Joint team with LIX (Laboratoire d'Informatique de l'Ecole Polytechnique) and CNRS.

The research of the Comète team focuses on the theoretical foundations of distributed and mobile systems. The project follows two main directions: the study, implementation and applications of the probabilistic -calculus, a variant of the -calculus, and the use of higher-order functional programming languages for distributed applications, in particular in the context of peer-to-peer systems.

Our main field of application is large-scale Distributed Mobile Systems (DMS) of computing devices of varying character providing diverse services. In this context, it is a daunting technical and scientific challenge to develop reasoning techniques which allow us to build systems guaranteeing that processes and data move in a secure, highly distributed network of devices which may individually exhibit failures but together work as a reliable, dependable system.

Formal *Specification and Verification* is of great help for system building and reasoning. The issue is to formally verify whether a given system complies with a given specification, typically expressed as temporal/spatial logic formulas, process expressions, or automata.

*Model checking* prevails in today's verification techniques. However, model checking usually needs a *finite-state* representation of systems, while most DMS are inherently open: there is no bound on the number of resources/devices that can be part of a system. In other words, many DMS phenomena are best represented in models providing for unbounded or infinite systems. We consider the challenging problem of extending model checking techniques, possibly by combining them with deductive techniques, for the verification of DMS in *unbounded (or infinite)* scenarios.

*Fault tolerance* is a fundamental issue of DMS as they must often provide reliable services despite the occurrence of various types of failure. The use of specifications enriched with *stochastic* information and *probabilistic* reasoning provides a powerful mathematical tool for analyzing DMS that may exhibit failures. For example, stochastic information with probabilistic techniques can be used for specifying the rate at which faulty communication channels drop messages and for verifying message-delivery properties of the corresponding system. The probabilistic specification and verification of DMS is one of the goals of Comète.

The highly distributed and mobile nature of the systems under consideration makes them more accessible and hence more vulnerable. *Security* is therefore crucial for these systems. The specification and verification of security properties has until now mainly addressed finite-state, deterministic processes (or protocols). We believe that more attention needs to be paid to infinite-state and probabilistic frameworks for the faithful modeling of features such as *nonce generation*, *cryptographic attacks*, and an *open number of participants*. Such features are prominently present in the DMS we are interested in.

Our general goal is to provide rigorous theories and tools for the specification and verification of DMS. In particular, we shall deal with the following fundamental specific issues in the specification and verification of DMS: *Infinite (or Unbounded) Systems*, *Probabilistic Specifications* and *Specification and Verification of Security*. Our approach will involve the use of tools from Process Calculi, Constraint Technology and Probabilistic Methods. We shall introduce these tools before describing our project approach.

Calculi for expressing and formalizing the basic features of concurrent systems

Process calculi treat processes much like the -calculus treats computable functions. They provide a language in which the structure of *terms* represents the structure of processes together with an *operational semantics* to represent computational steps. For example, the term , which is built from P and Q with the *constructor* , represents the process that results from the parallel execution of those represented by P and Q. An operational semantics may dictate that if P can evolve into in a computational step then can also evolve into in a computational step.

An appealing feature of process calculi is their *algebraic* treatment of processes. The constructors are viewed as the *operators* of an algebraic theory whose equations and inequalities among terms relate process behavior. For instance, the construct can be viewed as a commutative operator, hence the equation states that the behavior of the two parallel compositions is the same. Because of this algebraic emphasis, these calculi are often referred to as *process algebras*.

Typically, the operational semantics of a process calculus interprets a process term by means of transitions (labeled or not) specifying its computational steps . A labeled transition specifies that P performs and then behaves as Q. The relations are defined according to the process calculus under consideration. In the next section we shall see those for the -calculus , which is perhaps the most prominent representative of calculi for mobile systems.

In the early 90's Milner, Parrow, and Walker proposed the -calculus , , a small paradigm for concurrency similar to CCS (the Calculus of Communicating Systems, ) but enriched with constructs to support the novel and powerful notion of link mobility. This proposal has had a tremendous impact on the community of Formal Methods for Concurrency, and stimulated or influenced research in other areas too, for instance Security (cf. the spi-calculus, ).

The -calculus, like CCS, models communication by handshaking, namely as a *synchronous* interaction of both partners (rules Com and Close). A few years after the introduction of the -calculus, Honda and Tokoro and, independently, Boudol , proposed a variant which models asynchronous communication instead. This variant has become known under the name of asynchronous -calculus ( _{a}-calculus for short).

The _{a}-calculus quickly became very popular, for several reasons:

it is an elegant model of asynchronous communication, more abstract and more symmetric than previously proposed calculi for asynchronous communication,

it has been ``faithfully'' implemented ,

it is simpler than the -calculus, because it has fewer constructs, and yet

it was believed to have the same expressive power as the -calculus. This equivalence was not formally proved, but there were several hints in this direction: Milner's encoding of the lambda calculus in the -calculus was re-done for _{a} , it was shown that output prefix can be simulated , , and input-guarded choice as well . Note that this justifies the more recent presentations of the _{a}-calculus, which include input-guarded choice as an explicit operator , .

It was not until some years later that the claim of equivalence was refuted: in it was shown that the -calculus is strictly more expressive than the _{a}-calculus, in the sense that it is not possible to encode the former into the latter in a *uniform* way while preserving a *reasonable* semantics. Uniform essentially means homomorphic with respect to the parallel and the renaming operators, and reasonable means sensitive to the capability of achieving success in all possible computations. This result is based on the fact that in the -calculus it is possible to define an algorithm for leader election in a symmetric network, while this cannot be done with the _{a}-calculus. In it was shown that the additional expressive power is due exactly to the mixed choice construct: choices with homogeneous guards (i.e. with input guards only, or output guards only) can be eliminated.

A consequence of the above results, however, is that the -calculus cannot be implemented deterministically

Logics for expressing and formalizing properties of concurrent systems

In Comète we are interested in verifying whether a given process satisfies certain properties. These properties are often expressed in some logical formalism.

A way of expressing process specifications is by using a process logic. One such logic is Hennessy-Milner modal logic. The discriminating power of this logic with respect to finite processes (i.e., recursion-free processes) coincides with strong bisimilarity (see ). That is, two finite processes are strongly bisimilar if and only if they satisfy the same formulas of Hennessy-Milner logic.

Hennessy-Milner logic can express local properties such as ``an action must happen next'' but it cannot express long-term properties such as ``an action eventually happens''. Properties of this kind, which fall into the category of *liveness properties* (expressing that ``something good eventually happens''), as well as *safety properties* (expressing that ``something bad never happens''), have been found to be useful for reasoning about concurrent systems. The modal logics attempting to capture properties of the kind above are often referred to as *temporal logics*.

Temporal logics were introduced into computer science by Pnueli and thereafter proven to be a good basis for specification as well as for (automatic and machine-assisted) reasoning about concurrent systems. Temporal logics can be classified into linear and branching time logics. In the *linear* case at each moment there is only one possible future whilst in the *branching* case at each moment time may split into alternative futures.

This research is carried out in cooperation with Björn Victor (Uppsala University), Vijay Saraswat (IBM, USA), and Stefan Dantchev (University of Durham, UK).

Constraints and process calculi approaches for proving properties of infinite-state systems

Verifying infinite systems is a particularly challenging and a relatively new area. Practical applications of this are still at a preliminary stage.

Constraint-based verification , has been shown to be a promising approach for infinite systems since a constraint formula is a natural symbolic representation of an infinite state set.

*Open Constraint Satisfaction Problems* have been recently introduced for specifying and solving constraint problems in highly distributed networks. In such a context there is typically no bound on the number of devices/resources that can be part of a given network. Algorithms for this kind of problem and their applications have been considered in , , . Nevertheless, little attention has been paid to the computational limits of these problems, i.e., to studies establishing whether interesting classes of these problems are actually computationally solvable. This is certainly an issue when an unbounded number of resources is allowed, as is the case in DMS.

The study of expressive power of different forms of specifying infinite-behavior in Process Calculi is a recent line of research bringing understanding for infinite behavior of concurrent systems in terms of decidability.

Our work in (see also , ), to our knowledge the first of this kind, deepened the understanding of process calculi for concurrent constraint programming by establishing an expressive power hierarchy of several temporal ccp languages which were proposed in the literature by other authors. These calculi differ in their way of defining infinite behavior (i.e., replication or recursion) and the scope of variables (i.e., static or dynamic scope). In particular, it is shown that (1) recursive procedures with parameters can be encoded into parameterless recursive procedures with dynamic scoping, and vice-versa; (2) replication can be encoded into parameterless recursive procedures with static scoping, and vice-versa; (3) the calculi from (1) are strictly more expressive than the calculi from (2). Moreover, it is shown that the behavioral equivalence for these calculi is undecidable for those from (1), but decidable for those from (2). Interestingly, the undecidability result holds even if the variables in the corresponding languages take values from a fixed finite domain whilst the decidability holds for arbitrary domains. The works , , present similar results in the context of the calculus for communicating systems (CCS).

Both the expressive power hierarchy and the decidability/undecidability results give theoretical distinctions among different ways of expressing infinite behavior. The above work, however, pays little attention to the existence of efficient algorithms for the corresponding decidability questions or the existence of semi-decision procedures for the undecidable cases. These issues are fundamental if we wish to verify infinite-state process specifications, and hence we shall address them in this project.

Formalisms to express security properties and protocols and to verify them

Security protocols, also known as cryptographic protocols, are small concurrent programs designed to provide various security services across a distributed system. These goals include: authentication of agents and nodes, establishing session keys between nodes, ensuring secrecy, integrity, anonymity, non-repudiation, fairness, and so on. The challenge comes from the fact that we want to guarantee security of exchanges between participants using non-secure mediums, whose weaknesses can be exploited by malicious adversaries. In certain cases, like in the non-repudiation and fairness problems, we cannot even be sure that the participants are honest.

With the increasing degree of distribution and mobility of modern systems, and the increasing number of applications such as electronic commerce, electronic voting, etc., these protocols are becoming more and more widely used, and their correctness more and more crucial. Establishing the correctness of these protocols, however, is not an easy task; the difficulties arise from a number of considerations:

The properties that they are supposed to ensure are extremely subtle; the precise meaning of a property is often a matter of debate and needs to be formally specified.

The capabilities of adversaries (intruders, attackers, ...) are difficult to capture.

By their nature security protocols involve a high degree of concurrency, which makes the analysis much more complicated.

Several formalisms have been proposed for the specification of the protocols and intruders, for the description of the security properties, and for proving correctness. For example, the Strand spaces , , the spi-calculus and other process calculi , , , , formalisms based on linear logic , , on set-rewriting , , on rewriting logic , on tree automata , , and on set constraints .

The foundational research of Comète (process calculi, communication and mobility, probabilistic studies, semantics and logics for concurrency, etc.) and the software tools we develop address the needs of many application domains. They are virtually applicable to any system or protocol made of distributed agents communicating by asynchronous messages, and where, possibly, the communication structure can change dynamically. Here we list the main domains of applications we envisage:

Distributed and mobile systems: election algorithms, dynamic reconfiguration algorithms, fault tolerance algorithms;

Databases: transaction protocols, distributed knowledge bases;

Security protocols: authentication, electronic transactions;

Telecommunications: mobile telephony, active network management, hot reconfigurations, feature interaction detection;

In collaboration with Dave Parker and Marta Kwiatkowska, we are developing a model checker for the probabilistic asynchronous -calculus. Case studies with Fair Exchange and MUTE, an anonymous peer-to-peer file sharing system, are in progress.

Technically, we use MMC as a compiler to encode the probabilistic -calculus into a PRISM representation, which will then be verified against PCTL using PRISM. The transitional semantics defined in MMC can be reused to derive the symbolic transition graphs of a probabilistic process. The code for derivation will work as an add-on to MMC under XSB and invoke a graph traversal to enumerate all reachable nodes and transitions of the probabilistic process.

One of the goals of Comète is to investigate the foundations of probabilistic calculi, and in particular the probabilistic asynchronous -calculus described in Section .

This has been the first work, to our knowledge, to provide a complete axiomatization for weak equivalences in the presence of recursion and both nondeterministic and probabilistic choice.

In systems that model quantitative processes, steps are associated with a given quantity, such as the probability that the step will happen or the resources (e.g. time or cost) needed to perform that step. The standard notion of bisimulation can be adapted to these systems by treating the quantities as labels, but this does not provide a robust relation, since quantities are matched only when they are identical. Processes that differ by a very small probability, for instance, would be considered just as different as processes that perform completely different actions. This is particularly relevant to security systems, where specifications can be given as perfect but impractical processes, and other, practical processes are considered safe if they only differ from the specification with a negligible probability.

To find a more flexible way to differentiate processes, we have considered the notion of metric, which is a function that associates a real number (distance) with a pair of elements. In , we have studied metric semantics for a general framework that we call *Action-labeled Quantitative Transition Systems* (AQTS). This framework subsumes some other well-known quantitative systems such as probabilistic automata , reactive and generative models , and (a simplified version of) weighted automata , .

The metric semantics that we have investigated in is based on rather sophisticated techniques. In particular, we needed to resort to the notion of Hutchinson distance.

Probabilistic security protocols involve *probabilistic choices* and are used for many purposes including signing contracts, sending certified email and protecting the anonymity of communication agents. Some probabilistic protocols rely on specific random primitives such as the *Oblivious Transfer* . There are various examples in this category, notably the contract signing protocol in and the privacy-preserving auction protocol in .

A large effort has been dedicated to the formal verification of security protocols, and several approaches based on process-calculi techniques have been proposed. However, in the particular case of probabilistic protocols, only a few attempts of this kind have been made. One proposal of this kind is , which defines a probabilistic version of the noninterference property, and uses a probabilistic variant of CCS and of bisimulation to analyze protocols with respect to this property.

In and we have developed a framework for analyzing probabilistic security protocols using a probabilistic extension of the -calculus inspired by the work in , . In order to express security properties in this calculus, we have extended the notion of testing equivalence to the probabilistic setting. We have applied these techniques to verify the Partial Secret Exchange, a protocol which uses a randomized primitive, the Oblivious Transfer, to achieve fairness of information exchange between two parties.

The concept of anonymity comes into play in a wide range of situations, varying from voting and anonymous donations to postings on bulletin boards and sending mails.

The systems for ensuring anonymity often use random mechanisms which can be described probabilistically, while the agents' interest in performing the anonymous action may be totally unpredictable, irregular, and hence expressible only nondeterministically. In the past, formal definitions of the concept of anonymity have been investigated either in a totally nondeterministic framework, or in a purely probabilistic one. We have proposed a notion of anonymity which combines both probability and nondeterminism, and which is suitable for describing the most general situation in which both the systems and the user can have both probabilistic and nondeterministic behavior. We have also investigated the properties of the definition for the particular cases of purely nondeterministic users and purely probabilistic users.

We have investigated notions of strong anonymity in and , . One interesting feature of our approach is that in the purely probabilistic case, strong anonymity turns out to be independent from the probability distribution of the users. In , , we have also investigated notions of weak anonymity. These are more realistic in the sense that they are more likely to be satisfied by the anonymity protocols used in practice.
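An added illustration of the strong-anonymity claim above (not code from the Comète team): it assumes the formulation in which a protocol is strongly anonymous when every user induces the same probability distribution on the observables, and uses the three-party Dining Cryptographers protocol, which this page does not mention, as a constructed test case. All function names are hypothetical.

```python
from fractions import Fraction
from itertools import product


def observable_dist(payer, n, p_heads):
    """Exact distribution of the public announcements, given who paid.

    Constructed model: n cryptographers sit in a ring, coin i is shared by
    cryptographers i and i+1, and cryptographer i announces the XOR of the
    two coins it sees, flipped if it is the payer.
    """
    dist = {}
    for coins in product((0, 1), repeat=n):
        prob = Fraction(1)
        for c in coins:
            prob *= p_heads if c else 1 - p_heads
        if prob == 0:
            continue  # skip impossible coin outcomes (p_heads of 0 or 1)
        announce = tuple(
            coins[i] ^ coins[i - 1] ^ (1 if i == payer else 0)
            for i in range(n)
        )
        dist[announce] = dist.get(announce, Fraction(0)) + prob
    return dist


def strongly_anonymous(n, p_heads):
    """Assumed definition: p(o | user) is the same for every user."""
    dists = [observable_dist(a, n, p_heads) for a in range(n)]
    return all(d == dists[0] for d in dists)


def posterior(prior, n, p_heads, obs):
    """What an observer believes about the payer after seeing obs (Bayes)."""
    joint = [
        prior[a] * observable_dist(a, n, p_heads).get(obs, Fraction(0))
        for a in range(n)
    ]
    total = sum(joint)
    if total == 0:
        raise ValueError("observation has probability zero under this prior")
    return [j / total for j in joint]


if __name__ == "__main__":
    fair, biased = Fraction(1, 2), Fraction(3, 4)
    obs = (1, 0, 0)  # constructed observation: one 'disagree', two 'agree'

    # Fair coins: the condition holds and the observer learns nothing,
    # whatever the prior over users is.
    skewed_prior = [Fraction(1, 2), Fraction(1, 3), Fraction(1, 6)]
    print(strongly_anonymous(3, fair))
    print(posterior(skewed_prior, 3, fair, obs))

    # Biased coins: the condition fails and the same observation now
    # shifts belief toward cryptographer 0.
    uniform = [Fraction(1, 3)] * 3
    print(strongly_anonymous(3, biased))
    print(posterior(uniform, 3, biased, obs))
```

Because the check compares only the conditional distributions p(o | user), its outcome never depends on the prior over users, which is the independence property stated in the paragraph above.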

Our notions of anonymity are defined in terms of observables for processes in the probabilistic -calculus. As one of the goals of the project is to develop a model checker and other verification tools for this calculus, this will also provide a way to check automatically that the protocols satisfy the intended anonymity properties.

One of the most pressing questions in Concurrency is how the several languages and models that have been proposed compare to each other, and, in particular, which ones are the most suitable to capture the nature of concurrent and distributed computation. We have investigated the expressive power of various formalisms with respect to some of the key aspects of concurrency.

One of the early results about the asynchronous -calculus which significantly contributed to its popularity is the capability of encoding the output prefix of the (choiceless) -calculus in a natural and elegant way. Encodings of this kind were proposed by Honda and Tokoro , by Nestmann and (independently) by Boudol . In , , we have investigated whether the above encodings preserve De Nicola and Hennessy's testing semantics. It turns out that, under some general conditions, no encoding of output prefix is able to preserve the must testing. This negative result is due to (a) the non-atomicity of the sequences of steps which are necessary in the asynchronous -calculus to mimic synchronous communication, and (b) the sensitivity of testing semantics to divergence.

Another line of investigation has been represented by the comparison between various forms of recursion and replication in concurrent calculi. We have noted that the expressive power of recursion, and in particular whether or not it can be encoded by replication, depends critically on the notion of *scope* adopted for channel names. In we have surveyed various definitions of scope proposed in literature, and we have discussed their impact on the expressiveness of recursion.

In we have defined fair computations in the -calculus. We have followed Costa and Stirling's approach for CCS-like languages , but exploited a more natural labeling method of process actions to filter out unfair process executions. The new labeling allowed us to prove all the significant properties of the original one, such as unicity, persistence and disappearance of labels. It also turned out that the labeled -calculus is a conservative extension of the standard one. We contrasted the existing fair testing , with those that naturally arise by imposing weak and strong fairness. This comparison provides the expressiveness of the various fair testing-based semantics and emphasizes the discriminating power of the one already proposed in the literature.

Quantitative and partial information may help to better describe the behavior of many real-life systems. In the particular case of biological ones, the former is fundamental for description and experimentation purposes, and the latter makes it possible to represent those facts that are not precisely known. Moreover, the dynamic nature of these systems makes the use of time in system descriptions a mandatory requirement. In we have proposed ntcc, a timed concurrent constraint process calculus, as a convenient language to model biological systems. ntcc can describe both non-deterministic and asynchronous behavior, useful features for describing many scenarios such as unpredictable biological events. A crucial advantage of using ntcc is that interesting properties of biological models can be verified by appealing to its associated proof system. The advantages of following this approach are demonstrated by modelling the Sodium-Potassium pump, a cellular mechanism present in many living organisms.

The project ROSSIGNOL started in 2003 and ended in 2006 and included the following participants:

LIF. Responsible: D. Lugiez

INRIA Futurs. Responsible: C. Palamidessi

LSV. Responsible: F. Jacquemard

VERIMAG. Responsible: Y. Lakhnech

ROSSIGNOL focuses on the foundations of Security Protocols. The goal of this project is the development of abstract models, simple enough to be used for the definition of a comprehensible semantics for the language of security properties. In particular, the project focuses on probabilistic models.

The project PRONOBIS started in 2006 and includes the following participants:

ENS Cachan. Responsible: J. Goubault-Larrecq

INRIA Futurs. Responsible: C. Palamidessi

University of Birmingham. Responsible: M. Kwiatkowska

University of Verona. Responsible: R. Segala

The goal of the ProNobis project is to explore mixing probability and non-determinism in the semantics of transition systems, and also of programming languages. We plan to keep an eye on applications to typical computer-related problems, in particular to problems stemming from security. Several interesting verification problems related to security involve proving that two processes are contextually equivalent. This usually uses notions such as bisimulation, which need to be better understood in a setting where probabilities, external non-determinism (choosing which action to fire in Markov decision processes), and internal non-determinism (where no visible action distinguishes between the various alternatives) coexist.

The project PRINTEMPS started in December 2005 and includes the following participants:

INRIA Futurs. Responsible: C. Palamidessi

Paris VII. Responsible: V. Danos

McGill University. Responsible: P. Panangaden

PRINTEMPS focuses on the applications of Information Theory to security. We are particularly interested in studying the interactions between Concurrency and Information Theory.

The EGIDE/PAI program PICASSO aims at promoting scientific and technological exchanges between France and Spain. The Comète team is participating, within this program, in a project whose participants are:

INRIA Futurs. Responsible: Catuscia Palamidessi and Dale Miller

Universidad Politécnica de Madrid. Responsible: James Lipton and Manuel Hermenegildo

The main aims of our project, which started in January 2005, are the integration of the approaches developed by the INRIA and the UPM teams to the analysis and implementation of Higher-Order Languages (both sequential and concurrent), coinductive techniques (with special emphasis on lazy features), and in the areas of code validation, proof carrying code and security.

Note: In this section we include only the activities of the permanent internal members of Comète.

Frank D. Valencia is the organizer of the Comète-Parsifal Seminar. This seminar takes place weekly at LIX, and it is meant as a forum where the members of Comète and Parsifal present their current works and exchange ideas. See http://www.lix.polytechnique.fr/comete/seminar/.

Catuscia Palamidessi is member of the Editorial Board of the journal on Mathematical Structures in Computer Science, published by the Cambridge University Press.

Catuscia Palamidessi is member of the Editorial Board of the journal on Theory and Practice of Logic Programming, published by the Cambridge University Press.

Catuscia Palamidessi is member of the Editorial Board of the Electronic Notes of Theoretical Computer Science, Elsevier Science.

Frank D. Valencia is area editor (for the area of Concurrency) of the ALP Newsletter.

Catuscia Palamidessi is member of the council of the EATCS, the European Association on Theoretical Computer Science.

Frank Valencia and Catuscia Palamidessi have been the organizers of the LIX colloquium on ``Emerging Trends in Concurrency Theory'' Palaiseau, France, November 2006. See http://www.lix.polytechnique.fr/comete/conferences/LIXColloquium2006/page/index.html.

Catuscia Palamidessi has been/is a member of the program committees of the following conferences:

CiE 2008: Logic and Theory of Algorithms. Athens, Greece. June 2008.

ESOP 2008. 17th European Symposium on Programming. (Part of ETAPS 2008.) Budapest, Hungary, March - April 2008.

QEST'07. International Conference on Quantitative Evaluation of Systems. Edinburgh, UK, September 2007.

CONCUR 2007. 18th International Conference on Concurrency Theory. Lisbon, Portugal, September 2007.

FCT 2007. 16th International Symposium on Fundamentals of Computation Theory. Budapest, Hungary, August 2007.

ESOP 2007. 16th European Symposium on Programming. (Part of ETAPS 2007.) Braga, Portugal, 24 March - 1 April, 2007.

LPAR 2006. International Conference on Logic for Programming Artificial Intelligence and Reasoning. Phnom Penh, Cambodia, November 2006.

CONCUR 2006. International Conference on Concurrency Theory. Bonn, Germany, August 2006.

MFPS 2006. Twenty-second Conference on the Mathematical Foundations of Programming Semantics. University of Genova, Italy, May 2006.

FOSSACS 2006. Foundations of Software Science and Computation Structures. (Part of ETAPS 2006.) Vienna, Austria, March 2006.

Catuscia Palamidessi has been/is a member of the program committees of the following workshops:

FInCo 2007. Workshop on the Foundations of Interactive Computation. (Satellite event of ETAPS 2007). Braga, Portugal, March - April, 2007.

EXPRESS'06. 12th International Workshop on Expressiveness in Concurrency. Bonn, Germany, August 2006.

ACM Transactions on Programming Languages, Theoretical Computer Science, Journal of Algebraic and Logic Programming, Information and Computation, IEEE Transactions on Parallel and Distributed Systems, Formal Aspects of Computing, Wireless Personal Communications, Journal of Universal Computer Science.

LPAR 2006, CONCUR 2006, EXPRESS 2006, ESOP 2006, MFPS 2006, FOSSACS 2006, ICSE 2006, MIC 2006.

Tom Chothia has won the *Best Paper Award* at FORTE 2006, with the paper , which was mostly developed during 2005 while he was a postdoc in the Comète team.

Note: In this section we include only the activities of the permanent internal members of Comète.

Frank D. Valencia has given a course on Computability Theory at the PhD School of Informatics at Universidad del Valle, Colombia. January 2006.

Catuscia Palamidessi is co-teaching (together with Jean-Jacques Lévy, Eric Goubault and James Leifer) the course ``Concurrence'' at the ``Master Parisien de Recherche en Informatique'' MPRI in Paris. Winter semester 2005-06.

Catuscia Palamidessi has been co-teaching (together with Pierre-Louis Curien, Francesco Zappa-Nardelli, James Leifer and Roberto Amadio) the course ``Concurrence'' at the ``Master Parisien de Recherche en Informatique'' MPRI in Paris. Winter semester 2006-07.

Frank D. Valencia has been a lecturer on "Concurrency Theory" at Universidad Javeriana de Cali. July 2006.

The team Comète has supervised the following PhD students during 2006:

Kostas Chatzikokolakis. Allocataire École Polytechnique - Ministère.

Romain Beauxis. Allocataire Region Ile de France.

Sylvain Pradalier. Allocataire ENS Cachan. Co-supervised by Cosimo Laneve, University of Bologna, Italy.

Carlos Olarte. Allocataire INRIA - CORDIs.

Jesus Aranda. Co-supervised by Juan Francisco Diaz, Universidad del Valle, Colombia.

The team Comète has supervised the following internship students during 2006:

Purnima Gupta. IIT, New Delhi. From 1/5/2006 till 31/7/2006.

Catuscia Palamidessi has been ``rapporteur'' at the following PhD thesis defenses during 2006:

Jean Krivine. PhD thesis on *Reversible process algebra* defended on November 16, 2006. Advised by Jean-Jacques Lévy.