@string{brics =	"{BRICS}"}
@string{daimi =	"Department of Computer Science, University of Aarhus"}
@string{iesd  =	"Department of Computer Science, Institute
of Electronic Systems, Aalborg University"}
@string{rs    =	"Research Series"}
@string{ns    =	"Notes Series"}
@string{ls    =	"Lecture Series"}
@string{ds    =	"Dissertation Series"}

@techreport{BRICS-DS-03-14,
author = 	 "Varacca, Daniele",
title = 	 "Probability, Nondeterminism and Concurrency:
Two Denotational Models for Probabilistic
Computation",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-14",
month = 	 nov,
note = 	 "PhD thesis. xii+163~pp",
comment = 	 "Defence: November~24, 2003 ",
abstract = 	 "Nondeterminism is modelled in domain theory by
the notion of a powerdomain, while probability
is modelled by that of the probabilistic
powerdomain. Some problems arise when we want
to combine them in order to model computation
in which both nondeterminism and probability
are present. In particular there is no
categorical {\em distributive law} between
them. We introduce the {\em powerdomain of
indexed valuations} which modifies the usual
probabilistic powerdomain to take more detailed
account of where probabilistic choices are
made. We show the existence of a distributive
law between the powerdomain of indexed
valuations and the nondeterministic
powerdomain. By means of an equational theory
we give an alternative characterisation of
indexed valuations and the distributive law. We
study the relation between valuations and
indexed valuations. Finally we use indexed
valuations to give a semantics to a programming
language. This semantics reveals the
computational intuition lying behind the
mathematics.\bibpar

In the second part of the thesis we provide an
operational reading of continuous valuations on
certain domains (the distributive concrete
domains of Kahn and Plotkin) through the model
of {\em probabilistic event structures}. Event
structures are a model for concurrent
computation that account for causal relations
between events. We propose a way of adding
probabilities to confusion free event
structures, defining the notion of
probabilistic event structure. This leads to
various ideas of a run for probabilistic event
structures. We show a confluence theorem for
such runs. Configurations of a confusion free
event structure form a distributive concrete
domain. We give a representation theorem which
characterises completely the powerdomain of
valuations of such concrete domains in terms of
probabilistic event structures.",
}

@techreport{BRICS-DS-03-13,
author = 	 "Nygaard, Mikkel",
title = 	 "Domain Theory for Concurrency",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-13",
month = 	 nov,
note = 	 "PhD thesis. xiii+161~pp",
comment = 	 "Defence: November~21, 2003",
abstract = 	 "Concurrent computation can be given an
abstract mathematical treatment very similar to
that provided for sequential computation by
domain theory and denotational semantics of
Scott and Strachey. \bibpar
A simple domain theory for concurrency is
presented. Based on a categorical model of
linear logic and associated comonads, it
highlights the role of linearity in concurrent
computation. Two choices of comonad yield two
expressive metalanguages for higher-order
processes, both arising from canonical
constructions in the model. Their denotational
semantics are fully abstract with respect to
contextual equivalence. \bibpar
One language, called HOPLA for Higher-Order
Process LAnguage, derives from an exponential
of linear logic. It can be viewed as an
extension of the simply-typed lambda calculus
with CCS-like nondeterministic sum and prefix
operations, in which types express the form of
computation path of which a process is capable.
HOPLA can directly encode calculi like CCS, CCS
with process passing, and mobile ambients with
public names, and it can be given a
straightforward operational semantics
supporting a standard bisimulation congruence.
The denotational and operational semantics are
related with simple proofs of soundness and
adequacy. Full abstraction implies that
contextual equivalence coincides with logical
equivalence for a fragment of Hennessy-Milner
logic, linking up with simulation equivalence.
\bibpar
The other language is called Affine HOPLA and
is based on a weakening comonad that yields a
model of affine-linear logic. This language
adds to HOPLA an interesting tensor operation
at the price of linearity constraints on the
occurrences of variables. The tensor can be
understood as a juxtaposition of independent
processes, and allows Affine HOPLA to encode
processes of the kind found in treatments of
nondeterministic dataflow. \bibpar
The domain theory can be generalised to
presheaf models, providing a more refined
treatment of nondeterministic branching and
supporting notions of bisimulation. The
operational semantics for HOPLA is guided by
the idea that derivations of transitions in the
operational semantics should correspond to
elements of the presheaf denotations. Similar
guidelines lead to an operational semantics for
the first-order fragment of Affine HOPLA. An
extension of the operational semantics to the
full language is based on a stable denotational
semantics which associates to each computation
the minimal input necessary for it. Such a
semantics is provided, based on event
structures; it agrees with the presheaf
semantics at first order and exposes the tensor
operation as a simple parallel composition of
event structures. \bibpar
The categorical model obtained from presheaves
is very rich in structure and points towards
more expressive languages than HOPLA and Affine
HOPLA---in particular concerning extensions to
cover independence models. The thesis concludes
with a discussion of related work towards a
fully fledged domain theory for concurrency.",
}

@techreport{BRICS-DS-03-12,
author = 	 "Oliva, Paulo B.",
title = 	 "Proof Mining in Subsystems of Analysis",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-12",
month = 	 sep,
note = 	 "PhD thesis. xii+198~pp",
comment = 	 "Defence: September~26, 2003",
abstract = 	 "This dissertation studies the use of methods
of proof theory in extracting new information
from proofs in subsystems of classical
analysis. We focus mainly on ineffective
proofs, i.e.\ proofs which make use of
ineffective principles ranging from weak
K{\"o}nig's lemma to full comprehension. The
main contributions of the dissertation can be
divided into four parts:
\begin{enumerate}
\item A discussion of how monotone functional
interpretation provides the right notion of
numerical implication'' in analysis. We
show among other things that monotone
functional interpretation naturally creates
well-studied moduli when applied to various
classes of statements (e.g.\ uniqueness,
convexity, contractivity, continuity and
monotonicity) and that the interpretation of
implications between those statements
corresponds to translations between the
different moduli.
\item A case study in $L_1$-approximation, in
which we analyze Cheney's proof of Jackson's
theorem, concerning uniqueness of the best
approximation, w.r.t.\ $L_1$-norm, of
continuous functions $f \in C[0, 1]$ by
polynomials of bounded degree. The result of
our analysis provides the first effective
modulus of uniqueness for
$L_1$-approximation. Moreover, using this
modulus we give the first complexity analysis
of the sequence of best $L_1$-approximations
for polynomial-time computable functions $f \in C[0, 1]$.
\item A comparison between three different
forms of bar recursion, in which we show
among other things that the type structure of
strongly majorizable functionals is a model
of modified bar recursion, that modified bar
recursion is not S1--S9 computable over the
type structure of total continuous functions
and that modified bar recursion de nes
(primitive recursively, in the sense of
Kleene) Spector's bar recursion.
\item An adaptation of functional
interpretation to handle ine ective proofs in
feasible analysis, which provides the first
modular procedure for extracting
polynomial-time realizers from ineffective
proofs (i.e.\ proofs involving weak
K{\"o}nig's lemma) of $\prod^0_2$-theorems in
feasible analysis.
\end{enumerate}
",
}

@techreport{BRICS-DS-03-11,
author = 	 "Koprowski, Maciej",
title = 	 "Cryptographic Protocols Based on Root
Extracting",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-11",
month = 	 aug,
note = 	 "PhD thesis. xii+138~pp",
comment = 	 "Defence: August~8, 2003",
abstract = 	 "In this thesis we design new cryptographic
protocols, whose security is based on the
hardness of root extracting or more speci cally
the RSA problem. \bibpar
First we study the problem of root extraction
in nite Abelian groups, where the group order
is unknown. This is a natural generalization of
the, heavily employed in modern cryptography,
RSA problem of decrypting RSA ciphertexts. We
examine the complexity of this problem for
generic algorithms, that is, algorithms that
work for any group and do not use any special
properties of the group at hand. We prove an
exponential lower bound on the generic
complexity of root extraction, even if the
algorithm can choose the public exponent''
itself. In other words, both the standard and
the strong RSA assumption are provably true
w.r.t.\ generic algorithms. The results hold
for arbitrary groups, so security
w.r.t.\ generic attacks follows for any
cryptographic construction based on root
extracting. \bibpar
As an example of this, we modify Cramer-Shoup
signature scheme such that it becomes a generic
algorithm. We discuss then implementing it in
RSA groups without the original restriction
that the modulus must be a product of safe
primes. It can also be implemented in class
groups. In all cases, security follows from a
well de ned complexity assumption (the strong
root assumption), without relying on random
oracles. \bibpar
A {\em smooth} natural number has no big prime
factors. The probability, that a random natural
number not greater than $x$ has all prime
factors smaller than $x^{1/u}$ with $u>1$, is
asymptotically close to the Dickman function
$\rho(u)$. By careful analysis of Hildebrand's
asymptotic smoothness results and applying new
techniques, we derive concrete bounds on the
smoothness probabilities assuming the Riemann
hypothesis. We show how our results can be
applied in order to suggest realistic values of
security parameters in Gennaro-Halevi-Rabin
signature scheme. \bibpar
We introduce a modi ed version of Fischlin's
signature scheme where we substitute prime
exponents with random numbers. Equipped with
our exact smoothness bounds, we can compute
concrete sizes of security parameters,
providing a currently acceptable level of
security. \bibpar
This allows us to propose the rst practical
blind signature scheme provably secure, without
relying on heuristics called random oracle
model (ROM). We obtain the protocol for issuing
blind signatures by implementing our modi ed
Fischlin's signing algorithm as a secure
two-party computation. The security of our
scheme assumes the hardness of the strong RSA
problem and decisional composite residuosity.
\bibpar
We discuss a security aw in the e cient
statefull variant of Fischlin's signature
scheme. \bibpar
Next, we introduce a threshold RSA scheme which
is almost as e cient as the fastest previous
threshold RSA scheme (by Shoup), but where two
assumptions needed in Shoup's and in previous
schemes can be dropped, namely that the modulus
must be a product of safe primes and that a
trusted dealer generates the keys. The
robustness (but not the unforgeability) of our
scheme depends on a new intractability
assumption, in addition to security of the
underlying standard RSA scheme. \bibpar
Finally, we propose the concept of ne-grained
forward secure signature schemes, which not
only provides non-repudiation w.r.t. past time
periods the way ordinary forward secure
signature schemes do, but in addition allows
the signer to specify which signatures of the
current time period remain valid in case the
public key needs to be revoked. This is an
important advantage if the signer processes
many signatures per time period as otherwise
the signer would have to re-issue those
signatures (and possibly re-negotiate the
respective messages) with a new key. Apart from
a formal model we present practical
instantiations and prove them secure under the
strong RSA assumption only, i.e., we do not
resort to the random oracle model to prove
security. As a sideresult, we provide an
ordinary forward-secure scheme whose key-update
time is signi cantly smaller than for other
known schemes that do not assume random oracle
model (ROM)."
}

@techreport{BRICS-DS-03-10,
author = 	 "Fehr, Serge",
title = 	 "Secure Multi-Player Protocols: Fundamentals,
Generality, and Efficiency ",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-10",
month = 	 aug,
note = 	 "PhD thesis. xii+125~pp",
comment = 	 "Defence: August~8, 2003 ",
abstract = 	 "While classically cryptography is concerned
with the problem of private communication among
two entities, say {\em players}, in modern
cryptography {\em multi}-player protocols play
an important role. And among these, it is
probably fair to say that {\em secret sharing},
and its stronger version {\em verifiable secret
sharing (VSS)}, as well as {\em multi-party
computation} (MPC) belong to the most appealing
and/or useful ones. The former two are basic
tools to achieve better robustness of
cryptographic schemes against malfunction or
misuse by decentralizing'' the security from
one single to a whole group of individuals
(captured by the term {\em threshold}
cryptography). The latter allows---at least in
principle---to execute {\em any} collaboration
among a group of players in a {\em secure} way
that guarantees the correctness of the outcome
but simultaneously respects the privacy of the
participants.\bibpar
In this work, we study three aspects of secret
sharing, VSS and MPC, which we denote by {\em
fundamentals}, {\em generality}, and {\em
efficiency}. By fundamentals we mean the quest
for understanding {\em why} a protocol works
and is secure in abstract (and hopefully
simple) mathematical terms. By generality we
mean generality with respect to the underlying
mathematical structure, in other words,
minimizing the mathematical {\em axioms}
required to do some task. And efficiency of
course deals with the improvement of protocols
with respect to some meaningful complexity
measure. \bibpar
We briefly summarize our main results. (1) We
give a complete characterization of {\em
black-box} secret sharing in terms of simple
algebraic conditions on the integer sharing
coefficients, and we propose a black-box secret
sharing scheme with minimal expansion factor.
Note that, in contrast to the classical
field-based secret sharing schemes, a black-box
secret sharing scheme allows to share a secret
sampled from an arbitrary Abelian group and
requires only black-box access to the group
operations and to random group elements. Such a
scheme may be very useful in the construction
of threshold cryptosystems based on groups with
secret order (like~RSA). (2) We show that
without loss of efficiency, MPC can be based on
arbitrary finite rings. This is in sharp
contrast to the literature where essentially
all MPC protocols require a much stronger
mathematical structure, namely a field. Apart
from its theoretical value, this can lead to
efficiency improvements since it allows a
greater freedom in the (mathematical)
representation of the task that needs to be
securely executed. (3) We propose a unified
treatment of perfectly secure linear VSS and
distributed commitments (a weaker version of
the former), and we show that the security of
such a scheme can be reduced to a linear
algebra condition. The security of all known
schemes follows as corollaries whose proofs are
pure linear algebra arguments, in contrast to
some hybrid arguments used in the literature.
(4) We construct a new unconditionally secure
VSS scheme with minimized reconstruction
complexity in the setting of a dishonest
minority. This improves on the reconstruction
complexity of the previously best known scheme
without affecting the (asymptotic) complexity
of the sharing phase. In the context of MPC
with {\em pre-processing}, our scheme allows to
improve the computation phase of earlier
protocols without increasing the complexity of
the pre-processing. (5) Finally, we consider
{\em commitment multiplication proofs}, which
allow to prove a multiplicative relation among
three commitments, and which play a crucial
role in computationally secure MPC. We study a
{\em non-interactive} solution which works in a
{\em distributed-verifier} setting and
essentially consists of a few executions of
Pedersen's VSS. We simplify and improve the
protocol, and we point out a (previously
overlooked) property which helps to construct
non-interactive proofs of {\em partial
knowledge} in this setting. This allows for
instance to prove the knowledge of $\ell$ out
of $m$ given secrets, without revealing which
ones. We also construct a non-interactive
distributed-verifier proof of {\em circuit
satisfiability}, which---in principle---allows
to prove {\em anything} that can be proven
without giving away the proof.",
}

@techreport{BRICS-DS-03-9,
author = 	 "Jurik, Mads J.",
title = 	 "Extensions to the Paillier Cryptosystem with
Applications to Cryptological Protocols",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-9",
month = 	 aug,
note = 	 "PhD thesis. xii+117~pp",
comment = 	 "Defence: August~7, 2003 ",
abstract = 	 "The main contribution of this thesis is a
simplification, a generalization and some
modifications of the homomorphic cryptosystem
proposed by Paillier in 1999, and several
cryptological protocols that follow from these
changes. \bibpar
The Paillier cryptosystem is an additive
homomorphic cryptosystem, meaning that one can
combine ciphertexts into a new ciphertext that
is the encryption of the sum of the messages of
the original ciphertexts. The cryptosystem uses
arithmetic over the group ${\bf Z}_{n^2}^*$ and
the cryptosystem can encrypt messages from the
group ${\bf Z}_n$. In this thesis the
cryptosystem is generalized to work over the
group ${\bf Z}_{n^{s+1}}^*$ for any integer $s > 0$ with plaintexts from the group ${\bf Z}_{n^s}$. This has the advantage that the
ciphertext is only a factor of $(s+1) / s$
longer than the plaintext, which is an
improvement to the factor of 2 in the Paillier
cryptosystem. The generalized cryptosystem is
also simplified in some ways, which results in
a threshold decryption that is conceptually
simpler than other proposals. Another
cryptosystem is also proposed that is
length-flexible, i.e. given a fixed public key,
the sender can choose the $s$ when the message
is encrypted and use the message space of ${\bf Z}_{n^s}$. This new system is modified using
some El Gamal elements to create a cryptosystem
that is both length-flexible and has an
efficient threshold decryption. This new system
has the added feature, that with a globally
setup RSA modulus $n$, provers can efficiently
prove various relations on plaintexts inside
ciphertexts made using different public keys.

Using these cryptosystems several multi-party
protocols are proposed:
\begin{itemize}
\item A mix-net, which is a tool for making an
unknown random permutation of a list of
ciphertext. This makes it a useful tool for
achieving anonymity.

\item Several voting systems:
\begin{itemize}
\item An efficient large scale election
system capable of handling large elections
with many candidates.

\item Client/server trade-offs: 1) a system
where vote size is within a constant of the
minimal size, and 2) a system where a voter
is protected even when voting from a
hostile environment (i.e. a Trojan infested
computer). Both of these improvements are
achieved at the cost of some extra
computations at the server side.

\item A small scale election with perfect
ballot secrecy (i.e. any group of persons
only learns what follows directly from
their votes and the final result) usable
e.g. for board room election.
\end{itemize}

\item A key escrow system, which allows an
observer to decrypt any message sent using
any public key set up in the defined way.
This is achieved even though the servers only
store a constant amount of key material.
\end{itemize}

\noindent The last contribution of this thesis
is a petition system based on the modified Weil
pairing. This system greatly improves the naive
implementations using normal signatures from
using an order of ${\cal O}(tk)$ group
operations to using only ${\cal O}(t + k)$,
where $t$ is the number of signatures checked,
and $k$ is the security parameter.",
}

@techreport{BRICS-DS-03-8,
author = 	 "Nielsen, Jesper Buus",
title = 	 "On Protocol Security in the Cryptographic
Model ",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-8",
month = 	 aug,
note = 	 "PhD thesis. xiv+341~pp",
comment = 	 "Defence: August~7, 2003",
abstract = 	 "It seems to be a generally acknowledged fact
that you should never trust a computer and that
you should trust the person operating the
computer even less. This in particular becomes
a problem when the party that you do not trust
is one which is separated from you and is one
on which you depend, e.g. because that party is
the holder of some data or some capability that
you need in order to operate correctly. How do
you perform a given task involving interaction
with other parties while allowing these parties
a minimal influence on you and, if privacy is
an issue, allowing them to learn as little
about you as possible. This is the general
problem of secure {\em multiparty computation}.
The usual way of formalizing the problem is to
say that a number of parties who do not trust
each other wish to compute some function of
their local inputs, while keeping their inputs
as secret as possible and guaranteeing the
correctness of the output. Both goals should be
obtained even if some parties stop
participating or some malevolent coalition of
the parties start deviating arbitrarily from
the agreed protocol. The task is further
complicated by the fact that besides their
mutual distrust, nor do the parties trust the
channels by which they communicate. A general
solution to the secure multiparty computation
problem is a compiler which given any feasible
function describes an efficient protocol which
allows the parties to compute the function
securely on their local inputs over an open
network.\bibpar
Over the past twenty years the secure
multiparty computation problem has been the
subject of a large body of research, both
research into the models of multiparty
computation and research aimed at realizing
general secure multiparty computation. The main
approach to realizing secure multiparty
computation has been based on verifiable secret
sharing as computation, where each party holds
a secret share of each input and during the
execution computes secret shares of all
intermediate values. This approach allows the
parties to keep all inputs and intermediate
values secret and to pool the shares of the
output values to learn exactly these
values.\bibpar
More recently an approach based on joint
homomorphic encryption was introduced, allowing
for an efficient realization of general
multiparty computation secure against an
eavesdropper. A joint encryption scheme is an
encryption scheme where all parties can
encrypt, but where it takes the participation
of all parties to open an encryption. The
computation then starts by all parties
broadcasting encryptions of their inputs and
progresses through computing encryptions of the
intermediary values using the homomorphic
properties of the encryption scheme. The
encryptions of the outputs can then be jointly
decrypted.\bibpar
In this dissertation we extend this approach by
using threshold homomorphic encryption to
provide full-fledged security against an active
attacker which might control some of the
parties and which might take over parties
during the course of the protocol execution. As
opposed to a joint encryption scheme a
threshold encryption scheme only requires that
a given number of the parties are operating
correctly for decryption to be possible. In
this dissertation we show that threshold
homomorphic encryption allows to solve the
secure general multiparty computation problem
more efficiently than previous approaches to
the problem.\bibpar
Starting from an open point-to-point network
there is a long way to general secure
multiparty computation. The dissertation
contains contributions at several points along
the way. In particular we investigate how to
realize {\em secure channels}. We also show how
threshold signature schemes can be used to
efficiently realize a {\em broadcast channel}
and how threshold cryptography can be used to
provide the parties of the network with a
source of {\em shared randomness}. All three
tools are well-known to be extremely powerful
resources in a network, and our principle
contribution is to provide efficient
realizations.\bibpar
The dissertation also contains contributions to
the definitional part of the field of
multiparty computation. Most significantly we
augment the recent model of {\em universally
composable security} with a formal notion of
what it means for a protocol to only realize a
given problem under a given {\em restricted
input-output behavior} of the environment. This
e.g. allows us to give the first specification
of a {\em universally composable zero-knowledge
proof of membership} which does not at the same
time require the proof system to be a proof of
knowledge.",
}

@techreport{BRICS-DS-03-7,
author = 	 "C{\'a}ccamo, Mario Jos{\'e}",
title = 	 "A Formal Calculus for Categories",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-7",
month = 	 jun,
note = 	 "PhD thesis. xiv+151",
comment = 	 "Defence: June~23, 2003",
abstract = 	 "This dissertation studies the logic
underlying category theory. In particular we
present a formal calculus for reasoning about
universal properties. The aim is to systematise
judgements about {\em functoriality} and {\em
naturality} central to categorical reasoning.
The calculus is based on a language which
extends the typed lambda calculus with new
binders to represent universal constructions.
The types of the languages are interpreted as
locally small categories and the expressions
represent functors. \bibpar
The logic supports a syntactic treatment of
universality and duality. Contravariance
requires a definition of universality generous
enough to deal with functors of mixed variance.
{\em Ends} generalise limits to cover these
kinds of functors and moreover provide the
basis for a very convenient algebraic
manipulation of expressions. \bibpar
The equational theory of the lambda calculus is
extended with new rules for the definitions of
universal properties. These judgements express
the existence of natural isomorphisms between
functors. The isomorphisms allow us to
formalise in the calculus results like the
Yoneda lemma and Fubini theorem for ends. The
definitions of limits and ends are given as
{\em representations} for special {\bf
Set}-valued functors where {\bf Set} is the
category of sets and functions. This
establishes the basis for a more calculational
presentation of category theory rather than the
traditional diagrammatic one. \bibpar
The presence of structural rules as primitive
in the calculus together with the rule for
duality give rise to issues concerning the {\em
coherence} of the system. As for every
well-typed expression-in-context there are
several possible derivations it is sensible to
ask whether they result in the same
interpretation. For the functoriality
judgements the system is coherent up to natural
isomorphism. In the case of naturality
judgements a simple example shows its
incoherence. However in many situations to know
there exists a natural isomorphism is enough.
As one of the contributions in this
dissertation, the calculus provides a useful
tool to verify that a functor is continuous by
just establishing the existence of a certain
natural isomorphism. \bibpar
Finally, we investigate how to generalise the
calculus to enriched categories. Here we lose
the ability to manipulate contexts through
weakening and contraction and conical limits
are not longer adequate.",
}

@techreport{BRICS-DS-03-6,
author = 	 "Ursem, Rasmus K.",
title = 	 "Models for Evolutionary Algorithms and Their
Applications in System Identification and
Control Optimization",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-6",
month = 	 jun,
note = 	 "PhD thesis. xiv+183~pp",
comment = 	 "Defence: June~20, 2003",
abstract = 	 "In recent years, optimization algorithms have
received increasing attention by the research
community as well as the industry. In the area
of evolutionary computation (EC), inspiration
for optimization algorithms originates in
Darwin's ideas of evolution and survival of the
fittest. Such algorithms simulate an
evolutionary process where the goal is to
evolve solutions by means of crossover,
mutation, and selection based on their quality
(fitness) with respect to the optimization
problem at hand. Evolutionary algorithms (EAs)
are highly relevant for industrial
applications, because they are capable of
handling problems with non-linear constraints,
multiple objectives, and dynamic components ---
properties that frequently appear in real-world
problems. \bibpar
This thesis presents research in three
fundamental areas of EC; fitness function
design, methods for parameter control, and
techniques for multimodal optimization. In
addition to general investigations in these
areas, I introduce a number of algorithms and
demonstrate their potential on real-world
problems in system identification and control.
Furthermore, I investigate dynamic optimization
problems in the context of the three
fundamental areas as well as control, which is
a field where real-world dynamic problems
appear. \bibpar
Regarding fitness function design, smoothness
of the fitness landscape is of primary concern,
because a too rugged landscape may disrupt the
search and lead to premature convergence at
local optima. Rugged fitness landscapes
typically arise from imprecisions in the
fitness calculation or low relatedness between
neighboring solutions in the search space. The
imprecision problem was investigated on the
Runge-Kutta-Fehlberg numerical integrator in
the context of non-linear differential
equations. Regarding the relatedness problem
for the search space of arithmetic functions,
Thiemo Krink and I suggested the smooth
operator genetic programming algorithm. This
approach improves the smoothness of fitness
function by allowing a gradual change between
traditional operators such as multiplication
and division. \bibpar
In the area of parameter control, I
investigated the so-called self-adaptation
technique on dynamic problems. In
self-adaptation, the genome of the individual
contains the parameters that are used to modify
the individual. Self-adaptation was developed
for static problems; however, the parameter
control approach requires a significant number
of generations before superior parameters are
evolved. In my study, I experimented with two
artificial dynamic problems and showed that the
technique fails on even rather simple
time-varying problems. In a different study on
static problems, Thiemo Krink and I suggested
the terrain-based patchwork model, which is a
fundamentally new approach to parameter control
based on agents moving in a spatial grid world.
\bibpar
For multimodal optimization problems,
algorithms are typically designed with two
objectives in mind. First, the algorithm shall
find the global optimum and avoid stagnation at
local optima. Additionally, the algorithm shall
preferably find several candidate solutions,
and thereby allow a final human decision among
the found solutions. For this objective, I
created the multinational EA that employs a
self-organizing population structure grouping
the individuals into a number of subpopulations
located in different parts of the search space.
In a related study, I investigated the
robustness of the widely used sharing
technique. Surprisingly, I found that this
algorithm is extremely sensitive to the range
of fitness values. In a third investigation, I
introduced the diversity-guided EA, which uses
a population diversity measure to guide the
search. The potential of this algorithm was
demonstrated on parameter identification of two
induction motor models, which are used in the
pumps produced by the Danish pump manufacturer
Grundfos.",
abstract1 = 	 "\bibpar
The field of dynamic optimization has received
significant attention since 1990. However, most
research performed in an EC-context has focused
on artificial dynamic problems. In a
fundamental study, Thiemo Krink, Mikkel T.
Jensen, Zbigniew Michalewicz, and I
investigated artificial dynamic problems and
found no clear connection (if any) to
real-world dynamic problems. In conclusion, a
large part of this research field's foundation,
i.e., the test problems, is highly
questionable. In continuation of this, Thiemo
Krink, Bogdan Filipi{\v{c}}, and I investigated
online control problems, which have the special
property that the search changes the problem.
In this context, we examined how to utilize the
available computation time in the best way
between updates of the control signals. For an
EA, the available time can be a trade-off
between population size and number of
generations. From our experiments, we concluded
that the best approach was to have a small
population and many generations, which
essentially turns the problem into a series of
related static problems. To our surprise, the
control problem could easily be solved when
optimized like this. To further examine this,
we compared the EA with a particle swarm and a
local search approach, which we developed for
dynamic optimization in general. The three
algorithms had matching performance when
properly tuned. An interesting result from this
investigation was that different step-sizes in
the local search algorithm induced different
control strategies, i.e., the search strategy
lead to the emergence of alternative paths of
the moving optima in the dynamic landscape.
This observation is captured in the novel
concept of {\em optima in time}, which we
introduced as a temporal version of the usual
optima the in search space.",
}

@techreport{BRICS-DS-03-5,
author = 	 "Milicia, Giuseppe",
title = 	 "Applying Formal Methods to Programming
Language Design and Implementation",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-5",
month = 	 jun,
note = 	 "PhD thesis. xvi+211",
comment = 	 "Defence: June~16, 2003",
abstract = 	 "This thesis concerns the design and evolution
of two programming languages. The two
contributions, unrelated with each other, are
treated separately. The underlying theme of
this work is the application of {\em formal
methods} to the task of programming language
design and implementation.\bibpar

{\bf Jeeg}\bibpar
We introduce Jeeg, a dialect of Java based on a
declarative replacement of the synchronization
mechanisms of Java that results in a complete
decoupling of the business'' and the
synchronization'' code of classes.
Synchronization constraints in Jeeg are
expressed in a linear temporal logic which
allows to effectively limit the occurrence of
the inheritance anomaly that commonly affects
concurrent object oriented languages. Jeeg is
inspired by the current trend in aspect
oriented languages. In a Jeeg program the
sequential and concurrent aspects of object
behaviors are decoupled: specified separately
by the programmer these are then weaved
together by the Jeeg compiler.\bibpar

$\chi${\bf-Spaces}\bibpar
It is of paramount importance that a security
protocol effectively enforces the desired
security requirements. The apparent simplicity
of informal protocol descriptions hides the
complex interactions of a security protocol
which often invalidate informal correctness
arguments and justify the effort of formal
protocol verification. Verification, however,
is usually carried out on an abstract model not
at all related with a protocol's
implementation. Experience shows that security
breaches introduced in implementations of
successfully verified models are rather common.
The $\chi$-Spaces framework is a tool meant to
support every step of the protocol's life-cycle
in a uniform manner. The core of the framework
is a domain specific programming language based
on SPL (Security Protocol Language) a formal
model for studying security protocols. This
simple, yet powerful, language allows the
implementation of security protocols in a
concise an precise manner. Its underlying
formal model, based on SPL, gives the power to
prove interesting properties of the actual
protocol implementation. Simulation,
benchmarking and testing of the protocols is
immediate using the $\chi$-Sim tool."
}

@techreport{BRICS-DS-03-4,
author = 	 "Crazzolara, Federico",
title = 	 "Language, Semantics, and Methods for Security
Protocols",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-4",
month = 	 may,
note = 	 "PhD thesis. xii+160",
comment = 	 "Defence: May~15, 2003",
abstract = 	 "Security protocols help in establishing
secure channels between communicating systems.
Great care needs therefore to be taken in
developing and implementing robust protocols.
The complexity of security-protocol
interactions can hide, however, security
weaknesses that only a formal analysis can
reveal. The last few years have seen the
emergence of successful intensional,
event-based, formal approaches to reasoning
about security protocols. The methods are
concerned with reasoning about the events that
a security protocol can perform, and make use
of a causal dependency that exists between
events. Methods like strand spaces and the
inductive method of Paulson have been designed
to support an intensional, event-based, style
of reasoning. These methods have successfully
tackled a number of protocols though in an {\em
ad hoc} fashion. They make an informal spring
from a protocol to its representation and do
not address how to build up protocol
representations in a compositional fashion.
\bibpar
This dissertation presents a new, event-based
approach to reasoning about security protocols.
We seek a broader class of models to show how
event-based models can be structured in a
compositional way and so used to give a formal
semantics to security protocols which supports
proofs of their correctness. More precisely, we
give a compositional event-based semantics to
an economical, but expressive, language for
describing security protocols (SPL); so the
events and dependency of a wide range of
protocols are determined once and for all. The
net semantics allows the derivation of general
properties and proof principles the use of
which is demonstrated in establishing security
properties for a number of protocols. The NSL
public-key protocol, the ISO 5-pass
authentication and the $\Pi_3$ key-translation
protocols are analysed for their level of
secrecy and authentication and for their
robustness in runs where some session-keys are
compromised. Particularly useful in the
analysis are general results that show which
events of a protocol run can not be those of a
spy. \bibpar
The net semantics of SPL is formally related to
a transition semantics which can easily be
implemented. (An existing SPL implementation
bridges the gap that often exists between
abstract protocol models on which verification
of security properties is carried out and the
implemented protocol.) SPL-nets are a
particular kind of contextual Petri-nets. They
have persistent conditions and as we show in
this thesis, unfold under reasonable
assumptions to a more basic kind of nets. We
relate SPL-nets to strand spaces and inductive
rules, as well as trace languages and event
structures so unifying a range of approaches,
as well as providing conditions under which
particular, more limited, models are adequate
for the analysis of protocols. The relations
that are described in this thesis help
integrate process calculi and algebraic
reasoning with event-based methods to obtain a
more accurate analysis of security properties
of protocols.",
}

@techreport{BRICS-DS-03-3,
author = 	 "Srba, Ji{\v{r}}{\'\i}",
title = 	 "Decidability and Complexity Issues for
Infinite-State Processes",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-3",
note = 	 "PhD thesis. xii+171~pp",
comment = 	 "Defence: April~14, 2003",
abstract = 	 "This thesis studies decidability and
complexity border-lines for algorithmic
verification of infinite-state systems.
Verification techniques for finite-state
processes are a successful approach for the
validation of reactive programs operating over
finite domains. When infinite data domains are
introduced, most of the verification problems
become in general undecidable. By imposing
certain restrictions on the considered models
(while still including infinite-state spaces),
it is possible to provide algorithmic decision
procedures for a variety of properties. Hence
the models of infinite-state systems can be
classified according to which verification
problems are decidable, and in the positive
case according to complexity
considerations.\bibpar
This thesis aims to contribute to the problems
mentioned above by studying decidability and
complexity questions of equivalence checking
problems, i.e., the problems whether two
infinite-state processes are equivalent with
regard to some suitable notion of behavioural
equivalence. In particular, our interest is
focused on strong and weak bisimilarity
checking within classical models of
infinite-state processes. \bibpar
Throughout the thesis, processes are modelled
by the formalism of process rewrite systems
which provides a uniform classification of all
the considered classes of infinite-state
processes.\bibpar
We begin our exposition of infinite-state
systems by having a closer look at the very
basic model of labelled transition systems. We
demonstrate a simple geometrical encoding of
the labelled systems into unlabelled ones by
transforming labels into linear paths of
different lengths. The encoding preserves the
answers to the strong bisimilarity checking and
is shown to be effective e.g. for the classes
of pushdown processes and Petri nets. This
gives several decidability and complexity
corollaries about unlabelled variants of the
models.\bibpar
We continue by developing a general
decidability theorem for commutative process
algebras like deadlock-sensitive BPP (basic
parallel processes), lossy BPP, interrupt BPP
and timed-arc BPP nets. The introduced
technique relies on the tableau-based proof of
decidability of strong bisimilarity for BPP and
we extend it in several ways to provide a wider
applicability range of the technique. This, in
particular, implies that all the mentioned
classes of commutative process algebras allow
for algorithmic checking of strong
bisimilarity. \bibpar
Another topic studied in the thesis deals with
finding tight complexity estimates for strong
and weak bisimilarity checking. A novel
technique called existential quantification is
explicitly described and used to show that the
strong bisimilarity and regularity problems for
basic process algebra and basic parallel
processes are PSPACE-hard. In case of weak
bisimilarity checking of basic parallel
processes the problems are shown to be again
PSPACE-hard --- this time, however, also for
the normed subclass. \bibpar
Finally we consider the problems of weak
bisimilarity checking for the classes of
pushdown processes and PA-processes. Negative
answers to the problems are given --- both
problems are proven to be undecidable. The
proof techniques moreover solve some other open
problems. For example the undecidability proof
for pushdown processes implies also
undecidability of strong bisimilarity for
prefix-recognizable graphs. \bibpar
The thesis is concluded with an overview of the
state-of-the-art for strong and weak
bisimilarity problems within the classes from
the hierarchy of process rewrite systems. ",
}

@techreport{BRICS-DS-03-2,
author = 	 "Valencia, Frank D.",
title = 	 "Temporal Concurrent Constraint Programming",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-2",
month = 	 feb,
note = 	 "PhD thesis. xvii+174",
comment = 	 "Defence: February~5, 2003",
abstract = 	 "{\em Concurrent constraint programming} (ccp)
is a formalism for concurrency in which agents
interact with one another by telling (adding)
and asking (reading) information in a shared
medium. Temporal ccp extends ccp by allowing
agents to be constrained by time conditions.
This dissertation studies temporal ccp as a
model of concurrency for discrete-timed
systems. The study is conducted by developing a
process calculus called {\tt ntcc}. \bibpar
The {\tt ntcc} calculus generalizes the tcc
model, the latter being a temporal ccp model
for {\em deterministic} and {\em synchronous
timed reactive} systems. The calculus is built
upon few basic ideas but it captures several
aspects of timed systems. As tcc, {\tt ntcc}
can model unit delays, time-outs, pre-emption
and synchrony. Additionally, it can model {\em
unbounded but finite delays, bounded
eventuality, asynchrony} and {\em
nondeterminism}. The applicability of the
calculus is illustrated with several
interesting examples of discrete-time systems
involving mutable data structures, robotic
devices, multi-agent systems and music
applications. \bibpar
The calculus is provided with a {\em
denotational semantics} that captures the
reactive computations of processes in the
presence of arbitrary environments. The
denotation is proven to be {\em fully-abstract}
for a substantial fragment of the calculus.
This dissertation identifies the exact
technical problems (arising mainly from
allowing nondeterminism, locality and time-outs
in the calculus) that makes it impossible to
obtain a fully abstract result for the full
language of {\tt ntcc}. \bibpar
Also, the calculus is provided with a process
logic for expressing {\em temporal
specifications} of {\tt ntcc} processes. This
dissertation introduces a ({\em relatively})
{\em complete inference system} to prove that a
given {\tt ntcc}process satisfies a given
formula in this logic. The denotation, process
logic and inference system presented in this
dissertation significantly extend and
strengthen similar developments for tcc and
(untimed) ccp. \bibpar
This dissertation addresses the {\em
decidability} of various behavioral
equivalences for the calculus and {\em
characterizes} their corresponding induced
congruences. The equivalences (and their
associated congruences) are proven to be
decidable for a significant fragment of the
calculus. The decidability results involve a
systematic translation of processes into finite
state B{\"u}chi automata. To the author's best
knowledge the study of decidability for ccp
equivalences is original to this work. \bibpar
Furthermore, this dissertation deepens the
understanding of previous ccp work by
establishing an {\em expressive power
hierarchy} of several temporal ccp languages
which were proposed in the literature by other
authors. These languages, represented in this
dissertation as {\em variants} of {\tt ntcc} ,
differ in their way of defining infinite
behavior (i.e., {\em replication} or {\em
recursion}) and the scope of variables (i.e.,
{\em static} or {\em dynamic scope}). In
particular, it is shown that (1) recursive
procedures with parameters can be encoded into
parameterless recursive procedures with dynamic
scoping, and vice-versa; (2) replication can be
encoded into parameterless recursive procedures
with static scoping, and vice-versa; (3) the
languages from (1) are {\em strictly more
expressive} than the languages from (2). (Thus,
in this family of languages recursion is more
expressive than replication and dynamic scope
is more expressive than static scope.)
Moreover, it is shown that behavioral
equivalence is {\em undecidable} for the
languages from (l), but {\em decidable} for the
languages from (2). Interestingly, the
undecidability result holds even if the process
variables take values from a {\em fixed finite
domain} whilst the decidability holds for {\em
arbitrary domains}. \bibpar
Both the expressive power hierarchy and
decidability/undecidability results give a
clear distinction among the various temporal
ccp languages. Also, the distinction between
static and dynamic scoping helps to clarify the
situation in the (untimed) ccp family of
languages. Moreover, the methods used in the
decidability results may provide a framework to
perform further systematic investigations of
temporal ccp languages."
}

@techreport{BRICS-DS-03-1,
author = 	 "Brabrand, Claus",
title = 	 "Domain Specific Languages for Interactive Web
Services",
institution =  brics,
year = 	 2003,
type = 	 ds,
number = 	 "DS-03-1",
month = 	 jan,
note = 	 "PhD thesis. xiv+214~pp",
abstract = 	 "This dissertation shows how domain specific
languages may be applied to the domain of
interactive Web services to obtain flexible,
safe, and efficient solutions.\bibpar
We show how each of four key aspects of
interactive Web services involving sessions,
dynamic creation of HTML/XML documents, form
field input validation, and concurrency
control, may benefit from the design of a
dedicated language.\bibpar
Also, we show how a notion of metamorphic
syntax macros facilitates integration of these
individual domain specific languages into a
complete language. \bibpar
The result is a domain specific language, \verb
!{}!, that supports virtually all
aspects of the development of interactive Web
services and provides flexible, safe, and
efficient solutions",