6 October 2002 1 PPDP / GPCE 2002 Mobile Calculi Catuscia Palamidessi, INRIA Futurs, France joint work with Mihaela Herescu, IBM, Austin for Distributed.

Presentation transcript:

1 Mobile Calculi for Distributed Programming
Catuscia Palamidessi, INRIA Futurs, France
joint work with Mihaela Herescu, IBM, Austin
6 October, PPDP / GPCE 2002

2 Mobile calculi
The π calculus [Milner, Parrow, Walker '89]
CCS + Mobility of links
Dynamic reconfiguration of the communication structure

3 Mobile Calculi
The asynchronous π calc [Honda-Tokoro '92, Boudol '91]
Action Calculi [Milner, early '90]
The Fusion calculus [Parrow, Victor, early '90]
Join Calculus [Fournet, Gonthier, Levy, … '96]
…
Related calculi
Mobile Ambients [Cardelli, Gordon '97]
The seal calculus [Castagna, Vitek, mid '90]
Boxed Ambients [Bugliesi, Castagna, Crafa, late '90]
The spi calculus [Abadi, Gordon, mid '90]: a calculus for specification and verification of security protocols based on the π calculus

4 The π calculus
Basic constructs to express parallelism, communication, choice, generation of new names (which can be communicated and in turn used as channels), scope
Scope extrusion: a name can be communicated and its scope extended to include the recipient
[Figure: processes P, Q, R and names x, y, z]

5 Expressive Power of π
link mobility
network reconfiguration
express HO (e.g. λ calculus) in a natural way
mixed choice
solution to distributed problems involving distributed agreement

6 The expressive power of π
Example of distributed agreement: the leader election problem
A symmetric and fully distributed solution in π:
x.P_wins + y^.P_loses | y.Q_wins + x^.Q_loses
-τ-> P_loses | Q_wins
-τ-> P_wins | Q_loses
[Figure: P and Q connected by the channels x and y]

7 π: the π calculus (w/ mixed choice)
Syntax
g ::= x(y) | x^y | τ    prefixes (input, output, silent)
P ::= Σ_i g_i . P_i    mixed guarded choice
    | P | P    parallel
    | (x) P    new name
    | rec_A P    recursion
    | A    procedure name

8 Operational semantics
Transition system: P -a-> Q
Rules
Choice: Σ_i g_i . P_i -g_i-> P_i
Open
P -x^y-> P'
___________________
(y) P -x^(y)-> P'

9 Operational semantics
Rules (continued)
Com
P -x(y)-> P'    Q -x^z-> Q'
________________________
P | Q -τ-> P'[z/y] | Q'
Close
P -x(y)-> P'    Q -x^(z)-> Q'
_________________________
P | Q -τ-> (z) (P'[z/y] | Q')
Par
P -g-> P'
_________________    f(Q) and b(g) disjoint
Q | P -g-> Q | P'

10 Implementation issues
It is well known that formalisms able to express distributed agreement are difficult to implement in a distributed fashion
For this reason, the field has evolved towards asynchronous variants of π or other asynchronous formalisms, for instance the asynchronous π calculus [Honda-Tokoro '92, Boudol '92]

11 π_a: the Asynchronous π
Syntax
g ::= x(y) | τ    prefixes
P ::= Σ_i g_i . P_i    input guarded choice
    | x^y    output action
    | P | P    parallel
    | (x) P    new name
    | rec_A P    recursion
    | A    procedure name

12 Operational semantics of π_a
Additional rule:
Out: x^y -x^y-> 0
Asynchronous communication: we can't write a continuation after an output, i.e. no x^y.P, but only x^y | P, so P will proceed without waiting for the actual delivery of the message
Note: the original π_a did not contain a choice construct. However the version presented here was shown expressively equivalent to the original π_a by [Nestmann and Pierce, '96]

13 π vs. π_a
π_a is suitable for distributed implementation, in contrast to π
However, despite the difficulties regarding implementation, the π calculus is still very appealing, because of its superior expressive power
Examples of problems that can be solved in π and not in π_a:
dining philosophers (following [Francez and Rodeh, '82])
the symmetric leader election problem, for any ring of processes. The solution uses name mobility to fully connect the graph, and then mixed choice to break the symmetry. This problem cannot be solved in π_a, nor in CCS [Palamidessi 97]

14 Towards a fully distributed implementation of π
The results of previous pages show that a fully distributed implementation of π must necessarily be randomized
A two-steps approach: π → probabilistic asynchronous π → distributed machine (arrows labelled [[ ]] and >)
Advantages: the correctness proof is easier since [[ ]] (which is the difficult part of the implementation) is between two similar languages

15 π_pa: the Probabilistic Asynchronous π
Syntax
g ::= x(y) | τ    prefixes
P ::= Σ_i p_i g_i . P_i    pr. inp. guard. choice, Σ_i p_i = 1
    | x^y    output action
    | P | P    parallel
    | (x) P    new name
    | rec_A P    recursion
    | A    procedure name

16 The operational semantics of π_pa
Based on the Probabilistic Automata of Segala and Lynch
Distinction between nondeterministic behavior (choice of the scheduler) and probabilistic behavior (choice of the process)
Scheduling Policy: The scheduler chooses the group of transitions
Execution: The process chooses probabilistically the transition within the group
[Figure: groups of transitions with probabilities 1/2, 1/3, 2/3]

17 The operational semantics of π_pa
Representation of a group of transitions: P {--g_i-> p_i P_i}_i
Rules
Choice: Σ_i p_i g_i . P_i {--g_i-> p_i P_i}_i
Par
P {--g_i-> p_i P_i}_i
____________________
Q | P {--g_i-> p_i Q | P_i}_i

18 The operational semantics of π_pa
Rules (continued)
Com
P {--x_i(y_i)-> p_i P_i}_i    Q {--x^z-> 1 Q'}_i
____________________________________
P | Q {--τ-> p_i P_i[z/y_i] | Q'}_{x_i = x} ∪ {--x_i(y_i)-> p_i P_i | Q}_{x_i =/= x}
Res
P {--x_i(y_i)-> p_i P_i}_i
___________________    q_i renormalized
(x) P {--x_i(y_i)-> q_i (x) P_i}_{x_i =/= x}

19 Implementation of π_pa
Compilation in Java > : π_pa → Java
Distributed > = >. start(); >.start();
Compositional > = > jop > for all op
Channels are one-position buffers with test-and-set (synchronized) methods for input and output
The probabilistic input guarded construct is implemented as a while loop in which channels to be tried are selected according to their probability. The loop repeats until an input is successful

20 Encoding π into π_pa
[[ ]] : π → π_pa
Fully distributed: [[ P | Q ]] = [[ P ]] | [[ Q ]]
Uniform: [[ P σ ]] = [[ P ]] σ
Correct wrt a notion of probabilistic testing semantics: P must O iff [[ P ]] must [[ O ]] with prob 1

21 Encoding π into π_pa
Idea:
Every mixed choice is translated into a parallel comp. of processes corresponding to the branches, plus a lock f
The input processes compete for acquiring both their own lock and the lock of the partner
The input process which succeeds first establishes the communication. The other alternatives are discarded
[Figure: processes P, Q, R, S with branches Pi, Qi, Ri, R'i, Si and locks f]
The problem is reduced to a generalized dining philosophers problem where each fork (lock) can be adjacent to more than two philosophers
Further, we can reduce the generalized DP to the classic case, and then apply the algorithm of Lehmann and Rabin

22 Dining Philosophers: classic case Each fork is shared by exactly two philosophers

23 Dining Philosophers, classic case
The requirements on the encoding π → π_pa imply symmetry and full distribution
There are many solutions to the DP problem, but in order to be symmetric and fully distributed a solution necessarily has to be randomized. Proved by [Lehmann and Rabin 81]. They also provided a randomized algorithm (for the classic case)
Note that the DP problem can be solved in π in a fully distributed, symmetric way. Hence the need for randomization is not a characteristic of our approach: it would arise in any encoding of π into an asynchronous language.

24 The algorithm of Lehmann and Rabin
1. Think
2. choose first_fork in {left,right} %commit
3. if taken(first_fork) then goto 3
4. take(first_fork)
5. if taken(second_fork) then { release(first_fork); goto 2 }
6. take(second_fork)
7. eat
8. release(second_fork)
9. release(first_fork)
10. goto 1

25 Dining Phils: generalized case
Each fork can be shared by more than two philosophers
Reduction to the classic case: each fork is initially associated with a token. Each phil needs to acquire a token in order to participate in the competition. The competing phils determine a set of subgraphs in which each subgraph contains at most one cycle

26 Generalized philosophers
Another problem we had to face: the solution of Lehmann and Rabin works only for fair schedulers, while π_pa does not provide any guarantee of fairness
Fortunately, it turns out that the fairness is required only in order to avoid a busy-waiting livelock at instruction 3. If we replace busy-waiting with suspension, then the algorithm works for any scheduler
This result was achieved independently also by Fribourg et al, TCS 2002

27 The algorithm of Lehmann and Rabin
1. Think
2. choose first_fork in {left,right} %commit
3. if taken(first_fork) then goto 3
4. take(first_fork)
5. if taken(second_fork) then { release(first_fork); goto 2 }
6. take(second_fork)
7. eat
8. release(second_fork)
9. release(first_fork)
10. goto 1
The algorithm of Lehmann and Rabin, modified so as to avoid the need for fairness
1. Think
2. choose first_fork in {left,right} %commit
3. if taken(first_fork) then wait
4. take(first_fork)
5. if taken(second_fork) then { release(first_fork); goto 2 }
6. take(second_fork)
7. eat
8. release(second_fork)
9. release(first_fork)
10. goto 1
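
The effect of replacing the busy-wait at instruction 3 with suspension, as an added example that is not part of the slides: a step-by-step simulation of the algorithm under one constructed unfair scheduler, which keeps re-running a philosopher spinning at instruction 3 whenever that philosopher is schedulable. Assumptions: instructions 3-4 and 5-6 each run atomically (test-and-set), thinking is skipped, instruction 5 tests the second fork and releases the first on failure as in Lehmann and Rabin's algorithm, and `simulate` with its parameters is a name chosen here.

```python
import random

def simulate(n, suspend, steps, seed):
    """Return the number of meals eaten by n philosophers in `steps` scheduler moves.

    suspend=False: instruction 3 is the busy-wait 'goto 3'.
    suspend=True:  instruction 3 is 'wait' (a blocked philosopher is not schedulable).
    Scheduler (constructed for this example, deliberately unfair): if a philosopher
    is spinning at instruction 3 and may be scheduled, run it again; otherwise
    pick any schedulable philosopher at random.
    """
    rng = random.Random(seed)
    taken = [False] * n          # taken[f]: fork f is currently held
    pc = [2] * n                 # slide instruction numbers; 'Think' is skipped
    first = [0] * n
    second = [0] * n
    meals = 0

    def stuck_at_3(i):
        return pc[i] == 3 and taken[first[i]]

    for _ in range(steps):
        spinners = [i for i in range(n) if stuck_at_3(i)]
        if spinners and not suspend:
            i = spinners[0]      # busy-waiter burns the step, nobody else runs
        else:
            # the holder of a fork is never stuck, so this list is never empty
            i = rng.choice([j for j in range(n) if not stuck_at_3(j)])

        if pc[i] == 2:           # 2. choose first_fork at random (commit)
            left, right = i, (i + 1) % n
            first[i], second[i] = rng.choice([(left, right), (right, left)])
            pc[i] = 3
        elif pc[i] == 3:         # 3-4. take first fork if free, else spin
            if not taken[first[i]]:
                taken[first[i]] = True
                pc[i] = 5
        elif pc[i] == 5:         # 5-6. take second fork, or give up the first
            if taken[second[i]]:
                taken[first[i]] = False
                pc[i] = 2
            else:
                taken[second[i]] = True
                pc[i] = 7
        else:                    # 7-10. eat, release both forks, start over
            meals += 1
            taken[first[i]] = taken[second[i]] = False
            pc[i] = 2
    return meals

if __name__ == "__main__":
    for mode in (False, True):
        print("suspend" if mode else "busy-wait",
              [simulate(5, mode, k, seed=1) for k in (2000, 20000)])
```

With busy-waiting the meal count stops growing once the first philosopher starts spinning; with suspension the same scheduling policy cannot select a blocked philosopher and meals keep accumulating. This exercises a single scheduler and is not a proof for all of them.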

28 Conclusion
We have provided an encoding of the π calculus into its asynchronous fragment, enriched with probabilities
fully distributed
compositional
correct wrt a notion of testing semantics
Advantages:
high-level solutions to distributed algorithms
Easier to prove correct (no reasoning about randomization required)

29 Future work: Application of π_pa to Security protocols
Propis: a small language based on π_pa to express and verify security protocols and their properties, like
Secrecy: messages, keys, etc. remain secret
Authentication: guarantees about the parties involved in the protocol
Non-repudiation: evidence of the involvement of the other party
Anonymity: protecting the identity of agents wrt particular events
Formal tools for automatic verification

30 Features of PROPIS
PRObabilistic PI for Security
π_pa enriched with cryptographic primitives similar to those of the spi-calculus [Abadi and Gordon]
The probability features will allow security protocols to be analysed at a finer level (cryptographic level), i.e. beyond the Dolev-Yao assumptions: in our approach an attacker can guess a key. The point is to prove that the probability that it actually guesses the right key is negligible.
The probability features will also allow protocols that require randomization to be expressed.

31 Example: The dining cryptographers
An example of achieving anonymity
[Figure: Master connected to Crypt(0), Crypt(1), Crypt(2); channel labels pays0, notpays0]

32 The dining cryptographers
The Problem:
Three cryptographers share a meal
The meal is paid either by the organization (master) or by one of them. The master decides who pays
Each of the cryptographers is informed by the master whether or not he is paying
GOAL: The cryptographers would like to know whether the meal is being paid by the master or by one of them, but without knowing who is paying (if it is one of them).

33 The dining cryptographers: Solution
Solution: Each cryptographer tosses a coin (probabilistic choice). Each coin is in between two cryptographers.
The result of each coin-tossing is visible to the adjacent cryptographers, and only to them.
Each cryptographer examines the two adjacent coins
If he is paying, he announces "agree" if the results are the same, and "disagree" otherwise.
If he is not paying, he says the opposite
Claim 1: if the number of "disagree" is even, then the master is paying. Otherwise, one of them is paying.
Claim 2: In the latter case, if the coin is fair the non-paying cryptographers will not be able to deduce who exactly is paying
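
Both claims can be checked by exhaustive enumeration; the following is an added example, not code from the slides. It assumes coin i sits between cryptographer i and cryptographer i+1, and it uses the convention in which a non-paying cryptographer announces "agree" when his two coins match and the payer says the opposite, which for three cryptographers is the assignment under which the parity in Claim 1 comes out as stated. All function names are chosen here.

```python
from fractions import Fraction
from itertools import product

N = 3  # cryptographers; coin i is assumed to sit between cryptographer i and i+1

def announcements(coins, payer):
    """Announcement of every cryptographer; payer is None when the master pays."""
    out = []
    for i in range(N):
        same = coins[i] == coins[(i - 1) % N]      # the two coins adjacent to i
        truthful = "agree" if same else "disagree"
        opposite = "disagree" if same else "agree"
        out.append(opposite if i == payer else truthful)
    return tuple(out)

def claim1_holds():
    """Even number of 'disagree' <=> the master pays, for every coin outcome."""
    for coins in product((0, 1), repeat=N):
        for payer in (None, 0, 1, 2):
            even = announcements(coins, payer).count("disagree") % 2 == 0
            if even != (payer is None):
                return False
    return True

def view_distribution(payer, observer, p_heads):
    """Exact distribution of what `observer` sees: his two coins and all announcements."""
    dist = {}
    for coins in product((0, 1), repeat=N):
        prob = Fraction(1)
        for c in coins:
            prob *= p_heads if c == 1 else 1 - p_heads
        view = (coins[observer], coins[(observer - 1) % N],
                announcements(coins, payer))
        dist[view] = dist.get(view, Fraction(0)) + prob
    return dist

def anonymous_for(observer, p_heads):
    """True if the observer's view is equally likely whichever other cryptographer pays."""
    a, b = [i for i in range(N) if i != observer]
    return (view_distribution(a, observer, p_heads)
            == view_distribution(b, observer, p_heads))

if __name__ == "__main__":
    print("Claim 1 holds:", claim1_holds())
    print("fair coins, payer hidden from Crypt(0):", anonymous_for(0, Fraction(1, 2)))
    print("coins biased 3/4, payer hidden:", anonymous_for(0, Fraction(3, 4)))
```

With a biased coin the two distributions differ, so a non-paying cryptographer's observations shift his belief about which neighbour paid; this is the case Claim 2 excludes by requiring fair coins.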

34 The dining cryptographers: Solution
[Figure: Master, Crypt(0), Crypt(1), Crypt(2) and Coin(0), Coin(1), Coin(2); channel labels pays0, notpays0, look20, out1]