2025Activity reportProject-Team​‌COMETE

3.1.1 Three way​​​‌ optimization between privacy and‌ utility

One of the‌​‌ main problems in the​​ design of privacy mechanisms​​​‌ is the preservation of‌ the utility. In the‌​‌ case of local privacy,​​ namely when the data​​​‌ are sanitized by the‌ user before they are‌​‌ collected, the notion of​​ utility is twofold:

• Utility​​​‌ as quality of service‌ (QoS):
  The user usually‌​‌ gives his data in​​ exchange of some service,​​​‌ and in general the‌ quality of the service‌​‌ depends on the precision​​ of such data. For​​​‌ instance, consider a scenario‌ in which Alice wants‌​‌ to use a LBS​​​‌ (Location-Based Service) to find​ some restaurant near her​‌ location $x$. The​​ LBS needs of course​​​‌ to know Alice's location,​ at least approximately, in​‌ order to provide the​​ service. If Alice is​​​‌ worried about her privacy,​ she may send to​‌ the LBS an approximate​​ location $y$ instead of​​​‌ $x$. Clearly, the​ LBS will send a​‌ list of restaurants near​​ $x$, so if​​​‌ $y$ is too far​ from $x$ the service​‌ will degrade, while if​​ it is too close​​​‌ Alice's privacy would be​ at stake.
• Utility as​‌ statistical quality of the​​ data (Stat):
  Bob, the​​​‌ service provider, is motivated​ to offer his service​‌ because in this way​​ he can collect Alice's​​​‌ data, and quality data​ are very valuable for​‌ the big-data industry. We​​ will consider in particular​​​‌ the use of the​ data collections for statistical​‌ purposes, namely for extracting​​ general information about the​​​‌ population (and not about​ Alice as an individual).​‌ Of course, the more​​ Alice's data are obfuscated,​​​‌ the less statistical value​ they have.

We intend​‌ to consider both kinds​​ of utility, and study​​​‌ the “three way” optimization​ problem in the context​‌ of $d$-privacy, our​​ approach to local differential​​​‌ privacy 34. Namely,​ we want to develop​‌ methods for producing mechanisms​​ that offer the best​​​‌ trade-off between $d$-privacy,​ QoS and Stat, at​‌ the same time. In​​ order to achieve this​​​‌ goal, we will need​ to investigate various issues.​‌ In particular:

• how to​​ best estimate the original​​​‌ distribution from a collection​ of noisy data, in​‌ order to perform the​​ intended statistical analysis,
• what​​​‌ metrics to use for​ assessing the statistical value​‌ of a distributions (for​​ a given application), in​​​‌ order to reason about​ Stat, and
• how to​‌ compute in an efficient​​ way the best noise​​​‌ from the point of​ view of the trade-off​‌ between $d$-privacy, QoS​​ and Stat.

Estimation of​​​‌ the original distribution

The​ only methods for the​‌ estimation of the original​​ distribution from perturbed data​​​‌ that have been proposed​ so far in the​‌ literature are the iterative​​ Bayesian update (IBU) and​​​‌ the matrix inversion (INV).​ The IBU is more​‌ general and based on​​ solid statistical principles, but​​​‌ it is not ye​ well known in the​‌ in the privacy community,​​ and it has not​​​‌ been studied much in​ this context. We are​‌ motivated to investigate this​​ method because from preliminary​​​‌ experiments it seems more​ efficient on date obfuscated​‌ by geo-indistinguishability mechanisms (cfr.​​ next section). Furthermore, we​​​‌ believe that the IBU​ is compositional, namely it​‌ can deal naturally and​​ efficiently with the combination​​​‌ of data generated by​ different noisy functions, which​‌ is important since in​​ the local model of​​​‌ privacy every user can,​ in principle, use a​‌ different mechanisms or a​​ different level of noise.​​​‌ We intend to establish​ the foundations of the​‌ IBU in the context​​ of privacy, and study​​​‌ its properties like the​ compositionality mentioned above, and​‌ investigate its performance in​​ the state-of-the-art locally differentially​​ private mechanisms.

The central​​​‌ and the local models‌ of differential privacy

Hybrid‌ model

An interesting line‌​‌ of research will be​​ to consider an intermediate​​​‌ model between the local‌ and the central models‌​‌ of differential privacy (cfr.​​ Figure 1). The​​​‌ idea is to define‌ a privacy mechanism based‌​‌ on perturbing the data​​ locally, and then collecting​​​‌ them into a dataset‌ organized as an histogram.‌​‌ We call this model​​ “hibrid” because the collector​​​‌ is trusted like in‌ central differential privacy, but‌​‌ the data are sanitized​​ according to the local​​​‌ model. The resulting dataset‌ would satisfy differential privacy‌​‌ from the point of​​ view of an external​​​‌ observer, while the statistical‌ utility would be as‌​‌ high as in the​​ local model. One further​​​‌ advantage is that the‌ IBU is compositional, hence‌​‌ the datasets sanitized in​​ this way could be​​​‌ combined without any loss‌ of precision in the‌​‌ application of the IBU.​​ In other words, the​​​‌ statistical utility of the‌ union of sanitized datasets‌​‌ is the same as​​ the statistical utility of​​​‌ the sanitized union of‌ datasets, which is of‌​‌ course an improvement (for​​ the law of large​​​‌ numbers) wrt each separate‌ dataset. One important application‌​‌ would be the cooperative​​ sharing of sanitized data​​​‌ owned by different different‌ companies or institution, to‌​‌ the purpose of improving​​ statistical utility while preserving​​​‌ the privacy of their‌ respective datasets.

Geo-indistinguishability: a‌​‌ framework to protect the​​ privacy of the user​​​‌ when dealing with location-based‌ services (a). The framework‌​‌ guarrantees $d$-privacy, a​​ distance-based variant of differential​​​‌ privacy (b). The typical‌ implementation uses (extended) Laplace‌​‌ noise (c).

3.1.2 Geo-indistinguishability‌

We plan to further‌​‌ develop our line of​​ research on location privacy,​​​‌ and in particular, enhance‌ our framework of geo-indistinguishability‌​‌ 3 (cfr. Figure 2​​) with mechanisms that​​​‌ allow to take into‌ account sanitize high-dimensional traces‌​‌ without destroying utility (or​​ privacy). One problem with​​​‌ the geo-indistinguishable mechanisms developed‌ so far (the planar‌​‌ Laplace an the planar​​ geometric) is that they​​​‌ add the same noise‌ function uniformly on the‌​‌ map. This is sometimes​​ undesirable: for instance, a​​​‌ user located in a‌ small island in the‌​‌ middle of a lake​​ should generate much more​​​‌ noise to conceal his‌ location, so to report‌​‌ also other locations on​​ the ground, because the​​​‌ adversary knows that it‌ is unlikely that the‌​‌ user is in the​​ water. Furthermore, for the​​​‌ same reason, it does‌ not offer a good‌​‌ protection with respect to​​ re-identification attacks: a user​​​‌ who lives in an‌ isolated place, for instance,‌​‌ can be easily singled​​ out because he reports​​​‌ locations far away from‌ all others. Finally, and‌​‌ this is a common​​​‌ problem with all methods​ based on DP, the​‌ repeated use of the​​ mechanism degrades the privacy,​​​‌ and even when the​ degradation is linear, as​‌ in the case of​​ all DP-based methods, it​​​‌ becomes quickly unacceptable when​ dealing with highly structured​‌ data such as spatio-temporal​​ traces.

Privacy breach in​​​‌ machine learning as a​ service.

3.1.3 Threats for privacy​ in machine learning

In​‌ recent years several researchers​​ have observed that machine​​​‌ learning models leak information​ about the training data.​‌ In particular, in certain​​ cases an attacker can​​​‌ infer with relatively high​ probability whether a certain​‌ individual participated in the​​ dataset (membership inference​​​‌ attack) od the​ value of his data​‌ (model inversion attack​​). This can happen​​​‌ even if the attacker​ has nop access to​‌ the internals of the​​ model, i.e., under the​​​‌ black box assumption,​ which is the typical​‌ scenario when machine learning​​ is used as a​​​‌ service (cfr. Figure 3​). We plan to​‌ develop methods to reason​​ about the information-leakage of​​​‌ training data from deep​ learning systems, by identifying​‌ appropriate measures of leakage​​ and their properties, and​​​‌ use this theoretical framework​ as a basis for​‌ the analysis of attacks​​ and for the development​​​‌ of robust mitigation techniques.​ More specifically, we aim​‌ at:

• Developing compelling case​​ studies based on state-of-the-art​​​‌ algorithms to perform attacks,​ showcasing the feasibility of​‌ uncovering specified sensitive information​​ from a trained software​​​‌ (model) on real data.​
• Quantifying information leakage. Based​‌ on the uncovered attacks,​​ the amount of sensitive​​​‌ information present in trained​ software will be quantified​‌ and measured. We will​​ study suitable notions of​​​‌ leakage, possibly based on​ information-theoretical concepts, and establish​‌ firm foundations for these.​​
• Mitigating information leakage. Strategies​​​‌ will be explored to​ avoid the uncovered attacks​‌ and minimize the potential​​ information leakage of a​​​‌ trained model.

3.1.4 Relation​ between privacy and robustness​‌ in machine learning

The​​ relation between privacy and​​​‌ robustness, namely resilience to​ adversarial attacks, is rather​‌ complicated. Indeed the literature​​ on the topic seems​​​‌ contradictory: on the one​ hand, there are works​‌ that show that differential​​ privacy can help to​​​‌ mitigate both the risk​ of inference attacks and​‌ of misclassification (cfr. 39​​). On the other​​​‌ hand, there are studies​ that show that there​‌ is a trade-off between​​ protection from inference attacks​​​‌ and robustness 41.​ We intend to shed​‌ light on this confusing​​ situation. We believe that​​​‌ the different variations of​ differential privacy play a​‌ role in this apparent​​ contradiction. In particular, preprocessing​​​‌ the training data with​ $d$-privacy seems to​‌ go along with the​​ concept of robustness, because​​​‌ it guarantees that small​ variations in the input​‌ cannot result in large​​ variations in the output,​​​‌ which is exactly the​ principle of robustness. On​‌ the other hand, the​​ addition of random noise​​​‌ on the output result​ (postprocessing), which​‌ is the typical method​​ in central DP, should​​ reduce the precision and​​​‌ therefore increase the possibility‌ of misclassification. We intend‌​‌ to make a taxonomy​​ of the differential privacy​​​‌ variants, in relation to‌ their effect on robustness,‌​‌ and develop a principled​​ approach to protect both​​​‌ privacy and security in‌ an optimal way.

One‌​‌ promising research direction for​​ the deployment of $\mathrm{d‌}$-privacy in this context‌ is to consider Bayesian‌​‌ neural networks (BNNs). These​​ are neural networks with​​​‌ distributions over their weights,‌ which can capture the‌​‌ uncertainty within the learning​​ model, and which provide​​​‌ a natural notion of‌ distance (between distributions) on‌​‌ which we can define​​ a meaningful notion of​​​‌ $d$-privacy. Such neural‌ networks allow to compute‌​‌ an uncertainty estimate along​​ with the output, which​​​‌ is important for safety-critical‌ applications.

3.1.5 Relation between‌​‌ privacy and fairness

Both​​ fairness and privacy are​​​‌ multi-faces notions, assuming different‌ meaning depending on the‌​‌ application domain, on the​​ situation, and on what​​​‌ exactly we want to‌ protect. Fairness, in particular,‌​‌ has received many different​​ definitions, some even in​​​‌ contrast with each other.‌ One of the definitions‌​‌ of fairness is the​​ property that similar “similar”​​​‌ input data produce "similar"‌ outputs. Such notion corresponds‌​‌ closely to $d$-privacy.​​ Other notions of fairness,​​​‌ however, are in opposition‌ to standard differential privacy.‌​‌ This is the case,​​ notably, of Equalized Odds​​​‌36 and of Equality‌ of False Positives and‌​‌ Equality of False Negatives​​35. We intend​​​‌ to study a tassonomy‌ of the relation between‌​‌ the main notions of​​ fairness an the various​​​‌ variants of differential privacy.‌ In particular, we intend‌​‌ to study the relation​​ between the recently-introduced notions​​​‌ of causal fairness and‌ causal differential privacy 42‌​‌.

Another line of​​ research related to privacy​​​‌ and fairness, that we‌ intend to explore, is‌​‌ the design of to​​ pre-process the training set​​​‌ so to obtain machine‌ learning models that are‌​‌ both privacy-friendly and fair.​​

3.2.1 Non-0-sum games

The‌ framework of $g$-leakage‌​‌ does not take into​​ account two important factors:​​​‌ (a) the loss of‌ the user, and (b)‌​‌ the cost of the​​ attack for the adversary.​​​‌ Regarding (a), we observe‌ that in general the‌​‌ goal of the adversary​​ may not necessarily coincide​​​‌ with causing maximal damage‌ to the user, i.e.,‌​‌ there may be a​​ mismatch between the aims​​​‌ of the attacker and‌ what the user tries‌​‌ to protect the most.​​ To model this more​​​‌ general scenario, we had‌ started investigating the interplay‌​‌ between defender and attacker​​ in a game-theoretic setting,​​​‌ starting with the simple‌ case of 0-sum games‌​‌ which corresponds to $\mathrm{g}$-leakage. The idea was​​​‌ that, once the simple‌ 0-sum case would be‌​‌ well understood, we would​​ extend the study to​​​‌ the non-0-sum case, that‌ is needed to represent‌​‌ (a) and (b) above.​​​‌ However, we had first​ to invent and lay​‌ the foundations of a​​ new kind of games,​​​‌ the information leakage games​31 because the notion​‌ of leakage cannot be​​ expressed in terms of​​​‌ payoff in standard game​ theory. Now that the​‌ theory of these new​​ games is well established,​​​‌ we intend to go​ ahead with our plan,​‌ namely study costs and​​ damages of attacks in​​​‌ terms of non-0-sum information​ leakage games.

3.2.2 Black-box​‌ estimation of leakage via​​ machine learning

Most of​​​‌ the works in QIF​ rely on the so-called​‌ white-box assumption, namely, they​​ assume that it is​​​‌ possible to compute exactly​ the (probabilistic) input-output relation​‌ of the system, seen​​ as an information-theoretic channel.​​​‌ This is necessary in​ order to apply the​‌ formula that expresses the​​ leakage. In practical situations,​​​‌ however, it may not​ be possible to compute​‌ the input-output relation, either​​ because the system is​​​‌ too complicated, or simply​ because it is not​‌ accessible. Such scenario is​​ called black-box. The only​​​‌ assumption we make is​ that the adversary can​‌ interact with the system,​​ by feeding to it​​​‌ inputs of his choice​ and observing the corresponding​‌ outputs.

Given the practical​​ interest of the black-box​​​‌ model, we intend to​ study methods to estimate​‌ its leakage. Clearly the​​ standard QIF methods are​​​‌ not applicable. We plan​ to use, instead, a​‌ machine learning approach, continuing​​ the work we started​​​‌ in 11. In​ particular, we plan to​‌ investigate whether we can​​ improve the efficiency of​​​‌ the method proposed by​ leveraging on the experience​‌ that we have acquired​​ with the GANs 40​​​‌. The idea is​ to construct a training​‌ set and a testing​​ set from the input-output​​​‌ samples collected by interacting​ with the system, and​‌ then build a classifier​​ that learns from the​​​‌ training set to classify​ the input from the​‌ output so to maximize​​ its gain. The measure​​​‌ of its performance on​ the testing set should​‌ then give an estimation​​ of the posterior $\mathrm{g‌}$-vulnerability.

3.3.1 Privacy protection

In‌​‌ 38 we have investigated​​ potential leakage in social​​​‌ networks, namely, the unintended‌ propagation and collection of‌​‌ confidential information. We intend​​ to enrich this model​​​‌ with epistemic aspects, in‌ order to take into‌​‌ account the belief of​​ the users and how​​​‌ it influences the behavior‌ of agents with respect‌​‌ the transmission of information.​​

Furthermore, we plan to​​​‌ investigate attack models used‌ to reveal a user’s‌​‌ private information, and explore​​ the framework of $\mathrm{g‌}$-leakage to formalize the‌ privacy threats. This will‌​‌ provide the basis to​​ study suitable protection mechanisms.​​​‌

3.3.2 Polarization and Belief‌ in influence graphs

In‌​‌ social scenarios, a group​​ may shape their beliefs​​​‌ by attributing more value‌ to the opinions of‌​‌ influential figures. This cognitive​​ bias is known as​​​‌ authority bias. Furthermore,‌ in a group with‌​‌ uniform views, users may​​ become extreme by reinforcing​​​‌ one another’s opinions, giving‌ more value to opinions‌​‌ that confirm their own​​ beliefs; another common cognitive​​​‌ bias known as confirmation‌ bias. As a‌​‌ result, social networks can​​ cause their users to​​​‌ become radical and isolated‌ in their own ideological‌​‌ circle causing dangerous splits​​ in society (polarization). We​​​‌ intend to study these‌ dynamics in a model‌​‌ called influence graph,​​ which is a weighted​​​‌ directed graph describing connectivity‌ and influence of each‌​‌ agent over the others.​​ We will consider two​​​‌ kinds of belief updates:‌ the authority belief update,‌​‌ which gives more value​​ to the opinion of​​​‌ agents with higher influence,‌ and the confirmation bias‌​‌ update, which gives more​​ value to the opinion​​​‌ of agents with similar‌ views.

We plan to‌​‌ study the evolution of​​ polarization in these graphs.​​​‌ In particular, we aim‌ at defining a suitable‌​‌ measure of polarization, characterizing​​ graph structures and conditions​​​‌ under which polarization eventually‌ converges to 0 (vanishes),‌​‌ and methods to compute​​ the change in the​​​‌ polarization value over time.‌

Another purpose of this‌​‌ line of research is​​ how the bias of​​​‌ the agents whose data‌ are being collected impacts‌​‌ the fairness of learning​​ algorithms based on these​​​‌ data.

3.3.3 Concurrency models‌ for the propagation of‌​‌ information

Due to their​​ popularity and computational nature,​​​‌ social networks have exacerbated‌ group polarization. Existing models‌​‌ of group polarization from​​ economics and social psychology​​​‌ state its basic principles‌ and measures 37.‌​‌ Nevertheless, unlike our computational​​ ccp models, they are​​​‌ not suitable for describing‌ the dynamics of agents‌​‌ in distributed systems. Our​​ challenge is to coherently​​​‌ combine our ccp models‌ for epistemic behavior with‌​‌ principles and techniques from​​ economics and social psychology​​​‌ for GP. We plan‌ to develop a ccp-based‌​‌ process calculus which incorporates​​ structures from social networks,​​​‌ such as communication, influence,‌ individual opinions and beliefs,‌​‌ and privacy policies. The​​ expected outcome is a​​​‌ computational model that will‌ allow us to specify‌​‌ the interaction of groups​​ of agents exchanging epistemic​​​‌ information among them and‌ to predict and measure‌​‌ the leakage of private​​​‌ information, as well​ as the degree of​‌ polarization that such group​​ may reach.

7.1.1 Multi-Freq-LDPy‌​‌

• Name:
  Multiple Frequency Estimation​​ Under Local Differential Privacy​​​‌ in Python
• Keywords:
  Privacy,‌ Python, Benchmarking
• Scientific Description:‌​‌
  The purpose of Multi-Freq-LDPy​​ is to allow the​​​‌ scientific community to benchmark‌ and experiment with Locally‌​‌ Differentially Private (LDP) frequency​​ (or histogram) estimation mechanisms.​​​‌ Indeed, estimating histograms is‌ a fundamental task in‌​‌ data analysis and data​​ mining that requires collecting​​​‌ and processing data in‌ a continuous manner. In‌​‌ addition to the standard​​ single frequency estimation task,​​​‌ Multi-Freq-LDPy features separate and‌ combined multidimensional and longitudinal‌​‌ data collections, i.e., the​​ frequency estimation of multiple​​​‌ attributes, of a single‌ attribute throughout time, and‌​‌ of multiple attributes throughout​​ time.
• Functional Description:

  Local​​​‌ Differential Privacy (LDP) is‌ a gold standard for‌​‌ achieving local privacy with​​​‌ several real-world implementations by​ big tech companies such​‌ as Google, Apple, and​​ Microsoft. The primary application​​​‌ of LDP is frequency​ (or histogram) estimation, in​‌ which the aggregator estimates​​ the number of times​​​‌ each value has been​ reported.

  Multi-Freq-LDPy provides an​‌ easy-to-use and fast implementation​​ of state-of-the-art LDP mechanisms​​​‌ for frequency estimation of:​ single attribute (i.e., the​‌ building blocks), multiple attributes​​ (i.e., multidimensional data), multiple​​​‌ collections (i.e., longitudinal data),​ and both multiple attributes/collections.​‌

  Multi-Freq-LDPy is now a​​ stable package, which is​​​‌ built on the well-established​ Numpy package - a​‌ de facto standard for​​ scientific computing in Python​​​‌ - and the Numba​ package for fast execution.​‌

• URL:
  https://­github.­com/­hharcolezi/­multi-freq-ldpy
• Publication:
  hal-03816212​​
• Contact:
  Heber Hwang Arcolezi​​​‌
• Participants:
  Heber Hwang Arcolezi,​ Jean-François Couchot, Sébastien Gambs,​‌ Catuscia Palamidessi, Majid Zolfaghari​​

7.1.2 LOLOHA

• Name:
  LOngitudinal​​​‌ LOcal HAshing For Locally​ Private Frequency Monitoring
• Keyword:​‌
  Privacy
• Functional Description:
  This​​ is a Python implementation​​​‌ of our locally differentially​ private mechanism named LOLOHA.​‌ We implemented a private-oriented​​ version named BiLOLOHA and​​​‌ a utility-oriented version named​ OLOLOHA. We benchmarked our​‌ mechanisms in comparison with​​ Google's RAPPOR mechanism and​​​‌ Microsoft's dBitFlipPM mechanism.
• URL:​
  https://­github.­com/­hharcolezi/­LOLOHA
• Publication:
  hal-03911550
• Contact:​‌
  Heber Hwang Arcolezi
• Participants:​​
  Heber Hwang Arcolezi, Sébastien​​​‌ Gambs, Catuscia Palamidessi, Carlos​ Pinzon Henao

7.1.3 PRiLDP​‌

• Name:
  Privacy Risks of​​ Local Differential Privacy
• Keyword:​​​‌
  Privacy
• Functional Description:
  This​ is a Python implementation​‌ of two privacy threats​​ we identified against locally​​​‌ differentially private (LDP) mechanisms.​ We implemented attribute inference​‌ attacks as well as​​ re-identification attacks, benchmarking the​​​‌ robustness of five state-of-the-art​ LDP mechanisms.
• URL:
  https://­github.­com/­hharcolezi/­risks-ldp​‌
• Publication:
  hal-04082592
• Contact:
  Heber​​ Hwang Arcolezi
• Participants:
  Heber​​​‌ Hwang Arcolezi, Sébastien Gambs,​ Jean-François Couchot, Catuscia Palamidessi​‌

7.1.4 PRIVIC

• Name:
  A​​ privacy-preserving method for incremental​​​‌ collection of location data​
• Keyword:
  Privacy
• Functional Description:​‌
  This library contains various​​ tools for the PRIVIC​​​‌ project: the implementation of​ the Blahut-Arimoto mechanism for​‌ metric privacy, the Iterative​​ Bayesian Update, and the​​​‌ implementation of an algorithm​ performing an incremental collection​‌ of data under metric​​ differential privacy protection, and​​​‌ gradual improvement of the​ mechanism from the point​‌ of view of utility.​​
• URL:
  https://­github.­com/­blitzwas/­PRIVIC
• Publication:
  hal-03968692​​​‌
• Contact:
  Sayan Biswas
• Participants:​
  Sayan Biswas, Catuscia Palamidessi​‌

7.1.5 LDP-FAIRNESS

• Name:
  Impact​​ of Local Differential Privacy​​​‌ on Fairness
• Keywords:
  Privacy,​ Fairness
• Functional Description:
  This​‌ library contains various tools​​ for the study of​​​‌ the impact of Local​ Differential Privacy on fairness.​‌
• URL:
  https://­github.­com/­hharcolezi/­ldp-fairness-impact
• Publication:
  hal-04175027​​
• Contact:
  Heber Hwang Arcolezi​​​‌
• Participants:
  Heber Hwang Arcolezi,​ Karima Makhlouf, Catuscia Palamidessi​‌

7.1.6 Causal-based Fairness

• Name:​​
  Causal-based Machine Learning Discrimination​​​‌ Estimation
• Keywords:
  Fairness, Causal​ discovery
• Functional Description:
  Addressing​‌ the problem of fairness​​ is crucial to safely​​​‌ use machine learning algorithms​ to support decisions with​‌ a critical impact on​​ people's lives such as​​​‌ job hiring, child maltreatment,​ disease diagnosis, loan granting,​‌ etc. Several notions of​​ fairness have been defined​​​‌ and examined in the​ past decade, such as​‌ statistical parity and equalized​​ odds. The most recent​​​‌ fairness notions, however, are​ causal-based and reflect the​‌ now widely accepted idea​​ that using causality is​​ necessary to appropriately address​​​‌ the problem of fairness.‌ The big impediment to‌​‌ the use of causality​​ to address fairness, however,​​​‌ is the unavailability of‌ the causal model (typically‌​‌ represented as a causal​​ graph). This library contains​​​‌ the software tools that‌ implement all required steps‌​‌ to estimate discrimination using​​ a causal approach, including,​​​‌ the causal discovery, the‌ adjustment of the causal‌​‌ model, and the estimation​​ of discrimination. The software​​​‌ is to be deployed‌ as a web application‌​‌ which makes it accessible​​ online without any required​​​‌ setup on the user‌ side.
• Publication:
  hal-04355882
• Contact:‌​‌
  Sami Zhioua
• Participants:
  Raluca​​ Panainte, Yassine Turki, Sami​​​‌ Zhioua

7.1.7 Polarization

• Name:‌
  A model for polarization‌​‌
• Keyword:
  Social network
• Functional​​ Description:
  This is a​​​‌ Python implementation of our‌ polarization model. The implementation‌​‌ is parametric in the​​ social influence graph and​​​‌ belief update representing the‌ social network and it‌​‌ allows for the simulation​​ of belief evolution and​​​‌ measuring the polarization of‌ the network.
• URL:
  https://­github.­com/­Sirquini/­Polarization‌​‌
• Publication:
  hal-03872692
• Contact:
  Frank​​ Valencia
• Participants:
  Frank Valencia,​​​‌ Mario Sergio Ferreira Alvim‌ Junior, Sophia Knight, Santiago‌​‌ Quintero

7.1.8 GMeet

• Name:​​
  GMeet Algorithms
• Keyword:
  Distributed​​​‌ computing
• Functional Description:
  This‌ is a Python library‌​‌ containing the implementation of​​ our methods to compute​​​‌ distributed knowledge in multi-agent‌ systems. The implementation allows‌​‌ for experimental comparison between​​ the different methods on​​​‌ randomly generated inputs.
• URL:‌
  https://­caph1993.­github.­io/­GMeetMono/
• Publication:
  hal-02422624
• Contact:‌​‌
  Frank Valencia

7.1.9 Fairness-Accuracy​​

• Name:
  On the trade-off​​​‌ between Fairness and Accuracy‌
• Keywords:
  Fairness, Machine learning‌​‌
• Functional Description:

  This software​​ is composed by two​​​‌ main modules that serve‌ the following purposes:

  (1)‌​‌ To visualize the perimeter​​ of all possible machine​​​‌ learning models in the‌ Equal Opportunity - Accuracy‌​‌ space, and to show​​ that, for certain distributions,​​​‌ Equal Opportunity implies that‌ the best Accuracy achievable‌​‌ is that of a​​ trivial model.

  (2) To​​​‌ compute the Pareto optimality‌ between Equal Opportunity Difference‌​‌ and Accuracy.

• Publication:
  hal-04308195​​
• Contact:
  Catuscia Palamidessi
• Participants:​​​‌
  Carlos Pinzon Henao, Catuscia‌ Palamidessi, Frank Valencia

7.1.10‌​‌ libqif - A Quantitative​​ Information Flow C++ Toolkit​​​‌ Library

• Keywords:
  Information leakage,‌ Privacy, C++, Linear optimization‌​‌
• Functional Description:

  The goal​​ of libqif is to​​​‌ provide an efficient C++‌ toolkit implementing a variety‌​‌ of techniques and algorithms​​ from the area of​​​‌ quantitative information flow and‌ differential privacy. We plan‌​‌ to implement all techniques​​ produced by Com$\setminus ‌$`ete in recent years,‌ as well as several‌​‌ ones produced outside the​​ group, giving the ability​​​‌ to privacy researchers to‌ reproduce our results and‌​‌ compare different techniques in​​ a uniform and efficient​​​‌ framework.

  Some of these‌ techniques were previously implemented‌​‌ in an ad-hoc fashion,​​ in small, incompatible with​​​‌ each-other, non-maintained and usually‌ inefficient tools, used only‌​‌ for the purposes of​​ a single paper and​​​‌ then abandoned. We aim‌ at reimplementing those –‌​‌ as well as adding​​ several new ones not​​​‌ previously implemented – in‌ a structured, efficient and‌​‌ maintainable manner, providing a​​ tool of great value​​​‌ for future research. Of‌ particular interest is the‌​‌ ability to easily re-run​​​‌ evaluations, experiments, and case-studies​ from QIF papers, which​‌ will be of great​​ value for comparing new​​​‌ research results in the​ future.

  The library's development​‌ continued in 2020 with​​ several new added features.​​​‌ 68 new commits were​ pushed to the project's​‌ git repository during this​​ year. The new functionality​​​‌ was directly applied to​ the experimental results of​‌ several publications of COMETE.​​

• URL:
  https://­github.­com/­chatziko/­libqif
• Contact:
  Konstantinos​​​‌ Chatzikokolakis

7.1.11 IBU: A​ java library for estimating​‌ distributions

• Keywords:
  Privacy, Statistic​​ analysis, Bayesian estimation
• Functional​​​‌ Description:

  The main objective​ of this library is​‌ to provide an experimental​​ framework for evaluating statistical​​​‌ properties on data that​ have been sanitized by​‌ obfuscation mechanisms, and for​​ measuring the quality of​​​‌ the estimation. More precisely,​ it allows modeling the​‌ sensitive data, obfuscating these​​ data using a variety​​​‌ of privacy mechanisms, estimating​ the probability distribution on​‌ the original data using​​ different estimation methods, and​​​‌ measuring the statistical distance​ and the Kantorovich distance​‌ between the original and​​ estimated distributions. This is​​​‌ one of the main​ software projects of Palamidessi's​‌ ERC Project HYPATIA.

  We​​ intend to extend the​​​‌ software with functionalities that​ will allow estimating statistical​‌ properties of multi-dimensional (locally​​ sanitized) data and using​​​‌ collections of data locally​ sanitized with different mechanisms.​‌

• URL:
  https://­gitlab.­com/­locpriv/­ibu
• Contact:
  Ehab​​ Elsalamouny

7.1.12 ldp-audit

• Name:​​​‌
  Local Differential Privacy Auditor​
• Keyword:
  Differential privacy
• Functional​‌ Description:
  A tool for​​ auditing Locally Differentially Private​​​‌ (LDP) protocols.
• URL:
  https://­github.­com/­hharcolezi/­ldp-audit​
• Contact:
  Heber Hwang Arcolezi​‌

7.1.13 Polarizómetro

• Name:
  Polarizómetro​​
• Keyword:
  Social networks
• Functional​​​‌ Description:

  The Polarizómetro is​ a platform that was​‌ launched in August 2024​​ in a public event​​​‌ (https://sites.google.com/view/promueva/eventos/2024) with an audience​ of about 200 people.​‌ This platform, meant for​​ decision-makers and available online,​​​‌ allows to measure the​ polarization of an opinion​‌ distribution in a group​​ or social media over​​​‌ a particular subject. The​ opinion can be expressed​‌ as usual posts on​​ social media or a​​​‌ standard Likert scale. The​ polarization can be measured​‌ using several standard notions​​ from the literature such​​​‌ as Esteban and Ray’s,​ or using our measure​‌ MEC (the Minimal Effort​​ to Consensus) developed in​​​‌ our project PROMUEVA based​ on the Earth Mover​‌ Distance.

  The platform has​​ been used to regularly​​​‌ measure polarization on real​ opinion distributions in the​‌ social media X (formerly​​ known as Twitter) about​​​‌ the Pension Reform in​ Colombia and about the​‌ benefits of the 2024​​ United Nations Biodiversity Conference​​​‌ of the Parties (COP16)​ that took place in​‌ Cali, Colombia.

• URL:
  https://­polarizometro.­lipn.­univ-paris13.­fr/​​
• Contact:
  Frank Valencia
• Partners:​​​‌
  LIPN (Laboratoire d'Informatique de​ l'Université Paris Nord), Pontificia​‌ Universidad Javeriana Cali

8.1.1 Enhancing​‌ metric privacy with a​​ shuffler

Differential Privacy (DP)​​​‌ is one of the​ most successful privacy-preserving frameworks.​‌ In the central model​​ of DP a trusted​​ server adds controlled noise​​​‌ as it acts as‌ an interface between the‌​‌ data providers (users) and​​ the data consumers (analysts).​​​‌ To overcome the strong‌ trust assumption of having‌​‌ a trusted server, Local​​ Differential Privacy (LDP) has​​​‌ been proposed, where the‌ individual data are obfuscated‌​‌ directly at the end​​ of the data provider.​​​‌ To improve LDP, in‌ recent years researchers have‌​‌ proposed to combine it​​ with a shuffler which​​​‌ is supposed to mix‌ the data at the‌​‌ time of collection, enhancing​​ the privacy of LDP​​​‌ without affecting utility. The‌ shuffler is assumed to‌​‌ be trusted, but this​​ is also an arguably​​​‌ strong assumption that cannot‌ always be guaranteed. Metric‌​‌ privacy (aka d-privacy) is​​ a variant of DP​​​‌ that can be applied‌ in domains provided with‌​‌ a notion of distance​​ and it is particularly​​​‌ used in location privacy,‌ where it takes the‌​‌ name of geo-indistinguihability. In​​ contrast to DP, metric​​​‌ privacy allows calibrating the‌ noise so that data‌​‌ points closer to the​​ true one are more​​​‌ likely to be reported.‌ In 13, we‌​‌ studied how metric privacy​​ can be improved by​​​‌ combining it with a‌ shuffler. More specifically, we‌​‌ considered the combination of​​ the shuffler with three​​​‌ mechanisms, Randomized Response, Geometric‌ and an optimal protocol,‌​‌ in the context of​​ the sum and average​​​‌ queries. In all cases,‌ we formally derived the‌​‌ relations that express the​​ privacy amplification due to​​​‌ the shuffler, in terms‌ of metric privacy. Moreover,‌​‌ we formally studied the​​ privacy guarantees of each​​​‌ protocol if the shuffler‌ is compromised. Finally we‌​‌ conducted experiments using synthetic​​ data as well as​​​‌ real-world location data, showing‌ that the proposed mechanisms‌​‌ achieve a better privacy-utility​​ trade-off compared to the​​​‌ baseline of the standard‌ geometric mechanism.

8.1.2 Testing‌​‌ the level of privacy​​

In 16, we​​​‌ analyzed to what extent‌ final users can infer‌​‌ information about the level​​ of protection of their​​​‌ data when the data‌ obfuscation mechanism is a‌​‌ priori unknown to them​​ (the so-called “black-box” scenario).​​​‌ In particular, we explored‌ four notions of differential‌​‌ privacy, namely local/central $\mathrm{ϵ}$-DP/Rényi-DP. On the one​​​‌ hand, we proved that,‌ without any assumption on‌​‌ the underlying distributions, it​​ is not possible to​​​‌ have an algorithm able‌ to infer the level‌​‌ of data protection with​​ provable guarantees. On the​​​‌ other hand, we demonstrated‌ that, under reasonable assumptions‌​‌ (namely Lipschitzness of the​​ involved densities on a​​​‌ closed interval), such guarantees‌ exist for the local‌​‌ versions and can be​​ achieved by a simple​​​‌ histogram-based estimator. We validated‌ our results experimentally and‌​‌ note that, in two​​ particularly well behaved distributions​​​‌ (namely the Laplace and‌ the Gaussian noise), our‌​‌ method performs better than​​ expected, in the sense​​​‌ that in practice the‌ number of samples needed‌​‌ to achieve the desired​​ confidence is smaller than​​​‌ the theoretical bound, and‌ the estimate of $\mathrm{ϵ‌‌}$ is more precise than​​ predicted.

In 25,​​​‌ We considered the problem‌ of estimating the Bayes‌​‌ risk, from which one​​​‌ can derive some of​ the most popular leakage​‌ measures (e.g., min-entropy, additive,​​ and multiplicative leakage). The​​​‌ state-of-the-art method for estimating​ these leakage measures is​‌ the frequentist paradigm, which​​ approximates the system's internals​​​‌ by looking at the​ frequencies of its inputs​‌ and outputs. Unfortunately, this​​ does not scale for​​​‌ systems with large output​ spaces, where it would​‌ require too many input-output​​ examples. Consequently, it also​​​‌ cannot be applied to​ systems with continuous outputs​‌ (e.g., time side channels,​​ network traffic). In 25​​​‌, we exploited an​ analogy between Machine Learning​‌ (ML) and black-box leakage​​ estimation to show that​​​‌ the Bayes risk of​ a system can be​‌ estimated by using a​​ class of ML methods:​​​‌ the universally consistent learning​ rules; these rules can​‌ exploit patterns in the​​ input-output examples to improve​​​‌ the estimates' convergence, while​ retaining formal optimality guarantees.​‌ We focused on a​​ set of them, the​​​‌ nearest neighbor rules; we​ showed that they significantly​‌ reduce the number of​​ black-box queries required for​​​‌ a precise estimation whenever​ nearby outputs tend to​‌ be produced by the​​ same secret; furthermore, some​​​‌ of them can tackle​ systems with continuous outputs.​‌ We illustrated the applicability​​ of these techniques on​​​‌ both synthetic and real-world​ data, and we compared​‌ them with the state-of-the-art​​ tool, leakiEst, which is​​​‌ based on the frequentist​ approach.

8.1.3 Privacy in​‌ Federated Learning

Federated Learning​​ (FL) has emerged as​​​‌ a promising paradigm for​ collaborative model training without​‌ the need to share​​ clients’ personal data, thereby​​​‌ preserving privacy. However, the​ non-IID nature of the​‌ clients’ data introduces major​​ challenges for FL, highlighting​​​‌ the importance of personalized​ federated learning (PFL) methods.​‌ In PFL, models are​​ typically trained to cater​​​‌ to specific feature distributions​ present in the population​‌ data. A notable method​​ for PFL is the​​​‌ Iterative Federated Clustering Algorithm​ (IFCA), which mitigates the​‌ concerns associated with the​​ non-IID-ness by grouping clients​​​‌ with similar data distributions.​ While it has been​‌ shown that IFCA enhances​​ both accuracy and fairness,​​​‌ its strategy of dividing​ the population into smaller​‌ clusters increases vulnerability to​​ Membership Inference Attacks (MIA),​​​‌ particularly among minorities with​ limited training samples. In​‌ 23, we introduced​​ IFCA-MIR, an improved version​​​‌ of IFCA that integrates​ MIA risk assessment into​‌ the clustering process. Allowing​​ clients to select clusters​​​‌ based on both model​ performance and MIA vulnerability,​‌ IFCA-MIR achieves an improved​​ performance with respect to​​​‌ accuracy, fairness, and privacy.​ We demonstrated that IFCA-MIR​‌ reduces the risk of​​ MIA by up to​​​‌ 5.6 x compared to​ the original IFCA while​‌ maintaining comparable model accuracy​​ and fairness.

8.1.4 Estimating​​​‌ the original distribution

Randomized​ Response (RR) is a​‌ protocol designed to collect​​ and analyze categorical data​​​‌ with local differential privacy​ guarantees. It has been​‌ used as a building​​ block of mechanisms deployed​​​‌ by Big Tech companies​ to collect app or​‌ web users' data. Each​​ user reports an automatic​​​‌ random alteration of their​ true value to the​‌ analytics server, which then​​ estimates the histogram of​​ the true unseen values​​​‌ of all users using‌ a debiasing rule to‌​‌ compensate for the added​​ randomness. A known issue​​​‌ is that the standard‌ debiasing rule can yield‌​‌ a vector with negative​​ values (which can not​​​‌ be interpreted as a‌ histogram), and there is‌​‌ no consensus on the​​ best fix. An elegant​​​‌ but slow solution is‌ the Iterative Bayesian Update‌​‌ algorithm (IBU), which converges​​ to the Maximum Likelihood​​​‌ Estimate (MLE) as the‌ number of iterations goes‌​‌ to infinity. In 24​​ we have proposed an​​​‌ alternative to IBU by‌ providing a simple formula‌​‌ for the exact MLE​​ of RR and compares​​​‌ it with other estimation‌ methods experimentally to help‌​‌ practitioners decide which one​​ to use.

Domaines Cryptographie​​​‌ et sécurité [cs.CR] Intelligence‌ artificielle [cs.AI] Apprentissage [cs.LG]‌​‌

8.2.1 Website fingerprinting defense​​​‌

Quantitative Information Flow (QIF)‌ provides a robust information-theoretical‌​‌ framework for designing secure​​ systems with minimal information​​​‌ leakage. While previous research‌ has addressed the design‌​‌ of such systems under​​ hard constraints (e.g. application​​​‌ limitations) and soft constraints‌ (e.g. utility), scenarios often‌​‌ arise where the core​​ system's behavior is considered​​​‌ fixed. In such cases,‌ the challenge is to‌​‌ design a new component​​ for the existing system​​​‌ that minimizes leakage without‌ altering the original system.‌​‌ In 19 we addressed​​ this problem by proposing​​​‌ optimal solutions for constructing‌ a new row, in‌​‌ a known and unmodifiable​​ information-theoretic channel, aiming at​​​‌ minimizing the leakage. We‌ first modeled two types‌​‌ of adversaries: an exact-guessing​​ adversary, aiming to guess​​​‌ the secret in one‌ try, and a s-distinguishing‌​‌ one, which tries to​​ distinguish the secret s​​​‌ from all the other‌ secrets. Then, we discussed‌​‌ design strategies for both​​ fixed and unknown priors​​​‌ by offering, for each‌ adversary, an optimal solution‌​‌ under linear constraints, using​​ Linear Programming. We applied​​​‌ our approach to the‌ problem of website fingerprinting‌​‌ defense, considering a scenario​​ where a site administrator​​​‌ can modify their own‌ site but not others.‌​‌ We experimentally evaluated our​​ proposed solutions against other​​​‌ natural approaches. First, we‌ sampled real-world news websites‌​‌ and then, for both​​ adversaries, we demonstrated that​​​‌ the proposed solutions are‌ effective in achieving the‌​‌ least leakage. Finally, we​​ simulated an actual attack​​​‌ by training an ML‌ classifier for the s-distinguishing‌​‌ adversary and showed that​​ our approach decreases the​​​‌ accuracy of the attacker.‌

8.3.1 Relation between fairness​​ and privacy

In the​​​‌ era of Big Data,‌ the development of artificial‌​‌ intelligence (AI) systems presents​​ both opportunities and challenges,​​​‌ particularly concerning privacy and‌ fairness. While differential privacy‌​‌ (DP) has emerged as​​ a robust methodology for​​​‌ preserving privacy in real-world‌ applications, its local variant‌​‌ (LDP) specifically addresses trust​​ issues by removing the​​​‌ reliance on a centralized‌ server. Equally critical, conducting‌​‌ fairness audits of AI​​ systems helps identify and​​​‌ mitigate discriminatory outcomes in‌ machine learning. Although the‌​‌ relationship between DP and​​ fairness is inherently multifaceted,​​​‌ inb 12 we offered‌ a detailed empirical examination‌​‌ of how collecting multi-dimensional​​​‌ sensitive attributes under LDP​ affects fairness in binary​‌ classification tasks. Our findings​​ reveal that LDP can​​​‌ slightly improve fairness without​ substantially degrading model performance—challenging​‌ the notion that DP​​ necessarily exacerbates unfairness. We​​​‌ demonstrated these results by​ evaluating seven state-of-the-art LDP​‌ protocols on three benchmark​​ datasets, using established group​​​‌ fairness metrics. Moreover, we​ proposed a novel privacy​‌ budget allocation scheme that​​ incorporates varying domain sizes​​​‌ of sensitive attributes, achieving​ a superior privacy-utility-fairness trade-off​‌ compared to existing solutions.​​

8.3.2 Assessing the Resilience​​​‌ of Causal Discovery Methods​

Causal discovery (CD) algorithms​‌ are increasingly applied to​​ socially and ethically sensitive​​​‌ domains. However, their evaluation​ under realistic conditions remains​‌ challenging due to the​​ scarcity of real-world datasets​​​‌ annotated with ground-truth causal​ structures. Whereas synthetic data​‌ generators support controlled benchmarking,​​ they often overlook forms​​​‌ of bias, such as​ dependencies involving sensitive attributes,​‌ which may significantly affect​​ the observed distribution and​​​‌ compromise the trustworthiness of​ downstream analysis. In 14​‌ we introduceed a novel​​ synthetic data generation framework​​​‌ that enables controlled bias​ injection while preserving the​‌ causal relationships specified in​​ a ground-truth causal graph.​​​‌ The framework aims to​ evaluate the reliability of​‌ CD methods by examining​​ the impact of varying​​​‌ bias levels and outcome​ binarization thresholds. Experimental results​‌ showed that even moderate​​ bias levels can lead​​​‌ CD approaches to fail​ to correctly infer causal​‌ links, particularly those connecting​​ sensitive attributes to decision​​​‌ outcomes. These findings underscore​ the need for expert​‌ validation and highlight the​​ limitations of current CD​​​‌ methods in fairness-critical applications.​ Our proposal thus provides​‌ an essential tool for​​ benchmarking and improving CD​​​‌ algorithms in biased, real-world​ data settings.

8.4.1 Spiral of​​​‌ Silence in Social Networks​

In modern social networks,​‌ the selective expression of​​ opinions can significantly distort​​​‌ the perception of public​ opinion, amplify polarization, and​‌ influence democratic processes. A​​ key mechanism behind this​​​‌ phenomenon is the Spiral​ of Silence, a​‌ well-known social theory stating​​ that individuals may refrain​​​‌ from expressing their opinions​ when they perceive themselves​‌ to be in the​​ minority due to fear​​​‌ of social isolation. Motivated​ by the need to​‌ better understand the impact​​ of silence on collective​​​‌ opinion dynamics, in 18​ we developed new multi-agent​‌ models that incorporate the​​ Spiral of Silence into​​​‌ the classical DeGroot framework​ for social learning. In​‌ particular, we introduced two​​ variants of the model,​​​‌ capturing situations in which​ silent individuals are either​‌ ignored in the opinion​​ update process or continue​​​‌ to influence others through​ their previously expressed opinions.​‌ We formally analyzed the​​ convergence properties of these​​​‌ models and showed that,​ unlike in the classical​‌ DeGroot model, consensus is​​ not always guaranteed, even​​​‌ in strongly connected networks,​ due to the emergence​‌ of persistent silence and​​ memory effects, while identifying​​​‌ conditions under which consensus​ can still be achieved​‌ in fully connected networks.​​ To complement the theoretical​​​‌ analysis, we developed a​ high-performance simulation platform capable​‌ of modeling networks with​​ over one million agents​​, enabling the study​​​‌ of opinion dynamics in‌ large-scale networks with realistic‌​‌ social structures. These large-scale​​ simulations reproduced key phenomena​​​‌ predicted by the Spiral‌ of Silence theory, including‌​‌ reinforcement of dominant views,​​ hidden consensus, and persistent​​​‌ disagreement. This work provides‌ new theoretical and computational‌​‌ tools for understanding how​​ social pressure and silence​​​‌ shape collective opinion formation‌ and polarization in complex‌​‌ societies.

8.4.2 Partial Information​​ in Opinion Models

In​​​‌ many real-world social networks,‌ agents often hold partial,‌​‌ uncertain, or multi-dimensional opinions,​​ and influence relationships cannot​​​‌ always be represented by‌ precise numerical values. This‌​‌ limitation restricts the applicability​​ of classical opinion models,​​​‌ such as the DeGroot‌ model, which assume exact‌​‌ opinions and influence weights.​​ To address these challenges,​​​‌ in 22 we introduced‌ Constraint Opinion Models,‌​‌ a novel framework that​​ represents agents' opinions and​​​‌ influences as soft constraints‌ rather than single real‌​‌ numbers. This generalization enables​​ the modeling of complex​​​‌ scenarios involving partial information,‌ conditional preferences, multi-topic discussions,‌​‌ and epistemic beliefs about​​ other agents. We developed​​​‌ formal definitions of constraint-based‌ opinion dynamics and showed‌​‌ how classical models arise​​ as special cases of​​​‌ our framework. Furthermore, we‌ introduced a new notion‌​‌ of distance between constraints​​ that enables the measurement​​​‌ of opinion divergence and‌ supports the definition of‌​‌ refined polarization measures. Through​​ illustrative examples and computational​​​‌ experiments, we demonstrated that‌ the proposed framework captures‌​‌ behaviors that cannot be​​ represented in traditional models.​​​‌ This framework establishes a‌ mathematical foundation for studying‌​‌ opinion formation under uncertainty​​ and complexity in modern​​​‌ social systems.

8.4.3 Analyzing‌ Opinion Models Using Rewriting‌​‌ Logic

Understanding how interaction​​ patterns and cognitive biases​​​‌ influence collective opinion formation‌ is essential for explaining‌​‌ phenomena such as polarization,​​ consensus, and fragmentation in​​​‌ modern social networks. However,‌ many existing opinion dynamics‌​‌ models are studied in​​ isolation, making systematic comparison​​​‌ and joint analysis difficult.‌ To overcome this limitation,‌​‌ in 17 we developed​​ a unified formal framework​​​‌ for specifying, simulating, and‌ analyzing opinion formation processes‌​‌ using rewriting logic. Our​​ approach is based on​​​‌ concurrent set relations that‌ model agents, influence networks,‌​‌ and opinion updates in​​ a uniform manner, allowing​​​‌ classical models such as‌ DeGroot and gossip-based dynamics‌​‌ to be represented as​​ instances of a common​​​‌ framework. We implemented this‌ framework in the Maude‌​‌ system as a fully​​ executable rewrite theory, enabling​​​‌ automated reasoning techniques such‌ as reachability analysis, probabilistic‌​‌ simulation, and statistical model​​ checking to study properties​​​‌ of opinion dynamics. The‌ framework also supports the‌​‌ integration of cognitive biases​​ and extensions such as​​​‌ Spiral-of-Silence mechanisms, enabling systematic‌ exploration of complex social‌​‌ behaviors under different interaction​​ strategies. This unified infrastructure​​​‌ enables analysis and experimental‌ validation of a broad‌​‌ class of opinion dynamics​​ models, offering new tools​​​‌ for investigating the mechanisms‌ that drive polarization and‌​‌ collective behavior in complex​​ social systems.

10.1.1​‌ Inria associate team not​​ involved in an IIL​​​‌ or an international program​

10.1.2 Participation in​​​‌ other International Programs

10.2.1​​​‌ Visits of international scientists​

10.2.2 Visits to​​ international teams

10.3.1 Horizon Europe

TOBIAS​​​‌

iPOP

FedMalin

DIFPRIPOS‌​‌

11.1.1 Scientific events: organisation​​

11.1.2 Scientific events:‌​‌ selection

11.1.3 Journal​

11.1.4 Invited talks​

• Catuscia Palamidessi has been​‌ keynote invited speaker at:​​
  • PPML 2025, the​​​‌ workshop on Privacy-Preserving Machine​ Learning, associated with EurIPS​‌, Copenhagen, Denmark, December​​ 7, 2025.
  • MDAI 2025​​​‌, the International Conference​ on Modeling Decisions for​‌ Artificial Intelligence. València, Spain,​​ September 15–18, 2025.
  • gdr-secu-jn2025​​​‌, Journée Nationale du​ GDR Sécurité. Caen, France,​‌ June 23–25, 2025.
  • Workshop@University​​ of Waterloo, the​​​‌ 2nd Inria-University of Waterloo-Université​ de Bordeaux Workshop. Waterloo,​‌ Canada, May 26–27, 2025​​

11.1.5 Leadership within the​​​‌ scientific community

• Catuscia palamidessi​ is:
  • President of SIGLOG​‌, the ACM Special​​ Interest Group on Logic​​​‌ and Computation.
  • Co-chair of​ the of the 6th​‌ edition of the CNIL-Inria​​ Privacy Award.
  • Member​​​‌ of steering committees of:​
    • (2016-) CONCUR, the International​‌ Conference in Concurrency Theory.​​
    • (2015-) EACSL, the​​​‌ European Association for Computer​ Science Logics.

11.1.6 Scientific​‌ expertise

• Catuscia Palamidessi has​​ been:
  • (2025-29) Member of​​​‌ the Scientific Advisory Board​ of the GSSI international​‌ PhD school and a​​ center for research and​​​‌ higher education in Sciences.​
  • (2024-25) Member of the​‌ international jury of two​​ programs of the FWF​​, the Austrian Science​​​‌ Fund: the FWF ASTRA‌ Award and the FWF‌​‌ Wittgenstein Award.
  • (2025)​​ Member of the Estonian​​​‌ Research Council for the‌ evaluation process of the‌​‌ research funding applications in​​ 2025, in the fields​​​‌ of Mathematics, Computer Science‌ and Informatics.
  • (2023-) Member‌​‌ of the Commission in​​ itinere ed ex post​​​‌ for the research initiatives‌ for technologies and innovative‌​‌ trajectorie. MUR, Ministry​​ of Education, Universities and​​​‌ Research, Italy.
  • (2021-) Member‌ of the Board of‌​‌ Trustees of the IMDEA​​ Software Institute, Madrid,​​​‌ Spain.
  • (2019-) Member of‌ the Sci. Adv. Board‌​‌ of CISPA, Helmholtz​​ Center for Information Security.​​​‌ Saarbruecken, Germany.

11.2.1 Teaching

• Frank Valencia​​ has been teaching since​​​‌ 2019 Concurrency Theory and‌ Computability at the Master's‌​‌ program of Computer Science​​ at the University Javeriana​​​‌ Cali for a total‌ of 128 hours per‌​‌ year.

11.2.2 Supervision

• Supervision​​ of PhD students
  • (2025-)​​​‌ Dāvis Šterns. Co-supervised by‌ Catuscia Palamidessi and Tom‌​‌ Bäckström from Aalto University.​​ Subject: Attacking information bottlenecks​​​‌ – Theoretical metrics and‌ bounds of privacy.
  • (2024-)‌​‌ Lois Ecoffet. Co-supervised by​​ Catuscia Palamidessi and by​​​‌ Jean François Couchot, from‌ the Université de Franche-Comteé.‌​‌ Subject: Towards Differentially Private​​ SQL Query Interpretation: A​​​‌ Comprehensive Approach and Implementation‌ in PostgreSQL.
  • (2023-) Brahim‌​‌ Erraji. Co-supervised by Catuscia​​ Palamidessi and by Aurélien​​​‌ Bellet, from the Inria‌ team PreMeDICaL. Subject: Fairness‌​‌ in federated learning.
  • (2023-)​​ Ramon Goncalves Gonze. Co-supervised​​​‌ by Catuscia palamidessi and‌ Mario Alvim. Subject: Tension‌​‌ between privacy and utility​​ in Census data.
  • (2022-25)​​​‌ Andreas Athanasiou. Co-supervised by‌ Catuscia palamidessi and Kostantinos‌​‌ Chatzikokolakis. Subject: The shuffle​​ model for metric differential​​​‌ privacy.
  • (2023-) Juan Paz.‌ Supervised by Frank Valencia.‌​‌ Subject: Cognitive Bias in​​ Social Networks.
• Supervision of​​​‌ postdocs and junior researchers‌
  • (2025-) Sara Saeidian, postdoc.‌​‌
  • (2024-) Ehab ElSalamouny, research​​ engineer.
  • (2020-25) Gangsoo Zeong,​​​‌ research engineer.
  • (2022-25) Szilvia‌ Lestyan, postdoc (since 2023‌​‌ she was hired by​​ the Institut National d'Études​​​‌ Démographiques (INED) and works‌ on a project in‌​‌ the context of a​​ collaboration between INED and​​​‌ COMETE).

11.2.3 Juries

• Catuscia‌ Palamidessi has been:
  • Reviewer‌​‌ and Member of the​​ jury for the HDR​​​‌ defense of Jean Krivine.‌ Université Paris Cité, France.‌​‌ January 2025.
  • Member of​​ the jury for the​​​‌ PhD defense of Ala‌ Eddine Laouir, LORIA, Nancy,‌​‌ France, December 2025.
  • Member​​ of the jury for​​​‌ the PhD defense of‌ Gabriel H. Nunes, UFMG,‌​‌ Belo Horzonte, November 2025.​​
  • Member of the jury​​​‌ for the PhD defense‌ of Ashraf Ghiye, IPP,‌​‌ Palaiseau, May 2025.
  • (2015-)​​ Member of the steering​​​‌ committee of the PhD‌ Program in Computer Science‌​‌ at the University of​​ Pisa, Italy.

11.3.1 Productions (articles,‌​‌ videos, podcasts, serious games,​​ ...)

• Frank Valencia participated​​​‌ on video program El‌ Polarizometro, a digital tool‌​‌ to understand gender violence​​ for the University of​​​‌ Valle Colombia.

11.3.2 Participation‌ in Live events

• Frank‌​‌ Valencia participated on live​​ event Polarization and Gender​​​‌ Violence organized at University‌ of Javeriana de Cali.‌​‌

International journals

• 12 article‌​‌H. H.Héber Hwang​​ Arcolezi, K.Karima​​​‌ Makhlouf and C.Catuscia‌ Palamidessi. Group fairness‌​‌ under obfuscated sensitive information​​.Journal of Computer​​​‌ SecurityMay 2025,‌ 1-26HALDOIback‌​‌ to text
• 13 article​​A.Andreas Athanasiou,​​​‌ K.Konstantinos Chatzikokolakis and‌ C.Catuscia Palamidessi.‌​‌ Enhancing Metric Privacy With​​ a Shuffler.Proceedings​​​‌ on Privacy Enhancing Technologies‌2025HALback to‌​‌ text
• 14 articleM.​​Martina Cinquini, K.​​​‌Karima Makhlouf, J.‌Jay Jawale, S.‌​‌Sami Zhioua, C.​​Catuscia Palamidessi and R.​​​‌Riccardo Guidotti. A‌ Bias Injection Technique to‌​‌ Assess the Resilience of​​ Causal Discovery Methods.​​​‌IEEE Access132025‌, 97376-97391HALDOI‌​‌back to text
• 15​​ articleM.Martina Cinquini​​​‌, K.Karima Makhlouf‌, J.Jay Jawale‌​‌, S.Sami Zhioua​​, C.Catuscia Palamidessi​​​‌ and R.Riccardo Guidotti‌. Corrections to “A‌​‌ Bias Injection Technique to​​ Assess the Resilience of​​​‌ Causal Discovery Methods”.‌IEEE Access132025‌​‌, 199630 - 199630​​HALDOI
• 16 article​​​‌D.Daniele Gorla,‌ L.Louis Jalouzot,‌​‌ F.Federica Granese,​​ C.Catuscia Palamidessi and​​​‌ P.Pablo Piantanida.‌ On Estimating the Strength‌​‌ of Differentially Private Mechanisms​​ in a Black-Box Setting​​​‌.IEEE Transactions on‌ Dependable and Secure Computing‌​‌225September 2025​​, 5494-5507HALDOI​​​‌back to text
• 17‌ articleC.Carlos Olarte‌​‌, C.Carlos Ramírez​​, C.Camilo Rocha​​​‌ and F.Frank Valencia‌. Unified opinion formation‌​‌ analysis in rewriting logic​​.Journal of Logical​​​‌ and Algebraic Methods in‌ Programming148December 2025‌​‌, 101095HALDOI​​back to text

International​​​‌ peer-reviewed conferences

• 18 inproceedings‌J.Jesús Aranda,‌​‌ J. F.Juan Francisco​​ Díaz, D.David​​​‌ Gaona and F.Frank‌ Valencia. The Spiral‌​‌ of Silence in Multi-agent​​ Models for Opinion Formation​​​‌.Theoretical Aspects of‌ Computing – ICTAC 2025‌​‌Marrakech, Morocco2025HAL​​DOIback to text​​​‌
• 19 inproceedingsA.Andreas‌ Athanasiou, K.Konstantinos‌​‌ Chatzikokolakis and C.Catuscia​​ Palamidessi. Self-Defense: Optimal​​​‌ QIF Solutions and Application‌ to Website Fingerprinting.‌​‌Proceedings of the 38th​​ IEEE Computer Security Foundations​​​‌ Symposium (CSF 2025)CSF‌ 2025 - 38th IEEE‌​‌ Computer Security Foundations Symposium​​Santa Cruz, United States​​​‌June 2025HALback‌ to text
• 20 inproceedings‌​‌S.Sayan Biswas,​​ M.Mathieu Even,​​​‌ A.-M.Anne-Marie Kermarrec,‌ L.Laurent Massoulié,‌​‌ R.Rafael Pires,​​ R.Rishi Sharma and​​​‌ M.Martijn de Vos‌. Noiseless Privacy-Preserving Decentralized‌​‌ Learning.PETS 2025​​​‌ - 25th Privacy Enhancing​ Technologies Symposium2025Bristol,​‌ United KingdomJanuary 2025​​, 824 - 844​​​‌HALDOI
• 21 inproceedings​J. G.Jade Garcia​‌ Bourrée, A.Augustin​​ Godinot, S.Sayan​​​‌ Biswas, A.-M.Anne-Marie​ Kermarrec, E. L.​‌Erwan Le Merrer,​​ G.Gilles Tredan,​​​‌ M.Martijn de Vos​ and M.Milos Vujasinovic​‌. Robust ML Auditing​​ using Prior Knowledge.​​​‌ICML 2025 - 42nd​ International Conference on Machine​‌ LearningVancouver, CanadaarXiv​​July 2025, 1-17​​​‌HALDOI
• 22 inproceedings​F.Fabio Gadducci,​‌ C.Carlos Olarte and​​ F.Frank Valencia.​​​‌ A Constraint Opinion Model​.COORDINATION 2025 -​‌ 27th IFIP WG 6.1​​ International Conference on Coordination​​​‌ Models and LanguagesLille,​ FrancearXivApril 2025​‌HALDOIback to​​ text
• 23 inproceedingsK.​​​‌Kangsoo Jung, S.​Sayan Biswas and C.​‌Catuscia Palamidessi. Mitigating​​ Membership Inference Vulnerability in​​​‌ Iterative Federated Clustering Algorithm​.Workshop on Recent​‌ Advances in Resilient and​​ Trustworthy Machine learning-driven systems,​​​‌Taipei, TaiwanACMOctober​ 2025, 1-12HAL​‌DOIback to text​​
• 24 inproceedingsC. A.​​​‌Carlos Antonio Pinzón,​ E.Ehab Elsalamouny,​‌ L.Lucas Massot,​​ A.Alexis Miller,​​​‌ H.Héber Hwang Arcolezi​ and C.Catuscia Palamidessi​‌. Estimating the True​​ Distribution of Data Collected​​​‌ with Randomized Response.​AAAI 2026 - 40th​‌ Annual AAAI Conference on​​ Artificial Intelligence4042​​​‌Singapore, SingaporeMarch 2026​, 35751-35758HALDOI​‌back to text

Scientific​​ book chapters

• 25 inbook​​​‌G.Giovanni Cherubin,​ K.Konstantinos Chatzikokolakis and​‌ C.Catuscia Palamidessi.​​ Chapter 15: Testing Private​​​‌ Models.Differential Privacy​ in Artificial Intelligence: From,​‌ Theory to Practice2025​​HALDOIback to​​​‌ textback to text​

Reports & preprints

• 26​‌ miscS.Sayan Biswas​​, M.Mark Dras​​​‌, P.Pedro Faustini​, N.Natasha Fernandes​‌, A.Annabelle McIver​​, C.Catuscia Palamidessi​​​‌ and P.Parastoo Sadeghi​. Comparing privacy notions​‌ for protection against reconstruction​​ attacks in machine learning​​​‌.February 2025HAL​DOI
• 27 miscJ.-P.​‌ S.Judith Sáinz-Pardo Díaz​​, A.Andreas Athanasiou​​​‌, K.Kangsoo Jung​, C.Catuscia Palamidessi​‌ and Á. L.Álvaro​​ López García. Metric​​​‌ Privacy in Federated Learning​ for Medical Imaging: Improving​‌ Convergence and Preventing Client​​ Inference Attacks.February​​​‌ 2025HALDOI
• 28​ miscL.Loïs Ecoffet​‌, V.Veronika Rehn-Sonigo​​, J.-F.Jean-François Couchot​​​‌ and C.Catuscia Palamidessi​. Experiments and Analysis​‌ of Privacy-Preserving SQL Query​​ Sanitization Systems.2025​​​‌HALDOI
• 29 misc​E.Ehab Elsalamouny and​‌ C.Catuscia Palamidessi.​​ On the Consistency and​​​‌ Performance of the Iterative​ Bayesian Update.August​‌ 2025HAL
• 30 misc​​C.Carlos Pinzón and​​​‌ C.Catuscia Palamidessi.​ Jeffrey's update rule as​‌ a minimizer of Kullback-Leibler​​ divergence.February 2025​​​‌HAL