From 96ca47ee7140339e1a9928408c1086e2283a139d Mon Sep 17 00:00:00 2001 From: Aaron Feickert <66188213+AaronFeickert@users.noreply.github.com> Date: Fri, 21 Oct 2022 00:35:00 +0200 Subject: [PATCH] Formatting and efficiency updates (#2) --- llncs.cls | 1218 +++++++++++++++++++++++++++++++++++++++ main.bib | 27 +- main.tex | 386 ++++++------- splncs04.bst | 1548 ++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 2966 insertions(+), 213 deletions(-) create mode 100644 llncs.cls create mode 100644 splncs04.bst diff --git a/llncs.cls b/llncs.cls new file mode 100644 index 0000000..886bf72 --- /dev/null +++ b/llncs.cls @@ -0,0 +1,1218 @@ +% LLNCS DOCUMENT CLASS -- version 2.20 (10-Mar-2018) +% Springer Verlag LaTeX2e support for Lecture Notes in Computer Science +% +%% +%% \CharacterTable +%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z +%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z +%% Digits \0\1\2\3\4\5\6\7\8\9 +%% Exclamation \! Double quote \" Hash (number) \# +%% Dollar \$ Percent \% Ampersand \& +%% Acute accent \' Left paren \( Right paren \) +%% Asterisk \* Plus \+ Comma \, +%% Minus \- Point \. Solidus \/ +%% Colon \: Semicolon \; Less than \< +%% Equals \= Greater than \> Question mark \? +%% Commercial at \@ Left bracket \[ Backslash \\ +%% Right bracket \] Circumflex \^ Underscore \_ +%% Grave accent \` Left brace \{ Vertical bar \| +%% Right brace \} Tilde \~} +%% +\NeedsTeXFormat{LaTeX2e}[1995/12/01] +\ProvidesClass{llncs}[2018/03/10 v2.20 +^^J LaTeX document class for Lecture Notes in Computer Science] +% Options +\let\if@envcntreset\iffalse +\DeclareOption{envcountreset}{\let\if@envcntreset\iftrue} +\DeclareOption{citeauthoryear}{\let\citeauthoryear=Y} +\DeclareOption{oribibl}{\let\oribibl=Y} +\let\if@custvec\iftrue +\DeclareOption{orivec}{\let\if@custvec\iffalse} +\let\if@envcntsame\iffalse +\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue} +\let\if@envcntsect\iffalse +\DeclareOption{envcountsect}{\let\if@envcntsect\iftrue} +\let\if@runhead\iffalse +\DeclareOption{runningheads}{\let\if@runhead\iftrue} + +\let\if@openright\iftrue +\let\if@openbib\iffalse +\DeclareOption{openbib}{\let\if@openbib\iftrue} + +% languages +\let\switcht@@therlang\relax +\def\ds@deutsch{\def\switcht@@therlang{\switcht@deutsch}} +\def\ds@francais{\def\switcht@@therlang{\switcht@francais}} + +\DeclareOption*{\PassOptionsToClass{\CurrentOption}{article}} + +\ProcessOptions + +\LoadClass[twoside]{article} +\RequirePackage{multicol} % needed for the list of participants, index +\RequirePackage{aliascnt} + +\setlength{\textwidth}{12.2cm} +\setlength{\textheight}{19.3cm} +\renewcommand\@pnumwidth{2em} +\renewcommand\@tocrmarg{3.5em} +% +\def\@dottedtocline#1#2#3#4#5{% + \ifnum #1>\c@tocdepth \else + \vskip \z@ \@plus.2\p@ + {\leftskip #2\relax \rightskip \@tocrmarg \advance\rightskip by 0pt plus 2cm + \parfillskip -\rightskip \pretolerance=10000 + \parindent #2\relax\@afterindenttrue + \interlinepenalty\@M + \leavevmode + \@tempdima #3\relax + \advance\leftskip \@tempdima \null\nobreak\hskip -\leftskip + {#4}\nobreak + \leaders\hbox{$\m@th + \mkern \@dotsep mu\hbox{.}\mkern \@dotsep + mu$}\hfill + \nobreak + \hb@xt@\@pnumwidth{\hfil\normalfont \normalcolor #5}% + \par}% + \fi} +% +\def\switcht@albion{% +\def\abstractname{Abstract.} +\def\ackname{Acknowledgement.} +\def\andname{and} +\def\lastandname{\unskip, and} +\def\appendixname{Appendix} +\def\chaptername{Chapter} +\def\claimname{Claim} +\def\conjecturename{Conjecture} +\def\contentsname{Table of Contents} +\def\corollaryname{Corollary} +\def\definitionname{Definition} +\def\examplename{Example} +\def\exercisename{Exercise} +\def\figurename{Fig.} +\def\keywordname{{\bf Keywords:}} +\def\indexname{Index} +\def\lemmaname{Lemma} +\def\contriblistname{List of Contributors} +\def\listfigurename{List of Figures} +\def\listtablename{List of Tables} +\def\mailname{{\it Correspondence to\/}:} +\def\noteaddname{Note added in proof} +\def\notename{Note} +\def\partname{Part} +\def\problemname{Problem} +\def\proofname{Proof} +\def\propertyname{Property} +\def\propositionname{Proposition} +\def\questionname{Question} +\def\remarkname{Remark} +\def\seename{see} +\def\solutionname{Solution} +\def\subclassname{{\it Subject Classifications\/}:} +\def\tablename{Table} +\def\theoremname{Theorem}} +\switcht@albion +% Names of theorem like environments are already defined +% but must be translated if another language is chosen +% +% French section +\def\switcht@francais{%\typeout{On parle francais.}% + \def\abstractname{R\'esum\'e.}% + \def\ackname{Remerciements.}% + \def\andname{et}% + \def\lastandname{ et}% + \def\appendixname{Appendice} + \def\chaptername{Chapitre}% + \def\claimname{Pr\'etention}% + \def\conjecturename{Hypoth\`ese}% + \def\contentsname{Table des mati\`eres}% + \def\corollaryname{Corollaire}% + \def\definitionname{D\'efinition}% + \def\examplename{Exemple}% + \def\exercisename{Exercice}% + \def\figurename{Fig.}% + \def\keywordname{{\bf Mots-cl\'e:}} + \def\indexname{Index} + \def\lemmaname{Lemme}% + \def\contriblistname{Liste des contributeurs} + \def\listfigurename{Liste des figures}% + \def\listtablename{Liste des tables}% + \def\mailname{{\it Correspondence to\/}:} + \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}% + \def\notename{Remarque}% + \def\partname{Partie}% + \def\problemname{Probl\`eme}% + \def\proofname{Preuve}% + \def\propertyname{Caract\'eristique}% +%\def\propositionname{Proposition}% + \def\questionname{Question}% + \def\remarkname{Remarque}% + \def\seename{voir} + \def\solutionname{Solution}% + \def\subclassname{{\it Subject Classifications\/}:} + \def\tablename{Tableau}% + \def\theoremname{Th\'eor\`eme}% +} +% +% German section +\def\switcht@deutsch{%\typeout{Man spricht deutsch.}% + \def\abstractname{Zusammenfassung.}% + \def\ackname{Danksagung.}% + \def\andname{und}% + \def\lastandname{ und}% + \def\appendixname{Anhang}% + \def\chaptername{Kapitel}% + \def\claimname{Behauptung}% + \def\conjecturename{Hypothese}% + \def\contentsname{Inhaltsverzeichnis}% + \def\corollaryname{Korollar}% +%\def\definitionname{Definition}% + \def\examplename{Beispiel}% + \def\exercisename{\"Ubung}% + \def\figurename{Abb.}% + \def\keywordname{{\bf Schl\"usselw\"orter:}} + \def\indexname{Index} +%\def\lemmaname{Lemma}% + \def\contriblistname{Mitarbeiter} + \def\listfigurename{Abbildungsverzeichnis}% + \def\listtablename{Tabellenverzeichnis}% + \def\mailname{{\it Correspondence to\/}:} + \def\noteaddname{Nachtrag}% + \def\notename{Anmerkung}% + \def\partname{Teil}% +%\def\problemname{Problem}% + \def\proofname{Beweis}% + \def\propertyname{Eigenschaft}% +%\def\propositionname{Proposition}% + \def\questionname{Frage}% + \def\remarkname{Anmerkung}% + \def\seename{siehe} + \def\solutionname{L\"osung}% + \def\subclassname{{\it Subject Classifications\/}:} + \def\tablename{Tabelle}% +%\def\theoremname{Theorem}% +} + +% Ragged bottom for the actual page +\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil +\global\let\@textbottom\relax}} + +\renewcommand\small{% + \@setfontsize\small\@ixpt{11}% + \abovedisplayskip 8.5\p@ \@plus3\p@ \@minus4\p@ + \abovedisplayshortskip \z@ \@plus2\p@ + \belowdisplayshortskip 4\p@ \@plus2\p@ \@minus2\p@ + \def\@listi{\leftmargin\leftmargini + \parsep 0\p@ \@plus1\p@ \@minus\p@ + \topsep 8\p@ \@plus2\p@ \@minus4\p@ + \itemsep0\p@}% + \belowdisplayskip \abovedisplayskip +} + +\frenchspacing +\widowpenalty=10000 +\clubpenalty=10000 + +\setlength\oddsidemargin {63\p@} +\setlength\evensidemargin {63\p@} +\setlength\marginparwidth {90\p@} + +\setlength\headsep {16\p@} + +\setlength\footnotesep{7.7\p@} +\setlength\textfloatsep{8mm\@plus 2\p@ \@minus 4\p@} +\setlength\intextsep {8mm\@plus 2\p@ \@minus 2\p@} + +\setcounter{secnumdepth}{2} + +\newcounter {chapter} +\renewcommand\thechapter {\@arabic\c@chapter} + +\newif\if@mainmatter \@mainmattertrue +\newcommand\frontmatter{\cleardoublepage + \@mainmatterfalse\pagenumbering{Roman}} +\newcommand\mainmatter{\cleardoublepage + \@mainmattertrue\pagenumbering{arabic}} +\newcommand\backmatter{\if@openright\cleardoublepage\else\clearpage\fi + \@mainmatterfalse} + +\renewcommand\part{\cleardoublepage + \thispagestyle{empty}% + \if@twocolumn + \onecolumn + \@tempswatrue + \else + \@tempswafalse + \fi + \null\vfil + \secdef\@part\@spart} + +\def\@part[#1]#2{% + \ifnum \c@secnumdepth >-2\relax + \refstepcounter{part}% + \addcontentsline{toc}{part}{\thepart\hspace{1em}#1}% + \else + \addcontentsline{toc}{part}{#1}% + \fi + \markboth{}{}% + {\centering + \interlinepenalty \@M + \normalfont + \ifnum \c@secnumdepth >-2\relax + \huge\bfseries \partname~\thepart + \par + \vskip 20\p@ + \fi + \Huge \bfseries #2\par}% + \@endpart} +\def\@spart#1{% + {\centering + \interlinepenalty \@M + \normalfont + \Huge \bfseries #1\par}% + \@endpart} +\def\@endpart{\vfil\newpage + \if@twoside + \null + \thispagestyle{empty}% + \newpage + \fi + \if@tempswa + \twocolumn + \fi} + +\newcommand\chapter{\clearpage + \thispagestyle{empty}% + \global\@topnum\z@ + \@afterindentfalse + \secdef\@chapter\@schapter} +\def\@chapter[#1]#2{\ifnum \c@secnumdepth >\m@ne + \if@mainmatter + \refstepcounter{chapter}% + \typeout{\@chapapp\space\thechapter.}% + \addcontentsline{toc}{chapter}% + {\protect\numberline{\thechapter}#1}% + \else + \addcontentsline{toc}{chapter}{#1}% + \fi + \else + \addcontentsline{toc}{chapter}{#1}% + \fi + \chaptermark{#1}% + \addtocontents{lof}{\protect\addvspace{10\p@}}% + \addtocontents{lot}{\protect\addvspace{10\p@}}% + \if@twocolumn + \@topnewpage[\@makechapterhead{#2}]% + \else + \@makechapterhead{#2}% + \@afterheading + \fi} +\def\@makechapterhead#1{% +% \vspace*{50\p@}% + {\centering + \ifnum \c@secnumdepth >\m@ne + \if@mainmatter + \large\bfseries \@chapapp{} \thechapter + \par\nobreak + \vskip 20\p@ + \fi + \fi + \interlinepenalty\@M + \Large \bfseries #1\par\nobreak + \vskip 40\p@ + }} +\def\@schapter#1{\if@twocolumn + \@topnewpage[\@makeschapterhead{#1}]% + \else + \@makeschapterhead{#1}% + \@afterheading + \fi} +\def\@makeschapterhead#1{% +% \vspace*{50\p@}% + {\centering + \normalfont + \interlinepenalty\@M + \Large \bfseries #1\par\nobreak + \vskip 40\p@ + }} + +\renewcommand\section{\@startsection{section}{1}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {12\p@ \@plus 4\p@ \@minus 4\p@}% + {\normalfont\large\bfseries\boldmath + \rightskip=\z@ \@plus 8em\pretolerance=10000 }} +\renewcommand\subsection{\@startsection{subsection}{2}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {8\p@ \@plus 4\p@ \@minus 4\p@}% + {\normalfont\normalsize\bfseries\boldmath + \rightskip=\z@ \@plus 8em\pretolerance=10000 }} +\renewcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {-0.5em \@plus -0.22em \@minus -0.1em}% + {\normalfont\normalsize\bfseries\boldmath}} +\renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}% + {-12\p@ \@plus -4\p@ \@minus -4\p@}% + {-0.5em \@plus -0.22em \@minus -0.1em}% + {\normalfont\normalsize\itshape}} +\renewcommand\subparagraph[1]{\typeout{LLNCS warning: You should not use + \string\subparagraph\space with this class}\vskip0.5cm +You should not use \verb|\subparagraph| with this class.\vskip0.5cm} + +\DeclareMathSymbol{\Gamma}{\mathalpha}{letters}{"00} +\DeclareMathSymbol{\Delta}{\mathalpha}{letters}{"01} +\DeclareMathSymbol{\Theta}{\mathalpha}{letters}{"02} +\DeclareMathSymbol{\Lambda}{\mathalpha}{letters}{"03} +\DeclareMathSymbol{\Xi}{\mathalpha}{letters}{"04} +\DeclareMathSymbol{\Pi}{\mathalpha}{letters}{"05} +\DeclareMathSymbol{\Sigma}{\mathalpha}{letters}{"06} +\DeclareMathSymbol{\Upsilon}{\mathalpha}{letters}{"07} +\DeclareMathSymbol{\Phi}{\mathalpha}{letters}{"08} +\DeclareMathSymbol{\Psi}{\mathalpha}{letters}{"09} +\DeclareMathSymbol{\Omega}{\mathalpha}{letters}{"0A} + +\let\footnotesize\small + +\if@custvec +\def\vec#1{\mathchoice{\mbox{\boldmath$\displaystyle#1$}} +{\mbox{\boldmath$\textstyle#1$}} +{\mbox{\boldmath$\scriptstyle#1$}} +{\mbox{\boldmath$\scriptscriptstyle#1$}}} +\fi + +\def\squareforqed{\hbox{\rlap{$\sqcap$}$\sqcup$}} +\def\qed{\ifmmode\squareforqed\else{\unskip\nobreak\hfil +\penalty50\hskip1em\null\nobreak\hfil\squareforqed +\parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi} + +\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip +\halign{\hfil +$\displaystyle##$\hfil\cr\gets\cr\to\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr\gets +\cr\to\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr\gets +\cr\to\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +\gets\cr\to\cr}}}}} +\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil +$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr +\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr +\noalign{\vskip1pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +<\cr +\noalign{\vskip0.9pt}=\cr}}}}} +\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil +$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr +\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr +\noalign{\vskip1pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +>\cr +\noalign{\vskip0.9pt}=\cr}}}}} +\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip +\halign{\hfil +$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-1pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr +>\cr\noalign{\vskip-1pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr +>\cr\noalign{\vskip-0.8pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +>\cr\noalign{\vskip-0.3pt}<\cr}}}}} +\def\bbbr{{\rm I\!R}} %reelle Zahlen +\def\bbbm{{\rm I\!M}} +\def\bbbn{{\rm I\!N}} %natuerliche Zahlen +\def\bbbf{{\rm I\!F}} +\def\bbbh{{\rm I\!H}} +\def\bbbk{{\rm I\!K}} +\def\bbbp{{\rm I\!P}} +\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l} +{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}} +\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}}} +\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm +Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}}} +\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm +T$}\hbox{\hbox to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}}} +\def\bbbs{{\mathchoice +{\setbox0=\hbox{$\displaystyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox +to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox +to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox +to0pt{\kern0.5\wd0\vrule height0.45\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.4\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox +to0pt{\kern0.55\wd0\vrule height0.45\ht0\hss}\box0}}}} +\def\bbbz{{\mathchoice {\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}} +{\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}} +{\hbox{$\mathsf\scriptstyle Z\kern-0.3em Z$}} +{\hbox{$\mathsf\scriptscriptstyle Z\kern-0.2em Z$}}}} + +\let\ts\, + +\setlength\leftmargini {17\p@} +\setlength\leftmargin {\leftmargini} +\setlength\leftmarginii {\leftmargini} +\setlength\leftmarginiii {\leftmargini} +\setlength\leftmarginiv {\leftmargini} +\setlength \labelsep {.5em} +\setlength \labelwidth{\leftmargini} +\addtolength\labelwidth{-\labelsep} + +\def\@listI{\leftmargin\leftmargini + \parsep 0\p@ \@plus1\p@ \@minus\p@ + \topsep 8\p@ \@plus2\p@ \@minus4\p@ + \itemsep0\p@} +\let\@listi\@listI +\@listi +\def\@listii {\leftmargin\leftmarginii + \labelwidth\leftmarginii + \advance\labelwidth-\labelsep + \topsep 0\p@ \@plus2\p@ \@minus\p@} +\def\@listiii{\leftmargin\leftmarginiii + \labelwidth\leftmarginiii + \advance\labelwidth-\labelsep + \topsep 0\p@ \@plus\p@\@minus\p@ + \parsep \z@ + \partopsep \p@ \@plus\z@ \@minus\p@} + +\renewcommand\labelitemi{\normalfont\bfseries --} +\renewcommand\labelitemii{$\m@th\bullet$} + +\setlength\arraycolsep{1.4\p@} +\setlength\tabcolsep{1.4\p@} + +\def\tableofcontents{\chapter*{\contentsname\@mkboth{{\contentsname}}% + {{\contentsname}}} + \def\authcount##1{\setcounter{auco}{##1}\setcounter{@auth}{1}} + \def\lastand{\ifnum\value{auco}=2\relax + \unskip{} \andname\ + \else + \unskip \lastandname\ + \fi}% + \def\and{\stepcounter{@auth}\relax + \ifnum\value{@auth}=\value{auco}% + \lastand + \else + \unskip, + \fi}% + \@starttoc{toc}\if@restonecol\twocolumn\fi} + +\def\l@part#1#2{\addpenalty{\@secpenalty}% + \addvspace{2em plus\p@}% % space above part line + \begingroup + \parindent \z@ + \rightskip \z@ plus 5em + \hrule\vskip5pt + \large % same size as for a contribution heading + \bfseries\boldmath % set line in boldface + \leavevmode % TeX command to enter horizontal mode. + #1\par + \vskip5pt + \hrule + \vskip1pt + \nobreak % Never break after part entry + \endgroup} + +\def\@dotsep{2} + +\let\phantomsection=\relax + +\def\hyperhrefextend{\ifx\hyper@anchor\@undefined\else +{}\fi} + +\def\addnumcontentsmark#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{\protect\numberline + {\thechapter}#3}{\thepage}\hyperhrefextend}}% +\def\addcontentsmark#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{#3}{\thepage}\hyperhrefextend}}% +\def\addcontentsmarkwop#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{#3}{0}\hyperhrefextend}}% + +\def\@adcmk[#1]{\ifcase #1 \or +\def\@gtempa{\addnumcontentsmark}% + \or \def\@gtempa{\addcontentsmark}% + \or \def\@gtempa{\addcontentsmarkwop}% + \fi\@gtempa{toc}{chapter}% +} +\def\addtocmark{% +\phantomsection +\@ifnextchar[{\@adcmk}{\@adcmk[3]}% +} + +\def\l@chapter#1#2{\addpenalty{-\@highpenalty} + \vskip 1.0em plus 1pt \@tempdima 1.5em \begingroup + \parindent \z@ \rightskip \@tocrmarg + \advance\rightskip by 0pt plus 2cm + \parfillskip -\rightskip \pretolerance=10000 + \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip + {\large\bfseries\boldmath#1}\ifx0#2\hfil\null + \else + \nobreak + \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern + \@dotsep mu$}\hfill + \nobreak\hbox to\@pnumwidth{\hss #2}% + \fi\par + \penalty\@highpenalty \endgroup} + +\def\l@title#1#2{\addpenalty{-\@highpenalty} + \addvspace{8pt plus 1pt} + \@tempdima \z@ + \begingroup + \parindent \z@ \rightskip \@tocrmarg + \advance\rightskip by 0pt plus 2cm + \parfillskip -\rightskip \pretolerance=10000 + \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip + #1\nobreak + \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern + \@dotsep mu$}\hfill + \nobreak\hbox to\@pnumwidth{\hss #2}\par + \penalty\@highpenalty \endgroup} + +\def\l@author#1#2{\addpenalty{\@highpenalty} + \@tempdima=15\p@ %\z@ + \begingroup + \parindent \z@ \rightskip \@tocrmarg + \advance\rightskip by 0pt plus 2cm + \pretolerance=10000 + \leavevmode \advance\leftskip\@tempdima %\hskip -\leftskip + \textit{#1}\par + \penalty\@highpenalty \endgroup} + +\setcounter{tocdepth}{0} +\newdimen\tocchpnum +\newdimen\tocsecnum +\newdimen\tocsectotal +\newdimen\tocsubsecnum +\newdimen\tocsubsectotal +\newdimen\tocsubsubsecnum +\newdimen\tocsubsubsectotal +\newdimen\tocparanum +\newdimen\tocparatotal +\newdimen\tocsubparanum +\tocchpnum=\z@ % no chapter numbers +\tocsecnum=15\p@ % section 88. plus 2.222pt +\tocsubsecnum=23\p@ % subsection 88.8 plus 2.222pt +\tocsubsubsecnum=27\p@ % subsubsection 88.8.8 plus 1.444pt +\tocparanum=35\p@ % paragraph 88.8.8.8 plus 1.666pt +\tocsubparanum=43\p@ % subparagraph 88.8.8.8.8 plus 1.888pt +\def\calctocindent{% +\tocsectotal=\tocchpnum +\advance\tocsectotal by\tocsecnum +\tocsubsectotal=\tocsectotal +\advance\tocsubsectotal by\tocsubsecnum +\tocsubsubsectotal=\tocsubsectotal +\advance\tocsubsubsectotal by\tocsubsubsecnum +\tocparatotal=\tocsubsubsectotal +\advance\tocparatotal by\tocparanum} +\calctocindent + +\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}} +\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}} +\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}} +\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}} +\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}} + +\def\listoffigures{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn + \fi\section*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}} + \@starttoc{lof}\if@restonecol\twocolumn\fi} +\def\l@figure{\@dottedtocline{1}{0em}{1.5em}} + +\def\listoftables{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn + \fi\section*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}} + \@starttoc{lot}\if@restonecol\twocolumn\fi} +\let\l@table\l@figure + +\renewcommand\listoffigures{% + \section*{\listfigurename + \@mkboth{\listfigurename}{\listfigurename}}% + \@starttoc{lof}% + } + +\renewcommand\listoftables{% + \section*{\listtablename + \@mkboth{\listtablename}{\listtablename}}% + \@starttoc{lot}% + } + +\ifx\oribibl\undefined +\ifx\citeauthoryear\undefined +\renewenvironment{thebibliography}[1] + {\section*{\refname} + \def\@biblabel##1{##1.} + \small + \list{\@biblabel{\@arabic\c@enumiv}}% + {\settowidth\labelwidth{\@biblabel{#1}}% + \leftmargin\labelwidth + \advance\leftmargin\labelsep + \if@openbib + \advance\leftmargin\bibindent + \itemindent -\bibindent + \listparindent \itemindent + \parsep \z@ + \fi + \usecounter{enumiv}% + \let\p@enumiv\@empty + \renewcommand\theenumiv{\@arabic\c@enumiv}}% + \if@openbib + \renewcommand\newblock{\par}% + \else + \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}% + \fi + \sloppy\clubpenalty4000\widowpenalty4000% + \sfcode`\.=\@m} + {\def\@noitemerr + {\@latex@warning{Empty `thebibliography' environment}}% + \endlist} +\def\@lbibitem[#1]#2{\item[{[#1]}\hfill]\if@filesw + {\let\protect\noexpand\immediate + \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces} +\newcount\@tempcntc +\def\@citex[#1]#2{\if@filesw\immediate\write\@auxout{\string\citation{#2}}\fi + \@tempcnta\z@\@tempcntb\m@ne\def\@citea{}\@cite{\@for\@citeb:=#2\do + {\@ifundefined + {b@\@citeb}{\@citeo\@tempcntb\m@ne\@citea\def\@citea{,}{\bfseries + ?}\@warning + {Citation `\@citeb' on page \thepage \space undefined}}% + {\setbox\z@\hbox{\global\@tempcntc0\csname b@\@citeb\endcsname\relax}% + \ifnum\@tempcntc=\z@ \@citeo\@tempcntb\m@ne + \@citea\def\@citea{,}\hbox{\csname b@\@citeb\endcsname}% + \else + \advance\@tempcntb\@ne + \ifnum\@tempcntb=\@tempcntc + \else\advance\@tempcntb\m@ne\@citeo + \@tempcnta\@tempcntc\@tempcntb\@tempcntc\fi\fi}}\@citeo}{#1}} +\def\@citeo{\ifnum\@tempcnta>\@tempcntb\else + \@citea\def\@citea{,\,\hskip\z@skip}% + \ifnum\@tempcnta=\@tempcntb\the\@tempcnta\else + {\advance\@tempcnta\@ne\ifnum\@tempcnta=\@tempcntb \else + \def\@citea{--}\fi + \advance\@tempcnta\m@ne\the\@tempcnta\@citea\the\@tempcntb}\fi\fi} +\else +\renewenvironment{thebibliography}[1] + {\section*{\refname} + \small + \list{}% + {\settowidth\labelwidth{}% + \leftmargin\parindent + \itemindent=-\parindent + \labelsep=\z@ + \if@openbib + \advance\leftmargin\bibindent + \itemindent -\bibindent + \listparindent \itemindent + \parsep \z@ + \fi + \usecounter{enumiv}% + \let\p@enumiv\@empty + \renewcommand\theenumiv{}}% + \if@openbib + \renewcommand\newblock{\par}% + \else + \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}% + \fi + \sloppy\clubpenalty4000\widowpenalty4000% + \sfcode`\.=\@m} + {\def\@noitemerr + {\@latex@warning{Empty `thebibliography' environment}}% + \endlist} + \def\@cite#1{#1}% + \def\@lbibitem[#1]#2{\item[]\if@filesw + {\def\protect##1{\string ##1\space}\immediate + \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces} + \fi +\else +\@cons\@openbib@code{\noexpand\small} +\fi + +\def\idxquad{\hskip 10\p@}% space that divides entry from number + +\def\@idxitem{\par\hangindent 10\p@} + +\def\subitem{\par\setbox0=\hbox{--\enspace}% second order + \noindent\hangindent\wd0\box0}% index entry + +\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third + \noindent\hangindent\wd0\box0}% order index entry + +\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax} + +\renewenvironment{theindex} + {\@mkboth{\indexname}{\indexname}% + \thispagestyle{empty}\parindent\z@ + \parskip\z@ \@plus .3\p@\relax + \let\item\par + \def\,{\relax\ifmmode\mskip\thinmuskip + \else\hskip0.2em\ignorespaces\fi}% + \normalfont\small + \begin{multicols}{2}[\@makeschapterhead{\indexname}]% + } + {\end{multicols}} + +\renewcommand\footnoterule{% + \kern-3\p@ + \hrule\@width 2truecm + \kern2.6\p@} + \newdimen\fnindent + \fnindent1em +\long\def\@makefntext#1{% + \parindent \fnindent% + \leftskip \fnindent% + \noindent + \llap{\hb@xt@1em{\hss\@makefnmark\ }}\ignorespaces#1} + +\long\def\@makecaption#1#2{% + \small + \vskip\abovecaptionskip + \sbox\@tempboxa{{\bfseries #1.} #2}% + \ifdim \wd\@tempboxa >\hsize + {\bfseries #1.} #2\par + \else + \global \@minipagefalse + \hb@xt@\hsize{\hfil\box\@tempboxa\hfil}% + \fi + \vskip\belowcaptionskip} + +\def\fps@figure{htbp} +\def\fnum@figure{\figurename\thinspace\thefigure} +\def \@floatboxreset {% + \reset@font + \small + \@setnobreak + \@setminipage +} +\def\fps@table{htbp} +\def\fnum@table{\tablename~\thetable} +\renewenvironment{table} + {\setlength\abovecaptionskip{0\p@}% + \setlength\belowcaptionskip{10\p@}% + \@float{table}} + {\end@float} +\renewenvironment{table*} + {\setlength\abovecaptionskip{0\p@}% + \setlength\belowcaptionskip{10\p@}% + \@dblfloat{table}} + {\end@dblfloat} + +\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname + ext@#1\endcsname}{#1}{\protect\numberline{\csname + the#1\endcsname}{\ignorespaces #2}}\begingroup + \@parboxrestore + \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par + \endgroup} + +% LaTeX does not provide a command to enter the authors institute +% addresses. The \institute command is defined here. + +\newcounter{@inst} +\newcounter{@auth} +\newcounter{auco} +\newdimen\instindent +\newbox\authrun +\newtoks\authorrunning +\newtoks\tocauthor +\newbox\titrun +\newtoks\titlerunning +\newtoks\toctitle + +\def\clearheadinfo{\gdef\@author{No Author Given}% + \gdef\@title{No Title Given}% + \gdef\@subtitle{}% + \gdef\@institute{No Institute Given}% + \gdef\@thanks{}% + \global\titlerunning={}\global\authorrunning={}% + \global\toctitle={}\global\tocauthor={}} + +\def\institute#1{\gdef\@institute{#1}} + +\def\institutename{\par + \begingroup + \parskip=\z@ + \parindent=\z@ + \setcounter{@inst}{1}% + \def\and{\par\stepcounter{@inst}% + \noindent$^{\the@inst}$\enspace\ignorespaces}% + \setbox0=\vbox{\def\thanks##1{}\@institute}% + \ifnum\c@@inst=1\relax + \gdef\fnnstart{0}% + \else + \xdef\fnnstart{\c@@inst}% + \setcounter{@inst}{1}% + \noindent$^{\the@inst}$\enspace + \fi + \ignorespaces + \@institute\par + \endgroup} + +\def\@fnsymbol#1{\ensuremath{\ifcase#1\or\star\or{\star\star}\or + {\star\star\star}\or \dagger\or \ddagger\or + \mathchar "278\or \mathchar "27B\or \|\or **\or \dagger\dagger + \or \ddagger\ddagger \else\@ctrerr\fi}} + +\def\inst#1{\unskip$^{#1}$} +\def\orcidID#1{\unskip$^{[#1]}$} % added MR 2018-03-10 +\def\fnmsep{\unskip$^,$} +\def\email#1{{\tt#1}} + +\AtBeginDocument{\@ifundefined{url}{\def\url#1{#1}}{}% +\@ifpackageloaded{babel}{% +\@ifundefined{extrasenglish}{}{\addto\extrasenglish{\switcht@albion}}% +\@ifundefined{extrasfrenchb}{}{\addto\extrasfrenchb{\switcht@francais}}% +\@ifundefined{extrasgerman}{}{\addto\extrasgerman{\switcht@deutsch}}% +\@ifundefined{extrasngerman}{}{\addto\extrasngerman{\switcht@deutsch}}% +}{\switcht@@therlang}% +\providecommand{\keywords}[1]{\def\and{{\textperiodcentered} }% +\par\addvspace\baselineskip +\noindent\keywordname\enspace\ignorespaces#1}% +\@ifpackageloaded{hyperref}{% +\def\doi#1{\href{https://doi.org/#1}{https://doi.org/#1}}}{ +\def\doi#1{https://doi.org/#1}} +} +\def\homedir{\~{ }} + +\def\subtitle#1{\gdef\@subtitle{#1}} +\clearheadinfo +% +%%% to avoid hyperref warnings +\providecommand*{\toclevel@author}{999} +%%% to make title-entry parent of section-entries +\providecommand*{\toclevel@title}{0} +% +\renewcommand\maketitle{\newpage +\phantomsection + \refstepcounter{chapter}% + \stepcounter{section}% + \setcounter{section}{0}% + \setcounter{subsection}{0}% + \setcounter{figure}{0} + \setcounter{table}{0} + \setcounter{equation}{0} + \setcounter{footnote}{0}% + \begingroup + \parindent=\z@ + \renewcommand\thefootnote{\@fnsymbol\c@footnote}% + \if@twocolumn + \ifnum \col@number=\@ne + \@maketitle + \else + \twocolumn[\@maketitle]% + \fi + \else + \newpage + \global\@topnum\z@ % Prevents figures from going at top of page. + \@maketitle + \fi + \thispagestyle{empty}\@thanks +% + \def\\{\unskip\ \ignorespaces}\def\inst##1{\unskip{}}% + \def\thanks##1{\unskip{}}\def\fnmsep{\unskip}% + \instindent=\hsize + \advance\instindent by-\headlineindent + \if!\the\toctitle!\addcontentsline{toc}{title}{\@title}\else + \addcontentsline{toc}{title}{\the\toctitle}\fi + \if@runhead + \if!\the\titlerunning!\else + \edef\@title{\the\titlerunning}% + \fi + \global\setbox\titrun=\hbox{\small\rm\unboldmath\ignorespaces\@title}% + \ifdim\wd\titrun>\instindent + \typeout{Title too long for running head. Please supply}% + \typeout{a shorter form with \string\titlerunning\space prior to + \string\maketitle}% + \global\setbox\titrun=\hbox{\small\rm + Title Suppressed Due to Excessive Length}% + \fi + \xdef\@title{\copy\titrun}% + \fi +% + \if!\the\tocauthor!\relax + {\def\and{\noexpand\protect\noexpand\and}% + \def\inst##1{}% added MR 2017-09-20 to remove inst numbers from the TOC + \def\orcidID##1{}% added MR 2017-09-20 to remove ORCID ids from the TOC + \protected@xdef\toc@uthor{\@author}}% + \else + \def\\{\noexpand\protect\noexpand\newline}% + \protected@xdef\scratch{\the\tocauthor}% + \protected@xdef\toc@uthor{\scratch}% + \fi + \addtocontents{toc}{\noexpand\protect\noexpand\authcount{\the\c@auco}}% + \addcontentsline{toc}{author}{\toc@uthor}% + \if@runhead + \if!\the\authorrunning! + \value{@inst}=\value{@auth}% + \setcounter{@auth}{1}% + \else + \edef\@author{\the\authorrunning}% + \fi + \global\setbox\authrun=\hbox{\def\inst##1{}% added MR 2017-09-20 to remove inst numbers from the runninghead + \def\orcidID##1{}% added MR 2017-09-20 to remove ORCID ids from the runninghead + \small\unboldmath\@author\unskip}% + \ifdim\wd\authrun>\instindent + \typeout{Names of authors too long for running head. Please supply}% + \typeout{a shorter form with \string\authorrunning\space prior to + \string\maketitle}% + \global\setbox\authrun=\hbox{\small\rm + Authors Suppressed Due to Excessive Length}% + \fi + \xdef\@author{\copy\authrun}% + \markboth{\@author}{\@title}% + \fi + \endgroup + \setcounter{footnote}{\fnnstart}% + \clearheadinfo} +% +\def\@maketitle{\newpage + \markboth{}{}% + \def\lastand{\ifnum\value{@inst}=2\relax + \unskip{} \andname\ + \else + \unskip \lastandname\ + \fi}% + \def\and{\stepcounter{@auth}\relax + \ifnum\value{@auth}=\value{@inst}% + \lastand + \else + \unskip, + \fi}% + \begin{center}% + \let\newline\\ + {\Large \bfseries\boldmath + \pretolerance=10000 + \@title \par}\vskip .8cm +\if!\@subtitle!\else {\large \bfseries\boldmath + \vskip -.65cm + \pretolerance=10000 + \@subtitle \par}\vskip .8cm\fi + \setbox0=\vbox{\setcounter{@auth}{1}\def\and{\stepcounter{@auth}}% + \def\thanks##1{}\@author}% + \global\value{@inst}=\value{@auth}% + \global\value{auco}=\value{@auth}% + \setcounter{@auth}{1}% +{\lineskip .5em +\noindent\ignorespaces +\@author\vskip.35cm} + {\small\institutename} + \end{center}% + } + +% definition of the "\spnewtheorem" command. +% +% Usage: +% +% \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font} +% or \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font} +% or \spnewtheorem*{env_nam}{caption}{cap_font}{body_font} +% +% New is "cap_font" and "body_font". It stands for +% fontdefinition of the caption and the text itself. +% +% "\spnewtheorem*" gives a theorem without number. +% +% A defined spnewthoerem environment is used as described +% by Lamport. +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\def\@thmcountersep{} +\def\@thmcounterend{.} + +\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}} + +% definition of \spnewtheorem with number + +\def\@spnthm#1#2{% + \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}} +\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}} + +\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname + {\@definecounter{#1}\@addtoreset{#1}{#3}% + \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand + \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}% + \expandafter\xdef\csname #1name\endcsname{#2}% + \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}% + \global\@namedef{end#1}{\@endtheorem}}} + +\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname + {\@definecounter{#1}% + \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}% + \expandafter\xdef\csname #1name\endcsname{#2}% + \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}% + \global\@namedef{end#1}{\@endtheorem}}} + +\def\@spothm#1[#2]#3#4#5{% + \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}% + {\expandafter\@ifdefinable\csname #1\endcsname + {\newaliascnt{#1}{#2}% + \expandafter\xdef\csname #1name\endcsname{#3}% + \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}% + \global\@namedef{end#1}{\@endtheorem}}}} + +\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@ +\refstepcounter{#1}% +\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}} + +\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}% + \ignorespaces} + +\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname + the#1\endcsname}{#5}{#3}{#4}\ignorespaces} + +\def\@spbegintheorem#1#2#3#4{\trivlist + \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4} + +\def\@spopargbegintheorem#1#2#3#4#5{\trivlist + \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5} + +% definition of \spnewtheorem* without number + +\def\@sthm#1#2{\@Ynthm{#1}{#2}} + +\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname + {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}% + \expandafter\xdef\csname #1name\endcsname{#2}% + \global\@namedef{end#1}{\@endtheorem}}} + +\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@ +\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}} + +\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces} + +\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1} + {#4}{#2}{#3}\ignorespaces} + +\def\@Begintheorem#1#2#3{#3\trivlist + \item[\hskip\labelsep{#2#1\@thmcounterend}]} + +\def\@Opargbegintheorem#1#2#3#4{#4\trivlist + \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }} + +\if@envcntsect + \def\@thmcountersep{.} + \spnewtheorem{theorem}{Theorem}[section]{\bfseries}{\itshape} +\else + \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape} + \if@envcntreset + \@addtoreset{theorem}{section} + \else + \@addtoreset{theorem}{chapter} + \fi +\fi + +%definition of divers theorem environments +\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily} +\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily} +\if@envcntsame % alle Umgebungen wie Theorem. + \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}} +\else % alle Umgebungen mit eigenem Zaehler + \if@envcntsect % mit section numeriert + \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[section]{#3}{#4}} + \else % nicht mit section numeriert + \if@envcntreset + \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4} + \@addtoreset{#1}{section}} + \else + \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4} + \@addtoreset{#1}{chapter}}% + \fi + \fi +\fi +\spn@wtheorem{case}{Case}{\itshape}{\rmfamily} +\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily} +\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape} +\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape} +\spn@wtheorem{example}{Example}{\itshape}{\rmfamily} +\spn@wtheorem{exercise}{Exercise}{\itshape}{\rmfamily} +\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape} +\spn@wtheorem{note}{Note}{\itshape}{\rmfamily} +\spn@wtheorem{problem}{Problem}{\itshape}{\rmfamily} +\spn@wtheorem{property}{Property}{\itshape}{\rmfamily} +\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape} +\spn@wtheorem{question}{Question}{\itshape}{\rmfamily} +\spn@wtheorem{solution}{Solution}{\itshape}{\rmfamily} +\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily} + +\def\@takefromreset#1#2{% + \def\@tempa{#1}% + \let\@tempd\@elt + \def\@elt##1{% + \def\@tempb{##1}% + \ifx\@tempa\@tempb\else + \@addtoreset{##1}{#2}% + \fi}% + \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname + \expandafter\def\csname cl@#2\endcsname{}% + \@tempc + \let\@elt\@tempd} + +\def\theopargself{\def\@spopargbegintheorem##1##2##3##4##5{\trivlist + \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5} + \def\@Opargbegintheorem##1##2##3##4{##4\trivlist + \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }} + } + +\renewenvironment{abstract}{% + \list{}{\advance\topsep by0.35cm\relax\small + \leftmargin=1cm + \labelwidth=\z@ + \listparindent=\z@ + \itemindent\listparindent + \rightmargin\leftmargin}\item[\hskip\labelsep + \bfseries\abstractname]} + {\endlist} + +\newdimen\headlineindent % dimension for space between +\headlineindent=1.166cm % number and text of headings. + +\def\ps@headings{\let\@mkboth\@gobbletwo + \let\@oddfoot\@empty\let\@evenfoot\@empty + \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}% + \leftmark\hfil} + \def\@oddhead{\normalfont\small\hfil\rightmark\hspace{\headlineindent}% + \llap{\thepage}} + \def\chaptermark##1{}% + \def\sectionmark##1{}% + \def\subsectionmark##1{}} + +\def\ps@titlepage{\let\@mkboth\@gobbletwo + \let\@oddfoot\@empty\let\@evenfoot\@empty + \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}% + \hfil} + \def\@oddhead{\normalfont\small\hfil\hspace{\headlineindent}% + \llap{\thepage}} + \def\chaptermark##1{}% + \def\sectionmark##1{}% + \def\subsectionmark##1{}} + +\if@runhead\ps@headings\else +\ps@empty\fi + +\setlength\arraycolsep{1.4\p@} +\setlength\tabcolsep{1.4\p@} + +\endinput +%end of file llncs.cls diff --git a/main.bib b/main.bib index 7a40207..b61e9e0 100644 --- a/main.bib +++ b/main.bib @@ -59,7 +59,6 @@ @inproceedings{cortier isbn = {9781450324854}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, -url = {https://doi.org/10.1145/2517840.2517852}, doi = {10.1145/2517840.2517852}, booktitle = {Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society}, pages = {131–142}, @@ -80,7 +79,6 @@ @InProceedings{boneh publisher="Springer Berlin Heidelberg", address="Berlin, Heidelberg", pages="30--43", -abstract="We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both El Gamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of bothsy stems.", isbn="978-3-540-44448-0" } @@ -91,8 +89,7 @@ @article{dimitriou pages = {107234}, year = {2020}, issn = {1389-1286}, -doi = {https://doi.org/10.1016/j.comnet.2020.107234}, -url = {https://www.sciencedirect.com/science/article/pii/S1389128619317414}, +doi = {10.1016/j.comnet.2020.107234}, author = {Tassos Dimitriou}, keywords = {Internet voting, Blockchains, Coercion resistance, Receipt-freeness, Universal verifiability, Commitments, }, } @@ -145,3 +142,25 @@ @InProceedings{groth_shuffle pages="263--280", isbn="978-3-642-29011-4" } + +@misc{electionguard, +author="Benaloh, Josh and Naehrig, Michael", +title="{E}lection{G}uard Specification v1.0", +howpublished={\url{https://www.electionguard.vote/spec/}} +} + +@misc{kryvos, + author = {Nicolas Huber and Ralf Kuesters and Toomas Krips and Julian Liedtke and Johannes Mueller and Daniel Rausch and Pascal Reisert and Andreas Vogt}, + title = {Kryvos: Publicly Tally-Hiding Verifiable E-Voting}, + howpublished = {Cryptology ePrint Archive, Paper 2022/1132}, + year = {2022}, + note = {\url{https://ia.cr/2022/1132}}, +} + +@misc{replay, + author = {David Mestel and Johannes Mueller and Pascal Reisert}, + title = {How Efficient are Replay Attacks against Vote Privacy? {A} Formal Quantitative Analysis}, + howpublished = {Cryptology ePrint Archive, Paper 2022/743}, + year = {2022}, + note = {\url{https://ia.cr/2022/743}}, +} diff --git a/main.tex b/main.tex index a94c934..a08ab0b 100644 --- a/main.tex +++ b/main.tex @@ -1,93 +1,76 @@ -\documentclass{article} -\usepackage[utf8]{inputenc} -\usepackage{amsmath,amssymb,amsthm,amsfonts} -\usepackage{hyperref} -\usepackage{authblk} +\documentclass{llncs} + +\pagestyle{plain} + +\usepackage{amsmath,amssymb,amsfonts} +\usepackage{bookmark} \newcommand{\G}{\mathbb{G}} \newcommand{\F}{\mathbb{F}} \newcommand{\func}[1]{\mathsf{#1}} -\title{Aura: private voting with reduced trust on tallying authorities} -\author[1,2]{Aram Jivanyan\thanks{Corresponding author: \texttt{aram@firo.org}}} -\author[3]{Aaron Feickert} -\affil[1]{Firo} -\affil[2]{Yerevan State University} -\affil[3]{Cypher Stack} -\date{\today} - \begin{document} +\title{Aura: private voting with reduced trust on tallying authorities} +\author{Aram Jivanyan\inst{1,2}\thanks{Corresponding author: \email{aram@firo.org}} \and Aaron Feickert\inst{3}} +\institute{Firo \and Yerevan State University \and Cypher Stack} \maketitle \begin{abstract} Electronic voting has long been an area of active and challenging research. Security properties relevant to physical voting in elections with a variety of threat models and priorities are often difficult to reproduce in cryptographic systems and protocols. - Existing work in this space often focuses on the privacy of ballot contents, assurances to voters that their votes are tabulated, and verification that election results are correct; however, privacy of voter identity is often offloaded to trust requirements on election organizers or tallying authorities, or implies other kinds of trust related to cryptographic construction instantiation. + Even in voting systems where ballot contents are private and results are verifiable, ballot anonymity is often offloaded to requirements of trusted parties. Here we introduce Aura, an election protocol that reduces trust on tallying authorities and organizers while ensuring voter privacy. - Ballots in Aura are dissociated from voter identity cryptographically, use verifiable encryption and threshold decryption to diffuse trust in tallying authorities, require no trusted setup for cryptographic primitives, and use efficient proving systems to reduce computation and communication complexity. - These properties make Aura a competitive candidate for use in a variety of applications where trust minimization is desirable or necessary. + Ballots in Aura are dissociated from voter identity cryptographically and use verifiable encryption and threshold decryption to mitigate trust in tallying authorities + Aura requires no trusted setups for cryptographic primitives and uses efficient proving systems to reduce computation and communication complexity. + These properties make Aura a competitive candidate for use in a variety of applications where verifiable trust minimization is desirable or necessary. \end{abstract} \section{Introduction} Electronic voting poses unique and systemic challenges in research, development, implementation, and deployment. -Unfortunately, most device-based voting machine methods currently in common use are commercial products developed without public expert input, broad auditing, documented protocols, or track records of security that hold up to close examination. - -Accountable online voting, where a so-called ``bulletin board'' of public ballots is employed for transparency and auditability, has inherently different trust and security requirements than closed machine-based techniques; in this case, ballot and election properties and tabulation methods must be secured cryptographically in order to achieve the required goals of a particular application. +Verifiable electronic voting, where a public election record is employed for transparency and auditability, has inherently different trust and security requirements than other legacy techniques; in this case, ballot and election properties and tabulation methods must be secured cryptographically in order to achieve the required goals of a particular application. -Requirements, risks, and threat models in elections are complex. -Voter anonymity is often required and reasonably guaranteed in physical elections, where ballots contain no identifying information about the voter at the time of tallying. -Avoidance of voter coercion and bribery may also be important in major elections; a voter entering a voting booth privately where photography is prohibited can prevent this in practice, but circumstances may differ significantly in the online case where ballots are publicly visible for audit purposes and a voter may cast its ballot from the device of its choosing. +Requirements, risks, and threat models in elections are complex and varied. +Ballot anonymity is often required and reasonably guaranteed in physical elections, where ballots contain no identifying information about the voter at the time of tallying. +Avoidance of voter coercion and bribery may also be important in major elections; a voter entering a voting booth alone where photography is prohibited can prevent this in practice, but this may not be case if the election is conducted online. \subsection{Requirements} Properties and requirements on voting protocols have long been the subject of interesting and evolving research, but as yet there does not appear to be a universal set of guidelines by which to analyze such constructions. -Since many properties and threat models of physical elections are challenging to precisely map to the digital realm, it is similarly challenging to precisely specify requirements that meet all use cases that could arise. Informally, we require the following properties: \begin{itemize} - \item \textbf{Public parameters}: We require that all cryptographic constructions be instantiated with only public verificable parameters, with no trusted parties required for setup (aside from election-specific trust requirements like voter registration). + \item \textbf{Public parameters}: Aside from election-specific trust requirements, all cryptographic constructions must use publicly-verifiable parameters. \item \textbf{Correctness}: A voter authorized for an election can cast a ballot that is included in the election result. \item \textbf{Universal verifiability}: Any observer can verify that all valid ballots are included in the final result, and that the result correctly represents only those ballots. \item \textbf{Vote privacy}: It is not possible for an observer to determine the vote associated with a valid ballot. \item \textbf{Voter anonymity}: It is not possible for an observer to determine the voter associated with a valid ballot, or if a particular voter voted at all. - \item \textbf{Ballot soundness}: It is not possible for a voter to cast a ballot included in the election result if: - \begin{itemize} - \item The voter is not authorized to vote in the election. - \item The voter has already cast a valid ballot. - \item The vote included in the ballot is not valid according to election rules. - \end{itemize} -\end{itemize} - -We mention separately an important but subtle property: -\begin{itemize} \item \textbf{Coercion resistance}: It is possible for a voter to privately cast multiple ballots that each invalidate any previous ballots. \end{itemize} -At face value, this appears to contradict ballot soundness. -However, we show later that it is possible to construct algorithms that permit voters to privately cast multiple ballots that are initially judged as valid by participants during the election, but later can be verifiably identified by talliers as re-votes, such that only the most recent ballot cast by the voter is included in the result. -Further, this process does not reveal the identity of the voter, so voter anonymity is maintained. -It is also possible to construct algorithms that do not allow for this type of coercion-resistant re-voting, should election rules or situations prohibit it. - -This property assumes the possibility that a voter may be bribed or coerced into voting a particular choice, but may be outside adversarial influence at a later time prior to the election ending. -Coercion resistance is often related to the idea of a receipt-free election, where a voter is not able to provide evidence of its vote to a third party at any time; while Aura does not have this property (a voter can store its randomness and recreate a ballot to show the third party), we consider the listed form of coercion resistance to be useful nonetheless. +Coercion resistance assumes the possibility that a voter may be bribed or coerced into voting a particular choice, but is outside adversarial influence at a later time prior to the election ending. +It is often related to the idea of a receipt-free election, where a voter is not able to provide evidence of its vote to a third party at any time; while Aura does not have this property, we consider the listed form of coercion resistance to be useful nonetheless. \subsection{Prior work} There is a large and growing body of research over several decades relating to security models and instantiations of electronic voting protocols using a variety of cryptographic techniques, but we do not attempt to provide a comprehensive review here. -Arguably the most relevant comparison to our current work is Helios, a popular deployed protocol for so-called ``boardroom" elections where many risks relevant to large-scale public elections are not present. +Arguably one of the most relevant comparisons to our current work is Helios, a popular deployed protocol for so-called ``boardroom" elections where many risks relevant to large-scale public elections are not present. The original Helios protocol \cite{helios} relies heavily on talliers, election organizers, and a central server; ballots are publicly linked to voter identity, and talliers act as a mixnet to shuffle ballots prior to decryption. Later work proposed an informally-described protocol update to Helios \cite{helios2} that replaces expensive verifiable shuffling with homomorphic ballot decryption and a set of proofs of ballot validity; however, individual ballots are still linked to voter identity. The research of \cite{cortier} introduces a straightforward verifiable ElGamal threshold cryptosystem for talliers that does not require a trusted dealer, and augments Helios to include this; however, the method provided is vulnerable to key cancellation and provides no particular guarantees on key validity. +Another relevant comparison is ElectionGuard, a well-specified protocol for verifiable elections \cite{electionguard} that includes more robust verifiable key generation and decryption. +However, it does not provide any particular verifiable guarantees on ballot anonymity, relying on election administrators to assert voter eligibility and decouple voter identity from ballot data. +Additionally, although it provides an option for ballot spoiling, this requires individual decryption of such ballots for verification. More recent investigations introduce complete voter privacy with different trust requirements, primarily using combinations of encrypted ballots and general zero-knowledge proving systems, to dissociate ballots from voter identity. For example, \cite{dimitriou} uses a zk-SNARK construction to anonymize ballots, and relies on organizer-supplied token randomizers as a form of coercion resistance; however, soundness and voter anonymity are compromised in the case of a malicious organizer producing the proving system common reference string. In Vote-SAVER \cite{saver}, voter anonymity is similarly provided by a zk-SNARK construction, and coercion resistance is achieved by having untrusted third parties conduct provable re-randomization; however, this crucially relies on proving system malleability, and therefore is currently limited (to our knowledge) to proving systems where soundness depends on a trusted organizer to produce a non-malicious common reference string. +More recent work like Kryvos \cite{kryvos} examines more complex voting methods and adds partial or full hiding of tally details, but soundness depends on trusted organizers and proofs are large. \subsection{Contribution} @@ -98,7 +81,8 @@ \subsection{Contribution} In Aura, all cryptographic components may be instantiated with public verifiable parameters. Keys used by voters can be generated by voters themselves, and the key used for decrypting election results is constructed by tally authorities in a distributed and verifiable manner that does not require a trusted dealer. Ballots are dissociated from voter identity using voter-produced provable re-randomization and a set membership proof, and ballot validity is asserted by a combination of verifiable ElGamal encryption and a bit vector proving system. -Even in the case of collusion between talliers (and even organizers) to decrypt individual ballots, voter anonymity is perfectly retained; and while multiple vote attempts by a voter can be reliably detected, this process occurs after the close of the election, and allows for safer mitigation of voter coercion by permitting such a voter to invalidate a coerced ballot anonymously. +Even in the case of collusion between talliers (and even organizers) to decrypt individual ballots, voter anonymity is perfectly retained; and while multiple vote attempts by a voter can be reliably detected, this process occurs after the close of the election, and allows for safer mitigation of voter coercion by permitting such a voter to invalidate a coerced ballot anonymously and without revealing its contents. +The careful use of proving systems for ballot anonymity and coercion resistance additionally prevents votes cast in replay attacks from succeeding with either identical or malleated ballot data \cite{replay}. Aura uses constructions supporting efficient operations. The one-of-many proving system used to assert voter anonymity supports batch verification that greatly reduces the marginal complexity of verification, and scales extremely well in proof size even with a large number of voters. @@ -110,48 +94,32 @@ \subsection{Contribution} \section{Cryptographic primitives} In this section, we describe the cryptographic constructions required for the Aura election protocol. +Throughout these descriptions, let $\G$ be a prime-order group where the discrete logarithm and decisional Diffie-Hellman problems are hard, and let $\F$ be its scalar field. \subsection{Distributed verifiable threshold ElGamal encryption} -Aura requires a distributed verifiable threshold ElGamal cryptosystem. -Such a system requires several important properties. -Unlike in some threshold cryptosystems, key generation must be fully distributed and not require a trusted dealer. -Additionally, the validity of the key generation must be publicly verifiable, such that distributed knowledge of valid key shares is asserted. -Finally, it must be possible to produce proofs of valid encryption and decryption of messages with public verification. - -There are several algorithms used in such a construction: -\begin{itemize} - \item $\func{KeyGen}$: This algorithm is run by each keyholder to generate a key share and a proof of validity. - \item $\func{VerifyKeyGen}$: This algorithm is run by any verifier to assert the validity of key shares and use them to assemble the corresponding group key. - \item $\func{Encrypt}$: This algorithm is run by any entity, and encrypts a scalar-valued message for a given public ElGamal key. - It also produces a proof that the encryption is valid for the public key. - \item $\func{VerifyEncrypt}$: This algorithm is run by any verifier, and asserts that a given encryption is valid. - \item $\func{PartialDecrypt}$: This algorithm is run by a keyholder. - It produces a partial decryption of an ElGamal ciphertext message, and a proof of validity. - \item $\func{VerifyDecrypt}$: This algorithm is run by any verifier. - It uses partial decryptions to produce a plaintext message, and asserts that each partial decryption is valid. -\end{itemize} -We note that while these algorithms need not be specific to threshold operations, our construction is, and requires a given threshold of keyholders to produce a successful decryption. +Aura requires a distributed verifiable threshold ElGamal cryptosystem, where a cohort of designated parties is required to decrypt messages. +In such a construction, we require that key generation be fully distributed with no trusted parties. +Further, the validity of key generation, encryption, and decryption must be verifiable. The construction we describe here is based on that of \cite{cortier}, which describes a distributed threshold design intended for use in Helios. However, that construction is vulnerable to key cancellation attacks, does not assert proper joint key representation, and uses verification keys that (if maliciously crafted) do not allow for publicly-verifiable decryption. Further, the design is generic to support arbitrary group elements as messages, which is not secure in general \cite{boneh}; while its overlying protocol does not fall victim to this problem by the nature of its construction, the general design is vulnerable. -Fortunately, the nature of Aura ballots is such that small scalar-valued messages are required, so recovery of such messages after decryption is trivial using brute-force methods not subject to denial-of-service attacks. -We therefore modify the design to address these shortco\text{min}gs, specify abort points in the protocol, and indicate simplifications where possible. +We modify the design to address these shortcomings, specify abort points in the protocol, and indicate simplifications where possible. -Let $pp_{\text{enc}} = (\G, \F, G, \{H_i\}_{i=0}^{k-1}, k, t, \nu)$ be the public parameters for such a cryptosystem, where $\G$ is a prime-order group where the discrete logarithm problem is hard, $\F$ is its scalar field, $G, \{H_i\}_{i=0}^{k-1} \in \G$ are generators with no efficiently-computable discrete logarithm relationship, $k > 0$ is the number of valid message generators, $t$ is the threshold of keyholders required for decryption, and $\nu$ is the total number of keyholders (so $1 \leq t \leq \nu)$. +Let $pp_{\text{enc}} = (\G, \F, G, \{H_i\}_{i=0}^{k-1}, k, t, \nu)$ be the public parameters for the construction, where $G, \{H_i\}_{i=0}^{k-1} \in \G$ are independent generators, $k > 0$ is the number of valid message generators, $t$ is the threshold of keyholders required for decryption, and $\nu$ is the total number of keyholders (so $1 \leq t \leq \nu)$. We assume that $pp_{\text{enc}}$ is available to all algorithms, which we describe now: \begin{itemize} \item $\func{KeyGen}(\alpha) \mapsto (Y_\alpha, \Pi_\alpha^{\text{key}})$: The function takes as input a player index $1 \leq \alpha \leq \nu$. It does the following: \begin{enumerate} - \item Chooses a set $\{a_{\alpha,j}\}_{j=0}^{t-1} \subset \F$ of scalars uniformly at random, and defines the polynomial $$f_\alpha(x) = \sum_{j=0}^{t-1} a_{\alpha,j}x^j$$ and vector $C_\alpha = \{C_{\alpha,j}\}_{j=0}^{t-1} = \{a_{\alpha,j}G\}_{j=0}^{t-1}$ using these values. + \item Chooses a set $\{a_{\alpha,j}\}_{j=0}^{t-1} \subset \F$ of scalars uniformly at random, and defines the polynomial \[ f_\alpha(x) = \sum_{j=0}^{t-1} a_{\alpha,j}x^j\] and vector $C_\alpha = \{C_{\alpha,j}\}_{j=0}^{t-1} = \{a_{\alpha,j}G\}_{j=0}^{t-1}$ using these values. \item Produces a proof of representation $\Pi_\alpha^{\text{rep}} = \func{RepProve}(G, C_{\alpha,0} ; a_{\alpha,0})$, and sends the tuple $(C_\alpha, \Pi_\alpha^{\text{rep}})$ to all other players. \item On receipt of such a tuple $(C_\beta, \Pi_\beta^{\text{rep}})$ from another player $\beta$, verifies that $\func{RepVerify}(\Pi_\beta^{\text{rep}}, G, C_\beta) = 1$, and aborts otherwise. \item For each $1 \leq \beta \leq \nu$, computes a value $y_{\alpha, \beta} = f_\alpha(\beta)$ and sends it to player $\beta$. - \item On receipt of such a value $y_{\beta,\alpha}$ from another player $\beta$, checks that $$\sum_{j=0}^{t-1} C_{\beta,j} = y_{\beta,\alpha}G$$ and aborts otherwise. - \item Computes its private key share $$y_\alpha = \sum_{\beta=1}^{\nu} y_{\beta,\alpha}$$ and public key share $Y_\alpha = y_\alpha G$ and public group key $$Y = \sum_{\beta=1}^{\nu} C_{\beta,0}.$$ + \item On receipt of such a value $y_{\beta,\alpha}$ from another player $\beta$, checks that \[ \sum_{j=0}^{t-1} C_{\beta,j} = y_{\beta,\alpha}G \] and aborts otherwise. + \item Computes its private key share \[ y_\alpha = \sum_{\beta=1}^{\nu} y_{\beta,\alpha} \] and public key share $Y_\alpha = y_\alpha G$ and public group key \[ Y = \sum_{\beta=1}^{\nu} C_{\beta,0}. \] \item Produces a proof of representation $\Pi_\alpha^{\text{key}} = \func{RepProve}(G, Y_\alpha ; y_\alpha)$. \end{enumerate} The function outputs $(Y_\alpha, \Pi_\alpha^{\text{key}})$. @@ -169,18 +137,18 @@ \subsection{Distributed verifiable threshold ElGamal encryption} \begin{enumerate} \item Chooses a nonce $r \in \F$ uniformly at random. \item Sets $D = rG$ and $E = rY + mH_i$. - \item Produces a proof of encryption: $$\Pi_{\text{enc}} = \func{EncValProve}(G, Y, H_i, D, E ; (r, m))$$ + \item Produces a proof of encryption: \[ \Pi_{\text{enc}} = \func{EncValProve}(G, Y, H_i, D, E ; (r, m)) \] \end{enumerate} The function outputs $(D, E, \Pi_{\text{enc}})$. \item $\func{VerifyEncrypt}(Y, i, D, E, \Pi_{\text{enc}}) \mapsto \{0, 1\}$: The function takes as input an ElGamal public key $Y$, message generator index $0 \leq i < k$, ElGamal ciphertext $(D, E)$, and a proof of encryption. - If $$\func{EncValVerify}(\Pi_{\text{enc}}, G, Y, H_i, D, E) = 1$$ it outputs $1$; otherwise, it outputs $0$. + If \[ \func{EncValVerify}(\Pi_{\text{enc}}, G, Y, H_i, D, E) = 1 \] it outputs $1$; otherwise, it outputs $0$. \item $\func{PartialDecrypt}(y_\alpha, D, E) \mapsto (R_\alpha, \Pi_\alpha^{\text{dec}})$: The function takes as input a private key share $y_\alpha$ and ElGamal ciphertext $(D, E)$. It does the following: \begin{enumerate} \item Computes $R_\alpha = y_\alpha D$. - \item Produces a proof of discrete logarithm equality: $$\Pi_\alpha^{\text{dec}} = \func{EqProve}(D, G, R_\alpha, y_\alpha G ; y_\alpha)$$ + \item Produces a proof of discrete logarithm equality: \[ \Pi_\alpha^{\text{dec}} = \func{EqProve}(D, G, R_\alpha, y_\alpha G ; y_\alpha) \] \end{enumerate} The function outputs $(R_\alpha, \Pi_\alpha^{\text{dec}})$. @@ -189,95 +157,62 @@ \subsection{Distributed verifiable threshold ElGamal encryption} It does the following: \begin{enumerate} \item For each $1 \leq j \leq t$, checks that $\func{EqVerify}(\Pi_j^{\text{dec}}, D, G, R_j, Y_j) = 1$, and aborts otherwise. - \item For each $1 \leq j \leq t$, computes the corresponding Lagrange coefficient: $$\lambda_j = \prod_{i=1, i \neq j}^t \frac{i}{i - j}$$ - \item Computes the following: $$M = E - \sum_{j=1}^t \lambda_j R_j$$ + \item For each $1 \leq j \leq t$, computes the corresponding Lagrange coefficient: \[ \lambda_j = \prod_{i=1, i \neq j}^t \frac{i}{i - j} \] + \item Computes the following: \[ M = E - \sum_{j=1}^t \lambda_j R_j \] \item Uses brute force (or another appropriate computational method) to find $m \in \F$ such that $mH = M$. \end{enumerate} The function outputs $m$. \end{itemize} -\subsection{Bit vector commitment proving system} +\subsection{Proving systems} + +We require several proving systems for use in Aura. +Each can be instantiated non-interactively, either by instantiations cited, or using standard Schnorr-type representation proof techniques. +Each is provable to be complete, special sound, and special honest-verifier zero knowledge. +For each proving system, we list the public parameters, relevant relation, and prover and verifier functions; we omit the specific instantiations. + -We require a proving system that, given a group element, proves in zero knowledge that it is a Pedersen vector commitment to a ``bit sequence'' of field elements in the set $\{0,1\}$ whose sum is a given value. -In the context of the Aura protocol, this proving system efficiently shows that a set of ballot ciphertexts encrypt valid choices according to election rules, described later. +\subsubsection{Bit vector commitment proving system} -Let $pp_{\text{bit}} = \left( \G, \F, w, k, \{G_i\}_{i=0}^{k-1}, H \right)$ be the public parameters for such a proving system. -Here $\G$ is a prime-order group where the discrete logarithm problem is hard, $\F$ is its scalar field, $w$ and $k$ are positive integers, and the elements $\{G_i\}_{i=0}^{k-1}, H \in \G$ are generators with no efficiently-computable discrete logarithm relationship. -The proving system itself is a sigma protocol for the relation +This proving system asserts that a given group element is a Pedersen vector commitment to elements in the set $\{0,1\}$ whose sum is a specified value. +The public parameters are $pp_{\text{bit}} = \left( \G, \F, w, k, \{G_i\}_{i=0}^{k-1}, H \right)$, where $w, k > 0$ and $\{G_i\}_{i=0}^{k-1}, H \in \G$ are independent generators. +The relation is the following: \begin{multline*} \mathcal{R}_{\text{bit}} = \left\{ pp_{\text{bit}}, B \in \G ; \{b_i\}_{i=0}^{k-1}, r \in \F : B = rH + \sum_{i=0}^{k-1} b_i G_i, \right. \\ \left. b_i \in \{0,1\} \forall i \in [0,k), \sum_{i=0}^{k-1} b_i = w \right\} \end{multline*} -that is complete, special honest-verifier zero knowledge, and special sound. - -Any public-coin instantiation of an interactive protocol for this relation can be made non-interactive by applying the (strong) Fiat-Shamir transform. -For the non-interactive protocol, define the following prover and verifier algorithms for $\mathcal{R}_{\text{bit}}$, assu\text{min}g fixed parameters $pp_{\text{bit}}$ have already been selected: +The relevant algorithms are the following: \begin{itemize} - \item $\func{BitProve}\left( B ; \{b_i\}_{i=0}^{k-1}, r \right) \mapsto \Pi_{\text{bit}}$ accepts as input statement and witness elements, and outputs a proof. - \item $\func{BitVerify}\left( \Pi_{\text{bit}}, B \right) \mapsto \{0, 1\}$ accepts as input a proof and statement elements, and outputs a bit to indicate whether or not the proof is valid. + \item $\func{BitProve}\left( B ; \{b_i\}_{i=0}^{k-1}, r \right) \mapsto \Pi_{\text{bit}}$ + \item $\func{BitVerify}\left( \Pi_{\text{bit}}, B \right) \mapsto \{0, 1\}$ \end{itemize} +A simple generalization of an existing proving system by Bootle \textit{et al.} may be used as an instantiation of the required proving system \cite{bootle}. +For completeness, we include a full description of the generalization in Appendix \ref{app:bit}. -We describe here a simple generalization of an existing proving system by Bootle \textit{et al.} that originally was used to show that the bit sequence elements sum to the fixed value $1$, and is an instantiation of the required proving system \cite{bootle}. -For completeness, we describe the full interactive protocol here. - -\begin{enumerate} -\item The prover selects $r_A, r_C, r_D, \{a_i\}_{i=1}^{k-1} \in \F$ uniformly at random, and sets $$a_0 = -\sum_{i=1}^{k-1} a_i.$$ -\item The prover computes the Pedersen vector commitments -\begin{alignat*}{1} - A &= r_A H + \sum_{i=0}^{k-1} a_i G_i \\ - C &= r_C H + \sum_{i=0}^{k-1} a_i(1 - 2b_i)G_i \\ - D &= r_D H - \sum_{i=0}^{k-1} a_i^2 G_i -\end{alignat*} -and sends $A, C, D$ to the verifier. -\item The verifier selects a challenge $x \in \F$ uniformly at random, and sends $x$ to the prover. -\item For each $i \in [1,k)$, the prover sets $f_i = b_i x + a_i$. -The prover also sets $z_A = rx + r_A$ and $z_C = r_C x + r_D$, and sends $\{f_i\}_{i=1}^{k-1}, z_A, z_C$ to the verifier. -\item The verifier sets $$f_0 = wx - \sum_{i=1}^{k-1} f_i$$ and accepts the proof if and only if the following hold: -\begin{alignat*}{1} - A + xB &= z_A H + \sum_{i=0}^{k-1} f_i G_i \\ - xC + D &= z_C H + \sum_{i=0}^{k-1} f_i(x - f_i)G_i -\end{alignat*} -\end{enumerate} - - -\subsection{Commitment set proving system} - -We require a proving system that, given a set of group elements, proves in zero knowledge that one of them is a Pedersen commitment to zero. -More specifically, we also include an ``offset'' group element that is subtracted from each element of the set first as a re-randomization of a nonzero input commitment, which is helpful for computational efficiency in practice. -In the context of the Aura protocol, this proving system asserts that a ballot was produced by an eligible voter without revealing the voter's identity.\footnote{We stress that other forms of external information, like ti\text{min}g or network data, may leak information about voter identity; here we assert voter anonymity in a cryptographic context.} -Let $pp_{\text{set}} = (\G, \F, G, H, n, m)$ be the public parameters for such a proving system. -Here $\G$ is a prime-order group where the discrete logarithm problem is hard, $\F$ is its scalar field, $G, H \in \G$ are generators with no efficiently-computable discrete logarithm relationship, and $n, m > 1$ are integers. -For notation convenience, let $N = n^m$. -The proving system itself is a sigma protocol for the relation -$$\mathcal{R}_{\text{set}} = \left\{ pp_{\text{set}}, \{C_i\}_{i=0}^{N-1}, C' \in \G ; l \in [0,N), r \in \F : C_l - C' = rH \right\}$$ -that is complete, special honest-verifier zero knowledge, and special sound. +\subsubsection{Commitment set proving system} -Any public-coin instantiation of an interactive protocol for this relation can be made non-interactive by applying the (strong) Fiat-Shamir transform. -For the non-interactive protocol, define the following prover and verifier algorithms for $\mathcal{R}_{\text{set}}$, assu\text{min}g fixed parameters $pp_{\text{set}}$ have already been selected: +This proving system asserts that some group element in a given set is, when offset by another group element, a Pedersen commitment to zero. +The public parameteres are $pp_{\text{set}} = (\G, \F, G, H, n, m)$, where $n, m > 1$ and $G, H$ are independent generators. +Let $N = n^m$. +The relation is the following: +\[ \mathcal{R}_{\text{set}} = \left\{ pp_{\text{set}}, \{C_i\}_{i=0}^{N-1}, C' \in \G ; l \in [0,N), r \in \F : C_l - C' = rH \right\} \] +The relevant algorithms are the following: \begin{itemize} - \item $\func{SetProve}\left( \{C_i\}_{i=0}^{N-1}, C' ; l, r \right) \mapsto \Pi_{\text{set}}$ accepts as input statement and witness elements, and outputs a proof. - \item $\func{SetVerify}\left( \Pi_{\text{set}}, \{C_i\}_{i=0}^{N-1}, C' \right) \mapsto \{0, 1\}$ accepts as input a proof and statement elements, and outputs a bit to indicate whether or not the proof is valid. + \item $\func{SetProve}\left( \{C_i\}_{i=0}^{N-1}, C' ; l, r \right) \mapsto \Pi_{\text{set}}$ + \item $\func{SetVerify}\left( \Pi_{\text{set}}, \{C_i\}_{i=0}^{N-1}, C' \right) \mapsto \{0, 1\}$ \end{itemize} - -The one-of-many proving system in \cite{bootle}, with a simple modification as done in \cite{spark}, may be used for this purpose. +The proving system in \cite{bootle}, with a simple modification as done in \cite{spark}, may be used for this purpose. -\subsection{Other proving systems} - -We require several other simple proving systems relating to assertions of representation and discrete logarithm equality that are used by other cryptographic primitives in Aura. -Each such proving system has a standard Schnorr-type non-interactive instantiation provable to be complete, special sound, and special honest-verifier zero knowledge. - -For each proving system, we list the public parameters, relevant relation, and prover and verifier functions; we omit the specific instantiations. - \subsubsection{Representation proving system} This proving system asserts knowledge of a group element representation. -The public parameters are $pp_{\text{rep}} = (\G, \F)$, where $\G$ is a prime-order group where the discrete logarithm problem is hard, and $\F$ is its scalar field. +The public parameters are $pp_{\text{rep}} = (\G, \F)$. The relation is the following: -$$\mathcal{R}_{\text{rep}} = \{ pp_{\text{rep}}, \{G_i\}_{i=0}^{n-1}, Y ; \{y_i\}_{i=0}^{n-1} : Y = \sum_{i=0}^{n-1} y_i G_i \}$$ +\[ \mathcal{R}_{\text{rep}} = \{ pp_{\text{rep}}, \{G_i\}_{i=0}^{n-1}, Y ; \{y_i\}_{i=0}^{n-1} : Y = \sum_{i=0}^{n-1} y_i G_i \} \] The relevant algorithms are the following: \begin{itemize} \item $\func{RepProve}(\{G_i\}_{i=0}^{n-1}, Y ; \{y_i\}_{i=0}^{n-1}) \mapsto \Pi_{\text{rep}}$ @@ -288,9 +223,9 @@ \subsubsection{Representation proving system} \subsubsection{Encryption validity proving system} This proving system asserts a valid ElGamal encryption using a specific representation assertion. -The public parameters are $pp_{\text{val}} = (\G, \F)$, where $\G$ is a prime-order group where the discrete logarithm problem is hard, and $\F$ is its scalar field. +The public parameters are $pp_{\text{val}} = (\G, \F)$. The relation is the following: -$$\mathcal{R}_{\text{val}} = \{ pp_{\text{enc}}, G, Y, H, D, E ; (r, m) : D = rG, E = mY + rH \}$$ +\[ \mathcal{R}_{\text{val}} = \{ pp_{\text{enc}}, G, Y, H, D, E ; (r, m) : D = rG, E = mY + rH \} \] The relevant algorithms are the following: \begin{itemize} \item $\func{EncValProve}(G, Y, H, D, E ; r, m) \mapsto \Pi_{\text{enc}}$ @@ -301,7 +236,7 @@ \subsubsection{Encryption validity proving system} \subsubsection{Serial validity proving system} This proving system asserts a valid ElGamal encryption using a specific representation assertion matches a particular partial commitment opening. -The public parameters are $pp_{\text{ser}} = (\G, \F)$, where $\G$ is a prime-order group where the discrete logarithm problem is hard, and $\F$ is its scalar field. +The public parameters are $pp_{\text{ser}} = (\G, \F)$. The relation is the following: \begin{multline*} \mathcal{R}_{\text{ser}} = \left\{ pp_{\text{ser}}, F, G, H, Y, C, D, E ; (s, r, r') : \right. \\ @@ -317,9 +252,9 @@ \subsubsection{Serial validity proving system} \subsubsection{Discrete logarithm equality proving system} This proving system asserts two group elements share the same discrete logarithm with respect to specified generators. -The public parameters are $pp_{\text{eq}} = (\G, \F)$, where $\G$ is a prime-order group where the discrete logarithm problem is hard, and $\F$ is its scalar field. +The public parameters are $pp_{\text{eq}} = (\G, \F)$. The relation is the following: -$$\mathcal{R}_{\text{eq}} = \{ pp_{\text{eq}}, G, H, Y, Y' ; y : Y = yG, Y' = yH \}$$ +\[ \mathcal{R}_{\text{eq}} = \{ pp_{\text{eq}}, G, H, Y, Y' ; y : Y = yG, Y' = yH \} \] The relevant algorithms are the following: \begin{itemize} \item $\func{EqProve}(G, H, Y, Y' ; y) \mapsto \Pi_{\text{eq}}$ @@ -343,36 +278,18 @@ \section{Protocol} \subsection{Overview} There are several types of entities in Aura that interact during the election process. +Organizers set protocol parameters for elections, voters, and talliers. +Voters cast ballots in elections. +Talliers collaboratively compute and publish results at the end of elections. +Verifiers assert that elections and results are valid. -\begin{itemize} - \item \textbf{Organizers} set up protocol parameters, elections, voters, and talliers. - This role may be separated based on specific application needs and trust requirements. - \item \textbf{Voters} cast ballots in elections. - \item \textbf{Talliers} collaboratively compute and publish results at the end of elections. - \item \textbf{Verifiers} assert that the setup, ballots, and tallier results are complete, accurate, and valid. - Any entity or participant can act as a verifier. -\end{itemize} -We also assume a public bulletin board $\mathcal{B}$ is used to store all public data; this includes election parameters, keys, ballots, tally data, and other information. -The instantiation of $\mathcal{B}$ is especially suited for a blockchain-type construction for which modification or erasure of posted data is infeasible. - -An election consists of several steps, represented by algorithms that we describe in detail later. - -\begin{itemize} - \item $\func{SetupElection}$: This algorithm is run by organizers and sets up $\mathcal{B}$, outputs public parameters for the election, identifies authorized voters in the election, and selects talliers. - \item $\func{SetupTally}$: This algorithm is run by talliers and sets up the threshold keys used for result decryption. - \item $\func{SetupVoter}$: This algorithm is run by voters and sets up the ballot keys used to cast ballots. - \item $\func{VerifySetup}$: This algorithm can be run by any network participant to check the correctness of the setup processes. - \item $\func{Vote}$: This algorithm is run by voters; it produces a ballot and submits it to $\mathcal{B}$. - \item $\func{VerifyBallot}$: This algorithm is run by voters or any other network participant; it checks that a ballot is valid. - \item $\func{Tally}$: This algorithm is run by talliers after the election concludes; it produces the results of the election. - \item $\func{VerifyTally}$: This algorithm is run by verifiers after the results are produced; it asserts that the results represent all valid ballots correctly. -\end{itemize} - -In cases where the trust model for an election differs from that implied here, the setup algorithms may differ, and yield different analysis. +We assume a public bulletin board $\mathcal{B}$ is used to store election data. +The instantiation of $\mathcal{B}$ is especially suited for a blockchain-type construction for which modification or erasure of posted data is computationally infeasible. \subsection{Algorithms} +An election consists of several steps, represented by algorithms that we describe in detail here. We assume that the organizer, the talliers, and all voters possess signing keys (with corresponding verification keys) for the unforgeable signature scheme, which can be used to sign and verify arbitrary messages to authenticate them. The distribution of such keys is outside the scope of this protocol. @@ -460,7 +377,7 @@ \subsubsection{\texorpdfstring{$\func{Vote}$}{Vote}} \right. \end{displaymath} and $k_{\text{min}} \leq \sum_{j=0}^{k-1} c_{i,j} \leq k_{\text{max}}$. - \item For $j \in [0,k)$, encrypts each choice by setting $(D_{i,j}, E_{i,j}, \Pi_{\text{enc},i,j}) = \func{Encrypt}(c_{i,j}, j, Y)$. + \item For $j \in [0,k)$, encrypts each choice by setting \[ (D_{i,j}, E_{i,j}, \Pi_{\text{enc},i,j}) = \func{Encrypt}(c_{i,j}, j, Y). \] \item For $j \in [k,k')$, extends the vector $c_i$ by setting \begin{displaymath} c_{i,j} = \left\{ @@ -470,19 +387,19 @@ \subsubsection{\texorpdfstring{$\func{Vote}$}{Vote}} \end{array} \right. \end{displaymath} - for padding purposes, and computes encryptions $(D_{i,j}, E_{i,j}, \Pi_{\text{enc},i,j}) = \func{Encrypt}(c_{i,j}, j, Y)$. - \item Computes a bit vector commitment proof $$\Pi_{\text{bit},i} = \func{BitProve}\left( \sum_{j=0}^{k'-1} E_{i,j} ; \{c_{i,j}\}_{j=0}^{k'-1}, r \right),$$ where $r$ is the sum of all nonces used in encryption proofs for $j \in [0,k'-1)$. + for padding purposes, and computes encryptions \[ (D_{i,j}, E_{i,j}, \Pi_{\text{enc},i,j}) = \func{Encrypt}(c_{i,j}, j, Y). \] + \item Computes a bit vector commitment proof \[ \Pi_{\text{bit},i} = \func{BitProve}\left( \sum_{j=0}^{k'-1} E_{i,j} ; \{c_{i,j}\}_{j=0}^{k'-1}, r \right), \] where $r$ is the sum of all nonces used in encryption proofs for $j \in [0,k'-1)$. \item Chooses a nonce $r_i' \in \F$ uniformly at random, and computes the serial offset $C_i' = s_i G + r_i' H$. \item Encrypts the ballot serial number by choosing a nonce $r_i'' \in \F$ uniformly at random and computing $D_i' = r_i'' G$ and $E_i' = s_i F + r_i'' Y$. \item Assembles $\overline{C}$ to be the set of all voter commitments $\{C_i\}$ corresponding to voter verification keys in $L_{\text{voters}}$, and generates a commitment set proof - $$\Pi_{\text{set},i} = \func{SetProve}\left(\overline{C}, C_i' ; l_i, r_i - r_i' \right)$$ + \[ \Pi_{\text{set},i} = \func{SetProve}\left(\overline{C}, C_i' ; l_i, r_i - r_i' \right) \] where $\overline{C}_{l_i} = C_i$. \item Assembles a ballot tuple: - $$B_i = \left( pp, (D_{i,j}, E_{i,j}, \Pi_{\text{enc},i,j})_{j=0}^{k'-1}, \Pi_{\text{bit},i}, C_i', D_i', E_i', \Pi_{\text{set},i} \right)$$ + \[ B_i = \left( pp, (D_{i,j}, E_{i,j}, \Pi_{\text{enc},i,j})_{j=0}^{k'-1}, \Pi_{\text{bit},i}, C_i', D_i', E_i', \Pi_{\text{set},i} \right) \] \item Generates a proof of serial number validity - $$\Pi_{\text{ser},i} = \func{SerValProve}(F, G, H, Y, C_i', D_i', E_i' ; s_i, r_i', r_i'')$$ + \[ \Pi_{\text{ser},i} = \func{SerValProve}(F, G, H, Y, C_i', D_i', E_i' ; s_i, r_i', r_i'') \] that binds $B_i$ to its initial transcript. - \item Posts the ballot tuple $B_i$ and binding proof $\Pi_{\text{ser},i}$ to $\mathcal{B}$ as the voter's anonymized and authenticated ballot. + \item Posts the ballot tuple $B_i$ and binding proof $\Pi_{\text{ser},i}$ to $\mathcal{B}$. \end{enumerate} If the voter is coerced or bribed to submit a ballot of an adversary's choice, the voter may cast another ballot once outside of the adversary's influence by repeating these steps. @@ -493,12 +410,12 @@ \subsubsection{\texorpdfstring{$\func{Vote}$}{Vote}} \subsubsection{\texorpdfstring{$\func{VerifyBallot}$}{VerifyBallot}} Given a semantically-correct ballot (without explicit voter index $i$) of the form -$$B = \left( (D_j, E_j, \Pi_{\text{enc},j})_{j=0}^{k'-1}, \Pi_{\text{bit}}, C', D', E', \Pi_{\text{set}} \right),$$ +\[ B = \left( (D_j, E_j, \Pi_{\text{enc},j})_{j=0}^{k'-1}, \Pi_{\text{bit}}, C', D', E', \Pi_{\text{set}} \right), \] any verifier does the following: \begin{enumerate} \item Checks that $\func{SerValVerify}(\Pi_{\text{ser}}, F, G, H, Y, C', D', E') \mapsto 1$ using $B$ as a transcript binding, and aborts otherwise. \item For each $j \in [0,k')$, checks that $\func{VerifyEncrypt}(Y, j, D_j, E_j, \Pi_{\text{enc},j}) \mapsto 1$, and aborts otherwise. - \item Checks that $$\func{BitVerify}\left( \Pi_{\text{bit}}, \sum_{j=0}^{k'-1} E_j \right) \mapsto 1,$$ and aborts otherwise. + \item Checks that \[ \func{BitVerify}\left( \Pi_{\text{bit}}, \sum_{j=0}^{k'-1} E_j \right) \mapsto 1, \] and aborts otherwise. \item Assembles the set $\overline{C}$ as in $\func{Vote}$, checks that $\func{SetVerify}(\Pi_{\text{set}}, \overline{C}, C') \mapsto 1$, and aborts otherwise. \end{enumerate} @@ -509,8 +426,8 @@ \subsubsection{\texorpdfstring{$\func{Tally}$}{Tally}} Assume a set of $t$ talliers indexed $1 \leq j \leq t$. Each such tallier does the following for each valid ballot $i$ appearing on $\mathcal{B}$: \begin{enumerate} - \item Runs $\func{PartialDecrypt}(y_j, D_i', E_i') \mapsto (R_{\text{ser},i,j}, \Pi_{\text{ser},i,j})$, and posts the tuple $(R_{\text{ser},i,j}, \Pi_{\text{ser},i,j}^{\text{dec}})$ to $\mathcal{B}$ as an authenticated message signed with its tallier signing key from $L_{\text{tally}}$. - \item After receiving all such partial decryptions from the threshold cohort and verifying the authenticated messages, partially (without attempting to brute-force the final decryption) runs $$\func{VerifyDecrypt}(D_i', E_i', \{j, Y_j, R_{\text{ser},i,j}^{\text{dec}}, \Pi_{\text{ser},i,j}\}_{j=1}^t)$$ to obtain a serial number public key $S_i \in \G$. + \item Runs $\func{PartialDecrypt}(y_j, D_i', E_i') \mapsto (R_{\text{ser},i,j}, \Pi_{\text{ser},i,j})$, and posts this tuple to $\mathcal{B}$ as an authenticated message signed with its tallier signing key from $L_{\text{tally}}$. + \item After receiving all such partial decryptions from the threshold cohort and verifying the authenticated messages, partially (without attempting to brute-force the final decryption) runs \[ \func{VerifyDecrypt}(D_i', E_i', \{j, Y_j, R_{\text{ser},i,j}^{\text{dec}}, \Pi_{\text{ser},i,j}\}_{j=1}^t) \] to obtain a serial number public key $S_i \in \G$. \item Verifies the signature on the ballot $i$ using $S_i$ as the verification public key (against generator $F$). \item If $S_i$ appears with any other valid ballot, discard all but the most recent such ballot, according to bulletin board ordering. \end{enumerate} @@ -519,8 +436,8 @@ \subsubsection{\texorpdfstring{$\func{Tally}$}{Tally}} The talliers now verifiably produce the tally of all $N_{\text{valid}}$ such ballots. Each tallier with index $1 \leq j \leq t$ does the following: \begin{enumerate} - \item For each $l \in [0,k)$, computes the ballot sums for choice $l$ by setting $$\overline{D}_l = \sum_{i=0}^{N_{\text{valid}}-1} D_{i,l}$$ and $$\overline{E}_l = \sum_{i=0}^{N_{\text{valid}}-1} E_{i,l},$$ and partially decrypting the sums: - $$\func{PartialDecrypt}(y_j, \overline{D}_l, \overline{E}_l) \mapsto (R_{l,j},\Pi_{l,j}^{\text{dec}})$$ + \item For each $l \in [0,k)$, computes the ballot sums for choice $l$ by setting \[ \overline{D}_l = \sum_{i=0}^{N_{\text{valid}}-1} D_{i,l} \] and \[ \overline{E}_l = \sum_{i=0}^{N_{\text{valid}}-1} E_{i,l}, \] and partially decrypting the sums: + \[ \func{PartialDecrypt}(y_j, \overline{D}_l, \overline{E}_l) \mapsto (R_{l,j},\Pi_{l,j}^{\text{dec}}) \] \item Posts the set of tuples $\{(R_{l,j},\Pi_{l,j}^{\text{dec}})\}_{l=0}^{k-1}$ to $\mathcal{B}$ as an authenticated message signed with its tallier signing key from $L_{\text{tally}}$. \end{enumerate} @@ -531,69 +448,120 @@ \subsubsection{\texorpdfstring{$\func{VerifyTally}$}{VerifyTally}} \begin{enumerate} \item For each valid ballot $i$ appearing on $\mathcal{B}$: \begin{enumerate} - \item Partially (without attempting to brute-force the final decryption) runs $$\func{VerifyDecrypt}(D_i', E_i', \{j, Y_j, R_{\text{ser},i,j}^{\text{dec}}, \Pi_{\text{ser},i,j}\}_{j=1}^t)$$ to obtain a serial number public key $S_i \in \G$, and aborts if this fails. + \item Partially (without attempting to brute-force the final decryption) runs \[ \func{VerifyDecrypt}(D_i', E_i', \{j, Y_j, R_{\text{ser},i,j}^{\text{dec}}, \Pi_{\text{ser},i,j}\}_{j=1}^t) \] to obtain a serial number public key $S_i \in \G$, and aborts if this fails. \item Verifies the signature on the ballot $i$ using $S_i$ as the verification public key (against generator $F$), and aborts if this fails. \item If $S_i$ appears with any other valid ballot, discard all but the most recent such ballot, according to bulletin board ordering. \end{enumerate} \item Assembles the set of $N_{\text{valid}}$ remaining valid ballots, now indexed by $i$. \item For each choice index $l \in [0,k)$: \begin{enumerate} - \item Computes the ballot sums for choice $l$ by setting $$\overline{D}_l = \sum_{i=0}^{N_{\text{valid}}-1} D_{i,l}$$ and $$\overline{E}_l = \sum_{i=0}^{N_{\text{valid}}-1} E_{i,l}.$$ - \item Finalizes the decryption $$\func{VerifyDecrypt}(\overline{D}_l, \overline{E}_l, \{j, Y_j, R_{l,j}^{\text{dec}}, \Pi_{l,j}^{\text{dec}}\}_{j=1}^t) \mapsto t_l$$ to obtain the total votes $t_l$ for choice $l$, and aborts if this fails. + \item Computes the ballot sums for choice $l$ by setting \[ \overline{D}_l = \sum_{i=0}^{N_{\text{valid}}-1} D_{i,l} \] and \[ \overline{E}_l = \sum_{i=0}^{N_{\text{valid}}-1} E_{i,l}. \] + \item Finalizes the decryption \[ \func{VerifyDecrypt}(\overline{D}_l, \overline{E}_l, \{j, Y_j, R_{l,j}^{\text{dec}}, \Pi_{l,j}^{\text{dec}}\}_{j=1}^t) \mapsto t_l \] to obtain the total votes $t_l$ for choice $l$, and aborts if this fails. \end{enumerate} \end{enumerate} \section{Remarks} -We conclude with informal observations and remarks about Aura's security and efficiency. +While we do not provide a formal security analysis here, we note that Aura meets our informal requirements. +All cryptographic constructions use only public parameters, and completeness properties map to overall protocol correctness. +We obtain universal verifiability since any observer can run $\func{VerifyBallot}$ on all ballots appearing on the bulletin board, and run $\func{VerifyTally}$ to check that these ballots all appear in the correct tally. +Vote privacy follows from the properties of the cryptographic primitives used in $\func{Vote}$ and $\func{Tally}$ under the assumption of no malicious threshold cohort of talliers. +Voter anonymity is asserted unconditionally by the use of a commitment set proof, and coercion resistance follows from the use of encrypted ballot serial numbers that are unique and fixed for each voter identity. -\subsection{Security} -While we do not provide a formal security analysis here, it is relevant to discuss how Aura's design works toward the properties introduced earlier. +\subsection{Efficiency} -All cryptographic components in Aura are instantiated with public parameters. -While the key generation process for talliers is inherently a multiparty computation, this is a verifiable process that itself does not require specific trust for its instantiation. +We discuss overall scaling of Aura algorithms here, and provide a more concrete comparison to ElectionGuard in Appendix \ref{app:efficiency}. -Correctness follows in a straightforward manner by inspection. +The most computationally-expensive construction in an Aura election is the commitment set membership proof associated to each ballot. +The size of this proof scales as $O(\log(N_{\text{voters}}))$ using the instantiation referenced. +While verification at first appears to scale as $O(N_{\text{voters}})$, the use of efficient multiscalar multiplication algorithms \cite{pippenger} can reduce this complexity to $O(N_{\text{voters}}/\log(N_{\text{voters}}))$ with good constants. -Universal verifiability is achieved. -Any observer can check ballot validity by running $\func{VerifyBallot}$ on all ballots appearing on the bulletin board, and run $\func{VerifyTally}$ to check that these ballots all appear. -The final tally validity is further assured in $\func{VerifyTally}$ from the use of the verifiable threshold decryption construction. +Further, the instantiation supports efficient batch verification. +When verifying proofs from multiple ballots, verifier weighting of common group elements in the required multiscalar multiplication evaluation makes the marginal verification complexity constant, amortizing the overall cost across the batch. +Interestingly, this use of batch verification can make overall Aura ballot verification several times more efficient than existing efficient mixnet constructions \cite{efficient_shuffle,groth_shuffle}. -Vote privacy follows from the properties of the primitives used in $\func{Vote}$. -It is possible for a threshold cohort of talliers to decrypt individual ballots, and hence we must assume no such cohort is malicious. -No observer, however, can produce any such decryption or otherwise distinguish individual ballot contents due to their underlying encryption and the properties of the related $\func{Vote}$ proofs. +Other verification steps in $\func{VerifySetup}$, $\func{VerifyBallot}$, and $\func{VerifyTally}$ imply lower complexity, or may be similarly batched for improved efficiency. -The use of a commitment set proof asserts voter anonymity, which follows even if the talliers or organizer are malicious or collude. +These observations make Aura a competitive candidate for suitable applications. -Ballot soundness is achieved through several checks. -Since the commitment set proof is sound, no unauthorized voter knows an opening to a commitment contained in such a valid set, and hence cannot cast a valid ballot. -If the voter has already cast a valid ballot, any subsequent ballot must use the same serial number since the proof of serial number validity is sound and the commitments are computationally binding. -Coercion resistance, which is related to soundness, is achieved similarly. +\bibliographystyle{splncs04} +\bibliography{main} -\subsection{Efficiency} +\appendix -Aura can operate with good efficiency. -The most computationally-expensive construction in an Aura election is the commitment set membership proof associated to each ballot, on the assumption that the number of voters $N_{\text{voters}}$ will exceed the number of talliers $N_{\text{tally}}$ and choices $k$ in the election. +\section{Bit commitment proving system} +\label{app:bit} -The size of this proof scales as $O(\log(N_{\text{voters}}))$ using the instantiation referenced. -While verification apparently scales as $O(N_{\text{voters}})$, the use of efficient multiscalar multiplication algorithms \cite{pippenger} can reduce this complexity to $O(N_{\text{voters}}/\log(N_{\text{voters}}))$. +We now show an efficient instantiation of a bit commitment proving system. +This is a generalization of the construction used in \cite{bootle}, which in our notation supports only $w = 1$. +The proof of security follows similarly with only minor straightforward modifications, so we omit it here. -Further, the instantiation supports batch verification. -When verifying proofs from multiple ballots, verifier weighting of common group elements in the required multiscalar multiplication evaluation makes the marginal verification complexity constant, amortizing the overall cost across the batch. -Interestingly, this use of batch verification can make overall Aura ballot verification several times more efficient than existing efficient mixnet constructions \cite{efficient_shuffle,groth_shuffle}. +While in Aura we describe a non-interactive construction, we show here the corresponding interactive protocol, and note that the strong Fiat-Shamir technique easily applies. -Other verification steps in $\func{VerifySetup}$, $\func{VerifyBallot}$, and $\func{VerifyTally}$ imply lower complexity, or may be similarly batched for improved efficiency. +\begin{enumerate} + \item The prover selects $r_A, r_C, r_D, \{a_i\}_{i=1}^{k-1} \in \F$ uniformly at random, and sets \[ a_0 = - \sum_{i=1}^{k-1} a_i. \] + \item The prover computes the Pedersen vector commitments + \begin{alignat*}{1} + A &= r_A H + \sum_{i=0}^{k-1} a_i G_i \\ + C &= r_C H + \sum_{i=0}^{k-1} a_i(1 - 2b_i) G_i \\ + D &= r_D H + \sum_{i=0}^{k-1} a_i^2 G_i + \end{alignat*} + and sends $A, C, D$ to the verifier. + \item The verifier selects a challenge $x \in \F \setminus \{0\}$ uniformly at random, and sends $x$ to the prover. + \item For each $i \in [1,k)$, the prover sets $f_i = b_i x + a_i$. + The prover also sets $z_a = rx + r_A$ and $z_C = r_C x + r_D$, and sends $\{f_i\}_{i=0}^{k-1}, z_A, z_C$ to the verifier. + \item The verifier sets \[ f_0 = wx - \sum_{i=1}^{k-1} f_i \] and accepts the proof if and only if the following hold: + \begin{alignat*}{1} + A + xB &= z_A H + \sum_{i=0}^{k-1} f_i G_i \\ + xC + D &= z_C H + \sum_{i=0}^{k-1} f_i(x - f_i) G_i + \end{alignat*} +\end{enumerate} -These observations make Aura a competitive candidate for suitable applications. +\section{Comparison to ElectionGuard} +\label{app:efficiency} + +We compare the efficiency of some Aura components to those of ElectionGuard \cite{electionguard}, since its design is well specified. +However, we note that ElectionGuard offloads voter anonymity to election organizers, which Aura specifically avoids through the use of voter-produced anonymity proofs; as a result, we cannot provide a direct comparison. + +However, it is instructive to examine how Aura's other ballot-related proofs compare. +In particular, we note that ballot proofs in both protocols have two overall goals: they must show that each option encrypts to 0 (the voter does not choose it) or 1 (the voter chooses it) against the correct ElGamal key, and must further show that only a specified number of options are chosen. +In Aura, this is done using $\func{EncValVerify}$ on each encrypted option from a ballot, and $\func{BitVerify}$ on the sum of all encrypted options. +Specifically, the former asserts that each option is a valid encryption of \textit{some} message (secretly known by the prover) against the proper key, and the latter asserts both that each such message is in $\{0,1\}$ and that the selection limit is satisfied. +This approach succeeds in part because each choice is assocated to a unique group generator as part of the ElGamal encryptions. + +In ElectionGuard, a related but different approach is taken. +One proving system uses a disjunction approach to show that each encrypted option corresponds to a message in $\{0,1\}$ against the proper key. +Another proving system shows that the sum of all such encryptions corresponds to the selection limit. +This approach succeeds in part because each choice uses the same group generators for ElGamal encryption. + +As before, suppose an election has $k$ options, and that a voter must select between $k_{\text{min}}$ and $k_{\text{max}}$ of them. +Let $k' = k + k_{\text{max}} - k_{\text{min}}$ for convenience. +We show the total size of the ballot-related proofs in Aura and ElectionGuard in Table \ref{table:size}, assuming for Aura a standard Schnorr-type instantiation of the required encryption validity proving system. +In both cases, we generalize and assume all proof elements can be represented using a fixed and common size.\footnote{While Aura is presented for general groups, \cite{electionguard} specifies particular group parameters.} +Further, we account for batch verification, where it is possible to present Schnorr-type proving systems for both protocols either in a manner that supports efficient verification of multiple proofs at the same time (by including the initial prover messages in the proof), or in a manner not supporting this (by including the claimed Fiat-Shamir challenge in the proof, and requiring the verifier to reconstruct the prover messages); this affects the size of each proof and the overall computational complexity. + +\begin{table} + \centering + \caption{Total size of each ballot's validity proofs for Aura and ElectionGuard, given in proof elements, both supporting batch verification and not} + \label{table:size} + \begin{tabular}{l|c|c|} + Protocol & Size (batching) & Size (no batching) \\ + \hline + Aura & $5k' + 4$ & $4k' + 4$ \\ + ElectionGuard & $8k' + 3$ & $4k' + 2$ \\ + \end{tabular} +\end{table} + +We note an interesting tradeoff, in that the total size of a ballot varies between the two protocols depending on the need for batch verification support. +In the case where batch verification is desired or required, Aura ballots are significantly smaller than those of ElectionGuard; if batch verification is not used, Aura ballots are slightly larger. +Since Aura is particularly intended for efficient use in decentralized settings where both the size of the public bulletin board and overall verification complexity are considered limited resources, this provides a distinct and notable advantage. -\bibliographystyle{plain} -\bibliography{main} \end{document} diff --git a/splncs04.bst b/splncs04.bst new file mode 100644 index 0000000..3be8de3 --- /dev/null +++ b/splncs04.bst @@ -0,0 +1,1548 @@ +%% BibTeX bibliography style `splncs03' +%% +%% BibTeX bibliography style for use with numbered references in +%% Springer Verlag's "Lecture Notes in Computer Science" series. +%% (See Springer's documentation for llncs.cls for +%% more details of the suggested reference format.) Note that this +%% file will not work for author-year style citations. +%% +%% Use \documentclass{llncs} and \bibliographystyle{splncs03}, and cite +%% a reference with (e.g.) \cite{smith77} to get a "[1]" in the text. +%% +%% This file comes to you courtesy of Maurizio "Titto" Patrignani of +%% Dipartimento di Informatica e Automazione Universita' Roma Tre +%% +%% ================================================================================================ +%% This was file `titto-lncs-02.bst' produced on Wed Apr 1, 2009 +%% Edited by hand by titto based on `titto-lncs-01.bst' (see below) +%% +%% CHANGES (with respect to titto-lncs-01.bst): +%% - Removed the call to \urlprefix (thus no "URL" string is added to the output) +%% ================================================================================================ +%% This was file `titto-lncs-01.bst' produced on Fri Aug 22, 2008 +%% Edited by hand by titto based on `titto.bst' (see below) +%% +%% CHANGES (with respect to titto.bst): +%% - Removed the "capitalize" command for editors string "(eds.)" and "(ed.)" +%% - Introduced the functions titto.bbl.pages and titto.bbl.page for journal pages (without "pp.") +%% - Added a new.sentence command to separate with a dot booktitle and series in the inproceedings +%% - Commented all new.block commands before urls and notes (to separate them with a comma) +%% - Introduced the functions titto.bbl.volume for handling journal volumes (without "vol." label) +%% - Used for editors the same name conventions used for authors (see function format.in.ed.booktitle) +%% - Removed a \newblock to avoid long spaces between title and "In: ..." +%% - Added function titto.space.prefix to add a space instead of "~" after the (removed) "vol." label +%% - Added doi +%% ================================================================================================ +%% This was file `titto.bst', +%% generated with the docstrip utility. +%% +%% The original source files were: +%% +%% merlin.mbs (with options: `vonx,nm-rvvc,yr-par,jttl-rm,volp-com,jwdpg,jwdvol,numser,ser-vol,jnm-x,btit-rm,bt-rm,edparxc,bkedcap,au-col,in-col,fin-bare,pp,ed,abr,mth-bare,xedn,jabr,and-com,and-com-ed,xand,url,url-blk,em-x,nfss,') +%% ---------------------------------------- +%% *** Tentative .bst file for Springer LNCS *** +%% +%% Copyright 1994-2007 Patrick W Daly + % =============================================================== + % IMPORTANT NOTICE: + % This bibliographic style (bst) file has been generated from one or + % more master bibliographic style (mbs) files, listed above. + % + % This generated file can be redistributed and/or modified under the terms + % of the LaTeX Project Public License Distributed from CTAN + % archives in directory macros/latex/base/lppl.txt; either + % version 1 of the License, or any later version. + % =============================================================== + % Name and version information of the main mbs file: + % \ProvidesFile{merlin.mbs}[2007/04/24 4.20 (PWD, AO, DPC)] + % For use with BibTeX version 0.99a or later + %------------------------------------------------------------------- + % This bibliography style file is intended for texts in ENGLISH + % This is a numerical citation style, and as such is standard LaTeX. + % It requires no extra package to interface to the main text. + % The form of the \bibitem entries is + % \bibitem{key}... + % Usage of \cite is as follows: + % \cite{key} ==>> [#] + % \cite[chap. 2]{key} ==>> [#, chap. 2] + % where # is a number determined by the ordering in the reference list. + % The order in the reference list is alphabetical by authors. + %--------------------------------------------------------------------- + +ENTRY + { address + author + booktitle + chapter + doi + edition + editor + eid + howpublished + institution + journal + key + month + note + number + organization + pages + publisher + school + series + title + type + url + volume + year + } + {} + { label } +INTEGERS { output.state before.all mid.sentence after.sentence after.block } +FUNCTION {init.state.consts} +{ #0 'before.all := + #1 'mid.sentence := + #2 'after.sentence := + #3 'after.block := +} +STRINGS { s t} +FUNCTION {output.nonnull} +{ 's := + output.state mid.sentence = + { ", " * write$ } + { output.state after.block = + { add.period$ write$ +% newline$ +% "\newblock " write$ % removed for titto-lncs-01 + " " write$ % to avoid long spaces between title and "In: ..." + } + { output.state before.all = + 'write$ + { add.period$ " " * write$ } + if$ + } + if$ + mid.sentence 'output.state := + } + if$ + s +} +FUNCTION {output} +{ duplicate$ empty$ + 'pop$ + 'output.nonnull + if$ +} +FUNCTION {output.check} +{ 't := + duplicate$ empty$ + { pop$ "empty " t * " in " * cite$ * warning$ } + 'output.nonnull + if$ +} +FUNCTION {fin.entry} +{ duplicate$ empty$ + 'pop$ + 'write$ + if$ + newline$ +} + +FUNCTION {new.block} +{ output.state before.all = + 'skip$ + { after.block 'output.state := } + if$ +} +FUNCTION {new.sentence} +{ output.state after.block = + 'skip$ + { output.state before.all = + 'skip$ + { after.sentence 'output.state := } + if$ + } + if$ +} +FUNCTION {add.blank} +{ " " * before.all 'output.state := +} + + +FUNCTION {add.colon} +{ duplicate$ empty$ + 'skip$ + { ":" * add.blank } + if$ +} + +FUNCTION {date.block} +{ + new.block +} + +FUNCTION {not} +{ { #0 } + { #1 } + if$ +} +FUNCTION {and} +{ 'skip$ + { pop$ #0 } + if$ +} +FUNCTION {or} +{ { pop$ #1 } + 'skip$ + if$ +} +STRINGS {z} +FUNCTION {remove.dots} +{ 'z := + "" + { z empty$ not } + { z #1 #1 substring$ + z #2 global.max$ substring$ 'z := + duplicate$ "." = 'pop$ + { * } + if$ + } + while$ +} +FUNCTION {new.block.checka} +{ empty$ + 'skip$ + 'new.block + if$ +} +FUNCTION {new.block.checkb} +{ empty$ + swap$ empty$ + and + 'skip$ + 'new.block + if$ +} +FUNCTION {new.sentence.checka} +{ empty$ + 'skip$ + 'new.sentence + if$ +} +FUNCTION {new.sentence.checkb} +{ empty$ + swap$ empty$ + and + 'skip$ + 'new.sentence + if$ +} +FUNCTION {field.or.null} +{ duplicate$ empty$ + { pop$ "" } + 'skip$ + if$ +} +FUNCTION {emphasize} +{ skip$ } + +FUNCTION {embolden} +{ duplicate$ empty$ +{ pop$ "" } +{ "\textbf{" swap$ * "}" * } +if$ +} +FUNCTION {tie.or.space.prefix} +{ duplicate$ text.length$ #5 < + { "~" } + { " " } + if$ + swap$ +} +FUNCTION {titto.space.prefix} % always introduce a space +{ duplicate$ text.length$ #3 < + { " " } + { " " } + if$ + swap$ +} + + +FUNCTION {capitalize} +{ "u" change.case$ "t" change.case$ } + +FUNCTION {space.word} +{ " " swap$ * " " * } + % Here are the language-specific definitions for explicit words. + % Each function has a name bbl.xxx where xxx is the English word. + % The language selected here is ENGLISH +FUNCTION {bbl.and} +{ "and"} + +FUNCTION {bbl.etal} +{ "et~al." } + +FUNCTION {bbl.editors} +{ "eds." } + +FUNCTION {bbl.editor} +{ "ed." } + +FUNCTION {bbl.edby} +{ "edited by" } + +FUNCTION {bbl.edition} +{ "edn." } + +FUNCTION {bbl.volume} +{ "vol." } + +FUNCTION {titto.bbl.volume} % for handling journals +{ "" } + +FUNCTION {bbl.of} +{ "of" } + +FUNCTION {bbl.number} +{ "no." } + +FUNCTION {bbl.nr} +{ "no." } + +FUNCTION {bbl.in} +{ "in" } + +FUNCTION {bbl.pages} +{ "pp." } + +FUNCTION {bbl.page} +{ "p." } + +FUNCTION {titto.bbl.pages} % for journals +{ "" } + +FUNCTION {titto.bbl.page} % for journals +{ "" } + +FUNCTION {bbl.chapter} +{ "chap." } + +FUNCTION {bbl.techrep} +{ "Tech. Rep." } + +FUNCTION {bbl.mthesis} +{ "Master's thesis" } + +FUNCTION {bbl.phdthesis} +{ "Ph.D. thesis" } + +MACRO {jan} {"Jan."} + +MACRO {feb} {"Feb."} + +MACRO {mar} {"Mar."} + +MACRO {apr} {"Apr."} + +MACRO {may} {"May"} + +MACRO {jun} {"Jun."} + +MACRO {jul} {"Jul."} + +MACRO {aug} {"Aug."} + +MACRO {sep} {"Sep."} + +MACRO {oct} {"Oct."} + +MACRO {nov} {"Nov."} + +MACRO {dec} {"Dec."} + +MACRO {acmcs} {"ACM Comput. Surv."} + +MACRO {acta} {"Acta Inf."} + +MACRO {cacm} {"Commun. ACM"} + +MACRO {ibmjrd} {"IBM J. Res. Dev."} + +MACRO {ibmsj} {"IBM Syst.~J."} + +MACRO {ieeese} {"IEEE Trans. Software Eng."} + +MACRO {ieeetc} {"IEEE Trans. Comput."} + +MACRO {ieeetcad} + {"IEEE Trans. Comput. Aid. Des."} + +MACRO {ipl} {"Inf. Process. Lett."} + +MACRO {jacm} {"J.~ACM"} + +MACRO {jcss} {"J.~Comput. Syst. Sci."} + +MACRO {scp} {"Sci. Comput. Program."} + +MACRO {sicomp} {"SIAM J. Comput."} + +MACRO {tocs} {"ACM Trans. Comput. Syst."} + +MACRO {tods} {"ACM Trans. Database Syst."} + +MACRO {tog} {"ACM Trans. Graphic."} + +MACRO {toms} {"ACM Trans. Math. Software"} + +MACRO {toois} {"ACM Trans. Office Inf. Syst."} + +MACRO {toplas} {"ACM Trans. Progr. Lang. Syst."} + +MACRO {tcs} {"Theor. Comput. Sci."} + +FUNCTION {bibinfo.check} +{ swap$ + duplicate$ missing$ + { + pop$ pop$ + "" + } + { duplicate$ empty$ + { + swap$ pop$ + } + { swap$ + pop$ + } + if$ + } + if$ +} +FUNCTION {bibinfo.warn} +{ swap$ + duplicate$ missing$ + { + swap$ "missing " swap$ * " in " * cite$ * warning$ pop$ + "" + } + { duplicate$ empty$ + { + swap$ "empty " swap$ * " in " * cite$ * warning$ + } + { swap$ + pop$ + } + if$ + } + if$ +} +FUNCTION {format.url} +{ url empty$ + { "" } +% { "\urlprefix\url{" url * "}" * } + { "\url{" url * "}" * } % changed in titto-lncs-02.bst + if$ +} + +FUNCTION {format.doi} % added in splncs04.bst +{ doi empty$ + { "" } + { after.block 'output.state := + "\doi{" doi * "}" * } + if$ +} + +INTEGERS { nameptr namesleft numnames } + + +STRINGS { bibinfo} + +FUNCTION {format.names} +{ 'bibinfo := + duplicate$ empty$ 'skip$ { + 's := + "" 't := + #1 'nameptr := + s num.names$ 'numnames := + numnames 'namesleft := + { namesleft #0 > } + { s nameptr + "{vv~}{ll}{, jj}{, f{.}.}" + format.name$ + bibinfo bibinfo.check + 't := + nameptr #1 > + { + namesleft #1 > + { ", " * t * } + { + s nameptr "{ll}" format.name$ duplicate$ "others" = + { 't := } + { pop$ } + if$ + "," * + t "others" = + { + " " * bbl.etal * + } + { " " * t * } + if$ + } + if$ + } + 't + if$ + nameptr #1 + 'nameptr := + namesleft #1 - 'namesleft := + } + while$ + } if$ +} +FUNCTION {format.names.ed} +{ + 'bibinfo := + duplicate$ empty$ 'skip$ { + 's := + "" 't := + #1 'nameptr := + s num.names$ 'numnames := + numnames 'namesleft := + { namesleft #0 > } + { s nameptr + "{f{.}.~}{vv~}{ll}{ jj}" + format.name$ + bibinfo bibinfo.check + 't := + nameptr #1 > + { + namesleft #1 > + { ", " * t * } + { + s nameptr "{ll}" format.name$ duplicate$ "others" = + { 't := } + { pop$ } + if$ + "," * + t "others" = + { + + " " * bbl.etal * + } + { " " * t * } + if$ + } + if$ + } + 't + if$ + nameptr #1 + 'nameptr := + namesleft #1 - 'namesleft := + } + while$ + } if$ +} +FUNCTION {format.authors} +{ author "author" format.names +} +FUNCTION {get.bbl.editor} +{ editor num.names$ #1 > 'bbl.editors 'bbl.editor if$ } + +FUNCTION {format.editors} +{ editor "editor" format.names duplicate$ empty$ 'skip$ + { + " " * + get.bbl.editor +% capitalize + "(" swap$ * ")" * + * + } + if$ +} +FUNCTION {format.note} +{ + note empty$ + { "" } + { note #1 #1 substring$ + duplicate$ "{" = + 'skip$ + { output.state mid.sentence = + { "l" } + { "u" } + if$ + change.case$ + } + if$ + note #2 global.max$ substring$ * "note" bibinfo.check + } + if$ +} + +FUNCTION {format.title} +{ title + duplicate$ empty$ 'skip$ + { "t" change.case$ } + if$ + "title" bibinfo.check +} +FUNCTION {output.bibitem} +{ newline$ + "\bibitem{" write$ + cite$ write$ + "}" write$ + newline$ + "" + before.all 'output.state := +} + +FUNCTION {n.dashify} +{ + 't := + "" + { t empty$ not } + { t #1 #1 substring$ "-" = + { t #1 #2 substring$ "--" = not + { "--" * + t #2 global.max$ substring$ 't := + } + { { t #1 #1 substring$ "-" = } + { "-" * + t #2 global.max$ substring$ 't := + } + while$ + } + if$ + } + { t #1 #1 substring$ * + t #2 global.max$ substring$ 't := + } + if$ + } + while$ +} + +FUNCTION {word.in} +{ bbl.in capitalize + ":" * + " " * } + +FUNCTION {format.date} +{ + month "month" bibinfo.check + duplicate$ empty$ + year "year" bibinfo.check duplicate$ empty$ + { swap$ 'skip$ + { "there's a month but no year in " cite$ * warning$ } + if$ + * + } + { swap$ 'skip$ + { + swap$ + " " * swap$ + } + if$ + * + remove.dots + } + if$ + duplicate$ empty$ + 'skip$ + { + before.all 'output.state := + " (" swap$ * ")" * + } + if$ +} +FUNCTION {format.btitle} +{ title "title" bibinfo.check + duplicate$ empty$ 'skip$ + { + } + if$ +} +FUNCTION {either.or.check} +{ empty$ + 'pop$ + { "can't use both " swap$ * " fields in " * cite$ * warning$ } + if$ +} +FUNCTION {format.bvolume} +{ volume empty$ + { "" } + { bbl.volume volume tie.or.space.prefix + "volume" bibinfo.check * * + series "series" bibinfo.check + duplicate$ empty$ 'pop$ + { emphasize ", " * swap$ * } + if$ + "volume and number" number either.or.check + } + if$ +} +FUNCTION {format.number.series} +{ volume empty$ + { number empty$ + { series field.or.null } + { output.state mid.sentence = + { bbl.number } + { bbl.number capitalize } + if$ + number tie.or.space.prefix "number" bibinfo.check * * + series empty$ + { "there's a number but no series in " cite$ * warning$ } + { bbl.in space.word * + series "series" bibinfo.check * + } + if$ + } + if$ + } + { "" } + if$ +} + +FUNCTION {format.edition} +{ edition duplicate$ empty$ 'skip$ + { + output.state mid.sentence = + { "l" } + { "t" } + if$ change.case$ + "edition" bibinfo.check + " " * bbl.edition * + } + if$ +} +INTEGERS { multiresult } +FUNCTION {multi.page.check} +{ 't := + #0 'multiresult := + { multiresult not + t empty$ not + and + } + { t #1 #1 substring$ + duplicate$ "-" = + swap$ duplicate$ "," = + swap$ "+" = + or or + { #1 'multiresult := } + { t #2 global.max$ substring$ 't := } + if$ + } + while$ + multiresult +} +FUNCTION {format.pages} +{ pages duplicate$ empty$ 'skip$ + { duplicate$ multi.page.check + { + bbl.pages swap$ + n.dashify + } + { + bbl.page swap$ + } + if$ + tie.or.space.prefix + "pages" bibinfo.check + * * + } + if$ +} +FUNCTION {format.journal.pages} +{ pages duplicate$ empty$ 'pop$ + { swap$ duplicate$ empty$ + { pop$ pop$ format.pages } + { + ", " * + swap$ + n.dashify + pages multi.page.check + 'titto.bbl.pages + 'titto.bbl.page + if$ + swap$ tie.or.space.prefix + "pages" bibinfo.check + * * + * + } + if$ + } + if$ +} +FUNCTION {format.journal.eid} +{ eid "eid" bibinfo.check + duplicate$ empty$ 'pop$ + { swap$ duplicate$ empty$ 'skip$ + { + ", " * + } + if$ + swap$ * + } + if$ +} +FUNCTION {format.vol.num.pages} % this function is used only for journal entries +{ volume field.or.null embolden + duplicate$ empty$ 'skip$ + { +% bbl.volume swap$ tie.or.space.prefix + titto.bbl.volume swap$ titto.space.prefix +% rationale for the change above: for journals you don't want "vol." label +% hence it does not make sense to attach the journal number to the label when +% it is short + "volume" bibinfo.check + * * + } + if$ + number "number" bibinfo.check duplicate$ empty$ 'skip$ + { + swap$ duplicate$ empty$ + { "there's a number but no volume in " cite$ * warning$ } + 'skip$ + if$ + swap$ + "(" swap$ * ")" * + } + if$ * + eid empty$ + { format.journal.pages } + { format.journal.eid } + if$ +} + +FUNCTION {format.chapter.pages} +{ chapter empty$ + 'format.pages + { type empty$ + { bbl.chapter } + { type "l" change.case$ + "type" bibinfo.check + } + if$ + chapter tie.or.space.prefix + "chapter" bibinfo.check + * * + pages empty$ + 'skip$ + { ", " * format.pages * } + if$ + } + if$ +} + +FUNCTION {format.booktitle} +{ + booktitle "booktitle" bibinfo.check +} +FUNCTION {format.in.ed.booktitle} +{ format.booktitle duplicate$ empty$ 'skip$ + { +% editor "editor" format.names.ed duplicate$ empty$ 'pop$ % changed by titto + editor "editor" format.names duplicate$ empty$ 'pop$ + { + " " * + get.bbl.editor +% capitalize + "(" swap$ * ") " * + * swap$ + * } + if$ + word.in swap$ * + } + if$ +} +FUNCTION {empty.misc.check} +{ author empty$ title empty$ howpublished empty$ + month empty$ year empty$ note empty$ + and and and and and + key empty$ not and + { "all relevant fields are empty in " cite$ * warning$ } + 'skip$ + if$ +} +FUNCTION {format.thesis.type} +{ type duplicate$ empty$ + 'pop$ + { swap$ pop$ + "t" change.case$ "type" bibinfo.check + } + if$ +} +FUNCTION {format.tr.number} +{ number "number" bibinfo.check + type duplicate$ empty$ + { pop$ bbl.techrep } + 'skip$ + if$ + "type" bibinfo.check + swap$ duplicate$ empty$ + { pop$ "t" change.case$ } + { tie.or.space.prefix * * } + if$ +} +FUNCTION {format.article.crossref} +{ + key duplicate$ empty$ + { pop$ + journal duplicate$ empty$ + { "need key or journal for " cite$ * " to crossref " * crossref * warning$ } + { "journal" bibinfo.check emphasize word.in swap$ * } + if$ + } + { word.in swap$ * " " *} + if$ + " \cite{" * crossref * "}" * +} +FUNCTION {format.crossref.editor} +{ editor #1 "{vv~}{ll}" format.name$ + "editor" bibinfo.check + editor num.names$ duplicate$ + #2 > + { pop$ + "editor" bibinfo.check + " " * bbl.etal + * + } + { #2 < + 'skip$ + { editor #2 "{ff }{vv }{ll}{ jj}" format.name$ "others" = + { + "editor" bibinfo.check + " " * bbl.etal + * + } + { + bbl.and space.word + * editor #2 "{vv~}{ll}" format.name$ + "editor" bibinfo.check + * + } + if$ + } + if$ + } + if$ +} +FUNCTION {format.book.crossref} +{ volume duplicate$ empty$ + { "empty volume in " cite$ * "'s crossref of " * crossref * warning$ + pop$ word.in + } + { bbl.volume + capitalize + swap$ tie.or.space.prefix "volume" bibinfo.check * * bbl.of space.word * + } + if$ + editor empty$ + editor field.or.null author field.or.null = + or + { key empty$ + { series empty$ + { "need editor, key, or series for " cite$ * " to crossref " * + crossref * warning$ + "" * + } + { series emphasize * } + if$ + } + { key * } + if$ + } + { format.crossref.editor * } + if$ + " \cite{" * crossref * "}" * +} +FUNCTION {format.incoll.inproc.crossref} +{ + editor empty$ + editor field.or.null author field.or.null = + or + { key empty$ + { format.booktitle duplicate$ empty$ + { "need editor, key, or booktitle for " cite$ * " to crossref " * + crossref * warning$ + } + { word.in swap$ * } + if$ + } + { word.in key * " " *} + if$ + } + { word.in format.crossref.editor * " " *} + if$ + " \cite{" * crossref * "}" * +} +FUNCTION {format.org.or.pub} +{ 't := + "" + address empty$ t empty$ and + 'skip$ + { + t empty$ + { address "address" bibinfo.check * + } + { t * + address empty$ + 'skip$ + { ", " * address "address" bibinfo.check * } + if$ + } + if$ + } + if$ +} +FUNCTION {format.publisher.address} +{ publisher "publisher" bibinfo.warn format.org.or.pub +} + +FUNCTION {format.organization.address} +{ organization "organization" bibinfo.check format.org.or.pub +} + +FUNCTION {article} +{ output.bibitem + format.authors "author" output.check + add.colon + new.block + format.title "title" output.check + new.block + crossref missing$ + { + journal + "journal" bibinfo.check + "journal" output.check + add.blank + format.vol.num.pages output + format.date "year" output.check + } + { format.article.crossref output.nonnull + format.pages output + } + if$ +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} +FUNCTION {book} +{ output.bibitem + author empty$ + { format.editors "author and editor" output.check + add.colon + } + { format.authors output.nonnull + add.colon + crossref missing$ + { "author and editor" editor either.or.check } + 'skip$ + if$ + } + if$ + new.block + format.btitle "title" output.check + crossref missing$ + { format.bvolume output + new.block + new.sentence + format.number.series output + format.publisher.address output + } + { + new.block + format.book.crossref output.nonnull + } + if$ + format.edition output + format.date "year" output.check +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} +FUNCTION {booklet} +{ output.bibitem + format.authors output + add.colon + new.block + format.title "title" output.check + new.block + howpublished "howpublished" bibinfo.check output + address "address" bibinfo.check output + format.date output +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} + +FUNCTION {inbook} +{ output.bibitem + author empty$ + { format.editors "author and editor" output.check + add.colon + } + { format.authors output.nonnull + add.colon + crossref missing$ + { "author and editor" editor either.or.check } + 'skip$ + if$ + } + if$ + new.block + format.btitle "title" output.check + crossref missing$ + { + format.bvolume output + format.chapter.pages "chapter and pages" output.check + new.block + new.sentence + format.number.series output + format.publisher.address output + } + { + format.chapter.pages "chapter and pages" output.check + new.block + format.book.crossref output.nonnull + } + if$ + format.edition output + format.date "year" output.check +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} + +FUNCTION {incollection} +{ output.bibitem + format.authors "author" output.check + add.colon + new.block + format.title "title" output.check + new.block + crossref missing$ + { format.in.ed.booktitle "booktitle" output.check + format.bvolume output + format.chapter.pages output + new.sentence + format.number.series output + format.publisher.address output + format.edition output + format.date "year" output.check + } + { format.incoll.inproc.crossref output.nonnull + format.chapter.pages output + } + if$ +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} +FUNCTION {inproceedings} +{ output.bibitem + format.authors "author" output.check + add.colon + new.block + format.title "title" output.check + new.block + crossref missing$ + { format.in.ed.booktitle "booktitle" output.check + new.sentence % added by titto + format.bvolume output + format.pages output + new.sentence + format.number.series output + publisher empty$ + { format.organization.address output } + { organization "organization" bibinfo.check output + format.publisher.address output + } + if$ + format.date "year" output.check + } + { format.incoll.inproc.crossref output.nonnull + format.pages output + } + if$ +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} +FUNCTION {conference} { inproceedings } +FUNCTION {manual} +{ output.bibitem + author empty$ + { organization "organization" bibinfo.check + duplicate$ empty$ 'pop$ + { output + address "address" bibinfo.check output + } + if$ + } + { format.authors output.nonnull } + if$ + add.colon + new.block + format.btitle "title" output.check + author empty$ + { organization empty$ + { + address new.block.checka + address "address" bibinfo.check output + } + 'skip$ + if$ + } + { + organization address new.block.checkb + organization "organization" bibinfo.check output + address "address" bibinfo.check output + } + if$ + format.edition output + format.date output +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} + +FUNCTION {mastersthesis} +{ output.bibitem + format.authors "author" output.check + add.colon + new.block + format.btitle + "title" output.check + new.block + bbl.mthesis format.thesis.type output.nonnull + school "school" bibinfo.warn output + address "address" bibinfo.check output + format.date "year" output.check +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} + +FUNCTION {misc} +{ output.bibitem + format.authors output + add.colon + title howpublished new.block.checkb + format.title output + howpublished new.block.checka + howpublished "howpublished" bibinfo.check output + format.date output +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry + empty.misc.check +} +FUNCTION {phdthesis} +{ output.bibitem + format.authors "author" output.check + add.colon + new.block + format.btitle + "title" output.check + new.block + bbl.phdthesis format.thesis.type output.nonnull + school "school" bibinfo.warn output + address "address" bibinfo.check output + format.date "year" output.check +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} + +FUNCTION {proceedings} +{ output.bibitem + editor empty$ + { organization "organization" bibinfo.check output + } + { format.editors output.nonnull } + if$ + add.colon + new.block + format.btitle "title" output.check + format.bvolume output + editor empty$ + { publisher empty$ + { format.number.series output } + { + new.sentence + format.number.series output + format.publisher.address output + } + if$ + } + { publisher empty$ + { + new.sentence + format.number.series output + format.organization.address output } + { + new.sentence + format.number.series output + organization "organization" bibinfo.check output + format.publisher.address output + } + if$ + } + if$ + format.date "year" output.check +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} + +FUNCTION {techreport} +{ output.bibitem + format.authors "author" output.check + add.colon + new.block + format.title + "title" output.check + new.block + format.tr.number output.nonnull + institution "institution" bibinfo.warn output + address "address" bibinfo.check output + format.date "year" output.check +% new.block + format.doi output + format.url output +% new.block + format.note output + fin.entry +} + +FUNCTION {unpublished} +{ output.bibitem + format.authors "author" output.check + add.colon + new.block + format.title "title" output.check + format.date output +% new.block + format.url output +% new.block + format.note "note" output.check + fin.entry +} + +FUNCTION {default.type} { misc } +READ +FUNCTION {sortify} +{ purify$ + "l" change.case$ +} +INTEGERS { len } +FUNCTION {chop.word} +{ 's := + 'len := + s #1 len substring$ = + { s len #1 + global.max$ substring$ } + 's + if$ +} +FUNCTION {sort.format.names} +{ 's := + #1 'nameptr := + "" + s num.names$ 'numnames := + numnames 'namesleft := + { namesleft #0 > } + { s nameptr + "{ll{ }}{ ff{ }}{ jj{ }}" + format.name$ 't := + nameptr #1 > + { + " " * + namesleft #1 = t "others" = and + { "zzzzz" * } + { t sortify * } + if$ + } + { t sortify * } + if$ + nameptr #1 + 'nameptr := + namesleft #1 - 'namesleft := + } + while$ +} + +FUNCTION {sort.format.title} +{ 't := + "A " #2 + "An " #3 + "The " #4 t chop.word + chop.word + chop.word + sortify + #1 global.max$ substring$ +} +FUNCTION {author.sort} +{ author empty$ + { key empty$ + { "to sort, need author or key in " cite$ * warning$ + "" + } + { key sortify } + if$ + } + { author sort.format.names } + if$ +} +FUNCTION {author.editor.sort} +{ author empty$ + { editor empty$ + { key empty$ + { "to sort, need author, editor, or key in " cite$ * warning$ + "" + } + { key sortify } + if$ + } + { editor sort.format.names } + if$ + } + { author sort.format.names } + if$ +} +FUNCTION {author.organization.sort} +{ author empty$ + { organization empty$ + { key empty$ + { "to sort, need author, organization, or key in " cite$ * warning$ + "" + } + { key sortify } + if$ + } + { "The " #4 organization chop.word sortify } + if$ + } + { author sort.format.names } + if$ +} +FUNCTION {editor.organization.sort} +{ editor empty$ + { organization empty$ + { key empty$ + { "to sort, need editor, organization, or key in " cite$ * warning$ + "" + } + { key sortify } + if$ + } + { "The " #4 organization chop.word sortify } + if$ + } + { editor sort.format.names } + if$ +} +FUNCTION {presort} +{ type$ "book" = + type$ "inbook" = + or + 'author.editor.sort + { type$ "proceedings" = + 'editor.organization.sort + { type$ "manual" = + 'author.organization.sort + 'author.sort + if$ + } + if$ + } + if$ + " " + * + year field.or.null sortify + * + " " + * + title field.or.null + sort.format.title + * + #1 entry.max$ substring$ + 'sort.key$ := +} +ITERATE {presort} +SORT +STRINGS { longest.label } +INTEGERS { number.label longest.label.width } +FUNCTION {initialize.longest.label} +{ "" 'longest.label := + #1 'number.label := + #0 'longest.label.width := +} +FUNCTION {longest.label.pass} +{ number.label int.to.str$ 'label := + number.label #1 + 'number.label := + label width$ longest.label.width > + { label 'longest.label := + label width$ 'longest.label.width := + } + 'skip$ + if$ +} +EXECUTE {initialize.longest.label} +ITERATE {longest.label.pass} +FUNCTION {begin.bib} +{ preamble$ empty$ + 'skip$ + { preamble$ write$ newline$ } + if$ + "\begin{thebibliography}{" longest.label * "}" * + write$ newline$ + "\providecommand{\url}[1]{\texttt{#1}}" + write$ newline$ + "\providecommand{\urlprefix}{URL }" + write$ newline$ + "\providecommand{\doi}[1]{https://doi.org/#1}" + write$ newline$ +} +EXECUTE {begin.bib} +EXECUTE {init.state.consts} +ITERATE {call.type$} +FUNCTION {end.bib} +{ newline$ + "\end{thebibliography}" write$ newline$ +} +EXECUTE {end.bib} +%% End of customized bst file +%% +%% End of file `titto.bst'.