Full download test bank at ebookmeta.

com

Rigorous State Based Methods 8th International

Conference ABZ 2021 Ulm Germany June 9 11 2021
Proceedings 1st Edition Alexander Raschke
For dowload this book click LINK or Button below

https://ebookmeta.com/product/rigorous-state-
based-methods-8th-international-conference-
abz-2021-ulm-germany-
june-9-11-2021-proceedings-1st-edition-alexander-
raschke/
OR CLICK BUTTON

DOWLOAD EBOOK

Download More ebooks from https://ebookmeta.com

More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Automated Reasoning with Analytic Tableaux and Related

Methods 30th International Conference TABLEAUX 2021
Birmingham UK September 6 9 2021 Proceedings Anupam Das
(Editor)
https://ebookmeta.com/product/automated-reasoning-with-analytic-
tableaux-and-related-methods-30th-international-conference-
tableaux-2021-birmingham-uk-september-6-9-2021-proceedings-
anupam-das-editor/

Optimization and Learning 4th International Conference

OLA 2021 Catania Italy June 21 23 2021 Proceedings 1st
Edition Bernabé Dorronsoro

https://ebookmeta.com/product/optimization-and-learning-4th-
international-conference-ola-2021-catania-italy-
june-21-23-2021-proceedings-1st-edition-bernabe-dorronsoro/

Graph Transformation 14th International Conference ICGT

2021 Held as Part of STAF 2021 Virtual Event June 24 25
2021 Proceedings 1st Edition Fabio Gadducci

https://ebookmeta.com/product/graph-transformation-14th-
international-conference-icgt-2021-held-as-part-of-
staf-2021-virtual-event-june-24-25-2021-proceedings-1st-edition-
fabio-gadducci/

Architecture of Computing Systems 34th International

Conference ARCS 2021 Virtual Event June 7 8 2021
Proceedings 1st Edition Christian Hochberger (Editor)

https://ebookmeta.com/product/architecture-of-computing-
systems-34th-international-conference-arcs-2021-virtual-event-
june-7-8-2021-proceedings-1st-edition-christian-hochberger-
Software Engineering and Formal Methods: 19th
International Conference, SEFM 2021, Virtual Event,
December 6–10, 2021, Proceedings 1st Edition Calinescu

https://ebookmeta.com/product/software-engineering-and-formal-
methods-19th-international-conference-sefm-2021-virtual-event-
december-6-10-2021-proceedings-1st-edition-calinescu/

Web and Internet Economics: 17th International

Conference, WINE 2021, Potsdam, Germany, December
14–17, 2021, Proceedings (Lecture Notes in Computer
Science, 13112) Michal Feldman
https://ebookmeta.com/product/web-and-internet-economics-17th-
international-conference-wine-2021-potsdam-germany-
december-14-17-2021-proceedings-lecture-notes-in-computer-
science-13112-michal-feldman/

Mobile and Ubiquitous Systems Computing Networking and

Services 18th EAI International Conference MobiQuitous
2021 Virtual Event November 8 11 2021 Proceedings
Takahiro Hara
https://ebookmeta.com/product/mobile-and-ubiquitous-systems-
computing-networking-and-services-18th-eai-international-
conference-mobiquitous-2021-virtual-event-
november-8-11-2021-proceedings-takahiro-hara/

Discovery Science 24th International Conference DS 2021

Halifax NS Canada October 11 13 2021 Proceedings
Lecture Notes in Computer Science Carlos Soares
(Editor)
https://ebookmeta.com/product/discovery-science-24th-
international-conference-ds-2021-halifax-ns-canada-
october-11-13-2021-proceedings-lecture-notes-in-computer-science-
carlos-soares-editor/

HCI International 2021 Posters 23rd HCI International

Conference HCII 2021 Virtual Event July 24 29 2021
Proceedings Part II 1st Edition Constantine Stephanidis

https://ebookmeta.com/product/hci-
international-2021-posters-23rd-hci-international-conference-
hcii-2021-virtual-event-july-24-29-2021-proceedings-part-ii-1st-
 Alexander Raschke
Dominique Méry (Eds.)
LNCS 12709

Rigorous State-Based
Methods
8th International Conference, ABZ 2021
Ulm, Germany, June 9–11, 2021
Proceedings
Lecture Notes in Computer Science 12709

Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany
Juris Hartmanis
Cornell University, Ithaca, NY, USA

Editorial Board Members

Elisa Bertino
Purdue University, West Lafayette, IN, USA
Wen Gao
Peking University, Beijing, China
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Gerhard Woeginger
RWTH Aachen, Aachen, Germany
Moti Yung
Columbia University, New York, NY, USA
More information about this subseries at http://www.springer.com/series/7407
Alexander Raschke Dominique Méry (Eds.)
•

Rigorous State-Based
Methods
8th International Conference, ABZ 2021
Ulm, Germany, June 9–11, 2021
Proceedings

123
Editors
Alexander Raschke Dominique Méry
Ulm University University of Lorraine
Ulm, Germany Vandœuvre-lès-Nancy, France

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-030-77542-1 ISBN 978-3-030-77543-8 (eBook)
https://doi.org/10.1007/978-3-030-77543-8

LNCS Sublibrary: SL1 – Theoretical Computer Science and General Issues

© Springer Nature Switzerland AG 2021

Chapter “Formalizing the Institution for Event-B in the Coq Proof Assistant” is licensed under the terms
of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).
For further details see license information in the chapter.
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Preface

The International Conference on Rigorous State-Based Methods (ABZ 2021) is an

international forum for the cross-fertilization of related state-based and machine-based
formal methods, mainly Abstract State Machines (ASM), Alloy, B, TLA+, VDM, and
Z. Rigorous state-based methods share a common conceptual foundation and are
widely used in both academia and industry for the design and analysis of hardware and
software systems.
The name ABZ was invented at the first conference held in London in 2008, where
the ASM, B, and Z conference series merged into a single event. The second con-
ference, ABZ 2010, was held in Orford, Canada, where the Alloy community joined
the event; ABZ 2012 was held in Pisa, Italy, which saw the inclusion of the VDM
community in the conference series (but not in the title); and ABZ 2014 was held in
Toulouse, France, which brought the inclusion of the TLA+ community. Lastly, ABZ
2016 was held in Linz, Austria, and ABZ 2018 in Southampton, UK. In 2018 the
Steering Committee decided to retain the (well-known) acronym ABZ and add the
subtitle “International Conference on Rigorous State-Based Methods” to make more
explicit the intention to include all state-based formal methods.
In 2020, the ABZ conference should have been held in Ulm, Germany. Unfortu-
nately, the conference had to be cancelled at short notice due to the worldwide rampant
COVID-19 virus and was postponed to this year, with the hope of welcoming all
participants personally in Ulm. Unfortunately this hope did not come true, so we had to
organize the conference as a virtual event after all. Since the proceedings were ready
before the cancellation of the 2020 conference, we decided to publish them immedi-
ately. We also launched a new call for papers for ABZ 2021 so that researchers had the
opportunity to publish new results in a timely manner.
Because the ABZ conference is normally hosted every two years we had not defined
a new case study, and with the restrictions of the pandemic and the associated increased
efforts, for example for teaching, being felt in the research community, significantly
fewer papers were submitted to ABZ 2021. There were 15 papers submitted from
authors in 8 countries spread over Europe, Asia, and America. Fortunately, the sub-
mitted papers were of very high quality, so that the four reviews per paper were
consistently positive and only one paper had to be rejected. A total of 6 full research
papers and 8 short research papers were accepted. All accepted papers cover broad
research areas on theoretical, systems, or practical aspects of state-based methods.
The doctoral symposium, which was organized for the first time in 2020, also took
place in 2021. Three PhD students submitted a four-page abstract describing their
research projects and received constructive feedback from the senior researchers of the
ABZ community. Each of the submitted abstracts was also evaluated by a separate
Program Committee.
vi Preface

The conference was due to be held during June 9–11, 2021, in Ulm, Germany, but
unfortunately the successes of the COVID-19 vaccination program will probably not be
seen for several months, so the conference was held virtually. In addition to the new
submissions, the authors of ABZ 2020 were also invited to present their papers, which
fortunately many took advantage of and thus a comprehensive program could be put
together.
Unfortunately, due to consequences of the COVID-19 crisis in the personal envi-
ronment, one of the keynote speakers understandably had to cancel at short notice.
However, we were all the more pleased to listen to the keynotes of Ana Cavalcanti,
University of York, UK, on “RoStar technology — a roboticist’s toolbox for combined
proof and sound simulation” and Gilles Dowek, Inria/ENS Paris-Saclay, France, on
“Sharing proofs across logics and systems: a boost for formal methods?”
The EasyChair conference management system was set up for ABZ 2021, sup-
porting submissions and the review process.
We would like to thank all the authors who submitted their work to ABZ 2021. We
are grateful to the Program Committee members for their high-quality reviews and
discussions. Finally, we wish to thank the Organizing Committee members for their
continuous support.
We hope the vaccination program will also reach poor countries as fast as possible
such that the COVID-19 crisis will decrease within the next two years and we can meet
together in person at ABZ 2023 in France.
For readers of these proceedings, we hope these papers are interesting and they
inspire ideas for future research that can be presented at the next ABZ!

April 2021 Alexander Raschke

Dominique Méry
 Organization

General Chairs
Alexander Raschke Ulm University, Germany
Dominique Méry Université de Lorraine, LORIA, France

Program Committee
Yamine Ait Ameur IRIT/INPT-ENSEEIHT, France
Paolo Arcaini National Institute of Informatics, Japan
Richard Banach University of Manchester, UK
Egon Boerger Università di Pisa, Italy
Eerke Boiten De Montfort University, UK
Michael Butler University of Southampton, UK
Andrew Butterfield Trinity College Dublin, Ireland
David Deharbe ClearSy System Engineering, France
Juergen Dingel Queen’s University, Canada
Flavio Ferrarotti Software Competence Centre Hagenberg, Austria
Mamoun Filali-Amine IRIT, France
Marc Frappier Université de Sherbrooke, Canada
Angelo Gargantini University of Bergamo, Italy
Vincenzo Gervasi University of Pisa, Italy
Gudmund Grov Norwegian Defence Research Establishment (FFI),
Norway
Stefan Hallerstede Aarhus University, Denmark
Klaus Havelund Jet Propulsion Laboratory, USA
Ian J. Hayes The University of Queensland, Australia
Thai Son Hoang University of Southampton, UK
Frank Houdek Daimler AG, Germany
Alexei Iliasov Newcastle University, UK
Felix Kossak Software Competence Center Hagenberg, Austria
Regine Laleau Paris-Est Créteil University, France
Thierry Lecomte ClearSy, France
Michael Leuschel University of Düsseldorf, Germany
Alexei Lisitsa University of Liverpool, UK
Atif Mashkoor Johannes Kepler University, Austria
Jackson Mayo Sandia National Laboratories, USA
Stephan Merz Inria Nancy, France
Stefan Mitsch Carnegie Mellon University, USA
Rosemary Monahan Maynooth University, Ireland
Mohamed Mosbah University of Bordeaux, France
Cesar Munoz NASA, USA
viii Organization

Shin Nakajima National Institute of Informatics, Japan

Uwe Nestmann TU Berlin, Germany
Jose Oliveira University of Minho, Portugal
Philipp Paulweber Vienna University of Technology, Austria
Luigia Petre Åbo Akademi University, Finland
Andreas Prinz University of Agder, Norway
Shengchao Qin Teesside University, UK
Philippe Queinnec Université de Toulouse, France
Elvinia Riccobene University of Milan, Italy
Victor Rivera Australian National University, Australia
Thomas Santen TU Berlin, Germany
Patrizia Scandurra University of Bergamo, Italy
Gerhard Schellhorn Universitaet Augsburg, Germany
Klaus-Dieter Schewe Zhejiang University, China
Steve Schneider University of Surrey, UK
Jun Sun Singapore Management University, Singapore
Maurice H. ter Beek ISTI-CNR, Italy
Laurent Voisin Systerel, France
Virginie Wiels ONERA/DTIM, France
Uwe Zdun University of Vienna, Austria
Wolf Zimmermann Martin Luther University Halle-Wittenberg, Germany
 Contents

Regular Research Articles

Unbounded Barrier-Synchronized Concurrent ASMs for Effective

MapReduce Processing on Streams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Zilinghan Li, Shilan He, Yiqing Du, Senén González,
and Klaus-Dieter Schewe

Towards ASM-Based Automated Formal Verification

of Security Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Chiara Braghin, Mario Lilli, and Elvinia Riccobene

Verifying System-Level Security of a Smart Ballot Box. . . . . . . . . . . . . . . . 34

Dana Dghaym, Thai Son Hoang, Michael Butler, Runshan Hu,
Leonardo Aniello, and Vladimiro Sassone

Proving the Safety of a Sliding Window Protocol with Event-B . . . . . . . . . . 50

Sophie Coudert

Event-B Formalization of Event-B Contexts . . . . . . . . . . . . . . . . . . . . . . . . 66

Jean-Paul Bodeveix and Mamoun Filali

Validation of Formal Models by Timed Probabilistic Simulation . . . . . . . . . . 81

Fabian Vu, Michael Leuschel, and Atif Mashkoor

Short Articles

Sterling: A Web-Based Visualizer for Relational Modeling Languages. . . . . . 99

Tristan Dyer and John Baugh

Extending ASMETA with Time Features . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Andrea Bombarda, Silvia Bonfanti, Angelo Gargantini,
and Elvinia Riccobene

About the Concolic Execution and Symbolic ASM Function Promotion

in CASM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Philipp Paulweber, Jakob Moosbrugger, and Uwe Zdun

Towards Refinement of Unbounded Parallelism in ASMs Using

Concurrency and Reflection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Fengqing Jiang, Neng Xiong, Xinyu Lian, Senén González,
and Klaus-Dieter Schewe
x Contents

The CamilleX Framework for the Rodin Platform . . . . . . . . . . . . . . . . . . . . 124

Thai Son Hoang, Colin Snook, Dana Dghaym, Asieh Salehi Fathabadi,
and Michael Butler

Extensible Record Structures in Event-B . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Asieh Salehi Fathabadi, Colin Snook, Thai Son Hoang, Dana Dghaym,
and Michael Butler

Formalizing and Analyzing System Requirements of Automatic Train

Operation over ETCS Using Event-B . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Robert Eschbach

Automatic Transformation of SysML Model to Event-B Model for Railway

CCS Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Shubhangi Salunkhe, Randolf Berglehner, and Abdul Rasheeq

Short Articles of the PhD-Symposium (Work in Progress)

Formal Meta Engineering Event-B: Extension and Reasoning

The EB4EB Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Peter Riviere

A Modeling and Verification Framework for Security Protocols . . . . . . . . . . 158

Mario Lilli

Formalizing the Institution for Event-B in the Coq Proof Assistant . . . . . . . . 162
Conor Reynolds

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Regular Research Articles
 Unbounded Barrier-Synchronized
Concurrent ASMs for Effective
MapReduce Processing on Streams

Zilinghan Li1 , Shilan He1 , Yiqing Du1 , Senén González2 ,

and Klaus-Dieter Schewe1(B)
1
UIUC Institute, Zhejiang University, Haining, China
{zilinghan.18,shilan.18,yiqing.18,kd.schewe}@intl.zju.edu.cn
2
P&T Connected, Linz, Austria

Abstract. MapReduce supports the processing of large data sets in par-

allel. It has been shown that MapReduce is an example for the use of
the bulk synchronous parallel (BSP) bridging model, a model for par-
allel computation on a fixed set of processors comprising alternating
computation and communication phases. In this article we extend the
normal execution of MapReduce from processing large finite data sets to
processing stream queries with input data stream assumed to continue
indefinitely. We classify stream queries into three classes, memoryless,
semi-memoryless and memorable, and provide the model for each class
using MapReduce based on BSP. In addition, as some stream queries
require large amounts of computing sources, the BSP computation model
is extended to a model with unbounded many agents, but preserving
the barrier synchronization. A behavioral theory is developed for this
model extending the behavioral theory of the BSP model. This comprises
an axiomatization, the definition of Infinite-Agent BSP abstract state
machines (Inf-Ag-BSP-ASM) and the proof that such ASMs capture the
unbounded synchronized computations. Finally, we show how MapRe-
duce processing can be further improved on grounds of the unbounded
extension.

Keywords: MapReduce · Stream query · Infinite-agent BSP model ·

Behavioral theory · Concurrent ASM

1 Introduction
MapReduce provides a programming model for processing large data sets in an
asynchronous and distributed way [6]. A MapReduce computation comprises a
map phase processing input data in an asynchronous and parallel way to obtain
intermediate key-value pairs, a shuffle phase redistributing the data and a reduce
phase aggregating intermediate key-value pairs to yield the final results.
The bulk synchronous parallel (BSP) bridging model [16] is a widely-used
model for parallel computations by a fixed number of agents. A BSP computa-
tion consists of a sequence of supersteps, and each superstep is composed of a
c Springer Nature Switzerland AG 2021
A. Raschke and D. Méry (Eds.): ABZ 2021, LNCS 12709, pp. 3–16, 2021.
https://doi.org/10.1007/978-3-030-77543-8_1
4 Z. Li et al.

computation phase and a communication phase. In a computation phase each

agent works independently without any form of interaction until it completes
the local computation. When all agents have completed their local computa-
tions, they continue with a communication phase to exchange data. With all
agents having completed their communication, they return to a new computa-
tion phase and thus begin a new superstep. The BSP model has many useful
applications as demonstrated among others in [5,10,13,14].
As explained in [9] BSP computations are specific concurrent algorithms that
are characterised by a fixed number of agents, the alternation of computation
and communication phases and the barrier synchronization. Consequently, they
are captured by specific concurrent abstract state machines (concurrent ASMs),
the BSP-ASMs, as shown by the behavioral theory of BSP computations.
There exists a strong connection between MapReduce and BSP model: for
the map phase of MapReduce each agent executes the user-defined map func-
tion without interaction, which indicates that the map phase corresponds to
a computation phase in the BSP model. The shuffle phase corresponds to a
communication phase in the BSP model, in which agents interact with each
other by exchanging data. For the reduce phase agents execute the user-defined
reduce function again without interaction, so it also corresponds to a computa-
tion phase. In addition, as MapReduce algorithms proceed, some of the agents
may be executing a map function, while others are executing a reduce function in
the same computation phase. The strong connection indicates that MapReduce
can be captured by the BSP model, which was already sketched in [9]. More
examples on how MapReduce is realized based on grounds of the BSP model
can be found in [14].
A general assumption underlying MapReduce is that while the input data sets
can be large, they are still bounded. In this article we investigate an extension
based on the BSP model enabling the handling of stream queries, where the input
data stream is assumed to continue indefinitely. Then we also extend the BSP
bridging model following the behavioral theory to further support MapReduce
query processing.
We first classify the stream queries according to their concatenation property
and divide them into three different classes: memoryless, semi-memoryless and
memorable. In a nutshell, a memoryless stream process can forget the input
data once they have been processed, a semi-memoryless stream process has to
keep some aggregation of the data for the processing of following data, and
a memorable stream process requires all processed data to be kept. Then we
provide the models for these different classes of stream queries using MapReduce
based on the BSP model.
As the data stream is assumed to continue indefinitely, also the agents exe-
cuting MapReduce are dedicated to processing the stream query indefinitely.
However, we may want to allow some of the agents to leave the computation and
other new agents to join the computation. In particular, some stream queries
require a large amount of computation time and a large memory space for data
storage, especially for some semi-memoryless and memorable queries, so it will
 Unbounded Barrier-Synchronized Concurrent ASMs 5

be advantageous not to have any limit on the number of agents. Theoretically,

we may permit an infinite number of agents, but following the theory of concur-
rent algorithms [3] only finitely many of them can be active in each superstep.
Nonetheless, both the join/leave behavior and an unbounded number of agents
are beyond the expressiveness of general BSP model, where the number of agents
is fixed and bounded.
To extend BSP computation and allow such behaviors, we develop an
extended behavioral theory for Infinite-Agent BSP (Inf-Ag-BSP) computations,
which permits changing numbers of agents in all supersteps, but preserves the
barrier synchronization. The notion of behavioral theory was coined to charac-
terise the method used in the sequential ASM thesis characterising sequential
algorithms in a language-independent way [11]. This work therefore became the
first behavioral theory that was investigated. The same method was later used
for recursive algorithms [4], synchronous parallel algorithms [1,2,7,8,15], and
asynchronous concurrent algorithms [3]. As BSP computations are special con-
current algorithms, a specialised behavioral theory was also developed for the
BSP model [9]. In our extended behavioral theory we will exploit that concurrent
ASMs can deal with an infinite number of agents [3].

2 BSP-ASMs for Stream Queries

In our extension of MapReduce to handle stream queries, we restrict ourselves

to abstract computable stream queries following the definitions and notations
in [12]. A stream query Q : Stream → Stream is abstract computable if there
exists a function K : f inStream → f inStream such that the result of Q can be
obtained by concatenating the results of K applied to larger and larger prefixes
of the input, i.e.

size(s)
Q : s → K(s≤k ), (1)
k=0

where we use to denote concatenation1 . Here K is called the kernel of Q. In
the following K is always used to denote the kernel of the corresponding stream
query.
According to Eq. 1, evaluating stream query Q on stream s requires evaluat-
ing K on the whole stream. However, when handling stream queries via MapRe-
duce, streams are split into several pieces that are evaluated independently. Then
the individual results are aggregated to yield the final result. In the following
stream queries are classified into three classes based on their concatenation prop-
erty. We show how each class can be realised via MapReduce based on the BSP
model.

1 
Theconcatenation ( ) used here is not same as the common concatenation denoted
by . It works more like aggregation and its real functionality varies among different
scenarios, but we still use the term concatenation to be consistent with [12].
6 Z. Li et al.

2.1 Memoryless Stream Queries

In a memoryless stream query the result of new coming input stream is inde-
pendent of the previous input streams, and the output of a larger stream can be
obtained by direct concatenation of the outputs of its smaller substreams. This
gives rise to the following definition.
Definition 1. A stream query Q is said to be memoryless if Q can defined as
follows:

size(s)

size(s)
Q : s → K(s≤k ) = K(sk ) (2)
k=0 k=0
th
where sk is the k element of stream s.
Example 1. Consider the query Q1 which returns an output stream containing
all numbers greater than a threshold value tx . When s is divided into several
substreams, then we can filter out the values greater than tx in each substream
and concatenate them together to yield the final outputs. Since the output can
be obtained by direct concatenation of the outputs of smaller substreams, Q1 is
memoryless.

MapReduce Model. For every MapReduce cycle i, we extract a substream

s(i) from the input stream and execute the map function on this substream to
evaluate K(s(i) ); the result is concatenated to the previous result in the reduce
phase in the following way:
i
 i

Q(s) = K(s(k) ) with s = s(k) (3)
k=1 k=1

The following ASM 1 gives an ASM rule for agent j handling a memoryless
stream query. The variable taskj is the current phase of agent j which can be
either map or reduce. The rule bsp sync() is used for synchronization which indi-
cates the end of the current superstep for an agent. The agent will not continue
with the next superstep until all agents complete their current superstep. The
rule bsp send() can send the local data to other agents and the sent data is only
available in the next superstep, i.e. after bsp sync(). The rule bsp get() fetches
the data sent by other agents in the previous superstep.
ASM 1 (MapReduce for Memoryless Stream Query based on BSP).
IF taskj = “map”
THEN map outj := M ap F unction(sj )
bsp send(map outj )
bsp sync()
IF taskj = “reduce”
THEN map outj := bsp get()
reduce outj := concat(reduce outj , map outj )
bsp sync()
 Unbounded Barrier-Synchronized Concurrent ASMs 7

2.2 Semi-memoryless Stream Queries

For a semi-memoryless stream query it is not sufficient to yield the output of

a larger stream by simply concatenating the outputs of smaller substreams si .
Some further information of these smaller substreams, denoted as I(si ), is also
required to compute the output. This leads to the following definition.

Definition 2. A stream query Q is said to be semi-memoryless if Q can be

defined as follows:

Q : s → Fagg (K(s1 ), K(s2 ), I(s1 ), I(s2 )) with s = s1 + s2 , (4)

where K is the kernel of Q, I(si ) is a set of informative variables of substreams

si , and Fagg is the function that aggregates the outputs of smaller substreams
and yields the output of the larger stream.

Example 2. Consider the query Q2 which returns the average value of the num-
bers arrived so far. When evaluating the average of stream s, where s is divided
into two substreams s1 and s2 , first execute function K which calculates the
average value of s1 and s2 respectively. In this example, the lengths of two sub-
streams are also needed to calculate the total average, namely, I(si ) = {len(si )}.
Therefore, Q2 is semi-memoryless and can be evaluated as follows:

Q(s) = Fagg (K(s1 ), K(s2 ), I(s1 ), I(s2 ))

= Fagg (avg(s1 ), avg(s2 ), {len(s1 )}, {len(s2 )})
(5)
len(s1 ) len(s2 )
= avg(s1 ) · + avg(s2 ) ·
len(s1 ) + len(s2 ) len(s1 ) + len(s2 )

MapReduce Model. For every MapReduce cycle i we extract a substream s(i)

from the input stream and execute map function on this substream to evaluate
both K(s(i) ) and the informative set I(s(i) ), then aggregate with previous results
in the reduce phase in the following way:
i

i−1 i−1
Q(s) = Fagg (K( Σ s(k) ), K(s(i) ), I( Σ s(k) ), I(s(i) )) with s = s(k) (6)
k=1 k=1
k=1

The following ASM 2 gives an ASM rule for agent j handling a semi-
memoryless stream query. The term tag is used to denote the informative set
I. The function bsp send tag() sends the tag to other agents and the function
bsp get tag() fetches the tags sent by others. The variable local tagj is the pre-
i−1
viously stored tags of agent j (i.e. I( Σ s(k) ) in Eq. 6). The function Agg plays
k=1
the role of Fagg which aggregates the previous and current tags and map-results.
8 Z. Li et al.

ASM 2 (MapReduce for Semi-memoryless Stream Query based on

BSP).
IF taskj = “map”
THEN map outj := M ap F unction(sj )
tag outj := T ag F uction(sj )
bsp send(map outj )
bsp send tag(tag outj )
bsp sync()
IF taskj = “reduce”
THEN map outj := bsp get()
tag outj := bsp get tag()
reduce outj := Agg(reduce outj , map outj , local tagj , tag outj )
bsp sync()

2.3 Memorable Stream Queries

The following definition of a memorable stream query indicates that a large set
of information, or even the whole input stream s is required to obtain the output
of the stream query.

Definition 3. A stream query Q is said to be memorable if Q is semi-

memoryless as defined by Eq. 4 and the cardinality of I(s1 ) and I(s2 ) is in the
Θ-Class2 of the cardinality of s1 and s2 , respectively, i.e.

|I(s1 )| ∈ Θ(|s1 |) and |I(s2 )| ∈ Θ(|s2 |) (7)

or equivalently,
|I(s1 ) + I(s2 )| ∈ Θ(|s|) (8)

Example 3. Consider the query Q3 which returns the median value of the num-
bers arrived so far. Given any stream, every number can be the candidate of the
median, which means the whole stream s is required to determine the median.
When evaluating the median of s, where s is divided into two substreams s1 and
s2 , we have I(s1 ) = s1 and I(s2 ) = s2 . Therefore, Q3 is memorable.

MapReduce Model. According to Definition 3 a memorable stream query is a

special case of a semi-memoryless stream query. Hence, the MapReduce model
of memorable query is almost the same as the one given by Algorithm 2. One of
the most important features of memorable query is that the cardinality of the
informative set is unbounded when the input stream continues indefinitely, and
infinite storage space and computation time is required in the aggregation step.
Though in real-life practice no stream will be infinite and a stream query
for an almost-infinitely long input stream is rarely of interest, the memorable
2
Θ-Class is the intersection of O-Class and Ω-Class which provides an asymptotically
tight bound for functions.
 Unbounded Barrier-Synchronized Concurrent ASMs 9

stream query raises the problem how to handle stream queries that require a
large amount of computations and a large storage space. A feasible solution
is to have a large amount of available agents3 , which allows agents to join,
e.g. when there are many parallel computation threads, or leave, e.g. when the
computation is almost sequential. This gives sufficient computing sources and
storage space to guarantee the stream query evaluation to succeed. However,
neither an unbounded number of agents nor a dynamic growth and shrinking of
a set of agents is foreseen in the BSP model. It is therefore required to extend the
BSP model to Infinite-Agent BSP model as we will do in the following section.

3 An Extended Unbounded BSP Model

We now extend the BSP model such that an unbounded number of agents is
permitted, though only finitely many of them can be simultaneously active. In
addition, the extended BSP model should allow agents to join or leave the BSP
computation. The extended BSP model will be called Infinite-Agent BSP (Inf-
Ag-BSP) computation model. In the following subsections a behavioral theory of
Inf-Ag-BSP computation will be developed, which extends the behavioral theory
of the general BSP computation.
In general, a behavioral theory consists of an axiomatization of a class of algo-
rithms, a definition of an abstract machine model and a proof that the abstract
machine model captures the class of algorithms stipulated by the axiomatiza-
tion. The axiomatization is essentially a language-independent definition of the
algorithm class, and it is given by a set of postulates. Then the characterization
theorem contains two parts: (1) instances of the abstract machine model satisfiy
the postulates in the axiomatization; (2) every algorithm defined by the postu-
lates can by step-by-step simulated by an abstract machine, i.e. an instance of
the abstract machine model.

3.1 Axiomatization
There are two essential differences between the general BSP computation model
and the extended Inf-Ag-BSP computation model: (1) The total number of avail-
able agents can be countably infinite; (2) The agents can join or leave the set of
active agents in the BSP computation. Therefore, the axiomatization of Inf-Ag-
BSP can be derived from the axiomatization of the general BSP computation
model developed in [9] with those two differences taken into consideration.
For the first difference, we just slightly modify the number of available agents
from finite to countably infinite. This extension is feasible, as general BSP com-
putations are just restricted concurrent algorithms, and as such they can have
an infinite number of agents [3]. As for the second difference we introduce a local
variable joini and a joining set Jn . The variable joini is a function symbol of

3
In theory, we can assume that the number is countably infinite, provided we restrict
the model such that only finitely many of them will be simultaneously active.
10 Z. Li et al.

arity 0 in the local signature of each algorithm. When the algorithm is going to
join the set of active agents, the variable will be set to true; when the algorithm
decides to leave the BSP, it will be reset to false. The joining set Jn contains
the identifiers i of the active agents which have joined in state Sn . In addition,
requiring Jn to be a finite set ensures that only finitely many agents join at the
same time.
However, there remains another issue concerning the join/leave behavior,
which concerns when an agent is allowed to join or leave the BSP computation.
As for join we require any new agent to join only in the communication phase
because it needs to receive data to manipulate in the next computation phase.
As for leave we require that an agent can leave only after communication, i.e.
in the computation phase, because an agent may send some computed data to
other agents in the communication phase. All above considerations motivate the
axiomatization of Inf-Ag-BSP in the following Definition 4, which originates
from that of the general BSP model with several necessary restrictions and
modifications.

Definition 4. An Infinite-Agent BSP (Inf-Ag-BSP) algorithm is a concurrent

algorithm B = {(ai , Ai ) | i ∈ N} that satisfies the Inf-Ag-BSP signature restric-
tion and Inf-Ag-BSP communication-and-joining postulate defined in the follow-
ing two definitions.

Definition 5 (Inf-Ag-BSP signature restriction). A concurrent algorithm

B = {(ai , Ai )|i ∈ N} satisfies the Inf-Ag-BSP signature restriction iff the signa-
ture of A0 is Σ0 = {bari , joini | i ∈ N\{0}}∪{barrier}, and the signature of any
other Ai (i ∈ N\{0}) is Σi = Σi,loc ∪ {ci,j , cj,i | j ∈ N\{0}, j = i} ∪ {barrier}
such that the following conditions are satisfied:

(1) The subsignatures Σi,loc are pairwise disjoint, and each of them contains the
corresponding function symbols bari and joini of arity 0;
(2) For Ai , all locations (ci,j , v) are write-only;
(3) For Ai , all locations (cj,i , v) are read-only;
(4) The function symbol barrier has arity 0 and is monitored for all agents ai
(i = 0);
(5) For A0 , it monitors bari and joini .

Definition 6 (Inf-Ag-BSP communication-and-joining postulate4 ). For

 B = {(ai , Ai ) | i ∈ N} with concurrent run S0 , S1 , · · · ,
a concurrent algorithm
update sets Δn = a∈Agn Δa (res(Sa(n) , Σa )) for Sn+1 = Sn + Δn , and a
joining set Jn = {i | valSai (n) (joini ) = true}, B satisfies the Inf-Ag-BSP
communication-and-joining postulate iff the following conditions are satisfied:

(1) The cardinality of joining set Jn is finite for all n;

/ Jn , then either ai ∈
(2) If i ∈ / Agn or (joini , true) ∈ Δn ;

4
The definitions of the notations used here can be found in [9, Def. 2.2].
 Unbounded Barrier-Synchronized Concurrent ASMs 11

(3) If there exists an update (l, v) ∈ Δn with a location of form l = (ci,j , v), then
all updates in Δn (except (barx , false) and {(bary , true), (joiny , true)})
have this form and valSa(n) (barrier) = true holds for all a ∈ Agn ;
(4) If there exists no update (l, v) ∈ Δn with a location of the form l = (ci,j , v),
then valSa(n) (barrier) = false holds for all a ∈ Agn ;
(5) If non-trivial update (joini , true) ∈ Δn , then (bari , true) ∈ Δn ;
(6) If non-trivial update (joini , false) ∈ Δn , then valSai (n) (bari ) = false;
(7) Whenever (bari ∧ ¬barrier) ∨ (¬bari ∧ barrier) holds for any agent i ∈ Jn
in state Sn , then Δai (n) (res(Sn , Σi )) = ∅;
(8) The location barrier is lazy, namely, it only changes value when all bari for
i ∈ Jn have changed their values from true to false (or false to true).

The postulates in Definition 6 is used to describe the barrier-synchronization

and join/leave behaviors of Inf-Ag-BSP algorithm. The first condition in the
postulate requires that only finitely many agents can be active at the same
time. Actually, the finiteness of Jn follows from the finiteness of the sets Agn ,
so condition (1) can be derived from the others. The second condition states
that agents ai with valSai (n) (joini ) = false cannot contribute to an update in
state Sn except by an attempt to join the BSP computation in next state Sn+1 .
The third and forth separate update sets into only two cases: one is the update
sets corresponding to the communication phase and another is the update sets
corresponding to the computation phase. The fifth and sixth condition specify
when the value of joini can be changed, i.e. when can algorithms join or leave
the BSP algorithm: an algorithm must join and first enter the communication
phase and must leave in the computation phase5 . The seventh condition states
that all algorithms involved in the BSP algorithm (i.e. valSai (n) (joini ) = true)
have to wait for barrier to become true (or false, respectively) after setting
bari to true (or false respectively).
Analogously to the theory of BSP algorithms we can show concurrent runs of
Infinite-Agent BSP algorithms are indeed organised in supersteps, each compris-
ing a computation phase, in which the individual algorithms Ai operate only on
their local locations, followed by a communication phase, in which the individual
algorithms Ai operate only on their channel locations. The proof is analogous
to the corresponding proof in [9, Thm. 2.1].

Theorem 1 (Superstep Separation Theorem). Let S0 , S1 , . . . be a concur-

rent run of an Infinite-Agent BSP algorithm B = {(ai , Ai ) | 0 ≤ i ≤ k}. Then
there exists a sequence 0 = i0 < i1 < . . . with the following properties:

1. The value of barrier in state Sij is false for even j and true for odd j.
2. For all x with ij ≤ x < ij+1 the update set Δx (with Sx + Δx = Sx+1 )
satisfies:

5
Note that it still has to be ensured that an agent leaving the computation does this
after completing its step. This, however, has to be ensured by the specification of
the programs of the agents.
12 Z. Li et al.

(a) If j is even, then all updates in Δx affect locations of the form (f, v) with
k
f ∈ i=1 Σi,loc .
(b) If j is odd, then none of the updates in Δx affects a location of the form
k
(f, v) with f ∈ i=1 Σi,loc .
3. For all j, all x with ij−1 ≤ x < ij and all agents a ∈ Ag x we have ij−1 ≤ a(x).

3.2 Infinite-Agent BSP Abstract State Machine

As Inf-Ag-BSP algorithms define a restricted class of concurrent algorithms,
an abstract machine model for Inf-Ag-BSP algorithms can also be defined as
restricted concurrent ASM, which we will call Infinite-Agent BSP abstract state
machine (Inf-Ag-BSP-ASM). Definition 7 below defines the rules for such ASM.
Definition 7 (Rules). For i ∈ N\{0} let Σi = Σi,loc ∪{ci,j , cj,i | j ∈ N\{0}, j =
i} ∪ {barrier} be signatures such that the subsignatures Σi,loc are pairwise dis-
joint and contain 0-ary function symbols bari and joini . Then the process rules,
barrier rules and join rules over Σi are defined as follows:
(1) Each assignment rule f (t1 , . . . , tn ) := t0 with f ∈ Σi,loc \{bari , joini } and
terms t1 , . . . , tn , where n is the arity of f , is a process rule. Assignment rules
bari := true and joini := false are also process rules.
(2) Each assignment rule ci,j (t1 , . . . , tn ) := t0 with j ∈ N\{0}, j = i and terms
t1 , . . . , tn , where n is the arity of ci,j , is a barrier rule. Assignment rule
bari := false is also a barrier rule.
(3) The only join rule is the parallel composition of joini := true and bari :=
true.
(4) If all r1 , r2 , · · · , rm are process rules (or barrier rules, respectively), then the
parallel composition (r1 | r2 | · · · | rm ) is also a process rule (or barrier rule,
respectively).
(5) If r is a process rule (or barrier rule, respectively) and ϕ is a Boolean term,
then (IF ϕ THEN r) is also a process rule (or barrier rule, respectively).
An Inf-Ag-BSP rule over Σi (i ∈ N\{0}) is a rule of the form:
(IF joini ∧ ¬bari ∧ ¬barrier THEN ri,proc ) |
(IF joini ∧ bari ∧ barrier THEN ri,comm ) |
(IF ¬joini THENCHOOSE ri,join OR skip)
with a process rule ri,proc , a barrier rule ri,comm and the join rule ri,join .
Let Σ0 = {bari , joini | i ∈ N\{0}} ∪ {barrier} and J = {i | val(joini ) = true}
be the joining set, a switch rule is a rule over signature Σ0 of the form:
SWITCH ≡

(IF ¬barrier ∧ bari THEN barrier := true) |
i∈J

(IF barrier ∧ ¬bari THEN barrier := false)
i∈J
 Unbounded Barrier-Synchronized Concurrent ASMs 13

For machines executing an Inf-Ag-BSP algorithm each active machine, i.e.

val(joini ) = true, has to execute its local process rule ri,proc until the local vari-
able bari is set to true. Once the “synchronisor” machine M0 updates barrier
to true according to the value of bari of all involved machines, Mi has to exe-
cute its barrier rule ri,comm , until the local variable bari is reset to false. Active
machines can only leave during a computation phase, so joini := false is a pro-
cess rule. An inactive machine can either do nothing or join and then enter the
communication phase. These considerations lead to the following definition.
Definition 8. An Infinite-Agent BSP abstract state machine (Inf-Ag-BSP-
ASM) is a concurrent ASM {(ai , Mi )|i ∈ N}, where the signatures Σi of
machines Mi are defined as in Definition 7, the rule of M0 is SWITCH over
Σ0 , the rule of other Mi (i = 0) is an InfAg-BSP rule over Σi , and the joining
set J = {i | val(joini ) = true} is always finite.

3.3 Characterization Theorem

The characterization theorem shows that Inf-Ag-BSP-ASM captures the Inf-Ag-
BSP algorithms. As mentioned before the proof consists of two parts: (1) Inf-
Ag-BSP-ASM satisfies the postulates for Inf-Ag-BSP algorithms in the axioma-
tization; (2) every Inf-Ag-BSP algorithm defined by the postulates can be step-
by-step simulated by an Inf-Ag-BSP-ASM.
Lemma 1. Inf-Ag-BSP-ASM satisfies the postulates for Inf-Ag-BSP algorithms
in the axiomatization.
Proof. Let M = {(ai , Mi )|i ∈ N} be an Inf-Ag-BSP-ASM. According to Def-
inition 8, the signature of M satisfies the Inf-Ag-BSP signature restriction.
It remains to show that M also satisfies the Inf-Ag-BSP communication-and-
joining postulate.
Condition (1) is trivially satisfied because J is required to be always finite in
the definition of M. Condition (2) is a consequence of the Inf-Ag-BSP rule. When
val(joini ) = false, the first two if-conditions of the Inf-Ag-BSP rule cannot be
satisfied and the third if-condition must be satisfied. Then the machine either
does nothing or sets both joini and bari to true, which matches what Condition
(2) requires. For Conditions (3) and (4) we can directly exploit the proof in [9].
For Condition (5) the update (joini , true) is non-trivial, i.e. the initial value
of joini is false. Therefore, it corresponds to the join rule ri,join . According to
the definition of join rules we must have also bari := true ∈ ri,join , which implies
Condition (5). For Condition (6) we exploit that the update (joini , false) must
come from a process rule. This can only be executed, if val(bari ) = false holds,
so Condition (6) is satisfied.
For Condition (7), (bari ∧¬barrier)∨(¬bari ∧barrier) for i ∈ Jn is equivalent
to (joini ∧ bari ∧ ¬barrier) ∨ (joini ∧ ¬bari ∧ barrier). In this case none of the
three if-conditions of Inf-Ag-BSP rule are satisfied, so the ASM does nothing
and the update set is ∅. Condition (8) is again a direct and trivial consequence
of the definition of the rule SWITCH.
14 Z. Li et al.

Lemma 2. Every Inf-Ag-BSP algorithm defined by the postulates can be step-

by-step simulated by an Inf-Ag-BSP-ASM.
Proof. Assume that B = {(ai , Ai )|i ∈ N} is an Inf-Ag-BSP algorithm. Given
that Inf-Ag-BSP algorithms define a restricted class of concurrent algorithms,
we let our abstract machine be a cASM M = {(ai , Ai )|i ∈ N} with the same
signature and the same concurrent runs as B, which is the result of the behavioral
theory of concurrent algorithm in [3].
The machine M0 of agent 0 executes a SWITCH rule, which is used for con-
trolling the separation of the computation phase and communication phase of
BSP algorithm. The rules for other machines Mi have the form
(IF ϕ1 THEN ri,1 ) | · · · | (IF ϕm THEN ri,m )
We can exploit the same argument as in [9] to show that the rules ri can be
written in the form of Inf-Ag-BSP rule when replacing ri by the following rule:
(IF joini ∧ ¬barrier ∧ ¬bari THEN ri,proc ) |
(IF joini ∧ barrier ∧ bari THEN ri,comm ) |
(IF ¬joini THENCHOOSE ri,join OR skip)
with rules ri,proc , ri,comm , ri,join defined as follows:
ri,proc = (IF ϕ1 THEN ri,1 ) | · · · |
(IF ϕm THEN ri,m )
ri,comm = (IF ϕm +1 THEN ri,m +1 ) | · · · |
(IF ϕm THEN ri,m )
ri,join = (IF ϕm +1 THEN ri,m +1 ) | · · · |
(IF ϕm THEN ri,m )
which completes the proof that B can be simulated by an Inf-Ag-BSP-ASM.
Combining Lemmata 1 and 2 gives the following claimed result.
Theorem 2 (Characterization theorem). Infinite-Agent BSP abstract state
machine captures Infinite-Agent BSP algorithms.

4 Processing of Stream Queries with MapReduce Using

Inf-Ag-BSP ASMs
After extending BSP model to the Inf-Ag-BSP model let us revisit our MapRe-
duce models for memoryless and semi-memoryless stream queries in the ASMs
1 and 2. Based on the Inf-Ag-BSP model we refine the previous ASMs, which
leads to Algorithms 3 and 4. The main difference is that this time we check
whether an agent has joined the family of active agents of the BSP computation
or an agent has left before each iteration. The rule Join U pdate() updates the
value of joini at the begining of the computation phase of each superstep. The
refined ASMs allow agents to join or to leave.
 Unbounded Barrier-Synchronized Concurrent ASMs 15

ASM 3 (MapReduce for Memoryless Stream Query based on Inf-Ag-

BSP)
IF joinj = true
THEN joinj := Join U pdate()
// Update the value of joini in current superstep
IF joinj = true
IF taskj = “map”
THEN map outj := M ap F unction(sj )
bsp send(map outj )
bsp sync()
IF taskj = “reduce”
map outj := bsp get()
reduce outj := concat(reduce outj , map outj )
bsp sync()

ASM 4 (MapReduce for Semi-memoryless Stream Query based on

Inf-Ag-BSP)
IF joinj = true
THEN joinj := Join U pdate()
// Update the value of joini in current superstep
IF joinj = true
IF taskj = “map”
map outj := M ap F unction(sj )
tag outj := T ag F uction(sj )
bsp send(map outj )
bsp send tag(tag outj )
bsp sync()
IF taskj = “reduce”
map outj := bsp get()
tag outj := bsp get tag()
reduce outj := Aggre(reduce outj , map outj ,
local tagj , tag outj )
bsp sync()

5 Conclusion
In this paper, we extended MapReduce to handle different classes of stream
queries based on the BSP model. We distinguished memoryless, semi-memoryless
and memorable stream queries. The increasing need for memory and the increas-
ing number of parallel map/reduce tasks in memorable stream queries motivated
the extension of the general BSP model to Inf-Ag-BSP model. For this we devel-
oped a behavioral theory for the Inf-Ag-BSP model based on the theory of the
general BSP model, and we showed how the extended model is used to refine the
16 Z. Li et al.

processing of stream queries. Furthermore, the Inf-Ag-BSP model is not bound

to MapReduce, so it can also be employed to handle other parallel computation
problems, especially those requiring a large amount of computation work.

References
1. Blass, A., Gurevich, Y.: Abstract state machines capture parallel algorithms. ACM
Trans. Comput. Logic 4(4), 578–651 (2003)
2. Blass, A., Gurevich, Y.: Abstract state machines capture parallel algorithms: cor-
rection and extension. ACM Trans. Comp. Logic 9(3), 1–32 (2008)
3. Börger, E., Schewe, K.-D.: Concurrent abstract state machines. Acta Inf. 53(5),
469–492 (2015). https://doi.org/10.1007/s00236-015-0249-7
4. Börger, E., Schewe, K.D.: A behavioural theory of recursive algorithms. Fundam.
Inf. 177(1), 1–37 (2020)
5. Costa, V.G., Marı́n, M.: A parallel search engine with BSP. In: Third Latin Amer-
ican Web Congress (LA-Web 2005), pp. 259–268. IEEE Computer Society (2005).
https://doi.org/10.1109/LAWEB.2005.7
6. Dean, J., Ghemawat, S.: MapReduce: simplified data processing on large clusters.
In: Proceedings of the 6th Conference on Symposium on Opearting Systems Design
& Implementation, OSDI 2004, vol. 6, p. 10. USENIX Association (2004). http://
dl.acm.org/citation.cfm?id=1251254.1251264
7. Dershowitz, N., Falkovich-Derzhavetz, E.: On the parallel computation thesis.
Logic J. IGPL 24(3), 346–374 (2016). https://doi.org/10.1093/jigpal/jzw008
8. Ferrarotti, F., Schewe, K.D., Tec, L., Wang, Q.: A new thesis concerning synchro-
nised parallel computing - simplified parallel ASM thesis. Theor. Comp. Sci. 649,
25–53 (2016). https://doi.org/10.1016/j.tcs.2016.08.013
9. Ferrarotti, F., González, S., Schewe, K.D.: BSP abstract state machines cap-
ture bulk synchronous parallel computations. Sci. Comput. Program. 184, 102319
(2019). https://doi.org/10.1016/j.scico.2019.102319
10. Gava, F., Pommereau, F., Guedj, M.: A BSP algorithm for on-the-fly checking
CTL* formulas on security protocols. J. Supercomput. 69(2), 629–672 (2014).
https://doi.org/10.1007/s11227-014-1099-8
11. Gurevich, Y.: Sequential abstract-state machines capture sequential algorithms.
ACM Trans. Comp. Logic 1(1), 77–111 (2000). https://doi.org/10.1145/343369.
343384
12. Gurevich, Y., Leinders, D., Van den Bussche, J.: A theory of stream queries. In:
Arenas, M., Schwartzbach, M.I. (eds.) DBPL 2007. LNCS, vol. 4797, pp. 153–168.
Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75987-4 11
13. Inda, M.A., Bisseling, R.H.: A simple and efficient parallel FFT algorithm using
the BSP model. Parallel Comput. 27(14), 1847–1878 (2001)
14. Pace, M.F.: BSP vs. MapReduce. In: Ali, H.H., et al. (eds.) Proceedings of the
International Conference on Computational Science (ICCS 2012). Procedia Com-
puter Science, vol. 9, pp. 246–255. Elsevier (2012)
15. Schewe, K.-D., Wang, Q.: A simplified parallel ASM thesis. In: Derrick, J., et al.
(eds.) ABZ 2012. LNCS, vol. 7316, pp. 341–344. Springer, Heidelberg (2012).
https://doi.org/10.1007/978-3-642-30885-7 27
16. Valiant, L.G.: A bridging model for parallel computation. Commun. ACM 33(8),
103–111 (1990). https://doi.org/10.1145/79173.79181
 Towards ASM-Based Automated Formal
Verification of Security Protocols

Chiara Braghin , Mario Lilli , and Elvinia Riccobene(B)

Computer Science Department, Università degli Studi di Milano,

via Celoria 18, Milan, Italy
{chiara.braghin,mario.lilli,elvinia.riccobene}@unimi.it

Abstract. In the security protocols domain, formal verification is more

and more highly demanded to guarantee security assurance: humans
increasingly depend on the use of connected devices in their daily life, so
they must be protected against possible threats and accidents. However,
formal verification, and in general the use of formal methods, is slowed
by myths and misconceptions, mainly due to their mathematical base,
which discourages many designers or engineers from their adoption.
In this paper, we pose the basis for the long-term development of an
ASM-based user-friendly framework for the formal verification of secu-
rity protocols. We introduce a mathematical-based set of templates to
formalise common patterns in security protocols and a set of security
properties. These templates facilitate the protocol formal verification by
providing built-in functions and domains, as well as transition rules and
property schema, to be customised according to the specific protocol to
be verified. The effectiveness of this approach is shown by means of their
application to a number of well-known cryptographic security protocols.

Keywords: Cryptographic protocols · Security assurance · Abstract

state machines

1 Introduction

With the rise of Internet and other open networks, the world became more and
more connected, thus technology and data have taken more significant roles in
our daily lives. A report conducted in 2017 by Domo [20] estimated that by
2020 (without taking in consideration the COVID-19 outbreak that intensified
the process) 1.7MB of data would be created every second for every person on
earth. This massive amount of data, often sensitive, is shared among users by
means of communication protocols. A large number of security protocols have
been developed and deployed in order to provide security guarantees (such as
authentication of actors, or secrecy of some pieces of information) through the

The work was partially supported by the SEED Project SENTINEL.

c Springer Nature Switzerland AG 2021
A. Raschke and D. Méry (Eds.): ABZ 2021, LNCS 12709, pp. 17–33, 2021.
https://doi.org/10.1007/978-3-030-77543-8_2
18 C. Braghin et al.

application of cryptographic primitives. However, the design of security proto-

cols, despite their apparent simplicity, is particularly error-prone. Many commu-
nication protocols do not use up-to-date security features or implement them
wrongly, and it is difficult to detect these small vulnerabilities without a formal
analysis. Moreover, security errors cannot be detected by functional software
testing because they appear only in the presence of a malicious adversary. For
this reason, many published protocols have been found flawed many years after
they have been implemented and used in real applications. Thus, formal verifica-
tion of security protocols has become a key issue. It is also important to enforce
the security during the design phase obtaining the so called security by design.
Indeed, flaws found after the design phase are costly to be patched, and the cost
increases exponentially during the next development phase [23].
Research in the field of protocol verification has been very active in the
last thirty years. It reached a fairly mature state, however most of the tools
are not widely adopted by industry as one would expect. Unfortunately, the
adoption of formal methods is slowed by myths and misconceptions, mainly due
to their mathematical base, which discourages many designers or engineers [18].
The common problems of these tools are: a difficult modelling language, making
the writing of the model error-prone as well; a verification process that might
require user interaction and knowledge of the tool’s internal; the verification
results difficult to interpret and to bind to the original protocol. For this reason,
many of the protocols verified so far have been a case study for a specific tool
and each time a new protocol has to be verified, the modelling of the protocol
has to start from scratch, although often the protocols share the same structure.
In this paper, we want to tackle the problem from a little bit different per-
spective: we want to reduce the gap between software engineers or designers’
background and formal methods notation. To this aim, as a first step, we intro-
duce a mathematical-based set of templates to formalise common patterns in
security protocols and a set of security properties. These templates facilitate the
protocol formal verification by providing built-in functions and domains, as well
as transition rules and property schema, to be customised according to the spe-
cific protocol to be verified. Specifically, we propose a library of functions and
domains that can be used to develop Abstract State Machine (ASM) [14] mod-
els of security protocols. ASM specifications are instances of a model template
that reflects the common structure usually shared by the security protocols. We
also provide a set of schema for temporal logic formulas that specify common
security goals of cryptographic protocols. If instantiated according to the specific
protocol information, resulting properties can be automatically verified by the
AsmetaSMV model checker [2]. The modelling formalism that we have defined,
although not yet near to natural language, has the advantage of being under-
stood as “pseudocode over abstract data”, so it is easy to read and use. Our
approach has been applied to well-known cryptographic security protocols and
to the scenario of IoT protocols [25].
The results presented here are the first step toward a long term research
project. In the future, we want to hide the mathematical formalism behind a
 Towards ASM-Based Automated Formal Verification of Security Protocols 19

high customisable user interface. More precisely, we want to formalise a nota-

tion that links univocally a formalised characteristic of a secure communication
protocol with a graphical element. Final users can easily drag and drop the
components that they need to build their protocol model. Moreover, we want
to make available in our framework the automatic implementation of security
protocols by exploiting techniques that map ASM models to code (e.g., to C++
[12] or Java [3]).
The rest of the paper is organised as follows. In Sect. 2 we briefly recall
some basic definitions on security protocols and on the ASM formal method; we
also present two protocols used in the paper as running case studies. Section 3
introduces the library of domains and functions to model the various elements
of a security cryptographic protocol and to model the concept of the attacker;
we also show the application of the library primitives to model the two running
examples; finally, we present formula schemas for security protocol verification
and we instantiate them for the two protocol examples. Section 4 relates our
work with existing approaches, and Sect. 5 concludes the paper.

2 Background
2.1 Security Protocols
Although there is a wide range of protocols, differing by the number of principals
(or actors), the number of messages, the goals of the protocol (that may often
be expressed with a list of desired security properties), they all share a common
structure. Indeed, a communication protocol consists of a sequence of messages
between two or more principals. Each message may be written in the form:

M1. A → B : message payload

which specifies:
– The principals (or actors) exchanging messages (in general, symbols A and
B represent arbitrary principals, S a server). In particular, the direction of
the arrow specifies the sender and the receiver of the message.
– The order in which messages are sent, and their specific payload. In particular,
M1 is a label identifying the message, whereas message payload specifies the
actual content of the message.
In secure protocols, payloads can be partially or totally ciphered, either by
symmetric-key encryption (in this case, KAB is often used to specify a key shared
between actors A and B, used both to encrypt and decrypt), or by asymmetric-
−1
key encryption (here, KB and KB are used to specify a public and private key
of B, respectively). Message payloads can contain other information, such as
nonces (N ), timestamps (T ), etc.
The security goals are often defined with respect to CIA (Confidential-
ity, Integrity, Authentication) triad. The most common are confidentiality or
integrity of message payloads, or entity authentication (i.e., the process by which
20 C. Braghin et al.

one entity is assured of the identity of a second entity that is participating to

the same session of a protocol, thus, they share the same values of the protocol
parameters, such as session keys, nonces, etc.).
Consider for example two classic protocols (that are still in use in a revised
version) that will be used throughout the paper as running examples to introduce
also the ASM notation. The Needham-Schroeder public-key protocol (NSPK,
forshort) has been introduced in 1978 for mutual authentication (here, we omit

Needham-Schroeder public-key protocol SSL protocol

M1. A → B : {A, NA }KB M1. A → B : {KAB }KB
M2. B → A : {NA , NB }KA M2. B → A : {NB }KAB
M3. A → B : {NB }KB M3. A → B : {CA , {NB }K −1 }KAB
A

the exchanges with the certification authority to get the public keys). It consists
of three messages: in the first message, principal A sends to B a message con-
taining her identity, A, and a nonce, NA , to avoid replay attacks (i.e., reuse of
old messages, often called a challenge message), that only B can decrypt with
his private key. B ’s answer (message M2) is ciphered with A’s public key and
contains nonce NA to authenticate B (he is the only one able to decrypt mes-
sage M1 and obtain NA in clear), and a nonce NB to authenticate A with B.
Since message M2 is encrypted with A’s public key, she is the only one who can
decrypt it, thus if B receives message M3 containing nonce NB encrypted with
his public key, A is authenticated, too.
The SSL protocol was introduced by Netscape to exchange a session key and
mutual authentication. In message M1, client A sends a session key KAB to
server B. In the second message, B produces a challenge NB , which A signs and
returns to B along with a certificate CA , in case B does not have her public key.
Also in this case, A is authenticated when B receives the signed nonce.
In general, a secure protocol is used to communicate along an insecure net-
work in an untrusted environment, such as Internet. That is, the communication
channel is shared among possibly untrusted principals. This means that any
arbitrary adversary E may try to subvert a protocol run. It is common to distin-
guish between passive and active attackers, which differ in the capabilities they
have. The passive attacker is able to eavesdrop the channel, whereas an active
attacker controls the network and can delete, inject, modify and intercept any
message and is only limited by the constraints of the cryptographic methods
used (i.e., the classical symbolic Dolev-Yao model [19] assuming perfect cryp-
tography). In this fully untrusted scenario, it is also wrong to assume that an
intended principal of the protocol always behaves honestly.
Both the above protocols are vulnerable to this attack. In NSPK, if A starts
a session of the protocol with a dishonest principal E, E may start a new session
of the protocol with B to whom (s)he forwards all the messages (s)he receives
from A, where (s)he just changes the key used to encrypt. As a consequence, B
 Towards ASM-Based Automated Formal Verification of Security Protocols 21

will think to run a protocol session with A and not with E (the solution is to
add the identity of the intended receiver in message M2, i.e., {NA , NB , B}KA ).
In the SSL protocol, B can be a dishonest principal opening a session with
another principal C, making C to believe (s)he is talking to A (i.e., B imperson-
ates A with C by showing the nonce signed by A in message M3). The attack
may be avoided by modifying message M3 in {CA , {A, B, KAB , NB }K −1 }KAB .
A

2.2 Abstract State Machines in a Nutshell

ASMs [13,14] is the formalism that we use for modeling security protocols. They
are a state-based formal method, which extends Finite State Machines (FSMs) by
replacing unstructured control states with algebraic structures (i.e., domains of
objects with functions defined on them), and performing state transitions by fir-
ing transition rules. At each computation step, all transition rules are executed in
parallel by leading to simultaneous (consistent) updates of a number of locations
– i.e., memory units defined as pairs (function-name, list-of-parameter-values)–,
and therefore changing functions interpretation from one state to the next one.
Location updates are given as assignments of the form loc := v, where loc is a
location and v its new value. Among other rule constructors, those used for our
purposes are constructors for: guarded updates (if-then, switch-case), paral-
lel updates (par), sequential actions (seq), nondeterministic updates (choose).
Functions which are not updated by rule transitions are static. Those updated
are dynamic, and distinguished in monitored (read by the machine and modified
by the environment), controlled (read and written by the machine).
ASMs allow modeling different computational paradigms, from a single agent
executing parallel actions, to distributed multiple agents interacting in a syn-
chronous or asynchronous way. We exploit the latter computational model for
modeling security protocols. More specifically, a multi-agent ASM is a family of
pairs (a, ASM(a)), where each agent a : Agent executes its own machine ASM(a)
specifying its local behavior, and contributes to determine the next state. A pre-
defined function program on Agent indicates the ASM associated with an agent.
As an example, Fig. 2 shows an excerpt of the multi-agent ASM models of the
two case studies, where the three agents, agentA (for principal A), agentB (for
principar B) and the attacker agentE, operate in a distributed setting according
to the protocol rules (see Sect. 2.1 for more details).
Within transition rules, each agent can identify itself by means of a special
0-ary function self : Agent which is interpreted by each agent a as itself. An
ASM agent can behave according to a control-state ASM [14]: transition rules
are guarded by a function mode, which is updated in the rule body and whose
values resemble the states of a Finite State Machine. This machine model has
been used for specifying principal behaviour (i.e., actor’s actions).

ASMETA Toolset. The ASM formal method is supported by the tool-set

ASMETA (ASM mETAmodeling) [4] for model editing, validation and verifi-
cation.
22 C. Braghin et al.

An ASM model edited in ASMETA by means of the AsmetaL notation [21],

has a predefined structure consisting of: a signature, which contains declarations
of domains and functions; a block of definitions of static domains and functions,
transition rules, state invariants and properties to verify; a main rule, which is
the starting point of a machine computation; a set of initial states, one of which
is elected as default and defines an initial value for the machine locations.
An AsmetaL model can include other pieces of ASM specifications imported as
module from the main machine (that is declared as asm). Every module contains
definitions of domains, functions, invariants and rules, while the main AsmetaL
model is a module that additionally contains an initial state and a main rule
representing the starting point of the execution. The module importing mecha-
nism allows for the specification of predefined libraries of signature declaration
and definition, as those provided in our approach as predefined set of modeling
primitives for cryptography protocols specification.
Among the tools of the ASMETA framework, the model checker AsmetaSMV
can be used to check if given properties, expressed within the model as temporal
logic formulas, hold during all possible model executions. Here, we use AsmetaSMV
to verify the CIA properties for the two case studies (see Sect. 3.3). In case a
property does not hold, a counterexample is returned by the model checker, and
thanks to integration of the ASMETA tools, counterexamples obtained from false
properties are given back as model scenarios that are simulated (an example is
shown in Sect. 3.3). Besides the greater expressiveness of the ASM mathematical
notation w.r.t. the limited modeling primitives of a model checker, the advantage
of using ASM/ASMETA for our purposes, instead of directly specifying protocols
in the input language of the model checker (e.g., NuSMV), is strictly related with
the tool integration feature of ASMETA.

3 ASM Modeling of Cryptographic Protocols

We here introduce the main primitives (in terms of ASM functions and domains
in the AsmetaL notation) useful to model cryptographic protocol. These primi-
tives can be imported as a library, called CryptoLibrary, in the AsmetaL model
of a specific protocol; library domains can be instantiated for the specific pur-
poses of the protocol, while functions can be directly used within the model.
To explain library primitives and show their use for modeling the two case
studies, we use the following convention: excerpts are reported in listings; they
are colored in gray (and not numbered) if they refer to signature declared in the
library, and are numbered and uncolored if excerpts refer to a model.
 Towards ASM-Based Automated Formal Verification of Security Protocols 23

Fig. 1. Structure of a message and examples in SSL and NSPK protocols

Actors or Principals. The library specifies protocol actors as agentX of cor-

responding domain Agent X, where X identifies the role of the agent working
in the protocol as A (X=A), as B (X=B), as a malicious actor (X=E), and as a
trusted key distribution server (X=S).
domain Agent A subsetof Agent
domain Agent B subsetof Agent
domain Agent E subsetof Agent
domain Agent S subsetof Agent

static agentA: Agent A

static agentB: Agent B
static agentE: Agent E
static agentS: Agent S

Messages. Protocol messages are modeled by means of library domains and

functions, according to the message structure given in Fig. 1 (the picture
above shows the general structure, the two pictures below exemplify the
structure of SSL message M3, on the left, and of NSPK M2, on the right).
The domain Message is used to model message labels; Payload is the set
of protocol payload data (e.g., nonces, certificates, keys, etc.); the domain
PayloadSection contains labels indicating groups1 of payload data; the func-
tion protocolMessage associates to a (sender, receiver ) pair of actors the
label of the message they are exchanging; the function payload yields the set
of payload data contained in the payload section of an exchanged message of
a given label.
Library domains Message, Payload and PayloadSection will be instantiated
according to the characteristics of the specific protocol to model2 .
domain Message subsetof Any
domain Payload subsetof Any
domain PayloadSection subsetof Any
controlled protocolMessage: Prod(Agent,Agent)−> Message
controlled payload: Prod(Message,PayloadSection, Agent, Agent) −> Powerset(Payload)

For example, in case of the SSL protocol, Message domain is instantiated as

MessageSSL3 containing the labels of the three messages exchanged between
1
A group contains either data subject to a specific protocol operation (e.g., signature,
hashing, etc.), or data with no further manipulation.
2
Any stands for a domain that can contain any element.
3
We convey to add the suffix naming the protocol to the corresponding library domain
when we instantiate it.
24 C. Braghin et al.

the actors (KK for message M1, NK for M2, CSNK for M3 - see Code 1). Similarly,
PayloadSSL instantiates Payload with elements representing the different
data a message can contain (e.g., SKAB refers to the symmetric key KAB ).
Note that it also contains information to deal with an adversary principal
(as SKAE, symmetric key KAE between A and the intruder - see Sect. 3.1).
PayloadSectionSSL instantiates PayloadSection with labels for significant
groups (e.g., SIGN NONCE identifies data {NB }K −1 ).
A

enum domain MessageSSL = {KK | NK | CSNK}

enum domain PayloadSSL = {NB|CA|SKAB|SKAE|SKEB}
enum domain PayloadSectionSSL={SEND KEY|NONCE|CERT|SIGN NONCE}
....
protocolMessage(agentA,agentB):= KK
payload(KK,SEND KEY,agentA,agentB):=SKAB

Code 1. Excerpt of ASM model for SSL

Actor’s Actions. Each (honest) protocol actor runs a program having the
same structure; this reflects the common pattern that crypto-protocols have.
Figure 2 in Sect. 3.2 shows the pattern similarity in the two case studies, SSL
and NSPK protocols. Each rule in the actor’s program (e.g., r agentARule
for actor agentA) models the role that the actor has in the protocol run. Each
actor has a memory: (s)he keeps information related to the protocol session
by means of the following built-in functions available in the library.
controlled knownAsimPubKey: Agent −> Powerset(AsimPubKeyType)
controlled knownAsimPrivKey: Agent −> Powerset(AsimPrivKeyType)
controlled knownSimmKey: Agent −> Powerset(SimmKeyType)
controlled knownPayload: Agent −> Powerset(PayloadType)

During a protocol session, an actor follows a control-state ASM on the base

of the mode functions internalState on State and protocolMessage on
Message: each control state represents the actor’s configuration upon per-
forming a protocol step where (s)he plays a specific role (as A or B).
domain State subsetof Any
controlled internalState: Agent −> State

Primitives internalState and State must be instantiated to model a specific

protocol. The excerpt in Code 2 shows the instantiation for the SSL protocol.
It also shows a rule of the (agentB’s) control-state that causes the actor’s
state change. The other rules have similar guarded structures.
enum domain StateA = {IDLE A | WAITING NK | END A}
enum domain StateB = {WAITING KAB | WAITING CSNK | END B}
controlled internalStateA: Agent A −> StateA
controlled internalStateB: Agent B −> StateB

if(internalStateB(self)= WAITING KAB and protocolMessage(e,self)= KK)then

par
protocolMessage(self,e):= NK
payload(NK,NONCE,self,e):= {NB}
internalStateB(self):= WAITING CSNK
endpar
endif

Code 2. Control state ASM model of an Agent in SSL

 Towards ASM-Based Automated Formal Verification of Security Protocols 25

Symmetric/Asymmetric encryption primitives. Built-in primitives exist

for handling encryption/decryption of messages by using symmetric and
asymmetric (public and private) keys.
domain SimmKey subsetof Any
controlled encrypt sim: Prod(Message,Powerset(PayloadSection),Agent,Agent) −> SimmKey
static decrypt sim: Prod(Message,Powerset(PayloadSection), Agent, Agent) −> Boolean
static sim keyAssociation: Prod(Agent,Agent) −> SimmKey
function decrypt sim(m in Message, s in Powerset(PayloadSection), a1 in Agent, a2 in Agent)=
if (contains(knownSimmKey(a2),encrypt sim(m,s,a1,a2 ))) then true else false endif

domain AsimPubKey subsetof Any

domain AsimPrivKey subsetof Any
controlled encrypt asim: Prod(Message,Powerset(PayloadSection),Agent,Agent) −> AsimPubKey
static asim revKeyAssociation: AsimPrivKey −>AsimPubKey
static asim keyAssociation: AsimPubKey −> AsimPrivKey
static decrypt asim: Prod(Message,Powerset(PayloadSection),Agent,Agent) −> Boolean
function decrypt asim(m in MessageType,s in Powerset(PayloadSectionType),a1 in Agent,
a2 in Agent)=
if (contains(knownAsimPrivKey(a2),asim keyAssociation(encrypt asim(m,s,a1,a2)))) then
true else false endif

In both symmetric and asymmetric cases, function encrypt [a]sim mem-

orises the encryption key used to encrypt a message of a given label and
payload, sent by a sender actor to a receiver one. For example, in case of pro-
tocol SSL, when message M3. A → B : {CA , {NB }K −1 }KAB is sent, location
A
encrypt sim(CSNK,{CERT,SIGN NONCE},agentA,agentB) is updated with
SKAB, being CSNK the message label, {CERT,SIGN NONCE} the message pay-
load, agentA the sender, agentB the receiver, and SKAB the two agents sym-
metric encryption key.
Decryption functions are predicates used within rule guards to check if an
actor receiving an encrypted message of a given label and payload section can
decrypt the received message: it is false when the message encryption key is
not contained in the agent’s memory.
The following Code 3 shows the rule r message NK of the SSL model, which is
executed by actor B at step M2 of the protocol under the Dolev-Yao assump-
tion (in this case, the traffic is controlled by intruder E, therefore, B views
all messages as sent by E - see Sect. 3.1); function decrypt sim is used to
check if B can decrypt the message, and encrypt sim yields the symmetric
key used for encryption.
rule r message NK =
let (e=agentE) in
if (internalStateB(self)=WAITING KAB and protocolMessage(e,self)=KK) then
if decrypt asim(KK,{SEND KEY},e,self) then
par
knownSimmKey(self):= union(knownSimmKey(self),payload(KK,SEND KEY,e,self))
protocolMessage(self,e):= NK
payload(NK,NONCE,self,e):= {NB}
encrypt sim(NK,{NONCE},self,e):= SKAB
internalStateB(self):= WAITING CSNK
endpar
endif endif endlet

Code 3. ASM rule of an Agent in SSL

26 C. Braghin et al.

Signature. In case of asymmetric encryption, the function sign is used to mem-

orize the signature of a message of given label and payload section, sent by
a sender actor to a receiver actor; predicate verify sign is used to check if
an actor receiving a message containing signed data can verify the authen-
ticity of the message: it checks if the actor verifying the signature knows the
sender’s public key and the signed data matches the content of the signature.
controlled sign: Prod(MessageType, PayloadSectionType, Agent, Agent) −> AsimPrivKeyType
static verify sign: Prod(MessageType,PayloadSectionType, Agent, Agent) −> Boolean
function verify sign(m in Message, s in PayloadSection, a1 in Agent,a2 in Agent)=
if (contains(knownAsimPubKey(a2),asim revKeyAssociation(sign(m,s,a1,a2)))) then
if (allin(knownPayload(a2),payload(m,s,a1 ,a2))) then true else false endif
endif

Advanced features. The library makes also available functions to handle

advanced characteristics of crypto-protocols, e.g., hash functions, MAC func-
tions, the Diffie-Hellman (to name a few); these have not been used in the
two case studies reported here and, therefore, they are not presented here.

3.1 Modeling the Intruder Behaviour

We support two possible behaviours of an intruder : a) as a protocol actor having

malicious behaviour, and b) as an external actor operating in passive mode (i.e.,
an eavesdropper), or in active mode according to the Dolev-Yao assumption.
The intruder is available in the library as agentE. His/her program reflects
the intended behaviours. Note that, the attacker controls the traffic and this
is modeled by imaging E in the middle of the communication between A and
B. Therefore, in the presence of the attacker (internal or external), the channel
between the two honest actors is broken in two sub-channels: between A and E,
and between E and B (this justifies why, in the rules, all messages sent by A are
received by E, and all messages received by B arrive from E).

Protocol actor with a malicious behaviour. In this case, agentE, operat-

ing as an intended protocol actor, receives messages from A who voluntarily
started a protocol session with E. In this case, (s)he can save the information
of the payload, but instead of honestly replying to A following the protocol
rules, E uses his/her information to start a new protocol session with B. The
library monitored function chosenReceiver can be used to capture both the
case in which the intended receiver behaves honestly (as B ), and the case
in which (s)he behaves dishonestly (as E ). Domain Receiver contains those
agents that can be selected as possible protocol receivers.
enum domain Receiver = {agentB|agentE}
monitored chosenReceiver: Receiver
controlled receiver: Receiver

External attacker. In this case, agentE is an external actor, thus A cannot

start a protocol session with E. Information known by the intruder come from
what (s)he is able to steal from the traffic or from a prior knowledge. The
attacker can operate in PASSIVE or ACTIVE mode. This operation mode can
 Towards ASM-Based Automated Formal Verification of Security Protocols 27

be selected by the monitored function chosenMode and the same protocol can
be analysed in the two passive/active intruder scenarios.
enum domain Modality = {ACTIVE | PASSIVE}
monitored chosenMode: Modality
controlled mode: Modality

In PASSIVE mode, agentE can view all the messages of the communication
between agentA and agentB, save all information transmitted in clear and
those contained in message payloads that (s)he is able to decrypt. In ACTIVE
mode, agentE operates under the Dolev-Yao assumption and controls the
traffic: besides the capabilities as passive attacker, (s)he can craft messages
by using information stolen (from messages sent by agentA or agentB) and
send fake messages (consistent with the protocol rules).
For each message type, the intruder has rules for working in passive or active
mode. Rules r message eavesdrop model the intruder operating as passive
attacker; rules r message craft model the intruder operating as external active
actor and as protocol actor with malicious behavior (in both cases, (s)he is able
to craft new messages).
Unlike agentA and agentB, agentE has no internalState and does not
work according to a control-state ASM. His/her behaviour depends on what (s)he
views in the traffic. As the other agents, agentE has a knowledge (knownSimmKey,
knownAsimPrivKey, knownAsimPubKey, knownPayload) that can be exploited to
steal information or craft fake messages. To endow the intruder with a prior
knowledge, it is enough to set initial values for the knowledge functions.

Fig. 2. ASM models of protocols SSL and NSPK

28 C. Braghin et al.

3.2 NSPK and SSL Models

Figure 2 reports the high level ASM models of the two case studies by using
predefined domains and functions of the library CryptoLibrary and instantiat-
ing domains when required. The two models have the same structure: each one
is a multi-agent ASM with programs for honest actors agentA and agentB –
according to the actor’s role in the protocol–, and for the attacker agentE; each
honest actor has a rule for each kind of protocol message (s)he has to build, plus
the final B’s rule for the final message check; the attacker has rules to handle
all possible behaviours (as eavesdropper and as message crafter) as described
before. Call rules definitions differ depending to the protocol.
Code 4 shows, as an example, an excerpt of the rule r message CSNK of
protocol SSL, in the case of A talking with B. The rule is executed by agentA
when she is in (internal) state WAITING NK and receives a message of label NK
(step M2): she can decrypt the message and sends a message of label CSNK, which
is encrypted by the symmetric key between herself and the expected receiver
agentB; the message has two payload sections: one of label CERT, which has
payload CA, and one of label SIGN NONCE, which has the same payload (i.e., NB)
of the previously sent message having label NK and payload section NONCE, signed
by the private actor’s key PRIVKA.
rule r message CSNK=
let (e=agentE) in
if (internalStateA(self)=WAITING NK and protocolMessage(e,self)=NK) then
if (receiver=agentB) then
if (decrypt sim(NK,{NONCE},e,self)=true) then
par
protocolMessage(self,e):= CSNK
payload(CSNK,CERT,self,e):= {CA}
payload(CSNK,SIGN NONCE,self,e ):= payload(NK,NONCE,e,self)
sign(CSNK,SIGN NONCE,self,e):= PRIVKA
encrypt sim(CSNK,{CERT,SIGN NONCE},self,e):= sim keyAssociation(self,receiver)
internalStateA(self):= END A
endpar
endif
..... endif endlet

Code 4. An excerpt of a rule of actor agentA in SSL protocol

3.3 Security Properties Schema

In this section, we introduce schema also for specifying in CTL formulas the
security goals of a protocol in terms of the CIA triad.
Confidentiality. In communication protocols, encryption is used to obtain data
confidentiality: only actors with correct decryption keys are able to access data.
Let x be a given exchanged data, confidentiality of x is assured by proving
that there is not a state in the future in which E knows x:
¬EF ( contains(knownPayload(agentE), x))

Therefore, the confidentiality of the nonce NB in the protocol NSPK is:

 Towards ASM-Based Automated Formal Verification of Security Protocols 29

¬EF ( contains(knownPayload(agentE), NB))

This property is false in the NSPK protocol. Code 5 shows a scenario of the
NSPK protocol model, which reflects the counterexample reported by the model
checker: if agentA initiates a protocol run with agentB under the Dolev-Yao
assumption of an active attacher agentE (the set command is used to assign
specific values to monitored functions) controlling the traffic, upon a certain
number (not reported here) of machine steps (the command step forces a step
of the ASM execution), the protocol run ends with both agents agentA and
agentB successfully completing the protocol, but also with the shared secret NB
known by the attacker (the check command is used to inspect location values
in the current state of the underlying ASM).
Note that if message M2 is patched using message {NA , NB , B}KA , the prop-
erty holds.
scenario NB interception
load NS/NS.asm

set chosenReceiver:=agentE;
set chosenMode:=ACTIVE;
step
check internalStateA(agentA)=IDLE A and internalStateB(agentB)=WAITING NAK;
step
check internalStateA(agentA)=WAITING NNK and
internalStateB(agentB)=WAITING NAK and protocolMessage(agentA,agentE)= NAK
and payload(NAK,NONCE ID,agentA,agentE)={NA,ID A} and
encrypt asim(NAK,{NONCE ID},agentA,agentE)=PUBKE;
step
.....
step
check internalStateA(agentA)=END A and internalStateB(agentB)=END B;
check contains(knownPayload(agentE),NB);

Code 5. Scenario from the counterexample of the false confidentiality property

Integrity. Exchanged message has not been altered. Thus, a message can be
considered integral when the payload sent is the same as the payload received.
Let m be a message exchanged. Integrity of m is assured by proving that
there is not a state in the future in which E altered the payload section sec of the
message m:
¬EF ( payload(m,sec,agentA,agentE)=payload(m,sec,agentE,agentB))

In none of the two protocols there is integrity violation, since there are two sep-
arate sessions and the attacker does not modify any message along the channel.
Authentication. A principal proves his/her identity by demonstrating knowl-
edge of a secret (not necessarily shared) and of an information that varies over
time (to avoid replay attacks), without explicitly revealing the secret.
Let x be a secret that must be shared by the two actors at the end of the
protocol execution. Authentication of entity x is assured by proving that if there
is a state in the future in which A and B know x, then E does not know x.
EF ( contains(knownPayload(agentB), x) and contains(knownPayload(agentA), x)) →
AG( ¬(contains(knownPayload(agentE), x)))
30 C. Braghin et al.

The authentication of the secret nonce NB in the protocol SSL is:

EF ( contains(knownPayload(agentB), NB) and contains(knownPayload(agentA), NB)) →
AG( ¬(contains(knownPayload(agentE), NB)))

This property does not hold; if message M3 is patched using the message
{CA , {A, B, KAB , NB }K −1 }KAB , the property is true.
A

4 Related Work

After the seminal paper on BAN logic [15] introducing one of the first formalisms
designed to reason about protocols, many techniques and tools have been pro-
posed for verifying protocols.
Tamarin [26] is a well-known tool dedicated to the formal analysis of secu-
rity protocols. It has been used to verify complex protocols such as TLS, 5G, or
RFID protocols. It uses its own modelling language to specify protocols, adver-
sary models and security properties. For the verification process, it is based on
deduction and equational reasoning. However, one of its drawback is its lack of
full automation: for many protocols, the user needs to write intermediate lem-
mas (called sources lemmas), or to manually guide the proof search. In [16],
the authors propose a technique to automatically generate sources lemmas that
works for simple protocols, but still needs user interaction in case of large proto-
cols. Scyther [17] is somehow an extension of Tamarin, with a more accessible
and explicit modelling language by means of a graphical user interface.
ProVerif [11] uses applied pi-calculus [27] as modelling language, and a reso-
lution algorithm on Horn clauses for the verification. It may need human inter-
vention when a protocol proof fails because of some internal approximations, or
it may find false attacks. However, it can verify protocols without arbitrarily
bounding the number of executed protocol sessions or the message size.
Verifpal [24] is a more recent framework inspired by ProVerif. As us, the
authors recognise that the limited usage of formal methods is mainly due to
the fact that the languages employed by most tools is too difficult and abstract.
Verifpal uses a simple modelling language similar to the usual protocol notation
that we introduced in Sect. 2.1 at the cost of some compromises in analysis
completeness. For more sound proofs, translation of models in ProVerif and
Coq [10] are possible. The tool’s internal logic relies on the deconstruction and
reconstruction of abstract terms, similar to existing symbolic verification tools.
AVISPA (Automated Validation of Internet Security Protocols and Appli-
cations) [5] is a platform that groups several tools, using different verification
techniques. It uses HLPSL (High-Level Protocol Specification Language) as pro-
tocol description language. The HLPSL model is then translated in an interme-
diate model, that is given as input to four tools: SATMC (SAT-based Model-
Checker) [6] for a bounded state space, CL-AtSe and OFMC for a bounded
number of sessions, TA4SP for an unbounded number of sessions.
The use of ASMs to model security protocols has been tackled in the past.
However, most of the works are rather outdated and they consist on a single case
Another random document with
no related content on Scribd:
 et nos ad tuas nuptias
vocatus rex suscipias.’

The manuscript ends, so far as the Feast of the Circumcision is

concerned, with some Versus ad Prandium, to be sung in the
refectory, taken from a hymn of Prudentius[1007].
The Sens Missel des Fous has been described again and again.
Less well known, however, is the very similar Officium of Beauvais,
and for the simple reason that although recent writers on the Feast
of Fools have been aware of its existence, they have not been aware
of its habitat. I have been fortunate enough to find it in the British
Museum, and only regret that I am not sufficiently acquainted with
textual and musical palaeography to print it in extenso as an
appendix to this chapter[1008]. The date of the manuscript is probably
1227-34[1009]. Like that of Sens it contains the Propria for the Feast
of the Circumcision from Vespers to Vespers. Unluckily, there is a
lacuna of several pages in the middle[1010]. The office resembles
that of Sens in general character, but is much longer. There are two
lines of opening rubric, of which all that remains legible is ... medio
stantes incipit cantor. Then comes the quatrain Lux hodie similarly
used at Sens, but with the notable variant of praesentia festa for
asinaria festa. Then, under the rubric, also barely legible, Conductus,
quando asinus adducitur[1011], comes the ‘Prose of the Ass.’ At the
end of Lauds is the following rubric: Postea omnes eant ante ianuas
ecclesiae clausas. Et quatuor stent foris tenentes singli urnas vino
plenas cum cyfis vitreis. Quorum unus canonicus incipiat Kalendas
Ianuarias. Tunc aperiantur ianuae. Here comes the lacuna in the
manuscript, which begins again in the Mass. Shortly before the
prayer for the pope is a rubric Quod dicitur, ubi apponatur baculus,
which appears to be a direction for a ceremony not fully described in
the Officium. The ‘Prose of the Ass’ occurs a second time as the
Conductus Subdiaconi ad Epistolam, and on this occasion the
musical accompaniment is harmonized in three parts[1012]. I can find
nothing about a Bacularius at second Vespers, but the office ends
with a series of conductus and hymns, some of which are also
harmonized in parts. The Officium is followed in the manuscript by a
Latin cloister play of Daniel[1013].
An earlier manuscript than that just described was formerly
preserved in the Beauvais cathedral library. It dated from 1160-
80[1014]. It was known to Pierre Louvet, the seventeenth-century
historian of Beauvais[1015], and apparently to Dom Grenier, who died
in 1789[1016]. According to Grenier’s account it must have closely
resembled that in the British Museum.
‘Aux premières vêpres, le chantre commençait par entonner au
milieu de la nef: Lux hodie, lux laetitiae, etc.... À laudes rien de
particulier que le Benedictus et son répons farcis. Les laudes finies
on sortait de l’église pour aller trouver l’âne qui attendait à la grande
porte. Elle était fermée. Là, chacun des chanoines s’y trouvant la
bouteille et le verre à la main, le chantre entonnait la prose:
Kalendas ianuarias solemne Christe facias. Voici ce que porte
l’ancien cérémonial: dominus cantor et canonici ante ianuas
ecclesiae clausas stent foris tenentes singuli urnas vini plenas cum
cyfis vitreis, quorum unus cantor incipiat: Kalendas ianuarias, etc.
Les battants de la porte ouverts, on introduisait l’âne dans l’église,
en chantant la prose: Orientis partibus. Ici est une lacune dans le
manuscrit jusque vers le milieu du Gloria in excelsis.... On chantait la
litanie: Christus vincit, Christus regnat, dans laquelle on priait pour le
pape Alexandre III, pour Henri de France, évêque de Beauvais, pour
le roi Louis VII et pour Alixe ou Adèle de Champagne qui était
devenue reine en 1160; par quoi on peut juger de l’antiquité de ce
cérémonial. L’Évangile était précédé d’une prose et suivi d’une autre.
Il est marqué dans le cérémonial de cinq cents ans que les
encensements du jour de cette fête se feront avec le boudin et la
saucisse: hac die incensabitur cum boudino et saucita.’
Dom Grenier gives as the authority for his last sentence, not the
Officium, but the Glossary of Ducange, or rather the additions
thereto made by certain Benedictine editors in 1733-6. They quote
the pudding and sausage rubric together with that as to the drinking-
bout, which occurs in both the Officia, as from a Beauvais
manuscript. This they describe as a codex ann. circiter 500[1017]. It
seems probable that this was not an Officium at all, but something of
the nature of a Processional, and that it was identical with the codex
500 annorum from which the same Benedictines derived their
amazing account of a Beauvais ceremony which took place not on
January 1 but on January 14[1018]. A pretty girl, with a child in her
arms, was set upon an ass, to represent the Flight into Egypt. There
was a procession from the cathedral to the church of St. Stephen.
The ass and its riders were stationed on the gospel side of the altar.
A solemn mass was sung, in which Introit, Kyrie, Gloria and Credo
ended with a bray. To crown all, the rubrics direct that the celebrant,
instead of saying Ite, missa est, shall bray three times (ter
hinhannabit) and that the people shall respond in similar fashion. At
this ceremony also the ‘Prose of the Ass’ was used, and the version
preserved in the Glossary is longer and more ludicrous than that of
either the Sens or the Beauvais Officium.
On a review of all the facts it would seem that the Beauvais
documents represent a stage of the feast unaffected by any such
reform as that carried out by Pierre de Corbeil at Sens. And the
nature of that reform is fairly clear. Pierre de Corbeil provided a text
of the Officium based either on that of Beauvais or on an earlier
version already existing at Sens. He probably added very little of his
own, for the Sens manuscript only contains a few short passages not
to be found in that of Beauvais. And as the twelfth-century Beauvais
manuscript seems to have closely resembled the thirteenth-century
one still extant, Beauvais cannot well have borrowed from him. At
the same time he doubtless suppressed whatever burlesque
ceremonies, similar to the Beauvais drinking-bout in the porch and
censing with pudding and sausage, may have been in use at Sens.
One of these was possibly the actual introduction of an ass into the
church. But it must be remembered that the most extravagant of
such ceremonies would not be likely at either place to get into the
formal service-books[1019]. As the Sens Officium only includes the
actual service of January 1 itself, it is impossible to compare the way
in which the semi-dramatic extension of the feast was treated in the
two neighbouring cathedrals. But Sens probably had this extension,
for as late as 1634 there was an annual procession, in which the
leading figures were the Virgin Mary mounted on an ass and a
cortège of the twelve Apostles. This did not, however, at that time
take part in the Mass[1020].
The full records of the Feast of Fools at Sens do not begin until
the best part of a century after the probable date of its Officium. But
one isolated notice breaks the interval, and shows that the efforts of
Pierre de Corbeil were not for long successful in purging the revel of
its abuses. This is a letter written to the chapter in 1245 by Odo,
cardinal of Tusculum, who was then papal legate in France. He calls
attention to the antiqua ludibria of the feasts of Christmas week and
of the Circumcision, and requires these to be celebrated, not iuxta
pristinum modum, but with the proper ecclesiastical ceremonies. He
specifically reprobates the use of unclerical dress and the wearing of
wreaths of flowers[1021].
A little later in date than either the Sens or the Beauvais Officium
is a Ritual of St. Omer, which throws some light on the Feast of
Fools as it was celebrated in the northern town on the day of the
Circumcision about 1264. It was the feast of the vicars and the choir.
A ‘bishop’ and a ‘dean’ of Fools took part in the services. The latter
was censed in burlesque fashion, and the whole office was recited at
the pitch of the voice, and even with howls. There cannot have been
much of a reformation here[1022].
A few other scattered notices of thirteenth-century Feasts of
Fools may be gathered together. The Roman de Renard is witness
to the existence of such a feast, with jeux and tippling, at Bayeux,
about 1200[1023]. At Autun, the chapter forbade the baculus anni
novi in 1230[1024]. Feasts of Fools on Innocents’ and New Year’s
days are forbidden by the statutes of Nevers cathedral in 1246[1025].
At Romans, in Dauphiné, an agreement was come to in 1274
between the chapter, the archbishop of Vienne and the municipal
authorities, that the choice of an abbot by the cathedral clerks known
as esclaffardi should cease, on account of the disturbances and
scandals to which it had given rise[1026]. The earliest mention of the
feast at Laon is about 1280[1027]; while it is provided for as the sub-
deacons’ feast by an Amiens Ordinarium of 1291[1028]. Nor are the
ecclesiastical writers oblivious of it. William of Auxerre opens an era
of learned speculation in his De Officiis Ecclesiasticis, by explaining
it as a Christian substitute for the Parentalia of the pagans[1029].
Towards the end of the century, Durandus, bishop of Mende, who
drew upon both William of Auxerre and Belethus for his Rationale
Divinorum Officiorum, gave an account of it which agrees closely
with that of Belethus[1030]. Neither William of Auxerre nor Durandus
shows himself hostile to the Feast of Fools. Its abuses are, however,
condemned in more than one contemporary collection of
sermons[1031].
With the fourteenth century the records of the Feast of Fools
become more frequent. In particular, the account-books of the
chapter of Sens throw some light on the organization of the feast in
that cathedral[1032]. The Compotus Camerarii has, from 1345
onwards, a yearly entry pro vino praesentato vicariis ecclesiae die
Circumcisionis Domini. Sometimes the formula is varied to die festi
fatuorum. In course of time the whole expenses of the feast come to
be a charge on the chapter, and in particular, it would appear, upon
the sub-deacon canons[1033]. In 1376 is mentioned, for the first time,
the dominus festi, to whom under the title of precentor et provisor
festi stultorum a payment is made. The Compotus Nemorum shows
that by 1374 a prebend in the chapter woods had been appropriated
to the vicars pro festo fatuorum. Similar entries occur to the end of
the fourteenth century and during the first quarter of the
fifteenth[1034]. Then came the war to disturb everything, and from
1420 the account-books rarely show any traces of the feast. Nor
were civil commotions alone against it. As in the twelfth and
thirteenth centuries, so in the fourteenth and fifteenth the abuses
which clung about the Feasts of Fools rendered them everywhere a
mark for the eloquence of ecclesiastical reformers. About 1400 the
famous theologian and rector of Paris University, Jean-Charlier de
Gerson, put himself at the head of a crusade against the ritus ille
impiissimus et insanus qui regnat per totam Franciam, and
denounced it roundly in sermons and conclusiones. The indecencies
of the feast, he declares, would shame a kitchen or a tavern. The
chapters will do nothing to stop them, and if the bishops protest, they
are flouted and defied. The scandal can only be ended by the
interposition of royal authority[1035]. According to Gerson, Charles
the Sixth did on one occasion issue letters against the feast; and the
view of the reformers found support in the diocesan council of
Langres in 1404[1036], and the provincial council of Tours, held at
Nantes in 1431[1037]. It was a more serious matter when, some
years after Gerson’s death, the great council of Basle included a
prohibition of the feast in its reformatory decrees of 1435[1038]. By
the Pragmatic Sanction issued by Charles VII at the national council
of Bourges in 1438, these decrees became ecclesiastical law in
France[1039], and it was competent for the Parlements to put them
into execution[1040]. But the chapters were obstinate; the feasts were
popular, not only with the inferior clergy themselves, but with the
spectacle-loving bourgeois of the cathedral towns; and it was only
gradually that they died out during the course of the next century and
a half. The failure of the Pragmatic Sanction to secure immediate
obedience in this matter roused the University of Paris, still
possessed with the spirit of Gerson, to fresh action. On March 12,
1445, the Faculty of Theology, acting through its dean, Eustace de
Mesnil, addressed to the bishops and chapters of France a letter
which, from the minuteness of its indictment, is perhaps the most
curious of the many curious documents concerning the feast[1041]. It
consists of a preamble and no less than fourteen conclusiones,
some of which are further complicated by qualificationes. The
preamble sets forth the facts concerning the festum fatuorum. It has
its clear origin, say the theologians, in the rites of paganism,
amongst which this Janus-worship of the Kalends has alone been
allowed to survive. They then describe the customs of the feast in a
passage which I must translate:
‘Priests and clerks may be seen wearing masks and monstrous
visages at the hours of office. They dance in the choir dressed as
women, panders or minstrels. They sing wanton songs. They eat
black puddings at the horn of the altar while the celebrant is saying
mass. They play at dice there. They cense with stinking smoke from
the soles of old shoes. They run and leap through the church,
without a blush at their own shame. Finally they drive about the town
and its theatres in shabby traps and carts, and rouse the laughter of
their fellows and the bystanders in infamous performances, with
indecent gestures and verses scurrilous and unchaste[1042].’
There follows a refutation of the argument that such ludi are but
the relaxation of the bent bow in a fashion sanctioned by antiquity.
On the contrary, they are due to original sin, and the snares of devils.
The bishops are besought to follow the example of St. Paul and St.
Augustine, of bishops Martin, Hilarius, Chrysostom, Nicholas and
Germanus of Auxerre, all of whom made war on sacrilegious
practices, not to speak of the canons of popes and general councils,
and to stamp out the ludibria. It rests with them, for the clergy will not
be so besotted as to face the Inquisition and the secular arm[1043].
The conclusiones thus introduced yield a few further data as to
the ceremonies of the feast. It seems to be indifferently called festum
stultorum and festum fatuorum. It takes place in cathedrals and
collegiate churches, on Innocents’ day, on St. Stephen’s, on the
Circumcision, or on other dates. ‘Bishops’ or ‘archbishops’ of Fools
are chosen, who wear mitres and pastoral staffs, and have crosses
borne before them, as if they were on visitation. They take the Office,
and give Benedictions to the readers of the lessons at Matins, and to
the congregations. In exempt churches, subject only to the Holy See,
a ‘pope’ of Fools is naturally chosen instead of a ‘bishop’ or an
‘archbishop.’ The clergy wear the garments of the laity or of fools,
and the laity put on priestly or monastic robes. Ludi theatrales and
personagiorum ludi are performed.
The manifesto of the Theological Faculty helped in at least one
town to bring matters to a crisis. At Troyes the Feast of Fools
appears to have been celebrated on the Circumcision in the three
great collegiate churches of St. Peter, St. Stephen, and St. Urban,
and on Epiphany in the abbey of St. Loup. The earliest records are
from St. Peter’s. In 1372 the chapter forbade the vicars to celebrate
the feast without leave. In 1380 and 1381 there are significant
entries of payments for damage done: in the former year Marie-la-
Folle broke a candelabrum; in the latter a cross had to be repaired
and gilded. In 1436, the year after the council of Basle, leave was
given to hold the feast without irreverence. In 1439, the year after the
Pragmatic Sanction, it was forbidden. In 1443, it was again
permitted. But it must be outside the church. The ‘archbishop’ might
wear a rochet, but the supper must take place in the house of one of
the canons, and not at a tavern. The experiment was not altogether
a success, for a canon had to be fined twenty sous pour les grandes
sottises et les gestes extravagants qu’il s’était permis à la fête des
fols[1044]. Towards the end of 1444, when it was proposed to renew
the feast, the bishop of Troyes, Jean Leguisé, intervened. The clergy
of St. Peter’s were apparently willing to submit, but those of St.
Stephen’s stood out. They told the bishop that they were exempt
from his jurisdiction, and subject only to his metropolitan, the
archbishop of Sens; and they held an elaborate revel with even more
than the usual insolence and riot. On the Sunday before Christmas
they publicly consecrated their ‘archbishop’ in the most public place
of the town with a jeu de personnages called le jeu du sacre de leur
arcevesque, which was a burlesque of the saint mistère de
consécration pontificale. The feast itself took place in St. Stephen’s
Church. The vicar who was chosen ‘archbishop’ performed the
service on the eve and day of the Circumcision in pontificalibus,
gave the Benediction to the people, and went in procession through
the town. Finally, on Sunday, January 3, the clergy of all three
churches joined in another jeu de personnages, in which, under the
names of Hypocrisie, Faintise and Faux-semblant, the bishop and
two canons who had been most active in opposing the feast, were
held up to ridicule. Jean Leguisé was not a man to be defied with
impunity. On January 23 he wrote a letter to the archbishop of Sens,
Louis de Melun, calling his attention to the fact that the rebellious
clerks had claimed his authority for their action. He also lodged a
complaint with the king himself, and probably incited the Faculty of
Theology at Paris to back him up with the protest already described.
The upshot of it all was a sharp letter from Charles VII to the bailly
and prévost of Troyes, setting forth what had taken place, and
requiring them to see that no repetition of the scandalous jeux was
allowed[1045]. Shortly afterwards the chapter of St. Peter’s sent for
their Ordinarium, and solemnly erased all that was derogatory to
religion and the good name of the clergy in the directions for the
feast. What the chapter of St. Stephen’s did, we do not know. The
canons mainly to blame had already apologized to the bishop.
Probably it was thought best to say nothing, and let it blow over. At
any rate, it is interesting to note that in 1595, a century and a half
later, St. Stephen’s was still electing its archevesque des saulx, and
that droits were paid on account of the vicars’ feast until all droits
tumbled in 1789[1046].
The proceedings at Troyes seem to have reacted upon the feast
at Sens. In December, 1444, the chapter had issued an elaborate
order for the regulation of the ceremony, in which they somewhat
pointedly avoided any reference to the council of Basle or the
Pragmatic Sanction, and cited only the legatine statute of Odo of
Tusculum in 1245. The order requires that divine service shall be
devoutly and decently performed, prout iacet in libro ipsius servitii.
By this is doubtless meant the Officium already described. There
must be no mockery or impropriety, no unclerical costume, no
dissonant singing. Then comes what, considering that this is a
reform, appears a sufficiently remarkable direction. Not more than
three buckets of water at most must be poured over the precentor
stultorum at Vespers. The custom of ducking on St. John’s eve,
apparently the occasion when the precentor was elected, is also
pruned, and a final clause provides that if nobody’s rights are
infringed the stulti may do what they like outside the church[1047].
Under these straitened conditions the feast was probably held in
1445. There was, however, the archbishop as well as the chapter to
be reckoned with. It was difficult for Louis de Melun, after the direct
appeal made to him by his suffragan at Troyes, to avoid taking some
action, and in certain statutes promulgated in November, 1445, he
required the suppression of the whole consuetudo and ordered the
directions for it to be erased from the chant-books[1048]. There is
now no mention of the feast until 1486, from which date an
occasional payment for la feste du premier jour de l’an begins to
appear again in the chapter account-books[1049]. In 1511, the
servitium divinum after the old custom is back in the church. But the
chapter draws a distinction between the servitium and the festum
stultorum, which is forbidden. The performance of jeux de
personnages and the public shaving of the precentor’s beard on a
stage are especially reprobated[1050]. The servitium was again
allowed in 1514, 1516, 1517, and in 1520 with a provision that the
lucerna precentoris fatuorum must not be brought into the
church[1051]. In 1522, both servitium and festum were forbidden on
account of the war with Spain; the shaving of the precentor and the
ceremony of his election on the feast of St. John the Evangelist
again coming in for express prohibition[1052]. In 1523 the servitium
was allowed upon a protest by the vicars, but only with the strict
exclusion of the popular elements[1053]. In 1524 even the servitium
was withheld, and though sanctioned again in 1535, 1539 and 1543,
it was finally suppressed in 1547[1054]. Some feast, however, would
still seem to have been held, probably outside the church, until
1614[1055], and even as late as 1634 there was a trace of it in the
annual procession of the Virgin Mary and the Apostles, already
referred to.
This later history of the feast at Sens is fairly typical, as the
following chapter will show, of what took place all over France. The
chapters by no means showed themselves universally willing to
submit to the decree promulgated in the Pragmatic Sanction. In
many of them the struggle between the conservative and the
reforming parties was spread over a number of years. Councils,
national, provincial and diocesan, continued to find it necessary to
condemn the feast, mentioning it either by name or in a common
category with other ludi, spectacula, choreae, tripudia and
larvationes[1056]. In one or two instances the authority of the
Parlements was invoked. But in the majority of cases the feast either
gradually disappeared, or else passed, first from the churches into
the streets, and then from the clerks to the bourgeois, often to
receive a new life under quite altered circumstances at the hands of
some witty and popular compagnie des fous[1057].
 CHAPTER XIV
THE FEAST OF FOOLS (continued)

The history of the Feast of Fools has been so imperfectly written,

that it is perhaps worth while to bring together the records of its
occurrence, elsewhere than in Troyes and Sens, from the fourteenth
century onwards. They could probably be somewhat increased by an
exhaustive research amongst French local histories, archives, and
the transactions of learned societies. Of the feast in Notre-Dame at
Paris nothing is heard after the reformation carried out in 1198 by
Eudes de Sully[1058]. The bourgeois of Tournai were, indeed, able to
quote a Paris precedent for the feast of their own city in 1499; but
this may have been merely the feast of some minor collegiate body,
such as that founded in 1303 by cardinal Le Moine[1059]; or of the
scholars of the University, or of the compagnie joyeuse of the
Enfants-sans-Souci. At Beauvais, too, there are only the faintest
traces of the feast outside the actual twelfth-and thirteenth-century
service-books[1060]. But there are several other towns in the
provinces immediately north and east of the capital, Île de France,
Picardy, Champagne, where it is recorded. The provision made for it
in the Amiens Ordinarium of 1291 has been already quoted. Shortly
after this, bishop William de Macon, who died in 1303, left his own
pontificalia for the use of the ‘bishop of Fools[1061].’ When, however,
the feast reappears in the fifteenth century the dominus festi is no
longer a ‘bishop,’ but a ‘pope.’ In 1438 there was an endowment
consisting of a share in the profits of some lead left by one John le
Caron, who had himself been ‘pope[1062].’ In 1520 the feast was
held, but no bells were to be jangled[1063]. It was repeated in 1538.
Later in the year the customary election of the ‘pope’ on the
anniversary of Easter was forbidden, but the canons afterwards
repented of their severity[1064]. In 1540 the chapter paid a subsidy
towards the amusements of the ‘pope’ and his ‘cardinals’ on the
Sunday called brioris[1065]. In 1548 the feast was suppressed[1066].
At Noyon the vicars chose a ‘king of Fools’ on Epiphany eve. The
custom is mentioned in 1366 as ‘le gieu des roys.’ By 1419 it was
forbidden, and canon John de Gribauval was punished for an
attempt to renew it by taking the sceptre off the high altar at
Compline on Epiphany. In 1497, 1499, and 1505 it was permitted
again, with certain restrictions. The cavalcade must be over before
Nones; there must be no licentious or scurrilous chansons, no dance
before the great doors; the ‘king’ must wear ecclesiastical dress in
the choir. In 1520, however, he was allowed to wear his crown more
antiquo. The feast finally perished in 1721, owing to la cherté des
vivres[1067]. At Soissons, the feast was held on January 1, with
masquing[1068]. At Senlis, the dominus festi was a ‘pope.’ In 1403
there was much division of opinion amongst the chapter as to the
continuance of the feast, and it was finally decided that it must take
place outside the church. In 1523 it came to an end. The vicars of
the chapter of Saint-Rieul had in 1501 their separate feast on
January 1, with a ‘prelate of Fools’ and jeux in the churchyard[1069].
From Laon fuller records are available[1070]. A ‘patriarch of Fools’
was chosen with his ‘consorts’ on Epiphany eve after Prime, by the
vicars, chaplains and choir-clerks. There was a cavalcade through
the city and a procession called the Rabardiaux, of which the nature
is not stated[1071]. The chapter bore the expenses of the banquet
and the masks. The first notice is about 1280. In 1307 one Pierre
Caput was ‘patriarch.’ In 1454 the bishop upheld the feast against
the dean, but it was decided that it should take place outside the
church. A similar regulation was made in 1455, 1456, 1459. In 1462
the servitium was allowed, and the jeu was to be submitted to
censorship. In 1464 and 1465 mysteries were acted before the
Rabardiaux. In 1486 the jeu was given before the church of St.-
Martin-au-Parvis. In 1490 the jeux and cavalcade were forbidden,
and the banquet only allowed. In 1500 a chaplain, Jean Hubreland,
was fined for not taking part in the ceremony. In 1518 the worse fate
of imprisonment befell Albert Gosselin, another chaplain, who flung
fire from above the porch upon the ‘patriarch’ and his ‘consorts.’ By
1521 the servitium seems to have been conducted by the curés of
the Laon churches, and the vicars and chaplains merely assisted.
The expense now fell on the curés, and the chapter subsidy was cut
down. In 1522 and 1525 the perquisites of the ‘patriarch’ were still
further reduced by the refusal of a donation from the chapter as well
as of the fines formerly imposed on absentees. In 1527 a protest of
Laurent Brayart, ‘patriarch,’ demanding either leave to celebrate the
feast more antiquo or a dispensation from assisting at the election of
his successor, was referred to the ex-‘patriarch.’ In this same year
canons, vicars, chaplains and habitués of the cathedral were
forbidden to appear at the farces of the fête des ânes[1072]. In 1531
the ‘patriarch’ Théobald Bucquet, recovered the right to play
comedies and jeux and to take the absentee fines; but in 1541
Absalon Bourgeois was refused leave pour faire semblant de dire la
messe à liesse. The feast was cut down to the bare election of the
‘patriarch’ in 1560, and seems to have passed into the hands of a
confrérie; all that was retained in the cathedral being the Primes
folles on Epiphany eve, in which the laity occupied the high stalls,
and all present wore crowns of green leaves.
At Rheims, a Feast of Fools in 1490 was the occasion for a
satirical attack by the vicars and choir-boys on the fashion of the
hoods worn by the bourgeoises. This led to reprisals in the form of
some anti-ecclesiastical farces played on the following dimanche des
Brandons by the law clerks of the Rheims Basoche[1073]. At
Châlons-sur-Marne a detailed and curious account is preserved of
the way in which the Feast of Fools was celebrated in 1570[1074]. It
took place on St. Stephen’s day. The chapter provided a banquet on
a theatre in front of the great porch. To this the ‘bishop of Fools’ was
conducted in procession from the maîtrise des fous, with bells and
music upon a gaily trapped ass. He was then vested in cope, mitre,
pectoral cross, gloves and crozier, and enjoyed a banquet with the
canons who formed his ‘household.’ Meanwhile some of the inferior
clergy entered the cathedral, sang gibberish, grimaced and made
contortions. After the banquet, Vespers were precipitately sung,
followed by a motet[1075]. Then came a musical cavalcade round the
cathedral and through the streets. A game of la paume took place in
the market; then dancing and further cavalcades. Finally a band
gathered before the cathedral, howled and clanged kettles and
saucepans, while the bells were rung and the clergy appeared in
grotesque costumes.
Flanders also had its Feasts of Fools. That of St. Omer, which
existed in the twelfth century, lasted to the sixteenth[1076]. An
attempt was made to stop it in 1407, when the chapter forbade any
one to take the name of ‘bishop’ or ‘abbot’ of Fools. But Seraphin
Cotinet was ‘bishop’ of Fools in 1431, and led the gaude on St.
Nicholas’ eve[1077]. The ‘bishop’ is again mentioned in 1490, but in
1515 the feast was suppressed by Francis de Melun, bishop of Arras
and provost of St. Omer[1078]. Some payments made by the chapter
of Béthune in 1445 and 1474 leave it doubtful how far the feast was
really established in that cathedral[1079]. At Lille the feast was
forbidden by the chapter statutes of 1323 and 1328[1080]. But at the
end of the fourteenth century it was in full swing, lasting under its
‘bishop’ or ‘prelate’ from the vigil to the octave of Epiphany. Amongst
the payments made by the chapter on account of it is one to replace
a tin can (kanne stannee) lost at the banquet. The ‘bishop’ was
chosen, as elsewhere, by the inferior clergy of the cathedral; but he
also stood in some relation to the municipality of Lille, and
superintended the miracle plays performed at the procession of the
Holy Sacrament and upon other occasions. In 1393 he received a
payment from the duke of Burgundy for the fête of the Trois Rois.
Municipal subsidies were paid to him in the fifteenth century; he
collected additional funds from private sources and offered prizes, by
proclamation soubz nostre seel de fatuité, for pageants and histoires
de la Sainte Escripture; was, in fact, a sort of Master of the Revels
for Lille. He was active in 1468, but in 1469 the town itself gave the
prizes, in place de l’evesque des folz, qui à présent est rué jus. The
chapter accounts show that he was reappointed in 1485 hoc anno,
de gratia speciali. In 1492 and 1493 the chapter payments were not
to him but sociis domus clericorum, and from this year onwards he
appears neither in the chapter accounts nor in those of the
municipality[1081]. Nevertheless, he did not yet cease to exist, for a
statute was passed by the chapter for his extinction, together with
that of the ludus, quem Deposuit vocant, in 1531[1082]. Five years
before this the canons and vicars were still wearing masks and
playing comedies in public[1083]. The history of the feast at Tournai is
only known to me through certain legal proceedings which took place
before the Parlement of Paris in 1499. It appears that the young
bourgeois of Tournai were accustomed to require the vicars of Notre-
Dame to choose an évesque des sotz from amongst themselves on
Innocents’ day. In 1489 they took one Matthieu de Porta and insulted
him in the church itself. The chapter brought an action in the local
court against the prévost et jurez of the town; and in the meantime
obtained provisional letters inhibitory from Charles VIII, forbidding
the vicars to hold the feast or the bourgeois to enforce it. All went
well for some years, but in 1497 the bourgeois grumbled greatly, and
in 1498, with the connivance of the municipal authorities themselves,
they broke out. On the eve of the Holy Innocents, between nine and
ten o’clock, Jacques de l’Arcq, mayor of the Edwardeurs, and others
got into the house of Messire Pasquier le Pâme, a chaplain, and
dragged him half naked, through snow and frost, to a cabaret. Seven
or eight other vicars, one of whom was found saying his Hours in a
churchyard, were similarly treated, and as none of them would be
made évesque des sotz they were all kept prisoners. The chapter
protested to the prévost et jurez, but in vain. On the following day the
bourgeois chose one of the vicars évesque, baptized him by
torchlight with three buckets of water at a fountain, led him about for
three days in a surplice, and played scurrilous farces. They then
dismissed the vicar, and elected as évesque a clerk from the diocese
of Cambrai, who defied the chapter. They drove Jean Parisiz, the
curé of La Madeleine, who had displeased them, from his church in
the midst of Vespers, and on Epiphany day made him too a prisoner.
In the following March the chapter and Messire Jean Parisiz brought
a joint action before the High Court at Paris against the delinquents
and the municipal authorities, who had backed them up. The case
came on for hearing in November, when it was pleaded that the
custom of electing an évesque des sotz upon Innocents’ day was an
ancient one. The ceremony took place upon a scaffold near the
church door; there were jeux in the streets for seven or eight days,
and a final convici in which the canons and others of the town were
satirized. The chapter and some of the citizens sent bread and wine.
The same thing was done in many dioceses of Picardy, and even in
Paris. It was all ad solacium populi, and divine service was not
disturbed, for nobody entered the church. The vicar who had been
chosen évesque thought it a great and unexpected honour. There
would have been no trouble had not the évesque when distributing
hoods with ears at the end of the jeux unfortunately included certain
persons who would rather have been left out, and who consequently
stirred up the chapter to take action. The court adjourned the case,
and ultimately it appears to have been settled, for one of the
documents preserved is endorsed with a note of a concordat
between the chapter and the town, by which the feast was abolished
in 1500[1084].
Of the Feast of Fools in central France I can say but little. At
Chartres, the Papi-Fol and his cardinals committed many insolences
during the first four days of the year, and exacted droits from
passers-by. They were suppressed in 1479 and again in 1504[1085].
At Tours a Ritual of the fourteenth century contains elaborate
directions for the festum novi anni, quod non debet remanere, nisi
corpora sint humi. This is clearly a reformed feast, of which the chief
features are the dramatic procession of the Prophetae, including
doubtless Balaam on his ass, in church, and a miraculum in the
cloister[1086]. The ‘Boy Bishop’ gives the benediction at Tierce, and
before Vespers there are chori (carols, I suppose) also in the
cloisters. At Vespers Deposuit is sung three times, and the baculus
may be taken. If so, the thesaurarius is beaten with baculi by the
clergy at Compline, and the new cantor is led home with beating of
baculi on the walls[1087]. At Bourges, the use of the ‘Prose of the
Ass’ in Notre-Dame de Sales seems to imply the existence of the
feast, but I know no details[1088]. At Avallon the dominus festi seems
to have been, as at Laon, a ‘patriarch,’ and to have officiated on
Innocents’ day. A chapter statute regulated the proceedings in 1453,
and another abolished them in 1510[1089]. At Auxerre, full accounts
of a long chapter wrangle are preserved in the register[1090]. It began
in 1395 with an order requiring the decent performance of the
servitium, and imposing a fee upon newly admitted canons towards
the feast. In 1396 the feast was not held, owing to the recent defeat
of Sigismund of Hungary and the count of Nevers by Bajazet and his
Ottomans at Nicopolis[1091]. In 1398 the dean entered a protest
against a grant of wine made by the chapter to the thirsty revellers.
In 1400 a further order was passed to check various abuses, the
excessive ringing of bells, the licence of the sermones fatui, the
impounding of copes in pledge for contributions, the beating of men
and women through the streets, and all derisiones likely to bring
discredit on the church[1092]. In the following January, the bishop of
Auxerre, Michel de Crency, intervened, forbidding the fatui to form a
‘chapter,’ or to appoint ‘proctors,’ or clamare la fête aux fous after the
singing of the Hours in the church. This led to a storm. The bishop
brought an action in the secular court, and the chapter appealed to
the ecclesiastical court of the Sens province. In June, however, it
was agreed as part of a general concordat between the parties, that
all these proceedings should be non avenu[1093]. It seems, however,
to have been understood that the chapter would reform the feast. On
December 2, the abbot of Pontigny preached a sermon before the
chapter in favour of the abolition of the feast, and on the following
day the dean came down and warned the canons that it was the
intention of the University of Paris to take action, even if necessary,
by calling in the secular arm[1094]. It was better to reform themselves
than to be reformed. It was then agreed to suppress the abuses of
the feast, the sermons and the wearing of unecclesiastical garb, and
to hold nothing but a festum subdiaconorum on the day of the
Circumcision. Outside the church, however, the clergy might dance
and promenade (chorizare ... et ... spatiare) on the place of St.
Stephen’s. These regulations were disregarded, on the plea that
they were intended to apply only to the year in which they were
made. In 1407 the chapter declared that they were to be permanent,
but strong opposition was offered to this decision by three canons,
Jean Piqueron, himself a sub-deacon, Jean Bonat, and Jean
Berthome, who maintained that the concordat with the bishop was
for reform, not for abolition. The matter was before the chapter for
the last time, so far as the extant documents go, in 1411. On January
2, the dean reported that in spite of the prohibition certain canonici
tortrarii[1095], chaplains and choir-clerks had held the feast. A
committee of investigation was appointed, and in December the
prohibition was renewed. Jean Piqueron was once more a
protestant, and on this occasion obtained the support of five
colleagues[1096]. It may be added that in the sixteenth century an
abbas stultorum was still annually elected on July 18, beneath a
great elm at the porch of Auxerre cathedral. He was charged with the
maintenance of certain small points of choir discipline[1097].
In Franche Comté and Burgundy, the Feast of Fools is also
found. At Besançon it was celebrated by all the four great churches.
In the cathedrals of St. John and St. Stephen, ‘cardinals’ were
chosen on St. Stephen’s day by the deacons and sub-deacons, on
St. John’s day by the priests, on the Holy Innocents’ day by the
choir-clerks and choir-boys. In the collegiate churches of St. Paul
and St. Mary Magdalen, ‘bishops’ or ‘abbots’ were similarly chosen.
All these domini festorum seem to have had the generic title of rois
des fous, and on the choir-feast four cavalcades went about the
streets and exchanged railleries (se chantaient pouille) when they
met. In 1387 the Statutes of cardinal Thomas of Naples ordered that
the feasts should be held jointly in each church in turn; and in 1518
the cavalcades were suppressed, owing to a conflict upon the bridge
which had a fatal ending. Up to 1710, however, reges were still
elected in St. Mary Magdalen’s; not, indeed, those for the three
feasts of Christmas week, but a rex capellanorum and a rex
canonicorum, who officiated respectively on the Circumcision and on
Epiphany[1098]. At Autun the feast of the baculus in the thirteenth
century has already been recorded. In the fifteenth and sixteenth
centuries some interesting notices are available in the chapter
registers[1099]. In 1411 the feast required reforming. The canons
were ordered to attend in decent clothes as on the Nativity; and the
custom of leading an ass in procession and singing a cantilena
thereon was suppressed[1100]. In 1412 the abolition of the feast was
decreed[1101]. But in 1484 it was sanctioned again, and licence was
given to punish those who failed to put in an appearance at the
Hours by burning at the well[1102]. This custom, however, was
forbidden in 1498[1103]. Nothing more is heard of the asinus, but it is
possible that he figured in the play of Herod which was undoubtedly
performed at the feast, and which gave a name to the dominus
festi[1104]. Under the general name of festa fatuorum was included at
Autun, besides the feast of the Circumcision, also that of the ‘bishop’
and ‘dean’ of Innocents, and a missa fatuorum was sung ex ore
infantium from the Innocents’ day to Epiphany[1105]. In 1499 Jean
Rolin, abbot of St. Martin’s and dean of Autun, led a renewed attack
upon the feast. He had armed himself with a letter from Louis XI, and
induced the chapter, in virtue of the Basle decree, to suppress both
Herod and the ‘bishop’ of Innocents[1106]. In 1514 and 1515 the play
of Herod was performed; but in 1518, when application was made to
the chapter to sanction the election of both a ‘Herod’ and the ‘bishop’
and ‘dean’ of Innocents, they applied to the king’s official for leave,
and failed to get it. Finally in 1535 the chapter recurred to the Basle
decree, and again forbade the feast, particularly specifying under the
name of Gaigizons the obnoxious ceremony of ‘ducking.[1107]’ The
feast held in the ducal, afterwards royal chapel of Dijon yields
documents which are unique, because they are in French verse. The
first is a mandement of Philip the Good, duke of Burgundy, in 1454,
confirming, on the request of the haut-Bâtonnier, the privilege of the
fête, against those who would abolish it. He declares

‘Que cette Fête célébrée

Soit à jamais un jour l’année,
Le premier du mois de Janvier;
Et que joyeux Fous sans dangier,
De l’habit de notre Chapelle,
Fassent la Fête bonne et belle,
Sans outrage ni derision.’

In 1477 Louis XI seized Burgundy, and in 1482 his

representatives, Jean d’Amboise, bishop and duke of Langres,
lieutenant of the duchy, and Baudricourt the governor, accorded to
Guy Baroset

‘Protonotaire et Procureur des Foux,’

a fresh confirmation for the privilege of the feast held by

‘Le Bâtonnier et tous ses vrais suppôts[1108].’

There was a second feast in Dijon at the church of St. Stephen.

In 1494 it was the custom here, as at Sens, to shave the ‘precentor’
of Fools upon a stage before the church. In 1621 the vicars still
paraded the streets with music and lanterns in honour of their
‘precentor[1109].’ In 1552, however, the Feasts of Fools throughout
Burgundy had been prohibited by an arrêt of the Parlement of Dijon.
This was immediately provoked by the desire of the chapter of St.
Vincent’s at Châlons-sur-Saône to end the scandal of the feast
under their jurisdiction. It was, however, general in its terms, and
probably put an end to the Chapelle feast at Dijon, since to about
this period may be traced the origin of the famous compagnie of the
Mère-Folle in that city[1110].
In Dauphiné there was a rex et festum fatuorum at St.
Apollinaire’s in Valence, but I cannot give the date[1111]. At Vienne
the Statutes of St. Maurice, passed in 1385, forbid the abbas
stultorum seu sociorum, but apparently allow rois on the
Circumcision and Epiphany, as well as in the three post-Nativity
feasts. They also forbid certain ludibria. No pasquinades are to be
recited, and no one is to be carried in Rost or to have his property
put in pawn[1112]. More can be said of the feast at Viviers. A
Ceremonial of 1365 contains minute directions for its conduct[1113].
On December 17 the sclafardi et clericuli chose an abbas stultus to
be responsible, as at Auxerre, for the decorum of the choir
throughout the year. He was shouldered and borne to a place of
honour at a drinking-bout. Here even the bishop, if present, must do