diff options
| author | Florian Dold <florian.dold@gmail.com> | 2018-09-01 21:04:24 +0200 |
|---|---|---|
| committer | Florian Dold <florian.dold@gmail.com> | 2018-09-01 21:04:24 +0200 |
| commit | 43e10c3cab7ebd5cd009a6ca8afc56a2e3010569 (patch) | |
| tree | c1ace9b11322d7c4a45006a85b3ead683c0848e4 | |
| parent | 13de6d5da1d6fe2b0462effb72288500719e43d2 (diff) | |
| download | papers-43e10c3cab7ebd5cd009a6ca8afc56a2e3010569.tar.gz papers-43e10c3cab7ebd5cd009a6ca8afc56a2e3010569.tar.bz2 papers-43e10c3cab7ebd5cd009a6ca8afc56a2e3010569.zip | |
fc19
| -rw-r--r-- | taler-fc19/llncs.cls | 1218 | ||||
| -rw-r--r-- | taler-fc19/llncsdoc.pdf | bin | 0 -> 215677 bytes | |||
| -rw-r--r-- | taler-fc19/paper.tex | 1448 | ||||
| -rw-r--r-- | taler-fc19/readme.txt | 19 | ||||
| -rw-r--r-- | taler-fc19/ref.bib | 2424 | ||||
| -rw-r--r-- | taler-fc19/splncs04.bst | 1548 |
6 files changed, 6657 insertions, 0 deletions
diff --git a/taler-fc19/llncs.cls b/taler-fc19/llncs.cls new file mode 100644 index 0000000..06401a9 --- /dev/null +++ b/taler-fc19/llncs.cls @@ -0,0 +1,1218 @@ +% LLNCS DOCUMENT CLASS -- version 2.20 (10-Mar-2018)
+% Springer Verlag LaTeX2e support for Lecture Notes in Computer Science
+%
+%%
+%% \CharacterTable
+%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
+%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
+%% Digits \0\1\2\3\4\5\6\7\8\9
+%% Exclamation \! Double quote \" Hash (number) \#
+%% Dollar \$ Percent \% Ampersand \&
+%% Acute accent \' Left paren \( Right paren \)
+%% Asterisk \* Plus \+ Comma \,
+%% Minus \- Point \. Solidus \/
+%% Colon \: Semicolon \; Less than \<
+%% Equals \= Greater than \> Question mark \?
+%% Commercial at \@ Left bracket \[ Backslash \\
+%% Right bracket \] Circumflex \^ Underscore \_
+%% Grave accent \` Left brace \{ Vertical bar \|
+%% Right brace \} Tilde \~}
+%%
+\NeedsTeXFormat{LaTeX2e}[1995/12/01]
+\ProvidesClass{llncs}[2018/03/10 v2.20
+^^J LaTeX document class for Lecture Notes in Computer Science]
+% Options
+\let\if@envcntreset\iffalse
+\DeclareOption{envcountreset}{\let\if@envcntreset\iftrue}
+\DeclareOption{citeauthoryear}{\let\citeauthoryear=Y}
+\DeclareOption{oribibl}{\let\oribibl=Y}
+\let\if@custvec\iftrue
+\DeclareOption{orivec}{\let\if@custvec\iffalse}
+\let\if@envcntsame\iffalse
+\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue}
+\let\if@envcntsect\iffalse
+\DeclareOption{envcountsect}{\let\if@envcntsect\iftrue}
+\let\if@runhead\iffalse
+\DeclareOption{runningheads}{\let\if@runhead\iftrue}
+
+\let\if@openright\iftrue
+\let\if@openbib\iffalse
+\DeclareOption{openbib}{\let\if@openbib\iftrue}
+
+% languages
+\let\switcht@@therlang\relax
+\def\ds@deutsch{\def\switcht@@therlang{\switcht@deutsch}}
+\def\ds@francais{\def\switcht@@therlang{\switcht@francais}}
+
+\DeclareOption*{\PassOptionsToClass{\CurrentOption}{article}}
+
+\ProcessOptions
+
+\LoadClass[twoside]{article}
+\RequirePackage{multicol} % needed for the list of participants, index
+\RequirePackage{aliascnt}
+
+\setlength{\textwidth}{12.2cm}
+\setlength{\textheight}{19.3cm}
+\renewcommand\@pnumwidth{2em}
+\renewcommand\@tocrmarg{3.5em}
+%
+\def\@dottedtocline#1#2#3#4#5{%
+ \ifnum #1>\c@tocdepth \else
+ \vskip \z@ \@plus.2\p@
+ {\leftskip #2\relax \rightskip \@tocrmarg \advance\rightskip by 0pt plus 2cm
+ \parfillskip -\rightskip \pretolerance=10000
+ \parindent #2\relax\@afterindenttrue
+ \interlinepenalty\@M
+ \leavevmode
+ \@tempdima #3\relax
+ \advance\leftskip \@tempdima \null\nobreak\hskip -\leftskip
+ {#4}\nobreak
+ \leaders\hbox{$\m@th
+ \mkern \@dotsep mu\hbox{.}\mkern \@dotsep
+ mu$}\hfill
+ \nobreak
+ \hb@xt@\@pnumwidth{\hfil\normalfont \normalcolor #5}%
+ \par}%
+ \fi}
+%
+\def\switcht@albion{%
+\def\abstractname{Abstract.}
+\def\ackname{Acknowledgement.}
+\def\andname{and}
+\def\lastandname{\unskip, and}
+\def\appendixname{Appendix}
+\def\chaptername{Chapter}
+\def\claimname{Claim}
+\def\conjecturename{Conjecture}
+\def\contentsname{Table of Contents}
+\def\corollaryname{Corollary}
+\def\definitionname{Definition}
+\def\examplename{Example}
+\def\exercisename{Exercise}
+\def\figurename{Fig.}
+\def\keywordname{{\bf Keywords:}}
+\def\indexname{Index}
+\def\lemmaname{Lemma}
+\def\contriblistname{List of Contributors}
+\def\listfigurename{List of Figures}
+\def\listtablename{List of Tables}
+\def\mailname{{\it Correspondence to\/}:}
+\def\noteaddname{Note added in proof}
+\def\notename{Note}
+\def\partname{Part}
+\def\problemname{Problem}
+\def\proofname{Proof}
+\def\propertyname{Property}
+\def\propositionname{Proposition}
+\def\questionname{Question}
+\def\remarkname{Remark}
+\def\seename{see}
+\def\solutionname{Solution}
+\def\subclassname{{\it Subject Classifications\/}:}
+\def\tablename{Table}
+\def\theoremname{Theorem}}
+\switcht@albion
+% Names of theorem like environments are already defined
+% but must be translated if another language is chosen
+%
+% French section
+\def\switcht@francais{%\typeout{On parle francais.}%
+ \def\abstractname{R\'esum\'e.}%
+ \def\ackname{Remerciements.}%
+ \def\andname{et}%
+ \def\lastandname{ et}%
+ \def\appendixname{Appendice}
+ \def\chaptername{Chapitre}%
+ \def\claimname{Pr\'etention}%
+ \def\conjecturename{Hypoth\`ese}%
+ \def\contentsname{Table des mati\`eres}%
+ \def\corollaryname{Corollaire}%
+ \def\definitionname{D\'efinition}%
+ \def\examplename{Exemple}%
+ \def\exercisename{Exercice}%
+ \def\figurename{Fig.}%
+ \def\keywordname{{\bf Mots-cl\'e:}}
+ \def\indexname{Index}
+ \def\lemmaname{Lemme}%
+ \def\contriblistname{Liste des contributeurs}
+ \def\listfigurename{Liste des figures}%
+ \def\listtablename{Liste des tables}%
+ \def\mailname{{\it Correspondence to\/}:}
+ \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}%
+ \def\notename{Remarque}%
+ \def\partname{Partie}%
+ \def\problemname{Probl\`eme}%
+ \def\proofname{Preuve}%
+ \def\propertyname{Caract\'eristique}%
+%\def\propositionname{Proposition}%
+ \def\questionname{Question}%
+ \def\remarkname{Remarque}%
+ \def\seename{voir}
+ \def\solutionname{Solution}%
+ \def\subclassname{{\it Subject Classifications\/}:}
+ \def\tablename{Tableau}%
+ \def\theoremname{Th\'eor\`eme}%
+}
+%
+% German section
+\def\switcht@deutsch{%\typeout{Man spricht deutsch.}%
+ \def\abstractname{Zusammenfassung.}%
+ \def\ackname{Danksagung.}%
+ \def\andname{und}%
+ \def\lastandname{ und}%
+ \def\appendixname{Anhang}%
+ \def\chaptername{Kapitel}%
+ \def\claimname{Behauptung}%
+ \def\conjecturename{Hypothese}%
+ \def\contentsname{Inhaltsverzeichnis}%
+ \def\corollaryname{Korollar}%
+%\def\definitionname{Definition}%
+ \def\examplename{Beispiel}%
+ \def\exercisename{\"Ubung}%
+ \def\figurename{Abb.}%
+ \def\keywordname{{\bf Schl\"usselw\"orter:}}
+ \def\indexname{Index}
+%\def\lemmaname{Lemma}%
+ \def\contriblistname{Mitarbeiter}
+ \def\listfigurename{Abbildungsverzeichnis}%
+ \def\listtablename{Tabellenverzeichnis}%
+ \def\mailname{{\it Correspondence to\/}:}
+ \def\noteaddname{Nachtrag}%
+ \def\notename{Anmerkung}%
+ \def\partname{Teil}%
+%\def\problemname{Problem}%
+ \def\proofname{Beweis}%
+ \def\propertyname{Eigenschaft}%
+%\def\propositionname{Proposition}%
+ \def\questionname{Frage}%
+ \def\remarkname{Anmerkung}%
+ \def\seename{siehe}
+ \def\solutionname{L\"osung}%
+ \def\subclassname{{\it Subject Classifications\/}:}
+ \def\tablename{Tabelle}%
+%\def\theoremname{Theorem}%
+}
+
+% Ragged bottom for the actual page
+\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil
+\global\let\@textbottom\relax}}
+
+\renewcommand\small{%
+ \@setfontsize\small\@ixpt{11}%
+ \abovedisplayskip 8.5\p@ \@plus3\p@ \@minus4\p@
+ \abovedisplayshortskip \z@ \@plus2\p@
+ \belowdisplayshortskip 4\p@ \@plus2\p@ \@minus2\p@
+ \def\@listi{\leftmargin\leftmargini
+ \parsep 0\p@ \@plus1\p@ \@minus\p@
+ \topsep 8\p@ \@plus2\p@ \@minus4\p@
+ \itemsep0\p@}%
+ \belowdisplayskip \abovedisplayskip
+}
+
+\frenchspacing
+\widowpenalty=10000
+\clubpenalty=10000
+
+\setlength\oddsidemargin {63\p@}
+\setlength\evensidemargin {63\p@}
+\setlength\marginparwidth {90\p@}
+
+\setlength\headsep {16\p@}
+
+\setlength\footnotesep{7.7\p@}
+\setlength\textfloatsep{8mm\@plus 2\p@ \@minus 4\p@}
+\setlength\intextsep {8mm\@plus 2\p@ \@minus 2\p@}
+
+\setcounter{secnumdepth}{2}
+
+\newcounter {chapter}
+\renewcommand\thechapter {\@arabic\c@chapter}
+
+\newif\if@mainmatter \@mainmattertrue
+\newcommand\frontmatter{\cleardoublepage
+ \@mainmatterfalse\pagenumbering{Roman}}
+\newcommand\mainmatter{\cleardoublepage
+ \@mainmattertrue\pagenumbering{arabic}}
+\newcommand\backmatter{\if@openright\cleardoublepage\else\clearpage\fi
+ \@mainmatterfalse}
+
+\renewcommand\part{\cleardoublepage
+ \thispagestyle{empty}%
+ \if@twocolumn
+ \onecolumn
+ \@tempswatrue
+ \else
+ \@tempswafalse
+ \fi
+ \null\vfil
+ \secdef\@part\@spart}
+
+\def\@part[#1]#2{%
+ \ifnum \c@secnumdepth >-2\relax
+ \refstepcounter{part}%
+ \addcontentsline{toc}{part}{\thepart\hspace{1em}#1}%
+ \else
+ \addcontentsline{toc}{part}{#1}%
+ \fi
+ \markboth{}{}%
+ {\centering
+ \interlinepenalty \@M
+ \normalfont
+ \ifnum \c@secnumdepth >-2\relax
+ \huge\bfseries \partname~\thepart
+ \par
+ \vskip 20\p@
+ \fi
+ \Huge \bfseries #2\par}%
+ \@endpart}
+\def\@spart#1{%
+ {\centering
+ \interlinepenalty \@M
+ \normalfont
+ \Huge \bfseries #1\par}%
+ \@endpart}
+\def\@endpart{\vfil\newpage
+ \if@twoside
+ \null
+ \thispagestyle{empty}%
+ \newpage
+ \fi
+ \if@tempswa
+ \twocolumn
+ \fi}
+
+\newcommand\chapter{\clearpage
+ \thispagestyle{empty}%
+ \global\@topnum\z@
+ \@afterindentfalse
+ \secdef\@chapter\@schapter}
+\def\@chapter[#1]#2{\ifnum \c@secnumdepth >\m@ne
+ \if@mainmatter
+ \refstepcounter{chapter}%
+ \typeout{\@chapapp\space\thechapter.}%
+ \addcontentsline{toc}{chapter}%
+ {\protect\numberline{\thechapter}#1}%
+ \else
+ \addcontentsline{toc}{chapter}{#1}%
+ \fi
+ \else
+ \addcontentsline{toc}{chapter}{#1}%
+ \fi
+ \chaptermark{#1}%
+ \addtocontents{lof}{\protect\addvspace{10\p@}}%
+ \addtocontents{lot}{\protect\addvspace{10\p@}}%
+ \if@twocolumn
+ \@topnewpage[\@makechapterhead{#2}]%
+ \else
+ \@makechapterhead{#2}%
+ \@afterheading
+ \fi}
+\def\@makechapterhead#1{%
+% \vspace*{50\p@}%
+ {\centering
+ \ifnum \c@secnumdepth >\m@ne
+ \if@mainmatter
+ \large\bfseries \@chapapp{} \thechapter
+ \par\nobreak
+ \vskip 20\p@
+ \fi
+ \fi
+ \interlinepenalty\@M
+ \Large \bfseries #1\par\nobreak
+ \vskip 40\p@
+ }}
+\def\@schapter#1{\if@twocolumn
+ \@topnewpage[\@makeschapterhead{#1}]%
+ \else
+ \@makeschapterhead{#1}%
+ \@afterheading
+ \fi}
+\def\@makeschapterhead#1{%
+% \vspace*{50\p@}%
+ {\centering
+ \normalfont
+ \interlinepenalty\@M
+ \Large \bfseries #1\par\nobreak
+ \vskip 40\p@
+ }}
+
+\renewcommand\section{\@startsection{section}{1}{\z@}%
+ {-18\p@ \@plus -4\p@ \@minus -4\p@}%
+ {12\p@ \@plus 4\p@ \@minus 4\p@}%
+ {\normalfont\large\bfseries\boldmath
+ \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
+\renewcommand\subsection{\@startsection{subsection}{2}{\z@}%
+ {-18\p@ \@plus -4\p@ \@minus -4\p@}%
+ {8\p@ \@plus 4\p@ \@minus 4\p@}%
+ {\normalfont\normalsize\bfseries\boldmath
+ \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
+\renewcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}%
+ {-18\p@ \@plus -4\p@ \@minus -4\p@}%
+ {-0.5em \@plus -0.22em \@minus -0.1em}%
+ {\normalfont\normalsize\bfseries\boldmath}}
+\renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}%
+ {-12\p@ \@plus -4\p@ \@minus -4\p@}%
+ {-0.5em \@plus -0.22em \@minus -0.1em}%
+ {\normalfont\normalsize\itshape}}
+\renewcommand\subparagraph[1]{\typeout{LLNCS warning: You should not use
+ \string\subparagraph\space with this class}\vskip0.5cm
+You should not use \verb|\subparagraph| with this class.\vskip0.5cm}
+
+\DeclareMathSymbol{\Gamma}{\mathalpha}{letters}{"00}
+\DeclareMathSymbol{\Delta}{\mathalpha}{letters}{"01}
+\DeclareMathSymbol{\Theta}{\mathalpha}{letters}{"02}
+\DeclareMathSymbol{\Lambda}{\mathalpha}{letters}{"03}
+\DeclareMathSymbol{\Xi}{\mathalpha}{letters}{"04}
+\DeclareMathSymbol{\Pi}{\mathalpha}{letters}{"05}
+\DeclareMathSymbol{\Sigma}{\mathalpha}{letters}{"06}
+\DeclareMathSymbol{\Upsilon}{\mathalpha}{letters}{"07}
+\DeclareMathSymbol{\Phi}{\mathalpha}{letters}{"08}
+\DeclareMathSymbol{\Psi}{\mathalpha}{letters}{"09}
+\DeclareMathSymbol{\Omega}{\mathalpha}{letters}{"0A}
+
+\let\footnotesize\small
+
+\if@custvec
+\def\vec#1{\mathchoice{\mbox{\boldmath$\displaystyle#1$}}
+{\mbox{\boldmath$\textstyle#1$}}
+{\mbox{\boldmath$\scriptstyle#1$}}
+{\mbox{\boldmath$\scriptscriptstyle#1$}}}
+\fi
+
+\def\squareforqed{\hbox{\rlap{$\sqcap$}$\sqcup$}}
+\def\qed{\ifmmode\squareforqed\else{\unskip\nobreak\hfil
+\penalty50\hskip1em\null\nobreak\hfil\squareforqed
+\parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi}
+
+\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip
+\halign{\hfil
+$\displaystyle##$\hfil\cr\gets\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr\gets
+\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr\gets
+\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+\gets\cr\to\cr}}}}}
+\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.2pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
+\noalign{\vskip1.2pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
+\noalign{\vskip1pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+<\cr
+\noalign{\vskip0.9pt}=\cr}}}}}
+\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.2pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
+\noalign{\vskip1.2pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
+\noalign{\vskip1pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+>\cr
+\noalign{\vskip0.9pt}=\cr}}}}}
+\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip
+\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-1pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
+>\cr\noalign{\vskip-1pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
+>\cr\noalign{\vskip-0.8pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+>\cr\noalign{\vskip-0.3pt}<\cr}}}}}
+\def\bbbr{{\rm I\!R}} %reelle Zahlen
+\def\bbbm{{\rm I\!M}}
+\def\bbbn{{\rm I\!N}} %natuerliche Zahlen
+\def\bbbf{{\rm I\!F}}
+\def\bbbh{{\rm I\!H}}
+\def\bbbk{{\rm I\!K}}
+\def\bbbp{{\rm I\!P}}
+\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l}
+{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}}
+\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}}}
+\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
+Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}}}
+\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
+T$}\hbox{\hbox to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}}}
+\def\bbbs{{\mathchoice
+{\setbox0=\hbox{$\displaystyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox
+to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox
+to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox
+to0pt{\kern0.5\wd0\vrule height0.45\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.4\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox
+to0pt{\kern0.55\wd0\vrule height0.45\ht0\hss}\box0}}}}
+\def\bbbz{{\mathchoice {\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}}
+{\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}}
+{\hbox{$\mathsf\scriptstyle Z\kern-0.3em Z$}}
+{\hbox{$\mathsf\scriptscriptstyle Z\kern-0.2em Z$}}}}
+
+\let\ts\,
+
+\setlength\leftmargini {17\p@}
+\setlength\leftmargin {\leftmargini}
+\setlength\leftmarginii {\leftmargini}
+\setlength\leftmarginiii {\leftmargini}
+\setlength\leftmarginiv {\leftmargini}
+\setlength \labelsep {.5em}
+\setlength \labelwidth{\leftmargini}
+\addtolength\labelwidth{-\labelsep}
+
+\def\@listI{\leftmargin\leftmargini
+ \parsep 0\p@ \@plus1\p@ \@minus\p@
+ \topsep 8\p@ \@plus2\p@ \@minus4\p@
+ \itemsep0\p@}
+\let\@listi\@listI
+\@listi
+\def\@listii {\leftmargin\leftmarginii
+ \labelwidth\leftmarginii
+ \advance\labelwidth-\labelsep
+ \topsep 0\p@ \@plus2\p@ \@minus\p@}
+\def\@listiii{\leftmargin\leftmarginiii
+ \labelwidth\leftmarginiii
+ \advance\labelwidth-\labelsep
+ \topsep 0\p@ \@plus\p@\@minus\p@
+ \parsep \z@
+ \partopsep \p@ \@plus\z@ \@minus\p@}
+
+\renewcommand\labelitemi{\normalfont\bfseries --}
+\renewcommand\labelitemii{$\m@th\bullet$}
+
+\setlength\arraycolsep{1.4\p@}
+\setlength\tabcolsep{1.4\p@}
+
+\def\tableofcontents{\chapter*{\contentsname\@mkboth{{\contentsname}}%
+ {{\contentsname}}}
+ \def\authcount##1{\setcounter{auco}{##1}\setcounter{@auth}{1}}
+ \def\lastand{\ifnum\value{auco}=2\relax
+ \unskip{} \andname\
+ \else
+ \unskip \lastandname\
+ \fi}%
+ \def\and{\stepcounter{@auth}\relax
+ \ifnum\value{@auth}=\value{auco}%
+ \lastand
+ \else
+ \unskip,
+ \fi}%
+ \@starttoc{toc}\if@restonecol\twocolumn\fi}
+
+\def\l@part#1#2{\addpenalty{\@secpenalty}%
+ \addvspace{2em plus\p@}% % space above part line
+ \begingroup
+ \parindent \z@
+ \rightskip \z@ plus 5em
+ \hrule\vskip5pt
+ \large % same size as for a contribution heading
+ \bfseries\boldmath % set line in boldface
+ \leavevmode % TeX command to enter horizontal mode.
+ #1\par
+ \vskip5pt
+ \hrule
+ \vskip1pt
+ \nobreak % Never break after part entry
+ \endgroup}
+
+\def\@dotsep{2}
+
+\let\phantomsection=\relax
+
+\def\hyperhrefextend{\ifx\hyper@anchor\@undefined\else
+{}\fi}
+
+\def\addnumcontentsmark#1#2#3{%
+\addtocontents{#1}{\protect\contentsline{#2}{\protect\numberline
+ {\thechapter}#3}{\thepage}\hyperhrefextend}}%
+\def\addcontentsmark#1#2#3{%
+\addtocontents{#1}{\protect\contentsline{#2}{#3}{\thepage}\hyperhrefextend}}%
+\def\addcontentsmarkwop#1#2#3{%
+\addtocontents{#1}{\protect\contentsline{#2}{#3}{0}\hyperhrefextend}}%
+
+\def\@adcmk[#1]{\ifcase #1 \or
+\def\@gtempa{\addnumcontentsmark}%
+ \or \def\@gtempa{\addcontentsmark}%
+ \or \def\@gtempa{\addcontentsmarkwop}%
+ \fi\@gtempa{toc}{chapter}%
+}
+\def\addtocmark{%
+\phantomsection
+\@ifnextchar[{\@adcmk}{\@adcmk[3]}%
+}
+
+\def\l@chapter#1#2{\addpenalty{-\@highpenalty}
+ \vskip 1.0em plus 1pt \@tempdima 1.5em \begingroup
+ \parindent \z@ \rightskip \@tocrmarg
+ \advance\rightskip by 0pt plus 2cm
+ \parfillskip -\rightskip \pretolerance=10000
+ \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
+ {\large\bfseries\boldmath#1}\ifx0#2\hfil\null
+ \else
+ \nobreak
+ \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern
+ \@dotsep mu$}\hfill
+ \nobreak\hbox to\@pnumwidth{\hss #2}%
+ \fi\par
+ \penalty\@highpenalty \endgroup}
+
+\def\l@title#1#2{\addpenalty{-\@highpenalty}
+ \addvspace{8pt plus 1pt}
+ \@tempdima \z@
+ \begingroup
+ \parindent \z@ \rightskip \@tocrmarg
+ \advance\rightskip by 0pt plus 2cm
+ \parfillskip -\rightskip \pretolerance=10000
+ \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
+ #1\nobreak
+ \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern
+ \@dotsep mu$}\hfill
+ \nobreak\hbox to\@pnumwidth{\hss #2}\par
+ \penalty\@highpenalty \endgroup}
+
+\def\l@author#1#2{\addpenalty{\@highpenalty}
+ \@tempdima=15\p@ %\z@
+ \begingroup
+ \parindent \z@ \rightskip \@tocrmarg
+ \advance\rightskip by 0pt plus 2cm
+ \pretolerance=10000
+ \leavevmode \advance\leftskip\@tempdima %\hskip -\leftskip
+ \textit{#1}\par
+ \penalty\@highpenalty \endgroup}
+
+\setcounter{tocdepth}{0}
+\newdimen\tocchpnum
+\newdimen\tocsecnum
+\newdimen\tocsectotal
+\newdimen\tocsubsecnum
+\newdimen\tocsubsectotal
+\newdimen\tocsubsubsecnum
+\newdimen\tocsubsubsectotal
+\newdimen\tocparanum
+\newdimen\tocparatotal
+\newdimen\tocsubparanum
+\tocchpnum=\z@ % no chapter numbers
+\tocsecnum=15\p@ % section 88. plus 2.222pt
+\tocsubsecnum=23\p@ % subsection 88.8 plus 2.222pt
+\tocsubsubsecnum=27\p@ % subsubsection 88.8.8 plus 1.444pt
+\tocparanum=35\p@ % paragraph 88.8.8.8 plus 1.666pt
+\tocsubparanum=43\p@ % subparagraph 88.8.8.8.8 plus 1.888pt
+\def\calctocindent{%
+\tocsectotal=\tocchpnum
+\advance\tocsectotal by\tocsecnum
+\tocsubsectotal=\tocsectotal
+\advance\tocsubsectotal by\tocsubsecnum
+\tocsubsubsectotal=\tocsubsectotal
+\advance\tocsubsubsectotal by\tocsubsubsecnum
+\tocparatotal=\tocsubsubsectotal
+\advance\tocparatotal by\tocparanum}
+\calctocindent
+
+\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}}
+\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}}
+\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}}
+\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}}
+\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}}
+
+\def\listoffigures{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\section*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}}
+ \@starttoc{lof}\if@restonecol\twocolumn\fi}
+\def\l@figure{\@dottedtocline{1}{0em}{1.5em}}
+
+\def\listoftables{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\section*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}}
+ \@starttoc{lot}\if@restonecol\twocolumn\fi}
+\let\l@table\l@figure
+
+\renewcommand\listoffigures{%
+ \section*{\listfigurename
+ \@mkboth{\listfigurename}{\listfigurename}}%
+ \@starttoc{lof}%
+ }
+
+\renewcommand\listoftables{%
+ \section*{\listtablename
+ \@mkboth{\listtablename}{\listtablename}}%
+ \@starttoc{lot}%
+ }
+
+\ifx\oribibl\undefined
+\ifx\citeauthoryear\undefined
+\renewenvironment{thebibliography}[1]
+ {\section*{\refname}
+ \def\@biblabel##1{##1.}
+ \small
+ \list{\@biblabel{\@arabic\c@enumiv}}%
+ {\settowidth\labelwidth{\@biblabel{#1}}%
+ \leftmargin\labelwidth
+ \advance\leftmargin\labelsep
+ \if@openbib
+ \advance\leftmargin\bibindent
+ \itemindent -\bibindent
+ \listparindent \itemindent
+ \parsep \z@
+ \fi
+ \usecounter{enumiv}%
+ \let\p@enumiv\@empty
+ \renewcommand\theenumiv{\@arabic\c@enumiv}}%
+ \if@openbib
+ \renewcommand\newblock{\par}%
+ \else
+ \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}%
+ \fi
+ \sloppy\clubpenalty4000\widowpenalty4000%
+ \sfcode`\.=\@m}
+ {\def\@noitemerr
+ {\@latex@warning{Empty `thebibliography' environment}}%
+ \endlist}
+\def\@lbibitem[#1]#2{\item[{[#1]}\hfill]\if@filesw
+ {\let\protect\noexpand\immediate
+ \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces}
+\newcount\@tempcntc
+\def\@citex[#1]#2{\if@filesw\immediate\write\@auxout{\string\citation{#2}}\fi
+ \@tempcnta\z@\@tempcntb\m@ne\def\@citea{}\@cite{\@for\@citeb:=#2\do
+ {\@ifundefined
+ {b@\@citeb}{\@citeo\@tempcntb\m@ne\@citea\def\@citea{,}{\bfseries
+ ?}\@warning
+ {Citation `\@citeb' on page \thepage \space undefined}}%
+ {\setbox\z@\hbox{\global\@tempcntc0\csname b@\@citeb\endcsname\relax}%
+ \ifnum\@tempcntc=\z@ \@citeo\@tempcntb\m@ne
+ \@citea\def\@citea{,}\hbox{\csname b@\@citeb\endcsname}%
+ \else
+ \advance\@tempcntb\@ne
+ \ifnum\@tempcntb=\@tempcntc
+ \else\advance\@tempcntb\m@ne\@citeo
+ \@tempcnta\@tempcntc\@tempcntb\@tempcntc\fi\fi}}\@citeo}{#1}}
+\def\@citeo{\ifnum\@tempcnta>\@tempcntb\else
+ \@citea\def\@citea{,\,\hskip\z@skip}%
+ \ifnum\@tempcnta=\@tempcntb\the\@tempcnta\else
+ {\advance\@tempcnta\@ne\ifnum\@tempcnta=\@tempcntb \else
+ \def\@citea{--}\fi
+ \advance\@tempcnta\m@ne\the\@tempcnta\@citea\the\@tempcntb}\fi\fi}
+\else
+\renewenvironment{thebibliography}[1]
+ {\section*{\refname}
+ \small
+ \list{}%
+ {\settowidth\labelwidth{}%
+ \leftmargin\parindent
+ \itemindent=-\parindent
+ \labelsep=\z@
+ \if@openbib
+ \advance\leftmargin\bibindent
+ \itemindent -\bibindent
+ \listparindent \itemindent
+ \parsep \z@
+ \fi
+ \usecounter{enumiv}%
+ \let\p@enumiv\@empty
+ \renewcommand\theenumiv{}}%
+ \if@openbib
+ \renewcommand\newblock{\par}%
+ \else
+ \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}%
+ \fi
+ \sloppy\clubpenalty4000\widowpenalty4000%
+ \sfcode`\.=\@m}
+ {\def\@noitemerr
+ {\@latex@warning{Empty `thebibliography' environment}}%
+ \endlist}
+ \def\@cite#1{#1}%
+ \def\@lbibitem[#1]#2{\item[]\if@filesw
+ {\def\protect##1{\string ##1\space}\immediate
+ \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces}
+ \fi
+\else
+\@cons\@openbib@code{\noexpand\small}
+\fi
+
+\def\idxquad{\hskip 10\p@}% space that divides entry from number
+
+\def\@idxitem{\par\hangindent 10\p@}
+
+\def\subitem{\par\setbox0=\hbox{--\enspace}% second order
+ \noindent\hangindent\wd0\box0}% index entry
+
+\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third
+ \noindent\hangindent\wd0\box0}% order index entry
+
+\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax}
+
+\renewenvironment{theindex}
+ {\@mkboth{\indexname}{\indexname}%
+ \thispagestyle{empty}\parindent\z@
+ \parskip\z@ \@plus .3\p@\relax
+ \let\item\par
+ \def\,{\relax\ifmmode\mskip\thinmuskip
+ \else\hskip0.2em\ignorespaces\fi}%
+ \normalfont\small
+ \begin{multicols}{2}[\@makeschapterhead{\indexname}]%
+ }
+ {\end{multicols}}
+
+\renewcommand\footnoterule{%
+ \kern-3\p@
+ \hrule\@width 2truecm
+ \kern2.6\p@}
+ \newdimen\fnindent
+ \fnindent1em
+\long\def\@makefntext#1{%
+ \parindent \fnindent%
+ \leftskip \fnindent%
+ \noindent
+ \llap{\hb@xt@1em{\hss\@makefnmark\ }}\ignorespaces#1}
+
+\long\def\@makecaption#1#2{%
+ \small
+ \vskip\abovecaptionskip
+ \sbox\@tempboxa{{\bfseries #1.} #2}%
+ \ifdim \wd\@tempboxa >\hsize
+ {\bfseries #1.} #2\par
+ \else
+ \global \@minipagefalse
+ \hb@xt@\hsize{\hfil\box\@tempboxa\hfil}%
+ \fi
+ \vskip\belowcaptionskip}
+
+\def\fps@figure{htbp}
+\def\fnum@figure{\figurename\thinspace\thefigure}
+\def \@floatboxreset {%
+ \reset@font
+ \small
+ \@setnobreak
+ \@setminipage
+}
+\def\fps@table{htbp}
+\def\fnum@table{\tablename~\thetable}
+\renewenvironment{table}
+ {\setlength\abovecaptionskip{0\p@}%
+ \setlength\belowcaptionskip{10\p@}%
+ \@float{table}}
+ {\end@float}
+\renewenvironment{table*}
+ {\setlength\abovecaptionskip{0\p@}%
+ \setlength\belowcaptionskip{10\p@}%
+ \@dblfloat{table}}
+ {\end@dblfloat}
+
+\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore
+ \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+ \endgroup}
+
+% LaTeX does not provide a command to enter the authors institute
+% addresses. The \institute command is defined here.
+
+\newcounter{@inst}
+\newcounter{@auth}
+\newcounter{auco}
+\newdimen\instindent
+\newbox\authrun
+\newtoks\authorrunning
+\newtoks\tocauthor
+\newbox\titrun
+\newtoks\titlerunning
+\newtoks\toctitle
+
+\def\clearheadinfo{\gdef\@author{No Author Given}%
+ \gdef\@title{No Title Given}%
+ \gdef\@subtitle{}%
+ \gdef\@institute{No Institute Given}%
+ \gdef\@thanks{}%
+ \global\titlerunning={}\global\authorrunning={}%
+ \global\toctitle={}\global\tocauthor={}}
+
+\def\institute#1{\gdef\@institute{#1}}
+
+\def\institutename{\par
+ \begingroup
+ \parskip=\z@
+ \parindent=\z@
+ \setcounter{@inst}{1}%
+ \def\and{\par\stepcounter{@inst}%
+ \noindent$^{\the@inst}$\enspace\ignorespaces}%
+ \setbox0=\vbox{\def\thanks##1{}\@institute}%
+ \ifnum\c@@inst=1\relax
+ \gdef\fnnstart{0}%
+ \else
+ \xdef\fnnstart{\c@@inst}%
+ \setcounter{@inst}{1}%
+ \noindent$^{\the@inst}$\enspace
+ \fi
+ \ignorespaces
+ \@institute\par
+ \endgroup}
+
+\def\@fnsymbol#1{\ensuremath{\ifcase#1\or\star\or{\star\star}\or
+ {\star\star\star}\or \dagger\or \ddagger\or
+ \mathchar "278\or \mathchar "27B\or \|\or **\or \dagger\dagger
+ \or \ddagger\ddagger \else\@ctrerr\fi}}
+
+\def\inst#1{\unskip$^{#1}$}
+\def\orcidID#1{\unskip$^{[#1]}$} % added MR 2018-03-10
+\def\fnmsep{\unskip$^,$}
+\def\email#1{{\tt#1}}
+
+\AtBeginDocument{\@ifundefined{url}{\def\url#1{#1}}{}%
+\@ifpackageloaded{babel}{%
+\@ifundefined{extrasenglish}{}{\addto\extrasenglish{\switcht@albion}}%
+\@ifundefined{extrasfrenchb}{}{\addto\extrasfrenchb{\switcht@francais}}%
+\@ifundefined{extrasgerman}{}{\addto\extrasgerman{\switcht@deutsch}}%
+\@ifundefined{extrasngerman}{}{\addto\extrasngerman{\switcht@deutsch}}%
+}{\switcht@@therlang}%
+\providecommand{\keywords}[1]{\def\and{{\textperiodcentered} }%
+\par\addvspace\baselineskip
+\noindent\keywordname\enspace\ignorespaces#1}%
+\@ifpackageloaded{hyperref}{%
+\def\doi#1{\href{https://doi.org/#1}{https://doi.org/#1}}}{
+\def\doi#1{https://doi.org/#1}}
+}
+\def\homedir{\~{ }}
+
+\def\subtitle#1{\gdef\@subtitle{#1}}
+\clearheadinfo
+%
+%%% to avoid hyperref warnings
+\providecommand*{\toclevel@author}{999}
+%%% to make title-entry parent of section-entries
+\providecommand*{\toclevel@title}{0}
+%
+\renewcommand\maketitle{\newpage
+\phantomsection
+ \refstepcounter{chapter}%
+ \stepcounter{section}%
+ \setcounter{section}{0}%
+ \setcounter{subsection}{0}%
+ \setcounter{figure}{0}
+ \setcounter{table}{0}
+ \setcounter{equation}{0}
+ \setcounter{footnote}{0}%
+ \begingroup
+ \parindent=\z@
+ \renewcommand\thefootnote{\@fnsymbol\c@footnote}%
+ \if@twocolumn
+ \ifnum \col@number=\@ne
+ \@maketitle
+ \else
+ \twocolumn[\@maketitle]%
+ \fi
+ \else
+ \newpage
+ \global\@topnum\z@ % Prevents figures from going at top of page.
+ \@maketitle
+ \fi
+ \thispagestyle{empty}\@thanks
+%
+ \def\\{\unskip\ \ignorespaces}\def\inst##1{\unskip{}}%
+ \def\thanks##1{\unskip{}}\def\fnmsep{\unskip}%
+ \instindent=\hsize
+ \advance\instindent by-\headlineindent
+ \if!\the\toctitle!\addcontentsline{toc}{title}{\@title}\else
+ \addcontentsline{toc}{title}{\the\toctitle}\fi
+ \if@runhead
+ \if!\the\titlerunning!\else
+ \edef\@title{\the\titlerunning}%
+ \fi
+ \global\setbox\titrun=\hbox{\small\rm\unboldmath\ignorespaces\@title}%
+ \ifdim\wd\titrun>\instindent
+ \typeout{Title too long for running head. Please supply}%
+ \typeout{a shorter form with \string\titlerunning\space prior to
+ \string\maketitle}%
+ \global\setbox\titrun=\hbox{\small\rm
+ Title Suppressed Due to Excessive Length}%
+ \fi
+ \xdef\@title{\copy\titrun}%
+ \fi
+%
+ \if!\the\tocauthor!\relax
+ {\def\and{\noexpand\protect\noexpand\and}%
+ \def\inst##1{}% added MR 2017-09-20 to remove inst numbers from the TOC
+ \def\orcidID##1{}% added MR 2017-09-20 to remove ORCID ids from the TOC
+ \protected@xdef\toc@uthor{\@author}}%
+ \else
+ \def\\{\noexpand\protect\noexpand\newline}%
+ \protected@xdef\scratch{\the\tocauthor}%
+ \protected@xdef\toc@uthor{\scratch}%
+ \fi
+ \addtocontents{toc}{\noexpand\protect\noexpand\authcount{\the\c@auco}}%
+ \addcontentsline{toc}{author}{\toc@uthor}%
+ \if@runhead
+ \if!\the\authorrunning!
+ \value{@inst}=\value{@auth}%
+ \setcounter{@auth}{1}%
+ \else
+ \edef\@author{\the\authorrunning}%
+ \fi
+ \global\setbox\authrun=\hbox{\def\inst##1{}% added MR 2017-09-20 to remove inst numbers from the runninghead
+ \def\orcidID##1{}% added MR 2017-09-20 to remove ORCID ids from the runninghead
+ \small\unboldmath\@author\unskip}%
+ \ifdim\wd\authrun>\instindent
+ \typeout{Names of authors too long for running head. Please supply}%
+ \typeout{a shorter form with \string\authorrunning\space prior to
+ \string\maketitle}%
+ \global\setbox\authrun=\hbox{\small\rm
+ Authors Suppressed Due to Excessive Length}%
+ \fi
+ \xdef\@author{\copy\authrun}%
+ \markboth{\@author}{\@title}%
+ \fi
+ \endgroup
+ \setcounter{footnote}{\fnnstart}%
+ \clearheadinfo}
+%
+\def\@maketitle{\newpage
+ \markboth{}{}%
+ \def\lastand{\ifnum\value{@inst}=2\relax
+ \unskip{} \andname\
+ \else
+ \unskip \lastandname\
+ \fi}%
+ \def\and{\stepcounter{@auth}\relax
+ \ifnum\value{@auth}=\value{@inst}%
+ \lastand
+ \else
+ \unskip,
+ \fi}%
+ \begin{center}%
+ \let\newline\\
+ {\Large \bfseries\boldmath
+ \pretolerance=10000
+ \@title \par}\vskip .8cm
+\if!\@subtitle!\else {\large \bfseries\boldmath
+ \vskip -.65cm
+ \pretolerance=10000
+ \@subtitle \par}\vskip .8cm\fi
+ \setbox0=\vbox{\setcounter{@auth}{1}\def\and{\stepcounter{@auth}}%
+ \def\thanks##1{}\@author}%
+ \global\value{@inst}=\value{@auth}%
+ \global\value{auco}=\value{@auth}%
+ \setcounter{@auth}{1}%
+{\lineskip .5em
+\noindent\ignorespaces
+\@author\vskip.35cm}
+ {\small\institutename}
+ \end{center}%
+ }
+
+% definition of the "\spnewtheorem" command.
+%
+% Usage:
+%
+% \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font}
+% or \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font}
+% or \spnewtheorem*{env_nam}{caption}{cap_font}{body_font}
+%
+% New is "cap_font" and "body_font". It stands for
+% fontdefinition of the caption and the text itself.
+%
+% "\spnewtheorem*" gives a theorem without number.
+%
+% A defined spnewthoerem environment is used as described
+% by Lamport.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\@thmcountersep{}
+\def\@thmcounterend{.}
+
+\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}}
+
+% definition of \spnewtheorem with number
+
+\def\@spnthm#1#2{%
+ \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
+\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}}
+
+\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}\@addtoreset{#1}{#3}%
+ \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
+ \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}%
+ \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spothm#1[#2]#3#4#5{%
+ \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
+ {\expandafter\@ifdefinable\csname #1\endcsname
+ {\newaliascnt{#1}{#2}%
+ \expandafter\xdef\csname #1name\endcsname{#3}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+ \global\@namedef{end#1}{\@endtheorem}}}}
+
+\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\refstepcounter{#1}%
+\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}}
+
+\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
+ \ignorespaces}
+
+\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname
+ the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
+
+\def\@spbegintheorem#1#2#3#4{\trivlist
+ \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4}
+
+\def\@spopargbegintheorem#1#2#3#4#5{\trivlist
+ \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5}
+
+% definition of \spnewtheorem* without number
+
+\def\@sthm#1#2{\@Ynthm{#1}{#2}}
+
+\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+ {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}}
+
+\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces}
+
+\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1}
+ {#4}{#2}{#3}\ignorespaces}
+
+\def\@Begintheorem#1#2#3{#3\trivlist
+ \item[\hskip\labelsep{#2#1\@thmcounterend}]}
+
+\def\@Opargbegintheorem#1#2#3#4{#4\trivlist
+ \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
+
+\if@envcntsect
+ \def\@thmcountersep{.}
+ \spnewtheorem{theorem}{Theorem}[section]{\bfseries}{\itshape}
+\else
+ \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
+ \if@envcntreset
+ \@addtoreset{theorem}{section}
+ \else
+ \@addtoreset{theorem}{chapter}
+ \fi
+\fi
+
+%definition of divers theorem environments
+\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily}
+\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily}
+\if@envcntsame % alle Umgebungen wie Theorem.
+ \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
+\else % alle Umgebungen mit eigenem Zaehler
+ \if@envcntsect % mit section numeriert
+ \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[section]{#3}{#4}}
+ \else % nicht mit section numeriert
+ \if@envcntreset
+ \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+ \@addtoreset{#1}{section}}
+ \else
+ \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+ \@addtoreset{#1}{chapter}}%
+ \fi
+ \fi
+\fi
+\spn@wtheorem{case}{Case}{\itshape}{\rmfamily}
+\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily}
+\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape}
+\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape}
+\spn@wtheorem{example}{Example}{\itshape}{\rmfamily}
+\spn@wtheorem{exercise}{Exercise}{\itshape}{\rmfamily}
+\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape}
+\spn@wtheorem{note}{Note}{\itshape}{\rmfamily}
+\spn@wtheorem{problem}{Problem}{\itshape}{\rmfamily}
+\spn@wtheorem{property}{Property}{\itshape}{\rmfamily}
+\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape}
+\spn@wtheorem{question}{Question}{\itshape}{\rmfamily}
+\spn@wtheorem{solution}{Solution}{\itshape}{\rmfamily}
+\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily}
+
+\def\@takefromreset#1#2{%
+ \def\@tempa{#1}%
+ \let\@tempd\@elt
+ \def\@elt##1{%
+ \def\@tempb{##1}%
+ \ifx\@tempa\@tempb\else
+ \@addtoreset{##1}{#2}%
+ \fi}%
+ \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
+ \expandafter\def\csname cl@#2\endcsname{}%
+ \@tempc
+ \let\@elt\@tempd}
+
+\def\theopargself{\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
+ \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
+ \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
+ \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}
+ }
+
+\renewenvironment{abstract}{%
+ \list{}{\advance\topsep by0.35cm\relax\small
+ \leftmargin=1cm
+ \labelwidth=\z@
+ \listparindent=\z@
+ \itemindent\listparindent
+ \rightmargin\leftmargin}\item[\hskip\labelsep
+ \bfseries\abstractname]}
+ {\endlist}
+
+\newdimen\headlineindent % dimension for space between
+\headlineindent=1.166cm % number and text of headings.
+
+\def\ps@headings{\let\@mkboth\@gobbletwo
+ \let\@oddfoot\@empty\let\@evenfoot\@empty
+ \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}%
+ \leftmark\hfil}
+ \def\@oddhead{\normalfont\small\hfil\rightmark\hspace{\headlineindent}%
+ \llap{\thepage}}
+ \def\chaptermark##1{}%
+ \def\sectionmark##1{}%
+ \def\subsectionmark##1{}}
+
+\def\ps@titlepage{\let\@mkboth\@gobbletwo
+ \let\@oddfoot\@empty\let\@evenfoot\@empty
+ \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}%
+ \hfil}
+ \def\@oddhead{\normalfont\small\hfil\hspace{\headlineindent}%
+ \llap{\thepage}}
+ \def\chaptermark##1{}%
+ \def\sectionmark##1{}%
+ \def\subsectionmark##1{}}
+
+\if@runhead\ps@headings\else
+\ps@empty\fi
+
+\setlength\arraycolsep{1.4\p@}
+\setlength\tabcolsep{1.4\p@}
+
+\endinput
+%end of file llncs.cls
diff --git a/taler-fc19/llncsdoc.pdf b/taler-fc19/llncsdoc.pdf Binary files differnew file mode 100644 index 0000000..24a36b5 --- /dev/null +++ b/taler-fc19/llncsdoc.pdf diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex new file mode 100644 index 0000000..e5f59b5 --- /dev/null +++ b/taler-fc19/paper.tex @@ -0,0 +1,1448 @@ +% This is samplepaper.tex, a sample chapter demonstrating the
+% LLNCS macro package for Springer Computer Science proceedings;
+% Version 2.20 of 2017/10/04
+%
+\documentclass[runningheads]{llncs}
+%
+\usepackage{graphicx}
+\usepackage{amsmath,amssymb}
+% Used for displaying a sample figure. If possible, figure files should
+% be included in EPS format.
+%
+% If you use the hyperref package, please uncomment the following line
+% to display URLs in blue roman font according to Springer's eBook style:
+% \renewcommand\UrlFont{\color{blue}\rmfamily}
+
+\usepackage[utf8]{inputenc}
+
+\begin{document}
+\title{Robust and Income-transparent Online E-Cash}
+\maketitle
+
+\begin{abstract}
+ Traditional security definitions for anonymous e-cash omit properties that
+ are vital for practical deployments.
+
+ We argue that a protocol for unlinkable change is necessary even in schemes
+ that provide divisibility. As a naive implementation of a change protocol
+ opens
+
+ We furthermore show that an e-cash protocol that fulfills these properties
+ can be used to implement Camenisch-style fair exchange, tick payments, and
+ can be used to provide anonymous refunds.
+
+\keywords{First keyword \and Second keyword \and Another keyword.}
+\end{abstract}
+
+\def\Z{\mathbb{Z}}
+
+\def\mathperiod{.}
+\def\mathcomma{,}
+
+\newcommand*\ST[5]%
+{\left#1\,#4\vphantom{#5} \;\right#2 \left. #5 \vphantom{#4}\,\right#3}
+
+% uniform random selection from set
+\newcommand{\randsel}[0]{\ensuremath{\xleftarrow{\text{\$}}}}
+
+\newcommand{\Exp}[1]{\ensuremath{E\left[#1\right]}}
+
+% oracles
+\newcommand{\ora}[1]{\ensuremath{\mathcal{O}\mathsf{#1}}}
+% oracle set
+\newcommand{\oraSet}[1]{\ensuremath{\mathcal{O}\textsc{#1}}}
+% algorithm
+\newcommand{\algo}[1]{\ensuremath{\mathsf{#1}}}
+% party
+\newcommand{\prt}[1]{\ensuremath{\mathcal{#1}}}
+% long-form variable
+\newcommand{\V}[1]{\ensuremath{\mathsf{#1}}}
+
+% probability with square brackets of the right size
+\newcommand{\Prb}[1]{\ensuremath{\Pr\left [#1 \right ]}}
+
+\newcommand{\mycomment}[1]{~\\ {\small \textcolor{blue}{({#1})}}}
+
+%\theoremstyle{definition}
+%\newtheorem{definition}{Definition}[section]
+%\theoremstyle{corollary}
+%\newtheorem{corollary}{Corollary}[section]
+
+\section{Model and Syntax for Taler}
+
+We consider a payment system with a single, static exchange and multiple,
+dynamically created customers and merchants. The subset of the full Taler
+protocol that we model includes withdrawing digital coins, spending them with
+merchants and subsequently depositing them at the exchange, as well as
+obtaining unlinkable change for partially spent coins with an online
+``refresh'' protocol.
+
+The exchange offers digital coins in multiple denominations, and every
+denomination has an associated financial value; this mapping is not chosen by
+the adversary but is a system parameter. We mostly ignore the denomination
+values here, including their impact on anonymity, in keeping with existing
+literature \cite{camenisch2007endorsed,pointcheval2017cut}. For anonymity, we
+believe this amounts to assuming that all customers have similar financial
+behavior. We note logarithmic storage, computation and bandwidth demands
+denominations distributed by powers of a fixed constant, like two.
+
+We do not model fees taken by the exchange. Reserves\footnote{%
+ ``Reserve'' is Taler's terminology for funds submitted to the exchange that
+ can be converted to digital coins.
+}
+are also omitted.
+Instead of maintaining a reserve balance, we track the total amount of
+coins withdrawn by each customer.
+
+Coins can be partially spent by specifying a fraction $0 < f \le 1$ of the
+total value associated with the coin's denomination. Unlinkable change below
+the smallest denomination cannot be given. In
+practice the unspendable, residual value should be seen as an additional fee
+charged by the exchange.
+
+The spending of multiple coins is modeled non-atomically: to spend (fractions
+of) multiple coins, they must be spent one-by-one. The individual
+spend/deposit operations are correlated by a unique identifier for the
+transaction. In practice this identifier is the hash $\V{transactionId} =
+H(\V{contractTerms})$ of the contract terms\footnote{The contract terms
+are a digital representation of an individual offer for a certain product or service the merchant sells
+for a certain price.}. Contract terms include a nonce to make them
+unique, that merchant and customer agreed upon. Note that this transaction
+identifier and the correlation between multiple spend operations for one
+payment need not be disclosed to the exchange (it might, however, be necessary
+to reveal during a detailed tax audit of the merchant): When spending the $i$-th coin
+for the transaction with the identifier $\V{transactionId}$, messages to the
+exchange would only contain $H(i \Vert \V{transactionId})$. This is preferable
+for merchants that might not want to disclose to the exchange the individual
+prices of products they sell to customers, but only the total transaction
+volume over time. For simplicity, we do not include this extra feature in our
+model.
+
+Customers are identified by their public key $\V{pkCustomer}$. Every customer
+keeps track of the following data:
+\begin{itemize}
+ \item $\V{wallet}[\V{pkCustomer}]$ contains sets of the customer's coin records,
+ which individually consist of the coin key pair, denomination and exchange's signature.
+ \item $\V{acceptedContracts}[\V{pkCustomer}]$ contains the sets of
+ transaction identifiers accepted by the customer during spending
+ operations, together with coins spent for it and their contributions $0 < f
+ \le 1$.
+ \item $\V{withdrawIds}[\V{pkCustomer}]$ contains the withdraw identifiers of
+ all withdraw operations that were created for this customer.
+ \item $\V{refreshIds}[\V{pkCustomer}]$ contains the refresh identifiers of
+ all refresh operations that were created for this customer.
+\end{itemize}
+
+
+The exchange in our model keeps track of the following data:
+\begin{itemize}
+ \item $\V{withdrawn}[\V{pkCustomer}]$ contains the total amount withdrawn by
+ each customer, i.e. the sum of the financial value of the denominations for
+ all coins that were withdrawn by $\V{pkCustomer}$.
+ \item The overspending database of the exchange is modeled by
+ $\V{deposited}[\V{pkCoin}]$ and $\V{refreshed}[\V{pkCoin}]$, which record
+ deposit and refresh operations respectively on each coin. Note that since
+ partial deposits and multiple refreshes to smaller denominations are
+ possible, one deposit and multiple refresh operations can be recorded for a
+ single coin.
+\end{itemize}
+
+We say that a coin is \emph{fresh} if it appears in neither the $\V{deposited}$
+or $\V{refreshed}$ lists nor in $\V{acceptedContracts}$. We say that a coin is
+being $\V{overspent}$ if recording an operation in $\V{deposited}$ or
+$\V{refreshed}$ would cause the total spent value from both lists to exceed
+the value of the coin's denomination.
+
+Note that the adversary does not have direct read or write access to these
+values; instead the adversary needs to use the oracles (defined later) to
+interact with the system.
+
+We parameterize our system with two security parameters: The general security
+parameter $\lambda$, and the refresh security parameter $\kappa$. While
+$\lambda$ determines the length of keys and thus the security level, using a
+larger $\kappa$ will only decrease the success chance of malicious merchants
+conspiring with customers to obtain unreported (and thus untaxable) income.
+
+\subsection{Algorithms}
+
+The Taler e-cash scheme is modeled by the following probabilistic\footnote{Our
+Taler instantiations are not necessarily probabilistic (except e.g. key
+generation), but we do not want to prohibit this for other instantiations}
+polynomial-time algorithms and interactive protocols. The notation $P(X_1,\dots,X_n)$
+stands for a party $P \in \{\prt{E}, \prt{C}, \prt{M}\}$ (Exchange, Customer
+and Merchant respectively) in an interactive protocol, with $X_1,\dots,X_n$
+being the (possibly private) inputs contributed by the party to the protocol.
+Interactive protocols can access the state maintained by party $P$.
+
+While the adversary can freely execute the interactive protocols by creating
+their own parties, the adversary is not given direct access to the private data
+of parties maintained by the challenger in the security games we define later.
+
+\begin{itemize}
+ \item $\algo{ExchangeKeygen}(1^{\lambda}, 1^{\kappa}, \mathfrak{D}) \mapsto (\V{sksE}, \V{pksE})$:
+ Algorithm executed to generate keys for the exchange, with general security
+ parameter $\lambda$ and refresh security parameter $\kappa$, both given as
+ unary numbers. The denomination specification $\mathfrak{D} = d_1,\dots,d_n$ is a
+ finite sequence of positive rational numbers that defines the financial
+ value of each generated denomination key pair. We henceforth use $\mathfrak{D}$ to
+ refer to some appropriate denomination specification, but our analysis is
+ independent of a particular choice of $\mathfrak{D}$.
+
+ The algorithm generates the exchange's master signing key pair
+ $(\V{skESig}, \V{pkESig})$ and denomination secret and public keys
+ $(\V{skD}_1, \dots, \V{skD}_n), (\V{pkD}_1, \dots, \V{pkD}_n)$. We write
+ $D(\V{pkD}_i)$, where $D : \{\V{pkD}_i\} \rightarrow \mathfrak{D}$ to look
+ up the financial value of denomination $\V{pkD_i}$.
+
+ We collectively refer to the exchange's secrets by $\V{sksE}$ and to the exchange's
+ public keys together with $\mathfrak{D}$ by $\V{pksE}$.
+
+ \item $\algo{CustomerKeygen}(1^\lambda,1^\kappa) \mapsto (\V{skCustomer}, \V{pkCustomer})$:
+ Key generation algorithm for customers with security parameters $\lambda$
+ and $\kappa$.
+
+ \item $\algo{MerchantKeygen}(1^\lambda,1^\kappa) \mapsto (\V{skMerchant},
+ \V{pkMerchant})$: Key generation algorithm for merchants. Typically the
+ same as \algo{CustomerKeygen}.
+
+ \item $\algo{WithdrawRequest}(\prt{E}(\V{sksE}, \V{pkCustomer}),
+ \prt{C}(\V{skCustomer}, \V{pksE}, \V{pkD})) \mapsto (\mathcal{T}_{WR},
+ \V{wid})$: Interactive protocol between the exchange and a customer that
+ initiates withdrawing a single coin of a particular denomination.
+
+ The customer obtains a withdraw identifier $\V{wid}$ from the protocol
+ execution and stores it in $\V{withdrawIds}[\V{pkCustomer}]$.
+
+ The \algo{WithdrawRequest} protocol only initiates a withdrawal. The coin
+ is only obtained and stored in the customer's wallet by executing the
+ \algo{WithdrawPickup} protocol on the withdraw identifier \V{wid}.
+
+ The customer and exchange persistently store additional state (if required
+ by the instantiation) such that the customer can use $\algo{WithdrawPickup}$
+
+ Returns a protocol transcript $\mathcal{T}_{WR}$ of all messages exchanged
+ between the exchange and customer, as well as the withdraw identifier
+ \V{wid}.
+
+ \item $\algo{WithdrawPickup}(\prt{E}(\V{sksE}, \V{pkCustomer}),
+ \prt{C}(\V{skCustomer}, \V{pksE}, \V{wid})) \mapsto (\mathcal{T}_{WP},
+ \V{coin})$: Interactive protocol between the exchange and a customer to
+ obtain the coin from a withdraw operation started with
+ $\algo{WithdrawRequest}$, identified by the withdraw identifier $\V{wid}$.
+
+ The first time $\algo{WithdrawPickup}$ is run with a particular withdraw
+ identifier $\V{wid}$, the exchange increments
+ $\V{withdrawn}[\V{pkCustomer}]$ by $D(\V{pkD})$, where $\V{pkD}$ is the
+ denomination requested in the corresponding $\algo{WithdrawRequest}$
+ execution. How exactly $\V{pkD}$ is restored depends on the particular instantiation.
+
+ The resulting coin
+ \[ \V{coin} = (\V{skCoin}, \V{pkCoin}, \V{pkD}, \V{coinCert}) \]
+ (consisting of secret key $\V{skCoin}$, public key
+ $\V{pkCoin}$, denomination public key $\V{pkD}$ and certificate $\V{coinCert}$ from the exchange) is stored
+ in the customers wallet $\V{wallet}[\V{pkCustomer}]$.
+
+ Executing the $\algo{WithdrawPickup}$ protocol multiple times with the same
+ customer and the same withdraw identifier does not result in any change of
+ the customer's withdraw balance $\V{withdrawn}[\V{pkCustomer}]$,
+ and results in (re-)adding the same coin to the customer's wallet.
+
+ Returns a protocol transcript $\mathcal{T}_{WP}$ of all messages exchanged
+ between the exchange and customer.
+
+ \item $\algo{Spend}(\V{transactionId}, f, \V{coin}, \V{pkMerchant}) \mapsto \V{depositPermission}$:
+ Algorithm to produce and sign a deposit permission \V{depositPermission}
+ for a coin under a particular transaction identifier. The fraction $0 < f \le 1$ determines the
+ fraction of the coin's initial value that will be spent.
+
+ The contents of the deposit permission depend on the instantiation, but it
+ must be possible to derive the public coin identifier $\V{pkCoin}$ from
+ them.
+
+ \item $\algo{Deposit}(\prt{E}(\V{sksE}, \V{pkMerchant}), \prt{M}(\V{skMerchant}, \V{pksE}, \V{depositPermission})) \mapsto \mathcal{T}_D$:
+ Interactive protocol between the exchange and a merchant.
+
+ From the deposit permission we obtain the $\V{pkCoin}$ of the coin to be
+ deposited. If $\V{pkCoin}$ is being overspent, the protocol is aborted with
+ an error message to the merchant.
+
+ On success, we add $\V{depositPermission}$ to $\V{deposited}[\V{pkCoin}]$.
+
+ Returns a protocol transcript $\mathcal{T}_D$ of all messages exchanged
+ between the exchange and merchant.
+
+ \item $\algo{RefreshRequest}(\prt{E}(\V{sksE}), \prt{C}(\V{pkCustomer}, \V{pksE}, \V{coin}_0, \V{pkD}_u))
+ \rightarrow (\mathcal{T}_{RR}, \V{rid})$
+ Interactive protocol between exchange and customer that initiates a refresh
+ of $\V{coin}_0$. Together with $\algo{RefreshPickup}$, it allows the
+ customer to convert $D(\V{pkD}_u)$ of the remaining value on coin \[
+ \V{coin}_0 = (\V{skCoin}_0, \V{pkCoin}_0, \V{pkD}_0, \V{coinCert}_0) \]
+ into a new, unlinkable coin $\V{coin}_u$ of denomination $\V{pkD}_u$.
+
+ Multiple refreshes on the same coin are allowed, but each run subtracts the
+ respective financial value of $\V{coin}_u$ from the remaining value of
+ $\V{coin}_0$.
+
+ The customer only records the refresh operation identifier $\V{rid}$ in
+ $\V{refreshIds}[\V{pkCustomer}]$, but does not yet obtain the new coin. To
+ obtain the new coin, \algo{RefreshPickup} must be used.
+
+ Returns the protocol transcript $\mathcal{T}_{RR}$ and a refresh identifier $\V{rid}$.
+
+ \item $\algo{RefreshPickup}(\prt{E}(\V{sksE}, \V{pkCustomer}),
+ \prt{C}(\V{skCustomer}, \V{pksE}, \V{rid}) \rightarrow (\mathcal{T}_{RP}, \V{coin}_u)$:
+ Interactive protocol between exchange and customer to obtain the new coin
+ for a refresh operation previously started with \algo{RefreshRequest},
+ identified by the refresh identifier $\V{rid}$.
+
+ The first time \algo{RefreshPickup} is run for a particular refresh
+ identifier, the exchange tries to record the refresh operation of value $D(\V{pkD}_u)$
+ in $\V{refreshed}[\V{pkCoin}_0]$, with $\V{pkD}_u$ and $\V{pkCoin}_0$ taken
+ from the corresponding $\algo{RefreshRequest}$ that resulted in $\V{rid}$.
+ How exactly the exchange obtains $\V{pkD}_u$ and $\V{pkCoin}_0$ depends on
+ the instantiation.
+
+ If $\V{pkCoin}_0$ is being overspent, the refresh operation is not recorded
+ in $\V{refreshed}[\V{pkCoin}_0]$, the exchange sends the customer the
+ protocol transcript of the previous deposits and refreshes and aborts the
+ protocol.
+
+ If the customer \prt{C} plays honestly in \algo{RefreshRequest} and
+ \V{RefreshPickup}, the unlinkable coin $\V{coin}_i$ they obtain as change
+ will be stored in their wallet $\V{wallet}[\V{pkCustomer}]$. If \prt{C} is
+ caught playing dishonestly, the \algo{RefreshPickup} protocol aborts.
+
+ An honest customer must be able to repeat a \algo{RefreshPickup} with the
+ same $\V{rid}$ multiple times and (re-)obtain the same coin, even if
+ previous $\algo{RefreshPickup}$ executions were aborted.
+
+ Returns a protocol transcript $\mathcal{T}_{RP}$.
+
+ \item $\algo{Link}(\prt{E}(\V{sksE}), \prt{C}(\V{skCustomer}, \V{pksE}, \V{coin}_0)) \rightarrow (\mathcal{T}, (\V{coin}_1, \dots, \V{coin}_n))$:
+ Interactive protocol between exchange and customer. If $\V{coin}_0$ is a
+ coin that was refreshed, the customer can recompute all the coins obtained
+ from previous refreshes on $\V{coin}_0$, with data obtained from the
+ exchange during the protocol. These coins are added to the customer's
+ wallet $\V{wallet}[\V{pkCustomer}]$ and returned.
+
+\end{itemize}
+
+\subsection{Oracles}
+We now specify how the adversary can interact with the system by defining
+oracles. Oracles are queried by the adversary, and upon a query the challenger
+will act according to the oracle's specification. Note that the adversary for
+the different security games is run with specific oracles, and does not
+necessarily have access to all oracles simultaneously.
+
+We can refer to customers in the parameters to an oracle query simply by their
+public key. For coins, however, the situation is more complicated. The
+adversary needs the ability to refer to coins to trigger operations such as
+spending and refresh, but to model anonymity we cannot give the adversary access
+to the coins' public keys directly. Therefore we allow the adversary to use
+the (successful) transcripts of the withdraw, refresh and link protocols to
+indirectly refer to coins. We refer to this as a coin handle $\mathcal{H}$.
+Since the execution of a link protocol results in a transcript $\mathcal{T}$
+that can contain multiple coins, the adversary needs to select a particular
+coin from the transcript via the index $i$ as $\mathcal{H} = (\mathcal{T}, i)$.
+The respective oracle tries to find the coin that resulted from the transcript
+given by the adversary. If the transcript has not been seen before in the
+execution of a link, refresh or withdraw protocol; or the index for a link
+transcript is invalid, the oracle returns an error to the adversary.
+
+In oracles that trigger the execution of one of the interactive protocols
+defined in the last section, we give the adversary the ability to actively
+control the communication channels between the exchange, customers and
+merchants; i.e. the adversary can effectively record, drop, modify and inject
+messages during the execution of the interactive protocol. Note that this
+allows the adversary to leave the execution of an interactive protocol in an
+unfinished state, where one or more parties are still waiting for messages. We
+use $\mathcal{I}$ to refer to a handle to interactive protocols where the
+adversary can send and receive messages.
+
+\begin{itemize}
+ \item $\ora{AddCustomer}() \mapsto \V{pkCustomer}$:
+ Generates a key pair $(\V{skCustomer}, \V{pkCustomer})$ using the
+ \algo{CustomerKeygen} algorithm, and sets
+ \begin{align*}
+ \V{withdrawn}[\V{pkCustomer}] &:= 0\\
+ \V{acceptedContracts}[\V{pkCustomer}] &:= \{ \}\\
+ \V{wallet}[\V{pkCustomer}] &:= \{\} \\
+ \V{withdrawIds}[\V{pkCustomer}] &:= \{\} \\
+ \V{refreshIds}[\V{pkCustomer}] &:= \{\}.
+ \end{align*}
+ Returns the public key of the newly created customer.
+
+ There is no separate oracle for creating merchants, since no information is
+ tracked for merchants; generating a key pair with \algo{MerchantKeygen}
+ suffices.
+
+ \item $\ora{AddMerchant}() \mapsto \V{pkMerchant}$L
+ Generate a key pair $(\V{skMerchant}, \V{pkMerchant})$ using the
+ \algo{MerchantKeygen} algorithm.
+
+ Returns the public key of the newly created merchant.
+
+ \item $\ora{SendMessage}(\mathcal{I}, P_1, P_2, m) \mapsto ()$:
+ Send message $m$ on the channel from party $P_1$ to party $P_2$ in the
+ execution of interactive protocol $\mathcal{I}$. The oracle does not have
+ a return value.
+
+ \item $\ora{ReceiveMessage}(\mathcal{I}, P_1, P_2) \mapsto m$:
+ Read message $m$ in the channel from party $P_1$ to party $P_2$ in the execution
+ of interactive protocol $\mathcal{I}$. If no message is queued in the channel,
+ return $m = \bot$.
+
+ \item $\ora{WithdrawRequest}(\V{pkCustomer}, \V{pkD}) \mapsto \mathcal{I}$:
+ Triggers the execution of the \algo{WithdrawRequest} protocol. the
+ adversary full control of the communication channels between customer and
+ exchange.
+
+ \item $\ora{WithdrawPickup}(\V{pkCustomer}, \V{pkD}, \mathcal{T}) \mapsto \mathcal{I}$:
+ Triggers the execution of the \algo{WithdrawPickup} protocol, additionally giving
+ the adversary full control of the communication channels between customer and exchange.
+
+ The customer and withdraw identifier $\V{wid}$ are obtained from the \algo{WithdrawRequest} transcript $\mathcal{T}$.
+
+ \item $\ora{RefreshRequest}(\mathcal{H}, \V{pkD}) \mapsto \mathcal{I}$: Triggers the execution of the
+ \algo{RefreshRequest} protocol with the coin identified by coin handle
+ $\mathcal{H}$, additionally giving the adversary full control over the communication channels
+ between customer and exchange.
+
+ \item $\ora{RefreshPickup}(\mathcal{T}) \mapsto \mathcal{I}$:
+ Triggers the execution of the \algo{RefreshPickup} protocol, where the customer and refresh identifier $\V{rid}$
+ are obtained from the $\algo{RefreshRequest}$ protocol transcript $\mathcal{T}$.
+
+ Additionally gives the adversary full control over the communication channels
+ between customer and exchange.
+
+ \item $\ora{Link}(\mathcal{H}) \mapsto \mathcal{I}$: Trigger the execution of the
+ \algo{Link} protocol for the coin referenced by handle $\mathcal{H}$,
+ additionally giving the adversary full control over the communication channels
+ between customer and exchange.
+
+ \item $\ora{Spend}(\V{transactionId}, \V{pkCustomer}, \mathcal{H}, \V{pkMerchant}) \mapsto \V{depositPermission}$:
+ Makes a customer sign a deposit permission over a coin identified by handle
+ $\mathcal{H}$. Returns the deposit permission on success, or $\bot$ if $\mathcal{H}$
+ is not a coin handle that identifies a coin.
+
+ Note that $\ora{Spend}$ can be used to generate deposit permissions that,
+ when deposited, would result in an error due to overspending
+
+ Adds $(\V{transactionId}, \V{depositPermission})$ to $\V{acceptedContracts}[\V{pkCustomer}]$.
+
+ \item $\ora{Share}(\mathcal{H}, \V{pkCustomer}) \mapsto ()$:
+ Shares a coin (identified by handle $\mathcal{H}$) with the customer
+ identified by $\V{pkCustomer}$, i.e. puts the coin identified by $\mathcal{H}$
+ into $\V{wallet}[\V{pkCustomer}]$. Intended to be used by the adversary in attempts to
+ violate income transparency. Does not have a return value.
+
+ Note that this trivially violates anonymity (by sharing with a corrupted customer), thus the usage must
+ be restricted in some games.
+
+ % the share oracle is the reason why we don't need a second withdraw oracle
+
+ \item $\ora{CorruptCustomer}(\V{pkCustomer})\mapsto
+ \newline{}\qquad (\V{skCustomer}, \V{wallet}[\V{pkCustomer}],\V{acceptedContracts}[\V{pkCustomer}],
+ \newline{}\qquad \phantom{(}\V{refreshIds}[\V{pkCustomer}], \V{withdrawIds}[\V{pkCustomer}])$:
+
+ Used by the adversary to corrupt a customer, giving the adversary access to
+ the customer's secret key, wallet, withdraw/refresh identifiers and accepted contracts.
+
+ Permanently marks the customer as corrupted. There is nothing ``special''
+ about corrupted customers, other than that the adversary has used
+ \ora{CorruptCustomer} on them in the past. The adversary cannot modify
+ corrupted customer's wallets directly, and must use the oracle again to
+ obtain an updated view on the corrupted customer's private data.
+
+ \item $\ora{Deposit}(\V{depositPermission}) \mapsto \mathcal{I}$:
+ Triggers the execution of the \algo{Deposit} protocol, additionally giving
+ the adversary full control over the communication channels between merchant and exchange.
+
+ Returns an error if the deposit permission is addressed to a merchant that was not registered
+ with $\ora{AddMerchant}$.
+
+ This oracle does not give the adversary new information, but is used to
+ model the situation where there might be multiple conflicting deposit
+ permissions generated via $\algo{Spend}$, but only a limited number can be
+ deposited.
+\end{itemize}
+
+We write \oraSet{Taler} for the set of all the oracles we just defined.
+
+The exchange does not need to be corrupted with an oracle. A corrupted exchange
+is modeled by giving the adversary the appropriate oracles and the exchange
+secret key from the exchange key generation.
+
+If the adversary determines the exchange's secret key during the setup,
+invoking \ora{WithdrawRequest}, \ora{WithdrawPickup}, \ora{RefreshRequest},
+\ora{RefreshPickup} or \ora{Link} can be seen as the adversary playing the
+exchange. Since the adversary is an active man-in-the-middle in these oracles,
+it can drop messages to the simulated exchange and make up its own response.
+If the adversary calls these oracles with a corrupted customer, the adversary
+plays as the customer.
+
+%\begin{mdframed}
+%The difference between algorithms and interactive protocols
+%is that the ``pure'' algorithms only deal with data, while the interactive protocols
+%take ``handles'' to parties that are communicating in the protocol. The adversary can
+%always execute algorithms that don't depend on handles to communication partners.
+%However the adversary can't run the interactive protocols directly, instead it must
+%rely on the interaction oracles for it. Different interaction oracles might allow the
+%adversary to play different roles in the same interactive protocol.
+%
+%While most algorithms in Taler are not probabilistic, we still say that they are, since
+%somebody else might come up with an instantiation of Taler that uses probabilistic algorithms,
+%and then the games should still apply.
+%
+%
+%While we do have a \algo{Deposit} protocol that's used in some of the games, having a deposit oracle is not necessary
+%since it does not give the adversary any additional power.
+%\end{mdframed}
+
+\section{Games}
+
+We now define four security games (anonymity, conservation, unforgeability and
+income transparency) that are later used to define the security properties for
+Taler. Similar to \cite{bellare2006code} we assume that the game and adversary
+terminate in finite time, and thus random choices made by the challenger and
+adversary can be taken from a finite sample space.
+
+All games except income transpacency return $1$ to indicate that the adversary
+has won and $0$ to indicate that the adversary has lost. The income
+transparency game returns $0$ if the adversary has lost, and a positive
+``laundering ratio'' if the adversary won.
+
+\subsection{Anonymity}
+Intuitively, an adversary~$\prt{A}$ (controlling the exchange and merchants) wins the
+anonymity game if they have a non-negligible advantage in correlating spending operations
+with the withdrawal or refresh operations that created a coin used in the
+spending operation.
+
+Let $\oraSet{Anon} := \oraSet{Taler} - \{ \ora{Share} \}$ stand for access to all Taler oracles
+except the share oracle.
+Let $b$ be the bit that will determine the mapping between customers and spend
+operations, which the adversary must guess.
+
+We define a helper procedure
+\begin{equation*}
+ \algo{Refresh}(\prt{E}(\V{sksE}), \prt{C}(\V{pkCustomer}, \V{pksE}, \V{coin}_0)) \mapsto \mathfrak{R}
+\end{equation*}
+that refreshes the whole remaining amount on $\V{coin}_0$ with repeated application of $\algo{RefreshRequest}$
+and $\algo{RefreshPickup}$ using the smallest possible set of target denominations, and returns all protocol transcripts
+in $\mathfrak{R}$.
+
+\begin{figure}
+\fbox{\begin{minipage}{\textwidth}
+\small
+\bigskip
+\noindent $\mathit{Exp}_{\prt{A}}^{anon}(1^\lambda, 1^\kappa, b)$:
+\vspace{-0.5\topsep}
+\begin{enumerate}
+ \setlength\itemsep{0em}
+ \item $(\V{sksE}, \V{pksE}, \V{skM}, \V{pkM}) \leftarrow {\prt{A}}()$
+ \item $(\V{pkCustomer}_0, \V{pkCustomer}_1, \V{transactionId}_0, \V{transactionId}_1, f) \leftarrow {\prt{A}}^{\oraSet{Anon}}()$
+ \item Select distinct fresh coins
+ \begin{align*}
+ \V{coin}_0 &\in \V{wallet}[\V{pkCustomer}_0]\\
+ \V{coin}_1 &\in \V{wallet}[\V{pkCustomer}_1]
+ \end{align*}
+ Return $0$ if either $\V{pkCustomer}_0$ or $\V{pkCustomer}_1$ are not registered customers with sufficient fresh coins,
+ or an oracle has been called with the coin handle for $\V{coin}_0$ or $\V{coin}_1$.
+ \item For $i \in \{0,1\}$ run
+ \begin{align*}
+ &\V{dp_i} \leftarrow \algo{Spend}(\V{transactionId}_i, f, \V{coin}_{i-b}, \V{pkM}) \\
+ &\algo{Deposit}(\prt{A}(), \prt{M}(\V{skM}, \V{pksE}, \V{dp}_i)) \\
+ &\mathfrak{R}_i \leftarrow \algo{Refresh}(\prt{A}(), \prt{C}(\V{pkCustomer}_i, \V{pksE}, \V{coin}_{i-b}))
+ \end{align*}
+ \item $b' \leftarrow {\cal A}^{\oraSet{Anon}}(\mathfrak{R}_0, \mathfrak{R}_1)$ \\
+ \item Return $0$ if $\ora{Spend}$ was used by the adversary on the coin handles
+ for $\V{coin}_0$ or $\V{coin}_1$ or $\ora{CorruptCustomer}$ was used on $\V{pkCustomer}_0$ or $\V{pkCustomer}_1$.
+ \item If $b = b'$ return $1$, otherwise return $0$.
+\end{enumerate}
+\end{minipage}}
+\end{figure}
+
+Note that unlike other anonymity games defined in the literature (such as
+\cite{pointcheval2017cut}), our anonymity game always lets both customers spend
+in order to avoid having to hide the missing coin in one customer's wallet
+from the adversary.
+
+\subsection{Conservation}
+The adversary wins the conservation game if it can bring an honest customer in a
+situation where the spendable financial value left in the user's wallet plus
+the value spent for transactions known to the customer is less than the value
+withdrawn by the same customer through by the exchange.
+
+In practice, this property is necessary to guarantee that aborted or partially
+completed withdrawals, payments or refreshes, as well as other (transient)
+misbehavior from the exchange or merchant do not result in the customer losing
+money.
+
+Let $\oraSet{Conserv} := \oraSet{Taler} - \{\ora{Share}\}$ stand for access to the
+all Taler oracles except the sharing oracle.
+
+\bigskip
+\noindent $\mathit{Exp}_{\cal A}^{conserv}(1^\lambda, 1^\kappa)$:
+\vspace{-0.5\topsep}
+\begin{enumerate}
+ \setlength\itemsep{0em}
+ \item $(\V{sksE}, \V{pksE}) \leftarrow \mathrm{ExchangeKeygen}(1^\lambda, 1^\kappa, M)$
+ \item $\V{pkCustomer} \leftarrow {\cal A}^{\oraSet{Conserv}}(\V{pksE})$
+ \item Return $0$ if $\V{pkCustomer}$ is not an uncorrupted, registered user.
+ \item \label{game:conserv:run} Run $\algo{WithdrawPickup}$ for each withdraw identifier $\V{wid}$
+ and $\algo{RefreshPickup}$ for each refresh identifier $\V{rid}$ that the user
+ has recorded in $\V{withdrawIds}$ and $\V{refreshIds}$. Run $\algo{Deposit}$
+ for all deposit permissions in $\V{acceptedContracts}$.
+ \item Let $v_{C}$ be the total financial value left on valid coins in $\V{wallet}[\V{pkCustomer}]$,
+ i.e. the denominated values minus the spend/refresh operations recorded in the exchange's database.
+ Let $v_{S}$ be the total financial value of contracts in $\V{acceptedContracts}[\V{pkCustomer}]$.
+ \item Return $1$ if $\V{withdrawn}[\V{pkCustomer}] > v_{C} + v_{S}$.
+\end{enumerate}
+
+Hence we ensure that:
+\begin{itemize}
+ \item if a coin was spent, it was spent for a contract that the customer
+ knows about, i.e. in practice the customer could prove that they ``own'' what they
+ paid for,
+ \item if a coin was refreshed, the customer ``owns'' the resulting coins,
+ even if the operation was aborted, and
+ \item if the customer withdraws, they can always obtain a coin whenever the
+ exchange accounted for a withdrawl, even when protocol executions are
+ intermittently aborted.
+\end{itemize}
+
+Note that we do not give the adversary access to the \ora{Share} oracle, since
+that would trivially allow the adversary to win the conservation game. In
+practice, conservation only holds for customers that do not share coins with
+parties that they do not fully trust.
+
+\subsection{Unforgeability}
+
+Intuitively, adversarial customers win if they can obtain more valid coins than
+they legitimately withdraw.
+
+Let $\oraSet{Forge} := \oraSet{Taler}$ stand for access to the all Taler
+oracles.
+
+\bigskip
+\noindent $\mathit{Exp}_{\cal A}^{forge}(1^\lambda, 1^\kappa)$:
+\vspace{-0.5\topsep}
+\begin{enumerate}
+ \setlength\itemsep{0em}
+ \item $(skE, pkE) \leftarrow \mathrm{ExchangeKeygen}()$
+ \item $(C_0, \dots, C_\ell) \leftarrow \mathcal{A}^{\oraSet{Forge}}(pkExchange)$
+ \item Return $0$ if any $C_i$ is not of the form $(\V{skCoin}, \V{pkCoin}, \V{pkD}, \V{coinCert})$
+ or any $\V{coinCert}$ is not a valid signature by $\V{pkD}$ on the respective $\V{pkCoin}$.
+ \item Return $1$ if the sum of the unspent value of valid coins in $C_0
+ \dots, C_\ell$ exceeds the amount withdrawn by corrupted
+ customers, return $0$ otherwise.
+\end{enumerate}
+
+
+\subsection{Income Transparency}
+
+Intuitively, the adversary wins if coins are in exclusive control of corrupted
+customers, but the exchange has no record of withdrawal or spending for them.
+This presumes that the adversary cannot delete from non-corrupted customer's
+wallets, even though it can use oracles to force protocol interactions of
+non-corrupted customers.
+
+For practical e-cash systems, income transparency disincentivizes the emergence
+of ``black markets'' among mutually distrusting customers, where currency
+circulates without the transactions being visible. This is in contrast to some
+other proposed e-cash systems and cryptocurrencies, where disintermediation is
+an explicit goal. The Link protocol introduces the threat of losing exclusive
+control of coins (despite having the option to refresh them) that were received
+without being visible as income to the exchange.
+
+Let $\oraSet{Income} := \oraSet{Taler}$ stand for access to the
+all Taler oracles.
+
+\bigskip
+\noindent $\mathit{Exp}_{\cal A}^{income}(1^\lambda, 1^\kappa)$:
+\vspace{-0.5\topsep}
+\begin{enumerate}
+ \setlength\itemsep{0em}
+ \item $(skE, pkE) \leftarrow \mathrm{ExchangeKeygen}()$
+ \item $(\V{coin}_1, \dots, \V{coin}_\ell) \leftarrow \mathcal{A}^{\oraSet{Income}}(pkExchange)$
+
+ (The $\V{coin}_i$ must be coins, including secret key and signature by the
+ denomination, for the adversary to win. However these coins need not be
+ present in any honest or corrupted customer's wallet.)
+ \item\label{game:income:spend} Augment the wallets of all non-corrupted customers with their
+ transitive closure using the \algo{Link} protocol.
+ Mark all remaining value on coins in wallets of non-corrupted customers as
+ spent in the exchange's database.
+ \item Let $L$ denote the sum of unspent value on valid coins in $(\V{coin}_1, \dots\, \V{coin}_\ell)$,
+ after accounting for the previous update of the exchange's database.
+ Also let $w'$ be the sum of coins withdrawn by corrupted customers.
+ Then $p := L - w'$ gives the adversary's untaxed income.
+ \item Let $w$ be the sum of coins withdrawn by non-corrupted customers, and
+ $s$ be the value marked as spent by non-corrupted customers, so that
+ $b := w - s$ gives the coins lost during refresh, that is the losses incurred attempting to hide income.
+ \item If $b+p \ne 0$, return $p \over b + p$, i.e. the laundering ratio for attempting to obtain untaxed income. Otherwise return $0$.
+\end{enumerate}
+
+
+\section{Security Definitions}\label{sec:security-properties}
+We now give security definitions based upon the games defined in the previous
+section.
+
+\begin{definition}[Anonymity]
+ We say that an e-cash scheme satisfies \emph{anonymity} if the success
+ probability $\Prb{b \randsel \{0,1\}: \mathit{Exp}_{\cal A}^{anon}(1^\lambda,
+ 1^\kappa, b) = 1}$ of the anonymity game is negligibly close to $1/$ for any
+ polynomial time adversary~$\mathcal{A}$.
+\end{definition}
+
+\begin{definition}[Conservation]
+ We say that an e-cash scheme satisfies \emph{conservation} if
+ the success probability $\Prb{\mathit{Exp}_{\cal A}^{conserv}(1^\lambda, 1^\kappa) = 1}$
+ of the conservation game is negligible for any polynomial time adversary~$\mathcal{A}$.
+\end{definition}
+
+\begin{definition}[Unforgeability]
+ We say that an e-cash scheme satisfies \emph{unforgeability} if the success
+ probability $\Prb{\mathit{Exp}_{\cal A}^{forge}(1^\lambda, 1^\kappa) = 1}$ of
+ the unforgeability game is negligible for any polynomial time adversary
+ $\mathcal{A}$.
+\end{definition}
+
+\begin{definition}[Strong Income Transparency]
+ We say that an e-cash scheme satisfies \emph{strong income transparency} if
+ the success probability $\Prb{\mathit{Exp}_{\cal A}^{income}(1^\lambda, 1^\kappa) \ne 0}$
+ for the income transparency game is negligible for any polynomial time adversary~$\mathcal{A}$.
+\end{definition}
+The adversary is said to win one execution of the strong income transparency
+game if the game's return value is non-zero, i.e. there was at least one
+successful attempt to obtain untaxed income.
+
+
+\begin{definition}[Weak Income Transparency]
+ We say that an e-cash scheme satisfies \emph{weak income transparency}
+ if, for any polynomial time adversary~$\mathcal{A}$,
+ the return value of the the income transparency game satisfies
+ \begin{equation}\label{eq:income-transparency-expectation}
+ E\left[\mathit{Exp}_{\cal A}^{income}(1^\lambda, 1^\kappa)\right] \le {1\over\kappa} \mathperiod
+ \end{equation}
+ In (\ref{eq:income-transparency-expectation}), the expectation runs over
+ any probability space used by the adversary and challenger.
+\end{definition}
+
+For some instantiations, e.g. ones based on zero knowledge proofs, $\kappa$
+might be a security parameter in the traditional sense. However for an e-cash
+scheme to be useful in practice, the adversary does not need to have only
+negligible success probability to win the income transparency game. It
+suffices that the financial losses of the adversary in the game are a
+deterrent, after all our purpose of the game is to characterize tax evasion.
+
+Taler does not fulfill strong income transparency since for Taler $\kappa$ must
+be a small cut-and-choose parameter, as the complexity of our cut-and-choose
+protocol grows linearly with $\kappa$. Instead we show that Taler satisfies
+weak income transparency, which is a statement about the adversary's financial
+loss when winning the game instead of the winning probability. The
+return-on-investment (represented by the game's return value) is bounded by
+$1/\kappa$.
+
+We still characterize strong income transparency, since it might be useful
+for other instantiations that provide more absolute guarantees.
+
+\section{Instantiation}
+We first give an instantiation of Taler's protocol syntax that is generic over
+a blind signature scheme, a signature scheme, a combined signature scheme / key
+exchange protocol. Our instantiation is in the random oracle model (ROM), i.e. usage
+of the hash function $H : \{0,1\}^* \mapsto \{1,\dots,2^\lambda\}$ is modeled
+by an oracle $\ora{H}$ that returns a value randomly chosen from
+$\{1,\dots,2^\lambda\}$ with uniform probability. Subsequent oracle queries on
+the same bit string return the same value.
+
+
+\subsection{Generic Instantiation}
+Let $\textsc{BlindSign}$ be a blind signature scheme with the following syntax, where the party $\mathcal{S}$
+is the signer and $\mathcal{R}$ is the signature requester:
+\begin{itemize}
+ \item $\algo{KeyGen}_{BS}(1^\lambda) \mapsto (\V{sk}, \V{pk})$ is the key generation algorithm
+ for the signer of the blind signature protocol.
+ \item $\algo{Blind}_{BS}(\mathcal{S}(\V{sk}), \mathcal{R}(\V{pk}, m)) \mapsto (\overline{m}, r)$ is a possibly interactive protocol
+ to blind a message $m$ that is to be signed later. The result is a blinded message $\overline{m}$ and
+ a residual $r$ that allows to unblind a blinded signature on $m$ made by $\V{sk}$.
+ \item $\algo{Sign}_{BS}(\mathcal{S}(\V{sk}), \mathcal{R}(\overline{m})) \mapsto
+ \overline{\sigma}$ is an algorithm to sign a blinded message $\overline{m}$.
+ The result $\overline{\sigma}$ is a blinded signature that must be unblinded
+ using the $r$ returned from the corresponding blinding operation before
+ verification. We restrict \algo{Sign} to be a two-move protocol, where the
+ requester sends the first message, and the signer responds.
+ \item $\algo{UnblindSig}_{BS}(r, \overline{m}, \overline{\sigma}) \mapsto \sigma$
+ is an algorithm to unblind a blinded signature.
+ \item $\algo{Verify}_{BS}(\V{pk}, m, \sigma) \mapsto b$ is a algorithm to check the validity of a blind
+ signature. Returns $1$ if the signature $\sigma$ was valid for $m$ and $0$ otherwise.
+\end{itemize}
+
+Note that this syntax excludes some blind signature protocols, such as those
+with interactive/probabilistic verification or those without a ``blinding
+factor'', where the $\algo{Blind}_{BS}$ and $\algo{Sign}_{BS}$ and
+$\algo{UnblindSig}_{BS}$ would be merged into one interactive signing protocol.
+Such blind signature protocols have already been used to construct e-cash
+\cite{camenisch2005compact}.
+
+We require the following two security properties for $\textsc{BlindSign}$:
+\begin{itemize}
+ \item \emph{blindness}: Let $M$ be the set of all possible messages and $\overline{M}$ be the
+ set of all possible blinded messages. Then the distribution of
+ \[ \left\{ (m, \overline{m}) \,\middle| m\, \randsel M, \overline{m} \leftarrow \algo{Blind}_{BS}(\mathcal{S}(\V{sk}), m) \right\} \]
+ must be computationally
+ indistinguishable from
+ \[ \left\{ (m, x) \,\middle|\, m \randsel M, x \randsel \overline{M} \right\}. \]
+ \item \emph{unforgeability}: An adversary that requests $k$ signatures with $\algo{Sign}_{BS}$
+ is unable to produce $k+1$ valid signatures with non-negligible probability.
+\end{itemize}
+For more generalized notions of the security of blind signatures, see e.g.
+\cite{fischlin2009security,schroder2017security}.
+
+Let $\textsc{CoinSignKx}$ be combination of a signature scheme and key exchange:
+
+\begin{itemize}
+ \item $\algo{KeyGen}_{CSK}(1^\lambda) \mapsto (\V{sk}, \V{pk})$ is a key generation algorithm.
+ \item $\algo{Sign}_{CSK}(\V{sk}, m) \mapsto \sigma$ produces a signature $\sigma$ over message $m$.
+ \item $\algo{Verify}_{CSK}(\V{pk}, m, \sigma) \mapsto b$ is a signature verification algorithm.
+ Returns $1$ if the signature $\sigma$ is a valid signature on $m$ by $\V{pk}$, and $0$ otherwise.
+ \item $\algo{Kx}_{CSK}(\V{sk}_1, \V{pk}_2) \mapsto x$ is a key exchange algorithm that computes
+ the shared secret $x$ from secret key $\V{sk}_1$ and public key $\V{pk}_2$.
+\end{itemize}
+
+We require the following security properties to hold for $\textsc{CoinSignKx}$:
+\begin{itemize}
+ \item \emph{unforgeability}: The signature scheme $(\algo{KeyGen}_{CSK}, \algo{Sign}_{CSK}, \algo{Verify}_{CSK})$
+ must satisfy existential unforgeability under chosen message attacks (EUF-CMA).
+ \item \emph{key exchange completeness}: We require that even for keys generated by the adversary,
+ \begin{equation*}
+ \algo{Kex}_{CSK}(\V{sk}_A, \V{pk}_B) = \algo{Kex}_{CSK}(\V{sk}_B, \V{pk}_A).
+ \end{equation*}
+ \item \emph{key exchange security}: The output of $\algo{Kx}_{CSK}$ must be computationally
+ indistinguishable from a random shared secret of the same length, for inputs that have been
+ generated with $\algo{KeyGen}$.
+\end{itemize}
+
+Let $\textsc{Sign} = (\algo{KeyGen}_{S}, \algo{Sign}_{S}, \algo{Verify}_{S})$ be a signature
+scheme that satisfies SUF-CMA.
+
+Using \textsc{Blind}, \textsc{CoinSignKx}, \textsc{Sign} and $H$ we now instantiate the Taler syntax:
+
+\begin{itemize}
+ \item $\algo{ExchangeKeygen}(1^{\lambda}, 1^{\kappa}, \mathfrak{D})$:
+
+ Generate the exchange's signing key pair $\V{skESign} \leftarrow \algo{KeyGen}_{S}(1^\lambda)$.
+
+ For each element in the sequence $\mathfrak{D} = d_1,\dots,d_n$, generate
+ denomination key pair $(\V{skD}_i, \V{pkD}_i) \leftarrow \algo{KeyGen}_{BS}(1^\lambda)$.
+ \item $\algo{CustomerKeygen}(1^\lambda,1^\kappa)$:
+ Return key pair $\algo{KeyGen}_S(1^\lambda)$.
+ \item $\algo{MerchantKeygen}(1^\lambda,1^\kappa)$:
+ Return key pair $\algo{KeyGen}_S(1^\lambda)$.
+
+ \item $\algo{WithdrawRequest}(\prt{E}(\V{sksE}, \V{pkCustomer}), \prt{C}(\V{skCustomer}, \V{pksE}, \V{pkD}))$:
+
+ Let $\V{skD}$ be the exchange's denomination secret key corresponding to $\V{pkD}$.
+
+ \begin{enumerate}
+ \item \prt{C} generates coin key pair $(\V{skCoin}, \V{pkCoin}) \leftarrow \algo{KeyGen}_{CSK}(1^\lambda)$
+ \item \prt{C} runs $(\overline{m}, r) \leftarrow \algo{Blind}_{CSK}(\mathcal{E}(\V{skCoin}), \mathcal{C}(m))$ with the exchange
+ \end{enumerate}
+
+ The withdraw identifier is then
+ \begin{equation*}
+ \V{wid} := (\V{skCoin}, \V{pkCoin}, \overline{m}, r)
+ \end{equation*}
+
+
+ \item $\algo{WithdrawPickup}(\prt{E}(\V{sksE}, \V{pkCustomer}), \prt{C}(\V{skCustomer}, \V{pksE}, \V{wid}))$:
+
+ The customer looks up $\V{skCoin}$, $\V{pkCoin}$, \V{pkD} $\overline{m}$
+ and $r$ via the withdraw identifier $\V{wid}$.
+
+ \begin{enumerate}
+ \item \prt{C} runs $\overline{\sigma} \leftarrow \algo{Sign}_{BS}(\mathcal{E}(\V{skD}), \mathcal{C}(\overline{m}))$ with the exchange
+ \item \prt{C} unblinds the signature $\sigma \leftarrow \algo{UnblindSig}_{BS}(\overline{\sigma}, r, \overline{m})$
+ and stores the coin $(\V{skCoin}, \V{pkCoin}, \V{pkD}, \sigma)$ in their wallet.
+ \end{enumerate}
+
+ \item $\algo{Spend}(\V{transactionId}, f, \V{coin}, \V{pkMerchant})$:
+
+ The deposit permission is computed as $\V{depositPermission} = (\V{pkCoin},
+ \sigma_D, m)$ where $m = (\V{transactionId}, f, \V{pkMerchant})$ and $\sigma_D
+ = \algo{Sign}_{CSK}(skCoin, m)$.
+
+ \item $\algo{Deposit}(\prt{E}(\V{sksE}, \V{pkMerchant}), \prt{M}(\V{skMerchant}, \V{pksE}, \V{depositPermission}))$:
+
+ Exchange checks the signature $\sigma_D$ in the deposit permission, records
+ contribution $f$ in database $\V{deposited}$ of deposited coins.
+
+ \item $\algo{RefreshRequest}(\prt{E}(\V{sksE}, \V{pkCustomer}), \prt{C}(\V{skCustomer}, \V{pksE}, \V{coin}_0, \V{pkD}_u))$:
+
+ Let $\V{skD}_u$ be the secret key corresponding to $\V{pkD}_u$.
+
+ We write
+ \[ \algo{Blind}^*_{BS}(\mathcal{S}(\V{sk}), \mathcal{R}(R, \V{sk}_C, \V{pk}, m)) \mapsto (\overline{m}, r, \mathcal{T}_{B*}) \]
+ for a modified version of $\algo{Blind}_{BS}$ where the signature requester $\mathcal{R}$
+ takes all randomness from seed $R$, the messages from the exchange are recorded in transcript $\mathcal{T}$,
+ and all messages sent by the requester are signed with $\V{sk}_C$.
+
+ Furthermore we write
+ \[ \algo{KeyGen}^*_{CSK}(R, 1^\lambda) \mapsto (\V{sk}, \V{pk}) \]
+ for a modified version of the key generation algorithm that takes randomness from seed $R$.
+
+ For each $i\in \{1,\dots,\kappa \}$, the customer
+ \begin{enumerate}
+ \item generates seed $s_i \randsel \{1, \dots, 1^\lambda\}$
+ \item generates transfer key pair $(t_i, T_i) \leftarrow \algo{KeyGen}^*_{CSK}(s_i, 1^\lambda)$
+ \item computes transfer secret $x_i \leftarrow \algo{Kx}(t_i, \V{pkCoin}_0)$
+ \item computes coin key pair $(\V{skCoin}_i, \V{pkCoin}_i) \leftarrow
+ \algo{KeyGen}^*_{CSK}(x_i, 1^\lambda)$
+ \item and executes the modified blinding protocol
+ \[
+ (\overline{m}_i, r_i, \mathcal{T}_{(B*,i)}) \leftarrow
+ \algo{Blind}^*_{BS}(\mathcal{E}(\V{skD_u}), \mathcal{C}(H(x_i), \V{skCoin}_0, \V{pkD}_u, \V{skCoin}_i))
+ \]
+ with the exchange.
+ \end{enumerate}
+
+ The customer stores the refresh identifier
+ \begin{equation}
+ \V{rid} := (\V{coin}_0, \V{pkD}_u, \V{nonce}, \{ s_i \}, \{ \overline{m}_i \}, \{r_i\}, \{\mathcal{T}_{(B*,i)}\} ).
+ \end{equation}
+
+ \item $\algo{RefreshPickup}(\prt{E}(\V{sksE}, \V{pkCustomer}), \prt{C}(\V{skCustomer}, \V{pksE}, \V{rid}) \rightarrow \mathcal{T}$:
+ The customer looks up the refresh identifier $\V{rid}$ and recomputes the transfer key pairs,
+ transfer secrets and new coin key pairs.
+
+ Then customer sends the commitment $\pi_1 = (\V{pkCoin}_0, \V{pkD}_u, h_C)$ together with signature $\V{sig}_1
+ \leftarrow \algo{Sign}_{CSK}(\V{skCoin}_0, \pi_1)$ to the exchange, where
+ \begin{align*}
+ h_T &:= H(T_1, \dots, T_\kappa)\\
+ h_{\overline{m}} &:= H(\overline{m}_1, \dots, \overline{m}_\kappa)\\
+ h_C &:= H(h_T \Vert h_{\overline{m}})
+ \end{align*}
+
+ The exchange checks the signature $\V{sig}_1$, and aborts if invalid. Otherwise,
+ depending on the commitment:
+ \begin{enumerate}
+ \item if the exchange did not see $\pi_1$ before, it marks $\V{pkCoin}_0$
+ as spent for $D(\V{pkD}_u)$, chooses a uniform random $0 \le \gamma < \kappa$, stores it,
+ and sends this choice in a signed message $(\gamma, \V{sig}_2)$ to the customer,
+ where $\V{sig}_2 \leftarrow \algo{Sign}_{S}(\V{skESig}, \gamma)$.
+ \item otherwise, the exchange sends back the same $\pi_2$ as it sent for the last
+ equivalent $\pi_1$.
+ \end{enumerate}
+
+ In response, the customer sends the reveal message
+ \begin{equation*}
+ \pi_3 = T_\gamma, \overline{m}_\gamma,
+ (s_1, \dots, s_{\gamma-1}, s_{\gamma+1}, \dots, s_\kappa)
+ \end{equation*}
+ and signature
+ \begin{equation*}
+ \V{sig}_{3'} \leftarrow \algo{Sign}_{CSK}(\V{skCoin}_0, (\V{pkCoin}_0,
+ \V{pkD}_u, \mathcal{T}_{(B*,\gamma)}, T_\gamma, \overline{m}_\gamma))
+ \end{equation*} to the exchange.
+
+
+ The exchange checks the signature $\V{sig}_{3'}$ and then computes for $i \ne \gamma$:
+ \begin{align*}
+ (t_i', T_i') &\leftarrow \algo{KeyGen}^*_{CSK}(s_i, 1^\lambda)\\
+ x_i' &\leftarrow \algo{Kx}(t_i, \V{pkCoin}_0)\\
+ (\V{skCoin}_i', \V{pkCoin}_i') &\leftarrow
+ \algo{KeyGen}^*_{CSK}(x_i', 1^\lambda) \\
+ h_T' &:= H(T'_1, \dots, T_{\gamma-1}, T_\gamma, T_{\gamma+1}', \dots, T_\kappa')
+ \end{align*}
+ and simulates the blinding protocol with recorded transcripts (without signing each message,
+ as indicated by the dot ($\cdot$) instead of a signing secret key), obtaining
+ \begin{align*}
+ (\overline{m}_i', r_i', \mathcal{T}_i) &\leftarrow
+ \algo{Blind}^*_{BS}(\mathcal{S}(\V{skD}_u), \mathcal{R}(H(x_i'), \cdot, \V{pkD}_u, \V{skCoin}_i))\\
+ \end{align*}
+ and finally
+ \begin{align*}
+ h_{\overline{m}}' &:= H(\overline{m}_1', \dots, \overline{m}_\gamma, \dots, \overline{m}_\kappa')\\
+ h_C &:= H(h_T' \Vert h_{\overline{m}}').
+ \end{align*}
+
+ For each $i \ne \gamma$, the exchange computes
+ \begin{align*}
+ \overline{\sigma}_i' &\leftarrow \algo{Sign}(\mathcal{E}(\V{skD}_u), \mathcal{E}(\overline{m}_i'))\\
+ \sigma_i' &\leftarrow \algo{UnblindSig}(r_i', \V{pkCoin}_i', \overline{\sigma}_i')\\
+ b_i &\leftarrow \algo{Verify}_{BS}(\V{pkD}, \V{skCoin}_i', \sigma_i')
+ \end{align*}
+
+ Now the exchange checks if $h_C = h_C'$ and if all $b_i = 1$ for $i \ne \gamma$.
+ If one of the checks fails, the exchange aborts the protocol.
+
+ Otherwise, the exchange sends a message back to $\prt{C}$ that the commitment verification succeeded.
+
+ As a last step, the customer obtains the signature $\sigma_\gamma$ on the new coin's public key $\V{pkCoin}_u$ with
+ \begin{align*}
+ \overline{\sigma}_\gamma &\leftarrow \algo{Sign}(\mathcal{E}(\V{skD}_u), \mathcal{C}(\overline{m}_\gamma))\\
+ \sigma_\gamma &\leftarrow \algo{UnblindSig}(r_\gamma, \V{pkCoin}_\gamma, \overline{\sigma}_\gamma).
+ \end{align*}
+
+ Thus the new, unlinkable coin is
+ \begin{equation*}
+ \V{coin}_u = (\V{skCoin}_\gamma, \V{pkCoin}_\gamma, \V{pkD}_u, \sigma_\gamma).
+ \end{equation*}
+
+ \item $\algo{Link}(\prt{E}(\V{sksE}), \prt{C}(\V{skCustomer}, \V{pksE}, \V{coin}_0))$:
+ The customer sends the public key $\V{pkCoin}_0$ of $\V{coin}_0$ to the exchange.
+
+ For each completed refresh on $\V{pkCoin}_0$ recorded in the exchange's
+ database, the exchange sends the following data back to the customer: the
+ signed commit message $(\V{sig}_1, \pi_1)$, the transfer public key
+ $T_\gamma$, the signature $\V{sig}_{3'}$, the blinded signature $\overline{\sigma}_\gamma$, and the
+ transcript $\mathcal{T}_{(B*,\gamma)}$ of the customer's and exchange's messages
+ during the \algo{Blind} protocol execution.
+
+ The following logic is repeated by the customer for each response:
+ \begin{enumerate}
+ \item Verify the signatures (both from $\V{pkESig}$ and $\V{pkCoin}_0$) on the transcript $\mathcal{T}_\kappa$,
+ abort otherwise.
+ \item Verify that $\V{sig}_1$ is a valid signature on $\pi_1$ by $\V{pkCoin}_0$, abort otherwise.
+ \item Re-compute the transfer secret and the new coin's key pair as
+ \begin{align*}
+ x_\gamma &\leftarrow \algo{Kx}_{CSK}(\V{skCoin}_0, T_\gamma)\\
+ (\V{skCoin}_\gamma, \V{pkCoin}_\gamma) &\leftarrow \algo{KeyGen}_{CSK}^*(x_\gamma, 1^\lambda).
+ \end{align*}
+ \item Simulate the blinding protocol with the message transcript received from the exchange to obtain
+ $(\overline{m}_\gamma, r_\gamma)$.
+ \item Check that $\algo{Verify}_{CSK}(\V{pkCoin}_0,
+ \V{pkD}_u, \V{skCoin}_0,(\mathcal{T}_{(B*,\gamma)}, \overline{m}_\gamma), \V{sig}_{3'})$
+ indicates a valid signature, abort otherwise.
+ \item Unblind the signature to obtain $\sigma_\gamma \leftarrow \algo{UnblindSig}(r_\gamma, \V{pkCoin}_\gamma, \overline{\sigma}_\gamma)$
+ \item (Re-)add the coin $(\V{skCoin}_\gamma, \V{pkCoin}_\gamma, \V{pkD}_u, \sigma_\gamma)$ to the customer's wallet.
+ \end{enumerate}
+
+\end{itemize}
+
+\subsection{Concrete Instantiation}
+We now give a concrete instantiation that is used in the implementation
+of GNU Taler for the schemes \textsc{BlindSign}, \textsc{CoinSignKx} and \textsc{Sign}.
+
+For \textsc{BlindSign}, we use RSA blind signatures \cite{XXX}. From
+the information theoretically secure blinding, the computational blindness property
+follows directly. For the unforgeability property, we additionally rely on
+the RSA-KTI assumption as discussed in \cite{bellare2003onemore}. Note
+that since the blinding step in RSA blind signatures is non-interactive,
+storage and verification of the transcript is omitted in refresh and link.
+
+We instantiate \textsc{CoinSignKx} with signatures and key exchange operations
+on elliptic curves in Edwards form, where the same key is used for signatures
+and the Diffie--Hellman key exchange operations. In practice, we use Ed25519
+\cite{bernstein2012high} / Curve25519 \cite{bernstein2006curve25519} for
+$\lambda=256$. We caution that some other elliptic curve key exchange
+implementation might not satisfy the completeness property that we require, due
+to the lack of complete addition laws.
+
+For \textsc{Sign}, we use elliptic-curve signatures, concretely Ed25519.
+
+%In Taler's refresh, we avoid key exchange failures entirely because the
+%Edwards addition law is complete abelian group operation on the curve,
+%and the signature scheme verifies that the point lies on the curve.
+%% https://safecurves.cr.yp.to/refs.html#2007/bernstein-newelliptic
+%% https://safecurves.cr.yp.to/complete.html
+%We warn however that Weierstrass curves have incomplete addition formulas
+%that permit an adversarial merchant to pick transfer keys that yields failures.
+%There are further implementation mistakes that might enable collaborative
+%key exchange failures, like if the exchange does not enforce the transfer
+%private key being a multiple of the cofactor.
+%
+%In this vein, almost all post-quantum key exchanges suffer from key exchange
+%failures that permit invalid key attacks against non-ephemeral keys.
+%All these schemes support only one ephemeral party by revealing the
+%ephemeral party's private key to the non-ephemeral party,
+% ala the Fujisaki-Okamoto transform~\cite{fujisaki-okamoto} or similar.
+%We cannot reveal the old coin's private key to the exchange when
+%verifying the transfer private keys though, which
+% complicates verifying honest key generation of the old coin's key.
+
+
+\section{Discussion}
+
+\subsection{Other Properties}
+
+% FIXME: move this to design or implementation
+\subsubsection{Fair Exchange}
+
+% FIXME: we should mention "atomic swap" here
+
+The Endorsed E-Cash system by Camenisch et al. (described in Section
+\ref{sec:security-related-work}) allows for fair exchange of (online or
+offline) e-cash against digital goods. The online version does not protect the
+customer against loss of anonymity from linkability of aborted fair exchanges.
+
+Taler's refresh protocol can be used for fair exchange of online e-cash against
+digital goods, without any loss of anonymity due to linkability of aborted
+transactions, with the following small extension: The customer asks the
+exchange to \emph{lock coins to a merchant} until a timeout. Until the timeout
+occurs, the exchange provides the merchant with a guarantee that these coins can
+only be spent with this specific merchant, or not at all. The
+fair exchange exchanges the merchant's digital goods against the customer's
+deposit permissions for the locked coins. On aborted fair exchanges,
+the customer refreshes to obtain unlinkable coins.
+
+
+
+
+
+%
+% ---- Bibliography ----
+%
+% BibTeX users should specify bibliography style 'splncs04'.
+% References will then be sorted and formatted in the correct style.
+%
+% \bibliographystyle{splncs04}
+% \bibliography{mybibliography}
+%
+\begin{thebibliography}{8}
+\bibitem{ref_article1}
+Author, F.: Article title. Journal \textbf{2}(5), 99--110 (2016)
+
+\bibitem{ref_lncs1}
+Author, F., Author, S.: Title of a proceedings paper. In: Editor,
+F., Editor, S. (eds.) CONFERENCE 2016, LNCS, vol. 9999, pp. 1--13.
+Springer, Heidelberg (2016). \doi{10.10007/1234567890}
+
+\bibitem{ref_book1}
+Author, F., Author, S., Author, T.: Book title. 2nd edn. Publisher,
+Location (1999)
+
+\bibitem{ref_proc1}
+Author, A.-B.: Contribution title. In: 9th International Proceedings
+on Proceedings, pp. 1--2. Publisher, Location (2010)
+
+\bibitem{ref_url1}
+LNCS Homepage, \url{http://www.springer.com/lncs}. Last accessed 4
+Oct 2017
+\end{thebibliography}
+\end{document}
+
+
+\section{Proofs}
+%\begin{mdframed}
+% Currently the proofs don't have any explicit tightess bounds.
+% Because we don't know where to ``inject'' the value that we get from the challenger when carrying out
+% a reduction, we need to randomly guess in which coin/signature we should ``hijack'' our challenge value.
+% Thus for the proofs to work fully formally, we need to bound the total number of oracle invocations,
+% and our exact bound for the tightness of the reduction depends on this limit.
+%\end{mdframed}
+
+We now give proofs for the security properties defined in Section \ref{sec:security-properties}
+with the generic instantiation of Taler.
+
+\subsection{Anonymity}
+
+\begin{theorem}
+ In the random oracle model, Taler satisfies anonymity.
+\end{theorem}
+
+\begin{proof}
+ We give a proof via a sequence of games $\mathbb{G}_0(b), \mathbb{G}_1(b),
+ \mathbb{G}_2(b)$, where $\mathbb{G}_0(b)$ is the original anonymity game
+ $\mathit{Exp}_{\cal A}^{anon}(1^\lambda, 1^\kappa, b)$. We show the
+ adversary can distinguish between subsequent games with only negligible
+ probability. Let $\epsilon_{HC}$ and $\epsilon_{KX}$ be the advantage of an
+ adversary for finding hash collisions and for breaking the security of the
+ key exchange respectively.
+
+ We define $\mathbb{G}_1$ by replacing the link oracle \ora{Link} with a
+ modified version that behaves the same as \ora{Link}, unless the adversary
+ responds with link data that did not occur in the transcript of a successful
+ refresh operation, but despite of that still passes the customer's
+ verification. In that case, the game is aborted instead.
+
+ Observe that in case this failure event happens, the adversary must have forged a
+ signature on $\V{sig}_{3'}$ on values not signed by the customer, yielding
+ an existential forgery. Thus $\left| \Prb{\mathbb{G}_0 = 1} - \Prb{\mathbb{G}_1 = 1}
+ \right|$ is negligible.
+
+ In $\mathbb{G}_2$, the refresh oracle is modified so that the customer
+ responds with value drawn from a uniform random distribution $D_1$ for the the
+ $\gamma$-th commitment instead of using the key exchange function. We must
+ handle the fact that $\gamma$ is chosen by the adversary after seeing the
+ commitments, so the challenger first makes a guess $\gamma^*$ and replaces
+ only the $\gamma^*$-th commitment with a uniform random value. If the
+ $\gamma$ chosen by the adversary does not match $\gamma^*$, then the
+ challenger rewinds \prt{A} to the point where the refresh oracle was called.
+ Note that we only replace the one commitment that
+ will not be opened to the adversary later.
+
+ Since $\kappa \ll \lambda$ and the security property of $\algo{Kx}$
+ guarantees that the adversary cannot distinguish the result of a key exchange
+ from randomness, the runtime complexity of the challenger still stays
+ polynomial in $\lambda$. An adversary that could with high probability
+ choose a $\gamma$ that would cause a rewind, could also distinguish
+ randomness from the output of $\algo{Kx}$.
+
+ %\mycomment{Tighness bound also missing}
+
+ We now show that $\left| \Prb{\mathbb{G}_1 = 1} - \Prb{\mathbb{G}_2 = 1}
+ \right| \le \epsilon_{KX}$ by defining a distinguishing game $\mathbb{G}_{1
+ \sim 2}$ for the key exchange as follows:
+
+ \bigskip
+ \noindent $\mathbb{G}_{1 \sim 2}(b)$:
+ \vspace{-0.5\topsep}
+ \begin{enumerate}
+ \setlength\itemsep{0em}
+ \item If $b=0$, set
+ \[
+ D_0 := \{ (A, B, \V{Kex}(a, B)) \mid (a, A) \leftarrow \V{KeyGen}(1^\lambda),(b, B) \leftarrow \V{KeyGen}(1^\lambda) \}.
+ \]
+ Otherwise, set
+ \[
+ D_1 := \{ (A, B, C) \mid (a, A) \leftarrow \V{KeyGen}(1^\lambda),
+ (b, B) \leftarrow \V{KeyGen}(1^\lambda),
+ C \randsel \{1,\dots,2^\lambda\} \}.
+ \]
+
+ \item Return $\mathit{Exp'}_{\cal A}^{anon}(b, D_b)$
+
+ (Modified anonymity game where the $\gamma$-th commitment in the
+ refresh oracle is drawn uniformly from $D_b$ (using rewinding). Technically, we need to
+ draw from $D_b$ on withdraw for the coin secret key, write it to a table, look it up on refresh and
+ use the matching tuple, so that with $b=0$ we perfectly simulate $\mathbb{G}_1$.)
+ \end{enumerate}
+
+ Depending on the coin flip $b$, we either simulate
+ $\mathbb{G}_1$ or $\mathbb{G}_2$ perfectly for our adversary~$\mathcal{A}$
+ against $\mathbb{G}_1$. At the same time $b$ determines whether \prt{A}
+ receives the result of the key exchange or real randomness. Thus $\left|
+ \Prb{\mathbb{G}_1 = 1} - \Prb{\mathbb{G}_2 = 1} \right| = \epsilon_{KX}$ is
+ exactly the advantage of $\mathbb{G}_{1 \sim 2}$.
+
+ We observe in $\mathbb{G}_2$ that as $x_\gamma$ is uniform random and not
+ learned by the adversary, the generation of $(\V{skCoin}_\gamma,
+ \V{pkCoin}_\gamma)$ and the execution of the blinding protocol is equivalent
+ under the randeom oracle to using the non-determinized algorithms
+ $\algo{KeyGen}_{CSK}$ and $\algo{Blind}_{BS}$.
+
+ By the blindness of the $\textsc{BlindSign}$ scheme, the adversary is not
+ able to distinguish blinded values from randomness. Thus, the adversary is
+ unable to correlate a $\algo{Sign}_{BS}$ operation in refresh or withdraw
+ with the unblinded value observed during $\algo{Deposit}$.
+
+ We conclude the success probability for $\mathbb{G}_2$ must be $1/2$ and
+ hence the success probability for $\mathit{Exp}_{\cal A}^{anon}(1^\lambda,
+ \kappa, b)$ is at most $1/2 + \epsilon(\lambda)$, where $\epsilon$ is a
+ negligible function.
+\end{proof}
+
+\subsection{Conservation}
+
+\begin{theorem}
+ Assuming existential unforgeability of signatures (EUF-CMA), Taler satisfies conservation.
+\end{theorem}
+
+\begin{proof}
+
+% FIXME: argue that reduction is tight when you have malleability
+ In honest executions, we have $\V{withdrawn}[\V{pkCustomer}] = v_C + v_S$, i.e.
+ the coins withdrawn add up to the coins still available and the coins spent
+ for known transactions.
+
+ In order to win the conservation game, the adversary must increase
+ $\V{withdrawn}[\V{pkCustomer}]$ or decrease $v_C$ or $v_S$. An adversary can
+ abort withdraw operations, thus causing $\V{withdrawn}[\V{pkCustomer}]$ to increase,
+ while the customer does not obtain any coins. However, in step
+ \ref{game:conserv:run}, the customer obtains coins from interrupted withdraw
+ operations. Similarly for the refresh protocol, aborted \algo{RefreshRequest} / \algo{RefreshPickup}
+ operations that result in a coin's remaining value being reduced are completed
+ in step \ref{game:conserv:run}.
+
+ Thus only remaining option for the adversary to decrease $v_C$ or $v_S$ is
+ with the $\ora{RefreshPickup}$ and $\ora{Deposit}$ oracles respectively.
+
+ Since the exchange verifies signatures made by the secret key of the coin
+ that is being spent/refreshed, the adversary must forge this signature or have
+ access to the coin's secret key. As we do not give the adversary access to
+ the sharing oracle, it does not have direct access to any of the honest
+ customer's coin secret keys.
+
+ Thus the adversary must either compute the coin's secret key from observing
+ the coin's public key (e.g. during a partial deposit operation), or forge
+ signatures directly. Both possibilities allow us to carry out a reduction
+ against the unforgeability property of the $\textsc{CoinSignKx}$ scheme, by
+ injecting the challenger's public key into one of the coins.
+
+\end{proof}
+
+\subsection{Unforgeability}
+
+\begin{theorem}
+Taler satisfies {unforgeability}.
+% by probabilistic polynomially time adversaries.
+\end{theorem}
+
+\begin{proof}
+The adversary must have produced at least one coin that was not blindly signed
+by the exchange. In order to carry out a reduction from this adversary to a
+blind signature forgery, we inject the challenger's public key into one
+randomly chosen denomination. Since we do not have access to the
+corresponding secret key of the challenger, signing operations for this
+denomination are replaced with calls to the challenger's signing oracle in
+\ora{WithdrawPickup} and \ora{RefreshPickup}. For $n$ denominations, an
+adversary against the unforgeability game would produce a blind signature
+forgery with probability $1/n$.
+\end{proof}
+
+
+\subsection{Income Transparency}
+\begin{theorem}
+Taler satisfies {weak income transparency}.
+\end{theorem}
+
+\begin{proof}
+%In our refresh operation, the commitment phase sends only the hash of blinded
+%coins and transfer public keys to reduce bandwidth. We therefore first
+%convert our adversary $\mathcal{A}$ into an adversary for a variant protocol
+%in which these commitments contain the full values: We rewind $\mathcal{A}$
+%to try two distinct $\gamma \in 1,\dots,\kappa$ during each refresh
+%operation, so that we obtain all values. We need only try two choices
+%because the adversary reveals all but one planchet in each run. We now
+%witness a hash collision if the transfer secret the adversary reveals does not
+%yield the correct coins.
+%
+%If Taler satisfies unforgeability then this variant protocol does so too,
+%because an adversary against the protocol with commitment to full planchets
+%can trivially be replaced by an adversary against the protocol with hash
+%commitments.
+
+ We consider the directed forest on coins induced by the refresh protocol. It
+ follows from unforgeability that any coin must originate from some customer's
+ withdraw in this graph. Let $F$ be the set of ``final'' refresh operations
+ in this graph, where each refresh $R_i \in F$ either results in a coin in
+ exclusive control of the adversary after step \ref{game:income:spend}, or the
+ refresh operation does not result in a coin at all.
+
+ During each $R_i \in F$, the adversary must have submitted a blinded coin
+ and transfer public key for which the linking protocol fails to produce the
+ resulting coin correctly, otherwise the coin would have been spent in step
+ \ref{game:income:spend}. In this case, either
+ \begin{enumerate}
+ \item the execution of the refresh protocol is incomplete
+ \item the commitment for the $\gamma$-th blinded coin and transfer public
+ key was wrong
+ \item a commitment for a blinded coin and transfer public key other than the $\gamma$-th was wrong
+ \item the exchange's verification of the commitment passes, but customers
+ are unable to re-compute the new coin from the old coin
+ \end{enumerate}
+
+ The last case can be excluded, because it would violate the key exchange
+ completeness assumption.
+
+ We shall prove
+ \begin{equation}\label{eq:income-transparency-proof}
+ \Exp{{p \over b + p} \middle| F \neq \emptyset} = {1\over\kappa}
+ \end{equation}
+ where the expectation runs over
+ any probability space used by the adversary and challenger.
+
+ We shall optimiz our adversary in ways that maximize $p \over b + p$.
+
+ As a reminder, if a refresh operation is initiated using a false commitment
+ that is detected by the exchange, then the new coin cannot be obtained, and
+ contributes to the lost coins $b := w - s$ instead of the winnings $p := L -
+ w'$. We also note $b + p$ gives the value of
+ refreshes attempted with false commitments. As these are non-negative, $p \over b
+ + p$ is undefined if and only if $p = 0$ and $b = 0$, which happens if and
+ only if the adversary does not use false commitments, i.e. $F = \emptyset$.
+
+ We may now assume for optimality that $\mathcal{A}$ submits a false
+ commitment for at most one choice of $\gamma$ in any $R_i \in F$, as
+ otherwise the refresh always fails. Furthermore for an optimal adversary we
+ can exclude refreshes in $F$ that are incomplete, but that would be possible
+ to complete successfully, as completing such a refresh would only increase the
+ adversaries winnings.
+
+ We emphasize that an adversary that loses an $R_i$ loses the coin that would
+ have resulted from it completely, while an optimal adversary who wins an
+ $R_i$ should not gamble again. Indeed, an adversary has no reason to touch
+ its winnings from an $R_i$.
+
+% There is no way to influence $p$ or $b$ through withdrawals or spends
+% by corrupted users of course. In principle, one could decrease $b$ by
+% sharing from a corrupted user to a non-corrupted users,
+% but we may assume this does not occur either, again by optimality.
+
+ For any $R_i$, there are $\kappa$ game runs identical up through the
+ commitment phase of $R_i$ and exhibit different outcomes based on the
+ challenger's random choice of $\gamma$.
+ If $v$ is the financial value of the coin resulting from refresh operation
+ $R_i$ then one of the possible runs adds $v$ to $p$, while the remaining
+ $\kappa-1$ runs add $v$ to $b$.
+
+ We define $p_i$ and $b_i$ to be these contributions summed over the $\kappa$ possible
+ runs, i.e.
+ \begin{align*}
+ p_i &:= v\\
+ b_i &= (\kappa - 1)v
+ \end{align*}
+ and thus $\kappa p_i = b_i + p_i$. Now
+ \begin{align*}
+ \Exp{p} &= {1\over|F|} \sum_{R_i \in F} p_i\\
+ \Exp{b} &= {1\over|F|} \sum_{R_i \in F} b_i,
+ \end{align*}
+ so
+ \begin{equation*}
+ \Exp{{p \over b + p} \middle| F \neq \emptyset} = {1\over\kappa},
+ \end{equation*}
+ which yields the equality (\ref{eq:income-transparency-proof}).
+
+As for $F = \emptyset$, the return value of the game must be $0$, we conclude
+\begin{equation*}
+ E\left[\mathit{Exp}_{\cal A}^{income}(1^\lambda, 1^\kappa)\right] \le {1\over\kappa}.
+\end{equation*}
+
+\end{proof}
+% https://math.stackexchange.com/questions/852890/expectation-of-random-variables-ratio
+%%% $L - w' \over (L - w') + (w - s)$
+% $E(b/p) + 1 = E(b/p + p/p) = E((b + p)/p) = \kappa$
+% $E(b/p) = \kappa-1$
+% $E(p/b) = {1 \over \kappa-1}$
+
+%As it turns out, there is a simple hash-based solutions that provides
+%post-quantum anonymity without additional assumptions though:
+%% because the coin holder is encrypting to themselves:
+%We extend the coin private key $c$ by a secret $m$ and extend the
+%coin signing key $C$ to be a pair $(C,R)$ in which $R$ is the root
+%of a Merkle tree whose $i$th leave is $H(m,i)$.
+%In a refresh, the wallet first constructs the planchets from
+%$H(t C', H(m,i))$ and commits to the index $i$ along with with each
+%transfer public key $T$, and later when revealing $t$ also reveals
+%$H(m,i)$ and the proof that it lives in the Merkle tree.
+%In this scheme, our Merkle tree should be large enough to accommodate
+%some fixed number of refreshes per coin, possibly just one, while
+%our wallet must avoid any fragility in committing its $i$ choices to disk.
+
+%\section{Standard Definitions}
+%\begin{definition}[One-more forgery]
+%For any integer $\ell$, an $(\ell, \ell + 1)$-forgery comes from
+%a probabilistic polynomial time Turing machine $\mathcal{A}$ that can
+%compute, after $\ell$ interactions with the signer $\Sigma$, $\ell + 1$ signatures with non-negligible
+% probability. The ``one-more forgery'' is an $(\ell, \ell + 1)$-forgery for some
+%integer $\ell$.
+%\end{definition}
+%
+%Taken from \cite{pointcheval1996provably}. This definition applies to blind signature schemes in general.
+%Intuition: EUF-CMA is not strong enough for blind signatures,
+%since attacker can choose the message (without going through a hash function before signing).
+%
+%\begin{definition}[RSA-KTI]
+% Game (security parameter $k$, $m : \mathbb{N} \rightarrow \mathbb{N}$,
+% $\mathcal{A}$ adversary with access to RSA inversion oracle \ora{Inv}):
+% \begin{enumerate}
+% \item $(N, e, d) \leftarrow \mathsf{KeyGen}(k)$
+% \item $y_i \leftarrow_R \mathbb{Z}_N^*$ for $i \in 1, \dots, m(k) + 1$
+% \item $(x_1, \dots, x_{m(k) + 1}) \leftarrow \mathcal{A}^{\ora{Inv}}(N, e, k, y_1, \dots, y_{m(k) + 1})$
+% \item $\mathcal{A}$ wins if it made at most $m(k)$ oracle queries and $x_i^e \equiv y_i \pmod N$
+% \end{enumerate}
+%\end{definition}
+%
+%From \cite{bellare2003onemore}. Assumption to prove security of RSA blind signatures. Equivalent to RSA-CTI.
+
diff --git a/taler-fc19/readme.txt b/taler-fc19/readme.txt new file mode 100644 index 0000000..13c6096 --- /dev/null +++ b/taler-fc19/readme.txt @@ -0,0 +1,19 @@ +Dear LLNCS user,
+
+The files in this directory belong to the LaTeX2e package for
+Lecture Notes in Computer Science (LNCS) of Springer-Verlag.
+
+It consists of the following files:
+
+ readme.txt this file
+
+ history.txt the version history of the package
+
+ llncs.cls the LaTeX2e document class
+
+ samplepaper.tex a sample paper
+ fig1.eps a figure used in the sample paper
+
+ llncsdoc.pdf the documentation of the class (PDF version)
+
+ splncs04.bst current LNCS BibTeX style with alphabetic sorting
diff --git a/taler-fc19/ref.bib b/taler-fc19/ref.bib new file mode 100644 index 0000000..5a5f9b2 --- /dev/null +++ b/taler-fc19/ref.bib @@ -0,0 +1,2424 @@ +@inproceedings{clement2009making, + author = {Clement, Allen and Wong, Edmund and Alvisi, Lorenzo and Dahlin, Mike and Marchetti, Mirco}, + title = {Making Byzantine Fault Tolerant Systems Tolerate Byzantine Faults}, + booktitle = {Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation}, + series = {NSDI'09}, + year = {2009}, + location = {Boston, Massachusetts}, + pages = {153--168}, + numpages = {16}, + url = {http://dl.acm.org/citation.cfm?id=1558977.1558988}, + acmid = {1558988}, + publisher = {USENIX Association}, + address = {Berkeley, CA, USA}, +} + +@article{fischer1985impossibility, + title={Impossibility of distributed consensus with one faulty process}, + author={Fischer, Michael J and Lynch, Nancy A and Paterson, Michael S}, + journal={Journal of the ACM (JACM)}, + volume={32}, + number={2}, + pages={374--382}, + year={1985}, + publisher={ACM} +} + +@Misc{cosmos, + author = {Jae Kwon and Ethan Buchman}, + title = {Cosmos: A Network of Distributed Ledgers}, + howpublished = {\url{https://cosmos.network/whitepaper}}, + year = {2016}, + note = {Accessed 22 Feb 2017}, +} + +@InProceedings{gns2014wachs, + author = {Wachs, Matthias and Schanzenbach, Martin and Grothoff, Christian}, + title = {A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System}, + booktitle = {Proceedings of the 13th International Conference on Cryptology and Network Security - Volume 8813}, + year = {2014}, + isbn = {978-3-319-12279-3}, + pages = {127--142}, + numpages = {16}, + url = {http://dx.doi.org/10.1007/978-3-319-12280-9_9}, + doi = {10.1007/978-3-319-12280-9_9}, + acmid = {2769431}, + publisher = {Springer-Verlag New York, Inc.}, + address = {New York, NY, USA}, +} + + +@Misc{gnunet-www, + title = "{The GNUnet Project}", + howpublished = {\url{https://gnunet.org/}}, + note = {Accessed 28 Feb 2017}, +} + +@Misc{gnunet-git, + title = "{The GNUnet Project Git Repository}", + howpublished = {\url{git://gnunet.org/git/gnunet}}, + note = {Accessed 28 Feb 2017}, +} + +@article{ben2010simple, + title={Simple gradecast based algorithms}, + author={Ben-Or, Michael and Dolev, Danny and Hoch, Ezra N}, + journal={arXiv preprint arXiv:1007.1049}, + year={2010} +} + + +@incollection{ben2010brief, + title={Brief announcement: simple gradecast based algorithms}, + author={Ben-Or, Michael and Dolev, Danny and Hoch, Ezra N}, + booktitle={Distributed Computing}, + pages={194--197}, + year={2010}, + publisher={Springer} +} + + +@phdthesis{feldman1988optimalphd, + title={Optimal algorithms for Byzantine agreement}, + author={Feldman, Paul Neil}, + year={1988}, + school={Massachusetts Institute of Technology} +} + +@inproceedings{feldman1988optimal, + author = {Feldman, Paul and Micali, Silvio}, + title = {Optimal Algorithms for Byzantine Agreement}, + booktitle = {Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing}, + series = {STOC '88}, + year = {1988}, + isbn = {0-89791-264-0}, + location = {Chicago, Illinois, USA}, + pages = {148--161}, + numpages = {14}, + url = {http://doi.acm.org/10.1145/62212.62225}, + doi = {10.1145/62212.62225}, + acmid = {62225}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + + +@article{eppstein2011difference, + author = {Eppstein, David and Goodrich, Michael T. and Uyeda, Frank and Varghese, George}, + title = {What's the Difference?: Efficient Set Reconciliation Without Prior Context}, + journal = {SIGCOMM Comput. Commun. Rev.}, + issue_date = {August 2011}, + volume = {41}, + number = {4}, + month = {8}, + year = {2011}, + issn = {0146-4833}, + pages = {218--229}, + numpages = {12}, + url = {http://doi.acm.org/10.1145/2043164.2018462}, + doi = {10.1145/2043164.2018462}, + acmid = {2018462}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {difference digest, invertible bloom filter, set difference}, +} + + +@article{dwork1988consensus, + title={Consensus in the presence of partial synchrony}, + author={Dwork, Cynthia and Lynch, Nancy and Stockmeyer, Larry}, + journal={Journal of the ACM (JACM)}, + volume={35}, + number={2}, + pages={288--323}, + year={1988}, + publisher={ACM} +} + + +@inproceedings{fitzi2006optimally, + author = {Fitzi, Matthias and Hirt, Martin}, + title = {Optimally Efficient Multi-valued Byzantine Agreement}, + booktitle = {Proceedings of the Twenty-fifth Annual ACM Symposium on Principles of Distributed Computing}, + series = {PODC '06}, + year = {2006}, + isbn = {1-59593-384-0}, + location = {Denver, Colorado, USA}, + pages = {163--168}, + numpages = {6}, + url = {http://doi.acm.org/10.1145/1146381.1146407}, + doi = {10.1145/1146381.1146407}, + acmid = {1146407}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {byzantine agreement, communication complexity, cryptographic security, information-theoretic security}, +} + + +% Problem: Really, really complex and not that efficient. +@inproceedings{abraham2008almost, + title={An almost-surely terminating polynomial protocol for asynchronous byzantine agreement with optimal resilience}, + author={Abraham, Ittai and Dolev, Danny and Halpern, Joseph Y}, + booktitle={Proceedings of the twenty-seventh ACM symposium on Principles of distributed computing}, + pages={405--414}, + year={2008}, + organization={ACM} +} + + +% Followup tp abraham2008almost +% Problem: Requires some nasty hardware trusted +% computing stuff? +@incollection{abraham2010fast, + title={Fast asynchronous consensus with optimal resilience}, + author={Abraham, Ittai and Aguilera, Marcos K and Malkhi, Dahlia}, + booktitle={Distributed Computing}, + pages={4--19}, + year={2010}, + publisher={Springer} +} + + +% Really nice summary of complexity bounds +% and approaches to asynchrony +@techreport{dutta2005best, + title={Best-case complexity of asynchronous Byzantine consensus}, + author={Dutta, Partha and Guerraoui, Rachid and Vukolic, Marko}, + year={2005}, + institution={Technical Report EPFL/IC/200499, EPFL} +} + + +@inproceedings{castro1999practical, + author = {Miguel Castro and Barbara Liskov}, + title = {Practical Byzantine Fault Tolerance}, + booktitle = {Third Symposium on Operating Systems Design and + Implementation (OSDI)}, + publisher = {USENIX Association, Co-sponsored by IEEE TCOS and ACM SIGOPS}, + address = {New Orleans, Louisiana}, + month = {2}, + volume={99}, + pages={173--186}, + year = {1999} +} + + +@article{cramer1997secure, + title={A secure and optimally efficient multi-authority election scheme}, + author={Cramer, Ronald and Gennaro, Rosario and Schoenmakers, Berry}, + journal={European transactions on Telecommunications}, + volume={8}, + number={5}, + pages={481--490}, + year={1997}, + publisher={Wiley Online Library} +} + + +@article{castro2002practical, + title={Practical Byzantine fault tolerance and proactive recovery}, + author={Castro, Miguel and Liskov, Barbara}, + journal={ACM Transactions on Computer Systems (TOCS)}, + volume={20}, + number={4}, + pages={398--461}, + year={2002}, + publisher={ACM} +} + + +@article{lamport1982byzantine, + title={The Byzantine generals problem}, + author={Lamport, Leslie and Shostak, Robert and Pease, Marshall}, + journal={ACM Transactions on Programming Languages and Systems (TOPLAS)}, + volume={4}, + number={3}, + pages={382--401}, + year={1982}, + publisher={ACM} +} + + + +@article{schneider1990implementing, + title={Implementing fault-tolerant services using the state machine approach: A tutorial}, + author={Schneider, Fred B}, + journal={ACM Computing Surveys (CSUR)}, + volume={22}, + number={4}, + pages={299--319}, + year={1990}, + publisher={ACM} +} + + +@inproceedings{ongaro2014search, + title={In search of an understandable consensus algorithm}, + author={Ongaro, Diego and Ousterhout, John}, + booktitle={Proc. USENIX Annual Technical Conference}, + pages={305--320}, + year={2014} +} + + + +% Very important, highlights the +% consensus part of Paxos/PBFT +@incollection{lampson1996build, + title={How to build a highly available system using consensus}, + author={Lampson, Butler W}, + booktitle={Distributed Algorithms}, + pages={1--17}, + year={1996}, + publisher={Springer} +} + + +@article{van2014vive, + title={Vive la diff{\'e}rence: Paxos vs. Viewstamped Replication vs. Zab}, + author={Van Renesse, Robbert and Schiper, Nicolas and Schneider, Fred B}, + year={2014}, + publisher={IEEE} +} + + + +% Problem: Very complex assumptions +% Cachin seems much more practical, even if he uses signatures. +@article{kapron2010fast, + author = {Kapron, Bruce M. and Kempe, David and King, Valerie and Saia, Jared and Sanwalani, Vishal}, + title = {Fast Asynchronous Byzantine Agreement and Leader Election with Full Information}, + journal = {ACM Trans. Algorithms}, + issue_date = {August 2010}, + volume = {6}, + number = {4}, + month = {9}, + year = {2010}, + issn = {1549-6325}, + pages = {68:1--68:28}, + articleno = {68}, + numpages = {28}, + url = {http://doi.acm.org/10.1145/1824777.1824788}, + doi = {10.1145/1824777.1824788}, + acmid = {1824788}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {Byzantine agreement, Monte Carlo algorithms, asynchronous communication, distributed algorithms, probabilistic method}, +} + + +% Nice for future work section, +% could be applied to consensus +@article{mitzenmacher2013simple, + title={Simple Multi-Party Set Reconciliation}, + author={Mitzenmacher, Michael and Pagh, Rasmus}, + journal={arXiv preprint arXiv:1311.2037}, + year={2013} +} + + +% Has great arguments for (against!) the complexity +% of the state machine approach. +@article{aublin2015next, + author = {Aublin, Pierre-Louis and Guerraoui, Rachid and Kne\v{z}evi\'{c}, Nikola and Qu{\'e}ma, Vivien and Vukoli\'{c}, Marko}, + title = {The Next 700 BFT Protocols}, + journal = {ACM Trans. Comput. Syst.}, + issue_date = {January 2015}, + volume = {32}, + number = {4}, + month = {1}, + year = {2015}, + issn = {0734-2071}, + pages = {12:1--12:45}, + articleno = {12}, + numpages = {45}, + url = {http://doi.acm.org/10.1145/2658994}, + doi = {10.1145/2658994}, + acmid = {2658994}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {Abstract, Byzantine, composability, fault tolerance, optimization, robustness}, +} + + +% Good complexity comparison +% for async case +@inproceedings{mostefaoui2014signature, + author = {Mostefaoui, Achour and Moumen, Hamouma and Raynal, Michel}, + title = {Signature-free Asynchronous Byzantine Consensus with T \&\#60; N/3 and O(N2) Messages}, + booktitle = {Proceedings of the 2014 ACM Symposium on Principles of Distributed Computing}, + series = {PODC '14}, + year = {2014}, + isbn = {978-1-4503-2944-6}, + location = {Paris, France}, + pages = {2--9}, + numpages = {8}, + url = {http://doi.acm.org/10.1145/2611462.2611468}, + doi = {10.1145/2611462.2611468}, + acmid = {2611468}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {abstraction, asynchronous message-passing system, broadcast abstraction, byzantine process, common coin, consensus, distributed algorithm, optimal resilience, randomized algorithm, signature-free algorithm, simplicity}, +} + + +% Failure detectors, overview +@inbook{guerraoui2000consensus, + author="Guerraoui, Rachid + and Hurfinn, Michel + and Mostefaoui, Achour + and Oliveira, Riucarlos + and Raynal, Michel + and Schiper, Andre", + editor="Krakowiak, Sacha + and Shrivastava, Santosh", + title="Consensus in Asynchronous Distributed Systems: A Concise Guided Tour", + bookTitle="Advances in Distributed Systems: Advanced Distributed Computing: From Algorithms to Systems", + year="2000", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="33--47", + abstract="It is now recognized that the Consensus problem is a fundamental problem when one has to design and implement reliable asynchronous distributed systems. This chapter is on the Consensus problem. It studies Consensus in two failure models, namely, the Crash/no Recovery model and the Crash/Recovery model. The assumptions related to the detection of failures that are required to solve Consensus in a given model are particularly emphasized.", + isbn="978-3-540-46475-4", + doi="10.1007/3-540-46475-1_2", + url="https://doi.org/10.1007/3-540-46475-1_2" +} + + +% Good future work to implement this? +@article{bouzidminimal, + title={Minimal Synchrony for Asynchronous Byzantine Consensus}, + year={2015}, + author={Bouzid, Zohir and Mostefaoui, Achour and Raynal, Michel}, + publisher={Collection des Publications Internes de l'Irisa} +} + + +@incollection{lamport2011brief, + title={Brief announcement: leaderless byzantine paxos}, + author={Lamport, Leslie}, + booktitle={Distributed Computing}, + pages={141--142}, + year={2011}, + publisher={Springer} +} + + + + + +% Mention that we don't need early +% stopping in voting (because of of fairness? property) +@article{dolev1990early, + author = {Dolev, Danny and Reischuk, Ruediger and Strong, H. Raymond}, + title = {Early Stopping in Byzantine Agreement}, + journal = {J. ACM}, + issue_date = {Oct. 1990}, + volume = {37}, + number = {4}, + month = {10}, + year = {1990}, + issn = {0004-5411}, + pages = {720--741}, + numpages = {22}, + url = {http://doi.acm.org/10.1145/96559.96565}, + doi = {10.1145/96559.96565}, + acmid = {96565}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + + +% seminal +@article{lamport1998part, + title={The part-time parliament}, + author={Lamport, Leslie}, + journal={ACM Transactions on Computer Systems (TOCS)}, + volume={16}, + number={2}, + pages={133--169}, + year={1998}, + publisher={ACM} +} + + +% follow-up to seminal paper +@article{lamport2001paxos, + title={Paxos made simple}, + author={Lamport, Leslie}, + journal={ACM Sigact News}, + volume={32}, + number={4}, + pages={18--25}, + year={2001} +} + + +% Important since it mentions other approaches +% to the bulletin board stuff. +@mastersthesis{peters2005secure, + type={Master's Thesis}, + title={A Secure Bulletin Board}, + author={Peters, RA}, + school={Technische Universiteit Eindhoven}, + year={2005} +} + +@Mastersthesis{dold2014crypto, + author={Dold, Florian}, + school={Technische Universit\"at M\"unchen}, + type={Bachelor's Thesis}, + title={Cryptographically Secure, Distributed Electronic Voting}, + year={2014} +} + + + +@inproceedings{pedersen1991threshold, + title={A threshold cryptosystem without a trusted party}, + author={Pedersen, Torben Pryds}, + booktitle={Advances in Cryptology—EUROCRYPT’91}, + pages={522--526}, + year={1991}, + organization={Springer} +} + + + +@Inbook{fouque2001one, + author="Fouque, Pierre-Alain + and Stern, Jacques", + editor="Kim, Kwangjo", + title="One Round Threshold Discrete-Log Key Generation without Private Channels", + bookTitle="Public Key Cryptography: 4th International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2001 Cheju Island, Korea, February 13--15, 2001 Proceedings", + year="2001", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="300--316", + abstract="Pedersen designed the first scheme for generating Discrete- Log keys without any trusted dealer in 1991. As this protocol is simple and efficient, it appeared to be very attractive. For a long time, this robust algorithm has been trusted as being secure. However, in 1999, Gennaro et al. proved that one of the requirements is not guaranteed : more precisely, the property that the key is uniformly distributed in the key space. Their main objective was to repair the security flaw without sacrificing on efficiency. As a result, the protocol became secure but somehow unpractical. In particular, the ``complaint phase'', in which cheaters are thrown out, makes the scheme overly complex and difficult to deal with in practical situations. In order to avoid this phase and other drawbacks such as the initialization phase where private channels have to be created, we present a one round scheme which generates a discrete-log key with public channels only. Finally, we show how to improve the efficiency of our algorithm when the number of servers increases.", + isbn="978-3-540-44586-9", + doi="10.1007/3-540-44586-2_22", + url="https://doi.org/10.1007/3-540-44586-2_22" +} + + +@incollection{aguilera2010stumbling, + author = {Aguilera, Marcos K.}, + chapter = {Stumbling over Consensus Research: Misunderstandings and Issues}, + title = {Replication}, + editor = {Charron-Bost, Bernadette and Pedone, Fernando and Schiper, Andr{\'e}}, + year = {2010}, + isbn = {3-642-11293-5, 978-3-642-11293-5}, + pages = {59--72}, + numpages = {14}, + url = {http://dl.acm.org/citation.cfm?id=2172338.2172342}, + acmid = {2172342}, + publisher = {Springer-Verlag}, + address = {Berlin, Heidelberg}, +} + + +% Good overview of (some) complexity results +@article{coan1992modular, + title={Modular construction of a Byzantine agreement protocol with optimal message bit complexity}, + author={Coan, Brian A and Welch, Jennifer L}, + journal={Information and Computation}, + volume={97}, + number={1}, + pages={61--85}, + year={1992}, + publisher={Elsevier} +} + + + +% good intro and thoughts on paxos / pbft +@article{martin2006fast, + title={Fast byzantine consensus}, + author={Martin, Jean-Philippe and Alvisi, Lorenzo}, + journal={Dependable and Secure Computing, IEEE Transactions on}, + volume={3}, + number={3}, + pages={202--215}, + year={2006}, + publisher={IEEE} +} + + + +% Important, since it introduced it, according to ben2006byzantine +@article{pease1980reaching, + title={Reaching agreement in the presence of faults}, + author={Pease, Marshall and Shostak, Robert and Lamport, Leslie}, + journal={Journal of the ACM (JACM)}, + volume={27}, + number={2}, + pages={228--234}, + year={1980}, + publisher={ACM} +} + + +@inproceedings{ben2006byzantine, + title={Byzantine agreement in the full-information model in O (log n) rounds}, + author={Ben-Or, Michael and Pavlov, Elan and Vaikuntanathan, Vinod}, + booktitle={Proceedings of the thirty-eighth annual ACM symposium on Theory of computing}, + pages={179--186}, + year={2006}, + organization={ACM} +} + + + +% Seems like then best contender for +% real async consensus +@article{cachin2005random, + title={Random oracles in Constantinople: Practical asynchronous Byzantine agreement using cryptography}, + author={Cachin, Christian and Kursawe, Klaus and Shoup, Victor}, + journal={Journal of Cryptology}, + volume={18}, + number={3}, + pages={219--246}, + year={2005}, + publisher={Springer} +} + + + +% Seems like THE citation for SMC +@article{goldreich1998secure, + title={Secure multi-party computation}, + author={Goldreich, Oded}, + journal={Manuscript. Preliminary version}, + year={1998}, + publisher={Citeseer} +} + + + +@book{waldo1997note, + title={A note on distributed computing}, + author={Waldo, Jim and Wyant, Geoff and Wollrath, Ann and Kendall, Sam}, + year={1997}, + publisher={Springer} +} + + +% one synchronous link is enough ... +% also has some nice reductions .... +@INPROCEEDINGS{aguilera2004communication, + author = {Marcos K. Aguilera and Carole Delporte-gallet and Hugues Fauconnier and Sam Toueg}, + title = {Communication-efficient leader election and consensus with limited link synchrony}, + booktitle = {In PODC}, + year = {2004}, + pages = {328--337}, + publisher = {ACM Press} +} + + +@article{dolev1987minimal, + title={On the minimal synchronism needed for distributed consensus}, + author={Dolev, Danny and Dwork, Cynthia and Stockmeyer, Larry}, + journal={Journal of the ACM (JACM)}, + volume={34}, + number={1}, + pages={77--97}, + year={1987}, + publisher={ACM} +} + + +@inproceedings{reiter1995rampart, + author = {Reiter, Michael K.}, + title = {The Rampart Toolkit for Building High-Integrity Services}, + booktitle = {Selected Papers from the International Workshop on Theory and Practice in Distributed Systems}, + year = {1995}, + isbn = {3-540-60042-6}, + pages = {99--110}, + numpages = {12}, + url = {http://dl.acm.org/citation.cfm?id=647369.723763}, + acmid = {723763}, + publisher = {Springer-Verlag}, + address = {London, UK, UK}, +} + + +@inproceedings{kihlstrom1998securering, + author = {Kihlstrom, Kim Potter and Moser, L. E. and Melliar-Smith, P. M.}, + title = {The SecureRing Protocols for Securing Group Communication}, + booktitle = {Proceedings of the Thirty-First Annual Hawaii International Conference on System Sciences - Volume 3}, + series = {HICSS '98}, + year = {1998}, + isbn = {0-8186-8239-6}, + pages = {317--}, + url = {http://dx.doi.org/10.1109/HICSS.1998.656294}, + doi = {10.1109/HICSS.1998.656294}, + acmid = {798823}, + publisher = {IEEE Computer Society}, + address = {Washington, DC, USA}, +} + + + + + +@article{minsky2003set, + title={Set reconciliation with nearly optimal communication complexity}, + author={Minsky, Yaron and Trachtenberg, Ari and Zippel, Richard}, + journal={Information Theory, IEEE Transactions on}, + volume={49}, + number={9}, + pages={2213--2218}, + year={2003}, + publisher={IEEE} +} + + + +@article{bloom1970space, + title={Space/time trade-offs in hash coding with allowable errors}, + author={Bloom, Burton H}, + journal={Communications of the ACM}, + volume={13}, + number={7}, + pages={422--426}, + year={1970}, + publisher={ACM} +} + + +@article{hadzilacos1994modular, + title={A modular approach to fault-tolerant broadcasts and related problems}, + author={Hadzilacos, Vassos and Toueg, Sam}, + year={1994}, + publisher={Cornell University, Department of Computer Science} +} + + + +% problem: shared memory required +@article{aspnes1998lower, + title={Lower bounds for distributed coin-flipping and randomized consensus}, + author={Aspnes, James}, + journal={Journal of the ACM (JACM)}, + volume={45}, + number={3}, + pages={415--450}, + year={1998}, + publisher={ACM} +} + + +% strong connection between SMC and consensus +@Inbook{saia2015recent, + author="Saia, Jared + and Zamani, Mahdi", + editor="Italiano, Giuseppe F. + and Margaria-Steffen, Tiziana + and Pokorn{\'y}, Jaroslav + and Quisquater, Jean-Jacques + and Wattenhofer, Roger", + title="Recent Results in Scalable Multi-Party Computation", + bookTitle="SOFSEM 2015: Theory and Practice of Computer Science: 41st International Conference on Current Trends in Theory and Practice of Computer Science, Pec pod Sn{\v{e}}{\v{z}}kou, Czech Republic, January 24-29, 2015. Proceedings", + year="2015", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="24--44", + abstract="Secure multi-party computation (MPC) allows multiple parties to compute a known function over inputs held by each party, without any party having to reveal its private input. Unfortunately, traditional MPC algorithms do not scale well to large numbers of parties. In this paper, we describe several recent MPC algorithms that are designed to handle large networks. All of these algorithms rely on recent techniques from the Byzantine agreement literature on forming and using quorums. Informally, a quorum is a small set of parties, most of which are trustworthy. We describe the advantages and disadvantages of these scalable algorithms, and we propose new ideas for improving practicality of current techniques. Finally, we conduct simulations to measure bandwidth cost for several current MPC algorithms.", + isbn="978-3-662-46078-8", + doi="10.1007/978-3-662-46078-8_3", + url="https://doi.org/10.1007/978-3-662-46078-8_3" +} + + +% argues that SMC does not need consensus. +% some of the definitions (abort) look suspiciously +% close to gradecasts +@article{goldwasser2005secure, + title={Secure multi-party computation without agreement}, + author={Goldwasser, Shafi and Lindell, Yehuda}, + journal={Journal of Cryptology}, + volume={18}, + number={3}, + pages={247--287}, + year={2005}, + publisher={Springer} +} + + +% This one got a Dijkstra award in 2015, so I should cite it. +@inproceedings{ben1983another, + title={Another advantage of free choice (extended abstract): Completely asynchronous agreement protocols}, + author={Ben-Or, Michael}, + booktitle={Proceedings of the second annual ACM symposium on Principles of distributed computing}, + pages={27--30}, + year={1983}, + organization={ACM} +} + + + +% Another Dijkstra price, should be cited as +% the main thing for failure detectors +% Oh, but: Only crash-faults ... +@article{chandra1996unreliable, + title={Unreliable failure detectors for reliable distributed systems}, + author={Chandra, Tushar Deepak and Toueg, Sam}, + journal={Journal of the ACM (JACM)}, + volume={43}, + number={2}, + pages={225--267}, + year={1996}, + publisher={ACM} +} + + +@incollection{bonomi2006improved, + title={An improved construction for counting bloom filters}, + author={Bonomi, Flavio and Mitzenmacher, Michael and Panigrahy, Rina and Singh, Sushil and Varghese, George}, + booktitle={Algorithms--ESA 2006}, + pages={684--695}, + year={2006}, + publisher={Springer} +} + + + +% Very good overview of bloom filters and advanced +% stuff you can do with them. +@article{tarkoma2012theory, + title={Theory and practice of bloom filters for distributed systems}, + author={Tarkoma, Sasu and Rothenberg, Christian Esteve and Lagerspetz, Eemil}, + journal={Communications Surveys \& Tutorials, IEEE}, + volume={14}, + number={1}, + pages={131--155}, + year={2012}, + publisher={IEEE} +} + + +@article{neiger1994distributed, + title={Distributed consensus revisited}, + author={Neiger, Gil}, + journal={Information Processing Letters}, + volume={49}, + number={4}, + pages={195--201}, + year={1994}, + publisher={Elsevier} +} + + + +@techreport{miller2014anonymous, + title={Anonymous byzantine consensus from moderately-hard puzzles: A model for bitcoin}, + author={Miller, Andrew and LaViola Jr, Joseph J}, + number={CS-TR-14-01}, + year={2014}, + month={4}, + institution={University of Central Florida} +} + + +@inbook{garay2015bitcoin, + author="Garay, Juan + and Kiayias, Aggelos + and Leonardos, Nikos", + editor="Oswald, Elisabeth + and Fischlin, Marc", + title="The Bitcoin Backbone Protocol: Analysis and Applications", + bookTitle="Advances in Cryptology - EUROCRYPT 2015: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part II", + year="2015", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="281--310", + abstract="Bitcoin is the first and most popular decentralized cryptocurrency to date. In this work, we extract and analyze the core of the Bitcoin protocol, which we term the Bitcoin backbone, and prove two of its fundamental properties which we call common prefix and chain quality in the static setting where the number of players remains fixed. Our proofs hinge on appropriate and novel assumptions on the ``hashing power'' of the adversary relative to network synchronicity; we show our results to be tight under high synchronization.", + isbn="978-3-662-46803-6", + doi="10.1007/978-3-662-46803-6_10", + url="https://doi.org/10.1007/978-3-662-46803-6_10" +} + + +@article{schwartz2014ripple, + title={The Ripple protocol consensus algorithm}, + author={Schwartz, David and Youngs, Noah and Britto, Arthur}, + journal={Ripple Labs Inc White Paper}, + year={2014} +} + + +@mastersthesis {totakura2013large, + title = {Large Scale Distributed Evaluation of Peer-to-Peer Protocols}, + volume = {Master of Science}, + year = {2013}, + month = {6}, + pages = {76}, + school = {Technische Universit\"at M\"unchen}, + type = {Master's Thesis}, + address = {Garching bei M\"unchen}, + keywords = {emulation, GNUnet, large scale testing, protocol evaluation, testbed}, + author = {Totakura, Sree Harsha} +} + + +@book{okasaki1999purely, + author = {Okasaki, Chris}, + title = {Purely Functional Data Structures}, + year = {1998}, + isbn = {0-521-63124-6}, + publisher = {Cambridge University Press}, + address = {New York, NY, USA}, +} + + +@inproceedings{attiya1984asynchronous, + author = {Attiya, Chagit and Dolev, Danny and Gil, Joseph}, + title = {Asynchronous Byzantine Consensus}, + booktitle = {Proceedings of the Third Annual ACM Symposium on Principles of Distributed Computing}, + series = {PODC '84}, + year = {1984}, + isbn = {0-89791-143-1}, + location = {Vancouver, British Columbia, Canada}, + pages = {119--133}, + numpages = {15}, + url = {http://doi.acm.org/10.1145/800222.806740}, + doi = {10.1145/800222.806740}, + acmid = {806740}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + + + +@article{deutsch1996gzip, + title={GZIP file format specification version 4.3}, + author={Deutsch, L Peter}, + year={1996} +} + + +@inproceedings{polot2014cadet, + author={B. Polot and C. Grothoff}, + booktitle={2014 13th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)}, + title={CADET: Confidential ad-hoc decentralized end-to-end transport}, + year={2014}, + pages={71-78}, + keywords={Internet;ad hoc networks;computer network performance evaluation;computer network security;telecommunication network routing;telecommunication network topology;transport protocols;CADET;Internet-usage;ad-hoc wireless networks;authenticated data transfer;confidential ad-hoc decentralized end-to-end transport;confidential data transfer;decentralized networks;friend-to-friend networks;high-speed low-latency networks;network topologies;performance evaluation;restricted-route scenarios;transport protocol;Ad hoc networks;IP networks;Network topology;Peer-to-peer computing;Protocols;Routing;Topology}, + doi={10.1109/MedHocNet.2014.6849107}, + month={6}, +} + + + +@book{benaloh1987verifiable, + title={Verifiable secret-ballot elections}, + author={Benaloh, Josh Daniel Cohen}, + year={1987}, + publisher={Yale University. Department of Computer Science} +} + + +@inproceedings{bessani2014state, + title={State machine replication for the masses with BFT-SMaRt}, + author={Bessani, Alysson and Sousa, Jo{\~a}o and Alchieri, Eduardo EP}, + booktitle={Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on}, + pages={355--362}, + year={2014}, + organization={IEEE} +} + + +@techreport{fischer1981lower, + title={A lower bound for the time to assure interactive consistency}, + author={Fischer, Michael J and Lynch, Nancy A}, + year={1981}, + institution={DTIC Document} +} + +@article{de2001k, + title={On k-set consensus problems in asynchronous systems}, + author={De Prisco, Roberto and Malkhi, Dahlia and Reiter, Michael}, + journal={Parallel and Distributed Systems, IEEE Transactions on}, + volume={12}, + number={1}, + pages={7--21}, + year={2001}, + publisher={IEEE} +} + + +@inproceedings{malpani2000leader, + author = {Malpani, Navneet and Welch, Jennifer L. and Vaidya, Nitin}, + title = {Leader Election Algorithms for Mobile Ad Hoc Networks}, + booktitle = {Proceedings of the 4th International Workshop on Discrete Algorithms and Methods for Mobile Computing and Communications}, + series = {DIALM '00}, + year = {2000}, + isbn = {1-58113-301-4}, + location = {Boston, Massachusetts, USA}, + pages = {96--103}, + numpages = {8}, + url = {http://doi.acm.org/10.1145/345848.345871}, + doi = {10.1145/345848.345871}, + acmid = {345871}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + + +@article{fischer1986easy, + title={Easy impossibility proofs for distributed consensus problems}, + author={Fischer, Michael J and Lynch, Nancy A and Merritt, Michael}, + journal={Distributed Computing}, + volume={1}, + number={1}, + pages={26--39}, + year={1986}, + publisher={Springer} +} + +@inproceedings{Miller:2016:HBB:2976749.2978399, + author = {Miller, Andrew and Xia, Yu and Croman, Kyle and Shi, Elaine and Song, Dawn}, + title = {The Honey Badger of BFT Protocols}, + booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security}, + series = {CCS '16}, + year = {2016}, + isbn = {978-1-4503-4139-4}, + location = {Vienna, Austria}, + pages = {31--42}, + numpages = {12}, + url = {http://doi.acm.org/10.1145/2976749.2978399}, + doi = {10.1145/2976749.2978399}, + acmid = {2978399}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {BFT, asynchronous, atomic broadcast, blockchain}, +} + + +@misc{cryptoeprint:2016:199, + author = {Andrew Miller and Yu Xia and Kyle Croman and Elaine Shi and Dawn Song}, + title = {The Honey Badger of BFT Protocols}, + howpublished = {Cryptology ePrint Archive, Report 2016/199}, + year = {2016}, + note = {\url{http://eprint.iacr.org/2016/199}}, +} + +@misc{cryptoeprint:2016:1067, + author = {Ewa Syta and Philipp Jovanovic and Eleftherios Kokoris Kogias and Nicolas Gailly and Linus Gasser and Ismail Khoffi and Michael J. Fischer and Bryan Ford}, + title = {Scalable Bias-Resistant Distributed Randomness}, + howpublished = {Cryptology ePrint Archive, Report 2016/1067}, + year = {2016}, + note = {\url{http://eprint.iacr.org/2016/1067}, Accessed 22 Feb 2017}, +} + +@article{abd2005fault, + title={Fault-scalable Byzantine fault-tolerant services}, + author={Abd-El-Malek, Michael and Ganger, Gregory R and Goodson, Garth R and Reiter, Michael K and Wylie, Jay J}, + journal={ACM SIGOPS Operating Systems Review}, + volume={39}, + number={5}, + pages={59--74}, + year={2005}, + publisher={ACM} +} + + +@inproceedings{kotla2007zyzzyva, + author = {Kotla, Ramakrishna and Alvisi, Lorenzo and Dahlin, Mike and Clement, Allen and Wong, Edmund}, + title = {Zyzzyva: Speculative Byzantine Fault Tolerance}, + booktitle = {Proceedings of Twenty-first ACM SIGOPS Symposium on Operating Systems Principles}, + series = {SOSP '07}, + year = {2007}, + isbn = {978-1-59593-591-5}, + location = {Stevenson, Washington, USA}, + pages = {45--58}, + numpages = {14}, + url = {http://doi.acm.org/10.1145/1294261.1294267}, + doi = {10.1145/1294261.1294267}, + acmid = {1294267}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {byzantine fault tolerance, output commit, replication, speculative execution}, +} + + +@article{nakamoto2008bitcoin, + title={Bitcoin: A peer-to-peer electronic cash system}, + author={Nakamoto, Satoshi}, + journal={Consulted}, + volume={1}, + number={2012}, + pages={28}, + year={2008} +} + + +@incollection{rink2013mixed, + year={2013}, + isbn={978-3-642-35842-5}, + booktitle={SOFSEM 2013: Theory and Practice of Computer Science}, + volume={7741}, + series={Lecture Notes in Computer Science}, + editor={van Emde Boas, Peter and Groen, FransC.A. and Italiano, GiuseppeF. and Nawrocki, Jerzy and Sack, Harald}, + doi={10.1007/978-3-642-35843-2_31}, + title={Mixed Hypergraphs for Linear-Time Construction of Denser Hashing-Based Data Structures}, + url={http://dx.doi.org/10.1007/978-3-642-35843-2_31}, + publisher={Springer Berlin Heidelberg}, + author={Rink, Michael}, + pages={356-368}, + language={English} +} + + +@inproceedings{goodrich2011invertible, + title={Invertible bloom lookup tables}, + author={Goodrich, Michael T and Mitzenmacher, Michael}, + booktitle={Communication, Control, and Computing (Allerton), 2011 49th Annual Allerton Conference on}, + pages={792--799}, + year={2011}, + organization={IEEE} +} + + +@article{li2011theory, + title={Theory and applications of b-bit minwise hashing}, + author={Li, Ping and K{\"o}nig, Arnd Christian}, + journal={Communications of the ACM}, + volume={54}, + number={8}, + pages={101--109}, + year={2011}, + publisher={ACM} +} + +@inproceedings{adida2008helios, + author = {Adida, Ben}, + title = {Helios: Web-based Open-audit Voting}, + booktitle = {Proceedings of the 17th Conference on Security Symposium}, + series = {SS'08}, + year = {2008}, + location = {San Jose, CA}, + pages = {335--348}, + numpages = {14}, + url = {http://dl.acm.org/citation.cfm?id=1496711.1496734}, + acmid = {1496734}, + publisher = {USENIX Association}, + address = {Berkeley, CA, USA}, +} + + +@article{desmedt1994threshold, + title={Threshold cryptography}, + author={Desmedt, Yvo G}, + journal={European Transactions on Telecommunications}, + volume={5}, + number={4}, + pages={449--458}, + year={1994}, + publisher={Wiley Online Library} +} + + +@article{shamir1979share, + title={How to share a secret}, + author={Shamir, Adi}, + journal={Communications of the ACM}, + volume={22}, + number={11}, + pages={612--613}, + year={1979}, + publisher={ACM} +} + +% Cite some of the voting stuff +% what else is there about set reconciliation? + + + +% Just another SMC protocol that requires agreement +% on potentially large sets. +@incollection{bogetoft2009secure, + author = {Bogetoft, Peter and Christensen, Dan Lund and Damg{\aa}rd, Ivan and Geisler, Martin and Jakobsen, Thomas and Kr{\o}igaard, Mikkel and Nielsen, Janus Dam and Nielsen, Jesper Buus and Nielsen, Kurt and Pagter, Jakob and Schwartzbach, Michael and Toft, Tomas}, + chapter = {Secure Multiparty Computation Goes Live}, + title = {Financial Cryptography and Data Security}, + editor = {Dingledine, Roger and Golle, Philippe}, + year = {2009}, + isbn = {978-3-642-03548-7}, + pages = {325--343}, + numpages = {19}, + url = {http://dx.doi.org/10.1007/978-3-642-03549-4_20}, + doi = {10.1007/978-3-642-03549-4_20}, + acmid = {1602018}, + publisher = {Springer-Verlag}, + address = {Berlin, Heidelberg}, +} + + +@inproceedings{evans2012efficient, + title={Efficient and secure decentralized network size estimation}, + author={Evans, Nathan and Polot, Bartlomiej and Grothoff, Christian}, + booktitle={Proceedings of the 11th international IFIP TC 6 conference on Networking-Volume Part I}, + pages={304--317}, + year={2012}, + organization={Springer-Verlag} +} + + +@misc{green2016bolt, + author = {Matthew Green and Ian Miers}, + title = {Bolt: Anonymous Payment Channels for Decentralized Currencies}, + howpublished = {Cryptology ePrint Archive, Report 2016/701}, + year = {2016}, + note = {\url{http://eprint.iacr.org/2016/701}}, +} + + + +@inproceedings{3DSsucks, + author = {Murdoch, Steven J. and Anderson, Ross}, + title = {Verified by Visa and Mastercard Securecode: Or, How Not to Design Authentication}, + booktitle = {Proceedings of the 14th International Conference on Financial Cryptography and Data Security}, + series = {FC'10}, + year = {2010}, + isbn = {3-642-14576-0, 978-3-642-14576-6}, + location = {Tenerife, Spain}, + pages = {336--342}, + numpages = {7}, + doi_url = {http://dx.doi.org/10.1007/978-3-642-14577-3_27}, + doi = {10.1007/978-3-642-14577-3_27}, + acmid = {2163598}, + publisher = {Springer-Verlag}, + address = {Berlin, Heidelberg}, + url = {https://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf} +} + + +@Inbook{izabachene2013divisible, + author="Izabach{\`e}ne, Malika + and Libert, Beno{\^i}t", + editor="Abdalla, Michel + and Lange, Tanja", + title="Divisible E-Cash in the Standard Model", + bookTitle="Pairing-Based Cryptography -- Pairing 2012: 5th International Conference, Cologne, Germany, May 16-18, 2012, Revised Selected Papers", + year="2013", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="314--332", + abstract="Off-line e-cash systems are the digital analogue of regular cash. One of the main desirable properties is anonymity: spending a coin should not reveal the identity of the spender and, at the same time, users should not be able to double-spend coins without being detected. Compact e-cash systems make it possible to store a wallet of O(2 L ) coins using O(L{\thinspace}+{\thinspace}$\lambda$) bits, where $\lambda$ is the security parameter. They are called divisible whenever the user has the flexibility of spending an amount of 2ℓ, for some ℓ{\thinspace}≤{\thinspace}L, more efficiently than by repeatedly spending individual coins. This paper presents the first construction of divisible e-cash in the standard model (i.e., without the random oracle heuristic). The scheme allows a user to obtain a wallet of 2 L coins by running a withdrawal protocol with the bank. Our construction is built on the traditional binary tree approach, where the wallet is organized in such a way that the monetary value of a coin depends on how deep the coin is in the tree.", + isbn="978-3-642-36334-4", + doi="10.1007/978-3-642-36334-4_20", + url="https://doi.org/10.1007/978-3-642-36334-4_20" +} + + +@Inbook{pointcheval1996provably, +author="Pointcheval, David +and Stern, Jacques", +editor="Kim, Kwangjo +and Matsumoto, Tsutomu", +title="Provably secure blind signature schemes", +bookTitle="Advances in Cryptology --- ASIACRYPT '96: International Conference on the Theory and Applications of Cryptology and Information Security Kyongju, Korea, November 3--7, 1996 Proceedings", +year="1996", +publisher="Springer Berlin Heidelberg", +address="Berlin, Heidelberg", +pages="252--265", +abstract="In this paper, we give a provably secure design for blind signatures, the most important ingredient for anonymity in off-line electronic cash systems. Previous examples of blind signature schemes were constructed from traditional signature schemes with only the additional proof of blindness. The design of some of the underlying signature schemes can be validated by a proof in the so-called random oracle model, but the security of the original signature scheme does not, by itself, imply the security of the blind version. In this paper, we first propose a definition of security for blind signatures, with application to electronic cash. Next, we focus on a specific example which can be successfully transformed in a provably secure blind signature scheme.", +isbn="978-3-540-70707-3", +doi="10.1007/BFb0034852", +url="https://doi.org/10.1007/BFb0034852" +} + + +@Article{bellare2003onemore, +author="Bellare +and Namprempre +and Pointcheval +and Semanko", +title="The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme ", +journal="Journal of Cryptology", +year="2003", +month={6}, +day="01", +volume="16", +number="3", +pages="185--215", +abstract="We introduce a new class of computational problems which we call the ``one-more-RSA-inversion'' problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems, respectively, have polynomially equivalent computational complexity. We show how this leads to a proof of security for Chaum's RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for ``one-more-discrete-logarithm'' problems. Since the appearence of the preliminary version of this paper, the new problems we have introduced have found other uses as well.", +issn="1432-1378", +doi="10.1007/s00145-002-0120-1", +url="https://doi.org/10.1007/s00145-002-0120-1" +} + + +@InProceedings{fc2014murdoch, + author = {Stephen Murdoch and Ross Anderson}, + title = {Security Protocols and Evidence: Where Many Payment Systems Fail}, + booktitle = {Financial Cryptography and Data Security}, + year = {2014}, +} + + + +@Inbook{pointcheval2017cut, + author="Pointcheval, David + and Sanders, Olivier + and Traor{\'e}, Jacques", + editor="Fehr, Serge", + title="Cut Down the Tree to Achieve Constant Complexity in Divisible E-cash", + bookTitle="Public-Key Cryptography -- PKC 2017: 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28-31, 2017, Proceedings, Part I", + year="2017", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="61--90", + abstract="Divisible e-cash, proposed in 1991 by Okamoto and Ohta, addresses a practical concern of electronic money, the problem of paying the exact amount. Users of such systems can indeed withdraw coins of a large value N and then divide it into many pieces of any desired values {\$}{\$}V{\backslash}le N{\$}{\$} . Such a primitive therefore allows to avoid the use of several denominations or change issues. Since its introduction, many constructions have been proposed but all of them make use of the same framework: they associate each coin with a binary tree, which implies, at least, a logarithmic complexity for the spendings.", + isbn="978-3-662-54365-8", + doi="10.1007/978-3-662-54365-8_4", + url="https://doi.org/10.1007/978-3-662-54365-8_4" +} + + + +@Inbook{canard2015divisible, + author="Canard, S{\'e}bastien + and Pointcheval, David + and Sanders, Olivier + and Traor{\'e}, Jacques", + editor="Katz, Jonathan", + title="Divisible E-Cash Made Practical", + bookTitle="Public-Key Cryptography -- PKC 2015: 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, Gaithersburg, MD, USA, March 30 -- April 1, 2015, Proceedings", + year="2015", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="77--100", + abstract="Divisible E-cash systems allow users to withdraw a unique coin of value {\$}{\$}2^n{\$}{\$} from a bank, but then to spend it in several times to distinct merchants. In such a system, whereas users want anonymity of their transactions, the bank wants to prevent, or at least detect, double-spending, and trace the defrauders. While this primitive was introduced two decades ago, quite a few (really) anonymous constructions have been introduced. In addition, all but one were just proven secure in the random oracle model, but still with either weak security models or quite complex settings and thus costly constructions. The unique proposal, secure in the standard model, appeared recently and is unpractical. As evidence, the authors left the construction of an efficient scheme secure in this model as an open problem.", + isbn="978-3-662-46447-2", + doi="10.1007/978-3-662-46447-2_4", + url="https://doi.org/10.1007/978-3-662-46447-2_4" +} + + + +@Inbook{camenisch2005compact, + author="Camenisch, Jan + and Hohenberger, Susan + and Lysyanskaya, Anna", + editor="Cramer, Ronald", + title="Compact E-Cash", + bookTitle="Advances in Cryptology -- EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005. Proceedings", + year="2005", + publisher="Springer Berlin Heidelberg", + address="Berlin, Heidelberg", + pages="302--321", + isbn="978-3-540-32055-5", + doi="10.1007/11426639_18", + url="https://doi.org/10.1007/11426639_18" +} + + +@misc{maertens2015practical, + author = {Patrick Märtens}, + title = {Practical Compact E-Cash with Arbitrary Wallet Size}, + howpublished = {Cryptology ePrint Archive, Report 2015/086}, + year = {2015}, + note = {\url{http://eprint.iacr.org/2015/086}}, +} + +@Inbook{canard2015scalable, +author="Canard, S{\'e}bastien +and Pointcheval, David +and Sanders, Olivier +and Traor{\'e}, Jacques", +editor="Malkin, Tal +and Kolesnikov, Vladimir +and Lewko, Allison Bishop +and Polychronakis, Michalis", +title="Scalable Divisible E-cash", +bookTitle="Applied Cryptography and Network Security: 13th International Conference, ACNS 2015, New York, NY, USA, June 2-5, 2015, Revised Selected Papers", +year="2015", +publisher="Springer International Publishing", +address="Cham", +pages="287--306", +abstract="Divisible E-cash has been introduced twenty years ago but no construction is both fully secure in the standard model and efficiently scalable. In this paper, we fill this gap by providing an anonymous divisible E-cash construction with constant-time withdrawal and spending protocols. Moreover, the deposit protocol is constant-time for the merchant, whatever the spent value is. It just has to compute and store {\$}{\$}2^l{\$}{\$} serial numbers when a value {\$}{\$}2^l{\$}{\$} is deposited, compared to {\$}{\$}2^n{\$}{\$} serial numbers whatever the spent amount (where {\$}{\$}2^n{\$}{\$} is the global value of the coin) in the recent state-of-the-art paper. This makes a very huge difference when coins are spent in several times.", +isbn="978-3-319-28166-7", +doi="10.1007/978-3-319-28166-7_14", +url="https://doi.org/10.1007/978-3-319-28166-7_14" +} + + + + +@Inbook{okamoto1995efficient, +author="Okamoto, Tatsuaki", +editor="Coppersmith, Don", +title="An Efficient Divisible Electronic Cash Scheme", +bookTitle="Advances in Cryptology --- CRYPT0' 95: 15th Annual International Cryptology Conference Santa Barbara, California, USA, August 27--31, 1995 Proceedings", +year="1995", +publisher="Springer Berlin Heidelberg", +address="Berlin, Heidelberg", +pages="438--451", +abstract="Recently, several ``divisible'' untraceable off-line electronic cash schemes have been presented [8, 11, 19, 20]. This paper presents the first practical ``divisible'' untraceable1 off-line cash scheme that is ``single-term''2 in which every procedure can be executed in the order of log N, where N is the precision of divisibility, i.e., N = (the total coin value)/(minimum divisible unit value). Therefore, our ``divisible'' off-line cash scheme is more efficient and practical than the previous schemes. For example, when N = 217 (e.g., the total value is about {\$} 1000, and the minimum divisible unit is 1 cent), our scheme requires only about 1 Kbyte of data be transfered from a customer to a shop for one payment and about 20 modular exponentiations for one payment, while all previous divisible cash schemes require more than several Kbytes of transfered data and more than 200 modular exponentiations for one payment.", +isbn="978-3-540-44750-4", +doi="10.1007/3-540-44750-4_35", +url="https://doi.org/10.1007/3-540-44750-4_35" +} + +@techreport{brands1993efficient, + author = {Brands, Stefan A.}, + title = {An Efficient Off-line Electronic Cash System Based On The Representation Problem.}, + year = {1993}, + source = {http://www.ncstrl.org:8900/ncstrl/servlet/search?formname=detail\&id=oai%3Ancstrlh%3Aercim_cwi%3Aercim.cwi%2F%2FCS-R9323}, + publisher = {CWI (Centre for Mathematics and Computer Science)}, + address = {Amsterdam, The Netherlands, The Netherlands}, +} + + + +@inproceedings{tracz2001fair, + author = {Tracz, Robert and Wrona, Konrad}, + title = {Fair Electronic Cash Withdrawal and Change Return for Wireless Networks}, + booktitle = {Proceedings of the 1st International Workshop on Mobile Commerce}, + series = {WMC '01}, + year = {2001}, + isbn = {1-58113-376-6}, + location = {Rome, Italy}, + pages = {14--19}, + numpages = {6}, + url = {http://doi.acm.org/10.1145/381461.381464}, + doi = {10.1145/381461.381464}, + acmid = {381464}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {electronic commerce, payment systems, wireless applications}, +} + + +@inproceedings{schoenmakers1997security, + author = {Schoenmakers, Berry}, + title = {Security Aspects of the Ecash\&\#153; Payment System}, + booktitle = {State of the Art in Applied Cryptography, Course on Computer Security and Industrial Cryptography - Revised Lectures}, + year = {1998}, + isbn = {3-540-65474-7}, + location = {Leuven, Belgium}, + pages = {338--352}, + numpages = {15}, + url = {http://dl.acm.org/citation.cfm?id=647443.726912}, + acmid = {726912}, + publisher = {Springer-Verlag}, + address = {London, UK, UK}, +} + + + + + +@Inbook{chaum1983blind, + author="Chaum, David", + editor="Chaum, David + and Rivest, Ronald L. + and Sherman, Alan T.", + title="Blind Signatures for Untraceable Payments", + bookTitle="Advances in Cryptology: Proceedings of Crypto 82", + year="1983", + publisher="Springer US", + address="Boston, MA", + pages="199--203", + abstract="Automation of the way we pay for goods and services is already underway, as can be seen by the variety and growth of electronic banking services available to consumers. The ultimate structure of the new electronic payments system may have a substantial impact on personal privacy as well as on the nature and extent of criminal use of payments. Ideally a new payments system should address both of these seemingly conflicting sets of concerns.", + isbn="978-1-4757-0602-4", + doi="10.1007/978-1-4757-0602-4_18", + url="https://doi.org/10.1007/978-1-4757-0602-4_18" +} + + + +@Inbook{chaum1990untraceable, + author="Chaum, David + and Fiat, Amos + and Naor, Moni", + editor="Goldwasser, Shafi", + title="Untraceable Electronic Cash", + bookTitle="Advances in Cryptology --- CRYPTO' 88: Proceedings", + year="1990", + publisher="Springer New York", + address="New York, NY", + pages="319--327", + abstract="The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance.", + isbn="978-0-387-34799-8", + doi="10.1007/0-387-34799-2_25", + url="https://doi.org/10.1007/0-387-34799-2_25" +} + + +@INPROCEEDINGS{camenisch2007endorsed, + author={J. Camenisch and A. Lysyanskaya and M. Meyerovich}, + booktitle={2007 IEEE Symposium on Security and Privacy (SP '07)}, + title={Endorsed E-Cash}, + year={2007}, + pages={101-115}, + keywords={electronic money;protocols;e-cash;electronic cash scheme;fair exchange protocol;lightweight endorsement;onion routing;Authentication;Cryptographic protocols;Cryptography;Digital signatures;Explosions;Information security;Merchandise;Privacy;Routing}, + doi={10.1109/SP.2007.15}, + ISSN={1081-6011}, + month={5}, +} + + + +@misc{rfc5869, + author="H. Krawczyk and P. Eronen", + title="{HMAC-based Extract-and-Expand Key Derivation Function (HKDF)}", + series="Request for Comments", + number="5869", + howpublished="RFC 5869 (Informational)", + publisher="IETF", + organization="Internet Engineering Task Force", + year=2010, + month={5}, + url="http://www.ietf.org/rfc/rfc5869.txt", +} + + +@inproceedings{danezis2016rscoin, + author = {George Danezis and + Sarah Meiklejohn}, + title = {Centrally Banked Cryptocurrencies}, + booktitle = {23nd Annual Network and Distributed System Security Symposium, {NDSS} + 2016, San Diego, California, USA, February 21-24, 2016}, + year = {2016}, + publisher = {The Internet Society}, +} + + + +@Misc{fatf1997, + title = {FATF-IX report on money laundering typologies}, + howpublished = {\url{http://www.fatf-gafi.org/media/fatf/documents/reports/1996\%201997\%20ENG.pdf}}, + month = {2}, + year = {1998}, +} + +@article{bellare2003one, + title={The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme.}, + author={Bellare, Mihir and Namprempre, Chanathip and Pointcheval, David and Semanko, Michael}, + journal={Journal of Cryptology}, + volume={16}, + number={3}, + year={2003}, + publisher={Springer} +} + + +@inbook{RSA-FDH-KTIvCTI, + author="Bellare, Mihir and Namprempre, Chanathip and Pointcheval, David and Semanko, Michael", + editor="Syverson, Paul", + chapter="The Power of RSA Inversion Oracles and the Security of Chaum's RSA-Based Blind Signature Scheme", + title="Financial Cryptography: 5th International Conference", + year="2002", + publisher="Springer", + address="Berlin, Heidelberg", + pages="319--338", + isbn="978-3-540-46088-6", + doi="10.1007/3-540-46088-8_25", + url="https://www.di.ens.fr/~pointche/Documents/Papers/2001_fcA.pdf" +} + +@misc{LightningNetwork, + author = {Joseph Poon and Thaddeus Dryja}, + title = {The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments}, + month = {1}, + year = {2016}, + note = {\url{https://lightning.network/lightning-network-paper.pdf}}, +} + + +@misc{RippleFined:FinCEN, + author = {Steve Hudak}, + title = {FinCEN Fines Ripple Labs Inc. in First Civil Enforcement Action Against a Virtual Currency Exchanger}, + month = {5}, + day = {5}, + year = {2015}, + note = {\url{https://www.fincen.gov/news/news-releases/fincen-fines-ripple-labs-inc-first-civil-enforcement-action-against-virtual}}, +} + +@misc{RippleFined:ArsTechnica, + author = {Megan Geuss}, + title = {Cryptocurrency maker Ripple Labs fined \$700K for flouting financial regs. Virtual currency Wild West is done, registration as a Money Services Business required.}, + month = {5}, + day = {5}, + year = {2015}, + note = {\url{https://arstechnica.com/tech-policy/2015/05/cryptocurrency-maker-ripple-labs-fined-700k-for-flouting-financial-regs/}}, + url_coindesk = {http://www.coindesk.com/fincen-fines-ripple-labs-700000-bank-secrecy-act/} +} + +@misc{RippleFined:CoinDesk, + author = {Stan Higgins}, + title = {FinCEN Fines Ripple Labs for Bank Secrecy Act Violations}, + month = {5}, + day = {5}, + year = {2015}, + note = {\url{http://www.coindesk.com/fincen-fines-ripple-labs-700000-bank-secrecy-act/}}, +} + + +@misc{rfc6818, + author="P. Yee", + title="{Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile}", + howpublished="RFC 6818 (Proposed Standard)", + series="Internet Request for Comments", + type="RFC", + number="6818", + pages="1--8", + year=2013, + month={1}, + issn="2070-1721", + publisher="RFC Editor", + institution="RFC Editor", + organization="RFC Editor", + address="Fremont, CA, USA", + url="https://www.rfc-editor.org/rfc/rfc6818.txt", + key="RFC 6818", + abstract={This document updates RFC 5280, the ``Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile''. This document changes the set of acceptable encoding methods for the explicitText field of the user notice policy qualifier and clarifies the rules for converting internationalized domain name labels to ASCII. This document also provides some clarifications on the use of self-signed certificates, trust anchors, and some updated security considerations. [STANDARDS-TRACK]}, + keywords="", + doi="10.17487/RFC6818", +} + + + +@inproceedings{rivest2004peppercoin, + title={Peppercoin micropayments}, + author={Rivest, Ronald L}, + booktitle={Financial Cryptography}, + pages={2--8}, + year={2004}, + organization={Springer} +} + + +@inproceedings{Camenisch05compacte-cash, + author = {Jan Camenisch and Susan Hohenberger and Anna Lysyanskaya}, + title = {Compact e-cash}, + booktitle = {In EUROCRYPT, volume 3494 of LNCS}, + year = {2005}, + pages = {302--321}, + publisher = {Springer-Verlag}, + url = {http://cs.brown.edu/~anna/papers/chl05-full.pdf}, + url_citeseerx = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.136.4640} +} + + + +@article{martens2015practical, + title={Practical Divisible E-Cash.}, + author={M{\"a}rtens, Patrick}, + journal={IACR Cryptology ePrint Archive}, + volume={2015}, + pages={318}, + year={2015} +} + +@misc{Martens2015, + title = {Practical Compact E-Cash with Arbitrary Wallet Size}, + author = {Patrick M{\"a}rtens}, + howpublished = {IACR Cryptology ePrint Archive 2015/086}, + year = {2015}, + note = {\url{http://eprint.iacr.org/2015/086}}, +} + + +@inproceedings{bensasson2014zerocash, + author = {Eli Ben-Sasson and Alessandro Chiesa and Christina Garman and Matthew Green and Ian Miers and Eran Tromer and Madars Virza}, + title = {Zerocash: Decentralized Anonymous Payments from Bitcoin}, + booktitle = {IEEE Symposium on Security \& Privacy}, + year = {2014}, +} + + +@book{molander1998cyberpayments, + title={Cyberpayments and money laundering: Problems and promise}, + author={Molander, Roger C and Mussington, David A and Mussington, David and Wilson, Peter A}, + volume={965}, + year={1998}, + publisher={Rand Corporation} +} + + +@InProceedings{sander1999escrow, + author = {Tomas Sander and Amnon Ta-Shma}, + title = {On Anonymous Electronic Cash and Crime}, + booktitle = {ISW'99}, + year = {1999}, + series = {LNCS 1729}, + pages = {202--206}, +} + +@inproceedings{stadler1995fair, + title={Fair blind signatures}, + author={Stadler, Markus and Piveteau, Jean-Marc and Camenisch, Jan}, + booktitle={International Conference on the Theory and Applications of Cryptographic Techniques}, + pages={209--219}, + year={1995}, + organization={Springer} +} + +@Article{solms1992perfect, + author = {Sebastiaan H. von Solms and David Naccache}, + title = {On blind signatures and perfect crimes}, + journal = {Computers \& Security}, + year = {1992}, + volume = {11}, + number = {6}, + pages = {581--583}, +} + + +@Misc{guardian2015cap, + author = {Rupert Jones}, + title = {Cap on card fees could lead to lower prices for consumers}, + howpublished = {\url{http://www.theguardian.com/money/2015/jul/27/cap-on-card-fees-retailers}}, + month = {7}, + year = {2015}, +} + + +@Misc{crinkey2011rundle, + author = {Guy Rundle}, + title = {The humble credit card is now a political tool}, + howpublished = {\url{http://www.crikey.com.au/2011/10/25/rundle-humble-credit-card-now-a-political-tool-just-ask-wikileaks/}}, + month = {10}, + year = {2011}, +} + + +@unpublished{cryptonote, + author = {van Saberhagen, Nicolas}, + month = {10}, + posted-at = {2016-09-18 11:44:05}, + priority = {2}, + title = {{CryptoNote v 2.0}}, + url = {https://cryptonote.org/whitepaper.pdf}, + year = {2013} +} + + +@inproceedings{rupp2013p4r, + title={P4R: Privacy-preserving pre-payments with refunds for transportation systems}, + author={Rupp, Andy and Hinterw{\"a}lder, Gesine and Baldimtsi, Foteini and Paar, Christof}, + booktitle={International Conference on Financial Cryptography and Data Security}, + pages={205--212}, + year={2013}, + organization={Springer} +} + + +@inproceedings{tor-design, + title = {Tor: The Second-Generation Onion Router}, + author = {Roger Dingledine and Nick Mathewson and Paul Syverson}, + booktitle = {Proceedings of the 13th USENIX Security Symposium}, + year = {2004}, + month = {8}, + www_important = {1}, + www_tags = {selected}, + www_html_url = {https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html}, + www_pdf_url = {https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.pdf}, + www_section = {Anonymous communication}, +} + + +@Misc{greece2015cash, + author = {Reuters}, + title = {Greek council recommends 60 euro limit on ATM withdrawals from Tuesday}, + howpublished = {\url{http://www.reuters.com/article/2015/06/28/eurozone-greece-limits-idUSA8N0Z302P20150628}}, + month = {6}, + year = {2015}, +} + +@Misc{france2015cash, + author = {Heinz-Peter Bader}, + title = {France steps up monitoring of cash payments to fight low-cost terrorism}, + howpublished = {\url{http://www.reuters.com/article/2015/03/18/us-france-security-financing-idUSKBN0ME14720150318}}, + month = {3}, + year = {2015}, +} + + +@article{dent2008extensions, + title={Extensions to Chaum's Blind Signature Scheme and OpenCoin Requirements}, + author={Dent, AW and Paterson, KG and Wild, PR}, + year={2008} +} + +@article{dent2008preliminary, + title={Preliminary Report on Chaum's Online E-Cash Architecture}, + author={Dent, AW and Paterson, KG and Wild, PR}, + journal={Royal Holloway, University of London}, + year={2008} +} + + +@Misc{ibi2014, + author = {ibi research}, + title = {Digitalisierung der Gesellschaft 2014 --- Aktuelle Einsch\"atzungen und Trends}, + howpublished = {\url{http://www.ecommerce-leitfaden.de/digitalisierung-der-gesellschaft-2014.html}}, + year = {2014}, +} + +@inproceedings{fujisaki-okamoto, + title={Secure integration of asymmetric and symmetric encryption schemes}, + author={Fujisaki, Eiichiro and Okamoto, Tatsuaki}, + booktitle={Annual International Cryptology Conference}, + pages={537--554}, + year={1999}, + organization={Springer} +} + +@article{bernstein2012high, + title={High-speed high-security signatures}, + author={Bernstein, Daniel J and Duif, Niels and Lange, Tanja and Schwabe, Peter and Yang, Bo-Yin}, + journal={Journal of Cryptographic Engineering}, + volume={2}, + number={2}, + pages={77--89}, + year={2012}, + publisher={Springer} +} + + +@inproceedings{bernstein2006curve25519, + title={Curve25519: new Diffie-Hellman speed records}, + author={Bernstein, Daniel J}, + booktitle={International Workshop on Public Key Cryptography}, + pages={207--228}, + year={2006}, + organization={Springer} +} + +@techreport{pagnia1999impossibility, + title={On the impossibility of fair exchange without a trusted third party}, + author={Pagnia, Henning and G{\"a}rtner, Felix C}, + year={1999}, + institution={Technical Report TUD-BS-1999-02, Darmstadt University of Technology, Department of Computer Science, Darmstadt, Germany} +} + +@book{katz1996handbook, + title={Handbook of applied cryptography}, + author={Katz, Jonathan and Menezes, Alfred J and Van Oorschot, Paul C and Vanstone, Scott A}, + year={1996}, + publisher={CRC press} +} + + +% ===== PROVABLE SECURITY ===== + +% see also https://www.baigneres.net/downloads/2007_provable_security.pdf + +@article{koblitz2007another, + title={Another look at" provable security"}, + author={Koblitz, Neal and Menezes, Alfred J}, + journal={Journal of Cryptology}, + volume={20}, + number={1}, + pages={3--37}, + year={2007}, + publisher={Springer} +} + +@incollection{pointcheval2005provable, + title={Provable security for public key schemes}, + author={Pointcheval, David}, + booktitle={Contemporary cryptology}, + pages={133--190}, + year={2005}, + publisher={Springer} +} + +@article{shoup2004sequences, + title={Sequences of games: a tool for taming complexity in security proofs.}, + author={Shoup, Victor}, + journal={IACR Cryptology ePrint Archive}, + volume={2004}, + pages={332}, + year={2004} +} + + +@inproceedings{coron2000exact, + title={On the exact security of full domain hash}, + author={Coron, Jean-S{\'e}bastien}, + booktitle={Annual International Cryptology Conference}, + pages={229--235}, + year={2000}, + organization={Springer} +} + +@inproceedings{damgaard2007proof, + title={A “proof-reading” of some issues in cryptography}, + author={Damg{\aa}rd, Ivan}, + booktitle={International Colloquium on Automata, Languages, and Programming}, + pages={2--11}, + year={2007}, + organization={Springer} +} + +@article{koblitz2010brave, + title={The brave new world of bodacious assumptions in cryptography}, + author={Koblitz, Neal and Menezes, Alfred}, + journal={Notices of the American Mathematical Society}, + volume={57}, + number={3}, + pages={357--365}, + year={2010} +} + +@inproceedings{bellare1993random, + title={Random oracles are practical: A paradigm for designing efficient protocols}, + author={Bellare, Mihir and Rogaway, Phillip}, + booktitle={Proceedings of the 1st ACM conference on Computer and communications security}, + pages={62--73}, + year={1993}, + organization={ACM} +} + +@article{koblitz2015random, + title={The random oracle model: a twenty-year retrospective}, + author={Koblitz, Neal and Menezes, Alfred J}, + journal={Designs, Codes and Cryptography}, + volume={77}, + number={2-3}, + pages={587--610}, + year={2015}, + publisher={Springer} +} + +@article{canetti2004random, + title={The random oracle methodology, revisited}, + author={Canetti, Ran and Goldreich, Oded and Halevi, Shai}, + journal={Journal of the ACM (JACM)}, + volume={51}, + number={4}, + pages={557--594}, + year={2004}, + publisher={ACM} +} + +@inproceedings{dreier2015formal, + title={Formal analysis of e-cash protocols}, + author={Dreier, Jannik and Kassem, Ali and Lafourcade, Pascal}, + booktitle={e-Business and Telecommunications (ICETE), 2015 12th International Joint Conference on}, + volume={4}, + pages={65--75}, + year={2015}, + organization={IEEE} +} + +@inproceedings{brickell1995trustee, + title={Trustee-based Tracing Extensions to Anonymous Cash and the Making of Anonymous Change.}, + author={Brickell, Ernest F and Gemmell, Peter and Kravitz, David W}, + booktitle={SODA}, + volume={95}, + pages={457--466}, + year={1995} +} + + + +% ===== CRYPTO BASICS ===== + +@inproceedings{boneh1998decision, + title={The decision diffie-hellman problem}, + author={Boneh, Dan}, + booktitle={International Algorithmic Number Theory Symposium}, + pages={48--63}, + year={1998}, + organization={Springer} +} + + +@article{goldwasser1988digital, + title={A digital signature scheme secure against adaptive chosen-message attacks}, + author={Goldwasser, Shafi and Micali, Silvio and Rivest, Ronald L}, + journal={SIAM Journal on Computing}, + volume={17}, + number={2}, + pages={281--308}, + year={1988}, + publisher={SIAM} +} + + +@inproceedings{bellare1998relations, + title={Relations among notions of security for public-key encryption schemes}, + author={Bellare, Mihir and Desai, Anand and Pointcheval, David and Rogaway, Phillip}, + booktitle={Annual International Cryptology Conference}, + pages={26--45}, + year={1998}, + organization={Springer} +} + + +@inproceedings{blanchet2006automated, + title={Automated security proofs with sequences of games}, + author={Blanchet, Bruno and Pointcheval, David}, + booktitle={Annual International Cryptology Conference}, + pages={537--554}, + year={2006}, + organization={Springer} +} + + +@inproceedings{bellare2006code, + title={Code-based game-playing proofs and the security of triple encryption}, + author={Bellare, Mihir and Rogaway, Phillip}, + booktitle={Advances in Cryptology--EUROCRYPT}, + volume={4004}, + pages={10}, + year={2006} +} + +@inproceedings{fischlin2009security, + title={Security of blind signatures under aborts}, + author={Fischlin, Marc and Schr{\"o}der, Dominique}, + booktitle={International Workshop on Public Key Cryptography}, + pages={297--316}, + year={2009}, + organization={Springer} +} + + +@incollection{lindell2017simulate, + title={How to simulate it--a tutorial on the simulation proof technique}, + author={Lindell, Yehuda}, + booktitle={Tutorials on the Foundations of Cryptography}, + pages={277--346}, + year={2017}, + publisher={Springer} +} + +@book{guo2018introduction, + title={Introduction to Security Reduction}, + author={Guo, Fuchun and Susilo, Willy and Mu, Yi}, + year={2018}, + publisher={Springer} +} + +@article{stallman2002free, + title={What is free software}, + author={Stallman, Richard M}, + journal={Free Society: Selected Essays of}, + volume={23}, + year={2002} +} + +@book{stallman2002essays, + title={Free software, free society: Selected essays of Richard M. Stallman}, + author={Stallman, Richard}, + year={2002}, + publisher={Lulu. com} +} + + +@article{adyen2016global, + title={The Global E-Commerce Payments Guide}, + author={Adyen}, + year={2016} +} + +@article{paypers2016ecommerce, + title={Ecommerce Payment Methods Report 2016}, + author={Lupu, Sebastian and Mual, Melisande and van Stiphout, Mees}, + year={2016} +} + + +@inproceedings{beikverdi2015trend, + title={Trend of centralization in Bitcoin's distributed network}, + author={Beikverdi, Alireza and Song, JooSeok}, + booktitle={Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), 2015 16th IEEE/ACIS International Conference on}, + pages={1--6}, + year={2015}, + organization={IEEE} +} + +@article{bohme2015bitcoin, + title={Bitcoin: Economics, technology, and governance}, + author={B{\"o}hme, Rainer and Christin, Nicolas and Edelman, Benjamin and Moore, Tyler}, + journal={Journal of Economic Perspectives}, + volume={29}, + number={2}, + pages={213--38}, + year={2015} +} + + +@article{provos2007ghost, + title={The Ghost in the Browser: Analysis of Web-based Malware.}, + author={Provos, Niels and McNamee, Dean and Mavrommatis, Panayiotis and Wang, Ke and Modadugu, Nagendra and others}, + journal={HotBots}, + volume={7}, + pages={4--4}, + year={2007} +} + +@misc{riksbank2017riksbank, + title={The Riksbank’s e-krona project}, + author={Riksbank, Sveriges}, + year={2017}, + publisher={Report} +} + +@inproceedings{fuchsbauer2009transferable, +title={Transferable constant-size fair e-cash}, +author={Fuchsbauer, Georg and Pointcheval, David and Vergnaud, Damien}, +booktitle={International Conference on Cryptology and Network Security}, +pages={226--247}, +year={2009}, +organization={Springer} +} + +@inproceedings{au2011electronic, + title={Electronic cash with anonymous user suspension}, + author={Au, Man Ho and Susilo, Willy and Mu, Yi}, + booktitle={Australasian Conference on Information Security and Privacy}, + pages={172--188}, + year={2011}, + organization={Springer} +} + +@article{schroder2017security, + title={Security of blind signatures revisited}, + author={Schr{\"o}der, Dominique and Unruh, Dominique}, + journal={Journal of Cryptology}, + volume={30}, + number={2}, + pages={470--494}, + year={2017}, + publisher={Springer} +} + +@inproceedings{camenisch2004signature, + title={Signature schemes and anonymous credentials from bilinear maps}, + author={Camenisch, Jan and Lysyanskaya, Anna}, + booktitle={Annual International Cryptology Conference}, + pages={56--72}, + year={2004}, + organization={Springer} +} + +@misc{next1999digicash, + publisher={NEXT Magazine}, + year={1999}, + author={How DigiCash Blew Everything}, + author={Anonymous} +} + +@inproceedings{canard2007divisible, + title={Divisible e-cash systems can be truly anonymous}, + author={Canard, S{\'e}bastien and Gouget, Aline}, + booktitle={Annual International Conference on the Theory and Applications of Cryptographic Techniques}, + pages={482--497}, + year={2007}, + organization={Springer} +} + +@inproceedings{canard2006handy, + title={A handy multi-coupon system}, + author={Canard, S{\'e}bastien and Gouget, Aline and Hufschmitt, Emeline}, + booktitle={International Conference on Applied Cryptography and Network Security}, + pages={66--81}, + year={2006}, + organization={Springer} +} + + +@Article{batten2018offline, + author="Batten, Lynn and Yi, Xun", + title="Off-line digital cash schemes providing untraceability, anonymity and change", + journal="Electronic Commerce Research", + year={2018}, + month={1}, + day={27}, + issn="1572-9362", + doi="10.1007/s10660-018-9289-8", + url="https://doi.org/10.1007/s10660-018-9289-8" +} + +@inproceedings{chaum1992wallet, + title={Wallet databases with observers}, + author={Chaum, David and Pedersen, Torben Pryds}, + booktitle={Annual International Cryptology Conference}, + pages={89--105}, + year={1992}, + organization={Springer} +} + +@inproceedings{davida1997anonymity, + title={Anonymity control in e-cash systems}, + author={Davida, George and Frankel, Yair and Tsiounis, Yiannis and Yung, Moti}, + booktitle={International Conference on Financial Cryptography}, + pages={1--16}, + year={1997}, + organization={Springer} +} + + +@inproceedings{chaum1989efficient, + title={Efficient offline electronic checks}, + author={Chaum, David and den Boer, Bert and van Heyst, Eug{\`e}ne and Mj{\o}lsnes, Stig and Steenbeek, Adri}, + booktitle={Workshop on the theory and application of of cryptographic techniques}, + pages={294--301}, + year={1989}, + organization={Springer} +} + +@article{pointcheval2000security, + title={Security arguments for digital signatures and blind signatures}, + author={Pointcheval, David and Stern, Jacques}, + journal={Journal of cryptology}, + volume={13}, + number={3}, + pages={361--396}, + year={2000}, + publisher={Springer} +} + +@inproceedings{damgaard1988payment, + title={Payment systems and credential mechanisms with provable security against abuse by individuals}, + author={Damg{\aa}rd, Ivan Bjerre}, + booktitle={Conference on the Theory and Application of Cryptography}, + pages={328--335}, + year={1988}, + organization={Springer} +} + +@inproceedings{haber1990time, + title={How to time-stamp a digital document}, + author={Haber, Stuart and Stornetta, W Scott}, + booktitle={Conference on the Theory and Application of Cryptography}, + pages={437--455}, + year={1990}, + organization={Springer} +} + + +@article{wust2017you, + title={Do you need a Blockchain?}, + author={W{\"u}st, Karl and Gervais, Arthur}, + journal={IACR Cryptology ePrint Archive}, + volume={2017}, + pages={375}, + year={2017} +} + +@inproceedings{pedersen1996electronic, + title={Electronic payments of small amounts}, + author={Pedersen, Torben P}, + booktitle={International Workshop on Security Protocols}, + pages={59--68}, + year={1996}, + organization={Springer} +} + +@article{poon2016bitcoin, + title={The bitcoin lightning network: Scalable off-chain instant payments}, + author={Poon, Joseph and Dryja, Thaddeus}, + journal={draft version 0.5}, + pages={14}, + year={2016} +} + +@article{poon2017plasma, + title={Plasma: Scalable autonomous smart contracts}, + author={Poon, Joseph and Buterin, Vitalik}, + journal={White paper}, + year={2017} +} + +@article{eyal2018majority, + title={Majority is not enough: Bitcoin mining is vulnerable}, + author={Eyal, Ittay and Sirer, Emin G{\"u}n}, + journal={Communications of the ACM}, + volume={61}, + number={7}, + pages={95--102}, + year={2018}, + publisher={ACM} +} + +@inproceedings{vukolic2015quest, + title={The quest for scalable blockchain fabric: Proof-of-work vs. BFT replication}, + author={Vukoli{\'c}, Marko}, + booktitle={International Workshop on Open Problems in Network Security}, + pages={112--125}, + year={2015}, + organization={Springer} +} + +@inproceedings{eyal2016bitcoin, + title={Bitcoin-NG: A Scalable Blockchain Protocol.}, + author={Eyal, Ittay and Gencer, Adem Efe and Sirer, Emin G{\"u}n and Van Renesse, Robbert}, + booktitle={NSDI}, + pages={45--59}, + year={2016} +} + + +@inproceedings{bentov2016cryptocurrencies, + title={Cryptocurrencies without proof of work}, + author={Bentov, Iddo and Gabizon, Ariel and Mizrahi, Alex}, + booktitle={International Conference on Financial Cryptography and Data Security}, + pages={142--157}, + year={2016}, + organization={Springer} +} + +@inproceedings{gilad2017algorand, + title={Algorand: Scaling byzantine agreements for cryptocurrencies}, + author={Gilad, Yossi and Hemo, Rotem and Micali, Silvio and Vlachos, Georgios and Zeldovich, Nickolai}, + booktitle={Proceedings of the 26th Symposium on Operating Systems Principles}, + pages={51--68}, + year={2017}, + organization={ACM} +} + +@article{kwon2014tendermint, + title={Tendermint: Consensus without mining}, + author={Kwon, Jae}, + journal={Draft v. 0.6, fall}, + year={2014} +} + + +@article{rocket2018snowflake, + title={Snowflake to Avalanche: A Novel Metastable Consensus Protocol Family for Cryptocurrencies}, + author={Team Rocket}, + journal={IPFS}, + year={2018} +} + +@inproceedings{androulaki2018hyperledger, + title={Hyperledger fabric: a distributed operating system for permissioned blockchains}, + author={Androulaki, Elli and Barger, Artem and Bortnikov, Vita and Cachin, Christian and Christidis, Konstantinos and De Caro, Angelo and Enyeart, David and Ferris, Christopher and Laventman, Gennady and Manevich, Yacov and others}, + booktitle={Proceedings of the Thirteenth EuroSys Conference}, + pages={30}, + year={2018}, + organization={ACM} +} + +@article{wood2014ethereum, + title={Ethereum: A secure decentralised generalised transaction ledger}, + author={Wood, Gavin}, + journal={Ethereum project yellow paper}, + volume={151}, + pages={1--32}, + year={2014} +} + +@article{reijers2016governance, + title={Governance in blockchain technologies \& social contract theories}, + author={Reijers, Wessel and O'Brolch{\'a}in, Fiachra and Haynes, Paul}, + journal={Ledger}, + volume={1}, + pages={134--151}, + year={2016} +} + +@article{levy2017book, + title={Book-smart, not street-smart: blockchain-based smart contracts and the social workings of law}, + author={Levy, Karen EC}, + journal={Engaging Science, Technology, and Society}, + volume={3}, + pages={1--15}, + year={2017} +} + +@incollection{reid2013analysis, + title={An analysis of anonymity in the bitcoin system}, + author={Reid, Fergal and Harrigan, Martin}, + booktitle={Security and privacy in social networks}, + pages={197--223}, + year={2013}, + publisher={Springer} +} + +@inproceedings{bonneau2014mixcoin, + title={Mixcoin: Anonymity for Bitcoin with accountable mixes}, + author={Bonneau, Joseph and Narayanan, Arvind and Miller, Andrew and Clark, Jeremy and Kroll, Joshua A and Felten, Edward W}, + booktitle={International Conference on Financial Cryptography and Data Security}, + pages={486--504}, + year={2014}, + organization={Springer} +} + +@inproceedings{heilman2017tumblebit, + title={TumbleBit: An untrusted Bitcoin-compatible anonymous payment hub}, + author={Heilman, Ethan and Alshenibr, Leen and Baldimtsi, Foteini and Scafuro, Alessandra and Goldberg, Sharon}, + booktitle={Network and Distributed System Security Symposium}, + year={2017} +} + +@inproceedings{sun2017ringct, + title={RingCT 2.0: a compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency monero}, + author={Sun, Shi-Feng and Au, Man Ho and Liu, Joseph K and Yuen, Tsz Hon}, + booktitle={European Symposium on Research in Computer Security}, + pages={456--474}, + year={2017}, + organization={Springer} +} + +@inproceedings{wahby2018doubly, + title={Doubly-efficient zkSNARKs without trusted setup}, + author={Wahby, Riad S and Tzialla, Ioanna and Shelat, Abhi and Thaler, Justin and Walfish, Michael}, + booktitle={2018 IEEE Symposium on Security and Privacy (SP)}, + pages={926--943}, + year={2018}, + organization={IEEE} +} + +@article{ben2018scalable, + title={Scalable, transparent, and post-quantum secure computational integrity}, + author={Ben-Sasson, Eli and Bentov, Iddo and Horesh, Yinon and Riabzev, Michael}, + journal={Cryptol. ePrint Arch., Tech. Rep}, + volume={46}, + pages={2018}, + year={2018} +} + +@inproceedings{garman2016accountable, + title={Accountable privacy for decentralized anonymous payments}, + author={Garman, Christina and Green, Matthew and Miers, Ian}, + booktitle={International Conference on Financial Cryptography and Data Security}, + pages={81--98}, + year={2016}, + organization={Springer} +} + +@online{crockford_base32, +author = {Crockford, Douglas}, +title = {Base32 Encoding}, +url = {https://www.crockford.com/wrmg/base32.html} +} + +@misc{rfc4634, + series = {Request for Comments}, + number = 4634, + howpublished = {RFC 4634}, + publisher = {RFC Editor}, + doi = {10.17487/RFC4634}, + url = {https://rfc-editor.org/rfc/rfc4634.txt}, + author = {Tony Hansen and Donald E. Eastlake 3rd}, + title = {{US Secure Hash Algorithms (SHA and HMAC-SHA)}}, + pagetotal = 108, + year = 2006, + month = aug, +} + +@misc{rfc5869, + series = {Request for Comments}, + number = 5869, + howpublished = {RFC 5869}, + publisher = {RFC Editor}, + doi = {10.17487/RFC5869}, + url = {https://rfc-editor.org/rfc/rfc5869.txt}, + author = {Dr. Hugo Krawczyk and Pasi Eronen}, + title = {{HMAC-based Extract-and-Expand Key Derivation Function (HKDF)}}, + pagetotal = 14, + year = 2010, + month = may, +} diff --git a/taler-fc19/splncs04.bst b/taler-fc19/splncs04.bst new file mode 100644 index 0000000..2bcad4d --- /dev/null +++ b/taler-fc19/splncs04.bst @@ -0,0 +1,1548 @@ +%% BibTeX bibliography style `splncs03'
+%%
+%% BibTeX bibliography style for use with numbered references in
+%% Springer Verlag's "Lecture Notes in Computer Science" series.
+%% (See Springer's documentation for llncs.cls for
+%% more details of the suggested reference format.) Note that this
+%% file will not work for author-year style citations.
+%%
+%% Use \documentclass{llncs} and \bibliographystyle{splncs03}, and cite
+%% a reference with (e.g.) \cite{smith77} to get a "[1]" in the text.
+%%
+%% This file comes to you courtesy of Maurizio "Titto" Patrignani of
+%% Dipartimento di Informatica e Automazione Universita' Roma Tre
+%%
+%% ================================================================================================
+%% This was file `titto-lncs-02.bst' produced on Wed Apr 1, 2009
+%% Edited by hand by titto based on `titto-lncs-01.bst' (see below)
+%%
+%% CHANGES (with respect to titto-lncs-01.bst):
+%% - Removed the call to \urlprefix (thus no "URL" string is added to the output)
+%% ================================================================================================
+%% This was file `titto-lncs-01.bst' produced on Fri Aug 22, 2008
+%% Edited by hand by titto based on `titto.bst' (see below)
+%%
+%% CHANGES (with respect to titto.bst):
+%% - Removed the "capitalize" command for editors string "(eds.)" and "(ed.)"
+%% - Introduced the functions titto.bbl.pages and titto.bbl.page for journal pages (without "pp.")
+%% - Added a new.sentence command to separate with a dot booktitle and series in the inproceedings
+%% - Commented all new.block commands before urls and notes (to separate them with a comma)
+%% - Introduced the functions titto.bbl.volume for handling journal volumes (without "vol." label)
+%% - Used for editors the same name conventions used for authors (see function format.in.ed.booktitle)
+%% - Removed a \newblock to avoid long spaces between title and "In: ..."
+%% - Added function titto.space.prefix to add a space instead of "~" after the (removed) "vol." label
+%% - Added doi
+%% ================================================================================================
+%% This was file `titto.bst',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% merlin.mbs (with options: `vonx,nm-rvvc,yr-par,jttl-rm,volp-com,jwdpg,jwdvol,numser,ser-vol,jnm-x,btit-rm,bt-rm,edparxc,bkedcap,au-col,in-col,fin-bare,pp,ed,abr,mth-bare,xedn,jabr,and-com,and-com-ed,xand,url,url-blk,em-x,nfss,')
+%% ----------------------------------------
+%% *** Tentative .bst file for Springer LNCS ***
+%%
+%% Copyright 1994-2007 Patrick W Daly
+ % ===============================================================
+ % IMPORTANT NOTICE:
+ % This bibliographic style (bst) file has been generated from one or
+ % more master bibliographic style (mbs) files, listed above.
+ %
+ % This generated file can be redistributed and/or modified under the terms
+ % of the LaTeX Project Public License Distributed from CTAN
+ % archives in directory macros/latex/base/lppl.txt; either
+ % version 1 of the License, or any later version.
+ % ===============================================================
+ % Name and version information of the main mbs file:
+ % \ProvidesFile{merlin.mbs}[2007/04/24 4.20 (PWD, AO, DPC)]
+ % For use with BibTeX version 0.99a or later
+ %-------------------------------------------------------------------
+ % This bibliography style file is intended for texts in ENGLISH
+ % This is a numerical citation style, and as such is standard LaTeX.
+ % It requires no extra package to interface to the main text.
+ % The form of the \bibitem entries is
+ % \bibitem{key}...
+ % Usage of \cite is as follows:
+ % \cite{key} ==>> [#]
+ % \cite[chap. 2]{key} ==>> [#, chap. 2]
+ % where # is a number determined by the ordering in the reference list.
+ % The order in the reference list is alphabetical by authors.
+ %---------------------------------------------------------------------
+
+ENTRY
+ { address
+ author
+ booktitle
+ chapter
+ doi
+ edition
+ editor
+ eid
+ howpublished
+ institution
+ journal
+ key
+ month
+ note
+ number
+ organization
+ pages
+ publisher
+ school
+ series
+ title
+ type
+ url
+ volume
+ year
+ }
+ {}
+ { label }
+INTEGERS { output.state before.all mid.sentence after.sentence after.block }
+FUNCTION {init.state.consts}
+{ #0 'before.all :=
+ #1 'mid.sentence :=
+ #2 'after.sentence :=
+ #3 'after.block :=
+}
+STRINGS { s t}
+FUNCTION {output.nonnull}
+{ 's :=
+ output.state mid.sentence =
+ { ", " * write$ }
+ { output.state after.block =
+ { add.period$ write$
+% newline$
+% "\newblock " write$ % removed for titto-lncs-01
+ " " write$ % to avoid long spaces between title and "In: ..."
+ }
+ { output.state before.all =
+ 'write$
+ { add.period$ " " * write$ }
+ if$
+ }
+ if$
+ mid.sentence 'output.state :=
+ }
+ if$
+ s
+}
+FUNCTION {output}
+{ duplicate$ empty$
+ 'pop$
+ 'output.nonnull
+ if$
+}
+FUNCTION {output.check}
+{ 't :=
+ duplicate$ empty$
+ { pop$ "empty " t * " in " * cite$ * warning$ }
+ 'output.nonnull
+ if$
+}
+FUNCTION {fin.entry}
+{ duplicate$ empty$
+ 'pop$
+ 'write$
+ if$
+ newline$
+}
+
+FUNCTION {new.block}
+{ output.state before.all =
+ 'skip$
+ { after.block 'output.state := }
+ if$
+}
+FUNCTION {new.sentence}
+{ output.state after.block =
+ 'skip$
+ { output.state before.all =
+ 'skip$
+ { after.sentence 'output.state := }
+ if$
+ }
+ if$
+}
+FUNCTION {add.blank}
+{ " " * before.all 'output.state :=
+}
+
+
+FUNCTION {add.colon}
+{ duplicate$ empty$
+ 'skip$
+ { ":" * add.blank }
+ if$
+}
+
+FUNCTION {date.block}
+{
+ new.block
+}
+
+FUNCTION {not}
+{ { #0 }
+ { #1 }
+ if$
+}
+FUNCTION {and}
+{ 'skip$
+ { pop$ #0 }
+ if$
+}
+FUNCTION {or}
+{ { pop$ #1 }
+ 'skip$
+ if$
+}
+STRINGS {z}
+FUNCTION {remove.dots}
+{ 'z :=
+ ""
+ { z empty$ not }
+ { z #1 #1 substring$
+ z #2 global.max$ substring$ 'z :=
+ duplicate$ "." = 'pop$
+ { * }
+ if$
+ }
+ while$
+}
+FUNCTION {new.block.checka}
+{ empty$
+ 'skip$
+ 'new.block
+ if$
+}
+FUNCTION {new.block.checkb}
+{ empty$
+ swap$ empty$
+ and
+ 'skip$
+ 'new.block
+ if$
+}
+FUNCTION {new.sentence.checka}
+{ empty$
+ 'skip$
+ 'new.sentence
+ if$
+}
+FUNCTION {new.sentence.checkb}
+{ empty$
+ swap$ empty$
+ and
+ 'skip$
+ 'new.sentence
+ if$
+}
+FUNCTION {field.or.null}
+{ duplicate$ empty$
+ { pop$ "" }
+ 'skip$
+ if$
+}
+FUNCTION {emphasize}
+{ skip$ }
+
+FUNCTION {embolden}
+{ duplicate$ empty$
+{ pop$ "" }
+{ "\textbf{" swap$ * "}" * }
+if$
+}
+FUNCTION {tie.or.space.prefix}
+{ duplicate$ text.length$ #5 <
+ { "~" }
+ { " " }
+ if$
+ swap$
+}
+FUNCTION {titto.space.prefix} % always introduce a space
+{ duplicate$ text.length$ #3 <
+ { " " }
+ { " " }
+ if$
+ swap$
+}
+
+
+FUNCTION {capitalize}
+{ "u" change.case$ "t" change.case$ }
+
+FUNCTION {space.word}
+{ " " swap$ * " " * }
+ % Here are the language-specific definitions for explicit words.
+ % Each function has a name bbl.xxx where xxx is the English word.
+ % The language selected here is ENGLISH
+FUNCTION {bbl.and}
+{ "and"}
+
+FUNCTION {bbl.etal}
+{ "et~al." }
+
+FUNCTION {bbl.editors}
+{ "eds." }
+
+FUNCTION {bbl.editor}
+{ "ed." }
+
+FUNCTION {bbl.edby}
+{ "edited by" }
+
+FUNCTION {bbl.edition}
+{ "edn." }
+
+FUNCTION {bbl.volume}
+{ "vol." }
+
+FUNCTION {titto.bbl.volume} % for handling journals
+{ "" }
+
+FUNCTION {bbl.of}
+{ "of" }
+
+FUNCTION {bbl.number}
+{ "no." }
+
+FUNCTION {bbl.nr}
+{ "no." }
+
+FUNCTION {bbl.in}
+{ "in" }
+
+FUNCTION {bbl.pages}
+{ "pp." }
+
+FUNCTION {bbl.page}
+{ "p." }
+
+FUNCTION {titto.bbl.pages} % for journals
+{ "" }
+
+FUNCTION {titto.bbl.page} % for journals
+{ "" }
+
+FUNCTION {bbl.chapter}
+{ "chap." }
+
+FUNCTION {bbl.techrep}
+{ "Tech. Rep." }
+
+FUNCTION {bbl.mthesis}
+{ "Master's thesis" }
+
+FUNCTION {bbl.phdthesis}
+{ "Ph.D. thesis" }
+
+MACRO {jan} {"Jan."}
+
+MACRO {feb} {"Feb."}
+
+MACRO {mar} {"Mar."}
+
+MACRO {apr} {"Apr."}
+
+MACRO {may} {"May"}
+
+MACRO {jun} {"Jun."}
+
+MACRO {jul} {"Jul."}
+
+MACRO {aug} {"Aug."}
+
+MACRO {sep} {"Sep."}
+
+MACRO {oct} {"Oct."}
+
+MACRO {nov} {"Nov."}
+
+MACRO {dec} {"Dec."}
+
+MACRO {acmcs} {"ACM Comput. Surv."}
+
+MACRO {acta} {"Acta Inf."}
+
+MACRO {cacm} {"Commun. ACM"}
+
+MACRO {ibmjrd} {"IBM J. Res. Dev."}
+
+MACRO {ibmsj} {"IBM Syst.~J."}
+
+MACRO {ieeese} {"IEEE Trans. Software Eng."}
+
+MACRO {ieeetc} {"IEEE Trans. Comput."}
+
+MACRO {ieeetcad}
+ {"IEEE Trans. Comput. Aid. Des."}
+
+MACRO {ipl} {"Inf. Process. Lett."}
+
+MACRO {jacm} {"J.~ACM"}
+
+MACRO {jcss} {"J.~Comput. Syst. Sci."}
+
+MACRO {scp} {"Sci. Comput. Program."}
+
+MACRO {sicomp} {"SIAM J. Comput."}
+
+MACRO {tocs} {"ACM Trans. Comput. Syst."}
+
+MACRO {tods} {"ACM Trans. Database Syst."}
+
+MACRO {tog} {"ACM Trans. Graphic."}
+
+MACRO {toms} {"ACM Trans. Math. Software"}
+
+MACRO {toois} {"ACM Trans. Office Inf. Syst."}
+
+MACRO {toplas} {"ACM Trans. Progr. Lang. Syst."}
+
+MACRO {tcs} {"Theor. Comput. Sci."}
+
+FUNCTION {bibinfo.check}
+{ swap$
+ duplicate$ missing$
+ {
+ pop$ pop$
+ ""
+ }
+ { duplicate$ empty$
+ {
+ swap$ pop$
+ }
+ { swap$
+ pop$
+ }
+ if$
+ }
+ if$
+}
+FUNCTION {bibinfo.warn}
+{ swap$
+ duplicate$ missing$
+ {
+ swap$ "missing " swap$ * " in " * cite$ * warning$ pop$
+ ""
+ }
+ { duplicate$ empty$
+ {
+ swap$ "empty " swap$ * " in " * cite$ * warning$
+ }
+ { swap$
+ pop$
+ }
+ if$
+ }
+ if$
+}
+FUNCTION {format.url}
+{ url empty$
+ { "" }
+% { "\urlprefix\url{" url * "}" * }
+ { "\url{" url * "}" * } % changed in titto-lncs-02.bst
+ if$
+}
+
+FUNCTION {format.doi} % added in splncs04.bst
+{ doi empty$
+ { "" }
+ { after.block 'output.state :=
+ "\doi{" doi * "}" * }
+ if$
+}
+
+INTEGERS { nameptr namesleft numnames }
+
+
+STRINGS { bibinfo}
+
+FUNCTION {format.names}
+{ 'bibinfo :=
+ duplicate$ empty$ 'skip$ {
+ 's :=
+ "" 't :=
+ #1 'nameptr :=
+ s num.names$ 'numnames :=
+ numnames 'namesleft :=
+ { namesleft #0 > }
+ { s nameptr
+ "{vv~}{ll}{, jj}{, f{.}.}"
+ format.name$
+ bibinfo bibinfo.check
+ 't :=
+ nameptr #1 >
+ {
+ namesleft #1 >
+ { ", " * t * }
+ {
+ s nameptr "{ll}" format.name$ duplicate$ "others" =
+ { 't := }
+ { pop$ }
+ if$
+ "," *
+ t "others" =
+ {
+ " " * bbl.etal *
+ }
+ { " " * t * }
+ if$
+ }
+ if$
+ }
+ 't
+ if$
+ nameptr #1 + 'nameptr :=
+ namesleft #1 - 'namesleft :=
+ }
+ while$
+ } if$
+}
+FUNCTION {format.names.ed}
+{
+ 'bibinfo :=
+ duplicate$ empty$ 'skip$ {
+ 's :=
+ "" 't :=
+ #1 'nameptr :=
+ s num.names$ 'numnames :=
+ numnames 'namesleft :=
+ { namesleft #0 > }
+ { s nameptr
+ "{f{.}.~}{vv~}{ll}{ jj}"
+ format.name$
+ bibinfo bibinfo.check
+ 't :=
+ nameptr #1 >
+ {
+ namesleft #1 >
+ { ", " * t * }
+ {
+ s nameptr "{ll}" format.name$ duplicate$ "others" =
+ { 't := }
+ { pop$ }
+ if$
+ "," *
+ t "others" =
+ {
+
+ " " * bbl.etal *
+ }
+ { " " * t * }
+ if$
+ }
+ if$
+ }
+ 't
+ if$
+ nameptr #1 + 'nameptr :=
+ namesleft #1 - 'namesleft :=
+ }
+ while$
+ } if$
+}
+FUNCTION {format.authors}
+{ author "author" format.names
+}
+FUNCTION {get.bbl.editor}
+{ editor num.names$ #1 > 'bbl.editors 'bbl.editor if$ }
+
+FUNCTION {format.editors}
+{ editor "editor" format.names duplicate$ empty$ 'skip$
+ {
+ " " *
+ get.bbl.editor
+% capitalize
+ "(" swap$ * ")" *
+ *
+ }
+ if$
+}
+FUNCTION {format.note}
+{
+ note empty$
+ { "" }
+ { note #1 #1 substring$
+ duplicate$ "{" =
+ 'skip$
+ { output.state mid.sentence =
+ { "l" }
+ { "u" }
+ if$
+ change.case$
+ }
+ if$
+ note #2 global.max$ substring$ * "note" bibinfo.check
+ }
+ if$
+}
+
+FUNCTION {format.title}
+{ title
+ duplicate$ empty$ 'skip$
+ { "t" change.case$ }
+ if$
+ "title" bibinfo.check
+}
+FUNCTION {output.bibitem}
+{ newline$
+ "\bibitem{" write$
+ cite$ write$
+ "}" write$
+ newline$
+ ""
+ before.all 'output.state :=
+}
+
+FUNCTION {n.dashify}
+{
+ 't :=
+ ""
+ { t empty$ not }
+ { t #1 #1 substring$ "-" =
+ { t #1 #2 substring$ "--" = not
+ { "--" *
+ t #2 global.max$ substring$ 't :=
+ }
+ { { t #1 #1 substring$ "-" = }
+ { "-" *
+ t #2 global.max$ substring$ 't :=
+ }
+ while$
+ }
+ if$
+ }
+ { t #1 #1 substring$ *
+ t #2 global.max$ substring$ 't :=
+ }
+ if$
+ }
+ while$
+}
+
+FUNCTION {word.in}
+{ bbl.in capitalize
+ ":" *
+ " " * }
+
+FUNCTION {format.date}
+{
+ month "month" bibinfo.check
+ duplicate$ empty$
+ year "year" bibinfo.check duplicate$ empty$
+ { swap$ 'skip$
+ { "there's a month but no year in " cite$ * warning$ }
+ if$
+ *
+ }
+ { swap$ 'skip$
+ {
+ swap$
+ " " * swap$
+ }
+ if$
+ *
+ remove.dots
+ }
+ if$
+ duplicate$ empty$
+ 'skip$
+ {
+ before.all 'output.state :=
+ " (" swap$ * ")" *
+ }
+ if$
+}
+FUNCTION {format.btitle}
+{ title "title" bibinfo.check
+ duplicate$ empty$ 'skip$
+ {
+ }
+ if$
+}
+FUNCTION {either.or.check}
+{ empty$
+ 'pop$
+ { "can't use both " swap$ * " fields in " * cite$ * warning$ }
+ if$
+}
+FUNCTION {format.bvolume}
+{ volume empty$
+ { "" }
+ { bbl.volume volume tie.or.space.prefix
+ "volume" bibinfo.check * *
+ series "series" bibinfo.check
+ duplicate$ empty$ 'pop$
+ { emphasize ", " * swap$ * }
+ if$
+ "volume and number" number either.or.check
+ }
+ if$
+}
+FUNCTION {format.number.series}
+{ volume empty$
+ { number empty$
+ { series field.or.null }
+ { output.state mid.sentence =
+ { bbl.number }
+ { bbl.number capitalize }
+ if$
+ number tie.or.space.prefix "number" bibinfo.check * *
+ series empty$
+ { "there's a number but no series in " cite$ * warning$ }
+ { bbl.in space.word *
+ series "series" bibinfo.check *
+ }
+ if$
+ }
+ if$
+ }
+ { "" }
+ if$
+}
+
+FUNCTION {format.edition}
+{ edition duplicate$ empty$ 'skip$
+ {
+ output.state mid.sentence =
+ { "l" }
+ { "t" }
+ if$ change.case$
+ "edition" bibinfo.check
+ " " * bbl.edition *
+ }
+ if$
+}
+INTEGERS { multiresult }
+FUNCTION {multi.page.check}
+{ 't :=
+ #0 'multiresult :=
+ { multiresult not
+ t empty$ not
+ and
+ }
+ { t #1 #1 substring$
+ duplicate$ "-" =
+ swap$ duplicate$ "," =
+ swap$ "+" =
+ or or
+ { #1 'multiresult := }
+ { t #2 global.max$ substring$ 't := }
+ if$
+ }
+ while$
+ multiresult
+}
+FUNCTION {format.pages}
+{ pages duplicate$ empty$ 'skip$
+ { duplicate$ multi.page.check
+ {
+ bbl.pages swap$
+ n.dashify
+ }
+ {
+ bbl.page swap$
+ }
+ if$
+ tie.or.space.prefix
+ "pages" bibinfo.check
+ * *
+ }
+ if$
+}
+FUNCTION {format.journal.pages}
+{ pages duplicate$ empty$ 'pop$
+ { swap$ duplicate$ empty$
+ { pop$ pop$ format.pages }
+ {
+ ", " *
+ swap$
+ n.dashify
+ pages multi.page.check
+ 'titto.bbl.pages
+ 'titto.bbl.page
+ if$
+ swap$ tie.or.space.prefix
+ "pages" bibinfo.check
+ * *
+ *
+ }
+ if$
+ }
+ if$
+}
+FUNCTION {format.journal.eid}
+{ eid "eid" bibinfo.check
+ duplicate$ empty$ 'pop$
+ { swap$ duplicate$ empty$ 'skip$
+ {
+ ", " *
+ }
+ if$
+ swap$ *
+ }
+ if$
+}
+FUNCTION {format.vol.num.pages} % this function is used only for journal entries
+{ volume field.or.null embolden
+ duplicate$ empty$ 'skip$
+ {
+% bbl.volume swap$ tie.or.space.prefix
+ titto.bbl.volume swap$ titto.space.prefix
+% rationale for the change above: for journals you don't want "vol." label
+% hence it does not make sense to attach the journal number to the label when
+% it is short
+ "volume" bibinfo.check
+ * *
+ }
+ if$
+ number "number" bibinfo.check duplicate$ empty$ 'skip$
+ {
+ swap$ duplicate$ empty$
+ { "there's a number but no volume in " cite$ * warning$ }
+ 'skip$
+ if$
+ swap$
+ "(" swap$ * ")" *
+ }
+ if$ *
+ eid empty$
+ { format.journal.pages }
+ { format.journal.eid }
+ if$
+}
+
+FUNCTION {format.chapter.pages}
+{ chapter empty$
+ 'format.pages
+ { type empty$
+ { bbl.chapter }
+ { type "l" change.case$
+ "type" bibinfo.check
+ }
+ if$
+ chapter tie.or.space.prefix
+ "chapter" bibinfo.check
+ * *
+ pages empty$
+ 'skip$
+ { ", " * format.pages * }
+ if$
+ }
+ if$
+}
+
+FUNCTION {format.booktitle}
+{
+ booktitle "booktitle" bibinfo.check
+}
+FUNCTION {format.in.ed.booktitle}
+{ format.booktitle duplicate$ empty$ 'skip$
+ {
+% editor "editor" format.names.ed duplicate$ empty$ 'pop$ % changed by titto
+ editor "editor" format.names duplicate$ empty$ 'pop$
+ {
+ " " *
+ get.bbl.editor
+% capitalize
+ "(" swap$ * ") " *
+ * swap$
+ * }
+ if$
+ word.in swap$ *
+ }
+ if$
+}
+FUNCTION {empty.misc.check}
+{ author empty$ title empty$ howpublished empty$
+ month empty$ year empty$ note empty$
+ and and and and and
+ key empty$ not and
+ { "all relevant fields are empty in " cite$ * warning$ }
+ 'skip$
+ if$
+}
+FUNCTION {format.thesis.type}
+{ type duplicate$ empty$
+ 'pop$
+ { swap$ pop$
+ "t" change.case$ "type" bibinfo.check
+ }
+ if$
+}
+FUNCTION {format.tr.number}
+{ number "number" bibinfo.check
+ type duplicate$ empty$
+ { pop$ bbl.techrep }
+ 'skip$
+ if$
+ "type" bibinfo.check
+ swap$ duplicate$ empty$
+ { pop$ "t" change.case$ }
+ { tie.or.space.prefix * * }
+ if$
+}
+FUNCTION {format.article.crossref}
+{
+ key duplicate$ empty$
+ { pop$
+ journal duplicate$ empty$
+ { "need key or journal for " cite$ * " to crossref " * crossref * warning$ }
+ { "journal" bibinfo.check emphasize word.in swap$ * }
+ if$
+ }
+ { word.in swap$ * " " *}
+ if$
+ " \cite{" * crossref * "}" *
+}
+FUNCTION {format.crossref.editor}
+{ editor #1 "{vv~}{ll}" format.name$
+ "editor" bibinfo.check
+ editor num.names$ duplicate$
+ #2 >
+ { pop$
+ "editor" bibinfo.check
+ " " * bbl.etal
+ *
+ }
+ { #2 <
+ 'skip$
+ { editor #2 "{ff }{vv }{ll}{ jj}" format.name$ "others" =
+ {
+ "editor" bibinfo.check
+ " " * bbl.etal
+ *
+ }
+ {
+ bbl.and space.word
+ * editor #2 "{vv~}{ll}" format.name$
+ "editor" bibinfo.check
+ *
+ }
+ if$
+ }
+ if$
+ }
+ if$
+}
+FUNCTION {format.book.crossref}
+{ volume duplicate$ empty$
+ { "empty volume in " cite$ * "'s crossref of " * crossref * warning$
+ pop$ word.in
+ }
+ { bbl.volume
+ capitalize
+ swap$ tie.or.space.prefix "volume" bibinfo.check * * bbl.of space.word *
+ }
+ if$
+ editor empty$
+ editor field.or.null author field.or.null =
+ or
+ { key empty$
+ { series empty$
+ { "need editor, key, or series for " cite$ * " to crossref " *
+ crossref * warning$
+ "" *
+ }
+ { series emphasize * }
+ if$
+ }
+ { key * }
+ if$
+ }
+ { format.crossref.editor * }
+ if$
+ " \cite{" * crossref * "}" *
+}
+FUNCTION {format.incoll.inproc.crossref}
+{
+ editor empty$
+ editor field.or.null author field.or.null =
+ or
+ { key empty$
+ { format.booktitle duplicate$ empty$
+ { "need editor, key, or booktitle for " cite$ * " to crossref " *
+ crossref * warning$
+ }
+ { word.in swap$ * }
+ if$
+ }
+ { word.in key * " " *}
+ if$
+ }
+ { word.in format.crossref.editor * " " *}
+ if$
+ " \cite{" * crossref * "}" *
+}
+FUNCTION {format.org.or.pub}
+{ 't :=
+ ""
+ address empty$ t empty$ and
+ 'skip$
+ {
+ t empty$
+ { address "address" bibinfo.check *
+ }
+ { t *
+ address empty$
+ 'skip$
+ { ", " * address "address" bibinfo.check * }
+ if$
+ }
+ if$
+ }
+ if$
+}
+FUNCTION {format.publisher.address}
+{ publisher "publisher" bibinfo.warn format.org.or.pub
+}
+
+FUNCTION {format.organization.address}
+{ organization "organization" bibinfo.check format.org.or.pub
+}
+
+FUNCTION {article}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ {
+ journal
+ "journal" bibinfo.check
+ "journal" output.check
+ add.blank
+ format.vol.num.pages output
+ format.date "year" output.check
+ }
+ { format.article.crossref output.nonnull
+ format.pages output
+ }
+ if$
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+FUNCTION {book}
+{ output.bibitem
+ author empty$
+ { format.editors "author and editor" output.check
+ add.colon
+ }
+ { format.authors output.nonnull
+ add.colon
+ crossref missing$
+ { "author and editor" editor either.or.check }
+ 'skip$
+ if$
+ }
+ if$
+ new.block
+ format.btitle "title" output.check
+ crossref missing$
+ { format.bvolume output
+ new.block
+ new.sentence
+ format.number.series output
+ format.publisher.address output
+ }
+ {
+ new.block
+ format.book.crossref output.nonnull
+ }
+ if$
+ format.edition output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+FUNCTION {booklet}
+{ output.bibitem
+ format.authors output
+ add.colon
+ new.block
+ format.title "title" output.check
+ new.block
+ howpublished "howpublished" bibinfo.check output
+ address "address" bibinfo.check output
+ format.date output
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {inbook}
+{ output.bibitem
+ author empty$
+ { format.editors "author and editor" output.check
+ add.colon
+ }
+ { format.authors output.nonnull
+ add.colon
+ crossref missing$
+ { "author and editor" editor either.or.check }
+ 'skip$
+ if$
+ }
+ if$
+ new.block
+ format.btitle "title" output.check
+ crossref missing$
+ {
+ format.bvolume output
+ format.chapter.pages "chapter and pages" output.check
+ new.block
+ new.sentence
+ format.number.series output
+ format.publisher.address output
+ }
+ {
+ format.chapter.pages "chapter and pages" output.check
+ new.block
+ format.book.crossref output.nonnull
+ }
+ if$
+ format.edition output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {incollection}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ { format.in.ed.booktitle "booktitle" output.check
+ format.bvolume output
+ format.chapter.pages output
+ new.sentence
+ format.number.series output
+ format.publisher.address output
+ format.edition output
+ format.date "year" output.check
+ }
+ { format.incoll.inproc.crossref output.nonnull
+ format.chapter.pages output
+ }
+ if$
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+FUNCTION {inproceedings}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title "title" output.check
+ new.block
+ crossref missing$
+ { format.in.ed.booktitle "booktitle" output.check
+ new.sentence % added by titto
+ format.bvolume output
+ format.pages output
+ new.sentence
+ format.number.series output
+ publisher empty$
+ { format.organization.address output }
+ { organization "organization" bibinfo.check output
+ format.publisher.address output
+ }
+ if$
+ format.date "year" output.check
+ }
+ { format.incoll.inproc.crossref output.nonnull
+ format.pages output
+ }
+ if$
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+FUNCTION {conference} { inproceedings }
+FUNCTION {manual}
+{ output.bibitem
+ author empty$
+ { organization "organization" bibinfo.check
+ duplicate$ empty$ 'pop$
+ { output
+ address "address" bibinfo.check output
+ }
+ if$
+ }
+ { format.authors output.nonnull }
+ if$
+ add.colon
+ new.block
+ format.btitle "title" output.check
+ author empty$
+ { organization empty$
+ {
+ address new.block.checka
+ address "address" bibinfo.check output
+ }
+ 'skip$
+ if$
+ }
+ {
+ organization address new.block.checkb
+ organization "organization" bibinfo.check output
+ address "address" bibinfo.check output
+ }
+ if$
+ format.edition output
+ format.date output
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {mastersthesis}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.btitle
+ "title" output.check
+ new.block
+ bbl.mthesis format.thesis.type output.nonnull
+ school "school" bibinfo.warn output
+ address "address" bibinfo.check output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {misc}
+{ output.bibitem
+ format.authors output
+ add.colon
+ title howpublished new.block.checkb
+ format.title output
+ howpublished new.block.checka
+ howpublished "howpublished" bibinfo.check output
+ format.date output
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+ empty.misc.check
+}
+FUNCTION {phdthesis}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.btitle
+ "title" output.check
+ new.block
+ bbl.phdthesis format.thesis.type output.nonnull
+ school "school" bibinfo.warn output
+ address "address" bibinfo.check output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {proceedings}
+{ output.bibitem
+ editor empty$
+ { organization "organization" bibinfo.check output
+ }
+ { format.editors output.nonnull }
+ if$
+ add.colon
+ new.block
+ format.btitle "title" output.check
+ format.bvolume output
+ editor empty$
+ { publisher empty$
+ { format.number.series output }
+ {
+ new.sentence
+ format.number.series output
+ format.publisher.address output
+ }
+ if$
+ }
+ { publisher empty$
+ {
+ new.sentence
+ format.number.series output
+ format.organization.address output }
+ {
+ new.sentence
+ format.number.series output
+ organization "organization" bibinfo.check output
+ format.publisher.address output
+ }
+ if$
+ }
+ if$
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {techreport}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title
+ "title" output.check
+ new.block
+ format.tr.number output.nonnull
+ institution "institution" bibinfo.warn output
+ address "address" bibinfo.check output
+ format.date "year" output.check
+% new.block
+ format.doi output
+ format.url output
+% new.block
+ format.note output
+ fin.entry
+}
+
+FUNCTION {unpublished}
+{ output.bibitem
+ format.authors "author" output.check
+ add.colon
+ new.block
+ format.title "title" output.check
+ format.date output
+% new.block
+ format.url output
+% new.block
+ format.note "note" output.check
+ fin.entry
+}
+
+FUNCTION {default.type} { misc }
+READ
+FUNCTION {sortify}
+{ purify$
+ "l" change.case$
+}
+INTEGERS { len }
+FUNCTION {chop.word}
+{ 's :=
+ 'len :=
+ s #1 len substring$ =
+ { s len #1 + global.max$ substring$ }
+ 's
+ if$
+}
+FUNCTION {sort.format.names}
+{ 's :=
+ #1 'nameptr :=
+ ""
+ s num.names$ 'numnames :=
+ numnames 'namesleft :=
+ { namesleft #0 > }
+ { s nameptr
+ "{ll{ }}{ ff{ }}{ jj{ }}"
+ format.name$ 't :=
+ nameptr #1 >
+ {
+ " " *
+ namesleft #1 = t "others" = and
+ { "zzzzz" * }
+ { t sortify * }
+ if$
+ }
+ { t sortify * }
+ if$
+ nameptr #1 + 'nameptr :=
+ namesleft #1 - 'namesleft :=
+ }
+ while$
+}
+
+FUNCTION {sort.format.title}
+{ 't :=
+ "A " #2
+ "An " #3
+ "The " #4 t chop.word
+ chop.word
+ chop.word
+ sortify
+ #1 global.max$ substring$
+}
+FUNCTION {author.sort}
+{ author empty$
+ { key empty$
+ { "to sort, need author or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+FUNCTION {author.editor.sort}
+{ author empty$
+ { editor empty$
+ { key empty$
+ { "to sort, need author, editor, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { editor sort.format.names }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+FUNCTION {author.organization.sort}
+{ author empty$
+ { organization empty$
+ { key empty$
+ { "to sort, need author, organization, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { "The " #4 organization chop.word sortify }
+ if$
+ }
+ { author sort.format.names }
+ if$
+}
+FUNCTION {editor.organization.sort}
+{ editor empty$
+ { organization empty$
+ { key empty$
+ { "to sort, need editor, organization, or key in " cite$ * warning$
+ ""
+ }
+ { key sortify }
+ if$
+ }
+ { "The " #4 organization chop.word sortify }
+ if$
+ }
+ { editor sort.format.names }
+ if$
+}
+FUNCTION {presort}
+{ type$ "book" =
+ type$ "inbook" =
+ or
+ 'author.editor.sort
+ { type$ "proceedings" =
+ 'editor.organization.sort
+ { type$ "manual" =
+ 'author.organization.sort
+ 'author.sort
+ if$
+ }
+ if$
+ }
+ if$
+ " "
+ *
+ year field.or.null sortify
+ *
+ " "
+ *
+ title field.or.null
+ sort.format.title
+ *
+ #1 entry.max$ substring$
+ 'sort.key$ :=
+}
+ITERATE {presort}
+SORT
+STRINGS { longest.label }
+INTEGERS { number.label longest.label.width }
+FUNCTION {initialize.longest.label}
+{ "" 'longest.label :=
+ #1 'number.label :=
+ #0 'longest.label.width :=
+}
+FUNCTION {longest.label.pass}
+{ number.label int.to.str$ 'label :=
+ number.label #1 + 'number.label :=
+ label width$ longest.label.width >
+ { label 'longest.label :=
+ label width$ 'longest.label.width :=
+ }
+ 'skip$
+ if$
+}
+EXECUTE {initialize.longest.label}
+ITERATE {longest.label.pass}
+FUNCTION {begin.bib}
+{ preamble$ empty$
+ 'skip$
+ { preamble$ write$ newline$ }
+ if$
+ "\begin{thebibliography}{" longest.label * "}" *
+ write$ newline$
+ "\providecommand{\url}[1]{\texttt{#1}}"
+ write$ newline$
+ "\providecommand{\urlprefix}{URL }"
+ write$ newline$
+ "\providecommand{\doi}[1]{https://doi.org/#1}"
+ write$ newline$
+}
+EXECUTE {begin.bib}
+EXECUTE {init.state.consts}
+ITERATE {call.type$}
+FUNCTION {end.bib}
+{ newline$
+ "\end{thebibliography}" write$ newline$
+}
+EXECUTE {end.bib}
+%% End of customized bst file
+%%
+%% End of file `titto.bst'.
|