

Global Computing: an Analysis of Trust and Wireless Communications (Ph.D. Thesis)

Nicola Mezzetti

Technical Report UBLCS-2006-09

April 2006

Department of Computer Science, University of Bologna

Mura Anteo Zamboni 7, 40127 Bologna (Italy)


The University of Bologna Department of Computer Science Research Technical Reports are available in PDF and gzipped PostScript formats via anonymous FTP from the area ftp.cs.unibo.it:/pub/TR/UBLCS or via WWW at URL http://www.cs.unibo.it/. Plain-text abstracts organized by year are available in the directory ABSTRACTS.

Recent Titles from the UBLCS Technical Report Series

2005-9 A Reasoning Infrastructure to Support Cooperation of Intelligent Agents on the Semantic Grid, Dragoni, N., Gaspari, M., Guidi, D., April 2005.

2005-10 Fault Tolerant Knowledge Level Communication in Open Asynchronous Multi-Agent Systems, Dragoni, N., Gaspari, M., April 2005.

2005-11 The AEDSS Application Ontology: Enhanced Automatic Assessment of EDSS in Multiple Sclerosis, Gaspari, M., Saletti, N., Scandellari, C., Stecchi, S., April 2005.

2005-12 How to cheat BitTorrent and why nobody does, Hales, D., Patarin, S., May 2005.

2005-13 Choose Your Tribe! - Evolution at the Next Level in a Peer-to-Peer network, Hales, D., May 2005.

2005-14 Knowledge-Based Jobs and the Boundaries of Firms: Agent-based simulation of Firms Learning and Workforce Skill Set Dynamics, Mollona, E., Hales, D., June 2005.

2005-15 Tag-Based Cooperation in Peer-to-Peer Networks with Newscast, Marcozzi, A., Hales, D., Jesi, G., Arteconi, S., Babaoglu, O., June 2005.

2005-16 Atomic Commit and Negotiation in Service Oriented Computing, Bocchi, L., Ciancarini, P., Lucchi, R., June 2005.

2005-17 Efficient and Robust Fully Distributed Power Method with an Application to Link Analysis, Canright, G., Engo-Monsen, K., Jelasity, M., September 2005.

2005-18 On Computing the Topological Entropy of One-sided Cellular Automata, Di Lena, P., September 2005.

2005-19 A model for imperfect XML data based on Dempster-Shafer's theory of evidence, Magnani, M., Montesi, D., September 2005.

2005-20 Friends for Free: Self-Organizing Artificial Social Networks for Trust and Cooperation, Hales, D., Arteconi, S., November 2005.

2005-21 Greedy Cheating Liars and the Fools Who Believe Them, Arteconi, S., Hales, D., December 2005.

2006-01 Lambda-Types on the Lambda-Calculus with Abbreviations: a Certified Specification, Guidi, F., January 2006.

2006-02 On the Quality-Based Evaluation and Selection of Grid Services (Ph.D. Thesis), Andreozzi, S., March 2006.

2006-03 Transactional Aspects in Coordination and Composition of Web Services (Ph.D. Thesis), Bocchi, L., March 2006.

2006-04 Semantic Frameworks for Implicit Computational Complexity (Ph.D. Thesis), Dal Lago, U., March 2006.

2006-05 Fault Tolerant Knowledge Level Inter-Agent Communication in Open Multi-Agent Systems (Ph.D. Thesis), Dragoni, N., March 2006.

2006-06 Middleware Services for Dynamic Clustering of Application Servers (Ph.D. Thesis), Lodi, G., March 2006.

2006-07 Meta Model Management for (Semi) Structured and Uncertain Models (Ph.D. Thesis), Magnani, M., March 2006.

2006-08 Towards Abstractions for Web Services Composition (Ph.D. Thesis), Mazzara, M., March 2006.


Global Computing: an Analysis of Trust and Wireless Communications (Ph.D. Thesis)

Nicola Mezzetti (1)

Technical Report UBLCS-2006-09

April 2006

(1) Dept. of Computer Science, University of Bologna, 7, Mura Anteo Zamboni, 40127 Bologna, ITALY, e-mail: [email protected], homepage: http://www.cs.unibo.it/~mezzettn



Abstract

In this thesis we analyze problems of trust modelling and implementation in the context of Global Computing, and problems of how implementations of trust protocols for wireless settings can be formally verified.

A framework for supporting dynamic trust relationships is important for the definition of trustworthy protocols for wireless computing; in fact, in such a context a dynamic set of possibly mutually distrustful entities (i.e., individuals, services) interact with each other, consuming or producing services, in pursuit of their own goals. In this context, traditional static trust techniques fail to support the trustworthy execution of interaction protocols among all the possible interacting entities. It is thus necessary to develop a decentralized dynamic-trust system that can be independently implemented by any entity in the global computing system.

The study and modelling of trust has its roots in sociology, which provides conceptual and qualitative specifications of the manner in which trust forms and evolves. However, current research on trust does not agree on a single formalization of trust, nor on the requirements it has to meet. A number of dynamic trust models currently exist, and each of them comes with simulation-based validation techniques whose design is mainly motivated by common sense. Only when this lack is compensated will rigorous techniques and tools for the validation of trust models become available.

The goal of this thesis is twofold: firstly, we aim at providing a computational model of trust that faithfully represents the socio-cognitive models available in the literature, and at showing its flexibility of application in the global computing context; secondly, we aim at providing formal tools for the specification and verification of trust protocols for wireless systems.

The first point is addressed through the development of the Socially-Inspired Reputation computational model (SIR), which has been designed to monitor and evaluate entity behaviour in an adaptive, robust, and scalable manner. SIR is the first computational model of reputation that implements the socio-cognitive process regulating the establishment of trust relationships in human societies. SIR has been employed in the design, verification, and implementation of a Trust-Aware extension for naming services (TAw), which proves effective in supporting the implementation of trustworthy interaction protocols in open systems. SIR has also been employed in the design and implementation of rawDonkey, a client for the peer-to-peer file-sharing eDonkey network that integrates an autonomous and decentralized monitoring system for reputation evaluation and formation, employed to penalize non-collaborative peers and to optimize the global quality of the file-sharing service.

The second part of this thesis examines the communication model of wireless systems, which is the communication model that best represents global computing. We follow the process calculi approach and develop the Calculus of Wireless Systems (CWS). The principal contribution of this work is the development of a reduction semantics and a labelled transition semantics, and the proof of their equivalence. The novelty of this work lies in the fact that wireless systems implement a communication model substantially different from those implemented by the process calculi currently proposed in the literature. Hence, for the modelling of wireless communications, it has been necessary to develop a novel technique based on the observation of changes in the communication state of the single devices (i.e., transmission, reception) rather than on the observation of single transmission instances. This approach introduces original aspects into both of our semantics and, consequently, into the proof of their equivalence.

At the current state, the work on trust and the work on wireless systems have not been integrated yet, and the two parts of this thesis may appear to be separate works. However, the binding between them lies in the achievements left open by this thesis, which we list below. First, the integration of CWS with a set of tools supporting the specification and verification of trust-related properties, and the consequent formal specification of a reputation system based on SIR. This specification will then be employed in the verification of the properties of the reputation model. Secondly, the main idea is to provide a comprehensive framework for the specification and analysis of decentralized reputation systems supporting the implementation of trustworthy interaction protocols for wireless systems. Even though this was the initial goal of this thesis, we discovered that such an ambitious goal requires an amount of effort far beyond the requirements of a Ph.D. thesis.

UBLCS-2006-09 2


Acknowledgments

This progress report is in partial fulfillment of the Ph.D. program; I would like to thank Prof. Davide Sangiorgi, my Ph.D. advisor, and Prof. Fabio Panzieri, my supervisor within the FP5 European Project TAPAS (IST-2001-34069), for the support and the advice with which they are helping me in the achievement of my Ph.D. title. Moreover, I would like to thank the European FP5 RTD project TAPAS (IST-2001-34069) and the base project "WebMiNDS" under the FIRB program of the Italian Ministry of Education, University and Research for the partial funding of my Ph.D. program.



Contents

1 Introduction 8

2 Motivation 11
  1 Discussion 11
  2 The Socio-Cognitive Model of Trust 13
  2.1 Considerations about the Socio-Cognitive Trust Model 15
  3 A Conceptual Model for Computing Reputation 16
  4 Related Contributions 17
  4.1 The Web of Trust 19

3 SIR: Socially Inspired Reputation Model 21
  1 Foundations of Trust 21
  1.1 Trust Degrees 23
  2 The Reputation Model 23
  2.1 Modeling Trust Stability 25
  2.2 Modeling Trust Balance 27
  3 Augmenting Contexts with Attributes 27
  4 Relations with the Socio-Cognitive model 28

4 Case Study: Trust-Aware Naming Service (TAw) 30
  1 Motivation 30
  2 The TAw Architecture 31
  2.1 TAw Peer 31
  2.2 Virtual Society Service 36
  2.3 TAw Trust Propagation Protocol 39
  2.4 Experimental Results 41
  2.4.1 Adaptability Test 41
  2.4.2 Robustness Test 43

5 Case Study: rawDonkey 46
  1 Introduction 46
  2 Related Work 47
  3 rawDonkey 48
  3.1 The eDonkey Protocol 48
  3.2 The Architecture of rawDonkey 48
  3.3 Trust Management System 49
  3.3.1 Trust Evaluation Criteria 50
  3.3.2 Gossiping 51
  3.3.3 Trust-Aware Policies 52

6 Considerations 53
  1 Considerations 53
  2 Future Work 54

7 Motivation of the work 55
  1 Discussion 55
  2 Related Work 58

8 The Basic Language 59
  1 Mobile Computing and Wireless Communications 59
  1.1 Examples 60
  2 The Language 62


  3 Semantics 64
  4 Reduction Semantics 65
  4.1 Examples 71
  5 Labelled Transition Semantics 74
  5.1 Examples 77
  6 The Harmony Theorem 79
  6.1 The Harmony Theorem 86

9 The Extended Language 100
  1 Language Extensions 100
  2 Semantic Extensions 102
  2.1 Extensions to the Reduction Semantics 102
  2.2 Extensions to the Labelled Transition Semantics 105
  3 Extensions to the Harmony Theorem 106
  4 The Extended Harmony Theorem 119
  5 Example: The Alternating Bit Protocol 140
  5.1 Formal description 141
  5.2 Execution Cases 142
  5.2.1 Execution in Absence of Collisions 142
  5.2.2 Execution in Presence of Collisions 142

10 Considerations 145
  1 Considerations 145
  2 Future Work 145

11 Conclusions 147
  1 Future Works 148


List of Figures

1 Framework supporting interactions based on dynamical trust. 12
2 A Conceptual Model for Computing Reputation. 16

1 UML class diagram for the TAwPeer. 32
2 Directory Information Tree implemented by the VSS service. 36
3 UML class diagram for the Virtual Society Service. 38
4 Reconfiguration test employing, respectively, the cognitive models (a) and arbitrary trust stability and trust balance (b). 40
5 Robustness test employing the cognitive models. 42
6 Robustness test employing arbitrary trust stability and balance. 44

1 Architecture of rawDonkey. 49
2 Interaction between TMS and Core in free rider identification. 51

1 Example of a possible communication between node T and node R. 60
2 Example of coordination between transmitters. 60
3 Example of coordination between transmitters with different transmission radius. 61
4 Example of collision on a receiver. 61
5 Possible ways in which transmissions in intersecting cells may collide. 62
6 A more complex example. 62


List of Tables

1 Structure of Φ augmented with jurisdiction. 22
2 Structure of Φ augmented with attributes. 28

1 Structure of a trust propagation protocol message. 39
2 Pseudocode describing the trust propagation protocol. 40

1 Language for the description of wireless networks. 63
2 Language for the description of tagged networks. 67
3 Rules for >^c_l. 68
4 Rules for >. 68
5 Structural Congruence. 68
6 Structural Congruence for tagged networks. 69
7 Rules for −→^c_{l,r}. 69
8 Rules for Â^c_l. 70
9 Reduction rules for normalization with possible interferences. 70
10 Rules for º. 70
11 Labelled transition rules for networks. 75
12 Labelled transition rules for processes. 76

1 Language for the description of wireless networks. 101
2 Extension to the language for tagged networks. 102
3 Additional rules for >^c_l. 103
4 Additional rules for >. 103
5 Rules for ≡. 103
6 Additional rules for event firing. 104
7 Rules for ≡E. 104
8 Additional rules for Â^c_l. 104
9 Additional rules for Â. 104
10 Additional rules for º. 104
11 Reduction rules for internal actions. 105
12 Extensions to the labelled transition rules for networks. 105
13 Extensions to the labelled transition rules for processes. 106


Chapter 1

Introduction

In recent years, global computing has become an active field of research in distributed and mobile computation supported by infrastructures that are available globally and able to provide uniform services meeting variable requirements in system aspects (e.g., communication, co-operation and mobility, resource usage, security policies and mechanisms), with particular regard to exploiting their universal scale and the programmability of their services. Specifically, global computing aims at enabling ubiquitous support for heterogeneous open systems in which entities (i.e., individuals and resources) dynamically join and leave the system, and employ the facilities of the system for consuming, for providing, or for collaborating in the provisioning of a set of services.

When speaking of such ubiquitous contexts, we cannot make assumptions on the resources with which any single computing platform may support the global computation; neither can we make assumptions about the specific networking technology interconnecting each single device. It is because of these characteristics that mobile wireless devices are the technology most often taken as a reference in research on global computing: they enable the setting up of open and ubiquitous computing infrastructures, and their hardware may arbitrarily vary between sensors the size of one cubic millimetre and laptop computers.

To address the goals of global computing, further research has to be accomplished in order to fill the gap between the currently available theory of distributed systems and the knowledge needed to enable cooperative activities and resource integration between mutually untrustworthy devices. During our preliminary research in global computing, we came across a subject that we believe to be important: the establishment of trust relationships between completely unknown entities via wireless communication protocols.

Trust is mandatory to support the dependable implementation of distributed protocols and services; in addition, it is much more fundamental when the services are implemented through the collaboration of mutually untrustworthy entities (i.e., entities that are not guaranteed to behave dependably). Standard applications for wired distributed systems build their dependability on the existence of static trust relationships (i.e., there are entities, called trusted third parties, which are trusted to always exhibit dependable behaviour). By contrast, in the context of global computing both the available resources and the entity behaviours are dynamic; for this reason security in global computing scenarios cannot rely on statically defined trust relationships.

Due to the dynamic nature of global computing scenarios, supporting trust-aware interactions requires a completely decentralized reputation system that provides each entity with reputations without requiring access to remote information repositories. However, current trust models do not support the development of pervasive reputation systems.

In the first part of this thesis we thus present the Socially Inspired Reputation (SIR) model that we have been developing; SIR is the first model of reputation implementing the conceptual socio-cognitive model of trust [FC01, FC04]. SIR has been developed to enable the development of decentralized reputation management systems; thus, we have identified the properties below that we require SIR to meet.


Flexibility: the reputation model has to be general enough to be applied to any possible context, i.e., the logic for aggregating the single trust evaluations has to be independent of the application context;

Adaptability: reputations have to adapt according to the behaviour that the individuals exhibit within the system and to the passing of time;

Robustness: assuming the presence of a certain amount of noise, the reputation model has to identify it and prevent it from affecting trustworthy information;

Scalability: the reputation model must not require the maintenance of any global knowledge.

Furthermore, in the rest of this thesis we present two practical applications of SIR which have been designed, evaluated and developed in order to show that SIR meets the above requirements. In particular, the first application is TAw, our Trust-Aware naming service, and the second application is rawDonkey, a peer-to-peer file-sharing platform based on the eDonkey protocol that employs an autonomous reputation monitoring system in order to encourage peers to collaborate with each other.

Though these applications are important to show that SIR meets the requirements that guided its development, it is also important for us to provide a more formal and rigorous verification of its properties. Specifically, we are interested in showing that it can support trust-aware applications in global computing contexts. To this end, formal methods, and in particular process calculi, can bring important contributions; given a target system, process calculi enable its rigorous specification and the application of a wide set of accepted techniques and tools for the analysis, the implementation, and the verification of that specification. Firstly, they provide compositionality and openness. Compositionality enables one to analyze the behaviour of a system by focusing on its components; this property makes it possible both to limit the analysis to a single part of a system and to analyze the whole system by taking each of its components separately and then composing the obtained results. Openness enables one to evaluate the behaviour of a system deployed in an open environment where other systems executing in parallel may interact or interfere with it. Moreover, a process calculus provided with a reduction semantics enables the development of a virtual machine that implements that semantics and interprets a given specification to perform tests or simulations, while a process calculus provided with a labelled transition semantics enables the implementation of techniques by which it is possible to verify whether certain properties (e.g., security, deadlock freedom) are satisfied by a given specification. For instance, when verifying properties such as security, where it is important to examine the possible interactions of the system with the environment, process calculi make it possible to compare the model against infinitely many adversaries; simulation and other experimental techniques do not enable this kind of verification.

In the second part of this thesis we thus present our work on the development of a process calculus for describing wireless systems. We have been developing that calculus envisioning its application in the modelling and verification of our reputation model, since we believe that the contributions currently available in formal methods are not adequate for our verification purposes. Our calculus, called Calculus of Wireless Systems (CWS), is provided with a reduction semantics (RS) and a labelled transition semantics (LTS). Since these communication systems group together aspects of synchrony, asynchrony, and broadcast communication, in the design of our semantics we could not follow the approaches available in the literature; thus, for each of our semantics we devised a specific approach to model the behaviour of the target system. The main technical result of this second part is the equivalence between the two semantics; this result is important because, given that the RS is much more intuitive, it proves the correctness of the LTS and enables one to interchangeably employ whichever of the two semantics is more appropriate for the task to be performed.

While reading this thesis, the trust and wireless parts may appear to be two separate works. However, this is not so. The first part of this thesis has been developed in order to propose a model of trust that satisfies the requirements imposed by global computing applications. The second part of this work has been developed in order to provide us with the formal tools needed to specify and verify trust-aware communication protocols in the technological setting that best represents global computing. Such an integration is not obvious and is far beyond the purpose of this thesis. In further contributions we will move towards the provision of formal tools for employing CWS to reason on wireless systems and protocols; then, the goal will be (i) to augment CWS with the specification of a reputation management system, and (ii) to employ this specification to verify the properties that guided us in the development of SIR. Further contributions will also present and discuss the in-depth simulation analysis of the reputation system implemented within the rawDonkey distributed monitoring system.

This thesis is structured as follows. Chapters 2 to 6 present our work on trust and Chapters 7 to 10 present our work on wireless communications. Finally, Chap. 11 concludes this work and defines future directions for the research on trusted communications in wireless networks. The part on trust is structured as follows:

Chap. 2: This chapter motivates this work and presents the state of the art in the field;

Chap. 3: This chapter presents and discusses SIR, our Socially-Inspired Reputation model;

Chap. 4: This chapter presents our Trust-Awareness extension for naming services, the first case study built on SIR;

Chap. 5: This chapter presents rawDonkey, a reputation-enhanced peer-to-peer file-sharing client which has been the second case study for our reputation model;

Chap. 6: This chapter concludes the part on trust and draws the related considerations.

The part on wireless communications is structured as follows:

Chap. 7: This chapter presents and discusses the motivations that led our work on this topic;

Chap. 8: This chapter presents a basic language for describing wireless communications, the associated semantics (i.e., reduction semantics and labelled transition semantics), and the first contributions;

Chap. 9: This chapter presents some extensions to our language, the augmented semantics, and the last contributions;

Chap. 10: This chapter concludes the part on wireless communications and draws the related considerations.


Chapter 2

Motivation

1 Discussion

In global computing scenarios possibly unknown and distrustful entities (e.g., resources, individuals) consume, produce, or support services. In such scenarios, having trust information is a key requirement for any entity; in fact, an entity which is aware of other entities' trustworthiness is also equipped to decide whether and under which conditions to engage in interactions with them.

For the reader's clarity, it is worth defining the terms trust, trustworthiness and reputation. We define trust to be the measure of how much reliance a truster can justifiably place on the dependability of a trustee's behaviour within a specific context. We say that a trustee is trustworthy, within a given context, if it actually justifies reliance to be put on the dependability of its behaviour within that context. We define trustworthiness to be the degree of reliance, within a given context, that an entity is to be justifiably assigned. We assume it to be a private and secret property of each entity and, therefore, neither known to other trusters, nor provable.

In social environments trust is an important aspect that lies at the base of each possible interaction between entities: placing trust in some entity to assume a specific behaviour within a specific context means believing that, to some extent, under the conditions enforced by that specific context that entity will assume the expected behaviour. Trust is important because of its concrete implications. Firstly, trust enables interaction between entities: without trust-awareness it would not be possible for any entity to have information about the possible outcome of an interaction engaged in with another entity. Secondly, trust enables any entity to select the best entity with which to interact for accomplishing a given task: trust enables one to compare any two entities to estimate which one is the best for performing a given task. It is worth noting that trust cannot be employed as a substitute for cryptography-based techniques in meeting security requirements: a reputation only estimates how an identified entity is likely to behave, it does not authenticate that entity or protect the data exchanged with it; trust is only a means for enabling an individual to be aware of the possible behaviours that other individuals may exhibit when acting within a specific context.

Older trust models were based on the assumption of a number of Trusted Third Parties (TTPs) which were assumed to be always available, to always behave in a dependable manner, and to be possibly bound to each other by means of static trust relationships. Based on these static trust relationships, possibly by means of delegation (e.g., employing credential chains) and abstraction (e.g., employing roles), complex protocols were built for enabling applications with interaction rules that satisfy the security properties required by the specific application (e.g., [BFL96, BFK98, YMB02, Zim95]); for these properties to always be satisfied, the TTPs are required to remain trustworthy.

Figure 1. Framework supporting interactions based on dynamical trust. (Diagram with the blocks Interaction Rules, Dynamic Trust Criteria, Evaluation Criteria, and Trust Management.)

By contrast, since a generic global computing scenario is characterized by an arbitrarily large population in which each individual may dynamically leave and join and possibly exhibit dynamic behaviour (e.g. due to a limited amount of resources, to the occurrence of a failure, or just to the choice of a new behavioural strategy), it is clear that the maintenance of static trust relationships would not provide a solid infrastructure on which to implement trustworthy interactions. For this reason, trust has recently become an important research area which investigates the possibility of dynamically building trust relationships in a manner similar to how individuals in human societies build their own, that is through evaluations and expectations. Hence, we associate global computing scenarios with the abstraction of Virtual Society (VS), defined below.

A Virtual Society is a dynamic set of possibly federated and mutually distrustful entities (i.e.,individuals and resources) which interact with each other, providing and consuming services,in order to accomplish their respective tasks.

We thus define reputation to be a specific form of trust which is collaboratively maintained by the individuals in a society through the sharing of a given, possibly partial, amount of information about the trustee's behaviour within a given context.

In a social system, each entity is autonomous and, by interacting with other individuals, collects and locally maintains trust information to be employed for trust computation purposes. In this setting, an interaction can be either one of the following:

• Task performance interaction: in this case each party directly experiences the other's trustworthiness within the context;

• Exchange of trust information: in this case each party makes some of its trust information available to the other.

Therefore, so as to support interactions based on a dynamic form of trust, we designed the framework shown in Fig. 1. The implementation of interaction policies based on dynamic trust requires both trust criteria and evaluation criteria to be implemented. The former identify a decision semantics which enables an entity to decide whether to consider a second entity trusted or not, once an estimation about that entity's behaviour is provided. The latter enable an entity to evaluate the outcome of an interaction and produce the trust information needed to adapt the estimations about other entities' behaviours; in fact, since entities build their own expectations according to the opinions they form by interacting with and evaluating the other entities in the system, a dynamic-trust criterion implies the existence of an evaluation criterion. The trust management layer implements a trust model; taking the single evaluations produced by the evaluation criteria, it aggregates these values according to the trust model to obtain the expectations about entity behaviours. Such expectations are then available to the dynamic-trust criteria for deriving a trust opinion, which depends on each single entity's trust criteria; for instance, Alice may consider trustworthy an entity which is expected to satisfy a given request with a probability between 0.4 and 0.6, while Bob may require a probability between 0.5 and 0.7 so as to consider the same entity trustworthy.

Our work focuses on trust models. In order for global computing systems to be provided with a trust model which satisfies the above requirements, we took inspiration from the social model; we consider it to be a good reference model because of its autonomy, its high decentralization, and its extensive validation. Specifically, based on the socio-cognitive model of trust [FC01, FC04] and on the above principles, we develop the first distributed implementation in order to satisfy the above requirements and to enable the trustworthy implementation of Reputation Management Systems (RMSs) for global computing purposes. Moreover, we require that our dynamic trust model provide reputations with the following properties:


Adaptability: reputations have to adapt according to the behaviour that the individuals exhibit within the system and to the passing of time;

Robustness: assuming the presence of a certain amount of noise, the reputation model has to identify it and prevent it from affecting trustworthy information;

Scalability: the reputation model must not require the maintenance of any global knowledge.

When reading the literature about the currently available trust models, it is clear that none of the available research contributions (see below in this chapter) satisfies the above requirements. In fact, examining the proposed trust and reputation models, it is possible to observe that some of them do not adequately capture trust's adaptive nature (e.g., [ARH00, AD01, AM04, BB04, Cap04, Jøs01]), some of them cannot isolate and ignore Byzantine trust information, i.e. the noise injected within the RMS (e.g., [AD01, BB03, BB04, Cap04, CNS03]), and finally some of them enable implementations which may present scalability problems (e.g., [BBK94, CNS03, Car00, Mau96, YKB93]). Moreover, some of the available trust models require the global sharing of trust information through distributed data structures; even if this may increase the accuracy of trust computation, there are no guarantees on the trustworthy maintenance of shared information.

The purpose of this work is then the development of a trust model which overcomes the limitations of existing trust models, enabling its employment in global computing settings. In the first part of this thesis, we report our experience in developing, validating, and employing the Socially Inspired Reputation (SIR) model, our flexible computational model of reputation which can be employed for enabling trust-awareness within global computing scenarios. SIR is the first formal implementation of the socio-cognitive model of trust [FC01, FC04], which describes the computational logic by which each single individual in a human society aggregates the collected information for computing reputations.

In order for us to validate the SIR reputation model, the Trust-Aware naming service (TAw) has been designed and extensively simulated. TAw enables service oriented architectures with trust-awareness; that is, by employing TAw any entity is provided with trust information for deciding whether, and under which conditions, to engage in an interaction with any other entity. The performed simulations showed that TAw implements an adaptive and robust behaviour: specifically, we simulated a consumer/producer scenario in which TAw is deployed in order for the consumer to select the provider to refer to in a trust-aware manner. The obtained results confirm our expectation that SIR enables TAw to scalably implement an adaptive and robust reputation management system within global computing scenarios.

Another application of the SIR model is represented by rawDonkey, which is an eDonkey client for the homonymous peer-to-peer file sharing network. rawDonkey employs the SIR model to evaluate the users on the network according to the possible misbehaviours (i.e., faker and free-rider) and to favour the collaborative ones over the non-collaborative ones. The reputations so obtained are employed to enforce a file distribution priority among the peers in order to penalize non-collaborative users and to guarantee a fair resource sharing among collaborative ones.

2 The Socio-Cognitive Model of Trust

In [FC01, FC04], Castelfranchi and Falcone define a socio-cognitive model of trust that is based on the mental process of trust formation in cognitive terms (e.g., beliefs, goals); although it does not describe the psychological aspects of trust, it formalizes the most rational and conscious aspects. For the sake of clarity, the socio-cognitive model of trust is based on the BDI (Belief-Desire-Intention) approach that is inspired by Bratman's philosophical model [Bra87] and has been defined to model the mental processes of decision-taking. According to this model, only a principal that is characterized by both goals and beliefs can trust another principal. It is worth noting two issues of trust: first, trust does not apply to unconcerned principals, which only have opinions and forecasts based on their knowledge; second, trust itself consists of beliefs, specifically of evaluations and expectations. In this context, we are going to examine the three notions of trust below, taking into consideration the trust that binds a truster with a trustee within a given context. In this context, we can associate with trust the following meanings:

• A mere mental attitude (prediction and evaluation) towards another principal, a simple disposition;

• A decision to rely upon the other, i.e. an intention to delegate and trust, which makes the truster "vulnerable";

• A behaviour, i.e. the intentional act of trusting, and the consequent relation between the truster and the trustee.

In each of the above concepts, different sets of cognitive actions are evaluated by the truster; all together, these actions describe the whole process of trusting: firstly, some information enables the truster to predict for each possible trustee the most likely behaviour, and to select the entity which appears to provide the truster with the best service; secondly, the truster has to decide whether the expected service is worth taking the risk of having produced a wrong expectation; finally, there is the actual relation between the truster and the trustee (i.e., the interaction). Hence, the socio-cognitive model of trust identifies three important concepts related with trust: trust disposition, decision to trust, and act of trusting. For the sake of clarity: since the trustee's competence within a specific context is useful to the truster (trust disposition), who decided to rely on it (decision to trust), the truster might delegate (act of trusting) to the trustee some task which composes his own goal.

Moreover, the model includes three basic beliefs:

Competence Belief: a sufficient evaluation of the trustee's ability is necessary; the truster should believe that the trustee is useful for his goal, that the trustee can provide the expected result, and that the trustee can play such a role on his behalf.

Willingness Belief: the truster should believe that the trustee not only can perform the requested service, but actually will perform it. This belief makes the trustee's behaviour predictable.

Dependence Belief: either the truster believes that it depends on the trustee's competence (strong dependence), or it believes that there is an advantage in relying on the trustee instead of not relying on it (weak dependence). In other words, in a trust relationship the truster is in a strategic situation in that he believes that the achievement of his goals depends, either partially or totally, on the actions of the trustee.

From the point of view of the dynamic studies of trust, it is worth noting how the above basic beliefs might change during the same interaction or during a sequence of interactions: for example, the competence (or ability) of the trustee, or the trustee's willingness, or the dependence relationship between the truster and the trustee might change. Another important characteristic of the socio-cognitive model of trust is the distinction between trust in a trustee that has to perform a task based on his internal characteristics (e.g., competence, ability), and the trust in the environment which can affect the achievement of the goals by external factors like opportunities and interferences.

According to this model, the trust in a principal consists in two beliefs/evaluations that are identified as the basis for reliance: competence, which includes knowledge and self-confidence, and disposition, which in turn is based on aspects such as willingness and availability.

Like the above trust definitions, the socio-cognitive model asserts that trust implies, either implicitly or explicitly, the subjective probability of the successful performance of a given trustee within a specific context; it is on the basis of this subjective evaluation of risk that the relationship between a truster and a trustee is engaged. That probability itself depends on the truster's beliefs and evaluations. However, within a given environment, an evaluation of a specific trustee is not really an evaluation about it alone; instead, the evaluation accounts for the environment aspects as well; thus, the subjective probability of the trustee's successful performance should be decomposed into the expectation of the trustee itself behaving dependably (internal attribution) and the expectation of having the appropriate environmental conditions (external attribution) for the performance to succeed, such as the absence of interferences that could harm the performance.

The socio-cognitive trust model is based on the following formal constructs. Let Act = {α1, . . . , αn} be a finite set of actions, and Agt = {A, . . . , X, Y, . . .} a finite set of principals (that in the original work are called agents). Each principal is described by its own set of actions, its plan library, its set of resources, its set of goals, beliefs and motives.

In this model, the actual object of delegation is the action/goal pair, τ = (α, g), and it takes the name of task. Given a principal X and an environmental context Ω (a set of propositions describing the state of the world), it is possible to define the trustworthiness of principal X about τ in Ω (indicated by the notation $\mathit{trustworthiness}_{X,\tau,\Omega}$) as the objective probability that X will dependably perform task τ in environment Ω; this objective probability is computed on the basis of elemental components such as:

Degree of Ability (DoA): it ranges between 0 and 1 and indicates the level of ability of a given principal X about a specific task τ, i.e. the probability that X will correctly perform τ given that he intends to do so;

Degree of Willingness (DoW): it ranges between 0 and 1 and indicates the level of intentionality of a given principal X about a specific task τ, i.e., it is the probability that X actually initiates the performance of a given task given that he declared his intention to perform that task.

Thus, in this model the following dependence holds:

$$\mathit{Trustworthiness}_{X,\tau,\Omega} = F(\mathit{DoA}_{X,\tau,\Omega}, \mathit{DoW}_{X,\tau,\Omega}) \quad (1)$$

where F is a function which preserves monotonicity and ranges in [0, 1], expressing the objective probability that principal X will behave dependably about task τ within the environment Ω.

According to this model, to correctly represent the trustworthiness of a principal through subjective probabilities, it is important to be provided with a cognitive attribution process to interpret the outcomes of a truster's reliance on a given trustee and that trustee's performance (i.e., failure or success); in particular, the effect that the failure or success of a given trustee Y has on the trust a given truster X places in Y depends on X's causal attribution [Wei61] of the event. According to that theory, any event (i.e., success or failure) can be ascribed either to factors internal to the subject, or to environmental, external causes; moreover, these events may either be occasional or depend on stable properties of the principal or the environment. For example, a failure will impact on the self-esteem of a subject only when attributed to an internal and stable characteristic of the subject itself.

The socio-cognitive model defines a function, namely DoT, by which a principal A can evaluate its own trust (degree of trust) in principal B about the task τ (to be performed) in the environment Ω. In [FC01, FC04], f is a general function that preserves monotonicity; in particular, $\mathit{DoA}_{A,B,\tau}$ is B's degree of ability about task τ in A's opinion, $\mathit{DoW}_{A,B,\tau}$ is B's degree of intention about task τ in A's opinion, and e(Ω) takes into account the part of the task that is not directly performed by B and the hampering or facilitating conditions that are enforced by the specific environment Ω.

$$\mathit{DoT}_{A,B,\tau,\Omega} = f(\mathit{DoA}_{A,B,\tau}, \mathit{DoW}_{A,B,\tau}, e(\Omega)) \quad (2)$$

In the analysis of this function, one has to consider all the dependence relationships that may hold between the three sub-constituents (i.e., $\mathit{DoA}_{A,B,\tau}$, $\mathit{DoW}_{A,B,\tau}$, e(Ω)).

2.1 Considerations about the Socio-Cognitive Trust Model

Figure 2. A Conceptual Model for Computing Reputation (direct Evaluations are aggregated into the Self-Made Opinion, Third-Party Expectations into the Third-Party Opinion, and the two opinions are aggregated, under the influence of Time, into the Reputation; the figure labels the two stages Computation and Adaptation.)

The socio-cognitive model provides a very precise description of trust dynamics from a global perspective; however it is worth noting that, in order for this trust model to be completely specified, one has to be aware of how to separate the environment's responsibilities from the trustee's responsibilities. Thus, within a generic scenario in which the truster and the trustee belong to possibly different environments, it is clear that the truster has to be provided with information about how to separate these two components; on the other hand, unless a specific study is performed so as to evaluate the environment effects on the different tasks' contexts, it is not clear how to enable the truster to predict environment effects on a specific task request and to evaluate the objective trustworthiness of the trustee.

Within a global computing context, it is clear that it is not scalable to enable each principal to be aware of the effects that might affect a delegated task in each possible environment in which it may be performed. Moreover, in a virtual society scenario where the consumer/producer interaction paradigm is implemented, the truster does not really care how failure responsibility has to be divided when deciding whether and to whom to delegate a task; actually, he only cares about success probability and wants to be able to evaluate it. In our opinion, the information that is important for the truster to be provided with is the overall probability for the delegated task to succeed.

3 A Conceptual Model for Computing Reputation

Based on the socio-cognitive model of trust, we designed a conceptual model for computing reputations which is inspired by the social dynamics; this model is represented in Fig. 2. In this model we encode our interpretation of the socio-cognitive process that implements reputations.

In the figure we see all the abstractions that take part in reputation forming and the relations between them. First, we can isolate the basic trust elements, namely the evaluations and the expectations. We define an evaluation to be a sampling of the behaviour of the trustee, decided using a specific evaluation criteria. By contrast, we define an expectation to be a representation of trust which considers all the available trust information about the trustee and presently describes its possible behaviour.

Before proceeding with the explanation of the model in the picture, it is worth making some considerations about the effect of time on trust information. Each single basic piece of trust information is determined by the behaviour exhibited by the trustee until a certain time. Since we assume to employ our model in systems in which principals can dynamically change their behaviours, we can legitimately assume each piece of trust information to lose relevance in reputation computation as time passes. For this reason, the picture shows that time is an element that influences the aggregation of the basic trust elements.

For computing reputations, each principal employs both expectations and evaluations. Expectations may be obtained from third parties (Third-Party Expectations), through the exchange of recommendations, which are generally produced by the recommender through the aggregation of basic trust values, or self-constructed, through the composition of locally-available trust information derived from the direct experience of the truster.

Hence, each principal aggregates the locally-available basic trust information in order to obtain the Third-Party Opinion and the Self-Made Opinion; the former is obtained by aggregating the available Third-Party Expectations, and the latter is obtained by aggregating the available direct Evaluations.

Then, the opinions are aggregated to form the reputation. This is, after all, the social mechanism of reputation forming: each of us maintains information about the recommendations that he gets from other individuals and employs them in composition with the expectation obtained from his direct experience, so as to obtain a more complete evaluation, which takes the name of reputation.

In the composition of these trust abstractions, there is also a dependence between some of the trust abstractions and the adaptiveness criteria.

First, each single trust evaluation has a role in its composition with the aggregated value; for instance, the aggregated value can vary depending on whether the evaluation is classified as stable or occasional, and on whether it is positive or negative with respect to the expected evaluation.

Second, the Self-Made Opinion has a role in the aggregation of Third-Party Expectations; for instance, these expectations can be considered in the aggregation according to whether they provided useful information for guessing the result of the subsequent evaluations. Moreover, the Self-Made Opinion is also important for aggregating itself with the Third-Party Opinion; based on how much a principal found himself able to guess the result of interactions by employing only the self-obtained trust expectation, it can decide which weight to give to the one expectation with respect to the other.

This conceptual model defines a class of computational models of reputation which is both compatible with the ideals expressed in the socio-cognitive model of trust and implementable in settings in which it is impossible to maintain centralized information. In the next chapter, we present our implementation of this model, namely the Socially Inspired Reputation model (SIR).
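The following Python sketch is an added example, not code from the thesis nor from SIR or TAw: it implements one member of the class of models just described, i.e. the conceptual model of Fig. 2 (time-decayed Evaluations forming the Self-Made Opinion, Third-Party Expectations weighted by how useful each recommender proved for guessing later outcomes, and the two opinions composed into a reputation), and places the per-entity trust criteria of the framework in Sect. 1 on top of it. The exponential decay with a half-life, the Laplace-smoothed accuracy scores, the constructed scenario (Bob, Carol, Mallory) and all names are assumptions made for illustration.

```python
# Added example, not code from the thesis or from SIR/TAw: a minimal
# implementation of the conceptual reputation model of Fig. 2 (Sect. 3),
# with the per-entity trust criteria of the framework in Sect. 1 on top.
# Exponential decay, Laplace-smoothed "predictive usefulness" weighting
# and all names are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HALF_LIFE = 10.0  # assumed: age (time units) at which a piece of trust information weighs half


def decay(age: float, half_life: float = HALF_LIFE) -> float:
    """Relevance of a piece of trust information that is `age` time units old."""
    return 0.5 ** (age / half_life)


@dataclass
class Evaluation:
    """A sampling of the trustee's behaviour taken from direct experience."""
    time: float
    outcome: float  # 1.0 = the delegated task succeeded, 0.0 = it failed


@dataclass
class Recommendation:
    """A Third-Party Expectation received from a recommender."""
    recommender: str
    time: float
    expectation: float  # the recommender's expectation about the trustee, in [0, 1]


def smoothed(score: List[float]) -> float:
    """Laplace-smoothed predictive accuracy; an unknown source starts at 0.5 (assumed prior)."""
    hits, total = score
    return (hits + 1.0) / (total + 2.0)


@dataclass
class Truster:
    now: float = 0.0
    evaluations: Dict[str, List[Evaluation]] = field(default_factory=dict)
    recommendations: Dict[str, List[Recommendation]] = field(default_factory=dict)
    recommender_score: Dict[str, List[float]] = field(default_factory=dict)  # name -> [hits, total]
    self_score: List[float] = field(default_factory=lambda: [0.0, 0.0])        # own opinion's accuracy

    def receive(self, trustee: str, rec: Recommendation) -> None:
        self.recommendations.setdefault(trustee, []).append(rec)

    def recommender_weight(self, name: str) -> float:
        return smoothed(self.recommender_score.get(name, [0.0, 0.0]))

    def self_made_opinion(self, trustee: str) -> Optional[float]:
        """Self-Made Opinion: time-decayed average of the direct Evaluations."""
        evs = self.evaluations.get(trustee, [])
        if not evs:
            return None
        weights = [decay(self.now - e.time) for e in evs]
        return sum(w * e.outcome for w, e in zip(weights, evs)) / sum(weights)

    def third_party_opinion(self, trustee: str) -> Optional[float]:
        """Third-Party Opinion: expectations decayed by age and weighted by how
        useful each recommender has been, so far, for guessing real outcomes."""
        recs = self.recommendations.get(trustee, [])
        if not recs:
            return None
        num = den = 0.0
        for r in recs:
            w = decay(self.now - r.time) * self.recommender_weight(r.recommender)
            num += w * r.expectation
            den += w
        return num / den

    def reputation(self, trustee: str) -> Optional[float]:
        """Reputation: the two opinions composed, weighting own experience by
        how well the Self-Made Opinion predicted past outcomes."""
        smo = self.self_made_opinion(trustee)
        tpo = self.third_party_opinion(trustee)
        if smo is None:
            return tpo
        if tpo is None:
            return smo
        a = smoothed(self.self_score)
        return a * smo + (1.0 - a) * tpo

    def evaluate(self, trustee: str, outcome: float) -> None:
        """Adaptation step: record the outcome of an interaction at time `now`.
        Before the new Evaluation enters the history, every expectation that was
        available is scored on how well it predicted this outcome."""
        smo = self.self_made_opinion(trustee)
        if smo is not None:
            self.self_score[0] += 1.0 - abs(smo - outcome)
            self.self_score[1] += 1.0
        for r in self.recommendations.get(trustee, []):
            score = self.recommender_score.setdefault(r.recommender, [0.0, 0.0])
            score[0] += 1.0 - abs(r.expectation - outcome)
            score[1] += 1.0
        self.evaluations.setdefault(trustee, []).append(Evaluation(self.now, outcome))


def trusted(reputation: Optional[float], lower: float, upper: float) -> bool:
    """Trust criteria (Sect. 1): each entity fixes its own acceptance interval."""
    return reputation is not None and lower <= reputation <= upper


def demo():
    """Constructed scenario: Bob always succeeds; Carol recommends him accurately
    (0.9) while Mallory badmouths him (0.1).  Returns (reputation before any direct
    experience, reputation after three successes, Carol's weight, Mallory's weight)."""
    alice = Truster()
    alice.receive("Bob", Recommendation("Carol", 0.0, 0.9))
    alice.receive("Bob", Recommendation("Mallory", 0.0, 0.1))
    before = alice.reputation("Bob")  # both recommenders unknown: 0.5
    for t in range(3):
        alice.now = float(t)
        alice.evaluate("Bob", 1.0)
    return (before, alice.reputation("Bob"),
            alice.recommender_weight("Carol"), alice.recommender_weight("Mallory"))
```

In the constructed scenario the two recommenders start with the same weight, so Alice's reputation for Bob is 0.5 before any direct experience; after three successful interactions Mallory's contradicted recommendation has lost weight against Carol's, the Self-Made Opinion dominates, and the reputation rises to 0.923. Whether that value makes Bob "trusted" is then a matter of each entity's own interval, exactly as in the Alice/Bob example of Sect. 1.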

4 Related Contributions

In [ARH97, ARH00], Abdul-Rahman and Hailes employ a reputation-based infrastructure for information retrieval. First, they propose a discrete metric for expressing trust degrees. We believe that this design choice does not adequately enable a faithful representation of social trust; in fact, the social intuition which is encoded in the aggregation of trust information to compute direct trust, indirect trust, and reputations is not clear. For instance, the way in which direct trust is encoded aims to describe the whole interaction history between a given truster and a given trustee; however, that representation makes no distinction about which evaluations happened far in the past and which ones happened recently, therefore it is impossible for the truster to understand the behavioural pattern of the trustee and to get a picture of its current dependability.

In [AD01], Aberer and Despotovic introduce a complaint-based reputation system to be applied within peer-to-peer infrastructures for file sharing. In our opinion, a reputation model which keeps record only of complaints is not adequate to represent social reputation in that it is not representative of the whole interaction history; the complaints could refer, for instance, to events that happened far away in the past, after which a dependable behaviour has been exhibited for a long period. Therefore, since the model itself does not model trust adaptiveness with time, it is impossible for a faulty principal which committed mistakes to rebuild a good reputation. In addition, the model does not provide any means to distinguish legitimate trust information from malicious information. Finally, their reputation management system requires a distributed data structure, namely P-Grid, to be deployed over the whole peer-to-peer architecture so as to maintain trust information.

In [AM04], Azzedin and Maheswaran develop a socially inspired reputation model that is similar to the one proposed in this paper. First of all, they define a criteria for evaluating the honesty of a recommender that is quite debatable, in that a recommender is evaluated as honest if in the past it returned recommendations that describe a quite stable behaviour of a given trustee; however, in order for this criteria to be valid, it requires the trustee to really exhibit a stable behaviour. This contradicts the dynamical nature of reputation and the asynchronous nature of failures, which may substantially affect the behaviour of a principal; a social reputation system would be useless if it were guaranteed that principals always exhibit the same behaviour. Second, in this model, after a trust evaluation has been performed, direct trust is updated without considering the time elapsed since the last update; thus, it does not consider trust information to become obsolete as time passes. Moreover, the direct-trust update semantics does not consider the behavioural history of the trustee. Similarly to what happens for direct trust, we think that the semantics which defines reputation in terms of both direct and indirect trust is not representative of human social behaviour.

In [BBK94, YKB93], Beth and Yahalom describe a formal trust model, founded on Bayesian probability theory and reliability analysis techniques, which is to be used for evaluating the trustworthiness of entities in open networks. In order for it to be applied, a truster has to know all the paths to the trustee in the trust network, within the specific context in which trust is to be evaluated; hence, as the trust-network complexity and the trust contexts grow, this model does not meet the scalability and efficiency requirements that would enable its practical employment. Moreover, this model does not implement any technique for encoding the freshness of the available trust information (e.g., trust decay as time passes). Our dynamical and adaptive reputation model does not require a truster to handle any structured knowledge of the trust network; in addition, it is expected to meet the required flexibility and scalability requirements regardless of the network topology complexity.

In [BB03, BB04], Buchegger presents a reputation model which is based on the beta probability density function. This model does not implement dynamical trustworthiness of recommendations; instead, it identifies as malicious the recommendations which substantially differ from the direct trust. This assumption might not be true and may lead to slowed adaptiveness in that, if a recommendation reports a behaviour change of the trustee which recently happened and which has not yet been identified by the truster, this trustworthy information would be identified as malicious by the truster and thus discarded. In addition, this model also implements an aging technique to express the decay of trust with time which is rather unrealistic: firstly, the decay does not depend on time but on the position of the trust evaluation within the sequence, and each trust evaluation is applied the same decay factor independently of the time interleaving each pair of consecutive evaluations; secondly, when the decay is applied, the aging does not apply to the whole evaluation history but rather to either the sequence of successes or the sequence of failures, according to the last trust evaluation.

In [Cap04], Capra proposes a reputation model which is inspired by human behaviour; however, though a detailed trust metric is presented, its root within human psychology is not clear. The author argues that, so as to weight recommendations according to their dependability, trust is evaluated within the provisioning of recommendations; further in that document, a quality attribute, which does not depend on the recommender's reputation but on the degree of knowledge between the truster and the recommender, is introduced to weight the various recommendations. This may lead to problems in that the truster can believe itself to have a high degree of knowledge about an undependable provider; in this case it will possibly weight its recommendations more than ones which are more dependable. Moreover, the binding between human behaviour and the semantics which specifies the composition of the direct trust value with the one derived from the evaluation of the provider's recommendations is not clear.

In the context of the SECURE European Project a reputation model specific to ubiquitous computing is being studied; specifically, in [CNS03] Carbone makes use of knowledge degrees to disambiguate between principals that present the same trust levels and to bootstrap the trust acquisition mechanism in an unknown environment. Although the trust model the author develops is very precise about statical definitions, it is not clear how they develop the dynamical adaptation of trust and reputation degrees. By means of decay functions that depend on time, our model encodes a degree of knowledge (i.e., a degree of freshness of the encoded information) within the reputation model as well.

In [JK98, Jøs99, Jøs01], Jøsang defines a trust model which is based on a triple of probability values describing the behaviour that a specific principal will assume when an interaction with him is engaged; these triples specify, respectively, the probability of engaging a positive interaction, the probability of engaging a negative one, and the uncertainty. Although the model is well specified and developed, the chosen trust representation hides all the information about the interaction history of the trustee and does not allow the truster to understand the behaviour that the trustee could currently exhibit (as happens for Buchegger's model in [BB03]). In fact, given any two trust evaluation sequences with both the same number of success results and the same number of failure results, the model returns the same reputation whatever permutation of these evaluations is assumed; therefore, a trustee whose dependability was bad at the beginning and then always exhibited a dependable behaviour is considered as trustworthy as another which recently lost its dependability. Trust adaptability with time has not been considered in the model.

In [Jøs02], Jøsang proposes a reputation model based on the beta probability density function. Though it is based on solid theoretical foundations, we think that it is not representative enough of social reputation. In fact, the model does not distinguish between direct and indirect forms of trust, therefore it does not specify any semantics to represent the human psychology in distinguishing among them. Moreover, although an aging mechanism is implemented for the obtained recommendations, the semantics which implements the recommendation aging is not clear; according to that semantics, it appears that the aging is not based on the time at which a recommendation was produced, but rather on its position in the sequence of the recommendations that the truster collected.
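Two of the criticisms above, namely that an aggregation which only counts successes and failures returns the same value for every permutation of the history, and that a decay applied per position in the sequence cannot tell a recent change from an old one, can be made concrete on a small constructed history. The Python below is an added example, not code from the thesis and not the actual formulas of the models cited above: the three aggregators are simplified stand-ins for the three behaviours discussed (order-blind counting, position-based decay, time-based decay), and the histories, the half-life and the per-step factor are assumptions made for illustration.

```python
# Added example, not code from the thesis or from the cited models: three
# simplified ways of turning an evaluation history into one expectation, to
# make concrete the criticisms made above (order-blind counts; decay by
# position in the sequence rather than by elapsed time).  Histories and
# parameters are constructed; none of these is a cited model's formula.
from typing import Dict, List, Tuple

History = List[Tuple[float, float]]  # (time of evaluation, outcome: 1.0 success / 0.0 failure)

HALF_LIFE = 10.0   # assumed half-life of an evaluation's relevance (time units)
STEP_DECAY = 0.5   # assumed factor applied per later evaluation by the position-based scheme


def count_based(history: History) -> float:
    """Successes over total: the same value for every permutation of the history."""
    return sum(outcome for _, outcome in history) / len(history)


def position_decay(history: History, factor: float = STEP_DECAY) -> float:
    """Each evaluation is discounted once per evaluation that follows it,
    regardless of how much time separates them."""
    n = len(history)
    weights = [factor ** (n - 1 - i) for i in range(n)]
    return sum(w * o for w, (_, o) in zip(weights, history)) / sum(weights)


def time_decay(history: History, now: float, half_life: float = HALF_LIFE) -> float:
    """Each evaluation is discounted by the actual time elapsed since it was made."""
    weights = [0.5 ** ((now - t) / half_life) for t, _ in history]
    return sum(w * o for w, (_, o) in zip(weights, history)) / sum(weights)


# Constructed histories.  Each contains exactly three successes and three failures.
REFORMED = [(0, 0.0), (1, 0.0), (2, 0.0), (50, 1.0), (51, 1.0), (52, 1.0)]    # bad long ago, good lately
DECLINED = [(0, 1.0), (1, 1.0), (2, 1.0), (50, 0.0), (51, 0.0), (52, 0.0)]    # good long ago, bad lately
DECLINED_FAST = [(0, 1.0), (1, 1.0), (2, 1.0), (3, 0.0), (4, 0.0), (5, 0.0)]  # same order, no time gap
NOW = 53.0


def compare(now: float = NOW) -> Dict[str, Dict[str, float]]:
    """Expectation that each scheme assigns to each constructed history at time `now`."""
    return {name: {"count": count_based(h),
                   "position": position_decay(h),
                   "time": time_decay(h, now)}
            for name, h in (("REFORMED", REFORMED), ("DECLINED", DECLINED),
                            ("DECLINED_FAST", DECLINED_FAST))}
```

Counting gives 0.5 for all three histories, so a trustee that reformed long ago and one that recently lost its dependability are indistinguishable. Position-based decay separates REFORMED (8/9) from DECLINED (1/9) but assigns DECLINED and DECLINED_FAST exactly the same value, although in the first case the failures are fifty time units after the successes and in the second they follow immediately. Only the time-based decay reflects both the order and the timing: at time 53 it gives roughly 0.97, 0.03 and 0.45 respectively, the last one expressing that the three failures at times 3 to 5 are nearly as stale as the three successes before them.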

In [JP04], Jøsang and Lo Presti define trust in a way that is semantically different from the definition we gave in Chap. 1 and define a trust degree according to that definition; in our opinion, their definition of trust merges reputation semantics with a trusting criteria (i.e., deciding whether to trust or not). Although we believe that it would be better to maintain the decision criteria separate from the reputation semantics, given the trustee's reputation, this criteria can be applied on our reputation model as well to implement decision making about whether to trust or not.

Both Dragovic et al. [DHH+03] and the OpenPrivacy project [ope] implement reputation management systems; the former for trust-aware selection of application servers, and the latter for disseminating and computing trust information within a specific distributed object middleware. However, no specific information about the adopted reputation models was available to the authors.

4.1 The Web of Trust

In the context of Public Key Infrastructures (PKI), trust has been widely studied within the "Web of Trust" model [Car00, Mau96]. Introduced by Zimmermann in Pretty Good Privacy (PGP) [Zim95], the web of trust can be defined as a PKI model where a global state about the principals and their direct trust relationships is maintained; i.e., each principal can make publicly known whose keys he trusts to be authentic. Moreover, as a member of the infrastructure, each principal can decide whom, and to which degree, to trust as an introducer of new keys. In order for communication to take place between any two principals, a trust link between them has to be enabled by the trust relationships encoded in the web of trust. In [Mau96], Maurer formalizes the web of trust model and describes a technique for assessing probabilistic trust between two principals in a web of trust. However, such a technique requires all the possible trust paths between the two principals to be known and a complex analysis technique to be applied on them; its complexity prevents such a technique from being applied in practice. In [Car00], Caronni introduces and evaluates heuristic techniques for reducing the complexity of Maurer's technique; however, such techniques still require a global state about certificates and direct trust relationships to be maintained. Human societies do not rely on having global knowledge of trust networks and, still, the social reputation model succeeds in identifying untrustworthy individuals so as to support legitimate interactions among population members. Our social reputation model enables one to implement a reputation system without requiring principals to maintain a global state about the trust network, meeting scalability and efficiency even in arbitrarily complex scenarios. Moreover, our reputation model implements the dynamical behaviour that is not captured by the earlier model implemented in the web of trust.


Chapter 3

SIR: Socially Inspired Reputation Model

1 Foundations of Trust

In [Mez03], trust is defined as a ternary relation T(α, β, φ), where α and β are two principals and φ is a context. The presence of the triple (Alice, Bob, c(i)) in T indicates that Alice trusts Bob for consuming interface i.

A trust system is defined as the triple (P, Φ, T), where P is the set of principals and Φ is the set of contexts on which the trust relation T is defined. A trust relation T defined over P × P × Φ may satisfy the following properties:

reflexivity: A trust relation T is reflexive in context φ if, for every principal α ∈ P, the triple (α, α, φ) is in T.

symmetry: A trust relation T is symmetric in context φ if, for every pair of principals α, β ∈ P, if (α, β, φ) ∈ T then (β, α, φ⁻¹) ∈ T (i.e., each has assessed the trustworthiness of the other).

Reflexivity is also called implicit trust. Basically, the reflexive property enables the existence of self-confidence; that is, after two principals have engaged in an interaction with each other, each of them has more experience and, thus, more data with which to compute a more precise a-priori estimation of the other principal's behaviour.

For instance, let us say that Alice carries out an interaction with Bob because she wanted interface i to be provided and Bob was able to satisfy her request. Hence, after the interaction Alice has a new trust evaluation, which can be used to estimate the error that Alice made by relying on the trust information she had a priori.

The symmetric property states that any consumer/producer interaction has to affect the trust information of both principals; i.e., both the consumer's trust information about the producer and the producer's trust information about the consumer. In fact, after an interaction between any two principals, each of them has more information about the other and can compute a better estimation of its behaviour in the context in which the interaction occurred.

Moreover, within each possible context, each single interaction is an instance of the client/server interaction paradigm; thus, both the client and the server are bound to the same interaction semantics. In the specific case of this work, the two contexts φ and φ⁻¹ are both bound to the same interface.

When speaking of trust, it is worth mentioning the first context in which trust appeared, that is, authentication. We define the context of authentication, represented by the notation auth, to be a special context that is equal to its inverse.

Having the reflexive property satisfied within authentication expresses the trust that each principal is believed to maintain the secrecy of its private key. More in general, trusting a principal within authentication means trusting the binding between his private key and his identity.

On the other hand, having the symmetric property satisfied within authentication indicates that, for any two principals, it is possible for them to mutually authenticate and, thus, implement security requirements such as non-repudiation of origin and integrity of origin, which are the basis of each effective exchange of information. In fact, in the real world any two entities exchanging messages do so successfully only if there is some kind of authentication between them; otherwise, any communication between these two principals has no effect (i.e., without any information about the message origin, that message is to be ignored). Thus, proof of message origin and integrity have to be provided in order for a principal to consider the content of the message as coming from the expected sender.

Proposition 1 (communicability condition) Let α, β ∈ P be any two principals; then a communication between them can take place if and only if T_{α,β}, the restriction of T to the set of principals {α, β}, is symmetric in the context of authentication.

A third property, namely transitivity, is defined by introducing the jurisdiction subcontext; it is used to represent trustworthiness in recommending principals acting within a specific context. Given a context φ, the jurisdiction subcontext associated with φ is represented in mathematical notation by the symbol j(φ). A principal having jurisdiction over a context φ is trusted for providing reliable trust information about trustees within context φ (i.e., whether a given trustee can be trusted or not); such information is referred to as recommendations. For example, (Alice, Bob, j(φ)) ∈ T means that Alice places trust in Bob for having jurisdiction over context φ and is willing to inherit Bob's trust relationships for context φ. Transitivity is formally defined as follows:

transitivity: A trust relation T is transitive in context φ if, for every three principals α, β, γ such that (α, β, j(φ)) ∈ T and (β, γ, φ) ∈ T and the communicability condition holds for both α, β and β, γ, then (α, γ, φ) ∈ T.

Table 1. Structure of Φ augmented with jurisdiction.

I ::= i | h | k

C ::= p(I) | c(I) | authentication

Φ ::= C | j(C)

In other words, given a trust relation T, transitive in context φ, and any three principals α, β, γ, if T(α, γ, φ) is not defined in T, it can be indirectly computed if both T(α, β, j(φ)) and T(β, γ, φ) are defined; the trust between principals α and γ is then obtained by composing T(α, β, j(φ)) with T(β, γ, φ).

Having the transitive property satisfied within authentication enables Certification Authorities and credential chains: a principal, say Alice, trusting another one, say Bob, for having jurisdiction within authentication, will inherit all the trust relationships that hold between Bob and any other principal within the context of authentication. In this case, for Alice, Bob plays the role of Certification Authority. Hence, having a transitivity chain within T enables principals to inherit trust relationships along the chain and thus, at an abstract level, certificate chains to be implemented.

In Tab. 1 the set Φ of the possible contexts is defined in terms of the definitions given above; here, I indicates the set of service interfaces and C the basic contexts.

Given the basic notions of trust, we define a trust system to be an environment in which trust relationships can be established between that environment's principals; a trust system is specified by the triple (P, Φ, T) where P is the set of principals, Φ is the above-defined set of contexts, and T is the trust relation.


1.1 Trust Degrees

So far, we have seen a trust relationship T as a relation: given a couple of entities and a context, T indicates the existence of a trust relation without giving any other information about the strength of this trust binding. In order to express this "strength", the trust relationship is changed into a trust function that returns a real value belonging to the closed interval [0, 1], within which the value 1 indicates "full trust" and 0 indicates "absence of trust"; by "absence of trust" we do not mean distrust (which is a rather different concept), but that the data available to the principal do not lead him to expect a dependable behaviour. We name this strength measure trust degree. While remaining consistent with the definition of trust given above, this representation greatly improves its expressiveness.

T : P × P ×Φ −→ [0, 1] (1)

For example, the notation T(Alice, VISA, p(ATM)) = 0.99 indicates that Alice expects from VISA's automatic teller machine a dependable behaviour (which embodies properties such as availability and exactly-once semantics) with a probability of 0.99, when used for withdrawing cash; in turn, with a probability of 0.01 Alice expects the ATM service not to dependably satisfy her request (for example, she might expect it to be unavailable).

Trust degrees are not only used by a principal to decide whether or not to interact with a given principal; they might also be used to determine the security mechanisms and parameters that have to be required for the interaction to take place. For instance, in electronic commerce applications trust models are used to determine the frequency at which a principal has to authenticate when performing micro-transaction payments [Man00].

Within transitive trust, the truster should be prevented from trusting a given trustee more than both the trust he places in the recommender and the trust the recommender places in that trustee. Hence, if T(Alice, Bob, j(φ)) and T(Bob, Cecilia, φ) are defined, then Alice would trust Cecilia in the same context with degree

$$T(\mathit{Alice}, \mathit{Cecilia}, \varphi) \le \min\{\, T(\mathit{Alice}, \mathit{Bob}, j(\varphi)),\; T(\mathit{Bob}, \mathit{Cecilia}, \varphi) \,\} \qquad (2)$$

where, for the product defined in (3), equality holds iff the smaller of the two degrees is 0 or the larger is 1 (in particular, whenever both take a value in {0, 1}). The inequality (2) is satisfied by defining recommended trust as the arithmetic product of the trust degree that holds between the truster and the recommender and the one that holds between the recommender and the trustee, within the appropriate contexts (see below).

T (Alice, Cecilia, φ) = T (Alice, Bob, j(φ)) · T (Bob,Cecilia, φ) (3)

2 The Reputation Model

Before introducing the reputation model, we assume a trust system (P, Φ, T) where j(φ) is defined for each context φ ∈ Φ.

In Sec. 1, we defined trust as a function that returns the trust degree between a truster and a trustee within a given context. However, trust is not static in time; both time and events (e.g., an interaction that takes place between the truster and the trustee) can change a given trust degree. Thus, we define the generic trust function as below, where τ indicates the set of numerical time values.

T : P × P ×Φ× τ −→ [0, 1] (4)

In [BB03, BB04, JK98, Jøs99, Jøs01], the authors model direct trust by using a beta probability density function, which in statistics is used to represent the a-priori estimation about an event's behaviour. The basic assumption for this model to be applicable is that the trust evaluations have to be abstracted as stochastic events which follow a binomial probability distribution and may only represent either the failure or the success of the trustee's dependability. Since we want to improve the expressiveness of the dependability evaluation, in this section we propose a model for direct trust which is based on the evaluation of trust degrees belonging to the continuous interval [0, 1]; this enables the measurement of partial dependability, which can implement a better degree of precision in computing trustee reputations.

Thus, we define a generic trust function as in (5), where the parameters respectively represent the truster, the trustee, the context, and the time at which trust has to be evaluated, and the return value is named trust value and indicates the strength of the trust relationship between the truster and the trustee; we assume the value 0 to represent "absence of trust" and the value 1 to represent "full trust".

T : P × P ×Φ× τ −→ [0, 1] (5)

Consistently with our definition of trust, we assume all the trust values to be initialized to 0, since there is no a-priori data that justifies a different trust value being assigned.

We assume obsolete information not to enable accurate estimations of current behaviours. Hence, we assume trust to decay as time passes; specifically, for each context we define a decay function that models the speed with which trust information becomes obsolete within that context.

δφ(t) : τ → [0, 1]

Several decay functions are needed because the validity of a trust degree depends on the nature of the context within which it applies; e.g., the more critical (i.e., risky) the context, the more rapidly trust decreases with respect to time if no new trust information is available. For us to choose a proper decay function we have to consider that, if no fresh trust information is provided, trust decay should not depend on the trust-update rate; i.e., if a given reputation is measured as ρ at time t, at time t′ that reputation has to be measured as ρ′ independently of how many times it was updated in between. Thus, given t′′ such that t ≤ t′′ ≤ t′, the proper decay function which satisfies this property is one that solves the following equation:

$$\rho \cdot \delta_\varphi(t' - t) = \rho \cdot \delta_\varphi(t'' - t) \cdot \delta_\varphi(t' - t'') \qquad (6)$$

It is easily provable that (6) is satisfied by all the functions which are homomorphisms from (R⁺ ∪ {0}, +) to ([0, 1], ·), such as, for example, the exponential function in (7) (with 0 ≤ η_φ ≤ 1, so that its values stay within [0, 1]).

$$\delta_\varphi(t) = \eta_\varphi^{\,t} \qquad (7)$$

According to the nature of social trust, in this section we define three trust abstractions: reputation, direct trust, and indirect trust. On the one hand, direct trust encodes trust based on the truster's own experience. On the other hand, indirect trust encodes trust based on the recommendations the truster receives from the other principals.

Equation (8) models direct trust, which represents the perception of a principal's trustworthiness that is uniquely determined by the trust evaluations in which the principal computing the reputation took part in the role of truster. In order for direct trust to be computed, a truster has to evaluate each action that is exhibited by the trustee within the trust assessment context; in (8), tv_t ∈ [0, 1] models a trust value derived from an interaction which happened at time t. Specifically, if the set E of trust evaluations does not change, the direct trust at time t′ is computed by applying the decay function to the last direct trust value D(α, β, φ, t)_E, computed at time t; otherwise, let tv_{t′} ∈ [0, 1] be the fresh trust evaluation obtained at time t′: the new direct trust value is computed by normalizing the linear combination of tv_{t′} and the past direct trust value D(α, β, φ, t)_E, that is, the last direct trust value computed at time t ≤ t′.

$$
D(\alpha,\beta,\varphi,t')_{E'} =
\begin{cases}
0 & \text{if } E' = \emptyset \\[4pt]
D(\alpha,\beta,\varphi,t)_{E} \cdot \delta_\varphi(t'-t) & \text{if } E' = E \\[4pt]
\dfrac{D(\alpha,\beta,\varphi,t)_{E} \cdot \delta_\varphi(t'-t) + \omega \cdot tv_{t'}}{\delta_\varphi(t'-t) + \omega} & \text{if } E' = E \cup \{tv_{t'}\}
\end{cases}
\qquad (8)
$$

In the equation above, ω is named the trust stability factor and represents the adjustment to be made to the trust value according to the previous interactions; the cognitive model for trust stability is described below in this section.


Equation (9) models indirect trust, which we define to be the average reputation that a set Γ of known principals, namely recommenders, associate with the trustee (within a given context and at a specific time). In that equation, it is worth noting the use of the notation R(γ, β, φ, t), which stands for the reputation obtained from principal γ about principal β; for clarity, we call recommendation each reputation that a principal obtains from other principals. The weight that is assigned to each single recommendation is the current direct trust between α, the principal receiving the recommendations, and the recommender which provided that recommendation, within the context of "provisioning of recommendations within context φ", which is represented by the notation j(φ). Whenever fresh trust information is not available, the trust decay applies as in the case of direct trust.

$$
I(\alpha,\beta,\varphi,t')_{R'} =
\begin{cases}
0 & \text{if } R' = \emptyset \\[4pt]
I(\alpha,\beta,\varphi,t)_{R} \cdot \delta_\varphi(t'-t) & \text{if } R' = R \\[4pt]
\dfrac{\sum_{\gamma\in\Gamma} D(\alpha,\gamma,j(\varphi),t')_{E} \cdot R(\gamma,\beta,\varphi,t')}{\sum_{\gamma\in\Gamma} D(\alpha,\gamma,j(\varphi),t')} & \text{otherwise}
\end{cases}
\qquad (9)
$$

Equation (10) defines reputation as the convex combination of direct and indirect trust; the trust balancing factor, represented by the notation ψ, indicates the subjective weight a specific principal assigns to direct trust with respect to indirect trust; the cognitive model for trust balance is described below in this section. Moreover, in this equation E and R indicate, respectively, the set of trust evaluations directly performed by the truster and the set of recommendations that he collected from a set Γ of recommenders. Similarly to what happens for both direct and indirect trust, if no new trust evaluation is available, it is possible to compute the current reputation from the previously computed value.

$$
R(\alpha,\beta,\varphi,t')_{E',R'} =
\begin{cases}
R(\alpha,\beta,\varphi,t)_{E,R} \cdot \delta_\varphi(t'-t) & \text{if } E' = E \wedge R' = R \\[4pt]
\psi \cdot D(\alpha,\beta,\varphi,t')_{E'} + (1-\psi) \cdot I(\alpha,\beta,\varphi,t')_{R'} & \text{otherwise}
\end{cases}
\qquad (10)
$$

Let any two principals carry out an interaction; after that interaction, each of them can associate a trust value with the other principal, according to his behaviour during that interaction. However, a new trust value does not only contribute to computing the direct trust between a truster and a trustee; it is also used for computing the direct trust between the truster and the recommenders. Basically, the smaller the difference between the recommendation and that trustee's direct trust (updated with the latest trust value), the better the reputation that the truster will associate with that recommender. Thus, given a truster α, a recommender β, and a trustee γ, the trust value tv that α associates with a recommendation from β regarding γ's trustworthiness within a context φ is given by (11), and the new direct trust degree between the truster and the recommender (in context j(φ)) is computed from it according to (8).

$$tv = 1 - \left| R(\beta,\gamma,\varphi,t') - D(\alpha,\gamma,\varphi,t') \right| \qquad (11)$$

2.1 Modeling Trust Stability

According to [Wei61], to correctly represent the trustworthiness of a principal through subjective probabilities, it is important to be equipped with a cognitive attribution process to interpret the outcomes of a truster's reliance on a given trustee and that trustee's performance (i.e., failure or success); in particular, the effect that the failure or success of a given trustee has on the trust that the truster places in the trustee depends on the causal attribution that the truster associates with the event. Hence, any event (i.e., success or failure) can be either ascribed to factors internal to the subject or to environmental, external causes; moreover, these events may either be occasional or depend on stable properties of the principal or the environment. However, since we are not provided with information about the trustee's internals and our reputation model is intended to estimate the truster's subjective reliance on the trustee's behaviour, we decide not to distinguish between individual and environmental responsibilities but to only distinguish between stable and occasional behaviours. In fact, the actual goal of the truster is to assess the extent of overall trustworthiness that can be associated with the trustee within a specific context.

Therefore, trust stability is modeled by (12); here, we want to identify whether an interaction was typical or not and to adapt direct trust accordingly. We assume the trust values that derive from the trust evaluations of a single principal, within the same context, to have a Gaussian distribution with mean value \overline{tv} and standard deviation σ; thus, given the set E of currently available trust evaluations about a specific principal within a given context, we define his stable behaviours to be the ones whose trust degrees fall within the interval [\overline{tv}_E − σ_E, \overline{tv}_E + σ_E], where \overline{tv}_E is the mean value computed on the set of evaluations E and σ_E the respective standard deviation. In (12), the functions f_{occ,pos}(E, tv), f_{stab,pos}(E, tv), f_{stab,neg}(E, tv), and f_{occ,neg}(E, tv) are to be instantiated according to the specific behaviour that the principal wants to implement: f_{occ,pos}(E, tv) implements the behaviour corresponding to the occurrence of occasional evaluations which are better than the stable ones, f_{stab,pos}(E, tv) implements the behaviour corresponding to the occurrence of stable evaluations which are better than the expected value, f_{stab,neg}(E, tv) implements the behaviour corresponding to the occurrence of stable evaluations which are worse than the expected value, and f_{occ,neg}(E, tv) implements the behaviour corresponding to the occurrence of occasional evaluations which are worse than the stable ones; f_{exp}(E, tv) covers the case in which the evaluation coincides with the expected value.

$$
\sigma_{\emptyset} = 0, \qquad
\sigma_{E \cup \{tv\}} = \sqrt{\frac{\sum_{tv_i \in E \cup \{tv\}} \left(tv_i - \overline{tv}_{E \cup \{tv\}}\right)^2}{|E| + 1}}
$$

$$
\omega =
\begin{cases}
f_{occ,pos}(E, tv) & \text{if } tv > \overline{tv}_E + \sigma_E \\[2pt]
f_{stab,pos}(E, tv) & \text{if } \overline{tv}_E + \sigma_E \ge tv > \overline{tv}_E \\[2pt]
f_{exp}(E, tv) & \text{if } tv = \overline{tv}_E \\[2pt]
f_{stab,neg}(E, tv) & \text{if } \overline{tv}_E > tv \ge \overline{tv}_E - \sigma_E \\[2pt]
f_{occ,neg}(E, tv) & \text{if } tv < \overline{tv}_E - \sigma_E
\end{cases}
\qquad (12)
$$

It is worth noting that the proposed approach does not require each principal to maintain the evaluations about each single interaction in which it took part; in order for a truster to maintain updated statistical information about the interactions engaged in with another principal, it is sufficient for that truster to maintain three pieces of information: the number of engaged interactions, the sum of the evaluations, and the sum of the squares of each single evaluation. This information enables one to easily derive the statistics (i.e., mean and variance) and can be easily updated with evaluations about further interactions.

In order for our model to be employed within some dependability context, we believe a cautious and responsible behaviour should be modeled by the trust stability. For instance, if the fresh trust value indicated an unusually low-dependable behaviour, then the trust stability value has to enforce a significant decrease in the associated direct trust; in turn, if it indicated an unusually high-dependable behaviour, then the trust stability value has to enforce a negligible increase in the associated direct trust. The functions below encode this evaluation approach.

$$
\begin{aligned}
f_{occ,pos}(E, tv) &= 0 \\
f_{stab,pos}(E, tv) &= 1 - \frac{tv - \overline{tv}_E + \sigma_E}{2\sigma_E} \\
f_{exp}(E, tv) &= \tfrac{1}{2} \\
f_{stab,neg}(E, tv) &= 1 - \frac{tv - \overline{tv}_E + \sigma_E}{2\sigma_E} \\
f_{occ,neg}(E, tv) &= 1
\end{aligned}
\qquad (13)
$$


2.2 Modeling Trust Balance

When deciding how much to take received recommendations into account with respect to its direct experience, an individual relies upon how confident he believes himself to be within the specific context. Hence, we believe a good model for trust balance to be the self-trust an individual places in himself for providing recommendations within that context.

Equation (14) describes the model for trust balance; essentially, it is the self-confidence of a principal α within a context φ at time t. Trust balance also depends on the size of the set Γ of recommenders; in fact, the more recommendations are available, the less direct trust is considered when computing the reputation. When there are no recommenders, only direct trust is taken into account for computing reputation.

$$\psi_{\alpha,\varphi,t,\Gamma} = D(\alpha,\alpha,j(\varphi),t)_{E}^{\;\log(|\Gamma|+1)} \qquad (14)$$

Self-confidence is computed in a way that is similar to how direct trust within jurisdiction is computed; it is the reflexive direct trust, updated according to the precision with which the currently available direct trust approximates the computed reputations. Thus, given an interaction between principals α and γ which happened within context φ at time t′, the self-confidence is updated with the trust value tv_φ defined in (15).

$$tv_\varphi = 1 - \left| R(\alpha,\gamma,\varphi,t') - D(\alpha,\gamma,\varphi,t') \right| \qquad (15)$$

Trust balancing for context φ is updated each time the principal carries out an interaction within that context. The less the fresh trust value differs from the expected interaction outcome (i.e., the trustee's reputation), the more self-confidence will increase; similarly, the more the fresh trust value differs from the expected interaction outcome, the more self-confidence will decrease.

For instance, let us say that in our lifetime each of us statistically undergoes one major surgery; in this case, it is impossible to assess the competence of a doctor from personal experience. By maintaining self-competence on each context, each of us who never had a major surgery will completely base his estimation on the experience of other individuals. Then, given a patient, as the number of direct evaluations in that context increases and, consequently, his personal experience adequately approximates the doctor's behaviour, his direct experience will become more relevant in determining that estimation.
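The following Python program is an added worked example of the reputation model of Sections 2, 2.1 and 2.2; it is not code from the thesis or from the TAw prototype. It implements direct trust (8) with the running statistics of Section 2.1, the stability factor ω of (12) instantiated with (13), indirect trust (9), the balance factor ψ of (14), reputation (10), and the recommender and self-confidence evaluations (11) and (15). Three things are our assumptions, not the thesis': the decay base η_φ = 0.9 per time unit in (7), ω = 1 on the very first evaluation (with E = ∅ the mean and σ in (12) are undefined and, starting from D = 0, every later evaluation would fall in the f_occ,pos branch and leave D at 0), and the constructed interaction history in run_example (Alice, Bob, Carol and Dave are illustrative names).

```python
"""SIR reputation model (Sections 2, 2.1, 2.2) as runnable Python. Added
worked example, not code from the thesis or the TAw prototype. Symbols follow
the text: D direct trust (8), omega stability (12)/(13), I indirect trust (9),
psi balance (14), R reputation (10), (11)/(15) recommender and self-confidence
evaluations. Assumed here: eta_phi = 0.9 per time unit in (7), omega = 1 on
the very first evaluation (E empty, where (12) is undefined and D would
otherwise stay at 0), and the constructed interaction history in run_example."""
import math
from dataclasses import dataclass

ETA = 0.9  # assumed decay base eta_phi for the single context used below


@dataclass
class DirectTrust:
    """D(alpha, beta, phi, t)_E plus the three running statistics Section 2.1
    says suffice: |E|, the sum of tv_i and the sum of tv_i^2."""
    value: float = 0.0  # all trust starts at 0, "absence of trust"
    t: float = 0.0      # time of the last update
    n: int = 0
    s1: float = 0.0
    s2: float = 0.0

    def mean(self) -> float:
        return self.s1 / self.n if self.n else 0.0

    def sigma(self) -> float:
        if not self.n:
            return 0.0
        var = self.s2 / self.n - self.mean() ** 2
        return math.sqrt(max(var, 0.0))  # clamp floating-point noise at 0


def decay(dt: float, eta: float = ETA) -> float:
    """delta_phi(t) = eta^t, eq. (7); multiplicative in t, so (6) holds."""
    return eta ** dt


def stability(rec: DirectTrust, tv: float) -> float:
    """omega from (12) instantiated with (13): an unusually good outcome is
    ignored (omega = 0), an unusually bad one counts in full (omega = 1)."""
    if rec.n == 0:
        return 1.0  # assumption: first evaluation taken at full weight
    m, s = rec.mean(), rec.sigma()
    if tv > m + s:
        return 0.0                         # f_occ,pos
    if tv < m - s:
        return 1.0                         # f_occ,neg
    if tv == m:
        return 0.5                         # f_exp (also covers s == 0)
    return 1.0 - (tv - m + s) / (2.0 * s)  # f_stab,pos and f_stab,neg


def update_direct(rec: DirectTrust, tv: float, t_now: float) -> float:
    """Third case of (8): fold the fresh evaluation tv_{t'} into D in place."""
    d, w = decay(t_now - rec.t), stability(rec, tv)
    rec.value = (rec.value * d + w * tv) / (d + w)
    rec.n, rec.s1, rec.s2, rec.t = rec.n + 1, rec.s1 + tv, rec.s2 + tv * tv, t_now
    return rec.value


def indirect_trust(weights: dict, recommendations: dict) -> float:
    """Third case of (9): each recommendation R(gamma, beta, phi, t') weighted
    by D(alpha, gamma, j(phi), t'), the truster's direct trust in gamma."""
    den = sum(weights[g] for g in recommendations)
    if den == 0.0:
        return 0.0  # no trusted recommender, nothing to average (our choice)
    return sum(weights[g] * r for g, r in recommendations.items()) / den


def balance(self_confidence: float, n_recommenders: int) -> float:
    """psi from (14); with no recommenders the exponent is 0 and psi = 1."""
    return self_confidence ** math.log(n_recommenders + 1)


def reputation(direct: float, indirect: float, psi: float) -> float:
    """Second case of (10): convex combination of direct and indirect trust."""
    return psi * direct + (1.0 - psi) * indirect


def agreement(expected: float, direct: float) -> float:
    """(11) and (15): one minus the gap between an expectation (a recommendation
    or the computed reputation) and the truster's own direct trust."""
    return 1.0 - abs(expected - direct)


def run_example() -> dict:
    """Constructed history: Alice evaluates Bob for p(i) three times, then
    merges her own view with recommendations from Carol and Dave."""
    d_bob = DirectTrust()
    update_direct(d_bob, 0.8, t_now=0.0)  # first evaluation, omega = 1 (assumed)
    update_direct(d_bob, 0.8, t_now=1.0)  # typical outcome, omega = 1/2
    update_direct(d_bob, 0.2, t_now=2.0)  # unusually bad outcome, omega = 1
    weights = {"Carol": 0.9, "Dave": 0.3}  # D(Alice, gamma, j(p(i))), constructed
    recs = {"Carol": 0.5, "Dave": 0.9}     # R(gamma, Bob, p(i)), constructed
    i_bob = indirect_trust(weights, recs)
    self_conf = DirectTrust(value=0.5)     # D(Alice, Alice, j(p(i))), constructed
    psi = balance(self_conf.value, len(recs))
    r_bob = reputation(d_bob.value, i_bob, psi)
    recommender_tv = {g: agreement(recs[g], d_bob.value) for g in recs}  # (11)
    update_direct(self_conf, agreement(r_bob, d_bob.value), t_now=2.0)  # (15)
    return {"direct": d_bob.value, "indirect": i_bob, "psi": psi,
            "reputation": r_bob, "recommender_tv": recommender_tv,
            "self_confidence": self_conf.value}
```

Running run_example() shows the behaviour the text asks for: the two typical evaluations of 0.8 lift Bob's direct trust only gradually, the single unusual evaluation of 0.2 is taken at full weight and pulls it down to about 0.36, the recommendations are averaged with Alice's direct trust in each recommender as weight, and Carol, whose recommendation lies closer to Alice's own direct trust, receives the higher evaluation under (11). With an empty recommender set, balance() returns ψ = 1 and the reputation collapses to direct trust, as Section 2.2 requires.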

3 Augmenting Contexts with Attributes

So far, we have described how to evaluate a principal's reputation either in consuming or producing a given interface or in providing recommendations within a specified context. Hence, if we know that R(Alice, Nicola, p(smtp), t0) = 0.67, it is still unclear on which aspect the partial unreliability depends, e.g., whether Nicola's smtp server rarely allows illegitimate access to emails or just has a low availability. When a truster finds a trustee's reputation to be unsatisfactory, in order for the truster to interact with that trustee it is legitimate for him to be aware of the origin of that partial unreliability; attributes are introduced to fill this purpose.

We define an attribute to be a property that is relevant within a given context, such as availability, confidentiality or authentication. Attributes are introduced into our model by defining associated subcontexts, which are used to specialize the generic contexts.

In Tab. 2 the grammar describing the structure of Φ with attributes is formally described; here, I indicates the set of interface names, A the set of attribute names, G the set of simple contexts and C augments G with subcontexts.

Table 2. Structure of Φ augmented with attributes.

I ::= i | h | k

A ::= a | b | d

G ::= p(I) | c(I)

C ::= a(G) | G | authentication

Φ ::= C | j(C)

Such a design approach enables us to simultaneously maintain both overall reputations and specialized ones in an efficient manner; in fact, when a principal is assigned a new trust value in a generic context φ ∈ Φ, if it corresponds to a specialized context, then the corresponding reputation can be updated and the associated generic context can be retrieved in order for it to be updated as well. Hence, the redefined definition of Φ allows us to manage specialized reputations while preserving the validity of the formulas presented in the previous section. The inverse is not defined for attributes.

4 Relations with the Socio-Cognitive model

The main difference between the SIR computational model and the socio-cognitive model is the concept of reputation as the aggregation of direct experience and of the indirect experience encoded within recommendations; in fact, the socio-cognitive model only specifies trust update as a consequence of new direct evaluations. In our opinion, recommendations play a central role in reputation management since, especially when a small number of direct evaluations has been performed, they enable the truster to rely on a larger amount of possibly trustworthy evaluations.

Like the socio-cognitive model, through reputation the SIR model enables a principal to approximate the trustworthiness of each possible principal. What in the socio-cognitive model is represented by DoA and DoW is implementable in SIR by introducing two attributes, respectively competence and willingness, into all the possible contexts; the first one should be updated each time an interaction is carried out, with the evaluation of that interaction's outcome, while the second one should always be updated according to whether the interaction was completed or not. However, what SIR enables a truster to achieve is not an approximation of the trustee's actual trustworthiness; instead, the latter is aggregated with the influence that the global environment exerted on the whole interaction. For example, let competence.p(i) and willingness.p(i) be the contexts respectively associated with the competence and willingness in providing interface i; then both (16) and (17) hold. Here, E_{β,p(i),t,S}, E_{β,p(i),t,W}, and E_{p(i),t,Ω} indicate, respectively, the event that expresses the success of β in providing interface i at time t, the event that expresses the willingness of β to provide interface i at time t, and the event that expresses the absence of failures enforced by the environment on the provision of interface i at time t (we assume the environment influence to be independent of both the objective competence and the objective willingness of the trustee).

$$
\lim_{|I| \to +\infty} R(\alpha,\beta,\mathit{competence}.p(i),t) = P\!\left(E_{\beta,p(i),t,S}\right) \cdot P\!\left(E_{p(i),t,\Omega}\right) \qquad (16)
$$

$$
\lim_{|I| \to +\infty} R(\alpha,\beta,\mathit{willingness}.p(i),t) = P\!\left(E_{\beta,p(i),t,W}\right) \cdot P\!\left(E_{p(i),t,\Omega}\right) \qquad (17)
$$

That is, the more evaluations or recommendations are collected, the better the reputation computed by SIR approximates the overall probability of success within the evaluated context. However, it is worth noting the decomposition below, which expresses the probability of success with which interface i will be provided by principal β at time t in terms of both the competence and the willingness of that trustee.

$$
P\!\left(E_{\beta,p(i),t,S}\right) = P\!\left(E_{\beta,p(i),t,S} \,\middle|\, E_{\beta,p(i),t,W}\right) \cdot P\!\left(E_{\beta,p(i),t,W}\right) + P\!\left(E_{\beta,p(i),t,S} \,\middle|\, \overline{E_{\beta,p(i),t,W}}\right) \cdot P\!\left(\overline{E_{\beta,p(i),t,W}}\right)
$$


But, since there is no probability of success if the trustee does not engage in the task (the second term of the decomposition vanishes), the overall probability of success is expressed in (18).

$$
P\!\left(E_{\beta,p(i),t,S}\right) = P\!\left(E_{\beta,p(i),t,S} \,\middle|\, E_{\beta,p(i),t,W}\right) \cdot P\!\left(E_{\beta,p(i),t,W}\right) \qquad (18)
$$


Chapter 4

Case Study: Trust-Aware Naming Service (TAw)

1 Motivation

The naming service is a fundamental part of any component-oriented architecture. It implements location transparency between components, providing each of them with references for invoking operations implemented by remote components. Specifically, the naming service associates a specific name with each component instance, and the client component which requires the service of a remote component instance needs to query the naming service with the name associated with the required instance in order to obtain its remote reference. Specifically, a name server implements a one-to-one map between names and instances. Similarly, service-oriented architectures implement location transparency by means of directory services. Although implementing a one-to-many relation between names and references, directory services also maintain a map between names and the associated service instances.

In a dynamic application context, such as a generic service-oriented application scenario, several factors may affect service provisioning: for instance, component functionalities may be subject to failures and recoveries, or service providers may dynamically change their service provisioning strategies to better achieve their own goals. Within such contexts, each client component (or service) may obtain great advantage from being provided with information about which service provider could better meet its needs. Among the currently available technologies, neither naming nor directory services provide the client component, or service, with information about the trustworthiness of the others. Such information would be useful for implementing a service to evaluate the dependability (i.e., availability, reliability) of available services, as well as to activate security mechanisms when a number of entities engage in an interaction (i.e., based on the trust degree each party places in the others, the security measures to be employed can be agreed upon so as to avoid illegitimate behaviour and optimize system performance).

Hence, in this chapter we present our Trust-Aware Naming Service (TAw), a hybrid peer-to-peer architecture which has specifically been designed for enabling existing naming and directory services with the abstraction of trust. The TAw architecture implements a middle tier between the client application and the naming service. Within this tier, information about principal behaviours is collected and aggregated to form the abstraction of reputation; thus, this meta-information completes the results returned by the naming service, enabling the principals to compare the possible trustees with each other in order to find out the most trustworthy. Because of its application context, we require TAw to be both scalable and flexible: scalability entails the ability of the system to scale as the number of entities within the system increases, and flexibility entails the compatibility of TAw with different naming service architectures, as required by a multi-institutional environment. It is worth noting that TAw does not play any active role in managing computer security; it only provides each entity in the system with information about the behaviour of other entities, allowing them to possibly avoid engaging in interactions with misbehaving entities.

2 The TAw Architecture

TAw is a hybrid peer-to-peer architecture in which each entity (i.e., service producer or consumer) is associated with a TAw peer. TAw peers exchange trust information about each other; locally, each peer maintains the available trust information according to a specific trust model (the current prototype implements the SIR reputation model), in order to approximate the trustworthiness of the entities with which it is engaging in interactions. The Virtual Society Service (VSS) is responsible for enabling the peers to aggregate themselves into a virtual society; moreover, it enforces an access control policy that is specific to the virtual society. Its purpose is both to allow only legitimate entities to participate in the exchange of trust information, and to prevent any entity from owning multiple instances of TAw peers simultaneously. Each TAw peer both interfaces the entity with the naming service in a trust-aware manner and, simultaneously, implements the social behaviour on behalf of that entity, i.e., it locally collects and maintains trust information, computes reputations and propagates them on its behalf. A piece of trust information held by a peer either originates from the owner entity as the result of concluded interactions, or has been obtained via the Trust Propagation Protocol.

Thanks to its completely decentralized design, TAw inherently meets scalability, efficiency, and fault-tolerance requirements; specifically, it implements both a hybrid peer-to-peer interaction paradigm and an epidemic-like information dissemination technique (see below). Moreover, in order for our architecture to meet adaptiveness, robustness, and scalability, the SIR reputation model has been implemented within TAw.

Within the framework described in Section A Generic Trust Management Framework, TAw implements the trust management system. Because of the possible diversity between application requirements, it is up to the application developer to enable the application with trust evaluation and dynamic trust criteria.

2.1 TAw Peer

The TAw peer is the abstraction of a principal within a virtual society. Each TAw peer (i) implements the social behaviour on behalf of that entity, i.e., it locally collects and maintains trust information, computes reputations and propagates them on its behalf, and (ii) employs such information to enable the associated entity to access the naming service in a trust-aware manner. A piece of trust information held by a peer either originates from the owner entity as the result of concluded interactions, or has been obtained via the Trust Propagation Protocol (TPP), which we describe below.

Each peer embodies a data structure, namely the trust repository, that is used to maintain trust information; basically, it is a collection of tuples (α, β, φ, t, p) where α ∈ P is the truster, β ∈ P is the trustee, φ ∈ Φ is the context, t is the time to which the trust degree refers and p ∈ [0, 1] is the trust degree associated with R(α, β, φ, t). Autonomously, each TAw peer disseminates trust information towards a subset of its neighbourhood through the trust propagation protocol.

When speaking of interactions between application components which are deployed in multi-institutional environments, interoperability is a key issue to address. For this reason we require TAw to be suitable for accommodating any possible naming service in a virtual enterprise scenario. To meet this requirement we divided the TAw peer in two parts, namely the TAw Core Peer and the TAw Peer. The former implements the trust model and metrics that are common to all the TAw Peers, providing them with a common way to compute and understand trust information. The latter is a wrapper which employs the TAw Core Peer to enable a specific naming service with trust requirements.

Figure 1. UML class diagram for the TAwPeer.

TAw Core Peer: The TAwCorePeer class is responsible for providing the TAw peer with facilities to implement all the trust-related operations in a manner that is independent from the specific naming technology. The TAwCorePeer implements the TAwCoreInterface (see the UML representation in Fig. 1). Through the employment of its basic operations it is possible for a peer both to keep the local trust information updated and to obtain trust information about other TAw peers. The TAwCorePeer embodies a TAwGossiper and a TAwListenerServer, which are responsible for implementing the trust propagation protocol: the former spreads the peer's own trust information over the virtual society network so that the other peers can employ it to compute reputations, and the latter collects the trust information that is spread over the virtual society network by other peers.

TAw Peer: This wrapper embodies an instance of the TAwCorePeer and employs its services to enable the application layer with a trust-aware lookup operation and with trust-awareness about the other entities within the system. The TAwPeer is an abstract class which implements TAwPeerInterface (see Fig. 1). This design approach enabled us to implement the whole TAw logic in the TAwPeer, leaving unspecified a private interface which generalizes the connection with the naming service. The application developer only has to implement the abstract methods of the TAwPeer class.

The TAw peer is the abstraction of an entity within a virtual society; specifically, it is a proxy client which mediates between the entity itself and the naming service. In order to provide applications with trust awareness, TAw peers organize themselves in a social network employing the services provided by the VSS.

Figure 1 describes the whole design of the TAw peer. The TAwPeer is an abstract class which requires the application developer to instantiate the following methods:

init(args[]:Object):void : this method is employed by the TAwPeer constructor for contacting the naming service and retrieving its Java abstraction, on which the actual naming service operations will be performed;

bindNaming(ref:Reference; obj:Object):void : this method is employed by the bind method to enable an object to expose its service to remote invocations. Specifically, this method is a wrapper for the bind operation of the specific naming technology that is employed;

unbindNaming(ref:Reference):void : similarly to the above operation, this method is employed by the unbind method. Specifically, this method is a wrapper for the unbind operation of the specific naming technology that is employed;

lookupNaming(ref:Reference):Remote : this method enables the TAw peer to retrieve from the naming service the stub for invoking operations on a remote server object. Specifically, this method is a wrapper for the lookup operation of the specific naming technology that is employed, and it is employed in trustAwareLookup.

A class that implements the TAwPeer class exposes the following interface to the application:

TAwPeer(args[]:Object, c:Certificate, add:NetAddr): TAwPeer : this constructor performs the following operations:

1. The local fields cert and address are initialized;

2. The startSession(c) operation is invoked on the VSS. If authentication is correctly performed then (i) a session identifier is returned and the local variable sess_id is initialized, otherwise (ii) an AuthenticationException is raised;

3. A local instance of TAwCorePeer is created with the entity reference name and the neighbourhood n;

4. The init(args) operation is invoked in order for the local variable namingServ to be initialized with a remote reference to the naming service;

trustAwareLookup(ctx:Context):Remote : when provided with a service context, this method returns to the application the remote stub of the most trustworthy server object. It performs the following operations:

1. getTrustedReference(ctx) is invoked on the local instance of TAwCorePeer, which provides a reference to a trustworthy server object;

2. If the returned reference is not valid, the lookupVSS(ctx) operation is invoked on the VSS: if a valid reference ref is returned, then the local method putTrust(ref, ctx, 0) is invoked; otherwise, if the reference is not valid, a RemoteException is raised;

3. If the returned reference ref is valid, the local lookupNaming(ref) operation is invoked and its result is returned.

getTrust(ref:Reference, ctx:Context): trustDegree : given the reference ref to an entity and a context ctx, this operation is a wrapper for the getTrust(ref,ctx) invocation on the local instance of TAwCorePeer and returns the result of that invocation to the application.

putTrust(ref:Reference, ctx:Context, eval:trustDegree): void : given the reference to an entity, a context and a trust evaluation, this operation is a wrapper for the putTrust(ref,ctx,eval) invocation on the local instance of TAwCorePeer, whose purpose is to update the reputation of entity ref within the context ctx according to the trust evaluation eval. This operation possibly triggers the execution of the trust propagation protocol;

bind(ref:Reference, ctx:Context, obj:Object): void : this operation performs the following operations:

1. bindNaming(ref, obj) is invoked;

2. If the operation terminates correctly, then the operation bind(ref, ctx, address, cert) is invoked on the VSS; otherwise, a RemoteException is raised;

3. updateNeighbourhood(ctx) is invoked on the VSS to obtain a collection c of neighbours;

4. An instance n of the Neighbourhood class is created from c;

5. setNeighbourhood(n) is invoked on the TAwCorePeer instance;

unbind(ref:Reference, ctx:Context): void : this operation performs the following:

1. The Neighbourhood object which refers to context ctx is disposed of;

2. unbindNaming(ref) is invoked;

3. If the operation terminates correctly, then the operation unbind(ref,ctx) is invoked on the VSS; otherwise, a RemoteException is raised.

finalize() : this operation makes sure that all the bindings in both the VSS and the naming service are removed before the TAw peer is disposed of.

As mentioned above, the TAwCorePeer implements the trust management interface and the related data structures. Specifically, it manages the trust repository, implemented by the Repository class, which embodies both a set of TrustTuple objects and the operations to manage the tuples in this set. Each TrustTuple contains information about the truster (i.e., the entity which generated the tuple), the trustee, the context to which this trust information applies, the time when the tuple was updated, and the associated trust value. The TAwCorePeer implements the following operations:

TAwCorePeer(ref:Reference, n: Neighbourhood):TAwCorePeer : this is the class constructor. At the creation of the object, it sets the name and neighbourhood fields. The first identifies the entity within the trust system. The second corresponds to the set of entities towards which reputations will be propagated. Then, the listener server and gossiper objects are instantiated. The first listens for incoming messages of the trust propagation protocol, and the second proactively initiates sessions of the trust propagation protocol;

getTrust(ref:Reference, ctx:Context): trustDegree : this operation performs the following:

1. getTrustTuples(ref,ctx) is invoked on the local repository;

2. from the returned tuples and the implemented reputation model, the new reputation is computed;

3. the computed reputation is returned.

putTrust(ref:Reference, ctx:Context, eval:trustDegree): void : this operation performs the following:

1. getTrust(name, ref, ctx) is invoked on the local repository;

2. a new TrustTuple instance tt is generated starting from the retrieved tuple and the implemented reputation model;

3. the operation store(tt) is invoked on the local repository;

4. the operation store(tt) is invoked on the local gossiper.

getTrustedReference(ctx:Context): Reference : this operation performs the following:

1. getTrustTuples(ctx) is performed on the local Repository instance to retrieve the trust tuples regarding the trustees within context ctx;

2. all the reputations are computed according to the returned trust tuples and the implemented reputation model;

3. The best reputation is selected and the respective trustee reference is returned.


updateRepository(news:Repository):void : this operation merges the news repository, passed as parameter, with the local repository: merge(news) is invoked on the local Repository.

setNeighbourhood(n:Neighbourhood):void : this operation is a wrapper for the homonymous operation defined in the TAwGossiper: setNeighbourhood(n) is invoked on the TAwGossiper;

finalize() : this method terminates the gossiper and the listener server before disposing of the object.

The Repository implements the following methods:

store(trustRec:TrustTuple):void : this operation stores the tuple trustRec in the repository tuple space. If the repository already contains a tuple with the same (truster, trustee, context) which is less recent than trustRec, that tuple is overwritten; otherwise trustRec is discarded;

getTrust(truster:Reference, trustee:Reference, ctx:Context) : TrustTuple : this operation retrieves the tuple which contains the triple (truster, trustee, ctx) from the repository tuple space. If one such tuple is present it is returned, otherwise null is returned;

getTrustTuples(trustee:Reference, ctx:Context) : Collection : this operation retrieves from the repository tuple space all the trust tuples regarding entity trustee within context ctx. The collection of those tuples is returned;

getTrustTuples(ctx:Context) : Collection : this operation retrieves from the repository tuple space all the trust tuples pertaining to the context ctx. The collection of those tuples is returned;

merge(r:Repository): void : for each tuple tt in the repository r, the local operation store(tt) is invoked;

size() : int : this operation returns the number of tuples contained in the repository tuple space.

As mentioned above, TAwGossiper is a thread whose purpose is to autonomously disseminate trust information over the social network through the trust propagation protocol (see Section Trust Propagation Protocol). Specifically, it keeps track of the recently computed reputations and triggers the trust propagation protocol according to the criteria below, which regard the amount of fresh trust information acquired since the last execution of the protocol (which we indicate with the notation news.size()):

1. if news.size() >= threshold before a quantum of time elapses since the last execution, or

2. if a quantum elapsed since the last execution and 0 < news.size() < threshold.
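The Repository semantics listed above (a tuple keyed by truster, trustee and context is overwritten only by a fresher one) and the gossiper trigger rule, which the TAwListenerServer reuses for merging received news, as an added illustration in Python. This is not the thesis's Java prototype; the SIR reputation model is replaced by a plain mean, labelled as such, because the model itself is not specified in this section.

```python
"""Added illustration (not the thesis's code): the TAw trust repository and
the gossiper/listener trigger rule, with a plain mean standing in for SIR."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrustTuple:
    truster: str    # alpha: who formed the opinion
    trustee: str    # beta: whom the opinion is about
    context: str    # phi: the interaction context
    time: int       # t: time the trust degree refers to
    degree: float   # p in [0, 1]

    def __post_init__(self) -> None:
        if not 0.0 <= self.degree <= 1.0:
            raise ValueError("trust degree must lie in [0, 1]")


class Repository:
    """Tuple space keyed by (truster, trustee, context); keeps the freshest tuple."""

    def __init__(self) -> None:
        self._tuples: Dict[Tuple[str, str, str], TrustTuple] = {}

    def store(self, tt: TrustTuple) -> bool:
        """Store tt; returns False when an equally recent or fresher tuple exists."""
        key = (tt.truster, tt.trustee, tt.context)
        old = self._tuples.get(key)
        if old is not None and old.time >= tt.time:
            return False            # stale news never overwrites fresher knowledge
        self._tuples[key] = tt
        return True

    def get_trust(self, truster: str, trustee: str, ctx: str) -> Optional[TrustTuple]:
        return self._tuples.get((truster, trustee, ctx))

    def get_trust_tuples(self, ctx: str, trustee: Optional[str] = None) -> List[TrustTuple]:
        """Both getTrustTuples overloads: all tuples of ctx, or only those about trustee."""
        return [t for t in self._tuples.values()
                if t.context == ctx and (trustee is None or t.trustee == trustee)]

    def merge(self, other: "Repository") -> int:
        """merge(r): store every tuple of r; returns how many were accepted."""
        return sum(self.store(t) for t in list(other._tuples.values()))

    def drain(self) -> List[TrustTuple]:
        """Gossiper buffer behaviour: hand out the news and empty the space."""
        news = list(self._tuples.values())
        self._tuples.clear()
        return news

    def size(self) -> int:
        return len(self._tuples)


def get_trusted_reference(repo: Repository, ctx: str) -> Optional[str]:
    """getTrustedReference(ctx): best reputation wins. The mean of the degrees is
    an assumed placeholder for the SIR model the prototype actually implements."""
    by_trustee: Dict[str, List[float]] = {}
    for t in repo.get_trust_tuples(ctx):
        by_trustee.setdefault(t.trustee, []).append(t.degree)
    if not by_trustee:
        return None
    return max(by_trustee, key=lambda b: sum(by_trustee[b]) / len(by_trustee[b]))


def should_trigger(news_size: int, threshold: int, elapsed: int, quantum: int) -> bool:
    """The two criteria above: enough fresh news, or a quantum elapsed with some news."""
    if news_size >= threshold:
        return True
    return elapsed >= quantum and 0 < news_size < threshold
```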

The TAwGossiper implements the logic represented in Figure 3; moreover, it implements the following operations:

TAwGossiper() : this operation creates an instance of the TAwGossiper. It locally instantiates a Repository class which works as a buffer for maintaining the fresh trust information to be propagated.

start() : this method enables the TAwCorePeer to activate the TAwGossiper;

store(tt:TrustTuple): void : this operation is a wrapper which just invokes the operation store(tt) on the local Repository;

Figure 2. Directory Information Tree implemented by the VSS service.

setNeighbourhood(n:Neighbourhood):void : this operation stores the passed Neighbourhood in the local field neighbours, employing the respective context as search key;

gossip(fanOut:Collection): void : this operation triggers the propagation, towards a subset of the neighbourhood which we call fanOut, of the trust information contained in the local Repository. After the propagation, the Repository is emptied.

The TAwListenerServer is a thread which listens for inbound instances of the trust propagation protocol. Once started, it waits for connections from other TAw peers, specifically from their TAw gossipers, and for each connection it instantiates a TAw listener. The TAw listener server implements the following operations:

TAwListenerServer(add:NetAddr) : this operation creates an instance of the TAwListenerServer which waits for connections at the given network address add. It locally instantiates a Repository class which stores the received trust information that will be merged with the Repository instance residing in the TAwCorePeer;

start() : this method enables the TAwCorePeer to activate the TAwListenerServer;

updateRepository(r:Repository): void : this operation is a wrapper for the operation merge(r) that is invoked on the local Repository.

The TAwListener is a class which reads an incoming trust propagation message and retrieves the fresh trust information to be added to the TAwListenerServer local Repository. The condition under which the news Repository is merged with the TAwCorePeer repository by the TAwListenerServer is similar to the one employed by the TAwGossiper to initiate a propagation of trust information:

1. if news.size() >= threshold before a quantum of time elapses since the last execution, or

2. if a quantum elapsed since the last execution and 0 < news.size() < threshold.

2.2 Virtual Society Service

The main function of the VSS is to enable the implementation of the virtual society. Specifically, it enables the entities to aggregate with each other, forming the social network over which trust information is exchanged. To enable this service, the VSS employs a directory service which maintains information about all the entities in the virtual society according to the contexts in which they will consume or produce interfaces. The directory service implements the four-level Directory Information Tree (DIT) represented in Figure 4. The root represents the starting point to access the stored information; the first level maintains the possible service interfaces; the second level implements the contexts generated by each service interface (e.g., production and consumption); and, finally, the third level maintains the entities which either consume or produce services in the specific context.


To contribute to the trust information exchange, a principal joining the virtual society has to be provided with knowledge about how to propagate trust information. We represent the virtual society as a directed random graph in which each node represents a principal and the edges represent the direction in which trust information is propagated; given a principal p, we call the neighbourhood of p the set of principals that are directly connected to p. From the literature about the epidemic data-dissemination paradigm [DGH+87, KMG03], it is known that an n-node directed random graph with degree O(log n) has diameter O(log n); that specific node degree takes the name of fan-out. Therefore, in order to minimize the overhead introduced by the propagation of trust information, we require the neighbourhood size to be O(log n); thus, when a principal joins the virtual society, a random set of neighbours is associated with it for the recommendations to be propagated.

In order for trust information to be propagated only towards the entities which are concerned with it, in the virtual society entities are grouped according to the specific contexts in which they engage in interactions; hence, we require the neighbourhood of a given entity to be composed of entities which are concerned with the same set of contexts as that specific entity. Due to the dynamic nature of virtual societies, the entities that dynamically join and leave the system may enforce frequent changes in the fan-out. As a consequence, it may be required for all the entities in the system to frequently update their neighbourhood in order to meet the above-mentioned efficiency requirements. We prevent such updates by enforcing the neighbourhood size to be larger than the gossiping fan-out and, at each round of the trust propagation protocol, by spreading trust information only to a subset of the neighbourhood of a size equal to the fan-out. For TAw to be more robust against untrustworthy trust information (i.e., noise or untrustworthy reputations), the VSS enables each entity to update its neighbourhood with a new one, which is randomly decided by the VSS itself. The neighbourhood update limits the influence that such untrustworthy information has on the ability of entities to compute representative reputations. We use the term session to identify the sequence of activities that an entity performs, starting with its joining the virtual society and ending with its leaving it again. In order to control the maximum influence that an entity can have on the spreading of trust information over the social network, we require the VSS to implement an access control policy so as to enforce that each entity maintains at most one open session at any given time. In fact, allowing an entity to maintain several concurrent sessions would enable it to appear as multiple entities; that would prevent the other principals from associating the behaviour exhibited by that false group with the same principal and, consequently, from correctly computing the reputation of that principal. Hence, in order to enable authentication of principals, and to verify the origin and the integrity of propagated trust information, each entity which is allowed to legitimately employ TAw services is uniquely identified by a long-term PK certificate.

In order for an entity to manage its activity within the virtual society, the VSS provides entities with an interface to manage their membership within the virtual society and to enable the further exchange of trust information. Figure 3 shows the UML class diagram for the classes which compose the VSS. The main class is the VSSDaemon, which is a thread implementing a proxy for the LDAP server which manages the DIT mentioned above. When receiving a service request, it dispatches that request to a VSSRequestHandler that performs the requested task and returns the result to the client. The VSSDaemon implements the following operations:

VSSDaemon(add:NetAddr) : this constructor enables the creation of a VSSDaemon which waits for service requests on the given network address add;

start(): void : this operation enables the VSSStarter to activate the VSS Services;

stop(): void : this operation enables the VSSStarter to terminate the VSS Services;

addSession(c:Certificate, sess_id:long): void : this operation enables a VSSRequestHandler to store information about an open session. This operation is invoked by the VSSRequestHandler when a client successfully starts a session;

Figure 3. UML class diagram for the Virtual Society Service.

removeSession(c:Certificate): void : this operation is invoked by an instance of VSSRequestHandler to terminate a session and dispose of the related data;

hasOpenSession(c:Certificate): Boolean : this operation returns true if a session identifier is associated with certificate c within openSessions; false is returned otherwise;

lookupBuffer(ctx:Context): Collection : this operation queries the buffer for the entities that have an open session and are bound in the VSS within context ctx. For each entity, the respective VSSReference is returned; this class embodies the entity's naming reference, the address on which its TAwPeer listens for trust propagation messages, and its public key certificate.

The VSSRequestHandler implements the following services:

VSSRequestHandler(vss:VSSDaemon, ldap:Remote) : this operation creates an instance of VSSRequestHandler and provides it with the references to the VSS daemon and to the LDAP server;

startSession(c:Certificate): void : this operation enables a TAwPeer to authenticate to the VSS and to employ TAw services:

1. hasOpenSession(c) is invoked on the VSSDaemon to check that c does not correspond to any open session;

2. if no open session on behalf of c exists, the respective TAwPeer authorises the employment of that public key certificate;

3. Upon successful authentication, a session identifier, sid, is generated and the operation addSession(c,sid) is invoked on the VSSDaemon;

4. The session identifier sid is returned to the TAwPeer;

stopSession(c:Certificate): void : this operation closes the session of the peer that registered with certificate c. The operation removeSession(c) is invoked on the VSSDaemon;

bind(ref:Reference, ctx:Context, add:NetAddr, c:Certificate): void : this operation inserts the tuple (ref, add, c) within the LDAP directory information tree at the position which corresponds to context ctx. The tuple is also added to the VSSDaemon buffer. If a tuple containing reference ref is already present in the DIT, this invocation has no effect;

Table 1. Structure of a trust propagation protocol message.

Reputation ::= 〈trustee, time, reputationValue〉
Context ::= 〈context, length, Reputation+〉
TrustPropagationMessage ::= 〈truster, length, Context+〉

unbind(ref:Reference, ctx:Context): void : this operation removes the tuple associated with entity ref from the LDAP directory information tree at the position which corresponds to context ctx, if present. The tuple is also removed from the VSSDaemon buffer.

lookup(ctx:Context) : VSSReference : this operation returns to the invoking TAwPeer the VSSReference of a random entity within context ctx:

1. lookup(ctx) is invoked on the VSSDaemon, which returns the Collection T;

2. If T = null, then the LDAP server is queried for the Collection T of entries stored in context ctx;

3. A random VSSReference is selected from T and returned;

updateNeighbourhood(ctx:Context) : Collection : this operation returns to the TAwPeer a Collection of VSSReference randomly selected within context ctx:

1. lookup(ctx) is invoked on the VSSDaemon, which returns the Collection T;

2. If T = null, then the LDAP server is queried for the Collection T of entries stored in the context ctx;

3. A Collection of O(log(|T|)) instances of VSSReference is randomly selected from T and returned;
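The VSS access control policy described earlier in this section (at most one open session per certificate, so that a principal cannot appear as several entities) together with the O(log |T|) random neighbourhood selection of updateNeighbourhood, as an added Python illustration that is not the thesis's Java prototype. An in-memory dictionary stands in for the LDAP DIT, certificates are constructed strings, and verify_cert is a hypothetical hook for the certificate check the thesis leaves to the peer's PK infrastructure.

```python
"""Added illustration (not the thesis's code): VSS single-session policy and
random O(log |T|) neighbourhood selection over an in-memory directory."""
import math
import random
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class VSSReference:
    ref: str    # naming reference of the entity
    addr: str   # address where its TAwListenerServer accepts propagation messages
    cert: str   # public key certificate (a constructed string stands in for X.509)


class AuthenticationException(Exception):
    pass


class VSSDaemon:
    """Holds the open sessions and the per-context buffer of bound entities."""

    def __init__(self) -> None:
        self.open_sessions: Dict[str, int] = {}                  # cert -> session id
        self.buffer: Dict[str, Dict[str, VSSReference]] = {}    # ctx -> ref -> entry

    def has_open_session(self, cert: str) -> bool:
        return cert in self.open_sessions

    def add_session(self, cert: str, sid: int) -> None:
        self.open_sessions[cert] = sid

    def remove_session(self, cert: str) -> None:
        self.open_sessions.pop(cert, None)

    def lookup_buffer(self, ctx: str) -> List[VSSReference]:
        # Only entities that currently hold an open session are members of ctx.
        return [e for e in self.buffer.get(ctx, {}).values()
                if self.has_open_session(e.cert)]


class VSSRequestHandler:
    def __init__(self, vss: VSSDaemon, verify_cert: Callable[[str], bool]) -> None:
        self.vss = vss
        self.verify_cert = verify_cert   # hypothetical hook: chain/ownership check

    def start_session(self, cert: str) -> int:
        """startSession(c): refuse a second concurrent session for the same
        certificate, since it would let one principal pose as several entities."""
        if self.vss.has_open_session(cert):
            raise AuthenticationException("certificate already has an open session")
        if not self.verify_cert(cert):
            raise AuthenticationException("certificate not accepted")
        sid = secrets.randbits(63)          # unguessable session identifier
        self.vss.add_session(cert, sid)
        return sid

    def stop_session(self, cert: str) -> None:
        self.vss.remove_session(cert)

    def bind(self, ref: str, ctx: str, addr: str, cert: str) -> None:
        # No effect when a tuple with reference ref is already bound in ctx.
        self.vss.buffer.setdefault(ctx, {}).setdefault(ref, VSSReference(ref, addr, cert))

    def unbind(self, ref: str, ctx: str) -> None:
        self.vss.buffer.get(ctx, {}).pop(ref, None)

    def update_neighbourhood(self, ctx: str, seed: Optional[int] = None) -> List[VSSReference]:
        """updateNeighbourhood(ctx): ceil(log2 |T|) members of ctx chosen at random
        (at least one when ctx is non-empty); seed=None uses OS entropy."""
        members = self.vss.lookup_buffer(ctx)
        if not members:
            return []
        k = min(len(members), max(1, math.ceil(math.log2(len(members)))))
        return random.Random(seed).sample(members, k)
```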

Essentially, the VSS enables the reputation system to start from scratch, connecting entities with each other and forming a social network for the propagation of trust information. Moreover, in order for the VSS to tolerate failures and not to constitute a bottleneck, it can be implemented in a distributed and trustworthy manner. For instance, the VSS can be implemented as a cluster of servers which have to agree (e.g., by voting) on the decisions about the management of the TAw system (e.g., which entities can legitimately access TAw services).

2.3 TAw Trust Propagation Protocol

In order for trust information to be distributed over the system, TAw implements an epidemic-like dissemination technique. Specifically, each TAw peer periodically sends the newly computed reputations to a random subset of its neighbourhood, whose size corresponds to the fan-out. The receiving neighbours store these tuples in their respective trust repositories, where they will be employed for computing fresh reputations. We implement trust propagation messages as self-descriptive, human-readable XML tuple spaces, whose structure is defined by a common DTD specification. Each trust propagation message has the tree structure shown in Table 1: the sending truster as root and the trustees as leaves; then, in order to minimize the size of the message, trust information is grouped by the reference context. Thus, each message specifies the truster, the number of contexts included within the message and, for each context, the number of reputation tuples included in the message and the tuples themselves.

Table 1 describes the structure of a generic trust propagation message; so as to minimize the size of the message, trust information is grouped by the reference context. Thus, each message specifies the truster, the number of contexts included within the message and, for each context, the number of reputation tuples included in the message and the tuples themselves.

Table 2. Pseudocode describing the trust propagation protocol.

randomly select a fan-out from the neighborhood;
select the recently updated reputations;
for each neighbor n in the selected fan-out:
    build an appropriate protocol message;
    send that protocol message to neighbor n;

Every trust propagation message is parsed by the receiving TAw peer (within the associated TAwListener) and its content is locally stored according to the semantics explained in Section TAw Peer. When the trust propagation protocol is triggered, because either a timeout occurred or enough trust information has been directly updated, the protocol behaves as described by the pseudocode listed in Table 2. In words, each time a protocol run is triggered, a subset of the neighbourhood is randomly selected and the set of trust information that has been updated since the last propagation round is identified. Then, for each neighbour in the selected fan-out, a protocol message containing the trust information with which that neighbour is concerned is built and sent to that neighbour.
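The message tree of Table 1 and one protocol run of Table 2, as an added Python illustration rather than the thesis's implementation: the sender groups its fresh tuples by context, declares the counts, and serializes to XML; the receiver treats the declared counts and the [0, 1] range as integrity checks before accepting any tuple. Element and attribute names are assumed, since the thesis specifies only that a common DTD governs the format.

```python
"""Added illustration (not the thesis's code): a TAw trust propagation message
built and parsed with the Table 1 structure, and one Table 2 gossip round."""
import random
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A trust tuple (truster, trustee, context, time, degree) as held in the repository.
TrustTuple = Tuple[str, str, str, int, float]


def build_message(truster: str, news: Iterable[TrustTuple]) -> bytes:
    """Sender side: group the truster's fresh tuples by context and emit the
    Table 1 tree with the length of each level declared (assumed XML names)."""
    by_ctx: Dict[str, List[TrustTuple]] = defaultdict(list)
    for tt in news:
        if tt[0] != truster:
            raise ValueError("a peer propagates only its own opinions")
        by_ctx[tt[2]].append(tt)
    root = ET.Element("TrustPropagationMessage",
                      truster=truster, length=str(len(by_ctx)))
    for ctx, tuples in by_ctx.items():
        c = ET.SubElement(root, "Context", context=ctx, length=str(len(tuples)))
        for _, trustee, _, time, degree in tuples:
            ET.SubElement(c, "Reputation", trustee=trustee,
                          time=str(time), reputationValue=repr(degree))
    return ET.tostring(root, encoding="utf-8")


def parse_message(data: bytes) -> List[TrustTuple]:
    """Receiver side (TAwListener): rebuild the tuples; a count mismatch or an
    out-of-range reputation value rejects the whole message."""
    # Messages arrive from other peers: a hardened deployment parses them with
    # defusedxml or another entity-expansion-safe parser instead of ET directly.
    root = ET.fromstring(data)
    if root.tag != "TrustPropagationMessage":
        raise ValueError("not a trust propagation message")
    truster = root.attrib["truster"]
    contexts = root.findall("Context")
    if int(root.attrib["length"]) != len(contexts):
        raise ValueError("declared context count does not match")
    tuples: List[TrustTuple] = []
    for c in contexts:
        reps = c.findall("Reputation")
        if int(c.attrib["length"]) != len(reps):
            raise ValueError("declared reputation count does not match")
        for r in reps:
            value = float(r.attrib["reputationValue"])
            if not 0.0 <= value <= 1.0:
                raise ValueError("reputation value outside [0, 1]")
            tuples.append((truster, r.attrib["trustee"], c.attrib["context"],
                           int(r.attrib["time"]), value))
    return tuples


def propagation_round(truster: str, neighbourhood: Dict[str, Set[str]],
                      news: List[TrustTuple], fan_out: int,
                      seed: Optional[int] = None) -> Dict[str, bytes]:
    """One run of Table 2: choose a fan-out from the neighbourhood (a map
    neighbour -> contexts it is concerned with) and build, for each chosen
    neighbour, a message holding only the tuples of its contexts."""
    rng = random.Random(seed)   # seed=None draws from the OS entropy source
    chosen = rng.sample(sorted(neighbourhood), min(fan_out, len(neighbourhood)))
    messages: Dict[str, bytes] = {}
    for n in chosen:
        relevant = [tt for tt in news if tt[2] in neighbourhood[n]]
        if relevant:
            messages[n] = build_message(truster, relevant)
    return messages
```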

The adoption of the epidemic model gives a probabilistic guarantee of maintaining a social network whose diameter (i.e., the maximum social distance between any two individuals) counts O(log n) edges, with n being the number of individuals in the society. The same information is never propagated in two successive propagation rounds. At each round each individual propagates its own opinion about the known principals, according to the human social behaviour; however, it is worth noting that such an epidemic technique allows fresh trust information to reach all the TAw peers within a number of propagation rounds that depends on the logarithm of the group size. The adoption of this type of epidemic model for spreading trust information does not guarantee that all the principals compute the same trust degree about a specific principal; however, according to the results in [Mez04b], we expect reputations to tend towards the mathematical ideal in a manner that depends on the social distance between the truster and the trustee (i.e., the average number of recommenders which stand between the truster and the trustee).

[Figure 4 plots: panel (a) trustworthiness (ticks 0, 0.33, 0.50, 0.66) against interaction round (0 to 5); panel (b) trustworthiness (ticks 0, 0.33, 0.50, 0.67) against propagation round (0 to 35); one curve each for fan-out 3, 5, 7 and 10.]

Figure 4. Reconfiguration test employing, respectively, the cognitive models (a) and arbitrary trust sta-bility and trust balance (b).


2.4 Experimental Results

The results that we are going to present have been computed considering a generic producer/consumer scenario in which 1000 consumers join the TAw infrastructure in order to access services provided by a set of producers; the size of this set, the behaviour of the consumers, and the behaviour of the producers vary according to the purpose of the experiment. Each consumer is characterized by a maliciousness degree, that is the probability for him/her to propagate random noise instead of the correct information; at each propagation round a recommender decides whether to spread out either noise or correct trust information using a uniform probability distribution whose average value is equal to its maliciousness. Each provider is characterized by its trustworthiness, that is the probability that he/she will exhibit a dependable behaviour in delivering a service, and by a behavioural pattern, that is a function that describes how the trustworthiness changes with time (this feature has been introduced to specify failures, i.e., both randomly exhibited failures and crashes, as well as failure recoveries); we assume a provider to exhibit a failure with a uniform probability distribution whose average value is equal to its trustworthiness. For each experiment we compare the employment of the cognitive technique with the employment of arbitrary trust parameters; specifically, we compare the trust stability as defined in (13) to the case in which both trust stability and trust balance have been arbitrarily set to 0.5.

To generate service requests, each consumer behaves as follows: first, the best service provider within the application context is selected according to the available trust information; second, the service is invoked on the provider; finally, a trust value is associated with the performed interaction and the trust information is updated. Each client generates independent and identically distributed service requests such that the time between any two consecutive requests is 30 time units on average. Moreover, each peer periodically propagates trust information towards its neighborhood; the time interval between any two consecutive propagations is 120 time units.

Since the VSS maintains separate social networks for different contexts, the results of the simulations are not affected by the number of contexts. Hence, these experiments are defined employing a unique service interface with the associated contexts (i.e., consumption, provisioning and recommending), focusing our attention on the properties of the reputation management system.

2.4.1 Adaptability Test

With this experiment we have evaluated how TAw enables system reconfiguration in the presence of failures that occur within the system; specifically, given any consumer which currently refers to a dependable service provider, if a failure occurs that compromises the dependability of this provider, we have evaluated the mean number of propagation rounds that are required for that consumer to select a new dependable provider. For this experiment we defined 50 providers, 5 of which are fully dependable (i.e., trustworthiness equal to 1), and the remaining set to exhibit random failures, i.e., their trustworthiness is set to a random number in the interval [0, 1), which implies failures to be uniformly distributed with mean equal to the trustworthiness. Within this setting, once all the consumers have stabilized on those five most dependable providers, a random failure is triggered on one of these providers so as to force the consumers to reorganize themselves and refer to the remaining four dependable providers. In this experiment, we considered four different kinds of failures, which respectively reduce the trustworthiness of the selected correct provider to 0.67, 0.5, 0.33, and 0. Figure 4(a) shows the mean number of propagation rounds that are required for reconfiguration when the above mentioned failures occur, setting the fan-out size to 3, 5, 7, and 10. First, we can observe that the more the failure affects the provider, the faster the consumers reorganize so as to refer to a correct provider; the reason for this behaviour is that the more noticeable a failure is to all the principals, the faster they achieve a good approximation of the failure.

Second, it is possible to observe that with a fan-out equal to 10 the reconfiguration time behaves linearly with respect to the extent of the failure that affects the provider; however, the more the fan-out decreases, the more evident becomes a super-linear behaviour of the reconfiguration time with respect to the extent of the failure. The reader should note that a fan-out of 10 corresponds to the logarithm of the number of nodes in the social network and, according to the results presented in [DGH+87, KMG03], such a fan-out reduces the diameter of the social network to the order of the logarithm of the number of nodes in that network, thus optimizing the number of instances of the propagation protocol that are required for a piece of trust information to cross the entire network. Comparing these results with the ones shown in Fig. 4(b), it is noticeable that the employment of the cognitive models implies a much smaller time for the system to reconfigure, especially as the extent of the failure decreases.

[Figure 5: three rows of two panels. Left panels (a), (c), (e): average reputation of the provider (y-axis, 0 to 1) against propagation round (x-axis, 60 to 240). Right panels (b), (d), (f): variance of the computed reputations (y-axis, 0 to 0.025) against propagation round. The rows correspond to no malicious consumers, 30% malicious consumers and 50% malicious consumers.]

Figure 5. Robustness test employing the cognitive models.

2.4.2 Robustness Test

With this experiment we have studied the robustness of TAw against malicious principals which propagate wrong trust information within the system; specifically, we have evaluated to what extent any consumer can approximate the trustworthiness of a given provider which exhibits a dynamic behavioural pattern. Hence, for this experiment we defined a single provider with the following behavioural pattern: initially, it behaves dependably with trustworthiness 1; at interaction round 60 it suffers a crash failure; at interaction round 120 the crash recovers and it behaves dependably with trustworthiness 0.8; at round 180 another failure happens that reduces its trustworthiness to 0.6; finally, at round 240, the provider is fully recovered and its trustworthiness is 1. Within this setting, we estimate to what extent the provider's reputation, as computed by the consumers, is affected as the number of noisy consumers (i.e., the ones that introduce wrong trust information) increases.

Figure 5(a) shows the average reputation of the provider computed over the 1000 consumers when no random information is introduced within the system. Here, the approximated pattern follows the specified behavioural pattern for the faulty principal, even if the suspicious model adopted for trust stability enforces fast changes on the curve of trust when a principal loses reputation and slow changes on the curve for that principal to gain reputation; moreover, the suspiciousness implemented by the trust stability model enforces for the principal a reputation lower than its actual trustworthiness unless it behaves in a completely dependable manner (i.e., with a trustworthiness equal to 1). In addition, the adaptability rate of the trust function can be modified by setting the trust decay parameter according to the specific application context. Figure 5(b) shows the variance computed on the reputations of Fig. 5(a), which affects only the second decimal digit of the computed reputation of each principal. Specifically, it is possible to see that, as the provider changes its trustworthiness (i.e., the behaviour in the intervals between propagation round 30 and 60 and between 90 and 150), there is a variance peak which represents the asynchrony with which all the principals discover the change in the provider behaviour; after the peak, the variance's convergence to zero represents an implicit and distributed commit by all the principals on the approximation of that provider's trustworthiness. Hence, even with a random behaviour that the principal exhibits towards each possible consumer, TAw enables all the consumers to agree on the reputation to assign to that provider, which follows the behaviour of the provider's trustworthiness according to a suspicious evaluation.
Moreover, it is possible to see that the speed with which reputation adapts depends on the behaviour exhibited by the provider; in fact, although the initial reputation is 0, at the beginning of the experiment it rapidly converges to 1 but, when at propagation round 240 the provider trustworthiness goes back to 1 from 0.6, the past behaviour is taken into account and the convergence to 1 is slower than at the beginning. In Figures 5(c), 5(d), 5(e), and 5(f) it is possible to observe the average reputation and the respective variance computed, respectively, when 30% and 50% of the consumers propagate noise (i.e., values chosen randomly in [0, 1] with a uniform probability distribution) instead of correct trust information. By looking at the average reputations and the variance charts, we can claim that, even in the presence of partially trustworthy recommenders, all the correct consumers agree, with a good degree of precision, on the same trustworthiness that is computed in the absence of noise.

Figure 6 shows the provider trustworthiness as computed by the consumers employing the old model of SIR; nonetheless, even in the presence of noise, the consumers agree with a good approximation on a value that is very near to the actual trustworthiness of the provider. Looking at how the reputation adapts in correspondence with the changes in the trustee dependability, it is worth noting that the arbitrary composition of direct and indirect trust prevents reputation from depending on the behaviour exhibited in the past by that trustee.

[Figure 6: same layout as Figure 5. Left panels (a), (c), (e): average reputation of the provider (y-axis, 0 to 1) against propagation round (x-axis, 60 to 240). Right panels (b), (d), (f): variance of the computed reputations (y-axis, 0 to 0.025) against propagation round.]

Figure 6. Robustness test employing arbitrary trust stability and balance.


Chapter 5

Case Study: rawDonkey

1 Introduction

Peer-to-Peer file sharing environments can be seen as social environments where single individuals meet and agree to share (parts of) files. The similarity of these application contexts to what we call Virtual Societies (VS) is clear. A VS is defined to be a dynamic set of possibly federated and mutually distrustful entities (i.e., individuals and resources) which interact with each other, providing and consuming services, in order to accomplish their respective tasks. In peer-to-peer file-sharing networks, collaboration among peers is essential in order to optimize file distribution. The more the peers equally support the file sharing (according to the availability of both their storage capacity and bandwidth), the more efficient the file distribution is. In real applications there are two profiles of user behaviour that describe the users that are less collaborative: the fakers and the free riders. A user is a faker if he/she shares files whose symbolic names do not correspond to the actual content; instead, a user is a free rider if he/she only downloads files from the network without enabling any upload. Clearly, the fewer the fakers and the free riders in a file-sharing network, the better the service that the whole network provides.

In this context, in order to encourage each peer to be more collaborative, our idea is to associate reputations with users so as to implement an autonomous mechanism capable of detecting and penalizing misbehaving peers. We employ reputations to measure how much a peer has previously collaborated in file distribution; hence, a peer is granted a good reputation if he has shown a collaborative behaviour (i.e., that peer has satisfied all the received upload requests without delivering fakes); otherwise, that peer gets a bad reputation. Hence, the file distribution system should honor upload requests according to a policy which grants priority to the most collaborative peers, and route download requests towards the sources which exhibited a collaborative behaviour. Note that this policy (i) makes the collaborative part of the network grow faster than the non-collaborative part, (ii) implements an efficient file sharing service among the collaborative peers, and (iii) motivates each peer to exhibit a collaborative behaviour.

In a system of mutually distrustful entities it is necessary for the peers to mutually assess their reputations before any kind of interaction takes place [SFWC04]. Thus, given the absence of trusted third parties in this context, it is not possible for a participating peer to rely on someone else for the maintenance of her/his own trust information; such information is in fact the only means each peer has to assess the trustworthiness of the other peers and cannot get corrupted. This assumption requires our trust management system to be totally decentralized. Moreover, we believe that in this context a reputation model has to meet the following requirements:

Adaptability: reputations have to adapt according to the behaviour that the individuals dynamically exhibit within the system and, since information eventually becomes obsolete, to the passing of time;

Robustness: assuming the presence of a certain amount of illegitimate trust information, the reputation model has to identify it and prevent it from affecting the computation of reputations;


Scalability: the reputation model must not require the maintenance of any global knowledge.

Hence, we employ the SIR [Mez04b, Mez04a, Mez05] reputation model because it has been proved to meet the requirements of adaptability, robustness and scalability that we specified above and because it enables the implementation of completely decentralized trust management systems. In this paper we first define the evaluation criteria for the identification of fakers and free riders and combine them with the SIR model so as to provide peers with the reputations associated with each possible user profile. Then, we integrate such results within an eDonkey client to obtain (i) an automatic free-rider identification, and (ii) an interactive technique for faker identification (as fakes can only be identified by humans). We implemented such concepts within the rawDonkey architecture, which is an eDonkey [Kli] client integrating a decentralized monitoring system for the file-sharing protocol execution. Reputations are formed by the composition of the trust information that the peer locally maintains; each piece of information may be obtained either by observing the local execution of the eDonkey protocol or by exchanging recommendations with other peers through a gossiping protocol that is autonomously triggered among different peers. Although the experiment was performed on the eDonkey protocol, the presented criteria can easily be applied to any protocol for P2P file sharing.

2 Related Work

The currently available literature about trust formation and applications in peer-to-peer file sharing contexts (e.g., [SFWC04, AD01, CDV+02, KSGM03, TWD04]) does not fully meet our requirements, either because most of these works require the maintenance of the single trust evaluations in a distributed data structure, or because they fail to meet some of the adaptability, robustness, and scalability requirements that we mentioned above. Moreover, most of the currently available solutions are limited to the formation of trust relationships for supporting the user's choice of files to download, but do not define any automatically enforced trust-based policy.

In [SFWC04] a trust-based monitoring system has been integrated within the Gnutella client to enable protocol interactions. Like in our work, the authors derive trust scores in a partially autonomous manner by both analyzing the Gnutella protocol traffic and interacting with the user. The employed trust model is very simple and customizable by each peer; however, it appears not to be adequate for this application in that it (i) does not meet the adaptability and robustness requirements, and (ii) does not enable peers to exchange trust information and, thus, to compare with each other the computed trust evaluations and assess the goodness of both their own evaluations and their own evaluation criteria.

In [AD01] a complaint-based reputation system is employed for peer reputation management. We believe that this reputation model is not adequate for the specific application in that it does not represent the whole trustee interaction history and it requires the maintenance of complaint data within a distributed hash table which is maintained by the peers. The employed reputation model does not enable peers to redeem themselves: peers which accumulate a specific number of bad evaluations are excluded from file-sharing because they cannot rebuild a good reputation. However, the reputation model is weak against the introduction of false complaints because it does not integrate any mechanism to distinguish between true and false complaints.

In [CDV+02], the main contribution is a protocol for retrieving trust information for source selection in the Gnutella network. Here, a simple reputation model is implemented; however, the trust evaluations are simply determined by the users, making the whole system vulnerable to collusion attacks. The whole work is more centered on security mechanisms which are based on PKI certificates for peers to authenticate with each other, to avoid impersonation attacks, and to ensure the authenticity of exchanged reputations.

In [KSGM03], a trust model is combined with a distributed hash table so as to provide peers with global trust values; however, the maintenance of global trust values requires greater computational and communication efforts; moreover, the employed trust model does not meet the adaptiveness degree of the reputation model adopted for this work, and the evaluation criteria appear to be incomplete, e.g. they do not take into account partially satisfied download requests and the trust score does not encode the specific time when bad behaviours occur.

3 rawDonkey

3.1 The eDonkey Protocol

For the sake of clarity, when in a file sharing network a file, or a part of it, is transferred from one peer to another, we say that the requesting peer performs a download operation, while the peer owning the file, namely the source peer, performs an upload operation.

The eDonkey network [Kli] is a hybrid P2P architecture which has been designed for enabling file-sharing; in this network there are two kinds of entities, the eDonkey clients and the servers. The clients are the peers which participate in the file exchange, making available to the other clients a (possibly empty) set of files. Each server maintains, within a directory, the bindings between the names of the available files and the peers which own that file (the owner peers, below); these bindings are grouped according to the hash value of the file content. Each file is logically divided into segments, namely chunks of at most 9500KB in size. Each chunk is associated with its hash value, so as to reduce the amount of transferred data in case of transmission errors. When logging on to the network, each user registers the shared files with the server. The chunk is the minimum sharing unit for each file; when a user successfully downloads the first chunk of a file, the server is automatically notified in order for that user to participate in the sharing of that file. For each chunk, the transfer unit is the block, which measures at most 180KB.

A client which is looking for a file queries the server with a set of keywords to be used for identifying a set of file names; the server returns a set of pairs (filename, hashvalue), if any (see below), which match the specified keywords. Then, once the client has identified the file to download, it (i) queries the server specifying the respective hash values to retrieve the references to the owner peers, and (ii) engages in a handshake session with all those peers to verify their active status. Then, it sends a download request to each owner peer. Each owner may find that the requested file is either available or not available. In the former case it responds with a bitmap that specifies which file chunks are available; in the latter, it transmits a file-not-found error message. If the file is shared by the owner peer, the client sends a start download request to each owner peer for which the requested file is available; the client will then receive from each owner peer its scheduled position in that peer's upload queue. In the majority of the eDonkey implementations, the owner peers schedule upload requests according to a FIFO discipline; thus, when an owner peer schedules an upload request for service, it first notifies the relative client peer, which is then enabled to request up to three blocks from the owner peer (request parts message). The owner peer will then answer with a number of sending part messages in order to honor the client request.

Finally, the eDonkey protocol implements a technique for the retrieval of corrupted chunks.

3.2 The Architecture of rawDonkey

The rawDonkey (i.e., reputation-aware eDonkey) architecture we have developed is structured as depicted in Fig. 1. In this figure, the blocks correspond to the application modules, and the arrows represent the interactions among those modules. The respective responsibilities of these modules can be summarized as follows.

Gui: this module implements the client graphic interface;

Command/Notification: this module interfaces the Gui with the Core module; it has been introduced in order to decouple the implementation of the Gui from the Core (see below), and to make the Gui updates independent from the Core activities;

Core: this module is the core application; it manages the interactions with the server, the downloads (i.e., manages and maintains the state of the requested/active downloads), and the uploads (i.e., maintains the upload queue and manages the active uploads).


Figure 1. Architecture of rawDonkey.

TMS: the Trust Management System (TMS) module implements the SIR reputation model and the trust criteria that are described further in this section. It also embodies a data structure, namely the trust repository, which is employed to store and access trust information;

Session: this module implements the single transfer sessions to/from other peers; it provides classes for managing the single eDonkey protocol messages;

Mapping Binary/Object: this module abstracts the protocol messages into Java classes that can be handled by the Session module.

The trust management system that has been developed for the eDonkey client aims at optimizing the collaboration between peers so as to improve the quality of the file distribution. We define the optimal file sharing network to be one in which (i) each single download request is eventually satisfied, and (ii) all the peers fairly support the file distribution according to their available bandwidth and storage capacity. We say that a request is satisfied when the intended (i.e., not a fake) content has been delivered. In the following, we describe how we have developed a monitoring system for the eDonkey protocol that, by observing the behaviour of the peers in meeting requirement (i), enables an adaptive file distribution policy that can meet requirement (ii).

3.3 Trust Management System

In this section we introduce the trust logics as they have been implemented within the TMS module; specifically, we describe the logic that has been implemented to identify the free rider and the faker profiles, respectively. Our trust management has required the extension of the eDonkey protocol messages; however, such messages have been extended so as to maintain compatibility with the original eDonkey protocol and the existing server and client implementations. It is worth noting that the exchange of recommendations requires the trusters to trust the origin of the recommendation. To this end, we have integrated an alternative handshake protocol within the architecture whose purpose is to provide authentication between peers that employ this enhanced client, and to support verifying the authenticity of the recommendations exchanged later on.


3.3.1 Trust Evaluation Criteria

Free Rider. A free rider is a user who is online and downloads from other sources but does not share any file; i.e., he/she cannot satisfy the received download requests. Hence, in order to evaluate the availability of the user as a source peer, we introduced the availability context, indicated by the notation A. It is worth noting that, in the absence of trust information, each unknown peer (i.e., a peer for which no previous trust information is available) might be confused with a free rider. In order to avoid this behaviour, we introduce a context availability.stability, indicated by the notation A.S, which specifies how much the computed trust value associated with the context availability has to be considered stable. The trustworthiness of a source peer within these two contexts is evaluated when he/she is sent a download request or when a download request is served by that peer; the following cases are possible:

1. Upon the download request from client peer α, at time t the source peer β replies with a file-not-found message; in this case, it is clear that the file has been removed from sharing. Thus, we grant the user the evaluation $e_A = 0$ in context availability, which we then employ for deriving the evaluation $e_{A.S} = 1 - |e_A - D_A|$ in context availability.stability, where $D_A = D(\alpha, \beta, A, t)$ is the direct trust that client peer α presently associates with source peer β within context availability.

2. Let us assume that the client peer requested k blocks from the source peer via a request parts message and that the source peer sent back h ≤ k blocks to the client. In this case we grant the user a trust evaluation that is proportional to the part of the request that has been satisfied; in the evaluation, we apply a modifier which depends on whether the source peer was in credit with the client peer: if the source peer served the request while being in credit, a positive modifier is granted. Formally,

$$
e_A = \begin{cases} \dfrac{h}{k} + \dfrac{k - h}{k} \cdot e^{-1/\mathit{credit}} & \mathit{credit} > 0 \\[6pt] h/k & \text{otherwise} \end{cases}
$$

where credit is the difference between the number of blocks that the client peer previously received from that source peer and the number of blocks that he/she previously uploaded to that source peer. The evaluation within context A.S remains $e_{A.S} = 1 - |e_A - D_A|$, where $D_A = D(\alpha, \beta, A, t)$ is the direct trust that client peer α presently associates with source peer β within context availability.

This technique produces a pair of direct trust values, (A, A.S), that indicates how much a peer has shown himself available in sharing its own files. This value pair ranges from (0, 0), which indicates maximum uncertainty about the peer behaviour, to (0, 1), which indicates that the peer is not willing to share its own files, to (1, 1), which indicates that the peer is fully collaborative in those contexts; the pair (p, 0), with p ≠ 0, has no meaning according to the context semantics. A pair (p, 1), with p ∈ (0, 1), means that the peer availability, p, is partial and with stable behaviour, and the generic pair (p, q), with p, q ∈ (0, 1), means that the peer availability, p, is partial but its behaviour has not stabilized yet.

At each interaction, it would be possible for a source peer to produce trust evaluations on the client peer, based on the credit, positive or negative, that is associated with that client. However, we decided not to produce this evaluation to prevent a source which only shares and does not request files (e.g., a big server) from penalizing those clients that request his/her services.

Figure 2 describes how the Core and the TMS modules interact when a download happens: when a request parts message is satisfied, on the client side (downloader) the credit information (i.e., the amount of downloaded data) is updated and the new direct trust value is computed; in turn, on the source side only the credit information (i.e., the amount of uploaded data) is updated.

[Figure 2: sequence diagram between the Client Peer (Session and TMS) and the Source Peer (Session and TMS). 1: Request blocks; 2: Sending Parts; 3: credit and trust update, information about the source peer (client side); 4: update credit, information about the client peer (source side).]

Figure 2. Interaction between TMS and Core in free rider identification.

Faker. We defined a faker to be one who associates illegitimate symbolic names with his/her own files; unfortunately, this property cannot be monitored by a software component, and requires interaction with the user, who has to express a judgement on the downloaded file. In this case, the possible judgements are "fake" and "not fake"; for each downloaded file the client peer is given a single possibility to express this judgement. Similarly to the free-rider criteria, we need two contexts to distinguish between fakers and unknown users; we thus introduce the competence context, indicated by the notation C, and the associated competence.stability context, indicated by the notation C.S. Competence represents how good a user is in judging the content of its own shared files and in defining symbolic names. Formally, the evaluation criteria for these contexts are

$$
e_C = \begin{cases} 1 & \text{if ``not fake''} \\ 0 & \text{otherwise} \end{cases}
\qquad\qquad
e_{C.S} = 1 - |e_C - D_C|
$$

where $e_C$ is the evaluation in the competence context and $e_{C.S}$ is the evaluation in the associated stability context.

Finally, since we said that eDonkey enables the sharing of partially completed files, this criterion has to be implemented only for the owner peers that own the entire file at the time the download requests are produced. In this case, the trust information update is similar to the previous case; however, the trust update is triggered by the user, and carried out after the file download has been completed; i.e., from the Gui, the trust evaluation reaches the Core module, which then invokes the actual update within the TMS.

3.3.2 Gossiping

We designed an ad-hoc gossiping protocol for minimizing the communication overhead; specifically, we rely on the assumption that the peers that interact with each other in a file-sharing network share common interests; hence, they may be willing to contact the same subset of owner peers. The base eDonkey authentication protocol has been augmented so as to establish whether a contacted peer is a rawDonkey peer or a common eDonkey peer. In the first case, the eDonkey authentication mechanism is performed, otherwise the PKI-based rawDonkey authentication mechanism is performed. To this purpose, each rawDonkey peer is provided with its PKI certificate; such a certificate is also employed for providing origin and integrity proofs in the exchange of trust information. When two rawDonkey peers authenticate, the established connection also conveys recommendation exchange phases; otherwise, the standard eDonkey protocol is executed. For the recommendation exchange phase, a specific extension of the eDonkey protocol has been designed.

The recommendation exchange phase is automatically triggered on the currently open protocol connections if either (i) a threshold of fresh trust information (volume-threshold) has been acquired before a quantum of time has elapsed since the last recommendation exchange, or (ii) a quantum of time (time-threshold) has elapsed since the last protocol run and some trust information has been acquired but the threshold has not been reached.

In the recommendation exchange phase, the contacting peer selects the fresh reputations that have been computed to send to the contacted peer; each single reputation is considered fresh if both it has been sent to a number of randomly selected peers that is less than the fan-out parameter, and it has been computed not earlier than a certain amount of time ago (freshness-threshold), after which the recommendation is considered obsolete. According to the results obtained from the research in epidemic propagation algorithms [DGH+87, EGH+03], in order to optimize information propagation in a P2P network, the fan-out parameter is set to be equal to the logarithm of the number of known rawDonkey peers.

3.3.3 Trust-Aware Policies

Upload management: We have used the above definitions to define a trust-aware queuing policy for download requests, which gives priority to those requests originating from peers with better reputation. For each peer, the available reputations in the four defined contexts are aggregated into a trust score, which represents an overall judgement on the behaviour of that peer. Hence, download requests are enqueued giving priority to those with higher scores. Among the requests from peers with equal trust score, a FIFO queuing policy is applied. Together with the aging technique described below, this policy guarantees that each request is eventually honoured.

The trust score, Tscore, is formalized below; it is a value in the continuous closed interval [−2, 2]. The value 2 is associated with a fully collaborative trustee, and the score decreases down to −2 for principals that are fully non-collaborative.

\[
T_{score}(\alpha,\beta,t) = R(\alpha,\beta,A,t)\cdot R(\alpha,\beta,A.S,t) + R(\alpha,\beta,C,t)\cdot R(\alpha,\beta,C.S,t) + P
\]

where P denotes a penalty that is applied in case either of the two bad profiles is associated with the trustee; it has been introduced to discriminate between new peers, which would otherwise have a trust score equal to 0, and misbehaving ones. The penalty is defined as follows:

\[
P = P_A + P_C
\]

where each of the two terms is defined as

\[
P_\phi =
\begin{cases}
-R(\alpha,\beta,\phi.S,t) & \text{if } R(\alpha,\beta,\phi,t) = 0 \\
0 & \text{otherwise}
\end{cases}
\]

Starvation of download requests is prevented by an aging technique applied to all the enqueued download requests: periodically, each queued request whose score is less than 2 has its score increased by an aging parameter (0.1 by default), up to the maximum value of 2. Note that this increase affects only the trust score associated with the download request; it does not contribute to increasing the reputation of the requesting peer.

Resource Selection: The computed reputations are also employed to guide the user in selecting trustworthy resources on the eDonkey network. Firstly, when a user queries the server for the peers that own a specific file, the trust management system is also queried to return trust information for each reported source: the reputation in the competence context helps the user decide whether the file is possibly a fake, and the reputation in the availability context helps the user estimate how many of the reported sources are possibly free-riders (and will thus probably deny file sharing).

Moreover, once the specific file has been selected, the download requests are sent to the available sources giving priority to those with a higher reputation in the availability context. Specifically, for each missing block, the request for that block is sent to the peer with the best such reputation among the currently available peers that own that block.
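The trust score with its penalty, the aged priority queue of the upload-management policy, and the per-block source selection just described are shown together below. This is an added example and not rawDonkey's own code; it assumes that every reputation R(α, β, ctx, t) is a float in [−1, 1] for the four contexts A, A.S, C and C.S (under that assumption Tscore lies in [−2, 2] by construction), and the peer names, block numbers and reputation values are constructed for the example.

```python
"""Trust-aware upload queue and availability-based source selection.

Added example, not rawDonkey's own code. It assumes that each reputation
R(alpha, beta, ctx, t) is a float in [-1, 1] for the four contexts A, A.S, C
and C.S, so that Tscore lies in [-2, 2] by construction.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Reputation:
    """Reputations a truster holds about one trustee at time t, one per context:
    A = availability, C = competence, A_S / C_S = the bad-profile sub-contexts
    written A.S and C.S in the thesis."""
    A: float = 0.0
    A_S: float = 0.0
    C: float = 0.0
    C_S: float = 0.0


def penalty(r_phi: float, r_phi_s: float) -> float:
    """P_phi = -R(phi.S) when R(phi) == 0, and 0 otherwise."""
    return -r_phi_s if r_phi == 0 else 0.0


def trust_score(rep: Reputation) -> float:
    """Tscore = R(A) * R(A.S) + R(C) * R(C.S) + P_A + P_C."""
    return (rep.A * rep.A_S + rep.C * rep.C_S
            + penalty(rep.A, rep.A_S) + penalty(rep.C, rep.C_S))


class UploadQueue:
    """Download requests are served by decreasing trust score, FIFO among equal
    scores; periodic aging raises queued scores so that no request starves."""
    MAX_SCORE = 2.0

    def __init__(self, aging_parameter: float = 0.1) -> None:
        self.aging_parameter = aging_parameter
        self._seq = itertools.count()          # arrival order, for the FIFO tie-break
        self._entries: List[list] = []         # [score, seq, requester, request]

    def enqueue(self, requester: str, request: str, rep: Reputation) -> float:
        score = trust_score(rep)
        self._entries.append([score, next(self._seq), requester, request])
        return score

    def age(self) -> None:
        """Raise every queued score below MAX_SCORE by the aging parameter.
        Only the request's queue score moves; the requester's reputation does not."""
        for e in self._entries:
            if e[0] < self.MAX_SCORE:
                e[0] = min(self.MAX_SCORE, round(e[0] + self.aging_parameter, 10))

    def score_of(self, request: str) -> float:
        return next(e[0] for e in self._entries if e[3] == request)

    def pop(self) -> Tuple[str, str]:
        """Serve the highest-scored request; among equal scores, the oldest."""
        best = max(self._entries, key=lambda e: (e[0], -e[1]))
        self._entries.remove(best)
        return best[2], best[3]

    def __len__(self) -> int:
        return len(self._entries)


def select_source(block: int, owners: Dict[str, Iterable[int]],
                  availability: Dict[str, float]) -> str:
    """For one missing block, pick among the currently available peers that own it
    the one with the best availability-context reputation (ties broken by name)."""
    candidates = [p for p, blocks in owners.items() if block in blocks]
    if not candidates:
        raise LookupError(f"no available source owns block {block}")
    return min(candidates, key=lambda p: (-availability.get(p, 0.0), p))
```

A new peer (all reputations 0) scores 0 and is served before a peer flagged in a bad profile, whose penalty pushes it below 0; a request that starts at −2 reaches 2 after forty aging rounds with the default parameter, after which it competes on arrival order with the best-reputed requests.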


Chapter 6

Considerations

1 Considerations

In the context of trust management, the principal contribution we provided is SIR, our computational model of reputation. This model has been developed to overcome the limitations of currently available trust management systems, which prevent their employment in global computing scenarios. Moreover, in the analysis of the state of the art in trust models, we pointed out some aspects of those contributions (see Chap. ) which guided us in the development of the SIR model. Finally, we defined the requirements that a trust model should meet for its employment in global computing contexts: adaptiveness, robustness, and scalability. According to these principles we developed the SIR model and the associated context abstraction. We also introduced the attribute abstraction, which provides a better degree of expressiveness with respect to other existing trust models and enables the modelling and implementation of complex trust evaluations.

The second contribution that we introduced in this part is TAw. TAw is the first general-purpose middleware architecture for reputation management; it has been designed to integrate with naming and directory services so as to provide component (or service) oriented architectures with trust-aware resource (i.e., component or service) selection. TAw can be transparently employed to add trust awareness to business-to-business or business-to-consumer applications. The TAw architecture is totally decentralized. Each entity (i.e., application, service, or component) has an associated peer which manages trust computation on its behalf; peers collect trust information from the interactions engaged in by the associated application, aggregate the locally available trust information, and pro-actively exchange trust information with each other for reputation computation purposes.

We performed extensive simulations of the TAw architecture in order to assess how TAwmeets the requirements that guided us in the development of SIR. The obtained results show thatTAw meets the requirements of adaptability, robustness, and scalability, as described below:

adaptability: the obtained results show that SIR, employing only a partial amount of the global trust information, enables entities to obtain a good approximation of entity trustworthiness in a manner that depends on each entity's own interaction history. Moreover, the behavioural pattern of a trustee is employed by each truster to adapt the speed of adaptation according to customizable criteria. The specific application within TAw shows that the adoption of cognitive techniques for trust adaptiveness increases the responsiveness and the efficiency of system reconfiguration, enabling entities to quickly reference trusted entities when dynamic factors affect the system;

robustness: the obtained results show that SIR, even in the presence of a high number of incompetent recommenders, enables the identification of faked trust information and adapts so that reputations are computed with a good degree of precision. The specific application within TAw shows that the reputation network maintains its efficiency even in the presence of a high number of entities that implement unreliable evaluation criteria;

scalability: the obtained results show that SIR does not require that reputations be computed on global trust information in order to accurately approximate entity trustworthiness. The specific application within TAw shows that even in a network that implements the gossiping model, that is, a network in which each entity has a very limited view of the total set of participating entities, reputations are accurately computed and adapted according to dynamic changes in entity behaviour; the application in this context shows that SIR efficiently provides good adaptability and robustness, as can be observed in the reconfiguration and robustness tests.

Hence, the experiments performed on TAw show that SIR fulfills its goals, enabling the requirements of adaptiveness, robustness, and scalability to be met in pervasive computing contexts in which global information cannot be reliably maintained. The same results show that, in this context, it is possible to maintain a distributed information system that integrates the information maintained by naming and directory services, improving the data workflow and entity collaboration in service-oriented contexts.

The last contribution regards rawDonkey, our architecture for file distribution in peer-to-peer file-sharing networks. To the best of our knowledge, rawDonkey is the first peer-to-peer file-sharing architecture that employs trust models and criteria in order to meet the autonomy, collaboration, and scalability requirements of this class of networks, as summarized below.

autonomy: The trust management system autonomously manages all the monitoring and evaluation activities that do not require user interaction: for the free-rider profile, trust criteria have been formalized so as to enable its automatic identification; for the faker profile, however, user interaction is required, because files do not currently embody semantic information and thus it is not possible to automatically evaluate the correspondence between a file name and its actual content.

collaboration: The trust criteria have been employed in the definition of trust-aware policies that grant collaborative peers better performance and penalize non-collaborative peers, according to the reputation they are associated with; by this principle, not only is the collaborative part of the network enabled to grow faster than the non-collaborative part, but the non-collaborative part may also shrink, because each user has a stronger interest in collaborating in file sharing.

scalability: The developed monitoring system has been designed so as not to require global information; each peer locally monitors the protocol executions and aggregates the associated evaluations; then, through the ad-hoc gossiping protocol for recommendation exchange, peers efficiently exchange trust information with each other in order to disseminate the collected information and obtain reputations. The properties of the adopted reputation model enable each peer to approximate the reputation of any other peer with a precision that tends to the mathematical ideal defined in Sec. ?? in a manner that depends on the kind (i.e., direct or indirect) and frequency of interactions between the two peers.

2 Future Work

We are currently writing a simulator of rawDonkey and planning extensive simulations in order to evaluate the behaviour of our trust management system. Moreover, more tests are planned to assess the behaviour of our rawDonkey implementation in real contexts, and to experimentally evaluate the overhead introduced by our trust-based approach.


Chapter 7

Motivation of the work

1 Discussion

Wireless technology is becoming more widespread every day; its applications span from user applications, such as personal area networks, ambient intelligence, and wireless local area networks, to real-time applications, such as cellular networks for mobile telephony or sensor networks.

The goal of this work is to define a basic calculus of wireless systems and its associated operational semantics. The most important contribution of this work is the semantics. Here we had to face the peculiarities of wireless systems, which combine features of broadcast, synchrony, and asynchrony, as we outline below.

Wireless devices communicate by broadcasting messages. This is, however, quite different from the more conventional wire-based broadcast that we find in Ethernet networks and that, from a semantic point of view, is well understood ([Pra95, Pra96]). First, in Ethernet-like systems broadcasting is global, i.e., the transmitted messages reach all nodes of the system. By contrast, in wireless systems broadcasting is local, i.e., a transmission spans a limited area, called a cell, and therefore reaches only a (possibly empty) subset of the devices in the system. Second, the communication channel of an Ethernet device is full-duplex; that is, a node can transmit and receive at the same time. As a consequence of full-duplex channels and global broadcasting, interference between two simultaneous transmissions is immediately detected by the transmitters. The transmitters thus know that they have to retransmit their messages, and they do so after a randomly chosen period of time. This means that interference in Ethernet-like systems is easy to repair, and in a model of these systems it is therefore reasonable to abstract from interference, i.e., to assume that it does not exist. By contrast, in wireless systems channels are half-duplex: a device can either transmit or receive, but cannot do both at the same time. Hence, interference between two transmissions can only be detected by receivers located in the intersection of the cells of the two transmitters, never by the transmitters themselves. Interference is thus a delicate aspect of wireless systems that has to be handled by means of ad-hoc protocols (e.g., CSMA/CA), and it is also one of the key aspects to be described by a model of these systems. A third, but semantically less relevant, difference between Ethernet and wireless broadcast is that only the latter uses explicit communication channels.

Wireless systems also have features of synchrony that remind us of synchronous languages (e.g., Esterel [BG92], Statecharts [Har87], SCCS [Mil83]). Indeed, in a single time unit of a wireless system multiple events can happen; such a simultaneous execution of events is different from an interleaving of them: only in the former case, for instance, can interference appear.

Wireless devices locally try to remain synchronized on a common clock so that, for instance, transmissions start at the same time. This is because each network device, wireless ones included, incorporates a hardware clock that is employed for physical transmission; however, each hardware clock is generally characterized by a different drift with respect to the nominal frequency. Hence, for different devices to synchronize with each other and reduce the effect of clock drift, each of them re-synchronizes its own clock on the transmissions performed by the other devices. However, the physical distance among the devices and the partial area covered by each single transmission may prevent an exact global agreement on clocks. Therefore, the clocks of distant devices may not coincide. This introduces an additional element of asynchrony that affects the way interference appears and is detected, as we discuss below.

Another, though less important, feature of wireless systems (that a semantics should show) is the fact that a transmitter, before initiating a transmission, checks that, locally, the communication channel (i.e., a specific frequency band) is not presently employed by other transmissions. This is imposed in order to reduce the possibility of interference.

When developing our semantics of wireless systems we tried hard to adhere to the standard operational semantics of concurrent systems (broadcast systems as in CBS [Pra95, Pra96, OPT02], point-to-point systems as in CCS [Mil80] or CSP [BHR84]), in which each transmission of a message (or communication) is represented by a single atomic event and, furthermore, each event (or transition, or action) in the semantics represents precisely one transmission. For instance, in the labelled transition semantics of CCS an event $P \xrightarrow{a!v} P'$ means that an output process in $P$ transmits value $v$ on channel $a$ and, as a result, the transmission action $!v$ is produced and the process evolves into $P'$. Only one among the input processes executing in parallel with $P$ will receive that value. Similarly, in CBS an event $P \xrightarrow{!v} P'$ means that the output process in $P$ transmits value $v$ and, as a result, the process evolves into $P'$. All the input processes executing in parallel with $P$ will catch that transmission.

Our attempt to follow this approach was unsuccessful, due to the physical aspects of wireless systems outlined above. In particular, we could not maintain transmission atomicity and, at the same time, express all the possible ways in which interference may occur.

A natural alternative would have been to follow the approach of synchronous languages. In these languages an event in the semantics represents a set of transmissions, namely all those that occurred during the same time unit. Unfortunately, we failed with this approach as well. The reason is that the synchrony among the devices of a wireless system is not perfect: the transmissions of two distant devices may span time units that only partially overlap, with strong consequences on the interference that these devices can cause to each other and to other devices.

We thus decided to refine the view on transmissions and observe, for each node, the change of state between transmission and reception (and vice versa), rather than single transmissions. In doing so, we model real wireless devices; in particular, we assume that when a device is not performing a transmission its antenna is in reception mode. Hence, we call event the state change that occurs in the network when a device changes the function of its antenna. Specifically, we call begin transmission the event in which a device initiates a transmission, and end transmission the event in which a transmitter finishes its transmission. It is also realistic to assume that a receiving device can distinguish between these two events, because real implementations of wireless communication protocols specify different signal sequences to indicate when a transmission is respectively initiating and terminating.

We introduce a calculus for wireless systems, which we call CWS (Calculus of Wireless Systems). It has nodes, which represent the devices of the system and can be composed in parallel. Inside a node there is a sequential process, which models the behaviour of that device. Each node has a location and a radius that define the cell over which that node can transmit. We equip CWS with a reduction semantics (RS) and a labelled transition semantics (LTS): the first semantics is more intuitive (i.e., among the standard semantics, it is the one that best shows the correspondence between itself and the modelled system) and is thus more appropriate for analysing how a given specification model evolves on its own; in turn, the LTS is important because it is more suitable for defining equivalence relations between specification models and for developing techniques for verifying system properties.

Besides the different flavour (being an RS rather than an LTS), the two semantics also differ in the approach we followed to check for interference. In the LTS, the derivation of a transition takes the set of active transmitters in the network (i.e., the set of devices that are currently engaged in a transmission) as a parameter; the various possibilities of interference are then checked against that parameter. In the RS, by contrast, such a parameter is absent: the checks for interference are "hardwired" into the rules of the semantics itself. As a consequence, however, the derivation of a reduction has to be decomposed into three separate sub-derivations, which are defined using some auxiliary relations on an extension of the calculus. Each of these auxiliary relations implements a logically distinct sub-component of the mechanism by which transmissions are performed in wireless systems (i.e., identification of the transmitter; identification of its cell; and, for each receiver in the cell, identification of possible interference). The main extensions of the calculus are markers that are placed on the network nodes and that represent a partial state of the node within the whole reduction.

It would have been possible to design the RS employing the same parameter as the LTS, and the correspondence between the two semantics would then have been easier to establish. We chose not to do so in order to compare the two approaches; at present, we do not see one as obviously better than the other.

Our main technical result is the equivalence between the two semantics; this proves the correctness of the LTS and enables one to use interchangeably whichever of the two semantics is more appropriate for the task at hand. Due to the novel approaches we employed in developing our semantics, this proof has not been a trivial task: its importance lies in the differences between the LTS and the RS and in the non-standard structure of the RS. This result reinforces both semantics, showing that our intuition in modelling wireless communication systems and in developing the semantics has been correct; in particular, given that the RS is much more intuitive than the LTS, it appears clear that we have succeeded in developing the latter. For instance, the same specification model could be evaluated on its own by employing the RS, and then some properties of the system could be verified employing tools developed on the LTS.

At present, CWS does not model the movement of devices. This choice simplifies the syntax and the semantics of the calculus. Further, even without movement, CWS is adequate for describing important classes of wireless systems, most notably sensor networks and their protocols. A sensor network ([ASSC02, CYKB03]) is a computer network of many spatially distributed devices that use sensors to monitor conditions (e.g., temperature, sound, vibration, pressure, motion) at different locations. Each device is equipped with a radio transceiver, a small micro-controller, and an energy source, usually a battery. Since the sensors are not provided with means of mobility, they communicate employing a broadcast-based wireless data-link protocol (e.g., IEEE 802.15.4) to collaboratively transport, and possibly aggregate, the collected information to a monitoring computer. Sensor networks are applied in a wide variety of areas, such as traffic monitoring and video surveillance ([CEE+01, MPS+02, SPMC04]), disaster recovery ([WLLP01, SL05]), home monitoring ([Kev05a]), and manufacturing and industrial automation ([Mic04, Goo04, Kev05b, Sys04, SNL05]). More generally, CWS is suitable for modelling wireless networks in all those contexts in which the network topology, in terms of connectivity, may be assumed to be static.

As we discuss in Chapter 10, we believe the syntax and semantics can be augmented withmovement. Other future work regards the encoding of time and the development of techniquesfor the verification of system properties.

This part of the thesis has the following structure. Chapter 8 describes the wireless communication model; moreover, it presents CWS and the semantics that we developed, and concludes with the theorem that proves the correspondence between the two semantics. Chapter 9 extends the basic language: in order of relevance, the language has been extended with a handled-input prefix, introduced to model timeouts and interrupts, the restriction operator, and the selection and recursion operators. This chapter presents the extensions added to the semantics for modelling the language extensions and concludes by presenting the theorem that proves the correspondence between the extended semantics. Finally, Chapter 10 discusses the contribution and concludes this work.


2 Related Work

As regards wireless systems, probabilistic simulation is currently the main validation technique employed for verification: given a system, pseudo-random number generators are employed to select a finite subset of the possible execution traces, and statistical analysis techniques are then applied to obtain probabilistic information on that system.

In the research area of process calculi, there exist few contributions, all related to broadcast calculi, which can be the basis for reasoning on and verifying protocols for wireless networks.

The Calculus of Broadcasting Systems (CBS [Pra95, Pra96, OPT02]) and its extensions are the first calculi that model Ethernet-like communication. It differs from our approach in two major respects. First, it models broadcast-based wired networks (e.g., Ethernet) that, because of their hardware properties, resolve the problem of interference in hardware; hence, all processes receive a broadcast message, without any possibility for a receiver of losing a message. Second, CBS has an asynchronous semantics with atomic transmissions and, as we motivated in Sec. 1, this semantics is not suitable for modelling wireless communication systems.

Recently, CBS# ([NH04, NH05]) has been proposed as a process calculus for modelling mobile wireless networks. It inherits broadcast as the base communication paradigm, with the difference that sent messages are not received globally, but only by the adjacent neighbours of the sending node. The major difference with our work is that in CBS# the authors abstract from interference; this means that any sent message is received by all the receivers in the transmission cell of the sending node. Moreover, in CBS# each single event represents a whole transmission. This may be a reasonable abstraction for reasoning on high-level properties and applications. We chose to model a wireless system at a lower level, namely that of the data-link layer, which is the lowest level at which wireless systems can be programmed. At this level interference is an essential aspect. Indeed, the presence of collisions that cannot be resolved by hardware is one of the most original features of wireless networking and may influence the execution of network protocols. Another difference between our work and CBS# is that the latter, in order to determine the recipients of each single transmission, employs a graph representation of node localities; while this approach is more expressive, ours (based on the use of locations and radii that define transmission cells and the distances among nodes) enables a more compact representation of connectivity and simpler semantic rules.

Finally, another calculus, namely the calculus for Mobile Broadcasting Systems (MBS [Pra05]), is being developed. MBS aims at providing a communication model that implements the "globally asynchronous, locally synchronous" communication model which is proper to wireless communication systems. The base idea of this calculus is to employ channels as sealed rooms, preventing a message sent within a room from being captured by processes in other rooms. In each of these rooms, transmissions are modelled as asynchronous atomic actions. Similarly to CBS#, this calculus does not model the fact that a process might be simultaneously deployed in different rooms and thus both listen to the communications being carried out in all those rooms and experience interference when several transmissions are simultaneously carried out in those rooms.

Chapter 8

The Basic Language

1 Mobile Computing and Wireless Communications

A wireless node is a mobile or portable communicating device that embodies four basic components: a processing unit, a storage unit, a transceiver unit, and a power unit. The processing unit, which works in association with the storage unit, runs the programs executed by the device, which make use of the communication facilities to exchange messages with other devices. To this purpose, the transceiver unit connects the node to the network; usually, this unit is a single-antenna radio that can alternately transmit in broadcast and receive. The last, but not least, component is the power unit. Usually, this does not provide a wireless device with a large amount of power, thus limiting both the lifetime and the transmission radius of the device. To give an idea, there is an inverse cubic relation between the time that can be spent transmitting and the employed transmission radius; precisely, lifetime increases linearly with the available power and decreases cubically as the transmission radius increases. In addition, a wireless node may be provided with additional input/output components, such as sensors, for input purposes, or actuators, for output ones.

When speaking of communications in wireless systems, we employ the following terms:

Transmitter: we use this term to indicate a node which is either waiting to initiate a transmis-sion, or currently transmitting (in this case we say it to be an active transmitter);

Receiver: we use this term to indicate a node which is either waiting to receive, or is currently receiving, a value (in this case we say it to be an active receiver).

Radio technology enforces a communication paradigm that is unique among the existing networking technologies. In fact, each single transmission is not seen by every node in the system, but only by those that are located within the transmitter's cell and that are not currently transmitting. In this work, we assume the cell associated with a device to be the area containing all the locations that fall within a certain distance, namely the cell radius, from that device; the cell radius may be individually decided by each device according to its own properties (e.g., the available battery power). We call this communication paradigm bounded broadcast.

At any time each device is synchronized on a single communication channel (e.g., a frequency, a sequence of time slices, or a modulation code). Therefore, when a device transmits it can communicate or interfere only with the devices that are synchronized on the same channel. Moreover, at any time a single-antenna device can either transmit over, or listen to, the channel. If a wireless node is ready to transmit, it can initiate the transmission only if the channel is idle (i.e., there are no ongoing transmissions reaching that node). By contrast, a node which is currently transmitting is assumed to perform the transmission completely, unless a failure occurs (we do not model failures in our calculus).

When a node which is waiting for an incoming transmission detects a new transmission in clear (i.e., not disturbed by any ongoing transmission), it begins receiving. For the reception to succeed, the receiver must not suffer interference from other concurrent transmissions (i.e., multiple transmissions simultaneously reaching the receiver); otherwise, as soon as the interference is detected, the reception fails.

Figure 1. Example of a possible communication between node T and node R.

Figure 2. Example of coordination between transmitters.

1.1 Examples

Example 1 Figure 1 represents a possible wireless system in which two nodes appear: a node T, which is supposed to transmit a value, and a node R, which is located within T's transmission cell and is ready to receive. The space-time diagram in the same figure represents the system behaviour that can be observed from the moment T initiates the transmission. In the figure, the arrows represent the transmission events (the begin-transmissions and the end-transmissions). When R identifies the beginning of the transmission, it begins acquiring the transmitted value, and the reception terminates when R detects the end of the transmission.

Example 2 Figure 2 represents a scenario with two transmitters that are both supposed to transmit a value; the transmitters are deployed so that each of them falls within the cell of the other. When such a situation occurs, the two transmitters coordinate with each other so as not to interfere. If, while T1 is transmitting, the transmitter T2 becomes ready to transmit a value, it detects that the channel is busy and waits for the transmission from T1 to complete.

Example 3 In this example we again have two transmitters but, in contrast with Example 2, the transmitters now have different cells (Fig. 3): the cell of T2 is almost entirely contained within that of T1. In this figure, the cross represents two transmissions colliding. Thus T1 cannot detect whether the other node is transmitting or not. The case in which T1 transmits first is similar to the situation described in Example 2. The situation is different if T2 initiates a transmission and, before this is complete, T1 becomes ready to initiate another transmission. The space-time diagram in the figure shows what happens: T2 initiates a transmission that is not detected by T1 which, as soon as it is ready to transmit, begins its own transmission, unaware that it is interfering with T2. Of course, T2 does not perceive the interference either.

[Figure 3 (space-time diagram of transmitters T1 and T2 with different transmission radii; states shown: idle, busy, transmission, signal superposition). Caption: Example of coordination between transmitters with different transmission radius.]

[Figure 4 (space-time diagram of transmitters T1, T2 and a receiver R placed in the intersection of their cells; states shown: idle, busy, transmission). Caption: Example of collision on a receiver.]

Example 4 The node configuration that we describe in this example is named the Hidden Nodes Configuration; here, two transmissions fail to be received because they collide (i.e., they interfere with each other) and neither of the transmitters detects the collision. This node configuration is represented in Fig. 4. We have two transmitters, respectively T1 and T2, which are synchronized on the same channel as the receiver R. The receiver is placed in the intersection of the transmitter cells, but the transmitters are not; this implies that T1 does not see transmissions from T2, and vice versa. Let us assume that R is receiving a byte-stream from T1 when T2, which is unaware of the ongoing communication, decides to initiate a transmission. This new transmission interferes with the one from T1, and R detects interference on the channel.

Therefore, because of hidden nodes, it is possible for a transmission to be correctly receivedby only a subset of the nodes which are within the transmission cell, with the other receiversidentifying collisions.

Figure 5 illustrates all the cases in which any two transmissions having intersecting cells may overlap. In cases (a) and (c) the event succession interleaves the events of the two transmissions: each pair of events which regard the same transmission is separated by an event of the other transmission; hence, it appears that remembering only the last event that occurred would be enough to detect interference. However, by examining the event succession in cases (b) and (d) it is clear that remembering the last event is not enough: the inner events in the sequence represent the begin and the end of the same transmission and, thus, that transmission would be considered successful. A semantics for such communication systems has to capture these collision cases correctly.

[Figure 5 (four space-time diagrams, panels (a)-(d), of transmitters T1 and T2 and the intersection Int of their cells; states shown: idle, busy, transmission, collision). Caption: Possible ways in which transmissions in intersecting cells may collide.]

Example 5 This example does not introduce any new aspect of wireless systems; it only describes a scenario in which a transmission is successfully received by a partial set of the possible receivers. The example in Fig. 6 shows the behaviour of this one-to-many communication paradigm in the presence of possible collisions; specifically, it shows the possibility that only a subset of the possible receivers actually capture a transmission. In this example, node T1 and node T2, in this order, begin transmitting; the two transmissions partially interfere with each other. Two receiving nodes are present in the system: node R1 falls within the area in which the transmissions interfere with each other, whereas R2 is exposed to the transmission of node T1 only. In this case, even though both R1 and R2 fall in the cell of T1, only the second receiver captures the value transmitted by T1, while the first detects interference; the value transmitted by node T2 remains unknown.
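The argument made about Figure 5, and the partial reception of Example 5, can be checked mechanically. The following Python is an added illustration, not code from the thesis: it models a transmission only by its begin and end events, as the calculus does, and compares the rejected "remember only the last event" heuristic with a receiver that follows the informal rules of this section (the rules that Section 4 later makes precise as RS-READYbegin, RS-READYnoise, RS-READINGbegin, RS-READINGend and RS-READYend). The four event sequences are my reconstruction of panels (a)-(d); the transmitter names, the values and the ready_at parameter are assumptions.

```python
INTERFERENCE = "\u22a5"   # the special value ⊥ bound to x when a reception fails

# Constructed reading of Figure 5: two transmissions T1 and T2 both reaching one
# receiver; (a)/(c) interleave their events, (b)/(d) nest one inside the other.
FIG5 = {
    "a": [("begin", "T1", "v1"), ("begin", "T2", "v2"), ("end", "T1", "v1"), ("end", "T2", "v2")],
    "b": [("begin", "T1", "v1"), ("begin", "T2", "v2"), ("end", "T2", "v2"), ("end", "T1", "v1")],
    "c": [("begin", "T2", "v2"), ("begin", "T1", "v1"), ("end", "T2", "v2"), ("end", "T1", "v1")],
    "d": [("begin", "T2", "v2"), ("begin", "T1", "v1"), ("end", "T1", "v1"), ("end", "T2", "v2")],
}


def last_event_only(events):
    """The heuristic the text rejects: remember only the previous event and take an
    end-transmission as a clean reception iff it directly follows the begin of the
    same transmission. Returns the values it would accept."""
    accepted, last = [], None
    for kind, tx, value in events:
        if kind == "end" and last == ("begin", tx):
            accepted.append(value)
        last = (kind, tx)
    return accepted


def cws_receiver(events, ready_at=0):
    """State machine of one in(x).P process fed with the events that reach its node.
    The input prefix becomes ready at event index `ready_at`; earlier events only
    record which transmissions are already under way. A begin heard while idle on an
    idle channel starts the reception; a begin heard while receiving is a collision
    and binds ⊥; the end of the transmission being received binds its value; a begin
    heard while idle on a busy channel, or any end heard while idle, changes nothing.
    Returns the value bound to x, or None if no reception ever started."""
    ongoing = set()                 # transmitters currently reaching this node
    state, source, bound = "idle", None, None
    for i, (kind, tx, value) in enumerate(events):
        if kind == "begin":
            if state == "receiving":
                state, bound = "done", INTERFERENCE          # collision during reception
            elif i >= ready_at and state == "idle" and not ongoing:
                state, source = "receiving", tx              # reception starts in clear
            ongoing.add(tx)
        else:
            ongoing.discard(tx)
            if state == "receiving" and tx == source:
                state, bound = "done", value                 # reception completes in clear
    return bound


def compare_fig5():
    """Per panel: (values accepted by the last-event heuristic, value bound by the CWS receiver)."""
    return {p: (last_event_only(ev), cws_receiver(ev)) for p, ev in FIG5.items()}
```

In panels (b) and (d) the heuristic accepts the inner transmission, whereas the CWS receiver binds ⊥ in all four panels, because the second begin always arrives while the reception of the first transmission is in progress. Calling cws_receiver with ready_at set so that the receiver becomes ready while a transmission is already under way exercises the busy-channel case: the receiver never starts receiving and ends with no binding at all.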

2 The Language

In this section we present the basic Calculus of Wireless Systems (CWS). In order to focus on communication and coordination scenarios, this language only includes input/output operations.

[Figure 6 (space-time diagram of transmitters T1, T2 and receivers R1, R2, with R1 in the intersection of the two cells and R2 in the cell of T1 only; states shown: idle, busy, transmission). Caption: A more complex example.]

$C \overset{\mathit{def}}{=} a \ldots d$   channels
$E \overset{\mathit{def}}{=} e \ldots g$   expressions
$U \overset{\mathit{def}}{=} m \ldots o$   node identifiers
$V \overset{\mathit{def}}{=} x \ldots z$   variables
$I \overset{\mathit{def}}{=} h \ldots k$   ground values
$L \overset{\mathit{def}}{=} U \cup V \cup I = u \ldots v$   values
$\bot$   interference

$P \overset{\mathit{def}}{=} \mathsf{out}\langle e\rangle.P$   output
$\quad\mid\; \langle v\rangle.P$   active output
$\quad\mid\; \mathsf{in}(x).P$   input
$\quad\mid\; (x).P$   active input
$\quad\mid\; 0$   inactive process

$N \overset{\mathit{def}}{=} n[P]^c_{l,r}$   wireless node
$\quad\mid\; N \mid N$   parallel composition
$\quad\mid\; 0$   empty network

Table 1. Language for the description of wireless networks

The language is composed of a process language and a network language, which respectivelydescribe the state transition of a wireless node, and the wireless communication model.

The basic element of this language is the node; a node represents a single device within thesystem. Inside a node there is a sequential process, which models the communication activitiesof that node. Each node specifies its location and its transmission radius, which are employed todefine the cell over which that node can transmit and the distance from that node to other nodes.In CWS, the nodes of a system are neither created nor destroyed. A network evolves when thenodes emit and detect new transmission events.

For the sake of clarity, it is worth pointing out the difference between node identifiers and locations. A node identifier represents a logical location, which can be employed for instance as the device's network address. By contrast, a location represents a physical location and is employed for deriving information about the connectivity between different devices. Moreover, we believe locations to be bad node identifiers in that, once movement is introduced, a location will not always identify the same device, if any.

Identifiers Table 1 defines the language; its syntax is defined as follows: the set $C$ defines the channel names (e.g., $a \ldots d$). The set $E$ defines the expressions; an expression can be a single value or an arithmetical (or boolean) expression defined on values. The set $U$ defines the node identifiers (e.g., $m \ldots o$), the set $V$ defines the set of variables (e.g., $x \ldots z$), and the set $I$ defines the ground values (e.g., integers, booleans, characters) of the language (e.g., $h \ldots k$). Moreover, the set $L$ of values (e.g., $u \ldots v$) represents the information which can be transmitted; it includes basic values, node identifiers, and variables. We omit operations such as the evaluation of arithmetical and boolean expressions; hence we assume the existence of an evaluation function, represented by the notation $[\![\cdot]\!]$, that takes an expression and returns its corresponding value; for instance, $[\![e]\!] = v$ indicates that the evaluation of expression $e$ returns the value $v$. Channels are not values and, thus, cannot be transmitted. Finally, $\bot$ is a special value which cannot be transmitted, but is assigned to a variable when a collision is detected.

The process language includes the operations below:


output: An output process $\mathsf{out}\langle e\rangle.P$ represents a process that is willing to initiate the transmission of value $[\![e]\!]$; as a result, the process will evolve into process $\langle v\rangle.P$, where $[\![e]\!] = v$;

active output: An active output process $\langle v\rangle.P$ represents a process that is willing to terminate the transmission of value $v$; as a result, the process will evolve into process $P$;

input: An input process $\mathsf{in}(x).P$ represents a process that is willing to receive the first value that is detected in clear; as a result, the process will evolve into process $(x).P$;

active input: An active input process $(x).P$ represents a process that is currently receiving a value to store into variable $x$. This reception succeeds if no collision is detected until the end of the transmission; in this case, the received value is bound to $x$ and the process evolves into $\{v/x\}P$. Otherwise, the value $\bot$, which indicates a failed reception, is bound to $x$ and the process evolves into $\{\bot/x\}P$;

inactive process: this prefix represents a terminated process.

The network language is defined by the following constructs:

node: the notation $n[P]^c_{l,r}$ represents a node named $n$ which is executing process $P$, synchronized on channel $c$, and which can transmit over a cell centred in the spatial point $l$ (i.e., its location) with radius $r$;

parallel composition: two networks execute in parallel;

empty network: a network without any node.

Locations Each node has the location in which it is deployed and the respective transmissionradius. We do not indicate how locations should be specified; for instance, the locations could bespecified by means of a coordinate system. The only assumption we make is the existence of afunction d which takes any two locations and returns the distance between them.

Well-Formed Networks Since we employ node identifiers as network addresses, it is legitimate to assume that in any network each node identifier is unique. We also assume that two different nodes cannot share the same location. We call such networks well-formed; in the remainder of this thesis we only consider well-formed networks.

Bound Names and Free Names Nodes execute in parallel and communicate via channels; each node defines its local variables. In each node of the form $n[\mathsf{in}(x).P]^c_{l,r}$ or $n[(x).P]^c_{l,r}$ the displayed occurrence of $x$ is binding with scope $P$. A name is free if it is not bound. We write $\mathit{fn}(N)$ for the set of names that have a free occurrence in $N$. As for substitution and $\alpha$-convertibility, we employ the standard definitions of calculi with bindings (e.g., CCS with value passing, the $\pi$-calculus).

3 Semantics

The semantics for the calculus of the previous section have been defined according to the aspects below:

• A typical wireless device is provided with a single antenna. Such a device can access the communication channel in half-duplex mode (i.e., at any given time, it can either transmit or receive). Moreover, for power-saving purposes, when a device is not performing any transmission, it keeps the antenna in reception mode. Hence, in the remainder of this work we call transmitter a node whose process begins with an output or with an active output prefix; in the latter case, we say that the node is an active transmitter because it is presently performing a transmission (in practice, this is the only case in which a wireless device employs its antenna in transmit mode). A node which is not transmitting may either be receiving (i.e., waiting for a transmission to begin or to finish) or be performing some internal action;

• As we discussed and motivated in Sec. 1, in order to identify whether (and where) twotransmissions interfere with each other, our semantics do not trace complete transmissionsbut trace boundary events; each event represents a modification of the antenna communi-cation mode (i.e., transmit or receive). We hence have two events: the begin-transmissionevent indicates the switching of an antenna from reception to transmission mode, and theend-transmission event indicates the opposite switching.

• In a wireless system, transmissions are performed in a bit-per-bit fashion. If a transmis-sion aborts, the partial bit-stream is discarded. Abstractly, this corresponds to keeping thechannel allocated for the transmission time and revealing the value just before concludingthe transmission. We hence assume that a transmitted value becomes visible only once it iscompletely transmitted; that is, we make it visible to the recipients with the occurrence ofthe end-transmission event.

We present two semantics for CWS. Firstly, we present a Reduction Semantics (RS). In RS, the structural operational semantics style is combined with an auxiliary relation of structural congruence that allows manipulation of the term structure so as to bring potentially interacting components into contiguous positions. In the literature, reduction semantics has only been employed for reasoning on processes with handshaking communications (essentially the $\pi$-calculus, and other higher-order systems in which mobile processes communicate via a point-to-point communication paradigm and possibly move). In particular, it is employed to reason about how a system evolves on its own. In this work, the systems we deal with are quite different, for handshaking is replaced by "local" broadcast. However, the motivations for using the RS are the same: we wish to prove the correctness of an LTS, and we also feel that the RS is easier to grasp than the LTS (though the rules are sometimes not as simple as the rules of the RSs used previously).

Secondly, we present a labelled transition semantics (LTS); an LTS explains how a system evolves, both as a result of activities internal to the system, and as a result of interactions between the system and its environment. An LTS strictly obeys the principles of structured operational semantics, and thus the derivation of a transition is driven by the structure of a term.

An LTS enables one to inherit the large body of widely accepted techniques and tools that have been developed. For instance, LTSs are widely used for modelling and analysing programming languages and distributed protocols. Moreover, LTSs ease the definition of behavioural equivalence relations (e.g., bisimulations, trace equivalences); such relations can then be employed in the verification of system properties (e.g., security, deadlock freeness).

4 Reduction Semantics

RS has been developed for handshake communication systems. There, a reduction is an interaction between an emitter and a receiver. The reduction has no label because it is invisible: no other component, either inside or outside the system, can see it. In our case, an internal activity is a broadcast, i.e., a transmission. A transmission is a visible action: even if some nodes inside the system receive it, in principle it could also be received by nodes outside the system. Thus, in our RS a reduction represents a transmission and is labelled with the information needed to identify that transmission. (Hence, for us, the RS is also a labelled semantics; we nevertheless stick to the standard LTS/RS terminology to distinguish the two forms of semantics.)

Another major difference, not only with respect to the standard RS but in general with respect to previous semantics of process languages, is that for us a label does not describe a complete event (a communication, a transmission), but only its boundary (the begin and the end of a transmission). This accounts for the two kinds of reductions in our system, which correspond to transmission actions. We write $N \longmapsto_l N'$ to indicate that a transmission begins in network $N$ at location $l$ and the network thus evolves into $N'$, and $N \overset{v}{\longmapsto}_l N'$ to indicate that in network $N$ the transmission of value $v$ from location $l$ terminates and that the network thus evolves into $N'$.

The rules for transmission actions require quite a complex machinery. This is due to those communication aspects that are specific to wireless communications and were discussed in Chapter 1; in particular,

C1: a node cannot freely initiate a transmission, but can only do so if it is not presently reachedby a transmission over the same channel from another node;

C2: a transmission cannot reach arbitrary components, but may affect all and only the nodes inthe transmission cell of the transmitter;

C3: a transmission that is received by a node is not always readable, but it is so only if no othertransmission reaches that node at that time.

In order to have simple and intuitive reduction rules, a single reduction step has been dividedinto three sub-steps.

Sub-Step 1 (Event Selection): the transmitter node (i.e., the node that causes the reduction) is selected. In this step the transmitter is tagged and condition C1 is checked, if necessary;

Sub-Step 2 (Event Firing): the set of receivers that fall within the transmission cell of the node previously selected is isolated (checking condition C2); then the transmission event is performed and, in doing so, the receivers in the cell are tagged;

Sub-Step 3 (Receiver Normalization): for each receiver tagged in the previous sub-step, condition C3 is checked so as to determine its correct evolution.
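To see the three sub-steps act on a whole network rather than on a single receiver, the following Python is an added illustration (not the thesis's own code). It represents a node $n[P]^c_{l,r}$ as a record with a channel, a location, a radius and a process given as a list of prefixes, and implements one begin-transmission and one end-transmission reduction with the checks C1, C2 and C3 applied in the order of the sub-steps. Locations are 2-D points with a Euclidean distance, an assumption the thesis leaves open; the coordinates, node names and values in the example functions are constructed so as to reproduce the node configurations of Examples 2, 3 and 4 of Section 1, with the partial reception of Example 5 folded into the last one.

```python
from dataclasses import dataclass, field
from math import hypot

BOTTOM = "\u22a5"   # ⊥, bound to x on a failed reception


@dataclass
class WNode:
    """n[P]^c_{l,r}; proc lists the prefixes of P, e.g. [("out", "v1")] or [("in", "x")]."""
    name: str
    chan: str
    loc: tuple
    radius: float
    proc: list
    active: bool = False                       # True while the head prefix is <v>.P or (x).P
    env: dict = field(default_factory=dict)    # bindings made by completed inputs

    def head(self):
        return self.proc[0] if self.proc else None


def d(a, b):
    # distance function over locations; Euclidean here, the thesis leaves it abstract
    return hypot(a[0] - b[0], a[1] - b[1])


def reached(net, chan, loc, exclude=None):
    """N ->^c l: an active transmitter on chan, other than `exclude`, covers loc."""
    return any(d(n.loc, loc) <= n.radius for n in net
               if n is not exclude and n.chan == chan and n.active and n.head()[0] == "out")


def bag(net, tx):
    """Sub-step 2, condition C2: the receivers on tx's channel that lie inside tx's cell."""
    return [n for n in net if n is not tx and n.chan == tx.chan and n.head() is not None
            and n.head()[0] == "in" and d(tx.loc, n.loc) <= tx.radius]


def finish_input(rx, value):
    """(x).P -> {value/x}P: consume the input prefix and record the binding."""
    _, var = rx.proc.pop(0)
    rx.active = False
    rx.env[var] = value


def begin_transmission(net, tx):
    """One begin-transmission reduction; returns False when condition C1 forbids it."""
    if tx.head() is None or tx.head()[0] != "out" or tx.active:
        return False
    if reached(net, tx.chan, tx.loc):          # sub-step 1 (C1): channel busy at tx
        return False
    receivers = bag(net, tx)                   # sub-step 2 (C2)
    tx.active = True                           # RS-OUTbegin: out<v>.P -> <v>.P
    for rx in receivers:                       # sub-step 3 (C3), one tagged receiver at a time
        if rx.active:
            finish_input(rx, BOTTOM)           # RS-READINGbegin: a begin during a reception
        elif not reached(net, rx.chan, rx.loc, exclude=tx):
            rx.active = True                   # RS-READYbegin: the begin was heard in clear
        # else RS-READYnoise: the channel was already busy at rx, nothing changes
    return True


def end_transmission(net, tx):
    """One end-transmission reduction; C1 is not re-checked, a started transmission completes."""
    if tx.head() is None or tx.head()[0] != "out" or not tx.active:
        return False
    receivers = bag(net, tx)
    _, value = tx.proc.pop(0)                  # RS-OUTend: <v>.P -> P, the value becomes visible
    tx.active = False
    for rx in receivers:
        if rx.active:                          # RS-READINGend: any later begin would already
            finish_input(rx, value)            # have bound ⊥, so this reception is in clear
        # else RS-READYend: a receiver waiting for a begin is unaffected
    return True


def mk(name, loc, radius, proc):
    return WNode(name, "c", loc, radius, proc)   # all constructed nodes share channel c


def example2():
    """Transmitters inside each other's cell: C1 forces them to interleave (Fig. 2)."""
    t1, t2 = mk("n1", (0, 0), 10, [("out", "v1")]), mk("n2", (5, 0), 10, [("out", "v2")])
    net = [t1, t2]
    return [begin_transmission(net, t1), begin_transmission(net, t2),   # second begin refused
            end_transmission(net, t1), begin_transmission(net, t2), end_transmission(net, t2)]


def example3():
    """T2 lies in T1's cell but not vice versa: T1 cannot hear T2 and starts anyway (Fig. 3)."""
    t1, t2 = mk("n1", (0, 0), 10, [("out", "v1")]), mk("n2", (8, 0), 5, [("out", "v2")])
    net = [t1, t2]
    return [begin_transmission(net, t2), begin_transmission(net, t1)]


def hidden_nodes():
    """Figs. 4 and 6: R1 sits in both cells and gets ⊥; R2, reached by T1 only, gets v1."""
    t1, t2 = mk("n1", (0, 0), 10, [("out", "v1")]), mk("n2", (16, 0), 10, [("out", "v2")])
    r1, r2 = mk("m1", (8, 0), 1, [("in", "x")]), mk("m2", (-5, 0), 1, [("in", "x")])
    net = [t1, t2, r1, r2]
    begin_transmission(net, t1)
    begin_transmission(net, t2)   # allowed: T1 does not reach T2's location, so C1 holds
    end_transmission(net, t1)
    end_transmission(net, t2)
    return {"R1": r1.env["x"], "R2": r2.env["x"]}
```

example2 returns [True, False, True, True, True]: the second begin is refused by C1 while T1 is active. example3 returns [True, True]: T1 lies outside T2's cell, so C1 does not stop it and the two transmissions overlap. hidden_nodes binds ⊥ at the receiver in the intersection and v1 at the receiver reached by T1 only, which is the outcome described for Figures 4 and 6.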

In these sub-steps we employ the calculus of Tab. 2, which extends the basic syntax of CWS (Tab. 1). This calculus introduces tags, which are special markers. Specifically, we introduce three tags. Firstly, the bag, represented by the notation $\lfloor \tilde R \rfloor$, which is used for identifying the transmission cell of a transmitter. This tag is introduced in the Event Selection sub-step. In the Event Firing sub-step, the bag is employed to isolate the receivers that may be affected by the event. Secondly, the notation $\langle\!| R |\!\rangle$ represents a receiver which has detected the beginning of a new transmission. This notation is introduced when the begin-transmission event is fired. In the Receiver Normalization sub-step, this tag is removed when the receiver evolution is determined. Finally, the notation $\langle\!| R |\!\rangle^v$ represents a receiver which has detected the end of the transmission of value $v$; it is employed similarly to the tag $\langle\!| R |\!\rangle$.

Formally, a reduction for transmission actions occurs if one of the following holds:

(BEGIN TRANSMISSION) If $N \longmapsto_l N'$ then there exist $c, l, r, E, E', l'$ s.t. $N \;>^c_l\; E \;\longrightarrow^c_{l,r}\; E' \;\rhd^{*}\; (\rhd^c_{l'})^{*}\; \twoheadrightarrow\; N'$

(END TRANSMISSION) If $N \overset{v}{\longmapsto}_l N'$ then there exist $c, l, r, E, E', l'$ s.t. $N \;>\; E \;\longrightarrow^c_{l,r}\; E' \;\rhd^{*}\; (\rhd^c_{l'})^{*}\; \twoheadrightarrow\; N'$

where

• $>^c_l$ and $>$ formalize Event Selection: the first relation is employed to select the transmission to initiate, while the second relation is employed to select the transmission to terminate;

• $\longrightarrow^c_{l,r}$ formalizes Event Firing. In this step, structural congruence is employed to bring together all the receivers that fall within the transmission cell of the transmitter previously selected.


$R \overset{\mathit{def}}{=} n[\mathsf{in}(x).P]^c_{l,r}$   inactive receiver
$\quad\mid\; n[(x).P]^c_{l,r}$   active receiver

$\tilde R \overset{\mathit{def}}{=} R$   receiver
$\quad\mid\; \tilde R \mid \tilde R$   parallel of receivers
$\quad\mid\; 0$   empty network

$T_{\mathit{begin}} \overset{\mathit{def}}{=} \langle\!| R |\!\rangle$   begin-transmission tagged receiver
$\quad\mid\; T_{\mathit{begin}} \mid T_{\mathit{begin}}$   begin-transmission tagged receivers
$\quad\mid\; 0$   empty network

$T_{\mathit{end}} \overset{\mathit{def}}{=} \langle\!| R |\!\rangle^v$   end-transmission tagged receiver
$\quad\mid\; T_{\mathit{end}} \mid T_{\mathit{end}}$   end-transmission tagged receivers
$\quad\mid\; 0$   empty network

$E \overset{\mathit{def}}{=} n[\mathsf{out}\langle e\rangle.P]^c_{l,r}\lfloor \tilde R \rfloor \mid N$   initial begin-transmission tagged network
$\quad\mid\; n[\langle v\rangle.P]^c_{l,r}\lfloor 0 \rfloor \mid T_{\mathit{begin}} \mid N$   final begin-transmission tagged network
$\quad\mid\; n[\langle v\rangle.P]^c_{l,r}\lfloor \tilde R \rfloor \mid N$   initial end-transmission tagged network
$\quad\mid\; n[P]^c_{l,r}\lfloor 0 \rfloor \mid T_{\mathit{end}} \mid N$   final end-transmission tagged network

Table 2. Language for the description of tagged networks

• $\rhd$, $\rhd^c_l$, and $\twoheadrightarrow$ formalize Receiver Normalization. The relation $\rhd$ is employed to determine the evolution of a tagged receiver in the case in which interferences need not be checked (e.g., an end-transmission event detected by a receiver that is waiting for a begin-transmission). The relation $\rhd^c_l$ is employed to determine the evolution of a tagged receiver in the case in which condition C3 on interferences is to be checked (e.g., a begin-transmission event detected by a receiver that is waiting for an event of this kind). Finally, the relation $\twoheadrightarrow$ is employed to close the bag of the transmitter and to enable further reductions.

Now, we describe the rules that formalize the relations above; for this we need some termi-nology.

• We say that network $N$ reaches location $l$ via channel $c$, and we write $N \to^c l$, if location $l$ falls within at least one transmission cell of an active, untagged (see below) transmitter in $N$. Formally, we write $N \to^c l$ if network $N$ contains at least an active transmitter, having the form $n[\langle v\rangle.P]^c_{l',r}$, for which it holds that $d(l,l') \le r$. Otherwise, we say that network $N$ does not reach location $l$ via channel $c$, and we write $N \not\to^c l$.

• We say that network $N$ is reachable via channel $c$ from location $l$ with radius $r$, and we write $N \leftarrow^c (l,r)$, if at least one node in network $N$ is ready to receive on $c$, or is currently receiving on $c$, and is deployed within the cell centred at location $l$ and having radius $r$. Formally, $N \leftarrow^c (l,r)$ holds if $N$ contains at least a receiver, having either the form $n[\mathsf{in}(x).P]^c_{l',r'}$ or the form $n[(x).P]^c_{l',r'}$, for which it holds that $d(l,l') \le r$. Otherwise, we say that network $N$ is not reachable via channel $c$ from location $l$ with radius $r$, and we write $N \not\leftarrow^c (l,r)$.

As in standard reduction semantics, we employ structural congruence to rewrite the termsof the system so as to bring the reagent terms (i.e., the ones that take part in a reduction step)in contiguous positions. In this basic language we only need the rules for parallel composition.Formally:


[RS-COMMbegin]   $\dfrac{[\![e]\!] = v}{n[\mathsf{out}\langle e\rangle.P]^c_{l,r} \;>^c_l\; n[\mathsf{out}\langle v\rangle.P]^c_{l,r}\lfloor 0 \rfloor}$

[RS-COMPbegin]   $\dfrac{N_1 \;>^c_l\; E \qquad N_2 \not\to^c l}{N_1 \mid N_2 \;>^c_l\; E \mid N_2}$

[RS-SC$>^c_l$]   $\dfrac{N \equiv N' \;>^c_l\; E'' \equiv_E E'''}{N \;>^c_l\; E'''}$

Table 3. Rules for $>^c_l$.

[RS-COMMend]   $n[\langle v\rangle.P]^c_{l,r} \;>\; n[\langle v\rangle.P]^c_{l,r}\lfloor 0 \rfloor$

[RS-COMPend]   $\dfrac{N_1 \;>\; E}{N_1 \mid N_2 \;>\; E \mid N_2}$

[RS-SC$>$]   $\dfrac{N \equiv N' \;>\; E'' \equiv_E E'''}{N \;>\; E'''}$

Table 4. Rules for $>$.

[SC-PARCOMP]   $N_1 \mid N_2 \equiv N_2 \mid N_1$

[SC-PARASSOC]   $N_1 \mid (N_2 \mid N_3) \equiv (N_1 \mid N_2) \mid N_3$

[SC-PARNULL]   $N \mid 0 \equiv N$

Table 5. Structural Congruence.


[SCE-EQUIVALENCE]   $\dfrac{E \equiv E'}{E \equiv_E E'}$

[SCE-BAGREADY]   $n[P]^c_{l,r}\lfloor \tilde R \rfloor \mid m[\mathsf{in}(x).Q]^c_{l',r'} \;\equiv_E\; n[P]^c_{l,r}\lfloor \tilde R \mid m[\mathsf{in}(x).Q]^c_{l',r'} \rfloor$, if $d(l,l') \le r$

[SCE-BAGREADING]   $n[P]^c_{l,r}\lfloor \tilde R \rfloor \mid m[(x).Q]^c_{l',r'} \;\equiv_E\; n[P]^c_{l,r}\lfloor \tilde R \mid m[(x).Q]^c_{l',r'} \rfloor$, if $d(l,l') \le r$

Table 6. Structural Congruence for tagged networks.

[RS-OUTbegin]   $n[\mathsf{out}\langle v\rangle.P]^c_{l,r}\lfloor \tilde R \rfloor \;\longrightarrow^c_{l,r}\; n[\langle v\rangle.P]^c_{l,r}\lfloor 0 \rfloor \mid \langle\!| \tilde R |\!\rangle$

[RS-OUTend]   $n[\langle v\rangle.P]^c_{l,r}\lfloor \tilde R \rfloor \;\longrightarrow^c_{l,r}\; n[P]^c_{l,r}\lfloor 0 \rfloor \mid \langle\!| \tilde R |\!\rangle^v$

[RS-COMPevent]   $\dfrac{E_1 \;\longrightarrow^c_{l,r}\; E_1' \qquad E_2 \not\leftarrow^c (l,r)}{E_1 \mid E_2 \;\longrightarrow^c_{l,r}\; E_1' \mid E_2}$

[RS-SC$\longrightarrow^c_{l,r}$]   $\dfrac{E \equiv_E E' \;\longrightarrow^c_{l,r}\; E'' \equiv_E E'''}{E \;\longrightarrow^c_{l,r}\; E'''}$

Table 7. Rules for $\longrightarrow^c_{l,r}$.

Definition 1 Structural congruence (SC) is the smallest congruence closed under the axioms of Table 5.

Table 3 presents the rules for $>^c_l$ (i.e., selection of a transmission with control over interferences). The key rule is RS-COMMbegin. Here, $n$ is the node selected to begin the transmission. The empty bag $\lfloor 0 \rfloor$ marks the selected node. This bag is a tag which represents the transmission cell of this node. The bag is created empty; it will be filled later, in the Event Firing sub-step. In the other rules of the table the choice of the selected node is propagated through the system. Condition C1 has to be checked; this is done in rule RS-COMPbegin.

The rules for $>$ (i.e., selection of a transmission without interference control), presented in Table 4, are similar. The only difference is that condition C1 need not be checked when the choice of the selected node is propagated through the system: a transmission that has been initiated is carried on until its end.

In order to place all the appropriate receivers in the bag of the transmitter selected in the Event Selection sub-step, we extend structural congruence to tagged networks: see Tab. 6; here, the rules SCE-BAGREADY and SCE-BAGREADING are employed to group the legitimate receivers inside the bag.

Definition 2 Structural congruence for tagged networks (SCE) is the smallest congruence closed underthe axioms of Table 6.

The rules for Event Firing are shown in Table 7. They include rules for transmission actions and the rule RS-SCevent, where SCE is taken into account. The key rules are RS-OUTbegin and RS-OUTend, for begin- and end-transmission events, respectively. In both cases, the transmission does not have an effect on the receivers in the bag, which are simply tagged (for an end-transmission, the tag includes the value that has been communicated in the transmission). The notation $\langle\!| \tilde R |\!\rangle$ indicates the tagging: if $\tilde R$ is $R_1 \mid \ldots \mid R_n$, then $\langle\!| \tilde R |\!\rangle$ abbreviates $\langle\!| R_1 |\!\rangle \mid \ldots \mid \langle\!| R_n |\!\rangle$ (in the case of $\langle\!| \tilde R |\!\rangle^v$, the notation is similar). In the case of a begin-transmission, an output process initiates the transmission and the respective node becomes an active transmitter; the value of the transmission is however revealed only in the following end-transmission event. It is worth noting rule RS-COMPevent, for parallel composition, which checks that the rest of the system does not contain receivers which should have been placed in the transmitter bag. This check guarantees that the bags employed in rules RS-OUTbegin and RS-OUTend are indeed complete.

[RS-READYbegin]   $\langle\!| n[\mathsf{in}(x).P]^c_{l,r} |\!\rangle \;\rhd^c_l\; n[(x).P]^c_{l,r}$

[RS-READINGend]   $\langle\!| n[(x).P]^c_{l,r} |\!\rangle^v \;\rhd^c_l\; n[\{v/x\}P]^c_{l,r}$

[RS-COMPlabnorm]   $\dfrac{E_1 \;\rhd^c_l\; E_1' \qquad E_2 \not\to^c l}{E_1 \mid E_2 \;\rhd^c_l\; E_1' \mid E_2}$

[RS-SC$\rhd^c_l$]   $\dfrac{E \equiv_E E' \;\rhd^c_l\; E'' \equiv_E E'''}{E \;\rhd^c_l\; E'''}$

Table 8. Rules for $\rhd^c_l$.

[RS-READYnoise]   $m[\langle v_m\rangle.P_m]^c_{l_m,r_m} \mid \langle\!| n[\mathsf{in}(x).P]^c_{l,r} |\!\rangle \;\rhd\; m[\langle v_m\rangle.P_m]^c_{l_m,r_m} \mid n[\mathsf{in}(x).P]^c_{l,r}$, if $d(l,l_m) \le r_m$

[RS-READINGbegin]   $\langle\!| n[(x).P]^c_{l,r} |\!\rangle \;\rhd\; n[\{\bot/x\}P]^c_{l,r}$

[RS-READYend]   $\langle\!| n[\mathsf{in}(x).P]^c_{l,r} |\!\rangle^v \;\rhd\; n[\mathsf{in}(x).P]^c_{l,r}$

[RS-COMPnorm]   $\dfrac{E_1 \;\rhd\; E_1'}{E_1 \mid E_2 \;\rhd\; E_1' \mid E_2}$

[RS-SCnorm]   $\dfrac{E \equiv_E E' \;\rhd\; E'' \equiv_E E'''}{E \;\rhd\; E'''}$

Table 9. Reduction rules for normalization with possible interferences.

In the Receiver Normalization sub-step, each tagged receiver is resolved by checking condition C3 above to determine whether the event of the tag was received in clear or as an interference. Reception in clear is indicated by relation $\rhd^c_l$ (see Table 8): in this case, either an input process becomes an active receiver (rule RS-READYbegin), or an active receiver successfully terminates its reception and obtains the value transmitted (rule RS-READINGend). The absence of interferences is checked in condition $E_2 \not\to^c l$ of rule RS-COMPlabnorm: the location where the tag has been resolved must not be reached by an untagged active transmitter (that is, a transmitter different from the one that produced the tag). Relation $\rhd$ handles the cases in which the receiver evolution does not depend on whether it is reached by a clear signal or by interfering transmissions (see Table 9). There are several cases. First, if the tagged receiver is not an active receiver and is presently reached by a transmission, then the detection of a begin-transmission does not change its current state (rule RS-READYnoise). In this case the tagged receiver and the relevant transmitter are brought into contiguous positions by means of structural congruence. Secondly, if an active receiver detects the beginning of a new transmission, then it binds the interference value (i.e., $\bot$) to the variable employed for the communication (rule RS-READINGbegin). Finally, a receiver which detects an end-transmission while expecting a begin-transmission remains in the same state independently of other concurrent transmissions (rule RS-READYend).

[RS-TRANSM]   $n[P]^c_{l,r}\lfloor 0 \rfloor \;\twoheadrightarrow\; n[P]^c_{l,r}$

[RS-COMP$\twoheadrightarrow$]   $\dfrac{E_1 \;\twoheadrightarrow\; N_1}{E_1 \mid N_2 \;\twoheadrightarrow\; N_1 \mid N_2}$

[RS-SC$\twoheadrightarrow$]   $\dfrac{E \equiv_E E' \;\twoheadrightarrow\; N \equiv N'}{E \;\twoheadrightarrow\; N'}$

Table 10. Rules for $\twoheadrightarrow$.

Finally, the last tag in the network (i.e., the one on the transmitter that was performing theaction) is removed by relation º (see Table 10); and the network is now ready for another actionto be performed.

4.1 Examples

Below we show how the examples provided in Section 1 are modelled employing our reduction semantics.

Example 1 This example shows a regular communication when a transmitter $T = n[\mathsf{out}\langle v\rangle.0]^c_{l,\rho}$ is executing in parallel with a receiver $R = m[\mathsf{in}(x).P]^c_{l',\rho'}$ which is placed within the transmitter cell (i.e., $d(l,l') \le \rho$).

$N \overset{\mathit{def}}{=} n[\mathsf{out}\langle v\rangle.0]^c_{l,\rho} \mid m[\mathsf{in}(x).0]^c_{l',\rho'}$
$\quad >^c_l\; n[\mathsf{out}\langle v\rangle.0]^c_{l,\rho}\lfloor m[\mathsf{in}(x).0]^c_{l',\rho'} \rfloor$
$\quad \longrightarrow^c_{l,\rho}\; n[\langle v\rangle.0]^c_{l,\rho}\lfloor 0 \rfloor \mid \langle\!| m[\mathsf{in}(x).0]^c_{l',\rho'} |\!\rangle$
$\quad \rhd^c_{l'}\; n[\langle v\rangle.0]^c_{l,\rho}\lfloor 0 \rfloor \mid m[(x).0]^c_{l',\rho'}$
$\quad \twoheadrightarrow\; n[\langle v\rangle.0]^c_{l,\rho} \mid m[(x).0]^c_{l',\rho'}$
$\quad >\; n[\langle v\rangle.0]^c_{l,\rho}\lfloor m[(x).0]^c_{l',\rho'} \rfloor$
$\quad \longrightarrow^c_{l,\rho}\; n[0]^c_{l,\rho}\lfloor 0 \rfloor \mid \langle\!| m[(x).0]^c_{l',\rho'} |\!\rangle^v$
$\quad \rhd^c_{l'}\; n[0]^c_{l,\rho}\lfloor 0 \rfloor \mid m[\{v/x\}0]^c_{l',\rho'}$
$\quad \twoheadrightarrow\; n[0]^c_{l,\rho} \mid m[\{v/x\}0]^c_{l',\rho'}$

At the beginning of the execution, the only possible transition for the network is on behalf of the transmitter $T$, which initiates a transmission; since there are no active transmitters in the network which interfere with $T$, its transmission bag is created and the receiver $R$ is put within the bag by structural congruence (rules RS-SC$>^c_l$ and SCE-BAGREADY). Then, the transmission is performed (employing rule RS-OUTbegin) and $R$ is tagged with the begin-transmission tag. Finally, the receiver is normalized by rule RS-READYbegin and then the transmission bag closes. The end-transmission happens in a similar manner and $R$ obtains the value transmitted by $T$.

Example 2 This example shows the behaviour of two transmitters ($T_1 = n_1[\mathsf{out}\langle v_1\rangle.0]^c_{l,\rho}$ and $T_2 = n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}$) when they execute in parallel and each one falls within the other's transmission cell; the inequality $d(l,l') \le \rho$ holds. This example shows that the nodes can coordinate with each other and interleave their own transmissions.

$N \overset{\mathit{def}}{=} n_1[\mathsf{out}\langle v_1\rangle.0]^c_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}$
$\quad >^c_l\; n_1[\mathsf{out}\langle v_1\rangle.0]^c_{l,\rho}\lfloor 0 \rfloor \mid n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}$
$\quad \longrightarrow^c_{l,\rho}\; n_1[\langle v_1\rangle.0]^c_{l,\rho}\lfloor 0 \rfloor \mid n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}$
$\quad \twoheadrightarrow\; n_1[\langle v_1\rangle.0]^c_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}$
$\quad >\; n_1[\langle v_1\rangle.0]^c_{l,\rho}\lfloor 0 \rfloor \mid n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}$
$\quad \longrightarrow^c_{l,\rho}\; n_1[0]^c_{l,\rho}\lfloor 0 \rfloor \mid n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}$
$\quad \twoheadrightarrow\; n_1[0]^c_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}$
$\quad >^c_{l'}\; n_2[\mathsf{out}\langle v_2\rangle.0]^c_{l',\rho}\lfloor 0 \rfloor \mid n_1[0]^c_{l,\rho}$
$\quad \longrightarrow^c_{l',\rho}\; n_2[\langle v_2\rangle.0]^c_{l',\rho}\lfloor 0 \rfloor \mid n_1[0]^c_{l,\rho}$
$\quad \twoheadrightarrow\; n_2[\langle v_2\rangle.0]^c_{l',\rho} \mid n_1[0]^c_{l,\rho}$
$\quad >\; n_2[\langle v_2\rangle.0]^c_{l',\rho}\lfloor 0 \rfloor \mid n_1[0]^c_{l,\rho}$
$\quad \longrightarrow^c_{l',\rho}\; n_2[0]^c_{l',\rho}\lfloor 0 \rfloor \mid n_1[0]^c_{l,\rho}$
$\quad \twoheadrightarrow\; n_2[0]^c_{l',\rho} \mid n_1[0]^c_{l,\rho}$

At the beginning of the execution, each transmitter can perform a begin-transmission action; let us assume that $T_1$ precedes $T_2$ and fires this event (the case of $T_2$ is similar). In this case, rule RS-COMPbegin prevents $T_2$ from initiating its transmission. Only when $T_1$ has finished can $T_2$ proceed with its transmission and make the network reach its final state.

Example 3. This example shows the behaviour of two transmitters ($T_1 = n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}$ and $T_2 = n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho'}$) when they execute in parallel and only the second falls within the transmission cell of the first (i.e., $d(l,l') \le \rho$ and $d(l,l') > \rho'$).

$$\begin{array}{rl}
N \triangleq & n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho'} \\
>^{c}_{l'} & n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho'}\{0\} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrow^{c}_{l',\rho'} & n_2[\langle v_2\rangle.0]^{c}_{l',\rho'}\{0\} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrowtail & n_2[\langle v_2\rangle.0]^{c}_{l',\rho'} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \\
>^{c}_{l} & n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho'} \\
\rightarrow^{c}_{l,\rho} & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho'} \\
\rightarrowtail & n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho'} \\
> & n_2[\langle v_2\rangle.0]^{c}_{l',\rho'}\{0\} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrow^{c}_{l',\rho'} & n_2[0]^{c}_{l',\rho'}\{0\} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrowtail & n_2[0]^{c}_{l',\rho'} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
> & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid n_2[0]^{c}_{l',\rho'} \\
\rightarrow^{c}_{l,\rho} & n_1[0]^{c}_{l,\rho}\{0\} \mid n_2[0]^{c}_{l',\rho'} \\
\rightarrowtail & n_1[0]^{c}_{l,\rho} \mid n_2[0]^{c}_{l',\rho'}
\end{array}$$

At the beginning of the execution, each transmitter can initiate a transmission; we assume that $T_2$ initiates before $T_1$. This transmission is not detected by $T_1$ (rule RS-COMPbegin), which initiates its own transmission; thus the transmissions do not interleave. Had $T_1$ transmitted before $T_2$, the transmissions would have interleaved, since $T_2$ lies within the cell of $T_1$.

Example 4. This example shows the behaviour of a receiver ($R = m[\mathsf{in}(x).P]^{c}_{l'',\rho'}$) and two transmitters ($T_1 = n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}$ and $T_2 = n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho}$) when the transmissions interfere with each other at the receiver site; the inequalities $d(l,l') > \rho$, $d(l,l'') \le \rho$ and $d(l',l'') \le \rho$ hold.

$$\begin{array}{rl}
N \triangleq & n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho} \mid m[\mathsf{in}(x).P]^{c}_{l'',\rho'} \\
>^{c}_{l'} & n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho}\{\, m[\mathsf{in}(x).P]^{c}_{l'',\rho'} \,\} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrow^{c}_{l',\rho} & n_2[\langle v_2\rangle.0]^{c}_{l',\rho}\{0\} \mid \langle\!|\, m[\mathsf{in}(x).P]^{c}_{l'',\rho'} \,|\!\rangle \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \\
\leadsto^{c}_{l''} & n_2[\langle v_2\rangle.0]^{c}_{l',\rho}\{0\} \mid m[(x).P]^{c}_{l'',\rho'} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrowtail & n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \mid m[(x).P]^{c}_{l'',\rho'} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \\
>^{c}_{l} & n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}\{\, m[(x).P]^{c}_{l'',\rho'} \,\} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
\rightarrow^{c}_{l,\rho} & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid \langle\!|\, m[(x).P]^{c}_{l'',\rho'} \,|\!\rangle \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
\leadsto & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
\rightarrowtail & n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
> & n_2[\langle v_2\rangle.0]^{c}_{l',\rho}\{0\} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrow^{c}_{l',\rho} & n_2[0]^{c}_{l',\rho}\{0\} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrowtail & n_2[0]^{c}_{l',\rho} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
> & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[0]^{c}_{l',\rho} \\
\rightarrow^{c}_{l,\rho} & n_1[0]^{c}_{l,\rho}\{0\} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[0]^{c}_{l',\rho} \\
\rightarrowtail & n_1[0]^{c}_{l,\rho} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[0]^{c}_{l',\rho}
\end{array}$$

At the beginning, both transmitters can emit a begin-transmission event. We assume that $T_2$ initiates its transmission; consequently, receiver $R$ detects the transmission and begins receiving. Then transmitter $T_1$, which cannot detect the transmission of $T_2$, initiates its own transmission (RS-COMPbegin), provoking an interference at $R$; this interference is detected by $R$ (RS-READINGbegin), which stores $\bot$ and proceeds with its execution.

Example 5. This example is a composition of Examples 1 and 4; it shows the behaviour of two receivers ($R_1 = m_1[\mathsf{in}(x).P]^{c}_{l'',\rho'}$ and $R_2 = m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''}$) and two transmitters ($T_1 = n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}$ and $T_2 = n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho}$) when the transmissions interfere with each other and the following inequalities hold: $d(l,l') > \rho$, $d(l,l'') \le \rho$, $d(l,l''') \le \rho$, $d(l',l'') \le \rho$ and $d(l',l''') > \rho$. The example shows what happens if a collision occurs at $R_1$ but not at $R_2$. It does not introduce any new aspect of the RS; it only describes a scenario in which a transmission is successfully received by only a subset of the possible receivers.


$$\begin{array}{rl}
N \triangleq & n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho} \mid m_1[\mathsf{in}(x).P]^{c}_{l'',\rho'} \mid m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} \\
>^{c}_{l'} & n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho}\{\, m_1[\mathsf{in}(x).P]^{c}_{l'',\rho'} \,\} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} \\
\rightarrow^{c}_{l',\rho} & n_2[\langle v_2\rangle.0]^{c}_{l',\rho}\{0\} \mid \langle\!|\, m_1[\mathsf{in}(x).P]^{c}_{l'',\rho'} \,|\!\rangle \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} \\
\leadsto^{c}_{l''} & n_2[\langle v_2\rangle.0]^{c}_{l',\rho}\{0\} \mid m_1[(x).P]^{c}_{l'',\rho'} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} \\
\rightarrowtail & n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \mid m_1[(x).P]^{c}_{l'',\rho'} \mid n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} \\
>^{c}_{l} & n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}\{\, m_1[(x).P]^{c}_{l'',\rho'} \mid m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} \,\} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
\rightarrow^{c}_{l,\rho} & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid \langle\!|\, m_1[(x).P]^{c}_{l'',\rho'} \,|\!\rangle \mid \langle\!|\, m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} \,|\!\rangle \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
\leadsto & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid \langle\!|\, m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} \,|\!\rangle \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
\leadsto^{c}_{l'''} & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{0\} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid m_2[(y).P]^{c}_{l''',\rho''} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
\rightarrowtail & n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid m_2[(y).P]^{c}_{l''',\rho''} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \\
> & n_2[\langle v_2\rangle.0]^{c}_{l',\rho}\{0\} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid m_2[(y).P]^{c}_{l''',\rho''} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrow^{c}_{l',\rho} & n_2[0]^{c}_{l',\rho}\{0\} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid m_2[(y).P]^{c}_{l''',\rho''} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
\rightarrowtail & n_2[0]^{c}_{l',\rho} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid m_2[(y).P]^{c}_{l''',\rho''} \mid n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \\
> & n_1[\langle v_1\rangle.0]^{c}_{l,\rho}\{\, m_2[(y).P]^{c}_{l''',\rho''} \,\} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[0]^{c}_{l',\rho} \\
\rightarrow^{c}_{l,\rho} & n_1[0]^{c}_{l,\rho}\{0\} \mid \langle\!|\, m_2[(y).P]^{c}_{l''',\rho''} \,|\!\rangle_{v_1} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[0]^{c}_{l',\rho} \\
\leadsto^{c}_{l'''} & n_1[0]^{c}_{l,\rho}\{0\} \mid m_2[\{v_1/y\}P]^{c}_{l''',\rho''} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[0]^{c}_{l',\rho} \\
\rightarrowtail & n_1[0]^{c}_{l,\rho} \mid m_2[\{v_1/y\}P]^{c}_{l''',\rho''} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid n_2[0]^{c}_{l',\rho}
\end{array}$$

5 Labelled Transition Semantics

Reflecting the structure of the language syntax, the Labelled Transition Semantics (LTS) has two sets of rules: the network LTS, which describes the propagation of events in the network, and the process LTS, which describes how the processes in the nodes evolve.

Each event that is produced propagates over the whole network, but only the nodes located within the transmission cell of the sender may be affected by it.

In the network semantics, a transition has the form
$$T \triangleright N \xrightarrow{\mu} N'$$
and reads: given the set $T$ of active transmitters, network $N$, at the occurrence of event $\mu$, becomes network $N'$. In this transition, $T$ collects the transmissions that are active in the network at the moment in which the event is produced; each active transmission in $T$ is represented by a triple $(l, r, c)$, where $l$ is the transmitter location, $r$ is the radius of the transmission cell and $c$ is the channel employed.

There are four possible types of transitions (i.e., four possible types of events $\mu$):

$\xrightarrow{c![l,r]}$: the transmitter at location $l$ becomes active and initiates a transmission over channel $c$ with radius $r$;

$\xrightarrow{c!v[l,r]}$: the transmission of value $v$ over channel $c$, originated at location $l$ with radius $r$, terminates;

$\xrightarrow{c?[l,r]}$: the beginning of a transmission over channel $c$, originated at location $l$ with radius $r$, can be detected;

$\xrightarrow{c?v[l,r]}$: the end of a transmission of value $v$ over channel $c$, originated at location $l$ with radius $r$, can be detected.

$$\frac{P \xrightarrow{!} P' \qquad T|_{l,c} = \emptyset}{T \triangleright n[P]^{c}_{l,r} \xrightarrow{c![l,r]} n[P']^{c}_{l,r}}\ \text{[NS-OUTbegin]}
\qquad
\frac{P \xrightarrow{!v} P'}{T \triangleright n[P]^{c}_{l,r} \xrightarrow{c!v[l,r]} n[P']^{c}_{l,r}}\ \text{[NS-OUTend]}$$

$$\frac{P \xrightarrow{?\theta} P' \qquad d(l,l') \le r' \qquad T|_{l,c} \setminus \{(l',r',c)\} = \emptyset}{T \triangleright n[P]^{c}_{l,r} \xrightarrow{c?\theta[l',r']} n[P']^{c}_{l,r}}\ \text{[NS-IN1]}$$

$$\frac{d(l,l') > r' \ \vee\ c \ne c'}{T \triangleright n[P]^{c}_{l,r} \xrightarrow{c'?\theta[l',r']} n[P]^{c}_{l,r}}\ \text{[NS-IN2]}$$

$$\frac{P \xrightarrow{?\bot} P' \qquad d(l,l') \le r' \qquad T|_{l,c} \setminus \{(l',r',c)\} \ne \emptyset}{T \triangleright n[P]^{c}_{l,r} \xrightarrow{c?\theta[l',r']} n[P']^{c}_{l,r}}\ \text{[NS-IN3]}$$

$$\frac{T \triangleright N_1 \xrightarrow{c?\theta[l,r]} N_1' \qquad T \triangleright N_2 \xrightarrow{c!\theta[l,r]} N_2'}{T \triangleright N_1 \mid N_2 \xrightarrow{c!\theta[l,r]} N_1' \mid N_2'}\ \text{[NS-COMr]}
\qquad
\frac{T \triangleright N_1 \xrightarrow{c!\theta[l,r]} N_1' \qquad T \triangleright N_2 \xrightarrow{c?\theta[l,r]} N_2'}{T \triangleright N_1 \mid N_2 \xrightarrow{c!\theta[l,r]} N_1' \mid N_2'}\ \text{[NS-COMl]}$$

$$\frac{T \triangleright N_1 \xrightarrow{c?\theta[l,r]} N_1' \qquad T \triangleright N_2 \xrightarrow{c?\theta[l,r]} N_2'}{T \triangleright N_1 \mid N_2 \xrightarrow{c?\theta[l,r]} N_1' \mid N_2'}\ \text{[NS-COMin]}$$

Table 11. Labelled transition rules for networks. The label $\theta$ is empty for begin-transmission events and is the transmitted value $v$ for end-transmission events.

Given a set of active transmissions $T$, a location $l$ and a channel $c$, we define $T|_{l,c}$ to be the subset of $T$ containing the transmissions that reach a node located at $l$ and synchronized over channel $c$. Formally,
$$T|_{l,c} = \{(l', r', c') \in T \mid d(l', l) \le r' \wedge c' = c\}$$

It is worth noting that this semantics does not automatically update the set $T$ when a transmission begins or completes: when a new transition is performed, $T$ is computed by hand by looking at the network on the left-hand side of the transition.

Table 11 presents the LTS for networks. For now, we only explain intuitively how processes evolve upon the detection of new events; later on, when we present the LTS for processes, this intuition is made formal.

In the LTS for networks, the key rules concern events reaching a single node (NS-IN1, NS-IN2 and NS-IN3) and nodes emitting events (NS-OUTbegin and NS-OUTend).

NS-IN1: this rule shows a node which receives an event in clear. Specifically, a node which falls in the transmission cell of an event (i.e., $d(l,l') \le r'$), which is synchronized on the same channel $c$ as that event, and which is not exposed to other transmissions (i.e., $T|_{l,c} \setminus \{(l',r',c)\} = \emptyset$) evolves according to its process (i.e., $P \xrightarrow{?\theta} P'$);

NS-IN2: this rule shows that a node which is not reached by an event (i.e., $d(l,l') > r'$, or the node is synchronized on a different channel) does not evolve;

NS-IN3: this rule shows a node that detects colliding transmissions. Specifically, a node which falls in the transmission cell of an event (i.e., $d(l,l') \le r'$), which is synchronized on the same channel $c$ as that event, and which is exposed to other transmissions (i.e., $T|_{l,c} \setminus \{(l',r',c)\} \ne \emptyset$) detects an interference, and its process evolves accordingly (i.e., $P \xrightarrow{?\bot} P'$);

NS-OUTbegin: this rule says that a transmission is initiated by a node when that node is not reached by any active transmission (i.e., $T|_{l,c} = \emptyset$) and the process executing within that node is ready to perform a transmission (i.e., $P \xrightarrow{!} P'$);

NS-OUTend: this rule shows the termination of a transmission ($P \xrightarrow{!v} P'$ indicates the termination of the transmission at the process level); in this case no condition on the presently active transmissions is checked.

The propagation of events through the network is described by rules NS-COMr, NS-COMl and NS-COMin.

NS-COMr (and NS-COMl): an event generated in a network is propagated to another network that executes in parallel, and the two networks in parallel evolve generating the same event (NS-COMl is symmetrical to NS-COMr);

NS-COMin: the parallel composition of two networks that detect the occurrence of the same event is a network in which the occurrence of that event is detected.

$$\frac{[\![e]\!] = v}{\mathsf{out}\langle e\rangle.P \xrightarrow{!} \langle v\rangle.P}\ \text{[PS-OUTbegin]}
\qquad
\langle v\rangle.P \xrightarrow{!v} P\ \text{[PS-OUTend]}$$

$$\mathsf{in}(x).P \xrightarrow{?} (x).P\ \text{[PS-INbegin]}
\qquad
\mathsf{in}(x).P \xrightarrow{?v} \mathsf{in}(x).P\ \text{[PS-WAITbegin]}$$

$$(x).P \xrightarrow{?v} \{v/x\}P\ \text{[PS-INend]}
\qquad
\frac{\alpha \in \{\,?,\ ?v\,\} \qquad P \notin \{\,\mathsf{in}(x).P_1,\ (x).P_1\,\}}{P \xrightarrow{\alpha} P}\ \text{[PS-NOIN]}$$

Table 12. Labelled transition rules for processes.

Table 12 presents the labelled transition rules for processes. We comment on the rules for the output (PS-OUTbegin and PS-OUTend) and the input (PS-INbegin, PS-WAITbegin and PS-INend) of events.

PS-OUTbegin: the process evaluates expression $e$ and initiates the transmission of the obtained value;

PS-OUTend: the process terminates the transmission of value $v$;

PS-INbegin: the process captures a begin-transmission event;

PS-WAITbegin: the process, which is waiting for a begin-transmission event, is not affected by an end-transmission event;

PS-INend: the process receives value $v$. If $v \ne \bot$ the transmission was correctly performed, otherwise an interference was detected. Value $v$ is stored and the process continues with its execution;

PS-NOIN: processes that are not input prefixes (in particular, output prefixes) are not affected by the occurrence of events.


5.1 Examples

Below we use the LTS to describe the examples of Sec. 4.

Example 1. This example shows a regular communication between a transmitter $T = n[\mathsf{out}\langle v\rangle.0]^{c}_{l,\rho}$ and a receiver $R = m[\mathsf{in}(x).P]^{c}_{l',\rho'}$ which is placed within the transmitter's cell (i.e., $d(l,l') \le \rho$).

$$N \triangleq n[\mathsf{out}\langle v\rangle.0]^{c}_{l,\rho} \mid m[\mathsf{in}(x).P]^{c}_{l',\rho'}$$
$$\emptyset \triangleright N \xrightarrow{c![l,\rho]} n[\langle v\rangle.0]^{c}_{l,\rho} \mid m[(x).P]^{c}_{l',\rho'} = N_1$$
$$\{(l,\rho,c)\} \triangleright N_1 \xrightarrow{c!v[l,\rho]} n[0]^{c}_{l,\rho} \mid m[\{v/x\}P]^{c}_{l',\rho'}$$

At the beginning of the execution, the only possible transition for the network is on behalf of the transmitter $T$ initiating a transmission; since no active transmission reaches $T$ (i.e., $\emptyset|_{l,c} = \emptyset$), the transmission can initiate (NS-OUTbegin). Simultaneously, the receiver $R$, which was not previously reached by any transmission (i.e., $\emptyset|_{l',c} = \emptyset$), sees the transmission event and begins receiving that transmission (rules NS-COMl and NS-IN1). In addition, as the transmitter initiates the transmission and the event $c![l,\rho]$ is triggered, the triple $(l,\rho,c)$ is added to the set of active transmissions. Then, as the transmitter completes the transmission of value $v$, the end-transmission event is triggered (NS-OUTend) and $R$ terminates the reception (NS-COMl and NS-IN1).

Example 2. This example shows the behaviour of two transmitters ($T_1 = n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}$ and $T_2 = n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho}$) when they execute in parallel and each one falls within the other's transmission cell, i.e., $d(l,l') \le \rho$ holds. The example shows how the nodes interleave their transmissions.

$$N \triangleq n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho}$$
$$\emptyset \triangleright N \xrightarrow{c![l,\rho]} n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho} = N_1$$
$$\{(l,\rho,c)\} \triangleright N_1 \xrightarrow{c!v_1[l,\rho]} n_1[0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho} = N_2$$
$$\emptyset \triangleright N_2 \xrightarrow{c![l',\rho]} n_1[0]^{c}_{l,\rho} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} = N_3$$
$$\{(l',\rho,c)\} \triangleright N_3 \xrightarrow{c!v_2[l',\rho]} n_1[0]^{c}_{l,\rho} \mid n_2[0]^{c}_{l',\rho}$$

At the beginning of the execution, each transmitter can initiate a transmission; we assume that $T_1$ precedes $T_2$ and emits the begin-transmission event (NS-OUTbegin). The ongoing transmission is then detected by $T_2$ (i.e., $\{(l,\rho,c)\}|_{l',c} = \{(l,\rho,c)\}$), which is prevented from initiating a new transmission; $T_2$ can proceed with its transmission only after $T_1$ has terminated its own. The case of $T_2$ transmitting before $T_1$ is symmetric.

Example 3. This example shows the behaviour of two transmitters ($T_1 = n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}$ and $T_2 = n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho'}$) when they execute in parallel and only the second falls within the transmission cell of the first (i.e., $d(l,l') \le \rho$ and $d(l,l') > \rho'$). The example shows that the interleaving of transmissions is not guaranteed when one of the two transmitting nodes cannot reach the other.

$$N \triangleq n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho'}$$
$$\emptyset \triangleright N \xrightarrow{c![l',\rho']} n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho'} = N_1$$
$$\{(l',\rho',c)\} \triangleright N_1 \xrightarrow{c![l,\rho]} n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho'} = N_2$$
$$\{(l',\rho',c),\,(l,\rho,c)\} \triangleright N_2 \xrightarrow{c!v_2[l',\rho']} n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[0]^{c}_{l',\rho'} = N_3$$
$$\{(l,\rho,c)\} \triangleright N_3 \xrightarrow{c!v_1[l,\rho]} n_1[0]^{c}_{l,\rho} \mid n_2[0]^{c}_{l',\rho'}$$

At the beginning of the execution, each transmitter can initiate a transmission; we assume that $T_2$ initiates its own transmission before $T_1$. This transmission is not detected by $T_1$ (i.e., $\{(l',\rho',c)\}|_{l,c} = \emptyset$), which initiates its own transmission. In this case the transmissions do not interleave. Had $T_1$ transmitted before $T_2$, the transmissions would have interleaved, since $\{(l,\rho,c)\}|_{l',c} \ne \emptyset$.

Example 4. This example shows the behaviour of a receiver ($R = m[\mathsf{in}(x).P]^{c}_{l'',\rho'}$) and two transmitters ($T_1 = n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}$ and $T_2 = n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho}$) when the transmissions interfere with each other at the receiver site (i.e., the relations $d(l,l') > \rho$, $d(l,l'') \le \rho$ and $d(l',l'') \le \rho$ hold). The example shows what happens if a collision occurs at $R$.

$$N \triangleq n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho} \mid m[\mathsf{in}(x).P]^{c}_{l'',\rho'}$$
$$\emptyset \triangleright N \xrightarrow{c![l',\rho]} n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \mid m[(x).P]^{c}_{l'',\rho'} = N_1$$
$$\{(l',\rho,c)\} \triangleright N_1 \xrightarrow{c![l,\rho]} n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} = N_2$$
$$\{(l',\rho,c),\,(l,\rho,c)\} \triangleright N_2 \xrightarrow{c!v_2[l',\rho]} n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[0]^{c}_{l',\rho} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'} = N_3$$
$$\{(l,\rho,c)\} \triangleright N_3 \xrightarrow{c!v_1[l,\rho]} n_1[0]^{c}_{l,\rho} \mid n_2[0]^{c}_{l',\rho} \mid m[\{\bot/x\}P]^{c}_{l'',\rho'}$$

At the beginning, both transmitters can emit a begin-transmission event. We assume that $T_2$ initiates its transmission; consequently, receiver $R$ detects the transmission and begins receiving. Then transmitter $T_1$, which cannot detect the transmission of $T_2$ (i.e., $\{(l',\rho,c)\}|_{l,c} = \emptyset$), initiates its own transmission, provoking an interference at $R$: when the event $c![l,\rho]$ reaches $l''$, the set $\{(l',\rho,c)\}|_{l'',c} = \{(l',\rho,c)\}$ of other transmissions reaching $R$ is not empty. This interference makes $R$ store $\bot$ and proceed with its execution (NS-IN3).

Example 5. This example is a composition of Examples 1 and 4; it shows the behaviour of two receivers ($R_1 = m_1[\mathsf{in}(x).P]^{c}_{l'',\rho'}$ and $R_2 = m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''}$) and two transmitters ($T_1 = n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho}$ and $T_2 = n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho}$) when the transmissions interfere with each other. Receiver $R_1$ falls in the transmission cells of both $T_1$ and $T_2$, and $R_2$ falls in the transmission cell of $T_1$ only. The example does not introduce any new aspect of the LTS; it only describes a scenario in which a transmission is successfully received by only a subset of the possible receivers.

$$N \triangleq n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\mathsf{out}\langle v_2\rangle.0]^{c}_{l',\rho} \mid m_1[\mathsf{in}(x).P]^{c}_{l'',\rho'} \mid m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''}$$
$$\emptyset \triangleright N \xrightarrow{c![l',\rho]} n_1[\mathsf{out}\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \mid m_1[(x).P]^{c}_{l'',\rho'} \mid m_2[\mathsf{in}(y).P]^{c}_{l''',\rho''} = N_1$$
$$\{(l',\rho,c)\} \triangleright N_1 \xrightarrow{c![l,\rho]} n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[\langle v_2\rangle.0]^{c}_{l',\rho} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid m_2[(y).P]^{c}_{l''',\rho''} = N_2$$
$$\{(l',\rho,c),\,(l,\rho,c)\} \triangleright N_2 \xrightarrow{c!v_2[l',\rho]} n_1[\langle v_1\rangle.0]^{c}_{l,\rho} \mid n_2[0]^{c}_{l',\rho} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid m_2[(y).P]^{c}_{l''',\rho''} = N_3$$
$$\{(l,\rho,c)\} \triangleright N_3 \xrightarrow{c!v_1[l,\rho]} n_1[0]^{c}_{l,\rho} \mid n_2[0]^{c}_{l',\rho} \mid m_1[\{\bot/x\}P]^{c}_{l'',\rho'} \mid m_2[\{v_1/y\}P]^{c}_{l''',\rho''}$$
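The rules of Tables 11 and 12 and the five scenarios above (which are the scenarios of Sec. 4 as well) can be executed directly. The following Python model is an added example and is not part of the thesis: it computes the active set $T$ from the network, implements $T|_{l,c}$, NS-OUTbegin, NS-OUTend and NS-IN1/NS-IN2/NS-IN3 together with the process rules of Table 12, offers every event to every node as NS-COMl, NS-COMr and NS-COMin do, and replays Examples 2, 3 and 5 (Example 5 subsumes Examples 1 and 4). The node coordinates, the radii and the use of Euclidean distance for $d$ are assumptions made for this example; the thesis only fixes the inequalities between distances and radii.

```python
from dataclasses import dataclass, replace
from math import dist
from typing import Optional

BOT = "⊥"  # value stored by a reader that detects a collision (rule NS-IN3)

@dataclass(frozen=True)
class Proc:
    """Process forms of Table 12: out<v>.P, <v>.P, in(x).P, (x).P and {v/x}P."""
    kind: str                    # "out" | "active" | "in" | "reading" | "done"
    value: Optional[str] = None  # payload of out/active; value bound by done
    var: Optional[str] = None    # variable of in/reading/done

@dataclass(frozen=True)
class Node:
    name: str
    loc: tuple        # location l on the plane (assumption: Euclidean distance)
    radius: float     # transmission radius r
    chan: str         # channel c
    proc: Proc

def active_set(net):
    """T: the triples (l, r, c) of the transmitters currently in state <v>.P."""
    return {(n.loc, n.radius, n.chan) for n in net if n.proc.kind == "active"}

def restrict(T, loc, chan):
    """T|_{l,c}: active transmissions on channel c whose cell covers location l."""
    return {t for t in T if t[2] == chan and dist(t[0], loc) <= t[1]}

def deliver(node, T, src, theta):
    """NS-IN1/2/3 for one node hearing c?theta[l',r'] (theta None = begin event)."""
    l2, r2, c2 = src
    if node.chan != c2 or dist(node.loc, l2) > r2:
        return node                                   # NS-IN2: not reached
    collision = bool(restrict(T, node.loc, node.chan) - {src})  # NS-IN3 premise
    p = node.proc
    if p.kind == "in" and theta is None and not collision:      # PS-INbegin
        return replace(node, proc=Proc("reading", var=p.var))
    if p.kind == "reading" and collision:                       # NS-IN3: P --?⊥--> P'
        return replace(node, proc=Proc("done", value=BOT, var=p.var))
    if p.kind == "reading" and theta is not None:               # PS-INend, clean
        return replace(node, proc=Proc("done", value=theta, var=p.var))
    return node                                       # PS-WAITbegin / PS-NOIN

def begin(net, name):
    """NS-OUTbegin: `name` may start only if T|_{l,c} is empty; returns (ok, net')."""
    T = active_set(net)
    tx = next(n for n in net if n.name == name)
    if tx.proc.kind != "out" or restrict(T, tx.loc, tx.chan):
        return False, net
    src = (tx.loc, tx.radius, tx.chan)
    # NS-COMl / NS-COMr / NS-COMin: the event is offered to every other node
    return True, [replace(n, proc=Proc("active", value=n.proc.value)) if n is tx
                  else deliver(n, T, src, None) for n in net]

def end(net, name):
    """NS-OUTend: finish the transmission; no condition on T is checked."""
    T = active_set(net)
    tx = next(n for n in net if n.name == name)
    if tx.proc.kind != "active":
        return False, net
    return True, [replace(n, proc=Proc("done")) if n is tx
                  else deliver(n, T, (tx.loc, tx.radius, tx.chan), tx.proc.value)
                  for n in net]

def run(net, schedule):
    """Fire ("begin"|"end", node) events in order; return (refused events, net')."""
    refused = []
    for action, name in schedule:
        ok, net = (begin if action == "begin" else end)(net, name)
        if not ok:
            refused.append((action, name))
    return refused, net

def received(net):
    """Values bound by the receivers: v after a clean reception, ⊥ after a collision."""
    return {n.name: n.proc.value for n in net if n.proc.kind == "done" and n.proc.var}

def tx(name, loc, radius, value):
    return Node(name, loc, radius, "c", Proc("out", value=value))

def rx(name, loc, radius, var):
    return Node(name, loc, radius, "c", Proc("in", var=var))

# Constructed scenarios (coordinates and radii are assumptions, not from the thesis).
def example_2():
    """Each transmitter in the other's cell: T2's begin is refused while T1 is active."""
    refused, _ = run([tx("n1", (0, 0), 10, "v1"), tx("n2", (6, 0), 10, "v2")],
                     [("begin", "n1"), ("begin", "n2"), ("end", "n1"),
                      ("begin", "n2"), ("end", "n2")])
    return refused

def example_3():
    """d = 8, rho = 10, rho' = 5: T1 does not hear T2, so the transmissions overlap."""
    refused, _ = run([tx("n1", (0, 0), 10, "v1"), tx("n2", (8, 0), 5, "v2")],
                     [("begin", "n2"), ("begin", "n1"), ("end", "n2"), ("end", "n1")])
    return refused

def example_5():
    """Examples 4 and 5: m1 lies in both cells (collision), m2 in T1's cell only."""
    _, net = run([tx("n1", (0, 0), 10, "v1"), tx("n2", (15, 0), 10, "v2"),
                  rx("m1", (7.5, 0), 10, "x"), rx("m2", (-5, 0), 10, "y")],
                 [("begin", "n2"), ("begin", "n1"), ("end", "n2"), ("end", "n1")])
    return received(net)
```

`example_2()` returns the single refused event `("begin", "n2")`, `example_3()` returns an empty list because $T_1$ never hears $T_2$, and `example_5()` returns `{"m1": "⊥", "m2": "v1"}`. The last result is the point of Examples 4 and 5: the collision is visible only at the receiver that lies in both cells, not at the transmitters, which is why neither semantics can prevent it by blocking a begin-transmission event.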


6 The Harmony Theorem

In this section we demonstrate the correspondence between the reduction semantics and the labelled semantics; this result enables one to employ either semantics interchangeably, according to the aspect under which one would like to study a system. The reduction semantics eases the task of understanding how a system behaves on its own and, in addition, expresses intuitively the correspondence between the semantics and the modelled system. By contrast, the LTS makes it easier to understand how a system interacts with its environment and how each single part of that system behaves, individually or as part of a larger system.

The differences between the LTS and the RS, and the non-standard structure of the RS, make this proof a non-trivial task. In our case, the reduction relation is defined by means of additional tagged terms and six auxiliary relations; in particular, reductions are implemented in three sub-steps by (i) a single application of a relation that selects the next event to trigger (either a transmission in clear or an unconstrained transmission), then (ii) the application of the relation that actually triggers the event, and (iii) a single application of a normalization relation for each node involved in the transmission or reception of the event (normalization in clear, unconstrained normalization and transmitter normalization). The non-standard structure of our semantics therefore adds to the importance of the correspondence result.

First, we present two lemmas (Lemmas 1 and 2) about the reduction semantics which describe how a network changes across the reduction sub-steps for each possible kind of reduction (the case in which a transmission begins and the case in which a transmission finishes).

For the lemmas we first introduce a notation that describes the receiver-normalization sub-step.

Definition 3 (Normalization). We write $\overline{\langle\!|R|\!\rangle}$ (resp. $\overline{\langle\!|R|\!\rangle_v}$) for the normalization of the tagged receivers $\langle\!|R|\!\rangle$ (resp. $\langle\!|R|\!\rangle_v$). The normalization is defined as follows.

1. If $\langle\!|R|\!\rangle = \langle\!|R_1|\!\rangle \mid \langle\!|R_2|\!\rangle$ then $\overline{\langle\!|R|\!\rangle} = \overline{\langle\!|R_1|\!\rangle} \mid \overline{\langle\!|R_2|\!\rangle}$;

2. If $\langle\!|R|\!\rangle_v = \langle\!|R_1|\!\rangle_v \mid \langle\!|R_2|\!\rangle_v$ then $\overline{\langle\!|R|\!\rangle_v} = \overline{\langle\!|R_1|\!\rangle_v} \mid \overline{\langle\!|R_2|\!\rangle_v}$;

3. If $\langle\!|R|\!\rangle = \langle\!|\, n[\mathsf{in}(x).P]^{c}_{l,r} \,|\!\rangle$ then $\overline{\langle\!|R|\!\rangle} = n[(x).P]^{c}_{l,r}$ if location $l$ is not reached by other transmissions on channel $c$, and $n[\mathsf{in}(x).P]^{c}_{l,r}$ otherwise;

4. If $\langle\!|R|\!\rangle_v = \langle\!|\, n[\mathsf{in}(x).P]^{c}_{l,r} \,|\!\rangle_v$ then $\overline{\langle\!|R|\!\rangle_v} = n[\mathsf{in}(x).P]^{c}_{l,r}$;

5. If $\langle\!|R|\!\rangle = \langle\!|\, n[(x).P]^{c}_{l,r} \,|\!\rangle$ then $\overline{\langle\!|R|\!\rangle} = n[\{\bot/x\}P]^{c}_{l,r}$;

6. If $\langle\!|R|\!\rangle_v = \langle\!|\, n[(x).P]^{c}_{l,r} \,|\!\rangle_v$ then $\overline{\langle\!|R|\!\rangle_v} = n[\{v/x\}P]^{c}_{l,r}$;

7. If $\langle\!|R|\!\rangle = \langle\!|0|\!\rangle$ then $\overline{\langle\!|R|\!\rangle} = 0$;

8. If $\langle\!|R|\!\rangle_v = \langle\!|0|\!\rangle_v$ then $\overline{\langle\!|R|\!\rangle_v} = 0$.

For the two lemmas below we employ the same proof technique: first, we prove that each network in which an event is being fired can be rewritten, by structural congruence, in a specific form; from this form it is then straightforward to see that all the equivalences hold. For the sake of completeness, we report the complete proofs of both lemmas.

Lemma 1. If $N >^{c}_{l} E \rightarrow^{c}_{l,r} E' \;(\leadsto^{c}_{l'})^{*} \leadsto^{*} \rightarrowtail\; N'$, then there exist $n$, $v$, $P$, $R$ and $N_1$ such that
$$\begin{array}{rl}
N &\equiv \Big(\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \mid R\big) \mid N_1\Big) \\[2pt]
E &\equiv_E \Big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1\Big) \\[2pt]
E' &\equiv_E \Big(\big(n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle\!|R|\!\rangle\big) \mid N_1\Big) \\[2pt]
N' &\equiv \Big(\big(n[\langle v\rangle.P]^{c}_{l,r} \mid \overline{\langle\!|R|\!\rangle}\big) \mid N_1\Big)
\end{array}$$
where

• $N_1 \not\rightarrow^{c} l$;

• $R$ is the possibly empty parallel composition of nodes of the form $m[\mathsf{in}(x).P]^{c}_{l',r'}$ or $m[(x).P]^{c}_{l',r'}$ for which $m[Q]^{c}_{l',r'} \leftarrow^{c} (l,r)$ holds.

Proof. First, we have to prove that for each wireless network $N$ in which a transmission is initiating the following holds:
$$N \equiv N_S \triangleq \Big(\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \mid R\big) \mid N_1\Big) \qquad (1)$$
The proof is by induction on the structure of $N$.

BASE CASE: the system $N = n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}$ is in normal form. Below we show that (1) is satisfied by taking $R = N_1 = 0$:
$$n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \;\equiv\; n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \mid 0 \;\equiv\; \big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \mid 0\big) \mid 0 \;=\; \Big(\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \mid 0\big) \mid 0\Big)$$
In this case the equivalence is proved.

INDUCTIVE CASE: $N$ can only be structured as $N_a \mid N_b$. Let us assume that equivalence (1) holds for $N_a$ (the case in which $N_b$ satisfies the inductive hypothesis is similar). Hence, for some $R_a$ and $N_{a_1}$ it holds that
$$N_a \equiv \Big(\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \mid R_a\big) \mid N_{a_1}\Big)$$
Moreover, by structural congruence it also holds that $N_b \equiv R_b \mid N_{b_1}$, where (i) $R_b$ is the parallel composition of the nodes of the form $m[\mathsf{in}(x).P_m]^{c}_{l_m,r_m}$ or $m[(x).P_m]^{c}_{l_m,r_m}$ for which $d(l,l_m) \le r$ holds, and (ii) $N_{b_1}$ is the parallel composition of the remaining nodes, for which $N_{b_1} \not\rightarrow^{c} l$ holds (otherwise node $n$ could not begin the transmission, and we would not be in the case of this lemma). Hence, by structural congruence (rules SC-PARASSOC and SC-PARCOMP) it is straightforward to verify that
$$\Big(\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \mid R_a\big) \mid N_{a_1}\Big) \mid \big(R_b \mid N_{b_1}\big) \;\equiv\; \Big(\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \mid (R_a \mid R_b)\big) \mid (N_{a_1} \mid N_{b_1})\Big)$$
where

• since both $R_a$ and $R_b$ are composed of receivers that are listening on channel $c$ and fall within the transmission cell of node $n$, $R_a \mid R_b$ is a possible assignment for $R$ which satisfies the conditions of the lemma;

• since neither $N_{a_1}$ nor $N_{b_1}$ contains any node $m[\langle v\rangle.Q]^{c}_{l_m,r_m}$ such that $d(l_m,l) \le r_m$, $N_{a_1} \mid N_{b_1}$ is a possible assignment for $N_1$ which satisfies the conditions of the lemma.

The inductive case is proved; hence equivalence (1) is satisfied.

Given that, the next step is to prove the following:
$$E \equiv_E E_S \triangleq \Big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1\Big) \qquad (2)$$
To address this step, we first obtain $E$ by applying the reduction rules RS-COMMbegin and RS-COMPbegin to $N_S$:
$$E = \Big(\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R\big) \mid N_1\Big) \qquad (3)$$
and then we have to prove equivalence (2). So far we know that $N_S >^{c}_{l} E$; in order to show that $E \equiv_E E_S$, we first prove (4) by induction on the number of nodes in $R$:
$$n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R \;\equiv_E\; n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} \qquad (4)$$

BASE CASE: if $R = 0$, we have to prove
$$n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{0\} \mid 0 \;\equiv_E\; n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{0\}$$
which is satisfied in that it is an instance of the structural congruence rule SC-PARNULL.

INDUCTIVE CASE: let us assume that (4) holds for a generic $R$ (inductive hypothesis). To show that it holds for $R \mid r[P_r]^{c}_{l',r'}$ with $d(l',l) \le r$, for any $P_r$ of the form $\mathsf{in}(x).P'_r$ or $(x).P'_r$, we employ the structural congruence rules SC-BAGREADY and SC-BAGREADING (according to the form of $P_r$):
$$\begin{array}{rll}
n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R &\equiv_E\; n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} & \text{(ind. hypothesis)} \\[2pt]
\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R\big) \mid r[P_r]^{c}_{l',r'} &\equiv_E\; n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} \mid r[P_r]^{c}_{l',r'} & \\[2pt]
n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} \mid r[P_r]^{c}_{l',r'} &\equiv_E\; n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R \mid r[P_r]^{c}_{l',r'}\} & \text{(SC-BAGREADY or SC-BAGREADING)}
\end{array}$$
Hence
$$\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R\big) \mid r[P_r]^{c}_{l',r'} \;\equiv_E\; n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R \mid r[P_r]^{c}_{l',r'}\}$$
which satisfies the inductive case.

Hence, whatever $R$ is, (4) holds; given this, (2) follows by composing both sides of (4) in parallel with $N_1$:
$$\Big(\big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R\big) \mid N_1\Big) \;\equiv_E\; \Big(n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1\Big)$$
Now, through a single application of the reduction rule RS-SC$>^{c}_{l}$, it is possible to show that $N >^{c}_{l} E_S$:
$$\frac{N \equiv N_S \qquad N_S >^{c}_{l} E \qquad E \equiv_E E_S}{N >^{c}_{l} E_S}$$

We then show that $E'$ is derivable from $E_S$ by applying the reduction rules RS-OUTbegin and RS-COMPevent:
$$\frac{n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} \;\rightarrow^{c}_{l,r}\; n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle\!|R|\!\rangle \qquad N_1 \not\leftarrow^{c} (l,r)}{n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1 \;\rightarrow^{c}_{l,r}\; n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle\!|R|\!\rangle \mid N_1}$$
$$E' = E'_S \triangleq \Big(\big(n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle\!|R|\!\rangle\big) \mid N_1\Big)$$
Finally, let us show that normalization preserves the state of the nodes in $N_1$ and changes the state of the nodes in $R$ as specified. Normalization only affects receivers; since the nodes in $R$ are not transmitting, they cannot interfere with each other or with the nodes in $N_1$, and multiple receivers normalize independently of each other. It therefore suffices to examine a single receiver, distinguishing whether or not it is also exposed to transmissions by nodes in $N_1$.

First, if $R = m[\mathsf{in}(x).P'_m]^{c}_{l_m,r_m}$ we have to check whether node $m$ is presently reached by other transmissions. If $N_1 \not\rightarrow^{c} l_m$ then, by rules RS-READYbegin and RS-COMPlabnorm, it is straightforward to prove that node $m$ normalizes to $m[(x).P'_m]^{c}_{l_m,r_m}$. By contrast, if $N_1 \rightarrow^{c} l_m$ then there is at least one node $o$ in $N_1$ such that $N_1 \equiv o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o} \mid N'_1$ with $d(l_o,l_m) \le r_o$; in this case, by rules RS-READYnoise and RS-COMPnorm, node $m$ normalizes to $m[\mathsf{in}(x).P'_m]^{c}_{l_m,r_m}$.

Secondly, if $R = m[(x).P'_m]^{c}_{l_m,r_m}$ then, since $m$ is already engaged in receiving data, this configuration is possible only if $N_1 \rightarrow^{c} l_m$, i.e., if there is a single node $o$ in $N_1$ such that $N_1 \equiv o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o} \mid N'_1$ with $d(l_o,l_m) \le r_o$. In this case, by rules RS-READINGbegin, RS-COMPnorm and RS-SCnorm, node $m$ normalizes to $m[\{\bot/x\}P'_m]^{c}_{l_m,r_m}$.

After the receiver normalization we have that
$$E'_S \;(\leadsto^{c}_{l'})^{*} \leadsto^{*}\; \Big(\big(n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \overline{\langle\!|R|\!\rangle}\big) \mid N_1\Big) \triangleq E''_S \qquad (5)$$
Hence, by rules RS-TRANSM and RS-COMPtransnorm the transmitter bag closes and the normalization step for the begin-transmission action terminates. At the end of the normalization process we have that $E'_S \;(\leadsto^{c}_{l'})^{*} \leadsto^{*} \rightarrowtail\; N'_S$, where
$$N'_S \triangleq \Big(\big(n[\langle v\rangle.P]^{c}_{l,r} \mid \overline{\langle\!|R|\!\rangle}\big) \mid N_1\Big)$$
To conclude the proof, we have found that
$$N \;>^{c}_{l}\; E_S \;\rightarrow^{c}_{l,r}\; E'_S \;(\leadsto^{c}_{l'})^{*} \leadsto^{*} \rightarrowtail\; N'_S$$
where $N$, $E_S$, $E'_S$ and $N'_S$ have the forms specified in the lemma. □

Lemma 2. If $N > E \rightarrow^{c}_{l,r} E' \;(\leadsto^{c}_{l'})^{*} \leadsto^{*} \rightarrowtail\; N'$, then there exist $n$, $v$, $P$, $R$ and $N_1$ such that
$$\begin{array}{rl}
N &\equiv \Big(\big(n[\langle v\rangle.P]^{c}_{l,r} \mid R\big) \mid N_1\Big) \\[2pt]
E &\equiv_E \Big(n[\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1\Big) \\[2pt]
E' &\equiv_E \Big(\big(n[P]^{c}_{l,r}\{0\} \mid \langle\!|R|\!\rangle_v\big) \mid N_1\Big) \\[2pt]
N' &\equiv \Big(\big(n[P]^{c}_{l,r} \mid \overline{\langle\!|R|\!\rangle_v}\big) \mid N_1\Big)
\end{array}$$
where $R$ is the possibly empty parallel composition of nodes of the form $m[\mathsf{in}(x).P]^{c}_{l',r'}$ or $m[(x).P]^{c}_{l',r'}$ for which $m[Q]^{c}_{l',r'} \leftarrow^{c} (l,r)$ holds.

Proof. First, we have to prove that for each wireless network $N$ in which a transmission is terminating the following holds:
$$N \equiv N_S \triangleq \Big(\big(n[\langle v\rangle.P]^{c}_{l,r} \mid R\big) \mid N_1\Big) \qquad (6)$$
The proof is by induction on the structure of $N$.

BASE CASE: the system $N = n[\langle v\rangle.P]^{c}_{l,r}$ is in normal form. Below we show that (6) is satisfied by taking $R = N_1 = 0$:
$$n[\langle v\rangle.P]^{c}_{l,r} \;\equiv\; n[\langle v\rangle.P]^{c}_{l,r} \mid 0 \;\equiv\; \big(n[\langle v\rangle.P]^{c}_{l,r} \mid 0\big) \mid 0 \;=\; \Big(\big(n[\langle v\rangle.P]^{c}_{l,r} \mid 0\big) \mid 0\Big)$$
In this case the equivalence is proved.

INDUCTIVE CASE: $N$ can only be structured as $N_a \mid N_b$. Let us assume that equivalence (6) holds for $N_a$ (the case in which $N_b$ satisfies the inductive hypothesis is similar). Hence, for some $R_a$ and $N_{a_1}$ it holds that
$$N_a \equiv \Big(\big(n[\langle v\rangle.P]^{c}_{l,r} \mid R_a\big) \mid N_{a_1}\Big)$$
Moreover, by structural congruence it also holds that $N_b \equiv R_b \mid N_{b_1}$, where (i) $R_b$ is the parallel composition of the nodes of the form $m[\mathsf{in}(x).P_m]^{c}_{l_m,r_m}$ or $m[(x).P_m]^{c}_{l_m,r_m}$ for which $d(l,l_m) \le r$ holds, and (ii) $N_{b_1}$ is the parallel composition of the remaining nodes. Hence, by structural congruence (rules SC-PARASSOC and SC-PARCOMP) it is straightforward to verify that
$$\Big(\big(n[\langle v\rangle.P]^{c}_{l,r} \mid R_a\big) \mid N_{a_1}\Big) \mid \big(R_b \mid N_{b_1}\big) \;\equiv\; \Big(\big(n[\langle v\rangle.P]^{c}_{l,r} \mid (R_a \mid R_b)\big) \mid (N_{a_1} \mid N_{b_1})\Big)$$
where

• since both $R_a$ and $R_b$ are composed of receivers that are listening on channel $c$ and fall within the transmission cell of node $n$, $R_a \mid R_b$ is a choice for $R$ which satisfies the requirements of the lemma;

• since terminating a transmission imposes no requirement on the nodes in $N_1$, $N_1 = N_{a_1} \mid N_{b_1}$ satisfies the requirements of the lemma about $N_1$.

These assignments satisfy the inductive case and prove (6). Hence, equivalence (6) is satisfied.

Given that, the next step is to prove the following:
$$E \equiv_E E_S \triangleq \Big(n[\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1\Big) \qquad (7)$$
To address this step, we first obtain $E$ by applying the reduction rules RS-COMMend and RS-COMPend to $N_S$:
$$E = \Big(\big(n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R\big) \mid N_1\Big) \qquad (8)$$
and then we have to prove equivalence (7). So far we know that $N_S > E$; in order to show that $E \equiv_E E_S$, we first prove (9) by induction on the number of nodes in $R$:
$$n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R \;\equiv_E\; n[\langle v\rangle.P]^{c}_{l,r}\{R\} \qquad (9)$$

BASE CASE: if $R = 0$, we have to prove
$$n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid 0 \;\equiv_E\; n[\langle v\rangle.P]^{c}_{l,r}\{0\}$$
which is satisfied in that it is an instance of the structural congruence rule SC-PARNULL.

INDUCTIVE CASE: let us assume that (9) holds for a generic $R$ (inductive hypothesis). To show that it holds for $R \mid r[P_r]^{c}_{l',r'}$ with $d(l',l) \le r$, for any $P_r$ of the form $\mathsf{in}(x).P'_r$ or $(x).P'_r$, we employ the structural congruence rules SC-BAGREADY and SC-BAGREADING (according to the form of $P_r$):
$$\begin{array}{rll}
n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R &\equiv_E\; n[\langle v\rangle.P]^{c}_{l,r}\{R\} & \text{(ind. hypothesis)} \\[2pt]
\big(n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R\big) \mid r[P_r]^{c}_{l',r'} &\equiv_E\; n[\langle v\rangle.P]^{c}_{l,r}\{R\} \mid r[P_r]^{c}_{l',r'} & \\[2pt]
n[\langle v\rangle.P]^{c}_{l,r}\{R\} \mid r[P_r]^{c}_{l',r'} &\equiv_E\; n[\langle v\rangle.P]^{c}_{l,r}\{R \mid r[P_r]^{c}_{l',r'}\} & \text{(SC-BAGREADY or SC-BAGREADING)}
\end{array}$$
Hence
$$\big(n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R\big) \mid r[P_r]^{c}_{l',r'} \;\equiv_E\; n[\langle v\rangle.P]^{c}_{l,r}\{R \mid r[P_r]^{c}_{l',r'}\}$$
which satisfies the inductive case.

Hence, whatever $R$ is, (9) holds; given this, (7) follows by composing both sides of (9) in parallel with $N_1$:
$$\Big(\big(n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R\big) \mid N_1\Big) \;\equiv_E\; \Big(n[\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1\Big)$$
Now, through a single application of the reduction rule RS-SC$>$, it is possible to show that $N > E_S$:
$$\frac{N \equiv N_S \qquad N_S > E \qquad E \equiv_E E_S}{N > E_S}$$

We now show that $E'$ is derivable from $E_S$ by applying the reduction rules RS-OUTend and RS-COMPevent:

$$\dfrac{n[\langle v\rangle.P]^{c}_{l,r} \;\xrightarrow{e_R}{}^{c}_{l,r}\; n[P]^{c}_{l,r}\ 0\ \langle|e_R|\rangle}{n[\langle v\rangle.P]^{c}_{l,r}\,\big|\,N_1 \;\xrightarrow{e_R}{}^{c}_{l,r}\; n[P]^{c}_{l,r}\ 0\ \langle|e_R|\rangle\,\big|\,N_1}$$

$$E' = E'_S \overset{def}{=} \Big(\big(n[P]^{c}_{l,r}\ 0\,\|\,\langle|R|\rangle\big)\,\Big|\,N_1\Big)$$

Finally, let us show that normalization preserves the state of the nodes in $N_1$ and changes the state of the nodes in $R$ as specified. Since the nodes in $R$ are receivers only, they do not interfere with each other or with the nodes in $N_1$; hence we examine the behaviour of a single node separately, according to whether it is also exposed to transmissions by nodes in $N_1$ or not. Because normalization essentially affects only the receivers, which are not presently transmitting and thus cannot interfere with each other, in this proof we only show the normalization of a single receiver, since multiple receivers normalize independently of each other.

First, if $R = m[in(x).P'_m]^{c}_{l_m,r_m}$, the detection of a transmission that finishes does not change the state of node $m$, regardless of whether $N_1 \not\to_c l_m$ holds or not. Hence, by employing RS-READYend and RS-COMPnorm it is straightforward to prove that node $m$ normalizes to $m[in(x).P'_m]^{c}_{l_m,r_m}$.

Secondly, if $R = m[(x).P'_m]^{c}_{l_m,r_m}$ then, since node $n$ is currently transmitting, it can only be that node $m$ is presently receiving the value transmitted by $n$. This configuration is possible only if $N_1 \not\to_c l_m$. In this case the proof is addressed by employing the rules RS-READINGend, RS-COMPlabelednorm and RS-SClabelednorm, and node $m$ normalizes to $m[v/x\,P'_m]^{c}_{l_m,r_m}$. After the receiver normalization we have that

$$E'_S\; Â^{c\,*}_{l'}\; Â^{*}\; \Big(\big(n[P]^{c}_{l,r}\ 0\,\|\,\langle|R|\rangle\big)\,\Big|\,N_1\Big) \overset{def}{=} E''_S \qquad (10)$$

Hence, by employing the rules RS-TRANSM and RS-COMPtransnorm, the transmitter bag closes and the normalization step for the begin-transmission action terminates. At the end of the normalization process we have $E'_S\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N'_S$, where

$$N'_S \overset{def}{=} \Big(\big(n[P]^{c}_{l,r}\,\|\,\langle|R|\rangle\big)\,\Big|\,N_1\Big)$$

To conclude the proof, we have found that

$$N > E_S \;\longrightarrow^{c}_{l,r}\; E'_S\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N'_S$$

where $N$, $E_S$, $E'_S$ and $N'_S$ satisfy the forms specified in the lemma. □


6.1 The Harmony Theorem

The harmony theorem below proves the correspondence between our two semantics. The theorem is divided into two parts. First, we show that the labelled transition semantics is compatible with structural congruence; that is, applying structural congruence does not affect the possible transitions. Second, we use this result, together with the results of Lemmas 1 and 2, to prove that for any network the RS behaves as the LTS; i.e., each reduction in the RS has a corresponding transition in the LTS and vice versa, and the resulting networks are structurally congruent. This second part separately examines the correspondence between LTS and RS in the cases of begin-transmission and end-transmission. We use the same proof technique for both cases.

This proof employs various techniques. The first assertion is proved by structural induction on the number of applications of structural congruence and on the contexts. Both cases of the second assertion are proved with the following technique. Using Lemmas 1 and 2 and the first assertion of the theorem, we reason on the form of the network to prove that the LTS behaves as the RS. For the other implication we could not reason by induction, because of a problem with propagating the set of ongoing transmissions $T$ from the bottom to the top of the derivation tree; hence we reasoned by contradiction, again employing the first assertion of the theorem.

Theorem 1 (Harmony Theorem)

1. If $T ¤ N \xrightarrow{\alpha} N'$ and $N \equiv N_1$ then $T ¤ N_1 \xrightarrow{\alpha} N'_1 \equiv N'$.

2. The following holds:

   (a)

   (a.1) If $N >^{c}_{l} E_1 \longrightarrow^{c}_{l,r} E_2\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N'$ then $T ¤ N \xrightarrow{c![l,r]} \equiv N'$, and

   (a.2) If $T ¤ N \xrightarrow{c![l,r]} \equiv N'$ then there exist $E_1$, $E_2$, $l'$ s.t. $N >^{c}_{l} E_1 \longrightarrow^{c}_{l,r} E_2\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N'$.

   (b)

   (b.1) If $N > E_1 \longrightarrow^{c}_{l,r} E_2\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N'$ then $T ¤ N \xrightarrow{c!v[l,r]} \equiv N'$, and

   (b.2) If $T ¤ N \xrightarrow{c!v[l,r]} \equiv N'$ then there exist $E_1$, $E_2$, $l'$ s.t. $N > E_1 \longrightarrow^{c}_{l,r} E_2\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N'$.

where $T$ is the set of transmissions that are active in network $N$.

Proof

1. If $T ¤ N \xrightarrow{\alpha} N'$ and $N \equiv N_1$ then $T ¤ N_1 \xrightarrow{\alpha} N'_1 \equiv N'$.

The proof is by induction on the number of applications of the structural congruence rules.

Base Case: We assume $N_1 \equiv N$ by zero applications of structural congruence rules, hence $N_1 = N$. By hypothesis $T ¤ N \xrightarrow{\alpha} N'$; moreover, since $N_1 = N$, $T ¤ N_1 \xrightarrow{\alpha} N'$ holds. Hence an $N'_1$ for which $T ¤ N_1 \xrightarrow{\alpha} N'_1 \equiv N'$ holds exists and is equal to $N'$.

Inductive Case: Assume that $N_1$ is obtained from $N$ through $k$ distinct applications of the rules of structural congruence. We indicate with $N_{(i)}$ the system after the $i$-th application of structural congruence:

$$N = N_{(0)} \equiv N_{(1)} \equiv \ldots \equiv N_{(i)} \equiv \ldots \equiv N_{(k-1)} \equiv N_{(k)} = N_1$$

By inductive hypothesis, we assume that the following holds:

$$\dfrac{T ¤ N \xrightarrow{\alpha} N' \qquad N \equiv N_{(k-1)}}{T ¤ N_{(k-1)} \xrightarrow{\alpha} N'_{(k-1)} \equiv N'}$$


Now, we have to prove that, for each possible application of structural congruence, the statement is valid within each possible context $c \in C$ of application:

$$C \overset{def}{=} [\cdot] \;\|\; C\,|\,N_C \;\|\; N_C\,|\,C$$

$[\cdot]$: In this case, by reasoning on the structure of $N_k$, we have to prove the following:

$$\dfrac{T ¤ N_{(k-1)} \xrightarrow{\alpha} N'_{(k-1)} \qquad N_{k-1} \equiv N_{(k)}}{T ¤ N_{(k)} \xrightarrow{\alpha} N'_{(k)} \equiv N'_{(k-1)}}$$

• Let us assume that $T ¤ N_{k-1} \xrightarrow{c!\theta[l,r]} N'_{k-1}$ has been obtained by applying rule NS-COMr; hence we know that:

  (a) $N_{k-1} = N_a\,|\,N_b$ and $N'_{k-1} = N'_a\,|\,N'_b$

  (b) $T ¤ N_a \xrightarrow{c?\theta[l,r]} N'_a$ and $T ¤ N_b \xrightarrow{c!\theta[l,r]} N'_b$

  By the SC rule SC-PARCOMP, we know that $N_a\,|\,N_b \equiv N_b\,|\,N_a$, which we call $N_k$. Moreover, given the hypotheses at point (b) above, by applying NS-COMl we know that $N_k$ becomes $N'_b\,|\,N'_a$, which we call $N'_k$ and which is structurally congruent to $N'_{k-1}$ by the SC rule SC-PARCOMP. Hence it is proved that

  $$\dfrac{T ¤ N_a\,|\,N_b \xrightarrow{c!\theta[l,r]} N'_a\,|\,N'_b \qquad N_a\,|\,N_b \equiv N_b\,|\,N_a}{T ¤ N_b\,|\,N_a \xrightarrow{c!\theta[l,r]} N'_b\,|\,N'_a \equiv N'_a\,|\,N'_b}$$

  As for rule NS-COMr, the statement holds.

• Let us assume that $T ¤ N_{k-1} \xrightarrow{c!\theta[l,r]} N'_{k-1}$ has been obtained by applying rule NS-COMl. The proof is similar to the one above, considering rules NS-COMl and NS-COMr in the opposite order.

• Let us assume that $T ¤ N_{k-1} \xrightarrow{c!\theta[l,r]} N'_{k-1}$ has been obtained by applying rule NS-COMin; hence we know that:

  (a) $N_{k-1} = N_a\,|\,N_b$ and $N'_{k-1} = N'_a\,|\,N'_b$

  (b) $T ¤ N_a \xrightarrow{c?\theta[l,r]} N'_a$ and $T ¤ N_b \xrightarrow{c?\theta[l,r]} N'_b$

  By the SC rule SC-PARCOMP, we know that $N_a\,|\,N_b \equiv N_b\,|\,N_a$, which we call $N_k$. Moreover, given the hypotheses at point (b) above, by applying NS-COMin we know that $N_k$ becomes $N'_b\,|\,N'_a$, which we call $N'_k$ and which is structurally congruent to $N'_{k-1}$ by the SC rule SC-PARCOMP. Hence it is proved that

  $$\dfrac{T ¤ N_a\,|\,N_b \xrightarrow{c?\theta[l,r]} N'_a\,|\,N'_b \qquad N_a\,|\,N_b \equiv N_b\,|\,N_a}{T ¤ N_b\,|\,N_a \xrightarrow{c?\theta[l,r]} N'_b\,|\,N'_a \equiv N'_a\,|\,N'_b}$$

  As for NS-COMin, the statement holds.

As for the empty context, we have proved that the statement holds.

$C\,|\,N_C$: In this case we have to prove the statement when $N_{(k-1)}$ has the form $C\,|\,N_C$; this regards the parallel composition, either for communication or for internal actions.

• Let us assume that $T ¤ N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by applying rule NS-COMr. Then we know that $T ¤ C\,|\,N_C \xrightarrow{c!\theta[l,r]} C'\,|\,N'_C$, that $T ¤ C \xrightarrow{c?\theta[l,r]} C'$, and that $T ¤ N_C \xrightarrow{c!\theta[l,r]} N'_C$. By employing NS-COMl, we can then obtain $T ¤ N_C\,|\,C \xrightarrow{c!\theta[l,r]} N'_C\,|\,C'$. Note that, by the SC rule SC-PARCOM, $N_{k-1} \equiv N_C\,|\,C = N_k$ and $N'_{k-1} \equiv N'_C\,|\,C' = N'_k$; hence,

  $$\dfrac{T ¤ C\,|\,N_C \xrightarrow{c!\theta[l,r]} C'\,|\,N'_C \qquad C\,|\,N_C \equiv N_C\,|\,C}{T ¤ N_C\,|\,C \xrightarrow{c!\theta[l,r]} N'_C\,|\,C' \equiv C'\,|\,N'_C}$$

  As for NS-COMr, the statement holds.

• Let us assume that $T ¤ N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by applying rule NS-COMl. In this case, the proof is similar to the one above.

• Let us assume that $T ¤ N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by applying rule NS-COMin. Then we know that $T ¤ C\,|\,N_C \xrightarrow{c?\theta[l,r]} C'\,|\,N'_C$, that $T ¤ C \xrightarrow{c?\theta[l,r]} C'$, and that $T ¤ N_C \xrightarrow{c?\theta[l,r]} N'_C$. By employing NS-COMl, we can then obtain $T ¤ N_C\,|\,C \xrightarrow{c?\theta[l,r]} N'_C\,|\,C'$. Note that, by the SC rule SC-PARCOM, $N_{k-1} \equiv N_C\,|\,C = N_k$ and $N'_{k-1} \equiv N'_C\,|\,C' = N'_k$; hence,

  $$\dfrac{T ¤ C\,|\,N_C \xrightarrow{c?\theta[l,r]} C'\,|\,N'_C \qquad C\,|\,N_C \equiv N_C\,|\,C}{T ¤ N_C\,|\,C \xrightarrow{c?\theta[l,r]} N'_C\,|\,C' \equiv C'\,|\,N'_C}$$

  As for NS-COMr, the statement holds.

As for this context, the statement holds.

$N_C\,|\,C$: In this case we have to prove the statement when $N_{(k-1)}$ has the form $N_C\,|\,C$; this case is similar to the previous one.

Since the statement has been proved for every context and for every possible application, the inductive case is proved.

Both the base case and the inductive case hold; the statement is proved.

2. This proof consists of examining separately the cases of start and end of transmission.

(a)

(a.1): If $N >^{c}_{l} E_1 \longrightarrow^{c}_{l,r} E_2\; Â^{*}\; Â^{c\,*}_{l'}\; º\; N'$ then $T ¤ N \xrightarrow{[l,r]!c} \equiv N'$.

By Lemma 1 we know that

$$N \equiv \Big(\big(n[out\langle v\rangle.P]^{c}_{l,r}\,\big|\,R\big)\,\Big|\,N_1\Big)$$

$$N' \equiv \Big(\big(n[\langle v\rangle.P]^{c}_{l,r}\,\big|\,\langle|R|\rangle\big)\,\Big|\,N_1\Big)$$

where $R$ is the subsystem composed of the actual receivers that are touched by the transmission, $N_1$ is the subsystem composed of both the nodes that are not touched by that transmission and the ones that are touched by the signal but are not performing input actions, and $\langle|R|\rangle$ is the system $R$ that has been touched by the beginning of the transmission and has subsequently been normalized.

To prove the implication we have to show (i) that, according to the LTS, node $n$ is enabled to begin the transmission, and (ii) that the LTS makes system $N$ become a system $N''$ which is structurally congruent to $N'$.


First, by Lemma 1 we also know that node $n$ is not reached by any ongoing transmission, i.e. $T|_{l,c} \setminus (l,r,c) = \emptyset$. This condition enables the employment of rule NS-OUTbegin.

Second, since neither the LTS nor the RS has rules that create or destroy wireless nodes, a transition cannot imply any change within the system except for the state of the nodes within the system. Therefore, to prove the statement we have to show that, for each possible node $m$ in $R$ or in $N_1$, both the LTS and the RS enforce the same state transition.

Let $m$ be in $N_1$; then Lemma 1 grants us that its internal state does not change. In order to prove that the LTS behaves the same, we have to examine the following cases:

• whatever its location, $m$ is synchronized on a channel $c_m \neq c$;

  In this case $d(l,l_m) \le r$. For the proof to be complete, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}$. We also know that $T = \emptyset$. Hence, it is straightforward to verify that the system

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\big)$$

  Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}\,|\,o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m,l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l,l_o) > r_o$ and $T = (l_o,r_o,c_o)$. Hence, it is straightforward to verify that the system

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would maintain the same state. Similarly to what happens with the RS, the two cases above prove that the LTS leaves the state of node $m$ unchanged.

• $c_m = c$ and $m$ is touched by the transmission but is performing an output operation ($outop$);

  In this case $d(l,l_m) \le r$. Here too we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[outop.P_m]^{c_m}_{l_m,r_m}$. We also know that $T = (l_o,r_o,c_o)$. Under these conditions, it is straightforward to verify that

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[outop.P_m]^{c_m}_{l_m,r_m}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[outop.P_m]^{c_m}_{l_m,r_m}\big)$$

  Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}\,|\,o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m,l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l,l_o) > r_o$ and $T = (l_o,r_o,c_o)$. Under these conditions, it is straightforward to verify that

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[outop.P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[outop.P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would behave in the same manner. Similarly to what happens with the RS, the two cases above prove that the LTS does not change the state of node $m$.

• $c_m = c$ and $m$ is not touched by the transmission.

  In this case $d(l,l_m) > r$. For the proof to be complete, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}$. We also know that $T = \emptyset$. Under these conditions, it is straightforward to verify that

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\big)$$

  Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}\,|\,o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m,l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l,l_o) > r_o$ and $T = (l_o,r_o,c_o)$. Under these conditions, it is straightforward to verify that

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would behave in the same manner. Similarly to what happens with the reduction semantics, the two cases above prove that in the LTS node $m$ does not change state.

The three cases above prove that, similarly to the RS, the LTS does not force the nodes in $N_1$ to change their respective states.

Hence, let us examine the behaviour of the nodes in $R$. A node $m$ is in $R$ if it is both synchronized on the transmission channel (i.e., $c$) and performing an input operation (i.e., it is either ready to receive or currently receiving a value).

• $m[in(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

  Let us first analyze the case in which $m$ is not touched by any other transmission, which corresponds to the assumption $N_1 = \emptyset$. We also know that $T = \emptyset$. In this case, Lemma 1 states that the reduction semantics makes node $m$ switch to the state $m[(x).P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[(x).P_m]^{c_m}_{l_m,r_m}\big)$$

  Second, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. We know that $T = (l_o,r_o,c_o)$. In this case, Lemma 1 states that the reduction semantics makes node $m$ remain in the same state. Under these conditions, it is straightforward to verify that

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would behave in the same manner. These two cases prove that, in this case, both the RS and the LTS enforce the same behaviour on node $m$.

• $m[(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

  For $m$ to be $m[(x).P_m]^{c}_{l_m,r_m}$, it has to be touched by one and only one transmission. Hence, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. We know that $T = (l_o,r_o,c_o)$. In this case, Lemma 1 states that the RS makes node $m$ switch to state $m[\bot/x.P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

  $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[(x).P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  performs the action and becomes

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[\bot/x.P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  In this case both the RS and the LTS enforce the same behaviour on node $m$.

The cases shown so far prove that for each reduction that applies to the network there is a corresponding labelled transition that applies, and that the two semantics make each single node evolve to the same state. By the first part of this theorem we know that, for each network, applications of structural congruence do not change the possible transitions; hence we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.

(a.2): If $T ¤ N \xrightarrow{[l,r]!c} \equiv N'$ then there exist $E_1$, $E_2$, $l'$ s.t. $N >^{c}_{l} E_1 \longrightarrow^{c}_{l} E_2\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N'$. We address this proof by contradiction; specifically, we have to verify the following two cases:

i. $\nexists\; E_1, E_2, l', N''$ s.t. $N >^{c}_{l} E_1 \longrightarrow^{c}_{l} E_2\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N''$.

  Lemma 1 grants us that we can write the equivalence below:

  $$N \equiv N''' = \Big(\big(n[out\langle v\rangle.P]^{c}_{l,r}\,\big|\,R\big)\,\Big|\,N_1\Big)$$

  Since we also know that $T ¤ N \xrightarrow{c![l,r]} N'$ then, by the first point of this theorem, we can state that $T ¤ N'' \xrightarrow{c![l,r]} \equiv N'$. Now, the rule NS-OUTbegin prevents the wireless node $n$ from beginning the transmission if location $l$ is reached from $R$ or $N_1$, but $R$, by definition, is uniquely composed of receivers. Hence, for a transmission to be prevented from starting, $N_1$ must be rewritable as below:

  $$N_1 = q[\langle v_2\rangle.Q]^{c}_{l_q,r_q}\,\Big|\,N_2$$

  Hence it would be true that $(c,l_q,r_q) \in T$ and, since $T|_{c,l}$ would be different from $\emptyset$, the rule NS-OUTbegin could not be employed and the transition $T ¤ N''' \xrightarrow{c![l,r]} \equiv N'$ would not be possible. As a consequence, the transition $T ¤ N \xrightarrow{![l,r,c]} \equiv N'$ would not be possible either, contradicting the hypothesis.

ii. $\exists\; E_1, E_2, c', l', N'''$ s.t. $N >^{c}_{l} E_1 \longrightarrow^{c}_{l,r} E_2\; Â^{c\,*}_{l'}\; Â^{*}\; º\; N''' \Rightarrow N''' \not\equiv N'$.

  If the transition occurs, then by Lemma 1 we know that $\exists\; N'', E_1, E_2, c', l', N'''$ such that

  $$N \equiv N'' = \Big(\big(n[out\langle v\rangle.P]^{c}_{l,r}\,\big|\,R\big)\,\Big|\,N_1\Big)$$

  $$N''' \equiv \Big(\big(n[\langle v\rangle.P]^{c}_{l,r}\,\big|\,\langle|R|\rangle\big)\,\Big|\,N_1\Big)$$

  where $R$ is the subsystem composed of the actual receivers that are touched by the transmission that is going to begin, $N_1$ is the subsystem composed of both the nodes that are not touched by that transmission and the ones that are touched by the signal but would not react to it, and $\langle|R|\rangle$ is the system $R$ that has been touched by the beginning of the transmission and has subsequently been normalized.

  Since neither the LTS nor the RS has rules that create or destroy wireless nodes, the transition cannot imply any change within the system except for the state of the transmitter and of the nodes touched by the signal. Hence, there has to be a node $m[P]^{c_m}_{l_m,r_m}$ in $N'$ that is executing a process different from the one it is executing in $N'''$.

  Let $m$ be in $N_1$; then Lemma 1 grants us that its internal state does not change. In order to prove that the LTS behaves the same, we have to examine the following cases:

  • whatever its location, $m$ is synchronized on a channel $c_m \neq c$;

    In this case $d(l,l_m) \le r$. For the proof to be complete, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}$. We also know that $T = \emptyset$. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\big)$$

    Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}\,|\,o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m,l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l,l_o) > r_o$ and $T = (l_o,r_o,c_o)$. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

    In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. Similarly to what happens with the RS, the two cases above prove that the LTS does not modify the state of node $m$.

  • $c_m = c$ and $m$ is touched by the transmission but is performing an output operation ($outop$);

    In this case $d(l,l_m) \le r$. Here too we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[outop.P_m]^{c_m}_{l_m,r_m}$. We also know that $T = (l_o,r_o,c_o)$. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[outop.P_m]^{c_m}_{l_m,r_m}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[outop.P_m]^{c_m}_{l_m,r_m}\big)$$

    Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}\,|\,o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m,l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l,l_o) > r_o$ and $T = (l_o,r_o,c_o)$. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[outop.P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[outop.P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

    In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would behave in the same manner. Similarly to what happens with the RS, the two cases above prove that the LTS does not modify the state of node $m$.


  • $c_m = c$ and $m$ is not touched by the transmission.

    In this case $d(l,l_m) > r$. For the proof to be complete, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}$. We also know that $T = \emptyset$. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\big)$$

    Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m}\,|\,o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m,l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l,l_o) > r_o$ and $T = (l_o,r_o,c_o)$. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

    In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would behave in the same manner. Similarly to what happens with the RS, the two cases above prove that the LTS does not modify the state of node $m$.

  The three cases above prove that, similarly to the RS, the LTS does not enforce changes in $N_1$.

  Hence, let us examine the behaviour of the nodes in $R$. A node $m$ is in $R$ if it is both synchronized on the transmission channel (i.e., $c$) and performing an input operation (i.e., it is either ready to receive or currently receiving an incoming signal).

  • $m[in(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

    Let us first analyze the case in which $m$ is not touched by any other transmission; for this we assume $N_1 = \emptyset$, since we have already proved that the nodes in $N_1$ are not modified. We also know that $T = \emptyset$. In this case, Lemma 1 states that the RS makes node $m$ switch to the state $m[(x).P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[(x).P_m]^{c_m}_{l_m,r_m}\big)$$

    Second, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. We know that $T = (l_o,r_o,c_o)$. In this case, Lemma 1 states that the RS makes node $m$ remain in the same state. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\big)$$

    In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would behave in the same manner. These two cases prove that, in this case, both the RS and the LTS enforce the same behaviour on node $m$.

  • $m[(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

    For $m$ to be $m[(x).P_m]^{c}_{l_m,r_m}$, it has to be touched by one and only one transmission. Hence, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. We know that $T = (l_o,r_o,c_o)$. In this case, Lemma 1 states that the RS makes node $m$ switch to state $m[\bot/x.P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

    $$\big(n[out\langle v\rangle.P]^{c}_{l,r}\;|\;m[(x).P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

    performs the action and becomes

    $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[\bot/x.P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

    In this case both the RS and the LTS enforce the same behaviour on node $m$.

  The fact that both the LTS and the RS enforce the same behaviour for node $m$, for every possible state that it may assume, contradicts the hypothesis and proves this assertion.

The cases shown so far prove that for each labelled transition that applies to the network there is a corresponding reduction that applies, and that the two semantics make each single node evolve to the same state. By the first part of this theorem we know that, for each network, applications of structural congruence do not change the possible transitions; hence we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.

(b)

(b.1): Let us consider the case of the end of transmission.

By Lemma 2 we know that

$$N \equiv \Big(\big(n[\langle v\rangle.P]^{c}_{l,r}\,\big|\,R\big)\,\Big|\,N_1\Big)$$

$$N' \equiv \Big(\big(n[P]^{c}_{l,r}\,\big|\,\langle|R|\rangle_v\big)\,\Big|\,N_1\Big)$$

where $R$ is the subsystem composed of the actual receivers that are touched by the transmission that is going to begin, $N_1$ is the subsystem composed of both the nodes that are not touched by that transmission and the ones that are touched by the signal but would not react to it, and $\langle|R|\rangle_v$ is the system $R$ that has been touched by the beginning of the transmission and has subsequently been normalized.

To prove the implication we have to show (i) that, according to the LTS, node $n$ is enabled to terminate the transmission, and (ii) that the LTS makes system $N$ become a system $N''$ which is structurally congruent to $N'$.

First, by rule NS-OUTend, we know that there are no conditions preventing a transmitter from ending a current transmission; hence, if the reduction semantics makes it possible to terminate a transmission, then the LTS also enables the end of that transmission.

Secondly, since neither the LTS nor the RS has rules that create or destroy wireless nodes, the transition cannot imply any change within the system except for the state of the transmitter and of the nodes touched by the signal. Therefore, it remains to show that, for each possible node $m$ in $R$ or in $N_1$, both the LTS and the RS enforce the same state transition.

As regards a generic node in $N_1$, it is straightforward to verify that the proof is similar to the one for the begin-transmission event: since the transmission does not reach the nodes outside the cell, none of the nodes in $N_1$ is affected in either semantics. Hence, let us examine the behaviour of the nodes in $R$. A node $m$ is in $R$ if it is both synchronized on the transmission channel (i.e., $c$) and performing an input operation (i.e., it is either ready to receive or currently receiving an incoming signal).

• $m[in(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

  Let us first analyze the case in which $m$ is not touched by any other transmission, which corresponds to the assumption $N_1 = \emptyset$. In this case, Lemma 2 states that the reduction semantics makes node $m$ switch to the state $m[(x).P_m]^{c}_{l_m,r_m}$. We know that $T = (l,r,c)$. Under these conditions, it is straightforward to verify that

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\big)$$

  performs the action and becomes

  $$\big(n[P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\big)$$

  Second, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. In this case, Lemma 2 states that the reduction semantics makes node $m$ remain in the same state. We know that $T = (l_o,r_o,c_o), (l,r,c)$. Under these conditions, it is straightforward to verify that

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  performs the action and becomes

  $$\big(n[P]^{c}_{l,r}\;|\;m[in(x).P_m]^{c_m}_{l_m,r_m}\;|\;o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\big)$$

  In the case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would behave in the same manner. These two cases prove that, in this case, both the RS and the LTS enforce the same behaviour on node $m$.

• $m[(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

  For $m$ to be $m[(x).P_m]^{c}_{l_m,r_m}$, it has to be touched by one and only one transmission. In this case, since $m \in R$, we know that $m$ is receiving the transmission that is being performed by node $n$, so we can assume $N_1$ to be empty. Moreover, we know that $T = (l,r,c)$. In this case, Lemma 2 states that the RS makes node $m$ switch to state $m[v/x.P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

  $$\big(n[\langle v\rangle.P]^{c}_{l,r}\;|\;m[(x).P_m]^{c_m}_{l_m,r_m}\big)$$

  performs the action and becomes

  $$\big(n[P]^{c}_{l,r}\;|\;m[v/x.P_m]^{c_m}_{l_m,r_m}\big)$$

  In this case both the RS and the LTS describe the same behaviour for node $m$.

The cases shown so far prove that for each reduction that applies to the network there is a corresponding labelled transition that applies, and that the two semantics make each single node evolve to the same state. By the first part of this theorem we know that, for each network, applications of structural congruence do not change the possible transitions; hence we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.
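The per-node behaviour enumerated in the begin-transmission case (a.1) and the end-transmission case (b.1) above, as an added executable model that is not code from the thesis: nodes carry a location, range, channel and head action, `begin` applies the NS-OUTbegin side condition and the receiver normalization, and `end` binds the received value. The names `Node`, `begin`, `end`, `can_begin`, the state labels, and the use of Euclidean distance for $d(l,l')$ are assumptions of this model.

```python
# Added example (not from the thesis): an executable model of the per-node state
# changes that proof cases (a.1) and (b.1) enumerate for the begin- and
# end-transmission events. Node, begin, end, can_begin, the state labels and the
# use of Euclidean distance for d(l, l') are assumptions of this model.
from dataclasses import dataclass, replace
from math import dist

# Head action of a node's process, written as in the proof cases:
#   OUT     out<v>.P   ready to transmit       TRANS    <v>.P  transmitting v
#   IN      in(x).P    ready to receive        READING  (x).P  receiving one signal
#   BOUND   v/x.P      received v (or BOTTOM)  NEXT     P      continuation after <v>.P
BOTTOM = "⊥"


@dataclass(frozen=True)
class Node:
    name: str
    loc: tuple        # l
    rng: float        # r
    chan: str         # c
    state: str
    value: object = None  # v being sent, or the value bound to x


def touched(tx, m):
    """m lies in the cell of tx: d(l_tx, l_m) <= r_tx."""
    return dist(tx.loc, m.loc) <= tx.rng


def others_touching(net, m, exclude):
    """Ongoing transmissions on m's own channel that reach m, other than `exclude`."""
    return [t for t in net
            if t.state == "TRANS" and t is not exclude and t.chan == m.chan and touched(t, m)]


def can_begin(net, n):
    """Side condition of NS-OUTbegin: no ongoing transmission on channel c reaches l
    (T|_{l,c} minus n's own entry is empty) and n is ready to transmit."""
    return n.state == "OUT" and not others_touching(net, n, n)


def begin(net, name, v):
    """Begin-transmission event: n switches to <v>.P and the receivers in its cell on
    channel c are normalized as in case (a.1); every other node is left unchanged."""
    n = next(x for x in net if x.name == name)
    if not can_begin(net, n):
        raise ValueError(f"{name} cannot begin: not ready, or channel busy at its location")
    out = []
    for m in net:
        if m is n:
            out.append(replace(m, state="TRANS", value=v))
        elif m.chan != n.chan or not touched(n, m):
            out.append(m)                                        # other channel or outside the cell
        elif m.state == "IN" and not others_touching(net, m, n):
            out.append(replace(m, state="READING"))              # in(x).P  ->  (x).P
        elif m.state == "READING":
            out.append(replace(m, state="BOUND", value=BOTTOM))  # (x).P    ->  ⊥/x.P (collision)
        else:
            out.append(m)  # outputting, already bound, or in(x) already under interference
    return out


def end(net, name):
    """End-transmission event: n switches to P and a node reading n's signal binds x
    to v (case (b.1)); in(x) nodes and everything outside the cell are unchanged."""
    n = next(x for x in net if x.name == name)
    if n.state != "TRANS":
        raise ValueError(f"{name} is not transmitting")
    out = []
    for m in net:
        if m is n:
            out.append(replace(m, state="NEXT", value=None))
        elif (m.chan == n.chan and touched(n, m) and m.state == "READING"
              and not others_touching(net, m, n)):
            out.append(replace(m, state="BOUND", value=n.value))  # (x).P  ->  v/x.P
        else:
            out.append(m)
    return out


def state_of(net, name):
    m = next(x for x in net if x.name == name)
    return (m.state, m.value)


def demo():
    """Constructed network: n and o share channel c; o's cell reaches m6 and m7
    but not n, so n may begin while m6 and m7 are already interfered by o."""
    net = [
        Node("n", (0, 0), 5, "c", "OUT"),
        Node("m1", (2, 0), 5, "c", "IN"),          # receiver in n's cell, no interference
        Node("m2", (4, 0), 5, "d", "IN"),          # in the cell, but on another channel
        Node("m3", (0, 3), 5, "c", "OUT"),         # in the cell, but outputting
        Node("m4", (10, 0), 5, "c", "IN"),         # outside the cell
        Node("o", (8, 0), 5, "c", "TRANS", "w"),  # ongoing transmission with d(l, l_o) > r_o
        Node("m6", (4.5, 0), 5, "c", "READING"),   # reading o's signal, also in n's cell
        Node("m7", (4, 1), 5, "c", "IN"),          # in(x) already touched by o's signal
    ]
    after_begin = begin(net, "n", "v")
    after_end = end(after_begin, "n")
    return net, after_begin, after_end
```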

(b.2): Let us consider the case of the end of a transmission: $T \rhd N \xrightarrow{c!v[l,r]} \equiv N' \;\Rightarrow\; \exists E_1, E_2, c, l, l'$ s.t. $N > E_1 \xrightarrow{c}_{l,r} E_2 \succ^{*} \succ^{c\,*}_{l'} \succeq N'$. This proof is also by contradiction.

i. $\nexists\, E_1, E_2, c', l', N''$ s.t. $N > E_1 \xrightarrow{c}_{l,r} E_2 \succ^{*} \succeq N''$.

It is straightforward to see that this case is not possible: both the RS and the LTS enable the termination of a transmission without further conditions. This means that, once a transmission has begun, its termination is guaranteed to happen exactly when it is intended to.

ii. $\exists\, E_1, E_2, c, l', N'''$ s.t. $N > E_1 \xrightarrow{c}_{l,r} E_2 \succ^{*} \succeq N'''$ and $N''' \not\equiv N'$.

If the transition occurs, then by Lemma 2 we know that $\exists N'', E_1, E_2, c', l', N'''$ such that
$$N \equiv N'' = ((n[\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1)$$
$$N''' \equiv ((n[P]^{c}_{l,r} \mid \overline{\langle|R|\rangle_v}) \mid N_1)$$
where $R$ is the subsystem composed of the actual receivers touched by the ending transmission, $N_1$ is the subsystem composed of both the nodes that were not touched by that transmission and the ones that were touched by the signal while not explicitly receiving, and $\overline{\langle|R|\rangle_v}$ is the system $R$ after being touched by the ended transmission and subsequently normalized.

As in the previous case, since neither the LTS nor the RS has rules that create or destroy wireless nodes, the transition cannot imply any change within the system except for the state of the transmitter and of the nodes touched by the signal. Hence, there has to be a node $m[P]^{c_m}_{l_m,r_m}$ in $N'$ that is executing a process different from the one it executes in $N'''$. Let $m$ be in $N_1$; then Lemma 2 grants that its internal state does not change. Even in this case, the proof is similar to the one for the begin-transmission action; thus we only address the part of the proof that regards the nodes in $R$ for the end-transmission action. By definition, a node $m$ is in $R$ if it is synchronized on the transmission channel (i.e., $c$) and it is performing an input operation (i.e., it is either ready to receive or currently receiving an incoming signal). We examine each of these cases both in absence and in presence of interference.

• $m[in(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$.

Let us first analyze the case in which $m$ is not touched by any other transmission, i.e., the assumption $N_1 = \emptyset$. In this case, Lemma 2 states that the RS leaves node $m$ in state $m[in(x).P_m]^{c}_{l_m,r_m}$. We know that $T = (l,r,c)$. Under these conditions, it is straightforward to verify that
$$(n[\langle v\rangle.P]^{c}_{l,r} \mid m[in(x).P_m]^{c_m}_{l_m,r_m})$$
performs the action and becomes
$$(n[P]^{c}_{l,r} \mid m[in(x).P_m]^{c_m}_{l_m,r_m})$$

Second, let us assume node $m$ to be touched also by a transmission from node $o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, i.e., the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$ with $c_o = c_m$. In this case, Lemma 2 states that the RS makes node $m$ remain in the same state. We know that $T = (l_o,r_o,c_o),(l,r,c)$. Under these conditions, it is straightforward to verify that
$$(n[\langle v\rangle.P]^{c}_{l,r} \mid m[in(x).P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o})$$
performs the action and becomes
$$(n[P]^{c}_{l,r} \mid m[in(x).P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o})$$
In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. These two cases prove that both the RS and the LTS describe the same behaviour for node $m$.

• $m[(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$.

For $m$ to be in state $m[(x).P_m]^{c}_{l_m,r_m}$, it has to be touched by one and only one transmission. Since $m \in R$, we know that $m$ is receiving the transmission performed by node $n$; hence we can assume $N_1$ to be empty. Moreover, we know that $T = (l,r,c)$. In this case, Lemma 2 states that the RS makes node $m$ switch to state $m[v/x\,P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that
$$(n[\langle v\rangle.P]^{c}_{l,r} \mid m[(x).P_m]^{c_m}_{l_m,r_m})$$
performs the action and becomes
$$(n[P]^{c}_{l,r} \mid m[v/x\,P_m]^{c_m}_{l_m,r_m})$$
In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would behave in the same manner. In this case both the RS and the LTS describe the same behaviour for node $m$.

The fact that both the LTS and the RS describe the same behaviour for node $m$, for every possible state it assumes, contradicts the hypothesis and proves this assertion.

The cases shown so far prove that for each labelled transition that applies to the network there is a corresponding reduction, and that the two semantics make each single node evolve to the same state. By the first part of this lemma we know that, for each network, applications of structural congruence do not change the possible transitions; hence we can conclude that, for each network, the two semantics enable the same transitions and the networks produced are structurally equivalent.

□

The complexity of the proof, which lies in the form of the reduction semantics, gives relevance to this result. The result reinforces the two semantics: it shows that our intuition in the modelling of wireless communication systems and in the development of the semantics has been correct. Specifically, given that the RS is much more intuitive, it appears clear that we have been successful in the development of the LTS. Moreover, this result enables one to employ interchangeably whichever of the two semantics is more appropriate for the task at hand. For instance, the same specification model could be evaluated on its own by employing the RS, and then some properties of the system could be verified by employing tools developed on the LTS.


Chapter 9

The Extended Language

1 Language Extensions

In this section we describe some extensions to our language. Table 1 specifies the syntax of CWS augmented with new prefixes: the timeout for the input operation and the restriction are the main extensions; the selection and recursion operators are the other ones.

The handled input enables the modelling of scenarios in which a device, when some internal condition holds (e.g., a timeout, an interrupt, an exception), stops waiting for incoming messages and changes its execution flow. This operator is important for communication protocols that implement techniques to prevent starvation. Since in CWS channel names cannot be transmitted, the restriction is not essential; however, in the following sections it will be shown that, except for the additional rules, the approaches we employed for developing our semantics are compatible with the extension and do not grow in complexity. The other operators are introduced in order to make our language Turing-complete.

This syntax is an extension of the one in Table 1 of the basic language, in which the input prefix has been replaced with the handled input.

First, we describe the prefixes that have been added to the process language.

handled input: An input process $in(x)+H.P$ represents a process that can either store into variable $x$ the first value it receives, or trigger the handler $H$ if some internal condition (e.g., a timeout, an interrupt, an exception) holds. In the first case, the reception begins and the process evolves to $(x).P$. In the second case, the process evolves to $H$;

channel switch: A process switch c.P represents a process that synchronizes the respective de-vice on channel c, and then continues as P;

conditional construct: A process $if\ e\ then\ P_1\ else\ P_2$ represents a process that behaves according to the truth value $[\![e]\!]$; that is, if $[\![e]\!]$ evaluates to true then the process evolves into $P_1$, otherwise it evolves into $P_2$;

recursion: In the definition of recursion, we assume a distinct alphabet of constant symbols ranged over by $A$; for each employed constant symbol $A$ there is a definition of the form $A \stackrel{def}{=} (x)P$. Then, a process $A\langle e\rangle$ behaves as $v/x\,P$, provided that $[\![e]\!] = v$.

Moreover, the network language has been augmented with restriction. The restriction operation $(\nu c)\,N$ creates a new channel $c$ within the scope of network $N$; the new channel can be used only by the nodes in $N$ to communicate with each other.

The above extensions enforce a change in the definition of bindings and of free names.

Bound Names and Free Names. In our language, nodes execute in parallel and communicate via channels; each node locally defines its variables and executes sequential processes. In each of $n[in(x)+H.P]^{c}_{l,r}$ and $n[(x).P]^{c}_{l,r}$ the displayed occurrence of $x$ is binding with scope $P$. In a context defining $A \stackrel{def}{=} (x)P$ the displayed occurrences of $x$ are binding with scope $P$. In $(\nu c)(N)$, the displayed occurrence of $c$ is binding with scope $N$. We say that a name is free if it is not bound. We write $fn(N)$ for the set of free names in $N$.

Table 1. Language for the description of wireless networks

    C ::= a ... d                         channels
    E ::= e ... g                         expressions
    U ::= m ... o                         node identifiers
    V ::= x ... z                         variables
    I ::= h ... k                         ground values
    L ::= U ∪ V ∪ I = u ... v             values
    interference ::= ⊥                    interference

    P ::= out⟨e⟩.P                        output
        | ⟨v⟩.P                           active output
        | in(x) + H.P                     handled input
        | (x).P                           active input
        | switch c.P                      channel switch
        | if e then P else P              conditional construct
        | A⟨e⟩                            recursion
        | 0                               inactive process

    H ::= P                               timeout handler
        | 0                               inactive handler

    N ::= n[P]^c_{l,r}                    wireless node
        | N1 | N2                         parallel composition
        | (νc) N                          channel restriction
        | 0                               empty network

Table 2. Extension to the language for tagged networks (the bag of a tagged transmitter is written in braces after the node)

    E ::= (νc̃)( n[out⟨e⟩.P]^c_{l,r}{R} | N )          initial begin-transmission tagged network
        | (νc̃)( n[⟨v⟩.P]^c_{l,r}{0} | T_begin | N )    final begin-transmission tagged network
        | (νc̃)( n[⟨v⟩.P]^c_{l,r}{R} | N )              initial end-transmission tagged network
        | (νc̃)( n[P]^c_{l,r}{0} | T_end | N )          final end-transmission tagged network
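As an added illustration (this is not code from the thesis), the binding conventions above can be checked mechanically: the function below computes $fn(N)$ over a tuple encoding of process and network terms, checks the side condition $c \notin fn(N_1)$ of the scope-extrusion rule SC-RESSUBST (Tab. 5), and shows how a transmission label is masked to $\tau$ when it crosses a restriction on its own channel but passes through a restriction on another channel (rules NS-RES1 to NS-RES3 of Tab. 12). The tuple encoding, the constructed network `NET` and every helper name are assumptions of this example.

```python
# Added example, not code from the thesis: free names of CWS terms under the
# binding conventions above, the side condition of rule SC-RESSUBST, and the
# masking of transmission labels by channel restriction (rules NS-RES1/NS-RES3).
# The tuple encoding of terms and every helper name here are assumptions.
from typing import FrozenSet, Optional

# Process terms (tag first):
#   ("out", e, P)  out<e>.P          ("active_out", v, P)  <v>.P
#   ("in", x, H, P)  in(x)+H.P, x bound in P (not in H)
#   ("active_in", x, P)  (x).P, x bound in P
#   ("switch", c, P)  switch c.P      ("if", e, P1, P2)  if e then P1 else P2
#   ("call", A, e)  A<e>              ("nil",)  0
# Network terms:
#   ("node", n, P, c, l, r)  n[P]^c_{l,r}
#   ("par", N1, N2)  N1 | N2          ("res", c, N)  (nu c) N, c bound in N
#   ("empty",)  0
# Expressions are a name (str), a ground value (int), or a tuple of them.
Names = FrozenSet[str]

def names_in_expr(e) -> Names:
    """Names (variables, channels, ground symbols) occurring in an expression."""
    if isinstance(e, str):
        return frozenset([e])
    if isinstance(e, tuple):
        return frozenset().union(*(names_in_expr(sub) for sub in e))
    return frozenset()              # ints and other ground values carry no name

def fn_process(P: tuple) -> Names:
    """Free names of a process: binders in(x)+H.P and (x).P remove x from P."""
    tag = P[0]
    if tag == "nil":
        return frozenset()
    if tag in ("out", "active_out"):
        return names_in_expr(P[1]) | fn_process(P[2])
    if tag == "in":
        _, x, H, Q = P
        return fn_process(H) | (fn_process(Q) - {x})
    if tag == "active_in":
        _, x, Q = P
        return fn_process(Q) - {x}
    if tag == "switch":
        return frozenset([P[1]]) | fn_process(P[2])
    if tag == "if":
        return names_in_expr(P[1]) | fn_process(P[2]) | fn_process(P[3])
    if tag == "call":
        return names_in_expr(P[2])  # the constant A is not a name of the term
    raise ValueError(f"unknown process form {tag}")

def fn_network(N: tuple) -> Names:
    """Free names of a network: a node contributes its identifier, its channel
    and the free names of its process; (nu c) N removes c."""
    tag = N[0]
    if tag == "empty":
        return frozenset()
    if tag == "node":
        _, n, P, c, _l, _r = N
        return frozenset([n, c]) | fn_process(P)
    if tag == "par":
        return fn_network(N[1]) | fn_network(N[2])
    if tag == "res":
        _, c, M = N
        return fn_network(M) - {c}
    raise ValueError(f"unknown network form {tag}")

def can_extrude(c: str, N1: tuple) -> bool:
    """Side condition of SC-RESSUBST: (nu c)(N1 | N2) == N1 | (nu c) N2 is only
    allowed when c is not free in N1, otherwise the scope would capture a
    channel that N1 already uses."""
    return c not in fn_network(N1)

def visible_label(label: tuple, restricted: Names) -> Optional[tuple]:
    """Label of a transition as seen outside a set of restricted channels.
    label = ("tau",) or (kind, c, theta, l, r) with kind "!" (transmission)
    or "?" (reception). A "!" on a restricted channel becomes tau (NS-RES3);
    events on other channels pass unchanged (NS-RES1, NS-RES2). A "?" on a
    restricted channel has no rule in Tab. 12, so None is returned."""
    if label[0] == "tau":
        return label
    kind, c = label[0], label[1]
    if c not in restricted:
        return label
    return ("tau",) if kind == "!" else None

# Constructed network: (nu c)( n[out<v>.0]^c_{(0,0),1} | m[in(x)+0.out<x>.0]^c_{(1,0),1} )
NET = ("res", "c", ("par",
    ("node", "n", ("out", "v", ("nil",)), "c", (0, 0), 1),
    ("node", "m", ("in", "x", ("nil",), ("out", "x", ("nil",))), "c", (1, 0), 1)))

def demo() -> dict:
    """Free names of NET, two extrusion checks and two masked labels."""
    n_node = NET[2][1]
    return {
        "fn": set(fn_network(NET)),                       # {'n', 'm', 'v'}: c is bound, x is bound
        "extrude_c": can_extrude("c", n_node),            # False: c is free in n's node
        "extrude_d": can_extrude("d", n_node),            # True
        "out_on_c": visible_label(("!", "c", "v", (0, 0), 1), frozenset({"c"})),   # ('tau',)
        "out_on_d": visible_label(("!", "d", "v", (0, 0), 1), frozenset({"c"})),   # unchanged
    }
```

The `can_extrude` check is the one that matters when rewriting a term with SC-RESSUBST before a reduction: moving a restriction past a node that already uses the channel would silently merge two distinct channels, which is exactly the kind of name capture the binding conventions rule out.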

2 Semantic Extensions

In this section we present the reduction semantics and the labelled transition semantics augmented with the new constructs.

2.1 Extensions to the Reduction Semantics

In addition to the reductions for the transmission actions (presented in Sec. 2), we now also have reductions $N \mapsto N'$ that represent computation steps internal to one of the nodes in the network (e.g., a channel switch, or the resolution of a branch of an if-then-else), and reductions $N \mapsto_{\#} N'$ that represent transmission actions over restricted channels.

It is worth commenting on transmissions that occur on a restricted channel. Within the scope of the restriction, the transmission behaves as any other transmission. However, outside of the restricted network the transmission channel is unknown and thus interference is not possible; hence, outside the scope of a restricted transmission, the checks on the conditions for interference may be relaxed.

Tagged networks are still described by the syntax in Tab. 1, but the description of the nonterminal symbol E is replaced by the description in Tab. 2; the employed tags maintain the samemeaning as in Sec. 4.

Formally, the reductions for restricted transmission events and for internal actions are defined as follows:

(RESTRICTED TRANSMISSION) If $N \mapsto_{\#} N'$ then there exist $E, E'$ s.t. $N > E \xrightarrow{\#}_{\#,\#} E' \succ^{*} \succeq N'$

(INTERNAL ACTION) If $N \mapsto N'$ then $N \longrightarrow N'$

where

• $>$ formalizes the Event Selection sub-step and is employed for selecting the next restricted transmission event. In contrast with the case of non-restricted transmissions, for restricted transmission events the same relation $>$ is used both for begin-transmission and for end-transmission events. The reason is that, in case of a restricted event, no interference is possible outside the scope of the restriction, and therefore the checks used in non-restricted begin-transmissions are not needed;


[RS-RES1] $\dfrac{N >^{c}_{l} E \quad c' \neq c}{(\nu c')N >^{c}_{l} (\nu c')E}$

[RS-RES2] $\dfrac{N >^{c}_{l} E}{(\nu c)N > (\nu c)E}$

Table 3. Additional rules for $>^{c}_{l}$.

[RS-RES3] $\dfrac{N > E}{(\nu c)N > (\nu c)E}$

Table 4. Additional rules for $>$.

• $\xrightarrow{c}_{l,r}$ and $\xrightarrow{\#}_{\#,\#}$ formalize the Event Firing sub-step: the first relation describes unrestricted transmissions (as in Sec. 4) while the second describes restricted ones;

• $\succ$ and $\succeq$ formalize the Receiver Normalization sub-step and maintain the same function as described in Sec. 4. Again, in contrast with the non-restricted case, the relations $\succ$ and $\succeq$ are sufficient because no interference arises outside the scope of a restriction.

Table 3 presents the rules which extend the relation $>^{c}_{l}$ of the basic language. Rule RS-RES2 shows that, within the scope of a restriction, a begin-transmission event needs controls over interference but, outside the scope of the restriction, the controls can be lifted (i.e., $>^{c}_{l}$ is changed into $>$).

As in the reduction semantics for the basic language, we employ structural congruence torewrite the terms of the system so as to bring the reagent terms in contiguous positions. Weemploy the standard rules for parallel composition and restriction as in Tab. 5.

Table 4 presents the new rules which extend the relation $>$ of the basic language. A structural congruence for tagged networks is still needed to group the appropriate receivers in the transmitter bag; Table 7 shows the rules. The rule SCE-BAGREADY, for the handled input operation, modifies and replaces the previous rule for input.

Table 6 presents the rules for the Event Firing. The basic event-firing rules have been extended for managing transmissions in presence of restriction: if the transmission action is performed on a restricted channel, the channel name, the location and the possibly transmitted value are masked, otherwise the transmission details remain visible (see rule RS-RES5).

In the Receiver Normalization sub-step, each tagged receiver is normalized by deciding how the receiver evolves according to its internal state, the detected event, and whether the event was detected in clear or not. Relation $\succ^{c}_{l}$ presented in Sec. 4 is extended with the rules of Tab. 8. The rules for the input operation have been replaced with those for the handled input; in particular, rule RS-READYbegin has been introduced: it states that the detection in clear of a new transmission activates reception and disables the associated handler. For the restriction construct, rule RS-RES7 states that, for a transmission on a restricted channel, interference has to be checked only within the restriction scope. In the case of a restriction over a channel different from the one on which the transmission occurs, the restriction has no effect (rule RS-RES6).

[SC-PARCOMP] $N_1 \mid N_2 \equiv N_2 \mid N_1$

[SC-PARASSOC] $N_1 \mid (N_2 \mid N_3) \equiv (N_1 \mid N_2) \mid N_3$

[SC-PARNULL] $N \mid 0 \equiv N$

[SC-RESCOMP] $(\nu c)(\nu c')N \equiv (\nu c')(\nu c)N$

[SC-RESSUBST] $(\nu c)(N_1 \mid N_2) \equiv N_1 \mid (\nu c)N_2$, if $c \notin fn(N_1)$

[SC-RESNULL] $(\nu c)0 \equiv 0$

Table 5. Rules for $\equiv$.

[RS-COMP$_{\xrightarrow{\#}_{\#,\#}}$] $\dfrac{E \xrightarrow{\#}_{\#,\#} E'}{E \mid N \xrightarrow{\#}_{\#,\#} E' \mid N}$

[RS-RES4] $\dfrac{E \xrightarrow{c}_{l,r} E' \quad c \neq c'}{(\nu c')E \xrightarrow{c}_{l,r} (\nu c')E'}$

[RS-RES5] $\dfrac{E \xrightarrow{c}_{l,r} E'}{(\nu c)E \xrightarrow{\#}_{\#,\#} (\nu c)E'}$

[RS-SC$_{\xrightarrow{\#}_{\#,\#}}$] $\dfrac{E \equiv_E E' \quad E' \xrightarrow{c}_{l,r} E'' \quad E'' \equiv_E E'''}{E \xrightarrow{\#}_{\#,\#} E'''}$

Table 6. Additional rules for event firing.

[SCE-EQUIVALENCE] $\dfrac{E \equiv E'}{E \equiv_E E'}$

[SCE-BAGREADY] $n[P]^{c}_{l,r}\{\tilde R\} \mid m[in(x)+H.Q]^{c}_{l',r'} \;\equiv_E\; n[P]^{c}_{l,r}\{\tilde R \mid m[in(x)+H.Q]^{c}_{l',r'}\}$, if $d(l,l') \le r$

[SCE-BAGREADING] $n[P]^{c}_{l,r}\{\tilde R\} \mid m[(x).Q]^{c}_{l',r'} \;\equiv_E\; n[P]^{c}_{l,r}\{\tilde R \mid m[(x).Q]^{c}_{l',r'}\}$, if $d(l,l') \le r$

Table 7. Rules for $\equiv_E$.

[RS-READYbegin] $\langle|n[in(x)+H.P]^{c}_{l,r}|\rangle \succ^{c}_{l} n[(x).P]^{c}_{l,r}$

[RS-RES6] $\dfrac{E_1 \succ^{c}_{l} E'_1 \quad c \neq c'}{(\nu c')E_1 \succ^{c}_{l} (\nu c')E'_1}$

[RS-RES7] $\dfrac{E_1 \succ^{c}_{l} E'_1}{(\nu c)E_1 \succ (\nu c)E'_1}$

Table 8. Additional rules for $\succ^{c}_{l}$.

[RS-READYnoise] $m[\langle v_m\rangle.P_m]^{c}_{l_m,r_m} \mid \langle|n[in(x)+H.P]^{c}_{l,r}|\rangle \;\succ\; m[\langle v_m\rangle.P_m]^{c}_{l_m,r_m} \mid n[in(x)+H.P]^{c}_{l,r}$, if $d(l,l_m) \le r_m$

[RS-READYend] $\langle|n[in(x)+H.P]^{c}_{l,r}|\rangle_v \succ n[in(x)+H.P]^{c}_{l,r}$

[RS-RES8] $\dfrac{E_1 \succ E'_1}{(\nu c)E_1 \succ (\nu c)E'_1}$

Table 9. Additional rules for $\succ$.

[RS-RES9] $\dfrac{E \succeq N}{(\nu c)E \succeq (\nu c)N}$

Table 10. Additional rules for $\succeq$.

[RS-SWITCH] $n[switch\ c'.P]^{c}_{l,r} \longrightarrow n[P]^{c'}_{l,r}$

[RS-INVOKE] $\dfrac{A \stackrel{def}{=} (\tilde x)P \quad [\![\tilde e]\!] = \tilde v}{n[A\langle\tilde e\rangle]^{c}_{l,r} \longrightarrow n[\tilde v/\tilde x\,P]^{c}_{l,r}}$

[RS-IFtt] $\dfrac{[\![b]\!] = tt}{n[if\ b\ then\ P\ else\ Q]^{c}_{l,r} \longrightarrow n[P]^{c}_{l,r}}$

[RS-IFff] $\dfrac{[\![b]\!] = ff}{n[if\ b\ then\ P\ else\ Q]^{c}_{l,r} \longrightarrow n[Q]^{c}_{l,r}}$

[RS-HANDLER] $n[in(x)+H.P]^{c}_{l,r} \longrightarrow n[H]^{c}_{l,r}$

[RS-COMP$_{\longrightarrow}$] $\dfrac{N_1 \longrightarrow N'_1}{N_1 \mid N_2 \longrightarrow N'_1 \mid N_2}$

Table 11. Reduction rules for internal actions.

[NS-SWITCH] $\dfrac{P \xrightarrow{@c'} P'}{T \rhd n[P]^{c}_{l,r} \xrightarrow{\tau} n[P']^{c'}_{l,r}}$

[NS-INVIS] $\dfrac{P \xrightarrow{\tau} P'}{T \rhd n[P]^{c}_{l,r} \xrightarrow{\tau} n[P']^{c}_{l,r}}$

[NS-RES1] $\dfrac{T \rhd N \xrightarrow{c'!\theta[l,r]} N' \quad c \neq c'}{T \rhd (\nu c)N \xrightarrow{c'!\theta[l,r]} (\nu c)N'}$

[NS-RES2] $\dfrac{T \rhd N \xrightarrow{c'?\theta[l,r]} N' \quad c \neq c'}{T \rhd (\nu c)N \xrightarrow{c'?\theta[l,r]} (\nu c)N'}$

[NS-RES3] $\dfrac{T_N \rhd N \xrightarrow{c!\theta[l,r]} N'}{T \rhd (\nu c)N \xrightarrow{\tau} (\nu c)N'}$

[NS-RES4] $\dfrac{T \rhd N \xrightarrow{\tau} N'}{T \rhd (\nu c)N \xrightarrow{\tau} (\nu c)N'}$

[NS-PARl] $\dfrac{T \rhd N_1 \xrightarrow{\tau} N'_1}{T \rhd N_1 \mid N_2 \xrightarrow{\tau} N'_1 \mid N_2}$

[NS-PARr] $\dfrac{T \rhd N_1 \xrightarrow{\tau} N'_1}{T \rhd N_2 \mid N_1 \xrightarrow{\tau} N_2 \mid N'_1}$

Table 12. Extensions to the labelled transition rules for networks.

Table 9 extends the rules for relation $\succ$. Restriction is handled by rule RS-RES8, which states that a normalization within a restricted network is not affected by the activities of the nodes outside the restriction.

Finally, the rules for transmitter normalization are extended with rule RS-RES9 of Tab. 10. The rules for internal actions, i.e. the relation $\longrightarrow$ of Tab. 11, are the simplest and follow the standard rules of reduction semantics. The most interesting rules are RS-SWITCH and RS-HANDLER. The first is employed by a node to synchronize on the specified communication channel. The second models the input-handler activation: since time is not yet encoded in our calculus, the handler activation is decided in a non-deterministic manner. The other rules are the usual ones for the selection and recursion constructs, and for parallel composition and restriction.

2.2 Extensions to the Labelled Transition Semantics

In this section we present the extensions to the labelled transition semantics.


[PS-INbegin] $in(x)+H.P \xrightarrow{?} (x).P$

[PS-WAITbegin] $in(x)+H.P \xrightarrow{?v} in(x)+H.P$

[PS-HANDLER] $in(x)+H.P \xrightarrow{\tau} H$

[PS-NOIN] $P \xrightarrow{\alpha} P$, $\alpha \in \{?, ?v\}$, for all $P \notin \{in(x)+H.P_1,\ (x).P_1\}$

[PS-IFtt] $\dfrac{[\![b]\!] = tt}{if\ b\ then\ P\ else\ Q \xrightarrow{\tau} P}$

[PS-IFff] $\dfrac{[\![b]\!] = ff}{if\ b\ then\ P\ else\ Q \xrightarrow{\tau} Q}$

[PS-SWITCH] $switch\ c.P \xrightarrow{@c} P$

[PS-INVOKE] $\dfrac{A \stackrel{def}{=} (\tilde x)P \quad [\![\tilde e]\!] = \tilde v}{A\langle\tilde e\rangle \xrightarrow{\tau} \tilde v/\tilde x\,P}$

Table 13. Extensions to the labelled transition rules for processes.

The LTS for networks of Tab. 11 is extended with the rules of Tab. 12. The key rules fordealing with restriction are NS-RES1, NS-RES2, and NS-RES3 (see Tab. 12).

NS-RES1 says that a transmission event which is produced inside the scope of a restriction, but on a different channel, remains visible outside;

NS-RES2 says that the restriction over a channel does not affect the reception of events on other channels;

NS-RES3 shows that a transmission event on a restricted channel is masked outside the restriction.

Rules NS-SWITCH and NS-INVIS deal with, respectively, channel synchronization and invisi-ble actions. Finally, the remaining rules, NS-RES4, NS-PARr and NS-PARl, are standard rules forrestriction and parallel composition.

Table 13 presents the labelled transition rules for processes which extend the rules of Tab. 12.The rules for the input construct are replaced by the rules for the handled input. The importantrules for the language extensions are the following:

PS-INbegin: at the detection in clear of the beginning of a transmission, the process begins reading the transmitted value and the timeout handler is disabled;

PS-HANDLER: if no transmission is detected, a timeout occurrence may trigger the handlerexecution;

PS-SWITCH: the process changes the communication channel on which the node is synchro-nized.

The other rules are standard, and define the behaviour of the selection and recursion con-structs; as internal operations, they are not visible within the network.

3 Extensions to the Harmony Theorem

In order to prove the harmony lemma for the extended language, we employ the same proof technique as for the harmony lemma in the case of the basic language.

We hence present four lemmas which describe how a network changes across the reduction sub-steps for each possible kind of reduction in the network. Specifically, Lemmas 3, 4, 5 and 6 respectively describe the case when a transmission begins, the case when a transmission finishes, the case when a transmission action is performed on a restricted channel, and the case in which an internal action is performed.

For the following lemmas we first introduce a notation that describes the normalization step.

Definition 4 (Normalization) We employ the notation $\overline{R}$ to represent the normalization of the receivers $R$. The normalization is defined as follows.

1. If $\langle|R|\rangle = \langle|R_1|\rangle \mid \langle|R_2|\rangle$ then $\overline{\langle|R|\rangle} = \overline{\langle|R_1|\rangle} \mid \overline{\langle|R_2|\rangle}$;

2. If $\langle|R|\rangle_v = \langle|R_1|\rangle_v \mid \langle|R_2|\rangle_v$ then $\overline{\langle|R|\rangle_v} = \overline{\langle|R_1|\rangle_v} \mid \overline{\langle|R_2|\rangle_v}$;

3. If $\langle|R|\rangle = \langle|n[in(x)+H.P]^{c}_{l,r}|\rangle$ then $\overline{\langle|R|\rangle} = n[(x).P]^{c}_{l,r}$ if location $l$ is not reached by other transmissions on channel $c$, and $n[in(x)+H.P]^{c}_{l,r}$ otherwise;

4. If $\langle|R|\rangle_v = \langle|n[in(x)+H.P]^{c}_{l,r}|\rangle_v$ then $\overline{\langle|R|\rangle_v} = n[in(x)+H.P]^{c}_{l,r}$;

5. If $\langle|R|\rangle = \langle|n[(x).P]^{c}_{l,r}|\rangle$ then $\overline{\langle|R|\rangle} = n[\bot/x\,P]^{c}_{l,r}$;

6. If $\langle|R|\rangle_v = \langle|n[(x).P]^{c}_{l,r}|\rangle_v$ then $\overline{\langle|R|\rangle_v} = n[v/x\,P]^{c}_{l,r}$;

7. If $\langle|R|\rangle = \langle|0|\rangle$ then $\overline{\langle|R|\rangle} = 0$;

8. If $\langle|R|\rangle_v = \langle|0|\rangle_v$ then $\overline{\langle|R|\rangle_v} = 0$.
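Definition 4 is the whole interference model of the calculus, so it is worth seeing it execute. The simulator below (an added example, not code from the thesis) implements items 3 to 6 as two normalization functions, the begin- and end-transmission reductions that apply them to every node a signal touches, the carrier-sense side condition $N_1 \not\to_c l$ on the transmitter, and rule RS-HANDLER of Tab. 11. It is run over a constructed three-node layout in which two transmitters reach a common receiver but not each other, so the receiver's value is corrupted to $\bot$ exactly as item 5 prescribes. The `Node` encoding, the Euclidean distance used for $d(l,l')$ and the node names are assumptions of this example.

```python
# Added example, not part of the thesis: a simulator of the receiver
# normalization of Definition 4 plus rule RS-HANDLER, run over a constructed
# three-node network. The Node encoding, the Euclidean distance used for
# d(l, l') and all node names are assumptions of this illustration.
from dataclasses import dataclass, replace
from math import dist
from typing import List, Tuple

BOT = "⊥"  # the interference value substituted on a collision
# Processes are tagged tuples: ("out", e, P) out<e>.P, ("active_out", v, P) <v>.P,
# ("in", x, H, P) in(x)+H.P, ("active_in", x, P) (x).P, ("nil",) 0.
@dataclass(frozen=True)
class Node:
    name: str
    proc: tuple
    chan: str
    loc: Tuple[float, float]
    rng: float

def touches(tx: Node, rx: Node) -> bool:
    """rx lies in tx's cell (d(l, l') <= r) and is synchronised on tx's channel."""
    return tx.chan == rx.chan and dist(tx.loc, rx.loc) <= tx.rng

def subst(P: tuple, x: str, v):
    """v/x P: substitute v for the free occurrences of x in P (binders shadow)."""
    tag = P[0]
    if tag == "nil":
        return P
    if tag in ("out", "active_out"):
        return (tag, v if P[1] == x else P[1], subst(P[2], x, v))
    if tag == "in":
        _, y, H, Q = P
        return (tag, y, subst(H, x, v), Q if y == x else subst(Q, x, v))
    _, y, Q = P                                   # "active_in"
    return (tag, y, Q if y == x else subst(Q, x, v))

def normalize_begin(rx: Node, others: List[Node]) -> Node:
    """Def. 4, items 3 and 5: rx was just touched by a new transmission."""
    interfered = any(touches(t, rx) for t in others)   # other active transmitters
    if rx.proc[0] == "in":            # ready: lock on only if the signal is clear
        _, x, _H, Q = rx.proc
        return rx if interfered else replace(rx, proc=("active_in", x, Q))
    if rx.proc[0] == "active_in":     # already reading: a second signal corrupts it
        _, x, Q = rx.proc
        return replace(rx, proc=subst(Q, x, BOT))
    return rx                         # not an input prefix: unaffected

def normalize_end(rx: Node, v) -> Node:
    """Def. 4, items 4 and 6: the transmission touching rx ends carrying v."""
    if rx.proc[0] == "active_in":
        _, x, Q = rx.proc
        return replace(rx, proc=subst(Q, x, v))
    return rx                         # a node left waiting by noise keeps waiting

def can_begin(net: List[Node], tx_name: str) -> bool:
    """Side condition N1 !->_c l: no other transmission on tx's channel reaches tx."""
    tx = next(n for n in net if n.name == tx_name)
    return tx.proc[0] == "out" and not any(
        touches(t, tx) for t in net if t.name != tx_name and t.proc[0] == "active_out")

def begin_transmission(net: List[Node], tx_name: str) -> List[Node]:
    """Begin-transmission reduction: out<v>.P becomes <v>.P; touched nodes normalise."""
    assert can_begin(net, tx_name), f"{tx_name} cannot start: not ready or carrier sensed"
    others = [n for n in net if n.proc[0] == "active_out"]     # tx is not yet active
    tx = next(n for n in net if n.name == tx_name)
    tx = replace(tx, proc=("active_out", tx.proc[1], tx.proc[2]))
    return [tx if n.name == tx_name else
            normalize_begin(n, others) if touches(tx, n) else n for n in net]

def end_transmission(net: List[Node], tx_name: str) -> List[Node]:
    """End-transmission reduction: <v>.P becomes P and touched readers get v."""
    tx = next(n for n in net if n.name == tx_name)
    assert tx.proc[0] == "active_out", f"{tx_name} is not transmitting"
    v, cont = tx.proc[1], tx.proc[2]
    return [replace(tx, proc=cont) if n.name == tx_name else
            normalize_end(n, v) if touches(tx, n) else n for n in net]

def fire_handler(net: List[Node], name: str) -> List[Node]:
    """RS-HANDLER: a node still at in(x)+H.P gives up waiting and runs H."""
    return [replace(n, proc=n.proc[2]) if n.name == name and n.proc[0] == "in" else n
            for n in net]

def proc_of(net: List[Node], name: str) -> tuple:
    return next(n.proc for n in net if n.name == name)

# Constructed hidden-terminal layout: n and o both reach m on channel c but not
# each other, so neither senses the other's carrier. m relays what it hears.
RELAY = ("in", "x", ("nil",), ("out", "x", ("nil",)))         # in(x)+0.out<x>.0
N0 = [Node("n", ("out", "k", ("nil",)), "c", (0.0, 0.0), 1.5),
      Node("m", RELAY, "c", (1.0, 0.0), 1.0),
      Node("o", ("out", "j", ("nil",)), "c", (2.0, 0.0), 1.5)]
O_BUSY = [replace(n, proc=("active_out", "j", ("nil",))) if n.name == "o" else n
          for n in N0]                                         # o already on air

def scenarios() -> dict:
    """What m ends up running in four runs over the constructed network."""
    net = begin_transmission(begin_transmission(N0, "n"), "o")    # both transmit
    return {
        "clean": proc_of(end_transmission(begin_transmission(N0, "n"), "n"), "m"),
        "collision": proc_of(end_transmission(end_transmission(net, "n"), "o"), "m"),
        "noise": proc_of(end_transmission(begin_transmission(O_BUSY, "n"), "n"), "m"),
        "timeout": proc_of(fire_handler(N0, "m"), "m"),
    }
```

In the `clean` run $m$ ends as $out\langle k\rangle.0$; in `collision` it ends as $out\langle\bot\rangle.0$, the corrupted reception of item 5; in `noise` it is still $in(x)+0.out\langle x\rangle.0$ because item 3 refuses to lock on while another carrier is present; and in `timeout` the handler (here $0$) has replaced the input. Note that the carrier-sense check lives on the transmitter, so the two hidden terminals are both allowed to start, which is precisely why the model needs item 5 at the receiver.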

For proving the lemmas for begin transmission (Lemma 3) and end transmission (Lemma 4) we employ the same proof technique. These two lemmas are similar to the ones for the basic language (respectively, Lemma 1 and Lemma 2), with channel restriction added. However, for the sake of completeness, we report the whole proofs of both lemmas.

Lemma 3 If $N >^{c}_{l} E \xrightarrow{c}_{l,r} E' \succ^{c\,*}_{l'} \succ^{*} \succeq N'$, then there exist $\tilde c, n, v, P, R, N_1$ such that
$$N \equiv (\nu\tilde c)((n[out\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1)$$
$$E \equiv_E (\nu\tilde c)(n[out\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1)$$
$$E' \equiv_E (\nu\tilde c)((n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle|R|\rangle) \mid N_1)$$
$$N' \equiv (\nu\tilde c)((n[\langle v\rangle.P]^{c}_{l,r} \mid \overline{\langle|R|\rangle}) \mid N_1)$$
Moreover,

• $c \notin \tilde c$;

• $N_1 \not\to_c l$;

• $R$ is the possibly empty parallel composition of nodes of the form $m[in(x)+H.P]^{c}_{l',r'}$ or $m[(x).P]^{c}_{l',r'}$ for which it holds that $m[Q]^{c}_{l',r'} \leftarrow_c (l,r)$.


Proof

First, we have to prove that for each wireless network $N$ in which a transmission is initiating the following holds:
$$N \equiv N_S \stackrel{def}{=} (\nu\tilde c)((n[out\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1) \qquad (1)$$
The proof is by induction on the structure of $N$:

BASE CASE: System $N = n[out\langle v\rangle.P]^{c}_{l,r}$ is in normal form. In fact, we show that (1) is satisfied by taking $\tilde c = \emptyset$ and $R = N_1 = 0$:
$$n[out\langle v\rangle.P]^{c}_{l,r} \equiv n[out\langle v\rangle.P]^{c}_{l,r} \mid 0 \equiv (n[out\langle v\rangle.P]^{c}_{l,r} \mid 0) \mid 0 = (\nu\emptyset)((n[out\langle v\rangle.P]^{c}_{l,r} \mid 0) \mid 0)$$
In this case, the equivalence is proved.

INDUCTIVE CASE: $N$ may be structured as follows.

$N_a \mid N_b$: Let us assume that the equivalence (1) holds for $N_a$. Hence, for some $R_a, N_{a1}$ it holds that
$$N_a \equiv (\nu\tilde c_a)((n[out\langle v\rangle.P]^{c}_{l,r} \mid R_a) \mid N_{a1})$$
Moreover, by employing structural congruence, it also holds that
$$N_b \equiv (\nu\tilde c_b)(R_b \mid N_{b1})$$
where (i) $R_b$ is the parallel composition of nodes which are either of the form $m[in(x)+H.P_m]^{c}_{l_m,r_m}$ or $m[(x).P_m]^{c}_{l_m,r_m}$ and for which it holds that $d(l,l_m) \le r$, (ii) $N_{b1}$ is the parallel composition of the remaining nodes, for which it holds that $N_{b1} \not\to_c l$ (otherwise node $n$ could not begin the transmission and this lemma would not apply), and (iii) $c \notin \tilde c_b$. Hence, by employing structural congruence (i.e., rules SC-RESSUBST, SC-PARASSOC and SC-PARCOMP) it is straightforward to verify that the following holds:
$$(\nu\tilde c_a)((n[out\langle v\rangle.P]^{c}_{l,r} \mid R_a) \mid N_{a1}) \mid (\nu\tilde c_b)(R_b \mid N_{b1}) \;\equiv\; (\nu\tilde c_a \cup \tilde c_b)((n[out\langle v\rangle.P]^{c}_{l,r} \mid R_a \mid R_b) \mid N_{a1} \mid N_{b1})$$
where

• $c \notin \tilde c_a \cup \tilde c_b$, hence $\tilde c_a \cup \tilde c_b$ is a valid choice for $\tilde c$ which satisfies the lemma requirements;

• since both $R_a$ and $R_b$ are composed of receivers that are listening on channel $c$ and fall within the transmission cell of node $n$, $R_a \mid R_b$ is a possible assignment for $R$ which satisfies the lemma conditions;

• since neither $N_{a1}$ nor $N_{b1}$ embodies any node $m[\langle v\rangle.Q]^{c}_{l_m,r_m}$ such that $d(l_m,l) \le r_m$, $N_{a1} \mid N_{b1}$ is a possible assignment for $N_1$ which satisfies the lemma conditions.

$(\nu c')(N_a)$: let us assume
$$N_a \equiv (\nu\tilde c_a)((n[out\langle v\rangle.P]^{c}_{l,r} \mid R_a) \mid N_{a1})$$
Hence, it is straightforward to see that, provided that $c' \neq c$ (otherwise this lemma would not apply), $\tilde c = \tilde c_a \cup \{c'\}$. It is also easy to see that $R = R_a$ and $N_1 = N_{a1}$ still satisfy the required properties by the inductive hypothesis.

The inductive case is proved.

Hence, equivalence (1) is satisfied.

Given that, the next step is to prove the following:
$$E \equiv_E E_S \stackrel{def}{=} (\nu\tilde c)(n[out\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1) \qquad (2)$$
To address this step, first we find $E$ by applying the reduction rules RS-COMMbegin, RS-COMP$_{>^{c}_{l}}$ and RS-RES1 to $N_S$:
$$E = (\nu\tilde c)((n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R) \mid N_1) \qquad (3)$$
and then we have to prove the equivalence (2). So far, we know that $N_S >^{c}_{l} E$; in order to demonstrate that $E \equiv_E E_S$, we first prove (4) by induction on the number of nodes in $R$.
$$n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{R\} \qquad (4)$$

BASE CASE: If $R = 0$, then we have to prove the following:
$$n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid 0 \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{0\}$$
This instance of (4) is satisfied in that it is an instance of the structural congruence rule SC-PARNULL.

INDUCTIVE CASE: Let us assume the equivalence below to hold for a generic $R$ (inductive hypothesis).
$$n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{R\}$$
To show that it holds for $R \mid r[P_r]^{c}_{l',r'}$ with $d(l',l) \le r$, for any $P_r$ of the form $in(x)+H.P'_r$ or $(x).P'_r$, we employ the structural congruence rules SCE-BAGREADY and SCE-BAGREADING (according to the form of $P_r$):
$$\frac{n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{R\} \quad \text{(ind. hypothesis)}}{n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R \mid r[P_r]^{c}_{l',r'} \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{R\} \mid r[P_r]^{c}_{l',r'}}$$
$$n[out\langle v\rangle.P]^{c}_{l,r}\{R\} \mid r[P_r]^{c}_{l',r'} \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{R \mid r[P_r]^{c}_{l',r'}\}$$
Hence,
$$n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R \mid r[P_r]^{c}_{l',r'} \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{R \mid r[P_r]^{c}_{l',r'}\}$$
This satisfies the inductive case.


Hence, whatever $R$ is, (4) holds; given this, we prove below that (2) holds:
$$n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{R\}$$
$$(n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R) \mid N_1 \;\equiv_E\; n[out\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1$$
$$(\nu\tilde c)((n[out\langle v\rangle.P]^{c}_{l,r}\{0\} \mid R) \mid N_1) \;\equiv_E\; (\nu\tilde c)(n[out\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1)$$
Now, through a single application of the reduction rule RS-SC$_{>^{c}_{l}}$, it is possible to show that $N >^{c}_{l} E_S$:
$$\frac{N \equiv N_S \quad N_S >^{c}_{l} E \quad E \equiv_E E_S}{N >^{c}_{l} E_S}$$
We then show that $E'$ is derivable from $E_S$ by applying the reduction rules RS-OUTbegin, RS-COMP$_{\xrightarrow{c}_{l,r}}$ and RS-RES4:
$$\frac{n[out\langle v\rangle.P]^{c}_{l,r}\{\tilde R\} \xrightarrow{c}_{l,r} n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle|\tilde R|\rangle \qquad N_1 \not\leftarrow_c (l,r)}{n[out\langle v\rangle.P]^{c}_{l,r}\{\tilde R\} \mid N_1 \xrightarrow{c}_{l,r} n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle|\tilde R|\rangle \mid N_1}$$
$$\frac{n[out\langle v\rangle.P]^{c}_{l,r}\{\tilde R\} \mid N_1 \xrightarrow{c}_{l,r} n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle|\tilde R|\rangle \mid N_1}{(\nu\tilde c)(n[out\langle v\rangle.P]^{c}_{l,r}\{\tilde R\} \mid N_1) \xrightarrow{c}_{l,r} (\nu\tilde c)(n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle|\tilde R|\rangle \mid N_1)}$$
$$E' = E'_S \stackrel{def}{=} (\nu\tilde c)((n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \langle|R|\rangle) \mid N_1)$$

Finally, let us show that normalization preserves the state of the nodes in $N_1$ and changes the state of the nodes in $R$ as specified. Since the nodes in $R$ can only be receiving, they do not interfere with each other or with the nodes in $N_1$; hence we examine the behaviour of a single receiver separately, according to whether it is also exposed to transmissions by nodes in $N_1$ or not. Because normalization only affects receivers, which are not transmitting and thus cannot interfere with each other, multiple receivers normalize independently and it suffices to show the normalization of a single one.

First, if $R = m[in(x)+H.P'_m]^{c}_{l_m,r_m}$ we have to see whether node $m$ is presently reached by other transmissions. If $N_1 \not\to_c l_m$ then, by applying the three rules RS-READYbegin, RS-COMP$_{\succ^{c}_{l}}$ and RS-RES6, it is straightforward to prove that node $m$ normalizes to $m[(x).P'_m]^{c}_{l_m,r_m}$. By contrast, if $N_1 \to_c l_m$ then there is at least one node $o \in N_1$ such that $N_1 \equiv o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o} \mid N'_1$ with $d(l_o,l_m) \le r_o$. In this case, the proof employs the rules RS-READYnoise, RS-COMP$_{\succ}$ and RS-RES8, and as a result node $m$ normalizes to $m[in(x)+H.P'_m]^{c}_{l_m,r_m}$.

Secondly, if $R = m[(x).P'_m]^{c}_{l_m,r_m}$ then, since $m$ is already busy receiving data, this configuration is possible only if $N_1 \to_c l_m$ and there is a single node $o \in N_1$ such that $N_1 \equiv o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o} \mid N'_1$ with $d(l_o,l_m) \le r_o$. In this case, the proof employs the rules RS-READINGbegin, RS-COMP$_{\succ}$, RS-RES8 and RS-SC$_{\succ}$, and as a result node $m$ normalizes to $m[\bot/x\,P'_m]^{c}_{l_m,r_m}$.

After the receiver normalization we have that
$$E'_S \succ^{c\,*}_{l'} \succ^{*} (\nu\tilde c)((n[\langle v\rangle.P]^{c}_{l,r}\{0\} \mid \overline{\langle|R|\rangle}) \mid N_1) \stackrel{def}{=} E''_S \qquad (5)$$
Hence, by employing the rules RS-TRANSM, RS-COMP$_{\succeq}$ and RS-RES9, the transmitter bag closes and the normalization step for the begin-transmission action terminates. At the end of the normalization process we have that $E'_S \succ^{c\,*}_{l'} \succ^{*} \succeq N'_S$, where
$$N'_S \stackrel{def}{=} (\nu\tilde c)((n[\langle v\rangle.P]^{c}_{l,r} \mid \overline{\langle|R|\rangle}) \mid N_1)$$


To conclude the proof, we found that
$$N >^{c}_{l} E_S \xrightarrow{c}_{l,r} E'_S \succ^{c\,*}_{l'} \succ^{*} \succeq N'_S$$
where $N$, $E_S$, $E'_S$ and $N'_S$ satisfy the forms specified in the lemma.

□

Lemma 4 If $N > E \xrightarrow{c}_{l,r} E' \succ^{c\,*}_{l'} \succ^{*} \succeq N'$, then there exist $\tilde c, n, v, P, R, N_1$ such that
$$N \equiv (\nu\tilde c)((n[\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1)$$
$$E \equiv_E (\nu\tilde c)(n[\langle v\rangle.P]^{c}_{l,r}\{R\} \mid N_1)$$
$$E' \equiv_E (\nu\tilde c)((n[P]^{c}_{l,r}\{0\} \mid \langle|R|\rangle_v) \mid N_1)$$
$$N' \equiv (\nu\tilde c)((n[P]^{c}_{l,r} \mid \overline{\langle|R|\rangle_v}) \mid N_1)$$
Moreover,

• $c \notin \tilde c$;

• $R$ is the possibly empty parallel composition of nodes of the form $m[in(x)+H.P]^{c}_{l',r'}$ or $m[(x).P]^{c}_{l',r'}$ for which it holds that $m[Q]^{c}_{l',r'} \leftarrow_c (l,r)$.

Proof

First, we have to prove that for each wireless network $N$ in which an end-transmission event can be fired the following holds:
$$N \equiv N_S \stackrel{def}{=} (\nu\tilde c)((n[\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1) \qquad (6)$$
This proof is by induction on the structure of $N$:

BASE CASE: System $N = n[\langle v\rangle.P]^{c}_{l,r}$ is in normal form. Below we show that (6) is satisfied by taking $\tilde c = \emptyset$ and $R = N_1 = 0$:
$$n[\langle v\rangle.P]^{c}_{l,r} \equiv n[\langle v\rangle.P]^{c}_{l,r} \mid 0 \equiv (n[\langle v\rangle.P]^{c}_{l,r} \mid 0) \mid 0 = (\nu\emptyset)((n[\langle v\rangle.P]^{c}_{l,r} \mid 0) \mid 0)$$
In this case, the equivalence is proved.

INDUCTIVE CASE: $N$ may only be structured as follows.

$N_a \mid N_b$: Let us assume that the equivalence (6) holds for $N_a$. Hence, for some $R_a, N_{a1}$ it holds that
$$N_a \equiv (\nu\tilde c_a)((n[\langle v\rangle.P]^{c}_{l,r} \mid R_a) \mid N_{a1})$$
Moreover, by employing structural congruence, it also holds that
$$N_b \equiv (\nu\tilde c_b)(R_b \mid N_{b1})$$


where (i) $R_b$ is the parallel composition of nodes which are either of the form $m[in(X)+H.P_m]^{c}_{l_m,r_m}$ or $m[(x).P_m]^{c}_{l_m,r_m}$ for which it holds that $d(l,l_m) \le r$, (ii) $N_{b_1}$ is the parallel composition of the remaining nodes, and (iii) $c \notin \tilde{c}_b$. Hence, by employing structural congruence (i.e., rules SC-RESSUBST, SC-PARASSOC, and SC-PARCOMP) it is straightforward to verify that the following holds:
$$\begin{aligned} &(\nu\tilde{c}_a)\big((n[\langle v\rangle .P]^{c}_{l,r} \mid R_a) \mid N_{a_1}\big) \mid (\nu\tilde{c}_b)(R_b \mid N_{b_1}) \\ &\quad \equiv (\nu\tilde{c}_a \cup \tilde{c}_b)\big((n[\langle v\rangle .P]^{c}_{l,r} \mid R_a \mid R_b) \mid N_{a_1} \mid N_{b_1}\big) \end{aligned}$$

where
• $c \notin \tilde{c}_a \cup \tilde{c}_b$, hence $\tilde{c}_a \cup \tilde{c}_b$ is a valid choice for $\tilde{c}$ which satisfies the lemma requirements;
• since both $R_a$ and $R_b$ are composed of receivers that are listening on channel $c$ and fall within the transmission cell of node $n$, $R_a \mid R_b$ is a choice for $R$ which satisfies the lemma requirements;
• since for terminating a transmission there are no requirements on the nodes in $N_1$, $N_1 = N_{a_1} \mid N_{b_1}$ satisfies the lemma requirements about $N_1$.
These assignments satisfy the inductive case and prove (6).
$(\nu c')(N_a)$: let us assume
$$N_a \equiv (\nu\tilde{c}_a)\big((n[\langle v\rangle .P]^{c}_{l,r} \mid R_a) \mid N_{a_1}\big)$$
Hence, it is straightforward to see that, provided that $c' \ne c$ (otherwise it would not be the case of this lemma), $\tilde{c} = \tilde{c}_a \cup c'$. It is also easy to see that both the assignments $R = R_a$ and $N_1 = N_{a_1}$ satisfy the lemma requirements by the inductive hypothesis.
Hence, equivalence (6) is satisfied.
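As an added illustration of the normal form (6), not part of the original proof, consider a constructed three-node network around the transmitter $n$, with constructed locations such that $d(l,l_1) \le r$, $d(l,l_2) \le r$ and $d(l,l_3) > r$, and a second channel $c' \ne c$:
$$N = m_3[in(X).Q_3]^{c}_{l_3,r_3} \mid \big(n[\langle v\rangle .P]^{c}_{l,r} \mid m_1[(x).Q_1]^{c}_{l_1,r_1}\big) \mid m_2[in(X).Q_2]^{c'}_{l_2,r_2}$$
Only $m_1$ listens on $c$ inside the cell of $n$, so $m_1[(x).Q_1]^{c}_{l_1,r_1} \leftarrow^{c} (l,r)$ and $m_1$ is the whole of $R$; $m_2$ is in range but on channel $c'$, and $m_3$ is on $c$ but out of range, so both belong to $N_1$. Reassociating with SC-PARCOMP and SC-PARASSOC gives the shape required by (6) with $\tilde{c} = \emptyset$:
$$N \equiv (\nu\emptyset)\Big(\big(n[\langle v\rangle .P]^{c}_{l,r} \mid m_1[(x).Q_1]^{c}_{l_1,r_1}\big) \mid \big(m_2[in(X).Q_2]^{c'}_{l_2,r_2} \mid m_3[in(X).Q_3]^{c}_{l_3,r_3}\big)\Big)$$
Since $N_1$ contains no transmitter, $N_1 \nrightarrow^{c} l_1$, and the end-transmission step leaves $m_2$ and $m_3$ untouched while $m_1$ is the only node whose state changes, to $m_1[\{v/x\}Q_1]^{c}_{l_1,r_1}$.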

Given that, the next step is to prove the following:
$$E \equiv_E E_S \stackrel{\mathrm{def}}{=} (\nu\tilde{c})\big(n[\langle v\rangle .P]^{c}_{l,r}\,R \mid N_1\big) \qquad (7)$$
To address this step, firstly we find $E$ by applying reduction rules RS-COMMend, RS-COMP$>$, and RS-RES3 on $N_S$
$$E = (\nu\tilde{c})\big((n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid R) \mid N_1\big) \qquad (8)$$
and then we have to prove the equivalence (7). So far, we know that $N_S > E$; in order to demonstrate that $E \equiv_E E_S$, we first prove (9) by reasoning by induction on the number of nodes in $R$.
$$n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \equiv_E n[\langle v\rangle .P]^{c}_{l,r}\,R \qquad (9)$$

BASE CASE: If $R = 0$, then we have to prove the following:
$$n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid 0 \equiv_E n[\langle v\rangle .P]^{c}_{l,r}\,0$$
This instance of equivalence (9) is satisfied in that it is an instance of the structural congruence rule SC-PARNULL.


INDUCTIVE CASE: Let us assume the equivalence below to hold for a generic $R$ (inductive hypothesis).
$$n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \equiv_E n[\langle v\rangle .P]^{c}_{l,r}\,R$$
To show that it holds for $R \mid r[P_r]^{c}_{l',r'}$ with $d(l',l) \le r$, for any $P_r$ of the form $in(X)+H.P'_r$ or $(x).P'_r$, we employ the structural congruence rules SC-BAGREADY and SC-BAGREADING (according to the form of $P_r$).
$$\begin{aligned} n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'} &\equiv_E n[\langle v\rangle .P]^{c}_{l,r}\,R \mid r[P_r]^{c}_{l',r'} && \text{(ind. hypothesis)} \\ &\equiv_E n[\langle v\rangle .P]^{c}_{l,r}\,(R \mid r[P_r]^{c}_{l',r'}) && \text{(SC-BAGREADY or SC-BAGREADING)} \end{aligned}$$
Hence,
$$n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'} \equiv_E n[\langle v\rangle .P]^{c}_{l,r}\,(R \mid r[P_r]^{c}_{l',r'})$$
This satisfies the inductive case.

Hence, whatever $R$ be, we have that (9) holds; given this, below we prove that (7) holds as well.
$$\begin{aligned} n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'} &\equiv_E n[\langle v\rangle .P]^{c}_{l,r}\,R \mid r[P_r]^{c}_{l',r'} \\ \big(n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'}\big) \mid N_1 &\equiv_E n[\langle v\rangle .P]^{c}_{l,r}\,R \mid r[P_r]^{c}_{l',r'} \mid N_1 \\ (\nu\tilde{c})\Big(\big(n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'}\big) \mid N_1\Big) &\equiv_E (\nu\tilde{c})\big(n[\langle v\rangle .P]^{c}_{l,r}\,R \mid r[P_r]^{c}_{l',r'} \mid N_1\big) \end{aligned}$$

Now, through a single application of the reduction rule RS-SC$>$, it is possible to show that $N > E_S$.
$$\frac{N \equiv N_S \qquad N_S > E \qquad E \equiv_E E_S}{N > E_S}$$
We thus show that $E'$ is derivable from $E_S$ by the application of reduction rules RS-OUTend, RS-COMP$\xrightarrow[l,r]{c}$, and RS-RES4.
$$\frac{\dfrac{n[\langle v\rangle .P]^{c}_{l,r}\,\tilde{R} \xrightarrow[l,r]{c} n[P]^{c}_{l,r}\,0 \mid \langle\!|\tilde{R}|\!\rangle}{n[\langle v\rangle .P]^{c}_{l,r}\,\tilde{R} \mid N_1 \xrightarrow[l,r]{c} n[P]^{c}_{l,r}\,0 \mid \langle\!|\tilde{R}|\!\rangle \mid N_1}}{(\nu\tilde{c})\big(n[\langle v\rangle .P]^{c}_{l,r}\,\tilde{R} \mid N_1\big) \xrightarrow[l,r]{c} (\nu\tilde{c})\big(n[P]^{c}_{l,r}\,0 \mid \langle\!|\tilde{R}|\!\rangle \mid N_1\big)}$$
$$E' = E'_S \stackrel{\mathrm{def}}{=} (\nu\tilde{c})\big((n[P]^{c}_{l,r}\,0 \mid \langle\!|R|\!\rangle) \mid N_1\big)$$

Finally, let us show that normalization preserves the state of nodes in $N_1$ and changes the state of nodes in $R$ as specified. Since nodes in $R$ are receivers only, they do not interfere with each other or with nodes in $N_1$; hence, we examine the behaviour of a single node separately according to whether it is also exposed to transmissions by nodes in $N_1$ or not. Because normalization essentially affects only the receivers, which are not presently transmitting and thus cannot interfere with each other, in this proof we only show the normalization of single receivers, in that multiple receivers normalize independently of each other.

First, if $R = m[in(x)+H.P'_m]^{c}_{l_m,r_m}$, the detection of a transmission that finishes does not change the state of node $m$, independently of whether it holds that $N_1 \nrightarrow^{c} l_m$ or


not. Hence, through the employment of RS-READYend, RS-COMP$\succ$, and RS-RES8 it is straightforward to prove that node $m$ normalizes to $m[in(x)+H.P'_m]^{c}_{l_m,r_m}$.

Secondly, if $R = m[(x).P'_m]^{c}_{l_m,r_m}$ then, since node $n$ is currently transmitting, it can only be that node $m$ is presently employed in receiving the value transmitted from $n$. This configuration is possible only if $N_1 \nrightarrow^{c} l_m$. In this case, the proof is addressed by the employment of rules RS-READINGend, RS-COMP$\succ^{c}_{l}$, RS-RES6, and RS-SC$\succ^{c}_{l}$, and node $m$ normalizes to $m[\{v/x\}P'_m]^{c}_{l_m,r_m}$. After the receiver normalization we have that
$$E'_S \,(\succ^{c}_{l'})^{*}\,\succ^{*}\, (\nu\tilde{c})\big((n[P]^{c}_{l,r}\,0 \mid \langle\!|R|\!\rangle) \mid N_1\big) \stackrel{\mathrm{def}}{=} E''_S \qquad (10)$$
Hence, by the employment of rules RS-TRANSM, RS-COMP$\sqsupset$, and RS-RES9 the transmitter bag closes and the normalization step for the begin transmission action terminates. At the end of the normalization process, we have that $E'_S \,(\succ^{c}_{l'})^{*}\,\succ^{*}\,\sqsupset\, N'_S$, where
$$N'_S \stackrel{\mathrm{def}}{=} (\nu\tilde{c})\big((n[P]^{c}_{l,r} \mid \langle\!|R|\!\rangle) \mid N_1\big)$$

To conclude the proof, we found that
$$N > E_S \xrightarrow[l,r]{c} E'_S \,(\succ^{c}_{l'})^{*}\,\succ^{*}\,\sqsupset\, N'_S$$
where $N$, $E_S$, $E'_S$, and $N'_S$ satisfy the forms that are specified in the lemma.
□

Lemma 5 If $N > E \xrightarrow[\#,\#]{\#} E' \,\succ^{*}\,\sqsupset\, N'$, then there exist $\tilde{c}, n, v, \;, P, R, N_1$ such that
•
$$N \equiv (\nu\tilde{c})\big((n[out\langle v\rangle .P]^{c}_{l,r} \mid R) \mid N_1\big)$$
$$E \equiv_E (\nu\tilde{c})\big(n[out\langle v\rangle .P]^{c}_{l,r}\,R \mid N_1\big)$$
$$E' \equiv_E (\nu\tilde{c})\big((n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid \langle\!|R|\!\rangle) \mid N_1\big)$$
$$N' \equiv (\nu\tilde{c})\big((n[\langle v\rangle .P]^{c}_{l,r} \mid \langle\!|R|\!\rangle) \mid N_1\big)$$
with such that $N_1 \nrightarrow^{c} l$;
•
$$N \equiv (\nu\tilde{c})\big((n[\langle v\rangle .P]^{c}_{l,r} \mid R) \mid N_1\big)$$
$$E \equiv_E (\nu\tilde{c})\big(n[\langle v\rangle .P]^{c}_{l,r}\,R \mid N_1\big)$$
$$E' \equiv_E (\nu\tilde{c})\big((n[P]^{c}_{l,r}\,0 \mid \langle\!|R|\!\rangle_v) \mid N_1\big)$$
$$N' \equiv (\nu\tilde{c})\big((n[P]^{c}_{l,r} \mid \langle\!|R|\!\rangle_v) \mid N_1\big)$$
Moreover
• $c \in \tilde{c}$;
• $R$ is the possibly empty parallel composition of nodes which are in the form $m[in(X).P]^{c}_{l',r'}$ or $m[(x).P]^{c}_{l',r'}$ and for which it holds that $m[Q]^{c}_{l',r'} \leftarrow^{c} (l,r)$.


Proof
This case requires analyzing the cases for both the beginning and the end of transmission on a restricted channel; however, the proofs are similar and thus we only show the case for the begin transmission.
First, we have to prove that for each wireless network $N$ in which a transmission is initiating the following holds:
$$N \equiv N_S \stackrel{\mathrm{def}}{=} (\nu\tilde{c})\big((n[out\langle v\rangle .P]^{c}_{l,r} \mid R) \mid N_1\big) \qquad (11)$$
The proof is by induction on the structure of $N$:
BASE CASE: System $N = (\nu c)(n[out\langle v\rangle .P]^{c}_{l,r} \mid N_a)$. The proof on the structure of the unrestricted network is granted by the proofs of the lemma above. Hence, assuming that by Lemma 3 $N_a \equiv R_a \mid N_{a_1}$, with $R_a$ being the receivers on channel $c$ and $N_{a_1}$ being the other nodes for which it holds that $N_{a_1} \nrightarrow^{c} l$, we show that (11) is satisfied by taking $\tilde{c} = c$, $R = R_a$, and $N_1 = N_{a_1}$.
$$\begin{aligned} (\nu c)(n[out\langle v\rangle .P]^{c}_{l,r} \mid N_a) &\equiv (\nu c)(n[out\langle v\rangle .P]^{c}_{l,r} \mid R_a \mid N_{a_1}) \\ &\equiv (\nu c)\big((n[out\langle v\rangle .P]^{c}_{l,r} \mid R_a) \mid N_{a_1}\big) \end{aligned}$$
In this case, the equivalence is proved.
INDUCTIVE CASE: $N$ may be structured as follows

$N_a \mid N_b$: Let us assume that the equivalence (11) holds for $N_a$. The proof for $N_b$ satisfying the inductive hypothesis is similar. Hence, for some $R_a, N_{a_1}$ it holds that
$$N_a \equiv (\nu\tilde{c}_a)\big((n[out\langle v\rangle .P]^{c}_{l,r} \mid R_a) \mid N_{a_1}\big)$$
and $c \in \tilde{c}_a$. We know that $N_a$ is restricted over the communication channel and, thus, any other network running in parallel is not affected by any transmission occurring over channel $c$. Moreover, by employing structural congruence, it also holds that
$$N_b \equiv (\nu\tilde{c}_b)(N_{b_1})$$
Hence, by employing structural congruence (i.e., rules SC-RESSUBST, SC-PARASSOC and SC-PARCOMP) it is straightforward to verify that the following holds:
$$\begin{aligned} &(\nu\tilde{c}_a)\big((n[out\langle v\rangle .P]^{c}_{l,r} \mid R_a) \mid N_{a_1}\big) \mid (\nu\tilde{c}_b)(N_{b_1}) \\ &\quad \equiv (\nu\tilde{c}_a \cup \tilde{c}_b)\big((n[out\langle v\rangle .P]^{c}_{l,r} \mid R_a) \mid N_{a_1} \mid N_{b_1}\big) \end{aligned}$$
where
• $c \in \tilde{c}_a \cup \tilde{c}_b$, hence $\tilde{c}_a \cup \tilde{c}_b$ is a valid choice for $\tilde{c}$ which satisfies the lemma requirements;
• since $R_a$ is composed of receivers that are listening on channel $c$ and fall within the transmission cell of node $n$, $R_a$ is a possible assignment for $R$ which satisfies the lemma conditions;


• since neither $N_{a_1}$ nor $N_{b_1}$ embodies any node $m[\langle v\rangle .Q]^{c}_{l_m,r_m}$ such that $d(l_m,l) \le r_m$, $N_{a_1} \mid N_{b_1}$ is a possible assignment for $N_1$ which satisfies the lemma conditions.
$(\nu c')(N_a)$: let us assume
$$N_a \equiv (\nu\tilde{c}_a)\big((n[out\langle v\rangle .P]^{c}_{l,r} \mid R_a) \mid N_{a_1}\big)$$
with $c \in \tilde{c}_a$. Hence, it is straightforward to see that, provided that $c \in \tilde{c}_a \cup c'$, $\tilde{c} = \tilde{c}_a \cup c'$. It is also easy to see that $R = R_a$ and $N_1 = N_{a_1}$ still satisfy the required properties by the inductive hypothesis.
The inductive case is proved.
Hence, equivalence (11) is satisfied.

Given that, the next step is to prove the following:
$$E \equiv_E E_S \stackrel{\mathrm{def}}{=} (\nu\tilde{c})\big(n[out\langle v\rangle .P]^{c}_{l,r}\,R \mid N_1\big) \qquad (12)$$
To address this step, first we find $E$ by applying reduction rules RS-COMMbegin, RS-COMP$>^{c}_{l}$, and RS-RES2 on $N_S$
$$E = (\nu\tilde{c})\big((n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid R) \mid N_1\big) \qquad (13)$$
and then we have to prove the equivalence (12). So far, we know that $N_S >^{c}_{l} E$; in order to demonstrate that $E \equiv_E E_S$, we first prove (14) by reasoning by induction on the number of nodes in $R$.
$$n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \equiv_E n[out\langle v\rangle .P]^{c}_{l,r}\,R \qquad (14)$$

BASE CASE: If $R = 0$, then we have to prove the following:
$$n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid 0 \equiv_E n[out\langle v\rangle .P]^{c}_{l,r}\,0$$
This instance of equivalence (14) is satisfied in that it is an instance of the structural congruence rule SC-PARNULL.

INDUCTIVE CASE: Let us assume the equivalence below to hold for a generic $R$ (inductive hypothesis).
$$n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \equiv_E n[out\langle v\rangle .P]^{c}_{l,r}\,R$$
To show that it holds for $R \mid r[P_r]^{c}_{l',r'}$ with $d(l',l) \le r$, for any $P_r$ of the form $in(X)+H.P'_r$ or $(x).P'_r$, we employ the structural congruence rules SC-BAGREADY and SC-BAGREADING (according to the form of $P_r$).
$$\begin{aligned} n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'} &\equiv_E n[out\langle v\rangle .P]^{c}_{l,r}\,R \mid r[P_r]^{c}_{l',r'} && \text{(ind. hypothesis)} \\ &\equiv_E n[out\langle v\rangle .P]^{c}_{l,r}\,(R \mid r[P_r]^{c}_{l',r'}) && \text{(SC-BAGREADY or SC-BAGREADING)} \end{aligned}$$
Hence,
$$n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'} \equiv_E n[out\langle v\rangle .P]^{c}_{l,r}\,(R \mid r[P_r]^{c}_{l',r'})$$
This satisfies the inductive case.


Hence, whatever $R$ be, we have that (14) holds; given this, below we prove that (12) holds.
$$\begin{aligned} n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'} &\equiv_E n[out\langle v\rangle .P]^{c}_{l,r}\,R \mid r[P_r]^{c}_{l',r'} \\ \big(n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'}\big) \mid N_1 &\equiv_E n[out\langle v\rangle .P]^{c}_{l,r}\,R \mid r[P_r]^{c}_{l',r'} \mid N_1 \\ (\nu\tilde{c})\Big(\big(n[out\langle v\rangle .P]^{c}_{l,r}\,0 \mid R \mid r[P_r]^{c}_{l',r'}\big) \mid N_1\Big) &\equiv_E (\nu\tilde{c})\big(n[out\langle v\rangle .P]^{c}_{l,r}\,R \mid r[P_r]^{c}_{l',r'} \mid N_1\big) \end{aligned}$$

Now, through a single application of the reduction rule RS-SC$>$, it is possible to show that $N > E_S$.
$$\frac{N \equiv N_S \qquad N_S > E \qquad E \equiv_E E_S}{N > E_S}$$
We thus show that $E'$ is derivable from $E_S$ by the application of reduction rules RS-OUTbegin, RS-COMP$\xrightarrow[l,r]{c}$, and RS-RES5.
$$\frac{\dfrac{n[out\langle v\rangle .P]^{c}_{l,r}\,\tilde{R} \xrightarrow[l,r]{c} n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid \langle\!|\tilde{R}|\!\rangle \qquad N_1 \not\leftarrow^{c} (l,r)}{n[out\langle v\rangle .P]^{c}_{l,r}\,\tilde{R} \mid N_1 \xrightarrow[l,r]{c} n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid \langle\!|\tilde{R}|\!\rangle \mid N_1}}{(\nu\tilde{c})\big(n[out\langle v\rangle .P]^{c}_{l,r}\,\tilde{R} \mid N_1\big) \xrightarrow[\#,\#]{\#} (\nu\tilde{c})\big(n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid \langle\!|\tilde{R}|\!\rangle \mid N_1\big)}$$
$$E' = E'_S \stackrel{\mathrm{def}}{=} (\nu\tilde{c})\big((n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid \langle\!|R|\!\rangle) \mid N_1\big)$$

Finally, let us show that normalization preserves the state of nodes in $N_1$ and changes the state of nodes in $R$ as specified. Since nodes in $R$ can only be receiving, they do not interfere with each other or with nodes in $N_1$; hence, we examine the behaviour of a single node separately according to whether it is also exposed to transmissions by nodes in $N_1$ or not. Because normalization essentially affects only the receivers, which are not presently transmitting and thus cannot interfere with each other, in this proof we only show the normalization of single receivers, in that multiple receivers normalize independently of each other.

First, if $R = m[in(x)+H.P'_m]^{c}_{l_m,r_m}$ we have to see whether node $m$ is presently reached by other transmissions. Hence, if $N_1 \nrightarrow^{c} l_m$ then, through three applications of RS-READYbegin, RS-COMP$\succ^{c}_{l}$, and RS-RES7, it is straightforward to prove that node $m$ normalizes to $m[(x).P'_m]^{c}_{l_m,r_m}$. By contrast, if $N_1 \rightarrow^{c} l_m$ then there is at least one node $o \in N_1$ such that it holds $N_1 \equiv o[\langle v_o\rangle .P_o]^{c}_{l_o,r_o} \mid N'_1$, with $d(l_o,l_m) \le r_o$. In this case, the proof is addressed by the employment of rules RS-READYnoise, RS-COMP$\succ$, and RS-RES8, and as a result node $m$ normalizes to $m[in(x)+H.P'_m]^{c}_{l_m,r_m}$.

Secondly, if $R = m[(x).P'_m]^{c}_{l_m,r_m}$ then, since $m$ is already employed in receiving data, this configuration is possible only if $N_1 \rightarrow^{c} l_m$ and if there is a single node $o \in N_1$ such that it holds $N_1 \equiv o[\langle v_o\rangle .P_o]^{c}_{l_o,r_o} \mid N'_1$, with $d(l_o,l_m) \le r_o$. In this case, the proof is addressed by the employment of rules RS-READINGbegin, RS-COMP$\succ$, RS-RES8, and RS-SC$\succ$, and as a result node $m$ normalizes to $m[\{\bot/x\}P'_m]^{c}_{l_m,r_m}$. After the receiver normalization we have that
$$E'_S \,\succ^{*}\, (\nu\tilde{c})\big((n[\langle v\rangle .P]^{c}_{l,r}\,0 \mid \langle\!|R|\!\rangle) \mid N_1\big) \stackrel{\mathrm{def}}{=} E''_S \qquad (15)$$
Hence, by the employment of rules RS-TRANSM, RS-COMP$\sqsupset$, and RS-RES9 the transmitter bag closes and the normalization step for the begin transmission action terminates. At the end of the normalization process, we have that $E'_S \,\succ^{*}\,\sqsupset\, N'_S$, where
$$N'_S \stackrel{\mathrm{def}}{=} (\nu\tilde{c})\big((n[\langle v\rangle .P]^{c}_{l,r} \mid \langle\!|R|\!\rangle) \mid N_1\big)$$


To conclude the proof, we found that
$$N > E_S \xrightarrow[\#,\#]{\#} E'_S \,\succ^{*}\,\sqsupset\, N'_S$$
where $N$, $E_S$, $E'_S$, and $N'_S$ satisfy the forms that are specified in the lemma.
□

Lemma 6 If $N \longrightarrow N'$, then
$$N \equiv (\nu\tilde{c})\big((n[P]^{c}_{l,r}) \mid N_1\big)$$
$$N' \equiv (\nu\tilde{c})\big((n[P']^{c}_{l,r}) \mid N_1\big)$$

Proof
We have to prove that for each wireless network $N$ that is going to perform an internal action, the following holds:
$$N \equiv (\nu\tilde{c})\big((n[\tau\text{-}act.P]^{c}_{l,r} \mid R) \mid N_1\big)$$
The proof is by induction on the structure of $N$:
BASE CASE: System $N = n[\tau\text{-}act.P]^{c}_{l,r}$ is in normal form. We show that this is true by taking $\tilde{c} = \emptyset$, and $R = N_1 = 0$.
$$\begin{aligned} n[\tau\text{-}act.P]^{c}_{l,r} &\equiv n[\tau\text{-}act.P]^{c}_{l,r} \mid 0 \\ &\equiv (n[\tau\text{-}act.P]^{c}_{l,r} \mid 0) \mid 0 \\ &= (\nu\emptyset)\big((n[\tau\text{-}act.P]^{c}_{l,r} \mid 0) \mid 0\big) \end{aligned}$$
In this case, the equivalence holds.
INDUCTIVE CASE: We have to reason on the possible structure of $N$

$N' \mid N''$: Let us assume that the equivalence holds for $N'$ such that
$$N' \equiv (\nu\tilde{c}')\big(n[\tau\text{-}act.P]^{c}_{l,r} \mid N'_1\big)$$
while $N'' = (\nu\tilde{c}'')(N''_1)$. We assume that $\tilde{c} \cap \tilde{c}'' = \emptyset$, that $fn(N') \cap \tilde{c}'' = \emptyset$ and that $fn(N'') \cap \tilde{c}' = \emptyset$; if it is not so, it is easy to meet these conditions through the application of $\alpha$-conversion. Then, by the employment of structural congruence rules SC-RESSUBST, SC-PARASSOC, SC-PARCOMP it is straightforward to verify that the following equivalence holds:
$$(\nu\tilde{c}')\big(n[\tau\text{-}act.P]^{c}_{l,r} \mid N'_1\big) \mid (\nu\tilde{c}'')N'' \equiv (\nu\tilde{c}')(\nu\tilde{c}'')\big(n[\tau\text{-}act.P]^{c}_{l,r} \mid N'_1 \mid N''\big)$$
Hence, the normal form is obtained by placing $\tilde{c} = \tilde{c}' \cup \tilde{c}''$ and $N_1 = N'_1 \mid N''$.
$(\nu c')(N)$: let us assume
$$N \equiv (\nu\tilde{c}^{*})\big(n[\tau\text{-}act.P]^{c}_{l,r} \mid N^{*}_1\big)$$
It is straightforward to see that the normal form is obtained by placing $\tilde{c} = \tilde{c}^{*} \cup c'$.
□


4 The Extended Harmony Theorem

Given the results for the basic language in the previous chapter, we are now able to present the theorem that proves the correspondence between our extended semantics. The theorem maintains the same structure as Theorem 1: in the first part we show that the labelled transition semantics is compatible with structural congruence; that is, the application of structural congruence does not modify the possible transitions. In the second part we employ this result, together with the results of Lemmas 3, 4, 5, and 6, in order to prove that given any network, the RS behaves as the LTS; i.e., each reduction in the RS has a corresponding transition in the LTS and vice versa, and the produced networks are structurally congruent. This second part separately examines the correspondence between LTS and RS in the cases of begin transmission, end transmission, restricted transmission event, and internal action. For the sake of clarity, for the begin-transmission and end-transmission cases the proofs have the same structure as in Theorem 1, in which, by contrast, restriction is also considered.

Theorem 2 (Harmony Theorem)

1. If $T \rhd N \xrightarrow{\alpha} N'$ and $N \equiv N_1$ then $T \rhd N_1 \xrightarrow{\alpha} N'_1 \equiv N'$.
2. The following holds
(a)
(a.1) If $N >^{c}_{l} E_1 \xrightarrow[l,r]{c} E_2 \,(\succ^{c}_{l'})^{*}\,\succ^{*}\,\sqsupset\, N'$ then $T \rhd N \xrightarrow{c![l,r]} \equiv N'$, and
(a.2) If $T \rhd N \xrightarrow{c![l,r]} \equiv N'$ then there exist $E_1, E_2, l'$ s.t. $N >^{c}_{l} E_1 \xrightarrow[l,r]{c} E_2 \,(\succ^{c}_{l'})^{*}\,\succ^{*}\,\sqsupset\, N'$
(b)
(b.1) If $N > E_1 \xrightarrow[l,r]{c} E_2 \,(\succ^{c}_{l'})^{*}\,\succ^{*}\,\sqsupset\, N'$ then $T \rhd N \xrightarrow{c!v[l,r]} \equiv N'$, and
(b.2) If $T \rhd N \xrightarrow{c!v[l,r]} \equiv N'$ then there exist $E_1, E_2, l'$ s.t. $N > E_1 \xrightarrow[l,r]{c} E_2 \,(\succ^{c}_{l'})^{*}\,\succ^{*}\,\sqsupset\, N'$
(c)
(c.1) If $N > E_1 \xrightarrow[\#,\#]{\#} E_2 \,\succ^{*}\,\sqsupset\, N'$ then $T \rhd N \xrightarrow{\tau} \equiv N'$, and
(c.2) If $T \rhd N \xrightarrow{\tau} \equiv N'$ then there exist $E_1, E_2$ s.t. $N > E_1 \xrightarrow[\#,\#]{\#} E_2 \,\succ^{*}\,\sqsupset\, N'$
(d)
(d.1) If $N \longrightarrow N'$ then $T \rhd N \xrightarrow{\tau} \equiv N'$, and
(d.2) If $T \rhd N \xrightarrow{\tau} \equiv N'$ then $N \longrightarrow N'$
Where $T$ is the set of transmissions that are active in network $N$.

Proof
1. If $T \rhd N \xrightarrow{\alpha} N'$ and $N \equiv N_1$ then $T \rhd N_1 \xrightarrow{\alpha} N'_1 \equiv N'$
The proof is by induction on the number of applications of the structural congruence rules.
Base Case: We assume $N_1 \equiv N$ by zero applications of structural congruence rules, hence $N_1 = N$. By hypothesis $T \rhd N \xrightarrow{\alpha} N'$; moreover, since $N_1 = N$, $T \rhd N_1 \xrightarrow{\alpha} N'$ holds. Hence, $N'_1$ for which $T \rhd N_1 \xrightarrow{\alpha} N'_1 \equiv N'$ holds exists and is equal to $N'$.
Inductive Case: Assume that $N_1$ is obtained from $N$ through $k$ distinct applications of the rules of structural congruence. We indicate with $N^{(i)}$ the system after the $i$-th application of structural congruence.
$$N = N^{(0)} \equiv N^{(1)} \equiv \dots \equiv N^{(i)} \equiv \dots \equiv N^{(k-1)} \equiv N^{(k)} = N_1$$


By inductive hypothesis, we assume that the following holds:
$$\frac{T \rhd N \xrightarrow{\alpha} N' \qquad N \equiv N^{(k-1)}}{T \rhd N^{(k-1)} \xrightarrow{\alpha} N'_{(k-1)} \equiv N'}$$
Now, we have to prove that, for each possible application of structural congruence, the statement is valid within each possible context $C \in \mathcal{C}$ of application.
$$\mathcal{C} \stackrel{\mathrm{def}}{=} [\cdot] \;\|\; C \mid N \;\|\; N \mid C \;\|\; (\nu z)C \;\|\; n[P]^{c}_{l,r}$$
$[\cdot]$: In this case, by reasoning on the structure of $N_k$, we have to prove the following:
$$\frac{T \rhd N^{(k-1)} \xrightarrow{\alpha} N'_{(k-1)} \qquad N_{k-1} \equiv N^{(k)}}{T \rhd N^{(k)} \xrightarrow{\alpha} N'_{(k)} \equiv N'_{(k-1)}}$$

• Let us assume that $T \rhd N_{k-1} \xrightarrow{c!\theta[l,r]} N'_{k-1}$ has been obtained by the application of rule NS-COMr; hence, we know that:
(a) $N_{k-1} = N_a \mid N_b$ and $N'_{k-1} = N'_a \mid N'_b$
(b) $T \rhd N_a \xrightarrow{c?\theta[l,r]} N'_a$ and $T \rhd N_b \xrightarrow{c!\theta[l,r]} N'_b$
By SC rule SC-PARCOMP, we know that $N_a \mid N_b \equiv N_b \mid N_a$, which we call $N_k$. Moreover, having the hypothesis at point (b) above, we know by the application of NS-COMl that $N_k$ becomes $N'_b \mid N'_a$, which we call $N'_k$ and which is structurally congruent to $N'_{k-1}$ by SC rule SC-PARCOMP. Hence it is proved that
$$\frac{T \rhd N_a \mid N_b \xrightarrow{c!\theta[l,r]} N'_a \mid N'_b \qquad N_a \mid N_b \equiv N_b \mid N_a}{T \rhd N_b \mid N_a \xrightarrow{c!\theta[l,r]} N'_b \mid N'_a \equiv N'_a \mid N'_b}$$

As for rule NS-COMr, the statement holds.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{c!\theta[l,r]} N'_{k-1}$ has been obtained by the application of rule NS-COMl. The proof is similar to the one above, considering rules NS-COMl and NS-COMr in the opposite order.

• Let us assume that T ¤ Nk−1c!θ[l,r]−→ N ′

k−1 that has been obtainedby the application of rule NS-COMin; hence, we know that:(a) Nk−1 = Na|Nb and N ′

k−1 = N ′a|N ′

b

(b) T ¤ Nac?θ[l,r]−→ N ′

a and T ¤ Nbc?θ[l,r]−→ N ′

b

By SC rule SC-PARCOMP, we know that Na|Nb ≡ Nb|Na, thatwe call Nk. Moreover, having the hypothesis at point 2 above weknow by the application of NS-COMin that makes Nk becomeN ′

b|N ′a, that we call N ′

k, that is structural congruent to N ′k−1 by

SC rule SC-PARCOMP. Hence is proved that

T ¤ Na|Nbc?θ[l,r]−→ N ′

a|N ′b Na|Nb ≡ Nb|Na

T ¤ Nb|Nac?θ[l,r]−→ N ′

b|N ′a ≡ N ′

a|N ′b

As for NS-COMin, the statement holds.• Let us assume that T ¤ Nk−1

c!θ[l,r]−→ N ′k−1 that has been obtained

by the application of rule NS-RES1. In this case we know that

Nk−1 = (νc ′) Na, that N ′k−1 = (νc ′) N ′

a, that T ¤ Nac!θ[l,r]−→ N ′

a,and that c 6= c ′. Hence, Na can either be (νc ′′) Nb or Nb|Nc. Weanalyze both the cases:


$N_{k-1} = (\nu c')(\nu c'')N_b$: In this case we know that $T \rhd (\nu c')(\nu c'')N_b \xrightarrow{c!\theta[l,r]} (\nu c')(\nu c'')N'_b$ by twice the employment of NS-RES1. However, starting from $T \rhd N_b \xrightarrow{c!\theta[l,r]} N'_b$ it is possible to permute the single applications of NS-RES1: this legitimately leads to the transition $T \rhd (\nu c'')(\nu c')N_b \xrightarrow{c!\theta[l,r]} (\nu c'')(\nu c')N'_b$. Note that, by the SC rule SC-RESCOMP, $N_{k-1} \equiv (\nu c'')(\nu c')N_b = N_k$ and $N'_{k-1} \equiv (\nu c'')(\nu c')N'_b = N'_k$; hence,
$$\frac{T \rhd (\nu c')(\nu c'')N_b \xrightarrow{c!\theta[l,r]} (\nu c')(\nu c'')N'_b \qquad (\nu c')(\nu c'')N_b \equiv (\nu c'')(\nu c')N_b}{T \rhd (\nu c'')(\nu c')N_b \xrightarrow{c!\theta[l,r]} (\nu c'')(\nu c')N'_b \equiv (\nu c')(\nu c'')N'_b}$$
In this case the equivalence is proved.

$N_{k-1} = (\nu c')(N_b \mid N_c)$: In this case we know that $T \rhd (\nu c')(N_b \mid N_c) \xrightarrow{c!\theta[l,r]} (\nu c')(N'_b \mid N'_c)$; we also know that this derivation has been obtained through the application of rule NS-RES1 and either NS-COMr or NS-COMl. Hence, one of the cases below holds:
1. $T \rhd N_b \xrightarrow{c!\theta[l,r]} N'_b$ and $T \rhd N_c \xrightarrow{c?\theta[l,r]} N'_c$;
2. $T \rhd N_b \xrightarrow{c?\theta[l,r]} N'_b$ and $T \rhd N_c \xrightarrow{c!\theta[l,r]} N'_c$;
Let us assume that $c' \in fn(N_b)$ but $c' \notin fn(N_c)$, otherwise it is always possible to find networks $N_d$ and $N_e$ such that $N_d \mid N_e \equiv N_b \mid N_c$ and these conditions are satisfied. Let us then consider the first case above (the second one is similar): if we first apply NS-RES1 to $T \rhd N_b \xrightarrow{c!\theta[l,r]} N'_b$ and then NS-COMl we obtain $T \rhd (\nu c')N_b \mid N_c \xrightarrow{c!\theta[l,r]} (\nu c')N'_b \mid N'_c$.
Note that, by the SC rule SC-RESSUBST, $N_{k-1} \equiv (\nu c')N_b \mid N_c = N_k$ and $N'_{k-1} \equiv (\nu c')N'_b \mid N'_c = N'_k$; hence,
$$\frac{T \rhd (\nu c')(N_b \mid N_c) \xrightarrow{c!\theta[l,r]} (\nu c')(N'_b \mid N'_c) \qquad (\nu c')(N_b \mid N_c) \equiv (\nu c')N_b \mid N_c}{T \rhd (\nu c')N_b \mid N_c \xrightarrow{c!\theta[l,r]} (\nu c')N'_b \mid N'_c \equiv (\nu c')(N'_b \mid N'_c)}$$
In this case the equivalence is proved.
As for rule NS-RES1, the statement holds.

• Let us assume that $T \rhd N_{k-1} \xrightarrow{c?\theta[l,r]} N'_{k-1}$ has been obtained by the application of rule NS-RES2; in this case the proof is similar to the one above.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-RES3. In this case we know that $N_{k-1} = (\nu c')N_a$, that $N'_{k-1} = (\nu c')N'_a$, that $T \rhd N_a \xrightarrow{c!\theta[l,r]} N'_a$, and that $c' = c$. Hence, $N_a$ can either be $(\nu c'')N_b$ or $N_b \mid N_c$. We analyze both the cases:
$N_{k-1} = (\nu c)(\nu c'')N_b$: In this case we know that $T \rhd (\nu c)(\nu c'')N_b \xrightarrow{\tau} (\nu c)(\nu c'')N'_b$ by first the employment of NS-RES1 on $T \rhd N_b \xrightarrow{c!\theta[l,r]} N'_b$ and then NS-RES3. However, starting from $T \rhd N_b \xrightarrow{c!\theta[l,r]} N'_b$ it is possible to apply first NS-RES3 and then NS-RES4: this legitimately leads to the transition $T \rhd (\nu c'')(\nu c')N_b \xrightarrow{\tau} (\nu c'')(\nu c')N'_b$.


Note that, by the SC rule SC-RESCOMP, $N_{k-1} \equiv (\nu c'')(\nu c')N_b = N_k$ and $N'_{k-1} \equiv (\nu c'')(\nu c')N'_b = N'_k$; hence,
$$\frac{T \rhd (\nu c')(\nu c'')N_b \xrightarrow{\tau} (\nu c')(\nu c'')N'_b \qquad (\nu c')(\nu c'')N_b \equiv (\nu c'')(\nu c')N_b}{T \rhd (\nu c'')(\nu c')N_b \xrightarrow{\tau} (\nu c'')(\nu c')N'_b \equiv (\nu c')(\nu c'')N'_b}$$
In this case the equivalence is proved.
$N_{k-1} = (\nu c)(N_b \mid N_c)$: In this case we know that $T \rhd (\nu c)(N_b \mid N_c) \xrightarrow{\tau} (\nu c)(N'_b \mid N'_c)$; we also know that this derivation has been obtained through the application of rule NS-RES3 and either NS-COMr or NS-COMl. Hence, one of the cases below holds:
1. $T \rhd N_b \xrightarrow{c!\theta[l,r]} N'_b$ and $T \rhd N_c \xrightarrow{c?\theta[l,r]} N'_c$;
2. $T \rhd N_b \xrightarrow{c?\theta[l,r]} N'_b$ and $T \rhd N_c \xrightarrow{c!\theta[l,r]} N'_c$;
Let us assume that $c \in fn(N_b)$ but $c \notin fn(N_c)$, otherwise it is always possible to find networks $N_d$ and $N_e$ such that $N_d \mid N_e \equiv N_b \mid N_c$ and these conditions are satisfied. Under this assumption, $N'_c = N_c$. Let us then consider the first case above (the second one is similar): if we first apply NS-RES3 to $T \rhd N_b \xrightarrow{c!\theta[l,r]} N'_b$ and then NS-PARl we obtain $T \rhd (\nu c)N_b \mid N_c \xrightarrow{\tau} (\nu c)N'_b \mid N_c$.
Note that, by the SC rule SC-RESSUBST, $N_{k-1} \equiv (\nu c)N_b \mid N_c = N_k$ and $N'_{k-1} \equiv (\nu c)N'_b \mid N_c = N'_k$; hence,
$$\frac{T \rhd (\nu c)(N_b \mid N_c) \xrightarrow{\tau} (\nu c)(N'_b \mid N_c) \qquad (\nu c)(N_b \mid N_c) \equiv (\nu c)N_b \mid N_c}{T \rhd (\nu c)N_b \mid N_c \xrightarrow{\tau} (\nu c)N'_b \mid N_c \equiv (\nu c)(N'_b \mid N_c)}$$
In this case the equivalence is proved.
As for rule NS-RES3, the statement holds.

• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-RES4. In this case we know that $N_{k-1} = (\nu c')N_a$, that $N'_{k-1} = (\nu c')N'_a$, and that $T \rhd N_a \xrightarrow{\tau} N'_a$. Hence, $N_a$ can either be $(\nu c'')N_b$ or $N_b \mid N_c$. We analyze both the cases:
$N_{k-1} = (\nu c')(\nu c'')N_b$: In this case we know that $T \rhd (\nu c')(\nu c'')N_b \xrightarrow{\tau} (\nu c')(\nu c'')N'_b$ by first the employment of either one of the NS-RES rules on $T \rhd N_b \xrightarrow{\alpha} N'_b$ and then of NS-RES4. However, starting from $T \rhd N_b \xrightarrow{\alpha} N'_b$ it is possible to invert the application of the rules to legitimately obtain $T \rhd (\nu c'')(\nu c')N_b \xrightarrow{\tau} (\nu c'')(\nu c')N'_b$. Note that, by the SC rule SC-RESCOMP, $N_{k-1} \equiv (\nu c'')(\nu c')N_b = N_k$ and $N'_{k-1} \equiv (\nu c'')(\nu c')N'_b = N'_k$; hence,
$$\frac{T \rhd (\nu c')(\nu c'')N_b \xrightarrow{\tau} (\nu c')(\nu c'')N'_b \qquad (\nu c')(\nu c'')N_b \equiv (\nu c'')(\nu c')N_b}{T \rhd (\nu c'')(\nu c')N_b \xrightarrow{\tau} (\nu c'')(\nu c')N'_b \equiv (\nu c')(\nu c'')N'_b}$$
In this case the equivalence is proved.
$N_{k-1} = (\nu c')(N_b \mid N_c)$: In this case we know that $T \rhd (\nu c')(N_b \mid N_c) \xrightarrow{\tau} (\nu c')(N'_b \mid N'_c)$; we also know that $T \rhd N_b \mid N_c \xrightarrow{\tau} N'_b \mid N'_c$. We


also know that this derivation has been obtained through the application of rule NS-RES3 and either one of the rules for the parallel composition. Let us assume that $c' \notin fn(N_c)$ and that $N_c$ contains only nodes that do not participate in the performance of the current action, otherwise it is always possible to find networks $N_d$ and $N_e$ such that $N_d \mid N_e \equiv N_b \mid N_c$ and which satisfy these conditions. In this case $N'_c = N_c$. Since by hypothesis we know that the restriction does not influence the action being performed, we can first apply NS-RES4 to $T \rhd N_b \xrightarrow{\tau} N'_b$ and then NS-PARl, obtaining $T \rhd (\nu c')N_b \mid N_c \xrightarrow{\tau} (\nu c')N'_b \mid N_c$. Note that, by the SC rule SC-RESSUBST, $N_{k-1} \equiv (\nu c')N_b \mid N_c = N_k$ and $N'_{k-1} \equiv (\nu c')N'_b \mid N_c = N'_k$; hence,
$$\frac{T \rhd (\nu c')(N_b \mid N_c) \xrightarrow{\tau} (\nu c')(N'_b \mid N_c) \qquad (\nu c')(N_b \mid N_c) \equiv (\nu c')N_b \mid N_c}{T \rhd (\nu c')N_b \mid N_c \xrightarrow{\tau} (\nu c')N'_b \mid N_c \equiv (\nu c')(N'_b \mid N_c)}$$
In this case the equivalence is proved.
As for rule NS-RES4, the statement holds.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-PARl. In this case we know that $N_{k-1} = N_a \mid N_b$, that $N'_{k-1} = N'_a \mid N_b$, that $T \rhd N_a \xrightarrow{\tau} N'_a$ and that $T \rhd N_a \mid N_b \xrightarrow{\tau} N'_a \mid N_b$. By the application of NS-PARr to $T \rhd N_a \xrightarrow{\tau} N'_a$ employing the same $N_b$ we obtain $T \rhd N_b \mid N_a \xrightarrow{\tau} N_b \mid N'_a$. Note that, by the SC rule SC-PARCOMP, $N_{k-1} \equiv N_b \mid N_a = N_k$ and $N'_{k-1} \equiv N_b \mid N'_a = N'_k$; hence,
$$\frac{T \rhd N_a \mid N_b \xrightarrow{\tau} N'_a \mid N_b \qquad N_a \mid N_b \equiv N_b \mid N_a}{T \rhd N_b \mid N_a \xrightarrow{\tau} N_b \mid N'_a \equiv N'_a \mid N_b}$$
As for rule NS-PARl, the statement holds.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-PARr. This case is similar to the previous one.

As for the empty context, we proved that the statement holds.
$C \mid N$: In this case we have to prove the statement when $N^{(k-1)}$ has the form $C \mid N$; this regards the parallel composition, either for communication or for internal actions.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-COMr. Then, we know that $T \rhd C \mid N_a \xrightarrow{c!\theta[l,r]} C' \mid N'_a$, that $T \rhd C \xrightarrow{c?\theta[l,r]} C'$, and that $T \rhd N_a \xrightarrow{c!\theta[l,r]} N'_a$. By the employment of NS-COMl, we can then obtain $T \rhd N_a \mid C \xrightarrow{c!\theta[l,r]} N'_a \mid C'$. Note that, by the SC rule SC-PARCOMP, $N_{k-1} \equiv N_a \mid C = N_k$ and $N'_{k-1} \equiv N'_a \mid C' = N'_k$; hence,
$$\frac{T \rhd C \mid N_a \xrightarrow{c!\theta[l,r]} C' \mid N'_a \qquad C \mid N_a \equiv N_a \mid C}{T \rhd N_a \mid C \xrightarrow{c!\theta[l,r]} N'_a \mid C' \equiv C' \mid N'_a}$$
As for NS-COMr, the statement holds.


• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-COMl. In this case, the proof is similar to the one above.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-PARl. Then, we know that, for every $N_a$, $T \rhd C \mid N_a \xrightarrow{\tau} C' \mid N_a$ and $T \rhd C \xrightarrow{\tau} C'$. By the employment of NS-PARr, we can then obtain $T \rhd N_a \mid C \xrightarrow{\tau} N_a \mid C'$.
Note that, by the SC rule SC-PARCOMP, $N_{k-1} \equiv N_a \mid C = N_k$ and $N'_{k-1} \equiv N_a \mid C' = N'_k$; hence,
$$\frac{T \rhd C \mid N_a \xrightarrow{\tau} C' \mid N_a \qquad C \mid N_a \equiv N_a \mid C}{T \rhd N_a \mid C \xrightarrow{\tau} N_a \mid C' \equiv C' \mid N_a}$$
As for NS-PARl, the statement holds.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-PARr. In this case, the proof is similar to the one above.
As for this context, the statement holds.
$N \mid C$: In this case we have to prove the statement when $N^{(k-1)}$ has the form $N \mid C$; this case is similar to the previous one.
$(\nu c')C$: In this case we have to prove the statement when $N^{(k-1)}$ has the form $(\nu c')C$; this case regards the restriction.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{c!\theta[l,r]} N'_{k-1}$ has been obtained by the application of rule NS-RES1. In this case we know that $N_{k-1} = (\nu c')C$, that $N'_{k-1} = (\nu c')C'$, and that $c \ne c'$. Hence, $C$ can either be $(\nu c'')C_1$, $C_1 \mid N$, or $N \mid C_1$. We analyze the first two, since the last two are similar:
$N_{k-1} = (\nu c')(\nu c'')C_1$: In this case we know that $T \rhd (\nu c')(\nu c'')C_1 \xrightarrow{c!\theta[l,r]} (\nu c')(\nu c'')C'_1$ by twice the employment of NS-RES1. However, starting from $T \rhd C_1 \xrightarrow{c!\theta[l,r]} C'_1$ it is possible to permute the single applications of NS-RES1: this legitimately leads to the transition $T \rhd (\nu c'')(\nu c')C_1 \xrightarrow{c!\theta[l,r]} (\nu c'')(\nu c')C'_1$. Note that, by the SC rule SC-RESCOMP, $N_{k-1} \equiv (\nu c'')(\nu c')C_1 = N_k$ and $N'_{k-1} \equiv (\nu c'')(\nu c')C'_1 = N'_k$; hence,
$$\frac{T \rhd (\nu c')(\nu c'')C_1 \xrightarrow{c!\theta[l,r]} (\nu c')(\nu c'')C'_1 \qquad (\nu c')(\nu c'')C_1 \equiv (\nu c'')(\nu c')C_1}{T \rhd (\nu c'')(\nu c')C_1 \xrightarrow{c!\theta[l,r]} (\nu c'')(\nu c')C'_1 \equiv (\nu c')(\nu c'')C'_1}$$
In this case the equivalence is proved.
$N_{k-1} = (\nu c')(C_1 \mid N)$: In this case we know that $T \rhd (\nu c')(C_1 \mid N) \xrightarrow{c!\theta[l,r]} (\nu c')(C'_1 \mid N')$; we also know that this derivation has been obtained through the application of rule NS-RES1 and either NS-COMr or NS-COMl. Hence, one of the cases below holds:
1. $T \rhd C_1 \xrightarrow{c!\theta[l,r]} C'_1$ and $T \rhd N \xrightarrow{c?\theta[l,r]} N'$;
2. $T \rhd C_1 \xrightarrow{c?\theta[l,r]} C'_1$ and $T \rhd N \xrightarrow{c!\theta[l,r]} N'$;
Let $N_a$ and $N_b$ be networks such that $N \equiv N_a \mid N_b$ for which it holds that $c' \notin fn(N_b)$. Let us then consider the first case above (the second one is similar): if we first apply NS-RES1


to $T \rhd C \mid N_a \xrightarrow{c!\theta[l,r]} C' \mid N'_a$ and then NS-COMl we obtain $T \rhd (\nu c')(C \mid N_a) \mid N_b \xrightarrow{c!\theta[l,r]} (\nu c')(C' \mid N'_a) \mid N'_b$.
Note that, by the SC rule SC-RESSUBST, $N_{k-1} \equiv (\nu c')(C \mid N_a) \mid N_b = N_k$ and $N'_{k-1} \equiv (\nu c')(C' \mid N'_a) \mid N'_b = N'_k$; hence,
$$\frac{T \rhd (\nu c')(C_1 \mid N) \xrightarrow{c!\theta[l,r]} (\nu c')(C'_1 \mid N') \qquad (\nu c')(C_1 \mid N) \equiv (\nu c')(C \mid N_a) \mid N_b}{T \rhd (\nu c')(C \mid N_a) \mid N_b \xrightarrow{c!\theta[l,r]} (\nu c')(C' \mid N'_a) \mid N'_b \equiv (\nu c')(C'_1 \mid N')}$$
In this case the equivalence is proved.
As for rule NS-RES1, the statement holds.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{c?\theta[l,r]} N'_{k-1}$ has been obtained by the application of rule NS-RES2; in this case the proof is similar to the one above.
• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-RES3. In this case we know that $N_{k-1} = (\nu c')C$, that $N'_{k-1} = (\nu c')C'$, that $T \rhd C \xrightarrow{c!\theta[l,r]} C'$, and that $c' = c$. Hence, $C$ can either be $(\nu c'')C_1$, $C_1 \mid N$ or $N \mid C_1$. We analyze the first two, since the last two are similar:
$N_{k-1} = (\nu c)(\nu c'')C_1$: In this case we know that $T \rhd (\nu c)(\nu c'')C_1 \xrightarrow{\tau} (\nu c)(\nu c'')C'_1$ by first the employment of NS-RES1 on $T \rhd C_1 \xrightarrow{c!\theta[l,r]} C'_1$ and then NS-RES3. However, starting from $T \rhd C_1 \xrightarrow{c!\theta[l,r]} C'_1$ it is possible to apply first NS-RES3 and then NS-RES4: this legitimately leads to the transition $T \rhd (\nu c'')(\nu c')C_1 \xrightarrow{\tau} (\nu c'')(\nu c')C'_1$. Note that, by the SC rule SC-RESCOMP, $N_{k-1} \equiv (\nu c'')(\nu c')C_1 = N_k$ and $N'_{k-1} \equiv (\nu c'')(\nu c')C'_1 = N'_k$; hence,
$$\frac{T \rhd (\nu c')(\nu c'')C_1 \xrightarrow{\tau} (\nu c')(\nu c'')C'_1 \qquad (\nu c')(\nu c'')C_1 \equiv (\nu c'')(\nu c')C_1}{T \rhd (\nu c'')(\nu c')C_1 \xrightarrow{\tau} (\nu c'')(\nu c')C'_1 \equiv (\nu c')(\nu c'')C'_1}$$
In this case the equivalence is proved.
$N_{k-1} = (\nu c)(C_1 \mid N)$: In this case we know that $T \rhd (\nu c)(C_1 \mid N) \xrightarrow{\tau} (\nu c)(C'_1 \mid N')$; we also know that this derivation has been obtained through the application of rule NS-RES3 and either NS-COMr or NS-COMl. Hence, one of the cases below holds:
1. $T \rhd C_1 \xrightarrow{c!\theta[l,r]} C'_1$ and $T \rhd N \xrightarrow{c?\theta[l,r]} N'$;
2. $T \rhd C_1 \xrightarrow{c?\theta[l,r]} C'_1$ and $T \rhd N \xrightarrow{c!\theta[l,r]} N'$;
Let $N_a$ and $N_b$ be networks such that $N \equiv N_a \mid N_b$ for which it holds that $c' \notin fn(N_b)$. Under this assumption, $N'_b = N_b$. Let us then consider the first case above (the second one is similar): if we first apply NS-RES3 to $T \rhd C \mid N_a \xrightarrow{c!\theta[l,r]} C' \mid N'_a$ and then NS-COMl we obtain $T \rhd (\nu c)(C \mid N_a) \mid N_b \xrightarrow{\tau} (\nu c)(C' \mid N'_a) \mid N_b$.
Note that, by the SC rule SC-RESSUBST, $N_{k-1} \equiv (\nu c)(C \mid N_a) \mid N_b = N_k$ and $N'_{k-1} \equiv (\nu c)(C' \mid N'_a) \mid N_b = N'_k$; hence,
$$\frac{T \rhd (\nu c)(C_1 \mid N) \xrightarrow{\tau} (\nu c)(C'_1 \mid N') \qquad (\nu c)(C_1 \mid N) \equiv (\nu c)(C \mid N_a) \mid N_b}{T \rhd (\nu c)(C \mid N_a) \mid N_b \xrightarrow{\tau} (\nu c)(C' \mid N'_a) \mid N_b \equiv (\nu c)(C'_1 \mid N')}$$


In this case the equivalence is proved. As for rule NS-RES3, the statement holds.

• Let us assume that $T \rhd N_{k-1} \xrightarrow{\tau} N'_{k-1}$ has been obtained by the application of rule NS-RES4. In this case we know that $N_{k-1} = (\nu c')\,C$, that $N'_{k-1} = (\nu c')\,C'$, and that $T \rhd C \xrightarrow{\tau} C'$. Hence, $C$ can either be $(\nu c'')\,C_1$, $C_1 \mid N$ or $N \mid C_1$. We analyze the first two, since the last two are similar:

$N_{k-1} = (\nu c')(\nu c'')\,C_1$: In this case we know that $T \rhd (\nu c')(\nu c'')\,C_1 \xrightarrow{\tau} (\nu c')(\nu c'')\,C'_1$ by first the employment of either one of the NS-RES rules on $T \rhd C_1 \xrightarrow{\alpha} C'_1$ and then of NS-RES4. However, starting from $T \rhd C_1 \xrightarrow{\alpha} C'_1$ it is possible to invert the application of the rules to legitimately obtain $T \rhd (\nu c'')(\nu c')\,C_1 \xrightarrow{\tau} (\nu c'')(\nu c')\,C'_1$. Note that, by the SC rule SC-RESCOMP, $N_{k-1} \equiv (\nu c'')(\nu c')\,C_1 = N_k$ and $N'_{k-1} \equiv (\nu c'')(\nu c')\,C'_1 = N'_k$; hence,

\[
\frac{T \rhd (\nu c')(\nu c'')\,C_1 \xrightarrow{\tau} (\nu c')(\nu c'')\,C'_1 \qquad (\nu c')(\nu c'')\,C_1 \equiv (\nu c'')(\nu c')\,C_1}
{T \rhd (\nu c'')(\nu c')\,C_1 \xrightarrow{\tau} (\nu c'')(\nu c')\,C'_1 \equiv (\nu c')(\nu c'')\,C'_1}
\]

In this case the equivalence is proved.

$N_{k-1} = (\nu c')(C_1 \mid N)$: In this case we know that $T \rhd (\nu c')(C_1 \mid N) \xrightarrow{\tau} (\nu c')(C'_1 \mid N')$; we also know that $T \rhd C_1 \mid N \xrightarrow{\tau} C'_1 \mid N'$. We also know that this derivation can only be obtained through the application of rule NS-RES3 or of one of the rules for parallel composition. Let $N_a$ and $N_b$ be networks such that $N \equiv N_a \mid N_b$, $c' \notin fn(N_b)$, and the nodes in $N_b$ do not participate in the action being performed. Under this assumption, $N'_b = N_b$. Since, by hypothesis, we know that the restriction does not influence the action being performed, we can first apply NS-RES4 to $T \rhd C_1 \mid N_a \xrightarrow{\tau} C'_1 \mid N'_a$ and then NS-PARl, obtaining $T \rhd (\nu c')(C_1 \mid N_a) \mid N_b \xrightarrow{\tau} (\nu c')(C'_1 \mid N'_a) \mid N_b$. Note that, by the SC rule SC-RESSUBST, $N_{k-1} \equiv (\nu c')(C_1 \mid N_a) \mid N_b = N_k$ and $N'_{k-1} \equiv (\nu c')(C'_1 \mid N'_a) \mid N_b = N'_k$; hence,

\[
\frac{T \rhd (\nu c')(C_1 \mid N) \xrightarrow{\tau} (\nu c')(C'_1 \mid N') \qquad (\nu c')(C_1 \mid N) \equiv (\nu c')(C_1 \mid N_a) \mid N_b}
{T \rhd (\nu c')(C_1 \mid N_a) \mid N_b \xrightarrow{\tau} (\nu c')(C'_1 \mid N'_a) \mid N_b \equiv (\nu c')(C'_1 \mid N')}
\]

In this case the equivalence is proved. As for rule NS-RES4, the statement holds.

As for this context, the statement holds. Since the statement has been proved for every context and for every possible context, the inductive case has been proved.

Both the base case and the inductive case hold; the statement is proved.

2. This proof consists of examining separately the cases of start of transmission, end of transmission, the restricted transmission action, and the invisible action.

(a) Let us consider the case of the beginning of transmission.

(a.1): By Lemma 3 we know that

\[
N \equiv (\nu\tilde c)\bigl(\,(n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1\,\bigr)
\]


\[
N' \equiv (\nu\tilde c)\bigl(\,(n[\langle v\rangle.P]^{c}_{l,r} \mid \langle\!| R |\!\rangle) \mid N_1\,\bigr)
\]

where $R$ is the subsystem composed of the actual receivers that are touched by the transmission, $N_1$ is the subsystem composed of both the nodes that are not touched by that transmission and the ones that are touched by the signal but are not performing input actions, and $\langle\!| R |\!\rangle$ is the system $R$ that has been touched by the transmission beginning and has subsequently been normalized. We also know that $c \notin \tilde c$.

To prove the implication we have to show (i) that, according to the labelled transition semantics, node $n$ is enabled to begin the transmission, and (ii) that the LTS makes system $N$ become a system $N''$ that is structurally congruent to $N'$.

First, by Lemma 3 we also know that node $n$ is not reached by any ongoing transmission, i.e. $T|_{l,c} \setminus (l,r,c) = \emptyset$. This condition enables the employment of rule NS-OUTbegin.

Second, since neither the LTS nor the RS has rules that create or destroy wireless nodes, no transition can imply any change within the system except for the state of the nodes within the system. Therefore, to prove the statement we have to show that, for each possible node $m$ in $R$ or in $N_1$, both the LTS and the RS enforce the same state transition.

Let $m$ be in $N_1$; then Lemma 3 grants us that its internal state does not change. In order to prove that the LTS behaves the same, we have to examine the following cases:

• whatever its location, $m$ is synchronized on a channel $c_m \neq c$;

In this case $d(l, l_m) \le r$. For the proof to be complete, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[P]^{c_m}_{l_m,r_m}$. We also know that $T = \emptyset$. Hence, it is straightforward to verify that the system

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m, l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l, l_o) > r_o$ and $T = (l_o, r_o, c_o)$. Hence, it is straightforward to verify that the system

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would maintain the same state. Similarly to what happens with the RS, the two cases above prove that the LTS leaves the state of node $m$ unchanged.


• $c_m = c$ and $m$ is touched by the transmission but it is not performing an input-related operation;

In this case $d(l, l_m) \le r$. Even in this case, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[\tau_{act}.P_m]^{c_m}_{l_m,r_m}$. We also know that $T = (l_o, r_o, c_o)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\tau_{act}.P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\tau_{act}.P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m, l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l, l_o) > r_o$ and $T = (l_o, r_o, c_o)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\tau_{act}.P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\tau_{act}.P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. Similarly to what happens with the RS, the two cases above prove that the LTS does not change the state of node $m$.

• $c_m = c$ and $m$ is not touched by the transmission.

In this case $d(l, l_m) > r$. For the proof to be complete, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[P]^{c_m}_{l_m,r_m}$. We also know that $T = \emptyset$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m, l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l, l_o) > r_o$ and $T = (l_o, r_o, c_o)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]


In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. Similarly to what happens with the reduction semantics, the two cases above prove that in the LTS node $m$ does not change state.

The three cases above prove that, similarly to the RS, the LTS does not force the nodes in $N_1$ to change their respective states.

Hence, let us examine the behaviour of nodes in $R$. As far as we know, a node $m$ is in $R$ if it is both synchronized on the transmission channel (i.e., $c$) and performing an input operation (i.e., it is either ready to receive or currently receiving a value).

• $m[\mathrm{in}(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

Let us first analyze the case in which $m$ is not touched by any other transmission, which corresponds to the assumption $N_1 = \emptyset$. We also know that $T = \emptyset$. In this case, Lemma 3 states that the reduction semantics makes node $m$ switch to the state $m[(x).P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. We know that $T = (l_o, r_o, c_o)$. In this case, Lemma 3 states that the reduction semantics makes node $m$ remain in the same state. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. These two cases prove that, in this case, both the RS and the LTS enforce the same behaviour on node $m$.

• $m[(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

For $m$ to be $m[(x).P_m]^{c}_{l_m,r_m}$, it has to be touched by one and only one transmission. Hence, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. We know that $T = (l_o, r_o, c_o)$. In this case, Lemma 3 states that the RS makes node $m$ switch to state $m[\bot/x.P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[(x).P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]


performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\bot/x.P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In this case both the RS and the LTS enforce the same behaviour on node $m$.

The cases shown so far show that for each reduction that applies to the network there is a corresponding labelled transition that applies, and that the two semantics make each single node evolve to the same state. By the first part of this lemma we know that, for each network, applications of structural congruence do not change the possible transitions; hence, we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.

(a.2): We address this proof by contradiction; specifically, we have to verify the following two cases:

i. ∄ E1, E2, c, l, l′, N′′ s.t. N >c_l E1 −→c_l E2 Âc_l′* Â* º N′′.

Lemma 3 grants us that we can write the equivalence below

\[
N \equiv N''' = (\nu\tilde c)\bigl(\,(n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1\,\bigr)
\]

Since we also know that $T \rhd N \xrightarrow{c![l,r]} N'$ then, by the first point of this lemma, we can state both that $T \rhd N'' \xrightarrow{c![l,r]} \equiv N'$ and that $c \notin \tilde c$. Therefore, the reduction rule NS-OUTbegin prevents the wireless node $n$ from beginning the transmission if location $l$ is reached from $R$ or $N_1$; but $R$, by definition, is uniquely composed of transmitters. Hence, for the transmission to be prevented from starting, $N_1$ must be rewritable as below:

\[
N_1 = q[\langle v_2\rangle.Q]^{c}_{l_q,r_q} \mid N_2
\]

Hence, it would be true that $(c, l_q, r_q) \in T$ and, since $T|_{c,l}$ would be different from $\emptyset$, the rule NS-OUTbegin could not be employed and the transition $T \rhd N''' \xrightarrow{c![l,r]} \equiv N'$ would not be possible. As a consequence, also the transition $T \rhd N \xrightarrow{![l,r,c]} \equiv N'$ would not be possible, contradicting the hypothesis.

ii. ∃ E1, E2, c′, l′, N′′′ s.t. N >c_l E1 −→c_{l,r} E2 Âc_l′* Â* º N′′′ ⇒ N′′′ ≢ N′.

If the transition occurs, then by Lemma 3 we know that $\exists\, N'', E_1, E_2, c', l', N'''$ such that

\[
N \equiv N'' = (\nu\tilde c)\bigl(\,(n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1\,\bigr)
\]

\[
N''' \equiv (\nu\tilde c)\bigl(\,(n[\langle v\rangle.P]^{c}_{l,r} \mid \langle\!| R |\!\rangle) \mid N_1\,\bigr)
\]

where $R$ is the subsystem composed of the actual receivers that are touched by the transmission that is going to begin, $N_1$ is the subsystem composed of both the nodes that are not touched by that transmission and the ones that are touched by the signal but would not react to it, and $\langle\!| R |\!\rangle$ is the system $R$ that has been


touched by the transmission beginning and has subsequently been normalized. We also know that $c \notin \tilde c$.

Since neither the LTS nor the RS has rules that create or destroy wireless nodes, the transition occurring cannot imply any change within the system except for the state of the transmitter and the nodes touched by the signal. Hence, there has to be a node $m[P]^{c_m}_{l_m,r_m}$ in $N'$ that is executing a process different from the one it is executing in $N'''$.

Let $m$ be in $N_1$; then Lemma 3 grants us that its internal state does not change. In order to prove that the LTS behaves the same, we have to examine the following cases:

• whatever its location, $m$ is synchronized on a channel $c_m \neq c$;

In this case $d(l, l_m) \le r$. For the proof to be complete, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[P]^{c_m}_{l_m,r_m}$. We also know that $T = \emptyset$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m, l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l, l_o) > r_o$ and $T = (l_o, r_o, c_o)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. Similarly to what happens with the RS, the two cases above prove that the LTS does not modify the state of node $m$.

• $c_m = c$ and $m$ is touched by the transmission but it is not performing an input-related operation;

In this case $d(l, l_m) \le r$. Even in this case, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[\tau_{act}.P_m]^{c_m}_{l_m,r_m}$. We also know that $T = (l_o, r_o, c_o)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\tau_{act}.P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\tau_{act}.P_m]^{c_m}_{l_m,r_m}\,)
\]


Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m, l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l, l_o) > r_o$ and $T = (l_o, r_o, c_o)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\tau_{act}.P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\tau_{act}.P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. Similarly to what happens with the RS, the two cases above prove that the LTS does not modify the state of node $m$.

• $c_m = c$ and $m$ is not touched by the transmission.

In this case $d(l, l_m) > r$. For the proof to be complete, we have to analyze both the case in which $m$ is not touched by any signal and the case in which there is at least one ongoing transmission touching $m$. Let us first assume $N_1 = m[P]^{c_m}_{l_m,r_m}$. We also know that $T = \emptyset$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume $N_1 = m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}$, with $d(l_m, l_o) \le r_o$ and $c_o = c_m$; moreover, since node $n$ is enabled to transmit, we also know that $d(l, l_o) > r_o$ and $T = (l_o, r_o, c_o)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. Similarly to what happens with the RS, the two cases above prove that the LTS does not modify the state of node $m$.

The three cases above prove that, similarly to the RS, the LTS does not enforce changes in $N_1$.

Hence, let us examine the behaviour of nodes in $R$. As far as we know, a node $m$ is in $R$ if it is both synchronized on the transmission channel (i.e., $c$) and performing an input operation (i.e., it is either ready to receive or currently receiving an incoming signal).

• $m[\mathrm{in}(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;


Let us first analyze the case in which $m$ is not touched by any other transmission; for this we assume $N_1 = \emptyset$, since we already proved that nodes in $N_1$ are not modified. We also know that $T = \emptyset$. In this case, Lemma 3 states that the RS makes node $m$ switch to the state $m[(x).P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. We know that $T = (l_o, r_o, c_o)$. In this case, Lemma 3 states that the RS makes node $m$ remain in the same state. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. These two cases prove that, in this case, both the RS and the LTS enforce the same behaviour on node $m$.

• $m[(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

For $m$ to be $m[(x).P_m]^{c}_{l_m,r_m}$, it has to be touched by one and only one transmission. Hence, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. We know that $T = (l_o, r_o, c_o)$. In this case, Lemma 3 states that the RS makes node $m$ switch to state $m[\bot/x.P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\mathrm{out}\langle v\rangle.P]^{c}_{l,r} \mid m[(x).P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\bot/x.P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In this case both the RS and the LTS enforce the same behaviour on node $m$.

The fact that both the LTS and the RS enforce the same behaviour for node $m$, for every possible state that it may assume, contradicts the hypothesis and proves this assertion.

The cases shown so far show that for each labelled transition that applies to the network there is a corresponding reduction that applies, and that the two semantics make each single node evolve to the same state. By the first part of this lemma we know that, for each


network, applications of structural congruence do not change the possible transitions; hence, we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.

(b) Let us consider the case of the end of transmission.

(b.1): By Lemma 4 we know that

\[
N \equiv (\nu\tilde c)\bigl(\,(n[\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1\,\bigr)
\]

\[
N' \equiv (\nu\tilde c)\bigl(\,(n[P]^{c}_{l,r} \mid \langle\!| R |\!\rangle_v) \mid N_1\,\bigr)
\]

where $R$ is the subsystem composed of the actual receivers that are touched by the transmission that is going to begin, $N_1$ is the subsystem composed of both the nodes that are not touched by that transmission and the ones that are touched by the signal but would not react to it, and $\langle\!| R |\!\rangle_v$ is the system $R$ that has been touched by the transmission beginning and has subsequently been normalized. We also know that $c \notin \tilde c$.

To prove the implication we have to show (i) that, according to the LTS, node $n$ is enabled to terminate the transmission, and (ii) that the LTS makes system $N$ become a system $N''$ that is structurally congruent to $N'$.

First, by rule NS-OUTend, we know that there are no conditions preventing a transmitter from ending a current transmission; hence, if the reduction semantics makes it possible to terminate a transmission, then the LTS also enables the end of that transmission.

Secondly, since neither the LTS nor the RS has rules that create or destroy wireless nodes, the transition occurring cannot imply any change within the system except for the state of the transmitter and the nodes touched by the signal. Therefore, it remains to show that, for each possible node $m$ in $R$ or in $N_1$, both the LTS and the RS enforce the same state transition.

As regards a generic node in $N_1$, it is straightforward to verify that the proof is similar to the previous case: since the transmission does not reach the nodes outside the cell, all the nodes in $N_1$ are unaffected in both semantics. Hence, we only show the cases in which

Hence, let us examine the behaviour of nodes in $R$. As far as we know, a node $m$ is in $R$ if it is both synchronized on the transmission channel (i.e., $c$) and performing an input operation (i.e., it is either ready to receive or currently receiving an incoming signal).

• $m[\mathrm{in}(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

Let us first analyze the case in which $m$ is not touched by any other transmission, which corresponds to the assumption $N_1 = \emptyset$. In this case, Lemma 4 states that the reduction semantics makes node $m$ switch to the state $m[(x).P_m]^{c}_{l_m,r_m}$. We know that $T = (l, r, c)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m}\,)
\]


performs the action and becomes

\[
(\nu\tilde c)\,(\,n[P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. In this case, Lemma 4 states that the reduction semantics makes node $m$ remain in the same state. We know that $T = (l_o, r_o, c_o), (l, r, c)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m} \mid o[\langle v_o\rangle.P_o]^{c_o}_{l_o,r_o}\,)
\]

In case of multiple transmissions touching node $m$, it is straightforward to show that $m$ would switch to the same state. These two cases prove that, in this case, both the RS and the LTS enforce the same behaviour on node $m$.

• $m[(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

For $m$ to be $m[(x).P_m]^{c}_{l_m,r_m}$, it has to be touched by one and only one transmission. In this case, since $m \in R$, we know that $m$ is receiving the transmission being performed by node $n$. In this case we can assume $N_1$ to be empty. Moreover, we know that $T = (l, r, c)$. In this case, Lemma 4 states that the RS makes node $m$ switch to state $m[v/x.P_m]^{c}_{l_m,r_m}$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[P]^{c}_{l,r} \mid m[v/x.P_m]^{c_m}_{l_m,r_m}\,)
\]

In this case both the RS and the LTS describe the same behaviour for node $m$.

The cases shown so far show that for each reduction that applies to the network there is a corresponding labelled transition that applies, and that the two semantics make each single node evolve to the same state. By the first part of this lemma we know that, for each network, applications of structural congruence do not change the possible transitions; hence, we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.
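As an added example that is not part of the thesis (the Python classes, the state names, the constructed node layout and the function names are our own; only the rule names NS-OUTbegin and NS-OUTend and the receiver states in(x).P, (x).P, ⊥/x.P and v/x.P come from the text above), the script below executes the per-node state updates that cases (a) and (b) check by hand: the carrier-sense condition of NS-OUTbegin, the promotion of a listening receiver to (x).P, the ⊥ binding when a second signal reaches a receiver that is already receiving, and the v/x binding on NS-OUTend.

```python
from dataclasses import dataclass
from math import dist
from typing import Optional

BOTTOM = "⊥"  # value a receiver binds to x when a second signal hits it (⊥/x.P)


@dataclass
class Node:
    """A wireless node n[P]^c_{l,r}: location l, range r, channel c, and the
    head of its process P encoded as a small state machine (our encoding)."""
    name: str
    loc: tuple[float, float]
    radius: float
    channel: str
    state: str                     # "out": out<v>.P  "tx": <v>.P  "in": in(x).P
                                   # "rx": (x).P  "tau": tau_act.P  "done": P
    value: Optional[str] = None    # v, the value an out<v>.P node will send
    source: Optional[str] = None   # transmitter an "rx" node is listening to
    bound: Optional[str] = None    # what a finished receiver bound to x


class Network:
    """The nodes plus T, the set of transmitters whose signal is on air."""

    def __init__(self, nodes: list[Node]) -> None:
        self.nodes = {n.name: n for n in nodes}
        self.on_air: set[str] = set()  # T, kept as transmitter names

    def touched(self, m: Node, t: Node) -> bool:
        """m is touched by t's signal: same channel and d(l_t, l_m) <= r_t."""
        return m is not t and m.channel == t.channel and dist(t.loc, m.loc) <= t.radius

    def touching(self, m: Node) -> list[Node]:
        """On-air transmitters whose signal reaches m (T restricted to l_m, c_m)."""
        return [self.nodes[t] for t in self.on_air if self.touched(m, self.nodes[t])]

    def begin(self, name: str) -> bool:
        """NS-OUTbegin: n may start only if no other on-air signal on its channel
        reaches l (T restricted to l, c, minus n's own signal, is empty)."""
        n = self.nodes[name]
        if n.state != "out" or self.touching(n):
            return False
        for m in self.nodes.values():
            if not self.touched(m, n):
                continue                           # m is in N1: out of the cell
            already = self.touching(m)             # signals on m before n starts
            if m.state == "in" and not already:
                m.state, m.source = "rx", name     # in(x).P -> (x).P, listening to n
            elif m.state == "rx":
                m.state, m.bound = "done", BOTTOM  # (x).P under a 2nd signal -> ⊥/x.P
            # in(x).P already under interference, or a tau_act node: unchanged
        n.state = "tx"
        self.on_air.add(name)
        return True

    def end(self, name: str) -> bool:
        """NS-OUTend: nothing prevents a transmitter from finishing."""
        n = self.nodes[name]
        if n.state != "tx":
            return False
        for m in self.nodes.values():
            if self.touched(m, n) and m.state == "rx" and m.source == name:
                m.state, m.bound = "done", n.value  # (x).P -> v/x.P
            # in(x).P under interference stays in(x).P; ⊥ receivers stay ⊥
        n.state = "done"
        self.on_air.discard(name)
        return True


def _cell() -> Network:
    """Constructed layout: n and o both reach m, but neither reaches the other;
    q sits inside n's cell on the same channel; p is out of everyone's range."""
    return Network([
        Node("n", (0.0, 0.0), 10.0, "c", "out", value="hello"),
        Node("q", (5.0, 0.0), 10.0, "c", "out", value="late"),
        Node("m", (8.0, 0.0), 10.0, "c", "in"),
        Node("o", (16.0, 0.0), 10.0, "c", "out", value="noise"),
        Node("p", (40.0, 0.0), 10.0, "c", "in"),
    ])


def clean_delivery() -> Optional[str]:
    """n sends alone: m binds x to v, while p, out of range, stays in(x).P."""
    net = _cell()
    net.begin("n")
    net.end("n")
    assert net.nodes["p"].state == "in"
    return net.nodes["m"].bound               # "hello"


def collision() -> Optional[str]:
    """o is already on air at m when n starts: m's (x).P becomes ⊥/x.P and
    neither transmitter's end can repair it."""
    net = _cell()
    net.begin("o")                            # m: in(x).P -> (x).P, bound to o
    net.begin("n")                            # allowed: o's signal stops short of l_n
    net.end("o")
    net.end("n")
    return net.nodes["m"].bound               # "⊥"


def blocked_by_carrier_sense() -> bool:
    """q is inside n's cell on channel c: NS-OUTbegin refuses q while n is on air."""
    net = _cell()
    net.begin("n")
    return net.begin("q")                     # False
```

The three scenario functions reproduce the three outcomes the proof distinguishes: an isolated receiver binds v, a receiver caught between two cells binds ⊥ and keeps it after both transmitters finish, and a transmitter inside an active cell on the same channel is refused. The model has no process evolution (no node advances past the process head it starts with), so the case of a listener that is already under interference when a new transmission starts is not exercised here; the corresponding branch is kept only to mirror the proof.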

(b.2): This proof is addressed by contradiction.

i. ∄ E1, E2, c′, l′, N′′ s.t. N > E1 −→c_{l,r} E2 Â* º N′′.

It is straightforward to see that this case is not possible; in fact, both the RS and the LTS enable the termination of a transmission without further conditions. This means that, once a transmission has begun, its termination is guaranteed to happen exactly when it is intended to.


ii. ∃ E1, E2, c, l′, N′′′ s.t. N > E1 −→c_{l,r} E2 Â* º N′′′ ⇒ N′′′ ≢ N′.

If the transition occurs, then by Lemma 4 we know that $\exists\, N'', E_1, E_2, c', l', N'''$ such that

\[
N \equiv N'' = (\nu\tilde c)\bigl(\,(n[\langle v\rangle.P]^{c}_{l,r} \mid R) \mid N_1\,\bigr)
\]

\[
N''' \equiv (\nu\tilde c)\bigl(\,(n[P]^{c}_{l,r} \mid \langle\!| R |\!\rangle_v) \mid N_1\,\bigr)
\]

where $R$ is the subsystem composed of the actual receivers that are touched by the ending transmission, $N_1$ is the subsystem composed of both the nodes that were not touched by that transmission and the ones that were touched by the signal while not explicitly receiving, and $\langle\!| R |\!\rangle_v$ is the system $R$ that was touched by the ended transmission and has subsequently been normalized. We also know that $c \notin \tilde c$.

As in the previous case, since neither the LTS nor the RS has rules that create or destroy wireless nodes, the transition occurring cannot imply any change within the system except for the state of the transmitter and the nodes touched by the signal. Hence, there has to be a node $m[P]^{c_m}_{l_m,r_m}$ in $N'$ that is executing a process different from the one it is executing in $N'''$.

Let $m$ be in $N_1$; then Lemma 4 grants us that its internal state does not change. Even in this case, the proof is similar to the one regarding the begin-transmission action. Thus, we only address the part of the proof that regards the nodes in $\tilde R$ for the end-transmission action.

By definition, a node $m$ is in $R$ if it is both synchronized on the transmission channel (i.e., $c$) and performing an input operation (i.e., it is either ready to receive or currently receiving an incoming signal). We then examine each of these cases both in the absence and in the presence of interference.

• $m[\mathrm{in}(x).P_m]^{c}_{l_m,r_m}$ is touched by the transmission and is synchronized on channel $c$;

Let us first analyze the case in which $m$ is not touched by any other transmission, which corresponds to the assumption $N_1 = \emptyset$. In this case, Lemma 4 states that the RS makes node $m$ switch to the state $m[(x).P_m]^{c}_{l_m,r_m}$. We know that $T = (l, r, c)$. Under these conditions, it is straightforward to verify that

\[
(\nu\tilde c)\,(\,n[\langle v\rangle.P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

performs the action and becomes

\[
(\nu\tilde c)\,(\,n[P]^{c}_{l,r} \mid m[\mathrm{in}(x).P_m]^{c_m}_{l_m,r_m}\,)
\]

Second, let us assume node $m$ to be touched by a transmission from node $o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$, which corresponds to the assumption $N_1 = o[\langle v_o\rangle.P_o]^{c}_{l_o,r_o}$ with $c_o = c_m$. In this case, Lemma 4 states that the RS makes node $m$ remain in the same state.


We know that T = (lo, ro, co), (l, r, c). Under these condi-tions, it is straightforward to verify that

(νc) (n [〈v〉.P]cl,r | m [in(x).Pm]

cm

lm,rm| o [〈vo〉.Po]

co

lo,ro)

performs the action and becomes

(νc) (n [P]cl,r | m [in(x).Pm]

cm

lm,rm| o [〈vo〉.Po]

co

lo,ro)

In case of multiple transmissions touching node m, it is straight-forward to show that m would switch to the same state.These two cases prove that, in this case, both the RS and theLTS describe the same behaviour for node m.

• m [(x).Pm]clm,rm

is touched by the transmission and is synchro-nized on channel c;

For m to be m [(x).Pm]clm,rm

, it has to be touched by one andonly one transmission. In this case, since m ∈ R, we knowthat m is receiving the transmission that is being performed bynode n. In this case we can assume N1 to be empty. Moreover,we know that T = (l, r, c) In this case, Lemma 4 states thatRS makes node m b switch to state m [v/x.Pm]

clm,rm

. Underthese conditions, it is straightforward to verify that

(νc) (n [〈v〉.P]cl,r | m [(x).Pm]

cm

lm,rm)

performs the action and becomes

(νc) (n [P]cl,r | m [v/x.Pm]

cm

lm,rm)

In case of multiple transmissions touching node m, it is straight-forward to show that m would switch to the same state.In this case both the RS and the LTS describe the same behav-iour for node m.

The fact that both the LTS and the RS describe the same behaviourfor node m, for every possible state that it assumes, contradictsthe hypothesis and prove this assertion.The cases that we showed so far show that to each labelled tran-sition that applies to the network, there is a corresponding re-duction that applies and that the two semantics make each singlenode evolve to the same state. By the first part of this lemmawe know that, for each network, applications of structural con-gruence do not change the possible transitions; hence, we canconclude that, for each network, the two semantics enable thesame transitions and the networks that are produced are struc-tural equivalent.

(c) Let us consider the case of restricted transmission.

By Lemma 5 we know that we are either in the case of begin transmission, and thus
\[
N \equiv (\nu c)(\nu\tilde{c})\big(\,( n[\mathsf{out}\langle v\rangle.P]^{c}_{l,r} \;|\; R ) \;|\; N_1 \,\big) = (\nu c)\, N_2
\]
\[
N' \equiv (\nu c)(\nu\tilde{c})\big(\,( n[\langle v\rangle.P]^{c}_{l,r} \;|\; \langle\!|R|\!\rangle ) \;|\; N_1 \,\big) = (\nu c)\, N'_2
\]

UBLCS-2006-09 137

Page 140: Global Computing: an Analysis of Trust and Wireless Communications

4 The Extended Harmony Theorem

or in the case of end transmission, and thus
\[
N \equiv (\nu c)(\nu\tilde{c})\big(\,( n[\langle v\rangle.P]^{c}_{l,r} \;|\; R ) \;|\; N_1 \,\big) = (\nu c)\, N_2
\]
\[
N' \equiv (\nu c)(\nu\tilde{c})\big(\,( n[P]^{c}_{l,r} \;|\; \langle\!|R|\!\rangle ) \;|\; N_1 \,\big) = (\nu c)\, N'_2
\]
where $c \notin \tilde{c}$. Hence, if $N$ reduces to $N'$ according to the RS (a reduction whose label is hidden by the restriction on $c$, together with the marking steps that precede it and the unmarking steps that follow it), we know by the previous cases that one of the following statements holds:

i. the reduction of $N_2$ is a begin-transmission step $N_2 \longrightarrow^{c}_{l,r} N'_2$ (with the corresponding marking and unmarking steps) if and only if $T \triangleright N_2 \xrightarrow{c![l,r]} N'_2$;

ii. the reduction of $N_2$ is an end-transmission step $N_2 \longrightarrow^{c}_{l,r} N'_2$ (with the corresponding marking and unmarking steps) if and only if $T \triangleright N_2 \xrightarrow{c!v[l,r]} N'_2$.

We only show the case of the begin transmission event; the other is similar. Since the transmission is performed without the channel restriction according to both the LTS and the RS, the same transmission also occurs when the scope of the channel is restricted for the system. What we have to show is that restricting over the communication channel has the same hiding effect in both transition systems.

(c.1): We know that the RS reduction $N_2 \longrightarrow^{c}_{l,r} N'_2$ (with its marking and unmarking steps) implies $T \triangleright N_2 \xrightarrow{c![l,r]} N'_2$. We have to prove that the RS reduction $(\nu c)N_2 \longrightarrow (\nu c)N'_2$, whose label is hidden by the restriction on $c$, implies $T \triangleright (\nu c)N_2 \xrightarrow{\tau} (\nu c)N'_2$. This is given by the application of rule NS-RES3. The cases shown so far show that to each reduction that applies to the network there is a corresponding labelled transition that applies, and that the two semantics make each single node evolve to the same state. By the first part of this lemma we know that, for each network, applications of structural congruence do not change the possible transitions; hence, we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.

(c.2): We know that $T \triangleright N_2 \xrightarrow{c![l,r]} N'_2$ implies the RS reduction $N_2 \longrightarrow^{c}_{l,r} N'_2$ (with its marking and unmarking steps). We have to prove that $T \triangleright (\nu c)N_2 \xrightarrow{\tau} (\nu c)N'_2$ implies the RS reduction $(\nu c)N_2 \longrightarrow (\nu c)N'_2$ with hidden label. This is given by Lemma 5. The cases shown so far show that to each labelled transition that applies to the network there is a corresponding reduction that applies, and that the two semantics make each single node evolve to the same state. By the first part of this lemma we know that, for each network, applications of structural congruence do not change the possible transitions; hence, we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.

This proves the statement for restricted communication.

(d) Let us consider the internal action.

(d.1): By Lemma 6 we know that
\[
N \equiv (\nu\tilde{c})\big(\, n[\tau_{act}.P]^{c}_{l,r} \;|\; N_1 \,\big) \qquad
N' \equiv (\nu\tilde{c})\big(\, n[P]^{c}_{l,r} \;|\; N_1 \,\big)
\]
where $N_1$ is the subsystem composed of every node but $n$. To prove the implication we have to show that (i) according to the LTS node $n$ is enabled to perform the internal action, and (ii) the LTS makes system $N$ become a system $N''$ which is structurally congruent to $N'$.


First, by rule NS-INVIS, we know that there are no conditions that prevent a node from performing an internal action. As in the previous case, since neither the LTS nor the RS has rules that create or destroy wireless nodes, the transition cannot imply any change within the system except for the state of the transmitter and of the nodes touched by the signal. LTS rules NS-PARr and NS-PARl say that a network in which a node performs an internal action does not affect the state of another network which executes in parallel. On the other hand, Lemma 6 states that, as regards the RS, a node executing an internal action does not change the state of the other nodes in the network. The cases shown so far show that to each reduction that applies to the network there is a corresponding labelled transition that applies, and that the two semantics make each single node evolve to the same state. By the first part of this lemma we know that, for each network, applications of structural congruence do not change the possible transitions; hence, we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.

(d.2): This proof is by contradiction.

i. $\nexists N''$ s.t. $N \longrightarrow N''$.

It is straightforward to see that this case is not possible; in fact, both the RS and the LTS enable the execution of invisible actions without additional conditions. This means that each invisible action is guaranteed to be executed whatever the state of the system is.

ii. $\exists N'''$ s.t. $N \longrightarrow N'''$ and $N''' \not\equiv N'$.

If the transition occurs, then by Lemma 6 we know that there exist $N''$, $N'''$ such that
\[
N \equiv N'' = (\nu\tilde{c})\big(\, n[\tau_{act}.P]^{c}_{l,r} \;|\; N_1 \,\big) \qquad
N''' \equiv (\nu\tilde{c})\big(\, n[P]^{c}_{l,r} \;|\; N_1 \,\big)
\]
where $N_1$ is the subsystem composed of every node but $n$. As in the previous case, since neither the LTS nor the RS rules create or destroy nodes, the action cannot affect the system except for node $n$. Hence, there has to be a node $m[P']^{c_m}_{l_m,r_m}$ in $N'$ that is executing a process different from the one it executes in $N'''$. Lemma 6 states that the RS rules for internal actions do not affect any node of the system but the one performing the action. Let us prove the same for the LTS. Let $N_1$ be composed of a node executing an arbitrary program, $N_1 = m[P_m]^{c_m}_{l_m,r_m}$; then $m$ can be transmitting, receiving or waiting to perform an operation. Hence, $T$ is either equal to $\{(l_m, r_m, c_m)\}$ (if $m$ is currently performing a transmission) or equal to $\emptyset$ (otherwise).
\[
\frac{\tau_{act}.P \xrightarrow{\alpha} P}
     {T \triangleright n[\tau_{act}.P]^{c}_{l,r} \xrightarrow{\tau} n[P]^{c}_{l,r}}\;[\alpha \in @c', \tau]
\]
\[
\frac{T \triangleright n[\tau_{act}.P]^{c}_{l,r} \xrightarrow{\tau} n[P]^{c}_{l,r}}
     {T \triangleright n[\tau_{act}.P]^{c}_{l,r} \;|\; m[P_m]^{c_m}_{l_m,r_m} \xrightarrow{\tau} n[P]^{c}_{l,r} \;|\; m[P_m]^{c_m}_{l_m,r_m}}
\]
Note that the derivation tree above is correct for both $T = \emptyset$ and $T = \{(l_m, r_m, c_m)\}$; hence, this contradicts the hypothesis and proves that the LTS behaves the same as the RS.

The cases shown so far show that to each labelled transition that applies to the network there is a corresponding reduction that applies, and that the two semantics make each single node evolve to the same state. By the first part of this lemma we know that, for each network, applications of structural congruence do not change the possible transitions; hence, we can conclude that, for each network, the two semantics enable the same transitions and the networks that are produced are structurally equivalent.

□

The relevance of the result is the same as for Theorem 1; in fact, the language extensions introduced in this chapter do not modify our results. However, the two extensions provided in this chapter are worth some consideration. Firstly, the handled input is important for the modelling of real-world scenarios. Specifically, in this language we modelled interferences because we consider them an important and novel aspect of wireless computing; however, interferences may imply that some transmitted value is lost and, thus, it is important for each possible receiver of that value to avoid waiting forever for a transmission that has been lost. Hence, having the equivalence proved for the handled input allows the considerations we made about Theorem 1 to be extended to this theorem and to its applications to real-world wireless protocols. Secondly, we introduced restriction. Though it may appear to increase the complexity of our semantics, the manner in which it has been modelled does not increase the complexity of the proofs.

5 Example: The Alternating Bit Protocol
The reliable communication of a stream of data is a common problem in any distributed system scenario; in this section we present a variation of the alternating bit protocol that applies to wireless systems. Reliability is obtained by employing the stop-and-wait technique. We assume the channel to be reliable (i.e., transmitted values are neither lost nor duplicated within the channel); however, transmissions interfering with each other may prevent a reception from succeeding. The name of the protocol refers to the technique employed for obtaining reliability: messages are sent tagged with a sequence number (in this example the bits 0 and 1), which also constitutes the acknowledgement for the associated data message.

In this protocol there are two parties: the sender, which is the node that initially owns the data and becomes the source of the stream, and the replier, which is the node that receives each value of the stream and acknowledges each single piece of received data. Both the sender and the replier operate on the same channel.

The sender works as follows: after having produced a message, it transmits it on the designated channel, tagged with sequence number b, and sets a timer. Then, three possibilities have to be considered:

• the sender waits for the receiver to become ready to receive the stream;

• the sender receives an unexpected acknowledgement, i.e. 1 − b, which is ignored; the last transmitted value is then retransmitted;

• the sender receives the expected acknowledgement b; in this case it is ready to proceed with the transmission of a new value with sequence number 1 − b.

The replier works as follows: after receiving a message tagged with sequence number b, it acknowledges it by sending b back and waits for a new value. Then, the following cases have to be considered:

• the sender is notified of the acknowledgement b of the last received message;

• the replier receives a value with the expected serial number 1 − b; in this case it restarts, transmitting the acknowledgement for the last received value, i.e. 1 − b, and waiting for a new value tagged with sequence number b;

• the replier receives a value tagged with an unexpected serial number, i.e. b, or detects a collision; in this case it restarts, retransmitting the last sent acknowledgement, i.e. b, and waiting for a new value tagged with sequence number 1 − b;

• no data is received before a given time; in this case it restarts with the other sequence number, transmitting the acknowledgement 1 − b and waiting for a new value tagged with sequence number b. This is the behaviour of the timeout handler in the definition of Reply below (Reply〈1 − w〉), and it is what allows the replier to re-synchronize with a sender that expects a different sequence number, as in the first execution case of Sec. 5.2.2.

5.1 Formal description
We now define the sender and the replier processes, which comply with the informal specification above. For the sake of clarity, we assume the existence of two functions: seq(y), which gives the sequence number of a received value, and val(y), which gives the actual value associated with a received one (i.e., removes the sequence number).

The Sender is a node that is willing to synchronize with a Replier on the sequence number $u$, and then implements the alternating bit protocol for transmitting the values $z$.
\[
\mathit{Sender} \stackrel{\mathrm{def}}{=} (z, u)\; n[\,\mathsf{if}\ (z \neq \emptyset)\ \mathsf{then}\ \mathit{SyncSend}\langle z, u\rangle\ \mathsf{else}\ 0\,]^{c}_{l_s,r_s} \tag{16}
\]
SyncSend is a routine which waits for a receiver to be synchronized on the sequence number $w$, then initiates the transmission of the first value of $y$ and calls the routine Send, which implements the transmission of the successive values or, in case a transmitted value is not acknowledged, the retransmission of the last transmitted value. With $y_1$ we denote the first value of the stream $y$ and with $y \setminus y_1$ the remaining stream. In both routines the input is a handled input, written $\mathsf{in}(x) + P$, whose handler $P$ is activated when no value is received within the timeout; for the sender the handler is the inactive process $0$.
\[
\mathit{Sy​ncSend} \stackrel{\mathrm{def}}{=} (y, w)\; \mathsf{in}(x) + 0.\ \mathsf{if}\ (x = w)\ \mathsf{then}\ \mathsf{out}\langle y_1, 1-w\rangle.\mathit{Send}\langle y \setminus y_1, y_1, 1-w\rangle\ \mathsf{else}\ \mathit{SyncSend}\langle y, w\rangle \tag{17}
\]
\[
\begin{array}{l}
\mathit{Send} \stackrel{\mathrm{def}}{=} (y, y_l, w)\; \mathsf{in}(x) + 0.\ \mathsf{if}\ (x = w)\ \mathsf{then} \\
\qquad \mathsf{if}\ (y \neq \emptyset)\ \mathsf{then}\ \mathsf{out}\langle y_1, 1-w\rangle.\mathit{Send}\langle y \setminus y_1, y_1, 1-w\rangle\ \mathsf{else}\ 0 \\
\quad \mathsf{else}\ \mathsf{out}\langle y_l, w\rangle.\mathit{Send}\langle y, y_l, w\rangle
\end{array}
\]
The Replier is a node that is willing to synchronize with a Sender on a sequence number, and then implements the alternating bit protocol for receiving the values the Sender is willing to transmit.
\[
\mathit{Replier} \stackrel{\mathrm{def}}{=} (x)\; m[\,\mathit{Reply}\langle x\rangle\,]^{c}_{l_r,r_r} \tag{18}
\]
The Reply routine is employed first for synchronizing with the Sender, then for receiving the transmitted values and replying with the associated acknowledgements. Its input handler, $\mathit{Reply}\langle 1-w\rangle$, restarts the routine with the other sequence number when nothing is received within the timeout.
\[
\mathit{Reply} \stackrel{\mathrm{def}}{=} (w)\; \mathsf{out}\langle w\rangle.\mathsf{in}(y) + \mathit{Reply}\langle 1-w\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 1-w)\ \mathsf{then}\ \mathit{Reply}\langle 1-w\rangle\ \mathsf{else}\ \mathit{Reply}\langle w\rangle
\]
The system that we are going to examine is the parallel composition of the Sender and the Replier.
\[
\mathit{System} \stackrel{\mathrm{def}}{=} \mathit{Sender}\langle v, 1\rangle \;|\; \mathit{Replier}\langle 1\rangle \tag{19}
\]


5.2 Execution Cases
In order to show that the protocol implements reliable communication of data streams, we show the possible execution cases. We first show an execution scenario in which all the single transmissions are successful. Secondly, we show the possible cases in which a transmission may fail; in these cases the protocol triggers the retransmission of the last piece of sent data. For all execution traces, we assume the system below.
\[
S \stackrel{\mathrm{def}}{=} n[\,\mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r} \tag{20}
\]

5.2.1 Execution in Absence of Collisions
At the beginning, the sender is waiting to synchronize with the receiver on a serial number to employ for transmitting the data stream. The sender will initiate the transmission only if the received value corresponds to the expected one. In this case the data stream can be sent, because the sender is waiting to receive 1 and the receiver sends 1. After that transmission the system evolves into the system below.
\[
\begin{array}{ll}
S_1 \equiv & n[\,\mathsf{if}\ (1 = 1)\ \mathsf{then}\ \mathsf{out}\langle \mathit{hi}, 1-1\rangle.\mathit{Send}\langle [\mathit{World!}], \mathit{hi}, 1-1\rangle\ \mathsf{else}\ \mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\mathsf{in}(y) + \mathit{Reply}\langle 1-1\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 1-1)\ \mathsf{then}\ \mathit{Reply}\langle 1-1\rangle\ \mathsf{else}\ \mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r}
\end{array} \tag{21}
\]
Then, since the two devices are synchronized on the same sequence number (i.e., 1), the sender proceeds by sending the first value associated with a new serial number. Equation (22) describes the system before the transmission. Equation (23) describes the system after the transmission; here the replier, which received a value associated with the expected serial number (i.e., 0), is ready to acknowledge the received value and obtain a new one.
\[
\begin{array}{ll}
S_2 \equiv & n[\,\mathsf{out}\langle \mathit{hi}, 0\rangle.\mathit{Send}\langle [\mathit{World!}], \mathit{hi}, 0\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\mathsf{in}(y) + \mathit{Reply}\langle 0\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 0)\ \mathsf{then}\ \mathit{Reply}\langle 0\rangle\ \mathsf{else}\ \mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r}
\end{array} \tag{22}
\]
\[
S_3 \equiv n[\,\mathit{Send}\langle [\mathit{World!}], \mathit{hi}, 0\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \tag{23}
\]
Now both the sender and the receiver are synchronized on the same serial number (i.e., 0). In the absence of collisions, the second value will be transmitted in the same manner.

5.2.2 Execution in Presence of Collisions
In the execution of this alternating bit protocol there are three receptions that can fail because of interferences: the reception of the value in the SyncSend and in the Send routines, and the reception of the stream value in the Reply routine. We examine each of these three cases separately, in the order in which they are mentioned above.

To examine the system behaviour in the presence of interferences, we examine the possible executions of system $S$ when a transmitter $o[\,\mathsf{out}\langle v\rangle\,]^{c}_{l_o,r_o}$ executes in parallel with the Sender and the Replier. Depending on when node $o$ executes its transmission, one of the three interferences is triggered.
\[
S' \stackrel{\mathrm{def}}{=} n[\,\mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r} \;|\; o[\,\mathsf{out}\langle v\rangle\,]^{c}_{l_o,r_o} \tag{24}
\]
First Case. As in the previous case, when the execution begins the Sender and the Replier agree on the first sequence number to employ. In this execution case we examine the effect of an interference preventing the Sender from receiving the synchronization message.

When the Replier sends the synchronization message the Sender initiates the reception of the message, and the system becomes as below.


\[
\begin{array}{ll}
S'_1 \equiv & n[\,(x).\ \mathsf{if}\ (x = 1)\ \mathsf{then}\ \mathsf{out}\langle \mathit{hi}, 1-x\rangle.\mathit{Send}\langle [\mathit{World!}], \mathit{hi}, 1-x\rangle\ \mathsf{else}\ \mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\langle 1\rangle.\mathsf{in}(y) + \mathit{Reply}\langle 0\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 0)\ \mathsf{then}\ \mathit{Reply}\langle 0\rangle\ \mathsf{else}\ \mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r} \\
 & |\; o[\,\mathsf{out}\langle v\rangle\,]^{c}_{l_o,r_o}
\end{array} \tag{25}
\]
Let us assume that, during this transmission, node $o$, which is not reached by the Replier's transmission, initiates its transmission, which in turn reaches the Sender. In this case the system evolves into the configuration described below.
\[
\begin{array}{ll}
S'_2 \equiv & n[\,\bot/x.\ \mathsf{if}\ (x = 1)\ \mathsf{then}\ \mathsf{out}\langle \mathit{hi}, 1-x\rangle.\mathit{Send}\langle [\mathit{World!}], \mathit{hi}, 1-x\rangle\ \mathsf{else}\ \mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\langle 1\rangle.\mathsf{in}(y) + \mathit{Reply}\langle 0\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 0)\ \mathsf{then}\ \mathit{Reply}\langle 0\rangle\ \mathsf{else}\ \mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r} \\
 & |\; o[\,\langle v\rangle\,]^{c}_{l_o,r_o}
\end{array} \tag{26}
\]
Now the Sender, which sees that the sequence number agreement failed, returns to the initial state, waiting for a successful synchronization. Then both the Replier and node $o$ terminate their respective transmissions.
\[
\begin{array}{ll}
S'_3 \equiv & n[\,\mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\mathsf{in}(y) + \mathit{Reply}\langle 0\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 0)\ \mathsf{then}\ \mathit{Reply}\langle 0\rangle\ \mathsf{else}\ \mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r} \\
 & |\; o[\,0\,]^{c}_{l_o,r_o}
\end{array} \tag{27}
\]
At this point, since the replier waits for a message that the sender is not sending, the input timeout triggers, forcing the Replier to re-synchronize with the Sender.
\[
S'_4 \equiv n[\,\mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \;|\; o[\,0\,]^{c}_{l_o,r_o} \tag{28}
\]
At this first synchronization attempt, the Replier attempts the synchronization with the sender employing a sequence number (0) different from the one expected by the Sender (1). Hence, the Sender remains listening for another synchronization attempt, while the Replier waits for an incoming message from the sender.
\[
\begin{array}{ll}
S'_5 \equiv & n[\,\mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\mathsf{in}(y) + \mathit{Reply}\langle 1\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 1)\ \mathsf{then}\ \mathit{Reply}\langle 1\rangle\ \mathsf{else}\ \mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \\
 & |\; o[\,0\,]^{c}_{l_o,r_o}
\end{array} \tag{29}
\]
The timeout on the Replier's input makes it evolve and initiate a new synchronization with the sender.
\[
S'_6 \equiv n[\,\mathit{SyncSend}\langle [\mathit{hi}, \mathit{World!}], 1\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r} \;|\; o[\,0\,]^{c}_{l_o,r_o} \tag{30}
\]
This time the two parties agree on the sequence number and the system evolves with the value stream correctly received by the replier.

Second Case. In this case we analyze an interference that prevents the Sender from receiving the Replier's acknowledgement. For this example we start from the system configuration (23), to which we add the interfering transmitter $o[\,\mathsf{out}\langle v\rangle\,]^{c}_{l_o,r_o}$.
\[
S'' \stackrel{\mathrm{def}}{=} n[\,\mathit{Send}\langle [\mathit{World!}], \mathit{hi}, 0\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \;|\; o[\,\mathsf{out}\langle v\rangle\,]^{c}_{l_o,r_o} \tag{31}
\]
As in the above example, we assume that first the Replier and then node $o$ initiate their respective transmissions. In turn, the Sender first initiates the reception of the transmission from the Replier and then, as soon as node $o$ initiates its transmission, it terminates the reception and identifies a collision. At the end of the two transmissions, the system state is as follows:


• since the Sender did not receive the awaited acknowledgement, it proceeds by re-sending the last sent message;

• the Replier awaits the next value in the stream;

• the interfering node $o$ cannot evolve further.

Formally,
\[
\begin{array}{ll}
S''_1 \equiv & n[\,\mathsf{out}\langle \mathit{hi}, 0\rangle.\mathit{Send}\langle [\mathit{World!}], \mathit{hi}, 0\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\mathsf{in}(y) + \mathit{Reply}\langle 1\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 1)\ \mathsf{then}\ \mathit{Reply}\langle 1\rangle\ \mathsf{else}\ \mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \\
 & |\; o[\,0\,]^{c}_{l_o,r_o}
\end{array} \tag{32}
\]
Then the Replier, receiving the transmission from the Sender, recognizes the unexpected sequence number and returns to the state it had in (31). In turn, after the transmission, the Sender goes back to the state it had in (31). From this state, in the absence of additional interferences, the transmission of the value stream succeeds.

Third Case. In this case we analyze an interference that prevents the Reply routine from catching the value transmitted by the Sender.
\[
S''' \stackrel{\mathrm{def}}{=} n[\,\mathit{Send}\langle [\mathit{World!}], \mathit{hi}, 0\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \;|\; o[\,\mathsf{out}\langle v\rangle\,]^{c}_{l_o,r_o} \tag{33}
\]
At the beginning, the Replier sends the acknowledgement to the Sender and then they proceed with the exchange of the stream value. The system is in state (34).
\[
\begin{array}{ll}
S'''_1 \equiv & n[\,\mathsf{out}\langle \mathit{World!}, 1\rangle.\mathit{Send}\langle \emptyset, \mathit{World!}, 1\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\mathsf{in}(y) + \mathit{Reply}\langle 1\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 1)\ \mathsf{then}\ \mathit{Reply}\langle 1\rangle\ \mathsf{else}\ \mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \\
 & |\; o[\,\mathsf{out}\langle v\rangle\,]^{c}_{l_o,r_o}
\end{array} \tag{34}
\]
Now, let us assume that both the Sender and the interfering node $o$ transmit and that these two transmissions collide at the Replier; then the Replier identifies the collision and the system state evolves as below.
\[
S'''_2 \equiv n[\,\mathit{Send}\langle \emptyset, \mathit{World!}, 1\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \;|\; o[\,0\,]^{c}_{l_o,r_o} \tag{35}
\]
Now the Replier re-sends the acknowledgement of the last received value to the Sender which, in turn, identifies the unexpected acknowledgement. The corresponding state is described below.
\[
\begin{array}{ll}
S'''_3 \equiv & n[\,\mathsf{out}\langle \mathit{World!}, 1\rangle.\mathit{Send}\langle \emptyset, \mathit{World!}, 1\rangle\,]^{c}_{l_s,r_s} \\
 & |\; m[\,\mathsf{in}(y) + \mathit{Reply}\langle 1\rangle.\ \mathsf{if}\ (\mathit{seq}(y) = 1)\ \mathsf{then}\ \mathit{Reply}\langle 1\rangle\ \mathsf{else}\ \mathit{Reply}\langle 0\rangle\,]^{c}_{l_r,r_r} \\
 & |\; o[\,0\,]^{c}_{l_o,r_o}
\end{array} \tag{36}
\]
Now the Sender retransmits the last transmitted value. The Replier, catching that transmission, becomes ready to acknowledge it. This completes the reliable transmission of the value stream. The system state is described below.
\[
S'''_4 \equiv n[\,\mathit{Send}\langle \emptyset, \mathit{World!}, 1\rangle\,]^{c}_{l_s,r_s} \;|\; m[\,\mathit{Reply}\langle 1\rangle\,]^{c}_{l_r,r_r} \;|\; o[\,0\,]^{c}_{l_o,r_o} \tag{37}
\]
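To make the definitions of Sec. 5.1 and the three execution cases above concrete, the following Python program is an added example written for this edition; it is not part of the thesis and not an implementation of CWS. The classes Sender and Replier are state machines that follow SyncSend, Send and Reply of (16)-(19) literally; the function run, and its parameters o_reaches and o_slot, are names introduced here. The radio model is an assumption not in the thesis: time is slotted, and within one slot a listening node that hears exactly one frame receives it, one that hears two frames receives ⊥ (a collision), and one that hears nothing for `timeout` consecutive slots runs its input handler (1 slot for the replier, 4 for the sender, since the thesis leaves the instant of handler activation unspecified). Locations and radii are replaced by explicit reachability sets, and the stream [hi, World!] of (20) is the sample input.

```python
"""Slotted simulation of the alternating bit protocol of Sec. 5 (added example).
Assumptions not in the thesis: time is slotted; in one slot a listening node
hears one frame (received), several (BOTTOM) or none; its input handler runs
after `timeout` consecutive empty slots; reachability is given by explicit sets
instead of locations and radii."""

BOTTOM = object()        # the ⊥ a receiver obtains when transmissions collide

def seq(y):              # seq(y) and val(y) of Sec. 5.1; a frame is (value, bit)
    return y[1] if isinstance(y, tuple) else None

def val(y):
    return y[0]

class Node:
    def __init__(self, timeout):
        self.pending = None          # frame to put on the air in the next slot
        self.stopped = False         # the process has become 0
        self.timeout, self.idle = timeout, 0

    def outgoing(self):
        f, self.pending = self.pending, None
        return f

    def listening(self):
        return self.pending is None and not self.stopped

class Sender(Node):
    """Node n running SyncSend<y, w> and then Send<y, y_l, w> (eq. 17)."""

    def __init__(self, stream, w, timeout):
        super().__init__(timeout)
        self.y, self.yl, self.w = list(stream), None, w
        self.syncing, self.gave_up = True, False   # syncing: still in SyncSend

    def receive(self, x):
        self.idle = 0
        if x == self.w:                        # expected ack / sync number
            if self.y:                         # out<y1,1-w>.Send<y\y1,y1,1-w>
                self.yl, self.w = self.y.pop(0), 1 - self.w
                self.pending, self.syncing = (self.yl, self.w), False
            else:                              # stream acknowledged: process 0
                self.stopped = True
        elif not self.syncing:                 # unexpected ack or ⊥ in Send:
            self.pending = (self.yl, self.w)   # out<y_l,w>.Send<y,y_l,w>
        # in SyncSend an unexpected value or ⊥ just re-enters SyncSend<y, w>

    def on_timeout(self):
        self.stopped = self.gave_up = True     # the handler of in(x) + 0 is 0

class Replier(Node):
    """Node m running Reply<w> (Sec. 5.1)."""

    def __init__(self, w, timeout):
        super().__init__(timeout)
        self.w, self.pending = w, w            # Reply<w> starts with out<w>
        self.delivered = []                    # values handed over, in order

    def receive(self, y):
        self.idle = 0
        if y is not BOTTOM and seq(y) == 1 - self.w:   # new value: Reply<1-w>
            self.delivered.append(val(y))
            self.w = 1 - self.w
        self.pending = self.w                           # otherwise Reply<w>

    def on_timeout(self):
        self.w = 1 - self.w                             # handler is Reply<1-w>
        self.pending = self.w

def run(o_reaches=(), o_slot=None, stream=("hi", "World!"), max_slots=50):
    """Run S' of (24): o[out<v>] transmits in slot o_slot to the nodes named in
    o_reaches. Returns what m delivered and how many slots the run took."""
    n, m = Sender(stream, 1, timeout=4), Replier(1, timeout=1)
    nodes = {"n": n, "m": m}
    reach = {"n": {"m"}, "m": {"n"}, "o": set(o_reaches)}
    for t in range(max_slots):
        frames = {k: v.outgoing() for k, v in nodes.items()}
        frames["o"] = "v" if t == o_slot else None
        frames = {k: f for k, f in frames.items() if f is not None}
        for name, node in nodes.items():
            if name in frames or not node.listening():
                continue                               # transmitting, or 0
            heard = [f for src, f in frames.items() if name in reach[src]]
            if len(heard) == 1:
                node.receive(heard[0])
            elif heard:
                node.receive(BOTTOM)                   # collision detected
            else:
                node.idle += 1
                if node.idle >= node.timeout:
                    node.idle = 0
                    node.on_timeout()
        if n.stopped:
            break
    return {"delivered": m.delivered, "slots": t + 1, "gave_up": n.gave_up}
```

Calling run() reproduces Sec. 5.2.1 in five slots. run(o_reaches={"n"}, o_slot=0) is the first case: the sender reads ⊥ instead of the synchronization value, and the replier alternates 0 and 1 on its timeouts, as in (28)-(30), until the sender accepts 1. run(o_reaches={"n"}, o_slot=2) is the second case (acknowledgement lost at the sender) and run(o_reaches={"m"}, o_slot=3) the third (value lost at the replier); in both a single retransmission suffices and no value is delivered twice, because the replier hands a frame over only when its sequence number differs from the last acknowledgement it sent.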


Chapter 10

Considerations

1 Considerations
In this thesis we define a basic calculus of wireless systems and the associated operational semantics (i.e., a reduction semantics and a labelled transition semantics). Defining the semantics has not been an easy task, because of the peculiarities of wireless systems discussed in Sec. 1. We tried hard to follow the approach of standard semantics for handshake and broadcast communication systems; however, this was not possible because of the differences between those systems and wireless ones.

The ways in which interferences may occur depend on the asynchrony and on the broadcast communication model that characterize wireless systems. In order for our semantics to capture all the ways in which interferences may occur, we do not examine atomic transmissions but the change of state between transmission and reception (and vice versa).

The identification of the broadcast recipients and the management of interferences also required both semantics to implement techniques for identifying the nodes reached by each single transmission and for making them evolve according to their internal state and to the possible presence of local interferences. We thus decided to follow two different approaches to the modelling and identification of collisions, both based on the analysis of the notion of event, defined as the beginning or the end of a transmission. These approaches gave rise to two semantics, an RS and an LTS, with very different structures: the RS rules perform the checks on interferences by employing a version of CWS extended with markers and some auxiliary relations, while the LTS rules perform the checks by taking as a parameter the set of transmissions that are in progress within the network.

The main technical result is the correspondence between the two semantics. The complexity of the proof, which lies in the form of the reduction semantics, gives relevance to this result. The result reinforces both semantics; it shows that our intuitions in the modelling of wireless communication systems and in the development of the semantics have been correct. Specifically, given that the RS is much more intuitive, it shows that we have been successful in the development of the LTS. Moreover, this result enables one to employ interchangeably whichever of the two semantics is more appropriate for the task at hand. For instance, the same specification could be evaluated on its own by employing the RS, and then some properties of the system could be verified employing tools developed on the LTS.

Although movement is not currently encoded within CWS, in its current state our calculus is suitable for the description and study of sensor networks, a specific class of wireless networks whose nodes are deployed in fixed locations and are provided with a wireless communication device by means of which they implement distributed protocols.

2 Future Work
The work done so far opens a variety of directions for future work.


First, for enabling the representation of a generic mobile ad-hoc wireless network, the encoding of movement is a key issue. Because of the communication model developed and discussed so far, it may appear quite hard to encode movement while maintaining the fine-grained observation of concurrent transmissions. However, it is worth considering the physical relation between movement and communication. In real settings, for a wireless device to move from one location to another takes a time which depends on the device speed (usually in the order of 100 meters per second); by contrast, the transmission of a value takes a time which depends both on the rate at which the value is sent over the communication medium (in the order of $10^7$ bits per second) and on the speed at which the signal propagates (in the order of $10^8$ meters per second). For instance, consider a transmitter moving at 5 meters per second that transmits a frame of 2000 bytes over a channel with a bandwidth of 2 megabits per second. The transmission alone takes about 0.008 seconds; in that time, the transmitter moves about 4 centimeters from the position in which the transmission started. Hence, a possible solution for encoding movement is to consider the network static during each single transmission action and, after each such action, to recompute each node location. We believe this to be a good approximation for the encoding of movement in the language.

Secondly, for the development of techniques and tools for the verification of properties of wireless systems, it is important to develop behavioural equivalence relations between networks.

Third, it is important for our language to support channel transmission. Channel transmission would enable wireless devices to instantiate and share new channels on which to communicate with each other. It also enables scope extrusion, which will be fundamental in the abstraction of cryptographic channels for the formal analysis of security protocols. In addition, for the modelling and verification of security protocols, cryptographic primitives will also have to be encoded in CWS.

Finally, the encoding of time is fundamental for pursuing system property verification and performance analysis. With time encoded, we will also provide a more precise formalization of the timeout handler for the input operation, implementing a deterministic semantics for the handler activation.


Chapter 11

Conclusions

In this thesis we report our investigation of trusted communications in global computing.

The first important contribution of this thesis is SIR, our reputation model, which is the first one implementing the Socio-Cognitive reputation model, a sociological formalization of the reputation model used within human society. SIR decouples the trust aggregation logic from the trust evaluation criteria and the trust decision criteria. SIR has been designed to be implemented in contexts in which data cannot be centralized. In SIR, each individual locally collects and aggregates the trust information that results from the interactions it engages in. Then, through the exchange of such aggregated information, principals complete their partial views on the global trust information and adapt their own reputations. Thanks to this social approach, SIR is a flexible reputation model that can be employed in any trust context just by tailoring the trust evaluation and decision criteria to the application context. Moreover, SIR meets the three requirements of adaptability, robustness, and scalability, as follows.

adaptability: a truster adapts the reputation of a given trustee according to the interactions experienced with the trustee, to the recommendations obtained from other trusters, to the passing of time, which makes the available trust information obsolete, and to a-posteriori evaluations of the error between the last computed evaluation and the successive interaction;

robustness: each truster evaluates the recommenders according to how closely the recommendations it obtained approximate the trustworthiness shown by the trustee (i.e., associating a good reputation with the recommenders that provide accurate recommendations) and takes this evaluation into account when aggregating the associated recommendations to form the reputation. In this manner, bad recommendations are not considered for reputation computation purposes;

scalability: SIR does not require a fixed amount of trust information to be available for reputation computation. Even in the absence of recommenders, a single truster can implement its own reputation system just by aggregating the trust evaluations obtained from its direct interactions. When recommenders are available, SIR enables the aggregation of recommendations within reputations without requiring the support of globally shared data structures.

The experiments that we performed show that in a highly distributed setting our reputation model behaves as expected and the computed reputations tend to the mathematical ideal described by the equations in Chapter 3. Moreover, the observed use cases (i.e., TAw and rawDonkey) show that, in practical contexts, SIR behaves as expected, providing an efficient technique for referencing trustworthy entities in real settings. In particular, TAw is the first general-purpose extension for integrating naming and directory services with trust-awareness mechanisms. Moreover, rawDonkey integrates the first trust monitoring system which is completely decentralized (i.e., it does not employ distributed data structures for the maintenance of trust information) and employs the locally computed trust information to automatically adapt the execution of the file-sharing protocol so as to optimize content distribution among trustworthy peers.

The second important contribution of this thesis regards our development of two formal semantics for wireless systems. We have developed a calculus for the modelling of wireless systems, provided with a reduction semantics and a labelled transition semantics. Due to the peculiarities of wireless communications, our semantics are sensibly different from the existing semantics found in related contributions in this area. We tried hard to employ the same approach as the available contributions, but those approaches were not satisfactory because we could not find a way to correctly model all the aspects of these communication systems. As a result, the two semantics required the development of novel approaches for describing this communication model. The main contribution of this part is the equivalence proved between the two semantics; this result is important because, given that the reduction semantics is much more intuitive, it firstly proves the correctness of the labelled transition semantics and, secondly, enables one to employ interchangeably whichever of the two semantics is more appropriate for the task at hand.

At present, our semantics describe the wireless communication model but do not encode movement. However, even without movement CWS is adequate for describing sensor networks and the associated protocols. Further encodings of time and movement are possible, as discussed in Sec. 2.

1 Future Works

The initial purpose of this thesis was the study of trusted communications in wireless networks. At present, the current results are not yet integrated together and it may appear that this thesis presents two separate works. It is worth noting that this structure is due to the fact that current contributions in formal methods cannot provide us with tools for the verification of SIR, and this required us to spend additional effort on the development of CWS. However, we plan to proceed further in this direction. First, we aim at providing CWS with a set of tools that can be employed for the verification of properties of wireless systems. Secondly, we aim at encoding our reputation model within CWS.

This encoding will then be employed in the formal verification of the properties of our reputation model, such as, for instance, scalability. Scalability could be proved by showing that, in a wireless system in which each device has only a partial view (i.e., a fixed transmission cell) of the global communication system, it can always manage to approximate the reputation of the other devices in the system with a speed that depends on the size of the cell but does not depend on the specific execution trace.

Generally, our idea is to provide a comprehensive framework for the specification and analysis of peer-to-peer reputation systems in which trust information is decentralized and is exchanged employing the wireless communication model. However, this work requires a considerable amount of further effort that is far beyond the scope of this thesis.
