Branching pomsets: design, expressiveness and applications to choreographies

Choreographic languages describe possible sequences of interactions among a set of agents. Typical models are based on languages or automata over sending and receiving actions. Pomsets provide a more compact alternative by using a partial order to explicitly represent causality and concurrency between these actions. However, pomsets offer no representation of choices, thus a set of pomsets is required to represent branching behaviour. For example, if an agent Alice can send one of two possible messages to Bob three times, one would need a set of 2 × 2 × 2 distinct pomsets to represent all possible branches of Alice’s behaviour. This paper proposes an extension of pomsets, named branching pomsets, with a branching structure that can represent Alice’s behaviour using 2+ 2+ 2 ordered actions. We compare the expressiveness of branching pomsets with that of several forms of event structures from the literature. We encode choreographies as branching pomsets and show that the pomset semantics of the encoded choreographies are bisimilar to their operational semantics. Furthermore, we define well-formedness conditions on branching pomsets, inspired by multiparty session types, and we prove that the well-formedness of a branching pomset is a sufficient condiEmail addresses: led@ou.nl (Luc Edixhoven ), ssj@ou.nl (Sung-Shik Jongmans), pro@isep.ipp.pt (José Proença), ilaria.castellani@inria.fr (Ilaria Castellani) Preprint submitted to Journal of Logical and Algebraic Methods in Programming18th September 2023 tion for the realisability of the represented communication protocol. Finally, we present a prototype tool that implements our theory of branching pomsets, focusing on its applications to choreographies.

approach based on traditional sets of pomsets [11]. We are keen to extend it to take full advantage of the new model presented in this paper.

A first example
We use a simple example to further introduce choreographies and motivate our approach: the review protocol. This protocol governs the communications between three agents: Alice (a), Bob (b), and Carol (c). The former two agents are reviewers; the latter agent is the editor of a journal.
Suppose that Carol has received a new manuscript. The review protocol consists of two stages to determine if the paper can be accepted for publication. We explain both stages separately.
First stage: first round of reviewing. In the first stage, a request (r) to review the manuscript is communicated from Carol to both Alice and Bob (in parallel). Subsequently, 'yes' (y) or 'no' (n) is communicated back from both Alice and Bob to Carol to indicate whether or not they recommend acceptance (still in parallel). This first stage of the protocol can be represented as a choreography as follows, using the notation of this paper: c fst = (c a:r ; (a c:y + a c:n)) ∥ (c b:r ; (b c:y + b c:n)) Here 'c a:r' denotes an asynchronous communication from c to a of a message of type r, ';' denotes sequential composition, '∥' denotes parallel composition and '+' denotes free (i.e., unguarded) nondeterministic choice.
Second stage: optional second round. After the first stage, Carol may send Alice and Bob a request for a second review (e.g., after the manuscript has been revised). Alternatively, Carol may choose not to request a second review, for instance, if both Alice and Bob recommended 'acceptance with minor revisions' in the first round. If Carol sends a second request, she sends Alice and Bob a message 'thanks' (t) after receiving their reviews to thank them for their work and signal that their part is done. If Carol does not send a second request, she still sends the message t for the same reasons.
Formally, the second stage of the protocol can be interpreted in at least two ways: after sending a review request, Carol could either (1) wait for both replies before sending t to both Alice and Bob, or (2) send t to Alice as soon as she receives her reply, without waiting for Bob's, and vice-versa. From now on we will refer to the first interpretation as 'strict' and to the second as Table 1: Formal semantics of choreographies and the corresponding number of states (state-based models) and events (event-based models and this paper) state-based event-based this models models paper

Problem: How to represent both choice and parallelism compactly
There are two major approaches to formalise the semantics of choreographies in the literature: state-based models and event-based models. Table 1 summarises the trade-off (for as far relevant to this paper).
State-based models. State-based models are good to represent choice (linear), but bad to represent parallelism (exponential). A typical such model is the LTS semantics of global types in the multiparty session types literature [12].
For instance, to demonstrate the explosion of states in the presence of parallel communications, the left of Figure 1 shows part of the LTS for c strict snd , whose full LTS consists of 44 states; the full LTS for the lenient version (i.e., more concurrent) consists of 64 states. In these LTSs, ca!r denotes a sending action from c to a with a message of type r, and ca?r denotes the dual receiving action.  Event-based models. Event-based models are bad to represent choice (exponential), but good to represent parallelism (linear). A typical such model is the pomset semantics of g-choreographies [13].
For instance, to demonstrate the non-explosion of events in the presence of parallelism (unlike the LTS semantics), the upper right of Figure 1 shows a graphical pomset representation of the special case of c strict snd where Carol sends a review request and both Alice and Bob reply y. The pomset contains 12 events (vs. 33 states in the LTS for this special case), whose labels are shown. The arrows represent the partial order between events: an event precedes, i.e., must occur before, any other event to which it has an outgoing arrow, either directly or transitively. In this example, the event with label ac?y precedes the events with labels ca!t and cb!t directly and the events with labels ca?t and cb?t transitively. However, it is independent of the event with label bc?y and those preceding it. 1 In general, the pomset grows linearly with 6 events for each additional reviewer (i.e., with n reviewers, there are 6n events vs. 5 n + 3 n − 1 states for this special case).
In contrast, to explain the explosion of events in the presence of choice, we note that the pomsets in Figure 1 only represent a single special case of the review protocol, namely that in which both reviewers recommend acceptance. Choices need to be represented as sets of pomsets: one for every possible combination of branches. Because of this, for the second stage of the review protocol we need 2 × 2 + 1 distinct pomsets: one for each combination of acceptance and rejection, plus one for the case where no review is requested. In general, while the size of each pomset only grows linearly with the number of reviewers, the number of pomsets (hence the total number of events) grows with roughly a factor 2 for each additional reviewer (i.e., with n reviewers, there are 2 n + 1 pomsets in the set).
The problem. As summarised in Table 1, and explained above, neither statebased models nor event-based models offer a compact representation of both choice and parallelism. This is a problem, as many protocols mix these features (e.g., the review protocol). The aim of this paper is to offer a solution.
1.3. This paper Contribution. This paper proposes an extension to pomsets, named branching pomsets, or BPs for short, with a branching structure that can compactly represent choices. In a nutshell, a BP initially contains all branches of choices, and discards non-chosen branches when firing events that require resolving a choice. For instance, the full behaviour of c lenient snd is depicted as a BP in Figure 2, where each white box (except for the outermost one) represents one branch of a choice, while the choice itself is represented by the enclosing blue box. Each additional reviewer would expand the BP by just eight events and a single choice. While we initially introduced BPs specifically to model and study choreographies, we now define them as a generic model for concurrency and study them as such in the first half, before moving on to the use case of choreographies in the second half.
The concept of BP and the way we use it are reminiscent of event structures [14] and their recent usage in the context of multiparty session types [15]. Event structures were introduced in the 80s as a generalisation of posets with shown in the lower pomset in the same figure.  branching, and similarly labelled event structures as a generalisation of pomsets. The main difference with BPs is in the added choice mechanism; in event structures this typically consists of a conflict relation, where two conflicting events may not occur together in the same execution. We give a thorough comparison between BPs and several classes of event structures in Section 3.
To aid in the understanding of BPs and their semantics, we provide a prototype tool to visualise and execute them, available at https://lmf.di. uminho.pt/b-pomset/. All the examples provided in the paper are predefined in the tool, such as c lenient snd and c strict snd ; their definitions in the remainder of the paper contain hyperlinks that open the tool with the specific example. We discuss the tool in more detail in Section 6.
Outline. The core contribution of this paper is the extension of pomsets with a branching structure, named BPs, in Section 2. We then explore this model in the following ways: In Section 3 we compare the expressiveness of BPs with that of several classes of event structures (ESs). Specifically, we show that BPs define an interesting new class of behaviour: they are incomparable with extended bundle ESs and with growing and shrinking causality ESs. We conjecture that they describe a proper subset of a variant of dynamic causality ESs and we prove their inclusion in ESs for resolvable conflict.
In Section 4 we provide an encoding from a choreographic language into BPs and prove that the operational semantics of a choreography are equivalent (bisimilar) to those of its encoding as BP. Consequently, any static analysis of properties of a choreography can also be performed on the corresponding BP. This yields two main advantages: -As Guanciale and Tuosto argue in a recent paper [13], pomsets are syntax-oblivious. So are BPs. As a result, the analysis on BPs makes no assumptions on syntax and is applicable to a wide range of languages, as long as they can be encoded as BPs.
-Compared to automata and traditional sets of pomsets, BPs supply additional structure in respectively concurrency and choices, yielding a more compact model. This structure makes it easier to reason over combinations of concurrency and choices, providing opportunities for more efficient analysis of choreographies featuring both.
In Section 5 we define structural well-formedness properties on BPs, inspired by multiparty session types (MPST) [3], and prove that they ensure realisability of the corresponding protocol. This approach sacrifices completeness for speed: the properties are easy to verify and ensure realisability, but there exist many realisable protocols which are nonetheless not well-formed. By defining these properties on BPs, they are not bound to the syntax of MPST. Consequently, verifying the conditions is slightly more complex as we can no longer take advantage of this syntax, but our results are applicable to any choreographic language which can be encoded as BPs. Furthermore, as BPs are a more generic model than global types in MPST, it may be easier to further generalise properties on BPs than on global types.
In Section 6 we describe our prototype implementation, both from a user and a developer's perspective. The former explains how to use our tool to encode choreographies into BPs and how to analyse BPs using the techniques described in this paper. The latter explains how the well-formedness properties described in Section 5.2 are realised by our tool, providing insights over its complexity.
We discuss related work in Section 7. Finally, Section 8 presents our conclusions and a brief discussion about future work. This paper is an extended version of the paper with Guillermina Cledou, presented at ICE 2022 [16]. We have joined it with the later FACS 2022 paper about realisability of BPs [17], which constitutes Section 5 and parts of Sections 7 and 8. The comparison with event structures (Section 3) and the description and analysis of the tool (Section 6) are new altogether.

Branching pomsets
In this section, we formally define the syntax and semantics of branching pomsets (BPs).
A partially ordered multiset [18], or pomset for short, consists of a set of nodes (events) E, a labelling function λ mapping events to a set of labels (e.g., send and receive actions), and a partial order ≤ defining causal dependencies between pairs of events (i.e., an event can only fire if all events preceding it in the partial order have already fired). Its behaviour (or language) is the set of all traces labelling sequences of its events that abide by ≤.
As noted in Section 1, however, there is no explicit representation of choices in pomsets, and they are represented only implicitly as a set of possible pomsets. We tackle this by extending pomsets with an explicit representation of choices: a branching structure on events.

Syntax
The general idea of a branching pomset is that all possible events are initially part of it, but some are defined as being part of a choice, depicted in Figure 2 as choice boxes containing branches. The branching structure does not interrupt the partial order and all events still participate in it, as shown in the example, where arrows point both into and out of the branches of the choice. Nested choices are supported as well.
Formally, the branching structure of a BP is a tree whose leaves are events and whose inner nodes represent a structure of (possibly nested) choices and branches. It is defined below with root node B, whose children C are either a single event e or a binary choice node with children (branches) B 1 , B 2 .
. We use the same notation for nodes C, events e (a special case of C) and combinations of all the aforementioned. Formally, the subtree relation is defined below, where N can be either a B or a C (and thus also a singleton e).
Branching pomsets themselves are then formally defined below.
Definition 3 (Branching pomset). A branching pomset (BP) is a four-tuple R = ⟨E, ⪯, λ, B⟩, where E is a set of events, ⪯ ⊆ E × E is the causality relation such that ⪯ * (the reflexive and transitive closure of ⪯) is a partial order on events 3 , λ : E → L is a labelling function assigning to every event a label in some labelling set L, and B is a branching structure such that the set of leaves of B is E and no event in E occurs in B more than once.
We note that, in contrast to traditional pomsets, the causality relation ⪯ is not necessarily a partial order. We briefly discuss this in Section 8. We use R.E, R.⪯, R.λ and R.B to refer to the components of R. We generally omit the prefix if doing so causes no confusion. We also write e 1 ≺ e 2 if e 1 ⪯ e 2 and e 1 ̸ = e 2 . We use the following terminology: Event e is minimal if e ′ ̸ ≺ e for all e ′ ∈ R.E (i.e., there exists no other event e ′ that precedes e).
Event e is active if e ∈ R.B (i.e., e is not part of a choice).
Event e is enabled if it is both active and minimal; we write en(R) to denote the set of enabled events.
Events e 1 and e 2 are causally ordered if either e 1 ⪯ e 2 or e 2 ⪯ e 1 .
Events e 1 and e 2 are mutually exclusive if there exists some C = {B 1 , B 2 } R.B such that e 1 B 1 and e 2 B 2 .

Semantics
Informally, every execution step of a BP R, in which an event e is fired, is brought about in three steps: 1. First, R is optionally refined to a "sub-BP" R ′ by resolving zero (i.e., R = R ′ ), one, or more choices. Each resolution is done by replacing a choice {{B 1 , B 2 }} at any level of the branching structure with one of its branches B i , thereby discarding the other branch B j . We note that this same idea governs the operational semantics of many existing languages, too. For instance, in process calculi, if P can reduce to P ′ , then also P + Q (i.e., free choice between P and Q) can reduce to P ′ , thus resolving the choice and discarding Q.
2. Second, an enabling is sought. If an event e in R ′ is enabled and, additionally, e is disabled in every refinement R ′′ of R that is larger than R ′ (i.e., fewer choices are resolved in R ′′ than in R ′ ), then refining R to R ′ is said to be an enabling of e. In other words, R ′ is the largest sub-BP of R in which e is enabled (i.e., the smallest number of choices are resolved to enable e). If R = R ′ , then zero choices were resolved in the first refinement step. In contrast, if R ̸ = R ′ , then one or more choices were resolved to enable e: either because e was a minimal event of a branch in R that was chosen in R ′ (so e also became active), or because e was active in R and causally ordered after events in a branch in R that was discarded in R ′ (so e also became minimal).
3. Third, R is reduced by firing e. The resulting BP is R ′ (the chosen refinement of R) without e.
(b) Enabling, reduction, and termination rules.  The empty BP cannot perform execution steps; it is said to terminate. Any BP which can refine to the empty BP is able to terminate.
Formally, execution and termination are defined through relations: Refinement: A branching structure B can refine to B ′ , written B ⊒ B ′ . We write B ⊐ B ′ to specify that B ̸ = B ′ . The refinement rules are  formalised in Figure 3a. To illustrate these, we use BPs R a , R b in Figure 4. As the labels are irrelevant for these examples, we use a, . . . , h for both the events and their labels. Finally, we assume that the relation ⪯ for each BP consists exactly of the arrows shown in the figures.
The first two rules, Refl and Trans, are straightforward. The third rule, Choice, resolves choices: it states that we can replace a choice with one of its branches. This rule serves a dual purpose: by applying it to the outer choice of R b we can discard its lower branch, after which we can fire a, which is then active; alternatively, by applying it to R a we can discard the upper branch of the choice, after which we can fire d, which is then minimal. Recall that ⪯ is not necessarily a partial order and that, in R a , a ⪯ * d but not a ⪯ d. Consequently, the transitive dependency from a to d does not carry over to R ′ a . The fourth rule, Congr, allows us to resolve nested choices (with Choice) without first having to resolve their outer choices. To make g minimal in R b we could resolve the outer choice and one inner choice with Choice (and Trans). However, we can also apply Choice to resolve both inner choices and then apply Congr to the outer choice to update it without unnecessarily resolving it. Finally, the fifth rule, Lift, overloads the refinement notation to also apply to BPs themselves: if R.B can refine to some B ′ then R itself can refine to a derived BP with branching structure B ′ , written R| B ′ 4 , whose events are restricted to those occurring in B ′ and likewise for ⪯ and λ. The refinements above then lead to respectively R ′ b , R ′ a and R ′′ b in Figure 5. Enabling, reduction, and termination: Figure 3b defines an enabling relation, two reduction relations, and a termination predicate.
-The first rule, Enable, defines the conditions for enabling an event e, written R ✓ e − → R ′ : a BP R can enable e by refining to R ′ if e is enabled in R ′ (e ∈ en(R ′ )), and if there is no other refinement R ′′ in between which already enables e.
As in the informal description, the enabling relation only discards the absolutely necessary: for example, in the BP R a in Figure 4, we may discard the choice's upper branch to fire d, but not to fire a. Similarly, in the BP R b in the same figure, we may discard the lower branch from both inner choices to fire g, but there is no need to also resolve the outer choice. In Figure 2, we can discard the outer choice's upper branch to fire the event labelled ca!t. The refinement rules in Figure 3a act as structural rules, which do not fire any event but may exclude events (by discarding branches), as opposed to the reduction rules in Figure 3b, which fire events and are therefore computational rules. In fact, refinements could also be seen as executing silent transitions to resolve choices, as in process algebras with an internal choice operator, although, traditionally, in process algebras only top-level choices can be resolved in this way.
-The second and third rules, Reduce1 and Reduce2, define the reduction relations. They state that, if R can enable e by refining to R ′ (through Enable), then it can fire e by reducing to R ′ − e, which is the BP obtained by removing e from R ′ (Figure 3c). This reduction is defined both on e's label (Reduce2) and on the event itself (Reduce1), the latter for internal use in proofs since λ(e) is typically not unique but e is.
-The fourth rule, Terminate, defines the termination predicate and simply states that a BP can terminate if its branching structure can reduce to the empty set.

Comparison with event structures
In this section, we study the expressive power of branching pomsets by comparing them with various classes of event structures.
Event structures (ESs) are a well-established model for concurrency, which bears a close relationship with both Petri nets and domain theory. Originally introduced by Nielsen, Plotkin and Winskel [19,14], this model represents a concurrent system as a set of (possibly labelled) events together with some relations among them, which regulate their occurrence in computations. Typically, in a prime event structure (PES), the original and simplest form of ES, there are two relations on events: causality (meaning that one event must occur before the other), and conflict (meaning that two events cannot occur in the same computation). 5 In their labelled version, PESs may be viewed as pomsets enriched with a conflict relation. This makes them conceptually very close to branching pomsets, therefore a comparison is in order.

Dynamic Counters
Resolvable Conflict

HDES
Branching Pomsets Tree-like ? Figure 6: Landscape of event structures as extended from [20]. Branching pomsets are added in bold. Dynamic causality event structures are replaced by a variant with counters. Flow, stable, dual, and higher order dynamic causality event structures are faded to indicate that they are not discussed in detail.
Many variants of ESs have been studied in the last decades. We start by reviewing a number of them, referring for more details to the extensive overview given in the paper by Arbach et al. [20].

Event structure landscape
We first introduce the classes of ESs that are relevant to our study, namely those represented in Figure 6 (except for the faded ones, which are only included for completeness). We then uniformly define their semantics using the notion of proving sequence, from which the classical notion of configuration (a set of events that may have occurred at some stage of computation) may be immediately derived.
We start by considering the classes of static ESs, namely prime, bundle, asymmetric, and extended bundle ESs, where the relations on events are fixed once and for all. We then move to the classes of dynamic ESs, namely growing, shrinking and dynamic causality ESs, as well as ESs for resolvable conflict, where one of the two relations of causality and conflict may vary along execution.

Static event structures
The simplest class of ESs we consider, which is also the original one, is that of prime ESs.
Definition 5 (Prime Event Structure (PES) [19]). A prime event structure is a triple S = ⟨E, #, ≤⟩, where E is a set of events, # ⊆ E ×E is a symmetric, irreflexive relation called the conflict relation, and ≤ ⊆ E × E is a partial order relation called the causality relation, satisfying the properties: The condition of conflict hereditariness implies that the relations of conflict and causality are disjoint and that events do not have conflicting causes. Two events which are neither in conflict nor causally related are said to be concurrent. Two events which are not in conflict are said to be consistent. The axiom of finite causes forbids events with an infinite set of (consistent) causes, namely an event e such that e n ≤ e for all n ∈ N, thus ruling out also infinite regression (which could arise if we had also e n+1 ≤ e n for all n ∈ N).
Event structures were originally conceived as a system model and not as an algebraic model endowed with a set of constructors. However, since ESs were introduced roughly at the same time as the first process calculi CSP, CCS and ACP, they appeared as a natural candidate model 6 to give semantics to process calculi. Because of their inability to represent disjunctive causality (i.e., events with multiple possible causes, only one of which needs to happen), PESs turned out to be too restrictive for that purpose. Typically, when two CCS processes are composed in parallel, some of their events (those carrying complementary labels) are allowed to synchronise giving rise to a new event, whose set of successor events should be the union of the sets of successors of the two original events, which can still occur independently. However, in a PES the conflict hereditariness condition prevents any sharing of the sets of successors, thus requiring their duplication after each synchronisation.
To overcome this problem, Winskel devised a more general class of ESs, called stable event structures [19], which accommodates disjunctive causality by replacing the causality relation ≤ with an enabling relation between sets of events and events. Hence, the first ES semantics for CCS [21] was given in terms of stable ESs. However, since the enabling relation is a secondorder relation on events, stable ESs lose the nice graphical representation offered by PESs. This observation motivated the subsequent introduction of two subclasses of stable ESs, respectively bundle ESs [22] and flow ESs [23], which allow for disjunctive causality while retaining a graphical representation. Both these classes of ESs may be viewed as simple extensions of PESs, flow ESs being slightly more expressive than bundle ESs [24]. Here we only consider bundle ESs, which use a simpler enabling relation than stable ESs.
Definition 6 (Bundle Event Structure (BES) [22]). A bundle event structure is a triple S = ⟨E, #, ↣⟩, where E is a set of events, # ⊆ E × E is the symmetric, irreflexive conflict relation and ↣ ⊆ P(E) × E is the enabling relation, satisfying the property: Intuitively, X ↣ e means that at least one of the events in X needs to happen before e can happen. The condition of stability furthermore implies that at most one of the events in X needs to happen, as all the events in X must be pairwise in conflict with each other.
For both PESs and BESs, more general variants where conflict is not required to be symmetric have been proposed. These are called respectively asymmetric ESs and extended bundle ES. We recall their definitions below.
Definition 7 (Asymmetric Event Structure (AES) [25]). An asymmetric event structure is a triple S = ⟨E, Y, ≤⟩, where E is a set of events, Y ⊆ E × E is the asymmetric conflict relation, and ≤ ⊆ E × E is the partially ordered causality relation, satisfying the following properties for all e, e ′ , e ′′ ∈ E: Y is acyclic on ⌊e⌋ In the above definition, Condition 2 expresses hereditariness of asymmetric conflict, while Condition 3 rules out cycles of asymmetric conflict in the set of causes of an event. Since cycles can be self-cycles, this implies in particular that asymmetric conflict is irreflexive. As for Condition 4, it requires that any semantic conflict between two events which is due to their co-occurrence on a cycle of asymmetric conflict be explicitly represented by an asymmetric conflict in both directions.
As explained in [25], the asymmetric conflict relation has two natural interpretations: e Y e ′ may be understood as (i) e ′ disables e, namely the occurrence of e ′ prevents the occurrence of e, or (ii) e (weakly) precedes e ′ , namely e occurs before e ′ in all executions where they both occur.
A similar disabling relation is used in extended bundle ESs.
Definition 8 (Extended Bundle Event Structure (EBES) [26]). An extended bundle event structure is a triple S = ⟨E, Y, ↣⟩, where E is a set of events, Y ⊆ E × E is the irreflexive disabling relation and ↣ ⊆ P(E) × E is the enabling relation, satisfying the following: X ↣ e =⇒ ∀e 1 ̸ = e 2 ∈ X : e 1 Y e 2 (stability condition) Here again, e Y e ′ should be read from right to left as e ′ disables e.
The construction of an EBES from an AES is similar to that of a BES from a PES. As such, AESs are included in EBESs.

Dynamic Event Structures
We review now the classes of dynamic ESs, where one of the two relations of causality and conflict may dynamically change along execution.
In [20], three new classes of ESs have been proposed, where the causality relation can be modified by effect of the occurrence of some other event: (1) shrinking causality event structures (SESs), where causal dependencies can be removed, (2) growing causality event structures (GESs), where causal dependencies can be added, and (3) dynamic causality event structures (DCESs), where causal dependencies can be both added and removed.
Shrinking ESs extend rPESs (relaxed PESs where the conflict relation is not required to be hereditary 7 ) by allowing the causality relation to decrease along execution.
Definition 9 (Shrinking Causality Event Structure (SES) [20]  Note that conflict does not appear in Theorem 10. This is because conflict may be simulated by mutual disabling, and disabling may be simulated by growing causality. The simulation of disabling as given in [20] assumes the existence of an "impossible" event e imp 8 such that e imp → e imp (exploiting the fact that → is not required to be irreflexive): then a conflict between e and e ′ may be modelled by setting e [e imp → e ′ ] and e ′ [e imp → e]. In fact, since Theorem 10 does not require e 1 ̸ = e 2 in Condition (GC), the conflict between e and e ′ may also be simulated more directly (see [20]  Combining the features of shrinking and growing ESs, and adding some constraints on the interplay between shrinking and growing causality, we obtain dynamic causality ESs (DCESs). In this paper, we consider a variant of DCESs, with the same syntax but subtly different semantics. This is discussed when we formally define the semantics.
Definition 11 (Dynamic Causality Event Structure [20]). A dynamic causal- are respectively the shrinking and growing causality relations, such that: Again, conflict is omitted because it may be simulated by growing causality. Conditions 6 and 8 correspond to the second half of Conditions (SC) and (GC) respectively. Conditions 5 and 7 correspond to the first half of Conditions (SC) and (GC), accounting for the possibility that the other operator could add or subtract some causal dependencies. Finally, Condition 9 prevents an event from adding and dropping the same causal dependency.
The last class of dynamic ESs we shall consider is the following, where the conflict relation may be changed dynamically.
Definition 12 (Resolvable Conflict Event Structure (RCES) [28]). An event structure for resolvable conflict is a pair S = ⟨E, ⊢⟩, where E is a set of events and ⊢ ⊆ P(E) × P(E) is the enabling relation.
We recall from [28] a simple example showing that RCESs can model resolvable conflicts, namely conflicts that disappear by effect of the occurrence of some event. Consider the structure ⟨E, ⊢⟩ where E = {a, b, c}, with {a} ⊢ {b, c} and ∅ ⊢ X iff X ⊆ E and X ̸ = {b, c}. This models an initial conflict between b and c, which can be resolved by the occurrence of a. We refer the reader to [28] for more examples, showing that RCESs are not stable. In fact, in [28] RCESs are shown to be able to represent any Petri net, a very strong expressiveness result.

Event Structure Semantics
The semantics of ESs is classically defined in terms of configurations. A configuration is a set of events that may have occurred at some stage of a computation. For all classes of ESs, we shall uniformly define a configuration to be a set of events enumerable as a proving sequence [19,24,26], namely a sequence of consistent events such that each event is "secured" -i.e., granted the possibility to occur -by the preceding ones. We will first introduce proving sequences for all classes of ESs, and then uniformly derive from them a notion of configuration and a reduction relation on configurations.
We start by introducing some terminology. A trace is a finite sequence of distinct events t = e 1 . . . e n , where n ≥ 0 and by convention t = ε if n = 0. Given a trace t = e 1 . . . e n , we denote by t i = e 1 . . . e i its prefix of length i for every i ≤ n, and by t the set {e 1 , . . . , e n } of events occurring in t. In particular, t n = t, t 0 = ε and t 0 = ∅. A set of events is consistent if it is conflict-free.
Proving sequences are traces with two distinguishing properties: consistency of the underlying set of events, and securing for each of their events. Their formal definitions differ depending on the considered class of ESs.
Definition 13 (PES proving sequence [19]). Let S = ⟨E, #, ≤⟩ be a prime event structure. A proving sequence of S is a trace t = e 1 . . . e n with t ⊆ E, satisfying the properties: Definition 14 (AES proving sequence [25]). Let S = ⟨E, Y, ≤⟩ be an asymmetric event structure. A proving sequence of S is a trace t = e 1 . . . e n with t ⊆ E, satisfying the properties: For PESs and asymmetric ESs, which have a global causality relation ≤, securing amounts to left-closure with respect to ≤. For more expressive ESs such as BESs and EBESs, which allow for disjunctive causality and only recover a partial order of causality within individual computations, securing is defined as consistent left-closure, namely left-closure up to conflicts. In BESs and EBESs, this property is called bundle satisfaction.
Definition 15 (BES proving sequence [26]). Let S = ⟨E, #, ↣⟩ be a bundle event structure. A proving sequence of S is a trace t = e 1 . . . e n with t ⊆ E satisfying the properties: Definition 16 (EBES proving sequence [26]). Let S = ⟨E, Y, ↣⟩ be an extended bundle event structure. A proving sequence of S is a trace t = e 1 . . . e n with t ⊆ E satisfying the properties: For dynamic classes of ESs, the definition of proving sequence is more subtle, since it needs to account for the fact that the causes of every event in the sequence may have been modified by some earlier event in the sequence. The definitions we give below for SESs and GESs are slightly different in form, but semantically equivalent, to the ones given in [20].
Definition 17 (SES proving sequence [20]). Let S = ⟨E, #, →, ¡⟩ be a shrinking causality event structure. A proving sequence of S is a trace t = e 1 . . . e n with t ⊆ E satisfying the properties: Informally, the securing property for SESs means that if e causes e i initially (e → e i ), then either e has indeed happened before e i (e ∈ t i−1 ), or another event e ′ has happened that removed the causality (∃e ′ ∈ t i−1 : . Definition 18 (GES proving sequence [20]). Let S = ⟨E, →, ⟩ be a growing causality event structure. A proving sequence of S is a trace t = e 1 . . . e n with t ⊆ E satisfying the property: Informally, the securing property for GESs means that if either e causes e i initially (e → e i ), or if another event e j has happened that added the causality (e ′ [e → e i ]), then e has indeed happened before e i (e ∈ t i−1 ).
Recall that DCESs combine the power of SESs and GESs: they are essentially PESs whose causality relations can both shrink and grow as events happen in a computation. Relative to SESs and GESs, the key complication to define the semantics of DCESs is that the same causality can be removed, added, removed again, etc., in the same computation. In contrast, in SESs (resp. GESs), once a causality is removed (resp. added), it remains absent (resp. present) forever. Thus, a more advanced bookkeeping mechanism is needed to account for the additions/removals of causalities to define proving sequences of DCESs.
In [20] the operations for adding and dropping a cause are idempotent, in the sense that the executions of two successive additions (resp. removals) of the same causal dependency have the same effect as that of a single one. Here, we adopt a finer mechanism, which counts the number of additions and removals along an execution. Thus, our semantics for DCESs is a variant of the original one proposed in [20], which we will call dynamic causality event structures with counters (DCCESs). One advantage of this new semantics is that it supports a simple definition of the transition relation on configurations, which does not require the pairing of configurations with an ordering as in [20]. More precisely, the intuition for a trace t = e 1 . . . e n to be a proving sequence of a DCCES is that for any event e i in the trace, any cause of e i which has been added more times than it has been dropped by events occurring in the prefix t i−1 does effectively cause e i at this stage of computation, and therefore it should occur in the prefix t i−1 . The definition relies on some auxiliary multisets, which are variations (enriched with multiplicities) of the auxiliary sets used in [20]. Clearly DCCESs extend both SESs and GESs. The proof for EBESs given in [20] also holds for DCCESs, thus giving the inclusions shown in Figure 6.
In the following definition we use e (k) ∈ X to indicate that e occurs in the multiset X with multiplicity k (where in case X is a set we write e ∈ X instead of e (1) ∈ X), mult(e, X) to denote the multiplicity of e in X, and | X | to denote the cardinality of the set X.

Definition 19 (Set of initial causes, multisets of added and dropped causes).
Let S = ⟨E, →, ¡, ⟩ be a dynamic causality event structure with counters.
Let e ∈ E and t = e 1 . . . e n with t ⊆ E. Then: 1. The set of initial causes of e is defined by ic(e) = {e ′ | (e ′ , e) ∈ →}; 2. The multiset of dropped causes of e after t is defined by 3. The multiset of added causes of e after t is defined by Definition 20 (DCCES proving sequence). Let S = ⟨E, →, ¡, ⟩ be a dynamic causality event structure with counters. A proving sequence of S is a trace t = e 1 . . . e n with t ⊆ E satisfying the property: ∀i ∈ [1, n] : ∀e ∈ E : Finally, we define proving sequences for RCESs directly, in agreement with the RCES semantics in [28]: Definition 21 (RCES proving sequence). Let S = ⟨E, ⊢⟩ be an event structure for resolvable conflict. A proving sequence of S is a trace t = e 1 . . . e n with t ⊆ E satisfying the property: Informally, the securing property for RCESs means that every subset of events Z at timestamp i must be enabled by a subset of events W at timestamp i − 1.
Having introduced the notion of proving sequence for each class of ESs, we may now uniformly define the notion of configuration and a transition system on configurations for all kinds of ESs.
Definition 22 (Configuration and transition system). Let S be any ES. A configuration of S is any set X such that X = t for some proving sequence t of S. The set of configurations of S is C(S) = {t | t is a proving sequence of S}. The multi-step transition relation ⇒ S ⊆ C(S) × C(S) on configurations is then defined as: X ⇒ S Y if there exist proving sequences t 1 and t 2 of S such that t 1 = X and t 2 = Y and t 1 is a prefix of Y . We then derive the single action transition relation → S as: X → S Y if X ⇒ S Y and |Y | = |X| + 1.
We state some simple properties of proving sequences, which will be used for proving Theorem 25: Lemma 23. Let S be an ES of any of the aforementioned classes. Then: 1. If t is a proving sequence of S, then any prefix t i of t is also a proving sequence of S; 2. Let t and t ′ be two proving sequences of S such that t = t ′ . If te is a proving sequence of S, then also t ′ e is a proving sequence of S. 9 We define a transition equivalence generically on any type of ES.
Definition 24 (ES transition equivalence [28]). Two ESs S 1 and S 2 are called multi-step transition equivalent, written Analogously, two ESs S 1 and S 2 are called single action transition equivalent, We note that, since we have only defined single action semantics for BPs, we will only use the single action transition relation for ESs in the remainder. We will thus simply use transition relation and transition relation equivalence, without further qualifiers, to refer to the single action ones.
We conclude by showing that, using these semantics, any type of ES considered in this paper can be encoded as an RCES. In particular, DCCESs also represent a subset of RCESs, while DCESs and RCESs have been shown to be incomparable [20]. Proof. First we use the proving sequences of S to define ⊢. For any proving sequence t = e 1 . . . e n of S, define Notice that for any t, we have (∅, t 1 ) ∈ ⊢ t . Let now We proceed to show that S and S have the same sets of proving sequences. 9 We note that this is true for any class of ESs in which the current configuration (i.e., the set of occurred events) wholly determines the current causal state (i.e., which events are enabled). In particular, this is true for DCCESs but not for DCESs, which is why Theorem 25 does not hold for the latter.
Let t = e 1 . . . e n be a proving sequence of S. Then, for any 1 ≤ i ≤ n and for any Z i ⊆ t i , we have t i−1 ⊢ t Z i . It follows from Theorem 21 that t is then also a proving sequence of S.
We prove now that any proving sequence t = e 1 . . . e n of S is also a proving sequence of S. We proceed by induction on the length n of t. For n = 0 we have t = t 0 = ε, which is a proving sequence of S by definition. Assume now that the statement holds for all proving sequences of length k, for 0 ≤ k ≤ n − 1. We want to show that it holds also for t = e 1 . . . e n = t n−1 e n . By induction t n−1 is a proving sequence of S. Since t is a proving sequence of S, by Theorem 21 for all Z ⊆ t there exists some W ⊆ t n−1 such that W ⊢ Z. In particular this holds for Z = t. Note that, on the one hand, W ⊆ t n−1 implies that |W | ≤ n − 1. On the other hand, the construction of ⊢ implies that, if W ⊢ Z, then |Z| < |W |. Since |t| = n, it follows that if W ⊢ t then it must be |W | = n − 1 and thus W = t n−1 . In other words: Since t = t n and t n and t ′ n have the same length, it follows that t = t ′ n . This means that t ′ n = t ′ n−1 e n . Now, since t ′ n and t ′ n−1 are prefixes of t ′ , by Theorem 23(1) they are also proving sequences of S. Then we may use Theorem 23 (2) to conclude that t = t n = t n−1 e n is a proving sequence of S.
Since S and S have the same proving sequences, it directly follows from Theorem 22 that → S = → S .

Comparing event structures and branching pomsets -Overview
We now compare branching pomsets with the various classes of ESs previously reviewed. We establish a number of relative expressiveness results, summarised in Figure 7, where we complete the initial picture of Figure 6 with dashed red lines representing the non-inclusion of one model into another. Non-inclusion results are proved by providing counterexamples. The inclusion of tree-like BPs into PESs is proved in Theorem 31. The inclusion of general BPs into RCESs is proved in Theorem 36. The inclusion of general BPs into DCCESs is work in progress and for now remains a conjecture.
To conduct this comparison, we first need to introduce configurations also on branching pomsets, as well as a transition relation between them. x L. 33 x L. 29 x L. 32 x L. 28 Definition 26 (Configuration). Let R = ⟨E, ⪯, λ, B⟩ be a branching pomset.
Just as for ESs, let C(R) be the set of configurations of R.
Definition 27 (Transition system). Let R = ⟨E, ⪯, λ, B⟩ be a branching pomset and let X ⊆ E. Then the transition relation . . e n such that t = X.
We may now proceed to prove the results and discuss the conjectures corresponding to the solid blue arrows and dashed red arrows in Figure 7.

Comparing event structures and branching pomsets -Static models
Our first result states that the class of prime ESs is not included in that of BPs. Since prime ESs are the simplest class of ESs (static and dynamic alike), extended by all the others, this implies that no class of ESs is included in that of BPs.
There exists a prime event structure S for which there does not exist a branching pomset R such that C(S) = C(R).
Now there are four possible ways to relate C 1 and C 2 in B. We show that all of them lead to a contradiction.
1. Suppose C 1 and C 2 are concurrent choices: , which is a contradiction; 2. Suppose C 1 and C 2 are nested choices. Let C 2 C 1 (the symmetric case is analogous). There are two subcases: can never occur together with c or d (which are then in B 1 ), thus contradicting {b, c} ∈ C(R); (b) or C 2 B 2 , in which case a (which is in B 1 ) can never occur together with c or d (which are then in B 2 ), thus contradicting {a, c} ∈ C(R); 3. Suppose C 1 and C 2 are the same choice, namely 4. Suppose C 1 and C 2 are mutually exclusive choices. Then, there must be Since all cases are contradictory, we conclude that there does not exist any BP R such that C(R) = C(S).
The following two lemmas state that the class of BPs is not included in the class of EBESs. Since EBESs are the most expressive class of static ESs in Figure 7 (it includes the class of PESs and BESs), this implies that no class of static ESs in Figure 7 includes that of BPs.
Lemma 29 (BP ̸ ⊆ EBES). There exists a branching pomset R for which there does not exist an extended bundle event structure S such that C(R) = C(S).
Proof. Let R be the BP in Figure 8b. Assume, for the sake of contradiction, that there exists some EBES S = ⟨E, Y, ↣⟩ with the same set of con- However, it follows from these that {c, d} ∈ C(S), which is a contradiction.
The following theorem follows directly from Theorems 28 and 29.
Theorem 30. Branching pomsets are incomparable with the static event structures in Figure 7 (prime, bundle, and extended bundle).
In contrast, for the special class of tree-like BPs, we can prove that it is strictly subsumed by the class of PESs.
Lemma 31. For every tree-like branching pomset R there exists a prime event structure S such that C(R) = C(S).
Proof. Let R = ⟨E, ⪯, λ, B⟩ be a BP. We construct the PES S = ⟨E, #, ≤⟩, where ≤ = ⪯ * , the reflexive and transitive closure of ⪯, and # = {(e 1 , e 2 ) | ∃{B 1 , B 2 } B : e 1 B 1 ∧ e 2 B 2 }, i.e., the set of conflicts consists exactly of all pairs of events which are separated by some choice. Since R is tree-like, e B ′ ∧ e ⪯ e ′ =⇒ e ′ B ′ , from which it follows that S satisfies conflict hereditariness. We proceed by showing that R and S have the same traces and thus the same configurations.
Let t = e 1 . . . e n be a trace of R. Then R t − → * R ′ for some R ′ . Since two mutually exclusive events can never occur in the same trace of R, t satisfies the PES consistency condition. Furthermore, for all i ∈ {1, . . . , n}, if there exists some e ≺ e i then, since R is tree-like, e ∈ t i−1 . In other words, t also satisfies the PES left-closure condition, and then t is also a trace of S.
Let t = e 1 . . . e n be a trace of S. Then t must be consistent and leftclosed. Let i ∈ {1, . . . , n} and assume that R Since t is left-closed, it follows that, for every e such that e ≤ e i , we have e ∈ t i−1 . Consequently, e i is minimal in R ′ . Furthermore, since t is consistent, e i cannot be in conflict with any event in t i−1 and thus also does not belong to a different branch of any choice than the events in t i−1 . Since R is treelike, there is no need to resolve choices for any reason other than firing events in them. It follows that e i R ′ , and then R ′ e i − → R ′′ for some R ′′ . Finally, it then follows by induction that R t − → * R for someR and then t is a trace of R.
Since R and S have the same set of traces, it follows that C(R) = C(S).

Comparing event structures and branching pomsets -Dynamic models
Our next two lemmas state that the class of BPs is not included in the classes of SESs and GESs. Combined with our result in the previous subsection that the class of PESs (subsumed by those of SESs and GESs) is not included in the class of BPs, we conclude that BPs and SESs/GESs are incomparable: the expressive power to only remove, or to only add, causalities dynamically is insufficient to cover the expressive power of BPs, and vice versa.
Lemma 32 (BP ̸ ⊆ SES). There exists a branching pomset R for which there does not exist a shrinking causality event structure S such that C(R) = C(S).
Proof. Let R be the BP in Figure 8b. Assume, for the sake of contradiction, that there exists some SES S = ⟨E, #, →, ¡⟩ with the same set of con- Furthermore, since {a, c, d} ∈ C(S), it follows that ¬(c # d). However, it follows from these that {c, d} ∈ C(S), which is a contradiction.
Lemma 33 (BP ̸ ⊆ GES). There exists a branching pomset R for which there does not exist a growing causality event structure S such that C(R) = C(S).
Proof. Let R be the BP in Figure 8c ∈ C(S) and {a, c} ∈ C(S), it follows that a → c. However, since GESs cannot model disjunctive causality, it follows from a → c that {b, c} / ∈ C(S), which is a contradiction.
The following theorem follows directly from Theorems 28, 32 and 33.
Theorem 34. Branching pomsets are incomparable with two dynamic event structures in Figure 7 (growing and shrinking).
In contrast, we conjecture that DCCESs (which combine the power of SESs and GESs) have more expressive power than BPs. The idea is that the power to remove dependencies can be used to encode disjunctive causality, while the power to add dependencies can be used to encode partial termination (as asymmetric conflicts).

Conjecture 35.
For every branching pomset R there exists a dynamic causality event structure with counters S such that R ≃ t S.
Finally, the general enabling relation of RCESs can essentially encode arbitrary transition graphs, including those induced by BPs. When equating traces of BPs to proving sequences for ESs, their definitions for configurations and (single action) transition relations (Theorems 22, 26 and 27) coincide. Then, occasionally substituting the word 'trace' for 'proving sequence' in the proof of Theorem 25 also proves the following theorem.
Theorem 36. For every branching pomset R there exists an event structure for resolvable conflict S such that R ≃ t S.

Choreographies
We now turn to our study of applications of branching pomsets to choreographies. In this section we define a simple choreographic language. We then encode choreographic expressions into BPs and show the expressions' operational semantics to be bisimilar to the encoding's BP semantics.

Choreography language definition
The syntax of our choreography language is formally defined in Figure 9. Its components are standard: '1' is the empty choreography; 'a b:x' is the asynchronous communication from a to b of a message of type x; the boxed term 'ab?x' represents a pending receive on b from a of a message of type x (it is boxed in Figure 9 to indicate that it is only used internally to formalise behaviour but the box is not part of the syntax); 'c 1 ; c 2 ', 'c 1 + c 2 ' and 'c 1 ∥ c 2 ' are respectively the weak sequential composition, nondeterministic choice and parallel composition of choreographies c 1 and c 2 ; finally, 'c * ' is the finite repetition (or, more informally, loop) of choreography c. The semantics for choice, parallel composition and loop are standard. We note that our sequential composition is weak. With standard sequential composition, when sequencing c 1 and c 2 , the choreography c 1 must fully terminate before proceeding to c 2 . With weak sequential composition, however, actions in c 2 can already be executed as long as they do not interfere with c 1 . For example, in a b:x ; c d:x we can execute the action cd!x as it does not affect the participants of a b:x: there is no dependency and thus no need to wait for a b:x to go first. On the other hand, in a b:x ; a c:x the action ac!x cannot be executed first as its subject (a) must first execute ab!x. This is the common interpretation of sequential composition in the context of message sequence charts [29], multiparty session types [3] and choreographic programming [5].
The reduction rules of our choreographic language are formally defined in Figure 10a and its termination rules in Figure 10b. To formalise the reduction of weak sequential composition, we follow Rensink and Wehrheim [30], who define a notion of partial termination. Partial termination inspired our (a) Reduction rules.

1↓
[ (c) Partial termination rules. refinement and enabling rules for BPs, so both the concepts and notation are similar.
Partial termination. In a weak sequential composition c 1 ; c 2 , an action ℓ in c 2 can be executed if c 1 can partially terminate for ℓ. Conceptually, a choreography c 1 can partially terminate for ℓ by discarding all branches of its behaviour which would conflict with it, i.e., in which the subject of ℓ occurs. This is written c 1 . Otherwise we allow c * to be skipped entirely, represented as partial termination to 1, i.e., . This can happen either if c can partially terminate to c ′ but c ′ ̸ = c, or if c cannot partially terminate at all. We use c ̸ ✓ ℓ − → c as a shorthand to cover both these cases. Skipping a loop is necessary, for example, in a protocol such as (a b:x ; b a:x) * ; a b:done, in which Alice and Bob exchange an arbitrary number of messages x until Alice signals done. In this choreography, the loop has to partially terminate to 1 to eventually allow for the action ab!done.     As already discovered by Rensink and Wehrheim [30], an unwanted consequence of these rules for partial termination is that unfolding iterations of loops no longer preserves behaviour. We would like c * and (c;c * )+1 to behave the same, but this is not the case. For example, if c = a b:x + c d:x, then   (c ; c * ) + 1    Figure 11 shows two choreographies and corresponding BPs similar to those in Figure 4. Formally, the rules for the construction of a BP for a choreography c, written c , are defined in Figure 12. Most rules are as expected. We highlight the rules for operators. In the following, let

BP encoding
and let E a i be the subset of events in E i with subject a. The rule for parallel composition ( c 1 ∥ c 2 ) takes the pairwise union of all components.
The rule for sequential composition ( c 1 ; c 2 ) also adds dependencies to ensure that, for every a, all events with subject a in c 1 (denoted E a 1 ) must precede all events with subject a in c 2 (E a 2 ). This matches the reduction rule for weak sequential composition of choreographies (Figure 10a), as events in c 2 are only required to wait for events in c 1 whose subject is the same.
The rule for choice ( c 1 + c 2 ) adds a single top-level choice in the branching structure to choose between the BPs for c 1 and c 2 .
The rule for loops ( c * ) encodes a loop as a choice between terminating (1) and unfolding one iteration of the loop (c ; c * ). This results in a BP of infinite size. We note that our theoretical results still hold even on infinite BPs, but that any analysis of an infinite BP will have to be symbolic. However, since the focus of this paper is on supporting choices, we do not discuss this further and leave symbolic analyses for loops for future work.
Example 39. As an example, we construct part of the BP in Figure 2: (c a:r ; (a c:y + a c:n)) ∥ (c b:r ; (b c:y + b c:n)) + 1 (thus omitting c a:t and c b:t). Let c a:r = ⟨{e 1 , e 2 }, ⪯ 1 , λ 1 , B 1 ⟩, a c:y = . . ., a c:n = . . ., c b:r = . . ., b c:y = . . . and b c:n = ⟨{e 11 , e 12 }, ⪯ 6 , λ 6 , B 6 ⟩ as in Figure 12. First a c:y + a c:n = ⟨{e 3 , . . . , e 6 }, ⪯ 2 ∪ ⪯ 3 , λ 2 ∪ λ 3 , {{B 2 , B 3 }}⟩; this is the pairwise union of the first three components, with the branching structure adding a choice between the two branches. Then c a:r ; (a c:y + a c:n) = ⟨{e 1 , . . . , e 6 }, ⪯ 1 ∪ ⪯ 2 ∪ ⪯ 3 ∪ {e 1 ⪯ e 4 , e 1 ⪯ e 6 , e 2 ⪯ e 3 , e 2 ⪯ e 5 }, λ 1 ∪ λ 2 ∪ λ 3 , B 1 ∪ {{B 2 , B 3 }}⟩; again, this is the pairwise union of all components, with the addition of four dependencies: e 2 ⪯ e 3 and e 2 ⪯ e 5 represent the arrows in Figure 2 from ca?r to respectively ac!y and ac!n as they both have subject a, while e 1 ⪯ e 4 and e 1 ⪯ e 6 adds direct dependencies between ca!r and respectively ac?y and ac?n as they both have subject c. The parallel branch involving Bob is analogous, and their parallel composition simply consists of the pairwise union of their components. Finally, adding the choice with 1 retains the first three components and yields the branching structure {{B p , ∅}}, where B p is the branching structure yielded by the parallel composition.
Remark (expressiveness). There is no way to obtain the precise BP from Figure 2, as parallel composition of the BP constructed in Theorem 39 with c a:t ∥ c b:t yields too few dependencies and sequential composition yields too many: amongst others, sequential composition would also add arrows from ac?y and ac?n to cb!t, as they have the same subject c. The behaviour can be expressed by duplicating events, resulting in the choreography c lenient snd in Section 1. Expressing it without duplication would require more sophisticated compositional operators than the ones in our choreographic language. As a second example, there is also no way to obtain the BP from Figure 13. In this BP, Alice (a) and Bob (b) both send the other a vote (v), but they must send their own vote before receiving the other's. From our choreographic language we can obtain BPs for a b:v and b a:v, but we have no compositional operator to compose them in the desired way: parallel composition adds no dependencies at all, and sequential composition will also enforce an ordering on the send and receive events.

Equivalence of BP encoding
For any given choreography c we can now derive two labelled transition systems: one from the operational semantics in Figure 10  from the pomset semantics in Figure 3 over the BP c produced by the rules in Figure 12. In the remainder of this section we show that the two transition systems are bisimilar. Two systems are language equivalent (or trace equivalent) if their languages are the same, i.e., if they accept the same set of words (or traces), regardless of the way these words are obtained. On the other hand, two systems are bisimilar if their internal branching behaviour is also the same. This is a stronger notion of equivalence than language equivalence: if two systems are bisimilar then they are also language equivalent, but the inverse is not necessarily true.

Example 40.
a b:x;(b a:x+b a:y) is language equivalent but not bisimilar to (a b:x; b a:x) + (a b:x ; b a:y). In the former the choice between b a:x and b a:y is made only after a b:x, while in the latter the choice is made up front. As a result, it is possible in the latter system to fire ab!x;ab?x and then end up in a state where ba!x cannot be fired because the branch with b a:y was chosen -or the other way around; in the former system it is always possible to fire both ba!x and ba!y. a b:x is bisimilar to a b:x + a b:x. While the latter contains a choice, the two systems cannot be distinguished by their behaviour. In both cases, the only allowed action is ab!x and then ab?x.
Formally, two transition systems A 1 , A 2 are bisimilar, written A 1 ∼ A 2 , if there exists a bisimulation relation R between the states of A 1 and A 2 which relates their initial states [31]. The relation R is a bisimulation relation if, for every pair of states ⟨p, q⟩ ∈ R: If p ℓ − → p ′ then q ℓ − → q ′ and ⟨p ′ , q ′ ⟩ ∈ R for some q ′ , and vice-versa.
In other words: if one of the two can perform a step, then the other can perform a matching step such that the resulting states are again in the bisimulation relation. This is also the approach we follow when proving that c ∼ c for all (dependently guarded) choreographies c: we define a relation R = {⟨c, c ⟩ | c is a dependently guarded choreography} relating all dependently guarded choreographies with their interpretation as BP by the rules in Figure 12. We then show that: If c↓ then c ↓ (Theorem 44).
Together these lemmas prove that c ∼ c for all dependently guarded c To prove these specific cases we need to show a correspondence between partial termination and enabling events. We do this with Theorem 41, in which we show two directions simultaneously. If the choreography c 1 can partially terminate for an action ℓ in c 2 then the BP c 1 ; c 2 can enable the corresponding event. Conversely, if c 1 ; c 2 can enable some event in c 2 then the choreography c 1 can partially terminate for its label. When proving these cases in Theorems 42 and 43, we then only have to show that the preconditions of Theorem 41 hold.
In the following, a number of technical lemmas and most of the proofs are omitted in favour of informal proof sketches or highlights. The omitted proofs and technical lemmas for this section can be found in the technical report of our ICE 2022 paper [32].
Proof sketch. This proof is by structural induction on c 1 . Although the details require careful consideration, it is conceptually straightforward: every case in (a) consists of showing that e is minimal and active in c ′ 1 ; R ′ 2 and that c ′ 1 ; R ′ 2 is the first refinement for which this is true, and then applying the second rule in Figure 3b If c↓ then R↓ (Theorem 44).
Then R is a bisimulation relation and c ∼ c ( [31]).

Realisability
In this section we formally define the realisability property for BPs representing choreographies. For our analysis, we draw inspiration from multiparty session types (MPST) [3]. Through its syntax and projection operator, MPST defines a number of well-formedness conditions on global types which ensure realisability. We define similar well-formedness conditions on BPs and prove that they ensure realisability as well. These conditions are sufficient but not necessary, i.e., a protocol may be realisable without being well-formed. We discuss some possible relaxations of the conditions at the end of the paper.
As in the previous section, we omit a number of technical lemmas and most of the proofs in favour of informal proof sketches or highlights. The omitted proofs and lemmas for this section can be found in the technical report of our FACS 2022 paper [33].

Realisability of BPs
We model distributed implementations as compositions of a collection of local BPs ⃗ R and ordered buffers (FIFO queues) ⃗ b containing the messages in transit (sent but not yet received) between directed pairs of agents (or channels), similar to communicating finite-state machines [34]. The local BPs only contain actions for a single agent; there should be one local BP for each agent and one buffer for each channel.
Composition is formally defined below. We use three auxiliary functions: add (ab!x, ⃗ b) returns ⃗ b with x added to b ab , remove(ab!x, ⃗ b) returns ⃗ b with x removed from b ab and has(ab!x, ⃗ b) returns whether x is pending in b ab . Since we consider ordered buffers, add appends message types to the end of the corresponding queue, remove removes message types from the front, and has only checks whether the first message matches.
We note that our termination condition does not require the buffers to be empty. In practice asynchronous communication channels will typically have some latency, and requiring empty buffers would require processes (the local BPs) to be aware of messages in transit. Instead, in our model the presence or absence of orphan messages (messages unreceived on termination) is a separate property from realisability, to be verified in isolation. It does, however, follow from our well-formedness conditions in Section 5.2 that a well-formed and realisable protocol is also free of orphan messages.

Definition 47 (Composition). Let ⃗
R be an agent-indexed vector of local BPs. Let ⃗ b be a channel-indexed vector of ordered buffers. Their composition is the tuple ⟨ ⃗ R, ⃗ b⟩, whose semantics is defined as the labeled transition system defined by the rules below.
A protocol is realisable if there exists a faithful distributed implementation of it, i.e., one defining the same behaviour. We formally define realisability below. We note that it is typically defined in terms of language (trace) equivalence [13]. However, as the exact branching of choices plays an important part in BPs, we use a more strict notion of equivalence and require the global BP and the composition to be bisimilar [31], as in Section 4. We note that our well-formedness conditions enforce a deterministic setting, in which bisimilarity agrees with language equivalence. We then choose to prove bisimilarity rather than language equivalence because the proofs are typically more straightforward.
Recall from Section 4 that two BPs R 1 , R 2 are bisimilar, written R 1 ∼ R 2 , if, for every reduction R 1 1 and R ′ 2 are again bisimilar, and vice-versa. Additionally, we require that two bisimilar BPs R 1 , R 2 can terminate iff the other can do so as well.
Definition 48 (Realisability). Let R be a BP. The protocol it represents is realisable if there exists a composition ⟨ ⃗ R, ⃗ b⟩ such that b ab is empty for all ab and R ∼ ⟨ ⃗ R, ⃗ b⟩.
Example 49. Consider the BPs in Figure 14: R f is unrealisable. Alice and Bob both have to send a yes or a no to the other but the two messages must be the same. It is impossible without further synchronisation or communication to prevent a scenario in which one will send a different message than the other.
R g is realisable. Alice first sends an int and then a bool to Bob. After receiving the int, Bob returns either a yes or a no.
R h is unrealisable. Alice sends an int and a bool to Bob, but while they agree that Alice first sends the int and then the bool, the order in which Bob receives the message is unspecified. As we assume ordered buffers, Bob will first receive the int, but the global BP allows an execution in which Bob first receives the bool.
R i is realisable. Alice sends a yes or a no to Bob, followed by an int.
The second stage of the review protocol in Figure 2 is realisable as well. Each choice is resolved by a single agent, and there is no way for the other (relevant) agents to confuse the different branches, nor is there an ordering issue such as for R h .
We note that it is easy to go from a global BP R to a local BP for some agent a by projecting it on a, written R⇂ a . We will use projections in our well-formedness conditions and realisability proof, and we formally define them below. The projection R⇂ a restricts R to the events whose subject is a, and restricts ⪯ and λ accordingly. The branching structure is pruned by removing all discarded events (leaves), but no inner nodes of the tree are removed, even if they are left without any children. This is done to safeguard the symmetry with the branching structure of R to ease our proofs.
Definition 50 (Projection). ⟨E, ⪯, λ, B⟩⇂ a = ⟨E a , ⪯ a , λ a , B a ⟩ where: As an example, Figure 15 shows the projections of the BP for the second stage of the review protocol in Figure 2 on Carol and Alice. The projection on Bob is analogous to that on Alice. The events with different subjects are removed, as are dependencies involving them. We note that, as the graphical representation of a BP shows the transitive reduction of the causality relation and not the full relation, it is unclear from just Figure 2 whether, for example, the projection on Carol should contain dependencies between ca!r and respectively ac?y and ac?n. This is unambiguous in the formal textual definition of this example, which we omitted but which also relates these events.  Finally, we prove that R and its projections can mirror each other's refinements. Both proofs are straightforward by induction on the structure of the premise's derivation tree.

Well-formedness
We define four well-formedness conditions (Theorem 58): to be wellformed, a BP must be well-branched, well-channeled, tree-like and choreographic. Well-branchedness, well-channeledness and tree-likeness are inspired by MPST [3] and ensure some safety properties. Choreographicness ensures that the BP represents some sort of meaningful protocol.
Well-branched (Theorem 54): every choice is made only on the label of a send-receive pair, i.e., the first events in every branch must be a send and receive between some agents a and b, with the message type being different in every branch. Additionally, the projection on every agent uninvolved in the choice must be the same in every branch. Then a and b are both aware of the chosen branch and all other agents are unaffected by the choice. Although the BP model only contains binary choices, an n-ary choice C can be encoded as a nested binary one, where the n children of C become the leaves of a binary tree. We call such a leaf B an option of C, written B opt C, which is formally defined below. This allows us to properly interpret C as an n-ary choice again and reason about it accordingly.
Well-channeled (Theorem 55): pairs of sends and pairs of receives on the same channel that can occur in the same execution should be ordered, and the pairs of sends should have the same order as the pairs of their corresponding receives. A BP which is not well-channeled could, for example, yield a trace ab!x ; ab!y ; ab?y ; ab?x, which cannot be reproduced by a composition using ordered buffers.
Tree-like (Theorem 56): events inside of choices can only affect future events in the same branch. Graphically speaking, arrows can only enter boxes, not leave them. As a consequence, the causality relation ⪯ follows the branching structure B and has a tree-like shape -hence the name.
Choreographic (Theorem 57): the BP represents a choreography of some sort, i.e., a communication protocol in which the send and receive events are properly paired and all dependencies can be logically derived. Specifically, all dependencies are between send-receive pairs or between same-subject events, or they can be transitively derived from those. Additionally, there is the following correspondence between the send and receive events: every send can be matched to exactly one corresponding receive, and every non-top-level receive has some corresponding send at the same level of the branching structure B. This definition is similar to the definition of well-formedness by Guanciale and Tuosto [13].
Definition 54 (Well-branched). A BP R is well-branched if, for every C R.B there exist participants a, b such that for every B i ̸ = B j opt C there exist events e i1 , e i2 ∈ B i and e j1 , e j2 ∈ B j such that: λ(e i1 ) = ab!x, λ(e i2 ) = ab?x, λ(e j1 ) = ab!y and λ(e j2 ) = ab?y for some x ̸ = y; e i1 ⪯ e i for all e i B i and e j1 ⪯ e j for all e j B j ; e i2 ⪯ e i for all e i B i for which subj (e i ) = b and e j2 ⪯ e j for all e j B j for which subj (e j ) = b; and Definition 55 (Well-channeled). A BP R is well-channeled if, for all events e 1 , e 2 , e 3 , e 4 ∈ R.E: If e 1 and e 2 are either both sends or both receive events, and if they share the same channel, then they are either causally ordered or mutually exclusive.
If e 1 , e 3 and e 2 , e 4 are two pairs of matching send-receive events sharing the same channel, and if there exists no e 5 ∈ R.E such that e 1 ≺ e 5 ≺ e 3 or e 2 ≺ e 5 ≺ e 4 , then e 1 ⪯ e 2 =⇒ e 3 ⪯ e 4 .
If λ(e) = ab?x and e ∈ B for some B R.B then there exists some e ′ such that e ′ ∈ B and λ(e ′ ) = ab!x and e ′ ≺ e.
Definition 58 (Well-formed). A BP R is well-formed if it is well-branched, well-channeled, tree-like and choreographic.
Example 59. Recall the BPs in Figure 14: R f is not well-formed since it is not well-branched: for example, the branches of the choice have multiple minimal events. It is indeed unrealisable.
R g is both well-formed and realisable.
R h is not well-formed since it is not well-channeled: the two receive events are on the same channel but are unordered. It is indeed unrealisable.
R i is not well-formed since it is not tree-like: there are arrows from events inside branches of a choice to ab!int and ab?int, even though the latter are not part of the same branch. It is, however, realisable: by duplicating the events ab!int and ab?int and moving one copy inside each branch, we obtain an equivalent BP which is well-formed. This illustrates that, while we later prove that our well-formedness conditions are sufficient, they are not necessary.
The BP for the second stage of the review protocol in Figure 2 is not well-formed either. Specifically, it is not tree-like and it is not well-branched. An equivalent tree-like BP can be obtained by duplicating events as for R i . However, it is not possible to obtain an equivalent well-branched BP with our current definition.
Finally, we show that well-formedness is retained after a reduction.
Lemma 60. Let R be a BP and let R ℓ − → R ′ . If R is well-formed then so is R ′ .
Proof sketch. We use that the components of R ′ are subsets of, or derived from (in the case of the branching structure), the components of R. It then follows that a violation of one of the properties in R ′ would also invariably lead to a violation of one of the properties in R.

Realisability proof
To prove that R's protocol is realisable, we have to show the existence of a bisimilar composition of local BPs and buffers. To do this, we define a canonical decomposition of R by combining our previously defined projections with a buffer construction, and we prove that this canonical decomposition is bisimilar to R. The (re)construction of the buffer contents of channel ab based on R, written buff ab (R), and the canonical decomposition of R, written cd (R), are defined below.
The buffer construction buff ab (R) gathers the receive events in R that have no preceding matching send event. We infer that, since the send has already been fired and the receive has not, the message must be in transit.
Definition 61 (Buffer construction). Let R be a BP. Let a and b be agents in R. Let ε be the empty word. The corresponding message types are nondeterministically put in some order that respects the order of the gathered receive events -if e 1 ≺ e 2 then e 1 's message type must precede that of e 2 in the constructed buffer. We note that all unmatched receive events are top-level if R is choreographic, and that the same-channel top-level receive events are totally ordered if R is well-channeled. It follows that, although it may add duplicate messages and is nondeterministic in the general case, buff ab (R) does not add duplicate messages and is deterministic if R is well-formed.
Definition 62 (Canonical decomposition). Let R be a BP. Let ⃗ R be such that R a = R⇂ a for all a. Let ⃗ b be such that b ab = buff ab (R) for all ab. Then cd (R) = ⟨ ⃗ R, ⃗ b⟩ is the canonical decomposition of R.
To prove that a well-formed R is bisimilar to cd (R), we define the relation R = {⟨R, ⟨ ⃗ R † , ⃗ b⟩⟩ | ⟨ ⃗ R † , ⃗ b⟩ ∼ ⟨ ⃗ R, ⃗ b⟩ = cd (R)} and we prove that R is a bisimulation relation (Theorem 70). Note that the vector of buffers ⃗ b is the same across the definition; we only allow leeway in the vector of local BPs. The proof consists of the two parts mentioned at the start of this section. Given that ⟨R, ⟨ ⃗ R † , ⃗ b⟩⟩ ∈ R, if one can make some reduction then the other must be able to make the same reduction such that the resulting configurations are again related by R (Theorem 66, Theorem 67). Additionally, if one can terminate then so should the other (Theorem 68, Theorem 69).
The reason that R is not simply the set of all ⟨R, cd (R)⟩ is that a reduction from cd (R) may not always result in cd (R ′ ) for some R ′ . This is because choices are only resolved in the BP of the agent causing the reduction. For example, consider BP R i in Figure 14. Upon Alice sending yes the global BP would resolve the choice for both agents simultaneously. However, upon Alice sending yes in the canonical decomposition the projection on Bob remains unchanged and still contains receive events for both yes and no. Since yes has been added to the buffer from Alice to Bob, we know that Bob will eventually have to pick the branch containing yes -after all, there is no no to receive. In other words: this configuration is bisimilar to the canonical decomposition of the resulting global BP, in which the choice has also been resolved for Bob. If there were also some additional no being sent from Alice to Bob, e.g., if we replace the messages int in R i with no, then R i being wellchanneled and the buffers being ordered would still ensure that we can safely resolve Bob's choice. This crucial insight is formally proven in Theorem 63.
Proof sketch. If ℓ = ba?x for some b, x then it follows from the well-formedness of R that R ′ = R − e and the remainder is straightforward. The same is true if ℓ = ab!x and e is top-level, i.e., e ∈ R.B.
Otherwise it follows from the well-formedness of R that e is a minimal send event in one of the options of a top-level choice, i.e., e ∈ B opt C ∈ R.B for some B, C, and R ′ = R| (R.B\C)∪(B−e) . We proceed to show that the set of unmatched receive events in R ′ is exactly that of R with the addition of the one corresponding to e, and then ⃗ b ′ = add (ab!x, For the projections, we proceed in two steps: First we observe that, since R is well-branched, B ′ ⇂ c = B⇂ c for all B ′ opt C and for all c ̸ = a, b. It follows that R⇂ c ∼ R ′ ⇂ c , and then ⟨ ⃗ Note that the projection on a is R ′ ⇂ a and the projection on b is R⇂ b on both sides, and the projection on every other c is bisimilar.
Next we show that, with the new message added to the buffer, no event can ever fire in R⇂ b in any other option of C than B. It follows that we can discard all other options, and then ⟨ ⃗ To satisfy the preconditions of Theorem 63, we additionally prove that R's reductions can be mirrored by its projection on the reduction label's subject (Theorem 64) and dually that the reductions of R's canonical decomposition can be mirrored by R (Theorem 65). Their proofs rely on the observations that the corresponding event e must be minimal both in R and in R⇂ a , and that the branching structures of the two are the same (modulo discarded leaves). It then follows that the same refinement enables e in both R and R⇂ a .
Lemma 65. Let R be a well-channeled, tree-like and choreographic BP.
Finally, we bring everything together and prove the four necessary steps for bisimulation in the lemmas below, culminating in Theorem 70. The proof for Theorem 66 uses Theorem 64 to show the preconditions of Theorem 63 and then applies the latter. This gives us cd (R) the result is then straightforward. The proof for Theorem 67 is analogous but uses Theorem 65. The proofs for Theorem 68 and Theorem 69 respectively use Theorem 51 and Theorem 52 to show that, if one can terminate by refining to the empty set, then so must the other.
Theorem 70. Let R be a BP. If R is well-formed and buff ab (R) = ε for all ab then the protocol represented by R is realisable.
Proof. It follows from Theorem 66, Theorem 67, Theorem 68 and Theorem 69 that R is a bisimulation relation [31]. Specifically, it then follows that R ∼ cd (R). Then, since buff ab (R) = ε for all ab, by Theorem 48 the protocol represented by R is realisable.
Choice b 1 s!string b 1 s?string

Examples
Finally, we briefly look at two example protocols used by Honda et al. [3]. Both are depicted as BPs in Figure 16.
The two-buyers-protocol (top) features Buyer 1 and Buyer 2 (b 1 , b 2 ) who wish to jointly buy a book from Seller (s). Buyer 1 first sends the title of the book (string) to Seller, Seller sends its quote (int) to both Buyer 1 and Buyer 2, and Buyer 1 sends Buyer 2 the amount they can contribute (int). Buyer 2 then notifies Seller whether they accept (ok) or reject (quit) the quote. If they accept, they also send their address (string), and Seller returns a delivery date (date).
The simple streaming protocol (bottom) features Data Producer (d) and Key Producer (k), who continuously respectively send data and keys (both bool) to Kernel (r). Kernel performs some computation and sends the result (bool) to Consumer (c). The protocol in Figure 16 shows two iterations of this process.
Both BPs are well-formed, and hence the protocols are realisable. We note that, as in the paper by Honda et al., further communication between Buyers 1 and 2 has been omitted in the two-buyers-protocol. Since this is bound to be different in the case of acceptance and rejection, the resulting BP would not be well-branched and thus not well-formed -though still realisable. We discuss relaxed well-branchedness conditions in Section 7. Also note that the ok and address (string) messages are sent sequentially; sending these in par-allel would violate well-channeledness and make the protocol unrealisable with ordered buffers. The same is true for the streaming protocol: the two iterations are composed sequentially and doing so concurrently would violate well-channeledness and result in unrealisability. The size of the BP for the streaming protocol scales linearly with the number of depicted iterations; showing all (infinitely many) iterations would require an infinitely large BP. We briefly touch upon infinity in Section 8.

Tool: B-Pomset Encoder
We developed a companion tool to simulate BPs and analyse their applications to choreographies. The tool is open-source (https://github.com/ arcalab/choreo/tree/b-pomset), developed in Scala and compiled into Java-Script (JS). A snapshot of a compiled JS can be executed from an internet browser at http://lmf.di.uminho.pt/b-pomset/.
The tool fulfils 3 main objectives: (1) internal validation, providing the authors early insights over alternative notions of well-formedness, (2) dissemination, to better explain the propose analysis using an interactive environment, and (3) algorithmic insights of well-formedness (cf. Section 5.2), by transforming the declarative definitions into concrete algorithms and identifying possible bottlenecks. This section focuses on the last two objectives, i.e., on how to use the online tool, and on how to calculate well-formedness.

Using the B-Pomset Encoder
A screenshot of our analyser of BPs can be found in Figure 17. The tool displays a collection of widgets, including the "Choreography" widget with an editor where the user describes the BP to be analysed. Each widget can be expanded or collapsed by clicking on the widget title; e.g., in the screenshot the widget "Choreography" is expanded and the widget "Global LTS" is collapsed. Clicking the refresh button at the top-right of the "Choreography" widget (or pressing shift-enter) updates all expanded widgets.
BPs are described using choreographies (Section 4), and are visualised in widget "Global B-Pomset" after being encoded. Since some BPs cannot be described by choreographies, one can also write actions explicitly (e.g., "a!b:x" represents the action ab!x) and can extend the causality relation (e.g., "[1->3]" denotes that the 1 st event must precede the 3 rd event), where 1 and 3 are the event identifiers depicted in the BP diagram. The BP R i in Figure 14 can be written both as "(a->b:yes + a->b:no) ; a->b:int" and as The remaining widgets provide different analyses, including the following: "Global B-Pomset" draws the encoded BP from "Choreography"; "B-Pomset Semantics" allows a step-by-step exploration of the reduction semantics of an encoded BP (Figure 3), drawing the intermediate BPs; "Choreo Semantics (...)" allows a step-by-step exploration of the reduction semantics of the provided choreography ( Figure 10); "Well-formed" checks if the BP is well-formed; it states for each wellformedness property whether it holds and gives a counterexample when it does not; "Realisability via bisimulation" searches for a bisimulation between the global LTS and the composition of all local LTSs (Theorem 47); this acts as our ground truth for realisability (Theorem 48), but it is often infeasible due to state explosion; "Local B-Pomset" draws the projections of the BP to each agent; "Global LTS" and "Local LTS" draw state machines using the semantics of BPs (Figure 3) applied to the global and to the projected BPs, respectively (bounding the number of states to a maximum value); "Sequence Diagram (...)" draws a sequence diagram representing the choreography (ignoring the extended causality arrows used to produce non-choreographic BPs).
Remark (loops). Our implementation targets only finite BPs. Hence choreographies with loops are not covered by our analysis. However, the current version includes experiments with loops. I.e., some analyses will produce some results for BPs with special branches marked as loops. The theory for this extension is still under investigation and not documented in this paper.

Realising well-formedness
The (open) source code of our implementation of well-formedness can be found on GitHub. 11 This implementation realises the declarative definitions of each of the four sub-properties of well-formedness (Theorem 58).
Our implementation provides some insights regarding the complexity of verifying these four sub-properties. Recall that analysing realisability, as defined in Theorem 48, requires traversing the full state-space of our semantics, which explodes exponentially in the presence of concurrent events. Our implementation avoids expanding the full state-space by combining multiple traversals over the BP graph structure. Below we sketch the implementation of each of these four sub-properties, providing evidences that it is less complex than traversing all states.
Well-branched. (Theorem 54) Our tool finds every choice with branches B 1 and B 2 . It proceeds by: (1) recursively checking if both branches are well-branched, (2) finding all leaders in each branch, i.e., events with no predecessor in the same branch (3) collecting sending and receiving agents involved, and (4) verifying that only 1 leading sender and receiver is found (i.e., agents involved in events with no predecessors in the branch), that they are the same in both branches, and that they have different messages. Furthermore, (5) each of these branches is projected to all remaining agents, and (6) corresponding projections from both branches are compared using graph isomorphism. 12 The causality relation is modelled as hash-map from events to their predecessors (not being minimal nor transitive closed). Most operations are linear on the number of events, whereas the most complex operations are projecting both branches to all agents that are not in the leading events (5), and check if each projection is isomorphic to its neighbour branch (6).
Well-channelled (Theorem 55) Our tool starts by collecting, for each pair of agents a and b, the sets of channels EM ! ab and EM ? ab , each consisting of events and messages (e, m) sent by a and received by b, respectively. It then proceeds in two parts.
Firstly, for every distinct pair (e 1 , m 1 ), (e 2 , m 2 ) ∈ EM ! ab , it checks if e 1 and e 2 are either related (e 1 ⪯ e 2 or e 2 ⪯ e 1 ) or are exclusive (in opposing branches of a choice). It also performs the same check for EM ? ab . Secondly, for each set EM ? ab , it collects every event e paired with a direct predecessor e ′ , and for every distinct pair (e ′ 1 , e 1 ) and (e ′ 2 , e 2 ) from this set it checks if e 1 ⪯ e 2 ⇒ e ′ 1 ⪯ e ′ 2 . In these calculations, checking e ⪯ e ′ requires traversing the predecessor graph from e ′ until it finds e, and the direct predecessor relation is computed once by discarding redundant arcs in the predecessor relation. A worst case scenario is when the same channel appears in many places, leading to large EM ! ab and EM ? ab sets. In turn, this would be a best case scenario to check well-branchedness, where fewer projections and graph isomorphisms checks would be needed.
Tree-like (Theorem 56) Our tool starts by computing the successor relation by inverting the predecessor relation. It then checks, for every branch B of every choice if the set of all successors of its events includes elements outside that branch.
Choreographic (Theorem 57) Our tool pre-computes the successor relation (inverting the predecessor one), and for every event e proceeds in three parts.
Firstly, it traverses the predecessor until it finds, in every branch of this traversal, either (1) an event labelled by a sending action that matches the action of e, or (2) an event with the same subject.
Secondly, when e is labelled by some ab?m and is inside a branch of a choice, it checks if any of the neighbour events in the same branch (not further nested) is also a predecessor and labelled by a matching ab!m.
Thirdly, when e is labelled by some ab!m, it uses the successor relation to traverse all its successors. When finding an event with a matching ab?m our tool collects it paired with the set of events ab!m passed by during the traversal. It then checks if exactly one of these pairs has exactly e as its only predecessor.
This informal explanation provides an overview of the set of traversals over the BP graph required to verify the four conditions that guarantee wellformedness. It also highlights the compactness of the formal definitions with respect to their realisation. Intuitively, we expect our implementation to have polynomial (time) complexity, corresponding to situations where, for every event, we need to reason over its neighbours in a branch or its predecessors (as in the choreographic check). Furthermore, checking if a BP is well-channelled, when all its N events are labelled by sending actions ab!m i over the same agents and different messages m i , would require comparing all pairs of messages (complexity O(N 2 )). Each of these comparisons could further require traversing the predecessor relation, which in the worst case could mean traversing the N events. In any of these scenarios, the complexity is well below the exponential complexity required to analyse realisability via bisimilarity, and can be validated by experimenting with the online tool.

Performance evaluation
We executed most examples mentioned in this paper with our tool and measured the time to compute well-formedness and realisability (via bisimulations). We used the same source code, but compiled to and executed from a Java Virtual Machine, instead of using JavaScript. The results are presented in Table 2, using the abbreviations WC (well-channeled), WB (wellbranched), TL (tree-like), and CH (choreographic). Each measurement was repeated ten times -we write a ± δ to capture both the average a and the greatest deviation δ. The ratio in the last column divides the time to check well-formedness by the time to check realisability.
The experiments presented here do not aim at exploring corner cases regarding best-and worst-scenarios for well-formedness. Instead, the goal is to illustrate that checking well-formedness does not suffer the same state explosion problem as a search for a bisimulation over the state-space.
Based on the results in Table 2, we draw three main conclusions.
ing well-formedness is one order of magnitude faster than checking bisimulation-based realisability (ratio between 10%-100%), two orders (1%-10%), or even three orders (0.1%-1%). Furthermore, we note that the speedup of checking well-formedness tends to be larger in cases where checking realisability is relatively expensive (i.e., relatively high values in the "Realisable" column). This suggests that checking wellformedness scales better than checking realisability.

2.
In three examples, the check for well-formedness was negative, while the check for realisability was positive (c strict snd , c lenient snd , and R i ). This demonstrates that well-formedness is a sound, but incomplete, condition that conservatively approximates realisability. An important piece of future work is to make well-formedness more liberal.
3. Regarding the sub-conditions of well-formedness, checking tree-likeness tends to be the cheapest among the four. Neither one of the three other sub-conditions clearly stands out as being the most expensive one; it tends to depend on the structure of the branching pomset under consideration.
We note that we consider these experimental results preliminary; a more extensive practical evaluation is needed to better understand, e.g., the performance of our approach in corner cases. However, we do believe that Table 2 already gives an encouraging general impression.

Related work
Pomsets. Pomsets were initially introduced by Pratt [18] for concurrent models and have been widely used, e.g., in the context of message sequence charts by Katoen and Lambert [29]. Recently Guanciale and Tuosto proposed two semantic frameworks for choreographies, one of which uses sets of pomsets [36]. They also note that the pomset framework exhibits exponential growth in the number of choices in a choreography, and they propose an alternative semantic framework using hypergraphs, which can compactly represent choices. While the hypergraph framework is more compact, their pomset framework is simpler and, they believe, more elegant. We agree with this analysis, and we aim to preserve the simplicity and elegance of the pomset framework by proposing a framework that avoids exponential growth in the number of choices while still being based on pomsets.
Event structures. Section 3 gives a detailed formal comparison of the expressive power of BPs and several classes of ESs from the literature. Event structures (ESs) (resp. labelled ESs) were introduced as a generalisation of posets (resp. pomsets). The main difference is in the added choice mechanism: ESs use a conflict relation to forbid certain pairs of actions of occurring in the same execution, while BPs use an explicit branching structure. Generally speaking, the choice mechanisms of ESs are more expressive than BPs' branching structure, but the latter's refinement semantics raise its expressiveness in orthogonal ways. As a result, BPs are incomparable with the most common classes of ESs and are only properly contained in some of the more expressive classes of dynamic event structures.
Choreographies. Choreographies are typically used in a top-down workflow: the developer writes a global view C and decomposes it into its projections, such that the behaviour of C is behaviourally equivalent to the parallel composition of its projections. Examples of this approach include workflows based on message sequence charts [1,2], multiparty session types [3,4], and choreographic programs [5,6]. The choreographic language used in this paper assumes asynchronous communication between agents and includes a finite loop operator, borrowing from this literature the same notion of interactions as syntactic atoms and their (parallel, sequential, and choice) composition.
Realisability. Realisability has been well-studied in the last two decades in a variety of settings. For example, Alur et al. study the realisability of message sequence charts [37]. They define the notions of weak and safe realisability of languages, the latter also ensuring deadlock-freedom, and they define closure conditions on languages which they show to precisely capture weakly and safely realisable languages. Lohmann and Wolf define the notion of distributed realisability, where a protocol is distributedly realisable if there exists a set of compositions such that every composition covers a subset of the protocol and the entire protocol is covered by their union [8]. Fu et al. [7], Basu et al. [9], Finkel and Lozes [38] and Schewe et al. [10] all study the realisability of protocols on different network configurations when considering only the sending behaviour -receive events are omitted -showing necessary and/or sufficient conditions and decidability results.
Realisability of pomsets. One major source of inspiration for our work has been the recent work by Guanciale and Tuosto, in which they presented a realisability analysis based on sets of pomsets [13]. They show how to capture the language closure conditions of Alur et al. [37] directly on pomsets, without having to explicitly compute their language. Typically choreography languages are limited in their expressiveness and any analysis on their realisability is then language-dependent. Both Alur et al. and Guanciale and Tuosto perform a syntax-oblivious analysis, which has the benefit of being applicable to any specification which can be encoded as a set of pomsets, regardless of the specification language. The analysis by Guanciale and Tuosto is at a higher level of abstraction than sets of traces. This allows both for a more efficient analysis and for easier identification of design errors, as these can be identified in a more abstract model.
Our approach is similarly syntax-oblivious, though the analysis itself is based on multiparty session types. A major technical difference is that Guanciale and Tuosto use unordered buffers (e.g., non-FIFO queues) while ours are ordered. For example, the parallel composition of a b:x and a b:y is realisable in the unordered setting and not in the ordered one. The two settings agree on realisability when the two message types are the same (e.g., two concurrent copies of a b:x); while Guanciale and Tuosto explicitly note that they support concurrently repeated actions, however, our current wellchanneledness condition does not make an exception for these. This is an obvious target for relaxation of our conditions.
Further inspiration for relaxation of well-formedness conditions can be found in an earlier paper by the same authors [36]. In particular their definition of well-branchedness, using 'active' and 'passive' agents, could serve as a basis for a relaxed version of our own.
A meaningful in-depth comparison between the pomset-based approach by Guanciale and Tuosto [13] and ours, both in terms of expressiveness and efficiency, would first require further development (relaxation) of our conditions and is therefore left for future work. In the meantime, one takeaway from their paper is the performance gain they obtain by lifting the analysis from languages (sets of traces) to a higher level of abstraction, i.e., sets of pomsets. Our hope is that a further performance gain can be obtained by lifting the analysis from sets of pomsets to an even higher level of abstraction (e.g., branching pomsets).
Multiparty session types. The other major source of inspiration for our work is multiparty session types (MPST), introduced by Honda et al. [3]. Specifically: Our well-branchedness condition corresponds to the branching syntax of global types in MPST and its definition of projection. Branching in MPST is done on the label of a single message, and the projection on agents uninvolved in the choice is only defined if it is the same in every branch.
Our well-channeledness condition corresponds to the principle that same-channeled actions should be ordered. We note that our condition is more liberal: we prohibit concurrent sends or receives on the same channel, while in MPST the projection of a parallel composition on an agent is undefined if the agent occurs in both parallel branches (even if those branches' channels are disjoint).
Our tree-likeness condition follows from the syntax of global types in MPST, which uses a prefix operator rather than a more general sequential composition. As a consequence all global types are tree-like. The same is true for other languages that use a prefix operator and not sequential composition, such as CCS [39] and π-calculus [40].
Since its introduction, various papers have addressed the conservativeness of the well-branchedness condition in MPST. One line of research relaxes the condition by using a merge operation to allow all agents to have different behaviour in different branches, as long as they are timely informed of the choice [41,42,43]. Another line relaxes the condition by allowing different branches to start with different receivers, rather than enforcing the same receiver in every branch [12,44,45,46,47]. These results may also serve as inspiration for relaxations of the well-branchedness condition on branching pomsets.
While our current conditions broadly correspond with well-formedness in MPST, we believe that our approach offers three advantages. First, as discussed before, it is syntax-oblivious, meaning it is not only applicable to MPST but to any specification which can be encoded as a branching pomset. Second, we believe that branching pomsets have the potential to be more expressive than global types in MPST. As mentioned above, our well-channeledness condition is already more liberal than the one in MPST. We have described various sources of possible relaxations for our well-branchedness condition, both in the MPST and in the pomset literature. Lastly, we conjecture that our tree-likeness condition is needed to simplify our proofs, and that it is possible -though more complex -to prove realisability without it (or at least with a relaxed version of it).

Conclusion
In this section we briefly summarise the paper and discuss (1) possible improvements on BPs in general, (2) ideas for future work on event structures, (3) relaxations of our well-formedness conditions on BPs for choreographies, (4) and ideas for future work on the tool.

Summary
In Section 2 we have defined a new model for communication protocols, branching pomsets (Theorem 3), which can compactly represent both concurrency and choices, and have defined its semantics ( Figure 3).
In Section 3 we have compared the expressive power of BPs with several classes of event structures from the literature. Figure 7 summarises our findings: we have shown that BPs are incomparable with prime ESs, with extended bundle ESs and with growing and shrinking causality ESs; we conjecture that BPs describe proper subsets of a variant of dynamic causality ESs; we prove their inclusion in ESs for resolvable conflict.
In Section 4 we have defined a choreographic language and its operational semantics (Figures 9 and 10) using the weak sequential composition and partial termination of Rensink and Wehrheim [30], which is novel in the context of choreographies. We have shown that we can use BPs to model choreographies ( Figure 12) and that this model is behaviourally equivalent (bisimilar) to the operational semantics (Theorem 46).
In Section 5 we have defined well-formedness conditions on BPs for choreographies (Theorem 58) and have proven that a well-formed BP represents a realisable protocol (Theorem 70). Since these conditions are defined on BPs, they are generic: we can use them to reason about choreographies in the language defined in Section 4 and any other language that can be encoded in BPs, without having to develop a specific analysis for the language in question. Our conditions are sufficient but not necessary, we discuss possible relaxations later in this section.
In Section 6 we have presented our prototype tool and described the algorithms used to implement well-formedness. Our tool is compiled to JavaScript that can be executed by any recent internet browser; a screenshot can be found in Figure 17. For any given BP, our tool can verify well-formedness, apply the reduction rules, and verify realisability using bisimulation, among other analysis.
8.2. Discussion regarding branching pomsets n-ary choices. Our branching structures only supports n-ary choices as a derived concept, through nested binary choices. This matches the structure of choreographies, but it would be more natural to represent c 1 + (c 2 + c 3 ) as a single choice between the pomsets c 1 , c 2 and c 3 instead of as two nested binary choices. However, supporting arbitrary n-ary choices also requires some thought about how to change the rules for refinement (Figure 3a), in particular Choice. A naive change would be to simply have this rule use i ∈ {1, . . . , n} and {{B 1 , . . . , B n }} instead of its current binary rules, but this is not sufficient as this naive n-ary choice would not be equivalent to the same branches composed as nested binary choices. For example, c 1 + (c 2 + c 3 ) can partially terminate to c 1 + c 2 and its interpretation as a BP can refine to c 1 + c 2 , but a BP whose branching structure consists of a single ternary choice {{B 1 , B 2 , B 3 }} would not be able to refine to {{B 1 , B 2 }} as the rules would only allow it to either refine all of its branches or discard all but one of them. Properly supporting n-ary choices would thus also require a new rule that allows {{B 1 , . . . , B n }} to refine a choice between an arbitrary (non-empty) subset of its branches.
Partial order. In Theorem 3, ⪯ is defined as a relation on events such that its transitive closure is a partial order, rather than ⪯ being a partial order itself as ≤ is in traditional pomsets. This is necessary because two events may be either related or unrelated depending on the resolution of certain choices. For example, consider the BP R c in Figure 11. The events labelled ab!x and cd!x are related if the choice's upper branch is taken and unrelated otherwise. It should thus be possible to enable cd!x by discarding the choice's upper branch. In our current rules cd!x only has a direct dependency on bc?x and therefore discarding bc?x will make cd!x minimal. However, if ⪯ were a partial order, then cd!x would also have direct dependencies on ab!x, ab?x and bc!x and, since the first two events are not part of the choice, there would be no refinement that enables cd!x.
In general, if R 1 ⊒ R ′ 1 and R 2 ⊒ R ′ 2 then if ⪯ would be a partial order it would not necessarily be true that R 1 ; R 2 ⊒ R ′ 1 ; R ′ 2 : R 1 ; R 2 may contain dependencies obtained by transitivity which would still be present in the refinement but which cannot be derived in R ′ 1 ; R ′ 2 . Castellani and Zhang note the same property in the context of flow event structures [48].
Loops. In Figure 12 a loop c * is encoded by infinitely unfolding it. As such, BPs do not currently provide a finite representation of infinite choreographies. We envision three possible directions. One possibility would be to add an explicit repetition construct to the branching structure (e.g., change the second grammatical rule to C = e | {B 1 , B 2 } | B * ) and expand the semantics and proofs accordingly. Alternatively, a solution might be found in the extension from message sequence charts (MSCs) to MSC-graphs [1]. A similar extension could be developed for branching pomsets, where they are sequentially composed in a (possibly cyclic) graph. Finally, it may be possible to leverage the recently introduced pomset automata [49].

Discussion regarding event structures
Relation between BPs and ESs. Figure 7 shows the established inclusions and non-inclusions between BPs and ESs. Naturally, formally proving or disproving the inclusion of BPs in our variant of dynamic causality ESs (Theorem 35) would complete the picture. Another logical comparison to make would be with the original semantics of dynamic causality ESs, which are not covered in this paper. Additionally, it may be interesting to further study the difference in expressiveness between BPs and the classes of ESs. As demonstrated by Theorem 28, (prime) ESs can describe more complex choices than BPs. A way to close or overcome the gap would be to lift the requirement on a BP's branching structure that all events must occur in it exactly once, thus allowing overlapping boxes in the graphical representation. This would also require changes to the refinement rules. As the branching structure could then encode a (symmetric) conflict relation, this would invalidate Theorem 28. It is unclear precisely how it would affect the other relations.
Well-formedness for event structures. Because of the close relation between BPs and ESs, it is tempting to try to adapt our well-formedness conditions to the latter. We believe, however, that this is not straightforward. Our well-branchedness condition in particular reasons over choices and their branches, which poses a problem in two ways: (1) 'choices' in the sense of well-branchedness are only represented implicitly in ESs, which would require extracting them first, and (2) as stated before, ESs can describe more complex choices than BPs, which would require a different way of reasoning about them. A more promising approach might be to in some way apply the notion of 'active' and 'passive' agents in the well-formedness conditions for pomsets by Guanciale and Tuosto [36] to ESs. Well-formedness of ESs is also discussed by Castellani et al. in a recent paper on ES semantics for multiparty sessions [15], where they also reference the conditions by Guanciale and Tuosto.

Discussion regarding well-formedness conditions
We have discussed several possible relaxations of well-branchedness in Section 7. We now discuss the other three conditions.
Well-channeledness. The BP R h in Figure 14 is not well-channeled since the events labelled with ab?int and ab?bool are unordered. It is unrealisable because a local system will force the int to be received before the bool while the global BP allows a different order. However, in this case one may take the view that the problem is not the local system being too strict, but rather the global BP being too liberal in an environment with ordered buffers: it should then in some way allow a user to specify just the two acceptable orderings without having to resort to adding a choice between the two and duplicating all events in the BP. Therefore, instead of changing the wellchanneledness condition, another avenue would be to change the reduction rules in for branching pomsets themselves ( Figure 3) and specifically adapt them to ordered buffers. This could be done in such a way that reducing R h by firing ab!int then automatically adds a dependency from ab?int to ab?bool. This might allow the well-channeledness condition to be significantly relaxed or to possibly be removed altogether.
Tree-likeness. Having the assumption of tree-likeness simplifies our proofs. It is our aim to eventually relax or even remove it and still prove realisability, but this will require a significantly more complex proof. We have noted in Section 7 that global types in MPST and expressions in, e.g., CCS and the π-calculus, are tree-like by default. Conceptually a non-tree-like BP could potentially be turned into an equivalent (i.e., bisimilar) tree-like one by distributing the offending events over the branches of the involved choice.
For example, consider the BP R i in Figure 14. By duplicating ab!int and ab?int and adding a copy of each with the relevant dependencies to each of the two branches of the choice, we obtain a bisimilar but now tree-like (and well-formed) BP. A more general scheme may be developed based on versions of the CCS expansion theorem [50,51]. However, regaining expressiveness at the cost of duplicating events effectively negates the benefits of using BPs in the first place.
Choreographicness. The choreographicness condition works well for BPs derived from choreographies, but could eventually be relaxed to also allow more general BPs. Choreographicness forces the two events in a send-receive pair to be siblings in the branching structure. For example, in BP R i in Figure 14 it would be disallowed to distribute ab!int over the choice while leaving ab?int outside, even though the resulting BP would be bisimilar to R i . 8.5. Future work regarding the tool BP variations. Choreographies with loops generate BPs with infinite events. Our current implementation includes some experimental support to represent loops symbolically, which we plan to further investigate. Other variations of BPs, e.g., with n-ary choices mentioned above, could also be added to the implementation.
Event Structures. Our future work includes possible encoding of BPs as dynamic causality ESs (Theorem 35) and as ESs for resolvable conflict (Theorem 36). These encodings can be also implemented and included in our prototype tool.
API generation. We have investigated how to generate APIs in Scala 3, which can verify compliance at compile time of an implementation with respect to a projected pomset [11]. We believe that this can be further explored in the context of BPs.