactly once.The latter lifts the semantics from making arbitrary assumptions about the observability of unsent qubits, which was a discrepancy among related works.
The main result of this work is a novel stateful reduction semantics together with a saturated probabilistic bisimilarity that relies on contexts for distinguishing quantum processes.These choices allowed us to investigate and compare the discriminating capabilities of the bisimilarity against the principles of quantum theory.By employing standard contexts, we found that the problems highlighted by Davidson [2012] and Kubota et al. [2012] are caused by the interaction between non-determinism and quantum features.In particular the standard notion of non-determinism subverts a defining feature of quantum theory by allowing contexts to perform moves based on the possibly unknown quantum state, without performing a measurement and thus perturbing it.We enhanced the semantics of lqCCS and constrained non-determinism by requiring the contexts to perform the same move in all the configurations of a given distribution (when no classical branching is possible).The resulting bisimilarity relation is strictly coarser than the unconstrained one.
We prove two main properties: () indistinguishability of quantum states can be lifted to classes of bisimilar distributions of lqCCS configurations; and () non-deterministic choices can perform moves according to known classical values, simulating the semantics of boolean guards.Intuitively, the first guarantees that constraints are indeed sufficient to prevent non-determinism from subverting quantum features, while the second ensures that constraints are not too restrictive.Moreover, we showed by counterexample in Table 1 that no bisimilarity in the literature satisfies both of them.Furthermore, we proved that the novel bisimilarity is linear with respect to probabilistic composition, and closed for superoperator application on qubits not appearing in the processes, which are also required to be equal in bisimilar distributions.Moreover, discarded qubits can be "traced out" without affecting bisimilarity.An up-to technique is given to aid bisimilarity proofs.We tested our approach by modeling and analysing three real-world protocols.Finally, we compared our findings with previously proposed bisimilarities, using simple prototypical cases that highlights dinstinguishability features required by quantum theory.
Discussion.Our work starts with an example-based analysis of the proposed bisimilarities and their adherence to expected indistinguishability results prescribed by quantum theory.Through our analysis, we identify some desired properties that we later prove for our proposed bisimilarity (mainly, Theorem 4.8 and Theorem 4.12).Bisimilarities for quantum processes are difficult to justify and validate, as we have no touchstone but the prescriptions of quantum mechanics about what can be operationally distinguished.Our set of examples and the properties they suggest help with this problem, and they are sufficient to tell apart cs-bisimilarity and the previous proposals.
We opted to work with a well established and fairly standard calculus, limiting changes to the ones needed for addressing the problems at hand.Thus, we left unaltered the semantics of processes, only restricting the behaviour of observers, and we stick with a classical probabilistic approach.
Alternative approaches may be considered.One could characterise feasible non-deterministic choices in general, constraining them also in processes.Unfortunately, the expressivity of processes would be weaker than the ones considered in the related works, since this approach may result in overly constrained processes, thus making the comparison less direct.Otherwise, one could look for a more suitable notion of quantum distribution that naturally satisfy the desired properties of indistinguishability, similarly to what is done by Davidson [2012] and Feng et al. [2014].
Both these approaches seem promising follow-ups for our work, that can serve as a preliminary investigation on how process semantics should be changed to accommodate to quantum theory.
Future Work.One aim of our future work is to extend lqCCS, namely with qubit declaration primitives and recursive processes.We will also explore weak versions of the constrained bisimilarity, as done by Feng et al. [2007] and Davidson [2012], and enhanced proof methodologies, i.e. by investigating pruning techniques and by looking for an equivalent labelled bisimulation, following the approach of Bonchi et al. [2014].The advantage would be two-fold: to avoid the universal quantification over contexts and to identify an adequate set of observable properties.
Moreover, we will further investigate some of the shortcomings of probabilistic bisimulation with respect to non-determinism.The solution presented in this work is only one of many possible approaches, where non-determinism is unconstrained in the processes and constrained in the contexts.An alternative approach is to characterize feasible choices in general, constraining nondeterminism also in processes, by taking into account all the legit reasons for configurations of the same distribution to behave differently.We guess this will give a bisimilarity that is a congruence and that still satisfies our desired properties, something which is missing among current proposals.
Finally we will investigate how spurious non-deterministic moves impact on model checking when applied to quantum systems.

A GENERAL QUANTUM OPERATIONS
In order to prove some quantum-related properties, we need some additional definitions, which will be used in the rest of the appendices.We extend the notion of density operators and superoperators, in order to include also sub-probability distributions and trace-nonincreasing superoperators.
Lemma A.3.Let  ∈ DO (H p ⊗ H q ), with p =  0 . . . −1 and q =  0 . . . −1 .Then, for any two superoperator E p ∈ SO (H p ) and F q ∈ T S(H q ) tr q (E p ⊗ F q ) () = E p tr q () Proof.The density operator  is described in the form  =     , | ⟩⟨ |, where ,  are elements of some orthonormal basis of H p and ,  of H q tr q (E p ⊗ F p ) = ∑︁ Proof.By induction on the derivations Σ ⊢  and Σ ′ ⊢ .It is trivial to show that the derivation rules are non-overlapping, i.e. two distinct rules cannot be applied for the same process, thus the derivation tree must have the same rule applications.Only the QSend and Par rules can introduce quantum variables into the context.Since the QSend rule is completely determined by the syntax of the process, both derivations must introduce the same quantum variables in their respective contexts.Furthermore, for the Par rule, by induction it must hold that the two possibly smaller contexts of the subprocesses are equal between the two derivations, thus the resulting union is equal.
Proof.By induction on the derivation of Σ ∪ { } ⊢ .Let us analyse the interesting cases: For the QOp rule it must be that  = E ( x). for some process .By induction hypothesis, it holds that Σ ∪ { } ⊢ , but  ∉ x by the hypothesis  ∉ Σ, thus we can apply the QOp rule.The same line of reasoning is valid for the QMeas rule.The QSend rule is also guaranteed by the  ∉ Σ requirement.Finally, the derivation of Par imposes that only one of the components, w.l.o.g.  , contains the variable  in its quantum environment Σ  .Thus, by induction we obtain Σ  [  /] ⊢   .While for the other components, there is no change since they do not contain the variable .However, since  ∉ Σ, we can conclude that all smaller environments are still pairwise distinct, thus we can apply the Par rule again.□ Theorem 3.4 (Typing Preservation).If (Σ  , Σ  ) ⊢ ,  and ,  −→ Δ then (Σ  , Σ  ) ⊢ Δ.
Proof.By induction on the transition relation −→ rules.Most rules follow trivially by induction on the premises, in particular no rules affect Σ  .For measurements, with the QMeas rule, a substitution property for classical values is required, however, it is trivial in the standard type system for naturals and booleans.For transitions with the Congr rule, it must be that Σ  ⊢  by definition of ≡.By induction (Σ  , Σ  ) ⊢ Δ and, again, by definition of ≡ it must hold that (Σ  , Σ  ) ⊢ Δ ′ .The remaining interesting case is the Reduce rule.Since  = (! + ) ∥ ((? .′ ) + ) then if  is not a quantum channel Σ ⊢  ′ .By classical substitution results it holds that To prove Theorem 4.5 we need to introduce tagged processes.The idea is that whenever a distribution  [Δ] can perform an indexed transition -⇝  , then the tagged version  [Δ] express a barb named  with probability one.This allows us to interpret the enhanced semantics as standard probabilistic reductions, and show that constrained saturated bisimilarity does not have greater discriminating power (thanks to indices) with respect to saturated bisimilarity.
Definition C.1 (Tagging operation).We define the •   operation, which tags (the observer in a) configuration with barbs in {ℓ, , } * . is the starting string of the barb, and  is used when we want to add an additional  in front of the barbs starting with  , , We extend the tagging operation via linearity: Definition C.2 (Tagged transitions).We define the set of tags a configuration We define two kinds of tagged transition from (tagged) configurations to distributions And we extend this notion to distributions via linearity We now prove that the indexed transitions of , ,  are essentially the same of the tagged transitions of , ,  .If rule OQOp is valid, then  ≡ E ( q). 1 , we have We must further check that: C  → Δ   : .The first condition,  ∈  ( C  ), is true by !0.The second,  ∉  (C ′ ), is true because any new barb expressed by  1  must start with .The third condition,  ( C  ) \ { } ⊆  ( Δ   ), is also trivially true since the only syntactic difference between the C and Δ is the barb-expressing !0.
If rule OQMeas is valid, then  ≡  ( q ▷ ). 1 , we have and, noting as before that holds as for the OQOp noting that each element in Δ   has syntactically the same sendings.
If rule Input is valid, then  ≡ ? . 1 +  2 , we have holds trivially as for the OQOp.If rule Output is valid, then  ≡ !, we have :  holds trivially as for the QInput.If rule ParL is valid, then  ≡  1 ∥  2 , we have Proof.Note that any transition C  = ,  ∥   → Δ :  must involve , because a transition modifying only  would not be tagged as .We will then proceed on induction on the syntax of .
If  = 0 ẽ , there are no -tagged transitions going out from ,  ∥ 0 ẽ = ,  ∥ 0 ẽ .If  = E ( x). ′ , we have for some set of   and   .Then the proof is identical to the previous case, noticing that  [/]   =    [/] as the tags depends on the position of the processes and not on their content.If  = !, then  must be receiving on the unrestricted channel , so we have for some (possibly empty) set of restrictions  and processes  ′ ,  ′′ , .But then C ≡  , (((? . If  is a sum of reception, then  must be sending on at least one of the channel in , so we have C  ≡ , (((! + ) ∥  ∥ (? . ′  +   + !0)) \  → Δ ≡ , ( \ ) ∥  ′ [/] :  for some (possibly empty) set of restrictions  and process , and the proof is identical to the previous case.
If  = if  then  1 else  2 , then the only way to have a transition is after applying the structural congruence and obtaining either  1 or  2 , from which the desired property is obtained thanks to the inductive hypothesis and the fact that   ≡  ′  if and only if  ≡   ′ .If  =  1 ∥  2 and C  ≡ ,  ∥  1  ∥  2  → Δ : , then the transition cannot be a synchronisation between  1 and  2 because all the tags of   must be in Δ except from , and a synchronisation would destroy two tags, not just one.Suppose then that the transition involves  1 , the  2 case is symmetric.From the SemPar rule must be ,  ∥  1 ℓ → Δ ℓ with Δ = Δ ℓ ∥  2  .This transition is still tagged with , as the  tag is present in  1 ℓ ∥  2  but is absent in Δ ℓ ∥  2  , no must be in  1  .Besides, we know that  = ℓ ′ for some  ′ , as it is easy to verify that all the tags in  1 ℓ start with ℓ.Then we can apply the inductive hypothesis Proof.The direction ∼  ⊈∼  is given by Example 4.6.For ∼  ⊆∼  , we define the relation R = {(Δ, Θ) | Δ ∼  Θ } And then we prove that R is a constrained distribution bisimulation.Notice that, taken Δ, Θ ∈∼  , when we interpret them as distribution of triples they have a 0 observer, and so Δ = Δ and Θ = Θ.This means that ∼  ⊆ R, and if R is a bisimulation then ∼  ⊆∼  .Notice also that R is context-closed, meaning that if Δ, Θ ∈ R, then also because ∼  is context-closed.Finally, R is linear and decomposable, as • is defined by linearity and ∼  is linear and decomposable (as proven in [Hennessy 2012], proposition 5.8).
Take Δ, Θ ∈ R. Since Δ and Θ are bisimilar, they express the same barbs.But Δ expresses at least all the barbs of Δ (and similarly Θ ), so also Δ and Θ must express the same barbs.

𝜋
. But since they are bisimilar, they express the same barbs, and from Θ ̸ ⊥ → Θ ′ :  we get Θ ̸ ⊥ -⇝  Θ ′′ with Θ ′′  ≡ Θ ′ .To sum up, we have ∼  Θ ′′  .It's possible to verify that Δ  ∼  Θ  implies Δ ∼  Θ , as there is a bijection  between the free channels of Δ and of Δ  , and so any context  [ • ] applied on Δ has the same behaviour of the context  ( [ • ]) applied on Δ  , and vice versa.Given that, since ⊥, ⊥ ∈ R and R is linear, we can conclude Δ ′ RΘ ′ .□ C.2 Proof of Theorem 4.4 and Theorem 4.8 Before proving Theorem 4.4 and Theorem 4.8, it is convenient to prove the soundness of the bisimilarity up to convex hull technique [Bonchi et al. 2017].To do so, let us define the function on relations , which is the function of which bisimilarity is the greatest fix point and recall the definition of convex hull from [Bonchi et al. 2017] Observe that both  and  are monotone functions on the lattice of relations.
Lemma C.8.If Δ, Θ are deterministic, then Δ ⊕  Θ is deterministic for each probability .Proof.We will prove that, for any probability  For the first condition, we have that Δ ↓   if and only if  = 1 and  or  express the barb .Then, also Θ expresses the barb  with probability one, and vice versa.
For the second condition, suppose that , ,  -⇝  Δ ′ .We will proceed by induction on -⇝  to prove that Θ -⇝  Θ ′ with Δ ′  (R)Θ ′ .The "classical" cases, that do not modify the quantum state, are trivial, since if Δ -⇝  Δ ′ then Θ can go in Θ ′ performing the same move in both configurations, and Δ ′ RΘ ′ .The only interesting cases are QOp and QMeas for the process, and OQOp and OQMeas for the observer.

Fig. 4 .
Fig.4.On the bottom, the evolution of  [Δ] into Δ ′ and then Δ ′′ .The last step is built by convex combination of two freely chosen moves of the subdistributions, which are displayed above.It is clear that observers can make different non-deterministic choices for each subdistribution, also based on quantum states.
because  cannot be in Σ due to the application of the Par rule for the ∥ operator.□ C PROOFS OF SECTION 4.3 C.1 Proof of Theorem 4.5
ℓ  : ℓ holds by inductive hypothesis by setting  = ℓ.The case for ParR is analogous to the case for ParL.Finally, the Congr rule is simply resolved by induction, since its trivial to show that the congruence relation does not change the barbs expressed by a distribution.□ Lemma C.5.For any observer  and index  ≠ ⋄, we have ∀ ,  ∥   → Δ :  =⇒ , ,  -⇝  Δ ′ with Δ ′   ≡ Δ The proof follows from Lemma C.3, Lemma C.4 and Lemma C.5, thanks to linearity of -⇝  and → :  □ We can now finally prove Theorem 4.5 Theorem 4.5.∼  ⊊ ∼  .
and Σ ⊆ Σ  .Distributions of configurations  + 0 ẽ ≡     ≡   [  /] Structural congruence of lqCCS observers are typed as usual.Contexts  [ • ] Σ are defined from observers  up to structural congruence as  [ • ] Σ [ • ] Σ ∥ .Context application  , ,  is defined over configurations as , ,  [] .We define a new congruence for observers, named ≡  , based on ≡ but lacking rules for parallel and restriction operators (see Figure SCCSumNil  +  ≡   +  SCCSumComm  + ( + ) ≡  ( + ) +  SCCSumAssoc if ff then  else  ≡   SCCIteF if tt then  else  ≡   SCCIteT  ⇓ Definition A.1 (Partial Density Operators).Given a Hilbert Space H , to each subprobability distribution of states Δ we associate a partial density operator  =  Δ(  ) |  ⟩⟨  |.We indicate with D ≤1 (H ) the set of partial density operators of H . Notice that density operators and partial density operators are defined in the same way, but the latter can have trace less than one, since they come from sub-probability distributions.Definition A.2 (Trace-nonincreasing superoperators).A superoperator E : D ≤1 (H ) → D ≤1 (H ) is a function with a Kraus operator sum decomposition {  }  , with 1 ≤  ≤ dim(H ) such thatWhere  ⊑  means that  −  is a positive semidefinite matrix (i.e., ⟨ | ( − ) | ⟩ ≥ 0 for any | ⟩), and  H is the identity operator on H .We call SO (H ) the set of (trace-nonincreasing) superoperators on H , and T S(H ) ⊆ SO (H ) the set of all trace-preserving superoperators, i.e. superoperators such that for any  ∈ DO (H ): tr(E ()) = tr().