From 3237c1de419c64957d20540c5b2d06e7bd377891 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Wed, 10 Apr 2019 12:27:30 +0200 Subject: [PATCH 1/3] Adds PoPETS-2019.4 reviews --- paper/reviews/popets-2019.4.md | 100 +++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 paper/reviews/popets-2019.4.md diff --git a/paper/reviews/popets-2019.4.md b/paper/reviews/popets-2019.4.md new file mode 100644 index 00000000..1d3076cc --- /dev/null +++ b/paper/reviews/popets-2019.4.md 
@@ -0,0 +1,100 @@ +Date: Mon, 8 Apr 2019 12:43:49 -0400 +From: pets19-chairs@petsymposium.org +CC: PoPETs Chairs +Subject: [PoPETs 2019.4] Rebuttal phase - Paper #90 "CROCUS: + privacy-preserving CROwd..." + +-------------- +=========================================================================== + PoPETs 2019.4 Review #90A +--------------------------------------------------------------------------- + Paper #90: CROCUS: privacy-preserving CROwd Counting Using Smartphones +--------------------------------------------------------------------------- + + Overall merit: 3. Major Revisions needed + Reviewer expertise: 2. Some familiarity + Reviewer confidence: 2. Medium + Relevance to PETS: 3. Directly related to PETs (scope is + not an issue) + + ===== Paper summary ===== + +The paper describes a privacy-preserving scheme for counting crowds in protests. The goals include i) hiding the participation of a person in a protest, ii) linking participation in multiple protests, iii) ensure that the count is accurate in the presence of attackers that either aim to increase or decrease the count value. +The proposed scheme relies on anonymous credentials, which are signed by witnesses near to the participant, and storing credentials on the blockchain. + + ===== Comments for author ===== + +I find the idea quite interesting and the use case is important. It's a nice application of anonymous credential. The authors consider a wide range of adversarial parties, both with regard to increasing and decreasing the count. The paper is well written and contains both a performance evaluation and a security/privacy analysis. I appreciate the section clarifying the limitations. + +However, I believe the authors need to reconsider their blockchain design. It seems like they aim to set up a blockchain only for this application. It is unclear who runs the blockchain and who pays the miners of the transactions. 
Given that it is likely a small blockchain, it seems like it would be easy for Grace to take it over and prevent the inclusion of proofs. Even if Grace cannot control the blockchain, she might create congestion on the chain that prevents the inclusion of real proofs. An alternative is running the scheme on a public blockchain but that will definitively cost fees participants are probably unwilling to pay. The authors completely ignore these issues, which are important for their solution to work. + +Furthermore, the proofs are quite informal and mainly just refer to the properties of the anonymous credential scheme. It would be great if the authors could be more formal. The adversarial model is a bit confusing as it does not state adversarial goals and Fig. 1 does not explain the entity A. + +I have not read the previous version. It seems to me like the authors addressed the concerns regarding readability and structure. For other concerns, it seems more like they declare various problems to be out-of-scope, which in some cases might be appropriate but especially the lack of resistance against a global passive adversary could be problematic in the sense that protests usually focus on certain regions where someone with the capacity to surveil all communication is more likely than on an international scale. + +Nitpicks: + +Definition 4: respectively -> respective + +page9: formula goes into opposite column + +=========================================================================== + PoPETs 2019.4 Review #90B +--------------------------------------------------------------------------- + Paper #90: CROCUS: privacy-preserving CROwd Counting Using Smartphones +--------------------------------------------------------------------------- + + Overall merit: 1. Reject + Reviewer expertise: 3. Knowledgeable + Reviewer confidence: 2. Medium + Relevance to PETS: 3. 
Directly related to PETs (scope is + not an issue) + + ===== Paper summary ===== + +The paper proposes a privacy-preserving protocol that permits participants in crowd situations (protests or otherwise) to contribute to a verifiable crowd count without having to reveal their identity in participating in that crowd situation. The approach assumes the presence of observers (who can be partially or fully trusted), and requires centrally issued anonymous credentials. + + ===== Comments for author ===== + +This paper assembles a number of known but not necessarily widely deployed building blocks (zero-knowledge proofs, anonymous credentials, distributed ledgers, proof-of-proximity hardware in cell phones) to provide a privacy-friendly solution to the problem of counting crowds verifiably, without having to reveal the identity of the members of these crowds. + +Unfortunately, the technical design here - while theoretically plausible - feels like a relatively straightforward combination that ultimately renders a set of interesting, but not unexpected properties. It's not entirely clear that these properties are in fact the right ones to solve the problem the paper purports to solve. + +Other than the minor issue that proof-of-proximity hardware isn't yet available in widely deployed phones (the authors make a plausible case that this might change; this reviewer has no way to independently assess that), the paper also postulates a sybil-proof anonymous credential system. While the proposed approach achieves non-linkability across different crowd event, the anonymity set for any participant who contributes to the count is limited to the set of all those who have obtained these credentials. In other words, in order to achieve meaningful privacy for the proposed use case, these credentials need to not just widely available, but also widely issued. That seems like a huge step to simply assume. 
+ +I encourage the authors to continue their research, and to explore other application scenarios as well. + +=========================================================================== + PoPETs 2019.4 Review #90C +--------------------------------------------------------------------------- + Paper #90: CROCUS: privacy-preserving CROwd Counting Using Smartphones +--------------------------------------------------------------------------- + + Overall merit: 1. Reject + Reviewer expertise: 2. Some familiarity + Reviewer confidence: 2. Medium + Relevance to PETS: 3. Directly related to PETs (scope is + not an issue) + + ===== Paper summary ===== + +This paper proposes a verifiable and privacy-preserving system for counting participants in physical protests. Participants use anonymous credentials and a distance-bounding protocol to authenticate their presence to witnesses, who then submit reports to a ledger for being counted. + + ===== Comments for author ===== + +This paper attacks an interesting problem; certainly crowd size estimates have been subjects of some disputes in the past, and at the same time privacy is important. + +A key concern I have is the reliance on witnesses to authenticate participation. The authors suggest that either trusted witnesses are used or some number of untrusted ones. I do not see how untrusted witnesses can lead to a secure outcome, even if there is a large number of them, since there is no reason not to believe that all of them are colluding to inflate the crowd size. + +Using trusted witnesses, on the other hand, has similar pitfalls to the existing approaches, as discussed in the prior work section: it is hard to find witnesses that all opposing factions will trust, and it is hard to scale this approach to large crowds. 
Since the distance-bounding protocol is not specified in this paper, it is hard to assess its practical limitations, but typical phone-to-phone communications have relatively small range, so to count all participants in a large protest witnesses need to be deployed throughout the protest. + +An important question not considered in this paper is deniability. Could the government use the presence of a CROCUS app on your phone be used to implicate a protester? Is there other evidence that the app maintains after the protest that could be used here? As an example, if a government deployed a witness at a protest, later, it could ask you to authenticate to this witness using the same protest ID, and only those who had not authenticated previously would be able to do so. + +Finally, the paper acknowledges in section 9.1 that the technologies needed to support it, including a widely deployed anonymous credential system, distance bounding on phones, etc., are not yet available. It makes some arguments for why this system may be practical in the near future, by extrapolating some results from prior work. This suggests to me that this paper is better suited for a workshop, such as HotPETS, where these speculative ideas can generate discussion, rather than PETS, which typically expects more fully specified and evaluated work. + +Other comments: +- s2.1 talks about Internet connectivity before / after the protests; it is worth noting that many countries often implement high levels of Internet censorship around politically sensitive times +- s3 "CrowdCount CrowdCount" - duplicated word + + + From 4c572440555c8a9a78eb3ebce78926c7df45c650 Mon Sep 17 00:00:00 2001 
From: Daniel Bosk Date: Wed, 10 Apr 2019 12:29:30 +0200 Subject: [PATCH 2/3] Adds initial work on formalizing and proving the protocol --- paper/Makefile | 1 + paper/contents.tex | 1 + paper/formalization.tex | 268 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 270 insertions(+) create mode 100644 paper/formalization.tex diff --git a/paper/Makefile b/paper/Makefile index b87af33f..6bea971e 100644 --- a/paper/Makefile +++ b/paper/Makefile @@ -18,6 +18,7 @@ SRC+= protest-model.tex SRC+= verifiability-properties.tex SRC+= privacy-properties.tex SRC+= adversary-model.tex +SRC+= formalization.tex SRC+= building-blocks.tex SRC+= ZKPK.tex #SRC+= ZKPK-instantiations.tex diff --git a/paper/contents.tex b/paper/contents.tex index 75c2d739..6b3b43d3 100644 --- a/paper/contents.tex +++ b/paper/contents.tex @@ -10,6 +10,7 @@ \include*{system-model} \include*{related-work} \include*{definitions} +\include*{formalization} \include*{building-blocks} %\include*{DB-anon-cred} \include*{protocol} diff --git a/paper/formalization.tex b/paper/formalization.tex new file mode 100644 index 00000000..05ec589c --- /dev/null +++ b/paper/formalization.tex 
@@ -0,0 +1,268 @@ +\section{Formalization} + +\subsection{Setup} + +\emph{Setup: \((\spk, \ssk)\gets \CROCUSsetup\).} +Generates a service public--private key-pair~\((\spk, \ssk)\). + +\emph{Registration: \(\sk\gets + \Proto{\CROCUSreg[_P][\spk]}{\CROCUSreg[_{\CA}][\ssk]}\).} +An interactive protocol which returns the secret key~\(\sk\) of the +participant~\(P\). + +\subsection{Participation}% +\label{ProtocolDuring} + +\emph{Creation of a protest: \(\cid\gets \GenProtest[s]\).} +Takes a string~\(s\in\{0,1\}^*\) describing the protest cause and returns a +unique cause identifier~\(\cid\). + +\emph{Joining: \((\pid, t_s)\gets \CROCUSjoin[_P][\cid]\).} +Takes the cause identifier~\(\cid\) of a protest and returns the protester' +protest-specific identifier~\(\pid\) along with a time-stamp~\(t_s\). + +A protester who wants to join the protest uses the manifesto to +compute an identifier for the cause by hashing the manifesto, +\(\cid\gets \Hash[\mfst]\) (and comparing the result to that received +from the organizer, we omit this in the protocol for readibility). +Afterwards, this identifier is used to create the protest-specific identifier +for the protester, \(\pid\gets \ACprf[_{\sk_P}][\cid]\)% +% (see \cref{fig:ProofFig} and \cref{ACprfAlg} in the appendix for details of +%the algorithms)% +. +The protester also fetches a time-correlated random value, \(t_s\), from +\(\TS\), \(t_s\gets \TSget\). + + +\emph{Joining as a witness: \(t_s'\gets \CROCUSjoin_W\).} +The witness simply gets a time-correlated random value from the time-stamping service, \(t_s'\gets \TSget\). +Note that we do this for redundancy, the newest of \(t_s\) and \(t_s'\) will +set the start of the time interval of creation for the proof share. + + +\emph{Participation: \(\pi\gets + \Proto{\CROCUSparticipate[\cid, \sk_P]}{\CROCUSwitness[\sk_W, \spk]}\),} +In the participation phase, the protester and +the witness construct the proof share of the protester (\cref{fig:ProofFig}). 
+ +The protester sends \(\pid\) and \(t_s\) to the witness. +Then they run the protocol \[ + \Proto{\ACproveSig[\spk, k, r, \sigma]}{\ACverifySig[\spk, \ssk]} +\] (see \cref{ACacAlg}), \(k\) and \(r\) are part of \(\sk_P\). +Note that the \acf{PK} in \cref{ACacAlg} must be +run as a \iacf{PPK}, which we do by distance bounding. +If the protocol succeeds, the witness will compute \(\wid \gets + \ACprf[_{\sk_W}][\pid]\) and send \((\wid, t_s', l)\) to the protester. + + +\emph{Submission: \(\psh_P\gets \CROCUSsubmit[_P][\cid, \pid, \wid, t_s, t_s', l]\).} +The protester commits the proof-share data to the ledger~\(L\) and receives the +proof of commitment, \(t_e\gets \TSsubmit[\Hash[\cid, \pid, \wid, t_s, t_s', + l]]\). +The sooner this is done, the higher the precision for the time-dependent +eligibility criterion will be for later counting. +The remaining operations are not time critical. + +The protester computes \iac{NIZK} proof \(\corr_{\pid}\), which shows the +correctness of \(\pid\). +More specifically, +\begin{multline*} + \corr_{\pid}\gets \SPK\left\{ (\sk_P) : \right. \\ + \begin{aligned} + \pid &= \ACprf[_{\sk_P}][\cid] \quad \land \\ + \sigma_P' &= \left. \ACblind[\ACsign[_{\ssk}][\sk_P]] \right\} + \end{aligned} \\ + (\cid, \pid, \wid, t_s, t_s', l). +\end{multline*} +Finally, the protester uploads the tuple \[ + \psh_P = (\cid, \pid, \wid, t_s, t_s', t_e, l, \corr_{\pid}) +\] for permanent storage, \(\TSsubmit[\psh_P]\). + +\emph{Submission: \(\psh_W\gets \CROCUSsubmit[_W][\cid, \pid, \wid, t_s, t_s', + l]\).} +The witness, like the protester, commits the proof-share data to the +ledger, \(t_e\gets \TSsubmit[\Hash[\cid, \pid, \wid, t_s, t_s', l]]\). +%(This is to make the time interval as early as possible, whoever is the faster +%will submit it.) \sonja{but both do} +Then, without any time requirements, the witness computes \iac{NIZK} proof +\(\corr_{\wid}\) as follows: +\begin{multline*} + \corr_{\wid}\gets \SPK\left\{ (\sk_W) : \right. 
\\ + \begin{aligned} + \wid &= \ACprf[_{\sk_W}][\pid] \quad \land \\ + \sigma_W' &= \left. \ACblind[\ACsign[_{\ssk}][\sk_W]] \right\} + \end{aligned} \\ + (\cid, \pid, \wid, t_s, t_s', l). +\end{multline*} +Finally, the witness uploads the tuple \[ + \psh_W = (\cid, \pid, \wid, t_s, t_s', t_e', l, \corr_{\wid}) +\] for permanent storage on the ledger, \(\TSsubmit[\psh_W]\). + + +\begin{figure*} + \centering + \small + \begin{subfigure}{\columnwidth} + \begin{align*} + O\to \text{all}\colon & \text{manifesto} \\ + P\colon & t_s\gets \TSget \\ + & \cid\gets \Hash[\text{manifesto}], \\ + & \pid\gets \ACprf[_{\sk_P}][\cid] \\ + W\colon & t_s'\gets \TSget + \\[-1em] + \noalign{\hfill Join} + \midrule + \noalign{\hfill Participation} + \\[-3em] + P\to W\colon & \pid \\ + P\leftrightarrow W\colon & + \PPK\mleft\{ (\sk_P) : \mright. \\ + & \qquad \pid = \ACprf[_{\sk_P}][\cid], \\ + & \qquad \mleft. \sigma_P' = \ACblind[\ACsign[_{\ssk}][\sk_P]] \mright\} + \\ + W\colon & \wid\gets \ACprf[_{\sk_W}][\pid] \\ + W\to P\colon & (\wid, t_s', l) + \end{align*} + \caption{Join and participation.} + \end{subfigure} + \hfill + \begin{subfigure}{\columnwidth} + \begin{align*} + P\colon & t_e\gets \TSsubmit[\Hash[\pid, \wid, t_s, t_s', l]] \\ + W\colon & t_e'\gets \TSsubmit[\Hash[\pid, \wid, t_s, t_s', l]] \\ + W\colon & \TSsubmit[(\cid, \pid, \wid, t_s, t_s', t_e, l, + \pi_{\wid})],\quad \text{where} \\ + & \pi_{\wid} = \SPK\mleft\{ (\sk_W) : \mright. \\ + & \qquad \wid = \ACprf[_{\sk_W}][\pid], \\ + & \qquad \mleft. \sigma_W' = \ACblind[\ACsign[_{\ssk}][\sk_W]]\mright\} + \\ + & \qquad\qquad (\cid, \pid, \wid, t_s, t_s', l) \\ + P\colon & \TSsubmit[(\cid, \pid, \wid, t_s, t_s', t_e, l, + \pi_{\pid})],\quad \text{where}\\ + & \pi_{\pid} = \SPK\mleft\{ (\sk_P) : \mright. \\ + & \qquad \pid = \ACprf[_{\sk_P}][\cid], \\ + & \qquad \mleft. 
\sigma_P' = \ACblind[\ACsign[_{\ssk}][\sk_P]] \mright\} + \\ + & \qquad\qquad (\cid, \pid, \wid, t_s, t_s', l) + \end{align*} + \caption{Submission.} + \end{subfigure} + \caption{% + An overview of \CROCUS participation.\@ + The organizer \(O\) broadcasts the manifesto. + The protester \(P\), witness \(W\) and their computations are as in \cref{fig:ProofFig}. + Finally, both \(P\) and \(W\) submit the proof shares to a + public ledger for permanent storage \(S\). Note that \pid always refers to the + protester whose presence is being witnessed. + }% + \label{fig:ProtocolOverview} +\end{figure*} +%\normalsize + + +\subsection{Count and Verification}% +\label{ProtocolVerification} + +% While there are various ways for verifying the participation count, hereafter, +% we will detail the two suggested just after \cref{DefParticipationCount}. +% In the first approach, we do not trust individual witnesses, rather we \emph{assume} that it is difficult for Alice to find more than \(\theta\) witnesses willing to collude. +% Thus, the strength comes from the number of witnesses and we require at least \(\theta\) witnesses to accept a participation proof as valid. +% In the second approach, we trust specific witnesses, but no others. +% In this case, to accept a participation proof as valid, we require at least one trusted witness, the independent journalist Jane. +% It is the strength function \(\str\) of \cref{DefParticipationCount} that +% differ in the two cases. +% We will first give the procedure and then how to construct the two different +% strength functions. + + +To count or verify the participation count for a protest \(\prtst\) with +identifier \(\cid_0\), a verifier must download the set \(\pshs_{\cid_0}\) of +all \(s_P\) and \(s_W\) tuples containing \(\cid_0\) from the ledger~\(\TS\). 
+Then from \(\pshs_{\cid_0}\), a verifier can build, in succession, +\begin{enumerate*} +\item the valid proof shares \(s_j^{(i)}\) for all matching pairs \((s_P, + s_W)\) corresponding to a witness \(i\) and a protester \(j\), +\item the participation proof \(\prf_{j}\) for each protester \(j\), +\item the set \(\prfs_{\prtst}^{\str,\theta}\) of eligible participation proofs + for all protesters in \(\prtst\), and finally, +\item the participation count, \ie the cardinality of + \(\prfs_\prtst^{\str,\theta}\). +\end{enumerate*} + +More precisely, given \[ + \pshs_{\cid_0} = \{ (\cid, \pid, \wid, l, t_s, t_s', t_c, \corr) \in \pshs + \mid \cid = \cid_0 \} +\] and a matching pair \((s_P, s_W) \in {\pshs_{\cid_0}}^2\) for a witness +\(i\) and a protester \(j\) with +\begin{align*} + s_P &= (\cid_0, \pid_j, \wid_i, l, t_s, t_s', t_c, \corr_i) &\text{and} \\ + s_W &= (\cid_0, \pid_j, \wid_i, l, t_s, t_s', t_c', \corr_j), +\end{align*} +%, with matching values for \(cid_0, pid_j, wid_i, l, t_s, t_s'\), +the verifier can build a valid proof share \(s_j^{(i)}\) certified by \(i\) for +\(j\) as follows: +verify \(\corr_i\) and \(\corr_j\), +let +\begin{align*} + t &= \interval{\max(t_s, t_s')}{\min(t_c, t_c')} &\text{and} \\ + s_j^{(i)} &= (\cid_0, \pid_j, \wid_i, l, t), +\end{align*} +as in \cref{DefProofShare}, +check that \(s_j^{(i)}\) is valid (\ie happened during and at the location of +the protest), as in \cref{DefProofShare}. + +Then the set of all valid proof shares for a protester \(j\) constitutes its +participation proof \(\prf_{j}\), as in \cref{DefParticipationProof}, +and the verifier thus can derive the set of \((\str,\theta)\)-eligible participation proofs \(\prfs_{\prtst}^{\str,\theta}\) for all protesters for the protest \(\prtst\), as in \cref{DefParticipationCount}. +Finally, the participation count \(|\prfs_{\prtst}^{\str,\theta}|\) is the cardinality of this set by \cref{DefParticipationCount}. 
+ + +% MOST PROBABLY obsolete below v + +%To verify the participation count for a protest \(\prtst\) with identifier $\cid$ +%(see \cref{DefProtest}), a verifier must download all the proof shares \[ +% \psh_i = (\cid, \pid_j, \wid_i, t_s^{(i)}, t_s^{\prime (i)}, t_e^{(i)}, +% t_e^{\prime (i)}, l_i, \corr_{\pid_j}^{(i)}, \corr_{\wid_i}) +%\] for each protester \(j\) from the ledger, verify \(\corr_{\pid_j}^{(i)}\), +%\(\corr_{\wid_i}\) and that the interval \(\interval{\max(t_s^{(i)}, +% t_s^{\prime (i)})}{\min(t_e^{(i)}, t_e^{\prime (i)})}\subseteq t\) and that +%\(l_i\subseteq l\). +%Any proof share that does not verify correctly will be discarded. +%At this point, the verifier has constructed the set \(S\) from +%\cref{DefProofShares} and can thus construct any participation proof +%\(\prf_{\pid_j, P}\) as in \cref{DefParticipationProof}. +%Now the verifier can compute the participation count \(|\prfs_P^{\str, +% \theta}|\) as in \cref{DefParticipationCount}. + + +%__________________________ + +% In the case \emph{without} trusted witnesses, all the weights equal to 1 is equivalent to counting the elements in the set, +% \(\str[\prf_{\pid_j, P}] = |\prf_{\pid_j, P}|\). + +In the case of trusted witnesses, each such trusted witness must +publish or otherwise inform the verifier of which proof shares they +have signed, \eg by giving a list of all such proof shares or +digitally signing each proof share\footnote{% + To achieve witness privacy in this situation, one could employ a + group or ring signature scheme for a set of potentially trusted witnesses, \eg + members of an independent journalist association. Then one learns + that at least one member of this set must have + been there. +}. 
+ +Note that, thanks to the \((\str,\theta)\)-eligibility criterion +(\cref{DefParticipationCount}), the method of counting is extremely +generic, and each (counting) verifier can make an independent choice to regulate their trust in the final result, based on their initial trust in the witnesses. In other words, anyone who does the counting can choose the eligibility +criteria (time interval, location, number of regular or trusted +witnesses, who is considered to be a trusted witness) for their own count +and as long as these are published along with the result, anyone can +verify the correctness of the count under those criteria, and potentially question the validity of this choice. Biased or partisan verifiers may be tempted to make extreme choices, but they will have to publish those choices and lose credibility. Reasonable verifiers on the other hand will try to find a good middle-ground that counts all legitimate protesters while being resistant to isolated malicious agents. + +% Then the verifier can define \[ +% \str[\prf_{\pid_j, P}] = \begin{cases} +% 1 & \text{if \(\exists \psh_i\in \prf_{\pid_j, P}\) that is such a proof +% share} \\ +% 0 & \text{otherwise} +% \end{cases} +% \] and sets \(\theta = 1\). From 0f81e048dace21b31acb01dce8d6e72df57fcc51 Mon Sep 17 00:00:00 2001 From: Daniel Bosk Date: Fri, 24 May 2019 09:37:20 +0200 Subject: [PATCH 3/3] Adds missing \GenProtest --- paper/preamble.tex | 1 + 1 file changed, 1 insertion(+) diff --git a/paper/preamble.tex b/paper/preamble.tex index 16205d42..65d94334 100644 --- a/paper/preamble.tex +++ b/paper/preamble.tex @@ -113,6 +113,7 @@ \NewVariable{\sk}{sk} \NewVariable{\spk}{spk} \NewVariable{\ssk}{ssk} +\NewAlgorithm{\GenProtest}{GenProtest} \NewAlgorithm{\CROCUSreg}{Reg} \NewAlgorithm{\CROCUSjoin}{Join} \NewVariable{\mfst}{manifesto}
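Review bot: paper/reviews/popets-2019.4.md is committed as Markdown, but the pasted review text relies on plain-text layout that Markdown will reinterpret: a line such as `PoPETs 2019.4 Review #90A` directly followed by `-----` (and the preceding `=====` rule under the subject line) is parsed as a setext heading, and the rebuttal e-mail header (`Date:`, `From:`, `CC:`, `Subject:`) is folded into body text. Store the file as `.txt` or wrap the pasted reviews in a fenced block so the original layout survives. It would also help to record, next to the file, the concrete design concerns the reviews raise that PATCH 2/3 does not yet address: who runs and pays for the ledger and whether Grace can take over or congest a small chain (#90A); untrusted witnesses all colluding to inflate the count (#90C); and the deniability question of whether the CROCUS app or data it retains after the protest can be used to implicate a protester (#90C).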
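Review bot: in paper/contents.tex, `\include*{formalization}` is placed after `definitions` and before `building-blocks`, which is the right spot for the \cref{DefProofShare}, \cref{DefParticipationProof} and \cref{DefParticipationCount} references, but formalization.tex also refers to \cref{ACacAlg} and \cref{fig:ProofFig}, and nothing in this series defines those labels (the only new macro is \GenProtest in PATCH 3/3). Confirm both labels exist in building-blocks, ZKPK or the appendix; otherwise the cross-references render as `??`.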
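Review bot: in paper/formalization.tex, the witness side of the credential check is given the service secret key: `\Proto{\ACproveSig[\spk, k, r, \sigma]}{\ACverifySig[\spk, \ssk]}`. `\ssk` is the issuer's private key generated in Setup and used only in `\CROCUSreg[_{\CA}][\ssk]`; a witness holding it could issue credentials to itself, which defeats exactly the sybil-resistance the reviews question, and verifying a signature needs only `\spk`. If this is a typo for `\sk_W`, fix it; if witnesses really are issuers, state that trust assumption explicitly. Two further gaps in "Count and Verification": the verifier is told to verify `\corr_i` and `\corr_j` and build `t` from `t_c, t_c'`, but never to check that `t_c`/`t_c'` are valid ledger proofs of commitment to `\Hash[\cid, \pid, \wid, t_s, t_s', l]`, so the end of the interval is unauthenticated and the time-eligibility criterion can be gamed; and `\sigma_P'`/`\sigma_W'` appear in the SPK statements but are not part of the uploaded tuples `\psh_P`/`\psh_W`, so a verifier working from the ledger alone cannot check `\corr_{\pid}`/`\corr_{\wid}`; add the randomized credential to the tuple. Notation needs one pass for consistency before this is provable: the submission prose uses `t_e, t_e'` and `\corr`, the verification uses `t_c, t_c'`, and the figure uses `\pi_{\wid}`; the witness submission reads `t_e\gets \TSsubmit[...]` but stores `t_e'`; the figure's commitment `\TSsubmit[\Hash[\pid, \wid, t_s, t_s', l]]` omits `\cid` while the prose includes it, and the figure stores `t_e` rather than `t_e'` in W's tuple; in the matching pair `s_P` carries `\corr_i` and `s_W` carries `\corr_j`, the reverse of who produces them, and the field order `(\cid, \pid, \wid, l, t_s, t_s', t_c, \corr)` differs from `(\cid, \pid, \wid, t_s, t_s', t_e, l, \corr_{\pid})`; `\CROCUSjoin_W` should be `\CROCUSjoin[_W]` to match `\CROCUSjoin[_P][\cid]`; and `\GenProtest[s]` is described as taking a description string while the text defines `\cid\gets \Hash[\mfst]`, so say which it is. Minor: "protester'" should be "protester's", "readibility" should be "readability", the `\emph{Participation: ...}` heading ends in a comma, and the `% MOST PROBABLY obsolete below` block and the `\sonja{but both do}` remark should be dropped rather than committed as comments.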
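Review bot: PATCH 3/3 adds `\NewAlgorithm{\GenProtest}{GenProtest}` to paper/preamble.tex, but formalization.tex in PATCH 2/3 already uses `\GenProtest[s]`, so the tree at 4c57244 does not compile. Squash this one-line change into PATCH 2/3 (or reorder it ahead of it) so every commit in the series builds.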