Ken Mano

On Formal Modeling of Agent Computations

This paper describes a comparative study of three formal methods for modeling and validating agent systems. The study is part of a joint project by researchers in MIT’s Theory of Distributed Systems research group and NTT’s Cooperative Computing research group. Our goal is to establish a mathematical and linguistic foundation for describing and reasoning about agent-style systems.

Role Interchange for Anonymity and Privacy of Voting

We propose a new information-hiding property called role interchangeability for the verification of the anonymity and privacy of security protocols. First, we formally specify the new property in multi-agent systems, and describe its relationship with known anonymity properties that are also defined in multi-agent systems. Moreover, we define privacy in a way that is symmetric with anonymity, and show that exploiting this symmetry is useful for deriving anonymity and privacy from role interchangeability. Next, we show a way of verifying the new property. We show that role interchangeability in a multiagent system is characterized by the existence of role-interchange functions on the set of traces corresponding to the system. In addition, a simulation proof method is presented to prove the existence of the functions for a protocol described as an automaton. Finally, as a case study, we apply our method to the formal verification of the FOO electronic voting protocol.

Pseudonym exchange for privacy-preserving publishing of trajectory data set

Anonymization is a common technique for publishing a location data set in a privacy-preserving way. However, such an anonymized data set lacks trajectory information of users, which could be beneficial to many location-based analytic services. In this paper, we present a dynamic pseudonym scheme for constructing alternate possible paths of mobile users to protect their location privacy. We introduce a formal definition of location privacy for pseudonym-based location data sets and develop a polynomial-time verification algorithm for determining whether each user in a given location data set has sufficient number of possible paths to disguise the users true movements. We also provide the correctness proof of the algorithm.

On Backward-Style Anonymity Verification

Many Internet services and protocols should guarantee anonymity; for example, an electronic voting system should guarantee to prevent the disclosure of who voted for which candidate. To prove trace anonymity, which is an extension of the formulation of anonymity by Schneider and Sidiropoulos, this paper presents an inductive method based on backward anonymous simulations. We show that the existence of an image-finite backward anonymous simulation implies trace anonymity. We also demonstrate the anonymity verification of an e-voting protocol (the FOO protocol) with our backward anonymous simulation technique. When proving the trace anonymity, this paper employs a computer-assisted verification tool based on a theorem prover.

Privacy-Preserving Publishing of Pseudonym-Based Trajectory Location Data Set

Anonymization is a common technique for publishing a location data set in a privacy-preserving way. However, such an anonymized data set lacks trajectory information of users, which could be beneficial to many location-based analytic services. In this paper, we present a dynamic pseudonym scheme for constructing alternate possible paths of mobile users to protect their location privacy. We introduce a formal definition of location privacy for pseudonym-based location data sets and develop a polynomial-time verification algorithm for determining whether each user in a given location data set has sufficient number of possible paths to disguise the users true movements. We also provide the correctness proof of the algorithm.

The Nepi2 Programming System: A pi-Calculus-Based Approach to Agent-Based Programming

We introduce a programming system Nepi2, which is based on a process algebraic framework called the π-calculus. The Nepi2 system supports programmers who wish to construct communicating software or agents. In this paper, we demonstrate programming in Nepi2. First, we write a metacircular interpreter, which enables the construction of a mobile agent framework. We then construct an entity for mobile agent systems, which is called a place agent. Finally, we give an example concerning an electronic marketplace.

The Nepi network programming system: a programming environment for distributed systems

The /spl pi/-calculus is a formal system to analyze distributed systems. This work provides a /spl pi/-calculus-based network programming system Nepi, which enables us to execute a formula of the /spl pi/-calculus as a real communicating program in a network. After introducing the Nepi language and its implementation, we show a programming example in Nepi. We also discuss an efficient programming style of Nepi and applicability of Nepi to symmetric systems.

Unique Normal Form Property of Higher-Order Rewriting Systems

Within the framework of Higher-Order Rewriting Systems proposed by van Oostrom, a sufficient condition for the unique normal form property is presented. This requires neither left-linearity nor termination of the system.

On Safety of Pseudonym-Based Location Data in the Context of Constraint Satisfation Problems

Pseudonymization is a promising technique for publishing a trajectory location data set in a privacy-preserving way. However, it is not trivial to determine whether a given data set is safely publishable against an adversary with partial knowledge about users’ movements. We therefore formulate this safety decision problem based on the framework of constraint satisfaction problems (CSPs) and evaluate its performance with a real location data set. We show that our approach with an existing CSP solver outperforms a polynomial-time verification algorithm, which is designed particularly for this safety problem.

Trust Trust Me (The Additivity)

We present a mathematical formulation of a trust metric using a quality and quantity pair. Under a certain assumption, we regard trust as an additive value and define the soundness of a trust computation as not to exceed the total sum. Moreover, we point out the importance of not only soundness of each computed trust but also the stability of the trust computation procedure against changes in trust value assignment. In this setting, we define trust composition operators. We also propose a trust computation protocol and prove its soundness and stability using the operators.