Journal of Logical and Algebraic Methods in Programming

Multiparty session types (MPST) are a typing discipline for ensuring the coordination of multi-agent communication in concurrent and distributed programs. The original MPST framework mainly focuses on the communication aspects of concurrency, unable to capture important data invariants in communicating programs. This work introduces value dependent types to the MPST framework in order to increase its expressiveness for certifying invariants of data exchanged among multiple participants. The key idea is to impose constraints on the exchanged data, which is explicitly witnessed at runtime by proof objects . The enriched MPST framework provides programmers with a precise global description of the interaction and data dependent patterns, from which local (data dependent) descriptions can be automatically generated for each endpoint, faithfully capturing at a local level the global data constraints. The framework ensures the absence of communication errors and guarantees communication progress in well-typed multiparty sessions. We also develop an extension of value dependencies based on proof irrelevance that enables the selective erasure of proof objects at runtime.


Introduction
Session types [7,15] are a type discipline for concurrency which imposes structure to communication actions and ensures consistency and compatibility between the two ends of a given communication. It can be seen as the analogue of the data type which imposes structure to data instances and matches use and definition of a method, and import and export of a module. A more general view of a session is that it combines multiple interactions forming a meaningful scenario into a single logical unit, offering a basic programming abstraction for communicating processes. Given that in a wide range of application scenarios it is necessary to coordinate multiple communicating agents, multiparty session types (MPST) are proposed in [3,8] to enable the specification of interactions involving multiple peers from a global perspective. This global specification is then automatically mapped (or projected) to local types against which a conformance of each individual endpoint process is validated. Using this framework, communication safety is ensured among multiple endpoints.
This work proposes a multiparty session discipline for expressing and certifying global properties that may depend on the exchanged data, by introducing value dependent types for multiparty sessions. Our proposed typing discipline ensures that implementations of a multiparty conversation not only adhere to the session discipline but also satisfy rich constraints imposed on the exchanged data, which may be explicitly witnessed at runtime by proof objects. Our aim is to thus raise MPST to the level of data types in a concurrency setting. The resulting type discipline is capable not only of providing ✩ This work is partially supported by EPSRC EP/K034413/1, EP/K011715/1, EP/L00058X/1 and EP/N027833/1; and by EU FetOpen UPSCALE 612985. G p = q!(Int); r!(String); end G q = p?(Int); ⊕r(yes : G q; no : end) G r = p?(String); Nq(yes : G r; no : end) the programmer with a precise description of the interaction patterns followed by the communicating parties, but also to specify (and certify) the global invariants of data that are required and ensured throughout the multiparty communication.

Motivation
We motivate a technique to certify properties of exchanged data in multiparty session types (MPST) using a notion of value dependencies [17]. We begin with a brief introduction of the original MPST framework and its shortcomings with respect to expressing certain functional constraints on global protocols. We then address these issues through the use of value dependencies in the framework.
Multiparty session types In MPST, we begin with a global type, consisting of a global view of the interactions shared amongst the several interested parties. For instance, the following consists of a global type specification of a toy protocol involving three parties: G = p → q : (Int).p → r : (String).q → r : yes:G ; no:end (1.1) In the specification G above, participant p sends an integer and a string to participants q and r, respectively. Afterwards, q will either send to r a no message, ending the global interaction; or a yes message, causing the interaction to proceed to G . We may assume that G specifies a portion of some coordinated agreement, such as that between a service broker p, giving a price quote to client q while making a tentative reservation of the service to provider r (encoded as a string), which is accepted or rejected by q.
Given a global type, we must define a notion of projection, which constructs the view for each endpoint of the global interaction as a local type. For G, the projection of G for p, written G p, is given by the local type q!(Int); r!(String); end, assuming p does not participate in G , which describes the parts of the global interaction that pertain to actions of participant p. Given the projected local types (Fig. 1) for each communicating party we may then check that the global specification is satisfied by the interactions of the several endpoint processes to ensure deadlock-freedom.
Value dependent multiparty session types The framework sketched above is only suited for describing the shape of communication. While we may argue that G does indeed specify the interactions between a service broker p, a client q, and a provider r, such a global specification is satisfied by many process instances of p, q and r that may not in fact offer the desired functionality. For instance, the implementation of the broker p may send an incorrect price to client q, or the wrong service identifier to provider r and the system would still be correct according to G. The crucial issue is that while a global type specifies precisely how parties communicate, it only captures what the parties should communicate in a very loose sense (for example, "send a string" vs. "send a string corresponding to the service code for which the client was sent the price").
To overcome this issue, we propose the adoption of value dependent multiparty session types, which refine multiparty session types by adding type dependencies to specifications of exchanged data (extending the work of [12,17] for the binary setting).
The technical challenge here is reconciling the global specification of the distributed interaction, which may reference properties depending on data spread across multiple endpoints, with the local knowledge of each participant. Projection must ensure that whenever two endpoint processes exchange a proof object, the object is consistent with the knowledge of both endpoints. Specifically, the sender must know each term referenced by the proof object and propagate the relevant information to the receiver in a consistent way. Another issue is that the local types generated for each endpoint may not necessarily have matching dependencies due to the potentially incomplete views of the global agreement (for instance, participant p may assert some relationship between two data elements to q, where q only knows one of the datum). We must nevertheless ensure that endpoint projections are well-formed given the local knowledge of each endpoint and preserve the intended data dependencies, given the partial view of the system.

Global types and value dependencies
The key motivation for using value dependent types is to enable type level specifications of properties of data used in computation. Given that MPST have a natural distributed interpretation, we wish not only to express properties of exchanged data but also to support the ability for processes to exchange proof objects witnessing the properties of interest, providing a degree of certified communication in some sense. For instance, a value dependent version of G above can be: G Dep = p → q : (x:Int).p → r : (y:String). p → q : (z:isPrice(x, y)).q → r : yes:G ; no:end) where the predicate isPrice(x, y) holds only if the integer x is indeed the price for service y. In the specification G Dep , p must also send to q a proof of the relationship between the previously sent price and the service code. While the notion of proofs as first-class objects might seem somewhat foreign insofar as one might simply expect some runtime verification mechanism that ensures the received data is in the required form (as specified by the type-level assertions), explicit proof exchange is a more general approach: proof generation might not be decidable in general, whereas proof checking should be. Moreover, even when proof generation is decidable, it can often require more computational resources than checking the validity of a proof object.
Local types and value dependencies By leveraging the Curry-Howard correspondence between propositions and types (and proofs and programs), we can represent such proof objects as terms in a language with a suitable (dependent) type discipline, such that the only well-typed instances of processes implementing the role of p will be those that not only adhere to the session discipline but also satisfy the functional constraints encoded in the dependently typed values. The framework also ensures that proof objects are explicitly exchanged between communicating parties, which is of practical significance in a distributed setting. As mentioned above, the key challenge here arises in the definition of a projection procedure from global to local types that ensures that local types are well-formed and preserve data dependencies. For instance, neither of the naive local types for roles p and q can be deemed as well-formed: T p = q!(x:Int); r!( y:String); q!(z:isPrice(x, y)); end T q = p?(x:Int); p?(z:isPrice(x, y)); ⊕r(yes:T ; no:end) Intuitively, while T p appears correct given the global type in (1.2), it is specifying an output to q of an object of type isPrice(x, y) that depends on y which q has not received. We discuss how to correctly project well-formed local types in this sense in Section 3.

Overview
This article is an extended version of [18] with full proofs, additional theorems, examples and explanations. We also include the additional development of a progress result, which was absent from [18].
The article is structured as follows: Section 2 introduces the formalism of value dependent multiparty session types, describing the extension to both local and global types for expressing dependencies on exchanged data; Section 3 develops a notion of projection from global to local types in the presence of value dependencies, such that the generated local types preserve the dependencies specified in the global type and are well-formed with respect to the partial view of each session participant; Section 4 introduces the process model and presents the local value dependent typing system for processes; Section 5 develops the type safety properties induced by our typing discipline, showing that our system satisfies both type preservation and progress, entailing the absence of communication errors and deadlocks; Section 6 studies an extension of our framework that enable constraints on data to be specified without requiring the explicit exchange of witnesses for the constraints between communicating processes; Section 7 discusses related and future work.

Value dependent multiparty session types
This section introduces the extension of value dependencies to the multiparty session types framework. We begin by introducing the syntax of value dependent global and local types. We describe the concept of value dependencies in global types with several extended examples in Section 2.2. Finally, Section 2.3 describes global type well-formedness.

Syntax of value dependent session types
Global types The syntax for value dependent MPST is given in Fig. 2. A message exchange p → q : (x:τ ).G specifies communication between sender p and receiver q of a value of type τ , bound to x in G. The type structure of τ is somewhat generic, with the following requirements: we assume a dependently typed λ-calculus with dependent functions x:τ .σ and pairs x:τ .σ , where x binds its occurrence in and . We recall that x:τ .σ denotes the type of functions from τ to σ , where σ can depend on the argument x. For instance n:Nat. x:Vec(n). m:Nat. y:Vec(m).Vec(n + m) would be the type of a function that takes a vector of size n and a vector of size m and produces a vector of size n + m. Dependent pairs x:τ .σ are dual, denoting a pair of elements of type τ and σ where the type σ can depend on x. We project the first and second elements of the pair using π 1 and π 2 , respectively.
In our theory and examples, we generalise dependent pair types x:τ .σ to l.σ , where l is a list of type bindings of the form x i :τ i . We manipulate such lists using Haskell-style notation. We assume some base types b and singleton types [14], written S(M), where M is a value of some base type b and S(M) denotes a value of type b equal to M. For example, if we assume natural numbers Nat as base types then the natural number 5 can be typed with both Nat and Nat (5). We require type preservation and progress for this language of message values, as well as decidability of type-checking (although, crucially, not of type inhabitance).
The branching p → q : l j :G j j∈ J denotes a selection made by p between a set of behaviours G j identified by labels l j , achieved by the emission of a label l i with {l i : i ∈ J } from p to q. The session then continues as G i for all participants.
Session delegation p → q : (T ).G denotes that participant p delegates to q its interactions with a session channel of local type T (defined above), achieved by sending the channel endpoint, after which the interaction proceeds as G. Note that there is no binding for T since we only consider dependencies of values, rather than on sessions.
Recursive global types μt (x = M:τ ).G, where t and x bind its occurrences in G, enable the specification of how a recursive interaction should proceed among the different participants. The parameter x is a recursion variable standing for a term M of type τ , which defines the initial value of x in the first recursive instance, acting as a parameter of the recursion.
A recursion is instantiated with t M , where M denotes the value taken by x in the next instance. We assume that recursive type definitions are contractive and, for the sake of simplicity, that there is at least one occurrence of t in G. We consider recursive types in the typical equirecursive sense, up to unfolding. Finally, end denotes a lack of further interactions. We often omit end and write message exchange and recursion as p → q : (τ ).G and μt.G if x does not occur in G.
We write fv(G) for the free variables of G, defined inductively in the usual way. We state that a global type G is closed (resp. open) if fv(G) = ∅ (resp. fv(G) = ∅). We write CJ−K for a global type context (i.e., a global type with a hole). G G states that G is a subterm of G .

Definition 1 (Global type context).
Given a global type, we define its subterms via the following notion of context: with the hole _ occurring in at most one C i .

Examples of value dependent global types
We introduce three examples of value dependent global types, showcasing their heightened expressiveness.

Example 1 (Three party interaction: buyer-seller-distributor).
We specify the interaction patterns between three parties: a buyer, a seller and a distributor, illustrating the use of dependencies in a standard multiparty setting.
Seller → Buyer : (exit : end, sell : end) The session begins with the buyer requesting a query of a product from the distributor. The distributor then communicates with the seller, sending the number of items currently available. The seller sends to the buyer the number of available product and an initial price. The buyer and the seller then initiate in a negotiation, where the buyer selects to either proceed with the negotiation or to quit the protocol. In the former case, the buyer sends the seller an offer, upon which the seller must decide whether to terminate the negotiation by rejecting the offer, or to terminate the negotiation by accepting the offer.
This interaction, beyond the equality constraints between the stock message sent from the distributor to the seller and then from the seller to the buyer, captures in a relatively simple way the encoding of the loop invariant -that each offer made by the buyer is always increasing, and at least as much as the initial quote.

Example 2 (MapReduce).
We specify a distributed computation where a client sends to a server some data upon which the server is intended to run some potentially computationally expensive computation, represented by a map-style function f and a reduce-style function g.
Aggr → Server : (r 3 : r:String.r = g(π 1 (r 1 ), π 1 (r 2 ))) Server → Client : (res : String(π 1 (r 3 ))) Upon receiving the data from the client, the server divides it into two parts which are then sent to be processed by the two workers. The system includes an aggregator service, which is informed by the server of the division of the data. The workers then send to the aggregator the result of the computation f on their respective data partitions, which then sends back to the server the aggregation result (computed using the aggregation function g). Finally, the server sends back to the client the final result.
The crucial aspect of this simple example is that not only are we describing the structure of communication (and to some extent, the topology of the service), we are specifying in a very precise way the actual functionality of the global coordination.

Example 3 (Recursive game).
To clarify the interaction of recursion and value dependencies, we encode a simple toy game protocol between three parties: Alice, Bob and Carol.
μt(x = n : y:Nat. y≥0). In the protocol above, Carol sends both Alice and Bob a number of total tries n the two participants are allowed to attempt to guess some random number generated by Carol. The protocol then proceeds by repeatedly accepting guesses from both Alice and Bob until they both guess correctly, upon which the protocol terminates, or until the number of tries n runs out (we write M for the object denoting that x − 1 is greater than or equal to 0). While very minimal in its features, this example showcases how the combination of recursion and value dependencies allows us to specify sophisticated global types, such as counting down from a sent or received number, insofar as we are able to make the actual communication structure of the protocol depend on previously received data.

Well-formedness of global types
We detail the well-formedness conditions on global value-dependent MPST. In contrast with the work on design-bycontract [1], which introduces assertions to MPST, we do not in general enforce the property that all well-formed global types are realisable by some well-typed endpoint processes. In [1], global type well-formedness entails that assertions expressed in a global type are possible to satisfy, by restricting the assertion language to decidable logics. Given our aim of maintaining a general dependent type theory as our proof language, we opt for a different design.
In our general setting, we can use a larger set of well-formed global types for which no process realisers may exist. The decision problem of determining if such process realisers exist is itself undecidable. Our goal is to define well-formedness of global and local types such that: 1. Projection of a well-formed global type produces well-formed local types by a simple projection rule; and 2. If a collection of processes which satisfy local types exist, then the global specification is satisfied.
Below we define simple well-formedness conditions which are sufficient to ensure the above properties. The first condition defines a binding restriction on recursions, essentially stating that recursive calls can only use closed terms; the second captures the fact that in a message exchange between two participants, the sender should always know all the message variables mentioned in the message's type. We note that history-sensitivity has been shown decidable in [1], where a compositional proof system for history sensitivity is presented.

Definition 2 (Well-formedness conditions).
1. (recursion) Let G be a closed global type. We say that G has well-formed recursion iff for all t M ∈ G, x ∈ fv(M), there exists CJ−K such that either: Then for any natural number n, G is n-history sensitive on a message variable x iff for all G such that G is a n-times unfolding of G, and for all types We say that G is history sensitive iff it is n-history sensitive for all natural numbers n on all message variables in G.
G is well-formed if all recursions in G are well-formed and G is history sensitive.
Decidability of history sensitivity follows a similar reasoning to that of [1]. From this point onward, we assume all global types have well-formed recursion and are history sensitive.
We note that all examples of Section 2.2 are well-formed. For instance, the global type G 1 below does not satisfy history sensitivity, whereas G 2 does: In G 1 , r is supposed to send to s a message of type P(x), where x is a message exchanged between p and q which therefore r cannot possibly know, and thus we deem the type ill formed (whereas in G 2 it is role q that sends the message).

Projection and data dependencies
We now motivate some of the challenges of defining projection of a global type while respecting the partial local knowledge of each participant. Recall the global type G Dep of Section 1.1 (Equation (1.2)), which is a well-formed global type. In the final interaction between participants p and q, p is supposed to send a proof that the previously received integer value x is indeed the price for the service code sent to r, identified by the string y. From the perspective of p, the value of both x and y are known. However, q only knows the value of x since y was sent only to r. Thus, if we consider a typical notion of projection that traverses the type G Dep and collects the direction of communication accordingly we obtain the following local types for p and q (for some T q ): G Dep p = q!(x:Int); r!( y:String); q!(z:isPrice(x, y)); end The local type for q cannot be correct since it contains a free variable y (given q's local knowledge), which is not free in the local type for p. In order to generate adequate local types for both endpoints we must ensure that the two types respect the local knowledge of each participant.
Intuitively, the type for the endpoint corresponding to participant p must bundle in the message identified by z all the unknown information from participant q's perspective. However, if we modify the projection for participant p to, q!(x:Int); r!( y:String); q!(z: y :String.isPrice(x, y )); end we do not preserve the semantics of G Dep , in the sense that a process with the type above may send to q any price, provided it is indeed the price of a service in the system.
In order to preserve both the semantics of data dependencies in global types and generate well-formed local types for both endpoints, we make use of singleton types and subtyping, which is formally defined in Section 3.1. Crucially, we make use of singleton types to implicitly refer to the equality constraints induced by dependencies in a global type. In the example above, generating the following local type for p, q!(x:Int); r!( y:String); q!(z: y :String(y).isPrice(x, y )); end (3.4) we can preserve the semantics of G Dep , in the sense that p may only send x and y such that one is the price of the other.
Moreover, we exploit the fact that for any base type b, if M : b then S(M) ≤ b in order to produce the following local type for endpoint q, p?(x:Int); p?(z: y :String.isPrice(x, y )); T q (3.5) The type above not only respects the local knowledge of endpoint q but is also compatible with the interactions specified by the local type for endpoint p due to the subtyping of singletons, since y :String(y).isPrice(x, y ) ≤ y :String.isPrice(x, y ) by the usual covariant subtyping rules for -types and the fact that a singleton is always a subtype of its corresponding base type (we note that session subtyping for message input is contravariant in the message type; and dually, covariant for output).

Subtyping and knowledge
Having discussed the main challenges of preserving global data dependencies in local types, we define a notion of projection that generates compatible message types (in the sense of Definition 4) for well-formed global types.
We begin by introducing the subtyping rules for both local and data types. The rules are mostly standard from the literature of subtyping in session types [5] and singleton types [14]. For conciseness we only consider session subtyping for input and output types. Subtyping for choices and branching are orthogonal. The subtyping judgement, written τ ≤ σ for data types and T ≤ S for local types, denotes that τ (resp. T ) is a subtype of σ (resp. S), where is a context tracking free variables in types. Note that if T is a subtype of U , then a process implementing type T may be safely used wherever one of type U is expected. We write M : τ for the typing judgement of terms M, which we maintain mostly unspecified. We write τ for the well-formedness of τ and M ≡ N : τ for definitional equality of M and N. The key subtyping rules are given in Fig. 3.
The key rules for the development of a well-defined notion of projection is the singleton subtyping rule (SUB-S), which specifies that a singleton for a base type is always a subtype of its base type and the rules for subtyping of input and output local types, enabling receiving processes to receive instances of the singleton type when expecting to receive instances of the corresponding base types.
We make precise the notion of a participant knowing the identity of a message or recursion variable occurring in a global type. Intuitively, a participant knows the identity of a message variable if it is involved in corresponding communication. Similarly, knowing a recursion variable requires knowledge of all message variables that occur in the recursive parameter.

Definition 3 (Knowledge).
Let G be a closed global type and p ∈ G. We say that p knows x:τ in G iff there is C such that either: We say that a participant p knows M in G iff p knows all the free variables of M in G.

Compatibility
Equipped with our notion of subtyping and knowledge, we define compatibility between message types in Definition 4, appealing to a consistent priming of the variables in a type. Given a variable x:τ , where τ is a base type, and a type σ with x ∈ fv(σ ), we say that x is a primed version of x iff x :τ (x), where τ (x) denotes a singleton type for τ whose values must equal x. A priming of type σ is a pointwise priming of (some) of its free variables. For instance, a priming of type isPrice(x, y) is isPrice(x, y ) with y :String(y). We maintain the connection between a primed variable and its unprimed version (we write primedV ars(r) to denote the primed variables of set r).
Two message types σ 1 and σ 2 are deemed compatible from the perspective of participants p and q if both types are well-formed, their free variables are known by the corresponding participants and they are related by subtyping. Moreover, we enforce that compatible message types must be dependent tuples (without loss of generality). For example, in the global type G Dep discussed above, for the last message exchange between participants p and q, the pair of message types y :String(y).isPrice(x, y ) and y :String.isPrice(x, y ) is compatible for p and q, respectively.
We make use of an auxiliary function, dubbed compatible type binding generation (CTB), that given a message exchange p → q : (x:τ ).G in a global type G produces a dependent tuple l.τ , where τ is a priming of τ (τ and τ differ only on the names of free variables of base type, where x ∈ fv(τ ) corresponds to x ∈ fv(τ )) and l is a list of variable bindings (occurring in τ ) that are known by participant p and not known by q, making use of singleton types to preserve the value dependencies specified in the global type G.

Definition 5 (Compatible type binding generation).
For any closed global type G, with p → q : (x : τ ).G G. We generate a compatible type binding for x:τ , written C T B(x:τ ), as follows. If τ is a base type then C T B(x:τ ) = [x:τ ]. Otherwise, the compatible type binding for x:τ is given by the recursive function F (x:τ ), given below making use of typical list manipulation notation (i.e. merge is a list merging function and fold is the usual fold operation over lists): Let u be the list of bindings corresponding to the free variables of τ , known by p and not by q. We note that in recursive calls to F , the participants p and q are fixed in the sense that F (b) considers variables in the binding b known by p and unknown by q. Moreover, usages of CTB tacitly assume that we convert the resulting list into a dependent tuple in the natural dependency-preserving way.
For instance, in the global type G Dep (Equation (1.2)), the CTB for the third exchange between p and q produces the type y :String(y).isPrice(x, y ) which may be used as the message type for the output of p, bundling all the necessary data that is unknown by q at the given point in the protocol. The key insight is that CTB consists of a terminating function that computes a tuple bundling all the unknown information from the perspective of the recipient of a message, using singleton types to preserve data dependencies from the perspective of the sender.

Theorem 1 (Compatible type binding generation). Compatible type binding generation (Definition 5) is a terminating function.
Proof. We first point out that the fact that we consider closed global types enforces some constraints on free variables in data types. In particular, all free variables in a data type must have all been defined by previous communication actions, which immediately excludes circular dependencies where two data types mutually depend on each other (e.g. the binding for a free variable y of a type x:P( y) being of the form y:Q(x)).
Function C T B(x:τ ) in Definition 5 inspects bindings of free variables of τ , known by participant p and unknown by q (c.f. Definition 3). By construction, these variables are bound by previous interactions involving p. Since there is no possibility for circularity, the free variables of a data type and the free variables of types in their binding occurrences form a directed acyclic graph (DAG).
The termination of F follows from the observation that it simply performs a traversal of this DAG, producing a reverse topological ordering of the graph. Specifically, F traverses the subgraph of this DAG made up of variables known by p and not by q (itself a DAG). This is straightforward to see: the terminal nodes of the graph are those when we reach a base type or have no unknown variables; for non-terminal nodes, that is, those with unknown variables, we perform a depth-first search traversal of the DAG, collecting the outcomes in a merged list with the appropriately primed type as the last element.
We note that this traversal produces a reverse topological ordering of the DAG. 2

Projection
To ensure that projection produces well-formed local types for both endpoints, we make use of singleton erasure (Definition 6) to erase singletons from a dependent tuple. Intuitively, we use CTB to generate the message type for the sender and its singleton erasure to generate the type for the recipient, observing that the two are related by subtyping. In the two cases for (dependent) input and output we write #(G) in the continuation of the local type to denote the global type obtained from G where we replace all instances of x with π i (x), with i being the length of the list generated by the CTB function (in the case where CTB produces no change to τ , # also does not replace x).
Definition 6 (Singleton erasure). Given a type τ of the form l.σ , we write τ † for its singleton erased version, that is, where each primed binding in l of the form Finally, for projection of choices and branchings we appeal to a merge operator along the lines of [4], written T T , ensuring that if the locally observable behaviour of the local type is not independent of the chosen branch then it is identifiable via a unique choice/branching label (the merge operator is otherwise undefined).

Definition 7 (Merge).
Let T = Nr l i : T i i∈I and T = Nr l j : T j j∈ J . The merge T T of T and T is defined as: ) and is undefined otherwise.

Definition 8 (Global projection).
Let G by a global type. The projection of G in a participant p is defined by the partial function G p in Fig. 4. We note that projection makes use of the merge operator, which may be undefined. If merge is undefined then projection is undefined.
String(π 1 (r 3 ))); end Server!(r 3 : r:String.r = g(π 1 (r 1 ), π 2 (r 2 ))); end The projection for the server role illustrates the key elements in our notion of endpoint projection. In the third message (the output to the aggregator), we bundle the information unknown by the aggregator in order to ensure the type is well-formed from the perspective of the recipient. Moreover, the usage of singletons preserves the dependencies specified in the global type (i.e. that the objects in question are indeed those received from the client and subsequently sent to the two worker endpoints). Note that in the input from the aggregator, the projected type does not require singletons since the server endpoint knows the identities of d 1 and d 2 .
Example 5 (Buyer-seller-distributor). We present the local types for roles Buyer and Seller from Example 1, which specifies a certified interaction between a buyer, seller and distributor roles: G ok Seller = Buyer?(offer : z : Double.z ≥ π 2 (π 2 (q))); ⊕Buyer(exit : end, sell : commit : end) Crucially, in order for the first message from Seller to be well-formed, projection (through compatible type binding generation) must force the Seller to bundle the stock message in the exchange labelled as q. The remaining messages are projected straightforwardly. The projection for the role Bob is identical to that for Alice.

Value dependent processes and typing
This section presents semantics and a typing system of value dependent processes.

Syntax and operational semantics
We define the process syntax (Fig. 5), introducing the operational semantics (Fig. 6), which is an extension of the synchronous multiparty session π -calculus studied in [10]. We use s to range over session names, c to range over channels

Typing system
We now introduce the typing system assigning local types to channels in processes. The typing rules are given in Fig. 7.
We define the judgement ; ; P , where is a typing context for message terms, a mapping of shared names to global types and process variables to the specification of their variables, and a (linear) mapping of channels to local types. The intuitive reading of the typing judgement is that P uses channels (and recursion variables) according to the types specified in and and message variables according to the types specified in . We write a:G iff a:G ∈ .
We also make use of a typing judgement for message terms M : τ , denoting that M has type τ under the typing assumptions recorded in . We omit this typing judgement for the sake of generality of the underlying type theory. We recall the requirement of the usual type safety results of progress and type preservation (and so, a substitution principle) in the presence of singleton types and subtyping (as detailed in Section 3.1). Rules (VSEND) and (CSEND) types sending of data messages and session channels respectively. Sending a datum M binds it to x in the continuation type, as expected in a (value) dependently-typed setting. Sending a channel requires its existence in the context with the appropriate type. Dually, rule (VRECV) and (CRECV) types the reception of data, where the process that expects to receive a data message of type τ is warranted to use it in its continuation. Rules (SEL) and (CHOICE) type selection and choice, respectively, in the standard way.
The typing rule for (REC) recursive process definitions assigns a channel with a parameterised recursive type by registering in the necessary information regarding the process recursion variable (the channel name, the recursive type variable and the parameter variable), where the local typing environment must be empty. Rule (VAR) simply matches the process recursion variable with the type recursion variable according to the information if , checking that the recursive parameter is appropriately typed. The remaining rules are standard in the MPST literature [8,10,19], of which we highlight the (SRES) rule for session channel restriction, requiring that all the several role annotated endpoints be coherent (Definition 15). Coherence relies on a notion of partial projection (Definition 10) and session duality (Definition 11), which we now introduce.
Partial projection is defined as a function taking an endpoint type and a role identifier. Intuitively, it extracts from the endpoint type the behaviour that pertains only to the specified role, erasing all role annotations (since the type is now completely localised to a single role -i.e. a binary session type). We range over binary session types with S, T . Duality is defined in the natural way, matching inputs with outputs (appealing to subtyping in the case for data communication to ensure compatibility of the data types); and branching with selection.   (r!(x:τ ); Definition 9 (Binary type merge). Let T = ⊕ l i : T i i∈I and T = ⊕ l j : T j j∈ J . The merge T T of T and T is defined as: ) and is undefined otherwise.
Definition 10 (Partial projection). The partial projection of a local type T onto p, denoted by T p, is defined by the rules of Fig. 8.

Definition 11 (Duality).
The dual of a projected local type T , written T is the minimal symmetric relation satisfying: Duality is crucial to ensure compatibility between the different participants in a multiparty conversions. This notion is made precise in the following lemma. (Well-formedness). Let G be a global type. G is well-formed iff for all p, q ∈ roles(G), p = q implies (G p) q is defined.

Definition 12
Coherence thus ensures compatibility of all participants in a multiparty session, requiring that for each role in the multiparty conversation, all performed actions are matched by a dual action performed by the expected recipient. Coherence relies on a standard subtyping relation on binary sessions (i.e. projected local types).

Definition 13 (Subtyping of binary session types).
We define the subtyping relation T ≤ S, where T and S are binary session types as the largest equivalence relation satisfying the following rules (i.e. the rules are interpreted coinductively):

Properties of value dependencies
This section lists the main properties of the typing system, namely the soundness of projection, subject reduction and progress for a single multiparty session.

Subject congruence and reduction
Recalling the notion of history sensitivity (Definition 2), which intuitively requires that in a global type G, for each interaction in which s sends some data of type τ , all free variables of type τ must have been defined in a previous interaction of G involving s, we state soundness of compatible type binding generation. (1) is immediate by well-formedness of G and the fact that the list ordering produced by C T B is a reversed topological ordering of the variable dependencies in τ . # and † do not affect well-formedness of data types.

Theorem 2 (Compatible type binding generation is sound). Let G be a well-formed
(2) follows by history sensitivity and the fact that C T B only collects data known by p. Intuitively, it is easy to see that CTB generates pairs of compatible types given the subtyping rules for singletons (and Definition 6 of singleton erasure), combined with the fact that CTB collects only data known by p and unknown by q, relevant to the message exchange of type τ .
We now establish the safety of our type system. We seek the usual properties of subject transition and subject reduction, which entail strong notions of safety for well-typed processes. Given that types intrinsically specify properties of exchanged data, subject reduction ensures that any well-typed process is guaranteed to conform with its behavioural specification in a strong sense.

Lemma 1 (Subject congruence). If ; ;
P and P ≡ Q then there is ≡ such that ; ; Q .

Lemma 2.
Let T = Nq{l i : T i } i∈I or T = ⊕q{l i : T i } i∈I with T r defined and r = q. We have that: ∀k ∈ I.(T k r) ≤ (T r).
Proof. See [13]. 2 Proposition 1. If p, q ∈ G with p = q and G is well-formed then G p q ≤ G q p Proof. By induction on the structure of G. Case: When neither r nor s equal p or q, the result follows immediately by induction.
Subcase: r = p and s = q r → s : (x : τ ).G p q = s! (C T B(x:τ )).(G p) q = (G p) q by def. Case: Other cases are identical to those above. 2 Subject reduction relies crucially on a substitution principle for types and processes, which is a lifted version of the substitution principle for the dependent data layer.   We now define a synchronous reduction semantics for local types extended to include session environments. The reduction on a session environment of a process shows the change on the session environment after a possible reduction on the process.
We can now show subject reduction for synchronous communication.

Proof. We proceed by induction on reduction.
Case: ; ; Case:  (1), (2) and rule (SRES) Case: (1) by subtyping, duality and partial projection Let ; ; (νs)P 1 by (3), rule (SRES) Case: by sync. semantics : T 0 ∈ 1 T 0 q ≤ T 2 p and T 2 p ≤ T 0 q by co( 1 , 2 ) T 1 q ≤ T 0 q by Lemma 2 when T 0 is a branching or a selection or by def. otw T 1 q ≤ T 2 p and T 2 p ≤ T 1 q (6) by transitivity of ≤ and definition of ≤ and duality co( 1 , 2 ) by (5) and (6) 2 We note that adherence to the properties of data specified by the types is intrinsic: values occurring in well-typed processes act as proof witnesses to the stated properties which are thus inherently satisfied, entailing a notion of communication safety.

Error freedom
In order to characterise the kind of communication errors that are disallowed by our typing discipline, we define a notion of extended process which explicitly references message typing information by considering the following process constructs for (data) input and output: We then define a typed reduction and labelled semantics, written −→ and α −→, respectively. Typed reduction −→ is defined by the same rules as those of Fig. 6 but where the message synchronisation rule is replaced with (error is a special process construct denoting the error state): Equipped with extended processes and typed reduction, we may then show that well-typed (extended) processes never reach an error state.

Theorem 4 (Error freedom). Let
P and P −→ * P . Then error is not a subterm of P .

Progress
The standard theory of multiparty session types [3,8] is able to ensure a strong form of progress within a single multiparty session (i.e. when a system is composed solely of well-typed processes implementing every role in a multiparty session, but not participating in any other linear sessions). The framework developed in this article also satisfies this property, which we now make precise. The formal development follows closely that of [9]. Proof. Straightforward induction on typing. 2 Definition 18 (Well-linked). We say P is well-linked when for each P − → * Q , whenever Q has an active prefix whose subject is a (free or bound) shared name, then it is always part of a redex.

P .
Proof. Without loss of generality we can assume P does not have name restrictions. Since is coherent then if contains any communication prefix then, by Proposition 3, there must be a reduction available in P , satisfying (1). (2) is immediate by the fact that P is simple and well-linked, and is coherent. 2 As a corollary of the above theorem, we can derive the following result, which states progress within a single session.
We say Q is a single session process if Q = a[n](z).P | a [1](z).P 1 | · · · a[n n ](z).P n and Q does not contain any hiding and delegation, and a : G Q for some G. (Progress within a single session). Suppose Q is a single session process. Then for all Q such that Q − → * Q , either Q − → + Q or Q ≡ 0.

Specification without communication
So far we have mostly been concerned with the challenges of certifying data exchanges in a multiparty setting by having process endpoints exchange explicit proof objects. However, it is quite often the case that we may wish to reference data and constraints that are reasonable at a specification level but that have little computational interest at runtime. For instance, consider the following global type, p → q : (x:Nat).p → q : (y:x > 2).G (6.1) In the example above, participant p sends q some natural number x, followed by a proof denoting that x is greater than 2. While such an exchange does ensure that a well-typed implementation of the endpoint p must necessarily send to q an integer greater than 2, the endpoint q may have little interest in actually receiving a proof that x > 2. Rather, the exchange denoted by the second message from p to q appears as an encoding artefact due to the fact that the framework requires explicit proof exchanges by default.
While it is the case that we could omit a second exchange by "currying" the two communication actions into a pair, p → q : (x: a:Nat.a > 2).G (6.2) the issue still remains that we are forced to send potentially unnecessary data.
We can alleviate this issue through the usage of a proof irrelevance modality, written [τ ], denoting that there exists a term of type τ (and thus, a proof of τ ), but the identity of the term itself is deemed computationally irrelevant. To make this notion precise, we appeal to a new class of typing assumptions x ÷ τ , meaning that x stands for a term of type τ that is not computationally available; and to a promotion operation on contexts (written ⊕ ) mapping computationally irrelevant assumptions to ordinary ones: Given that we are only warranted in using irrelevant assumptions within proof irrelevant terms, it is easy to see that proof irrelevance cannot affect the computational outcome of a program and so we may consistently erase proof irrelevant terms at runtime.
We combine this notion of proof irrelevance with an erasure operation that eliminates communication of proof irrelevant terms -since they may not be used in a computationally significant way, they bear no impact on the computational outcome of the session. For instance, we may rewrite the global type of (6.2) as: marking that the proof of a > 2 is not computationally significant, but must exist during type-checking.
With the combined use of proof irrelevance and erasure we ensure that the specification must still hold, in the sense that the proof objects must be present in endpoint processes for the purposes of type-checking, but are then omitted at runtime to minimise potentially unnecessary communication. An alternative approach, only feasible for decidable theories, would be to generate proofs automatically by appealing to some external decision procedure.

Erasure of proof irrelevant terms
We introduce a simple erasure procedure on types, processes and terms that replaces proof irrelevance with the unit type (and the unit element at the term level). Recall that since proof irrelevant terms have no bearing on the computational outcome of programs, the erasure is safe w.r.t. the behaviour of programs.

Definition 19 (Erasure).
We inductively define erasure on local types, terms and processes, written T ↓ (resp. τ ↓ , M ↓ and P ↓ ) by the following rules (we show only the most significant cases, all others simply traverse the underlying structure inductively): By performing the erasure before projecting, we eliminate a substantial amount of dependency information from the local type for the Client. We note that transforming processes satisfying G [M R] Client into ones satisfying G ↓ [M R] Client can easily be achieved by some simple program transformations, related to those used in program generation for dependently typed functional languages [11,16].

Soundness of erasure
We make precise the static and dynamic soundness of our erasure procedures. The static safety theorem (Theorem 6) states that a consistent usage of erasures does not violate the typing discipline.
Theorem 6 (Static safety). Let ; ; P . Then we have that: Proof. Straightforward induction on typing, observing that both mappings ↓ and * are completely homomorphic with the exception of proof irrelevant types in the former (which are replaced with unit types) and communication of unit types in the latter (which are erased). 2 We also show that erased processes have an operational correspondence with their un-erased counterparts.

Theorem 7 (Operational correspondence). Let
P : Proof. Both proofs follow by a straightforward induction on the reduction relation. In (a) we note that the reductions are completely unchanged by the ↓ mapping which simply replaces proof irrelevant terms with the unit element. Moreover, proof irrelevant terms, by construction, have no effect on the computational outcomes of a process. In (b) we note that communications of values of proof irrelevant type in P will be erased in (P ↓ ) * , which is otherwise identical to P . Since proof irrelevant terms have no effect on computational outcome, the result follows straightforwardly. 2 For the erasure of Definition 19, we have a very precise operational correspondence by virtue of the computational insignificance of proof irrelevant terms (Theorem 7 (a)). For the communication erasure of Definition 20, the processes in the image of the erasures may naturally produce less reductions, which account for the erased communication steps.
However, we can ensure that a reduction in an erased process (P ↓ ) * − → P can be matched by potentially a sequence of reductions in the original process P , such that applying the two erasures to the reduct of P produces a structurally equivalent process to P (Theorem 7 (b)).

Conclusion
This article introduces value dependent multiparty session types which enable us to specify data dependent properties in communication protocols. The key technical point is to reconcile the global specification of the distributed interaction, whose data is spread and shared across multiple endpoints, with the local knowledge of each participant. For this, we define projection based on history sensitivity and local type binding generation, which augments the partial knowledge of participants with the needed additional information. Projection thus ensures that the data dependent global specification can be consistently mapped to the local protocols. This enables us to support the ability of processes to exchange proof objects witnessing the properties of interest, providing a degree of certified communication.
We conclude the article with some additional discussion of key design choices and avenues of future work. We discuss two fundamental considerations: some of the particulars of compatible type binding generation and how they may be potentially simplified through a fundamental use of proof irrelevance akin to that of Section 6; and how our design choices affect a potential implementation of the language discussed in this article, specifically what should be verified statically and/or dynamically and in what circumstances does the type system help guide these choices.

Related work
While a wide range of works on binary and multiparty session types exist in the literature [3,4,9,10], the two that are most related to this work consist of the logically-motivated value dependent binary session types of [2,12,17] and the assertion-based extensions of multiparty session types [1].
The line of work of [17] is the main inspiration for our approach, which essentially extends their binary framework to the multiparty setting. The work of [12,17] takes the interpretation of intuitionistic linear logic as (binary) session typed processes and extends it with first-order quantification over exponential objects, which are the proof witnesses for the data-dependent properties expressed in session types. The key challenges that arise when moving to a multiparty setting consist in defining an adequate notion of projection that preserves the dependencies expressed in global types in a way that is locally consistent to all involved participants.
The work of [6] integrates refinement types (in the sense of Liquid Types) with binary session types, studying the problem of type inference which entails generation of constraints on the refinement predicates that are then solved via an SMT solver. Their methodology, being based on Liquid Types, is concerned with the issue of inference via SMT solvers, whereas we focus on a more general dependent type formulation with explicit proof exchange. If we restrict our type dependencies to a fragment for which inhabitance is decidable we can in principle apply similar techniques to those proposed in [6]. This would consist an interesting practical application of a subset of our work.
The design-by-contract framework of [1] extends multiparty session types with logical assertions. Since their work does not induce any additional communication the framework is only effective when the assertion language is decidable. In our framework this would amount to requiring proof object generation to be decidable, whereas by insisting on explicit communication of proof objects we only require decidability of proof checking. Their framework can be seen as a special case of the work developed in this article, where all type dependencies use the proof irrelevance modality (and where proof objects are generated transparently to programmers due to the decidability of the theory).

Further discussion
Compatible type binding generation In Section 3 we have discussed the challenges of defining projection in the presence of value dependencies, given that each participant only has a partial view of the global protocol and thus the notion of projection from previous works on multiparty sessions produce endpoint types that are either not well-formed or fail to capture the appropriate data restrictions specified in global types.
We address this issue by bundling in each message exchange all the information that is unknown by message recipients such that the endpoint types for senders and receivers are well-formed, compatible and preserve the intended semantics of global types. A potential disadvantage of our approach is that the bundling procedure can insert a non-trivial amount of extra information in message exchanges. For instance, in the global type: Participant A sends to participant B a sequence of n messages, after which it sends to participant C a message of type z : τ .P(z, x 1 , . . . , x n ), such that C does not know x 1 through x n . In this scenario, when projecting the exchange of message y, A must not only send the object of type z : τ .P(x 1 , . . . , x n ) but also the n messages previously sent to participant B which are unknown to C . In Section 6 we have introduced a way of minimising potentially unnecessary communications through the usage of proof irrelevance and type-oriented erasure, where certain portions of data types are marked as irrelevant and subsequently erased. At the level of compatible type binding generation, it should also be possible to directly make use of proof irrelevance to reduce the communication overheads mentioned above, given that unknown message variables have a somewhat proof irrelevant flavour (i.e. they cannot be used precisely because they are unknown).
One potential approach to this issue is to introduce a proof-irrelevant -type, written x ÷ τ .σ and modify compatible type binding generation to quantify over unknown variables using these proof irrelevant pairs. The main issue is that it forces type families using such proof irrelevant variables to be themselves proof irrelevant. We leave these challenges for future work.
On implementation The main contribution of this article is the conceptual extension of the multiparty session typed framework with value dependencies, the language presented in this article leads itself towards more realistic implementation considerations. Our basic foundation is that proofs are exchanged as witnesses to the properties specified in types. These proof objects are no more than terms from a dependently-typed language, but one may wonder if it is indeed feasible to explicitly exchange proof objects instead of somehow verifying the necessary properties dynamically. Regardless, given the potential distributed nature of the framework, it seems natural to require that communicated proof objects be checked at runtime on the recipient side.
While there are circumstances where proof objects may not be exchanged and instead generated (or have the necessary properties checked) at runtime on the receiver side, this requires the property language to be decidable, which may be too restrictive (we note that we require proof checking to be decidable, which is a significantly weaker condition), although a potentially reasonable assumption in certain application scenarios, or for settings where programmers cannot be expected to write proof objects by hand. Another alternative worth considering is to have participants exchange digitally signed objects that hold them accountable for the existence of certain proofs.
While there seems to be a somewhat flexible range of possibilities in terms of proof communication, it is unavoidable that an implementation of the language integrates both static and dynamic checking in order to ensure that the specified properties indeed hold throughout execution. To this end, an extension of the system where trust amongst session participants is determined a priori might help guide the static/dynamic verification procedures. For instance, among trusted participants one may avoid dynamic checks entirely, among "somewhat" trusted participants, digital proof certificates might be required, but not the complete proof objects, whereas communication with untrusted agents would require the full range of dynamic and static checks.
We are currently investigating some of these avenues of research, in particular how the exchange of signed certificates interacts with assurances of data provenance. Another aspect that needs to be studied is the potential leakage of sensitive information that may occur while generating compatible endpoint types due to unknown message dependencies, which should be alleviated by the techniques discussed in the sections above.