init

2025-10-25 03:54:21 -04:00
commit da9a2906c3
43 changed files with 19617 additions and 0 deletions
--- a/.latexrun.db
+++ b/.latexrun.db
--- a/.latexrun.db.lock
+++ b/.latexrun.db.lock
--- a/arydshln.sty
+++ b/arydshln.sty
--- a/breakurl.sty
+++ b/breakurl.sty
@@ -0,0 +1,314 @@
+%%
+%% This is file `breakurl.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% breakurl.dtx  (with options: `package')
+%% 
+%% This is a generated file.
+%% 
+%% Copyright (C) 2005 by Vilar Camara Neto.
+%% 
+%% This file may be distributed and/or modified under the
+%% conditions of the LaTeX Project Public License, either
+%% version 1.2 of this license or (at your option) any later
+%% version.  The latest version of this license is in:
+%% 
+%%     http://www.latex-project.org/lppl.txt
+%% 
+%% and version 1.2 or later is part of all distributions of
+%% LaTeX version 1999/12/01 or later.
+%% 
+%% Currently this work has the LPPL maintenance status "maintained".
+%% 
+%% The Current Maintainer of this work is Vilar Camara Neto.
+%% 
+%% This work consists of the files breakurl.dtx and
+%% breakurl.ins and the derived file breakurl.sty.
+%% 
+\NeedsTeXFormat{LaTeX2e}[1999/12/01]
+\ProvidesPackage{breakurl}
+    [2013/04/10 v1.40 Breakable hyperref URLs]
+
+
+\RequirePackage{xkeyval}
+\RequirePackage{ifpdf}
+
+\ifpdf
+  % Dummy package options
+  \DeclareOptionX{preserveurlmacro}{}
+  \DeclareOptionX{hyphenbreaks}{}
+  \DeclareOptionX{anythingbreaks}{}
+  \DeclareOptionX{vertfit}{}
+  \ProcessOptionsX\relax
+
+  \PackageWarning{breakurl}{%
+  You are using breakurl while processing via pdflatex.\MessageBreak
+  \string\burl\space will be just a synonym of \string\url.\MessageBreak}
+  \DeclareRobustCommand{\burl}{\url}
+  \DeclareRobustCommand*{\burlalt}{\hyper@normalise\burl@alt}
+  \def\burl@alt#1#2{\hyper@linkurl{\Hurl{#1}}{#2}}
+  \expandafter\endinput
+\fi
+
+\@ifpackageloaded{hyperref}{}{%
+  \PackageError{breakurl}{The breakurl depends on hyperref package}%
+  {I can't do anything. Please type X <return>, edit the source file%
+  \MessageBreak
+  and add \string\usepackage\string{hyperref\string} before
+  \string\usepackage\string{breakurl\string}.}
+  \endinput
+}
+
+\newif\if@preserveurlmacro\@preserveurlmacrofalse
+\newif\if@burl@fitstrut\@burl@fitstrutfalse
+\newif\if@burl@fitglobal\@burl@fitglobalfalse
+\newif\if@burl@anythingbreaks\@burl@anythingbreaksfalse
+
+\newtoks\burl@toks
+
+\let\burl@charlistbefore\empty
+\let\burl@charlistafter\empty
+
+\def\burl@addtocharlistbefore{\g@addto@macro\burl@charlistbefore}
+\def\burl@addtocharlistafter{\g@addto@macro\burl@charlistafter}
+
+\bgroup
+  \catcode`\&=12\relax
+  \hyper@normalise\burl@addtocharlistbefore{%}
+  \hyper@normalise\burl@addtocharlistafter{:/.?#&_,;!}
+\egroup
+
+\def\burl@growmif#1#2{%
+  \g@addto@macro\burl@mif{\def\burl@ttt{#1}\ifx\burl@ttt\@nextchar#2\else}%
+}
+\def\burl@growmfi{%
+  \g@addto@macro\burl@mfi{\fi}%
+}
+\def\burl@defifstructure{%
+  \let\burl@mif\empty
+  \let\burl@mfi\empty
+  \expandafter\@tfor\expandafter\@nextchar\expandafter:\expandafter=%
+    \burl@charlistbefore\do{%
+    \expandafter\burl@growmif\@nextchar\@burl@breakbeforetrue
+    \burl@growmfi
+  }%
+  \expandafter\@tfor\expandafter\@nextchar\expandafter:\expandafter=%
+    \burl@charlistafter\do{%
+    \expandafter\burl@growmif\@nextchar\@burl@breakaftertrue
+    \burl@growmfi
+  }%
+}
+
+\AtEndOfPackage{\burl@defifstructure}
+
+\def\burl@setvertfit#1{%
+  \lowercase{\def\burl@temp{#1}}%
+  \def\burl@opt{local}\ifx\burl@temp\burl@opt
+    \@burl@fitstrutfalse\@burl@fitglobalfalse
+  \else\def\burl@opt{strut}\ifx\burl@temp\burl@opt
+    \@burl@fitstruttrue\@burl@fitglobalfalse
+  \else\def\burl@opt{global}\ifx\burl@temp\burl@opt
+    \@burl@fitstrutfalse\@burl@fitglobaltrue
+  \else
+    \PackageWarning{breakurl}{Unrecognized vertfit option `\burl@temp'.%
+    \MessageBreak
+    Adopting default `local'}
+    \@burl@fitstrutfalse\@burl@fitglobalfalse
+  \fi\fi\fi
+}
+
+\DeclareOptionX{preserveurlmacro}{\@preserveurlmacrotrue}
+\DeclareOptionX{hyphenbreaks}{%
+  \bgroup
+    \catcode`\&=12\relax
+    \hyper@normalise\burl@addtocharlistafter{-}%
+  \egroup
+}
+\DeclareOptionX{anythingbreaks}{%
+  \@burl@anythingbreakstrue
+}
+\DeclareOptionX{vertfit}[local]{\burl@setvertfit{#1}}
+
+\ProcessOptionsX\relax
+
+\def\burl@hyper@linkurl#1#2{%
+  \begingroup
+    \hyper@chars
+    \burl@condpdflink{#1}%
+  \endgroup
+}
+
+\def\burl@condpdflink#1{%
+  \literalps@out{
+    /burl@bordercolor {\@urlbordercolor} def
+    /burl@border {\@pdfborder} def
+  }%
+  \if@burl@fitstrut
+    \sbox\pdf@box{#1\strut}%
+  \else\if@burl@fitglobal
+    \sbox\pdf@box{\burl@url}%
+  \else
+    \sbox\pdf@box{#1}%
+  \fi\fi
+  \dimen@\ht\pdf@box\dimen@ii\dp\pdf@box
+  \sbox\pdf@box{#1}%
+  \ifdim\dimen@ii=\z@
+    \literalps@out{BU.SS}%
+  \else
+    \lower\dimen@ii\hbox{\literalps@out{BU.SS}}%
+  \fi
+  \ifHy@breaklinks\unhbox\else\box\fi\pdf@box
+  \ifdim\dimen@=\z@
+    \literalps@out{BU.SE}%
+  \else
+    \raise\dimen@\hbox{\literalps@out{BU.SE}}%
+  \fi
+  \pdf@addtoksx{H.B}%
+}
+
+\DeclareRobustCommand*{\burl}{%
+  \leavevmode
+  \begingroup
+  \let\hyper@linkurl=\burl@hyper@linkurl
+  \catcode`\&=12\relax
+  \hyper@normalise\burl@
+}
+
+\DeclareRobustCommand*{\burlalt}{%
+  \begingroup
+  \let\hyper@linkurl=\burl@hyper@linkurl
+  \catcode`\&=12\relax
+  \hyper@normalise\burl@alt
+}
+
+\newif\if@burl@breakbefore
+\newif\if@burl@breakafter
+\newif\if@burl@prevbreakafter
+
+\bgroup
+\catcode`\&=12\relax
+\gdef\burl@#1{%
+  \def\burl@url{#1}%
+  \def\burl@urltext{#1}%
+  \burl@doit
+}
+
+\gdef\burl@alt#1{%
+  \def\burl@url{#1}%
+  \hyper@normalise\burl@@alt
+}
+\gdef\burl@@alt#1{%
+  \def\burl@urltext{#1}%
+  \burl@doit
+}
+
+\gdef\burl@doit{%
+  \burl@toks{}%
+  \let\burl@UrlRight\UrlRight
+  \let\UrlRight\empty
+  \@burl@prevbreakafterfalse
+  \@ifundefined{@urlcolor}{\Hy@colorlink\@linkcolor}{\Hy@colorlink\@urlcolor}%
+  \expandafter\@tfor\expandafter\@nextchar\expandafter:\expandafter=%
+    \burl@urltext\do{%
+    \if@burl@breakafter\@burl@prevbreakaftertrue
+      \else\@burl@prevbreakafterfalse\fi
+    \if@burl@anythingbreaks\@burl@breakbeforetrue\else\@burl@breakbeforefalse\fi
+    \@burl@breakafterfalse
+    \expandafter\burl@mif\burl@mfi
+    \if@burl@breakbefore
+      % Breakable if the current char is in the `can break before' list
+      \burl@flush\linebreak[0]%
+    \else
+      \if@burl@prevbreakafter
+        \if@burl@breakafter\else
+          % Breakable if the current char is not in any of the `can break'
+          % lists, but the previous is in the `can break after' list.
+          % This mechanism accounts for sequences of `break after' characters,
+          % where a break is allowed only after the last one
+          \burl@flush\linebreak[0]%
+        \fi
+      \fi
+    \fi
+    \expandafter\expandafter\expandafter\burl@toks
+      \expandafter\expandafter\expandafter{%
+      \expandafter\the\expandafter\burl@toks\@nextchar}%
+  }%
+  \let\UrlRight\burl@UrlRight
+  \burl@flush
+  \literalps@out{BU.E}%
+  \Hy@endcolorlink
+  \endgroup
+}
+\egroup
+
+\def\the@burl@toks{\the\burl@toks}
+
+\def\burl@flush{%
+  \expandafter\def\expandafter\burl@toks@def\expandafter{\the\burl@toks}%
+  \literalps@out{/BU.L (\burl@url) def}%
+  \hyper@linkurl{\expandafter\Hurl\expandafter{\burl@toks@def}}{\burl@url}%
+  \global\burl@toks{}%
+  \let\UrlLeft\empty
+}%
+
+\if@preserveurlmacro\else\let\url\burl\let\urlalt\burlalt\fi
+
+\AtBeginDvi{%
+  \headerps@out{%
+    /burl@stx null def
+    /BU.S {
+      /burl@stx null def
+    } def
+    /BU.SS {
+      currentpoint
+      /burl@lly exch def
+      /burl@llx exch def
+      burl@stx null ne {burl@endx burl@llx ne {BU.FL BU.S} if} if
+      burl@stx null eq {
+        burl@llx dup /burl@stx exch def /burl@endx exch def
+        burl@lly dup /burl@boty exch def /burl@topy exch def
+      } if
+      burl@lly burl@boty gt {/burl@boty burl@lly def} if
+    } def
+    /BU.SE {
+      currentpoint
+      /burl@ury exch def
+      dup /burl@urx exch def /burl@endx exch def
+      burl@ury burl@topy lt {/burl@topy burl@ury def} if
+    } def
+    /BU.E {
+      BU.FL
+    } def
+    /BU.FL {
+      burl@stx null ne {BU.DF} if
+    } def
+    /BU.DF {
+      BU.BB
+      [ /H /I /Border [burl@border] /Color [burl@bordercolor]
+      /Action << /Subtype /URI /URI BU.L >> /Subtype /Link BU.B /ANN pdfmark
+      /burl@stx null def
+    } def
+    /BU.BB {
+      burl@stx HyperBorder sub /burl@stx exch def
+      burl@endx HyperBorder add /burl@endx exch def
+      burl@boty HyperBorder add /burl@boty exch def
+      burl@topy HyperBorder sub /burl@topy exch def
+    } def
+    /BU.B {
+      /Rect[burl@stx burl@boty burl@endx burl@topy]
+    } def
+    /eop where {
+      begin
+      /@ldeopburl /eop load def
+      /eop { SDict begin BU.FL end @ldeopburl } def
+      end
+    } {
+      /eop { SDict begin BU.FL end } def
+    } ifelse
+  }%
+}
+\endinput
+%%
+%% End of file `breakurl.sty'.
--- a/diagrams/ake-server.tex
+++ b/diagrams/ake-server.tex
@@ -0,0 +1,120 @@
+\begin{figure}[h!]
+  \centering
+  %\footnotesize % Apply footnotesize to all text
+  \setmsckeyword{}
+  \drawframe{no}    % uncomment to not draw a frame
+  \begin{msc}[
+    /msc/title top distance=0cm,
+    /msc/first level height=.1cm,
+    /msc/last level height=0.7cm,  % Slightly reduced
+    /msc/head height=0cm,
+    /msc/instance width=0cm,
+    /msc/head top distance=0.5cm,
+    /msc/foot distance=-0.0cm,
+    /msc/instance width=0cm,
+  /msc/every label/.append style = {    % extra style for all labels
+    /tikz/fill       = white,           % paint a white rectangle
+    /tikz/draw       = none,            % no border
+    /tikz/inner sep  = 1pt              % a little padding
+  },
+    /msc/condition height=0.1cm,  % Reduced condition height
+    ]{}
+    %%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
+    \setlength{\instwidth}{0\mscunit} % to remove default box below agents 
+    \setlength{\instdist}{2.21cm}  % default value between agents
+
+    %%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
+    \declinst{A}{              % Alice
+      \begin{tabular}[c]{c}
+        Alice (Initiator) \\
+      \end{tabular}
+    }{}
+    \declinst{Server}{              % Alice
+      \begin{tabular}[c]{c}
+        Server \\
+      \end{tabular}
+    }{}
+    \declinst{B}{              % Bob
+      \begin{tabular}[c]{c}
+        Bob (Responder)
+      \end{tabular}
+    }{}
+
+
+
+    \nextlevel[0.25]
+
+
+\action*{
+  \footnotesize
+  \begin{tabular}{@{}l@{}}
+    \textsf{(pk\textsubscript{A}, sk\textsubscript{A}) = DH\_Gen()} \\
+    \textsf{(spk\textsubscript{A}, ssk\textsubscript{A}) = SignGen()} \\
+    \textsf{sig\_pk\textsubscript{A} = Sign(spk\textsubscript{A}, pk\textsubscript{A})}
+  \end{tabular}
+}{A}
+
+\action*{
+  \footnotesize
+  \begin{tabular}{@{}l@{}}
+    \textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
+    \textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
+    \textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
+  \end{tabular}
+}{B}
+
+    \nextlevel[3]
+
+  \condition{{{\footnotesize out-of-band verification of \textsf{spk\textsubscript{A}, spk\textsubscript{B}}}}}{B,A,Server}
+
+    %\nextlevel[2.5]
+    %\mess{\footnotesize\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}{A}{B}
+    \nextlevel[2.5]
+    \mess{\footnotesize\textsf{spk\textsubscript{B}, sig\_pk\textsubscript{B}, pk\textsubscript{B}}}{B}{Server}
+
+  \nextlevel[1.25]
+
+    \mess{\footnotesize Request pre-keys}{A}{Server}
+  \nextlevel[1.25]
+
+
+    \mess{\footnotesize\textsf{spk\textsubscript{B}, sig\_pk\textsubscript{B}, pk\textsubscript{B}}}{Server}{A}
+
+  \nextlevel[0.75]
+
+\action*{
+  \footnotesize
+  \begin{tabular}{@{}l@{}}
+    \textsf{if CheckSign(spk\textsubscript{B}, pk\textsubscript{B}, sig\_pk\textsubscript{B})} \\
+    \textsf{key = DH(sk\textsubscript{A}, pk\textsubscript{B})}
+  \end{tabular}
+}{A}
+
+  \nextlevel[3.15]
+
+  % \mess{\footnotesize\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}{A}{B}
+  % \mess{\footnotesize\raisebox{-0.5ex}\colorbox{white}{\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}}{A}{B}
+
+\mess{%
+  \smash{\raisebox{-0.05ex}{\makebox[0pt]{%
+    \colorbox{white}{\footnotesize\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}%
+  }}}
+}{A}{B}
+
+  \nextlevel[0.5]
+
+\action*{
+  \footnotesize
+  \begin{tabular}{@{}l@{}}
+    \textsf{if CheckSign(spk\textsubscript{A}, pk\textsubscript{A}, sig\_pk\textsubscript{A})} \\
+    \textsf{key = DH(sk\textsubscript{B}, pk\textsubscript{A})}
+  \end{tabular}
+}{B}
+
+  \nextlevel[1]
+
+   \end{msc}
+   \caption{An example workflow of asynchronous authenticated key exchange. Bob, the responder, uploads his pre-key material ({\footnotesize\textsf{spk\textsubscript{B}, sig\_pk\textsubscript{B}, pk\textsubscript{B}}}) to the server. Alice, the initiator, fetches Bob's key material from the central server at her leasure, and initiates the authenticated key exchange and \textsf{DH} key agreement}
+
+\end{figure}
+
--- a/diagrams/ake.tex
+++ b/diagrams/ake.tex
@@ -0,0 +1,85 @@
+\begin{figure}[h!]
+  \centering
+  %\footnotesize % Apply footnotesize to all text
+  \setmsckeyword{}
+  \drawframe{no}    % uncomment to not draw a frame
+  \begin{msc}[
+    /msc/title top distance=0cm,
+    /msc/first level height=.1cm,
+    /msc/last level height=0.7cm,  % Slightly reduced
+    /msc/head height=0cm,
+    /msc/instance width=0cm,
+    /msc/head top distance=0.5cm,
+    /msc/foot distance=-0.0cm,
+    /msc/instance width=0cm,
+    /msc/condition height=0.1cm  % Reduced condition height
+    ]{}
+    %%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
+    \setlength{\instwidth}{0\mscunit} % to remove default box below agents 
+    \setlength{\instdist}{4.5cm}  % default value between agents
+
+    %%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
+    \declinst{A}{              % Alice
+      \begin{tabular}[c]{c}
+        Alice \\
+      \end{tabular}
+    }{}
+    \declinst{B}{              % Bob
+      \begin{tabular}[c]{c}
+        Bob  
+      \end{tabular}
+    }{}
+
+    \nextlevel[0.25]
+
+
+\action*{
+  \footnotesize
+  \begin{tabular}{@{}l@{}}
+    \textsf{(pk\textsubscript{A}, sk\textsubscript{A}) = DH\_Gen()} \\
+    \textsf{(spk\textsubscript{A}, ssk\textsubscript{A}) = SignGen()} \\
+    \textsf{sig\_pk\textsubscript{A} = Sign(spk\textsubscript{A}, pk\textsubscript{A})}
+  \end{tabular}
+}{A}
+
+\action*{
+  \footnotesize
+  \begin{tabular}{@{}l@{}}
+    \textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
+    \textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
+    \textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
+  \end{tabular}
+}{B}
+
+    \nextlevel[3]
+
+  \condition{{{\footnotesize out-of-band verification of \textsf{spk\textsubscript{A}, spk\textsubscript{B}}}}}{B,A}
+
+    \nextlevel[2.5]
+    \mess{\footnotesize\textsf{spk\textsubscript{A}, sig\_pk\textsubscript{A}, pk\textsubscript{A}}}{A}{B}
+    \nextlevel[1.25]
+    \mess{\footnotesize\textsf{spk\textsubscript{B}, sig\_pk\textsubscript{B}, pk\textsubscript{B}}}{B}{A}
+
+  \nextlevel[0.75]
+
+\action*{
+  \footnotesize
+  \begin{tabular}{@{}l@{}}
+    \textsf{if CheckSign(spk\textsubscript{B}, pk\textsubscript{B}, sig\_pk\textsubscript{B})} \\
+    \textsf{key = DH(sk\textsubscript{A}, pk\textsubscript{B})}
+  \end{tabular}
+}{A}
+
+\action*{
+  \footnotesize
+  \begin{tabular}{@{}l@{}}
+    \textsf{if CheckSign(spk\textsubscript{A}, pk\textsubscript{A}, sig\_pk\textsubscript{A})} \\
+    \textsf{key = DH(sk\textsubscript{B}, pk\textsubscript{A})}
+  \end{tabular}
+}{B}
+
+  \nextlevel[1]
+
+   \end{msc}
+\end{figure}
+
--- a/diagrams/fail-cases.tex
+++ b/diagrams/fail-cases.tex
@@ -0,0 +1,30 @@
+\begin{table}[h]
+    \footnotesize
+    \centering
+    \begin{tabularx}{\columnwidth}{l!{\color{black!70}\vrule width 0.4pt\hspace{0.5em}}cccccc}
+    \toprule
+    \textbf{Compromise Scenario} & \textbf{P2} & \textbf{P3} & \textbf{P4} & \textbf{P5} & \textbf{P6} & \textbf{P7} \\
+    & \textit{Secr.} & \textit{Auth.} & \textit{Deni.} & \textit{PFS} & \textit{PCS} & \textit{S-Deni.} \\
+    \midrule
+    \multicolumn{7}{l}{\textit{Megolm}} \\
+    C1: Fan-out ratchet key & \ding{55} & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} \\
+    C2: Fan-out public signing key & \ding{51} & \ding{51} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    C3: Fan-out private signing key & \ding{51} & \ding{51}$^*$ & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    C4: Complete fan-out session & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    C5: P2P identity keys (mutual) & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} \\
+    C6: P2P chain key & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    C7: P2P pre-key + identity & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    \midrule
+    \multicolumn{7}{l}{\textit{Sender Keys}} \\
+    C1: Fan-out ratchet key & \ding{55} & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} \\
+    C2: Fan-out public signing key & \ding{51} & \ding{51} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    C3: Fan-out private signing key & \ding{51} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    C4: Complete fan-out session & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    C5: P2P identity keys (mutual) & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} & \ding{51} \\
+    C6: P2P chain key & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    C7: P2P pre-key + identity & \ding{55} & \ding{55} & \ding{55} & \ding{51} & \ding{51} & \ding{55} \\
+    \bottomrule
+    \end{tabularx}
+    \caption{Security property preservation under compromise scenarios. \ding{51} = property maintained, \ding{55} = property violated. $^*$Megolm maintains authentication in C3 due to MAC verification, unlike Sender Keys which relies solely on signatures. P2: Message Secrecy, P3: Authentication, P4: Deniability, P5: Perfect Forward Secrecy, P6: Post-Compromise Security, P7: Strong Deniability. ``P1: Reachability'' remains all true for all cases, and ``P2: Mutual Deniability'' remains false for all cases, thus both properties are not included in the table.}
+    \label{tab:failure-comparison}
+\end{table}
--- a/diagrams/megolm.tex
+++ b/diagrams/megolm.tex
@@ -0,0 +1,331 @@
+\newcommand{\ts}[1]{\textsubscript{#1}}
+% \newcommand{\sf}[1]{\textsf{#1}}
+
+\begin{figure*}[h!]
+  \centering
+  %\footnotesize % Apply footnotesize to all text
+  \setmsckeyword{}
+  \drawframe{no}    % uncomment to not draw a frame
+  \begin{msc}[
+    /msc/title top distance=0cm,
+    /msc/first level height=.1cm,
+    /msc/last level height=0.7cm,  % Slightly reduced
+    /msc/head height=0cm,
+    /msc/instance width=0cm,
+    /msc/head top distance=0.5cm,
+    /msc/foot distance=-0.0cm,
+    /msc/instance width=0cm,
+  /msc/every label/.append style = {    % extra style for all labels
+    /tikz/fill       = white,           % paint a white rectangle
+    /tikz/draw       = none,            % no border
+    /tikz/inner sep  = 1pt              % a little padding
+  },
+    /msc/condition height=0.1cm,  % Reduced condition height
+    ]{}
+    %%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
+    \setlength{\instwidth}{0\mscunit} % to remove default box below agents 
+    \setlength{\instdist}{6cm}  % default value between agents
+
+    %%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
+    \declinst{A}{              % Alice
+      \begin{tabular}[c]{c}
+        Alice (Initiator) \\
+      \end{tabular}
+    }{}
+    \declinst{Server}{              % Alice
+      \begin{tabular}[c]{c}
+        Server \\
+      \end{tabular}
+    }{}
+    \declinst{B}{              % Bob
+      \begin{tabular}[c]{c}
+        Bob (Responder)
+      \end{tabular}
+    }{}
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}}
+        \text{// Begin P2P-layer operations} \\
+        \textsf{(opk\ts{A}, osk\ts{A}) = X25519\_Gen()} \\
+        \textsf{eph\_pk\ts{A}, eph\_sk\ts{A} = X25519\_Gen()} \\
+        \textsf{sig\_eph\_pk\ts{A} = Sign(opk\ts{A}, eph\_pk\ts{A})} \\
+      \end{tabular}
+    }{A}
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}} 
+        \textsf{(opk\ts{B}, osk\ts{B}) = X25519\_Gen()} \\
+        \textsf{eph\_pk\ts{B}, eph\_sk\ts{B} = X25519\_Gen()} \\
+        \textsf{sig\_eph\_pk\ts{B} = Sign(opk\ts{B}, eph\_pk\ts{B})} \\
+      \end{tabular}
+    }{B}
+
+    % \action*{
+      % \footnotesize
+      % \begin{tabular}{@{}l@{}} 
+        % \textsf{(opk\textsubscript{A}, osk\textsubscript{A}) = X25519\_Gen()} \\
+      % \end{tabular}
+    % }{B}
+
+
+    \nextlevel[4.4]
+
+
+    \condition{{{\footnotesize out-of-band mutual verification of \textsf{opk\textsubscript{A}, opk\textsubscript{B}}}}}{B,A,Server}
+
+    \nextlevel[2.3]
+
+    \mess{
+      \footnotesize
+      \textsf{
+        opk\ts{B}, sig\_eph\_pk\ts{B}
+      }
+    }{B}{Server}
+
+    \nextlevel[1]
+
+    \mess{
+      \footnotesize
+        Alice requests Bob's pre-keys
+    }{A}{Server}
+
+    \nextlevel[1.5]
+
+    \mess{
+      \footnotesize
+      \textsf{
+        opk\ts{B}, eph\_pk\ts{B}, sig\_eph\_pk\ts{B}
+      }
+    }{Server}{A}
+
+    \nextlevel[1]
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}} 
+        \textsf{If CheckSign(opk\ts{B}, eph\_pk\ts{B}, sig\_eph\_pk\ts{B}):} \\
+        \textsf{key1 = DH(osk\ts{A}, opk\ts{B})} \\ 
+        \textsf{key2 = DH(eph\_sk\ts{A}, eph\_pk\ts{B})} \\
+        \textsf{key3 = DH(eph\_sk\ts{A}, opk\ts{B})} \\
+        \textsf{master\ts{A} = Concat(key1, key2, key3)} \\
+        \textsf{r1\ts{A}, c1\ts{A} = HKDF(master\ts{A})} \\
+        \textsf{(t1\_pk\ts{A}, t1\_sk\ts{A}) = DH\_Gen()} \\
+      \end{tabular}
+    }{A}
+
+    \nextlevel[6.5]
+
+    \mess{
+      \footnotesize
+      \textsf{
+        opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}
+      }
+    }{A}{Server}
+
+    \mess{
+      \footnotesize
+      \textsf{
+        opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}
+      }
+    }{Server}{B}
+
+    \nextlevel[1]
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}}
+        \text{// Begin fan-out layer operations} \\
+        % \textit{generates} \textsf{m1}, \textsf{symkey\ts{A0}} \\
+        \textit{generates} \textsf{symkey\ts{A0}} \\
+        \textsf{ssk\_pk\ts{A}, ssk\_sk\ts{A} = SignGen()} \\
+        \textsf{session\ts{A} = Encrypt(r1\ts{A}, Concat(ssk\_pk\ts{A}, symkey\ts{A0}))} \\ 
+        \textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
+        % \textsf{symkey\textsubscript{A1}} $\leftarrow$  \textsf{
+        % Hash(symkey\textsubscript{A0})
+        % }\\
+        % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+        % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)} 
+      \end{tabular}
+    }{A}
+
+
+
+
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}} 
+        \textsf{If CheckSign(opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}):} \\
+        \textsf{key1 = DH(osk\ts{B}, opk\ts{A})} \\ 
+        \textsf{key2 = DH(eph\_sk\ts{B}, eph\_pk\ts{A})} \\
+        \textsf{key3 = DH(eph\_sk\ts{B}, opk\ts{A})} \\
+        \textsf{master\ts{B} = Concat(key1, key2, key3)} \\
+        \textsf{r1\ts{B}, c1\ts{B} = HKDF(master\ts{B})} \\
+        \textsf{(t1\_pk\ts{B}, t1\_sk\ts{B}) = DH\_Gen()} \\
+      \end{tabular}
+    }{B}
+
+    \nextlevel[6.5]
+
+    \mess{
+      \footnotesize
+      \textsf{
+        session\ts{A}, session\_mac\ts{A}
+      }
+    }{A}{Server}
+
+
+    \mess{
+      \footnotesize
+      \textsf{
+        session\ts{A}, session\_mac\ts{A}
+      }
+    }{Server}{B}
+
+    \nextlevel[1]
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}}
+        \textsf{if CheckMac(r1\ts{B}, session\ts{A}, session\_mac\ts{A}):} \\
+        \textsf{ssk\_pk\ts{A}, symkey\ts{A0} = Decrypt(r1\ts{A}, session\ts{A})} \\ 
+        % \textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
+        % \textsf{symkey\textsubscript{A1}} $\leftarrow$  \textsf{
+        % Hash(symkey\textsubscript{A0})
+        % }\\
+        % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+        % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)} 
+      \end{tabular}
+    }{B}
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}}
+        \textit{generates} \textsf{m1} \\
+        % \textit{generates} \textsf{symkey\ts{A0}} \\
+        % \textsf{ssk\_pk\ts{A}, ssk\_sk\ts{A} = SignGen()} \\
+        % \textsf{session\ts{A} = Encrypt(r1\ts{A}, Concat(ssk\_pk\ts{A}, symkey\ts{A0}))} \\ 
+        % \textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
+        \textsf{symkey\textsubscript{A1}} $\leftarrow$  \textsf{
+        Hash(symkey\textsubscript{A0})
+        }\\
+        \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+        \textsf{x1\_sig = Sign(ssk\_sk\ts{A}, x1)} 
+      \end{tabular}
+    }{A}
+
+    \nextlevel[4]
+
+    \mess{
+      \footnotesize
+      \textsf{
+        x1, x1\_sig
+      }
+    }{A}{Server}
+
+
+
+    \mess{
+      \footnotesize
+      server-side fan-out:
+      \textsf{
+        x1, x1\_sig
+      }
+    }{Server}{B}
+    
+    \nextlevel[1]
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}}
+        \textsf{if CheckSign(ssk\_pk\ts{A}, x1, x1\_sig):} \\
+        \textsf{symkey\textsubscript{A1}} $\leftarrow$  \textsf{
+        Hash(symkey\textsubscript{A0})
+        }\\
+        \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} \\
+      \end{tabular}
+    }{B}
+
+
+    \nextlevel[2]
+
+
+
+    % \condition{{\footnotesize Secure channel establishment via AKE}}{B,A}
+
+    % \nextlevel[2.25]
+
+    % \mess{
+      % \footnotesize
+      % \textsf{
+        % pk\textsubscript{A}, symkey\textsubscript{A0}
+      % }
+    % }{A}{B}
+
+    % \nextlevel[0.6]
+
+    % \action*{
+      % \footnotesize
+      % \begin{tabular}{@{}l@{}}
+        % \textit{generates} \textsf{m1} \\
+        % \textsf{symkey\textsubscript{A1}} $\leftarrow$  \textsf{
+        % Hash(symkey\textsubscript{A0})
+        % }\\
+        % % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+        % % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)} 
+      % \end{tabular}
+    % }{A}
+
+    % \nextlevel[4.4]
+
+    % \mess{
+      % \footnotesize
+      % (server-side fan-out)
+      % \textsf{
+        % x1, x1\_sig
+      % }
+    % }{A}{B}
+
+    % \nextlevel[0.6]
+
+    % \action*{
+      % \footnotesize
+      % \begin{tabular}{@{}l@{}}
+% \textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
+        % \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
+        % \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} 
+        % % \textit{generates} \textsf{m1} \\
+        % % \textsf{symkey\textsubscript{A1}} $\leftarrow$  \textsf{
+        % % Hash(symkey\textsubscript{A0})
+        % % }\\
+        % % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+        % % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)} 
+      % \end{tabular}
+    % }{B}
+
+    % \action*{
+      % \footnotesize
+      % \begin{tabular}{@{}l@{}}
+
+        % \textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
+        % \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
+        % \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} \\
+        % % \textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
+        % % \textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
+        % % \textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
+      % \end{tabular}
+    % }{B}
+
+
+
+   \end{msc}
+
+   \caption{
+     An example instantiation of the nested ratchet protocol using 3DH as the pairwise ratcheting channel. In this example, Alice, the initiator, asynchronously establishes a shared secret with Bob, the responder, via 3DH. Alice then transmits her fan-out layer session, including her ratchet key \textsf{symkey\ts{A0}} and session public key \textsf{ssk\_pk\ts{A}}, using the established secure 3DH channel. Alice follows this by sending Bob her first message, encrypted and signed using her session, and fanned out by the server to all receivers, including Bob. We note the above handshake may be equivalently condensed into just a 3-way handshake; however, for the sake of example, we make explicit the transmission of the 3DH material, session material, and message material. Specified notation for cryptographic primitives, as well as their respective descriptions, are elaborated upon in Table \ref{tab:symbols}. 
+   }
+   \label{fig:megolm}
+
+\end{figure*}
+ 
--- a/diagrams/related.tex
+++ b/diagrams/related.tex
@@ -0,0 +1,25 @@
+\newcommand{\extindent}{~\extension}
+\begin{table*}[ht!]
+  \scriptsize
+  \centering
+  \rowcolors{2}{gray!10}{white}
+  \setlength{\tabcolsep}{1pt}      
+  \begin{tabular}{L{2.0cm} X{0.4cm} | C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm} C{1.5cm}}
+    \multicolumn{2}{c|}{Work} & Megolm & Sender Keys & Secrecy & Auth & PCS & PFS & Deniability & Symbolic & Computational & Mechanized
+    \\
+    \hline
+    %\hhline{==|======}
+    $\text{Balbas et al.}$ & \cite{Balbas_SK} & \emptyc & \fullc & \fullc & \fullc & \fullc & \fullc & \emptyc & \emptyc & \fullc & \emptyc \\
+    %
+    $\text{Albrecht et al. 2023}$ & \cite{Albrecht_Dowling_Jones} & \fullc & \emptyc & \fullc & \fullc & \emptyc & \emptyc & \emptyc & \emptyc & \fullc & \emptyc \\
+    %
+    $\text{Albrecht et al. 2025}$ & \cite{Albrecht_2025} & \emptyc & \fullc & \fullc & \fullc & \fullc & \fullc & \emptyc & \emptyc & \fullc & \emptyc \\
+    %
+    $\text{Ours}$ & & \fullc & \fullc & \fullc & \fullc & \fullc & \fullc & \fullc & \fullc & \emptyc & \fullc \\
+  \end{tabular}\smallskip
+ 
+  \caption{Overview of related works that study nested ratchet protocols, 
+    including Megolm (underpinning Matrix) and Sender Keys (underpinning WhatsApp). We include a comparison with our own work.}
+  \label{tab:symbolic-tools}
+\end{table*}
+
--- a/diagrams/session-trans.tex
+++ b/diagrams/session-trans.tex
@@ -0,0 +1,126 @@
+\begin{figure}[h!]
+  \centering
+  %\footnotesize % Apply footnotesize to all text
+  \setmsckeyword{}
+  \drawframe{no}    % uncomment to not draw a frame
+  \begin{msc}[
+    /msc/title top distance=0cm,
+    /msc/first level height=.1cm,
+    /msc/last level height=0.7cm,  % Slightly reduced
+    /msc/head height=0cm,
+    /msc/instance width=0cm,
+    /msc/head top distance=0.5cm,
+    /msc/foot distance=-0.0cm,
+    /msc/instance width=0cm,
+  /msc/every label/.append style = {    % extra style for all labels
+    /tikz/fill       = white,           % paint a white rectangle
+    /tikz/draw       = none,            % no border
+    /tikz/inner sep  = 1pt              % a little padding
+  },
+    /msc/condition height=0.1cm,  % Reduced condition height
+    ]{}
+    %%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
+    \setlength{\instwidth}{0\mscunit} % to remove default box below agents 
+    \setlength{\instdist}{4cm}  % default value between agents
+
+    %%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
+    \declinst{A}{              % Alice
+      \begin{tabular}[c]{c}
+        Alice \\
+      \end{tabular}
+    }{}
+    % \declinst{Server}{              % Alice
+      % \begin{tabular}[c]{c}
+        % Server \\
+      % \end{tabular}
+    % }{}
+    \declinst{B}{              % Bob
+      \begin{tabular}[c]{c}
+        Bob
+      \end{tabular}
+    }{}
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}} 
+        \textit{generates} \textsf{symkey\textsubscript{A0}} \\
+        \textsf{(pk\textsubscript{A}, sk\textsubscript{A}) = DH\_Gen()} 
+      \end{tabular}
+    }{A}
+
+    \nextlevel[2.3]
+
+    \condition{{\footnotesize Secure channel establishment via AKE}}{B,A}
+
+    \nextlevel[2.25]
+
+    \mess{
+      \footnotesize
+      \textsf{
+        pk\textsubscript{A}, symkey\textsubscript{A0}
+      }
+    }{A}{B}
+
+    \nextlevel[0.6]
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}}
+        \textit{generates} \textsf{m1} \\
+        \textsf{symkey\textsubscript{A1}} $\leftarrow$  \textsf{
+        Hash(symkey\textsubscript{A0})
+        }\\
+        \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+        \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)} 
+      \end{tabular}
+    }{A}
+
+    \nextlevel[4.4]
+
+    \mess{
+      \footnotesize
+      (server-side fan-out)
+      \textsf{
+        x1, x1\_sig
+      }
+    }{A}{B}
+
+    \nextlevel[0.6]
+
+    \action*{
+      \footnotesize
+      \begin{tabular}{@{}l@{}}
+\textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
+        \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
+        \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} 
+        % \textit{generates} \textsf{m1} \\
+        % \textsf{symkey\textsubscript{A1}} $\leftarrow$  \textsf{
+        % Hash(symkey\textsubscript{A0})
+        % }\\
+        % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
+        % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)} 
+      \end{tabular}
+    }{B}
+
+    % \action*{
+      % \footnotesize
+      % \begin{tabular}{@{}l@{}}
+
+        % \textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
+        % \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
+        % \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} \\
+        % % \textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
+        % % \textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
+        % % \textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
+      % \end{tabular}
+    % }{B}
+
+
+
+   \end{msc}
+
+   \caption{An example workflow of session transmission from Alice to Bob. Alice transmits her session information, including her session's symmetric key {\footnotesize\textsf{symkey\textsubscript{A0}}} and public signing key {\footnotesize\textsf{pk\textsubscript{A}}}. Alice generates a new message {\footnotesize\textsf{m1}}, hashes her session's symmetric key and uses it to encrypt {\footnotesize\textsf{m1}}, signs the ciphertext with {\footnotesize\textsf{sk\textsubscript{A}}}, then sends the ciphertext and signature to the server for server-side fan-out. The recipient, Bob, checks the signature, hashes his copy of the symmetric key, and decrypts.
+   }
+
+\end{figure}
+
--- a/enumitem.sty
+++ b/enumitem.sty
--- a/environ.sty
+++ b/environ.sty
--- a/filecontents.sty
+++ b/filecontents.sty
@@ -0,0 +1,109 @@
+
+%%
+%% This is file `filecontents.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% filecontents.dtx  (with options: `package')
+%% 
+%% This is a generated file.
+%% 
+%% Copyright (C) 2011-2023 Scott Pakin <scott+fc@pakin.org>
+%% --------------------------------------------------------
+%% 
+%% This package may be distributed and/or modified under the conditions
+%% of the LaTeX Project Public License, either version 1.3c of this
+%% license or (at your option) any later version.  The latest version of
+%% this license is in
+%% 
+%%    http://www.latex-project.org/lppl.txt
+%% 
+%% and version 1.3c or later is part of all distributions of LaTeX
+%% version 2008/05/04 or later.
+%% 
+\NeedsTeXFormat{LaTeX2e}[1999/12/01]
+\ProvidesPackage{filecontents}
+    [2023/04/02 v1.5a Create an external file from within a LaTeX document]
+\begingroup%
+\catcode`\*=11 %
+\catcode`\^^M\active%
+\catcode`\^^L\active\let^^L\relax%
+\catcode`\^^I\active%
+\gdef\filec@ntents@old@kernel#1{%
+  \openin\@inputcheck#1 %
+  \ifeof\@inputcheck%
+    \@latex@warning@no@line%
+        {Writing file `\@currdir#1'}%
+  \else %
+    \@latex@warning@no@line%
+        {Overwriting file `\@currdir#1'}%
+  \fi %
+  \closein\@inputcheck %
+  \chardef\reserved@c15 %
+  \ch@ck7\reserved@c\write%
+  \immediate\openout\reserved@c#1\relax%
+  \if@tempswa%
+    \immediate\write\reserved@c{%
+      \@percentchar\@percentchar\space%
+          \expandafter\@gobble\string\LaTeX2e file `#1'^^J%
+      \@percentchar\@percentchar\space  generated by the %
+        `\@currenvir' \expandafter\@gobblefour\string\newenvironment^^J%
+      \@percentchar\@percentchar\space from source `\jobname' on %
+         \number\year/\two@digits\month/\two@digits\day.^^J%
+      \@percentchar\@percentchar}%
+  \fi%
+  \let\do\@makeother\dospecials%
+  \count0=128\relax %
+  \loop %
+    \catcode\count0=11\relax %
+    \advance\count0 by 1\relax %
+    \ifnum\count0<256 %
+  \repeat %
+  \edef\E{\@backslashchar end\string{\@currenvir\string}}%
+  \edef\reserved@b{%
+    \def\noexpand\reserved@b%
+         ####1\E####2\E####3\relax}%
+  \reserved@b{%
+    \ifx\relax##3\relax%
+      \immediate\write\reserved@c{##1}%
+    \else%
+      \edef^^M{\noexpand\end{\@currenvir}}%
+      \ifx\relax##1\relax%
+      \else%
+          \@latex@warning{Writing text `##1' before %
+             \string\end{\@currenvir}\MessageBreak as last line of #1}%
+        \immediate\write\reserved@c{##1}%
+      \fi%
+      \ifx\relax##2\relax%
+      \else%
+         \@latex@warning{%
+           Ignoring text `##2' after \string\end{\@currenvir}}%
+      \fi%
+    \fi%
+    ^^M}%
+  \catcode`\^^L\active%
+  \let\L\@undefined%
+  \def^^L{\expandafter\ifx\csname L\endcsname\relax\fi ^^J^^J}%
+  \catcode`\^^I\active%
+  \let\I\@undefined%
+  \def^^I{\expandafter\ifx\csname I\endcsname\relax\fi\space}%
+  \catcode`\^^M\active%
+  \edef^^M##1^^M{%
+    \noexpand\reserved@b##1\E\E\relax}}%
+\endgroup
+\def\fc@no@preamblecmds#1\do\filecontents#2\do\filec@ntents#3\relax{%
+  \gdef\@preamblecmds{#1#3}}
+\@ifundefined{filec@ntents@opt}{%
+  \let\filec@ntents=\filec@ntents@old@kernel
+  \expandafter\fc@no@preamblecmds\@preamblecmds\relax
+}{%
+  \PackageWarningNoLine{filecontents}{%
+    This package is obsolete.  Disabling it and\MessageBreak
+    passing control to the filecontents environment\MessageBreak
+    defined by the LaTeX kernel%
+  }%
+}
+\endinput
+%%
+%% End of file `filecontents.sty'.
--- a/main.aux
+++ b/main.aux
@@ -0,0 +1,229 @@
+\relax 
+\providecommand\hyper@newdestlabel[2]{}
+\providecommand\HyField@AuxAddToFields[1]{}
+\providecommand\HyField@AuxAddToCoFields[2]{}
+\citation{rfc8446}
+\citation{rfc9369}
+\citation{Donenfeld_2017}
+\citation{openvpn}
+\citation{Dingledine_Mathewson_Syverson_2004}
+\citation{Marlinspike_Perrin_X3DH}
+\citation{Moxie_DoubleRatchet}
+\citation{Moxie_Sesame}
+\citation{Kret_Schmidt_PQXDH}
+\citation{Bhargavan_PQXDH,cremers_signal,alwen_doubleratchet,VatandasDeny,bhargavan_dy}
+\citation{rfc9420}
+\citation{Wallez_TreeSync,Wallez_TreeKEM}
+\citation{WhatsAppSecurity2024}
+\citation{MetaMessengerE2EE2023}
+\citation{SignalSenderKeysRust}
+\citation{Jefferys2020SessionProtocol}
+\citation{Albrecht_Dowling_Jones}
+\@LN@col{1}
+\@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{1}{section.1}\protected@file@percent }
+\@LN@col{2}
+\citation{Balbas_SK}
+\citation{Albrecht_Dowling_Jones}
+\citation{matrixorg_megolm_doc}
+\citation{VatandasDeny,FiedlerPQXDHdeny}
+\citation{SoK_CAC}
+\citation{Balbas_SK,Albrecht_Dowling_Jones}
+\citation{Blanchet_2016}
+\citation{Balbas_SK}
+\citation{Albrecht_Dowling_Jones}
+\citation{Albrecht_2025}
+\@LN@col{1}
+\@LN@col{2}
+\citation{Balbas_SK}
+\citation{Albrecht_Dowling_Jones}
+\citation{Albrecht_2025}
+\citation{Blanchet_2012}
+\citation{Kobeissi_Bhargavan_Blanchet_2017,Bhargavan_PQXDH}
+\citation{rfc9420}
+\citation{Alwen_Coretti_Jost_Mularczyk_2020}
+\citation{rfc9420}
+\citation{Wallez_TreeKEM}
+\citation{Wallez_TreeSync}
+\citation{VatandasDeny}
+\citation{VatandasDeny}
+\citation{Celi_Hoyland_Stebila_Wiggers_2022}
+\citation{Lafourcade_Mahmoud_Ruhault_Taleb}
+\citation{Basin_Cremers_Dreier_Sasse_2022}
+\citation{ProverifManual}
+\citation{Lafourcade_Mahmoud_Ruhault_Taleb}
+\@writefile{lot}{\contentsline {table}{\numberline {1}{\ignorespaces Overview of related works that study nested ratchet protocols, including Megolm (underpinning Matrix) and Sender Keys (underpinning WhatsApp). We include a comparison with our own work.}}{3}{table.caption.1}\protected@file@percent }
+\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
+\newlabel{tab:symbolic-tools}{{1}{3}{Overview of related works that study nested ratchet protocols, including Megolm (underpinning Matrix) and Sender Keys (underpinning WhatsApp). We include a comparison with our own work}{table.caption.1}{}}
+\@LN@col{1}
+\@writefile{toc}{\contentsline {section}{\numberline {2}Related Works}{3}{section.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Computational Analysis}{3}{subsection.2.1}\protected@file@percent }
+\newlabel{sec:section label}{{2.1}{3}{Computational Analysis}{subsection.2.1}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Messaging Layer Security}{3}{subsection.2.2}\protected@file@percent }
+\newlabel{sec:section label}{{2.2}{3}{Messaging Layer Security}{subsection.2.2}{}}
+\@LN@col{2}
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}Mechanized Deniability}{3}{subsection.2.3}\protected@file@percent }
+\newlabel{sec:section label}{{2.3}{3}{Mechanized Deniability}{subsection.2.3}{}}
+\@writefile{toc}{\contentsline {section}{\numberline {3}The Nested Ratchet Protocol}{3}{section.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Cryptographic Building Blocks}{3}{subsection.3.1}\protected@file@percent }
+\newlabel{sec:section label}{{3.1}{3}{Cryptographic Building Blocks}{subsection.3.1}{}}
+\citation{rfc5869}
+\citation{auth}
+\citation{matrixorg_olm_repo}
+\citation{Marlinspike_Perrin_X3DH}
+\citation{Kret_Schmidt_PQXDH}
+\citation{Moxie_DoubleRatchet}
+\@LN@col{1}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Handshakes}{4}{subsection.3.2}\protected@file@percent }
+\newlabel{sec:section label}{{3.2}{4}{Handshakes}{subsection.3.2}{}}
+\@LN@col{2}
+\@writefile{lot}{\contentsline {table}{\numberline {2}{\ignorespaces Notation for employed Cryptographic primitives.}}{4}{table.caption.2}\protected@file@percent }
+\newlabel{tab:symbols}{{2}{4}{Notation for employed Cryptographic primitives}{table.caption.2}{}}
+\@LN@col{1}
+\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces An example workflow of asynchronous authenticated key exchange. Bob, the responder, uploads his pre-key material ({\footnotesize  \textsf  {spk\textsubscript  {B}, sig\_pk\textsubscript  {B}, pk\textsubscript  {B}}}) to the server. Alice, the initiator, fetches Bob's key material from the central server at her leasure, and initiates the authenticated key exchange and \textsf  {DH} key agreement}}{5}{figure.caption.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Signal, Olm, and the Double Ratchet}{5}{subsection.3.3}\protected@file@percent }
+\newlabel{sec:section label}{{3.3}{5}{Signal, Olm, and the Double Ratchet}{subsection.3.3}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Session Sharing \& Server-Side Fan-Out}{5}{subsection.3.4}\protected@file@percent }
+\newlabel{sec:section label}{{3.4}{5}{Session Sharing \& Server-Side Fan-Out}{subsection.3.4}{}}
+\@LN@col{2}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.5}Nested Ratchet Protocol Definition}{5}{subsection.3.5}\protected@file@percent }
+\newlabel{sec:section label}{{3.5}{5}{Nested Ratchet Protocol Definition}{subsection.3.5}{}}
+\citation{Chase_Perrin_Zaverucha_2020}
+\citation{SignalSenderKeysRust}
+\citation{WhatsAppSecurity2024}
+\citation{matrixorg_megolm_doc}
+\citation{MetaMessengerE2EE2023}
+\citation{Jefferys2020SessionProtocol}
+\citation{Chase_Perrin_Zaverucha_2020}
+\citation{Balbas_SK}
+\citation{mcmillion2025keytransparencyarchitecture}
+\citation{matrixorg_megolm_doc}
+\citation{Blanchet_2012,Blanchet_2016}
+\citation{Dolev_1983}
+\citation{ProverifManual}
+\@LN@col{1}
+\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces An example workflow of session transmission from Alice to Bob. Alice transmits her session information, including her session's symmetric key {\footnotesize  \textsf  {symkey\textsubscript  {A0}}} and public signing key {\footnotesize  \textsf  {pk\textsubscript  {A}}}. Alice generates a new message {\footnotesize  \textsf  {m1}}, hashes her session's symmetric key and uses it to encrypt {\footnotesize  \textsf  {m1}}, signs the ciphertext with {\footnotesize  \textsf  {sk\textsubscript  {A}}}, then sends the ciphertext and signature to the server for server-side fan-out. The recipient, Bob, checks the signature, hashes his copy of the symmetric key, and decrypts. }}{6}{figure.caption.4}\protected@file@percent }
+\@LN@col{2}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.6}Real World Instantiations of the Nested Ratchet Protocol}{6}{subsection.3.6}\protected@file@percent }
+\newlabel{sec:section label}{{3.6}{6}{Real World Instantiations of the Nested Ratchet Protocol}{subsection.3.6}{}}
+\@writefile{toc}{\contentsline {section}{\numberline {4}Formal Modeling}{6}{section.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Modeling Strategy}{6}{subsection.4.1}\protected@file@percent }
+\newlabel{sec:section label}{{4.1}{6}{Modeling Strategy}{subsection.4.1}{}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces  An example instantiation of the nested ratchet protocol using 3DH as the pairwise ratcheting channel. In this example, Alice, the initiator, asynchronously establishes a shared secret with Bob, the responder, via 3DH. Alice then transmits her fan-out layer session, including her ratchet key \textsf  {symkey\textsubscript  {A0}} and session public key \textsf  {ssk\_pk\textsubscript  {A}}, using the established secure 3DH channel. Alice follows this by sending Bob her first message, encrypted and signed using her session, and fanned out by the server to all receivers, including Bob. We note the above handshake may be equivalently condensed into just a 3-way handshake; however, for the sake of example, we make explicit the transmission of the 3DH material, session material, and message material. Specified notation for cryptographic primitives, as well as their respective descriptions, are elaborated upon in Table \ref {tab:symbols}. }}{7}{figure.caption.5}\protected@file@percent }
+\newlabel{fig:megolm}{{3}{7}{An example instantiation of the nested ratchet protocol using 3DH as the pairwise ratcheting channel. In this example, Alice, the initiator, asynchronously establishes a shared secret with Bob, the responder, via 3DH. Alice then transmits her fan-out layer session, including her ratchet key \textsf {symkey\ts {A0}} and session public key \textsf {ssk\_pk\ts {A}}, using the established secure 3DH channel. Alice follows this by sending Bob her first message, encrypted and signed using her session, and fanned out by the server to all receivers, including Bob. We note the above handshake may be equivalently condensed into just a 3-way handshake; however, for the sake of example, we make explicit the transmission of the 3DH material, session material, and message material. Specified notation for cryptographic primitives, as well as their respective descriptions, are elaborated upon in Table \ref {tab:symbols}}{figure.caption.5}{}}
+\@LN@col{1}
+\@LN@col{2}
+\citation{Celi_Hoyland_Stebila_Wiggers_2022,Lafourcade_Mahmoud_Ruhault_Taleb}
+\@writefile{lot}{\contentsline {table}{\numberline {3}{\ignorespaces Comparison of Nested Ratchet Protocol Implementations}}{8}{table.caption.6}\protected@file@percent }
+\newlabel{tab:crypto-summary}{{3}{8}{Comparison of Nested Ratchet Protocol Implementations}{table.caption.6}{}}
+\@LN@col{1}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Claimed Security Properties}{8}{subsection.4.2}\protected@file@percent }
+\newlabel{sec:section label}{{4.2}{8}{Claimed Security Properties}{subsection.4.2}{}}
+\@LN@col{2}
+\citation{Unger_Goldberg_2018}
+\citation{VatandasDeny,Collins_Colombo_Huguenin-Dumittan_2025}
+\@LN@col{1}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Additional Security Properties}{9}{subsection.4.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {5}Analysis of the Nested Ratchet Protocol}{9}{section.5}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Sub-Protocol Properties}{9}{subsection.5.1}\protected@file@percent }
+\newlabel{sec:section label}{{5.1}{9}{Sub-Protocol Properties}{subsection.5.1}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Symbolic Analysis Results}{9}{subsection.5.2}\protected@file@percent }
+\newlabel{sec:section label}{{5.2}{9}{Symbolic Analysis Results}{subsection.5.2}{}}
+\@LN@col{2}
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Failure Case Analysis}{9}{subsection.5.3}\protected@file@percent }
+\newlabel{sec:section label}{{5.3}{9}{Failure Case Analysis}{subsection.5.3}{}}
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Failure Taxonomy}{9}{subsubsection.5.3.1}\protected@file@percent }
+\@LN@col{1}
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.2}Observed Patterns \& Insights}{10}{subsubsection.5.3.2}\protected@file@percent }
+\@LN@col{2}
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.4}P2P layer pre-key post-compromise message secrecy vs mutual deniability}{10}{subsection.5.4}\protected@file@percent }
+\newlabel{sec:section label}{{5.4}{10}{P2P layer pre-key post-compromise message secrecy vs mutual deniability}{subsection.5.4}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.5}Fan-out layer non-repudiation vs deniability}{10}{subsection.5.5}\protected@file@percent }
+\newlabel{sec:section label}{{5.5}{10}{Fan-out layer non-repudiation vs deniability}{subsection.5.5}{}}
+\@writefile{toc}{\contentsline {section}{\numberline {6}Discussion}{10}{section.6}\protected@file@percent }
+\citation{Itkis_Reyzin_2001}
+\citation{DY}
+\citation{Gancher_2023}
+\citation{Kret_Schmidt_PQXDH}
+\citation{pqwg}
+\citation{rfc9180}
+\citation{Schwabe_Stebila_Wiggers_2020}
+\citation{Lafourcade_Mahmoud_Ruhault_Taleb,Bhargavan_PQXDH}
+\citation{Celi_Hoyland_Stebila_Wiggers_2022}
+\citation{mcMillion2025keytrans}
+\@LN@col{1}
+\@writefile{lot}{\contentsline {table}{\numberline {4}{\ignorespaces Security property preservation under compromise scenarios. {\fontfamily  {pzd}\fontencoding  {U}\fontseries  {m}\fontshape  {n}\selectfont  \char 51} = property maintained, {\fontfamily  {pzd}\fontencoding  {U}\fontseries  {m}\fontshape  {n}\selectfont  \char 55} = property violated. $^*$Megolm maintains authentication in C3 due to MAC verification, unlike Sender Keys which relies solely on signatures. P2: Message Secrecy, P3: Authentication, P4: Deniability, P5: Perfect Forward Secrecy, P6: Post-Compromise Security, P7: Strong Deniability. ``P1: Reachability'' remains all true for all cases, and ``P2: Mutual Deniability'' remains false for all cases, thus both properties are not included in the table.}}{11}{table.caption.7}\protected@file@percent }
+\newlabel{tab:failure-comparison}{{4}{11}{Security property preservation under compromise scenarios. \ding {51} = property maintained, \ding {55} = property violated. $^*$Megolm maintains authentication in C3 due to MAC verification, unlike Sender Keys which relies solely on signatures. P2: Message Secrecy, P3: Authentication, P4: Deniability, P5: Perfect Forward Secrecy, P6: Post-Compromise Security, P7: Strong Deniability. ``P1: Reachability'' remains all true for all cases, and ``P2: Mutual Deniability'' remains false for all cases, thus both properties are not included in the table}{table.caption.7}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {6.1}Recommendations for protocol implementers}{11}{subsection.6.1}\protected@file@percent }
+\newlabel{sec:recs}{{6.1}{11}{Recommendations for protocol implementers}{subsection.6.1}{}}
+\@LN@col{2}
+\@writefile{toc}{\contentsline {section}{\numberline {7}Limitations \& Future Work}{11}{section.7}\protected@file@percent }
+\citation{Blanchet_2012}
+\citation{Blanchet_Jacomme}
+\citation{Kobeissi_Bhargavan_Blanchet_2017}
+\citation{VatandasDeny}
+\citation{Blanchet_Jacomme}
+\bibstyle{plain}
+\bibdata{refs}
+\bibcite{Albrecht_Dowling_Jones}{1}
+\bibcite{Albrecht_2025}{2}
+\bibcite{alwen_doubleratchet}{3}
+\bibcite{Alwen_Coretti_Jost_Mularczyk_2020}{4}
+\bibcite{Balbas_SK}{5}
+\@LN@col{1}
+\@writefile{toc}{\contentsline {section}{\numberline {8}Conclusions}{12}{section.8}\protected@file@percent }
+\@LN@col{2}
+\@writefile{toc}{\contentsline {section}{\numberline {9}Ethical Considerations}{12}{section.9}\protected@file@percent }
+\newlabel{sec:section label}{{9}{12}{Ethical Considerations}{section.9}{}}
+\@writefile{toc}{\contentsline {section}{\numberline {10}Open Science}{12}{section.10}\protected@file@percent }
+\newlabel{sec:section label}{{10}{12}{Open Science}{section.10}{}}
+\bibcite{SoK_CAC}{6}
+\bibcite{rfc9420}{7}
+\bibcite{rfc9180}{8}
+\bibcite{Basin_Cremers_Dreier_Sasse_2022}{9}
+\bibcite{bhargavan_dy}{10}
+\bibcite{DY}{11}
+\bibcite{Bhargavan_PQXDH}{12}
+\bibcite{Blanchet_2012}{13}
+\bibcite{Blanchet_2016}{14}
+\bibcite{Blanchet_Jacomme}{15}
+\bibcite{ProverifManual}{16}
+\bibcite{Celi_Hoyland_Stebila_Wiggers_2022}{17}
+\bibcite{Chase_Perrin_Zaverucha_2020}{18}
+\bibcite{cremers_signal}{19}
+\bibcite{Collins_Colombo_Huguenin-Dumittan_2025}{20}
+\bibcite{auth}{21}
+\bibcite{Dingledine_Mathewson_Syverson_2004}{22}
+\bibcite{Dolev_1983}{23}
+\bibcite{Donenfeld_2017}{24}
+\bibcite{rfc9369}{25}
+\bibcite{FiedlerPQXDHdeny}{26}
+\bibcite{Gancher_2023}{27}
+\bibcite{pqwg}{28}
+\bibcite{Itkis_Reyzin_2001}{29}
+\@LN@col{1}
+\@LN@col{2}
+\bibcite{Jefferys2020SessionProtocol}{30}
+\bibcite{Kobeissi_Bhargavan_Blanchet_2017}{31}
+\bibcite{rfc5869}{32}
+\bibcite{Kret_Schmidt_PQXDH}{33}
+\bibcite{Lafourcade_Mahmoud_Ruhault_Taleb}{34}
+\bibcite{Moxie_Sesame}{35}
+\bibcite{Marlinspike_Perrin_X3DH}{36}
+\bibcite{matrixorg_olm_repo}{37}
+\bibcite{matrixorg_megolm_doc}{38}
+\bibcite{mcmillion2025keytransparencyarchitecture}{39}
+\bibcite{mcMillion2025keytrans}{40}
+\bibcite{MetaMessengerE2EE2023}{41}
+\bibcite{Moxie_DoubleRatchet}{42}
+\bibcite{rfc8446}{43}
+\bibcite{Schwabe_Stebila_Wiggers_2020}{44}
+\bibcite{SignalSenderKeysRust}{45}
+\bibcite{Unger_Goldberg_2018}{46}
+\bibcite{VatandasDeny}{47}
+\bibcite{Wallez_TreeKEM}{48}
+\bibcite{Wallez_TreeSync}{49}
+\bibcite{WhatsAppSecurity2024}{50}
+\bibcite{openvpn}{51}
+\@LN@col{1}
+\@LN@col{2}
+\gdef \@abspage@last{14}
--- a/main.bbl
+++ b/main.bbl
@@ -0,0 +1,307 @@
+\begin{thebibliography}{10}
+
+\bibitem{Albrecht_Dowling_Jones}
+Martin~R Albrecht, Benjamin Dowling, and Daniel Jones.
+\newblock Device-oriented group messaging: A formal cryptographic analysis of
+  matrix’ core.
+
+\bibitem{Albrecht_2025}
+Martin~R Albrecht, Benjamin Dowling, and Daniel Jones.
+\newblock Formal analysis of multi-device group messaging in whatsapp.
+
+\bibitem{alwen_doubleratchet}
+Joël Alwen, Sandro Coretti, and Yevgeniy Dodis.
+\newblock {\em The Double Ratchet: Security Notions, Proofs, and Modularization
+  for the Signal Protocol}, volume 11476 of {\em Lecture Notes in Computer
+  Science}, page 129–158.
+\newblock Springer International Publishing, Cham, 2019.
+
+\bibitem{Alwen_Coretti_Jost_Mularczyk_2020}
+Joël Alwen, Sandro Coretti, Daniel Jost, and Marta Mularczyk.
+\newblock {\em Continuous Group Key Agreement with Active Security}, volume
+  12551 of {\em Lecture Notes in Computer Science}, page 261–290.
+\newblock Springer International Publishing, Cham, 2020.
+
+\bibitem{Balbas_SK}
+David Balbás, Daniel Collins, and Phillip Gajland.
+\newblock {\em WhatsUpp with Sender Keys? Analysis, Improvements and Security
+  Proofs}, volume 14442 of {\em Lecture Notes in Computer Science}, page
+  307–341.
+\newblock Springer Nature Singapore, Singapore, 2023.
+
+\bibitem{SoK_CAC}
+Manuel Barbosa, Gilles Barthe, Karthik Bhargavan, Bruno Blanchet, Cas Cremers,
+  Kevin Liao, and Bryan Parno.
+\newblock Sok: Computer-aided cryptography.
+\newblock In {\em 2021 IEEE Symposium on Security and Privacy (SP)}, page
+  777–795, May 2021.
+
+\bibitem{rfc9420}
+Richard Barnes, Benjamin Beurdouche, Raphael Robert, Jon Millican, Emad Omara,
+  and Katriel Cohn-Gordon.
+\newblock {The Messaging Layer Security (MLS) Protocol}.
+\newblock RFC 9420, July 2023.
+
+\bibitem{rfc9180}
+Richard Barnes, Karthikeyan Bhargavan, Benjamin Lipp, and Christopher~A. Wood.
+\newblock {Hybrid Public Key Encryption}.
+\newblock RFC 9180, February 2022.
+
+\bibitem{Basin_Cremers_Dreier_Sasse_2022}
+David Basin, Cas Cremers, Jannik Dreier, and Ralf Sasse.
+\newblock Tamarin: Verification of large-scale, real-world, cryptographic
+  protocols.
+\newblock {\em IEEE Security \& Privacy}, 20(3):24–32, May 2022.
+
+\bibitem{bhargavan_dy}
+Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc~Huy Do, Pedram Hosseyni, Ralf
+  Küsters, Guido Schmitz, and Tim Würtele.
+\newblock Dy*: A modular symbolic verification framework for executable
+  cryptographic protocol code.
+
+\bibitem{DY}
+Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc~Huy Do, Pedram Hosseyni, Ralf
+  Küsters, Guido Schmitz, and Tim Würtele.
+\newblock Dy*: A modular symbolic verification framework for executable
+  cryptographic protocol code.
+
+\bibitem{Bhargavan_PQXDH}
+Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer, and Rolfe Schmidt.
+\newblock Formal verification of the pqxdh post-quantum key agreement protocol
+  for end-to-end secure messaging.
+
+\bibitem{Blanchet_2012}
+Bruno Blanchet.
+\newblock {\em Security Protocol Verification: Symbolic and Computational
+  Models}, volume 7215 of {\em Lecture Notes in Computer Science}, page 3–29.
+\newblock Springer Berlin Heidelberg, Berlin, Heidelberg, 2012.
+
+\bibitem{Blanchet_2016}
+Bruno Blanchet.
+\newblock Modeling and verifying security protocols with the applied pi
+  calculus and proverif.
+\newblock {\em Foundations and Trends® in Privacy and Security},
+  1(1–2):1–135, 2016.
+
+\bibitem{Blanchet_Jacomme}
+Bruno Blanchet and Charlie Jacomme.
+\newblock Cryptoverif: a computationally-sound security protocol verifier.
+
+\bibitem{ProverifManual}
+Bruno Blanchet, Ben Smyth, Vincent Cheval, and Marc Sylvestre.
+\newblock Proverif 2.05: Automatic cryptographic protocol verifier, user manual
+  and tutorial.
+
+\bibitem{Celi_Hoyland_Stebila_Wiggers_2022}
+Sofía Celi, Jonathan Hoyland, Douglas Stebila, and Thom Wiggers.
+\newblock {\em A Tale of Two Models: Formal Verification of KEMTLS via
+  Tamarin}, volume 13556 of {\em Lecture Notes in Computer Science}, page
+  63–83.
+\newblock Springer Nature Switzerland, Cham, 2022.
+
+\bibitem{Chase_Perrin_Zaverucha_2020}
+Melissa Chase, Trevor Perrin, and Greg Zaverucha.
+\newblock The signal private group system and anonymous credentials supporting
+  efficient verifiable encryption.
+\newblock In {\em Proceedings of the 2020 ACM SIGSAC Conference on Computer and
+  Communications Security}, page 1445–1459, Virtual Event USA, October 2020.
+  ACM.
+
+\bibitem{cremers_signal}
+Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Douglas
+  Stebila.
+\newblock A formal security analysis of the signal messaging protocol.
+
+\bibitem{Collins_Colombo_Huguenin-Dumittan_2025}
+Daniel Collins, Simone Colombo, and Loïs Huguenin-Dumittan.
+\newblock Real-world deniability in messaging.
+\newblock {\em Proceedings on Privacy Enhancing Technologies},
+  2025(1):320–340, January 2025.
+
+\bibitem{auth}
+Whitfield Diffie, Paul~C. Van~Oorschot, and Michael~J. Wiener.
+\newblock Authentication and authenticated key exchanges.
+\newblock {\em Designs, Codes and Cryptography}, 2(2):107–125, June 1992.
+
+\bibitem{Dingledine_Mathewson_Syverson_2004}
+Roger Dingledine, Nick Mathewson, and Paul Syverson.
+\newblock Tor: The second-generation onion router:.
+\newblock January 2004.
+
+\bibitem{Dolev_1983}
+Danny Dolev.
+\newblock On the security of public key protocols.
+\newblock {\em IEEE TRANSACTIONS ON INFORMATION THEORY}, (2), 1983.
+
+\bibitem{Donenfeld_2017}
+Jason~A. Donenfeld.
+\newblock Wireguard: Next generation kernel network tunnel.
+\newblock In {\em Proceedings 2017 Network and Distributed System Security
+  Symposium}, San Diego, CA, 2017. Internet Society.
+
+\bibitem{rfc9369}
+Martin Duke.
+\newblock {QUIC Version 2}.
+\newblock RFC 9369, May 2023.
+
+\bibitem{FiedlerPQXDHdeny}
+Rune Fiedler and Christian Janson.
+\newblock A deniability analysis of signal’s initial handshake pqxdh.
+\newblock {\em Proceedings on Privacy Enhancing Technologies},
+  2024(4):907–928, October 2024.
+
+\bibitem{Gancher_2023}
+Joshua Gancher, Sydney Gibson, Pratap Singh, Samvid Dharanikota, and Bryan
+  Parno.
+\newblock Owl: Compositional verification of security protocols via an
+  information-flow type system.
+\newblock In {\em 2023 IEEE Symposium on Security and Privacy (SP)}, page
+  1130–1147, San Francisco, CA, USA, May 2023. IEEE.
+
+\bibitem{pqwg}
+Andreas Hülsing, Kai-Chun Ning, Peter Schwabe, Fiona~Johanna Weber, and
+  Philip~R. Zimmermann.
+\newblock Post-quantum wireguard.
+\newblock In {\em 2021 IEEE Symposium on Security and Privacy (SP)}, page
+  304–321, San Francisco, CA, USA, May 2021. IEEE.
+
+\bibitem{Itkis_Reyzin_2001}
+Gene Itkis and Leonid Reyzin.
+\newblock {\em Forward-Secure Signatures with Optimal Signing and Verifying},
+  volume 2139 of {\em Lecture Notes in Computer Science}, page 332–354.
+\newblock Springer Berlin Heidelberg, Berlin, Heidelberg, 2001.
+
+\bibitem{Jefferys2020SessionProtocol}
+Kee Jefferys.
+\newblock Session protocol: Technical implementation details.
+\newblock Blog post on getSession.org, December 2020.
+\newblock Accessed: 2025-08-08.
+
+\bibitem{Kobeissi_Bhargavan_Blanchet_2017}
+Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet.
+\newblock Automated verification for secure messaging protocols and their
+  implementations: A symbolic and computational approach.
+\newblock In {\em 2017 IEEE European Symposium on Security and Privacy}, page
+  435–450, Paris, April 2017. IEEE.
+
+\bibitem{rfc5869}
+Hugo Krawczyk and Pasi Eronen.
+\newblock {HMAC-based Extract-and-Expand Key Derivation Function (HKDF)}.
+\newblock RFC 5869, May 2010.
+
+\bibitem{Kret_Schmidt_PQXDH}
+Ehren Kret and Rolfe Schmidt.
+\newblock The pqxdh key agreement protocol.
+\newblock 2024.
+
+\bibitem{Lafourcade_Mahmoud_Ruhault_Taleb}
+Pascal Lafourcade, Dhekra Mahmoud, Sylvain Ruhault, and Abdul~Rahman Taleb.
+\newblock A tale of two worlds, a formal story of wireguard hybridization.
+
+\bibitem{Moxie_Sesame}
+Moxie Marlinspike and Trevor Perrin.
+\newblock The sesame algorithm: Session management for asynchronous message
+  encryption.
+\newblock 2016.
+
+\bibitem{Marlinspike_Perrin_X3DH}
+Moxie Marlinspike and Trevor Perrin.
+\newblock The x3dh key agreement protocol.
+\newblock 2016.
+
+\bibitem{matrixorg_olm_repo}
+{matrix-org}.
+\newblock Olm.
+\newblock \url{https://gitlab.matrix.org/matrix-org/olm}, April 2019.
+\newblock GitLab repository implementing Olm and Megolm cryptographic ratchets.
+
+\bibitem{matrixorg_megolm_doc}
+{matrix-org}.
+\newblock docs/megolm.md.
+\newblock
+  \url{https://gitlab.matrix.org/matrix-org/olm/-/blob/master/docs/megolm.md},
+  September 2022.
+\newblock Markdown file in \emph{Olm} repository.
+
+\bibitem{mcmillion2025keytransparencyarchitecture}
+Brendan McMillion.
+\newblock Key transparency architecture.
+\newblock Internet-Draft, IETF, July 2025.
+\newblock draft-ietf-keytrans-architecture-04, Intended status: Informational.
+
+\bibitem{mcMillion2025keytrans}
+Brendan McMillion.
+\newblock {Key Transparency Architecture}.
+\newblock Internet-Draft draft-ietf-keytrans-architecture-04, IETF
+  Internet-Draft, July 2025.
+\newblock Intended status: Informational; Expires 8 January 2026.
+
+\bibitem{MetaMessengerE2EE2023}
+Jon Millican, Reed Riley, and Meta Platforms.
+\newblock Messenger end-to-end encryption overview.
+\newblock Technical White Paper Version 1M, Meta Platforms (Facebook
+  Engineering), December 2023.
+\newblock Published December 6, 2023 — describes core Signal-Protocol-based
+  E2EE implementation for Messenger and Instagram Direct.
+
+\bibitem{Moxie_DoubleRatchet}
+Trevor Perrin and Moxie Marlinspike.
+\newblock The double ratchet algorithm.
+\newblock 2016.
+
+\bibitem{rfc8446}
+Eric Rescorla.
+\newblock {The Transport Layer Security (TLS) Protocol Version 1.3}.
+\newblock RFC 8446, August 2018.
+
+\bibitem{Schwabe_Stebila_Wiggers_2020}
+Peter Schwabe, Douglas Stebila, and Thom Wiggers.
+\newblock Post-quantum tls without handshake signatures.
+\newblock In {\em Proceedings of the 2020 ACM SIGSAC Conference on Computer and
+  Communications Security}, page 1461–1480, Virtual Event USA, October 2020.
+  ACM.
+
+\bibitem{SignalSenderKeysRust}
+{Signal Foundation}.
+\newblock sender\_keys.rs — sender keys implementation (rust).
+\newblock
+  \url{https://github.com/signalapp/libsignal/blob/main/rust/protocol/src/sender\_keys.rs},
+  2025.
+\newblock Reference implementation of the Sender Keys protocol in libsignal’s
+  Rust codebase.
+
+\bibitem{Unger_Goldberg_2018}
+Nik Unger and Ian Goldberg.
+\newblock Improved strongly deniable authenticated key exchanges for secure
+  messaging.
+\newblock {\em Proceedings on Privacy Enhancing Technologies}, 2018(1):21–66,
+  January 2018.
+
+\bibitem{VatandasDeny}
+Nihal Vatandas, Rosario Gennaro, Bertrand Ithurburn, and Hugo Krawczyk.
+\newblock {\em On the Cryptographic Deniability of the Signal Protocol}, volume
+  12147 of {\em Lecture Notes in Computer Science}, page 188–209.
+\newblock Springer International Publishing, Cham, 2020.
+
+\bibitem{Wallez_TreeKEM}
+Theophile Wallez, Jonathan Protzenko, and Karthikeyan Bhargavan.
+\newblock Treekem: A modular machine-checked symbolic security analysis of
+  group key agreement in messaging layer security.
+
+\bibitem{Wallez_TreeSync}
+Théophile Wallez, Benjamin Beurdouche, and Karthikeyan Bhargavan.
+\newblock Treesync: Authenticated group management for messaging layer
+  security.
+
+\bibitem{WhatsAppSecurity2024}
+WhatsApp.
+\newblock Whatsapp encryption overview: Technical white paper.
+\newblock Technical White Paper Version 8, Meta (WhatsApp), August 2024.
+\newblock Updated August 19, 2024.
+
+\bibitem{openvpn}
+James Yonan.
+\newblock {\em OpenVPN: An Open Source VPN}, 2002.
+\newblock Version 2.6.0 and later. Accessed: 2025-08-08.
+
+\end{thebibliography}
--- a/main.bib
+++ b/main.bib
@@ -0,0 +1,21 @@
+%% LaTeX2e file `main.bib'
+%% generated by the `filecontents' environment
+%% from source `main' on 2025/08/10.
+%%
+%-------------------------------------------------------------------------------
+@Book{arpachiDusseau18:osbook,
+  author =       {Arpaci-Dusseau, Remzi H. and Arpaci-Dusseau Andrea C.},
+  title =        {Operating Systems: Three Easy Pieces},
+  publisher =    {Arpaci-Dusseau Books, LLC},
+  year =         2015,
+  edition =      {1.00},
+  note =         {\url{http://pages.cs.wisc.edu/~remzi/OSTEP/}}
+}
+@InProceedings{waldspurger02,
+  author =       {Waldspurger, Carl A.},
+  title =        {Memory resource management in {VMware ESX} server},
+  booktitle =    {USENIX Symposium on Operating System Design and
+                  Implementation (OSDI)},
+  year =         2002,
+  pages =        {181--194},
+  note =         {\url{https://www.usenix.org/legacy/event/osdi02/tech/waldspurger/waldspurger.pdf}}}
--- a/main.blg
+++ b/main.blg
@@ -0,0 +1,88 @@
+This is BibTeX, Version 0.99d (TeX Live 2025/nixos.org)
+Capacity: max_strings=200000, hash_size=200000, hash_prime=170003
+The top-level auxiliary file: main.aux
+The style file: plain.bst
+Database file #1: refs.bib
+Warning--entry type for "Jefferys2020SessionProtocol" isn't style-file defined
+--line 140 of file refs.bib
+Warning--I'm ignoring mcmillion2025keytransparencyarchitecture's extra "month" field
+--line 235 of file refs.bib
+Warning--I'm ignoring mcmillion2025keytransparencyarchitecture's extra "year" field
+--line 236 of file refs.bib
+Warning--empty journal in Albrecht_Dowling_Jones
+Warning--empty year in Albrecht_Dowling_Jones
+Warning--empty journal in Albrecht_2025
+Warning--empty year in Albrecht_2025
+Warning--can't use both author and editor fields in alwen_doubleratchet
+Warning--can't use both author and editor fields in Alwen_Coretti_Jost_Mularczyk_2020
+Warning--can't use both author and editor fields in Balbas_SK
+Warning--empty journal in bhargavan_dy
+Warning--empty year in bhargavan_dy
+Warning--empty journal in DY
+Warning--empty year in DY
+Warning--empty journal in Bhargavan_PQXDH
+Warning--empty year in Bhargavan_PQXDH
+Warning--can't use both author and editor fields in Blanchet_2012
+Warning--empty journal in Blanchet_Jacomme
+Warning--empty year in Blanchet_Jacomme
+Warning--empty journal in ProverifManual
+Warning--empty year in ProverifManual
+Warning--can't use both author and editor fields in Celi_Hoyland_Stebila_Wiggers_2022
+Warning--empty journal in cremers_signal
+Warning--empty year in cremers_signal
+Warning--empty journal in Dingledine_Mathewson_Syverson_2004
+Warning--there's a number but no volume in Dolev_1983
+Warning--can't use both author and editor fields in Itkis_Reyzin_2001
+Warning--empty journal in Kret_Schmidt_PQXDH
+Warning--empty journal in Lafourcade_Mahmoud_Ruhault_Taleb
+Warning--empty year in Lafourcade_Mahmoud_Ruhault_Taleb
+Warning--empty journal in Moxie_Sesame
+Warning--empty journal in Marlinspike_Perrin_X3DH
+Warning--empty journal in Moxie_DoubleRatchet
+Warning--can't use both author and editor fields in VatandasDeny
+Warning--empty journal in Wallez_TreeKEM
+Warning--empty year in Wallez_TreeKEM
+Warning--empty journal in Wallez_TreeSync
+Warning--empty year in Wallez_TreeSync
+You've used 51 entries,
+            2118 wiz_defined-function locations,
+            800 strings with 13462 characters,
+and the built_in function-call counts, 17428 in all, are:
+= -- 1690
+> -- 864
+< -- 23
+ -- 351
+- -- 290
+* -- 1102
+:= -- 2757
+add.period$ -- 156
+call.type$ -- 51
+change.case$ -- 290
+chr.to.int$ -- 0
+cite$ -- 86
+duplicate$ -- 787
+empty$ -- 1239
+format.name$ -- 290
+if$ -- 3753
+int.to.chr$ -- 0
+int.to.str$ -- 51
+missing$ -- 44
+newline$ -- 255
+num.names$ -- 102
+pop$ -- 416
+preamble$ -- 1
+purify$ -- 247
+quote$ -- 0
+skip$ -- 670
+stack$ -- 0
+substring$ -- 645
+swap$ -- 307
+text.length$ -- 23
+text.prefix$ -- 0
+top$ -- 0
+type$ -- 190
+warning$ -- 35
+while$ -- 121
+width$ -- 53
+write$ -- 539
+(There were 38 warnings)
--- a/main.fls
+++ b/main.fls
@@ -0,0 +1,692 @@
+PWD /home/synchronous/code/matrix-papers/usenix-2026
+INPUT /nix/store/pwg0fvf1d2648crki9jqc2g7fps4w1yz-texlive-combined-medium-2025.20250703/share/texmf-var/web2c/texmf.cnf
+INPUT /nix/store/pwg0fvf1d2648crki9jqc2g7fps4w1yz-texlive-combined-medium-2025.20250703/share/texmf-var/web2c/pdftex/pdflatex.fmt
+INPUT ./main.tex
+OUTPUT ./main.log
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/article.cls
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/article.cls
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/size10.clo
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/size10.clo
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/size10.clo
+INPUT ./usenix.sty
+INPUT ./usenix.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/mathptmx.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/mathptmx.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/fontenc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/fontenc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/t1ptm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/t1ptm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/t1ptm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/map/fontname/texfonts.map
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/inputenc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/inputenc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pslatex/pslatex.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pslatex/pslatex.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/microtype.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/microtype.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/keyval.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/keyval.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/etoolbox/etoolbox.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/etoolbox/etoolbox.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/microtype-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/microtype-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/microtype-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/microtype.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/microtype.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/microtype.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/cite/cite.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/cite/cite.sty
+INPUT ./breakurl.sty
+INPUT ./breakurl.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/xkeyval/xkeyval.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/xkeyval/xkeyval.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/xkeyval/xkeyval.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/xkeyval/xkvutils.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/iftex/ifpdf.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/iftex/ifpdf.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/iftex/iftex.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/iftex/iftex.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/url/url.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/url/url.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/xcolor/xcolor.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/xcolor/xcolor.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-cfg/color.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-cfg/color.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-cfg/color.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-def/pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-def/pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-def/pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/mathcolor.ltx
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/mathcolor.ltx
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/mathcolor.ltx
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/hyperref.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/hyperref.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/kvsetkeys/kvsetkeys.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/kvsetkeys/kvsetkeys.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/kvdefinekeys/kvdefinekeys.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/kvdefinekeys/kvdefinekeys.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pdfescape/pdfescape.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pdfescape/pdfescape.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/ltxcmds/ltxcmds.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/ltxcmds/ltxcmds.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pdftexcmds/pdftexcmds.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pdftexcmds/pdftexcmds.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/infwarerr/infwarerr.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/infwarerr/infwarerr.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hycolor/hycolor.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hycolor/hycolor.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/nameref.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/nameref.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/refcount/refcount.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/refcount/refcount.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/gettitlestring/gettitlestring.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/gettitlestring/gettitlestring.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/kvoptions/kvoptions.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/kvoptions/kvoptions.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/stringenc/stringenc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/stringenc/stringenc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/pd1enc.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/pd1enc.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/pd1enc.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/intcalc/intcalc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/intcalc/intcalc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/puenc.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/puenc.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/puenc.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/bitset/bitset.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/bitset/bitset.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/bigintcalc/bigintcalc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/bigintcalc/bigintcalc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/hpdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/hpdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/hyperref/hpdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/rerunfilecheck/rerunfilecheck.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/rerunfilecheck/rerunfilecheck.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/uniquecounter/uniquecounter.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/uniquecounter/uniquecounter.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/frontendlayer/tikz.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/frontendlayer/tikz.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/basiclayer/pgf.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/basiclayer/pgf.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/utilities/pgfrcs.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/utilities/pgfrcs.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfutil-common.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfutil-latex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfrcs.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfrcs.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfrcs.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/pgf.revision.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/pgf.revision.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/basiclayer/pgfcore.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/basiclayer/pgfcore.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/graphicx.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/graphicx.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/graphics.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/graphics.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/trig.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/trig.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-cfg/graphics.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-cfg/graphics.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics-cfg/graphics.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/systemlayer/pgfsys.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/systemlayer/pgfsys.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsys.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsys.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsys.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfkeys.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfkeyslibraryfiltered.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgf.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsys-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsys-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsys-common-pdf.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcore.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcore.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcore.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmath.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathutil.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathparser.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.basic.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.trigonometric.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.random.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.comparison.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.base.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.round.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.misc.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfunctions.integerarithmetics.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathcalc.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmathfloat.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfint.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorepoints.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorepathconstruct.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorepathusage.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorescopes.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcoregraphicstate.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcoretransformations.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorequick.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcoreobjects.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorepathprocessing.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorearrows.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcoreshade.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcoreimage.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcoreexternal.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorelayers.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcoretransparency.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorepatterns.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/basiclayer/pgfcorerdf.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/modules/pgfmoduleshapes.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/modules/pgfmoduleplot.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/compatibility/pgfcomp-version-0-65.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/compatibility/pgfcomp-version-0-65.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/compatibility/pgfcomp-version-1-18.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/compatibility/pgfcomp-version-1-18.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/utilities/pgffor.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/utilities/pgffor.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/utilities/pgfkeys.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/utilities/pgfkeys.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfkeys.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfkeys.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgfkeys.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/math/pgfmath.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/pgf/math/pgfmath.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmath.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmath.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/math/pgfmath.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgffor.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgffor.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/utilities/pgffor.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/pgflibraryplothandlers.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/pgflibraryplothandlers.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/modules/pgfmodulematrix.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarytopaths.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarytopaths.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amsmath.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amsmath.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amsopn.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amstext.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amstext.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amsgen.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amsgen.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amsbsy.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amsbsy.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsmath/amsopn.sty
+INPUT ./msc.sty
+INPUT ./msc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/xstring/xstring.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/xstring/xstring.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/xstring/xstring.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/calc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/calc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarypositioning.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarypositioning.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryfit.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryfit.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarycalc.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarycalc.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryarrows.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryarrows.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/pgflibraryarrows.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/pgflibraryarrows.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.markings.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.markings.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarydecorations.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/modules/pgfmoduledecorations.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/decorations/pgflibrarydecorations.markings.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/decorations/pgflibrarydecorations.markings.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.misc.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.misc.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.misc.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.misc.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.geometric.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.geometric.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.geometric.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.geometric.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.symbols.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.symbols.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.symbols.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.symbols.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/array.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/array.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/color.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/xspace.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/xspace.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/enumerate.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/enumerate.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/oberdiek/centernot.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/oberdiek/centernot.sty
+INPUT ./multirow.sty
+INPUT ./multirow.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/float/float.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/float/float.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/caption/caption.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/caption/caption.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/caption/caption3.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/caption/caption3.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/caption/subcaption.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/caption/subcaption.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/textcomp.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/textcomp.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/listings.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/listings.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/lstpatch.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/lstpatch.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/lstpatch.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/lstmisc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/lstmisc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/lstmisc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/listings.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/listings.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/listings/listings.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/adjustbox.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/adjustbox.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/adjcalc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/adjcalc.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/trimclip.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/trimclip.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/collectbox/collectbox.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/collectbox/collectbox.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/tc-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/tc-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/adjustbox/tc-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/algorithms/algorithm.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/algorithms/algorithm.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/ifthen.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/base/ifthen.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/algorithms/algorithmic.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/algorithms/algorithmic.sty
+INPUT ./tcolorbox.sty
+INPUT ./tcolorbox.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/verbatim.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/verbatim.sty
+INPUT ./environ.sty
+INPUT ./environ.sty
+INPUT ./enumitem.sty
+INPUT ./enumitem.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/booktabs/booktabs.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/booktabs/booktabs.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/tabularx.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/tabularx.sty
+INPUT ./makecell.sty
+INPUT ./makecell.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/pifont.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/pifont.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/upzd.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/upzd.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/upzd.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/zapfding/pzdr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/upsy.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/upsy.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/upsy.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/symbol/psyr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryautomata.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryautomata.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.multipart.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibraryshapes.multipart.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.multipart.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/pgf/libraries/shapes/pgflibraryshapes.multipart.code.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsfonts/amsfonts.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsfonts/amsfonts.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsfonts/amssymb.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amsfonts/amssymb.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amscls/amsthm.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/amscls/amsthm.sty
+INPUT ./paralist.sty
+INPUT ./paralist.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/hhline.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/hhline.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/lineno/lineno.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/lineno/lineno.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/mathtools/mathtools.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/mathtools/mathtools.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/mathtools/mhsetup.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/mathtools/mhsetup.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/multicol.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/tools/multicol.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/dvipsnam.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/dvipsnam.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/graphics/dvipsnam.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/colortbl/colortbl.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/colortbl/colortbl.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/soul/soul.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/soul/soul.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/soul/soul-ori.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/soul/soul-ori.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/jknappen/ec/ectt1000.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/etexcmds/etexcmds.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/generic/etexcmds/etexcmds.sty
+INPUT ./arydshln.sty
+INPUT ./arydshln.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/l3backend/l3backend-pdftex.def
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/l3backend/l3backend-pdftex.def
+INPUT ./main.aux
+INPUT ./main.aux
+INPUT ./main.aux
+OUTPUT ./main.aux
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omspzccm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omspzccm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omspzccm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-ptm.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-ptm.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-ptm.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/context/base/mkii/supp-pdf.mkii
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/context/base/mkii/supp-pdf.mkii
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/context/base/mkii/supp-pdf.mkii
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/epstopdf-pkg/epstopdf-base.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/epstopdf-pkg/epstopdf-base.sty
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/latexconfig/epstopdf-sys.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/latexconfig/epstopdf-sys.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/latexconfig/epstopdf-sys.cfg
+INPUT ./main.out
+INPUT ./main.out
+INPUT ./main.out
+INPUT ./main.out
+OUTPUT ./main.pdf
+INPUT ./main.out
+INPUT ./main.out
+OUTPUT ./main.out
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/ot1ptmcm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/ot1ptmcm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/ot1ptmcm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omlptmcm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omlptmcm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omlptmcm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omxpsycm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omxpsycm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/omxpsycm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-msa.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-msa.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-msa.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-msb.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-msb.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/microtype/mt-msb.cfg
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT ./sections/abstract.tex
+INPUT ./sections/abstract.tex
+INPUT ./sections/abstract.tex
+INPUT ./sections/abstract.tex
+INPUT ./sections/abstract.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8t.tfm
+INPUT ./sections/intro.tex
+INPUT ./sections/intro.tex
+INPUT ./sections/intro.tex
+INPUT ./sections/intro.tex
+INPUT ./sections/intro.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmb8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8r.tfm
+INPUT /nix/store/pwg0fvf1d2648crki9jqc2g7fps4w1yz-texlive-combined-medium-2025.20250703/share/texmf-var/fonts/map/pdftex/updmap/pdftex.map
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/enc/dvips/base/8r.enc
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmri8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmb8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmri8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmrc8t.tfm
+INPUT ./sections/related.tex
+INPUT ./sections/related.tex
+INPUT ./sections/related.tex
+INPUT ./sections/related.tex
+INPUT ./sections/related.tex
+INPUT ./diagrams/related.tex
+INPUT ./diagrams/related.tex
+INPUT ./diagrams/related.tex
+INPUT ./diagrams/related.tex
+INPUT ./diagrams/related.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zpzccmry.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/zapfchan/pzcmi8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmb8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmrc8t.vf
+INPUT ./sections/background.tex
+INPUT ./sections/background.tex
+INPUT ./sections/background.tex
+INPUT ./sections/background.tex
+INPUT ./sections/background.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvro8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/helvetic/phvr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/helvetic/phvro8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvro8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zptmcmrm.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zptmcmr.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvr8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvro8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvr8t.tfm
+INPUT ./diagrams/ake-server.tex
+INPUT ./diagrams/ake-server.tex
+INPUT ./diagrams/ake-server.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/helvetic/phvr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmb8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/helvetic/phvr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zpzccmry.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmsy10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/symbol/psyr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/zapfchan/pzcmi8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/helvetic/phvro8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvro8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zptmcmrm.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmmi10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmri8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/helvetic/phvr8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/helvetic/phvr8r.tfm
+INPUT ./diagrams/session-trans.tex
+INPUT ./diagrams/session-trans.tex
+INPUT ./diagrams/session-trans.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/ts1ptm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/ts1ptm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/tex/latex/psnfss/ts1ptm.fd
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8c.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmr8c.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmss10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmss8.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmss8.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/pslatex/pcrr8tn.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zptmcmrm.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpzccmry.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/zpsycmrv.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmss8.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri7t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
+INPUT ./diagrams/megolm.tex
+INPUT ./diagrams/megolm.tex
+INPUT ./diagrams/megolm.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmss8.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8c.tfm
+INPUT ./sections/models.tex
+INPUT ./sections/models.tex
+INPUT ./sections/models.tex
+INPUT ./sections/models.tex
+INPUT ./sections/models.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmrc8t.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zptmcmr.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/symbol/psyr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmr10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zptmcmrm.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmmi10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zpsycmrv.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/amsfonts/cmextra/cmex9.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/symbol/psyr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/public/pslatex/pcrr8tn.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/pslatex/pcrr8rn.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmb8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmb8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmr8c.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmrc8t.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmr8r.tfm
+INPUT ./sections/analysis.tex
+INPUT ./sections/analysis.tex
+INPUT ./sections/analysis.tex
+INPUT ./sections/analysis.tex
+INPUT ./sections/analysis.tex
+INPUT ./diagrams/fail-cases.tex
+INPUT ./diagrams/fail-cases.tex
+INPUT ./diagrams/fail-cases.tex
+INPUT ./diagrams/fail-cases.tex
+INPUT ./diagrams/fail-cases.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/zapfding/pzdr.tfm
+INPUT ./sections/discussion.tex
+INPUT ./sections/discussion.tex
+INPUT ./sections/discussion.tex
+INPUT ./sections/discussion.tex
+INPUT ./sections/discussion.tex
+INPUT ./sections/limitations.tex
+INPUT ./sections/limitations.tex
+INPUT ./sections/limitations.tex
+INPUT ./sections/limitations.tex
+INPUT ./sections/limitations.tex
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zpzccmry.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmsy10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/symbol/psyr.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/zapfchan/pzcmi8r.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/zpzccmry.vf
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/public/cm/cmsy10.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/zapfchan/pzcmi8r.tfm
+INPUT ./sections/conclusion.tex
+INPUT ./sections/conclusion.tex
+INPUT ./sections/conclusion.tex
+INPUT ./sections/conclusion.tex
+INPUT ./sections/conclusion.tex
+INPUT ./sections/usenix.tex
+INPUT ./sections/usenix.tex
+INPUT ./sections/usenix.tex
+INPUT ./sections/usenix.tex
+INPUT ./sections/usenix.tex
+INPUT ./main.bbl
+INPUT ./main.bbl
+INPUT ./main.bbl
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/tfm/adobe/times/ptmri8c.tfm
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/vf/adobe/times/ptmri8c.vf
+INPUT ./main.aux
+INPUT ./main.out
+INPUT ./main.out
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/public/amsfonts/cm/cmex10.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/public/amsfonts/cm/cmmi10.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/public/amsfonts/cm/cmr10.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/public/amsfonts/cm/cmss10.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/courier/ucrr8a.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/helvetic/uhvr8a.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/helvetic/uhvro8a.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/symbol/usyr.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/times/utmb8a.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/times/utmr8a.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/times/utmri8a.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/zapfchan/uzcmi8a.pfb
+INPUT /nix/store/9pyhr9ky5bbhsv4xai3bgxxwxcxaa3ba-texlive-combined-medium-2025.20250703-texmfdist/fonts/type1/urw/zapfding/uzdr.pfb
--- a/main.log
+++ b/main.log
--- a/main.out
+++ b/main.out
@@ -0,0 +1,30 @@
+\BOOKMARK [1][-]{section.1}{\376\377\000I\000n\000t\000r\000o\000d\000u\000c\000t\000i\000o\000n}{}% 1
+\BOOKMARK [1][-]{section.2}{\376\377\000R\000e\000l\000a\000t\000e\000d\000\040\000W\000o\000r\000k\000s}{}% 2
+\BOOKMARK [2][-]{subsection.2.1}{\376\377\000C\000o\000m\000p\000u\000t\000a\000t\000i\000o\000n\000a\000l\000\040\000A\000n\000a\000l\000y\000s\000i\000s}{section.2}% 3
+\BOOKMARK [2][-]{subsection.2.2}{\376\377\000M\000e\000s\000s\000a\000g\000i\000n\000g\000\040\000L\000a\000y\000e\000r\000\040\000S\000e\000c\000u\000r\000i\000t\000y}{section.2}% 4
+\BOOKMARK [2][-]{subsection.2.3}{\376\377\000M\000e\000c\000h\000a\000n\000i\000z\000e\000d\000\040\000D\000e\000n\000i\000a\000b\000i\000l\000i\000t\000y}{section.2}% 5
+\BOOKMARK [1][-]{section.3}{\376\377\000T\000h\000e\000\040\000N\000e\000s\000t\000e\000d\000\040\000R\000a\000t\000c\000h\000e\000t\000\040\000P\000r\000o\000t\000o\000c\000o\000l}{}% 6
+\BOOKMARK [2][-]{subsection.3.1}{\376\377\000C\000r\000y\000p\000t\000o\000g\000r\000a\000p\000h\000i\000c\000\040\000B\000u\000i\000l\000d\000i\000n\000g\000\040\000B\000l\000o\000c\000k\000s}{section.3}% 7
+\BOOKMARK [2][-]{subsection.3.2}{\376\377\000H\000a\000n\000d\000s\000h\000a\000k\000e\000s}{section.3}% 8
+\BOOKMARK [2][-]{subsection.3.3}{\376\377\000S\000i\000g\000n\000a\000l\000,\000\040\000O\000l\000m\000,\000\040\000a\000n\000d\000\040\000t\000h\000e\000\040\000D\000o\000u\000b\000l\000e\000\040\000R\000a\000t\000c\000h\000e\000t}{section.3}% 9
+\BOOKMARK [2][-]{subsection.3.4}{\376\377\000S\000e\000s\000s\000i\000o\000n\000\040\000S\000h\000a\000r\000i\000n\000g\000\040\000\046\000\040\000S\000e\000r\000v\000e\000r\000-\000S\000i\000d\000e\000\040\000F\000a\000n\000-\000O\000u\000t}{section.3}% 10
+\BOOKMARK [2][-]{subsection.3.5}{\376\377\000N\000e\000s\000t\000e\000d\000\040\000R\000a\000t\000c\000h\000e\000t\000\040\000P\000r\000o\000t\000o\000c\000o\000l\000\040\000D\000e\000f\000i\000n\000i\000t\000i\000o\000n}{section.3}% 11
+\BOOKMARK [2][-]{subsection.3.6}{\376\377\000R\000e\000a\000l\000\040\000W\000o\000r\000l\000d\000\040\000I\000n\000s\000t\000a\000n\000t\000i\000a\000t\000i\000o\000n\000s\000\040\000o\000f\000\040\000t\000h\000e\000\040\000N\000e\000s\000t\000e\000d\000\040\000R\000a\000t\000c\000h\000e\000t\000\040\000P\000r\000o\000t\000o\000c\000o\000l}{section.3}% 12
+\BOOKMARK [1][-]{section.4}{\376\377\000F\000o\000r\000m\000a\000l\000\040\000M\000o\000d\000e\000l\000i\000n\000g}{}% 13
+\BOOKMARK [2][-]{subsection.4.1}{\376\377\000M\000o\000d\000e\000l\000i\000n\000g\000\040\000S\000t\000r\000a\000t\000e\000g\000y}{section.4}% 14
+\BOOKMARK [2][-]{subsection.4.2}{\376\377\000C\000l\000a\000i\000m\000e\000d\000\040\000S\000e\000c\000u\000r\000i\000t\000y\000\040\000P\000r\000o\000p\000e\000r\000t\000i\000e\000s}{section.4}% 15
+\BOOKMARK [2][-]{subsection.4.3}{\376\377\000A\000d\000d\000i\000t\000i\000o\000n\000a\000l\000\040\000S\000e\000c\000u\000r\000i\000t\000y\000\040\000P\000r\000o\000p\000e\000r\000t\000i\000e\000s}{section.4}% 16
+\BOOKMARK [1][-]{section.5}{\376\377\000A\000n\000a\000l\000y\000s\000i\000s\000\040\000o\000f\000\040\000t\000h\000e\000\040\000N\000e\000s\000t\000e\000d\000\040\000R\000a\000t\000c\000h\000e\000t\000\040\000P\000r\000o\000t\000o\000c\000o\000l}{}% 17
+\BOOKMARK [2][-]{subsection.5.1}{\376\377\000S\000u\000b\000-\000P\000r\000o\000t\000o\000c\000o\000l\000\040\000P\000r\000o\000p\000e\000r\000t\000i\000e\000s}{section.5}% 18
+\BOOKMARK [2][-]{subsection.5.2}{\376\377\000S\000y\000m\000b\000o\000l\000i\000c\000\040\000A\000n\000a\000l\000y\000s\000i\000s\000\040\000R\000e\000s\000u\000l\000t\000s}{section.5}% 19
+\BOOKMARK [2][-]{subsection.5.3}{\376\377\000F\000a\000i\000l\000u\000r\000e\000\040\000C\000a\000s\000e\000\040\000A\000n\000a\000l\000y\000s\000i\000s}{section.5}% 20
+\BOOKMARK [3][-]{subsubsection.5.3.1}{\376\377\000F\000a\000i\000l\000u\000r\000e\000\040\000T\000a\000x\000o\000n\000o\000m\000y}{subsection.5.3}% 21
+\BOOKMARK [3][-]{subsubsection.5.3.2}{\376\377\000O\000b\000s\000e\000r\000v\000e\000d\000\040\000P\000a\000t\000t\000e\000r\000n\000s\000\040\000\046\000\040\000I\000n\000s\000i\000g\000h\000t\000s}{subsection.5.3}% 22
+\BOOKMARK [2][-]{subsection.5.4}{\376\377\000P\0002\000P\000\040\000l\000a\000y\000e\000r\000\040\000p\000r\000e\000-\000k\000e\000y\000\040\000p\000o\000s\000t\000-\000c\000o\000m\000p\000r\000o\000m\000i\000s\000e\000\040\000m\000e\000s\000s\000a\000g\000e\000\040\000s\000e\000c\000r\000e\000c\000y\000\040\000v\000s\000\040\000m\000u\000t\000u\000a\000l\000\040\000d\000e\000n\000i\000a\000b\000i\000l\000i\000t\000y}{section.5}% 23
+\BOOKMARK [2][-]{subsection.5.5}{\376\377\000F\000a\000n\000-\000o\000u\000t\000\040\000l\000a\000y\000e\000r\000\040\000n\000o\000n\000-\000r\000e\000p\000u\000d\000i\000a\000t\000i\000o\000n\000\040\000v\000s\000\040\000d\000e\000n\000i\000a\000b\000i\000l\000i\000t\000y}{section.5}% 24
+\BOOKMARK [1][-]{section.6}{\376\377\000D\000i\000s\000c\000u\000s\000s\000i\000o\000n}{}% 25
+\BOOKMARK [2][-]{subsection.6.1}{\376\377\000R\000e\000c\000o\000m\000m\000e\000n\000d\000a\000t\000i\000o\000n\000s\000\040\000f\000o\000r\000\040\000p\000r\000o\000t\000o\000c\000o\000l\000\040\000i\000m\000p\000l\000e\000m\000e\000n\000t\000e\000r\000s}{section.6}% 26
+\BOOKMARK [1][-]{section.7}{\376\377\000L\000i\000m\000i\000t\000a\000t\000i\000o\000n\000s\000\040\000\046\000\040\000F\000u\000t\000u\000r\000e\000\040\000W\000o\000r\000k}{}% 27
+\BOOKMARK [1][-]{section.8}{\376\377\000C\000o\000n\000c\000l\000u\000s\000i\000o\000n\000s}{}% 28
+\BOOKMARK [1][-]{section.9}{\376\377\000E\000t\000h\000i\000c\000a\000l\000\040\000C\000o\000n\000s\000i\000d\000e\000r\000a\000t\000i\000o\000n\000s}{}% 29
+\BOOKMARK [1][-]{section.10}{\376\377\000O\000p\000e\000n\000\040\000S\000c\000i\000e\000n\000c\000e}{}% 30
--- a/main.pdf
+++ b/main.pdf
--- a/main.synctex.gz
+++ b/main.synctex.gz
--- a/main.tex
+++ b/main.tex
@@ -0,0 +1,296 @@
+\documentclass[letterpaper,twocolumn,10pt]{article}
+\usepackage{usenix}
+
+% to be able to draw some self-contained figs
+\usepackage{tikz}
+\usepackage{amsmath}
+\usepackage{msc, array}
+\usepackage{xcolor,color,xspace}
+\usepackage{xcolor,color,xspace,enumerate,centernot,multirow,float,graphicx,
+xcolor,caption,subcaption,textcomp,tikz,listings,adjustbox,algorithm,algorithmic,tcolorbox}
+\usepackage{enumitem}
+\usepackage{cite}
+\usepackage{hyperref}
+\usepackage{booktabs,tabularx,makecell}
+\newcolumntype{Y}{>{\centering\arraybackslash}X}
+\usepackage{pifont}
+
+\title{A Mechanized Analysis of Nested Ratchet Protocols}
+
+\newcommand{\pv}[0]{\textsc{ProVerif}\xspace}
+
+\usetikzlibrary{arrows, positioning, automata, fit}
+\usepackage{pgf}
+
+
+\usepackage{adjustbox}
+\usepackage{amsfonts}
+\usepackage{amsmath}
+\usepackage{amssymb}
+\usepackage{amsthm}
+\usepackage{booktabs}
+\usepackage{color}
+\usepackage{paralist}
+\usepackage{enumitem}
+\usepackage{hhline}
+\usepackage{hyperref}
+\usepackage[switch]{lineno}
+\usepackage{mathtools}
+\usepackage{multicol}
+\usepackage{multirow}
+\usepackage{tabularx}
+\usepackage[dvipsnames,table]{xcolor}
+\usepackage{tikz}
+\usepackage{soul}
+\usepackage{arydshln}
+
+% Comments
+
+\newif\ifcomments
+\commentstrue
+\newcommand{\mb}[1]{\ifcomments\textit{\color{Blue}[MB] : #1}\fi}
+\newcommand{\gb}[1]{\ifcomments\textit{\color{ForestGreen}[GB] : #1}\fi}
+\newcommand{\kb}[1]{\ifcomments\textit{\color{DarkOrchid}[KB] : #1}\fi}
+\newcommand{\bb}[1]{\ifcomments\textit{\color{Mahogany}[BB] : #1}\fi}
+\newcommand{\cc}[1]{\ifcomments\textit{\color{OrangeRed}[CC] : #1}\fi}
+\newcommand{\kl}[1]{\ifcomments\textit{\color{Cerulean}[KL] : #1}\fi}
+\newcommand{\bp}[1]{\ifcomments\textit{\color{RoyalPurple}[BP] : #1}\fi}
+
+\newcommand{\revised}[1]{{\ifcomments\color{RoyalPurple}\fi#1}}
+
+% Link colors
+
+\hypersetup{
+  colorlinks,
+  linkcolor={black},  
+  citecolor={red!70!black},
+  urlcolor={blue!70!black}
+}
+
+% Table formatting
+
+\newcolumntype{L}[1]{>{\raggedright\let\newline\\\arraybackslash\hspace{0pt}}m{#1}}
+\newcolumntype{C}[1]{>{\centering\let\newline\\\arraybackslash\hspace{0pt}}m{#1}}
+\newcolumntype{X}[1]{>{\raggedleft\let\newline\\\arraybackslash\hspace{0pt}}m{#1}}
+
+\newcolumntype{R}[2]{%
+    >{\adjustbox{angle=#1,lap=\width-(#2)}\bgroup}%
+    l%
+    <{\egroup}%
+}
+\newcommand*\rot{\multicolumn{1}{R{45}{0em}}}
+
+\setlength{\tabcolsep}{2.5pt}
+
+\newcommand{\extension}{\raisebox{0.2em}{\rotatebox[origin=c]{180}{$\Lsh$}}}
+\newcommand{\extensionl}{\rotatebox[origin=c]{180}{$\Lsh$}}
+\newcommand{\raisecircle}[1]{\raisebox{0.1em}{#1}}
+
+\newcommand{\pie}[1]{%
+\raisebox{-0.15em}{%
+\begin{tikzpicture}
+ \draw (0,0) circle (0.65ex);\fill[rotate=90] (0.65ex,0) arc (0:#1:0.65ex) -- (0,0) -- cycle;
+\end{tikzpicture}}%
+}
+
+\newcommand{\ppie}[1]{%
+\raisebox{-0.15em}{%
+\begin{tikzpicture}
+ \draw (0,0) circle (0.65ex);\fill[rotate=90] (0.65ex,0) arc (0:#1:0.65ex) -- (0,0) -- cycle;
+\end{tikzpicture}}%
+}
+
+\newcommand{\fullc}{\pie{360}}
+\newcommand{\threequartc}{\pie{270}}
+\newcommand{\halfc}{\pie{180}}
+\newcommand{\quartc}{\pie{90}}
+\newcommand{\emptyc}{%
+\raisebox{-0.15em}{%
+\begin{tikzpicture}
+ \draw (0,0) circle (0.65ex);
+\end{tikzpicture}}%
+}
+
+\newcommand{\fullcr}{\raisecircle{\fullc}}
+\newcommand{\halfcr}{\raisecircle{\halfc}}
+\newcommand{\emptycr}{\raisecircle{\emptyc}}
+
+% Symbolic table
+\newcommand{\fullcd}{~\,$\fullc^{\emph{d}\,}$}
+\newcommand{\fullctsym}{~\,$\fullc^{\emph{t}\,\,}$}
+\newcommand{\fullco}{~\,$\fullc^{\emph{o}\,}$}
+\newcommand{\fullctl}{~\,$\fullc^{\emph{t,l}}$}
+\newcommand{\emptycsym}{~\,$\emptyc^{~\,}$}
+
+% Grand slam table
+%\newcommand{\fullct}{$\fullc^{\emph{t\,}}$}
+%\newcommand{\fullcs}{$\fullc^{\emph{s}}$}
+%\newcommand{\emptycx}{$\emptyc^{\;}$}
+
+\newcommand{\fullct}{\fullc}
+\newcommand{\fullcs}{\halfc}
+\newcommand{\emptycx}{\emptyc}
+
+\newcommand{\featheader}[1]{\emph{\textbf{{#1}.}}}
+\newcommand{\featheadernp}[1]{\emph{\textbf{{#1}}}}
+
+% true/false circles
+
+\newcommand{\truecirc}{%
+\raisebox{-0.15em}{%
+\begin{tikzpicture}
+ \draw (0,0) circle (0.65ex);\fill[rotate=90] (0.65ex,0) arc (0:180:0.65ex) -- (0,0) -- cycle;
+\end{tikzpicture}}%
+}
+
+\newcommand{\falsecirc}{%
+\raisebox{-0.15em}{%
+\begin{tikzpicture}
+ \draw (0,0) circle (0.65ex);\fill[rotate=270] (0.65ex,0) arc (0:180:0.65ex) -- (0,0) -- cycle;
+\end{tikzpicture}}%
+}
+
+
+
+\usepackage{amsthm}
+\newtheoremstyle{mydefinition}         % Name of style
+  {3pt}                                % Space above
+  {3pt}                                % Space below
+  {\normalfont}                        % Body font
+  {}                                   % Indent amount
+  {\bfseries}                          % Theorem head font
+  {.}                                  % Punctuation after theorem head
+  { }                                  % Space after theorem head
+  {}                                   % Theorem head spec
+\theoremstyle{mydefinition}
+\newtheorem{mydef}{Definition}
+\hyphenation{op-tical net-works semi-conduc-tor}
+
+\definecolor{gris}{gray}{0.4}
+
+\definecolor{framecolor}{rgb}{0.122, 0.435, 0.698}%
+\definecolor{framecolor2}{named}{red}
+\definecolor{bgcolor}{rgb}{0.95, 0.95, 0.95}%
+
+\newcommand{\attackerbox}[1]{%
+  \begin{tcolorbox}[
+    colframe=framecolor,       %
+    colback=bgcolor,           %
+    boxrule=0pt,               %
+    leftrule=3pt,              %
+    arc=0pt,                   %
+    left=2pt,                  %
+    right=2pt,                 %
+    top=2pt,                   %
+    bottom=2pt,                %
+    width=\linewidth,          %
+    before skip=4pt,           %
+    after skip=4pt             %
+  ]
+    #1
+  \end{tcolorbox}
+}
+
+\newcommand{\badpropbox}[1]{%
+  \begin{tcolorbox}[
+    colframe=framecolor2,       %
+    colback=bgcolor,           %
+    boxrule=0pt,               %
+    leftrule=3pt,              %
+    arc=0pt,                   %
+    left=2pt,                  %
+    right=2pt,                 %
+    top=2pt,                   %
+    bottom=2pt,                %
+    width=\linewidth,          %
+    before skip=4pt,           %
+    after skip=4pt             %
+  ]
+    #1
+  \end{tcolorbox}
+}
+
+\newcommand{\capbox}[1]{%
+  \begin{tcolorbox}[
+    colframe=framecolor,       %
+    colback=bgcolor,           %
+    boxrule=0pt,               %
+    leftrule=0pt,              %
+    arc=0pt,                   %
+    left=2pt,                  %
+    right=2pt,                 %
+    top=2pt,                   %
+    bottom=2pt,                %
+    width=\linewidth,          %
+    before skip=4pt,           %
+    after skip=4pt             %
+  ]
+    #1
+  \end{tcolorbox}
+}
+
+
+\hypersetup{
+  colorlinks,
+  linkcolor={black},  
+  citecolor={red!70!black},
+  urlcolor={blue!70!black},
+}
+
+
+
+\begin{document}
+
+\date{}
+
+\author{
+% {\rm Your N.\ Here}\\
+% Your Institution
+% \and
+% {\rm Second Name}\\
+% Second Institution
+Anonymous Author(s)
+}
+
+\maketitle
+
+\input{sections/abstract}
+
+\section{Introduction}
+
+\input{sections/intro}
+
+\section{Related Works}
+
+\input{sections/related}
+
+\section{The Nested Ratchet Protocol}
+
+\input{sections/background}
+
+\section{Formal Modeling}
+
+\input{sections/models}
+
+\section{Analysis of the Nested Ratchet Protocol}
+
+\input{sections/analysis}
+
+\section{Discussion}
+
+\input{sections/discussion}
+
+\section{Limitations \& Future Work}
+
+\input{sections/limitations}
+
+\section{Conclusions}
+
+\input{sections/conclusion}
+
+\input{sections/usenix}
+
+\bibliographystyle{plain}
+\bibliography{refs}
+
+\end{document}
--- a/makecell.sty
+++ b/makecell.sty
@@ -0,0 +1,260 @@
+%%
+%% This is file `makecell.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% makecell.dtx  (with options: `package')
+%% 
+%% IMPORTANT NOTICE:
+%% 
+%% For the copyright see the source file.
+%% 
+%% Any modified versions of this file must be renamed
+%% with new filenames distinct from makecell.sty.
+%% 
+%% For distribution of the original source see the terms
+%% for copying and modification in the file makecell.dtx.
+%% 
+%% This generated file may be distributed as long as the
+%% original source files, as listed above, are part of the
+%% same distribution. (The sources need not necessarily be
+%% in the same archive or directory.)
+\NeedsTeXFormat{LaTeX2e}[1999/12/01]
+\ProvidesPackage{makecell}
+    [2006/06/28 v0.1c Multilined Cells and Tabular Heads]
+\RequirePackage{array}
+\newcommand\makecell{\@ifstar{\let\tabg@pe\gape\makecell@}%
+                             {\let\tabg@pe\cellgape\makecell@}}
+\newcommand\makecell@{\def\t@bset{\cellset}%
+   \let\mcell@align\cellalign
+   \@ifnextchar[\mcell@tabular
+     {\expandafter\mcell@@tabular\cellalign\@nil}}
+\newcommand\thead{\@ifstar{\let\tabg@pe\gape\thead@}%
+                          {\let\tabg@pe\theadgape\thead@}}
+\newcommand\thead@{\def\t@bset{\cellset\theadfont\theadset}%
+   \let\mcell@align\theadalign
+   \@ifnextchar[\mcell@tabular
+     {\expandafter\mcell@@tabular\theadalign\@nil}}
+\@ifdefinable\rotheadsize{\newdimen\rotheadsize}
+\newcommand\rotcell{\@ifundefined{turn}%
+  {\PackageWarning{makecell}%
+     {\string\rotcell\space needs rotating package}%
+  \let\tabg@pe\empty\let\t@bset\cellset\makecell@}
+  {\@ifnextchar[{\@rotcell}{\@@rotcell}}}
+\@ifdefinable\@rotcell{}
+\def\@rotcell[#1]#2{\makecell{\\[-.65\normalbaselineskip]
+  \turn{\cellrotangle}\makecell[#1]{#2}\endturn}}
+\newcommand\@@rotcell[1]{\makecell{\\[-.65\normalbaselineskip]
+  \turn{\cellrotangle}\makecell[c{>{\rightskip0explus
+    \rotheadsize\hyphenpenalty0\pretolerance-1%
+    \noindent\hskip\z@}p{\rotheadsize}
+    }]{#1}\endturn}}
+\newcommand\rothead{\@ifundefined{turn}%
+  {\PackageWarning{makecell}{\string\rothead\space
+    needs rotating package}%
+   \let\tabg@pe\theadgape
+   \def\t@bset{\cellset\theadfont\theadset}\thead@}%
+  {\let\theadgape\rotheadgape
+   \@ifnextchar[{\@rothead}{\@@rothead}}}
+\@ifdefinable\@rothead{}
+\def\@rothead[#1]#2{\thead{\\[-.65\normalbaselineskip]
+  \turn{\cellrotangle}\thead[#1]{#2@{}}\endturn}}
+\newcommand\@@rothead[1]{\thead{\\[-.65\normalbaselineskip]
+  \turn{\cellrotangle}\thead[c{>{\rightskip0explus
+    \rotheadsize\hyphenpenalty0\pretolerance-1%
+    \noindent\hskip\z@}p{\rotheadsize}
+    @{}}]{#1}\endturn}}
+\newcommand\multirowcell{\@ifundefined{multirow}%
+  {\PackageWarning{makecell}{\string\multirowcell\space
+   needs multirow package}}%
+  {\let\mcell@multirow\multirow}\mcell@mrowcell@}
+\newcommand\mcell@mrowcell@[1]{\@ifnextchar
+  [{\mcell@mrowcell@@{#1}}{\mcell@mrowcell@@{#1}[0pt]}}
+\@ifdefinable\mcell@mrowcell@@{}
+\def\mcell@mrowcell@@#1[#2]{\edef\mcell@nrows{#1}\edef\mcell@fixup{#2}%
+   \let\tabg@pe\cellgape\makecell@}
+\newcommand\multirowthead{\@ifundefined{multirow}%
+  {\PackageWarning{makecell}{\string\multirowthead\space
+   needs multirow package}}%
+  {\let\mcell@multirow\multirow}\mcell@mrowhead@}
+\newcommand\mcell@mrowhead@[1]{\@ifnextchar
+  [{\mcell@mrowhead@@{#1}}{\mcell@mrowhead@@{#1}[0pt]}}
+\@ifdefinable\mcell@mrowhead@@{}
+\def\mcell@mrowhead@@#1[#2]{\edef\mcell@nrows{#1}\edef\mcell@fixup{#2}%
+   \let\tabg@pe\theadgape\thead@}
+\@ifdefinable\mcell@multirow{}
+\def\mcell@multirow#1#2[#3]{}%
+\newcommand\mcell@l{\def\mcell@ii{l}\let\mcell@c\mcell@ic
+  \global\let\mcell@left\empty}
+\newcommand\mcell@r{\def\mcell@ii{r}\let\mcell@c\mcell@ic
+  \global\let\mcell@right\empty}
+\newcommand\mcell@t{\def\mcell@i{t}\let\mcell@c\mcell@iic}
+\newcommand\mcell@b{\def\mcell@i{b}\let\mcell@c\mcell@iic}
+\newcommand\mcell@{}
+\newcommand\mcell@c{\def\mcell@ii{c}}
+\newcommand\mcell@ic{\def\mcell@i{c}}
+\newcommand\mcell@iic{\def\mcell@ii{c}}
+\newcommand\mcell@i{c}
+\newcommand\mcell@ii{c}
+\@ifdefinable\mcell@left{\let\mcell@left\hfill}
+\@ifdefinable\mcell@right{\let\mcell@right\hfill}
+\@ifdefinable\mcell@tabular{}\@ifdefinable\mcell@@tabular{}
+\@ifdefinable\mcell@@@tabular{}
+\def\mcell@tabular[#1]#2{\mcell@@tabular#1\@nil{#2}}
+\newcommand\mcell@ifinlist[2]{%
+  \let\next\@secondoftwo
+  \edef\mcell@tmp{#1}%
+  \@for\mcell@Tmp:={#2}\do{%
+    \ifx\mcell@tmp\mcell@Tmp
+      \let\next\@firstoftwo
+    \fi}\next}
+\def\mcell@@tabular#1#2\@nil#3{%
+  \expandafter\mcell@setalign\mcell@align\@nil
+  \mcell@setalign{#1}{#2}\@nil
+  \expandafter\mcell@@@tabular\expandafter\mcell@i\mcell@ii\@nil{#3}}
+\@ifdefinable\mcell@setalign{}
+\def\mcell@setalign#1#2\@nil{\def\@tempa{#1}\def\@tempc{c}%
+  \global\let\mcell@left\hfill\global\let\mcell@right\hfill
+  \def\mcell@c{\def\mcell@ii{c}}%
+  \mcell@ifinlist{#1}{l,r,t,b,c,}{\@nameuse{mcell@#1}}%
+      {\def\mcell@ii{#1}\let\mcell@c\mcell@ic
+       \let\mcell@left\empty\let\mcell@right\empty}%
+  \mcell@ifinlist{#2}{l,r,t,b,c,}{\@nameuse{mcell@#2}}%
+      {\def\mcell@ii{#2}\let\mcell@c\mcell@ic
+       \let\mcell@left\empty\let\mcell@right\empty}%
+  \ifx\@tempa\@tempc\mcell@c\fi
+}
+\def\mcell@@@tabular#1#2\@nil#3{%\mcell@mstyle
+  \ifdim\parindent<\z@\leavevmode\else\noindent\fi
+  \null\mcell@left
+      \ifmmode
+         \mcell@multirow\mcell@nrows*[\mcell@fixup]{\tabg@pe
+          {\hbox{\t@bset$\array[#1]{@{}#2@{}}#3\endarray$}}}%
+      \else
+         \mcell@multirow\mcell@nrows*[\mcell@fixup]{\tabg@pe
+          {\hbox{\t@bset\tabular[#1]{@{}#2@{}}#3\endtabular}}}%
+      \fi\mcell@right\null}
+\newcommand\cellset{\def\arraystretch{1}\extrarowheight\z@
+   \nomakegapedcells}
+\newcommand\cellgape{}
+\newcommand\cellalign{cc}
+\newcommand\cellrotangle{90}
+\newcommand\theadfont{\footnotesize}
+\newcommand\theadset{}
+\newcommand\theadgape{\gape}
+\newcommand\rotheadgape{}
+\newcommand\theadalign{cc}
+\newcommand\gape{\@ifnextchar[\@gape{\@gape[tb]}}
+\newcommand\setcellgapes{\@ifnextchar[%]
+  {\mcell@setgapes{MB}}{\mcell@setgapes{MB}[tb]}}
+\@ifdefinable\@setcellgapes{}
+\def\mcell@setgapes#1[#2]#3{\expandafter\let\csname
+  mcell@#1@\expandafter\endcsname\csname mcell@mb@#2\endcsname
+ \@namedef{mcell@#1jot}{#3}}
+\newcommand\mcell@mb@t[2]{\@tempdima\ht#1\advance\@tempdima#2%
+  \ht#1\@tempdima}
+\newcommand\mcell@mb@b[2]{\@tempdimb\dp#1\advance\@tempdimb#2%
+  \dp#1\@tempdimb}
+\newcommand\mcell@mb@tb[2]{\mcell@mb@t{#1}{#2}\mcell@mb@b{#1}{#2}}
+\@ifdefinable\@gape{}\@ifdefinable\@@gape{}
+\def\@gape[#1]{\mcell@setgapes{mb}[#1]{\jot}\@@gape}
+\def\@@gape{%
+  \ifmmode \expandafter\mathpalette\expandafter\mathg@pe
+  \else \expandafter\makeg@pe
+  \fi}
+\newcommand\makeg@pe[1]{\setbox\z@
+  \hbox{\color@begingroup#1\color@endgroup}\mcell@mb@\z@\mcell@mbjot\box\z@}
+\newcommand\mathg@pe[2]{\setbox\z@
+  \hbox{$\m@th#1{#2}$}\mcell@mb@\z@\mcell@mbjot\box\z@}
+\newcommand\Gape{\@ifnextchar[\@Gape{\@Gape[\jot]}}
+\@ifdefinable\@Gape{}\@ifdefinable\@@Gape{}
+\def\@Gape[#1]{\@ifnextchar[{\@@Gape[#1]}{\@@Gape[#1][#1]}}
+\def\@@Gape[#1][#2]{\def\depth{\dp\z@}\def\height{\ht\z@}%
+  \edef\mcell@mb@##1##2{%
+    \@tempdima\ht\z@\advance\@tempdima#1\ht\z@\@tempdima
+    \@tempdimb\dp\z@\advance\@tempdimb#2\dp\z@\@tempdimb}%
+    \@@gape}
+\newcommand\bottopstrut{\gape{\strut}}
+\newcommand\topstrut{\gape[t]{\strut}}
+\newcommand\botstrut{\gape[b]{\strut}}
+\@ifdefinable\mcell@oriclassz{\let\mcell@oriclassz\@classz}
+\newcommand\makegapedcells{\let\@classz\mcell@classz}
+\newcommand\nomakegapedcells{\let\@classz\mcell@oriclassz}
+\newcommand\mcell@agape[1]{\setbox\z@\hbox{#1}\mcell@MB@\z@\mcell@MBjot
+   \null\mcell@left\box\z@\mcell@right\null}
+\newcommand\mcell@classz{\@classx
+   \@tempcnta \count@
+   \prepnext@tok
+   \@addtopreamble{%\mcell@mstyle
+      \ifcase\@chnum
+         \hfil
+         \mcell@agape{\d@llarbegin\insert@column\d@llarend}\hfil \or
+         \hskip1sp
+         \mcell@agape{\d@llarbegin\insert@column\d@llarend}\hfil \or
+         \hfil\hskip1sp
+         \mcell@agape{\d@llarbegin \insert@column\d@llarend}\or
+         $\mcell@agape{\vcenter
+         \@startpbox{\@nextchar}\insert@column\@endpbox}$\or
+         \mcell@agape{\vtop
+         \@startpbox{\@nextchar}\insert@column\@endpbox}\or
+         \mcell@agape{\vbox
+         \@startpbox{\@nextchar}\insert@column\@endpbox}%
+      \fi
+      \global\let\mcell@left\relax\global\let\mcell@right\relax
+    }\prepnext@tok}
+\newcommand\eline[1]{\count@ #1%
+  \advance\count@\m@ne
+   \loop \@temptokena\expandafter{\the\@temptokena&}%
+    \advance\count@\m@ne \ifnum\count@>\z@\repeat
+     \the\@temptokena\ignorespaces}
+\newcommand\rnline{\gdef
+    \TeXr@rus{\let\@Alph\@Asbuk\let\@alph\@asbuk}\@nline}
+\newcommand\nline{\gdef\TeXr@rus{}\@nline}
+\newcommand\@nline{\@ifnextchar[%]
+    {\@@nline}{\@@nline[1]}}
+\@ifdefinable\@@nline{}
+\def\@@nline[#1]{\@ifnextchar[%]
+    {\@@@nline[#1]}{\@@@nline[#1][1]}}
+\@ifdefinable\@@@nline{}
+\def\@@@nline[#1][#2]#3{\count@ #3%
+  \expandafter\TeXr@loop\@gobble{}#1\@@@
+  \xdef\Num{\the\TeXr@lab}%
+  \@tempcnta#2\relax%
+  \expandafter\@temptokena\expandafter{\Num
+    \global\advance\@tempcnta\@ne}%
+  \advance\count@\m@ne
+  \loop\@temptokena\expandafter{\the\@temptokena&
+        \Num \global\advance\@tempcnta\@ne}%
+    \advance\count@\m@ne \ifnum\count@>\z@ \repeat
+     \the\@temptokena\ignorespaces}
+\newtoks\TeXr@lab
+\def\TeXr@qmark{?}
+\def\TeXr@label#1#2{%
+  \xdef\TeXr@the{\noexpand#1\@tempcnta}%
+  \TeXr@lab\expandafter{\the\TeXr@lab\TeXr@rus\TeXr@the}%
+  \advance\@tempcnta1
+  \TeXr@loop}
+\def\TeXr@rus{}
+\def\TeXr@space{\afterassignment\TeXr@sp@ce\let\@tempa= }
+\def\TeXr@sp@ce{\TeXr@lab\expandafter{\the\TeXr@lab\space}\TeXr@loop}
+\def\TeXr@group#1{\TeXr@lab\expandafter{\the\TeXr@lab{#1}}\TeXr@loop}
+\def\TeXr@other#1{\TeXr@lab\expandafter{\the\TeXr@lab#1}\TeXr@loop}
+\def\TeXr@loop{\futurelet\TeXr@temp\TeXr@loop@}
+\def\TeXr@loop@{%
+  \ifx A\TeXr@temp         \def\@tempa{\TeXr@label\@Alph  }\else
+  \ifx a\TeXr@temp         \def\@tempa{\TeXr@label\@alph  }\else
+  \ifx i\TeXr@temp         \def\@tempa{\TeXr@label\@roman }\else
+  \ifx I\TeXr@temp         \def\@tempa{\TeXr@label\@Roman }\else
+  \ifx 1\TeXr@temp         \def\@tempa{\TeXr@label\@arabic}\else
+  \ifx \@sptoken\TeXr@temp \let\@tempa\TeXr@space         \else
+  \ifx \bgroup\TeXr@temp   \let\@tempa\TeXr@group         \else
+  \ifx \@@@\TeXr@temp      \let\@tempa\@gobble          \else
+                           \let\@tempa\TeXr@other
+                         \TeXr@hook
+                 \fi\fi\fi\fi\fi\fi\fi\fi
+  \@tempa}
+\providecommand\TeXr@hook{}
+\endinput
+%%
+%% End of file `makecell.sty'.
--- a/minted.sty
+++ b/minted.sty
--- a/msc.sty
+++ b/msc.sty
--- a/multirow.sty
+++ b/multirow.sty
@@ -0,0 +1,74 @@
+%
+% Make an entry that will span multiple rows of a table.
+%
+% \multirow{nrows}[bigstruts]{width}[fixup]{text}
+%
+% nrows is the number of rows to span.  It's up to the user to leave the
+%	rows empty, or the stuff created by \multirow will over-write it.
+% bigstruts is the total number of uses of \bigstrut within the rows being
+%	spanned.  Count 2 uses for each \bigstrut, 1 for each \bigstrut[x]
+%	where x is either t or b.  The default is 0.
+% width is the width to which the text is to be set.
+% text is the actual text.  It will be set in LR mode.  You can use \\
+%	within text to force linebreaks where you like.  The text is centered
+%	vertically within the range spanned by nrows.
+% fixup is a length used for fine tuning:  The text will be raised (or
+%	lowered, if fixup is negative) by that length above (below) wherever
+%	it would otherwise have gone.
+%
+% For example:
+%
+% \begin{tabular}{|c|c|}
+% \hline
+% \multirow{4}{1in}{Common g text} & Column g2a\\
+% 	& Column g2b \\
+% 	& Column g2c \\
+% 	& Column g2d \\
+% \hline
+% \multirow{3}[6]{1in}{Common g text} & Column g2a\bigstrut\\\cline{2-2}
+% 	& Column g2b \bigstrut\\\cline{2-2}
+% 	& Column g2c \bigstrut\\
+% \hline
+% \multirow{4}[8]{1in}{Common g text} & Column g2a\bigstrut\\\cline{2-2}
+% 	& Column g2b \bigstrut\\\cline{2-2}
+% 	& Column g2c \bigstrut\\\cline{2-2}
+% 	& Column g2d \bigstrut\\
+% \hline
+% \end{tabular}
+%
+% If any of the spanned rows are unusually large, or if \bigstrut's are used
+% assymetrically about the centerline of the spanned rows, the vertical
+% centering may not come out right.  Use the fixup argument in this case.
+%
+% Just before "text" is expanded, the \multirowsetup macro is expanded to
+% set up any special environment.  Initially, \multirowsetup contains just
+% \raggedright.  It can be redefined with \renewcommand.
+%
+% Bugs:  It's just about impossible to deal correctly with descenders.  The
+% text will be set up centered, but it may then have a baseline that doesn't
+% match the baseline of the stuff beside it, in particular if the stuff
+% beside it has descenders and "text" does not.  This will result in a small
+% missalignment.  About all that can be done is to do a final touchup on
+% "text", using the fixup optional argument.
+%
+% \multirow probably isn't too useful in array, as opposed to table, environ-
+% ments.  It will not work well there since the lines have an extra \jot of
+% space between them which it won't account for.  Fixing this is difficult in
+% general, and doesn't seem worth it.  A semi-automatic fix is to set
+% \bigstrutjot to \jot and then pass a second argument to \multirow to which
+% is equal to half the number of rows spanned.
+%
+\def\multirowsetup{\raggedright}
+\def\multirow#1{\relax\@ifnextchar [{\@multirow{#1}}{\@multirow{#1}[0]}}
+\def\@multirow#1[#2]#3{\@ifnextchar [{\@xmultirow{#1}[#2]{#3}}%
+  {\@xmultirow{#1}[#2]{#3}[0pt]}}
+\def\@xmultirow#1[#2]#3[#4]#5{\@tempcnta=#1%
+  \@tempdima\@tempcnta\ht\@arstrutbox
+  \advance\@tempdima\@tempcnta\dp\@arstrutbox
+  \advance\@tempdima#2\bigstrutjot
+  \setbox0\hbox{\vtop to \@tempdima{\hsize#3\@parboxrestore
+		\vfill \multirowsetup #5\par\vfill}}%
+  \ht0\z@\dp0\z@
+  \@tempdima\ht\@arstrutbox \ifnum#2>0 \advance\@tempdima\bigstrutjot \fi
+  \advance\@tempdima#4 \raise\@tempdima\box0 }
+
--- a/paralist.sty
+++ b/paralist.sty
@@ -0,0 +1,366 @@
+%%
+%% This is file `paralist.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% paralist.dtx  (with options: `package')
+%% 
+%% Copyright 1998-2000 Bernd Schandl
+%% email schandl@gmx.net
+%% www   http://members.xoom.com/schandl/paralist
+%% 
+%% This file can be redistributed and/or modified under the terms
+%% of the LaTeX Project Public License distributed from CTAN
+%% archives in the directory macros/latex/base/lppl.txt; either
+%% version 1 of the license, or (at your option) any later version.
+%% 
+%% \CharacterTable
+%%  {Upper-case    \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
+%%   Lower-case    \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
+%%   Digits        \0\1\2\3\4\5\6\7\8\9
+%%   Exclamation   \!     Double quote  \"     Hash (number) \#
+%%   Dollar        \$     Percent       \%     Ampersand     \&
+%%   Acute accent  \'     Left paren    \(     Right paren   \)
+%%   Asterisk      \*     Plus          \+     Comma         \,
+%%   Minus         \-     Point         \.     Solidus       \/
+%%   Colon         \:     Semicolon     \;     Less than     \<
+%%   Equals        \=     Greater than  \>     Question mark \?
+%%   Commercial at \@     Left bracket  \[     Backslash     \\
+%%   Right bracket \]     Circumflex    \^     Underscore    \_
+%%   Grave accent  \`     Left brace    \{     Vertical bar  \|
+%%   Right brace   \}     Tilde         \~}
+%%
+\ProvidesPackage{paralist}%
+          [2001/03/03 v2.0a Some new list environments (BS)]
+\NeedsTeXFormat{LaTeX2e}
+\newif\if@plnewitem\@plnewitemfalse
+\newif\if@plnewenum\@plnewenumfalse
+\newif\if@pldefblank\@pldefblankfalse
+\newif\if@plincreaseonly\@plincreaseonlyfalse
+\newif\if@plpointedenum\@plpointedenumfalse
+\newif\if@plpointlessenum\@plpointlessenumfalse
+\newif\if@plloadcfg
+\DeclareOption{newitem}{\@plnewitemtrue}
+\DeclareOption{newenum}{\@plnewenumtrue}
+\DeclareOption{defblank}{\@pldefblanktrue}
+\DeclareOption{increaseonly}{\@plincreaseonlytrue}
+\DeclareOption{pointedenum}{\@plpointedenumtrue}
+\DeclareOption{pointlessenum}{\@plpointlessenumtrue}
+\DeclareOption{cfg}{\@plloadcfgtrue}
+\DeclareOption{nocfg}{\@plloadcfgfalse}
+\ExecuteOptions{cfg}
+\ProcessOptions\relax
+\newlength{\pltopsep}
+\newlength{\plpartopsep}
+\newlength{\plitemsep}
+\newlength{\plparsep}
+\setlength{\pltopsep}{0pt}
+\setlength{\plpartopsep}{0pt}
+\setlength{\plitemsep}{0pt}
+\setlength{\plparsep}{0pt}
+\def\if@empty#1#2#3{%
+  \def\@tempa{#1}%
+  \ifx\@tempa\@empty#2\else#3\fi}
+\def\pl@item[#1]{%
+  \if@noitemarg
+    \@noitemargfalse
+    \if@nmbrlist
+      \refstepcounter{\@listctr}%
+    \fi
+  \fi
+  \settowidth{\@tempdima}{#1}%
+  \ifdim\@tempdima>\z@{#1}\nobreakspace\fi
+  \ignorespaces
+  }
+\newtoks\pl@lab
+\def\pl@qmark{?}
+\def\pl@label#1#2{%
+  \edef\pl@the{\noexpand#1{\@enumctr}}%
+  \pl@lab\expandafter{\the\pl@lab\csname the\@enumctr\endcsname}%
+  \advance\@tempcnta1
+  \pl@loop}
+\def\pl@space{\afterassignment\pl@sp@ce\let\@tempa= }
+\def\pl@sp@ce{\pl@lab\expandafter{\the\pl@lab\space}\pl@loop}
+\def\pl@group#1{\pl@lab\expandafter{\the\pl@lab{#1}}\pl@loop}
+\def\pl@other#1{\pl@lab\expandafter{\the\pl@lab#1}\pl@loop}
+\def\pl@loop{\futurelet\pl@temp\pl@loop@}
+\def\pl@loop@{%
+  \ifx A\pl@temp         \def\@tempa{\pl@label\Alph  }\else
+  \ifx a\pl@temp         \def\@tempa{\pl@label\alph  }\else
+  \ifx i\pl@temp         \def\@tempa{\pl@label\roman }\else
+  \ifx I\pl@temp         \def\@tempa{\pl@label\Roman }\else
+  \ifx 1\pl@temp         \def\@tempa{\pl@label\arabic}\else
+  \ifx \@sptoken\pl@temp \let\@tempa\pl@space         \else
+  \ifx \bgroup\pl@temp   \let\@tempa\pl@group         \else
+  \ifx \@@@\pl@temp      \let\@tempa\@gobble          \else
+                         \let\@tempa\pl@other
+                         \pl@hook
+                 \fi\fi\fi\fi\fi\fi\fi\fi
+  \@tempa}
+\providecommand\pl@hook{}
+\def\@enumlabel@#1[#2]{%
+  \@tempcnta0
+  \pl@lab{}%
+  \let\pl@the\pl@qmark
+  \expandafter\pl@loop\@gobble#2\@@@
+  \ifnum\@tempcnta=1\else
+    \PackageWarning{paralist}{Incorrect label; no or multiple
+      counters.\MessageBreak The label is: \@gobble#2}%
+  \fi
+  \expandafter\edef\csname label\@enumctr\endcsname{\the\pl@lab}%
+  \expandafter\let\csname the\@enumctr\endcsname\pl@the
+  \csname c@\@enumctr\endcsname7
+  \if@plincreaseonly
+    \settowidth{\@tempdima}{\the\pl@lab\hspace{\labelsep}}%
+    \ifdim\@tempdima >
+      \csname leftmargin\romannumeral\@enumdepth\endcsname
+        \csname leftmargin\romannumeral\@enumdepth\endcsname
+          \@tempdima
+    \fi
+  \else
+    \expandafter\settowidth
+      \csname leftmargin\romannumeral\@enumdepth\endcsname
+      {\the\pl@lab\hspace{\labelsep}}%
+  \fi
+  #1}
+\def\@itemlabel@#1[#2]{%
+  \def\pl@itemitem{#2}%
+  \def\@itemitem{pl@itemitem}%
+  \if@plincreaseonly
+    \settowidth{\@tempdima}{#2\hspace{\labelsep}}%
+    \ifdim\@tempdima >
+      \csname leftmargin\romannumeral\@itemdepth\endcsname
+        \csname leftmargin\romannumeral\@itemdepth\endcsname
+          \@tempdima
+    \fi
+  \else
+    \expandafter\settowidth
+      \csname leftmargin\romannumeral\@itemdepth\endcsname
+      {#2\hspace{\labelsep}}%
+  \fi
+  #1}
+\def\asparaenum{%
+  \ifnum\@enumdepth>\thr@@
+    \@toodeep
+  \else
+    \advance\@enumdepth\@ne
+    \edef\@enumctr{enum\romannumeral\the\@enumdepth}%
+  \fi
+  \@ifnextchar[{\@enumlabel@{\@asparaenum@}[}{\@asparaenum@}}
+\def\@asparaenum@{%
+  \expandafter\list\csname label\@enumctr\endcsname{%
+    \usecounter{\@enumctr}%
+    \labelwidth\z@
+    \labelsep.5em
+    \leftmargin\z@
+    \parsep\parskip
+    \itemsep\z@
+    \topsep\z@
+    \partopsep\parskip
+    \itemindent\parindent
+    \advance\itemindent\labelsep
+    \def\makelabel##1{##1}}}
+\let\endasparaenum\endlist
+\def\inparaenum{%
+  \ifnum\@enumdepth>\thr@@
+    \@toodeep
+  \else
+    \advance\@enumdepth\@ne
+    \edef\@enumctr{enum\romannumeral\the\@enumdepth}%
+  \fi
+  \@ifnextchar[{\@enumlabel@{\@inparaenum@}[}{\@inparaenum@}}
+\def\@inparaenum@{%
+  \usecounter{\@enumctr}%
+  \def\@itemlabel{\csname label\@enumctr\endcsname}%
+  \let\@item\pl@item
+  \ignorespaces}
+\let\endinparaenum\ignorespacesafterend
+\def\compactenum{%
+  \ifnum\@enumdepth>\thr@@
+    \@toodeep
+  \else
+    \advance\@enumdepth\@ne
+    \edef\@enumctr{enum\romannumeral\the\@enumdepth}%
+  \fi
+  \@ifnextchar[{\@enumlabel@{\@compactenum@}[}{\@compactenum@}}
+\def\@compactenum@{%
+  \expandafter\list\csname label\@enumctr\endcsname{%
+    \usecounter{\@enumctr}%
+    \parsep\plparsep
+    \itemsep\plitemsep
+    \topsep\pltopsep
+    \partopsep\plpartopsep
+    \def\makelabel##1{\hss\llap{##1}}}}
+\let\endcompactenum\endlist
+\if@plnewenum
+  \def\enumerate{%
+    \ifnum \@enumdepth >\thr@@
+      \@toodeep
+    \else
+      \advance\@enumdepth \@ne
+      \edef\@enumctr{enum\romannumeral\the\@enumdepth}%
+    \fi
+    \@ifnextchar[{\@enumlabel@{\@enumerate@}[}{\@enumerate@}}
+  \def\@enumerate@{%
+    \expandafter\list\csname label\@enumctr\endcsname{%
+      \usecounter{\@enumctr}%
+      \def\makelabel##1{\hss\llap{##1}}}}
+\fi % \if@plnewenum
+\def\asparaitem{%
+  \ifnum\@itemdepth>\thr@@
+    \@toodeep
+  \else
+    \advance\@itemdepth\@ne
+    \edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
+  \fi
+  \@ifnextchar[{\@itemlabel@{\@asparaitem@}}{\@asparaitem@}}
+\def\@asparaitem@{%
+  \expandafter\list\csname\@itemitem\endcsname{%
+    \labelwidth\z@
+    \labelsep.5em
+    \leftmargin\z@
+    \parsep\parskip
+    \itemsep\z@
+    \topsep\z@
+    \partopsep\parskip
+    \itemindent\parindent
+    \advance\itemindent\labelsep
+    \def\makelabel##1{##1}}}
+\let\endasparaitem\endlist
+\def\inparaitem{%
+  \ifnum\@itemdepth>\thr@@
+    \@toodeep
+  \else
+    \advance\@itemdepth\@ne
+    \edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
+  \fi
+  \@ifnextchar[{\@itemlabel@{\@inparaitem@}}{\@inparaitem@}}
+\def\@inparaitem@{%
+  \def\@itemlabel{\csname\@itemitem\endcsname}%
+  \let\@item\pl@item
+  \ignorespaces}
+\let\endinparaitem\ignorespacesafterend
+\def\compactitem{%
+  \ifnum\@itemdepth>\thr@@
+    \@toodeep
+  \else
+    \advance\@itemdepth\@ne
+    \edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
+  \fi
+  \@ifnextchar[{\@itemlabel@{\@compactitem@}}{\@compactitem@}}
+\def\@compactitem@{%
+  \expandafter\list\csname\@itemitem\endcsname{%
+    \parsep\plparsep
+    \itemsep\plitemsep
+    \topsep\pltopsep
+    \partopsep\plpartopsep
+    \def\makelabel##1{\hss\llap{##1}}}}
+\let\endcompactitem\endlist
+\if@plnewitem
+  \def\itemize{%
+    \ifnum \@itemdepth >\thr@@
+      \@toodeep
+    \else
+      \advance\@itemdepth\@ne
+      \edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
+    \fi
+    \@ifnextchar[{\@itemlabel@{\@itemize@}}{\@itemize@}}
+  \def\@itemize@{%
+    \expandafter\list\csname\@itemitem\endcsname{%
+      \def\makelabel##1{\hss\llap{##1}}}}
+\fi % \if@plnewitem
+\def\compactdesc{%
+  \list{}{%
+    \parsep\plparsep
+    \itemsep\plitemsep
+    \topsep\pltopsep
+    \partopsep\plpartopsep
+    \labelwidth\z@
+    \itemindent-\leftmargin
+    \let\makelabel\descriptionlabel}}
+\let\endcompactdesc\endlist
+\if@pldefblank
+  \def\asparablank{%
+    \list{}{%
+      \labelwidth\z@
+      \labelsep\z@
+      \leftmargin\z@
+      \parsep\parskip
+      \itemsep\z@
+      \topsep\z@
+      \partopsep\parskip
+      \itemindent\parindent
+      \advance\itemindent\labelsep
+      \def\makelabel##1{##1}}}
+  \let\endasparablank\endlist
+  \def\inparablank{%
+    \let\@itemlabel\@empty
+    \let\@item\pl@item
+    \ignorespaces}
+  \let\endinparablank\ignorespacesafterend
+\fi % \if@pldefblank
+\def\defaultitem#1#2#3#4{%
+  \if@empty{#1}{}{\def\labelitemi{#1}}%
+  \if@empty{#2}{}{\def\labelitemii{#2}}%
+  \if@empty{#3}{}{\def\labelitemiii{#3}}%
+  \if@empty{#4}{}{\def\labelitemiv{#4}}}
+\def\defaultenum#1#2#3#4{%
+  \if@empty{#1}{}{%
+    \@tempdimb\leftmargini
+    \def\@enumctr{enumi}%
+    \@enumlabel@{\relax}[[#1]%
+    \leftmargini\@tempdimb}%
+  \if@empty{#2}{}{%
+    \@tempdimb\leftmarginii
+    \def\@enumctr{enumii}%
+    \@enumlabel@{\relax}[[#2]%
+    \leftmarginii\@tempdimb}%
+  \if@empty{#3}{}{%
+    \@tempdimb\leftmarginiii
+    \def\@enumctr{enumiii}%
+    \@enumlabel@{\relax}[[#3]%
+    \leftmarginiii\@tempdimb}%
+  \if@empty{#4}{}{%
+    \@tempdimb\leftmarginiv
+    \def\@enumctr{enumiv}%
+    \@enumlabel@{\relax}[[#4]%
+    \leftmarginiv\@tempdimb}%
+  \relax}
+\def\defaultleftmargin#1#2#3#4{%
+  \if@empty{#1}{}{\leftmargini#1}%
+  \if@empty{#2}{}{\leftmarginii#2}%
+  \if@empty{#3}{}{\leftmarginiii#3}%
+  \if@empty{#4}{}{\leftmarginiv#4}%
+  \relax}
+\def\pl@pointxxxenum{%
+  \def\theenumi{\arabic{enumi}}%
+  \def\theenumii{\theenumi.\arabic{enumii}}%
+  \def\theenumiii{\theenumii.\arabic{enumiii}}%
+  \def\theenumiv{\theenumiii.\arabic{enumiv}}%
+  \def\p@enumi{}%
+  \def\p@enumii{}%
+  \def\p@enumiii{}%
+  \def\p@enumiv{}}
+\def\pl@pointedenum{%
+  \def\labelenumi{\theenumi.}%
+  \def\labelenumii{\theenumii.}%
+  \def\labelenumiii{\theenumiii.}%
+  \def\labelenumiv{\theenumiv.}}
+\def\pl@pointlessenum{%
+  \def\labelenumi{\theenumi}%
+  \def\labelenumii{\theenumii}%
+  \def\labelenumiii{\theenumiii}%
+  \def\labelenumiv{\theenumiv}}
+\def\pointedenum{\pl@pointxxxenum\pl@pointedenum}
+\def\pointlessenum{\pl@pointxxxenum\pl@pointlessenum}
+\if@plpointedenum\pointedenum\fi
+\if@plpointlessenum\pointlessenum\fi
+\if@plloadcfg
+  \InputIfFileExists{paralist.cfg}{%
+    \typeout{Using the configuration file paralist.cfg}}{}
+\fi
+
+\endinput
+%%
+%% End of file `paralist.sty'.
--- a/pgfplots.sty
+++ b/pgfplots.sty
@@ -0,0 +1,155 @@
+%--------------------------------------------
+%
+% Package pgfplots.sty
+%
+% Provides a user-friendly interface to create function plots (normal
+% plots, semi-logplots and double-logplots).
+% 
+% It is based on Till Tantau's PGF package.
+%
+% Copyright 2007-2013 by Christian Feuersänger.
+%
+% This program is free software: you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation, either version 3 of the License, or
+% (at your option) any later version.
+% 
+% This program is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+% GNU General Public License for more details.
+% 
+% You should have received a copy of the GNU General Public License
+% along with this program.  If not, see <http://www.gnu.org/licenses/>.
+%
+%--------------------------------------------
+\IfFileExists{pgfplots.revision.tex}{\input pgfplots.revision.tex } {%
+	\def\pgfplotsrevision{0}%
+	\def\pgfplotsversion{0.0}%
+    \def\pgfplotsversiondatetime{2014-07-01 00:00:00 +100}%
+    \def\pgfplotsrevisiondatetime{2014-07-01 00:00:00 +100}%
+	\def\pgfplotsversiondate{2014/07/01}%
+	\def\pgfplotsrevisiondate{2014/07/01}%
+}
+\ProvidesPackage{pgfplots}[\pgfplotsversiondate\space v\pgfplotsversion\space Data Visualization (\pgfplotsrevision)]
+
+\RequirePackage{graphicx}
+
+% ATTENTION:
+% you MAY need one of
+%   \def\pgfsysdriver{pgfsys-dvipdfm.def}
+%   \def\pgfsysdriver{pgfsys-pdftex.def}
+%   \def\pgfsysdriver{pgfsys-dvips.def}
+%
+% BEFORE the first \usepackage{pgf}, \usepackage{tikz} or
+% \usepackage{pgfplots}.
+% Default is
+%   'dvips' for 'latex'
+%   'pdftex' for 'pdflatex'
+% -> dvipdfm needs special attention.
+
+\IfFileExists{pgfsys-luatex.def}{%
+	% OK, proceed as usual
+}{%
+	% hm. check if we need it:
+	\def\pgfplots@glob@TMPa{luatex.def}%
+	\edef\pgfplots@glob@TMPb{\Gin@driver}%
+	\ifx\pgfplots@glob@TMPb\pgfplots@glob@TMPa
+		% hm. probably
+		\@ifundefined{pgfsysdriver}{%
+			% use a patch shipped with pgfplots:
+			\def\pgfsysdriver{pgfsys-luatexpatch.def}%
+			\immediate\write16{Package pgfplots external lib: activating patch for pgfsys-luatex.def driver (PGF is too old)}
+		}{%
+			\def\pgfplots@glob@TMPa{pgfsys-luatex.def}%
+			\ifx\pgfsysdriver\pgfplots@glob@TMPa
+				% use a patch shipped with pgfplots:
+				\def\pgfsysdriver{pgfsys-luatexpatch.def}%
+				\immediate\write16{Package pgfplots external lib: activating patch for pgfsys-luatex.def driver (PGF is too old)}
+			\fi
+		}%
+	\fi
+}
+
+\RequirePackage{tikz}
+
+% This is *identical* to \pgfutil@IfUndefined . I copied it here
+% because pgf up to and including version 2.10 does not contain it.
+\def\pgfplotsutil@IfUndefined#1{%
+  \begingroup\expandafter\expandafter\expandafter\endgroup
+  \expandafter\ifx\csname#1\endcsname\relax
+    \expandafter\pgfutil@firstoftwo
+  \else
+    \expandafter\pgfutil@secondoftwo
+  \fi
+}
+
+\gdef\pgfplots@glob@TMPa{}%
+\pgfplotsutil@IfUndefined{directlua}{}{%
+	\pgfplotsutil@IfUndefined{newcatcodetable}{%
+		% I need \newcatcodetable
+		\gdef\pgfplots@glob@TMPa{\RequirePackage{luatexbase}}%
+	}
+}%
+
+\ifx\pgfplots@glob@TMPa\pgfutil@empty
+\else
+	\expandafter\pgfplots@glob@TMPa
+\fi
+
+\def\pgfplots@texdist@protect{\protect}%
+
+\input pgfplots.code.tex
+
+
+% checks for xcolor configuration options and will override
+%   mesh/colorspace explicit color output
+% and
+%	colormap default colorspace
+% if needed.
+\def\pgfplots@check@global@colorspace@overrides{%
+	% "bOverridesColorspace"
+	\pgfplots@loc@tmpfalse
+	\ifconvertcolorsD
+		% xcolor converts at *definition* time:
+		\pgfplots@loc@tmptrue
+	\else
+		\ifconvertcolorsU
+			% xcolor converts at *usage* time:
+			\pgfplots@loc@tmptrue
+		\fi
+	\fi
+	%
+	\ifpgfplots@loc@tmp
+		\let\pgfplots@loc@TMPb=\pgfutil@empty%
+		\ifx\XC@tgt@mod\pgfplots@XC@tgt@mod@rgb \def\pgfplots@loc@TMPb{rgb}\fi
+		\ifx\XC@tgt@mod\pgfplots@XC@tgt@mod@RGB \def\pgfplots@loc@TMPb{rgb}\fi
+		\ifx\XC@tgt@mod\pgfplots@XC@tgt@mod@cmyk\def\pgfplots@loc@TMPb{cmyk}\fi
+		\ifx\XC@tgt@mod\pgfplots@XC@tgt@mod@cmy \def\pgfplots@loc@TMPb{cmyk}\fi
+		\ifx\XC@tgt@mod\pgfplots@XC@tgt@mod@gray \def\pgfplots@loc@TMPb{gray}\fi
+		\ifx\XC@tgt@mod\pgfplots@XC@tgt@mod@Gray \def\pgfplots@loc@TMPb{gray}\fi
+		%
+		\ifx\pgfplots@loc@TMPb\pgfutil@empty
+		\else
+			\edef\pgfplots@loc@TMPa{%
+				mesh/colorspace explicit color output=\pgfplots@loc@TMPb,%
+				colormap default colorspace=\pgfplots@loc@TMPb,%
+			}%
+			\pgfplots@log3{Overriding colorspace to \pgfplots@loc@TMPb\space due to xcolor configuration.}%
+			\expandafter\pgfplotsset\expandafter{\pgfplots@loc@TMPa}%
+		\fi
+	\fi
+}%
+
+\def\pgfplots@XC@tgt@mod@rgb#1{rgb}
+\def\pgfplots@XC@tgt@mod@RGB#1{rgb}
+\def\pgfplots@XC@tgt@mod@cmyk#1{cmyk}
+\def\pgfplots@XC@tgt@mod@cmy#1{cmy}
+\def\pgfplots@XC@tgt@mod@gray#1{gray}
+\def\pgfplots@XC@tgt@mod@Gray#1{gray}
+
+\usetikzlibrary{plotmarks}
+
+
+
+\endinput
--- a/refs.bib
+++ b/refs.bib
@@ -0,0 +1,271 @@
+@misc{rfc8446,
+    series =    {Request for Comments},
+    number =    8446,
+    howpublished =  {RFC 8446},
+    publisher = {RFC Editor},
+    doi =       {10.17487/RFC8446},
+    url =       {https://www.rfc-editor.org/info/rfc8446},
+    author =    {Eric Rescorla},
+    title =     {{The Transport Layer Security (TLS) Protocol Version 1.3}},
+    pagetotal = 160,
+    year =      2018,
+    month =     aug,
+    abstract =  {This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.},
+}
+
+@article{auth, title={Authentication and authenticated key exchanges}, volume={2}, ISSN={1573-7586}, DOI={10.1007/BF00124891}, abstractNote={We discuss two-party mutual authentication protocols providing authenticated key exchange, focusing on those using asymmetric techniques. A simple, efficient protocol referred to as the station-to-station (STS) protocol is introduced, examined in detail, and considered in relation to existing protocols. The definition of a secure protocol is considered, and desirable characteristics of secure protocols are discussed.}, number={2}, journal={Designs, Codes and Cryptography}, author={Diffie, Whitfield and Van Oorschot, Paul C. and Wiener, Michael J.}, year={1992}, month=jun, pages={107–125}, language={en} }
+
+@misc{rfc9369,
+    series =    {Request for Comments},
+    number =    9369,
+    howpublished =  {RFC 9369},
+    publisher = {RFC Editor},
+    doi =       {10.17487/RFC9369},
+    url =       {https://www.rfc-editor.org/info/rfc9369},
+    author =    {Martin Duke},
+    title =     {{QUIC Version 2}},
+    pagetotal = 14,
+    year =      2023,
+    month =     may,
+    abstract =  {This document specifies QUIC version 2, which is identical to QUIC version 1 except for some trivial details. Its purpose is to combat various ossification vectors and exercise the version negotiation framework. It also serves as a template for the minimum changes in any future version of QUIC. Note that "version 2" is an informal name for this proposal that indicates it is the second version of QUIC to be published as a Standards Track document. The protocol specified here uses a version number other than 2 in the wire image, in order to minimize ossification risks.},
+}
+
+
+@inproceedings{Donenfeld_2017, address={San Diego, CA}, title={WireGuard: Next Generation Kernel Network Tunnel}, ISBN={978-1-891562-46-4}, url={https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/wireguard-next-generation-kernel-network-tunnel/}, DOI={10.14722/ndss.2017.23160}, abstractNote={WireGuard is a secure network tunnel, operating at layer 3, implemented as a kernel virtual network interface for Linux, which aims to replace both IPsec for most use cases, as well as popular user space and/or TLS-based solutions like OpenVPN, while being more secure, more performant, and easier to use. The virtual tunnel interface is based on a proposed fundamental principle of secure tunnels: an association between a peer public key and a tunnel source IP address. It uses a single round trip key exchange, based on NoiseIK, and handles all session creation transparently to the user using a novel timer state machine mechanism. Short pre-shared static keys—Curve25519 points—are used for mutual authentication in the style of OpenSSH. The protocol provides strong perfect forward secrecy in addition to a high degree of identity hiding. Transport speed is accomplished using ChaCha20Poly1305 authenticated-encryption for encapsulation of packets in UDP. An improved take on IP-binding cookies is used for mitigating denial of service attacks, improving greatly on IKEv2 and DTLS’s cookie mechanisms to add encryption and authentication. The overall design allows for allocating no resources in response to received packets, and from a systems perspective, there are multiple interesting Linux implementation techniques for queues and parallelism. Finally, WireGuard can be simply implemented for Linux in less than 4,000 lines of code, making it easily audited and veriﬁed.}, booktitle={Proceedings 2017 Network and Distributed System Security Symposium}, publisher={Internet Society}, author={Donenfeld, Jason A.}, year={2017}, language={en} }
+
+@manual{openvpn,
+  title        = {OpenVPN: An Open Source VPN},
+  author       = {James Yonan},
+  year         = {2002},
+  url          = {https://openvpn.net/},
+  note         = {Version 2.6.0 and later. Accessed: 2025-08-08}
+}
+
+
+@article{Dingledine_Mathewson_Syverson_2004, address={Fort Belvoir, VA}, title={Tor: The Second-Generation Onion Router:}, url={https://apps.dtic.mil/sti/citations/tr/ADA465464}, DOI={10.21236/ADA465464}, abstractNote={We present Tor, a circuit-based low-latency anonymous communication service. This second-generation Onion Routing system addresses limitations in the original design by adding perfect forward secrecy, congestion control, directory servers, integrity checking, conﬁgurable exit policies, and a practical design for location-hidden services via rendezvous points. Tor works on the real-world Internet, requires no special privileges or kernel modiﬁcations, requires little synchronization or coordination between nodes, and provides a reasonable tradeoff between anonymity, usability, and efﬁciency. We brieﬂy describe our experiences with an international network of more than 30 nodes. We close with a list of open problems in anonymous communication.}, institution={Defense Technical Information Center}, author={Dingledine, Roger and Mathewson, Nick and Syverson, Paul}, year={2004}, month=jan, language={en} }
+
+@article{Marlinspike_Perrin_X3DH, 
+  title={The X3DH Key Agreement Protocol}, 
+  author={Marlinspike, Moxie and Perrin, Trevor}, 
+  year = {2016},
+  language={en},
+  url = {https://signal.org/docs/specifications/x3dh/x3dh.pdf}
+}
+
+@article{Moxie_DoubleRatchet, title={The Double Ratchet Algorithm}, 
+  author={Perrin, Trevor and Moxie Marlinspike}, 
+  language={en},
+  year = {2016},
+  url = {https://signal.org/docs/specifications/doubleratchet/doubleratchet.pdf}}
+
+@article{Moxie_Sesame, title={The Sesame Algorithm: Session Management for Asynchronous Message Encryption}, 
+  author={Marlinspike, Moxie and Perrin, Trevor}, 
+  language={en},
+  year = {2016},
+  url = {https://signal.org/docs/specifications/sesame/sesame.pdf}
+}
+
+@article{Kret_Schmidt_PQXDH, title={The PQXDH Key Agreement Protocol}, 
+  author={Kret, Ehren and Schmidt, Rolfe}, 
+  language={en},
+  year = {2024},
+  url = {https://signal.org/docs/specifications/pqxdh/pqxdh.pdf}
+}
+
+@article{Bhargavan_PQXDH, title={Formal verification of the PQXDH Post-Quantum key agreement protocol for end-to-end secure messaging}, abstractNote={The Signal Messenger recently introduced a new asynchronous key agreement protocol called PQXDH (PostQuantum Extended Diffie-Hellman) that seeks to provide post-quantum forward secrecy, in addition to the authentication and confidentiality guarantees already provided by the previous X3DH (Extended Diffie-Hellman) protocol. More precisely, PQXDH seeks to protect the confidentiality of messages against harvest-now-decrypt-later attacks. In this work, we formally specify the PQXDH protocol and analyze its security using two formal verification tools, PROVERIF and CRYPTOVERIF. In particular, we ask whether PQXDH preserves the guarantees of X3DH, whether it provides post-quantum forward secrecy, and whether it can be securely deployed alongside X3DH. Our analysis identifies several flaws and potential vulnerabilities in the PQXDH specification, although these vulnerabilities are not exploitable in the Signal application, thanks to specific implementation choices which we describe in this paper. To prove the security of the current implementation, our analysis notably highlighted the need for an additional binding property of the KEM, which we formally define and prove for Kyber.}, author={Bhargavan, Karthikeyan and Jacomme, Charlie and Kiefer, Franziskus and Schmidt, Rolfe}, language={en} }
+
+@article{Cremers_SIGNAL, title={A Formal Security Analysis of the Signal Messaging Protocol}, abstractNote={The Signal protocol is a cryptographic messaging protocol that provides end-to-end encryption for instant messaging in WhatsApp, Wire, and Facebook Messenger among many others, serving well over 1 billion active users. Signal includes several uncommon security properties (such as “future secrecy” or “post-compromise security”), enabled by a novel technique called ratcheting in which session keys are updated with every message sent.}, author={Cohn-Gordon, Katriel and Cremers, Cas and Dowling, Benjamin and Garratt, Luke and Stebila, Douglas}, language={en} }
+
+@inbook{Alwen_DOUBLERATCHET, address={Cham}, series={Lecture Notes in Computer Science}, title={The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol}, volume={11476}, ISBN={978-3-030-17652-5}, DOI={10.1007/978-3-030-17653-2_5}, abstractNote={Signal is a famous secure messaging protocol used by billions of people, by virtue of many secure text messaging applications including Signal itself, WhatsApp, Facebook Messenger, Skype, and Google Allo. At its core it uses the concept of “double ratcheting,” where every message is encrypted and authenticated using a fresh symmetric key; it has many attractive properties, such as forward security, post-compromise security, and “immediate (no-delay) decryption,” which had never been achieved in combination by prior messaging protocols.}, booktitle={Advances in Cryptology – EUROCRYPT 2019}, publisher={Springer International Publishing}, author={Alwen, Joël and Coretti, Sandro and Dodis, Yevgeniy}, editor={Ishai, Yuval and Rijmen, Vincent}, year={2019}, pages={129–158}, collection={Lecture Notes in Computer Science}, language={en} }
+
+@inbook{VatandasDeny, address={Cham}, series={Lecture Notes in Computer Science}, title={On the Cryptographic Deniability of the Signal Protocol}, volume={12147}, ISBN={978-3-030-57877-0}, DOI={10.1007/978-3-030-57878-7_10}, booktitle={Applied Cryptography and Network Security}, publisher={Springer International Publishing}, author={Vatandas, Nihal and Gennaro, Rosario and Ithurburn, Bertrand and Krawczyk, Hugo}, editor={Conti, Mauro and Zhou, Jianying and Casalicchio, Emiliano and Spognardi, Angelo}, year={2020}, pages={188–209}, collection={Lecture Notes in Computer Science}, language={en} }
+
+@article{Bhargavan_DY, title={DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code}, abstractNote={We present DY?, a new formal veriﬁcation framework for the symbolic security analysis of cryptographic protocol code written in the F? programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the ﬁrst time using dependent types, long-lived mutable protocol state, equational theories, ﬁne-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. DY? is built as a library of F? modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all veriﬁed using F?. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the ﬁrst mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.}, author={Bhargavan, Karthikeyan and Bichhawat, Abhishek and Do, Quoc Huy and Hosseyni, Pedram and Küsters, Ralf and Schmitz, Guido and Würtele, Tim}, language={en} }
+
+@article{Albrecht_2025, title={Formal Analysis of Multi-Device Group Messaging in WhatsApp}, abstractNote={WhatsApp provides end-to-end encrypted messaging to over two billion users. However, due to a lack of public documentation and source code, the speciﬁc security guarantees it provides are unclear. Seeking to rectify this situation, we combine the limited public documentation with information we gather through reverse-engineering its implementation to provide a formal description of the subset of WhatsApp that provides multi-device group messaging. We utilise this description to state and prove the security guarantees that this subset of WhatsApp provides. Our analysis is performed within a variant of the Device-Oriented Group Messaging model, which we extend to support device revocation. We discuss how to interpret these results, including the security WhatsApp provides as well as its limitations.}, author={Albrecht, Martin R and Dowling, Benjamin and Jones, Daniel}, language={en} }
+
+@misc{rfc9420,
+    series =    {Request for Comments},
+    number =    9420,
+    howpublished =  {RFC 9420},
+    publisher = {RFC Editor},
+    doi =       {10.17487/RFC9420},
+    url =       {https://www.rfc-editor.org/info/rfc9420},
+    author =    {Richard Barnes and Benjamin Beurdouche and Raphael Robert and Jon Millican and Emad Omara and Katriel Cohn-Gordon},
+    title =     {{The Messaging Layer Security (MLS) Protocol}},
+    pagetotal = 132,
+    year =      2023,
+    month =     jul,
+    abstract =  {Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.},
+}
+
+@article{Wallez_TreeSync, title={TreeSync: Authenticated Group Management for Messaging Layer Security}, abstractNote={Messaging Layer Security (MLS), currently undergoing standardization at the IETF, is an asynchronous group messaging protocol that aims to be efficient for large dynamic groups, while providing strong guarantees like forward secrecy (FS) and post-compromise security (PCS). While prior work on MLS has extensively studied its group key establishment component (called TreeKEM), many flaws in early designs of MLS have stemmed from its group integrity and authentication mechanisms that are not as well-understood. In this work, we identify and formalize TreeSync: a sub-protocol of MLS that specifies the shared group state, defines group management operations, and ensures consistency, integrity, and authentication for the group state across all members. We present a precise, executable, machine-checked formal specification of TreeSync, and show how it can be composed with other components to implement the full MLS protocol. Our specification is written in F∗ and serves as a reference implementation of MLS; it passes the RFC test vectors and is interoperable with other MLS implementations. Using the DY∗ symbolic protocol analysis framework, we formalize and prove the integrity and authentication guarantees of TreeSync, under minimal security assumptions on the rest of MLS. Our analysis identifies a new attack and we propose several changes that have been incorporated in the latest MLS draft. Ours is the first testable, machine-checked, formal specification for MLS, and should be of interest to both developers and researchers interested in this upcoming standard.}, author={Wallez, Théophile and Beurdouche, Benjamin and Bhargavan, Karthikeyan}, language={en} }
+
+@article{Wallez_TreeKEM, title={TreeKEM: A Modular Machine-Checked Symbolic Security Analysis of Group Key Agreement in Messaging Layer Security}, abstractNote={The Messaging Layer Security (MLS) protocol standard proposes a novel tree-based protocol that enables efficient end-to-end encrypted messaging over large groups with thousands of members. Its functionality can be divided into three components: TreeSync for authenticating and synchronizing group state, TreeKEM for the core group key agreement, and TreeDEM for group message encryption. While previous works have analyzed the security of abstract models of TreeKEM, they do not account for the precise low-level details of the protocol standard. This work presents the first machine-checked security proof for TreeKEM. Our proof is in the symbolic Dolev-Yao model and applies to a bit-level precise, executable, interoperable specification of the protocol. Furthermore, our security theorem for TreeKEM composes naturally with a previous result for TreeSync to provide a strong modular security guarantee for the published MLS standard.}, author={Wallez, Theophile and Protzenko, Jonathan and Bhargavan, Karthikeyan}, language={en} }
+
+@techreport{WhatsAppSecurity2024,
+  title        = {WhatsApp Encryption Overview: Technical White Paper},
+  author       = {WhatsApp},
+  institution  = {Meta (WhatsApp)},
+  year         = {2024},
+  month        = aug,
+  day          = {19},
+  number       = {Version 8},
+  type         = {Technical White Paper},
+  url          = {https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf},
+  note         = {Updated August 19, 2024}
+}
+
+@techreport{MetaMessengerE2EE2023,
+  title        = {Messenger End-to-End Encryption Overview},
+  author       = {Jon Millican and Reed Riley and Meta Platforms},
+  institution  = {Meta Platforms (Facebook Engineering)},
+  year         = {2023},
+  month        = dec,
+  day          = {6},
+  number       = {Version 1M},
+  type         = {Technical White Paper},
+  url          = {https://engineering.fb.com/wp-content/uploads/2023/12/MessengerEnd-to-EndEncryptionOverview\_12-6-2023.pdf},
+  note         = {Published December 6, 2023 — describes core Signal-Protocol-based E2EE implementation for Messenger and Instagram Direct}
+}
+
+@misc{SignalSenderKeysRust,
+  title        = {sender\_keys.rs — Sender Keys Implementation (Rust)},
+  author       = {{Signal Foundation}},
+  howpublished = {\url{https://github.com/signalapp/libsignal/blob/main/rust/protocol/src/sender\_keys.rs}},
+  year         = {2025},
+  note         = {Reference implementation of the Sender Keys protocol in libsignal’s Rust codebase}
+}
+
+@online{Jefferys2020SessionProtocol,
+  author       = {Kee Jefferys},
+  title        = {Session Protocol: Technical implementation details},
+  year         = {2020},
+  month        = dec,
+  day          = {15},
+  url          = {https://getsession.org/blog/session-protocol-technical-information},
+  note         = {Accessed: 2025-08-08},
+  howpublished = {Blog post on getSession.org}
+}
+
+@article{Albrecht_Dowling_Jones, title={Device-Oriented Group Messaging: A Formal Cryptographic Analysis of Matrix’ Core}, abstractNote={Focusing on its cryptographic core, we provide the ﬁrst formal description of the Matrix secure group messaging protocol. Observing that no existing secure messaging model in the literature captures the relationships (and shared state) between users, their devices and the groups they are a part of, we introduce the Device-Oriented Group Messaging model to capture these key characteristics of the Matrix protocol. Utilising our new formalism, we determine that Matrix achieves the basic security notions of conﬁdentiality and authentication, provided it introduces authenticated group membership. On the other hand, while the state sharing functionality in Matrix conﬂicts with advanced security notions in the literature –forward and post-compromise security – it enables features such as history sharing and account recovery, provoking broader questions about how such security notions should be conceptualised.}, author={Albrecht, Martin R and Dowling, Benjamin and Jones, Daniel}, language={en} }
+
+@inbook{Balbas_SK, address={Singapore}, series={Lecture Notes in Computer Science}, title={WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs}, volume={14442}, ISBN={978-981-99-8732-0}, url={https://link.springer.com/10.1007/978-981-99-8733-7_10}, DOI={10.1007/978-981-99-8733-7_10}, abstractNote={In addressing these questions, we first introduce a novel security model to suit protocols like Sender Keys, deviating from conventional group key agreement-based abstractions. Our framework allows for a natural integration of two-party messaging within group messaging sessions that may be of independent interest. Leveraging this framework, we conduct the first formal analysis of the Sender Keys protocol, and prove it satisfies a weak notion of security. Towards improving security, we propose a series of efficient modifications to Sender Keys without imposing significant performance overhead. We combine these refinements into a new protocol that we call Sender Keys+, which may be of interest both in theory and practice.}, booktitle={Advances in Cryptology – ASIACRYPT 2023}, publisher={Springer Nature Singapore}, author={Balbás, David and Collins, Daniel and Gajland, Phillip}, editor={Guo, Jian and Steinfeld, Ron}, year={2023}, pages={307–341}, collection={Lecture Notes in Computer Science}, language={en} }
+
+
+@misc{matrixorg_megolm_doc,
+  author       = {{matrix-org}},
+  title        = {docs/megolm.md},
+  howpublished = {\url{https://gitlab.matrix.org/matrix-org/olm/-/blob/master/docs/megolm.md}},
+  note         = {Markdown file in \emph{Olm} repository},
+  year         = {2022},
+  month        = sep,
+  urldate      = {2025-08-08}
+}
+
+@misc{matrixorg_olm_repo,
+  author       = {{matrix-org}},
+  title        = {Olm},
+  howpublished = {\url{https://gitlab.matrix.org/matrix-org/olm}},
+  note         = {GitLab repository implementing Olm and Megolm cryptographic ratchets},
+  year         = {2019},
+  month        = apr,
+  urldate      = {2025-08-08}
+}
+
+@article{FiedlerPQXDHdeny, title={A Deniability Analysis of Signal’s Initial Handshake PQXDH}, volume={2024}, rights={https://creativecommons.org/licenses/by/4.0/}, ISSN={2299-0984}, DOI={10.56553/popets-2024-0148}, abstractNote={Many use messaging apps such as Signal to exercise their right to private communication. To cope with the advent of quantum computing, Signal employs a new initial handshake protocol called PQXDH for post-quantum confidentiality, yet keeps guarantees of authenticity and deniability classical. Compared to its predecessor X3DH, PQXDH includes a KEM encapsulation and a signature on the ephemeral key. In this work we show that PQXDH does not meet the same deniability guarantees as X3DH due to the signature on the ephemeral key. Our analysis relies on plaintext awareness of the KEM, which Signal’s implementation of PQXDH does not provide. As for X3DH, both parties (initiator and responder) obtain different deniability guarantees due to the asymmetry of the protocol.}, number={4}, journal={Proceedings on Privacy Enhancing Technologies}, author={Fiedler, Rune and Janson, Christian}, year={2024}, month=oct, pages={907–928}, language={en} }
+
+@inproceedings{SoK_CAC, title={SoK: Computer-Aided Cryptography}, ISSN={2375-1207}, url={https://ieeexplore.ieee.org/document/9519449/?arnumber=9519449}, DOI={10.1109/SP40001.2021.00008}, abstractNote={Computer-aided cryptography is an active area of research that develops and applies formal, machine-checkable approaches to the design, analysis, and implementation of cryptography. We present a cross-cutting systematization of the computer-aided cryptography literature, focusing on three main areas: (i) design-level security (both symbolic security and computational security), (ii) functional correctness and efficiency, and (iii) implementation-level security (with a focus on digital side-channel resistance). In each area, we first clarify the role of computer-aided cryptography—how it can help and what the caveats are—in addressing current challenges. We next present a taxonomy of state-of-the-art tools, comparing their accuracy, scope, trustworthiness, and usability. Then, we highlight their main achievements, trade-offs, and research challenges. After covering the three main areas, we present two case studies. First, we study efforts in combining tools focused on different areas to consolidate the guarantees they can provide. Second, we distill the lessons learned from the computer-aided cryptography community’s involvement in the TLS 1.3 standardization effort. Finally, we conclude with recommendations to paper authors, tool developers, and standardization bodies moving forward.}, booktitle={2021 IEEE Symposium on Security and Privacy (SP)}, author={Barbosa, Manuel and Barthe, Gilles and Bhargavan, Karthik and Blanchet, Bruno and Cremers, Cas and Liao, Kevin and Parno, Bryan}, year={2021}, month=may, pages={777–795} }
+
+@article{ProverifManual, title={ProVerif 2.05: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial}, author={Blanchet, Bruno and Smyth, Ben and Cheval, Vincent and Sylvestre, Marc}, language={en} }
+
+@inbook{Blanchet_2012, address={Berlin, Heidelberg}, series={Lecture Notes in Computer Science}, title={Security Protocol Verification: Symbolic and Computational Models}, volume={7215}, ISBN={978-3-642-28640-7}, url={http://link.springer.com/10.1007/978-3-642-28641-4_2}, DOI={10.1007/978-3-642-28641-4_2}, abstractNote={Security protocol veriﬁcation has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the veriﬁcation in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than speciﬁcations. Additionally, we brieﬂy describe our symbolic security protocol veriﬁer ProVerif and situate it among these approaches.}, booktitle={Principles of Security and Trust}, publisher={Springer Berlin Heidelberg}, author={Blanchet, Bruno}, editor={Degano, Pierpaolo and Guttman, Joshua D.}, year={2012}, pages={3–29}, collection={Lecture Notes in Computer Science}, language={en} }
+
+@article{Blanchet_2016, title={Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif}, volume={1}, ISSN={2474-1558, 2474-1566}, DOI={10.1561/3300000004}, abstractNote={ProVerif is an automatic symbolic protocol veriﬁer. It supports a wide range of cryptographic primitives, deﬁned by rewrite rules or by equations. It can prove various security properties: secrecy, authentication, and process equivalences, for an unbounded message space and an unbounded number of sessions. It takes as input a description of the protocol to verify in a dialect of the applied pi calculus, an extension of the pi calculus with cryptography. It automatically translates this protocol description into Horn clauses and determines whether the desired security properties hold by resolution on these clauses. This survey presents an overview of the research on ProVerif.}, number={1–2}, journal={Foundations and Trends® in Privacy and Security}, author={Blanchet, Bruno}, year={2016}, pages={1–135}, language={en} }
+
+@article{Dolev_1983, title={On the Security of Public Key Protocols}, abstractNote={Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.}, number={2}, journal={IEEE TRANSACTIONS ON INFORMATION THEORY}, author={Dolev, Danny}, year={1983}, language={en} }
+
+@inbook{Celi_Hoyland_Stebila_Wiggers_2022, address={Cham}, series={Lecture Notes in Computer Science}, title={A Tale of Two Models: Formal Verification of KEMTLS via Tamarin}, volume={13556}, ISBN={978-3-031-17142-0}, url={https://link.springer.com/10.1007/978-3-031-17143-7_4}, DOI={10.1007/978-3-031-17143-7_4}, booktitle={Computer Security – ESORICS 2022}, publisher={Springer Nature Switzerland}, author={Celi, Sofía and Hoyland, Jonathan and Stebila, Douglas and Wiggers, Thom}, editor={Atluri, Vijayalakshmi and Di Pietro, Roberto and Jensen, Christian D. and Meng, Weizhi}, year={2022}, pages={63–83}, collection={Lecture Notes in Computer Science}, language={en} }
+
+@article{Lafourcade_Mahmoud_Ruhault_Taleb, title={A Tale of Two Worlds, a Formal Story of WireGuard Hybridization}, abstractNote={PQ-WireGuard is a post-quantum variant of WireGuard Virtual Private Network (VPN), where Diffie-Hellman-based key exchange is replaced by post-quantum Key Encapsulation Mechanisms-based key exchange. In this paper, we first conduct a thorough formal analysis of PQ-WireGuard’s original design, in which we point out and fix a number of weaknesses. This leads us to an improved construction PQWireGuard⋆. Secondly, we propose and formally analyze a new protocol, based on both WireGuard and PQ-WireGuard⋆, named Hybrid-WireGuard, compliant with current best practices for post-quantum transition about hybridization techniques. For our analysis, we use the Sapic+ framework that enables the generation of three state-of-the-art protocol models for the verification tools ProVerif, DeepSec and Tamarin from a single specification, leveraging the strengths of each tool. We formally prove that HybridWireGuard is secure. Eventually, we propose a generic, efficient and usable Rust implementation of our new protocol.}, author={Lafourcade, Pascal and Mahmoud, Dhekra and Ruhault, Sylvain and Taleb, Abdul Rahman}, language={en} }
+
+@article{Unger_Goldberg_2018, title={Improved Strongly Deniable Authenticated Key Exchanges for Secure Messaging}, volume={2018}, rights={http://creativecommons.org/licenses/by-nc-nd/3.0}, ISSN={2299-0984}, DOI={10.1515/popets-2018-0003}, abstractNote={A deniable authenticated key exchange (DAKE) protocol establishes a secure channel without producing cryptographic evidence of communication. A DAKE oﬀers strong deniability if transcripts provide no evidence even if long-term key material is compromised (oﬄine deniability) and no outsider can obtain evidence even when interactively colluding with an insider (online deniability). Unfortunately, existing strongly deniable DAKEs have not been adopted by secure messaging tools due to security and deployability weaknesses.}, number={1}, journal={Proceedings on Privacy Enhancing Technologies}, author={Unger, Nik and Goldberg, Ian}, year={2018}, month=jan, pages={21–66}, language={en} }
+
+@article{Collins_Colombo_Huguenin-Dumittan_2025, title={Real-World Deniability in Messaging}, volume={2025}, rights={https://creativecommons.org/licenses/by/4.0/}, ISSN={2299-0984}, DOI={10.56553/popets-2025-0018}, abstractNote={This work explores real-world deniability in messaging. We propose a formal model that considers the entire messaging system to analyze deniability in practice. Applying this model to the Signal application and DKIM-protected email, we demonstrate that these systems do not offer practical deniability guarantees. Additionally, we analyze 140 court cases in Switzerland that use conversations on messaging applications as evidence and find that none consider deniability, providing evidence that this property does not have an impact in the legal setting. Based on these technical and legal findings, we assess whether deniability is a desirable property and the challenges and shortcomings of designing a system that is deniable in practice. We posit that systems should either offer real-world deniability or refrain from claiming to achieve it. We discuss how to choose an appropriate threat model for deniability in a given context and how to design communication systems that are deniable in practice. For Signal, we propose and discuss a simple yet effective solution: the application should enable direct modification of locally stored messages in the user interface. This position paper raises several unanswered questions, aiming to further stimulate discussion and research on real-world deniability in messaging.}, number={1}, journal={Proceedings on Privacy Enhancing Technologies}, author={Collins, Daniel and Colombo, Simone and Huguenin-Dumittan, Loïs}, year={2025}, month=jan, pages={320–340}, language={en} }
+
+
+@article{DY, title={DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code}, abstractNote={We present DY?, a new formal veriﬁcation framework for the symbolic security analysis of cryptographic protocol code written in the F? programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the ﬁrst time using dependent types, long-lived mutable protocol state, equational theories, ﬁne-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. DY? is built as a library of F? modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all veriﬁed using F?. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the ﬁrst mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.}, author={Bhargavan, Karthikeyan and Bichhawat, Abhishek and Do, Quoc Huy and Hosseyni, Pedram and Küsters, Ralf and Schmitz, Guido and Würtele, Tim}, language={en} }
+
+@inproceedings{Gancher_2023, address={San Francisco, CA, USA}, title={Owl: Compositional Verification of Security Protocols via an Information-Flow Type System}, rights={https://doi.org/10.15223/policy-009}, ISBN={978-1-6654-9336-9}, url={https://ieeexplore.ieee.org/document/10179477/}, DOI={10.1109/SP46215.2023.10179477}, abstractNote={Computationally sound protocol verification tools promise to deliver full-strength cryptographic proofs for security protocols. Unfortunately, current tools lack either modularity or automation. We propose a new approach based on a novel use of information flow and refinement types for sound cryptographic proofs. Our framework, OWL, allows type-based modular descriptions of security protocols, wherein disjoint subprotocols can be programmed and automatically proved secure separately. We give a formal security proof for OWL via a core language which supports symmetric and asymmetric primitives, DiffieHellman operations, and hashing via random oracles. We also implement a type checker for OWL and a prototype extraction mechanism to Rust, and evaluate both on 14 case studies, including (simplified forms of) SSH key exchange and Kerberos.}, booktitle={2023 IEEE Symposium on Security and Privacy (SP)}, publisher={IEEE}, author={Gancher, Joshua and Gibson, Sydney and Singh, Pratap and Dharanikota, Samvid and Parno, Bryan}, year={2023}, month=may, pages={1130–1147}, language={en} }
+
+ @inproceedings{Kobeissi_Bhargavan_Blanchet_2017, address={Paris}, title={Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach}, ISBN={978-1-5090-5762-7}, url={https://ieeexplore.ieee.org/document/7961995/}, DOI={10.1109/EuroSP.2017.38}, abstractNote={Many popular web applications incorporate end-toend secure messaging protocols, which seek to ensure that messages sent between users are kept conﬁdential and authenticated, even if the web application’s servers are broken into or otherwise compelled into releasing all their data. Protocols that promise such strong security guarantees should be held up to rigorous analysis, since protocol ﬂaws and implementations bugs can easily lead to real-world attacks.}, booktitle={2017 IEEE European Symposium on Security and Privacy}, publisher={IEEE}, author={Kobeissi, Nadim and Bhargavan, Karthikeyan and Blanchet, Bruno}, year={2017}, month=apr, pages={435–450}, language={en} }
+
+@article{Blanchet_Jacomme, title={CryptoVerif: a Computationally-Sound Security Protocol Verifier}, abstractNote={This document presents the security protocol verifier CryptoVerif. CryptoVerif does not rely on the symbolic, Dolev-Yao model, but on the computational model. It can verify secrecy, correspondence properties (which include authentication), and indistinguishability properties. It produces proofs presented as sequences of games, like those manually written by cryptographers; these games are formalized in a probabilistic process calculus. CryptoVerif provides a generic method for specifying security properties of the cryptographic primitives. It produces proofs valid for any number of sessions of the protocol, and provides an upper bound on the probability of success of an attack against the protocol as a function of the probability of breaking each primitive and of the number of sessions. CryptoVerif is post-quantum sound: when the used cryptographic assumptions are valid for quantum adversaries, the proofs hold for quantum adversaries. It can work automatically, or the user can guide it with manual proof indications.}, author={Blanchet, Bruno and Jacomme, Charlie}, language={en} }
+
+@inproceedings{pqwg, address={San Francisco, CA, USA}, title={Post-quantum WireGuard}, rights={https://doi.org/10.15223/policy-009}, ISBN={978-1-7281-8934-5}, url={https://ieeexplore.ieee.org/document/9519445/}, DOI={10.1109/SP40001.2021.00030}, abstractNote={In this paper we present PQ-WireGuard, a postquantum variant of the handshake in the WireGuard VPN protocol (NDSS 2017). Unlike most previous work on postquantum security for real-world protocols, this variant does not only consider post-quantum confidentiality (or forward secrecy) but also post-quantum authentication. To achieve this, we replace the Diffie-Hellman-based handshake by a more generic approach only using key-encapsulation mechanisms (KEMs). We establish security of PQ-WireGuard, adapting the security proofs for WireGuard in the symbolic model and in the standard model to our construction. We then instantiate this generic construction with concrete post-quantum secure KEMs, which we carefully select to achieve high security and speed. We demonstrate competitiveness of PQ-WireGuard presenting extensive benchmarking results comparing to widely deployed VPN solutions.}, booktitle={2021 IEEE Symposium on Security and Privacy (SP)}, publisher={IEEE}, author={Hülsing, Andreas and Ning, Kai-Chun and Schwabe, Peter and Weber, Fiona Johanna and Zimmermann, Philip R.}, year={2021}, month=may, pages={304–321}, language={en} }
+
+@misc{rfc9180,
+    series =    {Request for Comments},
+    number =    9180,
+    howpublished =  {RFC 9180},
+    publisher = {RFC Editor},
+    doi =       {10.17487/RFC9180},
+    url =       {https://www.rfc-editor.org/info/rfc9180},
+    author =    {Richard Barnes and Karthikeyan Bhargavan and Benjamin Lipp and Christopher A. Wood},
+    title =     {{Hybrid Public Key Encryption}},
+    pagetotal = 107,
+    year =      2022,
+    month =     feb,
+    abstract =  {This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.},
+}
+
+@inproceedings{Schwabe_Stebila_Wiggers_2020, address={Virtual Event USA}, title={Post-Quantum TLS Without Handshake Signatures}, ISBN={978-1-4503-7089-9}, url={https://dl.acm.org/doi/10.1145/3372297.3423350}, DOI={10.1145/3372297.3423350}, abstractNote={We present KEMTLS, an alternative to the TLS 1.3 handshake that uses key-encapsulation mechanisms (KEMs) instead of signatures for server authentication. Among existing post-quantum candidates, signature schemes generally have larger public key/signature sizes compared to the public key/ciphertext sizes of KEMs: by using an IND-CCA-secure KEM for server authentication in post-quantum TLS, we obtain multiple benefits. A size-optimized post-quantum instantiation of KEMTLS requires less than half the bandwidth of a size-optimized post-quantum instantiation of TLS 1.3. In a speedoptimized instantiation, KEMTLS reduces the amount of server CPU cycles by almost 90% compared to TLS 1.3, while at the same time reducing communication size, reducing the time until the client can start sending encrypted application data, and eliminating code for signatures from the server’s trusted code base.}, booktitle={Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security}, publisher={ACM}, author={Schwabe, Peter and Stebila, Douglas and Wiggers, Thom}, year={2020}, month=oct, pages={1461–1480}, language={en} }
+
+@inbook{Itkis_Reyzin_2001, address={Berlin, Heidelberg}, series={Lecture Notes in Computer Science}, title={Forward-Secure Signatures with Optimal Signing and Verifying}, volume={2139}, ISBN={978-3-540-42456-7}, url={http://link.springer.com/10.1007/3-540-44647-8_20}, DOI={10.1007/3-540-44647-8_20}, abstractNote={We propose the ﬁrst forward-secure signature scheme for which both signing and verifying are as eﬃcient as for one of the most eﬃcient ordinary signature schemes (Guillou-Quisquater [GQ88]), each requiring just two modular exponentiations with a short exponent. All previously proposed forward-secure signature schemes took signiﬁcantly longer to sign and verify than ordinary signature schemes.}, booktitle={Advances in Cryptology — CRYPTO 2001}, publisher={Springer Berlin Heidelberg}, author={Itkis, Gene and Reyzin, Leonid}, editor={Kilian, Joe}, year={2001}, pages={332–354}, collection={Lecture Notes in Computer Science}, language={en} }
+
+@inproceedings{Chase_Perrin_Zaverucha_2020, address={Virtual Event USA}, title={The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption}, ISBN={978-1-4503-7089-9}, url={https://dl.acm.org/doi/10.1145/3372297.3417887}, DOI={10.1145/3372297.3417887}, abstractNote={In this paper we present a system for maintaining a membership list of users in a group, designed for use in the Signal Messenger secure messaging app. The goal is to support private groups where membership information is readily available to all group members but hidden from the service provider or anyone outside the group. In the proposed solution, a central server stores the group membership in the form of encrypted entries. Members of the group authenticate to the server in a way that reveals only that they correspond to some encrypted entry, then read and write the encrypted entries.}, booktitle={Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security}, publisher={ACM}, author={Chase, Melissa and Perrin, Trevor and Zaverucha, Greg}, year={2020}, month=oct, pages={1445–1459}, language={en} }
+
+@misc{mcmillion2025keytransparencyarchitecture,
+  author       = {McMillion, Brendan},
+  title        = {Key Transparency Architecture},
+  howpublished = {Internet-Draft, IETF},
+  month        = jul,
+  year         = 2025,
+  note         = {draft-ietf-keytrans-architecture-04, Intended status: Informational},
+  month        = jul,
+  year         = 2025,
+}
+
+@inbook{Alwen_Coretti_Jost_Mularczyk_2020, address={Cham}, series={Lecture Notes in Computer Science}, title={Continuous Group Key Agreement with Active Security}, volume={12551}, ISBN={978-3-030-64377-5}, url={https://link.springer.com/10.1007/978-3-030-64378-2_10}, DOI={10.1007/978-3-030-64378-2_10}, abstractNote={A continuous group key agreement (CGKA) protocol allows a long-lived group of parties to agree on a continuous stream of fresh secret key material. The protocol must support constantly changing group membership, make no assumptions about when, if, or for how long members come online, nor rely on any trusted group managers. Due to sessions’ long life-time, CGKA protocols must simultaneously ensure both post-compromise security and forward secrecy (PCFS). That is, current key material should be secure despite both past and future compromises.}, booktitle={Theory of Cryptography}, publisher={Springer International Publishing}, author={Alwen, Joël and Coretti, Sandro and Jost, Daniel and Mularczyk, Marta}, editor={Pass, Rafael and Pietrzak, Krzysztof}, year={2020}, pages={261–290}, collection={Lecture Notes in Computer Science}, language={en} }
+
+@inproceedings{Ruhault_Lafourcade_Mahmoud_2024, address={San Diego, CA, USA}, title={A Unified Symbolic Analysis of WireGuard}, ISBN={978-1-891562-93-8}, url={https://www.ndss-symposium.org/wp-content/uploads/2024-364-paper.pdf}, DOI={10.14722/ndss.2024.24364}, abstractNote={WireGuard [22], [21] is a Virtual Private Network (VPN), presented at NDSS 2017, recently integrated into the Linux Kernel [57] and paid commercial VPNs such as NordVPN, Mullvad and ProtonVPN [56]. It proposes a different approach from other classical VPN such as IPsec [29] or OpenVPN [48] because it does not let users configure cryptographic algorithms. The protocol inside WireGuard is a dedicated extension of IKpsk2 protocol from Noise Framework [49]. Different analyses of WireGuard and IKpsk2 protocols have been proposed, in both the symbolic and the computational model, with or without computer-aided proof assistants. These analyses however consider different adversarial models or refer to incomplete versions of the protocols. In this work, we propose a unified formal model of WireGuard protocol in the symbolic model. Our model uses the automatic cryptographic protocol verifiers SAPIC+, PROVERIF and TAMARIN. We consider a complete protocol execution, including cookie messages used for resistance against denial of service attacks. We model a precise adversary that can read or set static, ephemeral or pre-shared keys, read or set ecdh pre-computations, control key distribution. Eventually, we present our results in a unified and interpretable way, allowing comparisons with previous analyses. Finally thanks to our models, we give necessary and sufficient conditions for security properties to be compromised, we confirm a flaw on the anonymity of the communications and point an implementation choice which considerably weakens its security. We propose a remediation that we prove secure using our models.}, booktitle={Proceedings 2024 Network and Distributed System Security Symposium}, publisher={Internet Society}, author={Ruhault, Sylvain and Lafourcade, Pascal and Mahmoud, Dhekra}, year={2024}, language={en} }
+
+@article{Basin_Cremers_Dreier_Sasse_2022, title={Tamarin: Verification of Large-Scale, Real-World, Cryptographic Protocols}, volume={20}, rights={https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html}, ISSN={1540-7993, 1558-4046}, DOI={10.1109/MSEC.2022.3154689}, abstractNote={Tamarin is a mature, state-of-the-art tool for cryptographic protocol veriﬁcation. We introduce Tamarin and survey some of the larger, tour-de-force results achieved with it. We also show how Tamarin can formalize a wide range of protocols, adversary models, and properties, and scale to substantial, real-world, veriﬁcation problems.}, number={3}, journal={IEEE Security \& Privacy}, author={Basin, David and Cremers, Cas and Dreier, Jannik and Sasse, Ralf}, year={2022}, month=may, pages={24–32}, language={en} }
+
+@misc{rfc5869,
+    series =    {Request for Comments},
+    number =    5869,
+    howpublished =  {RFC 5869},
+    publisher = {RFC Editor},
+    doi =       {10.17487/RFC5869},
+    url =       {https://www.rfc-editor.org/info/rfc5869},
+    author =    {Hugo Krawczyk and Pasi Eronen},
+    title =     {{HMAC-based Extract-and-Expand Key Derivation Function (HKDF)}},
+    pagetotal = 14,
+    year =      2010,
+    month =     may,
+    abstract =  {This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.},
+}
+
+@techreport{mcMillion2025keytrans,
+  author       = {McMillion, Brendan},
+  title        = {{Key Transparency Architecture}},
+  institution  = {IETF Internet-Draft},
+  type         = {Internet-Draft},
+  number       = {draft-ietf-keytrans-architecture-04},
+  year         = {2025},
+  month        = jul,
+  day          = {7},
+  note         = {Intended status: Informational; Expires 8 January 2026},
+  url          = {https://datatracker.ietf.org/doc/draft-ietf-keytrans-architecture/}
+}
--- a/sections/abstract.tex
+++ b/sections/abstract.tex
@@ -0,0 +1,11 @@
+\begin{abstract}
+Nested ratchet protocols—such as Sender Keys and 
+Megolm—combine pairwise peer-to-peer
+double-ratchet channels with a server-assisted fan-out layer to scale 
+end-to-end encrypted group messaging. Despite the widespread deployment
+of nested ratchet protocols, including in WhatsApp, Signal, Matrix, and Facebook Messenger, their security properties are typically analyzed
+piecemeal rather than in a single unified model. Thus, we define the unified nested ratchet protocol primitive to capture the security guarantees of Sender Keys and Megolm. We present a symbolic, mechanized model of the nested ratchet protocol in ProVerif, and instantiate it with canonical designs and faithful encodings of Sender Keys and Megolm. We formalize and evaluate core properties, including message secrecy, mutual authentication, perfect forward secrecy, post-compromise security, and offline deniability. Using our models, we systematize compromise scenarios across the pairwise and fan-out layers, quantify how attacks propagate, and identify recovery conditions induced by
+session (re)generation. We analyze two design tradeoffs, 
+including signed vs. unsigned pre-keys at the peer-to-peer layer (server trust vs. mutual deniability), and signatures vs. MACs at the fan-out layer (non-reputation vs. deniability).
+Our analysis also surfaces actionable recommendations for protocol implementors, including the use of forward-secure signatures, peer-to-peer layer pre-key signing, and fan-out layer encryption usage for two-party channels. We release our ProVerif models and scripts as reproducible artifacts to facilitate verification and comparison of future designs.
+\end{abstract}
--- a/sections/analysis.tex
+++ b/sections/analysis.tex
@@ -0,0 +1,93 @@
+We describe our analysis of the base nested ratchet protocol Megolm (as described by Matrix), and Sender Keys (as described by Signal, Whatsapp, and Facebook Messenger).
+
+\subsection{Sub-Protocol Properties}
+\label{sec:section label}
+
+Building up to our models of the nested ratchet protocol, Megolm, and Sender Keys, we construct simpler models of 3DH, X3DH, Olm, and Signal in isolation. For 3DH and X3DH, we re-prove the classic results on message secrecy and mutual authentication. For Olm and Signal, we re-prove message secrecy, mutual authentication, perfect forward secrecy, and post-compromise security. Notably, we also offer the first mechanization of offline initiator deniability and offline responder undeniability results for 3DH, X3DH, Olm, and Signal.
+
+\subsection{Symbolic Analysis Results}
+\label{sec:section label}
+
+We completely model the nested ratchet protocol, Megolm, and Sender Keys (encompassing Signal, Whatsapp, and Facebook Messenger) under X3DH within \textsc{ProVerif}. To inform and validate our models, we closely referenced the computational constructions of Sender Keys, Megolm, and Signal, referenced the relevant open-source implementations and documentation, and interfaced with the specification authors when necessary. We formalized and automatically proved properties P1-P6 with respect to the models of the nested ratchet protocol, Megolm, and Sender Keys. We also formalized P7 and P8 for use in our case studies.
+
+%and Signal, Whatsapp, and Facebook Messenger (
+
+%We prove properties P1-P6 hold 
+
+%- secrecy
+%- mutual authentication
+%- initiator deniability for megolm sessions
+%- responder undeniability for megolm sessions
+%- perfect forward secrecy over megolm msgs
+
+\subsection{Failure Case Analysis}
+\label{sec:section label}
+
+Using our models, we analyze the various failure cases of the nested ratchet protocol, Megolm, and Sender Keys. For conciseness, we jointly refer to the aforementioned protocols cumulatively, as the results are very similar, unless otherwise stated. We also refer to offline deniability simply as ``deniability'' unless otherwise stated. A stratification of our failure case analysis is shown in Table \ref{tab:failure-comparison}.
+
+\subsubsection{Failure Taxonomy}
+
+\capbox{\underline{\textbf{C1}}: Compromise of a single fan-out layer session ratchet key. \\
+\textbf{Properties violated}: P2}
+Message secrecy (P2) is violated until the compromised peer completes session regeneration and re-transmission. Note, perfect forward secrecy within a single fan-out session (P5) is maintained because session symmetric keys are ratcheted forward with each message.
+
+\capbox{\underline{\textbf{C2}}: Compromise of a single fan-out layer session public signing key. \\
+\textbf{Properties violated}: P4}
+Message deniability (P4) is violated until the compromised peer completes session regeneration and re-transmission. An observer may check the signature on all messages, past and present, within the session and prove attribution to the sender. Note, (P7) is also violated, as both post-compromise deniability and perfect forward deniability within sessions does not hold.
+
+\capbox{\underline{\textbf{C3}}: Compromise of a single fan-out layer session private signing key. \\
+\textbf{Properties violated}: P3, P4 for nested ratchet and Sender Keys; P4 for Megolm}
+Message deniability (P4) is violated for the nested ratchet protocol and its derivatives. Message authentication (P3) is violated for the nested ratchet protocol and Sender Keys; Megolm chooses to MAC messages, ensuring authentication remains in the case the private signing key is compromised. Both properties remain violated until session regeneration and re-transmission.
+
+\capbox{\underline{\textbf{C4}}: Compromise of a single complete fan-out layer session, including the public and public signing keys, and ratchet key. \\
+\textbf{Properties violated}: P2, P3, P4}
+This case can be seen as a composition of the previous cases. In the case a singular fan-out layer session compromise, message secrecy (P2), authentication (P3), and deniability (P4) are compromised until session re-generation and re-transmission.
+
+\capbox{\underline{\textbf{C5}}: Mutual Compromise of long-term static identity keys of a single P2P channel. \\
+\textbf{Properties violated}: None}
+No compromises: unless pre-keys remain unsigned, pre-key messages are secure. Equivalently, this result also expresses resistance against unknown keyshare attacks.
+
+\capbox{\underline{\textbf{C6}}: Compromise of a single chain key within a double ratchet P2P channel. \\
+\textbf{Properties violated}: P2, P3, P4}
+We observe any compromise in P2P double ratchet chain keys results in the compromise of any fan-out layer sessions enclosed within any message keys derived from the chain key. Therefore, (P2), (P3), and (P4) will be violated. Note, (P6) holds due to the self-healing property of the double ratchet.
+\capbox{\underline{\textbf{C7}}: Compromise private pre-key and static identity material of a single peer. \\
+\textbf{Properties violated}: P2, P3, P4} The same as the previous scenario: (P2), (P3), and (P4) are violated until the next fan-out layer session is re-generated and re-transmitted.
+
+\subsubsection{Observed Patterns \& Insights}
+The previous failure taxonomy highlights a few patterns present across both Megolm and Sender Keys:
+
+
+\begin{itemize}[leftmargin=*, align=parleft, label=~$\bullet$~]
+
+\item\noindent\textbf{Universal deniability failures}. Across most compromise scenarios, both Megolm and Sender Keys fail deniability (P4) and strong deniability (P7). 
+
+\item \noindent\textbf{Megolm's MAC advantage}. Only Megolm maintains authentication (P3) when the private signing key is compromised (C3) due to its additional MAC verification on fan-out messages.
+
+\item \noindent\textbf{P2P compromises cascade}. Any P2P layer compromise (C6, C7) breaks nearly everything at the fan-out layer, showing the compositional vulnerability at play.
+
+\item\noindent\textbf{PFS/PCS resilience}. Both Sender Keys and Megolm maintain perfect forward secrecy (P5) and post-compromise security (P6) reasonably well, validating the ratcheting design. This conclusion, however, acknowledges each peer re-establishing sessions with each other peer is a polynomial-complexity operation; this is precisely the scenario where MLS improves upon Nested Ratchet-based protocol designs.
+
+\end{itemize}
+
+%- leaking peer-layer ephemeral keys compromises a single session
+%- leaking peer-layer long-term keys only compromises pre-key messages, and thus a single session, if pre-keys are not signed
+%- leaking session ratchet keys compromises all messages until retransmission
+%- leaking session signatures compromises the deniability of all messages of the session
+
+\subsection{P2P layer pre-key post-compromise message secrecy vs mutual deniability}
+\label{sec:section label}
+
+Designers of secure point-to-point messengers in the client-server model are faced with the decision of whether users should upload signed or unsigned pre-key material to the central server. 
+
+If pre-key messages are \textit{signed} by the long-term identity key, users no longer to place trust the central server; however, offline deniability for the uploader of the pre-key material (also generally the responder to the authenticated key exchange handshake) trivially does not hold, as a judge may simply be presented with the signed pre-keys as proof of protocol participation. If pre-key messages remain \textit{unsigned} more trust must be placed in the central server, as handshake becomes vulnerable to an unknown keyshare attack and thus results in pre-key message leakage if static identity keys are leaked. However, mutual deniability (i.e. property P8) is completely ensured as pre-keys are no longer signed.
+
+The Olm documentation briefly alludes to this tradeoff. We go ahead and mechanize this tradeoff in \textsc{ProVerif}, and most importantly show the entire nested ratchet protocol is deniable to parties external to the group, modulo compromises, if all P2P-layer pre-keys remain unsigned. One observation we make is mutual deniability in the P2P layer is not sufficient to post-compromise and perfect forward deniability (a la property P7) for the entire protocol, which we now elaborate upon. 
+
+\subsection{Fan-out layer non-repudiation vs deniability}
+\label{sec:section label}
+
+We identify a similar trade-off in the fan-out layer of the nested ratchet protocol and its derivatives. Signing all fan-out layer messages with a private key serves to ensure messages cannot be forged within a group; however, in the case any one of the peers are compromised, thereby compromising the public key, deniability for all past and future messages within the session is compromised (i.e. property P7 is violated). 
+
+Thus, the nested ratchet protocol may choose to leave fan-out layer messages \textit{unsigned} and alternatively ensure message authentication via MACs. We mechanize this tradeoff in \textsc{ProVerif}. We observe signatures versus MACs trades non-reputation for mutually deniability both \textit{within} the group (i.e. property P8), as well post-compromise and forward secret deniability (i.e. property P7).
+
+\input{diagrams/fail-cases}
--- a/sections/background.tex
+++ b/sections/background.tex
@@ -0,0 +1,215 @@
+We build up the necessary machinery for our work, including descriptions of the underlying cryptographic primitives, handshakes, component sub-protocols, and a formal description of the nested ratchet protocol.
+
+\subsection{Cryptographic Building Blocks}
+\label{sec:section label}
+
+We overview the relevant cryptographic primitives and specify the notation we employ.
+
+\noindent\textbf{Cryptographic Signatures}. A signature scheme consists
+of three algorithms: \textsf{SignGen()}, which outputs a public/private 
+keypair \textsf{(pk, sk)}; \textsf{Sign(\textsf{sk}, \textit{m})}, which 
+$\sigma$; \textsf{CheckSign(\textsf{pk}, \textit{m}, $\sigma$)}, 
+which takes a public key \textsf{pk}, a message \textit{m}, and a signature
+$\sigma$, and outputs a boolean indicating the validity of the signature.
+For a given keypair \textsf{(pk, sk)}, the algebraic relation \textsf{CheckSign(pk, \textit{m}, Sign(sk, \textit{m}))} $=$ \textsf{True}
+will hold.
+
+\noindent\textbf{Diffie-Hellman (DH) key exchange}. The DH
+key exchange is a cryptographic method that allows 
+two parties to establish a shard secret over an insecure channel. 
+Diffie-Hellman consists of two functions: \textsf{DH\_Gen()}, which outputs
+a public/private keypair \textsf{(pk, sk)}, and \textsf{DH(sk, pk)}, 
+which outputs a string. For two given keypairs generated by \textsf{DH\_Gen()}
+\textsf{(pk\textsubscript{A}, sk\textsubscript{A})}, \textsf{(pk\textsubscript{B}, sk\textsubscript{B})}, the algebraic relation
+\textsf{DH(sk\textsubscript{A}, pk\textsubscript{B})} $=$ \textsf{DH(sk\textsubscript{B}, pk\textsubscript{A})} holds.
+
+\noindent\textbf{Message Authentication Codes (MAC)}. 
+A MAC provides message authenticity and integrity assurance. 
+It consists of two algorithms: \textsf{MAC(k, \textit{m})} which takes
+a secret key \textsf{k} and message \textit{m}, outputting a 
+tag \textsf{t}; and \textsf{CheckMac(k, \textit{m}, t)} which outputs 
+a boolean indicating validity. Formally, 
+\textsf{CheckMac(k, \textit{m}, MAC(k, \textit{m}))} = \textsf{True} holds for all correctly computed tags. MACs instantiated with a hash function are denoted as \textsf{HMAC}.
+
+\noindent\textbf{Symmetric Encryption}. Symmetric encryption provides confidentiality using a single shared secret key for both encryption and decryption. A symmetric encryption scheme consists of two algorithms: \textsf{Encrypt(k, \textit{m})} outputs ciphertext \textsf{c} given a key \textsf{k} and message \textit{m}; \textsf{Decrypt(k, c)} outputs the original message \textit{m}. The algebraic relation \textsf{Decrypt(k, Encrypt(k, m))} = \textsf{m} holds for all correctly encrypted messages.
+
+\noindent\textbf{Authenticated Encryption with Associated Data (AEAD)}. AEAD schemes simultaneously ensure message confidentiality, authenticity, and integrity, optionally incorporating associated data. AEAD is defined by two algorithms: \textsf{AEAD\_ENC(k, \textit{m}, \textit{ad})}, outputting a ciphertext \textsf{c} given a key \textsf{k}, message \textit{m}, and associated data \textsf{ad}; \textsf{AEAD\_DEC(k, c, \textit{ad})} returns message \textit{m} or a symbol indicating failure otherwise. The algebraic relation \textsf{AEAD\_DEC(k, AEAD\_ENC(k, \textit{m}, \textit{ad}), \textit{ad})} = \textsf{m} holds.
+
+\noindent\textbf{Hash Functions}. Cryptographic hash functions deterministically map arbitrary-length inputs to fixed-length outputs, satisfying collision resistance and pre-image resistance. Formally, a hash function \textsf{Hash(m)} outputs a string \textsf{h} of fixed length. Computational hardness ensures it is infeasible to find distinct \textsf{m} and \textsf{m'} where \textsf{Hash(m)} = \textsf{Hash(m')} or to derive \textsf{m} from \textsf{h}.
+
+\noindent\textbf{Key Derivation Functions}. A Key Derivation Function (KDF) is a cryptographic algorithm that derives one or more secrets from a master secret. We universally employ HMAC-based Extract-and-Expand Key Derivation Function (HKDF) \cite{rfc5869} instantiated with a collision-resistant hash function. We denote HKDFs as \textsf{HKDF(master)} $\rightarrow$ \textsf{(k\textsubscript{1}, \ldots, k\textsubscript{n})}, where \textsf{master} denotes master key, and \textsf{(k\textsubscript{1}, \ldots, k\textsubscript{n})} denotes the derived keys.
+
+\newcolumntype{L}{>{\raggedright\arraybackslash}p{4cm}}
+\newcolumntype{R}{>{\raggedright\arraybackslash}p{7cm}}
+\begin{table}[h]
+    \footnotesize
+    % \small
+    \centering
+    % \begin{tabular}{L!{\color{gray}\vrule width 0.4pt}R}
+    % \begin{tabular}{L!{\color{black!70}\vrule width 0.4pt}R}
+    \begin{tabularx}{\columnwidth}{l!{\color{black!70}\vrule width 0.4pt\hspace{0.5em}}X}
+    \toprule
+    \textbf{Symbol} & \textbf{Description} \\
+    \midrule
+    \textsf{SignGen()} $\rightarrow$ \textsf{(sk, pk)} & Generates a signing keypair \\
+    \textsf{Sign(\textsf{sk}, \textit{m})} $\rightarrow$ $\sigma$ & Produces a signature $\sigma$ on \textit{m} using \textsf{sk} \\
+    \textsf{CheckSign(\textsf{pk}, \textit{m}, $\sigma$)} & Takes a public key \textsf{pk}, a string \textit{m}, and a signature $\sigma$; outputs a boolean indicating validity \\
+    \midrule
+    \textsf{DH\_Gen()} $\rightarrow$ \textsf{(sk, pk)} & Generates a DH keypair \\
+    \textsf{DH(sk, pk)} $\rightarrow$ str & Computes DH exponentiation \\
+    \midrule
+    \textsf{X25519\_Gen()} $\rightarrow$ \textsf{sk, pk} & Generates a keypair capable of signing and encryption \\
+    \midrule
+    \textsf{MAC(k, \textit{m})} $\rightarrow$ \textsf{t} & Takes
+a key \textsf{k} and message \textit{m}; outputs a 
+tag \textsf{t} \\
+    \textsf{CheckMac(k, \textit{m}, t)} & Takes
+    a key \textsf{k}, a message \textit{m}, and a tag \textsf{t}; outputs a boolean indicating validity \\
+    \midrule
+    \textsf{Encrypt(k, \textit{m})} $\rightarrow$ \textsf{c} & Takes a key \textsf{k}, a plaintext \textit{m}; ouptuts a ciphertext \textsf{c} \ \\
+    \textsf{Decrypt(k, c)} $\rightarrow$ \textit{m} & Takes a key \textsf{k}, a ciphertext \textsf{c}; outputs the plaintext \textit{m} \\
+    \midrule
+    \textsf{AEAD\_ENC(k, \textit{m}, \textit{ad})} $\rightarrow$ \textsf{c} & Takes a key \textsf{k}, a plaintext \textit{m}, and associated data \textit{ad}; outputs a ciphertext \textsf{c} \\
+    \textsf{AEAD\_DEC(k, c, \textit{ad})} $\rightarrow$ \textit{m} & Takes a key \textsf{c}, a ciphertext \textsf{c}, and associated data \textit{ad}; outputs plaintext \textit{m} \\
+    \midrule
+    \textsf{Hash(m)} $\rightarrow$ \textsf{h} & Takes a string \textsf{m}; outputs a hash \textsf{h}. Assumed to be collision-resistant. \\
+    \midrule
+    \textsf{HKDF(mk)} $\rightarrow$ \textsf{(k\textsubscript{1}, \ldots, k\textsubscript{n})} & Takes a ``master'' key \textsf{mk}, and outputs a set of keys \textsf{(k\textsubscript{1}, \ldots, k\textsubscript{n})} \\
+    \bottomrule
+    \end{tabularx}
+    \caption{Notation for employed Cryptographic primitives.}
+    \label{tab:symbols}
+\end{table}
+
+\subsection{Handshakes}
+\label{sec:section label}
+
+Fundamental to nested ratchet protocols is authenticated key exchange (AKE), which builds on Diffie-Hellman with cryptographic signatures to establish authenticated, shared secrets between two parties over an insecure channel \cite{auth}. AKE generally relies upon verification of public/private key pairs between parties \textit{out-of-band} to prevent unknown key-share attacks.
+
+To achieve \textit{asynchronous} messaging, as well as cryptographic deniability for the conversation intiator, AKE is extended with an always-online intermediary server that (1) retains initial key exchange ``pre-key'' material of users, and (2) retains and transmits encrypted messages. The intermediary server need not be trusted to ensure the secrecy, authenticity, and integrity of transmitted messages.
+
+\input{diagrams/ake-server.tex}
+
+In practice, pre-key bundles do not just consist of the (signed) public material of a single key pair. Multiple key pairs are generally employed, with Diffie-Hellman exchanges crossed between the different key pairs, and the result concatonated together and passed through a key derivation function. 
+
+\begin{itemize}[leftmargin=*, align=parleft, label=~$\bullet$~]
+  \item \textit{Triple Diffie-Hellman} (3DH) combines DH operations between static long-term keys and signed ephemeral one-time use keys -- this way, the derived key remains secure in the case long-term are later compromised \cite{matrixorg_olm_repo}.
+  \item  \textit{Extended Triple Diffie-Hellman} (X3DH), which was notably used by Signal for scaling asynchronous messaging, combines long-term static keys, signed medium-term pre-keys, and one-time use pre-keys -- one-time pre-keys are selected from a set of one-time pre-keys provided to the server. This way, each asynchronous handshake uses a unique one-time pre-key \cite{Marlinspike_Perrin_X3DH}.
+  \item  \textit{Post-Quantum Extended Diffie-Hellman} (PQXDH), combines Diffie-Hellman key exchanges over classical primitives such as RSA or elliptic curve cryptography with post-quantum primtivies via key encaptulation \cite{Kret_Schmidt_PQXDH}.
+\end{itemize}
+
+\subsection{Signal, Olm, and the Double Ratchet}
+\label{sec:section label}
+
+After deriving a symmetric key through an authenticated handshake protocol, secure peer-to-peer messaging in modern protocols, including Signal and Olm, almost universally employ the \textit{Double Ratchet} algorithm. We only describe the Double Ratchet in brief -- we refer the reader to \cite{Moxie_DoubleRatchet} for the complete description. Messages transmitted with the Double Ratchet algorithm, notably, carry post-compromise security and perfect forward secrecy guarantees in addition to the secrecy and authentication guarantees one would achieve with an authenticated encryption scheme. In short, the Double Rachet achieves this by (1) continually hasing ``racheting'' forward the shared symmetric key, (2) continually re-negotiating new Diffie-Hellman keys, and encrypting messages with a key derived via passing the results from the aforemetioned steps into a key derivation function.
+
+\subsection{Session Sharing \& Server-Side Fan-Out}
+\label{sec:section label}
+
+One could reasonably argue secure peer-to-peer messaging is ``solved'' by composing X3DH or PQXDH with the Double Ratchet, as we achieve our desired properties: secrecy, authentication, deniability, post-compromise security, perfect forward secrecy, and asynchronicity. However, the same certainly cannot be said for secure group communication protocols. Group messaging protocols must cope with two orthogonal scaling dimensions:
+\begin{itemize}[leftmargin=*, align=parleft, label=~$\bullet$~]
+  \item \textit{Group fan-out}. A single ciphertext created by the sender should efficiently reach $n-1$ recipients without $n-1$ separate public-key operations at the sender.
+  \item \textit{Dynamic Group Membership}. Group membership does not remain fixed: peers may be added or removed, necessitating another round of key agreement to add the new user or exclude the old user.
+\end{itemize}
+
+\noindent Both problems are addressed with \textit{session-sharing messages} and a \textit{server-side fan-out} layer that sits \textit{above} the pairwise Double Ratchet channels and \textit{below} the application payload. In general, message communication within a group relies upon the key material within sessions as opposed to the pairwise Double Ratchet channels.
+
+%To communicate within a group, peers rely on \textit{sessions} to secure transmitted messages as opposed to the pairwise Double Ratchet channels.
+\noindent\textbf{Sessions}. Broadly, \textit{sessions} include a symmetric ratchet key for message encryption and encryption, as well as a signing key pair for message identification. Each peer creates their own session. Thus, a \textit{session-sharing message}, which each peer distributes to every other peer, encaptulates the symmetric ratchet key and the public key of the signing keypair. To transmit a message, the sending peer will ratchet their symmetric key forward with a cryptographic hash function, encrypt their message, and sign; the receiving peer will check the signature, ratchet their symmetric key forward to match the sender, and decrypt.
+
+\input{diagrams/session-trans.tex}
+
+\noindent\textbf{Server-side Fan-out}. Once a peer's sessions are transmitted to each other peer, group communication is conducted through \textit{server-side fan-out}. That is, the sending peer will send a message to the central server, and the server will ``fan'' the message out to each receiving peer. Combined with the already-established sessions, public-key operations between pairwise peers is avoided.
+
+\noindent\textbf{Group Updates}. Whenever the group is updated, or a peer is compromised, each peer simply generates a new session and transmits it to each other peer through the already established peer-to-peer Double Ratchet channels.
+
+One can see post-compromise security stems from session re-establishment through group updates, and perfect forward secrecy stems from ratcheting forward the session's symmetric key. 
+
+\subsection{Nested Ratchet Protocol Definition}
+\label{sec:section label}
+
+We are now ready to define the \textit{nested ratchet protocol}. 
+Informalaly, nested ratchet protocols \textit{stack} two layers of 
+distinct ratcheting protocols as such:
+
+\begin{itemize}[leftmargin=*]
+  \item \textbf{P2P layer}. Ordinary Double Ratchets-based 
+        communication channels that
+        carry only the occasional \textsc{SessionShare} control
+        messages; they provide secrecy and authentication, but may also 
+        provide deniability, perfect forward secrecy, and post-compromise security.
+  \item \textbf{Fan-out layer}. A lightweight symmetric ratchet per
+        sender; one ciphertext is uploaded and blindly fanned out,
+        giving $O(1)$ work for the sender regardless of group size.
+\end{itemize}
+
+\noindent With this intution, we now provide the complete definition. 
+
+\begin{mydef}[Nested Ratchet Protocol]\hfill\\
+Let $U=\{u_1,\dots,u_n\}$ be a dynamic set of participants.  
+A \emph{Nested Ratchet Protocol} consists of  
+\begin{enumerate}[label=(\roman*),leftmargin=*]
+  \item A set of pairwise \textbf{Double Ratchet channels}
+        $\mathcal D=\bigl\{D_{i,j}\mid u_i,u_j\in U,\;i\neq j\bigr\}$ established through authenticated key exchange between each pair of peers
+  \item For each sender $u_s\in U$, a \textbf{fan-out ratchet}  
+    $R_s=(\mathsf{rk}_s,\mathsf{sk}_s, \mathsf{pk}_s, i)$,  
+        where $\mathsf{rk}_s$ is a symmetric \emph{chain key},
+        $\mathsf{sk}_s/\mathsf{pk}_s$ is a signing key-pair, and $i$ is 
+        the \textit{ratchet index}
+\end{enumerate}
+
+\noindent The protocol exports four operations:
+\begin{itemize}[leftmargin=*]
+  \item \textsc{SessionShare}$(u_s)$ --- sends  
+        $(\mathsf{rk}_s,\mathsf{pk}_s, i)$ through each $D_{s,j}$;
+  \item \textsc{SessionGen}$(u_s)$ --- generates a new ratchet key $\mathsf{rk}_s$, 
+        computes a new signing key pair $(\textsf{pk}_s, \textsf{sk}_s)$ with $\textsf{SignGen()}$,
+        sets $i=0$, and stores $(\mathsf{rk}_s,\mathsf{sk}_s, \mathsf{pk}_s, i)$. 
+        The previous session locally purged; however other peers may choose to hold onto the old session.
+  \item \textsc{Send}$(u_s,m)$ --- updates  
+        $\mathsf{rk}_s\leftarrow \textsf{Hash}(\mathsf{rk}_s)$, 
+        computes \texttt{++i},
+        $c = $ \textsf{Encrypt($k$, $m$)}, and $\sigma_c$ = \textsf{Sign(\textsf{sk}$_s$, $c$)},
+        then uploads ($c$, $\sigma_c$, $i$) to the fan-out server. The fan-out server forwards the message to each receiving peer.
+  \item \textsc{Recv}$(u_r,c, \sigma_c, i_c)$ --- retrives the 
+        stored session $(\textsf{rk}_r, \textsf{pk}_r, i_r)$, 
+        computes $\textsf{CheckSign}(\textsf{pk}_r, c, \sigma_c)$, iterates
+        $\mathsf{rk}_r\leftarrow \textsf{Hash}(\mathsf{rk}_r)$ $i_c - i_r$ times, 
+        then finally computes $m = \textsf{Decrypt(rk$_r$, $c$)}$
+\end{itemize}
+\end{mydef}
+
+\subsection{Real World Instantiations of the Nested Ratchet Protocol}
+\label{sec:section label}
+Instantions of the nested ratchet protocol as defined in the previous section are widely deployed in practice. 
+Megolm as deployed by the Matrix protocol uses 3DH for the P2P layer, and a custom ratchet scheme for the fan-out layer. ``Sender Keys'' as deployed 
+by Whatsapp and Facebook Messenger, choose to use X3DH for the P2P layer, while Signal uses PQXDH in composition with a secure membership maintence protocol \cite{Chase_Perrin_Zaverucha_2020} for the P2P layer. We provide an example of the Nested Ratchet Protocol instantiated with 3DH as the P2P layer (similar to Matrix's Megolm) in Figure \ref{fig:megolm}. Furthermore, a comparison of the prominent nested ratchet protocol implementations deployed in practice is shown in Table \ref{tab:crypto-summary}. 
+
+\input{diagrams/megolm.tex}
+
+\begin{table*}[ht]
+\caption{Comparison of Nested Ratchet Protocol Implementations}
+\label{tab:crypto-summary}
+\centering
+\scriptsize
+\setlength{\tabcolsep}{6pt} % More padding between columns
+\renewcommand{\arraystretch}{1.2} % More vertical space
+\begin{tabularx}{0.8\textwidth}{l Y Y Y Y Y}
+  \toprule
+  \textbf{Protocol} & \textbf{P2P AKE} & \textbf{P2P Msging} &
+\textbf{Fan-out Ratchet} & \textbf{Fan-out Enc.} & \textbf{Fan-out Sig.} \\
+\midrule
+Signal\textsuperscript{\dag} \cite{SignalSenderKeysRust} & PQXDH & Double Ratchet & HMAC-SHA256 & AES-CBC & Curve25519 \\ 
+WhatsApp \cite{WhatsAppSecurity2024} & X3DH & Double Ratchet & HMAC-SHA256 & AES-CBC & Curve25519 \\
+Matrix\textsuperscript{\P} \cite{matrixorg_megolm_doc} & 3DH & Double Ratchet & HMAC-SHA256 & AES-CBC & Curve25519 \\
+Facebook Messenger \cite{MetaMessengerE2EE2023} & X3DH & Double Ratchet & HMAC-SHA256 & AES-CBC & Curve25519 \\
+Session \cite{Jefferys2020SessionProtocol} & Auth.DH & XChaCha20-Poly1305 & None & XChaCha20-Poly1305 & Curve25519 \\
+\bottomrule
+\end{tabularx}
+
+\vspace{1pt}
+\textsuperscript{\dag}For Signal, Sender Keys was obscoleted by Signal Groups v2 \cite{Chase_Perrin_Zaverucha_2020}, yet still \\ employed in-practice \cite{Balbas_SK}. Key Transparency \cite{mcmillion2025keytransparencyarchitecture} is used for identity verification. \\
+\textsuperscript{\P}For Matrix, a MAC is included in fan-out messages \cite{matrixorg_megolm_doc}.
+\end{table*}
+
+
--- a/sections/conclusion.tex
+++ b/sections/conclusion.tex
@@ -0,0 +1,11 @@
+We have presented a formal description of the nested ratchet protocol, instantiated with representative designs used in practice 
+such as Sender Keys and Megolm, as well as the first
+unified, mechanized cryptographic analysis.
+Our results demonstrate that core guarantees, including
+secrecy, mutual authentication, perfect forward secrecy, 
+and post-compromise security, hold under standard assumptions.
+We also present the first mechanized treatment of offline deniability 
+for this class of protocols. 
+We provide a detailed analysis of the compromise scenarios across pairwise and fan-out layers, clarifying how failures propagate and when recovery occurs (e.g. upon session regeneration or double ratchet-based self-healing).
+
+Our analysis and formal models underscore two key design choices when constructing and implementing a nested ratchet protocol: (1) the deniability and trust implications of signed vs. unsigned pre-keys, and (2) the trade-off between non-reputation and deniability when choosing signatures vs. MACs for fan-out. Based on the tradeoffs we identity, as well as our formal analysis, we provide additional concrete recommendations for protocol implementers. Ultimately, in addition to the concrete results our analysis provides, our work demonstrates the utility of formal methods and computer-aided reasoning for constructing and verifying secure protocols.
--- a/sections/discussion.tex
+++ b/sections/discussion.tex
@@ -0,0 +1,14 @@
+We elaborate on our findings and provide concrete recommendations for implementers of the nested ratchet protocol and its derivatives.
+
+\subsection{Recommendations for protocol implementers}
+\label{sec:recs}
+
+\noindent\textbf{Let users choose to leave P2P-layer pre-keys unsigned}. We recommend implementers of the nested ratchet protocol and its derivatives to provide users with the option to leave P2P-layer authenticated key exchange pre-keys (i.e. those used in 3DH/X3DH/PQXDH) unsigned. This way, mutual deniability of the P2P layer and thus mutual deniability of the cumulative nested ratchet protocol is maintained. In this case, the user should be notified of the tradeoff between trusting the central server and mutual deniability. 
+
+\noindent\textbf{Use forward-secure signatures for fan-out layer messaging}.
+We find nested ratchet protocol derivatives, including Sender Keys and Megolm, needlessly compromise on post-compromise deniability guarantees by signing all messages in a single fan-out layer session with one private signing key. If a session's public signing key is compromised (i.e. any of the users in the group are compromised), every message in that session, past and future, may be provably attributed to the sender. To avoid this scenario, we advise implementors of the nested ratchet protocol or its derivatives to employ \textit{forward-secure signatures} in fan-out layer sessions as opposed to static signatures \cite{Itkis_Reyzin_2001}. Using such a primitive, signing keys may be ratcheted concurrently with the symmetric encryption key to provide perfect forward deniability. 
+% https://www.cs.bu.edu/~reyzin/papers/forwardsig-optimal.pdf
+
+
+\noindent\textbf{Do not use fan-out layer encryption for two-party channels}.
+Federated secure communication protocols like Matrix, which employ Megolm as a critical sub-protocol, choose to ensure even peer-to-peer messaging uses the fan-out layer protocol. Matrix ``rooms'' always use Megolm over Olm, even for 1:1 rooms.\footnote{See \href{https://matrix.org/docs/matrix-concepts/end-to-end-encryption/}{matrix.org/docs/matrix-concepts/end-to-end-encryption}. Note, direct messages (i.e. ``m.direct'' in element) are still constructed as rooms.} Our analysis clearly shows this should not be done: Olm should be always used for the 1:1 setting. Fan-out layer protocols such as Megolm intentionally compromise on post-compromise security and initiator deniability to accomidate the group chat setting specifically, and thus should not be used over Olm or Signal in the two-party setting. 
--- a/sections/intro.tex
+++ b/sections/intro.tex
@@ -0,0 +1,80 @@
+
+End-to-end encryption represents the foundation for 
+security, privacy, trust, and compliance for all services 
+on the internet. Several protocols supporting end-to-end encryption 
+exist, all serving different purposes. 
+Transport Layer Security (TLS) \cite{rfc8446} and 
+Quick UDP Internet Connections (QUIC) \cite{rfc9369} 
+secure web traffic; Wireguard \cite{Donenfeld_2017}, 
+OpenVPN \cite{openvpn} secure point-to-point tunneling, and Tor \cite{Dingledine_Mathewson_Syverson_2004} secures multi-hop routing. 
+One such use case --- instant messaging --- has become particularly 
+ubiquitous in today's society. 
+
+While secure instant messaging protocols strive for the same 
+high-level cryptographic properties as other standard protocols 
+such as TLS --- secrecy, authentication, and integrity --- instant 
+messaging carries several subtleties that lead to differences in
+overall protocol design. First, messaging is \textit{asynchronous}:
+an \textit{online} peer must be able to send messages to an 
+\textit{offline} peer, and the offline peer must then receive
+the messages upon coming online. Therefore, parties must rely 
+on a potentially untrusted central server to initiate 
+authentication, key exchange, and message coordination. Second,
+conversations are \textit{long-lived}; unlike TLS connections, 
+which typically last a few seconds, instant messaging conversations 
+may go on for years and carry both sensitive and non-sensitive 
+messages. Thus, it is likely an endpoint will be compromised 
+during a conversation lifetime, necessitating measures protecting 
+conversation contents in long-term key compromise scenarios. 
+Third, conversations are ideally \textit{deniable}, allowing 
+participants to protect their own privacy by plausibly denying 
+the authorship of a given message or transcript. Fourth, message
+transcripts are ideally \textit{restorable}: users expect to be
+able to restore their message conversation history from a server 
+given the right credentials, thereby introducing additional 
+challenges for the integrity, authentication, and confidentiality 
+of stored messages on untrusted servers.
+
+For our properties of interest, it is unquestionable that the 
+Signal protocol has fully emerged as the best-in-class solution 
+for peer-to-peer messaging. The Signal protocol offers secrecy, 
+authentication, integrity, deniability, and asynchronicity
+through the Extended Triple Diffie-Hellman handshake \cite{Marlinspike_Perrin_X3DH}, long-lived
+conversation security through the post-compromise and perfect 
+forward secrecy guarantees of the double ratchet \cite{Moxie_DoubleRatchet}, restorability 
+through Signal's sub-protocol, Sesame \cite{Moxie_Sesame}, and post-quantum security
+through the advent of the PQXDH key agreement protocol \cite{Kret_Schmidt_PQXDH}. Signal 
+has been the subject of ample formal analysis, rigorously proving 
+both on-paper and with proof assistants that each of the 
+aforementioned 
+properties hold \cite{Bhargavan_PQXDH, cremers_signal, alwen_doubleratchet, VatandasDeny, bhargavan_dy}. 
+
+Signal, today, is extremely dominant in secure messaging. It is a reasonable statement to say that every modern end-to-end encrypted messaging protocol is, in fact, a derivative of the Signal protocol. However, the Signal protocol has a single critical caveat: its excellent guarantees fall apart for group messaging. The group messaging scenario carries similar subtleties and desired high-level properties, with the obvious caveat of a shared transcript history. However, at the time of writing, no universal solution akin to what Signal is for peer-to-peer messaging exists for secure group messaging. The current state of secure group messaging is fragmented between tree-based group key agreement schemes such as Messaging Layer Security \cite{rfc9420}, and protocols that \textit{compose} a group fan-out layer with secure peer-to-peer channels such as Sender Keys and Megolm. While there has been excellent recent work done on Messaging Layer Security \cite{Wallez_TreeSync, Wallez_TreeKEM}, the composite-type protocols remain dominant for group messaging in-practice. Sender Keys is directly deployed by WhatsApp \cite{WhatsAppSecurity2024}, Facebook Messenger \cite{MetaMessengerE2EE2023}, Signal \cite{SignalSenderKeysRust}, and Session \cite{Jefferys2020SessionProtocol}; Megolm is deployed by Matrix,\footnote{See \href{https://matrix.org/docs/matrix-concepts/end-to-end-encryption/}{matrix.org/docs/matrix-concepts/end-to-end-encryption} for more details.} which is in turn widely deployed by both governemnts and the private sector \cite{Albrecht_Dowling_Jones}. 
+
+Thus, to analyze this flavor of group communication protocol, namely Sender Keys and Megolm, within a single security model, we define the generalized \textit{nested ratchet protocol} primitive. We define the nested ratchet protocol as a protocol that constitutes two main features: (1) a double ratchet-based peer-to-peer channel such as Signal, which securely communicates (2) a \textit{session} containing a signing keypair and symmetric key, which is then ratcheted forward to encrypt and decrypt fanned out group communications. Informally, we name these two composite features the \textit{peer-to-peer (P2P)} layer and the \textit{fan-out} layer respectively.
+
+While there has been previous work studying nested ratchet protocols, namely Sender Keys \cite{Balbas_SK} and Megolm \cite{Albrecht_Dowling_Jones} in isolation, several questions are left unanswered by the literature:
+\begin{itemize}[leftmargin=*, align=parleft, label=~$\bullet$~]
+
+  \item \noindent\textbf{Nested ratchet protocols generally assume the underlying peer-to-peer channel is secure. What happens if that assumption is broken?} 
+    Broadly, nested ratchet protocols treat the underlying peer-to-peer channels as a black box and assume their security \cite{matrixorg_megolm_doc}. If this assumption fails, how is the broader fan-out layer protocol affected? If peer-to-peer channels have post-compromise security guarantees (i.e. double ratchet is used), what do recovery scenarios look like? The failure and recovery scenarios of nested ratchet protocols have yet to be thoroughly studied.
+
+\item \noindent\textbf{What are the deniability guarantees of nested ratchet protocols?}
+  The deniability of Triple Diffie Hellman, Extended Triple Diffie Hellman, PQXDH, and Authenticated Key Exchange --- the peer-to-peer channel protocols --- are well-studied \cite{VatandasDeny, FiedlerPQXDHdeny}. However, it remains an open question whether or not nested ratchet protocols such as Sender Keys and Megolm preserve the deniability guarantees of their peer-to-peer channels.
+
+\item \noindent\textbf{Do nested ratchet protocols hold up under the scrutiny of formal verification?}
+  In recent years it has become the standard to incorporate formal verification techniques into the design and evaluation of both novel and historical protocols, both inside and outside the cryptographic sphere \cite{SoK_CAC}. However, nested ratchet protocols, including Sender Keys and Megolm, have not received such a treatment. Previous work is hand-written and has not been mechanized \cite{Balbas_SK, Albrecht_Dowling_Jones}. Until this work, it has remained an open question whether nested ratchet protocols hold up under the scrutiny of formal verification. 
+
+\end{itemize}
+
+A rigorous investigation into these unresolved issues is necessary to either validate or reconsider the widespread trust currently placed in nested ratchet protocols.
+
+\textbf{Our contribution.} Our work seeks to round off and tie together the previous literature on nested ratchet protocols. To do so, we take an approach rooted in \textit{formal methods} to study the security of nested ratchet protocols, allowing us to construct computer-verified proofs or provable and explicit counterexamples. We make the following contributions.
+
+\textbf{Models}. We present the first mechanization of nested ratchet protocols, primarily using the state-of-the-art symbolic cryptanalysis tool \pv \cite{Blanchet_2016}. Specifically, we present canonical models of the nested ratchet protocol; we also model Megolm, and Sender Keys according to their specifications. To support our larger nested ratchet protocol models, we also model 3DH, X3DH, Signal, and Olm (the secure point-to-point protocol employed by Megolm). 
+
+\textbf{Formal Analysis}. Using \pv's automated analysis suite, we prove secrecy, authentication, integrity, post-compromise security, and perfect forward secrecy for the nested ratchet protocol, including Megolm and Sender Keys. Using our models, we reason about offline deniability and the various failure cases of the nested ratchet protocol. To support our analysis, we present the first mechanizations of offline deniability, in addition to standard secrecy, authentication, integrity, post-compromise security, and perfect forward secrecy results for 3DH, X3DH, Signal, and Olm. 
+
+\textbf{Comparison}. Using our \pv models, we precisely compare the cryptographic properties and failure cases of the nested ratchet protocol. We quantify how differences in design between both the peer-to-peer and fan-out channels propagate to the overall high-level guarantees of hthe protocols.
+
+\textbf{Code}. Our models are entirely open-source, and our results, environment, and dependencies are readily reproducible via a nix flake: \href{https://zenodo.org/records/16959099}{zenodo.org/records/16959099}
--- a/sections/limitations.tex
+++ b/sections/limitations.tex
@@ -0,0 +1,14 @@
+We identify the limitations of our work, and discuss the respective potential lines of future work to address the limitations.
+
+\noindent\textbf{Abstracted model}. Models in \pv generally abstract away implementation details of cryptographic protocols. Therefore, our models are not executable, and are not drop-in replacements for an already in-place implementation. Our models abstract away details required to actually implement the protocol, including low-level message formatting, key lifetimes, resource constraints, error handling, interfacing with other networking protocols, and caching. Thus, in order to further close the gap between the nested ratchet protocol specification and the real-world implementation, constructing a more detailed model in a more expressive cryptographic modeling tool is necessary. Frameworks such as DY* \cite{DY} and OwlC \cite{Gancher_2023} have shown great promise here, allowing for executable, compilable specifications whilst maintaining semi-automatic cryptanalysis capabilities.
+
+\noindent\textbf{No post-quantum analysis}. Protocols supporting post-quantum encryption have increasingly seen real-world deployment in recent years, including PQXDH \cite{Kret_Schmidt_PQXDH}, PQ-Wireguard \cite{pqwg}, HPKE \cite{rfc9180}, and KEMTLS \cite{Schwabe_Stebila_Wiggers_2020}. The rollout of the aforementioned protocols was notably supported by formal methods tooling, most prominently \pv \cite{Lafourcade_Mahmoud_Ruhault_Taleb, Bhargavan_PQXDH} and \textsc{Tamarin} \cite{Celi_Hoyland_Stebila_Wiggers_2022}. In this work we do not support post-quantum primitives. While at the moment only Signal is the only implementor of a nested ratchet protocol that employs a post-quantum-secure P2P layer (using PQXDH), we expect the other implementors of the nested ratchet protocol to follow suit soon.
+
+\noindent\textbf{No Key Transparency model}. Key Transparency provides a mechanism to allow communicating parties to verify each other's public identity keys via each party uploading key material to an append-only log on a central server \cite{mcMillion2025keytrans}.
+Key Transparency has seen increasing popularity and deployment, being recently adopted by both Signal\footnote{Although Signal has yet to publicly document their usage of Key Transparency, the implementation is publicly available: \href{https://github.com/signalapp/key-transparency-server}{github.com/signalapp/key-transparency-server}} and Whatsapp.\footnote{WhatsApp is not open source; however, the implementation of the Key Transparency server is open source and available here: \href{https://github.com/facebook/akd}{github.com/facebook/akd}} 
+However, it is currently unclear how the incorporation of Key Transparency affects WhatsApp and Signal's existing deniability guarantees. Future work may seek to formalize Key Transparency and its guarantees, then fold the resulting model into existing models of Signal and WhatsApp. 
+
+\noindent\textbf{No mechanized computational analysis}. Computational reasoning about cryptographic protocols is fundamentally different from the symbolic model. As opposed to modeling cryptographic protocols with equational reasoning and specifying properties in terms of traces, the computational model is closer to hand-written cryptographic proofs in the random oracle model, proving protocols reduce to fundamental computational hardness assumptions through a sequence of computational games. The adversary in the computational model is slightly stronger than in the symbolic model \cite{Blanchet_2012}. Formal methods tooling exists for both the computational model and the symbolic model \cite{Blanchet_Jacomme}; in recent years, analysis of important protocols such as Signal have included mechanized proofs within both models \cite{Kobeissi_Bhargavan_Blanchet_2017} \cite{VatandasDeny}. Thus, future work could involve mechanizing the nested ratchet protocol, Sender Keys, or Megolm inside a computational verifier such as \textsc{CryptoVerif} \cite{Blanchet_Jacomme}
+
+
+
--- a/sections/models.tex
+++ b/sections/models.tex
@@ -0,0 +1,70 @@
+We describe our approach for the analysis nested ratchet protocol, Megolm, and Sender Keys
+%l, Megolm (as described by Matrix), Sender Keys (as described by Signal, Whatsapp, and Facebook Messenger), as well as the reliant sub-protocols 3DH, X3DH, Signal, and Olm, 
+using \textsc{ProVerif}. We also describe the claimed
+security properties for these protocols.
+
+\subsection{Modeling Strategy}
+\label{sec:section label}
+
+We do not go into the full details of the symbolic approach. One may refer to \cite{Blanchet_2012, Blanchet_2016} for a detailed presentation and comparison with alternative approaches.
+
+\textbf{Cryptographic Primitives}. In the symbolic model, messages are represented as terms which can be either atomic (to represent fresh values or constants), or constructed through applying functional rules. For instance, \textsf{pk}(\textit{sk}), \textsf{Mac($key$, $msg$)}, \textsf{Encrypt(k, m)}, and \textsf{Decrypt(k, m)}. To model the behavior of cryptographic primitives, function symbols may be ruled by a set of equations, i.e. an \textit{equational theory}. For example, \textsf{Decrypt(k, Encrypt(k, m)) = m} will hold. Therefore, cryptography is assumed to be perfect in the symbolic model; if no equational rules are defined for a given primitive, it behaves as a perfect one-way function. 
+
+\textbf{Threat Model}. The Dolev-Yao attacker model is the standard attacker model assumed in symbolic cryptography \cite{Dolev_1983}. The Dolev-Yao attacker has full control over the network, and can observe, remove, duplicate, replay, synthesize, and subtitute messages on public channels. In \pv, the attacker may be configured to never gain access to certain terms (i.e. a private key), or have access to pre-computed values (i.e. precomputing \textsf{DH} to find additional attacker scenarios). \pv is capable of reasoning soundly, but not completely, about arbitrary protocols with respect to a Dolev-Yao attacker. That is, any attack or proof \pv is guaranteed within the model,\footnote{Though, one must look out for false attacks -- that is, where a property is violated by a trivial or unintended attack trace. Alternatively, cases where properties vacuously hold (i.e. because parts of a protocol are not reachable) should similarly be avoided.}
+but \pv is not guaranteed to terminate.\footnote{And indeed, we employ a plethora of tricks and tweaks to ensure our models terminate reasonably quickly. See section \S 6.6.2 ``Settings'' and \S 6.7.5 ``Sources of incompleteness'' in the \pv manual \cite{ProverifManual}}
+
+\textbf{Trace and Equivalence}. In the symbolic approach there exists two primary classes of security properties: \textit{trace properties} and \textit{equivalence} properties. 
+Trace properties are considered to be satisfied when, in all possible
+traces or executions of the protocol, the property holds. Several security properties are expressable as trace properties. \textit{secrecy} is specified as a reachability property, i.e. whether an attacker can \textit{reach} a given secret term, such as a message. \textit{authentication} is specified as correspondance between two events; that is, if an event is reachable, another event is previously reachable. \textit{perfect forward securiy} and \textit{post-compromise security} relate secrecy queries with event timings, e.g. if a message can be compromised by the time an event occurs. On the other hand, equivalence properties decide if an attacker can \textit{tell apart} two processes; e.g. privacy properties such as deniability and unlinkability can be expressed as equivalence properties. In this work, we employ both trace and equivalence properties.
+
+% Things to mention:
+% - threat model
+% - cryptographic primitives, how they're modeled
+% - security and authentication
+% - equivalence properties \& deniability
+% - evaluation strategy
+
+% claimed security properties
+% - authentication of sessions, authentication of msgs sent with megolm
+% - secrecy of sessions, secrecy of messages; resistant against unknown keyshare attacks
+% - deniability 
+% - forward secrecy and post compromise security
+
+\subsection{Claimed Security Properties}
+\label{sec:section label}
+
+We provide informal definitions for each property we claim the nested ratchet protocol to hold.
+
+\attackerbox{\underline{\textbf{P1}}: Protocol participants are \textbf{Deadlock-Free}.} We claim an arbitrary number of peers who participate in the nested ratchet protocol \textit{do not deadlock} and complete the protocol, even in the presence of an attacker.
+
+\attackerbox{\underline{\textbf{P2}}: Honest peers enjoy \textbf{Message Secrecy}.} 
+ We claim only group members who hold the correct fan-out ratchet state can decrypt ciphertexts encrypted by honest peers, ruling out outsider eavesdropping and cross-group leakage.
+
+\attackerbox{\underline{\textbf{P3}}: Honest protocol participants enjoy \textbf{Mutual Authentication} \& \textbf{Message Agreement.}.} 
+We claim that every plaintext accepted by an honest recipient is \textit{jointly authenticated}: if Alice outputs a message labelled as originating from Bob, then Bob must have previously emitted that exact message under the same epoch key. This guarantees resistance to replay, impersonation, and \textit{unknown-key-share} attacks.
+
+\attackerbox{\underline{\textbf{P4}}: Honest peers enjoy \textbf{Offline Deniability}.} 
+
+We follow the form of \cite{Celi_Hoyland_Stebila_Wiggers_2022, Lafourcade_Mahmoud_Ruhault_Taleb} and claim it is impossible for an offline judge (that is, a judge that does not interfere with the protocol execution) to distinguish between a transcript generated between an honest initiator, and a transcript generated by a simulator.\footnote{No single approach to defining and demonstrating deniability guarantees has distinguished itself in the literature; see a classification here} On the other hand, it is well-known that responder deniability in authenticated key exchange, namely signal, is not ensured in the offline judge model. Thus, we also consider responder \textit{undeniability}.
+
+%We claim that for the initiator of each Double Ratchet channel, message authorship cannot be proven to a coercer and deniability is retained. On the other hand, it is well-known that responder deniability in authenticated key exchange, namely Signal, is not ensured. Thus, we also claim all keys in the initial key exchange must remain unsigned by long-term static keys to ensure mutual deniability. 
+% https://eprint.iacr.org/2022/1111.pdf
+
+\attackerbox{\underline{\textbf{P5}}: Messages sent by honest peers enjoy \textbf{Perfect Forward Secrecy}.}
+We claim that the compromise of any static credential, including the identity keys and the medium-term pre-keys of the double ratchet channel, and the present fan-out ratchet key, does not reveal any earlier traffic from either the current session or any previous sessions.
+
+\attackerbox{\underline{\textbf{P6}}: Between sessions, messages sent by honest peers enjoy \textbf{Post-Compromise Security}.}
+ We claim that once a compromised party executes a fresh \textsc{SessionGen} followed by \textsc{SessionShare}, full secrecy and authentication guaratnees are re-established for the subsequent traffic. 
+ %The attacker’s influence is thus confined to the interval between the breach and the next honest ratchet refresh, matching the recovery guarantees of Signal.
+
+\subsection{Additional Security Properties}
+We additionally define exceptionally strong properties we do not expect to hold in composition with the aforementioned properties, but are desirable and relevant nonetheless. 
+
+\badpropbox{\underline{\textbf{P7}}: In the post-compromise and forward secrecy scenarios, deniability is maintained (i.e. \textbf{Strong Deniability} \cite{Unger_Goldberg_2018}). }
+% https://cypherpunks.ca/~iang/pubs/dakez-popets18.pdf
+Given the compromise of static or ephemeral credentials, ideally deniability of message authorship, both previous and future, is maintained.
+
+\badpropbox{\underline{\textbf{P8}}: Deniability is maintained for all protocol participants (i.e. \textbf{Mutual Offline Deniability})}
+%https://eprint.iacr.org/2021/642.pdf (or the thesis, https://academicworks.cuny.edu/cgi/viewcontent.cgi?article=6191&context=gc_etds)
+%https://petsymposium.org/popets/2025/popets-2025-0018.pdf
+It is well-known that responder deniability in mutually authenticated key exchange, namely Signal, is not ensured within the offline judge model \cite{VatandasDeny, Collins_Colombo_Huguenin-Dumittan_2025}. 
--- a/sections/related.tex
+++ b/sections/related.tex
@@ -0,0 +1,74 @@
+\input{diagrams/related}
+
+We briefly review the relevant related works, 
+including the previous computational analysis of Megolm and Sender Keys,
+the line of work on Messaging Layer Security, and relevant work on 
+cryptographic deniability.
+
+\subsection{Computational Analysis}
+\label{sec:section label}
+The only existing work on Megolm and Sender Keys is computational.
+Balbás et al. provided the first formal description and 
+analysis of the Sender Keys protocol, as employed by WhatsApp,
+within the computational model \cite{Balbas_SK}. 
+Albrecht et al. introduced the 
+\textit{Device-Oriented Group Messaging}
+model to capture the security guarantees of Matrix's Megolm protocol \cite{Albrecht_Dowling_Jones},
+and later WhatsApp's Sender Keys protocol in great detail, also within
+the computational model \cite{Albrecht_2025}.
+
+We differ from the existing body of work in that our analysis is 
+in the \textit{symbolic} model of cryptography as opposed to the random oracle 
+``computational'' model. The symbolic and computational modeling approaches are
+generally regarding to have complimentary benefits 
+\cite{Blanchet_2012}, and cryptographic analysis of 
+modern protocols generally involves both approaches 
+\cite{Kobeissi_Bhargavan_Blanchet_2017,Bhargavan_PQXDH}. In general,
+symbolic analysis allows for simpler mechanization, explicit failure traces,
+and greater ease in evaluating attack scenarios. 
+We take advantage of these benefits and provide the first 
+mechanization of Sender Keys \& Megolm, as well as a 
+cryptographic failure case analysis much more detailed than in previous works. 
+We also cover the same high-level properties as previous works; We provide 
+a complete comparison of the analyzed cryptographic properties
+between the related works and our work in Table \ref{tab:symbolic-tools}.
+
+
+% We differ from the existing body of work in three ways: (1) 
+% we \textit{mechanize} our results in a symbolic protocol analysis tool 
+% as opposed to hand-written analysis in the random 
+% oracle ``computational'' model,
+% (2) we provide the first cryptographic \textit{deniability} analysis of 
+% Megolm and Sender Keys, and (3) 
+% our analysis is unified and general, covering both Megolm and Sender Keys,s
+% within our \textit{nested ratchet protocol} primitive. 
+
+\subsection{Messaging Layer Security}
+\label{sec:section label}
+
+There exists a long and fruitful line of work studying the Messaging
+Layer Security (MLS) protocol standardized by the IETF \cite{rfc9420}, 
+and the underlying Continuous Group Key Agreement (CGKA) primitive \cite{Alwen_Coretti_Jost_Mularczyk_2020}. In 
+comparison with Sender Keys and Megolm, MLS boasts key updates that are 
+logarithmic (as opposed to linear) in the number of members \cite{rfc9420}; however, 
+MLS is relatively new and thus much less widely deployed. TreeKEM, the CGKA primitive used by MLS, has enjoyed a string of 
+mechanized cryptanalysis work using the symbolic protocol analysis 
+framework DY* \cite{Wallez_TreeKEM}. The group management scheme employed by MLS has 
+also seen verification using DY* \cite{Wallez_TreeSync}.
+
+\subsection{Mechanized Deniability}
+\label{sec:section label}
+
+Cryptographic deniability, particularly of authenticated key exchanges, 
+has a long history in the literature. See the related works section of \cite{VatandasDeny}
+for additional background. However, relatively few works have considered mechanizing
+\textit{offline deniability} guarantees -- that is, 
+the ability to deny having participated in a communication session
+\textit{after} it has taken place. One technique for proving offline 
+deniability with respect to a peer involves proving any execution of a session may be 
+\textit{simulated} with only access to the aforementioned peer's public key material \cite{VatandasDeny}.
+In recent years there has
+surfaced a technique for mechanizing offline deniability through the 
+\textit{observational equivalence} feature of symbolic cryptographic provers. 
+This technique has been employed to reason about the deniability of 
+KEMTLS \cite{Celi_Hoyland_Stebila_Wiggers_2022} and Wireguard \cite{Lafourcade_Mahmoud_Ruhault_Taleb} using \textsc{Tamarin} \cite{Basin_Cremers_Dreier_Sasse_2022} and \textsc{ProVerif} \cite{ProverifManual} respectively. We employ this technique to provide the first comprehensive, mechanized deniability analysis of Sender Key and Megolm. Furthermore, we evaluate deniability across different compromise scenarios, as is done in \cite{Lafourcade_Mahmoud_Ruhault_Taleb}.
--- a/sections/usenix.tex
+++ b/sections/usenix.tex
@@ -0,0 +1,13 @@
+\section{Ethical Considerations}
+\label{sec:section label}
+
+We strictly adhere to ethical norms as well as the described ethical guidelines. We confirm our research considers potential negative impact and obeys legislation. Although we point out practical weaknesses in the design of deployed group communication protocols, namely Matrix, in Section \ref{sec:recs}, we emphasize these weaknesses concern only protocol design. Our research does not target a particular implementation nor product that embeds Matrix or other nested ratchet protocols. We plan to alert the stakeholders of our findings immediately after submission, and we do not plan to publicize our work onto a pre-print server until our findings are acknowledged. 
+
+\section{Open Science}
+\label{sec:section label}
+
+We strictly adhere to and enthusiastically embrace the Open Science guidelines of USENIX Security 2026. All of our methodology, models, symbolic analysis in \textsc{ProVerif}, and nix flakes for environment reproducibility are thoroughly documented and openly shared in our companion artifact publicly available on Zenodo: \href{https://zenodo.org/records/16959099}{zenodo.org/records/16959099} 
+
+Our companion artifact contains a nix flake, a nix lock file, a \texttt{README.md}, and a folder, \textbf{proverif}, that contains our \textsc{ProVerif} models of 3DH, X3DH, Signal, Olm, Sender Keys, and Megolm. Secrecy, authentication, post-compromise security, and forward secrecy properties are contained are grouped in the same model file, and offline deniability properties for both the initiator and responder are contained independently in a sub-folder \textbf{deniability}. Our README documents the many of the implementation-specific techniques and tricks that went into modeling Sender Keys, Megolm, and their sub-protocols.
+
+
--- a/tcolorbox.sty
+++ b/tcolorbox.sty
--- a/usenix.sty
+++ b/usenix.sty
@@ -0,0 +1,129 @@
+% usenix.sty - to be used with latex2e for USENIX.
+% To use this style file, look at the template usenix2019_v3.1.tex
+%
+% $Id: usenix.sty,v 1.2 2005/02/16 22:30:47 maniatis Exp $
+%
+% The following definitions are modifications of standard article.sty
+% definitions, arranged to do a better job of matching the USENIX
+% guidelines.
+% It will automatically select two-column mode and the Times-Roman
+% font.
+%
+% 2018-12-19 [for ATC'19]: add packages to help embed all fonts in
+%   pdf; to improve appearance (hopefully); to make refs and citations
+%   clickable in pdf
+%
+% 2020-09-21 file updated to comment out flushend and make it optional
+
+%
+% USENIX papers are two-column.
+% Times-Roman font is nice if you can get it (requires NFSS,
+% which is in latex2e.
+
+\if@twocolumn\else\input twocolumn.sty\fi
+\usepackage{mathptmx}  % times roman, including math (where possible)
+
+% hopefully embeds all fonts in pdf
+\usepackage[T1]{fontenc}
+\usepackage[utf8]{inputenc}
+\usepackage{pslatex}
+
+% appearance
+\usepackage[kerning,spacing]{microtype} % more compact and arguably nicer
+
+% Uncomment the following line if you want the columns of the last page 
+% equal in size. But note that doing so may cause issues with some 
+% document-generating tools.
+% \usepackage{flushend}
+
+% refs and bib
+\usepackage{cite}               % order multiple entries in \cite{...}
+\usepackage{breakurl}           % break too-long urls in refs
+\usepackage{url}                % allow \url in bibtex for clickable links
+\usepackage{xcolor}             % color definitions, to be use for...
+\usepackage[]{hyperref}         % ...clickable refs within pdf...
+\hypersetup{                    % ...like so
+  colorlinks,
+  linkcolor={green!80!black},
+  citecolor={red!70!black},
+  urlcolor={blue!70!black}
+}
+
+%
+% USENIX wants margins of: 0.75" sides, 1" bottom, and 1" top.
+% 0.33" gutter between columns.
+% Gives active areas of 7" x 9"
+%
+\setlength{\textheight}{9.0in}
+\setlength{\columnsep}{0.33in}
+\setlength{\textwidth}{7.00in}
+
+\setlength{\topmargin}{0.0in}
+
+\setlength{\headheight}{0.0in}
+
+\setlength{\headsep}{0.0in}
+
+\addtolength{\oddsidemargin}{-0.25in}
+\addtolength{\evensidemargin}{-0.25in}
+
+% USENIX wants no page numbers for camera-ready papers, so that they can
+% number them themselves.  But submitted papers should have page numbers
+% for the reviewers' convenience.
+% 
+%
+% \pagestyle{empty}
+
+%
+% USENIX titles are in 14-point bold type, with no date, and with no
+% change in the empty page headers.  The whole author section is 12 point
+% italic--- you must use {\rm } around the actual author names to get
+% them in roman.
+%
+\def\maketitle{\par
+ \begingroup
+   \renewcommand\thefootnote{\fnsymbol{footnote}}%
+   \def\@makefnmark{\hbox to\z@{$\m@th^{\@thefnmark}$\hss}}%
+    \long\def\@makefntext##1{\parindent 1em\noindent
+            \hbox to1.8em{\hss$\m@th^{\@thefnmark}$}##1}%
+   \if@twocolumn
+     \twocolumn[\@maketitle]%
+     \else \newpage
+     \global\@topnum\z@
+     \@maketitle \fi\@thanks
+ \endgroup
+ \setcounter{footnote}{0}%
+ \let\maketitle\relax
+ \let\@maketitle\relax
+ \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax}
+
+\def\@maketitle{\newpage
+ \vbox to 2.5in{
+ \vspace*{\fill}
+ \vskip 2em
+ \begin{center}%
+  {\Large\bf \@title \par}%
+  \vskip 0.375in minus 0.300in
+  {\large\it
+   \lineskip .5em
+   \begin{tabular}[t]{c}\@author
+   \end{tabular}\par}%
+ \end{center}%
+ \par
+ \vspace*{\fill}
+% \vskip 1.5em
+ }
+}
+
+%
+% The abstract is preceded by a 12-pt bold centered heading
+\def\abstract{\begin{center}%
+{\large\bf \abstractname\vspace{-.5em}\vspace{\z@}}%
+\end{center}}
+\def\endabstract{}
+
+%
+% Main section titles are 12-pt bold.  Others can be same or smaller.
+%
+\def\section{\@startsection {section}{1}{\z@}{-3.5ex plus-1ex minus
+    -.2ex}{2.3ex plus.2ex}{\reset@font\large\bf}}
--- a/wrapfig.sty
+++ b/wrapfig.sty
@@ -0,0 +1,598 @@
+%  W R A P F I G . S T Y    ver 3.6  (Jan 31, 2003)
+%
+%  Copyright (C) 1991-2003   by Donald Arseneau   <asnd@triumf.ca>
+%  This software is released under the terms of the LaTeX Project 
+%  public license.
+%
+%  Environments "wrapfigure" and "wraptable" place a figure or table
+%  at the side of the page and wrap text around it.
+%
+%  \begin{wrapfigure}[12]{r}[34pt]{5cm} <figure> \end{wrapfigure}
+%                     --  -  ----  ---
+%  [number of narrow lines] {placement} [overhang] {width of figure}
+%
+%  Placement is one of   r, l, i, o, R, L, I, O,  for right, left,
+%  inside, outside, (here / FLOAT).
+%  The figure sticks into the margin by `overhang', if given, or by the
+%  length \wrapoverhang, which is normally zero.
+%  The number of wrapped text lines is normally calculated from the height
+%  of the figure, but may be specified manually ("12" above).
+% 
+%  Environments similar to "wrapfigure" and "wraptable" may be easily added,
+%  or invoked by "\begin{wrapfloat}{float_name}"
+%
+%  More detailed instructions are given below, following the definitions.
+%  Please direct any problem reports to asnd@triumf.ca
+
+%%%%%  ----- Begin definitions ----- %%%%%
+
+\@ifundefined{c@WF@wrappedlines}{}{\endinput}
+
+\newdimen\wrapoverhang \wrapoverhang\z@
+\newdimen\WF@size
+\newcount\c@WF@wrappedlines % used globally
+\newbox\WF@box
+\newtoks\WF@everypar
+\newif\ifWF@float
+\let\@@parshape\parshape
+\let\WF@@everypar\everypar
+
+\def\wrapfloat#1{\def\@captype{#1}\@ifnextchar[\WF@wr{\WF@wr[]}}
+
+\def\wrapfigure{\wrapfloat{figure}}
+\def\wraptable{\wrapfloat{table}}
+
+\def\WF@wr[#1]#2{% first two args: #1=num lines, #2=placement
+  \xdef\WF@wfname{wrap\@captype\space}%
+  \ifvoid\WF@box\else \WFclear \WF@collision \fi
+  \xdef\WF@place{\string`\@car#2r\@nil}%
+  \ifnum\lccode\WF@place=\WF@place \global\WF@floatfalse
+    \else \global\WF@floattrue \fi
+  \ifx\parshape\WF@fudgeparshape \ifWF@float\else\WF@collision\fi \else
+   \ifx\par\@@par \ifnum\@@parshape>\z@\WF@conflict\fi \else \WF@conflict\fi
+  \fi \gdef\WF@wli{#1}%
+  \@ifnextchar[\WF@rapt{\WF@rapt[\wrapoverhang]}}
+
+\def\WF@rapt[#1]#2{% final two args: #1 = overhang,  #2 = width,
+  \gdef\WF@ovh{#1}% hold overhang for later, when \width is known
+  \global\setbox\WF@box\vtop\bgroup \setlength\hsize{#2}%
+  \ifdim\hsize>\z@ \@parboxrestore \else 
+  \setbox\z@\hbox\bgroup \let\wf@@caption\caption \let\caption\wf@caption 
+  \ignorespaces \fi}
+
+\def\wf@caption{\relax
+  \ifdim\hsize>\z@ \let\caption\wf@@caption \else
+  \unskip \egroup \hsize\wd\z@ \@parboxrestore \box\z@ \fi \caption}
+
+\def\endwrapfloat{%
+  \ifdim\hsize>\z@ \par\hrule\@width\hsize\@height\z@ % force width
+  \else \unskip \egroup \box\z@ \fi % or end hbox
+  \egroup % end the \vtop; width is known so now is "later"
+  \WF@floatstyhook % support float.sty
+  \def\width{\wd\WF@box}\setlength\wrapoverhang{\WF@ovh}%
+  \xdef\WF@ovh{\the\wrapoverhang}% save until wrapping
+  \ifdim\ht\WF@box>\topskip \ht\WF@box\z@ \fi % too much height, set flag.
+  \ifdim\ht\WF@box<.5\p@ % too tall (starts with \vbox) or too short
+   \global\setbox\WF@box\vtop{\vskip-1.4ex\unvbox\WF@box}\fi
+  \global\WF@size\dp\WF@box % box is guaranteed to have little height.
+  \global\advance\WF@size1.5\baselineskip \global\advance\WF@size\tw@\intextsep
+  \aftergroup\WF@startfloating % even when not really floating!
+  \ifWF@float\else \ifhmode
+     {\unskip \parfillskip\z@skip \par \vskip-\parskip}\aftergroup\noindent
+  \fi\fi \global\@ignoretrue}
+
+\let\endwrapfigure\endwrapfloat
+\let\endwraptable\endwrapfloat
+
+% Subvert \everypar to float fig and do wrapping.  Also for non-float.
+\def\WF@startfloating{%
+ \WF@everypar\expandafter{\the\everypar}\let\everypar\WF@everypar
+ \WF@@everypar{\ifvoid\WF@box\else\WF@floathand\fi \the\everypar
+ \WF@wraphand
+}}
+
+\def\WF@floathand{%
+\ifx\parshape\WF@fudgeparshape \WF@fltmes\else
+  \ifx\par\@@par\ifnum\@@parshape=\z@\ifdim\hangindent=\z@
+    \setbox\z@\lastbox \begingroup
+    \@@par \WF@@everypar{}\WF@putfigmaybe
+    \endgroup % start wrapping
+    \ifvoid\z@\else\box\z@\fi % replace indentation
+  \else\WF@fltmes\fi\else\WF@fltmes\fi\else\WF@fltmes\fi\fi}
+
+% Put fig here if it fits or if it can't float
+\def\WF@putfigmaybe{%
+\ifinner
+  \vskip-\parskip \global\WF@floatfalse
+  \let\pagetotal\maxdimen % kludge flag for "not top of page"
+\else % outer page
+  \@tempdima\pagedepth % save page depth
+   {\advance\parskip\@tempdima\vskip-\parskip}% back up to baseline
+   \penalty\interlinepenalty % update pg. parameters
+   \@tempdimb\pagegoal \advance\@tempdimb-\pagetotal % room left on page
+   \ifdim\@tempdimb<\z@ % \WF@info{Page overfull already;}%
+      \global\WF@floatfalse
+      \ifdim-\@tempdimb>\pageshrink \else \pagebreak \fi
+   \else
+      \ifdim\WF@size>\@tempdimb
+%        \WF@info{Size \the\WF@size\space does not fit in \the\@tempdimb}%
+         \ifWF@float \dimen@.5\baselineskip \else \dimen@ 2\baselineskip\fi
+         \ifdim\pagestretch>\dimen@ \dimen@\pagestretch \fi
+         \ifdim\pagefilstretch>\z@ \dimen@\@tempdimb \fi
+         \ifdim\pagefillstretch>\z@ \dimen@\@tempdimb \fi
+         \advance\dimen@.5\baselineskip
+         \ifdim\dimen@>\@tempdimb % \WF@info{Page nearly full; can stretch}%
+            \global\WF@floatfalse \pagebreak
+         \fi
+      \else % \WF@info{Fits in \the\@tempdimb;}%
+         \global\WF@floatfalse
+   \fi\fi
+   \vskip\@tempdima\relax % (return erased page depth)
+\fi
+\noindent
+\ifWF@float
+  \WF@fltmes
+\else % putting here;
+  \WF@info{Put \WF@wfname here:}%
+  {\ifodd\if@twoside\c@page\else\@ne\fi % assign l/r to i/o placement
+    \lccode`i`l\lccode`o`r\else \lccode`i`r\lccode`o`l\fi
+    \xdef\WF@place{\the\lccode\lccode\WF@place}}% twice to get only l or r
+  \hbox to\z@{% llap or rlap depending on {l} or {r}; calc effective width
+   \@tempdima\wd\WF@box \@tempdimb\WF@ovh
+   \advance\@tempdima-\@tempdimb \advance\@tempdima\columnsep
+   \@tempdimb\hsize \advance\@tempdimb-\@tempdima
+   \xdef\WF@adjlw{\the\@tempdima}%
+   \ifnum `l=\WF@place % fig on left
+    \hss % figure overlaps space to the left
+    \def\@tempa{\kern\columnsep}% position to left of the gap
+   \else  %  fig on right
+    \@tempdima\z@ % no left indentation
+    \kern\@tempdimb \kern\columnsep
+    \def\@tempa{\hss}% figure overlaps space to the right
+   \fi
+   \ifdim\@tempdimb<\hsize
+    \xdef\WF@wrapil{\the\@tempdima \the\@tempdimb}% indentation and length
+    \xdef\WF@adjtlm{\the\@tempdima}%
+   \else
+    \xdef\WF@wrapil{\z@ \the\hsize}%
+    \xdef\WF@adjlw{\z@}\xdef\WF@adjtlm{\z@}%
+   \fi
+   \ifdim\pagetotal=\z@ % \WF@info{Put \WF@wfname at top of p.\thepage}%
+    \global\advance\WF@size-\intextsep
+   \else % \WF@info{Putting \WF@wfname in middle of page}%
+    \setbox\WF@box\hbox{\lower\intextsep\box\WF@box}%
+   \fi \dp\WF@box\z@ \box\WF@box \@tempa
+  }% end \hbox to 0pt
+  \aftergroup\WF@startwrapping % after the \endgroup which immediately follows
+\fi}
+
+\def\WF@startwrapping{%
+ \ifx\WF@wli\@empty
+  {\advance\WF@size1.1\baselineskip
+  \divide\WF@size\baselineskip \global\c@WF@wrappedlines\WF@size}%
+ \else
+  \setcounter{WF@wrappedlines}{\WF@wli}\global\advance\c@WF@wrappedlines\@ne
+ \fi
+ \ifnum\c@WF@wrappedlines>\@ne
+  \let\parshape\WF@fudgeparshape \let\WF@pspars\@empty \let\WF@@par\par
+  \def\@setpar##1{\def\WF@@par{##1}}\def\par{\@par}\let\@par\WF@mypar
+  \xdef\WF@restoretol{\tolerance\the\tolerance}\tolerance9999
+  \advance\linewidth-\WF@adjlw \advance\@totalleftmargin\WF@adjtlm
+ \fi}
+
+\def\WF@wraphand{%
+\ifnum\c@WF@wrappedlines<\tw@ \WF@finale
+\else \begingroup % Create \parshape command:
+ \@tempcnta\@ne \let\WF@wrapil\relax \gdef\WF@ps{}%
+ \@whilenum \@tempcnta<\c@WF@wrappedlines\do{% repeated indentation, length
+  \xdef\WF@ps{\WF@ps\WF@wrapil}\advance\@tempcnta\@ne
+ }\endgroup
+ \ifx\WF@pspars\@empty
+  \@@parshape\c@WF@wrappedlines \WF@ps \WF@noil
+ \else % use external `parshape' values to modify my parshape
+  \WF@modps
+\fi\fi}
+
+\def\WF@mypar{\relax
+ \WF@@par % what the rest of LaTeX expects \par to be (usually \@@par)
+ \ifnum\@@parshape=\z@ \let\WF@pspars\@empty \fi % reset `parshape'
+ \global\advance\c@WF@wrappedlines-\prevgraf \prevgraf\z@
+ \ifnum\c@WF@wrappedlines<\tw@ \WF@finale \fi}
+
+\def\WF@modps{\begingroup
+  \afterassignment\@tempdimb \@tempdima\WF@pspars % a=ind, b=wid
+  \advance\@tempdima-\WF@adjtlm \advance\@tempdimb\WF@adjlw
+%  \afterassignment\dimen@\advance\@tempdima\WF@wrapil
+%  \advance\@tempdimb\dimen@ \advance\@tempdimb-\hsize
+  \let\WF@wrapil\WF@pspars%{\the\@tempdima \the\@tempdimb}%
+  \edef\@tempb{\@@parshape\c@WF@wrappedlines \WF@ps \the\@tempdima \the\@tempdimb}%
+  \expandafter\endgroup\@tempb}
+
+\let\@@setpar\@setpar
+\def\WF@noil{\z@ \hsize}
+\let\WF@pspars\@empty
+
+\def\WF@fudgeparshape{\relax \ifnum\c@WF@wrappedlines<\tw@ \WF@finale
+  \else \afterassignment\WF@fudgeparshapee \fam \fi}
+\def\WF@fudgeparshapee{\ifnum\fam=\@ne \expandafter \WF@parshapeee \else
+  \WF@conflict \@@parshape\fam \fi}
+\def\WF@parshapeee#1#2{\begingroup\delimitershortfall#1%
+   \nulldelimiterspace#2%\advance\nulldelimiterspace\WF@adjlw
+   \edef\@tempa{\def\noexpand\WF@pspars{%
+      \the\delimitershortfall \the\nulldelimiterspace}}%
+  \expandafter\endgroup\@tempa \WF@wraphand}
+
+\def\WF@finale{\ifx\parshape\WF@fudgeparshape
+ \WF@restoretol \let\@setpar\@@setpar \let\par\WF@@par
+ \advance\linewidth\WF@adjlw \advance\@totalleftmargin-\WF@adjtlm
+ \WF@info{Finish wrapping text}%
+ \ifx\par\@@par \def\@par{\let\par\@@par\par}\else \let\@par\WF@@par \fi
+ \let\parshape\@@parshape
+ \parshape\ifx\WF@pspars\@empty \z@ \else \@ne \WF@pspars\fi \fi
+ \ifvoid\WF@box \ifx\everypar\WF@everypar
+  \let\everypar\WF@@everypar \everypar\expandafter{\the\WF@everypar}%
+ \fi\fi}
+
+\newcommand{\WFclear}{\par 
+ \ifvoid\WF@box\else \vskip\bigskipamount \box\WF@box
+ \let\everypar\WF@@everypar \everypar\expandafter{\the\WF@everypar}%
+ \fi \global\c@WF@wrappedlines\z@ \WF@finale}
+
+\begingroup
+ \toks0={\let\everypar\WF@@everypar \everypar\expandafter{\the\WF@everypar}%
+   \let\parshape\@@parshape \let\@setpar\@@setpar }
+ \toks1=\expandafter{\@arrayparboxrestore}
+ \toks2=\expandafter{\clearpage}
+ \edef\@tempa{\def\noexpand\@arrayparboxrestore{\the\toks0 \the\toks1}%
+      \def\noexpand\clearpage{\noexpand\protect\noexpand\WFclear \the\toks2}}
+ \expandafter
+\endgroup\@tempa
+
+\@ifundefined{@capwidth}{\let\@capwidth\hsize}{}% Pamper RevTeX's Stupidity
+
+\def\WF@conflict{\WF@warning
+ {\WF@wfname used inside a conflicting environment}}
+\def\WF@collision{\WF@warning{Collision between wrapping environments}}
+\def\WF@fltmes{\ifWF@float \WF@info{\WF@wfname floats}%
+ \else \WF@warning{Stationary \WF@wfname forced to float}\fi}
+
+\let\WF@warning\@warning
+\let\WF@info\@gobble
+
+% Support float.sty: float styles and \newfloat.  Make \newfloat{foo}
+% define the `wrapfoo' environment.  Support \newfloat from memoir.cls
+% and \newfloatlist from ccaption.sty.
+% 
+\let\WF@floatstyhook\relax
+
+\@ifundefined{newfloat}{}{% There is a \newfloat command
+%
+ \@ifundefined{restylefloat}{
+ % \newfloat comes from somewhere besides float.sty 
+   \@ifclassloaded{memoir}{
+    \toks@=\expandafter\expandafter\expandafter
+     {\csname\string\newfloat\endcsname [{#1}]{#2}{#3}{#4}%
+     \newenvironment{wrap#2}{\wrapfloat{#2}}{\endwrapfloat}%
+    }
+    \edef\@tempa{\def\expandafter\noexpand\csname\string\newfloat\endcsname
+      [##1]##2##3##4{\the\toks@}}
+    \@tempa
+   }% end memoir support
+   {}% Other origins of \newfloat here??
+ }{
+ %  float.sty handler.  Ooops:  Two versions for different versions
+ %  Changing \float@restyle (or \restylefloat) changes \newfloat too.
+ \@ifundefined{float@restyle}{% older float.sty
+  \toks@=\expandafter{\restylefloat{#1}% (env may or may not be defined)
+   \@namedef{wrap#1}{\def\@captype{#1}\@nameuse{fst@#1}%
+    \def\WF@floatstyhook{\let\@currbox\WF@box \columnwidth\wd\WF@box 
+       \global\setbox\WF@box\float@makebox}%
+    \@ifnextchar[\WF@wr{\WF@wr[]}}%
+   \expandafter\let\csname endwrap#1\endcsname \endwrapfigure
+  }\edef\@tempa{\def\noexpand\restylefloat##1{\the\toks@}}
+ }{% newer float.sty: use \float@restyle, and \float@makebox takes width arg
+  \toks@=\expandafter{\float@restyle{#1}% (env may or may not be defined)
+   \@namedef{wrap#1}{\def\@captype{#1}\@nameuse{fst@#1}%
+    \def\WF@floatstyhook{\let\@currbox\WF@box 
+       \global\setbox\WF@box\float@makebox{\wd\WF@box}}%
+    \@ifnextchar[\WF@wr{\WF@wr[]}}%
+   \expandafter\let\csname endwrap#1\endcsname \endwrapfigure
+  }\edef\@tempa{\def\noexpand\float@restyle##1{\the\toks@}}
+ }
+ \@tempa % perform redefinitions
+ %
+ }% End float.sty handler
+}% End redefinitions of \newfloat
+
+% Support ccaption.sty 
+\@ifundefined{\string\newfloatlist}{}{
+ \toks@=\expandafter\expandafter\expandafter
+   {\csname\string\newfloatlist\endcsname [{#1}]{#2}{#3}{#4}{#5}%
+  \@namedef{wrap#2}{\wrapfloat{#2}}%
+  \expandafter\let\csname endwrap#2\endcsname \endwrapfloat
+ }
+ \edef\@tempa{\def\expandafter\noexpand\csname\string\newfloatlist\endcsname
+   [##1]##2##3##4##5{\the\toks@}}
+ \@tempa
+}
+
+% Process package options.
+
+\@ifundefined{DeclareOption}{\endinput}{}
+
+\def\WF@warning{\PackageWarning{wrapfig}}
+\ProvidesPackage{wrapfig}[2003/01/31 \space  v 3.6]
+\DeclareOption{verbose}{\def\WF@info{\PackageInfo{wrapfig}}}
+\ProcessOptions
+\AtEndDocument{\WFclear}
+
+\endinput
+
+%%%%%  ----- End definitions ----- %%%%%
+
+%%%%%  ----- Begin Instructions ----- %%%%%
+
+
+W R A P F I G . S T Y  \ \  ver 3.6 \ \ (Jan 31, 2003)
+
+Copyright (C) 1991-2003 by Donald Arseneau  (asnd@triumf.ca)
+
+Wrapfig.sty provides the environments "wrapfigure" and "wraptable" for
+typesetting a narrow float at the edge of the text, and making the text
+wrap around it.  The "wrapfigure" and "wraptable" environments interact
+properly with the "\caption" command to produce proper numbering, but
+they are not regular floats like "figure" and "table", so (beware!) they
+may be printed out of sequence with the regular floats.  There are four
+parameters for "\begin{wrapfigure}", two optional and two required, plus
+the text of the figure, with a caption perhaps:
+
+   \begin{wrapfigure}[12]{r}[34pt]{5cm} <figure> \end{wrapfigure}
+                      ==  =  ====  ===
+   [number of narrow lines] {placement} [overhang] {width}
+
+Some idiosyncrasies:
+
+  - You must not specify a wrapfigure in any type of list environment or
+    or immediately before or immediately after one.  It is OK to follow
+    a list if there is a blank line ("\par") in between.
+
+  - If you put a wrapfigure in a parbox or a minipage, or any other type
+    of grouping, the text wrapping should end before the group does.
+
+  - It does work in two-column format, but are your figures that small?
+
+  - It may be out of sequence with regular floats.
+
+  - The hlines that may be printed above and below floats are ignored;
+    you must insert them manually if desired.
+
+  - "\linewidth" is now adjusted within the wrapped text, but since it
+    can only be set for whole paragraphs at a time, it will persist with
+    the wrong value after the wrapping, until the paragraph is finished.
+
+New wrapping environments may be added when new float types are defined
+(using memoir.cls, float.sty, or ccaption.sty).  Any wrapping environment,
+"wrapfigure", "wraptable", or something else may be invoked using the
+"wrapfloat" environment, as in "\begin{wrapfloat}{figure}{O}{5cm}".
+
+To use float.sty properly, load package "float" before "wrapfig", 
+and declare any new float types after loading both.  Likewise for
+ccaption.sty and "\newfloatlist" and memoir.cls and its "\newfloat".
+
+\section{Placement and Floating}
+
+Parameter "#2" (required) is the figure placement code, but the valid
+codes are different from regular figures.  They come in pairs: an
+uppercase version which allows the figure to float, and a lowercase
+version that puts the figure ``exactly here''.
+
+  r  R  -  the right side of the text
+  l  L  -  the left side of the text
+  i  I  -  the inside edge--near the binding (if "[twoside]" document)
+  o  O  -  the outside edge--far from the binding
+
+You should specify one code only, not a list.  The figure or table must
+be on one side or the other; it cannot be in the middle with text on
+both sides.  The "i" and "o" options refer to the inside and outside of
+the whole page, not individual columns.
+
+The ability to float is somewhat restricted, and you will get best results
+by giving exact manual placement, but floating is more convenient while
+revising the document.  Any changes to the formatting can ruin your manual
+positioning so you should adjust the placement just before printing a
+final copy.  Here are some tips for good placement:
+
+  - The environment should be placed so as to not run over a page break.
+
+  - The environment must not be placed in special places like lists.
+
+  - For esthetic reasons, only plain text should wrap around the figure.
+    Section titles and big equations look bad; lists are bad if the figure 
+    is on the left.  (All these function properly, they just don't look 
+    very good.)  Small equations look fine.
+
+  - It is convenient to begin the environment between paragraphs, but if
+    you want placement in the middle of a paragraph, you must put the
+    environment between two words where there is a natural line break.
+
+When floating, \LaTeX\ tries to apply these rules.  More specifically,
+a floated wrapping environment will only begin...
+
+  - at the beginning of a paragraph,
+
+  - when there is enough room on the page, or it is possible to go on
+    the next page,
+
+  - if the `paragraph' is not in a section title or a list,
+
+  - if the paragraph is not wrapping around another figure,
+
+  - in the main text (not in a minipage etc.)
+
+It is possible that a non-floating wrapfigure will be forced to float
+when an earlier one is still being processed.  A warning will be written
+in that case.  You can have more information about the floating process
+written to the log file by specifying "\usepackage[verbose]{wrapfig}".
+
+If there is a lot of flexibility on a page, a floating wrapfigure may
+be placed badly; you must turn to manual placement.  A rare problem is
+that floats and footnotes specified within the wrapping text can also
+cause poor placement and bad formatting.
+
+
+\section {Sizing and optional overhang}
+
+Parameter "#4" (the second required parameter) is the width of the figure
+or table.  Given the way that \LaTeX\ puts just about everything into boxes 
+with the current line-width, the width parameter will take precedence over 
+whatever natural width the figure has.  In particular, the caption is always 
+typeset with the specified width.  If the figure is wider than the space 
+allotted, you will get an ``overfull box'' warning.
+
+However, if you specify a width of *zero* ("0pt"), the actual width of
+the figure will determine the wrapping width.  A following "\caption"
+should have the same width as the figure, but it might fail badly; it
+is safer to specify a width when you use a caption.
+
+\LaTeX\ will wrap surrounding text around the figure, leaving a gap of
+"\intextsep" at the top and bottom, and "\columsep" at the side, by
+producing a series of shortened text lines beside the figure.  The
+indentation (shortening) of the text is the figure width plus "\columnsep"
+minus overhang (if any; see below).
+
+\LaTeX\ calculates the number of short lines needed based on the height
+of the figure and the length "\intextsep".  You can override this guess
+by giving the first optional argument (parameter "#1") specifying the
+number of shortened lines (counting each displayed equation as 3 lines).
+This is particularly useful when the surrounding text contains extra
+vertical spacing that is not accounted for automatically.
+
+The second optional parameter ("#3") tells how much the figure should
+hang out into the margin. The default overhang is given by the length
+"\wrapoverhang", which is "0pt" normally but can be changed using
+"\setlength".  For example, to have all wrapfigures use the space
+reserved for marginal notes,
+
+    \setlength{\wrapoverhang}{\marginparwidth}
+    \addtolength{\wrapoverhang}{\marginparsep}
+
+When you do specify the overhang explicitly for a particular figure, you
+can use a special unit called "\width" meaning the width of the figure.
+For example, "[0.5\width]" makes the center of the figure sit on the
+edge of the text, and "[\width]" puts the figure entirely in the margin
+(and the adjacent text is indented by just "\columnsep").  This "\width"
+is the actual width of the wrapfigure, which may be greater than the 
+declared width.
+
+
+\section{Some Random Implementation Notes}
+
+Unfortunately, \LaTeX's system of setting "\everypar" and "\par" is
+unable to coexist peacefully with a wrapping environment, so I was
+forced to subvert the "\@setpar" mechanism and "\everypar".  ("\everypar"
+is already subverted once by NFSS.)
+
+When checking the room left on the page, remember that if there is less
+than "\baselineskip" the new paragraph will begin on the next page, even
+if there is no page stretch. If non-floating, I force a bad page break
+rather than have the figure hang into the bottom margin.
+
+Here are notes on various variables and some macros; what info they
+store and how they are used.
+
+  \WF@wli - number-of-wrapped-lines parameter, saved for start of wrapping.
+     Set globally by "\WF@wr" (set empty if no optional parameter given).
+     The floating mechanism ignores this and uses the real size.
+
+  \WF@ovh - margin overhang set globally by "\WF@rapt", saved until placing
+     figure (but not reset).  Actually, the setting is very tricky so that
+     the expected values are used when a figure floats. First, the expression
+     is saved without evaluation by "\WF@rapt" ("\begin{wrapfigure}") because
+     "\width" is still unknown.  Soon after that, "\endwrapfigure" executes
+     "\WF@ovh" to evaluate the overhang and save the result (so that changes
+     to "\wrapoverhang" while this figure is floating won't affect this
+     figure). Finally, it is used by "\WF@putfigmaybe" when printing the fig.
+
+  \WF@place - a macro that is used as a number, giving the placement code.
+     It might start out as "`I" and later be converted to "114" (r).
+
+  \WF@box - tested for void at "\begin{wrapfigure}", to avoid collisions,
+     by "\everypar" to do floating, and by "\WF@finale" before resetting
+     "\everypar".  Voided globally when used by "\WF@putfigmaybe" (or by
+     "\WF@wr" if an old figure must be dumped prematurely).
+
+  \par - test if it is "\@@par" by "\begin{wrapfigure}" and "\WF@floathand"
+     to float past special environments.  It is set to "\@par" ("\WF@mypar")
+     by "\WF@startwrapping", and restored by an end-group (bad!) or by
+     "\WF@finale" (good).  It is protected from change by redefining
+     "\@setpar".
+
+  \parshape - let to "\WF@fudgeparshape" by "\WF@startwrapping", so lists
+     will continue wrapping; "\@@parshape" preserves the real "\parshape"
+     command, and it is restored by "\WF@finale" or "\@parboxrestore".
+     "\WF@floathand" and "\WF@wr" test if old wrapping is still in progress
+     with "\ifx\parshape\WF@fudgeparshape". The value of "\@@parshape" is
+     also tested to float past lists and other wrapping environments.
+
+  \hangindent - tested to float past section titles etc.
+
+  \c@WF@wrappedlines - the number of shortened lines + 1; set globally by
+     "\WF@startwrapping" and decremented by "\par" ("\WF@mypar").  It is > 1
+     only when wrapping is incomplete.  "\WF@wraphand", "\WF@fudgeparshape",
+     and "\WF@mypar" test the number for calling "\WF@finale".  It may get
+     stuck at some high value if "\par" is restored by an end-group, (and
+     wrapping is terminated prematurely) so it is unwise to use this as a
+     test for wrapping-complete.
+
+  \pagetotal - one of many parameters used to compute floating.  When
+     putting a wrapfigure in a parbox, I assign "\let\pagetotal\maxdimen"
+     (locally!) to signal not-top-of-page and no floating.
+
+  \WF@pspars - the "\parshape" parameters as LaTeX sets them for lists
+     ("\WF@fudgeparshape"); when wrapping I test it and use it to modify my
+     own real params for the paragraph.  They are also used when "\parshape"
+     is restored after wrapping.
+
+  \WF@finale - is performed by "\par" when wrapping should end.  However,
+     that might happen inside a group (a list especially), so the subverted
+     versions of "\par", "\parshape" etc. will be reinstated when the group
+     ends.  Thus, they must themselves test "\c@WF@wrappedlines" < 2 to see
+     when wrapping is over, and if so, they should just do "\WF@finale" again.
+
+These are the tests to see if a floating wrapfigure will fit at a particular
+spot.  These tests are performed at the beginning of every paragraph after
+the figure, except in lists etc.  ("\pagegoal" - "\pagetotal" is the room
+left on the page.)
+
+  >
+  room_left := \pagegoal - \pagetotal
+  if  room_left < 0  then page overfull already: put figure (on next page)
+  else
+     if  figure_size > room_left  then does not fit
+        if  max(min_stretch, \pagestretch) + extra > room_left
+           then page can stretch until full: put figure (at top of next page)
+        fi
+     else figure fits: put figure
+  fi fi
+  <
+
+Even if a wrapfigure is not floating, it will go through the same logic
+to generate a "\pagebreak", and maybe an underfull page, when the current
+page can stretch until full.  The "min_stretch" depends on whether it is
+floating or not: ".5\baselineskip" (floating) "2\baselineskip" (not). The
+"extra" is ".5\baselineskip" in either case.  These values can be adjusted.
+
+There are some other `magic numbers' for floating that aren't really so
+special, but you must change them together if you change them at all.
+To make floating wrapfigures float less and fit on pages more frequently,
+but not change the number of wrapped lines, decrease the "1.5" in
+"\global\advance\WF@size1.5\baselineskip" and increase the "1.1" in
+"\advance\WF@size1.1\baselineskip" by the same amount (and vice versa).
+To make more (or fewer) wrapped lines for the same size figure, without
+changing the floating, change "1.1" in "\advance\WF@size1.1\baselineskip"
+unilaterally.
+
+%%%%%  ----- End Instructions ----- %%%%%
+
+Test file integrity:  ASCII 32-57, 58-126:  !"#$%&'()*+,-./0123456789
+:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~