Joint team with LIX (Laboratoire d'Informatique de l'École Polytechnique) and CNRS.

Our times are characterized by the massive presence of highly distributed and mobile systems consisting of diverse and specialized devices, forming heterogeneous networks, and providing different services and applications. The resulting computational systems are usually referred to as *Ubiquitous Computing* (see, e.g., the UK Grand Challenge initiative under the name *Sciences for Global Ubiquitous Computing*). *Security* is one of the fundamental concerns that arise in this setting. The problem of *privacy*, in particular, is exacerbated by orders of magnitude: the frequent interaction between users and electronic devices, and the continuous connection between these devices and the internet, offer malicious agents the opportunity to gather and store huge amounts of information, often without the individual even being aware of it. Mobility is also an additional source of vulnerability, since tracing may reveal significant information. To avoid these hazards, honest agents should use special protocols, called *security protocols*.

These systems are usually very complex and based on impressive engineering technologies, but they do not always exhibit a satisfactory level of robustness and reliability. The same holds for protocols: they usually look simple, but the properties that they are supposed to ensure are extremely subtle, and it is also difficult to capture the capabilities of the attacker. As a consequence, even protocols that seem at first “obviously correct” are later (often years later) found to be prone to attacks.

In order to overcome these drawbacks, computer scientists need to develop formalisms, reasoning techniques, and tools, to specify systems and protocols, their intended properties, and to guarantee that these intended properties are indeed satisfied. The challenges that we envisage are (a) to find suitably expressive formalisms which capture essential new features such as mobility, probabilistic behavior, presence of uncertain information, and potentially hostile environment, (b) to build suitably representative models in which to interpret these formalisms, and (c) to design efficient tools to perform the verification in presence of these new features.

Konstantinos Chatzikokolakis, a former PhD student of Comète who defended his thesis on the 26th of October 2007, has won one of the two second prizes Specif / Gilles Kahn for the best PhD thesis in France in Computer Science for the year 2008 (
http://

Catuscia Palamidessi and Frank Valencia have been invited to serve as PC chairs of the 2009 edition of the conference SOFSEM (Current Trends in Theory and Practice of
Computer Science,
http://

Catuscia Palamidessi has been invited to serve as PC chair of the 2009 edition of the conference MFPS (Mathematical Foundations of Programming Semantics XXV,
http://

The need to deal with probabilities can arise for various reasons:

First, algorithms for distributed systems and security protocols often use randomization.

Second, the modeling of the physical world frequently requires coping with uncertain and approximate information (for example, the number of the requests that are received by a web server during various times of the day), which one can refine by statistical measurements, and which can then be naturally represented using a probabilistic formalism.

Third, reality can sometimes be too complicated to be represented and analyzed in detail; probabilistic models offer then a convenient abstraction mechanism.

We intend to study models and languages for concurrent, probabilistic and mobile systems, with a particular attention to expressiveness issues. We aim at developing criteria to assess the expressive power of a model or formalism in a distributed setting, to compare existing models and formalisms, and to define new ones according to an intended level of expressiveness, taking also into account the issue of (efficient) implementability.

We will focus our efforts on a probabilistic variant of the asynchronous π-calculus, that is a formalism designed for mobile and distributed computation. A characteristic of our calculus is the presence of both probabilistic and nondeterministic aspects. This combination is essential to represent probabilistic algorithms and protocols and express their properties in presence of unpredictable (nondeterministic) users and adversaries.

The aim of our research is the specification and verification of protocols used in mobile distributed systems, in particular security protocols. We are especially interested in protocols for *privacy*, because they exhibit features that require the kind of concepts and approach in which we feel most competent. It is likely, however, that the instruments and tools developed with privacy in mind can later be useful and adaptable also to other domains of security, like *Secure Information flow*. Privacy is a generic term which denotes the issue of preventing certain information from becoming known to an agent, except in case that agent is explicitly allowed to be informed. It may refer to the protection of *private data* (credit card number, personal info etc.), of the agent's identity (*anonymity*), of the link between information and user (*unlinkability*), of its activities (*unobservability*), and of its *mobility* (*untraceability*).

The common denominator of this class of problems is that an adversary can try to infer the private information (*secrets*) from the information that he can access (*observables*). The purpose of privacy protocols is then to obfuscate the link between secrets and observables as much as possible, and they often use randomization to achieve this purpose, i.e. to introduce *noise*. The protocol can therefore be seen as a *noisy channel*, in the Information-Theoretic sense, between the secrets and the observables.

We intend to explore the rich set of concepts and techniques in the fields of Information Theory and Hypothesis Testing to establish the foundations of privacy, and to develop heuristics and methods to improve protocols for privacy. Our approach will be based on the specification of protocols in the probabilistic asynchronous π-calculus, and the application of model-checking to compute the matrices associated to the corresponding channels.

We plan to develop model-checking techniques and tools for verifying properties of systems and protocols specified in the above formalisms. Model checking addresses the problem of establishing whether the model (for instance, a finite-state machine) of a certain specification satisfies a certain logical formula. We intend to concentrate our efforts on aspects that are fundamental for the verification of security protocols, and that are not properly considered in existing tools. These are (a) the combination of probability and mobility, which is not provided by any of the current model checkers, (b) the interplay between nondeterminism and probability, which in security presents subtleties that cannot be handled with the traditional notion of scheduler, (c) the development of a logic for expressing security (in particular privacy) properties. We should capture both probabilistic and epistemological aspects, the latter being necessary for treating the knowledge of the adversary. Logics of this kind have already been developed, but the investigation of the relation with the models coming from process calculi, and their utilization in model checking, is still in its infancy.

In collaboration with Dave Parker and Marta Kwiatkowska, we are developing a model checker for the probabilistic asynchronous π-calculus. Case studies with Fair Exchange and MUTE, an anonymous peer-to-peer file sharing system, are in progress.

Technically we use MMC as a compiler to encode the probabilistic π-calculus into a certain PRISM representation, which will then be verified against PCTL using PRISM. The transitional semantics defined in MMC can be reused to derive the symbolic transition graphs of a probabilistic process. The code for derivation will work as an add-on to MMC under XSB and invoke a graph traversal to enumerate all reachable nodes and transitions of the probabilistic process.

In the meantime we are also attempting a direct and more flexible approach to the development of a model checker for the probabilistic π-calculus, using OCaml. This should allow us to extend the language more easily, to include cryptographic primitives and other features useful for the specification of security protocols. As the result of our preliminary steps in this direction we have developed a rudimentary model checker, available at the following URL:
http://

This software generates PRISM models for the Dining Cryptographers and Crowds protocols. It can also use PRISM to calculate the capacity of the corresponding channels. More information can be found in and in the README file with instructions at the URL
http://

The software can be downloaded at
http://

The corner points can be used to compute the maximum probability of error and to improve the Hellman-Raviv and Santhi-Vardy bounds. More information can be found in and in the README file with instructions at the URL
http://

The software can be downloaded at
http://

Busi et al. showed that CCS_{!} (CCS with replication instead of recursion) is Turing powerful by providing an encoding of Random Access Machines (RAMs) which preserves and reflects *convergence* (i.e., the existence of terminating computations). The encoding uses an unbounded number of restrictions arising from having restriction operators under the scope of replication. On the other hand, in they had shown that there is no encoding of RAMs into CCS_{!} which preserves and reflects divergence.

In we have defined fair computations in the π-calculus. We have followed Costa and Stirling's approach for CCS-like languages, but exploited a more natural labeling method of process actions to filter out unfair process executions. The new labeling allowed us to prove all the significant properties of the original one, such as unicity, persistence and disappearance of labels. It also turned out that the labeled π-calculus is a conservative extension of the standard one. We contrasted the existing fair testing notions, with those that naturally arise by imposing weak and strong fairness. This comparison provides the expressiveness of the various fair testing-based semantics and emphasizes the discriminating power of the one already proposed in the literature.

Information hiding refers to the problem of protecting private information while performing certain tasks or interactions, and trying to avoid that an adversary can infer such information. Particular cases of this property are anonymity and privacy.

The systems for information hiding often use random mechanisms to obfuscate the link between the observables and the information to be protected. The random mechanisms can be described probabilistically, while the value of the secret may be totally unpredictable, irregular, and hence expressible only nondeterministically. Nondeterminism can also be present due to the interaction of the various components of the system.

It has been observed recently that in security the combination of nondeterminism and probability can be harmful, in the sense that the resolution of the nondeterminism can reveal the outcome of the probabilistic choices even though they are supposed to be secret. This is known as the problem of the *information-leaking scheduler*. In we have developed a linguistic (process-calculus) approach to this problem, and we have shown how to apply it to control the behavior of the scheduler in various anonymity examples.

In , we have proposed a framework in which anonymity protocols are interpreted as particular kinds of channels, and the degree of anonymity provided by the protocol as the converse of the channel's capacity. We have then illustrated how various notions of anonymity can be expressed in this framework, and showed the relation with some definitions of probabilistic anonymity in literature. Finally, we have discussed how to compute the channel matrix on the basis of the transition system associated to the protocol, and how to perform the computation automatically using a model-checker like PRISM.

The degree of protection provided by a protocol can be expressed in terms of the probability of error associated to the inference of the secret information. In we have investigated how the adversary can test the system to try to infer the user's identity, and we have studied how the probability of error depends on the characteristics of the channel. In particular we have considered the Bayes approach, and we have been able to characterize the associated probability of error (Bayes risk) in terms of the solution of certain systems of equations derived from the channel. This has allowed us to compute tight bounds for the Bayes risk, thus improving long-standing results in literature.
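The channel view and the Bayes risk described in the two paragraphs above can be made concrete with a small added example (not the team's software and not a PRISM model). It assumes a three-cryptographer Dining Cryptographers ring, builds the channel matrix by enumerating coin outcomes, and uses the Blahut-Arimoto iteration for the capacity; the coin bias 0.7 is a constructed value.

```python
# Added illustration, not the team's software: a Dining Cryptographers ring
# viewed as a channel from secrets (who paid) to observables (announcements).
import itertools
import math


def dc_channel(n=3, p_heads=0.5):
    """Return (observables, matrix), matrix[s][o] = P(announcements o | payer s).

    Assumed model: cryptographer i announces coin[i] XOR coin[i+1 mod n],
    flipped if i is the payer; coins are independent with P(1) = p_heads.
    """
    # With exactly one payer, the XOR of all announcements is always 1.
    observables = [o for o in itertools.product((0, 1), repeat=n) if sum(o) % 2]
    index = {o: j for j, o in enumerate(observables)}
    matrix = [[0.0] * len(observables) for _ in range(n)]
    for payer in range(n):
        for coins in itertools.product((0, 1), repeat=n):
            prob = math.prod(p_heads if c else 1.0 - p_heads for c in coins)
            announce = tuple(
                coins[i] ^ coins[(i + 1) % n] ^ int(i == payer) for i in range(n)
            )
            matrix[payer][index[announce]] += prob
    return observables, matrix


def capacity_bits(matrix, max_iter=10_000, tol=1e-12):
    """Channel capacity in bits via the Blahut-Arimoto iteration."""
    n, m = len(matrix), len(matrix[0])
    prior = [1.0 / n] * n
    lower = 0.0
    for _ in range(max_iter):
        out = [sum(prior[s] * matrix[s][o] for s in range(n)) for o in range(m)]
        # gain[s] = exp(KL divergence between row s and the output distribution)
        gain = [
            math.exp(sum(matrix[s][o] * math.log(matrix[s][o] / out[o])
                         for o in range(m) if matrix[s][o] > 0.0))
            for s in range(n)
        ]
        norm = sum(prior[s] * gain[s] for s in range(n))
        lower, upper = math.log2(norm), math.log2(max(gain))
        prior = [prior[s] * gain[s] / norm for s in range(n)]
        if upper - lower < tol:
            break
    return max(lower, 0.0)


def bayes_risk(prior, matrix):
    """Probability of error of an adversary using the MAP (Bayes) rule."""
    m = len(matrix[0])
    return 1.0 - sum(
        max(prior[s] * matrix[s][o] for s in range(len(prior))) for o in range(m)
    )


if __name__ == "__main__":
    uniform = [1 / 3] * 3
    for bias in (0.5, 0.7):  # 0.7 is a constructed "bad coins" value
        _, chan = dc_channel(3, bias)
        print(f"p_heads={bias}: capacity={capacity_bits(chan):.4f} bits, "
              f"Bayes risk={bayes_risk(uniform, chan):.4f}")
```

With fair coins all rows of the matrix coincide, so the capacity is zero and the adversary can do no better than guess from the prior; with biased coins the rows separate, the capacity becomes positive and the Bayes risk drops.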

In information hiding, an adversary that tries to infer the secret information has a higher probability of success if it knows the distribution on the secrets. In we have shown that if the system leaks probabilistically some information about the secrets (that is, if there is a probabilistic correlation between the secrets and some observables), then the adversary can approximate such distribution by repeating the observations. More precisely, it can approximate the distribution on the observables by computing their frequencies, and then derive the distribution on the secrets by using the correlation in the inverse direction. We have illustrated this method, and then we have studied the bounds on the approximation error associated with it, for various natural notions of error. As a case study, we have applied our results to Crowds, a protocol for anonymous communication.

In order to obtain a language suitable for the specification and verification of a large class of security protocols, we aim at enriching the probabilistic π-calculus with value passing, encryption and decryption, other primitive functions, and data types, along the lines of the *applied π-calculus*.

Concurrent constraint programming (`ccp`, ) is a model of computation based on the notion of store as the information available for the process. Each process has access to a global store, with respect to which it tests and adds constraints. During the execution, the store can only increase. A domain-theoretic denotational semantics has been defined in , that maps a process to the supremum store that it can reach. It is then possible to compute this supremum store by a fixed point construction, based on the grammar of the process.

In we have proposed an extension of concurrent constraint programming with probabilistic executions. We were interested in extending the original operational and denotational semantics so as to bridge the gap between the original closure operator semantics and the vector space approach as defined in . The main challenge was to give a mathematical framework for defining a maximal probabilistic execution. Indeed, for a (possibly infinite) sequence of probabilistic execution states which are probability measures on the atomic states of the process, it is not guaranteed that a limit state can be defined, or that this limit will enjoy the same properties as the finite probabilistic states do. We have addressed this issue by using a topological notion of probability measures, namely the (simple) valuations, and by defining a mathematical space for which we prove that this limit exists and enjoys the expected properties. Using this result, a denotational semantics has been defined for this language that is the lifted denotational semantics of the original concurrent constraint programming, dealing with vector spaces and linear closure operators instead of sets of constraints and closure operators.

More precisely, we have shown that in contrast to `tcc`, `utcc` is Turing-powerful by encoding Minsky machines. The encoding proposed makes use of a monadic constraint system allowing us to prove a new result for a fragment of FLTL: the undecidability of the validity problem for monadic FLTL without equality and function symbols. This result justifies the restriction imposed in previous decidability results on the quantification of flexible variables. We have also shown that, as in `tcc`, `utcc` processes can be semantically represented as partial closure operators. The representation has been proved to be fully abstract wrt the input-output behavior of processes for a meaningful fragment of the `utcc`. This has shown that mobility can be captured as closure operators over an underlying constraint system. As an application of the semantic study of `utcc`, we have identified a language for security protocols that can be represented as closure operators over a cryptographic constraint system.

Model checking is the main tool that we aim at developing for the verification of security protocols.

In , in collaboration with the PRISM team at Oxford, we have established the basis for an implementation of model checking for the probabilistic π-calculus. Building upon the (non-probabilistic) π-calculus model checker MMC, we have developed an automated procedure for constructing a Markov decision process representing a probabilistic π-calculus process. This representation can then be verified using existing probabilistic model checkers such as PRISM. Secondly, we have demonstrated how for a large class of systems an efficient, compositional approach can be applied, which uses our extension of MMC on each parallel component of the system and then translates the results into a higher-level model description for the PRISM tool.

This project is financed by the DGA, for the years 2007 and 2008. The teams involved are:

Hipercom. Responsible: Philippe Jacquet

Comète. Responsible: C. Palamidessi

Algorithmes et Optimisation. Responsible: Philippe Baptiste

MAX. Responsible: Michel Fliess. 2007-2008.

The project has started in December 2005 and includes the following sites:

INRIA Futurs. Responsible: C. Palamidessi

McGill University, Canada. Responsible: P. Panangaden

PRINTEMPS focuses on the applications of Information Theory to security. We are particularly interested in studying the interactions between Concurrency and Information Theory.

Home page:
http://

Some publications representative of this collaboration are , .

The project has started in January 2006 and includes the following sites:

Pontificia Universidad Javeriana, Colombia. Responsible: C. Rueda

INRIA Futurs. Responsible: F. Valencia

IRCAM, France.

Home page:
http://

Some publications representative of this collaboration are and .

. The project has started in January 2007 and will end in December 2008. It involves the following sites:

Imperial College, UK. Responsible I. Phillips

INRIA Futurs. Responsible: C. Palamidessi

Technische Universität Berlin, Germany. Responsible: U. Nestmann.

A publication representative of this collaboration is .

Note: In this section we include only the activities of the permanent internal members of Comète.

Catuscia Palamidessi is member of the Editorial Board of the journal on Mathematical Structures in Computer Science, published by the Cambridge University Press.

Catuscia Palamidessi is member of the Editorial Board of the journal on Theory and Practice of Logic Programming, published by the Cambridge University Press.

Catuscia Palamidessi is member of the Editorial Board of the Electronic Notes of Theoretical Computer Science, Elsevier Science.

Frank D. Valencia is area editor (for the area of Concurrency) of the ALP Newsletter.

Catuscia Palamidessi is member of:

The IFIP Technical Committee 1 – Foundations of Computer Science. Since 2007

The Council of EATCS, the European Association for Theoretical Computer Science. Since 2005

The IFIP Working Group 2.2 – Formal Description of Programming Concepts. Since 2001

Catuscia Palamidessi has given invited talks at the following conferences and workshops:

Workshop in occasion of the opening of the MT-Lab in Copenhagen, 19-20 Oct 2008.

Workshop on Informatic Phenomena. New Orleans, 13-17 Oct 2008.
http://

Workshop on Logic And Information Security. Leiden, 22-26 Sept 2008.
http://

SecCo 2008: 6th International Workshop on Security Issues in Concurrency. Toronto, 23 August 2008.
http://

ICE'08: Synchronous and Asynchronous Interactions in Concurrent Distributed Systems. ICALP 2008 affiliated workshop - Reykjavik, 6 July 2008.
http://

1st Canada-France MITACS Workshop on Foundations & Practice of Security. Montreal, 31 May - June 2, 2008.
http://

Catuscia Palamidessi and Frank Valencia have been invited to serve as PC chairs of the 2009 edition of the International conference on Current Trends in Theory and
Practice of Computer Science (SOFSEM),
http://

Catuscia Palamidessi has been invited to serve as PC chair of the 2009 edition of the conference on Mathematical Foundations of Programming Semantics (MFPS XXV),
http://

Catuscia Palamidessi has been/is a member of the program committees of the following conferences:

CONCUR 2009. 20th International Conference on Concurrency Theory. Bologna, Italy, September 2009.

FOSSACS 2009. 12th International Conference on Foundations of Software Science and Computation Structures. (Part of ETAPS 2009.) York, UK, March 2009.

QEST'08. International Conference on Quantitative Evaluation of SysTems. Saint Malo, France, September 2008.

CONCUR 2008. 19th International Conference on Concurrency Theory. Toronto, Canada, August 2008.

CiE 2008: Logic and Theory of Algorithms. Athens, Greece. June 2008.

FICS 2008. Foundations of Informatics, Computing and Software. Shanghai, China, June 2008.

LICS 2008. 23rd Symposium on Logic in Computer Science. Pittsburgh, USA. June 2008.

MFPS XXIV. Twenty-fourth Conference on the Mathematical Foundations of Programming Semantics. University of Pennsylvania, Philadelphia, USA, May 2008.

ESOP 2008. 17th European Symposium on Programming. (Part of ETAPS 2008.) Budapest, Hungary, March - April 2008.

VMCAI 2008. 9th International Conference on Verification, Model Checking, and Abstract Interpretation. San Francisco, USA. January 2008.

Catuscia Palamidessi has been/is a member of the program committees of the following workshops:

FMWS 2008. Formal Methods for Wireless Systems. CONCUR 2008 affiliated workshop. Toronto, Canada. August 2008.

SOS 2008. Structural operational semantics. ICALP 2008 affiliated workshop - Reykjavik, Iceland. July 2008.

TFIT 2008. The Fourth Taiwanese-French Conference on Information Technology. Taipei, Taiwan, March 2008.

Frank D. Valencia has been/is a member of the program committees of the following conferences and workshops:

ICLP 2009. 25th International Conference on Logic Programming. Pasadena, USA, July 2009.

ICLP 2008. 24th International Conference on Logic Programming. Udine, Italy, December 2008.

EXPRESS'08. 15th International Workshop on Expressiveness in Concurrency. CONCUR 2008 affiliated workshop. Toronto, Canada. August 2008.

Carlos A. Olarte has been/is a member of the program committees of the following conferences:

SAC 2009. 24th Annual ACM Symposium on Applied Computing. Track on Constraint Satisfaction and Programming. Honolulu, USA, March 2009.

SAC 2008. 23rd Annual ACM Symposium on Applied Computing. Track on Constraint Satisfaction and Programming. Fortaleza, Brazil, March 2008.

Frank D. Valencia and Carlos Olarte are the organizers of the Comète-Parsifal Seminar. This seminar takes place weekly at LIX, and it is meant as a forum where the members of Comète and Parsifal present their current work and exchange ideas. See
http://

Catuscia Palamidessi has served as:

Member of the Commission Scientifique Disciplinaire pour les Programmes Non Thématiques et Jeunes Chercheurs de l'ANR, 2008.

Member of the Commission Scientifique du Centre de Recherche INRIA Saclay, since February 2008.

Reviewer for the projects proposal for the program PRIN, sponsored by the Italian MIUR (“Ministero dell'Istruzione, dell'Università e della Ricerca”).

Member of the panel to evaluate project proposals for the 2008 programme “Information and Communication Technology - ICT”, sponsored by the Vienna Science and Technology Fund WWTF.

Member of the INRIA GTRI (Groupe de Travail Relations Internationales) from November 2007 till October 2009.

Member of the Comité de Thèse for Mathematics and Computer Science at the École Polytechnique. Since October 2007.

Frank Valencia is teaching (together with Francesco Zappa Nardelli and Roberto Amadio) the course “Concurrence” at the “Master Parisien de Recherche en Informatique” (MPRI) in Paris. Winter semester 2008-09.

Frank D. Valencia has been a lecturer on "Concurrency Theory" at Universidad Javeriana de Cali. July 2008.

Catuscia Palamidessi has supervised the following PhD students:

Romain Beauxis. Allocataire Region Ile de France.

Christelle Braun. Allocataire École Polytechnique - Ministère.

Mario Sergio Ferreira Alvim Junior. Allocataire CNRS/DGA.

Sylvain Pradalier. Allocataire ENS Cachan. Co-supervised by Cosimo Laneve, University of Bologna, Italy.

Catuscia Palamidessi and Frank Valencia have co-supervised the following PhD students:

Carlos Olarte. Allocataire INRIA/CORDIS.

Jesus Aranda. Co-supervised by Juan Francisco Diaz, Universidad del Valle, Colombia.

The team Comète has supervised the following internship students during 2008:

Abhishek Bhowmick. Junior, Bachelor of Technology, Computer Science and Engineering, IIT Kanpur. May-July 2008.

Catuscia Palamidessi has been “rapporteur” for the thesis, and member of the jury at the thesis defense, of the following PhD students:

Han Chen (Queen Mary, University of London, UK). PhD thesis on *Information-Theoretic Approaches to Non-Interference*. Defended on December 17, 2008. Advised by Pasquale Malacaria.

Augusto Parma (Università di Verona, Italy). PhD thesis on *Axiomatic and Logical Characterizations of Probabilistic Preorders and Trace Semantics*. Defended on May 8, 2008. Advised by Roberto Segala.

Sardaouna Hamadou (École Polytechnique of Montreal, Canada). PhD thesis on *Analyse formelle des protocoles cryptographiques et flux d'information admissible*. Defended on March 26, 2008. Advised by John Mullins and Srecko Brlek.