Joint team with LIX (Laboratoire d'Informatique de l'École Polytechnique) and CNRS.

Our times are characterized by the massive presence of highly distributed and mobile systems consisting of diverse and specialized devices, forming heterogeneous networks, and providing different services and applications. The resulting computational systems are usually referred to as *Ubiquitous Computing* (see, e.g., the UK Grand Challenge initiative under the name *Sciences for Global Ubiquitous Computing*). *Security* is one of the fundamental concerns that arise in this setting. The problem of *privacy*, in particular, is exacerbated by orders of magnitude: the frequent interaction between users and electronic devices, and the continuous connection between these devices and the internet, offer malicious agents the opportunity to gather and store huge amounts of information, often without the individual even being aware of it. Mobility is an additional source of vulnerability, since tracing may reveal significant information. To avoid these hazards, honest agents should use special protocols, called *security protocols*.

These systems are usually very complex and based on impressive engineering technologies, but they do not always exhibit a satisfactory level of robustness and reliability. The same holds for protocols: they usually look simple, but the properties that they are supposed to ensure are extremely subtle, and it is also difficult to capture the capabilities of the attacker. As a consequence, even protocols that seem at first “obviously correct” are later (often years later) found to be prone to attacks.

In order to overcome these drawbacks, computer scientists need to develop formalisms, reasoning techniques, and tools, to specify systems and protocols, their intended properties, and to guarantee that these intended properties are indeed satisfied. The challenges that we envisage are (a) to find suitably expressive formalisms which capture essential new features such as mobility, probabilistic behavior, presence of uncertain information, and potentially hostile environment, (b) to build suitably representative models in which to interpret these formalisms, and (c) to design efficient tools to perform the verification in presence of these new features.

Robin Milner visits the Comète team for one year. His visit is supported by a Blaise Pascal chair. Milner is an outstanding scientist who has given many fundamental contributions to the fields of Functional Languages and of Concurrency. He has received many prestigious recognitions, among which the Turing award.

Catuscia Palamidessi gives various invited talks and tutorials at international conferences and workshops on the work done with Prakash Panangaden and Kostas Chatzikokolakis in the context of the INRIA/DREI project Printemps.

The need to deal with probabilities can arise for various reasons:

First, algorithms for distributed systems and security protocols often use randomization.

Second, the modeling of the physical world frequently requires coping with uncertain and approximate information (for example, the number of the requests that are received by a web server during various times of the day), which one can refine by statistical measurements, and which can then be naturally represented using a probabilistic formalism.

Third, reality can sometimes be too complicated to be represented and analyzed in detail; probabilistic models offer then a convenient abstraction mechanism.

We intend to study models and languages for concurrent, probabilistic and mobile systems, with a particular attention to expressiveness issues. We aim at developing criteria to assess the expressive power of a model or formalism in a distributed setting, to compare existing models and formalisms, and to define new ones according to an intended level of expressiveness, taking also into account the issue of (efficient) implementability.

We will focus our efforts on a probabilistic variant of the asynchronous π-calculus, that is a formalism designed for mobile and distributed computation. A characteristic of our calculus is the presence of both probabilistic and nondeterministic aspects. This combination is essential to represent probabilistic algorithms and protocols and express their properties in presence of unpredictable (nondeterministic) users and adversaries.

The aim of our research is the specification and verification of protocols used in mobile distributed systems, in particular security protocols. We are especially interested in protocols for *privacy*, because they exhibit features that require the kind of concepts and approach in which we feel most competent. It is likely, however, that the instruments and tools developed with privacy in mind can later be useful and adaptable to other domains of security, like *Secure Information Flow*. Privacy is a generic term which denotes the issue of preventing certain information from becoming known to an agent, except when that agent is explicitly allowed to be informed. It may refer to the protection of *private data* (credit card number, personal info, etc.), of the agent's identity (*anonymity*), of the link between information and user (*unlinkability*), of its activities (*unobservability*), and of its *mobility* (*untraceability*).

The common denominator of this class of problems is that an adversary can try to infer the private information (*secrets*) from the information that he can access (*observables*). The purpose of privacy protocols is then to obfuscate the link between secrets and observables as much as possible, and they often use randomization to achieve this purpose, i.e. to introduce *noise*. The protocol can therefore be seen as a *noisy channel*, in the Information-Theoretic sense, between the secrets and the observables.

We intend to explore the rich set of concepts and techniques in the fields of Information Theory and Hypothesis Testing to establish the foundations of privacy, and to develop heuristics and methods to improve protocols for privacy. Our approach will be based on the specification of protocols in the probabilistic asynchronous π-calculus, and the application of model-checking to compute the matrices associated to the corresponding channels.

We plan to develop model-checking techniques and tools for verifying properties of systems and protocols specified in the above formalisms. Model checking addresses the problem of establishing whether the model (for instance, a finite-state machine) of a certain specification satisfies a certain logical formula. We intend to concentrate our efforts on aspects that are fundamental for the verification of security protocols, and that are not properly considered in existing tools. These are (a) the combination of probability and mobility, which is not provided by any of the current model checkers, (b) the interplay between nondeterminism and probability, which in security presents subtleties that cannot be handled with the traditional notion of scheduler, and (c) the development of a logic for expressing security (in particular privacy) properties. We should capture both probabilistic and epistemological aspects, the latter being necessary for treating the knowledge of the adversary. Logics of this kind have already been developed, but the investigation of their relation with the models coming from process calculi, and their utilization in model checking, is still in its infancy.

In collaboration with Dave Parker and Marta Kwiatkowska, we are developing a model checker for the probabilistic asynchronous π-calculus. Case studies with Fair Exchange and MUTE, an anonymous peer-to-peer file sharing system, are in progress.

Technically we use MMC as a compiler to encode the probabilistic π-calculus into a certain PRISM representation, which will then be verified against PCTL using PRISM. The transitional semantics defined in MMC can be reused to derive the symbolic transition graphs of a probabilistic process. The code for derivation will work as an add-on to MMC under XSB and invoke a graph traversal to enumerate all reachable nodes and transitions of the probabilistic process.

In the meantime we are also attempting a direct and more flexible approach to the development of a model checker for the probabilistic π-calculus, using OCaml. This should allow us to extend the language more easily, to include cryptographic primitives and other features useful for the specification of security protocols. As the result of our preliminary steps in this direction we have developed a rudimentary model checker, available at the following URL:
http://

Process calculi differ in the constructs for the specification of infinite behavior and in the scoping rules for channel names.

One of the early results about the asynchronous π-calculus which significantly contributed to its popularity is the capability of encoding the output prefix of the (choiceless) π-calculus in a natural and elegant way. Encodings of this kind were proposed by Honda and Tokoro , and by Boudol . In , we have investigated whether the above encodings preserve De Nicola and Hennessy's testing semantics. It turns out that, under some general conditions, no encoding of output prefix is able to preserve the must testing. This negative result is due to (a) the non-atomicity of the sequences of steps which are necessary in the asynchronous π-calculus to mimic synchronous communication, and (b) testing semantics's sensitivity to divergence. The preservation of testing semantics is however ensured if we assume some form of fairness.

In we have defined fair computations in the π-calculus. We have followed Costa and Stirling's approach for CCS-like languages , but exploited a more natural labeling method of process actions to filter out unfair process executions. The new labeling allowed us to prove all the significant properties of the original one, such as unicity, persistence and disappearance of labels. It also turned out that the labeled π-calculus is a conservative extension of the standard one. We contrasted the existing fair testing notions , with those that naturally arise by imposing weak and strong fairness. This comparison provides the expressiveness of the various fair testing-based semantics and emphasizes the discriminating power of the one already proposed in the literature.

One of the goals of Comète is to investigate the foundations of probabilistic calculi, and in particular the probabilistic asynchronous π-calculus.

This has been the first work, to our knowledge, to provide a complete axiomatization for weak equivalences in the presence of recursion and both nondeterministic and probabilistic choice.

Probabilistic security protocols involve *probabilistic choices* and are used for many purposes including signing contracts, sending certified email and protecting the anonymity of communication agents. Some probabilistic protocols rely on specific random primitives such as the *Oblivious Transfer* . There are various examples in this category, notably the contract signing protocol in and the privacy-preserving auction protocol in .

A large effort has been dedicated to the formal verification of security protocols, and several approaches based on process-calculi techniques have been proposed. However, in the particular case of probabilistic protocols, only few attempts of this kind have been made.

In we have developed a framework for analyzing probabilistic security protocols using a probabilistic extension of the π-calculus inspired by the work in , . In order to express security properties in this calculus, we have extended the notion of testing equivalence to the probabilistic setting. We have applied these techniques to verify the Partial Secret Exchange, a protocol which uses a randomized primitive, the Oblivious Transfer, to achieve fairness of information exchange between two parties.

In we introduced a framework for the declarative debugging of tcc programs. We expect to adapt this framework to our work in and use it to debug security protocols specified in `utcc`.

The systems for ensuring anonymity often use random mechanisms which can be described probabilistically, while the agents' interest in performing the anonymous action may be totally unpredictable, irregular, and hence expressible only nondeterministically. In the past, formal definitions of the concept of anonymity have been investigated either in a totally nondeterministic framework, or in a purely probabilistic one.

In , , we have proposed a notion of strong anonymity which combines both probability and nondeterminism, and which is suitable for describing the most general situation in which both the systems and the user can have both probabilistic and nondeterministic behavior. We have also investigated the properties of the definition for the particular cases of purely nondeterministic users and purely probabilistic users. One interesting feature of our approach is that in the purely probabilistic case, strong anonymity turns out to be independent from the probability distribution of the users.
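The noisy-channel view of a privacy protocol and the strong anonymity property described above can be made concrete with a small computation. This is an added example, not code from the report or from the team's tools; it assumes the dining cryptographers protocol as the illustration (the report does not name it) and takes strong anonymity, for purely probabilistic users, to mean that every row of the channel matrix p(observable | secret) is identical.

```python
from fractions import Fraction
from itertools import product


def dc_channel(n, p_heads):
    """Channel matrix p(observable | payer) for n dining cryptographers.

    Secret: index of the paying cryptographer. Observable: the tuple of
    public announcements. Each adjacent pair shares one coin that lands
    heads (1) with probability p_heads; cryptographer k announces the XOR
    of coins k and k+1 (ring), flipped if k is the payer.
    """
    channel = []
    for payer in range(n):
        row = {}
        # Enumerate every outcome of the protocol's random choices.
        for coins in product((0, 1), repeat=n):
            prob = Fraction(1)
            for c in coins:
                prob *= p_heads if c else 1 - p_heads
            if prob == 0:
                continue
            obs = tuple(
                coins[k] ^ coins[(k + 1) % n] ^ int(k == payer)
                for k in range(n)
            )
            row[obs] = row.get(obs, Fraction(0)) + prob
        channel.append(row)
    return channel


def strongly_anonymous(channel):
    """Assumed formalization: all rows of the channel matrix coincide."""
    return all(row == channel[0] for row in channel)


def posterior(prior, channel, obs):
    """Adversary's belief p(payer | obs) by Bayes' rule."""
    joint = [prior[i] * channel[i].get(obs, Fraction(0))
             for i in range(len(prior))]
    total = sum(joint)
    if total == 0:
        raise ValueError("observable has probability zero under this prior")
    return [j / total for j in joint]


if __name__ == "__main__":
    obs = (1, 0, 0)  # constructed sample observation
    skewed_prior = [Fraction(1, 2), Fraction(3, 10), Fraction(1, 5)]
    uniform_prior = [Fraction(1, 3)] * 3

    fair = dc_channel(3, Fraction(1, 2))
    print("fair coins, strongly anonymous:", strongly_anonymous(fair))
    # With equal rows the observation teaches the adversary nothing,
    # whatever the users' distribution is.
    print("posterior:", posterior(skewed_prior, fair, obs))

    biased = dc_channel(3, Fraction(3, 4))
    print("biased coins, strongly anonymous:", strongly_anonymous(biased))
    print("posterior:", posterior(uniform_prior, biased, obs))
```

With fair coins the posterior equals the prior for any prior, which is the independence from the users' distribution mentioned above; with biased coins the same observation shifts the adversary's belief toward one participant.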

Our notions of anonymity are defined in terms of observables for processes in the probabilistic π-calculus. Since one of the goals of the project is to develop a model checker and other verification tools for this calculus, this will also provide a way to check automatically that the protocols satisfy the intended anonymity properties.

It has been observed recently that in security the combination of nondeterminism and probability can be harmful, in the sense that the resolution of the nondeterminism can reveal the outcome of the probabilistic choices even though they are supposed to be secret . This is known as the problem of the *information-leaking scheduler*. In we have developed a linguistic (process-calculus) approach to this problem, and we have shown how to apply it to control the behavior of the scheduler in various anonymity examples.

The PhD thesis of Kostas Chatzikokolakis, which has been defended on October 26, 2007, is largely based on the results described in this section.

In order to obtain a language suitable for the specification and verification of a large class of security protocols, we aim at enriching the probabilistic π-calculus with value passing, encryption and decryption, other primitive functions, and data types, along the lines of the *applied π-calculus* .

Model checking is the main tool that we aim at developing for the verification of security protocols.

In , in collaboration with the PRISM team at Oxford, we have established the basis for an implementation of model checking for the probabilistic π-calculus. Building upon the (non-probabilistic) π-calculus model checker MMC , we have developed an automated procedure for constructing a Markov decision process representing a probabilistic π-calculus process. This representation can then be verified using existing probabilistic model checkers such as PRISM. Secondly, we have demonstrated how for a large class of systems an efficient, compositional approach can be applied, which uses our extension of MMC on each parallel component of the system and then translates the results into a higher-level model description for the PRISM tool.

Quantitative and partial information may help to better describe the behavior of many real-life systems. In the particular case of biological ones, the former is fundamental for description and experimentation purposes, and the latter makes it possible to represent those facts that are not precisely known. Moreover, the dynamic nature of these systems makes the use of time in system descriptions a mandatory requirement. In we have proposed ntcc, a timed concurrent constraint process calculus, as a convenient language to model biological systems. ntcc makes it possible to describe both non-deterministic and asynchronous behavior, useful features for describing many scenarios such as unpredictable biological events. A crucial advantage of using ntcc is that interesting properties of biological models can be verified by appealing to its associated proof system. The advantages of following this approach are demonstrated by modelling the Sodium-Potassium pump, a cellular mechanism present in many live organisms.

The project PRONOBIS started in January 2006 and will end in December 2007. The consortium is composed as follows:

ENS Cachan. Responsible: J. Gobault-Larrecq

INRIA Futurs. Responsible: C. Palamidessi

Oxford University, UK. Responsible: M. Kwiatkowska

University of Verona, Italy. Responsible: R. Segala

The goal of the ProNobis project is to explore mixing probability and non-determinism in the semantics of transition systems, and also of programming languages. We plan to keep one eye on applications to typical computer related problems, in particular to problems stemming from security. Several interesting verification problems related to security involve proving that two processes are contextually equivalent. This usually uses notions such as bisimulation, which need to be better understood in a setting where probabilities, external non-determinism (choosing which action to fire in Markov decision processes), and internal non-determinism (where no visible action distinguishes between the various alternatives) coexist.

Home Page:
http://

Some publications representative of this collaboration are , .

This project is financed by the DGA, for the years 2007 and 2008. The teams involved are:

Hipercom. Responsible: Philippe Jacquet

Comète. Responsible: C. Palamidessi

Algorithmes et Optimisation. Responsible: Philippe Baptiste

MAX. Responsible: Michel Fliess. 2007-2008.

The project has started in December 2005 and includes the following sites:

INRIA Futurs. Responsible: C. Palamidessi

McGill University, Canada. Responsible: P. Panangaden

PRINTEMPS focuses on the applications of Information Theory to security. We are particularly interested in studying the interactions between Concurrency and Information Theory.

Home page:
http://

Some publications representative of this collaboration are , .

The project has started in January 2006 and includes the following sites:

Pontificia Universidad Javeriana, Colombia. Responsible: C. Rueda

INRIA Futurs. Responsible: F. Valencia

IRCAM, France.

Home page:
http://

A publication representative of this collaboration is .

The project has started in January 2007 and will end in December 2008. It involves the following sites:

Imperial College, UK. Responsible I. Phillips

INRIA Futurs. Responsible: C. Palamidessi

Technische Universität Berlin, Germany. Responsible: U. Nestmann.

A publication representative of this collaboration is .

Note: In this section we include only the activities of the permanent internal members of Comète.

Catuscia Palamidessi is member of the Editorial Board of the journal on Mathematical Structures in Computer Science, published by the Cambridge University Press.

Catuscia Palamidessi is member of the Editorial Board of the journal on Theory and Practice of Logic Programming, published by the Cambridge University Press.

Catuscia Palamidessi is member of the Editorial Board of the Electronic Notes of Theoretical Computer Science, Elsevier Science.

Frank D. Valencia is area editor (for the area of Concurrency) of the ALP Newsletter.

Catuscia Palamidessi is member of:

The IFIP Technical Committee 1 – Foundations of Computer Science. Since 2007

The Council of EATCS, the European Association for Theoretical Computer Science. Since 2005

The IFIP Working Group 2.2 – Formal Description of Programming Concepts. Since 2001

Catuscia Palamidessi has given invited talks and tutorials at the following conferences and workshops:

Workshop on the Interplay of Programming Languages and Cryptography. Sophia Antipolis, France, 7 November 2007.

Dagstuhl seminar on Formal Protocol Verification Applied. Dagstuhl, Germany, 14-19 October 2007.

PLID'07. Programming Language Interference and Dependence. Kongens Lyngby, Denmark, 21 August 2007.

PAuL'07. 2nd International Workshop on Probabilistic Automata and Logics. Wroclaw, Poland, 9 July 2007.

PERAD 2007. Pervasive Adaptive Joint FET - EATCS Workshop. Brussels, Belgium, 26 January 2007.

Catuscia Palamidessi has been the co-organizer of the workshop SecCo 2007, the 5th International Workshop on Security Issues in Concurrency. Lisboa, Portugal, September 2007. See
http://

Catuscia Palamidessi has been/is a member of the program committees of the following conferences:

QEST'08. International Conference on Quantitative Evaluation of SysTems. Saint Malo, France, September 2008.

CONCUR'08. 19th International Conference on Concurrency Theory. Toronto, Canada, August 2008.

CiE 2008: Logic and Theory of Algorithms. Athens, Greece. June 2008.

FICS'08. Foundations of Informatics, Computing and Software. Shanghai, China, June 2008.

LICS 2008. 23rd Symposium on Logic in Computer Science. Pittsburgh, USA. June 2008.

MFPS XXIV. Twenty-fourth Conference on the Mathematical Foundations of Programming Semantics. University of Pennsylvania, Philadelphia, USA, May 2008.

ESOP 2008. 17th European Symposium on Programming. (Part of ETAPS 2008.) Budapest, Hungary, March - April 2008.

VMCAI 2008. 9th International Conference on Verification, Model Checking, and Abstract Interpretation. San Francisco, USA. January 2008.

QEST'07. International Conference on Quantitative Evaluation of Systems. Edinburgh, UK, September 2007.

CONCUR 2007. 18th International Conference on Concurrency Theory. Lisbon, Portugal, September 2007.

FCT 2007. 16th International Symposium on Fundamentals of Computation Theory. Budapest, Hungary, August 2007.

ESOP 2007. 16th European Symposium on Programming. (Part of ETAPS 2007.) Braga, Portugal, 24 March - 1 April, 2007.

Catuscia Palamidessi has been/is a member of the program committees of the following workshops:

TFIT 2008. The Fourth Taiwanese-French Conference on Information Technology. Taipei, Taiwan, March 2008.

FInCo 2007. Workshop on the Foundations of Interactive Computation. (Satellite event of ETAPS 2007). Braga, Portugal, March - April, 2007.

Frank D. Valencia and Carlos Olarte are the organizers of the Comète-Parsifal Seminar. This seminar takes place weekly at LIX, and it is meant as a forum where the members of Comète and Parsifal present their current work and exchange ideas. See
http://

Catuscia Palamidessi has served as a member of the committee for the evaluation of the candidates to the INRIA Futurs positions of CR2 in the 2007 competition.

Catuscia Palamidessi is a member of the INRIA GTRI (Group de Travail Relations Internationales) from November 2007 till October 2009.

Catuscia Palamidessi is a member of the Comité de These for Mathematics and Computer Science at the École Polytechnique. From October 2007.

Catuscia Palamidessi and Frank Valencia are teaching (together with Francesco Zappa Nardelli and Roberto Amadio) the course “Concurrence” at the “Master Parisien de Recherche en Informatique” (MPRI) in Paris. Winter semester 2007-08.

Frank D. Valencia has been a lecturer on "Concurrency Theory" at Universidad Javeriana de Cali. July 2007.

Catuscia Palamidessi has supervised the following PhD students during 2007:

Kostas Chatzikokolakis. Allocataire École Polytechnique - Ministère.

Romain Beauxis. Allocataire Region Ile de France.

Christelle Braun. Allocataire École Polytechnique - Ministère.

Sylvain Pradalier. Allocataire ENS Cachan. Co-supervised by Cosimo Laneve, University of Bologna, Italy.

Catuscia Palamidessi and Frank Valencia have co-supervised the following PhD students

Carlos Olarte. Allocataire INRIA/CORDIS.

Jesus Aranda. Co-supervised by Juan Francisco Diaz, Universidad del Valle, Colombia.

Catuscia Palamidessi has been “rapporteur” at the following PhD thesis defenses during 2007:

Florent Garnier (Loria). PhD thesis on
*Terminaison en temps moyen fini de systèmes de règles probabilistes*. Defended on 17 September, 2007. Advised by Claude Kirchner.

Rémy Haemmerlé (INRIA Rocquencourt). PhD thesis on
*Fermetures et Modules dans les langages concurrents avec contraintes fondés sur la logique linéaire*. Defended in December 2007. Advised by François Fages.