diff --git a/fig/proofshare-trusted.tikz b/fig/proofshare-trusted.tikz new file mode 100644 index 00000000..91e6f417 --- /dev/null +++ b/fig/proofshare-trusted.tikz @@ -0,0 +1,53 @@ +\begin{tikzpicture}[% + -Latex, + item/.style={rectangle,draw}, + edge from parent/.style={}, + ] + \tikzset{% + %grow'=left,% + %level distance=5em% + } + \node[item] (proof) {$(\cid, \pid, \wid, t, l)$} + child {% + node[item] (pid) {$\pid$} + child {% + node[item] (cid) {$\cid$} + child {% + node[item] (manifesto) {$\mfst$} + } + } + } + child {% + node[item] (wid) {$\wid$} + } + child {% + node[item] (ts) {$t$} + } + child {% + node[item] (l) {$l$} + } + ; + + \node[item,right of=proof,node distance=8em] (prfW) {$\prf_W$} ; + + \path[every node/.style={font=\small}] + (cid) edge [out=north west,in=west] node [anchor=east] {$\in$} (proof) + (pid) edge node [anchor=south east] {$\in$} (proof) + (wid) edge node [anchor=east] {$\in$} (proof) + (ts) edge node [anchor=east] {$\in$} (proof) + (l) edge node [anchor=west] {$\in$} (proof) + ; + + \path[every node/.style={font=\small}] + (manifesto) edge node [anchor=east] {$\Hash[\cdot]$} (cid) + (cid) edge node [anchor=west,rotate=-30] + {$\ACprf[_{\sk_P}][\cdot]$} (pid) + (pid) edge[bend right] node [anchor=160,rotate=-30] + {$\ACprf[_{\sk_W}][\cdot]$} (wid) + ; + + \path[every node/.style={font=\small}] + (proof) edge [out=east,in=west] node {} (prfW) + ; + +\end{tikzpicture} diff --git a/paper/.gitignore b/paper/.gitignore index 6a78a27d..f5ddf295 100644 --- a/paper/.gitignore +++ b/paper/.gitignore @@ -10,6 +10,7 @@ location.bib main.pdf paper.pdf proofshare.tikz +proofshare-trusted.tikz protests.bib sybil.bib tposet.tikz diff --git a/paper/Makefile b/paper/Makefile index a75c0578..5e642670 100644 --- a/paper/Makefile +++ b/paper/Makefile 
@@ -11,12 +11,12 @@ main.pdf: preamble.tex preamble-paper.tex SRC+= contents.tex SRC+= abstract.tex SRC+= intro.tex -SRC+= system-model.tex SRC+= current-crowd-counting.tex SRC+= definitions.tex SRC+= protest-model.tex SRC+= security-properties.tex SRC+= adversary-model.tex +SRC+= system-model.tex SRC+= building-blocks.tex SRC+= ZKPK.tex #SRC+= ZKPK-instantiations.tex @@ -25,10 +25,11 @@ SRC+= anon-cred.tex SRC+= distance-bounding.tex #SRC+= DB-anon-cred.tex SRC+= timestamp.tex -SRC+= protocol.tex +SRC+= protocol-trusted.tex +SRC+= protocol-untrusted.tex SRC+= security-analysis.tex -SRC+= verifiability-analysis.tex -SRC+= privacy-analysis.tex +SRC+= verifiability-analysis.tex +SRC+= privacy-analysis.tex SRC+= performance.tex SRC+= related-work.tex SRC+= discussion.tex @@ -39,8 +40,9 @@ SRC+= identity-limits.tex main.pdf: ${SRC} -FIGS+= proofshare.tikz +FIGS+= proofshare.tikz proofshare-trusted.tikz proofshare.tikz: ../fig/proofshare.tikz +proofshare-trusted.tikz: ../fig/proofshare-trusted.tikz FIGS+= base-adversary.tikz base-adversary.tikz: ../fig/base-adversary.tikz diff --git a/paper/building-blocks.tex b/paper/building-blocks.tex index 5eeb2c42..f8445213 100644 --- a/paper/building-blocks.tex +++ b/paper/building-blocks.tex @@ -24,5 +24,7 @@ \section{Building blocks}% \input{distance-bounding.tex} +\input{location-proofs.tex} + \input{timestamp.tex} diff --git a/paper/contents.tex b/paper/contents.tex index 908bd6bd..1331061f 100644 --- a/paper/contents.tex +++ b/paper/contents.tex @@ -13,7 +13,8 @@ \include*{definitions} \include*{building-blocks} %\include*{DB-anon-cred} -\include*{protocol} +\include*{protocol-trusted} +\include*{protocol-untrusted} \include*{security-analysis} \include*{performance} \include*{related-work} @@ -23,7 +24,6 @@ \printbibliography{} \appendix -\include*{location-proofs} %\include*{trust-assumptions} \include*{anon-cred-figures} %\include*{tamarin-spec} 
diff --git a/paper/distance-bounding.tex b/paper/distance-bounding.tex index 169cb84d..05ade3aa 100644 --- a/paper/distance-bounding.tex +++ b/paper/distance-bounding.tex @@ -42,8 +42,9 @@ \subsection{Distance-bounding protocols}% Our setting requires a public-key \ac{DB} protocol with a \emph{malicious verifier} who will potentially try to \emph{impersonate the prover}. The verifier might also try to track the provers and map their identities to their actions, thus we also require strong privacy. -In fact, as the construction in \cref{Protocol} shows, we require \iac{DB} -\ac{ZKPK}, or simply \ac{PPK}, for discrete logarithms. +In fact, as the construction in +\cref{untrusted-witnesses-protocol,trusted-witnesses-protocol} shows, we +require \iac{DB} \ac{ZKPK}, or simply \ac{PPK}, for discrete logarithms. For this paper, we assume the existence of such a protocol. There exists one such protocol in the literature, namely one by \textcite{DB-Schnorr}, we refer to that paper for a detailed discussion. diff --git a/paper/intro.tex b/paper/intro.tex index 43999dbd..a48819ff 100644 --- a/paper/intro.tex +++ b/paper/intro.tex @@ -71,7 +71,9 @@ \section{Introduction}% % We present \CROCUS, a privacy-preserving crowd counting %estimation -protocol in in \Cref{Protocol}, analyze its security in \cref{SecurityAnalysis}, and estimate its performance in \cref{PerformanceAnalysis}. +protocol in in \cref{trusted-witnesses-protocol,untrusted-witnesses-protocol}, +analyze its security in \cref{SecurityAnalysis}, and estimate its performance +in \cref{PerformanceAnalysis}. We compare it to related work in \cref{related-work}. Finally, we discuss limitations and assumptions in \cref{Discussion} and give our conclusions in \cref{Conclusion}. diff --git a/paper/location-proofs.tex b/paper/location-proofs.tex new file mode 100644 index 00000000..4603511e --- /dev/null +++ b/paper/location-proofs.tex 
@@ -0,0 +1,37 @@ +\subsection{Location proofs} +\label{location-proofs} +Some \acp{LBS} only grant access to resources to users located at a particular +location, thus raising the issue of verifying the position claimed by a +particular user. +One possible way to counter this threat is by having the requesting device +formally prove that it really is at the claimed location, which gives rise to +the concept of \acp{LP}. +In a nutshell, \iac{LP} is a digital certificate attesting that someone was at +a particular location at a specific moment in time. +\Iac{LPS} is an architecture by which users can obtain \acp{LP} from +neighboring witnesses (\eg trusted access points or other users) that can later +be shown to verifiers who can check the validity of a particular +proof~\cite{luo2010veriplace,zhu2011applaus}. +Most of the existing approaches to \acp{LP} require the prover and the +witnesses to disclose their identities, thus raising many privacy issues such +as the possibility of tracing the movements of users of the \ac{LPS}. +However, some \acp{LPS}, such as PROPS~\cite{PROPS}, exist that provide strong +privacy guarantees along with the possibility of verifying the claim of the +location. + +%\CROCUS shares some similarities with PROPS, although their objective is quite +%different as it aims at verifying a global property of the population (\ie +%crowd estimation) in contrast to checking the location claim made by a user, +%which is an individual property. +% +%Another difference is that \CROCUS operates in a more adverse environment. +%\CROCUS must provide \emph{universal verifiability}, this means that all proofs +%must be available to and verifiable by anyone. +%One problem here is that we have multiple verifiers who might not trust the +%same witnesses. +%The incentives to cheat are also bigger and consequently the thresholds for +%collusion are much higher. 
+% +\sonja{add something on platin.io, details unknown but roughly relying on + witnesses and graph theory (unique big cluster, assumption of honest + majority)} diff --git a/paper/preamble.tex b/paper/preamble.tex index 0d9287da..91cdbdcd 100644 --- a/paper/preamble.tex +++ b/paper/preamble.tex @@ -112,11 +112,14 @@ \NewAlgorithm{\CROCUSsetup}{Setup} \NewVariable{\pk}{pk} \NewVariable{\sk}{sk} -\NewVariable{\spk}{spk} -\NewVariable{\ssk}{ssk} +\NewVariable{\CA}{CA} +\NewVariable{\spk}{spk_\CA} +\NewVariable{\ssk}{ssk_\CA} +\NewVariable{\spkw}{spk_{\CA'}} +\NewVariable{\sskw}{ssk_{\CA'}} \NewAlgorithm{\CROCUSreg}{Reg} \NewAlgorithm{\CROCUSjoin}{Join} -\NewVariable{\mfst}{manifesto} +\NewVariable{\mfst}{m} \NewAlgorithm{\CROCUSparticipate}{Prticip} \NewAlgorithm{\CROCUSwitness}{Witness} \NewAlgorithm{\CROCUSsubmit}{Submit} @@ -149,7 +152,6 @@ \NewAlgorithm{\PKverify}{PK.\!Verify} \NewAlgorithm{\SPKprove}{SPK.\!Prove} \NewAlgorithm{\SPKverify}{SPK.\!Verify} -\NewVariable{\CA}{CA} \NewSet{\TT}{T} \NewSet{\LL}{L} diff --git a/paper/protocol-trusted.tex b/paper/protocol-trusted.tex new file mode 100644 index 00000000..79280d77 --- /dev/null +++ b/paper/protocol-trusted.tex 
@@ -0,0 +1,354 @@ +%\section{\CROCUS:\@ A protocol for crowd counting estimation}% +\section{Crowd counting with trusted witnesses}% +\label{trusted-witnesses-protocol} + +We now present a protocol for privacy-preserving but verifiable crowd +counts. +This version of the protocol relies on trusted entities to act as witnesses for +\iac{LP}. + +A prerequisite for this protocol is a one-to-one mapping between a persons real +identity and a certificate (\ie a cryptographic key). +\Cref{ProtocolSetup} covers how Alice can obtain such a certificate. +It is a lighter version than in~\cite{SelfCertifiedSybilFreePseudonyms} and not +the full protocol of~\cite{HowToWinTheCloneWars}. + +At the core of our construction, witnesses generate participation proofs for +the protesters (in \cref{TrustedProtocolDuring}), these are essentially +augmented \acp{LP}\footnote{% + \Iac{LP} certifies that its owner was at a given location at a given time. + In \cref{protest-model}, we point out that we also need a cause identifier. +}. +Then whoever wants to verify the participation count, will count and verify +those participation proofs (in \cref{TrustedProtocolVerification}). + +The entities involved in our protocol are participants and (count) verifiers. +A participant can assume three different roles: +\begin{enumerate} +\item The \emph{organizer} has written a manifesto for the protest and + disseminated it to others. + Anyone can do this, but in general, there is only one organizer. +\item A \emph{protester} is attending the protest and asks witnesses to vouch + for their presence. +\item A \emph{witness} provides proofs of participation to protesters. + The proofs are constructed such that they are verifiable by third parties. + The witness must be trusted by the verifier. +\end{enumerate} +Anyone can be a verifier (we required universal verifiability, +\cref{desired-properties}). 
+The verifier defines the protest to be counted by setting the cause, time +(interval) and location (area), \cf \cref{DefProtest}. +Now the verifier counts all proofs that verify correctly and fulfils the cause, +time and location criteria. +The verifier can publish, \eg in a news paper, the final count together with +the cause, time and location and anyone can verify this count (by repeating the +same procedure). +Any participant can confirm their inclusion by repeating the count and checking +that their proof is included. + +\subsection{Prerequisite: self-certified, Sybil-free pseudonyms}% +\label{ProtocolSetup} + +Before Alice can have her participation in any event counted, she must get a +certificate that ensures Sybil-freeness. +This is only done once\footnote{% + It is repeated when the credential expires, in analogy to a passport that + must be renewed at regular intervals. +}. +The keys can be reused for an arbitrary number of protests or, given +careful choices in the \ac{PRF} used for deriving identifiers, other +services that work with anonymous credentials. + +\paragraph*{Setup: \((\spk, \ssk)\gets \CROCUSsetup\)} + +During the setup phase, the \ac{CA} creates all the needed keys. +The \ac{CA} generates a service public-private key-pair \((\spk, \ssk)\gets + \ACsetup\) (see \cref{ACsignAlg}). + +\paragraph*{Registration: \(\sk\gets +\Proto{\CROCUSreg[_P][\spk]}{\CROCUSreg[_{\CA}][\ssk]}\)} + +During the registration phase, each participant +generates a secret key~\(\sk = (k, r)\) and +obtains a signature on it by the \ac{CA} \emph{but without revealing it} to the +\ac{CA}. +At the end, each participant will have a signed secret key while the \ac{CA} +will issue only one signature per participant but without knowing the +association between a particular key and the identity of the participant. 
+The participant chooses \(k, r\rgets \ZZ_q\) uniformly randomly and runs +\(\sigma \gets \Proto{\ACgetSig[\spk, k, r]}{\ACissueSig[\spk, \ssk]}\) (see +\cref{ACacAlg}). +Upon success, the participant sets \(\sk = (\sigma, k, r)\). + +The key~\(\sk\) can be used together with \(\ACprf\) to create a +pseudonym~\(p\gets \ACprf[_k][c]\) in a particular context~\(c\) (see +\cref{ACprfAlg}). +There exists \iac{PK} such that one can prove that \(p\) is computed correctly +from \(c\) with a valid key~\(\sk\) (see \cref{ACprfPKalg} or \cite{AnonPass} +for details). + + + +\subsection{Participation}% +\label{TrustedProtocolDuring} + +%The join, participation and submission phases are as follows. +% illustrated in \cref{protocol-overview-trusted}. +The goal of our protocol is to generate and collect privacy-preserving +participation proofs that can be counted and verified. These proofs +consist of proof shares that are constructed as depicted in +\cref{proofshare-trusted-fig}. +They are constructed through an interactive protocol between the protester and +the witness, as depicted in \cref{protocol-overview-trusted} and described below. + +\begin{figure} + \centering + \small + \includegraphics{proofshare-trusted.tikz} + \caption{% + Structure of a proof share. + The protest (cause) identifier \(\cid\) is the hash value of the manifesto. + The protester~\(P\)'s protest-specific pseudonym~\(\pid\) is computed using + the protester's key~\(\sk_P\) and \(\cid\). + The witness \(W\)'s \emph{protester}-specific identifier \(\wid\) is + computed using the witness's key~\(\sk_W\) and the protester's + pseudonym~\(\pid\). + \(t\) is the time (interval) and \(l\) is the location (area) as determined + by the trusted witness~\(W\). + All values are signed by the witness (signature \(\prf_W = \SPK[\sk_W][\wid + = \dotsb][\cid, \pid, \wid, t, l]\)) while also proving the correctness of + \(\wid\) and knowledge of a signature on \(\sk_W\) by some \ac{CA}. 
+ }% + \label{proofshare-trusted-fig} +\end{figure}% + + +\paragraph*{Creation of a protest: the manifesto} + +The organizer writes a manifesto for the protest, which describes its cause. +This manifesto could take the form of any intelligible text, in +practice at minimum a name. +The organizer then distributes this manifesto to people through +any suitable means (\eg on the Web, on placards, \etc). +If they agree with the cause, they will use the knowledge of the +manifesto to join the protest. + + +\paragraph*{Joining as a protester: + \((\pid)\gets \CROCUSjoin[_P][\mfst]\)} + +In the terminology of \textcite{SelfCertifiedSybilFreePseudonyms}, the +manifesto~\(\mfst\) is the context and it yields an identity domain. +A protester who wants to join the protest uses the manifesto~\(\mfst\) to +compute an identifier for the cause (the context) by hashing the manifesto, +\(\cid\gets \Hash[\mfst]\)\footnote{% + The result should be compared to that received from the organizer to check + that the \(\cid\) indeed is correct. + This is to avoid that protesters use different \(\cid\)s for semantically + equivalent manifestos~\(\mfst\). + However, we omit this in the protocol for readability. +}. +Afterwards, this is used to create the protester's protest-specific +pseudonym~\(\pid\gets \ACprf[_{\sk_P}][\cid]\)% +% (see \cref{proofshare-trusted-fig} and \cref{ACprfAlg} in the appendix for details of +%the algorithms)% +. + + +\paragraph*{Joining as a witness} + +The witness does not have to do anything to join as a witness. +That the witness is trusted by the verifier means that the verifier trusts that +the witness can +\begin{enumerate*} + \item determine the time of an interaction with a protester, + \item determine the its own location during that interaction + and + \item will run the protocol as an honest witness with the potentially + malicious protester. 
+\end{enumerate*} + + +\paragraph*{Participation: + \(\pi\gets + \Proto{\CROCUSparticipate[\cid, \sk_P]}{\CROCUSwitness[\sk_W, \spk]}\)} + +In the participation phase, the protester and +the witness construct the proof share of the protester (\cref{proofshare-trusted-fig}). + +The protester sends \(\pid\) to the witness. +Then they run the protocol \[ + \Proto{\ACproveSig[\spk, k, r, \sigma]}{\ACverifySig[\spk, \ssk]} +\] (see \cref{ACacAlg}), \(k\) and \(r\) are part of \(\sk_P\). +Note that the \acf{PK} in \cref{ACacAlg} must be +\iacf{PPK} (\ie a \acl{PK} with distance bounding). +We use the protocol of \textcite{DB-Schnorr}, which does exactly this. +If the protocol succeeds, the witness will compute \(\wid \gets +\ACprf[_{\sk_W}][\pid]\) and send \((\wid, t, l)\) to the protester, where +\(t\) is the current time and \(l\) is the witness' current location. + + +\paragraph*{Submission: + \(\psh\gets \CROCUSsubmit[_W][\cid, \pid, \wid, t, l]\)} + +In the submission phase, the proof shares are be made available for the +verifier. +\Ie the verifier must be able to verify that a proof was actually issued by a +witness. + +To achieve this, the witness computes \iac{NIZK} proof~\(\corr_{\wid}\), +proving the correctness of \(\wid\) while also signing the time~\(t\) and +location~\(l\). +More specifically, we have that +\begin{multline*} + \corr_{\wid}\gets \SPK\left\{ (\sk_W) : \right. \\ + \begin{aligned} + \wid &= \ACprf[_{\sk_W}][\pid] \quad \land \\ + \sigma_W' &= \left. \ACblind[\ACsign[_{\sskw}][\sk_W]] \right\} + \end{aligned} \\ + (\cid, \pid, \wid, t, l). +\end{multline*} +Finally, the complete proof share is the tuple \[ + \psh = (\cid, \pid, \wid, t, l, \corr_{\wid}). +\] + +For individual and universal verifiability, the proof should be published on +some permanent storage, such as the ledger~\(\TS\) by running +\(\TSsubmit[\psh]\) (\cref{ledger}). 
+ +Note that it does not matter if it is the witness or the protester who makes +\(\psh\) available to the verifier. +The witness could compute \(\psh\) during the protest and give to the +protester immediately, but we separate these steps to show that the witness can +postpone those extra computations while potentially running on battery. +(Remember, the witness is assumed trusted.) + +Now, the witness is anonymous here. +For the verifier to recognize a proof on some publicly available storage as +issued by a trusted witness there could be another \ac{CA}, say \(\CA'\), which +issues credentials to witnesses. +\(\CA'\) could be run by a news paper, trusted to only issue credentials to +trustworthy witnesses. + +Another solution would be that the witness simply signs the tuple \((\cid, +\pid, t, l)\) with a key that is tied to the witness' identity. +However, that would allow tracking and thus the anonymity set of the protester +would shrink. + +Note also that the prover need not compute any \ac{NIZK} proof of the +correctness of \(\pid\) since the witness is trusted to have verified this (as +part of the distance bounding). + + + +\begin{figure*} + \centering + \small + \begin{subfigure}{\columnwidth} + \begin{align*} + O\to \text{all}\colon & \text{manifesto} \\ + P\colon + & \cid\gets \Hash[\text{manifesto}], \\ + & \pid\gets \ACprf[_{\sk_P}][\cid] + \\[-1em] + \noalign{\hfill Join} + \midrule + \noalign{\hfill Participation} + \\[-3em] + P\to W\colon & \pid \\ + P\leftrightarrow W\colon & + \PPK\mleft\{ (\sk_P) : \mright. \\ + & \qquad \pid = \ACprf[_{\sk_P}][\cid], \\ + & \qquad \mleft. 
\sigma_P' = \ACblind[\ACsign[_{\ssk}][\sk_P]] \mright\} + \\ + W\colon & \wid\gets \ACprf[_{\sk_W}][\pid]% \\ + %W\to P\colon & (\wid, t, l) + \end{align*} + \caption{Join and participation} + \end{subfigure} + \hfill + \begin{subfigure}{\columnwidth} + \begin{align*} + W\colon & \TSsubmit[(\cid, \pid, \wid, t, l, \corr_{\wid})],\quad + \text{where} \\ + & \corr_{\wid} = \SPK\mleft\{ (\sk_W) : \mright. \\ + & \qquad \wid = \ACprf[_{\sk_W}][\pid], \\ + & \qquad \mleft. \sigma_W' = + \ACblind[\ACsign[_{\sskw}][\sk_W]]\mright\} \\ + & \qquad\qquad (\cid, \pid, \wid, t, l) + \end{align*} + \caption{Submission} + \end{subfigure} + \caption{% + An overview of the protocol with trusted witnesses. + The organizer~\(O\) broadcasts the manifesto. + The protester~\(P\) with pseudonym~\(\pid\) in the context of the protest + (\(\cid\)), + the witness~\(W\) with pseudonym~\(\wid\) in the context of that protester + and + their computations are as in \cref{proofshare-trusted-fig}. + Finally, \(W\) submits the proof share to a public ledger~\(\TS\) for + permanent storage. + }% + \label{protocol-overview-trusted} +\end{figure*} +%\normalsize + + +\subsection{Count and verification}% +\label{TrustedProtocolVerification} + +% While there are various ways for verifying the participation count, hereafter, +% we will detail the two suggested just after \cref{DefParticipationCount}. +% In the first approach, we do not trust individual witnesses, rather we \emph{assume} that it is difficult for Alice to find more than \(\theta\) witnesses willing to collude. +% Thus, the strength comes from the number of witnesses and we require at least \(\theta\) witnesses to accept a participation proof as valid. +% In the second approach, we trust specific witnesses, but no others. +% In this case, to accept a participation proof as valid, we require at least one trusted witness, the independent journalist Jane. 
+% It is the strength function \(\str\) of \cref{DefParticipationCount} that +% differ in the two cases. +% We will first give the procedure and then how to construct the two different +% strength functions. + +Assume that the verifier wants to verify the count for a protest~\(\prtst\). +The first thing the verifier will do, is to download all the proof +shares~\(\psh\) from the ledger~\(\TS\), such that \(\psh \sqsubseteq \sprtst\) +is a valid proof share for some subprotest~\(\sprtst\in\prtst\) of the +protest~\(\prtst\). +Next, the verifier selects only those proof shares~\(\psh = (\cid, \pid, \wid, +t, l, \corr_{\wid})\) such that \(\corr_\wid\) proves knowledge of a signature +by \(\sskw\). +We denote this set of proof shares by \(\pshs\). + +Next, the verifier partitions the set of proof shares~\(\pshs\) using the +relation~\(=_\pid\) such that \( + (\cid, \pid, \wid, t, l) =_\pid (\cid', \pid', \wid', t', l') +\) is true if \(\pid = \pid'\). +Each equivalence class \(\prf_{i, \prtst} \in \pshs/{=_\pid}\) is a proof of +participation for participant \(i\). +In terms of \cref{DefParticipationCount}, we let \(\theta = 1\) and \[ + \str(\psh) = + \begin{cases} + 1 & \text{if the verifier trusts \(\CA'\) to issue only to trustworthy + witnesses} \\ + 0 & \text{otherwise} + \end{cases}. +\] Consequently, the total participation count is \(|\prfs_\prtst^{\str, +\theta}|\). + +\endinput + +Note that, thanks to the \((\str,\theta)\)-eligibility criterion +(\cref{DefParticipationCount}), the method of counting is extremely +generic, and each (counting) verifier can make an independent choice to regulate their trust in the final result, based on their initial trust in the witnesses. 
In other words, anyone who does the counting can choose the eligibility +criteria (time interval, location, number of regular or trusted +witnesses, who is considered to be a trusted witness) for their own count +and as long as these are published along with the result, anyone can +verify the correctness of the count under those criteria, and potentially question the validity of this choice. Biased or partisan verifiers may be tempted to make extreme choices, but they will have to publish those choices and lose credibility. Reasonable verifiers on the other hand will try to find a good middle-ground that counts all legitimate protesters while being resistant to isolated malicious agents. + +% Then the verifier can define \[ +% \str[\prf_{\pid_j, P}] = \begin{cases} +% 1 & \text{if \(\exists \psh_i\in \prf_{\pid_j, P}\) that is such a proof +% share} \\ +% 0 & \text{otherwise} +% \end{cases} +% \] and sets \(\theta = 1\). diff --git a/paper/protocol-untrusted.tex b/paper/protocol-untrusted.tex new file mode 100644 index 00000000..ee560c39 --- /dev/null +++ b/paper/protocol-untrusted.tex 
@@ -0,0 +1,235 @@ +%\section{\CROCUS:\@ A protocol for crowd counting estimation}% +\section{Crowd counting with potentially untrusted witnesses}% +\label{untrusted-witnesses-protocol} + +In line with some \ac{LPS}, \eg \ac{PROPS}, we now provide a version where we +reduce the trust in the witnesses. +The entities and roles involved in this version of the protocol are still the +same, but we reduce the possibility to create new proofs before and after an +event. + + +\subsection{Participation}% +\label{ProtocolDuring} + +The main change to participate is the use of the time-stamping property of +\(\TS\). +Instead of the witness determining the time~\(t\), the witness and protester +each determine a time interval for the creation of the proof. +The witness gets \(t_s\gets \TSget\) and the protester gets \(t_s'\gets +\TSget\) from the ledger~\(\TS\). +They close the interval by committing the proof share to the ledger using +\(\TSsubmit\). +This adapted structure of a proof-share is depicted in \cref{fig:ProofFig}. +The updated protocol phases are given in \cref{fig:ProtocolOverview} and +described below. + +\begin{figure} + \centering + \small + \includegraphics{proofshare.tikz} + \caption{% + Structure of a proof share. + The protest (cause) identifier \(\cid\) is the hash value of the manifesto. + The protester \(P\)'s identifier \(\pid\) is computed using the protester's key \(\sk_P\) and \(\cid\). + The witness \(W\)'s protester-specific identifier \(\wid\) is computed using the + witness's key \(\sk_W\) and the protester's \(\pid\). + \(t_s, t_s'\) are the outputs from \(\TSget\), \eg hashes of the head + blocks in the ledger seen by the protester and witness, respectively, and + \(l\) is an area. + All values are signed by the witness (signature \(\prf_W = \SPK[\sk_W][\wid + = \dotsb][\cid, \pid, \wid, t_s, t_s', l]\)) while also proving the + correctness of \(\wid\) and knowledge of a signature on \(\sk_W\). + The protester constructs \(\prf_P\) analogously. 
+ }% + \label{fig:ProofFig} +\end{figure}% + + +The creation of the protest is the same: the organizer publishes the manifesto +in some way. + +\paragraph*{Joining} + +The join procedure is the same, except we add fetching \(t_s\). +So the protester computes \( + \cid\gets \Hash[\mfst] +\) and \( + \pid\gets \ACprf[_{\sk_P}][\cid]. +\) The protester also fetches a time-correlated random value, \(t_s\), from +\(\TS\); \(t_s\gets \TSget\). + +The witness simply gets a time-correlated random value from the time-stamping +service, \(t_s'\gets \TSget\). +Note that we do this for redundancy, the newest of \(t_s\) and \(t_s'\) will +set the start of the time interval of creation for the proof share. + + +\paragraph*{Participation} + +In the participation phase, the only difference is the use of \(t_s\) and +\(t_s'\) instead of \(t\). + +The protester sends \(\pid\) and \(t_s\) to the witness. +Then they run the protocol \[ + \Proto{\ACproveSig[\spk, k, r, \sigma]}{\ACverifySig[\spk, \ssk]} +\] to verify the correctness of \(\pid\) and do the distance bounding, same as +before. +If the protocol succeeds, the witness will compute \(\wid \gets +\ACprf[_{\sk_W}][\pid]\) and send \((\wid, t_s', l)\) to the protester. + + +\paragraph*{Submission} + +The submission phase differs in what constitutes the proof share. +The protester commits the proof-share data to the ledger~\(\TS\) and receives +the proof of commitment~\(t_e\gets \TSsubmit[\Hash[\cid, \pid, \wid, t_s, t_s', +l]]\), which ends the time interval. +The sooner this is done, the higher the precision for the time-dependent +eligibility criterion will be for later counting. +(The witness can also do this, the important part is to do it as soon as +possible.) +The remaining operations are not time critical. + +The protester computes \iac{NIZK} proof \(\corr_{\pid}\), which shows the +correctness of \(\pid\) to a third party. +More specifically, +\begin{multline*} + \corr_{\pid}\gets \SPK\left\{ (\sk_P) : \right. 
\\ + \begin{aligned} + \pid &= \ACprf[_{\sk_P}][\cid] \quad \land \\ + \sigma_P' &= \left. \ACblind[\ACsign[_{\ssk}][\sk_P]] \right\} + \end{aligned} \\ + (\cid, \pid, \wid, t_s, t_s', l). +\end{multline*} +Finally, the protester uploads the tuple \[ + \psh_P = (\cid, \pid, \wid, t_s, t_s', t_e, l, \corr_{\pid}) +\] for permanent storage, \(\TSsubmit[\psh_P]\). + +The witness, like the protester, commits the proof-share data to the ledger, +\(t_e\gets \TSsubmit[\Hash[\cid, \pid, \wid, t_s, t_s', l]]\). +(This is to close the time interval as early as possible, whoever is the faster +will submit it first, so both submit it.) \sonja{but both do} +Then, without any time requirements, the witness computes \iac{NIZK} proof +\(\corr_{\wid}\) as follows: +\begin{multline*} + \corr_{\wid}\gets \SPK\left\{ (\sk_W) : \right. \\ + \begin{aligned} + \wid &= \ACprf[_{\sk_W}][\pid] \quad \land \\ + \sigma_W' &= \left. \ACblind[\ACsign[_{\ssk}][\sk_W]] \right\} + \end{aligned} \\ + (\cid, \pid, \wid, t_s, t_s', l). +\end{multline*} +Finally, the witness uploads the tuple \[ + \psh_W = (\cid, \pid, \wid, t_s, t_s', t_e', l, \corr_{\wid}) +\] for permanent storage on the ledger, \(\TSsubmit[\psh_W]\). + + +\begin{figure*} + \centering + \small + \begin{subfigure}{\columnwidth} + \begin{align*} + O\to \text{all}\colon & \text{manifesto} \\ + P\colon & t_s\gets \TSget \\ + & \cid\gets \Hash[\text{manifesto}], \\ + & \pid\gets \ACprf[_{\sk_P}][\cid] \\ + W\colon & t_s'\gets \TSget + \\[-1em] + \noalign{\hfill Join} + \midrule + \noalign{\hfill Participation} + \\[-3em] + P\to W\colon & \pid \\ + P\leftrightarrow W\colon & + \PPK\mleft\{ (\sk_P) : \mright. \\ + & \qquad \pid = \ACprf[_{\sk_P}][\cid], \\ + & \qquad \mleft. 
\sigma_P' = \ACblind[\ACsign[_{\ssk}][\sk_P]] \mright\} + \\ + W\colon & \wid\gets \ACprf[_{\sk_W}][\pid] \\ + W\to P\colon & (\wid, t_s', l) + \end{align*} + \caption{Join and participation.} + \end{subfigure} + \hfill + \begin{subfigure}{\columnwidth} + \begin{align*} + P\colon & t_e\gets \TSsubmit[\Hash[\pid, \wid, t_s, t_s', l]] \\ + W\colon & t_e'\gets \TSsubmit[\Hash[\pid, \wid, t_s, t_s', l]] \\ + W\colon & \TSsubmit[(\cid, \pid, \wid, t_s, t_s', t_e, l, + \pi_{\wid})],\quad \text{where} \\ + & \pi_{\wid} = \SPK\mleft\{ (\sk_W) : \mright. \\ + & \qquad \wid = \ACprf[_{\sk_W}][\pid], \\ + & \qquad \mleft. \sigma_W' = \ACblind[\ACsign[_{\ssk}][\sk_W]]\mright\} + \\ + & \qquad\qquad (\cid, \pid, \wid, t_s, t_s', l) \\ + P\colon & \TSsubmit[(\cid, \pid, \wid, t_s, t_s', t_e, l, + \pi_{\pid})],\quad \text{where}\\ + & \pi_{\pid} = \SPK\mleft\{ (\sk_P) : \mright. \\ + & \qquad \pid = \ACprf[_{\sk_P}][\cid], \\ + & \qquad \mleft. \sigma_P' = \ACblind[\ACsign[_{\ssk}][\sk_P]] \mright\} + \\ + & \qquad\qquad (\cid, \pid, \wid, t_s, t_s', l) + \end{align*} + \caption{Submission.} + \end{subfigure} + \caption{% + An overview of \CROCUS participation.\@ + The organizer \(O\) broadcasts the manifesto. + The protester \(P\), witness \(W\) and their computations are as in \cref{fig:ProofFig}. + Finally, both \(P\) and \(W\) submit the proof shares to a + public ledger for permanent storage \(S\). Note that \pid always refers to the + protester whose presence is being witnessed. + }% + \label{fig:ProtocolOverview} +\end{figure*} +%\normalsize + + +\subsection{Count and Verification}% +\label{ProtocolVerification} + +The set of proofs is constructed the same way as before. +What differs is what we do with \(\theta\) and \(\str\). + +We have the set of proof shares~\(\pshs\), as before. 
+We also have the partitioning of the set of proof shares using the +relation~\(=_\pid\) such that \( + (\cid, \pid, \wid, t, l) =_\pid (\cid', \pid', \wid', t', l') +\) is true if \(\pid = \pid'\). +Each equivalence class \(\prf_{i, \prtst} \in \pshs/{=_\pid}\) is a proof of +participation for participant \(i\). +This is the same as before. + +However, in terms of \cref{DefParticipationCount}, the total participation +count is still \(|\prfs_\prtst^{\str, \theta}|\), but this time the verifier +might set \(\theta\) and \(\str\) differently. +The verifier can still set \(\theta\) and \(\str\) the same as before and get +the trusted witnesses scenario. +But this time the verifier knows when the proofs were constructed (in +\(\interval{t_s}{t_e}\)), due to trusting \(\TS\) to provide correct +time-stamping and immutability. + +\daniel{The following should be edited to fit.} +Note that, thanks to the \((\str,\theta)\)-eligibility criterion +(\cref{DefParticipationCount}), the method of counting is extremely +generic, and each (counting) verifier can make an independent choice to regulate their trust in the final result, based on their initial trust in the witnesses. In other words, anyone who does the counting can choose the eligibility +criteria (time interval, location, number of trusted or untrusted witnesses, +who is considered to be a trusted witness) for their own count. +As long as \emph{these assumptions/criteria are published along with the +result}, anyone can verify the correctness of the count under those criteria, +and potentially question the validity of this choice. Biased or partisan +verifiers may be tempted to make extreme choices, but they will have to publish +those choices and lose credibility. Reasonable verifiers, on the other hand, +will try to find a good middle-ground that counts all legitimate protesters +while being resistant to isolated malicious agents. 
+However, what exactly this choice would be is out of scope and, in fact, would +fall under a different area of research. + +% Then the verifier can define \[ +% \str[\prf_{\pid_j, P}] = \begin{cases} +% 1 & \text{if \(\exists \psh_i\in \prf_{\pid_j, P}\) that is such a proof +% share} \\ +% 0 & \text{otherwise} +% \end{cases} +% \] and sets \(\theta = 1\). diff --git a/paper/protocol.tex b/paper/protocol.tex deleted file mode 100644 index 367c840c..00000000 --- a/paper/protocol.tex +++ /dev/null 
@@ -1,379 +0,0 @@ -%\section{\CROCUS:\@ A protocol for crowd counting estimation}% -\section{The \CROCUS Protocol}% -\label{Protocol} - - -We now present \CROCUS, a protocol for privately verifiable crowd -counts. A prerequisite for using \CROCUS is a one-to-one mapping of a person's -sybil-proof identity and a cryptographic key% -%, more specifically, an anonymous -%identity credential that provides unlinkability between contexts but -%linkability for reuse within the same context -%\sonja{this is actually achieved by our use of prfs for pid and wid, -%not inherent in the credential} -% \footnote{% -% Given any \ac{CA} that prevents Sybil -% attacks~\cite{SybilAttack}, systems such as~\cite{clonewars} could -% be used to make sure that for each identity one-and-only-one -% cryptographic key is issued. -% In terms of~\cite{clonewars}, this can be seen as an unclonable subscription -% to one's identity. -% } -. Since we assume these properties, we -present only the result of the process of getting anonymous -credentials from a \ac{CA}, in \cref{ProtocolSetup}. - -The core of the \CROCUS protocol consists of generating participation -proofs (joining a protest, participating in witnessing, submitting -proof shares to a ledger, all in \cref{ProtocolDuring}) with an overview in \cref{fig:ProtocolOverview}, and then counting and -verification of that count (in \cref{ProtocolVerification}). - -% The protocol consists of five phases: setup (in \cref{ProtocolSetup}), -% join, participation, submission (all in in \cref{ProtocolDuring}) and -% verification (in \cref{ProtocolVerification}). - -The entities involved in our protocol are participants and (count) verifiers. -A participant can assume three different roles: -\begin{enumerate} -\item The \emph{organizer} has written a manifesto for the protest and - disseminated it to others. -\item A \emph{protester} is attending the protest and asks witnesses to vouch - for their presence. 
-\item A \emph{witness} provides proofs to protesters which state that they indeed participated, constructed such that the proofs are verifiable by - third parties. -\end{enumerate} -In general, there is one organizer and every participant can act as -either or both protester and witness. - -After the protest, anyone can count the number of participants (of the protest and the -protocol) and verify anyone else's count given the relevant meta data -(which protest, location, time, and witness parameters used in the -count). We refer to anyone counting or verifying a count as the -verifier; the process is the same. - -\subsection{Prerequisite: anonymous credentials}% -\label{ProtocolSetup} - -Before Alice can have her participation in any event counted by -\CROCUS, she needs to get an anonymous credential and corresponding -keys. This only needs to be repeated when the credential expires or is -lost, in analogy to a passport in terms of expected intervals. The -keys can be reused for an arbitrary number of protests or, given -careful choices in the PRF used for deriving identifiers, other -services that work with anonymous credentials. - -We use the setup and registration phases of Anon-Pass~\cite{AnonPass} for -getting anonymous credentials, adapting only the notation to fit ours. -%More precisely, we have simply adapted their description to our notation, but otherwise kept the setting as similar as possible. - - -\emph{Setup: \((\spk, \ssk)\gets \CROCUSsetup\).} -During the setup phase, the \ac{CA} creates all the needed keys. -The \ac{CA} generates a service public-private key-pair \((\spk, \ssk)\gets - \ACsetup\) (see \cref{ACsignAlg}). - -\emph{Registration: \(\sk\gets - \Proto{\CROCUSreg[_P][\spk]}{\CROCUSreg[_{\CA}][\ssk]}\).} -During the registration phase, each participant generates a secret key~\((k, - r)\) and obtains a signature on it by the \ac{CA} \emph{but without revealing - it} to the \ac{CA} (or to any part thereof in a multi-party scenario). 
-At the end, each participant will have a signed secret key while the \ac{CA} -will issue only one signature per participant but without knowing the -association between a particular key and the identity of the participant. -The participant chooses \(k, r\rgets \ZZ_q\) uniformly randomly and runs -\(\sigma \gets \Proto{\ACgetSig[\spk, k, r]}{\ACissueSig[\spk, \ssk]}\) (see -\cref{ACacAlg}). -Upon success, the participant sets \(\sk = (\sigma, k, r)\). - - - -\subsection{Participation}% -\label{ProtocolDuring} - - -%The join, participation and submission phases are as follows. -% illustrated in \cref{fig:ProtocolOverview}. -The goal of \CROCUS is to generate and collect privacy-preserving -participation proofs that can be counted and verified. These proofs -consist of proof shares that are constructed as depicted in -\cref{fig:ProofFig}. The protocol phases are given in -\cref{fig:ProtocolOverview} and described below. - -\begin{figure} - \centering - \small - \includegraphics{proofshare.tikz} - \caption{% - Structure of a proof share. - The protest (cause) identifier \(\cid\) is the hash value of the manifesto. - The protester \(P\)'s identifier \(\pid\) is computed using the protester's key \(\sk_P\) and \(\cid\). - The witness \(W\)'s protester-specific identifier \(\wid\) is computed using the - witness's key \(\sk_W\) and the protester's \(\pid\). - \(t_s, t_s'\) are the hashes of the head blocks in the ledger seen by the - protester and witness, respectively, and \(l\) is an area. - All values are signed by the witness (signature \(\prf_W = \SPK[\sk_W][\wid - = \dotsb][\cid, \pid, \wid, t_s, t_s', l]\)) while also proving the - correctness of \(\wid\) and knowledge of a signature on \(\sk_W\). - The protester constructs \(\prf_P\) analogously. - }% - \label{fig:ProofFig} -\end{figure}% - - -\emph{Creation of a protest: the manifesto.} -The organizer writes a manifesto for the protest, which describes its cause. 
-This manifesto could take the form of any intelligible text, in -practice at minimum a name. -The organizer then distributes this manifesto to people through -any suitable means (\eg on the Web, on placards, \etc). -If they agree with the cause, they will use the knowledge of the -manifesto to join the protest. - - -\emph{Joining as a protester: \((\pid, t_s)\gets - \CROCUSjoin[_P][\text{manifesto}]\).} -A protester who wants to join the protest uses the manifesto to -compute an identifier for the cause by hashing the manifesto, -\(\cid\gets \Hash[\mfst]\) (and comparing the result to that received -from the organizer, we omit this in the protocol for readibility). -Afterwards, this identifier is used to create the protest-specific identifier -for the protester, \(\pid\gets \ACprf[_{\sk_P}][\cid]\)% -% (see \cref{fig:ProofFig} and \cref{ACprfAlg} in the appendix for details of -%the algorithms)% -. -The protester also fetches a time-correlated random value, \(t_s\), from -\(\TS\), \(t_s\gets \TSget\). - - -\emph{Joining as a witness: \(t_s'\gets \CROCUSjoin_W\).} -The witness simply gets a time-correlated random value from the time-stamping service, \(t_s'\gets \TSget\). -Note that we do this for redundancy, the newest of \(t_s\) and \(t_s'\) will -set the start of the time interval of creation for the proof share. - - -\emph{Participation: \(\pi\gets - \Proto{\CROCUSparticipate[\cid, \sk_P]}{\CROCUSwitness[\sk_W, \spk]}\),} -In the participation phase, the protester and -the witness construct the proof share of the protester (\cref{fig:ProofFig}). - -The protester sends \(\pid\) and \(t_s\) to the witness. -Then they run the protocol \[ - \Proto{\ACproveSig[\spk, k, r, \sigma]}{\ACverifySig[\spk, \ssk]} -\] (see \cref{ACacAlg}), \(k\) and \(r\) are part of \(\sk_P\). -Note that the \acf{PK} in \cref{ACacAlg} must be -run as a \iacf{PPK}, which we do by distance bounding. 
-If the protocol succeeds, the witness will compute \(\wid \gets - \ACprf[_{\sk_W}][\pid]\) and send \((\wid, t_s', l)\) to the protester. - - -\emph{Submission: \(\psh_P\gets \CROCUSsubmit[_P][\cid, \pid, \wid, t_s, t_s', l]\).} -The protester commits the proof-share data to the ledger~\(L\) and receives the -proof of commitment, \(t_e\gets \TSsubmit[\Hash[\cid, \pid, \wid, t_s, t_s', - l]]\). -The sooner this is done, the higher the precision for the time-dependent -eligibility criterion will be for later counting. -The remaining operations are not time critical. - -The protester computes \iac{NIZK} proof \(\corr_{\pid}\), which shows the -correctness of \(\pid\). -More specifically, -\begin{multline*} - \corr_{\pid}\gets \SPK\left\{ (\sk_P) : \right. \\ - \begin{aligned} - \pid &= \ACprf[_{\sk_P}][\cid] \quad \land \\ - \sigma_P' &= \left. \ACblind[\ACsign[_{\ssk}][\sk_P]] \right\} - \end{aligned} \\ - (\cid, \pid, \wid, t_s, t_s', l). -\end{multline*} -Finally, the protester uploads the tuple \[ - \psh_P = (\cid, \pid, \wid, t_s, t_s', t_e, l, \corr_{\pid}) -\] for permanent storage, \(\TSsubmit[\psh_P]\). - -\emph{Submission: \(\psh_W\gets \CROCUSsubmit[_W][\cid, \pid, \wid, t_s, t_s', - l]\).} -The witness, like the protester, commits the proof-share data to the -ledger, \(t_e\gets \TSsubmit[\Hash[\cid, \pid, \wid, t_s, t_s', l]]\). -%(This is to make the time interval as early as possible, whoever is the faster -%will submit it.) \sonja{but both do} -Then, without any time requirements, the witness computes \iac{NIZK} proof -\(\corr_{\wid}\) as follows: -\begin{multline*} - \corr_{\wid}\gets \SPK\left\{ (\sk_W) : \right. \\ - \begin{aligned} - \wid &= \ACprf[_{\sk_W}][\pid] \quad \land \\ - \sigma_W' &= \left. \ACblind[\ACsign[_{\ssk}][\sk_W]] \right\} - \end{aligned} \\ - (\cid, \pid, \wid, t_s, t_s', l). 
-\end{multline*} -Finally, the witness uploads the tuple \[ - \psh_W = (\cid, \pid, \wid, t_s, t_s', t_e', l, \corr_{\wid}) -\] for permanent storage on the ledger, \(\TSsubmit[\psh_W]\). - - -\begin{figure*} - \centering - \small - \begin{subfigure}{\columnwidth} - \begin{align*} - O\to \text{all}\colon & \text{manifesto} \\ - P\colon & t_s\gets \TSget \\ - & \cid\gets \Hash[\text{manifesto}], \\ - & \pid\gets \ACprf[_{\sk_P}][\cid] \\ - W\colon & t_s'\gets \TSget - \\[-1em] - \noalign{\hfill Join} - \midrule - \noalign{\hfill Participation} - \\[-3em] - P\to W\colon & \pid \\ - P\leftrightarrow W\colon & - \PPK\mleft\{ (\sk_P) : \mright. \\ - & \qquad \pid = \ACprf[_{\sk_P}][\cid], \\ - & \qquad \mleft. \sigma_P' = \ACblind[\ACsign[_{\ssk}][\sk_P]] \mright\} - \\ - W\colon & \wid\gets \ACprf[_{\sk_W}][\pid] \\ - W\to P\colon & (\wid, t_s', l) - \end{align*} - \caption{Join and participation.} - \end{subfigure} - \hfill - \begin{subfigure}{\columnwidth} - \begin{align*} - P\colon & t_e\gets \TSsubmit[\Hash[\pid, \wid, t_s, t_s', l]] \\ - W\colon & t_e'\gets \TSsubmit[\Hash[\pid, \wid, t_s, t_s', l]] \\ - W\colon & \TSsubmit[(\cid, \pid, \wid, t_s, t_s', t_e, l, - \pi_{\wid})],\quad \text{where} \\ - & \pi_{\wid} = \SPK\mleft\{ (\sk_W) : \mright. \\ - & \qquad \wid = \ACprf[_{\sk_W}][\pid], \\ - & \qquad \mleft. \sigma_W' = \ACblind[\ACsign[_{\ssk}][\sk_W]]\mright\} - \\ - & \qquad\qquad (\cid, \pid, \wid, t_s, t_s', l) \\ - P\colon & \TSsubmit[(\cid, \pid, \wid, t_s, t_s', t_e, l, - \pi_{\pid})],\quad \text{where}\\ - & \pi_{\pid} = \SPK\mleft\{ (\sk_P) : \mright. \\ - & \qquad \pid = \ACprf[_{\sk_P}][\cid], \\ - & \qquad \mleft. \sigma_P' = \ACblind[\ACsign[_{\ssk}][\sk_P]] \mright\} - \\ - & \qquad\qquad (\cid, \pid, \wid, t_s, t_s', l) - \end{align*} - \caption{Submission.} - \end{subfigure} - \caption{% - An overview of \CROCUS participation.\@ - The organizer \(O\) broadcasts the manifesto. 
- The protester \(P\), witness \(W\) and their computations are as in \cref{fig:ProofFig}. - Finally, both \(P\) and \(W\) submit the proof shares to a - public ledger for permanent storage \(S\). Note that \pid always refers to the - protester whose presence is being witnessed. - }% - \label{fig:ProtocolOverview} -\end{figure*} -%\normalsize - - -\subsection{Count and Verification}% -\label{ProtocolVerification} - -% While there are various ways for verifying the participation count, hereafter, -% we will detail the two suggested just after \cref{DefParticipationCount}. -% In the first approach, we do not trust individual witnesses, rather we \emph{assume} that it is difficult for Alice to find more than \(\theta\) witnesses willing to collude. -% Thus, the strength comes from the number of witnesses and we require at least \(\theta\) witnesses to accept a participation proof as valid. -% In the second approach, we trust specific witnesses, but no others. -% In this case, to accept a participation proof as valid, we require at least one trusted witness, the independent journalist Jane. -% It is the strength function \(\str\) of \cref{DefParticipationCount} that -% differ in the two cases. -% We will first give the procedure and then how to construct the two different -% strength functions. - - -To count or verify the participation count for a protest \(\prtst\) with -identifier \(\cid_0\), a verifier must download the set \(\pshs_{\cid_0}\) of -all \(s_P\) and \(s_W\) tuples containing \(\cid_0\) from the ledger~\(\TS\). 
-Then from \(\pshs_{\cid_0}\), a verifier can build, in succession, -\begin{enumerate*} -\item the valid proof shares \(s_j^{(i)}\) for all matching pairs \((s_P, - s_W)\) corresponding to a witness \(i\) and a protester \(j\), -\item the participation proof \(\prf_{j}\) for each protester \(j\), -\item the set \(\prfs_{\prtst}^{\str,\theta}\) of eligible participation proofs - for all protesters in \(\prtst\), and finally, -\item the participation count, \ie the cardinality of - \(\prfs_\prtst^{\str,\theta}\). -\end{enumerate*} - -More precisely, given \[ - \pshs_{\cid_0} = \{ (\cid, \pid, \wid, l, t_s, t_s', t_c, \corr) \in \pshs - \mid \cid = \cid_0 \} -\] and a matching pair \((s_P, s_W) \in {\pshs_{\cid_0}}^2\) for a witness -\(i\) and a protester \(j\) with -\begin{align*} - s_P &= (\cid_0, \pid_j, \wid_i, l, t_s, t_s', t_c, \corr_i) &\text{and} \\ - s_W &= (\cid_0, \pid_j, \wid_i, l, t_s, t_s', t_c', \corr_j), -\end{align*} -%, with matching values for \(cid_0, pid_j, wid_i, l, t_s, t_s'\), -the verifier can build a valid proof share \(s_j^{(i)}\) certified by \(i\) for -\(j\) as follows: -verify \(\corr_i\) and \(\corr_j\), -let -\begin{align*} - t &= \interval{\max(t_s, t_s')}{\min(t_c, t_c')} &\text{and} \\ - s_j^{(i)} &= (\cid_0, \pid_j, \wid_i, l, t), -\end{align*} -as in \cref{DefProofShare}, -check that \(s_j^{(i)}\) is valid (\ie happened during and at the location of -the protest), as in \cref{DefProofShare}. - -Then the set of all valid proof shares for a protester \(j\) constitutes its -participation proof \(\prf_{j}\), as in \cref{DefParticipationProof}, -and the verifier thus can derive the set of \((\str,\theta)\)-eligible participation proofs \(\prfs_{\prtst}^{\str,\theta}\) for all protesters for the protest \(\prtst\), as in \cref{DefParticipationCount}. -Finally, the participation count \(|\prfs_{\prtst}^{\str,\theta}|\) is the cardinality of this set by \cref{DefParticipationCount}. 
- - -% MOST PROBABLY obsolete below v - -%To verify the participation count for a protest \(\prtst\) with identifier $\cid$ -%(see \cref{DefProtest}), a verifier must download all the proof shares \[ -% \psh_i = (\cid, \pid_j, \wid_i, t_s^{(i)}, t_s^{\prime (i)}, t_e^{(i)}, -% t_e^{\prime (i)}, l_i, \corr_{\pid_j}^{(i)}, \corr_{\wid_i}) -%\] for each protester \(j\) from the ledger, verify \(\corr_{\pid_j}^{(i)}\), -%\(\corr_{\wid_i}\) and that the interval \(\interval{\max(t_s^{(i)}, -% t_s^{\prime (i)})}{\min(t_e^{(i)}, t_e^{\prime (i)})}\subseteq t\) and that -%\(l_i\subseteq l\). -%Any proof share that does not verify correctly will be discarded. -%At this point, the verifier has constructed the set \(S\) from -%\cref{DefProofShares} and can thus construct any participation proof -%\(\prf_{\pid_j, P}\) as in \cref{DefParticipationProof}. -%Now the verifier can compute the participation count \(|\prfs_P^{\str, -% \theta}|\) as in \cref{DefParticipationCount}. - - -%__________________________ - -% In the case \emph{without} trusted witnesses, all the weights equal to 1 is equivalent to counting the elements in the set, -% \(\str[\prf_{\pid_j, P}] = |\prf_{\pid_j, P}|\). - -In the case of trusted witnesses, each such trusted witness must -publish or otherwise inform the verifier of which proof shares they -have signed, \eg by giving a list of all such proof shares or -digitally signing each proof share\footnote{% - To achieve witness privacy in this situation, one could employ a - group or ring signature scheme for a set of potentially trusted witnesses, \eg - members of an independent journalist association. Then one learns - that at least one member of this set must have - been there. -}. 
- -Note that, thanks to the \((\str,\theta)\)-eligibility criterion -(\cref{DefParticipationCount}), the method of counting is extremely -generic, and each (counting) verifier can make an independent choice to regulate their trust in the final result, based on their initial trust in the witnesses. In other words, anyone who does the counting can choose the eligibility -criteria (time interval, location, number of regular or trusted -witnesses, who is considered to be a trusted witness) for their own count -and as long as these are published along with the result, anyone can -verify the correctness of the count under those criteria, and potentially question the validity of this choice. Biased or partisan verifiers may be tempted to make extreme choices, but they will have to publish those choices and lose credibility. Reasonable verifiers on the other hand will try to find a good middle-ground that counts all legitimate protesters while being resistant to isolated malicious agents. - -% Then the verifier can define \[ -% \str[\prf_{\pid_j, P}] = \begin{cases} -% 1 & \text{if \(\exists \psh_i\in \prf_{\pid_j, P}\) that is such a proof -% share} \\ -% 0 & \text{otherwise} -% \end{cases} -% \] and sets \(\theta = 1\). diff --git a/paper/revision.tex b/paper/revision.tex index 8284730c..35a6afbf 100644 --- a/paper/revision.tex +++ b/paper/revision.tex @@ -41,7 +41,7 @@ %% Uncomment for final version % \renewcommand{\change}[3]{#1} -\renewcommand{\annote}[3]{} +% \renewcommand{\annote}[3]{} diff --git a/paper/security-analysis.tex b/paper/security-analysis.tex index 08a0af54..10d39d70 100644 --- a/paper/security-analysis.tex +++ b/paper/security-analysis.tex 
@@ -1,5 +1,10 @@ \section{Security and privacy analysis}% \label{SecurityAnalysis} +In this section, we treat the security and privacy of the proposed protocols. +We focus on the untrusted-witnesses case, since the trusted-witnesses case is +exactly the same except that some of the arguments are instead reduced to +trust. + \input{verifiability-analysis.tex} \input{privacy-analysis.tex} diff --git a/paper/system-model.tex b/paper/system-model.tex index 25c23c55..bf17916e 100644 --- a/paper/system-model.tex +++ b/paper/system-model.tex @@ -18,7 +18,8 @@ \subsection{System model and assumptions}% In practice, participants witness each other's participation using their smartphones (or similar devices) running the protocol described -in \cref{Protocol} and uploading their testimony (\ie, proof shares) +in \cref{untrusted-witnesses-protocol,trusted-witnesses-protocol} and uploading +their testimony (\ie, proof shares) to a ledger (such as a blockchain) after the protest. During the protest, the devices might be limited by their batteries and computations they can perform and only have local connectivity to each
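Review bot: the added protocol file (the `+` hunk ending just before the protocol.tex deletion) still carries draft annotations, `\sonja{but both do}` after the parenthetical on the witness's ledger commit and `\daniel{The following should be edited to fit.}` at the head of the counting paragraph, and with the `\annote` suppression commented out in revision.tex both will render; the parenthetical already ends with "so both submit it", so the `\sonja` note is moot and both markers should be resolved before merge. The prose and the figure in the same hunk also disagree on the committed data: the prose commits `\TSsubmit[\Hash[\cid, \pid, \wid, t_s, t_s', l]]` while both `\TSsubmit` lines in the submission subfigure hash `\Hash[\pid, \wid, t_s, t_s', l]` without `\cid`; the prose names the witness's proof `\corr_{\wid}` and stores `t_e'` in `\psh_W`, while the figure writes `\pi_{\wid}` and puts `t_e` in the witness's tuple; and the prose assigns the witness's commit to `t_e` although its tuple then uses `t_e'`. The figure caption calls the ledger `S` while the text uses `\TS`. Finally, the counting text says the verifier knows the proof was constructed in `\interval{t_s}{t_e}`, but four time-stamps exist per proof share; the interval should be `\interval{\max(t_s, t_s')}{\min(t_e, t_e')}`, matching the `max`/`min` construction the deleted protocol.tex used, and the repeated "as before"/"the same as before" should become `\cref` references to the section they mean, since the two protocol files are now separate.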
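Review bot: deleting protocol.tex removes material that no added line in this patch visibly carries over, and the new counting text only says the proof set "is constructed the same way as before": the explicit matching-pair procedure (building `s_j^{(i)}` from a pair `(s_P, s_W)`, verifying `\corr_i` and `\corr_j`, setting `t = \interval{\max(t_s, t_s')}{\min(t_c, t_c')}` and checking validity against `\cref{DefProofShare}`), the paragraph requiring trusted witnesses to declare which proof shares they signed together with its footnote on group or ring signatures for witness privacy, and the labels `Protocol`, `ProtocolSetup` and `ProtocolDuring`. Confirm that the procedure and the footnote reappear in protocol-trusted.tex or protocol-untrusted.tex, that no `\cref` to the three removed labels remains outside the system-model.tex change in this patch, and, since the added file reuses `\label{ProtocolVerification}`, that the other new protocol file does not define the same label a second time.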
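Review bot: commenting out `\renewcommand{\annote}[3]{}` in revision.tex turns margin annotations back on for the whole build, which is presumably how the `\sonja{}` and `\daniel{}` notes in the added protocol text become visible, and the line now sits under a `%% Uncomment for final version` comment that no longer describes it. If this is intended for the review round it should be reverted together with the annotations before the camera-ready; guarding both `\renewcommand` lines with a single final-version toggle would keep them from drifting apart as they do here.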
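Review bot: the paragraph added to security-analysis.tex says the trusted-witnesses case is "exactly the same except that some of the arguments are instead reduced to trust", which leaves the reader to guess which arguments and trust in whom; state per property which of verifiability and privacy carries over unchanged and which argument is replaced by trust in the trusted witnesses or in `\TS`. The deleted protocol.tex text shows the cases are not identical for privacy, since trusted witnesses must disclose which proof shares they signed (its footnote proposes ring or group signatures to limit that leak), so that difference belongs in this paragraph or in a forward reference to where the trusted case is analysed.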
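Review bot: the new `\cref{untrusted-witnesses-protocol,trusted-witnesses-protocol}` in system-model.tex references two labels that do not appear in any added line of this patch (the added protocol file shown here defines only `\label{ProtocolVerification}`), while the label it replaces, `Protocol`, is removed with protocol.tex; verify that both new labels are defined in protocol-trusted.tex and protocol-untrusted.tex and that no other file still references `Protocol`, otherwise the build will emit undefined-reference warnings and print `??` in the text.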