-
Relaxed Choices in Bottom-Up Asynchronous Multiparty Session Types
Authors:
Ivan Prokić,
Simona Prokić,
Silvia Ghilezan,
Alceste Scalas,
Nobuko Yoshida
Abstract:
Asynchronous multiparty session types provide a formal model for expressing the behaviour of communicating processes and verifying that they correctly implement desired protocols. In the ``bottom-up'' approach to session typing, local session types are specified directly, and the properties of their composition (e.g. deadlock freedom and liveness) are checked and transferred to well-typed processes. This method allows expressing and verifying a broad range of protocols, but still has a key limitation: it only supports protocols where every send/receive operation is directed towards strictly one recipient/sender at a time. This makes the technique too restrictive for modelling some classes of protocols, e.g. those used in the field of federated learning.
This paper improves the session typing theory by extending the asynchronous ``bottom-up'' approach to support protocols where a participant can choose to send or receive messages to/from multiple other participants at the same time, rather than just one at a time. We demonstrate how this extension enables the modeling and verification of real-world protocols, including some used in federated learning. Furthermore, we introduce and formally prove safety, deadlock-freedom, liveness, and session fidelity properties for our session typing system, revealing interesting dependencies between these properties in the presence of a subtyping relation.
Submitted 29 April, 2025;
originally announced April 2025.
-
Correct orchestration of Federated Learning generic algorithms: formalisation and verification in CSP
Authors:
Ivan Prokić,
Silvia Ghilezan,
Simona Kašterović,
Miroslav Popovic,
Marko Popovic,
Ivan Kaštelan
Abstract:
Federated learning (FL) is a machine learning setting where clients keep the training data decentralised and collaboratively train a model either under the coordination of a central server (centralised FL) or in a peer-to-peer network (decentralised FL). Correct orchestration is one of the main challenges. In this paper, we formally verify the correctness of two generic FL algorithms, a centralised and a decentralised one, using the CSP process calculus and the PAT model checker. The CSP models consist of CSP processes corresponding to generic FL algorithm instances. PAT automatically proves the correctness of the two generic FL algorithms by proving their deadlock freeness (safety property) and successful termination (liveness property). The CSP models are constructed bottom-up by hand as a faithful representation of the real Python code and are automatically checked top-down by PAT.
Submitted 26 June, 2023;
originally announced June 2023.
-
Precise Subtyping for Asynchronous Multiparty Sessions
Authors:
Silvia Ghilezan,
Jovanka Pantović,
Ivan Prokić,
Alceste Scalas,
Nobuko Yoshida
Abstract:
This paper presents the first formalisation of the precise subtyping relation for asynchronous multiparty sessions. We show that our subtyping relation is sound (i.e., guarantees safe process replacement) and also complete: any extension of the relation is unsound. To achieve our results, we develop a novel session decomposition technique, from full session types (including internal/external choices) into single input/output session trees (without choices). Previous work studies precise subtyping for binary sessions (with just two participants), or multiparty sessions (with any number of participants) and synchronous interaction. Here, we cover multiparty sessions with asynchronous interaction, where messages are transmitted via FIFO queues (as in the TCP/IP protocol), and prove that our subtyping is both operationally and denotationally precise. In the asynchronous multiparty setting, finding the precise subtyping relation is a highly complex task: this is because, under some conditions, participants can permute the order of their inputs and outputs, by sending some messages earlier or receiving some later, without causing errors; the precise subtyping relation must capture all such valid permutations -- and consequently, its formalisation, reasoning and proofs become challenging. Our session decomposition technique overcomes this complexity, expressing the subtyping relation as a composition of refinement relations between single input/output trees, and providing a simple reasoning principle for asynchronous message optimisations.
Submitted 26 October, 2020;
originally announced October 2020.
-
The Cpi-calculus: a Model for Confidential Name Passing
Authors:
Ivan Prokić
Abstract:
Sharing confidential information in distributed systems is a necessity in many applications; however, it opens the problem of controlling information sharing even among trusted parties. In this paper, we present a formal model in which dissemination of information is disabled at the level of the syntax in a direct way. We introduce a subcalculus of the pi-calculus in which channels are considered as confidential information. The only difference with respect to the pi-calculus is that channels, once received, cannot be forwarded later on. By means of examples, we give an initial idea of how some privacy notions already studied in the past, such as group creation and name hiding, can be represented without any additional language constructs. We also present an encoding of the (sum-free) pi-calculus in our calculus.
Submitted 12 September, 2019; v1 submitted 26 February, 2019;
originally announced February 2019.
-
A Calculus for Modeling Floating Authorizations
Authors:
Jovanka Pantovic,
Ivan Prokic,
Hugo Torres Vieira
Abstract:
Controlling resource usage in distributed systems is a challenging task given the dynamics involved in access granting. Consider, for instance, the setting of floating licenses where access can be granted if the request originates in a licensed domain and the number of active users is within the license limits, and where licenses can be interchanged. Access granting in such scenarios is given in terms of floating authorizations, addressed in this paper as first class entities of a process calculus model, encompassing the notions of domain, accounting and delegation. We present the operational semantics of the model in two equivalent alternative ways, each informing on the specific nature of authorizations. We also introduce a typing discipline to single out systems that never get stuck due to lacking authorizations, addressing configurations where authorization assignment is not statically prescribed in the system specification.
Submitted 16 February, 2018;
originally announced February 2018.